From 4f36e3c07d90633996edefbfb20392718a02ad55 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 1 Sep 2023 11:49:23 +0100 Subject: [PATCH 01/26] updated goss version Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ee4bb3c..669cd52 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -636,10 +636,10 @@ audit_run_script_environment: AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" ### Goss binary settings ### -audit_bin_release: v0.3.23 +audit_bin_release: v0.4.0 audit_bin_version: - AMD64_checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' - ARM64_checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e' + AMD64_checksum: 'sha256:9cb37863d3d25e2af80cb5cf55198c0c115b2477724153ba9afd0a2e544cb46e' + ARM64_checksum: 'sha256:ce364fad93f9c0702e73767d60fddbb87a8c5f2a586b0d99ec823e8331e6a73b' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json From 917412ffdec186ab086228abefd167bc2c5ffedc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 1 Sep 2023 11:51:04 +0100 Subject: [PATCH 02/26] removed temp audit limitation Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 504bf4b..f9e90ed 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -264,8 +264,3 @@ manager: auto tags: - always - -- name: "PRELIM | Set audit to not run if amazon 2023" - ansible.builtin.set_fact: - run_audit: false - when: ansible_distribution_major_version == '2023' From 71c41a19961f5bafb18d8fa7ef2de20e474181c1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 1 Sep 2023 12:36:09 +0100 Subject: [PATCH 03/26] added audit heavy test option Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +++ templates/ansible_vars_goss.yml.j2 | 4 +--- 2 files changed, 4 insertions(+), 3 deletions(-) 
diff --git a/defaults/main.yml b/defaults/main.yml index 669cd52..e938eed 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -61,6 +61,9 @@ run_audit: false # Timeout for those cmds that take longer to run where timeout set audit_cmd_timeout: 60000 +# Some tests can be resource heavy allow these to take place +amzn2023cis_run_heavy_tests: true + ### End Goss enablements #### #### Detailed settings found at the end of this document #### diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 78fc06a..5a1b25f 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -10,6 +10,7 @@ host_os_distribution: {{ ansible_distribution | lower }} # timeout for each command to run where set - default = 10seconds/10000ms timeout_ms: 60000 +amzn2023cis_run_heavy_tests: {{ amzn2023cis_run_heavy_tests }} amzn2023cis_section1: {{ amzn2023cis_section1 }} amzn2023cis_section2: {{ amzn2023cis_section2 }} @@ -26,9 +27,6 @@ amzn2023cis_selinux_disable: {{ amzn2023cis_selinux_disable }} # to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy run_heavy_tests: true - -amzn2023cis_set_boot_pass: {{ amzn2023cis_set_boot_pass }} - # These variables correspond with the CIS rule IDs or paragraph numbers defined in # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. From b1a32ec24fd6058c41b8d87584755f8910e04fcf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 1 Sep 2023 12:37:00 +0100 Subject: [PATCH 04/26] new lint layout Signed-off-by: Mark Bolwell --- tasks/main.yml | 73 +++++++++++++++++++++++++++++--------------------- 1 file changed, 43 insertions(+), 30 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index edb4187..88c4782 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
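Review bot: The template now carries both the new `amzn2023cis_run_heavy_tests: {{ amzn2023cis_run_heavy_tests }}` (first template hunk) and the pre-existing literal `run_heavy_tests: true` that remains as context in the second hunk, so whichever key the goss checks actually read, setting the new role default to false may not switch the heavy tests off. If the checks key on `run_heavy_tests`, render it from the variable as well or remove the literal; if they key on the new name, the literal is dead and misleading. The defaults comment in the first hunk would also read better as `# Some tests are resource heavy (full filesystem scans etc.); set false to skip them`.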
@@ -2,12 +2,12 @@ # tasks file for AMAZON2023 - name: Check OS version and family + when: + - os_check ansible.builtin.assert: that: (ansible_distribution == 'Amazon' and ansible_distribution_major_version is version_compare('2023', '==')) fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" - when: - - os_check tags: - always @@ -20,6 +20,8 @@ - always - name: Ensure root password is set + when: + - amzn2023cis_rule_4_6_6 block: - name: Ensure root password is set ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt" @@ -31,8 +33,6 @@ that: root_passwd_set.rc == 0 fail_msg: "You have rule 5.6.6 enabled this requires that you have a root password set" success_msg: "You have a root password set" - when: - - amzn2023cis_rule_4_6_6 tags: - level1-server - patch @@ -41,6 +41,9 @@ - rule_4.6.6 - name: Setup rules if container + when: + - ansible_connection == 'docker' or + ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] block: - name: Discover and set container variable if required ansible.builtin.set_fact: @@ -51,13 +54,10 @@ file: "{{ container_vars_file }}" - name: Output if discovered is a container - ansible.builtin.debug: - msg: system has been discovered as a container when: - system_is_container - when: - - ansible_connection == 'docker' or - ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + ansible.builtin.debug: + msg: system has been discovered as a container tags: - container_discovery - always 
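Review bot: In the root-password block (hunk `@@ -31,8 +33,6`), the retained `fail_msg` still says `rule 5.6.6` while the relocated condition tests `amzn2023cis_rule_4_6_6` and the tags carry `rule_4.6.6`, so a failing assert points operators at the wrong control ID. Change it to `fail_msg: "You have rule 4.6.6 enabled this requires that you have a root password set"`. The block's remaining tags continue outside this hunk.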
@@ -69,13 +69,13 @@ success_msg: "Crypto policy is a permitted version" - name: Check crypto-policy module input + when: + - amzn2023cis_rule_1_9 + - amzn2023cis_crypto_policy_module | length > 0 ansible.builtin.assert: that: amzn2023cis_crypto_policy_module in amzn2023cis_allowed_crypto_policies_modules fail_msg: "Crypto policy module is not a permitted version" success_msg: "Crypto policy module is a permitted version" - when: - - amzn2023cis_rule_1_9 - - amzn2023cis_crypto_policy_module | length > 0 tags: - rule_1.9 
@@ -91,50 +91,59 @@ - prelim_tasks - always -- name: run pre_remediation audit - ansible.builtin.include_tasks: pre_remediation_audit.yml +- name: Run pre_remediation audit when: - run_audit + ansible.builtin.include_tasks: pre_remediation_audit.yml + tags: + - run_audit -- name: run Section 1 tasks +- name: Run Section 1 tasks + when: + - amzn2023cis_section1 ansible.builtin.import_tasks: section_1/main.yml - when: amzn2023cis_section1 tags: - amzn2023cis_section1 -- name: run Section 2 tasks +- name: Run Section 2 tasks + when: + - amzn2023cis_section2 ansible.builtin.import_tasks: section_2/main.yml - when: amzn2023cis_section2 tags: - amzn2023cis_section2 -- name: run Section 3 tasks +- name: Run Section 3 tasks + when: + - amzn2023cis_section3 ansible.builtin.import_tasks: section_3/main.yml - when: amzn2023cis_section3 tags: - amzn2023cis_section3 -- name: run Section 4 tasks +- name: Run Section 4 tasks + when: + - amzn2023cis_section4 ansible.builtin.import_tasks: section_4/main.yml - when: amzn2023cis_section4 tags: - amzn2023cis_section4 -- name: run Section 5 tasks +- name: Run Section 5 tasks + when: + - amzn2023cis_section5 ansible.builtin.import_tasks: section_5/main.yml - when: amzn2023cis_section5 tags: - amzn2023cis_section5 -- name: run Section 6 tasks +- name: Run Section 6 tasks + when: + - amzn2023cis_section6 ansible.builtin.import_tasks: section_6/main.yml - when: amzn2023cis_section6 tags: - amzn2023cis_section6 - name: run auditd logic + when: + - update_audit_template ansible.builtin.import_tasks: auditd.yml - when: update_audit_template tags: - always 
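Review bot: The task names in this hunk are capitalised (`Run Section 1 tasks` … `Run Section 6 tasks`) except `run auditd logic`, which keeps the old lowercase form, and the same is true of `run post_remediation audit` in the next hunk of this file; since the commit is a lint/layout pass, the rename should be applied consistently, e.g. `- name: Run auditd logic`. Adding `tags: - run_audit` to the pre-remediation include is a useful handle for running the audit on its own.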
@@ -145,18 +154,22 @@ - always - name: run post_remediation audit - ansible.builtin.import_tasks: post_remediation_audit.yml when: - run_audit + ansible.builtin.import_tasks: post_remediation_audit.yml - name: Show Audit Summary + when: + - run_audit ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" - when: run_audit + tags: + - run_audit - name: If Warnings found Output count and control IDs affected + when: + - warn_count != 0 ansible.builtin.debug: msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" - when: warn_count != 0 tags: - always From a4289c2ec01a18b5091c53c5bfa351d9c3d93f59 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Sep 2023 10:09:51 +0100 Subject: [PATCH 05/26] add legacy boot var Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 68 ++++++++++++++++++++++++++---- 1 file changed, 59 insertions(+), 9 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 5a1b25f..c2939d0 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -24,6 +24,8 @@ amzn2023cis_level_2: {{ amzn2023cis_level_2 }} amzn2023cis_selinux_disable: {{ amzn2023cis_selinux_disable }} +amzn2023cis_legacy_boot: {{ amzn2023cis_legacy_boot }} + # to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy run_heavy_tests: true @@ -418,11 +420,11 @@ amzn2023cis_remote_log_queuesize: {{ amzn2023cis_remote_log_queuesize }} ## syslog amzn2023cis_syslog: {{ amzn2023cis_syslog }} -# Section 5 +# Section 4 # This will allow use of drop in files when CIS adopts them. amzn2023cis_sshd_config_file: {{ amzn2023cis_sshd_config_file }} -## 5.2.4 Note the following to understand precedence and layout +## Note the following to understand precedence and layout amzn2023cis_sshd_limited: false amzn2023cis_sshd_access: - AllowUser 
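Review bot: `run post_remediation audit` gets its `when:` moved but, unlike `Run pre_remediation audit` and `Show Audit Summary` in this same commit, receives no `tags: - run_audit`, so a run limited with `--tags run_audit` executes the pre-remediation audit and prints a summary without ever running the post-remediation audit, and the summary then reflects whatever `audit_results` last held. Add `tags:` / `- run_audit` under that include for symmetry. The `warn_count != 0` condition on the last task assumes `warn_count` is always defined; whether a prelim task guarantees that is outside this hunk.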
@@ -430,33 +432,81 @@ amzn2023cis_sshd_access: - DenyUser - DenyGroup -## 5.3.2 & 5.4.2 Enable automation to select custom profile options, using the settings above +## Enable automation to select custom profile options, using the settings above amzn2023cis_authselect_custom_profile_select: {{ amzn2023cis_authselect_custom_profile_select }} -## 5.3.2 Authselect select false if using AD or RHEL ID mgmt +## Authselect select false if using AD or RHEL ID mgmt amzn2023cis_authselect: custom_profile_name: {{ amzn2023cis_authselect['custom_profile_name'] }} default_file_to_copy: {{ amzn2023cis_authselect['default_file_to_copy'] }} -## 5.4.1 Enable automation to create custom profile settings, using the setings above +## Enable automation to create custom profile settings, using the setings above amzn2023cis_authselect_custom_profile_create: {{ amzn2023cis_authselect_custom_profile_create }} -# 5.5.1 + ## PAM amzn2023cis_pam_password: minlen: {{ amzn2023cis_pam_password['minlen'] }} minclass: {{ amzn2023cis_pam_password['minclass'] }} amzn2023cis_pam_passwd_retry: "3" -## 5.5.3 choose one of below +## choose one of below amzn2023cis_pwhistory_so: "14" amzn2023cis_passwd_remember: "5" -## 5.6.x login.defs password settings +## login.defs password settings amzn2023cis_pass: max_days: {{ amzn2023cis_pass['max_days'] }} min_days: {{ amzn2023cis_pass['min_days'] }} warn_age: {{ amzn2023cis_pass['warn_age'] }} -## 5.3.7 set sugroup if differs from wheel +##set sugroup if differs from wheel amzn2023cis_sugroup: {{ amzn2023cis_sugroup }} + + +## Section 5 + +## auditd settings +amzn2023cis_auditd: + space_left_action: email + action_mail_acct: root + admin_space_left_action: {{ amzn2023cis_auditd.admin_space_left_action }} + max_log_file_action: {{ amzn2023cis_auditd.max_log_file_action }} + auditd_backlog_limit: {{ amzn2023cis_audit_back_log_limit }} + +## syslog +amzn2023cis_is_syslog_server: {{ amzn2023cis_system_is_log_server }} +amzn2023cis_syslog_service: "{{ 
amzn2023cis_syslog_service }}" +amzn2023cis_remote_log_server: "{{ amzn2023cis_remote_log_server }}" + +#### remote and destination log server name +amzn2023cis_remote_log_server: false +amzn2023cis_remote_log_host: logagg.example.com +amzn2023cis_remote_log_port: 514 +amzn2023cis_remote_log_protocol: tcp +amzn2023cis_remote_log_retrycount: 100 +amzn2023cis_remote_log_queuesize: 1000 + + +# +# amzn2023cis_journal_upload_url is the ip address to upload the journal entries to +amzn2023cis_journal_upload_url: 192.168.50.42 + +# The paths below have the default paths/files, but allow user to create custom paths/filenames +amzn2023cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" +amzn2023cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" +amzn2023cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" + + +# The variables below related to journald, please set these to your site specific values +# amzn2023cis_journald_systemmaxuse is the max amount of disk space the logs will use +amzn2023cis_journald_systemmaxuse: 10M +# amzn2023cis_journald_systemkeepfree is the amount of disk space to keep free +amzn2023cis_journald_systemkeepfree: 100G +amzn2023cis_journald_runtimemaxuse: 10M +amzn2023cis_journald_runtimekeepfree: 100G +# amzn2023cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +amzn2023cis_journald_maxfilesec: 1month + + +amzn2023cis_logrotate: "daily" From 943c2799ec4137ea56230a827d873f334b505cd2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Sep 2023 10:18:21 +0100 Subject: [PATCH 06/26] remove entry not required Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 3 --- 1 file changed, 3 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index c2939d0..159206c 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
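Review bot: The added Section 5 block defines `amzn2023cis_remote_log_server` twice — once rendered from the role variable and again as the literal `false` under `#### remote and destination log server name` — and YAML loaders keep the last value, so the templated setting is silently overridden and the remote-logging checks will always be evaluated as disabled. The same block hard-codes `amzn2023cis_remote_log_host: logagg.example.com`, the port/protocol/retry/queue values, `amzn2023cis_journal_upload_url: 192.168.50.42` and the journald size limits, where the rest of this template renders from `{{ ... }}`; a host configured with real values will then be reported against placeholders, which makes the audit result meaningless for those rules. Drop the duplicate key and render the remaining values from their role variables. `amzn2023cis_is_syslog_server: {{ amzn2023cis_system_is_log_server }}` also relies on a variable whose definition in defaults is not shown in this series; worth confirming.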
@@ -417,9 +417,6 @@ amzn2023cis_remote_log_protocol: {{ amzn2023cis_remote_log_protocol }} amzn2023cis_remote_log_retrycount: {{ amzn2023cis_remote_log_retrycount }} amzn2023cis_remote_log_queuesize: {{ amzn2023cis_remote_log_queuesize }} -## syslog -amzn2023cis_syslog: {{ amzn2023cis_syslog }} - # Section 4 # This will allow use of drop in files when CIS adopts them. amzn2023cis_sshd_config_file: {{ amzn2023cis_sshd_config_file }} From 69a4bce341c3f56d5c021d9509afc019e9e00f76 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Sep 2023 10:21:58 +0100 Subject: [PATCH 07/26] syslog change to syslog_service Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/section_5/cis_5.1.1.x.yml | 2 +- tasks/section_5/main.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e938eed..a0e9cd9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -498,7 +498,7 @@ amzn2023cis_auditd_extra_conf: {} ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 -amzn2023cis_syslog: rsyslog +amzn2023cis_syslog_service: rsyslog amzn2023cis_rsyslog_ansiblemanaged: true #### 4.2.1.6 remote and destation log server name diff --git a/tasks/section_5/cis_5.1.1.x.yml b/tasks/section_5/cis_5.1.1.x.yml index 6618cb5..20181c7 100644 --- a/tasks/section_5/cis_5.1.1.x.yml +++ b/tasks/section_5/cis_5.1.1.x.yml @@ -38,7 +38,7 @@ notify: Restart rsyslog when: - amzn2023cis_rule_5_1_1_3 - - amzn2023cis_syslog == "rsyslog" + - amzn2023cis_syslog_service == "rsyslog" tags: - level1-server - patch diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index dca539f..520352e 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml 
@@ -4,11 +4,11 @@ - name: "SECTION | 5.1.1 | Configure Logging - rsyslog" ansible.builtin.import_tasks: cis_5.1.1.x.yml - when: amzn2023cis_syslog == 'rsyslog' + when: amzn2023cis_syslog_service == 'rsyslog' - name: "SECTION | 5.1.2 | Configure Logging - journald" ansible.builtin.import_tasks: cis_5.1.2.x.yml - when: amzn2023cis_syslog == 'journald' + when: amzn2023cis_syslog_service == 'journald' - name: "SECTION | 5.1.3 | Configure logfile perms" ansible.builtin.import_tasks: cis_5.1.3.yml From 84831b340d19c863ace7eb35ed07782df97323f3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Sep 2023 11:38:49 +0100 Subject: [PATCH 08/26] tidy naming Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 29f8960..c4a2e4b 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -23,7 +23,7 @@ when: - get_audit_binary_method == 'download' -- name: Pre Audit Setup | copy audit binary +- name: Pre Audit Setup | Copy audit binary ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" From 9ef58fb5c334733499bdb3a7d8c46ccb28ff6d34 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Sep 2023 11:39:20 +0100 Subject: [PATCH 09/26] update vars Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 159206c..d14629f 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -23,8 +23,11 @@ amzn2023cis_level_1: {{ amzn2023cis_level_1 }} amzn2023cis_level_2: {{ amzn2023cis_level_2 }} amzn2023cis_selinux_disable: {{ amzn2023cis_selinux_disable }} +amzn2023cis_selinux_enforce: {{ amzn2023cis_selinux_enforce }} amzn2023cis_legacy_boot: {{ amzn2023cis_legacy_boot }} +amzn2023cis_bootloader_file: /boot/grub2/grub.cfg +amzn2023cis_bootloader_user: /boot/grub2/user.cfg # to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy run_heavy_tests: true From 409e02d9eab786bb8c5e255c3a0e3430477bc598 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Sep 2023 11:39:51 +0100 Subject: [PATCH 10/26] tidy up Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/pre_remediation_audit.yml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index a0e9cd9..1f60b0c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -383,7 +383,7 @@ amzn2023cis_aide_cron: # SELinux policy amzn2023cis_selinux_pol: targeted -# chose onf or enfocing or permissive +# chose conf or enforcing or permissive amzn2023cis_selinux_enforce: enforcing # Whether or not to run tasks related to auditing/patching the desktop environment diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 711f59b..7c0c9a6 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -20,7 +20,7 @@ name: git state: present - - name: Pre Audit Setup | retrieve audit content files from git + - name: Pre Audit Setup | Retrieve audit content files from git ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" @@ -28,7 +28,7 @@ when: - audit_content == 'git' -- name: Pre Audit Setup | copy to audit content files to server +- name: Pre Audit Setup | Copy to audit content files to server ansible.builtin.copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dest }}" 
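Review bot: `amzn2023cis_bootloader_file: /boot/grub2/grub.cfg` and `amzn2023cis_bootloader_user: /boot/grub2/user.cfg` are written as literals in the audit template, while the role's prelim distinguishes BIOS from UEFI hosts (`grub2_path: /etc/grub2.cfg` versus `/etc/grub2-efi.cfg`, visible in a later patch of this series), so bootloader permission and password checks may be audited against a file that is not the one in use on UEFI hosts. Render these from role variables or from the prelim fact, consistent with the other keys in this template. Whether defaults/main.yml already defines these two names is not visible here.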
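Review bot: The corrected comment `# chose conf or enforcing or permissive` above `amzn2023cis_selinux_enforce: enforcing` is still not readable — "conf" is not an SELinux mode and "chose" is a typo. Suggest `# Choose one of enforcing or permissive`; the disabled case appears to be covered by `amzn2023cis_selinux_disable`, which the audit template also renders, so a cross-reference to that key would help operators.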
@@ -36,14 +36,14 @@ when: - audit_content == 'copy' -- name: Pre Audit Setup | unarchive audit content files on server +- name: Pre Audit Setup | Unarchive audit content files on server ansible.builtin.unarchive: src: "{{ audit_conf_copy }}" dest: "{{ audit_conf_dir }}" when: - audit_content == 'archived' -- name: Pre Audit Setup | get audit content from url +- name: Pre Audit Setup | Get audit content from url ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" From 586b5122cedd4d487d065c371a2ff93790e78ad8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Sep 2023 12:44:32 +0100 Subject: [PATCH 11/26] aligned vars Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f9e90ed..2770c3d 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -110,13 +110,13 @@ path: /sys/firmware/efi register: amzn2023cis_efi_boot - - name: "PRELIM | set legacy boot and grub path | Bios" + - name: "PRELIM | Set legacy boot and grub path | Bios" ansible.builtin.set_fact: amzn2023cis_legacy_boot: true grub2_path: /etc/grub2.cfg when: not amzn2023cis_efi_boot.stat.exists - - name: "PRELIM | set grub fact | UEFI" + - name: "PRELIM | Set grub fact | UEFI" ansible.builtin.set_fact: grub2_path: /etc/grub2-efi.cfg when: amzn2023cis_efi_boot.stat.exists @@ -246,7 +246,7 @@ changed_when: false register: gid_min_id - - name: "PRELIM | set_facts for interactive uid/gid" + - name: "PRELIM | Set_facts for interactive uid/gid" ansible.builtin.set_fact: min_int_uid: "{{ uid_min_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}" From 55e76e763599849956316f32002473e06173736d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Sep 2023 12:45:02 +0100 Subject: [PATCH 12/26] tidy up Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 33 +++++++++++++++++++----------- 1 file changed, 21 insertions(+), 12 deletions(-) 
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index d14629f..9782079 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -23,7 +23,7 @@ amzn2023cis_level_1: {{ amzn2023cis_level_1 }} amzn2023cis_level_2: {{ amzn2023cis_level_2 }} amzn2023cis_selinux_disable: {{ amzn2023cis_selinux_disable }} -amzn2023cis_selinux_enforce: {{ amzn2023cis_selinux_enforce }} +amzn2023cis_selinux_state: {{ amzn2023cis_selinux_enforce }} amzn2023cis_legacy_boot: {{ amzn2023cis_legacy_boot }} amzn2023cis_bootloader_file: /boot/grub2/grub.cfg @@ -155,8 +155,8 @@ amzn2023cis_rule_2_4: true amzn2023cis_rule_3_1_1: {{ amzn2023cis_rule_3_1_1 }} amzn2023cis_rule_3_1_2: {{ amzn2023cis_rule_3_1_2 }} amzn2023cis_rule_3_1_3: {{ amzn2023cis_rule_3_1_3 }} -amzn2023cis_rule_3_1_3: {{ amzn2023cis_rule_3_1_4 }} -amzn2023cis_rule_3_1_3: {{ amzn2023cis_rule_3_1_5 }} +amzn2023cis_rule_3_1_4: {{ amzn2023cis_rule_3_1_4 }} +amzn2023cis_rule_3_1_5: {{ amzn2023cis_rule_3_1_5 }} # 3.2 Network Parameters (Host Only) amzn2023cis_rule_3_2_1: {{ amzn2023cis_rule_3_2_1 }} amzn2023cis_rule_3_2_2: {{ amzn2023cis_rule_3_2_2 }} @@ -352,6 +352,13 @@ amzn2023cis_warning_banner: {{ amzn2023cis_warning_banner }} amzn2023cis_aide_scan: cron # Section 2 +#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 +amzn2023cis_time_synchronization_servers: +{% for name in amzn2023cis_time_synchronization_servers %} + - {{ name }} +{% endfor %} +amzn2023cis_chrony_server_options: "minpoll 8" + ## 2.2 Special Purposes # Set to 'true' if X Windows is needed in your environment amzn2023cis_xwindows_required: false 
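Review bot: The new `{% for name in amzn2023cis_time_synchronization_servers %}` loop renders `amzn2023cis_time_synchronization_servers:` with nothing beneath it when the list is empty, which YAML reads as null rather than an empty list, so a goss check iterating the servers would see a null value. Emit `amzn2023cis_time_synchronization_servers: []` for the empty case, e.g. by wrapping the loop in `{% if amzn2023cis_time_synchronization_servers %}` with an `{% else %}` branch. `amzn2023cis_chrony_server_options: "minpoll 8"` is also a literal where the neighbouring keys are rendered from role variables; if defaults define it, render it too.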
@@ -374,14 +381,11 @@ amzn2023cis_telnet_server: {{ amzn2023cis_telnet_server }} amzn2023cis_is_mail_server: {{ amzn2023cis_is_mail_server }} # Note the options -# Packages are used for client services and Server- only remove if you dont use the client service +# Packages are used for client services and Server - only remove if you dont use the client service # -amzn2023cis_use_nfs_server: {{ amzn2023cis_use_nfs_server }} -amzn2023cis_use_nfs_service: {{ amzn2023cis_use_nfs_service }} -amzn2023cis_use_rpc_server: {{ amzn2023cis_use_rpc_server }} -amzn2023cis_use_rpc_service: {{ amzn2023cis_use_rpc_service }} -amzn2023cis_use_rsync_server: {{ amzn2023cis_use_rsync_server }} -amzn2023cis_use_rsync_service: {{ amzn2023cis_use_rsync_service }} +amzn2023cis_use_server: {{ amzn2023cis_use_nfs_server }} +amzn2023cis_rpc_server: {{ amzn2023cis_use_rpc_server }} +amzn2023cis_rsyncd_server: {{ amzn2023cis_use_rsync_server }} #### 2.3 Service clients amzn2023cis_telnet_required: {{ amzn2023cis_telnet_required }} @@ -408,7 +412,7 @@ amzn2023cis_nft_tables_autonewtable: {{ amzn2023cis_nft_tables_autonewtable }} amzn2023cis_nft_tables_tablename: {{ amzn2023cis_nft_tables_tablename }} amzn2023cis_nft_tables_autochaincreate: {{ amzn2023cis_nft_tables_autochaincreate }} -# Section 4 +# Section 5 ## Set if host is a logserver amzn2023cis_remote_log_server: {{ amzn2023cis_remote_log_server }} @@ -432,6 +436,11 @@ amzn2023cis_sshd_access: - DenyUser - DenyGroup +amzn2023cis_sshd: + clientalivecountmax: {{ amzn2023cis_sshd.clientalivecountmax }} + clientaliveinterval: {{ amzn2023cis_sshd.clientaliveinterval }} + logingracetime: {{ amzn2023cis_sshd.logingracetime }} + ## Enable automation to select custom profile options, using the settings above amzn2023cis_authselect_custom_profile_select: {{ amzn2023cis_authselect_custom_profile_select }} 
@@ -443,7 +452,6 @@ amzn2023cis_authselect: ## Enable automation to create custom profile settings, using the setings above amzn2023cis_authselect_custom_profile_create: {{ amzn2023cis_authselect_custom_profile_create }} - ## PAM amzn2023cis_pam_password: minlen: {{ amzn2023cis_pam_password['minlen'] }} @@ -487,6 +495,7 @@ amzn2023cis_remote_log_protocol: tcp amzn2023cis_remote_log_retrycount: 100 amzn2023cis_remote_log_queuesize: 1000 +amzn2023cis_system_is_log_server: {{ amzn2023cis_system_is_log_server }} # # amzn2023cis_journal_upload_url is the ip address to upload the journal entries to From db13b642346c584328052b1093e9c16c3171ccd5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Sep 2023 14:13:17 +0100 Subject: [PATCH 13/26] allow remove or mask options Signed-off-by: Mark Bolwell --- defaults/main.yml | 13 ++++--------- tasks/section_2/cis_2.2.x.yml | 5 ++--- templates/ansible_vars_goss.yml.j2 | 7 ++++--- 3 files changed, 10 insertions(+), 15 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 1f60b0c..7ff408a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -422,15 +422,10 @@ amzn2023cis_is_mail_server: false # Note the options # Packages are used for client services and Server- only remove if you dont use the client service # - -amzn2023cis_use_nfs_server: false -amzn2023cis_use_nfs_service: false - -amzn2023cis_use_rpc_server: false -amzn2023cis_use_rpc_service: false - -amzn2023cis_use_rsync_server: false -amzn2023cis_use_rsync_service: false +# optional either remove or mask +amzn2023cis_nfs_server: mask +amzn2023cis_rpc_server: mask +amzn2023cis_rsync_server: mask #### 2.3 Service clients amzn2023cis_telnet_required: false diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index e26b190..7fe14e2 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml 
@@ -338,7 +338,7 @@ name: rsync-daemon state: absent when: - - not amzn2023cis_use_rsync_server + - amzn2023cis_rsync_server == "remove" - not amzn2023cis_use_rsync_service - name: "2.2.18 | PATCH | Ensure rsync service is not enabled | mask service" @@ -347,8 +347,7 @@ masked: true state: stopped when: - - amzn2023cis_use_rsync_server - - not amzn2023cis_use_rsync_service + - amzn2023cis_rsync_server == "mask" when: - "'rsync' in ansible_facts.packages" - amzn2023cis_rule_2_2_18 diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 9782079..ec98932 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -383,9 +383,10 @@ amzn2023cis_is_mail_server: {{ amzn2023cis_is_mail_server }} # Note the options # Packages are used for client services and Server - only remove if you dont use the client service # -amzn2023cis_use_server: {{ amzn2023cis_use_nfs_server }} -amzn2023cis_rpc_server: {{ amzn2023cis_use_rpc_server }} -amzn2023cis_rsyncd_server: {{ amzn2023cis_use_rsync_server }} +# Set either mask or remove +amzn2023cis_nfs_server: {{ amzn2023cis_nfs_server }} +amzn2023cis_rpc_server: {{ amzn2023cis_rpc_server }} +amzn2023cis_rsync_server: {{ amzn2023cis_rsync_server }} #### 2.3 Service clients amzn2023cis_telnet_required: {{ amzn2023cis_telnet_required }} From 74a5c0adfcd88b1c4554173678db358b022259d3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Sep 2023 16:13:09 +0100 Subject: [PATCH 14/26] improve values Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7ff408a..aaf7219 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
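Review bot: The `remove` branch of rule 2.2.18 (hunk `@@ -338`) still has `- not amzn2023cis_use_rsync_service` in its `when:` although this commit deletes `amzn2023cis_use_rsync_service` from defaults/main.yml, so with `amzn2023cis_rsync_server: remove` the task fails on an undefined variable instead of removing the package; drop that line, as the `mask` branch in the next hunk already does. Neither branch runs when the variable holds anything other than `remove` or `mask` (for example a boolean left over from an inventory written against the old `amzn2023cis_use_rsync_server` name), so the control is silently skipped; a prelim assert such as `that: amzn2023cis_rsync_server in ['remove', 'mask']` would make that visible. The enclosing block's `when:` on `'rsync' in ansible_facts.packages` closes this hunk.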
@@ -473,10 +473,10 @@ amzn2023cis_auditd: max_log_file_action: keep_logs # The audit_back_log_limit value should never be below 8192 -amzn2023cis_audit_back_log_limit: 8192 +amzn2023cis_audit_back_log_limit: '8192' # The max_log_file parameter should be based on your sites policy -amzn2023cis_max_log_file_size: 10 +amzn2023cis_max_log_file_size: '10' ### 4.1.3.x audit template update_audit_template: false @@ -568,7 +568,7 @@ amzn2023cis_authselect_custom_profile_select: false amzn2023cis_pass: max_days: 365 - min_days: 7 + min_days: 1 warn_age: 7 # UID settings for interactive users From 51825827310da8cf55dd45f0fd8bd3d11ab3d800 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Sep 2023 16:13:48 +0100 Subject: [PATCH 15/26] tidy up Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.1.x.yml | 10 ++----- tasks/section_5/cis_5.2.1.x.yml | 8 +++--- templates/ansible_vars_goss.yml.j2 | 43 +++++++++++++++--------------- 3 files changed, 27 insertions(+), 34 deletions(-) diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 764c2fd..b579fcf 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -20,22 +20,16 @@ block: - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | nftables" ansible.builtin.systemd: - name: "{{ item }}" + name: firewalld masked: true - loop: - - firewalld when: - - item in ansible_facts.packages - amzn2023cis_firewall == 'nftables' - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | firewalld" ansible.builtin.systemd: - name: "{{ item }}" + name: nftables masked: true - loop: - - nftables when: - - item in ansible_facts.packages - amzn2023cis_firewall == 'firewalld' - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | package installed" diff --git a/tasks/section_5/cis_5.2.1.x.yml b/tasks/section_5/cis_5.2.1.x.yml index a53edae..30c1b0b 100644 --- a/tasks/section_5/cis_5.2.1.x.yml 
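Review bot: Quoting `amzn2023cis_audit_back_log_limit: '8192'` and `amzn2023cis_max_log_file_size: '10'` makes them strings, so the comment `The audit_back_log_limit value should never be below 8192` can no longer be enforced by a plain numeric comparison: any `>=` test in a task or in the rendered goss vars compares lexically unless it applies `| int` (`'10000' < '8192'` is true as strings). If the quoting exists to keep the value verbatim in the grub line and the audit template, that is reasonable, but say so next to the value, e.g. `# quoted so it renders verbatim; cast with | int for numeric checks`.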
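Review bot: `min_days` drops from 7 to 1 with no comment, and the commit message ("improve values") does not say why; for a hardening default a relaxation should be traceable. If 1 is the benchmark's recommended minimum, record that beside the value, e.g. `min_days: 1  # benchmark minimum; raise per site policy`; if it is a site preference, keep the stricter role default and override in inventory.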
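Review bot: Replacing the loop with a literal `name: firewalld` / `name: nftables` also drops the `item in ansible_facts.packages` guard, so each mask task now runs on hosts where the other firewall's package is not installed at all. Masking an absent unit generally succeeds by creating the /dev/null symlink, but that leaves a stray mask on hosts that never had the package, and the module's behaviour on an unknown unit should be confirmed on AL2023 before relying on it. Keeping `- "'firewalld' in ansible_facts.packages"` alongside the `amzn2023cis_firewall == 'nftables'` condition (and the mirror for nftables) preserves the original guard without the loop.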
+++ b/tasks/section_5/cis_5.2.1.x.yml @@ -28,7 +28,7 @@ - name: "5.2.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" block: - name: "5.2.1.2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" - ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false check_mode: false @@ -45,7 +45,7 @@ - name: "5.2.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" ansible.builtin.lineinfile: path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' + regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=' line: '{{ amzn2023cis_5_2_1_2_grub_cmdline_linux.stdout }} audit=1"' notify: Grub2cfg when: "'audit=' not in amzn2023cis_5_2_1_2_grub_cmdline_linux.stdout" @@ -64,7 +64,7 @@ - name: "5.2.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" block: - name: "5.2.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" - ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false check_mode: false @@ -81,7 +81,7 @@ - name: "5.2.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" ansible.builtin.lineinfile: path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' + regexp: '^GRUB_CMDLINE_LINUX_DEFAULT=' line: '{{ amzn2023cis_5_2_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ amzn2023cis_audit_back_log_limit }}"' notify: Grub2cfg when: "'audit_backlog_limit=' not in amzn2023cis_5_2_1_3_grub_cmdline_linux.stdout" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ec98932..b864569 100644 --- a/templates/ansible_vars_goss.yml.j2 
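Review bot: After switching the grep to `GRUB_CMDLINE_LINUX_DEFAULT=`, the lineinfile tasks in the `@@ -45` and `@@ -81` hunks still build the replacement line from the captured stdout plus a closing quote, so on a host where that key is absent (empty stdout) the regexp matches nothing and lineinfile appends a malformed ` audit=1"` (or ` audit_backlog_limit=...` ) line at the end of /etc/default/grub while the play reports success; the `|| true`-style `failed_when: false` on the grep hides that case. The guard `'audit=' not in ...stdout` is a substring test, so an existing `audit=0` satisfies it and auditing stays disabled, and an existing `audit_backlog_limit=` with a value below `amzn2023cis_audit_back_log_limit` is never raised. Matching the exact `audit=1` token and the desired backlog value, and failing when the captured line is empty, would make both rules enforce what their names claim. grub-mkconfig applies `GRUB_CMDLINE_LINUX_DEFAULT` only to normal entries and not recovery entries, whereas `GRUB_CMDLINE_LINUX` applies to all; confirm that matches the AL2023 grub layout the role targets.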
+++ b/templates/ansible_vars_goss.yml.j2 @@ -413,18 +413,6 @@ amzn2023cis_nft_tables_autonewtable: {{ amzn2023cis_nft_tables_autonewtable }} amzn2023cis_nft_tables_tablename: {{ amzn2023cis_nft_tables_tablename }} amzn2023cis_nft_tables_autochaincreate: {{ amzn2023cis_nft_tables_autochaincreate }} -# Section 5 - -## Set if host is a logserver -amzn2023cis_remote_log_server: {{ amzn2023cis_remote_log_server }} - -# Remote logserver settings -amzn2023cis_remote_log_host: {{ amzn2023cis_remote_log_host }} -amzn2023cis_remote_log_port: {{ amzn2023cis_remote_log_port }} -amzn2023cis_remote_log_protocol: {{ amzn2023cis_remote_log_protocol }} -amzn2023cis_remote_log_retrycount: {{ amzn2023cis_remote_log_retrycount }} -amzn2023cis_remote_log_queuesize: {{ amzn2023cis_remote_log_queuesize }} - # Section 4 # This will allow use of drop in files when CIS adopts them. amzn2023cis_sshd_config_file: {{ amzn2023cis_sshd_config_file }} @@ -455,8 +443,8 @@ amzn2023cis_authselect_custom_profile_create: {{ amzn2023cis_authselect_custom_p ## PAM amzn2023cis_pam_password: - minlen: {{ amzn2023cis_pam_password['minlen'] }} - minclass: {{ amzn2023cis_pam_password['minclass'] }} + minlen: '{{ amzn2023cis_pam_password['minlen'] }}' + minclass: '{{ amzn2023cis_pam_password['minclass'] }}' amzn2023cis_pam_passwd_retry: "3" ## choose one of below 
@@ -475,13 +463,16 @@ amzn2023cis_sugroup: {{ amzn2023cis_sugroup }} ## Section 5 -## auditd settings -amzn2023cis_auditd: - space_left_action: email - action_mail_acct: root - admin_space_left_action: {{ amzn2023cis_auditd.admin_space_left_action }} - max_log_file_action: {{ amzn2023cis_auditd.max_log_file_action }} - auditd_backlog_limit: {{ amzn2023cis_audit_back_log_limit }} + +## Set if host is a logserver +amzn2023cis_remote_log_server: {{ amzn2023cis_remote_log_server }} + +# Remote logserver settings +amzn2023cis_remote_log_host: {{ amzn2023cis_remote_log_host }} +amzn2023cis_remote_log_port: {{ amzn2023cis_remote_log_port }} +amzn2023cis_remote_log_protocol: {{ amzn2023cis_remote_log_protocol }} +amzn2023cis_remote_log_retrycount: {{ amzn2023cis_remote_log_retrycount }} +amzn2023cis_remote_log_queuesize: {{ amzn2023cis_remote_log_queuesize }} ## syslog amzn2023cis_is_syslog_server: {{ amzn2023cis_system_is_log_server }} @@ -518,5 +509,13 @@ amzn2023cis_journald_runtimekeepfree: 100G # amzn2023cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks amzn2023cis_journald_maxfilesec: 1month - amzn2023cis_logrotate: "daily" + +## auditd settings +amzn2023cis_auditd: + space_left_action: email + action_mail_acct: root + admin_space_left_action: {{ amzn2023cis_auditd.admin_space_left_action }} + max_log_file_action: {{ amzn2023cis_auditd.max_log_file_action }} + auditd_backlog_limit: {{ amzn2023cis_audit_back_log_limit }} + max_log_file_size: {{ amzn2023cis_max_log_file_size }} From ba3ca810218e72d51e6d275e79ba2d4679a7f986 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 13:36:49 +0100 Subject: [PATCH 16/26] tidy up layout Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index b864569..00e421d 100644 
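Review bot: In the relocated `amzn2023cis_auditd` block, `space_left_action: email` and `action_mail_acct: root` remain literal while the neighbouring keys are templated from role variables, so an operator who overrides those two on the role side would presumably see the goss audit test the hard-coded values and report a drift the remediation never produced. If the role's `amzn2023cis_auditd` dict carries these keys, template them the same way: `space_left_action: {{ amzn2023cis_auditd.space_left_action }}` and `action_mail_acct: {{ amzn2023cis_auditd.action_mail_acct }}`. The new `max_log_file_size` line depends on `amzn2023cis_max_log_file_size` being defined in defaults, which is outside this diff.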
--- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -426,9 +426,9 @@ amzn2023cis_sshd_access: - DenyGroup amzn2023cis_sshd: - clientalivecountmax: {{ amzn2023cis_sshd.clientalivecountmax }} - clientaliveinterval: {{ amzn2023cis_sshd.clientaliveinterval }} - logingracetime: {{ amzn2023cis_sshd.logingracetime }} + clientalivecountmax: {{ amzn2023cis_sshd.clientalivecountmax }} + clientaliveinterval: {{ amzn2023cis_sshd.clientaliveinterval }} + logingracetime: {{ amzn2023cis_sshd.logingracetime }} ## Enable automation to select custom profile options, using the settings above amzn2023cis_authselect_custom_profile_select: {{ amzn2023cis_authselect_custom_profile_select }} From 800bce7b184ea2e01a2787880e2a4ff1dbba5118 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 15:54:23 +0100 Subject: [PATCH 17/26] updated logic for nfs and rpc Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.2.x.yml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 7fe14e2..3afa08d 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -275,17 +275,16 @@ name: nfs-utils state: absent when: - - not amzn2023cis_use_nfs_server - - not amzn2023cis_use_nfs_service + - amzn2023cis_nfs_server == "remove" - name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service" ansible.builtin.systemd: name: nfs-server masked: true state: stopped + daemon_reload: true when: - - not amzn2023cis_use_nfs_server - - amzn2023cis_use_nfs_service + - amzn2023cis_nfs_server == "mask" when: - "'nfs-utils' in ansible_facts.packages" - amzn2023cis_rule_2_2_16 
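Review bot: The new conditions for 2.2.16 only act when `amzn2023cis_nfs_server` is exactly `"remove"` or `"mask"`; any other value, including an inventory that still sets the dropped `amzn2023cis_use_nfs_server`/`amzn2023cis_use_nfs_service` booleans, leaves nfs-utils installed and nfs-server unmasked while the play reports the rule as applied. Add a prelim guard so misconfiguration fails loudly, e.g. `ansible.builtin.assert:` with `that: amzn2023cis_nfs_server in ['remove', 'mask']` and a `msg` naming the variable. Asserting the old boolean names are undefined for one release would also catch stale group_vars.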
@@ -307,17 +306,16 @@ name: rpcbind state: absent when: - - not amzn2023cis_use_rpc_server - - not amzn2023cis_use_rpc_service + - amzn2023cis_rpc_server == "remove" - name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service" ansible.builtin.systemd: name: rpcbind.socket masked: true state: stopped + daemon_reload: true when: - - amzn2023cis_use_rpc_server - - not amzn2023cis_use_rpc_service + - amzn2023cis_rpc_server == "mask" when: - "'rpcbind' in ansible_facts.packages" - amzn2023cis_rule_2_2_17 @@ -331,7 +329,7 @@ # The name title of the service says mask the service, but the fix allows for both options # Options available in default/main if to remove the package default is false just mask the server service -- name: "2.2.18 | PATCH | Ensure rsync service is not enabled " +- name: "2.2.18 | PATCH | Ensure rsync-daemon is not installed or the rsyncd service is masked " block: - name: "2.2.18 | PATCH | Ensure rsync-daemon is not installed or the rsync service is masked | remove package" ansible.builtin.package: @@ -341,11 +339,12 @@ - amzn2023cis_rsync_server == "remove" - not amzn2023cis_use_rsync_service - - name: "2.2.18 | PATCH | Ensure rsync service is not enabled | mask service" + - name: "2.2.18 | PATCH | Ensure rsync-daemon is not installed or the rsyncd service is masked | mask service" ansible.builtin.systemd: name: rsyncd masked: true state: stopped + daemon_reload: true when: - amzn2023cis_rsync_server == "mask" when: From 851dab6f4f1b191097e2e4bed00b594812a366ba Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 16:05:38 +0100 Subject: [PATCH 18/26] update logic Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 3afa08d..549600a 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml 
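Review bot: The mask branch of 2.2.17 only masks `rpcbind.socket`; the task title says the rpcbind services (plural) are masked, and `rpcbind.service` itself stays unmasked, so it can still be started directly or presumably pulled in by a dependent unit even though socket activation is gone. Mask both units, e.g. replace `name: rpcbind.socket` with `name: "{{ item }}"` and a `loop:` over `rpcbind.socket` and `rpcbind`. As with 2.2.16, a value of `amzn2023cis_rpc_server` other than `remove`/`mask` silently skips both branches.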
@@ -348,7 +348,7 @@ when: - amzn2023cis_rsync_server == "mask" when: - - "'rsync' in ansible_facts.packages" + - "'rsync-daemon' in ansible_facts.packages" - amzn2023cis_rule_2_2_18 tags: - level1-server From a77cc2ca800f63a9923d6a18e4a83e8409ad43d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=C5=BEe=20Luzar?= Date: Fri, 15 Sep 2023 09:54:59 +0200 Subject: [PATCH 19/26] Replace 'when' keyword with a required 'that' param in assert MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Anže Luzar --- tasks/pre_remediation_audit.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 7c0c9a6..bf177dc 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -59,9 +59,8 @@ - name: Pre Audit Setup | If audit ensure goss is available ansible.builtin.assert: + that: goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - when: - - not goss_available.stat.exists when: - run_audit From 99edfdcfb703df7341e6641e322c4c9011e92e04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?An=C5=BEe=20Luzar?= Date: Fri, 15 Sep 2023 09:58:27 +0200 Subject: [PATCH 20/26] Replace inline strings with module parameters MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
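Review bot: The corrected assert only proves that some file exists at `{{ audit_bin }}` before the role goes on to execute it with the play's privileges; nothing in this task ties that file to the expected goss release, so a replaced or stale binary in `/usr/local/bin` passes the check. If the `stat` that registers `goss_available` is run with `checksum_algorithm: sha256` and the role records an expected digest for the release, the same assert can pin it: add `- goss_available.stat.checksum == expected_goss_checksum` under `that:`. That stat task sits above this hunk.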
Signed-off-by: Anže Luzar --- tasks/auditd.yml | 3 +- tasks/main.yml | 33 ++++++++++++++------- tasks/post.yml | 3 +- tasks/pre_remediation_audit.yml | 3 +- tasks/prelim.yml | 3 +- tasks/section_1/cis_1.1.2.x.yml | 3 +- tasks/section_1/cis_1.1.3.x.yml | 3 +- tasks/section_1/cis_1.1.4.x.yml | 3 +- tasks/section_1/cis_1.1.5.x.yml | 3 +- tasks/section_1/cis_1.1.6.x.yml | 3 +- tasks/section_1/cis_1.1.7.x.yml | 3 +- tasks/section_1/cis_1.1.8.x.yml | 3 +- tasks/section_1/cis_1.2.x.yml | 3 +- tasks/section_1/cis_1.6.1.x.yml | 3 +- tasks/section_1/main.yml | 51 ++++++++++++++++++++++----------- tasks/section_2/cis_2.4.yml | 3 +- tasks/section_2/main.yml | 12 +++++--- tasks/section_3/cis_3.4.2.x.yml | 3 +- tasks/section_3/main.yml | 15 ++++++---- tasks/section_4/cis_4.6.1.x.yml | 3 +- tasks/section_4/main.yml | 21 +++++++++----- tasks/section_5/cis_5.1.2.x.yml | 3 +- tasks/section_5/cis_5.3.yml | 3 +- tasks/section_5/main.yml | 27 +++++++++++------ tasks/section_6/cis_6.1.x.yml | 9 ++++-- tasks/section_6/cis_6.2.x.yml | 18 ++++++++---- tasks/section_6/main.yml | 6 ++-- 27 files changed, 164 insertions(+), 82 deletions(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 664cf79..729553f 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -20,7 +20,8 @@ - Restart auditd - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: 'Auditd template updated, see diff output for details' when: diff --git a/tasks/main.yml b/tasks/main.yml index 88c4782..bf119b2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -86,7 +86,8 @@ - always - name: Include preliminary steps - ansible.builtin.import_tasks: prelim.yml + ansible.builtin.import_tasks: + file: prelim.yml tags: - prelim_tasks - always 
@@ -94,61 +95,70 @@ - name: Run pre_remediation audit when: - run_audit - ansible.builtin.include_tasks: pre_remediation_audit.yml + ansible.builtin.include_tasks: + file: pre_remediation_audit.yml tags: - run_audit - name: Run Section 1 tasks when: - amzn2023cis_section1 - ansible.builtin.import_tasks: section_1/main.yml + ansible.builtin.import_tasks: + file: section_1/main.yml tags: - amzn2023cis_section1 - name: Run Section 2 tasks when: - amzn2023cis_section2 - ansible.builtin.import_tasks: section_2/main.yml + ansible.builtin.import_tasks: + file: section_2/main.yml tags: - amzn2023cis_section2 - name: Run Section 3 tasks when: - amzn2023cis_section3 - ansible.builtin.import_tasks: section_3/main.yml + ansible.builtin.import_tasks: + file: section_3/main.yml tags: - amzn2023cis_section3 - name: Run Section 4 tasks when: - amzn2023cis_section4 - ansible.builtin.import_tasks: section_4/main.yml + ansible.builtin.import_tasks: + file: section_4/main.yml tags: - amzn2023cis_section4 - name: Run Section 5 tasks when: - amzn2023cis_section5 - ansible.builtin.import_tasks: section_5/main.yml + ansible.builtin.import_tasks: + file: section_5/main.yml tags: - amzn2023cis_section5 - name: Run Section 6 tasks when: - amzn2023cis_section6 - ansible.builtin.import_tasks: section_6/main.yml + ansible.builtin.import_tasks: + file: section_6/main.yml tags: - amzn2023cis_section6 - name: run auditd logic when: - update_audit_template - ansible.builtin.import_tasks: auditd.yml + ansible.builtin.import_tasks: + file: auditd.yml tags: - always - name: run post remediation tasks - ansible.builtin.import_tasks: post.yml + ansible.builtin.import_tasks: + file: post.yml tags: - post_tasks - always @@ -156,7 +166,8 @@ - name: run post_remediation audit when: - run_audit - ansible.builtin.import_tasks: post_remediation_audit.yml + ansible.builtin.import_tasks: + file: post_remediation_audit.yml - name: Show Audit Summary when: 
diff --git a/tasks/post.yml b/tasks/post.yml index 0621b13..7568c19 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -46,7 +46,8 @@ - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: - change_requires_reboot - skip_reboot diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index bf177dc..79302b0 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,7 +1,8 @@ --- - name: Pre Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: + file: LE_audit_setup.yml when: - setup_audit tags: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 2770c3d..c55a8be 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -12,7 +12,8 @@ - users - name: "PRELIM | capture /etc/password variables" - ansible.builtin.include_tasks: parse_etc_password.yml + ansible.builtin.include_tasks: + file: parse_etc_password.yml tags: - rule_5.5.2 - rule_5.6.2 diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 0e82c70..211e66b 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.2.1' required_mount: '/tmp' diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index a931e80..0e1f472 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml 
@@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.3.1' required_mount: '/var' diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 8dbf162..b411ab8 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -8,7 +8,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.4.1' required_mount: '/var/tmp' diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 700bfd0..658032d 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.5.1' diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 41f3dcf..38c9585 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.6.1' diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index bdeb432..99bab8e 100644 
--- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.7.1' diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 6159ca3..ddfa5de 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -8,7 +8,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.8.1' diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 62b5df9..c6d887c 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -71,7 +71,8 @@ - "{{ dnf_configured.stdout_lines }}" - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.2.3' when: diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index ffea6e7..ea34149 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -97,7 +97,8 @@ when: amzn2023cis_1_6_1_6_unconf_services.stdout | length > 0 - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: amzn2023cis_1_6_1_6_unconf_services.stdout | length > 0 vars: warn_control_id: '1.6.1.6' diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 1cd9d91..93faea2 100644 
--- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
@@ -1,54 +1,71 @@ --- - name: "SECTION | 1.1.1.x | Disable unused filesystems" - ansible.builtin.import_tasks: cis_1.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.1.x.yml - name: "SECTION | 1.1.2.x | Configure /tmp" - ansible.builtin.import_tasks: cis_1.1.2.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.2.x.yml - name: "SECTION | 1.1.3.x | Configure /var" - ansible.builtin.import_tasks: cis_1.1.3.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.3.x.yml - name: "SECTION | 1.1.4.x | Configure /var/tmp" - ansible.builtin.import_tasks: cis_1.1.4.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.4.x.yml - name: "SECTION | 1.1.5.x | Configure /var/log" - ansible.builtin.import_tasks: cis_1.1.5.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.5.x.yml - name: "SECTION | 1.1.6.x | Configure /var/log/audit" - ansible.builtin.import_tasks: cis_1.1.6.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.6.x.yml - name: "SECTION | 1.1.7.x | Configure /home" - ansible.builtin.import_tasks: cis_1.1.7.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.7.x.yml - name: "SECTION | 1.1.8.x | Configure /dev/shm" - ansible.builtin.import_tasks: cis_1.1.8.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.8.x.yml - name: "SECTION | 1.1.9 | Disable various mounting" - ansible.builtin.import_tasks: cis_1.1.9.yml + ansible.builtin.import_tasks: + file: cis_1.1.9.yml - name: "SECTION | 1.2 | Configure Software Updates" - ansible.builtin.import_tasks: cis_1.2.x.yml + ansible.builtin.import_tasks: + file: cis_1.2.x.yml - name: "SECTION | 1.3 | Filesystem Integrity Checking" - ansible.builtin.import_tasks: cis_1.3.x.yml + ansible.builtin.import_tasks: + file: cis_1.3.x.yml when: amzn2023cis_config_aide - name: "SECTION | 1.4 | Secure Boot Settings" - ansible.builtin.import_tasks: cis_1.4.x.yml + ansible.builtin.import_tasks: + file: cis_1.4.x.yml - name: "SECTION | 1.5 | Additional Process Hardening" - ansible.builtin.import_tasks: cis_1.5.x.yml + 
ansible.builtin.import_tasks: + file: cis_1.5.x.yml - name: "SECTION | 1.6 | Mandatory Access Control" - include_tasks: cis_1.6.1.x.yml + ansible.builtin.include_tasks: + file: cis_1.6.1.x.yml when: not amzn2023cis_selinux_disable - name: "SECTION | 1.7 | Command Line Warning Banners" - ansible.builtin.import_tasks: cis_1.7.x.yml + ansible.builtin.import_tasks: + file: cis_1.7.x.yml - name: "SECTION | 1.8 | Updates and Patches" - ansible.builtin.import_tasks: cis_1.8.yml + ansible.builtin.import_tasks: + file: cis_1.8.yml - name: "SECTION | 1.9 | Crypto policies" - include_tasks: cis_1.9.yml + ansible.builtin.include_tasks: + file: cis_1.9.yml diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 4d53a0d..87c092e 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -25,7 +25,8 @@ - "{{ amzn2023cis_2_4_sockets.stdout_lines }}" - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '2.4' when: diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 39b912d..b90d7bb 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,13 +1,17 @@ --- - name: "SECTION | 2.1 | Time Synchronization" - ansible.builtin.import_tasks: cis_2.1.x.yml + ansible.builtin.import_tasks: + file: cis_2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" - ansible.builtin.import_tasks: cis_2.2.x.yml + ansible.builtin.import_tasks: + file: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" - ansible.builtin.import_tasks: cis_2.3.x.yml + ansible.builtin.import_tasks: + file: cis_2.3.x.yml - name: "SECTION | 2.4 | Nonessential services removed" - ansible.builtin.import_tasks: cis_2.4.yml + ansible.builtin.import_tasks: + file: cis_2.4.yml 
diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index d9861d5..a635567 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -47,7 +47,8 @@ - not amzn2023cis_nft_tables_autonewtable - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: - amzn2023cis_3_4_2_2_nft_tables.stdout | length == 0 - not amzn2023cis_nft_tables_autonewtable diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 535aba9..91986db 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml @@ -1,16 +1,21 @@ --- - name: "SECTION | 3.1.x | Disable unused network protocols and devices" - ansible.builtin.import_tasks: cis_3.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.1.x.yml - name: "SECTION | 3.2.x | Network Parameters (Host Only)" - ansible.builtin.import_tasks: cis_3.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.2.x.yml - name: "SECTION | 3.3.x | Network Parameters (host and Router)" - ansible.builtin.import_tasks: cis_3.3.x.yml + ansible.builtin.import_tasks: + file: cis_3.3.x.yml - name: "SECTION | 3.4.1.x | Firewall configuration" - ansible.builtin.import_tasks: cis_3.4.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.4.1.x.yml - name: "SECTION | 3.4.2.x | Configure firewall" - ansible.builtin.import_tasks: cis_3.4.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.4.2.x.yml diff --git a/tasks/section_4/cis_4.6.1.x.yml b/tasks/section_4/cis_4.6.1.x.yml index d33ac8d..a7bf5eb 100644 --- a/tasks/section_4/cis_4.6.1.x.yml +++ b/tasks/section_4/cis_4.6.1.x.yml 
@@ -113,7 +113,8 @@ - not amzn2023cis_futurepwchgdate_autofix - name: "4.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: - amzn2023cis_4_6_1_5_user_list.stdout | length > 0 - not amzn2023cis_futurepwchgdate_autofix diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index b1fed95..4cc88ca 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -3,24 +3,31 @@ # Access, Authentication, and Authorization - name: "SECTION | 4.1 | Configure time-based job schedulers" - ansible.builtin.import_tasks: cis_4.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.x.yml - name: "SECTION | 4.2 | Configure SSH Server" - ansible.builtin.import_tasks: cis_4.2.x.yml + ansible.builtin.import_tasks: + file: cis_4.2.x.yml when: - "'openssh-server' in ansible_facts.packages" - name: "SECTION | 4.3 | Configure privilege escalation" - ansible.builtin.import_tasks: cis_4.3.x.yml + ansible.builtin.import_tasks: + file: cis_4.3.x.yml - name: "SECTION | 4.4 | Configure authselect" - ansible.builtin.import_tasks: cis_4.4.x.yml + ansible.builtin.import_tasks: + file: cis_4.4.x.yml - name: "SECTION | 4.5 | Configure PAM " - ansible.builtin.import_tasks: cis_4.5.x.yml + ansible.builtin.import_tasks: + file: cis_4.5.x.yml - name: "SECTION | 4.6.1.x | Shadow Password Suite Parameters" - ansible.builtin.import_tasks: cis_4.6.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.6.1.x.yml - name: "SECTION | 4.6.x | Misc. User Account Settings" - ansible.builtin.import_tasks: cis_4.6.x.yml + ansible.builtin.import_tasks: + file: cis_4.6.x.yml diff --git a/tasks/section_5/cis_5.1.2.x.yml b/tasks/section_5/cis_5.1.2.x.yml index 152654a..cf78562 100644 --- a/tasks/section_5/cis_5.1.2.x.yml +++ b/tasks/section_5/cis_5.1.2.x.yml 
@@ -98,7 +98,8 @@ when: "'static' not in amzn2023cis_5_1_2_2_status.stdout" - name: "5.1.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: "'static' not in amzn2023cis_5_1_2_2_status.stdout" vars: warn_control_id: '5.1.2.2' diff --git a/tasks/section_5/cis_5.3.yml b/tasks/section_5/cis_5.3.yml index 614d3c5..3b45ad3 100644 --- a/tasks/section_5/cis_5.3.yml +++ b/tasks/section_5/cis_5.3.yml @@ -39,7 +39,8 @@ loop: "{{ log_rotates.files }}" - name: "5.3 | AUDIT | Ensure logrotate is configured | Warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '5.3' when: log_rotates.matched > 0 diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 520352e..df31c6a 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml 
@@ -3,32 +3,41 @@ # Logging and Auditing - name: "SECTION | 5.1.1 | Configure Logging - rsyslog" - ansible.builtin.import_tasks: cis_5.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.1.1.x.yml when: amzn2023cis_syslog_service == 'rsyslog' - name: "SECTION | 5.1.2 | Configure Logging - journald" - ansible.builtin.import_tasks: cis_5.1.2.x.yml + ansible.builtin.import_tasks: + file: cis_5.1.2.x.yml when: amzn2023cis_syslog_service == 'journald' - name: "SECTION | 5.1.3 | Configure logfile perms" - ansible.builtin.import_tasks: cis_5.1.3.yml + ansible.builtin.import_tasks: + file: cis_5.1.3.yml - name: "SECTION | 5.2.1 | Configure System Accounting (auditd)" - ansible.builtin.import_tasks: cis_5.2.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.1.x.yml when: - not system_is_container - name: "SECTION | 5.2.2 | Configure Data Retention" - ansible.builtin.import_tasks: cis_5.2.2.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.2.x.yml - name: "SECTION | 5.2.3 | Configure Auditd rules" - ansible.builtin.import_tasks: cis_5.2.3.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.3.x.yml - name: "SECTION | 5.2.4 | Configure Audit files" - ansible.builtin.import_tasks: cis_5.2.4.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.4.x.yml - name: "SECTION | 5.3 | Configure LogRotate" - ansible.builtin.import_tasks: cis_5.3.yml + ansible.builtin.import_tasks: + file: cis_5.3.yml - name: "SECTION | 5.3 | Configure logrotate" - ansible.builtin.import_tasks: cis_5.3.yml + ansible.builtin.import_tasks: + file: cis_5.3.yml diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index e9c0d30..1c54130 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml 
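Review bot: `cis_5.3.yml` is imported twice on the new side, once as "SECTION | 5.3 | Configure LogRotate" and again as "SECTION | 5.3 | Configure logrotate", so every 5.3 task, including its warning-count bookkeeping, runs twice per play; this predates the commit but the touched lines carry it forward. Drop the second import (the last three lines of the hunk).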
@@ -153,7 +153,8 @@ The file list can be found in {{ amzn2023cis_rpm_audit_file }}" - name: "6.1.9 | AUDIT | Audit system file permissions | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.1.9' when: amzn2023cis_6_1_9_packages_rpm.stdout|length > 0 @@ -258,7 +259,8 @@ when: amzn2023cis_6_1_11_ungrouped_files_found - name: "6.1.11 | AUDIT | Ensure no unowned or ungrouped files or directories exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.1.11' when: amzn2023cis_6_1_11_unowned_files_found or amzn2023cis_6_1_11_ungrouped_files_found @@ -340,7 +342,8 @@ when: amzn2023cis_6_1_12_sgid_found - name: "6.1.12 | AUDIT | Ensure SUID and SGID files are reviewed | Alert SUID/SGID exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.1.12' when: amzn2023cis_6_1_12_suid_found or amzn2023cis_6_1_12_sgid_found diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 5a5b593..318cdd8 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -15,7 +15,8 @@ when: shadow_passwd.stdout | length > 0 - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.1' when: shadow_passwd.stdout | length >= 1 @@ -58,7 +59,8 @@ when: amzn2023cis_6_2_3_passwd_gid_check.stdout | length >= 1 - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.3' when: amzn2023cis_6_2_3_passwd_gid_check.stdout | length >= 1 
@@ -90,7 +92,8 @@ when: amzn2023cis_6_2_4_user_uid_check.stdout | length >= 1 - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: amzn2023cis_6_2_4_user_uid_check.stdout | length >= 1 vars: warn_control_id: '6.2.4' @@ -122,7 +125,8 @@ when: amzn2023cis_6_2_5_user_user_check.stdout | length >= 1 - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.5' when: amzn2023cis_6_2_5_user_user_check.stdout_lines | length >= 1 @@ -155,7 +159,8 @@ when: amzn2023cis_6_2_6_user_username_check.stdout | length >= 1 - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.6' when: amzn2023cis_6_2_6_user_username_check.stdout | length >= 1 @@ -188,7 +193,8 @@ when: amzn2023cis_6_2_7_group_group_check.stdout is not defined - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.7' when: amzn2023cis_6_2_7_group_group_check.stdout is not defined diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index 35328e5..bf2a779 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -1,7 +1,9 @@ --- - name: "SECTION | 6.1 | System File Permissions" - ansible.builtin.import_tasks: cis_6.1.x.yml + ansible.builtin.import_tasks: + file: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - ansible.builtin.import_tasks: cis_6.2.x.yml + ansible.builtin.import_tasks: + file: cis_6.2.x.yml From 009dde46af045ba7adf3a0171c7f33830a31ca25 Mon Sep 17 00:00:00 2001 
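Review bot: The `when: amzn2023cis_6_2_7_group_group_check.stdout is not defined` on the 6.2.7 warning-count task (and the matching context line above it) looks inverted relative to its siblings, which raise the warning when `stdout | length >= 1`: a registered command result normally always carries `stdout`, so this warning would presumably never fire and duplicate group names would go unreported. Unless the registering task deliberately yields no `stdout`, change both conditions to `when: amzn2023cis_6_2_7_group_group_check.stdout | length >= 1`. The task that registers the variable is outside the hunk.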
From: Mark Bolwell Date: Mon, 18 Sep 2023 11:54:19 +0100 Subject: [PATCH 21/26] lint updates Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 2 +- tasks/main.yml | 22 ++++++++++----------- tasks/post.yml | 2 +- tasks/pre_remediation_audit.yml | 2 +- tasks/prelim.yml | 2 +- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.1.3.x.yml | 2 +- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 2 +- tasks/section_1/cis_1.1.7.x.yml | 2 +- tasks/section_1/cis_1.1.8.x.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 2 +- tasks/section_1/cis_1.6.1.x.yml | 2 +- tasks/section_1/main.yml | 34 ++++++++++++++++----------------- tasks/section_2/cis_2.4.yml | 2 +- tasks/section_2/main.yml | 8 ++++---- tasks/section_3/cis_3.4.2.x.yml | 2 +- tasks/section_3/main.yml | 10 +++++----- tasks/section_4/cis_4.6.1.x.yml | 2 +- tasks/section_4/main.yml | 14 +++++++------- tasks/section_5/cis_5.1.2.x.yml | 2 +- tasks/section_5/cis_5.3.yml | 2 +- tasks/section_5/main.yml | 18 ++++++++--------- tasks/section_6/cis_6.1.x.yml | 6 +++--- tasks/section_6/cis_6.2.x.yml | 12 ++++++------ tasks/section_6/main.yml | 4 ++-- 27 files changed, 82 insertions(+), 82 deletions(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 729553f..5e58427 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -21,7 +21,7 @@ - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: 'Auditd template updated, see diff output for details' when: diff --git a/tasks/main.yml b/tasks/main.yml index bf119b2..678c65a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -87,7 +87,7 @@ - name: Include preliminary steps ansible.builtin.import_tasks: - file: prelim.yml + file: prelim.yml tags: - prelim_tasks - always 
@@ -96,7 +96,7 @@ when: - run_audit ansible.builtin.include_tasks: - file: pre_remediation_audit.yml + file: pre_remediation_audit.yml tags: - run_audit @@ -104,7 +104,7 @@ when: - amzn2023cis_section1 ansible.builtin.import_tasks: - file: section_1/main.yml + file: section_1/main.yml tags: - amzn2023cis_section1 @@ -112,7 +112,7 @@ when: - amzn2023cis_section2 ansible.builtin.import_tasks: - file: section_2/main.yml + file: section_2/main.yml tags: - amzn2023cis_section2 @@ -120,7 +120,7 @@ when: - amzn2023cis_section3 ansible.builtin.import_tasks: - file: section_3/main.yml + file: section_3/main.yml tags: - amzn2023cis_section3 @@ -128,7 +128,7 @@ when: - amzn2023cis_section4 ansible.builtin.import_tasks: - file: section_4/main.yml + file: section_4/main.yml tags: - amzn2023cis_section4 @@ -136,7 +136,7 @@ when: - amzn2023cis_section5 ansible.builtin.import_tasks: - file: section_5/main.yml + file: section_5/main.yml tags: - amzn2023cis_section5 @@ -144,7 +144,7 @@ when: - amzn2023cis_section6 ansible.builtin.import_tasks: - file: section_6/main.yml + file: section_6/main.yml tags: - amzn2023cis_section6 @@ -152,13 +152,13 @@ when: - update_audit_template ansible.builtin.import_tasks: - file: auditd.yml + file: auditd.yml tags: - always - name: run post remediation tasks ansible.builtin.import_tasks: - file: post.yml + file: post.yml tags: - post_tasks - always @@ -167,7 +167,7 @@ when: - run_audit ansible.builtin.import_tasks: - file: post_remediation_audit.yml + file: post_remediation_audit.yml - name: Show Audit Summary when: diff --git a/tasks/post.yml b/tasks/post.yml index 7568c19..b681f02 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -47,7 +47,7 @@ - name: "POST | Warning a reboot required but skip option set | warning count" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml when: - change_requires_reboot - skip_reboot 
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 79302b0..4b60075 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -2,7 +2,7 @@ - name: Pre Audit Binary Setup | Setup the LE audit ansible.builtin.include_tasks: - file: LE_audit_setup.yml + file: LE_audit_setup.yml when: - setup_audit tags: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c55a8be..90bb606 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -13,7 +13,7 @@ - name: "PRELIM | capture /etc/password variables" ansible.builtin.include_tasks: - file: parse_etc_password.yml + file: parse_etc_password.yml tags: - rule_5.5.2 - rule_5.6.2 diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 211e66b..514651d 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -8,7 +8,7 @@ - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '1.1.2.1' required_mount: '/tmp' diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 0e1f472..fda1806 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -8,7 +8,7 @@ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '1.1.3.1' required_mount: '/var' diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index b411ab8..317635c 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -9,7 +9,7 @@ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '1.1.4.1' required_mount: '/var/tmp' 
diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 658032d..26e0926 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -8,7 +8,7 @@ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '1.1.5.1' diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 38c9585..72c6055 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -8,7 +8,7 @@ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '1.1.6.1' diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 99bab8e..53a7424 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -8,7 +8,7 @@ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '1.1.7.1' diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index ddfa5de..d9577ec 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -9,7 +9,7 @@ - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '1.1.8.1' diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index c6d887c..2b853de 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
@@ -72,7 +72,7 @@ - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '1.2.3' when: diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index ea34149..33ef1c7 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -98,7 +98,7 @@ - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml when: amzn2023cis_1_6_1_6_unconf_services.stdout | length > 0 vars: warn_control_id: '1.6.1.6' diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 93faea2..f6acd63 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
@@ -2,70 +2,70 @@ - name: "SECTION | 1.1.1.x | Disable unused filesystems" ansible.builtin.import_tasks: - file: cis_1.1.1.x.yml + file: cis_1.1.1.x.yml - name: "SECTION | 1.1.2.x | Configure /tmp" ansible.builtin.import_tasks: - file: cis_1.1.2.x.yml + file: cis_1.1.2.x.yml - name: "SECTION | 1.1.3.x | Configure /var" ansible.builtin.import_tasks: - file: cis_1.1.3.x.yml + file: cis_1.1.3.x.yml - name: "SECTION | 1.1.4.x | Configure /var/tmp" ansible.builtin.import_tasks: - file: cis_1.1.4.x.yml + file: cis_1.1.4.x.yml - name: "SECTION | 1.1.5.x | Configure /var/log" ansible.builtin.import_tasks: - file: cis_1.1.5.x.yml + file: cis_1.1.5.x.yml - name: "SECTION | 1.1.6.x | Configure /var/log/audit" ansible.builtin.import_tasks: - file: cis_1.1.6.x.yml + file: cis_1.1.6.x.yml - name: "SECTION | 1.1.7.x | Configure /home" ansible.builtin.import_tasks: - file: cis_1.1.7.x.yml + file: cis_1.1.7.x.yml - name: "SECTION | 1.1.8.x | Configure /dev/shm" ansible.builtin.import_tasks: - file: cis_1.1.8.x.yml + file: cis_1.1.8.x.yml - name: "SECTION | 1.1.9 | Disable various mounting" ansible.builtin.import_tasks: - file: cis_1.1.9.yml + file: cis_1.1.9.yml - name: "SECTION | 1.2 | Configure Software Updates" ansible.builtin.import_tasks: - file: cis_1.2.x.yml + file: cis_1.2.x.yml - name: "SECTION | 1.3 | Filesystem Integrity Checking" ansible.builtin.import_tasks: - file: cis_1.3.x.yml + file: cis_1.3.x.yml when: amzn2023cis_config_aide - name: "SECTION | 1.4 | Secure Boot Settings" ansible.builtin.import_tasks: - file: cis_1.4.x.yml + file: cis_1.4.x.yml - name: "SECTION | 1.5 | Additional Process Hardening" ansible.builtin.import_tasks: - file: cis_1.5.x.yml + file: cis_1.5.x.yml - name: "SECTION | 1.6 | Mandatory Access Control" ansible.builtin.include_tasks: - file: cis_1.6.1.x.yml + file: cis_1.6.1.x.yml when: not amzn2023cis_selinux_disable - name: "SECTION | 1.7 | Command Line Warning Banners" ansible.builtin.import_tasks: - file: cis_1.7.x.yml + file: cis_1.7.x.yml - 
name: "SECTION | 1.8 | Updates and Patches" ansible.builtin.import_tasks: - file: cis_1.8.yml + file: cis_1.8.yml - name: "SECTION | 1.9 | Crypto policies" ansible.builtin.include_tasks: - file: cis_1.9.yml + file: cis_1.9.yml diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 87c092e..393d4aa 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -26,7 +26,7 @@ - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '2.4' when: diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index b90d7bb..3e8996a 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -2,16 +2,16 @@ - name: "SECTION | 2.1 | Time Synchronization" ansible.builtin.import_tasks: - file: cis_2.1.x.yml + file: cis_2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" ansible.builtin.import_tasks: - file: cis_2.2.x.yml + file: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" ansible.builtin.import_tasks: - file: cis_2.3.x.yml + file: cis_2.3.x.yml - name: "SECTION | 2.4 | Nonessential services removed" ansible.builtin.import_tasks: - file: cis_2.4.yml + file: cis_2.4.yml diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index a635567..54a1ef0 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -48,7 +48,7 @@ - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml when: - amzn2023cis_3_4_2_2_nft_tables.stdout | length == 0 - not amzn2023cis_nft_tables_autonewtable diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 91986db..34553d7 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml 
@@ -2,20 +2,20 @@ - name: "SECTION | 3.1.x | Disable unused network protocols and devices" ansible.builtin.import_tasks: - file: cis_3.1.x.yml + file: cis_3.1.x.yml - name: "SECTION | 3.2.x | Network Parameters (Host Only)" ansible.builtin.import_tasks: - file: cis_3.2.x.yml + file: cis_3.2.x.yml - name: "SECTION | 3.3.x | Network Parameters (host and Router)" ansible.builtin.import_tasks: - file: cis_3.3.x.yml + file: cis_3.3.x.yml - name: "SECTION | 3.4.1.x | Firewall configuration" ansible.builtin.import_tasks: - file: cis_3.4.1.x.yml + file: cis_3.4.1.x.yml - name: "SECTION | 3.4.2.x | Configure firewall" ansible.builtin.import_tasks: - file: cis_3.4.2.x.yml + file: cis_3.4.2.x.yml diff --git a/tasks/section_4/cis_4.6.1.x.yml b/tasks/section_4/cis_4.6.1.x.yml index a7bf5eb..82094ba 100644 --- a/tasks/section_4/cis_4.6.1.x.yml +++ b/tasks/section_4/cis_4.6.1.x.yml @@ -114,7 +114,7 @@ - name: "4.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml when: - amzn2023cis_4_6_1_5_user_list.stdout | length > 0 - not amzn2023cis_futurepwchgdate_autofix diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 4cc88ca..f780ee8 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml 
@@ -4,30 +4,30 @@ - name: "SECTION | 4.1 | Configure time-based job schedulers" ansible.builtin.import_tasks: - file: cis_4.1.x.yml + file: cis_4.1.x.yml - name: "SECTION | 4.2 | Configure SSH Server" ansible.builtin.import_tasks: - file: cis_4.2.x.yml + file: cis_4.2.x.yml when: - "'openssh-server' in ansible_facts.packages" - name: "SECTION | 4.3 | Configure privilege escalation" ansible.builtin.import_tasks: - file: cis_4.3.x.yml + file: cis_4.3.x.yml - name: "SECTION | 4.4 | Configure authselect" ansible.builtin.import_tasks: - file: cis_4.4.x.yml + file: cis_4.4.x.yml - name: "SECTION | 4.5 | Configure PAM " ansible.builtin.import_tasks: - file: cis_4.5.x.yml + file: cis_4.5.x.yml - name: "SECTION | 4.6.1.x | Shadow Password Suite Parameters" ansible.builtin.import_tasks: - file: cis_4.6.1.x.yml + file: cis_4.6.1.x.yml - name: "SECTION | 4.6.x | Misc. User Account Settings" ansible.builtin.import_tasks: - file: cis_4.6.x.yml + file: cis_4.6.x.yml diff --git a/tasks/section_5/cis_5.1.2.x.yml b/tasks/section_5/cis_5.1.2.x.yml index cf78562..70d04e7 100644 --- a/tasks/section_5/cis_5.1.2.x.yml +++ b/tasks/section_5/cis_5.1.2.x.yml @@ -99,7 +99,7 @@ - name: "5.1.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml when: "'static' not in amzn2023cis_5_1_2_2_status.stdout" vars: warn_control_id: '5.1.2.2' diff --git a/tasks/section_5/cis_5.3.yml b/tasks/section_5/cis_5.3.yml index 3b45ad3..e4b4fd9 100644 --- a/tasks/section_5/cis_5.3.yml +++ b/tasks/section_5/cis_5.3.yml @@ -40,7 +40,7 @@ - name: "5.3 | AUDIT | Ensure logrotate is configured | Warning count" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '5.3' when: log_rotates.matched > 0 diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index df31c6a..447229f 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml 
@@ -4,40 +4,40 @@ - name: "SECTION | 5.1.1 | Configure Logging - rsyslog" ansible.builtin.import_tasks: - file: cis_5.1.1.x.yml + file: cis_5.1.1.x.yml when: amzn2023cis_syslog_service == 'rsyslog' - name: "SECTION | 5.1.2 | Configure Logging - journald" ansible.builtin.import_tasks: - file: cis_5.1.2.x.yml + file: cis_5.1.2.x.yml when: amzn2023cis_syslog_service == 'journald' - name: "SECTION | 5.1.3 | Configure logfile perms" ansible.builtin.import_tasks: - file: cis_5.1.3.yml + file: cis_5.1.3.yml - name: "SECTION | 5.2.1 | Configure System Accounting (auditd)" ansible.builtin.import_tasks: - file: cis_5.2.1.x.yml + file: cis_5.2.1.x.yml when: - not system_is_container - name: "SECTION | 5.2.2 | Configure Data Retention" ansible.builtin.import_tasks: - file: cis_5.2.2.x.yml + file: cis_5.2.2.x.yml - name: "SECTION | 5.2.3 | Configure Auditd rules" ansible.builtin.import_tasks: - file: cis_5.2.3.x.yml + file: cis_5.2.3.x.yml - name: "SECTION | 5.2.4 | Configure Audit files" ansible.builtin.import_tasks: - file: cis_5.2.4.x.yml + file: cis_5.2.4.x.yml - name: "SECTION | 5.3 | Configure LogRotate" ansible.builtin.import_tasks: - file: cis_5.3.yml + file: cis_5.3.yml - name: "SECTION | 5.3 | Configure logrotate" ansible.builtin.import_tasks: - file: cis_5.3.yml + file: cis_5.3.yml diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 1c54130..826117a 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -154,7 +154,7 @@ - name: "6.1.9 | AUDIT | Audit system file permissions | warning count" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '6.1.9' when: amzn2023cis_6_1_9_packages_rpm.stdout|length > 0 
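Review bot: `cis_5.3.yml` is imported twice in this task list, once by the task named `SECTION | 5.3 | Configure LogRotate` and again by `SECTION | 5.3 | Configure logrotate` at the end of the hunk, so every task in that file runs twice per play and any warning-count logic it carries is presumably double-counted. The re-indentation made here keeps both entries; one of the two import tasks should be removed, leaving a single `- name: "SECTION | 5.3 | Configure logrotate"` with its `ansible.builtin.import_tasks` of `cis_5.3.yml`. Both tasks are visible in full inside the hunk.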
@@ -260,7 +260,7 @@ - name: "6.1.11 | AUDIT | Ensure no unowned or ungrouped files or directories exist | warning" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '6.1.11' when: amzn2023cis_6_1_11_unowned_files_found or amzn2023cis_6_1_11_ungrouped_files_found @@ -343,7 +343,7 @@ - name: "6.1.12 | AUDIT | Ensure SUID and SGID files are reviewed | Alert SUID/SGID exist | warning" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '6.1.12' when: amzn2023cis_6_1_12_suid_found or amzn2023cis_6_1_12_sgid_found diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 318cdd8..c100d41 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -16,7 +16,7 @@ - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '6.2.1' when: shadow_passwd.stdout | length >= 1 @@ -60,7 +60,7 @@ - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '6.2.3' when: amzn2023cis_6_2_3_passwd_gid_check.stdout | length >= 1 @@ -93,7 +93,7 @@ - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml when: amzn2023cis_6_2_4_user_uid_check.stdout | length >= 1 vars: warn_control_id: '6.2.4' @@ -126,7 +126,7 @@ - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '6.2.5' when: amzn2023cis_6_2_5_user_user_check.stdout_lines | length >= 1 
@@ -160,7 +160,7 @@ - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '6.2.6' when: amzn2023cis_6_2_6_user_username_check.stdout | length >= 1 @@ -194,7 +194,7 @@ - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yml + file: warning_facts.yml vars: warn_control_id: '6.2.7' when: amzn2023cis_6_2_7_group_group_check.stdout is not defined diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index bf2a779..b194fdc 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -2,8 +2,8 @@ - name: "SECTION | 6.1 | System File Permissions" ansible.builtin.import_tasks: - file: cis_6.1.x.yml + file: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" ansible.builtin.import_tasks: - file: cis_6.2.x.yml + file: cis_6.2.x.yml From b4b0a4c0f85c4e690dcfc19d2ff5c5a580ec30b0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Sep 2023 11:54:47 +0100 Subject: [PATCH 22/26] updated discord link Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 2 +- README.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 8d9d15c..31a4a6b 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml 
@@ -27,7 +27,7 @@ repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. # This workflow contains a single job which tests the playbook playbook-test: diff --git a/README.md b/README.md index c93ad38..83b3854 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ NOTE AUDIT NOT YET AVAILABLE [![Main Pipeline Status](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/main_pipeline_validation.yml) [![Devel Pipeline Status](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/devel_pipeline_validation.yml) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/AMAZON2023-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/AMAZON2023-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/AMAZON2023-CIS?label=Open%20Issues) ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/AMAZON2023-CIS?label=Closed%20Issues&&color=success) 
@@ -44,7 +44,7 @@ NOTE AUDIT NOT YET AVAILABLE
 
 ### Community
 
-Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
+Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
 
 ### Contributing
 
From 2074aac592fef54d158fb18b8d2b32bd3bd4d1ed Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 22 Sep 2023 14:21:57 +0100
Subject: [PATCH 23/26] updated truthy

Signed-off-by: Mark Bolwell
---
 .yamllint | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.yamllint b/.yamllint
index ec46929..65faae6 100644
--- a/.yamllint
+++ b/.yamllint
@@ -30,4 +30,4 @@ rules:
   trailing-spaces: enable
   truthy:
     allowed-values: ['true', 'false']
-    check-keys: false
+    check-keys: true
From 91fc33739710fe9b89efb37e42c448ded7c3ef13 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 22 Sep 2023 14:22:21 +0100
Subject: [PATCH 24/26] updated

Signed-off-by: Mark Bolwell
---
 .config/.secrets.baseline | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
index d1d2ada..c1b01c1 100644
--- a/.config/.secrets.baseline
+++ b/.config/.secrets.baseline
@@ -105,18 +105,15 @@
       },
       {
         "path": "detect_secrets.filters.heuristic.is_templated_secret"
+      },
+      {
+        "path": "detect_secrets.filters.regex.should_exclude_file",
+        "pattern": [
+          ".config/.gitleaks-report.json",
+          "tasks/parse_etc_password.yml"
+        ]
       }
     ],
-    "results": {
-      "tasks/parse_etc_password.yml": [
-        {
-          "type": "Secret Keyword",
-          "filename": "tasks/parse_etc_password.yml",
-          "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-          "is_verified": false,
-          "line_number": 18
-        }
-      ]
-    },
-    "generated_at": "2023-08-23T10:10:15Z"
+    "results": {},
+    "generated_at": "2023-09-22T13:20:34Z"
   }
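Review bot: Switching `check-keys` to `true` under `truthy` makes yamllint flag every mapping key that looks boolean, and the `on:` trigger key that GitHub workflow files such as `.github/workflows/devel_pipeline_validation.yml` (touched earlier in this series) must use is presumably the first casualty, so the lint stage is likely to fail on that file unless it is handled. Either add `# yamllint disable-line rule:truthy` on the `on:` line of each workflow, or keep key checking off for that directory with an `ignore:` entry in `.yamllint`. The `allowed-values: ['true', 'false']` restriction is sound and is not affected by this.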
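Review bot: Moving `tasks/parse_etc_password.yml` from a reviewed `results` entry into a `should_exclude_file` pattern takes the file out of detect-secrets scanning altogether, so a real credential added to it later would never be reported, whereas the previous baseline entry kept the finding visible and auditable. The narrower fix is to leave the file in scope and suppress only the known false positive, either with an inline `# pragma: allowlist secret` on the offending line or by keeping the `results` entry and marking it as not a secret through `detect-secrets audit`. Excluding `.config/.gitleaks-report.json` is reasonable, since that file is scanner output rather than source.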
From 7e8d8283eb09350c529f85bcf5b8b001f7acd964 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 22 Sep 2023 14:23:30 +0100
Subject: [PATCH 25/26] updated

Signed-off-by: Mark Bolwell
---
 README.md | 21 ++++++++------------
 1 file changed, 8 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 83b3854..87243e1 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,4 @@
-# AMAZON 2023 CIS - Beta
-
-****************************
-NOTE AUDIT NOT YET AVAILABLE
-****************************
+# AMAZON 2023 CIS
 
 ## Configure a Amazon 2023 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant
 
@@ -16,7 +12,7 @@ NOTE AUDIT NOT YET AVAILABLE
 ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
 
-![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61781?label=Quality&&logo=ansible)
+![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/?label=Quality&&logo=ansible)
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
 
@@ -38,9 +34,9 @@ NOTE AUDIT NOT YET AVAILABLE
 
 ## Looking for support?
 
-[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH9_cis)
+[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_AMZ2023_cis)
 
-[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH9_cis)
+[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_AMZ2023_cis)
 
 ### Community
 
@@ -96,10 +92,10 @@ Refer to [AMAZON2023-CIS-Audit](https://github.com/ansible-lockdown/AMAZON2023-C
 ## Documentation
 
 - [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/)
-- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_RH9_cis)
-- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise#GH_AL_RH9_cis)
-- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_RH9_cis)
-- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_RH9_cis)
+- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_AMZ2023_cis)
+- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise#GH_AL_AMZ2023_cis)
+- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_AMZ2023_cis)
+- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_AMZ2023_cis)
 
 ## Requirements
 
@@ -195,7 +191,6 @@ uses:
 
 ## Added Extras
 
-- makefile - this is there purely for testing and initial setup purposes.
 - [pre-commit](https://pre-commit.com) can be tested and can be run from within the directory
 
 ```sh
From 858aabfe23e1297f1552f4d15c585f69d6ef8699 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 22 Sep 2023 14:25:31 +0100
Subject: [PATCH 26/26] removed skip for fqcn

Signed-off-by: Mark Bolwell
---
 .ansible-lint | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.ansible-lint b/.ansible-lint
index 057c65e..b717f67 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -6,12 +6,10 @@ skip_list:
   - 'schema'
   - 'no-changed-when'
   - 'var-spacing'
-  - 'fqcn-builtins'
   - 'experimental'
   - 'name[play]'
   - 'name[casing]'
   - 'name[template]'
-  - 'fqcn[action]'
   - 'key-order[task]'
   - '204'
   - '305'