Updated 1.1.10 Logic And Prelim

Signed-off-by: Stephen Williams <[email protected]>
ansible-lockdown · Sep 20, 2024 · da0b1c9 · da0b1c9
1 parent 1078752
commit da0b1c9
Show file tree

Hide file tree

Showing 3 changed files with 94 additions and 69 deletions.
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -441,6 +441,13 @@ expected_tmp_mnt: fstab
 # Options are "remove" or "mask"
 debian11cis_autofs: mask
 debian11cis_allow_usb_storage: false
+# We have found that some systems may have UAS kernel running and if it is
+# usb-storage will fail to be removed which is control 1.1.10. By default This
+# is set to false. By having this set to false control 1.1.10 will run but if UAS
+# Is loaded you will receive a warning message instead of usb-storage being removed
+# and the playbook will have to be re-run with this switch set to true.
+# Default: false
+debian11cis_uas_remove: false
 
 # Control 1.3.1 - allow aide to be configured
 debian11cis_config_aide: true

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -75,57 +75,6 @@
       - section1
       - always
 
-- name: "PRELIM | Check for UAS running for usb-storage"
-  block:
-      - name: "PRELIM | AUDIT | Check if UAS kernel module is running"
-        ansible.builtin.shell: "lsmod | grep uas"
-        register: discovered_uas_status
-        changed_when: false
-        failed_when: false
-        ignore_errors: true
-
-      - name: "PRELIM | AUDIT | Find mounted devices"
-        ansible.builtin.command: lsblk -o NAME,MOUNTPOINT | grep -v '^$'
-        register: discovered_mounted_devices
-        changed_when: false
-        failed_when: false
-        ignore_errors: true
-        when: discovered_uas_status.rc == 0
-
-      - name: "PRELIM | PATCH | Unmount devices"
-        ansible.builtin.command:
-            cmd: "umount /dev/{{ item }}"
-        loop: "{{ discovered_mounted_devices.stdout_lines | map('split', ' ') | map('first') | list }}"
-        changed_when: false
-        failed_when: false
-        ignore_errors: true
-        when: discovered_uas_status.rc == 0
-
-      - name: "PRELIM | PATCH | Unload UAS kernel module"
-        community.general.modprobe:
-            name: uas
-            state: absent
-        when: discovered_uas_status.rc == 0
-
-      - name: "PRELIM | AUDIT | Verify UAS module is unloaded"
-        ansible.builtin.shell: "lsmod | grep uas"
-        changed_when: false
-        failed_when: false
-        ignore_errors: true
-        register: discovered_uas_check
-
-      - name: "PRELIM | AUDIT | Output UAS unload status"
-        ansible.builtin.debug:
-            msg: "The UAS module has been successfully unloaded."
-        when: discovered_uas_check.rc != 0
-  when:
-      - debian11cis_rule_1_1_10
-  tags:
-      - level1-server
-      - level2-workstation
-      - patch
-      - always
-
 - name: "PRELIM | Check for avahi-daemon service"
   ansible.builtin.shell: "systemctl show avahi-daemon | grep LoadState | cut -d = -f 2"
   register: avahi_service_status
@@ -287,3 +236,44 @@
       - debian11cis_ufw_use_sysctl
   tags:
       - always
+
+- name: "Optional | PATCH | Check for UAS running for usb-storage"
+  block:
+      - name: "PRELIM | AUDIT | Check if UAS kernel module is running"
+        ansible.builtin.shell: "lsmod | grep uas"
+        register: discovered_uas_status
+        changed_when: false
+        failed_when: false
+        ignore_errors: true
+        block:
+            - name: "1.1.10 | PATCH | Disable UAS Storage | Set UAS config"
+              ansible.builtin.lineinfile:
+                  path: /etc/modprobe.d/uas.conf
+                  regexp: '^install uas'
+                  line: 'install uas /bin/true'
+                  create: true
+
+            - name: "1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage"
+              ansible.builtin.lineinfile:
+                  path: /etc/modprobe.d/blacklist.conf
+                  line: 'blacklist uas'
+                  insertafter: EOF
+
+            - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module"
+              community.general.modprobe:
+                  name: uas
+                  state: absent
+              when:
+                  - ansible_connection != 'docker'
+        notify: Update_Initramfs
+        when:
+            - discovered_uas_status.rc == 0
+            - not debian11cis_allow_usb_storage
+            - debian11cis_uas_remove
+  when:
+      - debian11cis_rule_1_1_10
+  tags:
+      - level1-server
+      - level2-workstation
+      - patch
+      - always
diff --git a/tasks/section_1/cis_1.1.10.yml b/tasks/section_1/cis_1.1.10.yml
@@ -2,28 +2,56 @@
 
 - name: "1.1.10 | PATCH | Disable USB Storage"
   block:
-      - name: "1.1.10 | PATCH | Disable USB Storage | Set modprobe config"
-        ansible.builtin.lineinfile:
-            path: /etc/modprobe.d/usb_storage.conf
-            regexp: '^install usb-storage'
-            line: 'install usb-storage /bin/true'
-            create: true
+      - block:
+            - name: "1.1.10 | PATCH | Disable USB Storage | Set modprobe config"
+              ansible.builtin.lineinfile:
+                  path: /etc/modprobe.d/usb_storage.conf
+                  regexp: '^install usb-storage'
+                  line: 'install usb-storage /bin/true'
+                  create: true
 
-      - name: "1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage"
-        ansible.builtin.lineinfile:
-            path: /etc/modprobe.d/blacklist.conf
-            line: 'blacklist usb-storage'
-            insertafter: EOF
+            - name: "1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage"
+              ansible.builtin.lineinfile:
+                  path: /etc/modprobe.d/blacklist.conf
+                  line: 'blacklist usb-storage'
+                  insertafter: EOF
 
-      - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module"
-        community.general.modprobe:
-            name: usb-storage
-            state: absent
-        when: ansible_connection != 'docker'
-  notify: Update_Initramfs
+            - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module"
+              community.general.modprobe:
+                  name: usb-storage
+                  state: absent
+              when: ansible_connection != 'docker'
+        when:
+            - debian11cis_rule_1_1_10
+            - not debian11cis_allow_usb_storage
+            - discovered_uas_status.rc != 0
+        notify: Update_Initramfs
+
+      - name: "1.1.10 | AUDIT | Disable USB Storage | Warning Message"
+        ansible.builtin.debug:
+            msg:
+                - "Warning!! USB Attached SCSI (UAS) support is still detected."
+                - "Removing UAS may cause performance issues or prevent certain USB devices from functioning correctly."
+                - "UAS provides higher speeds and better I/O performance compared to traditional USB mass storage"
+                - "Ensure that this action is intentional and consider testing on non-critical systems before applying in production."
+                - "Please review your setting for variable debian11cis_uas_remove and make sure it is set to true"
+                - "And rerun the Ansible playbook to properly remove usb_storage."
+        when:
+            - debian11cis_rule_1_1_10
+            - not debian11cis_allow_usb_storage
+            - discovered_uas_status.rc == 0
+
+      - name: "1.1.10 | WARN | Disable USB Storage | Warn Count"
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
+        vars:
+            warn_control_id: '1.1.10'
+        when:
+            - debian11cis_rule_1_1_10
+            - not debian11cis_allow_usb_storage
+            - discovered_uas_status.rc == 0
   when:
       - debian11cis_rule_1_1_10
-      - not debian11cis_allow_usb_storage
   tags:
       - level1-server
       - level2-workstation