Merge pull request #263 from ansible-lockdown/mounts

Mounts
ansible-lockdown · Dec 12, 2024 · 31844a6 · 31844a6
2 parents 57ca826 + 7f93438
commit 31844a6
Show file tree

Hide file tree

Showing 18 changed files with 589 additions and 263 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -11,12 +11,17 @@ repos:
   hooks:
   # Safety
   - id: detect-aws-credentials
+    name: Detect AWS Credentials
   - id: detect-private-key
+    name: Detect Private Keys
 
   # git checks
   - id: check-merge-conflict
+    name: Check for merge conflicts
   - id: check-added-large-files
+    name: Check for Large files
   - id: check-case-conflict
+    name: Check case conflict
 
   # General checks
   - id: trailing-whitespace
@@ -27,6 +32,7 @@ repos:
     types: [text]
     args: [--markdown-linebreak-ext=md]
   - id: end-of-file-fixer
+    name: Ensure line at end of file
 
 # Scan for passwords
 - repo: https://github.com/Yelp/detect-secrets
@@ -62,3 +68,4 @@ repos:
   rev: v1.35.1  # or higher tag
   hooks:
   - id: yamllint
+    name: Check YAML Lint
diff --git a/.yamllint b/.yamllint
@@ -1,6 +1,5 @@
 ---
 extends: default
-locale: en_US.UTF-8
 ignore: |
     tests/
     molecule/

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -613,6 +613,11 @@ ubtu22cis_purge_apt: false
 ## Section 1 Control Variables
 ##
 
+## Ability to enabe debug on mounts to assist in troubleshooting
+# Mount point changes are set based upon facts created in Prelim
+# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1.
+ubtu22cis_debug_mount_data: false
+
 ## Control 1.1.2
 # If set to `true`, rule will be implemented using the `tmp.mount` systemd-service,
 # otherwise fstab configuration will be used.
@@ -981,7 +986,7 @@ ubtu22cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwqualit
 ubtu22cis_passwd_quality_enforce_value: 1
 
 # 5.3.3.2.8 - password quality enforce for root included with 5.3.3.2.7
-# enforce_for_root: This ensures that the password policies are adhered to even if it’s the root user configuring the passwords.
+# enforce_for_root: This ensures that the password policies are adhered to even if its the root user configuring the passwords.
 ubtu22cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf  # pragma: allowlist secret
 ubtu22cis_passwd_quality_enforce_root_value: enforce_for_root  # pragma: allowlist secret
 

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,87 +1,152 @@
 ---
 
-- name: Writing the tmp file | tmp_systemd
-  when:
-    - "'/tmp' in mount_names"
-    - item.mount == "/tmp"
-    - tmp_mnt_type == 'tmp_systemd'
-  ansible.builtin.template:
-    src: etc/systemd/system/tmp.mount.j2
-    dest: /etc/systemd/system/tmp.mount
-    owner: root
-    group: root
-    mode: 'go-wx'
-  with_items:
-    - "{{ ansible_facts.mounts }}"
-  loop_control:
-    label: "{{ item.device }}"
-  listen: Writing and remounting tmp
-
-- name: Writing the tmp file | fstab
-  when:
-    - "'/tmp' in mount_names"
-    - tmp_mnt_type == 'fstab'
-    - item.mount == "/tmp"
+- name: "Adding options for /tmp"
+  when: not ubtu22cis_tmp_svc
+  vars:
+    mount_point: '/tmp'
   ansible.posix.mount:
-    path: /tmp
-    src: "{{ item.device }}"
+    path: "{{ mount_point }}"
+    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
     state: present
-    fstype: "{{ item.fstype }}"
-    opts: defaults,{{ tmp_partition_mount_options | unique | join(',') }}
-  with_items:
-    - "{{ ansible_facts.mounts }}"
-  loop_control:
-    label: "{{ item.device }}"
-  listen: Writing and remounting tmp
+    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
+    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
+  listen: "Remount /tmp"
 
-- name: Update_Initramfs
-  ansible.builtin.command: update-initramfs -u
-  changed_when: true
-  notify: Set_reboot_required
-
-- name: Remount tmp
+- name: "Remounting /tmp"
+  vars:
+    mount_point: '/tmp'
   ansible.posix.mount:
-    path: /tmp
+    path: "{{ mount_point }}"
     state: remounted
-  when:
-    - "'/tmp' in mount_names"
-  listen: Writing and remounting tmp
+  listen: "Remount /tmp"
 
-- name: Remount dev_shm
+- name: "Remounting /tmp systemd"
+  vars:
+    mount_point: '/tmp'
+  ansible.builtin.systemd:
+    name: tmp.mount
+    state: restarted
+    daemon_reload: true
+  listen: "Remount /tmp"
+
+- name: "Adding options for /dev/shm"
+  vars:
+    mount_point: '/dev/shm'
   ansible.posix.mount:
-    path: /dev/shm
-    state: remounted
+    path: "{{ mount_point }}"
+    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
+    state: present
+    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
+    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
+  listen: "Remount /dev/shm"
 
-- name: Remount var
+- name: "Remounting /dev/shm"
+  vars:
+    mount_point: '/dev/shm'
   ansible.posix.mount:
-    path: /var
+    path: "{{ mount_point }}"
     state: remounted
+  listen: "Remount /dev/shm"
+
+- name: "Adding options for /home"
+  vars:
+    mount_point: '/home'
+  ansible.posix.mount:
+    path: "{{ mount_point }}"
+    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
+    state: present
+    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
+    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
+  listen: "Remount /home"
 
-- name: Remount var_tmp
+- name: "Remounting /home"
+  vars:
+    mount_point: '/home'
   ansible.posix.mount:
-    path: /var/tmp
+    path: "{{ mount_point }}"
     state: remounted
+  listen: "Remount /home"
 
-- name: Remount var_log
+- name: "Adding options for /var"
+  vars:
+    mount_point: '/var'
   ansible.posix.mount:
-    path: /var/log
+    path: "{{ mount_point }}"
+    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
+    state: present
+    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
+    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
+  listen: "Remount /var"
+
+- name: "Remounting /var"
+  vars:
+    mount_point: '/var'
+  ansible.posix.mount:
+    path: "{{ mount_point }}"
     state: remounted
+  listen: "Remount /var"
 
-- name: Remount var_log_audit
+- name: "Adding options for /var/tmp"
+  vars:
+    mount_point: '/var/tmp'
   ansible.posix.mount:
-    path: /var/log/audit
+    path: "{{ mount_point }}"
+    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
+    state: present
+    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
+    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
+  listen: "Remount /var/tmp"
+
+- name: "Remounting /var/tmp"
+  vars:
+    mount_point: '/var/tmp'
+  ansible.posix.mount:
+    path: "{{ mount_point }}"
     state: remounted
+  listen: "Remount /var/tmp"
+
+- name: "Adding options for /var/log"
+  vars:
+    mount_point: '/var/log'
+  ansible.posix.mount:
+    path: "{{ mount_point }}"
+    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
+    state: present
+    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
+    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
+  listen: "Remount /var/log"
 
-- name: Remount home
+- name: "Remounting /var/log"
+  vars:
+    mount_point: '/var/log'
   ansible.posix.mount:
-    path: /home
+    path: "{{ mount_point }}"
     state: remounted
+  listen: "Remount /var/log"
 
-- name: Remount dev_shm
+- name: "Adding options for /var/log/audit"
+  vars:
+    mount_point: '/var/log/audit'
   ansible.posix.mount:
-    path: /dev/shm
-    src: /dev/shm
+    path: "{{ mount_point }}"
+    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
+    state: present
+    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
+    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
+  listen: "Remount /var/log/audit"
+
+- name: "Remounting /var/log/audit"
+  vars:
+    mount_point: '/var/log/audit'
+  ansible.posix.mount:
+    path: "{{ mount_point }}"
     state: remounted
+  listen: "Remount /var/log/audit"
+
+- name: Update_Initramfs
+  ansible.builtin.command: update-initramfs -u
+  changed_when: true
+  notify: Set_reboot_required
 
 - name: Grub update
   ansible.builtin.command: update-grub

diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: Audit_Only | Create local Directories for hosts
+- name: Audit_only | Create local Directories for hosts
   when: fetch_audit_files
   delegate_to: localhost
   become: false

diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
@@ -44,8 +44,8 @@
   ansible.builtin.unarchive:
     src: "{{ audit_conf_source }}"
     dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
-    remote_src: "{{ (audit_conf_source is contains ('http'))| ternary(true, false) }}"
-    extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', []) }}"
+    remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}"
+    extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}"
 
 - name: Pre Audit Setup | Check Goss is available
   when: run_audit

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -29,6 +29,30 @@
   ansible.builtin.set_fact:
     mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}"
 
+- name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options
+  tags: always
+  block:
+    - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - call mount  # noqa command-instead-of-module
+      ansible.builtin.shell: |
+        mount | awk '{print $1, $3, $5, $6}'
+      changed_when: false
+      register: prelim_mount_output
+
+    - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact
+      ansible.builtin.set_fact:
+        prelim_mount_point_fs_and_options: >-
+          {%- set prelim_mount_point_fs_and_options = {} -%}
+          {%- for line in prelim_mount_output.stdout_lines -%}
+          {%- set fields = line.split() -%}
+          {%- set _ = prelim_mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%}
+          {%- endfor -%}
+          {{ prelim_mount_point_fs_and_options }}
+
+    - name: "PRELIM | AUDIT | Debug of mount variables to assist in troubleshooting"
+      when: ubtu22cis_debug_mount_data
+      ansible.builtin.debug:
+        msg: "{{ prelim_mount_point_fs_and_options }}"
+
 - name: Include audit specific variables
   when:
     - run_audit or audit_only
@@ -198,7 +222,7 @@
   check_mode: false
   register: prelim_uid_zero_accounts_except_root
 
-- name: PRELIM | PATCH | create journald conf.d directory
+- name: PRELIM | PATCH | Create journald conf.d directory
   when:
     - ubtu22cis_rule_6_2_1_1_3 or
       ubtu22cis_rule_6_2_1_1_5 or