cis2.0.1 release March 24 #141

Merged: 31 commits, Mar 20, 2024
Commits
bbb0d0f
Fix loop condition default
arousseau-coveo Dec 7, 2023
f1d8600
Fix loop condition default
arousseau-coveo Dec 7, 2023
a3df7a1
Empty-Commit
arousseau-coveo Dec 8, 2023
4449780
Merge pull request #124 from arousseau-coveo/fix/cis-5-2-4-5-loop
MrSteve81 Dec 13, 2023
14e04df
Fix loop condition default
arousseau-coveo Dec 7, 2023
7ed1002
Fix loop condition default
arousseau-coveo Dec 7, 2023
c6fbfac
added default value for ubtu20cis_uses_root
arousseau-coveo Dec 20, 2023
70809e4
fix prelim check to check for AIDE install rule and updates rule
dderemiah Jan 5, 2024
aab873f
Groups the Defaults together
dderemiah Jan 5, 2024
1e8f2e1
Merge pull request #130 from dderemiah/fix_prelim
uk-bolly Jan 9, 2024
de94cba
Merge pull request #131 from dderemiah/fix_4.3
uk-bolly Jan 9, 2024
4830ea2
Fix regex to prevent swallowing closing quote in bootloader config. F…
kdebisschop Jan 14, 2024
207f0f9
pre and post_remediation - quote group_names
diepes Jan 16, 2024
742a695
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Jan 22, 2024
6884015
Merge pull request #128 from diepes/devel
uk-bolly Jan 26, 2024
61dc2e2
Merge pull request #133 from kdebisschop/AppArmor-bootloader-quoting
uk-bolly Jan 26, 2024
587f340
Merge pull request #134 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Jan 26, 2024
7f0a4f6
Fixes a couple typos
dderemiah Jan 30, 2024
7104ccf
Fixes list privileged cmd collection to match benchmark
dderemiah Jan 30, 2024
abd02cc
Merge pull request #135 from dderemiah/typo_5.1.2.x
uk-bolly Jan 30, 2024
17517ff
Merge pull request #136 from dderemiah/fix_5.2.3.6
uk-bolly Jan 30, 2024
2dd63f1
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Feb 5, 2024
47f3b26
Merge branch 'ansible-lockdown:devel' into fix/ubtu20cis_uses_root_de…
arousseau-coveo Feb 6, 2024
270df6e
Merge pull request #129 from arousseau-coveo/fix/ubtu20cis_uses_root_…
uk-bolly Feb 6, 2024
bfdd97b
Merge pull request #137 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Feb 6, 2024
fc03fdd
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Feb 19, 2024
664b32e
Merge pull request #138 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Feb 20, 2024
c46d1e6
fixed test for the arm64 conditional
uk-bolly Mar 8, 2024
eb0843b
Merge pull request #139 from ansible-lockdown/audit_arm64
MrSteve81 Mar 8, 2024
768be7f
[pre-commit.ci] pre-commit autoupdate
pre-commit-ci[bot] Mar 18, 2024
38b4140
Merge pull request #140 from ansible-lockdown/pre-commit-ci-update-co…
uk-bolly Mar 20, 2024
Fixes list privileged cmd collection to match benchmark
Signed-off-by: Dan D <daniel.deremiah@windriver.com>
dderemiah committed Jan 30, 2024
commit 7104ccf0ea65faa87813775a6c5355380daabebb
2 changes: 1 addition & 1 deletion tasks/section_5/cis_5.2.3.x.yml
@@ -93,7 +93,7 @@
- name: "5.2.3.6 | PATCH | Ensure use of privileged commands is collected"
block:
- name: "5.2.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs"
ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
register: priv_procs
changed_when: false
check_mode: false
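Review bot: In the new `ansible.builtin.shell` line of 5.2.3.6, nothing visible checks that the mount-point pipeline inside `$(...)` (`findmnt ... | grep -Pv "noexec|nosuid" | awk '{print $1}'`) returned anything. If `findmnt` or the `/proc/filesystems` lookup fails, the `for` loop runs zero times, the task still succeeds, and `priv_procs` is empty, which looks the same as a host with no setuid/setgid files; whatever consumes `priv_procs` would then collect nothing without any error. Consider gathering the mount list in its own registered task and failing when it is empty. Two smaller points on the same line: `grep -Pv "noexec|nosuid"` matches anywhere on the findmnt output line, so a mount whose path or source happens to contain either word is dropped as well (filtering on the options column alone would be exact), and `$i` in `find $i` is unquoted. The expression `-type f -perm -4000 -o -type f -perm -2000` could also be written as `-type f -perm /6000`, which avoids relying on `-o` precedence.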