From f8c1f54a669e6186b9d6140d453f6a76a09df643 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 13:02:07 +0200 Subject: [PATCH 1/7] Small documentation fix by adding the description right above each variable from the "ubtu22cis_aide_init" dictionary. Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 878534c..0951794 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -543,8 +543,10 @@ ubtu22cis_config_aide: true ## When Initializing aide this can take longer on some systems # changing the values enables user to change to thier own requirements ubtu22cis_aide_init: - async: 45 # Maximum Time in seconds - poll: 0 # Polling Interval in seconds + # Maximum Time in seconds + async: 45 + # Polling Interval in seconds + poll: 0 ## Control 1.3.2 # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. From b30145c55505dabb141d967bcff46138c80d6ca8 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 13:09:51 +0200 Subject: [PATCH 2/7] Small documentation fix by adding in the description of some variables the "Controls" keyword. Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0951794..f9acc40 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -599,7 +599,7 @@ ubtu22cis_set_boot_pass: false ubtu22cis_grub_file: /boot/grub/grub.cfg -## 1.5.x +## Controls 1.5.x # Ability to set file in which the kernel systcl changes are placed ubtu22cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf 
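Review bot: The two comments moved above `async` and `poll` in `ubtu22cis_aide_init` still do not say what `poll: 0` means for the AIDE baseline. If these values are passed to Ansible's task-level `async`/`poll` keywords (the consuming task is not in this hunk), `poll: 0` starts the initialisation and moves on without waiting, and a run longer than 45 seconds is cut off, so a host can finish the play without a usable AIDE database. I would word them as `# Maximum run time in seconds; AIDE init is stopped if it takes longer` and `# Polling interval in seconds; 0 = do not wait for the result`, and fix `thier` in the context line above while this block is being touched. The same lines appear again in PATCH 4/7 and PATCH 7/7.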
@@ -750,7 +750,7 @@ ubtu22cis_audit_back_log_limit: 8192 # This should be set based on your sites policy. CIS does not provide a specific value. ubtu22cis_max_log_file_size: 10 -## 4.1.3.x - Audit template +## Controls 4.1.3.x - Audit template # This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the # audit settings are overwritten with the role's template. In order to exclude # specific rules, you must set the variable of form `ubtu22cis_rule_4_1_3_x` above From 55f660fde3261103173c7515764b0f5ee73cc32d Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 13:13:21 +0200 Subject: [PATCH 3/7] Small documentation fix by adding double "#" before the title of some of the variables' description. Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f9acc40..6b09d4f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -946,7 +946,7 @@ ubtu22cis_sugroup: nosugroup # CIS requires a value of 5 or more. ubtu22cis_pamd_pwhistory_remember: 5 -# Control 5.4.2 +## Control 5.4.2 # This can seriously break access to a system ## The end state the file /etc/pam.d/common-auth need to be understood ## If using external auth providers this will be very different @@ -957,7 +957,7 @@ ubtu22cis_rule_5_4_2_faillock_config: | auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc -# Control 5.4.4 +## Control 5.4.4 # ubtu22cis_passwd_hash_algo is the hashing algorithm used ubtu22cis_passwd_hash_algo: yescrypt # pragma: allowlist secret # Set pam as well as login defs if PAM is required From 54f219d469e4183074569732c954daa576455c27 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 13:02:07 +0200 Subject: [PATCH 4/7] Small documentation fix by adding the description right above each variable from the "ubtu22cis_aide_init" dictionary. 
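Review bot: Promoting `# Control 5.4.2` to `##` in the hunk at 946 leaves the heading indistinguishable from the two description lines under it, which already start with `##` (`## The end state ...`, `## If using external auth providers ...`), while the warning between them uses a single `#`. If `##` is meant to mark control headings, those two lines should drop to `#`, e.g. `# The end state of /etc/pam.d/common-auth needs to be understood`. This variable carries pam_faillock auth lines and its own comment warns that it can break access to a system, so the warning should be easy to read. PATCH 6/7 repeats the hunk.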
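Review bot: The comment under the `## Control 5.4.4` heading in the hunk at 957 only says that `ubtu22cis_passwd_hash_algo` "is the hashing algorithm used", which gives an operator nothing to go on when overriding the `yescrypt` default. It should list the values the role accepts and note that, as is usual for this kind of setting, a change applies only to passwords set afterwards, while existing hashes stay as they are until the password is changed. Something like `# Password hashing algorithm; accepted values: <values supported by the role>` would do; the tasks that consume the variable are not in this hunk. PATCH 6/7 repeats the hunk.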
Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 878534c..0951794 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -543,8 +543,10 @@ ubtu22cis_config_aide: true ## When Initializing aide this can take longer on some systems # changing the values enables user to change to thier own requirements ubtu22cis_aide_init: - async: 45 # Maximum Time in seconds - poll: 0 # Polling Interval in seconds + # Maximum Time in seconds + async: 45 + # Polling Interval in seconds + poll: 0 ## Control 1.3.2 # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. From 1b909e60d48bc497890b733a5125be5ab6d61e6d Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 13:09:51 +0200 Subject: [PATCH 5/7] Small documentation fix by adding in the description of some variables the "Controls" keyword. Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0951794..f9acc40 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -599,7 +599,7 @@ ubtu22cis_set_boot_pass: false ubtu22cis_grub_file: /boot/grub/grub.cfg -## 1.5.x +## Controls 1.5.x # Ability to set file in which the kernel systcl changes are placed ubtu22cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf @@ -750,7 +750,7 @@ ubtu22cis_audit_back_log_limit: 8192 # This should be set based on your sites policy. CIS does not provide a specific value. ubtu22cis_max_log_file_size: 10 -## 4.1.3.x - Audit template +## Controls 4.1.3.x - Audit template # This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the # audit settings are overwritten with the role's template. In order to exclude # specific rules, you must set the variable of form `ubtu22cis_rule_4_1_3_x` above 
From 6458a14851994dbbca46582d20c6301064b06471 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 13:13:21 +0200 Subject: [PATCH 6/7] Small documentation fix by adding double "#" before the title of some of the variables' description. Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f9acc40..6b09d4f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -946,7 +946,7 @@ ubtu22cis_sugroup: nosugroup # CIS requires a value of 5 or more. ubtu22cis_pamd_pwhistory_remember: 5 -# Control 5.4.2 +## Control 5.4.2 # This can seriously break access to a system ## The end state the file /etc/pam.d/common-auth need to be understood ## If using external auth providers this will be very different @@ -957,7 +957,7 @@ ubtu22cis_rule_5_4_2_faillock_config: | auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc -# Control 5.4.4 +## Control 5.4.4 # ubtu22cis_passwd_hash_algo is the hashing algorithm used ubtu22cis_passwd_hash_algo: yescrypt # pragma: allowlist secret # Set pam as well as login defs if PAM is required From cbac7754ede76a386f355b77b224db47aa16bd6b Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Mon, 29 Jan 2024 14:02:30 +0200 Subject: [PATCH 7/7] Removing some trailing whitespaces Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6b09d4f..24f9197 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -544,9 +544,9 @@ ubtu22cis_config_aide: true # changing the values enables user to change to thier own requirements ubtu22cis_aide_init: # Maximum Time in seconds - async: 45 + async: 45 # Polling Interval in seconds - poll: 0 + poll: 0 ## Control 1.3.2 # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.