From b5c0035d4b222a23fe9bf869b090fd1456b45686 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Dec 2024 13:06:01 +0000 Subject: [PATCH 1/2] Align with standards 
Signed-off-by: Mark Bolwell --- LICENSE | 2 +- defaults/main.yml | 9 +- handlers/main.yml | 18 ++-- tasks/auditd.yml | 18 +--- tasks/main.yml | 4 +- tasks/parse_etc_password.yml | 6 +- tasks/pre_remediation_audit.yml | 4 +- tasks/prelim.yml | 2 +- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 8 +- tasks/section_1/cis_1.3.x.yml | 4 +- tasks/section_1/cis_1.4.x.yml | 8 +- tasks/section_1/cis_1.5.x.yml | 8 +- tasks/section_1/cis_1.6.x.yml | 28 +++--- tasks/section_1/cis_1.7.x.yml | 6 +- tasks/section_1/cis_1.8.x.yml | 34 +++---- tasks/section_2/cis_2.1.2.x.yml | 2 +- tasks/section_2/cis_2.1.3.x.yml | 4 +- tasks/section_2/cis_2.2.x.yml | 6 +- tasks/section_2/cis_2.4.yml | 8 +- tasks/section_3/cis_3.1.x.yml | 18 ++-- tasks/section_3/cis_3.5.1.x.yml | 8 +- tasks/section_3/cis_3.5.2.x.yml | 4 +- tasks/section_3/cis_3.5.3.x.yml | 74 ++------------- tasks/section_4/cis_4.1.1.x.yml | 14 +-- tasks/section_4/cis_4.1.2.x.yml | 3 - tasks/section_4/cis_4.1.3.x.yml | 4 +- tasks/section_4/cis_4.1.4.x.yml | 54 +++-------- tasks/section_4/cis_4.2.1.x.yml | 10 +- tasks/section_4/cis_4.2.2.x.yml | 10 +- tasks/section_4/cis_4.2.3.yml | 6 +- tasks/section_5/cis_5.1.x.yml | 32 +++---- tasks/section_5/cis_5.2.x.yml | 14 +-- tasks/section_5/cis_5.3.x.yml | 9 +- tasks/section_5/cis_5.4.x.yml | 22 ++--- tasks/section_5/cis_5.5.x.yml | 74 +++++++-------- tasks/section_6/cis_6.1.x.yml | 80 ++++++++-------- tasks/section_6/cis_6.2.x.yml | 95 +++++++++---------- templates/ansible_vars_goss.yml.j2 | 6 +- templates/audit/99_auditd.rules.j2 | 6 +- .../etc/chrony/sources.d/pool.sources.j2 | 2 +- .../etc/chrony/sources.d/server.sources.j2 | 2 +- templates/etc/dconf/db/00-automount_lock.j2 | 2 +- templates/etc/dconf/db/00-autorun_lock.j2 | 2 +- templates/etc/dconf/db/00-media-automount.j2 | 2 +- templates/etc/dconf/db/00-media-autorun.j2 | 2 +- templates/etc/dconf/db/00-screensaver.j2 | 2 +- templates/etc/dconf/db/00-screensaver_lock.j2 | 2 +- templates/etc/grub.d/00_user.j2 | 
2 +- .../etc/sysctl.d/60-disable_ipv6.conf.j2 | 2 +- .../timesyncd.conf.d/50-timesyncd.conf.j2 | 2 +- vars/main.yml | 8 ++ 52 files changed, 323 insertions(+), 431 deletions(-) diff --git a/LICENSE b/LICENSE index 4f5e4fd..7e51eb7 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2022 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/defaults/main.yml b/defaults/main.yml index 700c969..4e5b420 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -750,11 +750,10 @@ debian11cis_passwd_setpam_hash_algo: false # warn_age is how many days before pw expiry the user will be warned. Set to 7 or more to conform to CIS standards # Control 5.5.1.4 # inactive the number of days of inactivity before the account will lock. Set to 30 day sor less to conform to CIS standards -debian11cis_pass: - max_days: 365 - min_days: 1 - warn_age: 7 - inactive: 30 +debian11cis_pass_max_days: 365 +debian11cis_pass_min_days: 1 +debian11cis_pass_warn_age: 7 +debian11cis_pass_inactive: 30 # Control 5.5.4 # debian11cis_bash_umask is the umask to set in the /etc/bash.bashrc and /etc/profile. diff --git a/handlers/main.yml b/handlers/main.yml index 83a28f9..7576cb6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
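Review bot: The `debian11cis_pass` mapping is replaced by four flat variables, so any inventory or group_vars file that still sets `debian11cis_pass: {max_days: 90, ...}` will be silently ignored and the role will apply the 365/1/7/30 defaults instead, which quietly weakens password ageing for users who had tightened it. A guard in prelim such as `ansible.builtin.assert: { that: debian11cis_pass is not defined, fail_msg: "debian11cis_pass has been split into debian11cis_pass_max_days/min_days/warn_age/inactive" }` would make an outdated override fail loudly rather than be dropped. The section 5 tasks that consume the new names are not in this hunk.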
@@ -100,33 +100,33 @@ - name: Iptables persistent ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" - changed_when: debian11cis_iptables_save.rc == 0 - failed_when: debian11cis_iptables_save.rc > 0 - register: debian11cis_iptables_save + changed_when: discovered_ip4tables_save.rc == 0 + failed_when: discovered_ip4tables_save.rc > 0 + register: discovered_ip4tables_save - name: Ip6tables persistent ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" - changed_when: debian11cis_ip6tables_save.rc == 0 - failed_when: debian11cis_ip6tables_save.rc > 0 - register: debian11cis_ip6tables_save + changed_when: discovered_ip6tables_save.rc == 0 + failed_when: discovered_ip6tables_save.rc > 0 + register: discovered_ip6tables_save - name: Auditd rules reload ansible.builtin.shell: augenrules --load when: - - debian11cis_rule_4_1_3_21_augen_check is not defined + - discovered_auditd_diff_check is not defined - name: Audit_immutable_fact ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" notify: change_requires_reboot when: - - audit_rules_updated.changed + - discovered_audit_rules_updated.changed - auditd_immutable_check is defined - name: Restart auditd ansible.builtin.shell: service auditd restart when: - - audit_rules_updated is defined + - discovered_audit_rules_updated is defined tags: - skip_ansible_lint diff --git a/tasks/auditd.yml b/tasks/auditd.yml index d28d57f..e25d64a 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -7,7 +7,7 @@ owner: root group: root mode: '0640' - register: audit_rules_updated + register: discovered_audit_rules_updated notify: - Auditd rules reload - Audit_immutable_fact 
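Review bot: `Audit_immutable_fact` still keys on `auditd_immutable_check is defined` while its neighbouring condition and every other register in this hunk moved to the `discovered_` prefix; if the task that sets it elsewhere in the role was renamed in the same sweep, the "reboot required" notification for immutable audit rules would stop firing without any error. Where it is set is not visible here, so either confirm it was deliberately left alone or rename it to `discovered_auditd_immutable_check` in both places. A one-line comment on the handler naming the task that defines the variable would also help the next reader.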
@@ -25,19 +25,3 @@ when: - allow_auditd_uid_user_exclusions - debian11ciscis_auditd_uid_exclude | length > 0 - -# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable" -# block: -# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Get status" -# ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules -# changed_when: false -# failed_when: false -# register: debian11ciscis_auditd_immutable_check - -# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Set reboot required" -# ansible.builtin.debug: -# msg: "Reboot required for auditd to apply new rules as immutable set" -# notify: change_requires_reboot -# when: debian11ciscis_auditd_immutable_check.stdout == '1' -# when: -# - debian11ciscis_audit_rules_update.changed diff --git a/tasks/main.yml b/tasks/main.yml index df7a7eb..3435399 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -25,11 +25,11 @@ changed_when: false failed_when: false check_mode: false - register: ansible_user_password_set + register: discovered_ansible_user_password_set - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" ansible.builtin.assert: - that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" + that: discovered_ansible_user_password_set.stdout | length != 0 and discovered_ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for sudo user {{ ansible_env.SUDO_USER }}" vars: diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 7bb0758..92d67c8 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml 
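Review bot: The assertion in tasks/main.yml promises "account not locked" but only tests for the literal `!!`; an account locked with `passwd -l` carries a `!`-prefixed hash and `*` also denies password login, and neither is caught, so the sudo-password rule could still lock the operator out. Assuming stdout is the shadow password field (the producing command sits above this hunk), a tighter check is `that: discovered_ansible_user_password_set.stdout | length != 0 and not (discovered_ansible_user_password_set.stdout is match('^[!*]'))`. The rename itself is fine.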
@@ -6,13 +6,13 @@ ansible.builtin.shell: cat /etc/passwd changed_when: false check_mode: false - register: debian11cis_passwd_file_audit + register: discovered_passwd_file_audit - name: "PRELIM | Parse /etc/passwd | Split passwd entries" ansible.builtin.set_fact: - debian11cis_passwd: "{{ debian11cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" + debian11cis_passwd: "{{ discovered_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" - with_items: "{{ debian11cis_passwd_file_audit.stdout_lines }}" + with_items: "{{ discovered_passwd_file_audit.stdout_lines }}" vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index a745826..319ea1c 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -60,11 +60,11 @@ - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: path: "{{ audit_bin }}" - register: goss_available + register: discovered_goss_available - name: Pre Audit Setup | If audit ensure goss is available when: - - not goss_available.stat.exists + - not discovered_goss_available.stat.exists ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 978cb7f..c2d9b6c 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -228,7 +228,7 @@ regexp: ^IPT_SYSCTL=.* line: IPT_SYSCTL=/etc/sysctl.conf create: true - mode: '0640' + mode: 'u-x,g-wx,o-rwx' owner: root group: root when: diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index f2c4045..f814108 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml 
@@ -32,7 +32,7 @@ dest: /etc/systemd/system/tmp.mount owner: root group: root - mode: 0644 + mode: 'u-x,go-wx' notify: Remount tmp with_items: - "{{ ansible_facts.mounts }}" diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 38ccda6..61b5409 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -7,14 +7,14 @@ changed_when: false failed_when: false check_mode: false - register: debian11cis_1_2_1_apt_policy + register: discovered_apt_policy - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" ansible.builtin.debug: msg: - "Warning!! Below are the apt package repositories" - "Please review to make sure they conform to your sites policies" - - "{{ debian11cis_1_2_1_apt_policy.stdout_lines }}" + - "{{ discovered_apt_policy.stdout_lines }}" - name: "1.2.1 | WARN | Ensure package manager repositories are configured | warn_count" ansible.builtin.import_tasks: @@ -38,7 +38,7 @@ changed_when: false failed_when: false check_mode: false - register: debian11cis_1_2_2_apt_gpgkeys + register: discovered_apt_gpgkeys - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" ansible.builtin.debug: @@ -46,7 +46,7 @@ - "Warning!! Below are the apt gpg keys configured" - "Please review to make sure they are configured" - "in accordance with site policy" - - "{{ debian11cis_1_2_2_apt_gpgkeys.stdout_lines }}" + - "{{ discovered_apt_gpgkeys.stdout_lines }}" - name: "1.2.2 | WARN | Ensure GPG keys are configured | warn_count" ansible.builtin.import_tasks: diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 696b452..927ca22 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml 
@@ -7,7 +7,7 @@ name: ['aide', 'aide-common'] state: present update_cache: true - register: debian11cis_rule_1_3_1_aide_added + register: discovered_aide_installed when: - "'aide' not in ansible_facts.packages or 'aide-common' not in ansible_facts.packages" @@ -15,7 +15,7 @@ - name: "1.3.1 | PATCH | Ensure AIDE is installed | Recapture packages" ansible.builtin.package_facts: manager: auto - when: debian11cis_rule_1_3_1_aide_added.skipped is not defined + when: discovered_aide_installed.skipped is not defined - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" ansible.builtin.shell: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 639ea2e..a776ccb 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -8,7 +8,7 @@ dest: "{{ debian11cis_grub_user_file }}" owner: root group: root - mode: 0755 + mode: 'u+x,go-w' notify: Grub update - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot" @@ -36,16 +36,16 @@ ansible.builtin.stat: path: "{{ debian11cis_grub_file }}" check_mode: false - register: debian11cis_1_4_2_grub_cfg_status + register: discovered_grub_cfg_status - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | Set permissions" ansible.builtin.file: path: "{{ debian11cis_grub_file }}" owner: root group: root - mode: '0400' + mode: 'go-wx' when: - - debian11cis_1_4_2_grub_cfg_status.stat.exists + - discovered_grub_cfg_status.stat.exists when: - debian11cis_rule_1_4_2 tags: diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index d520fcc..a2e5350 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -52,7 +52,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' - name: "1.5.3 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package" ansible.builtin.package: 
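Review bot: In the 1.4.2 "Set permissions" task the grub config mode drops from `'0400'` to `'go-wx'`, which removes only write and execute from group and other and leaves read bits untouched; symbolic modes are relative, so a grub.cfg that is currently 0644 stays world-readable and the control no longer enforces the permission it is meant to. Use `mode: 'u-x,go-rwx'` (or keep `'0400'`) so group/other read is cleared as before. The prelim hunk in this same patch already uses the `'u-x,g-wx,o-rwx'` form for the sysctl file, so this may simply be an oversight.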
@@ -91,7 +91,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' - name: "1.5.4 | PATCH | Ensure core dumps are restricted | sysctl.conf" ansible.builtin.lineinfile: @@ -100,7 +100,7 @@ line: fs.suid_dumpable=0 owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Reload systemctl - name: "1.5.4 | PATCH | Ensure core dumps are restricted | coredump.conf" @@ -111,7 +111,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' loop: - { regexp: '^Storage', line: 'Storage=none' } - { regexp: '^ProcessSizeMax', line: 'ProcessSizeMax=0' } diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index c77cb9a..a963f64 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -23,7 +23,7 @@ changed_when: false failed_when: false check_mode: false - register: debian11cis_1_6_1_2_cmdline_settings + register: discovered_grub_cmdline_settings - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" ansible.builtin.lineinfile: @@ -32,7 +32,7 @@ line: \1apparmor=1 \3 backrefs: true notify: Grub update - when: debian11cis_1_6_1_2_cmdline_settings.stdout is not search('apparmor=') + when: discovered_grub_cmdline_settings.stdout is not search('apparmor=') - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set security settings if none exist" ansible.builtin.lineinfile: 
@@ -41,17 +41,17 @@ line: \1security=apparmor \3 backrefs: true notify: Grub update - when: debian11cis_1_6_1_2_cmdline_settings.stdout is not search('security=') + when: discovered_grub_cmdline_settings.stdout is not search('security=') - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ debian11cis_1_6_1_2_cmdline_settings.stdout }}"' + line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ discovered_grub_cmdline_settings.stdout }}"' insertafter: '^GRUB_' when: - - "'apparmor' not in debian11cis_1_6_1_2_cmdline_settings.stdout" - - "'security' not in debian11cis_1_6_1_2_cmdline_settings.stdout" + - "'apparmor' not in discovered_grub_cmdline_settings.stdout" + - "'security' not in discovered_grub_cmdline_settings.stdout" notify: Grub update - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Replace apparmor settings when exists" @@ -63,8 +63,8 @@ - { regexp: 'apparmor=\w+', replace: 'apparmor=1' } - { regexp: 'security=\w+', replace: 'security=apparmor' } when: - - "'apparmor' in debian11cis_1_6_1_2_cmdline_settings.stdout or - 'security' in debian11cis_1_6_1_2_cmdline_settings.stdout" + - "'apparmor' in discovered_grub_cmdline_settings.stdout or + 'security' in discovered_grub_cmdline_settings.stdout" notify: Grub update when: - debian11cis_rule_1_6_1_2 @@ -83,7 +83,7 @@ ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: debian11cis_1_6_1_3_pre_count + register: discovered_apparmor_pre_count - name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Apply enforcing to /etc/apparmor.d profiles" ansible.builtin.shell: aa-enforce /etc/apparmor.d/* 
@@ -94,13 +94,13 @@ ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: debian11cis_1_6_1_3_post_count + register: discovered_apparmor_pre_count - name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | This flags for idempotency" ansible.builtin.debug: msg: Changed! The profiles in /etc/apparmor.d were set to enforcing changed_when: true - when: debian11cis_1_6_1_3_pre_count.stdout != debian11cis_1_6_1_3_post_count.stdout + when: discovered_apparmor_pre_count.stdout != discovered_apparmor_pre_count.stdout when: - debian11cis_rule_1_6_1_3 - not debian11cis_apparmor_disable @@ -119,7 +119,7 @@ ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: debian11cis_1_6_1_4_pre_count + register: discovered_apparmor_pre_count - name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Apply enforcing to /etc/apparmor.d profiles" ansible.builtin.shell: aa-enforce /etc/apparmor.d/* @@ -130,13 +130,13 @@ ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: debian11cis_1_6_1_4_post_count + register: discovered_apparmor_pre_count - name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | This flags for idempotency" ansible.builtin.debug: msg: Changed! The profiles in /etc/apparmor.d were set to enforcing changed_when: true - when: debian11cis_1_6_1_4_pre_count.stdout != debian11cis_1_6_1_4_post_count.stdout + when: discovered_apparmor_pre_count.stdout != discovered_apparmor_pre_count.stdout when: - debian11cis_rule_1_6_1_4 - not debian11cis_apparmor_disable diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index f097333..7eab80f 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml 
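Review bot: In the 1.6.1.3 post-count task the register was renamed to `discovered_apparmor_pre_count`, the same name as the pre-count register, so the idempotency check compares a variable with itself (`discovered_apparmor_pre_count.stdout != discovered_apparmor_pre_count.stdout`) and can never report a change. The second shell task should `register: discovered_apparmor_post_count` and the debug task use `when: discovered_apparmor_pre_count.stdout != discovered_apparmor_post_count.stdout`. The 1.6.1.4 hunks further down this line contain the identical mistake and need the same fix.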
@@ -61,7 +61,7 @@ path: /etc/motd owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - debian11cis_rule_1_7_4 tags: @@ -78,7 +78,7 @@ path: /etc/issue owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - debian11cis_rule_1_7_5 tags: @@ -95,7 +95,7 @@ path: /etc/issue.net owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - debian11cis_rule_1_7_6 tags: diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 537ecb5..37e0c9e 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -23,7 +23,7 @@ path: "/etc/dconf/db/{{ debian11cis_dconf_db_name }}.d" owner: root group: root - mode: '0755' + mode: 'u+x,go-w' state: directory - name: "1.8.2 | PATCH | Ensure GDM login banner is configured | banner settings" @@ -35,7 +35,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' loop: - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} @@ -59,7 +59,7 @@ path: "{{ item }}" owner: root group: root - mode: '0755' + mode: 'u+x,go-w' state: directory loop: - /etc/dconf/db/{{ debian11cis_dconf_db_name }}.d @@ -74,7 +74,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' loop: - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } - { regexp: 'disable-user-list', line: 'disable-user-list=true', insertafter: '\[org\/gnome\/login-screen\]'} @@ -88,7 +88,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' loop: - { regexp: '^user-db:user', line: 'user-db:user', insertafter: EOF } - { regexp: '^system-db:{{ debian11cis_dconf_db_name }}', line: 'system-db:{{ debian11cis_dconf_db_name }}', insertafter: 'user-db:user'} 
@@ -122,7 +122,7 @@ path: "/etc/dconf/db/{{ debian11cis_dconf_db_name }}.d" owner: root group: root - mode: 0755 + mode: 'u+x,go-w' state: directory notify: Update dconf @@ -132,7 +132,7 @@ dest: "/etc/dconf/db/{{ debian11cis_dconf_db_name }}.d/00-screensaver" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf when: - debian11cis_rule_1_8_4 @@ -152,7 +152,7 @@ path: "/etc/dconf/db/{{ debian11cis_dconf_db_name }}.d/locks" owner: root group: root - mode: '0755' + mode: 'u+x,go-w' state: directory notify: Update dconf @@ -162,7 +162,7 @@ dest: "/etc/dconf/db/{{ debian11cis_dconf_db_name }}.d/locks/00-screensaver" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf when: - debian11cis_rule_1_8_5 @@ -182,7 +182,7 @@ path: "/etc/dconf/db/{{ debian11cis_dconf_db_name }}.d" owner: root group: root - mode: 0755 + mode: 'u+x,go-w' state: directory notify: Update dconf @@ -192,7 +192,7 @@ dest: "/etc/dconf/db/{{ debian11cis_dconf_db_name }}.d/00-media-automount" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf when: - debian11cis_rule_1_8_6 @@ -212,7 +212,7 @@ path: "/etc/dconf/db/{{ debian11cis_dconf_db_name }}.d/locks" owner: root group: root - mode: '0755' + mode: 'u+x,go-w' state: directory notify: Update dconf @@ -222,7 +222,7 @@ dest: "/etc/dconf/db/{{ debian11cis_dconf_db_name }}.d/locks/00-automount_lock" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf when: - debian11cis_rule_1_8_7 @@ -242,7 +242,7 @@ path: "/etc/dconf/db/{{ debian11cis_dconf_db_name }}.d" owner: root group: root - mode: 0755 + mode: 'u+x,go-w' state: directory notify: Update dconf @@ -252,7 +252,7 @@ dest: "/etc/dconf/db/{{ debian11cis_dconf_db_name }}.d/00-media-autorun" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf when: - debian11cis_rule_1_8_8 
@@ -272,7 +272,7 @@ path: "/etc/dconf/db/{{ debian11cis_dconf_db_name }}.d/locks" owner: root group: root
- mode: 0755
+ mode: 'u+x,go-w'
 state: directory notify: Update dconf
@@ -282,7 +282,7 @@ dest: "/etc/dconf/db/{{ debian11cis_dconf_db_name }}.d/locks/00-autorun_lock" owner: root group: root
- mode: 0644
+ mode: 'u-x,go-wx'
 notify: Update dconf when: - debian11cis_rule_1_8_9
diff --git a/tasks/section_2/cis_2.1.2.x.yml b/tasks/section_2/cis_2.1.2.x.yml
index 4e97984..cfa7d0d 100644
--- a/tasks/section_2/cis_2.1.2.x.yml
+++ b/tasks/section_2/cis_2.1.2.x.yml
@@ -6,7 +6,7 @@ ansible.builtin.template: src: "{{ item }}.j2" dest: "/{{ item }}"
- mode: '0644'
+ mode: 'u-x,go-wx'
 owner: root group: root loop:
diff --git a/tasks/section_2/cis_2.1.3.x.yml b/tasks/section_2/cis_2.1.3.x.yml
index 1d6fb2e..bb3a714 100644
--- a/tasks/section_2/cis_2.1.3.x.yml
+++ b/tasks/section_2/cis_2.1.3.x.yml
@@ -7,14 +7,14 @@ path: /etc/systemd/timesyncd.conf.d owner: root group: root
- mode: '0755'
+ mode: 'u+x,go-w'
 state: directory - name: "2.1.3.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver | sources" ansible.builtin.template: src: "{{ item }}.j2" dest: "/{{ item }}"
- mode: '0644'
+ mode: 'u-x,go-wx'
 owner: root group: root loop:
diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml
index 4d096df..6513746 100644
--- a/tasks/section_2/cis_2.2.x.yml
+++ b/tasks/section_2/cis_2.2.x.yml
@@ -283,7 +283,7 @@ - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | check 25 listening" ansible.builtin.shell: "ss -lntuH state listening sport = :25"
- register: debian11cis_rule_2_2_15_port_25_listen
+ register: discovered_port_25_listen
 changed_when: false - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed"
@@ -320,8 +320,8 @@ - "Warning!! You are not using either exim4 or postfix" - "Please review your vendors documentation to configure local-only mode" when:
- - debian11cis_rule_2_2_15_port_25_listen is defined
- - debian11cis_rule_2_2_15_port_25_listen | length > 0
+ - discovered_port_25_listen is defined
+ - discovered_port_25_listen | length > 0
 - "'exim4' not in ansible_facts.packages" - "'postfix' not in ansible_facts.packages"
diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml
index e2a8afd..a6095b1 100644
--- a/tasks/section_2/cis_2.4.yml
+++ b/tasks/section_2/cis_2.4.yml
@@ -7,19 +7,19 @@ changed_when: false failed_when: false check_mode: false
- register: debian11cis_2_3_services
+ register: discovered_listening_services
 - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Message out running services" ansible.builtin.debug: msg: - "Warning!! Below are the running services. Please review and remove as well as mask un-needed services"
- - "{{ debian11cis_2_3_services.stdout_lines }}"
- when: debian11cis_2_3_services.stdout | length > 0
+ - "{{ discovered_listening_services.stdout_lines }}"
+ when: discovered_listening_services.stdout | length > 0
 - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Set warning count" ansible.builtin.import_tasks: file: warning_facts.yml
- when: debian11cis_2_3_services.stdout | length > 0
+ when: discovered_listening_services.stdout | length > 0
 vars: warn_control_id: '2.4' when:
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
index bf2abd0..9e5b150 100644
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
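Review bot: `discovered_port_25_listen | length > 0` measures the registered result dictionary, which always carries several keys (rc, stdout, stderr, ...), so the "not using exim4 or postfix" warning fires even when nothing listens on port 25; the condition was carried over verbatim with the rename. Test the `ss` output itself with `- discovered_port_25_listen.stdout | length > 0`. The enclosing block's `when:` continues past the end of this hunk.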
@@ -8,7 +8,7 @@ regexp: '^(GRUB_CMDLINE_LINUX=.*)\bipv6\.disable=\d\b(.*$)' replace: '\1ipv6.disable=1\2' when: debian11cis_ipv6_disable == 'grub' - register: ipv6disable_replaced + register: discovered_ipv6disable_replaced notify: Grub update - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Check grub cmdline linux" @@ -16,7 +16,7 @@ changed_when: false failed_when: false check_mode: false - register: debian11cis_3_1_1_cmdline_settings + register: discovered_grub_cmdline_settings when: debian11cis_ipv6_disable == 'grub' - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist" @@ -27,8 +27,8 @@ backrefs: true when: - debian11cis_ipv6_disable == 'grub' - - ipv6disable_replaced is not changed - - "'ipv6.disable' not in debian11cis_3_1_1_cmdline_settings.stdout" + - discovered_ipv6disable_replaced is not changed + - "'ipv6.disable' not in discovered_grub_cmdline_settings.stdout" notify: Grub update - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Remove net.ipv6.conf.all.disable_ipv6" @@ -37,7 +37,7 @@ dest: "/{{ item }}" owner: root group: root - mode: '0640' + mode: 'u-x,g-wx,o-rwx' notify: Flush ipv6 route table loop: - etc/sysctl.d/60-disable_ipv6.conf 
@@ -59,16 +59,16 @@ changed_when: false failed_when: false check_mode: false
- register: debian11cis_3_1_2_wifi_status
+ register: discovered_wifi_status
 when: "'network-manager' in ansible_facts.packages" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" ansible.builtin.shell: nmcli radio all off
- changed_when: debian11cis_3_1_2_nmcli_radio_off.rc == 0
- register: debian11cis_3_1_2_nmcli_radio_off
+ changed_when: discovered_nmcli_radio_off.rc == 0
+ register: discovered_nmcli_radio_off
 when: - "'network-manager' in ansible_facts.packages"
- - "'enabled' in debian11cis_3_1_2_wifi_status.stdout"
+ - "'enabled' in discovered_wifi_status.stdout"
 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" ansible.builtin.debug:
diff --git a/tasks/section_3/cis_3.5.1.x.yml b/tasks/section_3/cis_3.5.1.x.yml
index 854a25d..421654a 100644
--- a/tasks/section_3/cis_3.5.1.x.yml
+++ b/tasks/section_3/cis_3.5.1.x.yml
@@ -131,14 +131,14 @@ changed_when: false failed_when: false check_mode: false
- register: debian11cis_3_5_1_6_open_listen_ports
+ register: discovered_ufw_open_listen_ports
 - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules" ansible.builtin.shell: ufw status changed_when: false failed_when: false check_mode: false
- register: debian11cis_3_5_1_6_firewall_rules
+ register: discovered_ufw_status
 - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings" ansible.builtin.debug:
@@ -146,9 +146,9 @@ - "Warning!! Below are the listening ports and firewall rules" - "Please create firewall rule for any open ports if not already done" - "*****---Open Listen Ports---*****"
- - "{{ debian11cis_3_5_1_6_open_listen_ports.stdout_lines }}"
+ - "{{ discovered_ufw_open_listen_ports.stdout_lines }}"
 - "*****---Firewall Rules---*****"
- - "{{ debian11cis_3_5_1_6_firewall_rules.stdout_lines }}"
+ - "{{ discovered_ufw_status.stdout_lines }}"
 - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks:
diff --git a/tasks/section_3/cis_3.5.2.x.yml b/tasks/section_3/cis_3.5.2.x.yml
index 4c92105..4d57498 100644
--- a/tasks/section_3/cis_3.5.2.x.yml
+++ b/tasks/section_3/cis_3.5.2.x.yml
@@ -82,10 +82,10 @@ ansible.builtin.debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables | Message out warning" # ansible.builtin.shell: "nft create table {{ debian11cis_nftables_table_name }}"
- # changed_when: debian11cis_3_5_2_4_new_table.rc == 0
+ # changed_when: discovered_new_nftables_table.rc == 0
 # failed_when: false # check_mode: false
- # register: debian11cis_3_5_2_4_new_table
+ # register: discovered_new_nftables_table
 - name: "3.5.2.4 | AUDIT | Ensure a nftables table exists | Set warning count" ansible.builtin.import_tasks:
diff --git a/tasks/section_3/cis_3.5.3.x.yml b/tasks/section_3/cis_3.5.3.x.yml
index 4ca7d95..5e3f3ed 100644
--- a/tasks/section_3/cis_3.5.3.x.yml
+++ b/tasks/section_3/cis_3.5.3.x.yml
@@ -166,14 +166,14 @@ changed_when: false failed_when: false check_mode: false
- register: debian11cis_3_5_3_2_4_open_ports
+ register: ddiscovered_ipv4_iptables_open_ports
 - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" ansible.builtin.shell: iptables -L INPUT -v -n changed_when: false failed_when: false check_mode: false
- register: debian11cis_3_5_3_2_4_current_rules
+ register: discovered_ipv4_iptables_current_rules
 - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug:
@@ -181,9 +181,9 @@ - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:"
- - "{{ debian11cis_3_5_3_2_4_open_ports.stdout_lines }}"
+ - "{{ ddiscovered_ipv4_iptables_open_ports.stdout_lines }}"
 - "Current Rules:"
- - "{{ debian11cis_3_5_3_2_4_current_rules.stdout_lines }}"
+ - "{{ discovered_ipv4_iptables_current_rules.stdout_lines }}"
 - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks:
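Review bot: The register name `ddiscovered_ipv4_iptables_open_ports` has a doubled `d`; both occurrences agree so the play still runs, but it breaks the `discovered_` prefix convention this patch introduces and will be missed by anyone grepping for the new names. Rename it in the register and in the debug message to `discovered_ipv4_iptables_open_ports`, matching its ip6tables counterpart `discovered_ipv6_iptables_open_ports` later in the same file.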
@@ -202,33 +202,6 @@ - rule_3.5.3.2.4 - iptables -# --------------- -# --------------- -# This is not a control however using the iptables module only writes to memery -# if a reboot occurs that means changes can revert. This task will make the -# above iptables settings permanent -# --------------- -# --------------- -# - name: "Make IPTables persistent | Not a control" -# block: -# - name: "Make IPTables persistent | Install iptables-persistent" -# ansible.builtin.package: -# name: iptables-persistent -# state: present - -# - name: "Make IPTables persistent | Save to persistent files" -# ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" -# changed_when: debian11cis_iptables_save.rc == 0 -# failed_when: debian11cis_iptables_save.rc > 0 -# register: debian11cis_iptables_save -# when: -# - debian11cis_firewall_package == "iptables" -# - debian11cis_save_iptables_cis_rules -# - debian11cis_rule_3_5_3_2_1 or -# debian11cis_rule_3_5_3_2_2 or -# debian11cis_rule_3_5_3_2_3 or -# debian11cis_rule_3_5_3_2_4 - - name: "3.5.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy" block: - name: "3.5.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" @@ -348,14 +321,14 @@ changed_when: false failed_when: false check_mode: false - register: debian11cis_3_5_3_3_4_open_ports + register: discovered_ipv6_iptables_open_ports - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" ansible.builtin.shell: ip6tables -L INPUT -v -n changed_when: false failed_when: false check_mode: false - register: debian11cis_3_5_3_3_4_current_rules + register: discovered_ipv6_iptables_current_rules - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: 
@@ -363,9 +336,9 @@
 - "Warning!! Below is the list the open ports and current rules"
 - "Please create a rule for any open port that does not have a current rule"
 - "Open Ports:"
- - "{{ debian11cis_3_5_3_3_4_open_ports.stdout_lines }}"
+ - "{{ discovered_ipv6_iptables_open_ports.stdout_lines }}"
 - "Current Rules:"
- - "{{ debian11cis_3_5_3_3_4_current_rules.stdout_lines }}"
+ - "{{ discovered_ipv6_iptables_current_rules.stdout_lines }}"
 - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count"
 ansible.builtin.import_tasks:
@@ -384,34 +357,3 @@
 - audit
 - rule_3.5.3.3.4
 - ip6tables
-
-# ---------------
-# ---------------
-# This is not a control however using the ip6tables module only writes to memery
-# if a reboot occurs that means changes can revert. This task will make the
-# above ip6tables settings permanent
-# ---------------
-# ---------------
-# via handler
-# - name: "Make IP6Tables persistent | Not a control"
-# block:
-# - name: "Make IP6Tables persistent | Install iptables-persistent"
-# ansible.builtin.package:
-# name: iptables-persistent
-# state: present
-# when: "'iptables-persistent' not in ansible_facts.packages"
-
-# - name: "Make IP6Tables persistent | Save to persistent files"
-# ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
-# changed_when: debian11cis_ip6tables_save.rc == 0
-# failed_when: debian11cis_ip6tables_save.rc > 0
-# register: debian11cis_ip6tables_save
-# when:
-# - debian11cis_firewall_package == "iptables"
-# - debian11cis_ipv6_required
-# - not debian11cis_ipv4_required
-# - debian11cis_save_iptables_cis_rules
-# - debian11cis_rule_3_5_3_3_1 or
-# debian11cis_rule_3_5_3_3_2 or
-# debian11cis_rule_3_5_3_3_3 or
-# debian11cis_rule_3_5_3_3_4
diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml
index 3bcaf49..ade5afa 100644
--- a/tasks/section_4/cis_4.1.1.x.yml
+++ b/tasks/section_4/cis_4.1.1.x.yml
@@ -38,14 +38,14 @@
 changed_when: false
 failed_when: false
 check_mode: false
- register: debian11cis_4_1_1_3_cmdline_settings
+ register: discovered_grub_cmdline_settings
 - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist"
 ansible.builtin.lineinfile:
 path: /etc/default/grub
 regexp: '^GRUB_CMDLINE_LINUX='
- line: 'GRUB_CMDLINE_LINUX="{{ debian11cis_4_1_1_3_cmdline_settings.stdout }} audit=1"'
- when: "'audit=' not in debian11cis_4_1_1_3_cmdline_settings.stdout"
+ line: 'GRUB_CMDLINE_LINUX="{{ discovered_grub_cmdline_settings.stdout }} audit=1"'
+ when: "'audit=' not in discovered_grub_cmdline_settings.stdout"
 notify: Grub update
 - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists"
@@ -56,7 +56,7 @@
 after: '^GRUB_CMDLINE_LINUX="'
 before: '"'
 notify: Grub update
- when: "'audit=' in debian11cis_4_1_1_3_cmdline_settings.stdout"
+ when: "'audit=' in discovered_grub_cmdline_settings.stdout"
 when:
 - debian11cis_rule_4_1_1_3
 tags:
@@ -74,15 +74,15 @@
 changed_when: false
 failed_when: false
 check_mode: false
- register: debian11cis_4_1_1_4_cmdline_settings
+ register: discovered_grub_cmdline_settings
 - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist"
 ansible.builtin.lineinfile:
 path: /etc/default/grub
 regexp: '^GRUB_CMDLINE_LINUX='
- line: 'GRUB_CMDLINE_LINUX="{{ debian11cis_4_1_1_4_cmdline_settings.stdout }} audit_backlog_limit={{ debian11cis_audit_back_log_limit }}"'
+ line: 'GRUB_CMDLINE_LINUX="{{ discovered_grub_cmdline_settings.stdout }} audit_backlog_limit={{ debian11cis_audit_back_log_limit }}"'
 notify: Grub update
- when: "'audit_backlog_limit=' not in debian11cis_4_1_1_4_cmdline_settings.stdout"
+ when: "'audit_backlog_limit=' not in discovered_grub_cmdline_settings.stdout"
 - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists"
 ansible.builtin.replace:
diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml
index 07b691d..8c63f91 100644
--- a/tasks/section_4/cis_4.1.2.x.yml
+++ b/tasks/section_4/cis_4.1.2.x.yml
@@ -6,7 +6,6 @@
 regexp: "^max_log_file( |=)"
 line: "max_log_file = {{ debian11cis_max_log_file_size }}"
 state: present
- register: rule_4_1_2_1
 notify: Restart auditd
 when:
 - debian11cis_rule_4_1_2_1
@@ -23,7 +22,6 @@
 path: /etc/audit/auditd.conf
 regexp: '^max_log_file_action'
 line: "max_log_file_action = {{ debian11cis_auditd['max_log_file_action'] }}"
- register: rule_4_1_2_2
 notify: Restart auditd
 when:
 - debian11cis_rule_4_1_2_2
@@ -40,7 +38,6 @@
 path: /etc/audit/auditd.conf
 regexp: "{{ item.regexp }}"
 line: "{{ item.line }}"
- register: rule_4_1_2_3
 notify: Restart auditd
 with_items:
 - { regexp: '^space_left_action', line: "space_left_action = {{ debian11cis_auditd['space_left_action'] }}" }
diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml
index fc49017..d63f2b3 100644
--- a/tasks/section_4/cis_4.1.3.x.yml
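Review bot: The 4.1.1.4 "Update setting if exists" task starts on the last lines of the first hunk and its body is outside the hunk; if that body still has a `when` referring to the old `debian11cis_4_1_1_4_cmdline_settings` (the 4.1.1.3 twin did, and that one was updated in the previous hunk), it is now an undefined variable at runtime, so please check the lines that follow. Both 4.1.1.3 and 4.1.1.4 now register into the same `discovered_grub_cmdline_settings`; that is fine because each control re-reads the grub line before using it, but a comment on the second register such as `# re-read on purpose: 4.1.1.3 may have rewritten GRUB_CMDLINE_LINUX` would make the deliberate reuse obvious.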
+++ b/tasks/section_4/cis_4.1.3.x.yml
@@ -71,7 +71,7 @@
 block:
 - name: "4.1.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs"
 ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done | grep -vw '/snap'
- register: priv_procs
+ register: discovered_privilege_process
 changed_when: false
 check_mode: false
@@ -274,7 +274,7 @@
 - name: "4.1.3.21 | PATCH | Ensure the running and on disk configuration is the same"
 ansible.builtin.shell: augenrules --check
 changed_when: false
- register: debian11cis_rule_4_1_3_21_augen_check
+ register: discovered_auditd_diff_check
 when:
 - debian11cis_rule_4_1_3_21
 tags:
diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml
index 82dab1d..d8afddc 100644
--- a/tasks/section_4/cis_4.1.4.x.yml
+++ b/tasks/section_4/cis_4.1.4.x.yml
@@ -15,7 +15,7 @@
 ansible.builtin.stat:
 path: "{{ audit_discovered_logfile.stdout }}"
 changed_when: false
- register: audit_logfile
+ register: discovered_audit_logfile
 - name: |
 "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive"
@@ -23,7 +23,7 @@
 "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
 ansible.builtin.file:
 path: "{{ audit_discovered_logfile.stdout }}"
- mode: "{% if audit_logfile.stat.mode > '0640' %}0640{% endif %}"
+ mode: 'u-x,g-wx,o-rwx'
 owner: root
 group: root
 when:
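Review bot: `discovered_privilege_process` in the 4.1.3.6 hunk is singular and names a process, while the task it registers collects a list of setuid/setgid files; `register: discovered_privileged_programs` would match the task title and the plural `discovered_<things>` pattern used elsewhere in this commit (for example `discovered_unowned_files`). Whatever reads this register is outside the hunk, so the rename needs to be applied there too. The 4.1.3.6 block starts in this hunk and continues past it.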
@@ -44,14 +44,14 @@
 - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions"
 ansible.builtin.stat:
 path: "{{ audit_discovered_logfile.stdout | dirname }}"
- register: auditlog_dir
+ register: discovered_auditlog_directory
 - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set"
 ansible.builtin.file:
 path: "{{ audit_discovered_logfile.stdout | dirname }}"
 state: directory
- mode: 0750
- when: not auditlog_dir.stat.mode is match('07(0|5)0')
+ mode: 'u-x,g-w,o-rwx'
+ when: not discovered_auditlog_directory.stat.mode is match('07(0|5)0')
 when:
 - debian11cis_rule_4_1_4_4
 tags:
@@ -64,7 +64,7 @@
 - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
 ansible.builtin.file:
 path: "{{ item.path }}"
- mode: '0640'
+ mode: 'u-x,g-wx,o-rwx'
 loop: "{{ auditd_conf_files.files }}"
 loop_control:
 label: "{{ item.path }}"
@@ -111,28 +111,10 @@
 - rule_4.1.4.7
 - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive"
- block:
- - name: "4.1.4.8 | AUDIT | Get audit binary file stat | get current mode"
- ansible.builtin.stat:
- path: "{{ item }}"
- register: "audit_bins"
- loop:
- /sbin/auditctl
- /sbin/aureport
- /sbin/ausearch
- /sbin/autrace
- /sbin/auditd
- /sbin/augenrules
- - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required"
- ansible.builtin.file:
- path: "{{ item.item }}"
- mode: 0750
-
- loop: "{{ audit_bins.results }}"
- loop_control:
- label: "{{ item.item }}"
- when: not item.stat.mode is match('07(0|5)0')
+ ansible.builtin.file:
+ path: "{{ item }}"
+ mode: 'u-x,g-w,o-rwx'
+ loop: "{{ audit_bins }}"
 when:
 - debian11cis_rule_4_1_4_8
 tags:
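Review bot: `mode: 'u-x,g-w,o-rwx'` in the 4.1.4.4 and 4.1.4.8 hunks strips the owner's execute bit, which on the audit log directory removes the owner's search permission and on `/sbin/auditctl` and the other audit tools removes the owner execute bit that the old `0750` kept; the cron directory hunks later in this commit use `u+x,go-rwx` for the same intent, so these two should read `mode: 'u+x,g-w,o-rwx'` (or an absolute `u=rwx,g=rx,o=`). The rewritten 4.1.4.8 task loops over `audit_bins`, which is not defined anywhere in this file's hunks — presumably it moved to role vars, so please confirm it exists, since the old inline list is gone. With the 4.1.4.1 mode now symbolic, `discovered_audit_logfile` from the first 4.1.4.x hunk no longer appears to be read, so that stat task may be dead. The 4.1.4.8 task's `when`/`tags` run past the end of the hunk.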
@@ -147,13 +129,7 @@
 path: "{{ item }}"
 owner: root
 group: root
- loop:
- - /sbin/auditctl
- - /sbin/aureport
- - /sbin/ausearch
- - /sbin/autrace
- - /sbin/auditd
- - /sbin/augenrules
+ loop: "{{ audit_bins }}"
 when:
 - debian11cis_rule_4_1_4_9
 tags:
@@ -167,13 +143,7 @@
 ansible.builtin.file:
 path: "{{ item }}"
 group: root
- loop:
- - /sbin/auditctl
- - /sbin/aureport
- - /sbin/ausearch
- - /sbin/autrace
- - /sbin/auditd
- - /sbin/augenrules
+ loop: "{{ audit_bins }}"
 when:
 - debian11cis_rule_4_1_4_10
 tags:
diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml
index 93f7642..aae275e 100644
--- a/tasks/section_4/cis_4.2.1.x.yml
+++ b/tasks/section_4/cis_4.2.1.x.yml
@@ -6,18 +6,18 @@
 ansible.builtin.shell: systemctl is-enabled systemd-journald.service
 changed_when: false
 failed_when: false
- register: debian11cis_4_2_1_2_status
+ register: discovered_journald_status
 - name: "4.2.1.2 | AUDIT | Ensure journald service is enabled | Alert on bad status"
 ansible.builtin.debug:
 msg:
 - "Warning!! The status of systemd-journald should be static and it is not. Please investigate"
- when: "'static' not in debian11cis_4_2_1_2_status.stdout"
+ when: "'static' not in discovered_journald_status.stdout"
 - name: "4.2.1.2 | AUDIT | Ensure journald service is enabled | Warn Count"
 ansible.builtin.import_tasks:
 file: warning_facts.yml
- when: "'static' not in debian11cis_4_2_1_2_status.stdout"
+ when: "'static' not in discovered_journald_status.stdout"
 vars:
 warn_control_id: '4.2.1.2'
 when:
@@ -102,12 +102,12 @@
 - name: "4.2.1.7 | AUDIT | Ensure journald default file permissions configured | Check for override file"
 ansible.builtin.stat:
 path: /etc/tmpfiles.d/systemd.conf
- register: debian11cis_4_2_1_7_override
+ register: discovered_journald_override_status
 - name: "4.2.1.7 | AUDIT | Ensure journald default file permissions configured | Set live file"
 ansible.builtin.set_fact:
 systemd_conf_file: /etc/tmpfiles.d/systemd.conf
- when: debian11cis_4_2_1_7_override.stat.exists
+ when: discovered_journald_override_status.stat.exists
 - name: "4.2.1.7 | PATCH | Ensure journald default file permissions configured | Set permission"
 ansible.builtin.lineinfile:
diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml
index a1cee06..08c31e8 100644
--- a/tasks/section_4/cis_4.2.2.x.yml
+++ b/tasks/section_4/cis_4.2.2.x.yml
@@ -69,20 +69,20 @@
 changed_when: false
 failed_when: false
 check_mode: false
- register: debian11cis_4_2_2_5_rsyslog_config_path
+ register: discovered_debian11cis_rsyslog_config_path
 - name: "4.2.2.5 | AUDIT | Ensure logging is configured | Gather rsyslog current config"
- ansible.builtin.shell: "cat {{ debian11cis_4_2_2_5_rsyslog_config_path.stdout }}"
+ ansible.builtin.shell: "cat {{ discovered_debian11cis_rsyslog_config_path.stdout }}"
 changed_when: false
 failed_when: false
 check_mode: false
- register: debian11cis_4_2_2_5_rsyslog_config
+ register: discovered_debian11cis_rsyslog_config
 - name: "4.2.2.5 | AUDIT | Ensure logging is configured | Message out config"
 ansible.builtin.debug:
 msg:
 - "Warning!! Below is the current logging configurations for rsyslog, please review"
- - "{{ debian11cis_4_2_2_5_rsyslog_config.stdout_lines }}"
+ - "{{ discovered_debian11cis_rsyslog_config.stdout_lines }}"
 when: not debian11cis_rsyslog_ansible_managed
 - name: "4.2.2.5 | PATCH | Ensure logging is configured | Set warning count"
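Review bot: The two new names in the 4.2.2.5 hunk, `discovered_debian11cis_rsyslog_config_path` and `discovered_debian11cis_rsyslog_config`, keep the role prefix inside the `discovered_` name, which no other register in this commit does; `discovered_rsyslog_config_path` and `discovered_rsyslog_config` would follow the convention the commit is establishing. The same two names recur in the next hunk of this file ("Automated rsyslog configuration"), so the rename has to cover both. The 4.2.2.5 block starts before the hunk and ends after it.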
@@ -92,7 +92,7 @@
 - name: "4.2.2.5 | PATCH | Ensure logging is configured | Automated rsyslog configuration"
 ansible.builtin.lineinfile:
- path: "{{ debian11cis_4_2_2_5_rsyslog_config_path.stdout }}"
+ path: "{{ discovered_debian11cis_rsyslog_config_path.stdout }}"
 regexp: "{{ item.regexp }}"
 line: "{{ item.line }}"
 insertafter: "{{ item.insertafter }}"
diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml
index e51fbe6..ba72677 100644
--- a/tasks/section_4/cis_4.2.3.yml
+++ b/tasks/section_4/cis_4.2.3.yml
@@ -8,13 +8,13 @@
 file_type: file
 recurse: true
 hidden: true
- register: logfiles
+ register: discovered_logfiles
 - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
 ansible.builtin.file:
 path: "{{ item.path }}"
- mode: 0640
- loop: "{{ logfiles.files }}"
+ mode: 'u-x,g-wx,o-rwx'
+ loop: "{{ discovered_logfiles.files }}"
 loop_control:
 label: "{{ item.path }}"
 when:
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml
index c9c0e57..4cbbd3a 100644
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@@ -20,7 +20,7 @@
 path: /etc/crontab
 owner: root
 group: root
- mode: 0600
+ mode: 'u-x,go-rwx'
 when:
 - debian11cis_rule_5_1_2
 tags:
@@ -36,7 +36,7 @@
 path: /etc/cron.hourly
 owner: root
 group: root
- mode: 0700
+ mode: 'u+x,go-rwx'
 when:
 - debian11cis_rule_5_1_3
 tags:
@@ -52,7 +52,7 @@
 path: /etc/cron.daily
 owner: root
 group: root
- mode: 0700
+ mode: 'u+x,go-rwx'
 when:
 - debian11cis_rule_5_1_4
 tags:
@@ -68,7 +68,7 @@
 path: /etc/cron.weekly
 owner: root
 group: root
- mode: 0700
+ mode: 'u+x,go-rwx'
 when:
 - debian11cis_rule_5_1_5
 tags:
@@ -84,7 +84,7 @@
 path: /etc/cron.monthly
 owner: root
 group: root
- mode: 0700
+ mode: 'u+x,go-rwx'
 when:
 - debian11cis_rule_5_1_6
 tags:
@@ -100,7 +100,7 @@
 path: /etc/cron.d
 owner: root
 group: root
- mode: 0700
+ mode: 'u+x,go-rwx'
 when:
 - debian11cis_rule_5_1_7
 tags:
@@ -121,24 +121,24 @@
 - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check for cron.allow"
 ansible.builtin.stat:
 path: /etc/cron.allow
- register: debian11cis_5_1_8_status
+ register: discovered_cron_allow_status
 - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Create cron.allow if doesn't exist"
 ansible.builtin.file:
 path: /etc/cron.allow
 owner: root
 group: root
- mode: 0640
+ mode: 'u-x,g-wx,o-rwx'
 state: touch
- when: not debian11cis_5_1_8_status.stat.exists
+ when: not discovered_cron_allow_status.stat.exists
 - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Update cron.allow if exists"
 ansible.builtin.file:
 path: /etc/cron.allow
 owner: root
 group: root
- mode: 0640
- when: debian11cis_5_1_8_status.stat.exists
+ mode: 'u-x,g-wx,o-rwx'
+ when: discovered_cron_allow_status.stat.exists
 when:
 - debian11cis_rule_5_1_8
 tags:
@@ -159,24 +159,24 @@
 - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check for at.allow"
 ansible.builtin.stat:
 path: /etc/at.allow
- register: debian11cis_5_1_9_status
+ register: discovered_at_allow_status
 - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Create at.allow if doesn't exist"
 ansible.builtin.file:
 path: /etc/at.allow
 owner: root
 group: root
- mode: 0640
+ mode: 'u-x,g-wx,o-rwx'
 state: touch
- when: not debian11cis_5_1_9_status.stat.exists
+ when: not discovered_at_allow_status.stat.exists
 - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | update at.allow if exists"
 ansible.builtin.file:
 path: /etc/at.allow
 owner: root
 group: root
- mode: 0640
- when: debian11cis_5_1_9_status.stat.exists
+ mode: 'u-x,g-wx,o-rwx'
+ when: discovered_at_allow_status.stat.exists
 when:
 - debian11cis_rule_5_1_9
 tags:
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index adb4dd9..5500fbf 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
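Review bot: In the "Create cron.allow if doesn't exist" and "Create at.allow if doesn't exist" tasks the relative `mode: 'u-x,g-wx,o-rwx'` is applied to a file that `state: touch` creates in the same task, so as far as I can tell the final bits depend on the umask-derived mode the file is created with rather than being the fixed 0640 the old value guaranteed. For the create path an absolute form, `mode: 'u=rw,g=r,o='`, keeps the result deterministic; the relative form is fine for the "Update ... if exists" twins. The `create: true` blockinfile in the 5.5.5 hunk of cis_5.5.x.yml has the same property.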
@@ -5,7 +5,7 @@
 path: /etc/ssh/sshd_config
 owner: root
 group: root
- mode: 0600
+ mode: 'u-x,go-rwx'
 when:
 - debian11cis_rule_5_2_1
 tags:
@@ -22,16 +22,16 @@
 ansible.builtin.find:
 paths: /etc/ssh
 patterns: 'ssh_host_*_key'
- register: debian11cis_5_2_2_ssh_host_priv_keys
+ register: discovered_ssh_host_priv_keys
 - name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions"
 ansible.builtin.file:
 path: "{{ item.path }}"
 owner: root
 group: root
- mode: 0600
+ mode: 'u-x,go-rwx'
 with_items:
- - "{{ debian11cis_5_2_2_ssh_host_priv_keys.files }}"
+ - "{{ discovered_ssh_host_priv_keys.files }}"
 loop_control:
 label: "{{ item.path }}"
 when:
@@ -50,16 +50,16 @@
 ansible.builtin.find:
 paths: /etc/ssh
 patterns: 'ssh_host_*_key.pub'
- register: debian11cis_5_2_3_ssh_host_pub_keys
+ register: discovered_ssh_host_pub_keys
 - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions"
 ansible.builtin.file:
 path: "{{ item.path }}"
 owner: root
 group: root
- mode: 0644
+ mode: 'u-x,go-wx'
 with_items:
- - "{{ debian11cis_5_2_3_ssh_host_pub_keys.files }}"
+ - "{{ discovered_ssh_host_pub_keys.files }}"
 loop_control:
 label: "{{ item.path }}"
 when:
diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml
index a4b0435..e20f7ca 100644
--- a/tasks/section_5/cis_5.3.x.yml
+++ b/tasks/section_5/cis_5.3.x.yml
@@ -84,7 +84,7 @@
 ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
 changed_when: false
 failed_when: false
- register: debian11cis_5_3_6_timeout_files
+ register: discovered_sudo_timeout_files
 - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
 ansible.builtin.lineinfile:
@@ -93,7 +93,7 @@
 line: "Defaults timestamp_timeout={{ debian11cis_sudo_timestamp_timeout }}"
 insertafter: '^\s*Defaults'
 validate: '/usr/sbin/visudo -cf %s'
- when: debian11cis_5_3_6_timeout_files.stdout | length == 0
+ when: discovered_sudo_timeout_files.stdout | length == 0
 - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
 ansible.builtin.replace:
@@ -101,8 +101,8 @@
 regexp: 'timestamp_timeout=(\d+)'
 replace: "timestamp_timeout={{ debian11cis_sudo_timestamp_timeout }}"
 validate: '/usr/sbin/visudo -cf %s'
- loop: "{{ debian11cis_5_3_6_timeout_files.stdout_lines }}"
- when: debian11cis_5_3_6_timeout_files.stdout | length > 0
+ loop: "{{ discovered_sudo_timeout_files.stdout_lines }}"
+ when: discovered_sudo_timeout_files.stdout | length > 0
 when:
 - debian11cis_rule_5_3_6
 tags:
@@ -119,7 +119,6 @@
 ansible.builtin.group:
 name: "{{ debian11cis_sugroup }}"
 state: present
- register: debian11cis_5_3_7_sugroup
 - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
 ansible.builtin.lineinfile:
diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml
index 91bad75..53bc802 100644
--- a/tasks/section_5/cis_5.4.x.yml
+++ b/tasks/section_5/cis_5.4.x.yml
@@ -33,7 +33,7 @@
 changed_when: false
 failed_when: false
 check_mode: false
- register: debian11cis_5_4_1_pam_pwquality_state
+ register: discovered_pwquality_loaded_state
 - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality exists"
 community.general.pamd:
@@ -43,7 +43,7 @@
 module_path: pam_pwquality.so
 module_arguments: 'retry=3'
 state: args_present
- when: debian11cis_5_4_1_pam_pwquality_state.stdout | length > 0
+ when: discovered_pwquality_loaded_state.stdout | length > 0
 - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality does not exist"
 community.general.pamd:
@@ -56,7 +56,7 @@
 new_module_path: pam_pwquality.so
 module_arguments: 'retry=3'
 state: after
- when: debian11cis_5_4_1_pam_pwquality_state.stdout | length == 0
+ when: discovered_pwquality_loaded_state.stdout | length == 0
 when:
 - debian11cis_rule_5_4_1
 tags:
@@ -71,8 +71,8 @@
 block:
 - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Check pam faillock is set"
 ansible.builtin.shell: grep -E "preauth|authfail|authsucc" /etc/pam.d/common-auth | grep pam_faillock.so
- register: faillock_state
- failed_when: faillock_state.rc not in [0, 1]
+ register: discovered_pam_faillock_loaded_state
+ failed_when: discovered_pam_faillock_loaded_state.rc not in [0, 1]
 changed_when: false
 ## Issues have been seen with this control that can't always be replicated
@@ -84,7 +84,7 @@
 regexp: .*pam_unix.so nullok
 replace: "{{ debian11cis_rule_5_4_2_faillock_config }}"
 when:
- - "'pam_faillock.so' not in faillock_state.stdout"
+ - "'pam_faillock.so' not in discovered_pam_faillock_loaded_state.stdout"
 - debian11cis_allow_common_auth_rewrite
 - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock common-account"
@@ -156,7 +156,7 @@
 changed_when: false
 failed_when: false
 check_mode: false
- register: debian11cis_5_4_4_pam_unix_state
+ register: discovered_pam_unix_algorithm
 - name: "5.4.4 | PATCH | Ensure password hashing algorithm is up to date with the latest standards | Set hashing if pam_unix.so exists"
 community.general.pamd:
@@ -167,7 +167,7 @@
 module_arguments: "{{ debian11cis_passwd_hash_algo }}"
 state: "{{ debian11cis_passwd_setpam_hash_algo | ternary('args_present', 'args_absent') }}"
 when:
- - debian11cis_5_4_4_pam_unix_state.stdout | length > 0
+ - discovered_pam_unix_algorithm.stdout | length > 0
 - name: "5.4.4 | PATCH | Ensure password hashing algorithm is up to date with the latest standards | Set hashing if pam_unix.so does not exist"
 ansible.builtin.lineinfile:
@@ -191,18 +191,18 @@
 changed_when: false
 failed_when: false
 check_mode: false
- register: debian11cis_5_4_5_passwd_hash_used
+ register: discovered_current_passwds_hash
 # This is only looking for yescrypt if sha512 need to change the $y$ to $6$
 - name: "5.4.5 | AUDIT | Ensure all current passwords uses the configured hashing algorithm | check has found"
 ansible.builtin.debug:
 msg: "Warning!! Passwords found using not using {{ debian11cis_passwd_hash_algo }} algorithm - This required manual intervention"
- when: "' $y$' not in debian11cis_5_4_5_passwd_hash_used.stdout"
+ when: "' $y$' not in discovered_current_passwds_hash.stdout"
 - name: "5.4.5 | WARN | Ensure all current passwords uses the configured hashing algorithm | warn_count"
 ansible.builtin.import_tasks:
 file: warning_facts.yml
- when: "' $y$' not in debian11cis_5_4_5_passwd_hash_used.stdout"
+ when: "' $y$' not in discovered_current_passwds_hash.stdout"
 vars:
 warn_control_id: '5.4.5'
 when:
diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml
index 86b36da..1947510 100644
--- a/tasks/section_5/cis_5.5.x.yml
+++ b/tasks/section_5/cis_5.5.x.yml
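Review bot: The two renamed `when` lines in 5.4.5 still test the hard-coded yescrypt prefix `' $y$'`, while the warning text reports `debian11cis_passwd_hash_algo` as the expected algorithm; the existing comment admits the mismatch but a user who configures sha512 gets a warning for every yescrypt hash and none for the hashes that actually differ. Since the commit touches both lines, deriving the prefix from the variable would close the gap — for example a fact set once above these tasks, `discovered_expected_hash_prefix: "{{ '$6$' if 'sha512' in debian11cis_passwd_hash_algo else '$y$' }}"`, then `when: discovered_expected_hash_prefix not in discovered_current_passwds_hash.stdout`; the exact value format of `debian11cis_passwd_hash_algo` is not visible here, so adjust the test to it. The 5.4.5 block starts before the hunk and ends after it.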
@@ -6,20 +6,20 @@
 ansible.builtin.lineinfile:
 path: /etc/login.defs
 regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS'
- line: 'PASS_MIN_DAYS {{ debian11cis_pass.min_days }}'
+ line: 'PASS_MIN_DAYS {{ debian11cis_pass_min_days }}'
 - name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Get existing users PASS_MIN_DAYS"
- ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4>{{ debian11cis_pass.min_days }})){print $1}' /etc/shadow"
+ ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4>{{ debian11cis_pass_min_days }})){print $1}' /etc/shadow"
 changed_when: false
 failed_when: false
- register: debian11cis_5_5_1_1_min_days
+ register: discovered_password_min_days
 - name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS"
- ansible.builtin.shell: chage --mindays {{ debian11cis_pass.min_days }} {{ item }}
+ ansible.builtin.shell: chage --mindays {{ debian11cis_pass_min_days }} {{ item }}
 failed_when: false
- changed_when: debian11cis_5_5_1_1_min_days.stdout |length > 0
+ changed_when: discovered_password_min_days.stdout |length > 0
 loop:
- - debian11cis_5_5_1_1_min_days.stdout_list
+ - discovered_password_min_days.stdout_list
 when:
 - debian11cis_disruption_high
 - (item != 'root') and (not debian11cis_uses_root)
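Review bot: The `loop:` of "Set existing users PASS_MIN_DAYS" has a plain YAML item, `- discovered_password_min_days.stdout_list`, so `item` is that literal string rather than a username, and `stdout_list` is not an attribute a registered result has (`stdout_lines` is); combined with `failed_when: false` the chage call runs once against a bogus account and silently does nothing, while `changed_when` still reports a change. It should be `loop: "{{ discovered_password_min_days.stdout_lines }}"`; the 5.5.1.2 and 5.5.1.3 hunks that follow carry the same literal-item loop. Separately, the audit `($4>{{ debian11cis_pass_min_days }})` selects users whose minimum is already above the configured value, which reads as the compliant set; I would expect `$4<` here, worth checking against the benchmark before relying on the remediation. The 5.5.1.1 block starts before the hunk and ends after it.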
@@ -40,21 +40,21 @@
 ansible.builtin.lineinfile:
 path: /etc/login.defs
 regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS'
- line: 'PASS_MAX_DAYS {{ debian11cis_pass.max_days }}'
+ line: 'PASS_MAX_DAYS {{ debian11cis_pass_max_days }}'
 insertafter: '# Password aging controls'
 - name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS"
- ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5<={{ debian11cis_pass.max_days }} && $5<{{ debian11cis_pass.min_days }})){print $1}' /etc/shadow"
+ ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5<={{ debian11cis_pass_max_days }} && $5<{{ debian11cis_pass_min_days }})){print $1}' /etc/shadow"
 changed_when: false
 failed_when: false
- register: debian11cis_5_5_1_2_max_days
+ register: discovered_password_max_days
 - name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
- ansible.builtin.shell: chage --maxdays {{ debian11cis_pass.max_days }} {{ item }}
+ ansible.builtin.shell: chage --maxdays {{ debian11cis_pass_max_days }} {{ item }}
 failed_when: false
- changed_when: debian11cis_5_5_1_2_max_days.stdout | length > 0
+ changed_when: discovered_password_max_days.stdout | length > 0
 loop:
- - debian11cis_5_5_1_2_max_days.stdout_list
+ - discovered_password_max_days.stdout_list
 when:
 - debian11cis_disruption_high
 - (item != 'root') and (not debian11cis_uses_root)
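Review bot: The rewritten 5.5.1.2 audit, `($5<={{ debian11cis_pass_max_days }} && $5<{{ debian11cis_pass_min_days }})`, selects users whose maximum age is within the limit and smaller than the minimum age, which is the opposite of what "expiration is 365 days or less" needs — the non-compliant users are those with `$5` above the limit or unset. The commit only swaps the variable names on this line, but since it is being touched it is worth correcting to `($5>{{ debian11cis_pass_max_days }} || $5=="")`, subject to the benchmark's exact wording. As in the 5.5.1.1 hunk, the `loop:` item `- discovered_password_max_days.stdout_list` is a literal string and not the user list. The 5.5.1.2 block continues past the hunk.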
@@ -76,20 +76,20 @@
 ansible.builtin.lineinfile:
 path: /etc/login.defs
 regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE'
- line: 'PASS_WARN_AGE {{ debian11cis_pass.warn_age }}'
+ line: 'PASS_WARN_AGE {{ debian11cis_pass_warn_age }}'
 - name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Get existing users PASS_WARN_AGE"
- ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ debian11cis_pass.warn_age }}){print $1}' /etc/shadow"
+ ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ debian11cis_pass_warn_age }}){print $1}' /etc/shadow"
 changed_when: false
 failed_when: false
- register: debian11cis_5_5_1_3_warn_days
+ register: discovered_password_warn_days
 - name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users PASS_WARN_AGE"
- ansible.builtin.shell: chage --maxdays {{ debian11cis_pass.warn_age }} {{ item }}
+ ansible.builtin.shell: chage --maxdays {{ debian11cis_pass_warn_age }} {{ item }}
 failed_when: false
- changed_when: debian11cis_5_5_1_3_warn_days.stdout | length > 0
+ changed_when: discovered_password_warn_days.stdout | length > 0
 loop:
- - debian11cis_5_5_1_3_warn_days.stdout_list
+ - discovered_password_warn_days.stdout_list
 when:
 - debian11cis_disruption_high
 - (item != 'root') and (not debian11cis_uses_root)
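Review bot: The 5.5.1.3 remediation line now reads `chage --maxdays {{ debian11cis_pass_warn_age }} {{ item }}`, which sets the user's maximum password age to the warning value (7 by the task title) instead of the warning period; the correct flag is `chage --warndays {{ debian11cis_pass_warn_age }} {{ item }}`. Today the damage is masked because the `loop:` item `- discovered_password_warn_days.stdout_list` is a literal string rather than the user list, but as soon as that loop is fixed every listed user's password would expire after a week. The audit line above it (`$6<{{ debian11cis_pass_warn_age }}`) is the one awk condition in this file that reads correctly. The 5.5.1.3 block continues past the hunk.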
@@ -110,26 +110,20 @@
 ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2
 changed_when: false
 failed_when: false
- register: debian11cis_5_5_1_4_inactive_setting
-
- - name: "5.5.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Individual users"
- ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7<1 || $7>30)){print $1}' /etc/shadow"
- changed_when: false
- failed_when: false
- register: debian11cis_5_5_1_4_inactive_users
+ register: discovered_password_inactive_setting
 - name: "5.5.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Get Individual users"
- ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\\\s*$|-1)/ || ( $7>1 && $7<{{ debian11cis_pass.inactive }}))) {print $1}' /etc/shadow"
+ ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\\\s*$|-1)/ || ( $7>1 && $7<{{ debian11cis_pass_inactive }}))) {print $1}' /etc/shadow"
 changed_when: false
 failed_when: false
- register: debian11cis_5_5_1_4_inactive_users
+ register: discovered_password_inactive_users
 - name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for existing users"
- ansible.builtin.shell: chage --inactive {{ debian11cis_pass.inactive }} {{ item }}
+ ansible.builtin.shell: chage --inactive {{ debian11cis_pass_inactive }} {{ item }}
 failed_when: false
 when:
 - debian11cis_disruption_high
- - debian11cis_5_5_1_4_inactive_users.stdout | length > 0
+ - discovered_password_inactive_users.stdout | length > 0
 - (item != 'root') and (not debian11cis_uses_root)
 when:
 - debian11cis_rule_5_5_1_4
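Review bot: Of the two duplicate 5.5.1.4 audits, the commit deletes the one whose condition `($7<1 || $7>30)` selected the non-compliant users and keeps the one whose numeric clause `( $7>1 && $7<{{ debian11cis_pass_inactive }})` selects users already under the limit, so the survivor looks inverted; the empty and `-1` cases it matches are right, but the numeric part should be `$7>{{ debian11cis_pass_inactive }}`. The "Set inactive period for existing users" task references `{{ item }}` yet no `loop` appears between its `failed_when` and its `when`, and the hunk runs straight into the block-level `when`; if there really is no loop, `item` is undefined whenever `debian11cis_disruption_high` is true. `discovered_password_inactive_setting` is registered but nothing in the hunk reads it.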
@@ -149,35 +143,35 @@
 changed_when: false
 failed_when: false
 check_mode: false
- register: debian11cis_5_5_1_5_current_time
+ register: discovered_password_current_epoch
 - name: "5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future"
- ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ debian11cis_5_5_1_5_current_time.stdout }})print$1}'"
+ ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ discovered_password_current_epoch.stdout }})print$1}'"
 changed_when: false
 failed_when: false
 check_mode: false
- register: debian11cis_5_5_1_5_user_list
+ register: discovered_password_pastdate_userlist
 - name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Warn about users"
 ansible.builtin.debug:
 msg:
 - "WARNING!! The following accounts have the last PW change date in the future"
- - "{{ debian11cis_5_5_1_5_user_list.stdout_lines }}"
- when: debian11cis_5_5_1_5_user_list.stdout | length > 0
+ - "{{ discovered_password_pastdate_userlist.stdout_lines }}"
+ when: discovered_password_pastdate_userlist.stdout | length > 0
 - name: "5.5.1.5 | WARN | Ensure all users last password change date is in the past | warn_count"
 ansible.builtin.import_tasks:
 file: warning_facts.yml
- when: debian11cis_5_5_1_5_user_list.stdout | length > 0
+ when: discovered_password_pastdate_userlist.stdout | length > 0
 - name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates"
 ansible.builtin.shell: passwd --expire {{ item }}
 failed_when: false
 with_items:
- - "{{ debian11cis_5_5_1_5_user_list.stdout_lines }}"
+ - "{{ discovered_password_pastdate_userlist.stdout_lines }}"
 when:
 - debian11cis_disruption_high
- - debian11cis_5_5_1_5_user_list.stdout | length > 0
+ - discovered_password_pastdate_userlist.stdout | length > 0
 vars:
 warn_control_id: '5.5.1.5'
 when:
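Review bot: `discovered_password_pastdate_userlist` names the opposite of what it holds — the task title and the awk filter `$3>current epoch` collect users whose last change date is in the future, and the warning text says so as well. `discovered_password_futuredate_userlist` (or `discovered_password_future_change_users`) would stop a later reader from inverting the `length > 0` tests that hang off it. The 5.5.1.5 block begins before the hunk and its block-level `when` continues after it.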
@@ -254,14 +248,14 @@
 changed_when: false
 failed_when: false
 check_mode: false
- register: debian11cis_5_5_4_umask_pam_status
+ register: discovered_umask_pam_status
 - name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive"
 ansible.builtin.lineinfile:
 path: /etc/pam.d/common-session
 line: 'session optional pam_umask.so'
 insertbefore: '^# end of pam-auth-update config'
- when: debian11cis_5_5_4_umask_pam_status.stdout | length == 0
+ when: discovered_umask_pam_status.stdout | length == 0
 - name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive"
 ansible.builtin.lineinfile:
@@ -291,7 +285,7 @@
 - name: "5.5.5 | PATCH | Ensure default user shell timeout is 900 seconds or less"
 ansible.builtin.blockinfile:
 create: true
- mode: 0644
+ mode: 'u-x,go-wx'
 dest: "{{ item.dest }}"
 state: "{{ item.state }}"
 marker: "# {mark} ANSIBLE MANAGED"
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
index 60bdde7..c3aa61a 100644
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@@ -5,7 +5,7 @@
 path: /etc/passwd
 owner: root
 group: root
- mode: 0644
+ mode: 'u-x,go-wx'
 when:
 - debian11cis_rule_6_1_1
 tags:
@@ -20,7 +20,7 @@
 path: /etc/passwd-
 owner: root
 group: root
- mode: 0644
+ mode: 'u-x,go-wx'
 when:
 - debian11cis_rule_6_1_2
 tags:
@@ -35,7 +35,7 @@
 path: /etc/group-
 owner: root
 group: root
- mode: 0644
+ mode: 'u-x,go-wx'
 when:
 - debian11cis_rule_6_1_3
 tags:
@@ -50,7 +50,7 @@
 path: /etc/group-
 owner: root
 group: root
- mode: 0644
+ mode: 'u-x,go-wx'
 when:
 - debian11cis_rule_6_1_4
 tags:
@@ -65,7 +65,7 @@
 path: /etc/shadow
 owner: root
 group: root
- mode: 0000
+ mode: 'ugo-rwx'
 when:
 - debian11cis_rule_6_1_5
 tags:
@@ -80,7 +80,7 @@
 path: /etc/shadow-
 owner: root
 group: root
- mode: 0000
+ mode: 'ugo-rwx'
 when:
 - debian11cis_rule_6_1_6
 tags:
@@ -95,7 +95,7 @@
 path: /etc/gshadow
 owner: root
 group: root
- mode: 0000
+ mode: 'ugo-rwx'
 when:
 - debian11cis_rule_6_1_7
 tags:
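Review bot: In cis_6.1.x.yml the task guarded by `debian11cis_rule_6_1_3` and the one guarded by `debian11cis_rule_6_1_4` both set permissions on `path: /etc/group-`, so `/etc/group` itself is never touched; the 6.1.1/6.1.2 pair above them goes `/etc/passwd` then `/etc/passwd-`, which strongly suggests the 6.1.3 path should be `/etc/group`. The path lines are context here, but the commit rewrites the `mode` right under each of them, so this is the moment to fix it. Also worth confirming: the `/etc/shadow` and `/etc/gshadow` tasks keep `group: root` with a mode equivalent to 0000, which is tighter than the 0640 root:shadow those files carry by default on Debian and can break helpers that rely on the shadow group; the old value did the same, so this is a pre-existing choice rather than a regression.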
@@ -110,7 +110,7 @@ path: /etc/gshadow- owner: root group: root - mode: 0000 + mode: 'ugo-rwx' when: - debian11cis_rule_6_1_8 tags: @@ -126,16 +126,16 @@ ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 failed_when: false changed_when: false - register: rhel_09_6_1_9_perms_results + register: discovered_files_worldwrite - name: "6.1.9 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" ansible.builtin.file: path: '{{ item }}' - mode: o-w + mode: 'o-w' state: touch - loop: "{{ rhel_09_6_1_9_perms_results.stdout_lines }}" + loop: "{{ discovered_files_worldwrite.stdout_lines }}" when: - - rhel_09_6_1_9_perms_results.stdout_lines is defined + - discovered_files_worldwrite.stdout_lines is defined - debian11cis_no_world_write_adjust when: - debian11cis_rule_6_1_9 @@ -154,7 +154,7 @@ changed_when: false failed_when: false check_mode: false - register: debian11cis_6_1_10_no_user_items + register: discovered_unowned_files with_items: - "{{ ansible_facts.mounts }}" loop_control: 
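Review bot: The remediation task in the 6.1.9 hunk uses `state: touch`, which updates the atime/mtime of every world-writable file on each run and reports the task as changed even when no permission bit was altered; `state: file` is the right state for an existing path and keeps the run idempotent. The default `follow: true` of `ansible.builtin.file` also means that if the find output contains a symlink, the `o-w` is applied to its target, so `follow: false` belongs next to `mode: 'o-w'`. The guard `discovered_files_worldwrite.stdout_lines is defined` is always true once the shell task has registered (even on rc != 0, given `failed_when: false`); `discovered_files_worldwrite.stdout_lines | length > 0` is the condition that actually carries meaning.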
@@ -162,34 +162,34 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use" ansible.builtin.set_fact: - debian11cis_6_1_10_no_user_items_flatten: "{{ debian11cis_6_1_10_no_user_items.results | map(attribute='stdout_lines') | flatten }}" + discovered_unowned_files_flatten: "{{ discovered_unowned_files.results | map(attribute='stdout_lines') | flatten }}" - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Alert on unowned files and directories" ansible.builtin.debug: msg: - "Warning!! You have unowned files and are configured to not auto-remediate for this task" - "Please review the files/directories below and assign an owner" - - "{{ debian11cis_6_1_10_no_user_items_flatten }}" + - "{{ discovered_unowned_files_flatten }}" when: - not debian11cis_no_owner_adjust - - debian11cis_6_1_10_no_user_items_flatten | length > 0 + - discovered_unowned_files_flatten | length > 0 - name: "6.1.10 | PATCH | Ensure no unowned files or directories exist | Set unowned files/directories to configured owner" ansible.builtin.file: path: "{{ item }}" owner: "{{ debian11cis_unowned_owner }}" with_items: - - "{{ debian11cis_6_1_10_no_user_items_flatten }}" + - "{{ discovered_unowned_files_flatten }}" when: - debian11cis_no_owner_adjust - - debian11cis_6_1_10_no_user_items_flatten | length > 0 + - discovered_unowned_files_flatten | length > 0 - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Warn Count" ansible.builtin.import_tasks: file: warning_facts.yml when: - not debian11cis_no_owner_adjust - - debian11cis_6_1_10_no_user_items_flatten | length > 0 + - discovered_unowned_files_flatten | length > 0 vars: warn_control_id: '6.1.10' when: @@ -209,7 +209,7 @@ changed_when: false failed_when: false check_mode: false - register: debian11cis_6_1_11_ungrouped_items + register: discovered_ungrouped_files with_items: - "{{ ansible_facts.mounts }}" loop_control: 
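Review bot: The PATCH task in the 6.1.10 hunk changes `owner:` through `ansible.builtin.file` with its default `follow: true`, so if the find registered above the hunk (not visible here) returns unowned symlinks, the chown lands on the link target rather than the link itself; `follow: false` under `owner:` is the safer default for a sweep like this, and the 6.1.11 hunk setting `group:` has the same shape. The list is fed through `with_items` while the sibling 6.1.9 task uses `loop:`; one form across the section would make the warning/remediation pairs easier to compare. The block's closing `when:` runs past the hunk.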
@@ -217,34 +217,34 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Flatten ungrouped_items results for easier use" ansible.builtin.set_fact: - debian11cis_6_1_11_ungrouped_items_flatten: "{{ debian11cis_6_1_11_ungrouped_items.results | map(attribute='stdout_lines') | flatten }}" + discovered_ungrouped_files_flatten: "{{ discovered_ungrouped_files.results | map(attribute='stdout_lines') | flatten }}" - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Alert on ungrouped files and directories" ansible.builtin.debug: msg: - "Warning!! You have ungrouped files/directories and are configured to not auto-remediate for this task" - "Please review the files/directories below and assign a group" - - "{{ debian11cis_6_1_11_ungrouped_items_flatten }}" + - "{{ discovered_ungrouped_files_flatten }}" when: - not debian11cis_no_group_adjust - - debian11cis_6_1_11_ungrouped_items_flatten | length > 0 + - discovered_ungrouped_files_flatten | length > 0 - name: "6.1.11 | PATCH | Ensure no ungrouped files or directories exist | Set ungrouped files/directories to configured group" ansible.builtin.file: path: "{{ item }}" group: "{{ debian11cis_ungrouped_group }}" with_items: - - "{{ debian11cis_6_1_11_ungrouped_items_flatten }}" + - "{{ discovered_ungrouped_files_flatten }}" when: - debian11cis_no_group_adjust - - debian11cis_6_1_11_ungrouped_items_flatten | length > 0 + - discovered_ungrouped_files_flatten | length > 0 - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Warn Count" ansible.builtin.import_tasks: file: warning_facts.yml when: - not debian11cis_no_group_adjust - - debian11cis_6_1_11_ungrouped_items_flatten | length > 0 + - discovered_ungrouped_files_flatten | length > 0 vars: warn_control_id: '6.1.11' when: 
@@ -264,7 +264,7 @@ changed_when: false failed_when: false check_mode: false - register: debian11cis_6_1_12_suid_executables + register: discovered_suid_executables with_items: - "{{ ansible_facts.mounts }}" loop_control: @@ -272,16 +272,16 @@ - name: "6.1.12 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use" ansible.builtin.set_fact: - debian11cis_6_1_12_suid_executables_flatten: "{{ debian11cis_6_1_12_suid_executables.results | map(attribute='stdout_lines') | flatten }}" + discovered_suid_executables_flatten: "{{ discovered_suid_executables.results | map(attribute='stdout_lines') | flatten }}" - name: "6.1.12 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: msg: - "Warning!! You have SUID executables" - "The files are listed below, please confirm the integrity of these binaries" - - "{{ debian11cis_6_1_12_suid_executables_flatten }}" + - "{{ discovered_suid_executables_flatten }}" when: - - debian11cis_6_1_12_suid_executables_flatten | length > 0 + - discovered_suid_executables_flatten | length > 0 - not debian11cis_suid_adjust - name: "6.1.12 | PATCH | Audit SUID executables | Remove SUID bit" @@ -289,16 +289,16 @@ path: "{{ item }}" mode: 'u-s' with_items: - - "{{ debian11cis_6_1_12_suid_executables_flatten }}" + - "{{ discovered_suid_executables_flatten }}" when: - debian11cis_suid_adjust - - debian11cis_6_1_12_suid_executables_flatten | length > 0 + - discovered_suid_executables_flatten | length > 0 - name: "6.1.12 | AUDIT | Audit SUID executables | Warn Count" ansible.builtin.import_tasks: file: warning_facts.yml when: - - debian11cis_6_1_12_suid_executables_flatten | length > 0 + - discovered_suid_executables_flatten | length > 0 - not debian11cis_suid_adjust vars: warn_control_id: '6.1.12' 
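Review bot: When `debian11cis_suid_adjust` is true, the PATCH task in this hunk strips `u-s` from every file the audit found, which on a stock Debian host presumably includes sudo, su, passwd, mount and the PAM helpers, so enabling the option breaks privilege escalation and password changes outright. If the option is kept, it should at least skip package-owned binaries (for example filter the flattened list with `dpkg -S` and only strip the remainder), and `follow: false` should be set so a symlinked path does not modify its target; the warning branch that asks the operator to "confirm the integrity" of the binaries is the more defensible behaviour. The block's `when:` continues outside the hunk.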
@@ -319,7 +319,7 @@ changed_when: false failed_when: false check_mode: false - register: debian11cis_6_1_13_sgid_executables + register: discovered_sgid_executables with_items: - "{{ ansible_facts.mounts }}" loop_control: @@ -327,23 +327,23 @@ - name: "6.1.13 | AUDIT | Audit SGID executables | Flatten sgid_executables results for easier use" ansible.builtin.set_fact: - debian11cis_6_1_13_sgid_executables_flatten: "{{ debian11cis_6_1_13_sgid_executables.results | map(attribute='stdout_lines') | flatten }}" + discovered_sgid_executables_flatten: "{{ discovered_sgid_executables.results | map(attribute='stdout_lines') | flatten }}" - name: "6.1.13 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: msg: - "Warning!! You have SGID executables" - "The files are listed below, please review the integrity of these binaries" - - "{{ debian11cis_6_1_13_sgid_executables_flatten }}" + - "{{ discovered_sgid_executables_flatten }}" when: - - debian11cis_6_1_13_sgid_executables_flatten | length > 0 + - discovered_sgid_executables_flatten | length > 0 - not debian11cis_sgid_adjust - name: "6.1.13 | AUDIT | Audit SGID executables | Warn Count" ansible.builtin.import_tasks: file: warning_facts.yml when: - - debian11cis_6_1_13_sgid_executables_flatten | length > 0 + - discovered_sgid_executables_flatten | length > 0 - not debian11cis_sgid_adjust - name: "6.1.13 | PATCH | Audit SGID executables | Remove SGID bit" @@ -351,10 +351,10 @@ path: "{{ item }}" mode: 'g-s' with_items: - - "{{ debian11cis_6_1_13_sgid_executables_flatten }}" + - "{{ discovered_sgid_executables_flatten }}" when: - debian11cis_sgid_adjust - - debian11cis_6_1_13_sgid_executables_flatten | length > 0 + - discovered_sgid_executables_flatten | length > 0 vars: warn_control_id: '6.1.13' when: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 9079913..6f0df81 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
@@ -6,19 +6,19 @@ ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd changed_when: false failed_when: false - register: debian11cis_6_2_1_nonshadowed_users + register: discovered_nonshadowed_users - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Warn on findings" ansible.builtin.debug: msg: - "Warning!! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password" - - "{{ debian11cis_6_2_1_nonshadowed_users.stdout_lines }}" - when: debian11cis_6_2_1_nonshadowed_users.stdout | length > 0 + - "{{ discovered_nonshadowed_users.stdout_lines }}" + when: discovered_nonshadowed_users.stdout | length > 0 - name: "6.2.1 | WARN | Ensure accounts in /etc/passwd use shadowed passwords | warn_count" ansible.builtin.import_tasks: file: warning_facts.yml - when: debian11cis_6_2_1_nonshadowed_users.stdout | length > 0 + when: discovered_nonshadowed_users.stdout | length > 0 vars: warn_control_id: '6.2.1' when: @@ -37,15 +37,15 @@ ansible.builtin.shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow changed_when: false check_mode: false - register: debian11cis_6_2_2_empty_password_acct + register: discovered_empty_password_acct - name: "6.2.2 | PATCH | Ensure /etc/shadow password fields are not empty | Lock users with empty password" ansible.builtin.user: name: "{{ item }}" password_lock: true with_items: - - "{{ debian11cis_6_2_2_empty_password_acct.stdout_lines }}" - when: debian11cis_6_2_2_empty_password_acct.stdout | length > 0 + - "{{ discovered_empty_password_acct.stdout_lines }}" + when: discovered_empty_password_acct.stdout | length > 0 when: - debian11cis_rule_6_2_2 tags: 
@@ -64,22 +64,22 @@ changed_when: false failed_when: false check_mode: false - register: debian11cis_6_2_3_passwd_gid_check + register: discovered_passwd_gid_check - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" ansible.builtin.debug: msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: debian11cis_6_2_3_passwd_gid_check.stdout | length == 0 + when: discovered_passwd_gid_check.stdout | length == 0 - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" ansible.builtin.debug: - msg: "Warning!! The following users have non-existent GIDs (Groups): {{ debian11cis_6_2_3_passwd_gid_check.stdout_lines | join (', ') }}" - when: debian11cis_6_2_3_passwd_gid_check.stdout | length > 0 + msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join (', ') }}" + when: discovered_passwd_gid_check.stdout | length > 0 - name: "6.2.3 | WARN | Ensure all groups in /etc/passwd exist in /etc/group | warn_count" ansible.builtin.import_tasks: file: warning_facts.yml - when: debian11cis_6_2_3_passwd_gid_check.stdout | length > 0 + when: discovered_passwd_gid_check.stdout | length > 0 vars: warn_control_id: '6.2.3' when: 
@@ -128,17 +128,17 @@ changed_when: false failed_when: false check_mode: false - register: debian11cis_6_2_5_user_uid_check + register: discovered_user_uid_check - name: "6.2.5 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" ansible.builtin.debug: - msg: "Warning!! The following users have UIDs that are duplicates: {{ debian11cis_6_2_5_user_uid_check.stdout_lines }}" - when: debian11cis_6_2_5_user_uid_check.stdout | length > 0 + msg: "Warning!! The following users have UIDs that are duplicates: {{ discovered_user_uid_check.stdout_lines }}" + when: discovered_user_uid_check.stdout | length > 0 - name: "6.2.5 | AUDIT | Ensure no duplicate UIDs exist | Set warning count" ansible.builtin.import_tasks: file: warning_facts.yml - when: debian11cis_6_2_5_user_uid_check.stdout | length > 0 + when: discovered_user_uid_check.stdout | length > 0 vars: warn_control_id: '6.2.5' when: @@ -158,17 +158,17 @@ changed_when: false failed_when: false check_mode: false - register: debian11cis_6_2_6_user_user_check + register: discovered_user_user_check - name: "6.2.6 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" ansible.builtin.debug: msg: "Warning!! The following groups have duplicate GIDs: {{ debian11cis_6_2_14_user_user_check.stdout_lines }}" - when: debian11cis_6_2_6_user_user_check.stdout | length > 0 + when: discovered_user_user_check.stdout | length > 0 - name: "6.2.6 | AUDIT | Ensure no duplicate GIDs exist | Set warning count" ansible.builtin.import_tasks: file: warning_facts.yml - when: debian11cis_6_2_6_user_user_check.stdout | length > 0 + when: discovered_user_user_check.stdout | length > 0 vars: warn_control_id: '6.2.6' when: 
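Review bot: The 6.2.6 debug message in this hunk still interpolates `debian11cis_6_2_14_user_user_check.stdout_lines`, a name nothing registers; the rename updated the two `when:` conditions but not the message, so the first host with duplicate GIDs will abort the play with an undefined-variable error instead of printing a warning. The line should read `msg: "Warning!! The following groups have duplicate GIDs: {{ discovered_user_user_check.stdout_lines }}"`. The task name also says "users with duplicate GIDs" while the message (correctly) talks about groups.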
@@ -188,17 +188,17 @@ changed_when: false failed_when: false check_mode: false - register: debian11cis_6_2_7_user_username_check + register: discovered_user_username_check - name: "6.2.7 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" ansible.builtin.debug: - msg: "Warning!! The following user names are duplicates: {{ debian11cis_6_2_7_user_username_check.stdout_lines }}" - when: debian11cis_6_2_7_user_username_check.stdout | length > 0 + msg: "Warning!! The following user names are duplicates: {{ discovered_user_username_check.stdout_lines }}" + when: discovered_user_username_check.stdout | length > 0 - name: "6.2.7 | AUDIT | Ensure no duplicate user names exist | Set warning count" ansible.builtin.import_tasks: file: warning_facts.yml - when: debian11cis_6_2_7_user_username_check.stdout | length > 0 + when: discovered_user_username_check.stdout | length > 0 vars: warn_control_id: '6.2.7' when: @@ -218,17 +218,17 @@ changed_when: false failed_when: false check_mode: false - register: debian11cis_6_2_8_group_group_check + register: discovered_group_group_check - name: "6.2.8 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" ansible.builtin.debug: - msg: "Warning!! The following group names are duplicates: {{ debian11cis_6_2_8_group_group_check.stdout_lines }}" - when: debian11cis_6_2_8_group_group_check.stdout | length > 0 + msg: "Warning!! The following group names are duplicates: {{ discovered_group_group_check.stdout_lines }}" + when: discovered_group_group_check.stdout | length > 0 - name: "6.2.8 | AUDIT | Ensure no duplicate group names exist | Set warning count" ansible.builtin.import_tasks: file: warning_facts.yml - when: debian11cis_6_2_8_group_group_check.stdout | length > 0 + when: discovered_group_group_check.stdout | length > 0 vars: warn_control_id: '6.2.8' when: 
@@ -246,36 +246,36 @@ - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Get root paths" ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 changed_when: false - register: debian11cis_6_2_9_root_paths + register: discovered_root_paths - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Get root paths" ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 | tr ":" "\n" changed_when: false - register: debian11cis_6_2_9_root_paths_split + register: discovered_root_paths_split - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Set fact" ansible.builtin.set_fact: - root_paths: "{{ debian11cis_6_2_9_root_paths.stdout }}" + root_paths: "{{ discovered_root_paths.stdout }}" - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"' changed_when: false - failed_when: root_path_empty_dir.rc not in [ 0, 1 ] - register: root_path_empty_dir + failed_when: discovered_root_path_empty_dir.rc not in [ 0, 1 ] + register: discovered_root_path_empty_dir - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Check for trailing ':'" ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"' changed_when: false - failed_when: root_path_trailing_colon.rc not in [ 0, 1 ] - register: root_path_trailing_colon + failed_when: discovered_root_path_trailing_colon.rc not in [ 0, 1 ] + register: discovered_root_path_trailing_colon - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" block: - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" ansible.builtin.stat: path: "{{ item }}" - register: root_path_perms - loop: "{{ debian11cis_6_2_9_root_paths_split.stdout_lines }}" + register: discovered_root_path_perms + loop: "{{ discovered_root_paths_split.stdout_lines }}" - name: "6.2.9 | AUDIT | Ensure root 
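Review bot: The trailing-colon check in this hunk executes the PATH value itself: `'{{ root_paths }} | cut -d= -f2 | grep -q ":$" ...'` has no `echo`, so the shell tries to run `/usr/local/sbin:/usr/local/bin:...` as a command, exits 127, and `failed_when: discovered_root_path_trailing_colon.rc not in [ 0, 1 ]` fails the task on every host. Mirror the empty-directory check above it: `ansible.builtin.shell: 'echo {{ root_paths }} | grep -q ":$" && echo "roots path contains a trailing (:)"'` (the `cut -d= -f2` is redundant because root_paths already holds only the value). Nothing in the hunk consumes `discovered_root_path_empty_dir` or `discovered_root_path_trailing_colon`; if they are not reported elsewhere, a debug/warning task keyed on `.rc == 0` would make these audits visible to the operator.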
PATH Integrity | Set permissions" ansible.builtin.file: @@ -283,9 +283,9 @@ state: directory owner: root group: root - mode: "0755" + mode: 'u+x,go-w' follow: false - loop: "{{ root_path_perms.results }}" + loop: "{{ discovered_root_path_perms.results }}" loop_control: label: "{{ item }}" when: @@ -326,7 +326,6 @@ state: directory owner: "{{ item.id }}" group: "{{ item.gid }}" - register: debian11cis_6_2_11_home_dir loop: "{{ debian11cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" loop_control: label: "{{ item.id }}" @@ -386,15 +385,15 @@ - name: "6.2.13 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive | get stat" ansible.builtin.stat: path: "{{ item }}" - register: rhel_09_6_2_13_home_dir_perms + register: discovered_home_dir_perms loop: "{{ interactive_users_home.stdout_lines }}" - name: "6.2.13 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | amend if needed" ansible.builtin.file: path: "{{ item.stat.path }}" state: directory - mode: "0750" - loop: "{{ rhel_09_6_2_13_home_dir_perms.results }}" + mode: 'g-w,o-rwx' + loop: "{{ discovered_home_dir_perms.results }}" loop_control: label: "{{ item }}" when: 
@@ -488,30 +487,30 @@ changed_when: false failed_when: false check_mode: false - register: debian11cis_6_2_17_audit + register: discovered_dot_files_worldwrite - name: "6.2.17 | AUDIT | Ensure users' dot files are not group or world-writable | Warning on files found" ansible.builtin.debug: msg: - "Warning!! You have group or world-writable dot files on your system and have configured for manual intervention" when: - - debian11cis_6_2_17_audit.stdout | length > 0 + - discovered_dot_files_worldwrite.stdout | length > 0 - debian11cis_dotperm_ansiblemanaged - name: "6.2.17 | PATCH | Ensure users' dot files are not group or world writable | Set warning count" ansible.builtin.import_tasks: file: warning_facts.yml when: - - debian11cis_6_2_17_audit.stdout | length > 0 + - discovered_dot_files_worldwrite.stdout | length > 0 - debian11cis_dotperm_ansiblemanaged - name: "6.2.17 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" ansible.builtin.file: path: '{{ item }}' - mode: go-w - with_items: "{{ debian11cis_6_2_17_audit.stdout_lines }}" + mode: 'go-w' + with_items: "{{ discovered_dot_files_worldwrite.stdout_lines }}" when: - - debian11cis_6_2_17_audit.stdout | length > 0 + - discovered_dot_files_worldwrite.stdout | length > 0 - debian11cis_dotperm_ansiblemanaged vars: warn_control_id: '6.2.17' diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 0c56108..12ada01 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
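Review bot: The warning and the remediation in this hunk fire under the same condition, `debian11cis_dotperm_ansiblemanaged`, even though the warning text says the operator has "configured for manual intervention" and the warn_count is incremented on the very run that fixes the files; the 6.1.10/6.1.11 tasks use `not ..._adjust` for their warning branch. The debug task and the warning_facts import should be guarded with `- not debian11cis_dotperm_ansiblemanaged`, leaving the `ansible.builtin.file` task as the only one keyed on the flag being true. The `mode: 'go-w'` change also follows symlinked dot files by default; `follow: false` is worth adding if chmod on the link target is not intended.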
@@ -551,9 +551,9 @@ debian11cis_passwd_remember: {{ debian11cis_pamd_pwhistory_remember }} # logins.def password settings debian11cis_pass: - max_days: {{ debian11cis_pass.max_days }} - min_days: {{ debian11cis_pass.min_days }} - warn_age: {{ debian11cis_pass.warn_age }} + max_days: {{ debian11cis_pass_max_days }} + min_days: {{ debian11cis_pass_min_days }} + warn_age: {{ debian11cis_pass_warn_age }} # set sugroup if differs from wheel debian11cis_sugroup: {{ debian11cis_sugroup }} diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 40bf9f9..c2f67c8 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,7 +1,7 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC YOUR CHANGED WILL BE LOST! +# provided by Mindpoint Group - A Tyto Athene Company YOUR CHANGED WILL BE LOST! # This template will set all of the auditd configurations via a handler in the role in one task instead of individually @@ -31,8 +31,8 @@ -w /etc/network/ -p wa -k system-locale {% endif %} {% if debian11cis_rule_4_1_3_6 %} -{% if priv_procs is defined %} -{% for proc in priv_procs.stdout_lines -%} +{% if discovered_privilege_process is defined %} +{% for proc in discovered_privilege_process.stdout_lines -%} -a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged {% endfor %} {% endif %} diff --git a/templates/etc/chrony/sources.d/pool.sources.j2 b/templates/etc/chrony/sources.d/pool.sources.j2 index 7e3bca1..aa98621 100644 --- a/templates/etc/chrony/sources.d/pool.sources.j2 +++ b/templates/etc/chrony/sources.d/pool.sources.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company {% for pool in debian11cis_time_pool %} pool {{ pool.name }} {{ pool.options }} 
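Review bot: The privileged-command rule in the auditd hunk hard-codes `-F auid>=1000 -F auid!=4294967295` while the role already carries `min_int_uid` (used in the 6.2.x loops), so hosts with a different UID_MIN get rules that either miss interactive users or log service accounts; `-F auid>={{ min_int_uid }} -F auid!=unset` keeps the rule in step with the rest of the role (`unset` is the auditctl spelling of 4294967295). Because the loop sits under `{% if discovered_privilege_process is defined %}`, a task that still registers the old `priv_procs` name would not fail — the privileged rules would simply vanish from the generated file — so the registering task (in the section 4 changes not visible here) should be checked for the matching rename, or the guard dropped so a mismatch surfaces. The header comment "YOUR CHANGED WILL BE LOST" is also a typo for "CHANGES".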
diff --git a/templates/etc/chrony/sources.d/server.sources.j2 b/templates/etc/chrony/sources.d/server.sources.j2 index a5e3731..0f7095e 100644 --- a/templates/etc/chrony/sources.d/server.sources.j2 +++ b/templates/etc/chrony/sources.d/server.sources.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company {% for server in debian11cis_time_servers %} server {{ server.name }} {{ server.options }} diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 index 3534474..f623e10 100644 --- a/templates/etc/dconf/db/00-automount_lock.j2 +++ b/templates/etc/dconf/db/00-automount_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop media-handling automount setting /org/gnome/desktop/media-handling/automount diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 index 392af74..ce6f4f6 100644 --- a/templates/etc/dconf/db/00-autorun_lock.j2 +++ b/templates/etc/dconf/db/00-autorun_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop media-handling settings /org/gnome/desktop/media-handling/autorun-never diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 index 227498e..28d7ae0 100644 --- a/templates/etc/dconf/db/00-media-automount.j2 +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/desktop/media-handling] automount=false 
diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 index a8c297f..ed6b769 100644 --- a/templates/etc/dconf/db/00-media-autorun.j2 +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/desktop/media-handling] autorun-never=true diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index 1c991f6..64c86a9 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Specify the dconf path diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 index 5d5869f..b27c99c 100644 --- a/templates/etc/dconf/db/00-screensaver_lock.j2 +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop screensaver idle-delay setting /org/gnome/desktop/session/idle-delay diff --git a/templates/etc/grub.d/00_user.j2 b/templates/etc/grub.d/00_user.j2 index ac999c6..000e79f 100644 --- a/templates/etc/grub.d/00_user.j2 +++ b/templates/etc/grub.d/00_user.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company cat < Date: Mon, 16 Dec 2024 08:49:36 +0000 Subject: [PATCH 2/2] fixed typo in msg 3.5.3.2.4 Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.5.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tasks/section_3/cis_3.5.3.x.yml b/tasks/section_3/cis_3.5.3.x.yml index 5e3f3ed..c780edf 100644 --- a/tasks/section_3/cis_3.5.3.x.yml +++ b/tasks/section_3/cis_3.5.3.x.yml @@ -181,7 +181,7 @@ - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - - "{{ ddiscovered_ipv4_iptables_open_ports.stdout_lines }}" + - "{{ discovered_ipv4_iptables_open_ports.stdout_lines }}" - "Current Rules:" - "{{ discovered_ipv4_iptables_current_rules.stdout_lines }}"