From da0b1c938c1230f8070bb50b91d4bbfef7fba3bb Mon Sep 17 00:00:00 2001
From: Stephen Williams <stephenw@mindpointgroup.com>
Date: Fri, 20 Sep 2024 11:40:50 -0400
Subject: [PATCH] Updated 1.1.10 Logic And Prelim

Signed-off-by: Stephen Williams <stephenw@mindpointgroup.com>
---
 defaults/main.yml | 7 +++
 tasks/prelim.yml | 92 +++++++++++++++-------------------
 tasks/section_1/cis_1.1.10.yml | 64 ++++++++++++++++-------
 3 files changed, 94 insertions(+), 69 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 700c969..da56799 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -441,6 +441,13 @@ expected_tmp_mnt: fstab
 # Options are "remove" or "mask"
 debian11cis_autofs: mask
 debian11cis_allow_usb_storage: false
+# We have found that some systems may have UAS kernel running and if it is
+usb-storage will fail to be removed which is control 1.1.10. By default This
+is set to false. By having this set to false control 1.1.10 will run but if UAS
+Is loaded you will receive a warning message instead of usb-storage being removed
+and the playbook will have to be re-run with this switch set to true.
+# Default: false
+debian11cis_uas_remove: false
 
 # Control 1.3.1 - allow aide to be configured
 debian11cis_config_aide: true
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index d273340..4347f71 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
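Review bot: As rendered here only the first and sixth lines of the new comment block start with `#`; the four continuation lines (`usb-storage will fail to be removed ...` through `and the playbook will have to be re-run ...`) appear as bare text, which would make defaults/main.yml fail to parse — if that is not an artefact of this rendering, each continuation line needs a leading `# `. While fixing that, the explanation could be tightened to state the behaviour once, e.g. `# When the uas module is loaded, usb-storage cannot be unloaded, so control 1.1.10 only warns while this is false; set it to true to let PRELIM unload uas first.` The mid-sentence capitals (`By default This`, `if UAS Is loaded`) can go at the same time.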
@@ -75,57 +75,6 @@ - section1 - always -- name: "PRELIM | Check for UAS running for usb-storage" - block: - - name: "PRELIM | AUDIT | Check if UAS kernel module is running" - ansible.builtin.shell: "lsmod | grep uas" - register: discovered_uas_status - changed_when: false - failed_when: false - ignore_errors: true - - - name: "PRELIM | AUDIT | Find mounted devices" - ansible.builtin.command: lsblk -o NAME,MOUNTPOINT | grep -v '^$' - register: discovered_mounted_devices - changed_when: false - failed_when: false - ignore_errors: true - when: discovered_uas_status.rc == 0 - - - name: "PRELIM | PATCH | Unmount devices" - ansible.builtin.command: - cmd: "umount /dev/{{ item }}" - loop: "{{ discovered_mounted_devices.stdout_lines | map('split', ' ') | map('first') | list }}" - changed_when: false - failed_when: false - ignore_errors: true - when: discovered_uas_status.rc == 0 - - - name: "PRELIM | PATCH | Unload UAS kernel module" - community.general.modprobe: - name: uas - state: absent - when: discovered_uas_status.rc == 0 - - - name: "PRELIM | AUDIT | Verify UAS module is unloaded" - ansible.builtin.shell: "lsmod | grep uas" - changed_when: false - failed_when: false - ignore_errors: true - register: discovered_uas_check - - - name: "PRELIM | AUDIT | Output UAS unload status" - ansible.builtin.debug: - msg: "The UAS module has been successfully unloaded." - when: discovered_uas_check.rc != 0 - when: - - debian11cis_rule_1_1_10 - tags: - - level1-server - - level2-workstation - - patch - - always - - name: "PRELIM | Check for avahi-daemon service" ansible.builtin.shell: "systemctl show avahi-daemon | grep LoadState | cut -d = -f 2" register: avahi_service_status 
@@ -287,3 +236,44 @@ - debian11cis_ufw_use_sysctl tags: - always + +- name: "Optional | PATCH | Check for UAS running for usb-storage" + block: + - name: "PRELIM | AUDIT | Check if UAS kernel module is running" + ansible.builtin.shell: "lsmod | grep uas" + register: discovered_uas_status + changed_when: false + failed_when: false + ignore_errors: true + block: + - name: "1.1.10 | PATCH | Disable UAS Storage | Set UAS config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/uas.conf + regexp: '^install uas' + line: 'install uas /bin/true' + create: true + + - name: "1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + line: 'blacklist uas' + insertafter: EOF + + - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module" + community.general.modprobe: + name: uas + state: absent + when: + - ansible_connection != 'docker' + notify: Update_Initramfs + when: + - discovered_uas_status.rc == 0 + - not debian11cis_allow_usb_storage + - debian11cis_uas_remove + when: + - debian11cis_rule_1_1_10 + tags: + - level1-server + - level2-workstation + - patch + - always diff --git a/tasks/section_1/cis_1.1.10.yml b/tasks/section_1/cis_1.1.10.yml index b6405c4..661fde9 100644 --- a/tasks/section_1/cis_1.1.10.yml +++ b/tasks/section_1/cis_1.1.10.yml 
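Review bot: `lsmod | grep uas` in the "Check if UAS kernel module is running" task matches any lsmod line containing the substring `uas` — notably the commonly loaded `squashfs` module — so `discovered_uas_status.rc` will be 0 on many hosts where uas is not loaded, and this block (or the 1.1.10 warning) fires spuriously; anchor the pattern, `ansible.builtin.shell: "lsmod | grep -w '^uas'"`. Separately, `discovered_uas_status` is registered once, before the unload, and is the value cis_1.1.10.yml tests with `discovered_uas_status.rc != 0`, so in the run where `debian11cis_uas_remove` is true the unload succeeds but 1.1.10 still sees rc 0, skips the usb-storage removal and emits the warning, forcing a third run; re-registering the status after the modprobe task (shown below) avoids that. The three inner task names say "Disable USB Storage ... usb-storage" while the tasks act on `uas` (uas.conf, `blacklist uas`, `name: uas`); naming them after uas would make the role greppable. If the second `block:` really sits at the same level as `ansible.builtin.shell` as rendered here, Ansible will reject the task for having two actions — it presumably should be a sibling list item `- block:`, as in cis_1.1.10.yml.
```yaml
    - name: "PRELIM | AUDIT | Check if UAS kernel module is running"
      ansible.builtin.shell: "lsmod | grep -w '^uas'"
      # … unchanged: register, changed_when, failed_when, ignore_errors …

    # … unchanged: uas.conf, blacklist.conf and modprobe tasks …
          notify: Update_Initramfs

        - name: "PRELIM | AUDIT | Re-check UAS module after unload"
          ansible.builtin.shell: "lsmod | grep -w '^uas'"
          register: discovered_uas_status
          changed_when: false
          failed_when: false
```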
@@ -2,28 +2,56 @@ - name: "1.1.10 | PATCH | Disable USB Storage" block: - - name: "1.1.10 | PATCH | Disable USB Storage | Set modprobe config" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/usb_storage.conf - regexp: '^install usb-storage' - line: 'install usb-storage /bin/true' - create: true + - block: + - name: "1.1.10 | PATCH | Disable USB Storage | Set modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/usb_storage.conf + regexp: '^install usb-storage' + line: 'install usb-storage /bin/true' + create: true - - name: "1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - line: 'blacklist usb-storage' - insertafter: EOF + - name: "1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + line: 'blacklist usb-storage' + insertafter: EOF - - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module" - community.general.modprobe: - name: usb-storage - state: absent - when: ansible_connection != 'docker' - notify: Update_Initramfs + - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module" + community.general.modprobe: + name: usb-storage + state: absent + when: ansible_connection != 'docker' + when: + - debian11cis_rule_1_1_10 + - not debian11cis_allow_usb_storage + - discovered_uas_status.rc != 0 + notify: Update_Initramfs + + - name: "1.1.10 | AUDIT | Disable USB Storage | Warning Message" + ansible.builtin.debug: + msg: + - "Warning!! USB Attached SCSI (UAS) support is still detected." + - "Removing UAS may cause performance issues or prevent certain USB devices from functioning correctly." + - "UAS provides higher speeds and better I/O performance compared to traditional USB mass storage" + - "Ensure that this action is intentional and consider testing on non-critical systems before applying in production." 
+ - "Please review your setting for variable debian11cis_uas_remove and make sure it is set to true" + - "And rerun the Ansible playbook to properly remove usb_storage." + when: + - debian11cis_rule_1_1_10 + - not debian11cis_allow_usb_storage + - discovered_uas_status.rc == 0 + + - name: "1.1.10 | WARN | Disable USB Storage | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '1.1.10' + when: + - debian11cis_rule_1_1_10 + - not debian11cis_allow_usb_storage + - discovered_uas_status.rc == 0 when: - debian11cis_rule_1_1_10 - - not debian11cis_allow_usb_storage tags: - level1-server - level2-workstation
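Review bot: Each of the three inner tasks repeats `- debian11cis_rule_1_1_10` and `- not debian11cis_allow_usb_storage` in its own `when` while the outer block's `when` had `- not debian11cis_allow_usb_storage` removed; restoring that line on the outer block (which already carries `- debian11cis_rule_1_1_10`) and leaving only the `discovered_uas_status.rc` test on the inner tasks keeps the opt-out in one place and avoids the three copies drifting. The new anonymous `- block:` would read better with a name such as `"1.1.10 | PATCH | Disable USB Storage | Apply when UAS is not loaded"`. Every inner condition also dereferences `discovered_uas_status.rc`, which is only registered by the PRELIM task under the same `debian11cis_rule_1_1_10` gate; if that coupling is intended, a one-line comment above the block, `# discovered_uas_status is registered in tasks/prelim.yml`, tells the next reader where the fact comes from.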