Task validation fixes and rewrites (by Steampunk Spotter) #8

Merged
merged 2 commits into from
Sep 15, 2023
3 changes: 2 additions & 1 deletion tasks/auditd.yml
Expand Up @@ -20,7 +20,8 @@
- Restart auditd

- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: 'Auditd template updated, see diff output for details'
when:
33 changes: 22 additions & 11 deletions tasks/main.yml
Expand Up @@ -86,77 +86,88 @@
- always

- name: Include preliminary steps
ansible.builtin.import_tasks: prelim.yml
ansible.builtin.import_tasks:
file: prelim.yml
tags:
- prelim_tasks
- always

- name: Run pre_remediation audit
when:
- run_audit
ansible.builtin.include_tasks: pre_remediation_audit.yml
ansible.builtin.include_tasks:
file: pre_remediation_audit.yml
tags:
- run_audit

- name: Run Section 1 tasks
when:
- amzn2023cis_section1
ansible.builtin.import_tasks: section_1/main.yml
ansible.builtin.import_tasks:
file: section_1/main.yml
tags:
- amzn2023cis_section1

- name: Run Section 2 tasks
when:
- amzn2023cis_section2
ansible.builtin.import_tasks: section_2/main.yml
ansible.builtin.import_tasks:
file: section_2/main.yml
tags:
- amzn2023cis_section2

- name: Run Section 3 tasks
when:
- amzn2023cis_section3
ansible.builtin.import_tasks: section_3/main.yml
ansible.builtin.import_tasks:
file: section_3/main.yml
tags:
- amzn2023cis_section3

- name: Run Section 4 tasks
when:
- amzn2023cis_section4
ansible.builtin.import_tasks: section_4/main.yml
ansible.builtin.import_tasks:
file: section_4/main.yml
tags:
- amzn2023cis_section4

- name: Run Section 5 tasks
when:
- amzn2023cis_section5
ansible.builtin.import_tasks: section_5/main.yml
ansible.builtin.import_tasks:
file: section_5/main.yml
tags:
- amzn2023cis_section5

- name: Run Section 6 tasks
when:
- amzn2023cis_section6
ansible.builtin.import_tasks: section_6/main.yml
ansible.builtin.import_tasks:
file: section_6/main.yml
tags:
- amzn2023cis_section6

- name: run auditd logic
when:
- update_audit_template
ansible.builtin.import_tasks: auditd.yml
ansible.builtin.import_tasks:
file: auditd.yml
tags:
- always

- name: run post remediation tasks
ansible.builtin.import_tasks: post.yml
ansible.builtin.import_tasks:
file: post.yml
tags:
- post_tasks
- always

- name: run post_remediation audit
when:
- run_audit
ansible.builtin.import_tasks: post_remediation_audit.yml
ansible.builtin.import_tasks:
file: post_remediation_audit.yml

- name: Show Audit Summary
when:
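Review bot: The rewritten `run post_remediation audit` task at the end of the hunk still carries no `tags:`, while `Run pre_remediation audit` above it is tagged `run_audit`, so a tag-filtered run such as `--tags run_audit` executes the pre-remediation audit but silently skips the post-remediation check that is supposed to confirm the hardening took effect; add `tags:` / `- run_audit` to the post-audit task, matching the file's block style. The two audit tasks also differ in mechanism (pre uses `ansible.builtin.include_tasks`, post uses `ansible.builtin.import_tasks`), which changes when `when: run_audit` is evaluated and how tags propagate; a one-line comment stating why they differ would spare the next reader the guess. The task list these entries belong to starts above the hunk and continues past it.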
3 changes: 2 additions & 1 deletion tasks/post.yml
Expand Up @@ -46,7 +46,8 @@
- skip_reboot

- name: "POST | Warning a reboot required but skip option set | warning count"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
when:
- change_requires_reboot
- skip_reboot
6 changes: 3 additions & 3 deletions tasks/pre_remediation_audit.yml
@@ -1,7 +1,8 @@
---

- name: Pre Audit Binary Setup | Setup the LE audit
ansible.builtin.include_tasks: LE_audit_setup.yml
ansible.builtin.include_tasks:
file: LE_audit_setup.yml
when:
- setup_audit
tags:
Expand Down Expand Up @@ -59,9 +60,8 @@

- name: Pre Audit Setup | If audit ensure goss is available
ansible.builtin.assert:
that: goss_available.stat.exists
msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
when:
- not goss_available.stat.exists
when:
- run_audit

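Review bot: In the second hunk the condition block on the goss assert needs checking on the new side: the rendered view shows `when:` twice under the same task, and if both keys survive, YAML keeps only the last one without any error, so whichever list comes first is silently discarded. The `- not goss_available.stat.exists` condition is in any case contradictory with `that: goss_available.stat.exists` (the assert could then only ever fail), so the intended form appears to be a single `when:` with `- run_audit`, leaving the assert's `msg` to report the missing binary at `{{ audit_bin }}`. A comment above the assert such as `# Hard stop: the audit cannot run without the goss binary at audit_bin` would make that intent explicit. The task list continues past the hunk.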
3 changes: 2 additions & 1 deletion tasks/prelim.yml
Expand Up @@ -12,7 +12,8 @@
- users

- name: "PRELIM | capture /etc/password variables"
ansible.builtin.include_tasks: parse_etc_password.yml
ansible.builtin.include_tasks:
file: parse_etc_password.yml
tags:
- rule_5.5.2
- rule_5.6.2
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.1.2.x.yml
Expand Up @@ -7,7 +7,8 @@
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.1.2.1'
required_mount: '/tmp'
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.1.3.x.yml
Expand Up @@ -7,7 +7,8 @@
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.1.3.1'
required_mount: '/var'
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.1.4.x.yml
Expand Up @@ -8,7 +8,8 @@
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.1.4.1'
required_mount: '/var/tmp'
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.1.5.x.yml
Expand Up @@ -7,7 +7,8 @@
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml

vars:
warn_control_id: '1.1.5.1'
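Review bot: The new `file: warning_facts.yml` line in this file is followed by a blank line before `vars:`, and the same layout appears in cis_1.1.6.x.yml, cis_1.1.7.x.yml and cis_1.1.8.x.yml; the blank line sits inside the task mapping and reads as though `vars:` opened a new task, whereas every other file in this PR keeps `vars:` directly under `file:`. Drop the blank line in those four files so the rewritten tasks are laid out consistently. The `vars:` block continues past the hunk.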
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.1.6.x.yml
Expand Up @@ -7,7 +7,8 @@
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml

vars:
warn_control_id: '1.1.6.1'
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.1.7.x.yml
Expand Up @@ -7,7 +7,8 @@
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml

vars:
warn_control_id: '1.1.7.1'
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.1.8.x.yml
Expand Up @@ -8,7 +8,8 @@
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"

- name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml

vars:
warn_control_id: '1.1.8.1'
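Review bot: The task name directly above the rewritten import still reads `1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present`, which duplicates the name used in cis_1.1.7.x.yml, while tasks/section_1/main.yml in this same PR labels this file `1.1.8.x | Configure /dev/shm`. If the `required_mount` set below the hunk is `/dev/shm`, change the name to `"1.1.8.1 | AUDIT | Ensure separate partition exists for /dev/shm | Present"` so that warning output and `--list-tasks` identify the right control instead of reporting /home twice. The `vars:` block continues past the hunk.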
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.2.x.yml
Expand Up @@ -71,7 +71,8 @@
- "{{ dnf_configured.stdout_lines }}"

- name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.3'
when:
3 changes: 2 additions & 1 deletion tasks/section_1/cis_1.6.1.x.yml
Expand Up @@ -97,7 +97,8 @@
when: amzn2023cis_1_6_1_6_unconf_services.stdout | length > 0

- name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
when: amzn2023cis_1_6_1_6_unconf_services.stdout | length > 0
vars:
warn_control_id: '1.6.1.6'
51 changes: 34 additions & 17 deletions tasks/section_1/main.yml
@@ -1,54 +1,71 @@
---

- name: "SECTION | 1.1.1.x | Disable unused filesystems"
ansible.builtin.import_tasks: cis_1.1.1.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.1.x.yml

- name: "SECTION | 1.1.2.x | Configure /tmp"
ansible.builtin.import_tasks: cis_1.1.2.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.2.x.yml

- name: "SECTION | 1.1.3.x | Configure /var"
ansible.builtin.import_tasks: cis_1.1.3.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.3.x.yml

- name: "SECTION | 1.1.4.x | Configure /var/tmp"
ansible.builtin.import_tasks: cis_1.1.4.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.4.x.yml

- name: "SECTION | 1.1.5.x | Configure /var/log"
ansible.builtin.import_tasks: cis_1.1.5.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.5.x.yml

- name: "SECTION | 1.1.6.x | Configure /var/log/audit"
ansible.builtin.import_tasks: cis_1.1.6.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.6.x.yml

- name: "SECTION | 1.1.7.x | Configure /home"
ansible.builtin.import_tasks: cis_1.1.7.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.7.x.yml

- name: "SECTION | 1.1.8.x | Configure /dev/shm"
ansible.builtin.import_tasks: cis_1.1.8.x.yml
ansible.builtin.import_tasks:
file: cis_1.1.8.x.yml

- name: "SECTION | 1.1.9 | Disable various mounting"
ansible.builtin.import_tasks: cis_1.1.9.yml
ansible.builtin.import_tasks:
file: cis_1.1.9.yml

- name: "SECTION | 1.2 | Configure Software Updates"
ansible.builtin.import_tasks: cis_1.2.x.yml
ansible.builtin.import_tasks:
file: cis_1.2.x.yml

- name: "SECTION | 1.3 | Filesystem Integrity Checking"
ansible.builtin.import_tasks: cis_1.3.x.yml
ansible.builtin.import_tasks:
file: cis_1.3.x.yml
when: amzn2023cis_config_aide

- name: "SECTION | 1.4 | Secure Boot Settings"
ansible.builtin.import_tasks: cis_1.4.x.yml
ansible.builtin.import_tasks:
file: cis_1.4.x.yml

- name: "SECTION | 1.5 | Additional Process Hardening"
ansible.builtin.import_tasks: cis_1.5.x.yml
ansible.builtin.import_tasks:
file: cis_1.5.x.yml

- name: "SECTION | 1.6 | Mandatory Access Control"
include_tasks: cis_1.6.1.x.yml
ansible.builtin.include_tasks:
file: cis_1.6.1.x.yml
when: not amzn2023cis_selinux_disable

- name: "SECTION | 1.7 | Command Line Warning Banners"
ansible.builtin.import_tasks: cis_1.7.x.yml
ansible.builtin.import_tasks:
file: cis_1.7.x.yml

- name: "SECTION | 1.8 | Updates and Patches"
ansible.builtin.import_tasks: cis_1.8.yml
ansible.builtin.import_tasks:
file: cis_1.8.yml

- name: "SECTION | 1.9 | Crypto policies"
include_tasks: cis_1.9.yml
ansible.builtin.include_tasks:
file: cis_1.9.yml
3 changes: 2 additions & 1 deletion tasks/section_2/cis_2.4.yml
Expand Up @@ -25,7 +25,8 @@
- "{{ amzn2023cis_2_4_sockets.stdout_lines }}"

- name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '2.4'
when:
12 changes: 8 additions & 4 deletions tasks/section_2/main.yml
@@ -1,13 +1,17 @@
---

- name: "SECTION | 2.1 | Time Synchronization"
ansible.builtin.import_tasks: cis_2.1.x.yml
ansible.builtin.import_tasks:
file: cis_2.1.x.yml

- name: "SECTION | 2.2 | Special Purpose Services"
ansible.builtin.import_tasks: cis_2.2.x.yml
ansible.builtin.import_tasks:
file: cis_2.2.x.yml

- name: "SECTION | 2.3 | Service Clients"
ansible.builtin.import_tasks: cis_2.3.x.yml
ansible.builtin.import_tasks:
file: cis_2.3.x.yml

- name: "SECTION | 2.4 | Nonessential services removed"
ansible.builtin.import_tasks: cis_2.4.yml
ansible.builtin.import_tasks:
file: cis_2.4.yml
3 changes: 2 additions & 1 deletion tasks/section_3/cis_3.4.2.x.yml
Expand Up @@ -47,7 +47,8 @@
- not amzn2023cis_nft_tables_autonewtable

- name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count"
ansible.builtin.import_tasks: warning_facts.yml
ansible.builtin.import_tasks:
file: warning_facts.yml
when:
- amzn2023cis_3_4_2_2_nft_tables.stdout | length == 0
- not amzn2023cis_nft_tables_autonewtable
15 changes: 10 additions & 5 deletions tasks/section_3/main.yml
@@ -1,16 +1,21 @@
---

- name: "SECTION | 3.1.x | Disable unused network protocols and devices"
ansible.builtin.import_tasks: cis_3.1.x.yml
ansible.builtin.import_tasks:
file: cis_3.1.x.yml

- name: "SECTION | 3.2.x | Network Parameters (Host Only)"
ansible.builtin.import_tasks: cis_3.2.x.yml
ansible.builtin.import_tasks:
file: cis_3.2.x.yml

- name: "SECTION | 3.3.x | Network Parameters (host and Router)"
ansible.builtin.import_tasks: cis_3.3.x.yml
ansible.builtin.import_tasks:
file: cis_3.3.x.yml

- name: "SECTION | 3.4.1.x | Firewall configuration"
ansible.builtin.import_tasks: cis_3.4.1.x.yml
ansible.builtin.import_tasks:
file: cis_3.4.1.x.yml

- name: "SECTION | 3.4.2.x | Configure firewall"
ansible.builtin.import_tasks: cis_3.4.2.x.yml
ansible.builtin.import_tasks:
file: cis_3.4.2.x.yml