From d28adb5af7a3e01da9ebc29c390dad59e0605c00 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Dec 2024 11:27:07 +0000 Subject: [PATCH 01/11] fix typo in variable Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 8e037db8..0f50ca5c 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -676,7 +676,7 @@ - rule_2.1.21 - NIST800-53R5_CM-7 vars: - warn_control_id: "2.2.21" + warn_control_id: "2.1.21" block: - name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed" when: "'exim4' in ansible_facts.packages" From 6632b77a3ecab66a4c1b9eb32e216e038d239ad1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Dec 2024 11:53:32 +0000 Subject: [PATCH 02/11] Addressed #262 mount refactor thanks to @bgro Signed-off-by: Mark Bolwell --- .yamllint | 2 +- handlers/main.yml | 179 +++++++++++++++------- tasks/pre_remediation_audit.yml | 4 +- tasks/prelim.yml | 21 ++- tasks/section_1/cis_1.1.2.1.x.yml | 109 +++++++++---- tasks/section_1/cis_1.1.2.2.x.yml | 72 ++++++--- tasks/section_1/cis_1.1.2.3.x.yml | 77 ++++++---- tasks/section_1/cis_1.1.2.4.x.yml | 76 +++++---- tasks/section_1/cis_1.1.2.5.x.yml | 94 ++++++++---- tasks/section_1/cis_1.1.2.6.x.yml | 93 +++++++---- tasks/section_1/cis_1.1.2.7.x.yml | 94 ++++++++---- templates/etc/systemd/system/tmp.mount.j2 | 2 +- 12 files changed, 565 insertions(+), 258 deletions(-) diff --git a/.yamllint b/.yamllint index 4cf70478..78eb3e2b 100755 --- a/.yamllint +++ b/.yamllint @@ -17,7 +17,7 @@ rules: comments: ignore-shebangs: true min-spaces-from-content: 1 # prettier compatibility - comments-indentation: enable + comments-indentation: false empty-lines: max: 1 indentation: diff --git a/handlers/main.yml b/handlers/main.yml index 41ff924d..edd42124 100644 --- a/handlers/main.yml 
+++ b/handlers/main.yml 
@@ -1,87 +1,152 @@ --- -- name: Writing the tmp file | tmp_systemd - when: - - "'/tmp' in mount_names" - - item.mount == "/tmp" - - tmp_mnt_type == 'tmp_systemd' - ansible.builtin.template: - src: etc/systemd/system/tmp.mount.j2 - dest: /etc/systemd/system/tmp.mount - owner: root - group: root - mode: 'go-wx' - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - listen: Writing and remounting tmp - -- name: Writing the tmp file | fstab - when: - - "'/tmp' in mount_names" - - tmp_mnt_type == 'fstab' - - item.mount == "/tmp" +- name: "Adding options for /tmp" + when: not ubtu22cis_tmp_svc + vars: + mount_point: '/tmp' ansible.posix.mount: - path: /tmp - src: "{{ item.device }}" + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ item.fstype }}" - opts: defaults,{{ tmp_partition_mount_options | unique | join(',') }} - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - listen: Writing and remounting tmp + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /tmp" -- name: Update_Initramfs - ansible.builtin.command: update-initramfs -u - changed_when: true - notify: Set_reboot_required - -- name: Remount tmp +- name: "Remounting /tmp" + vars: + mount_point: '/tmp' ansible.posix.mount: - path: /tmp + path: "{{ mount_point }}" state: remounted - when: - - "'/tmp' in mount_names" - listen: Writing and remounting tmp + listen: "Remount /tmp" -- name: Remount dev_shm +- name: "Remounting /tmp systemd" + vars: + mount_point: '/tmp' + ansible.builtin.systemd: + name: tmp.mount + state: restarted + daemon_reload: true + listen: "Remount /tmp" + +- name: "Adding options for /dev/shm" + vars: + mount_point: '/dev/shm' ansible.posix.mount: - path: /dev/shm - state: remounted + path: "{{ mount_point }}" + src: "{{ 
mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /dev/shm" -- name: Remount var +- name: "Remounting /dev/shm" + vars: + mount_point: '/dev/shm' ansible.posix.mount: - path: /var + path: "{{ mount_point }}" state: remounted + listen: "Remount /dev/shm" + +- name: "Adding options for /home" + vars: + mount_point: '/home' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /home" -- name: Remount var_tmp +- name: "Remounting /home" + vars: + mount_point: '/home' ansible.posix.mount: - path: /var/tmp + path: "{{ mount_point }}" state: remounted + listen: "Remount /home" -- name: Remount var_log +- name: "Adding options for /var" + vars: + mount_point: '/var' ansible.posix.mount: - path: /var/log + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var" + +- name: "Remounting /var" + vars: + mount_point: '/var' + ansible.posix.mount: + path: "{{ mount_point }}" state: remounted + listen: "Remount /var" -- name: Remount var_log_audit +- name: "Adding options for /var/tmp" + vars: + mount_point: '/var/tmp' ansible.posix.mount: - path: /var/log/audit + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') 
}}" + listen: "Remount /var/tmp" + +- name: "Remounting /var/tmp" + vars: + mount_point: '/var/tmp' + ansible.posix.mount: + path: "{{ mount_point }}" state: remounted + listen: "Remount /var/tmp" + +- name: "Adding options for /var/log" + vars: + mount_point: '/var/log' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var/log" -- name: Remount home +- name: "Remounting /var/log" + vars: + mount_point: '/var/log' ansible.posix.mount: - path: /home + path: "{{ mount_point }}" state: remounted + listen: "Remount /var/log" -- name: Remount dev_shm +- name: "Adding options for /var/log/audit" + vars: + mount_point: '/var/log/audit' ansible.posix.mount: - path: /dev/shm - src: /dev/shm + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var/log/audit" + +- name: "Remounting /var/log/audit" + vars: + mount_point: '/var/log/audit' + ansible.posix.mount: + path: "{{ mount_point }}" state: remounted + listen: "Remount /var/log/audit" + +- name: Update_Initramfs + ansible.builtin.command: update-initramfs -u + changed_when: true + notify: Set_reboot_required - name: Grub update ansible.builtin.command: update-grub diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 3db36fd8..3b4990cb 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
@@ -44,8 +44,8 @@ ansible.builtin.unarchive: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" - remote_src: "{{ (audit_conf_source is contains ('http'))| ternary(true, false) }}" - extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', []) }}" + remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}" + extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}" - name: Pre Audit Setup | Check Goss is available when: run_audit diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 8cf8d007..deb618db 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -29,6 +29,25 @@ ansible.builtin.set_fact: mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" +- name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options + tags: always + block: + - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - call mount # noqa command-instead-of-module + ansible.builtin.shell: | + mount | awk '{print $1, $3, $5, $6}' + changed_when: false + register: mount_output + + - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact + ansible.builtin.set_fact: + mount_point_fs_and_options: >- + {%- set mount_point_fs_and_options = {} -%} + {%- for line in mount_output.stdout_lines -%} + {%- set fields = line.split() -%} + {%- set _ = mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%} + {%- endfor -%} + {{ mount_point_fs_and_options }} + - name: Include audit specific variables when: - run_audit or audit_only @@ -198,7 +217,7 @@ check_mode: false register: prelim_uid_zero_accounts_except_root -- name: PRELIM | PATCH | create journald conf.d directory +- name: PRELIM | PATCH | Create journald conf.d directory when: - ubtu22cis_rule_6_2_1_1_3 or ubtu22cis_rule_6_2_1_1_5 or 
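Review bot: The new "Retrieve mount options - call mount" shell task has no `check_mode: false`, unlike the `prelim_uid_zero_accounts_except_root` command visible in the next hunk of this file, so a `--check` run skips it and the following set_fact fails on an undefined `mount_output`; add `check_mode: false` beside `changed_when: false`. The parser is also fragile: `mount` output is split on whitespace and the options are unwrapped with `fields[3][1:-1]`, so any source or mount point containing a space (a FUSE or user-namespace mount, if unprivileged users can create one on the host) shifts every field. `findmnt -rn -o SOURCE,TARGET,FSTYPE,OPTIONS` yields the same four columns with whitespace escaped and no parentheses, letting the set_fact use `fields[3].split(',')` directly. Whichever command stays, a comment that these are the kernel's current options rather than the /etc/fstab line is warranted, because the handlers write them back into fstab.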
diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index 05ae9f42..adbfb8f6 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml 
@@ -12,62 +12,101 @@ - rule_1.1.2.1.1 - NIST800-53R5_CM-7 vars: - warn_control_id: '1.1.2.1.1' - required_mount: '/tmp' + warn_control_id: "1.1.2.1.1" + required_mount: "/tmp" block: - - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Absent" + - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_tmp_mount.rc not in [ 0, 1 ] + register: discovered_tmp_mount + + - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent" + when: discovered_tmp_mount is undefined ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Present" + - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Present" + when: discovered_tmp_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml # via fstab -- name: | - "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" - "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" - "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" - ansible.posix.mount: - name: /tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_1_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_1_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and ubtu22cis_rule_1_1_2_1_4) %},noexec{% endif %}" - notify: Remount tmp - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" +- name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" when: - - item.mount == "/tmp" + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_1_2 - not 
ubtu22cis_tmp_svc - - ubtu22cis_rule_1_1_2_1_2 or - ubtu22cis_rule_1_1_2_1_3 or - ubtu22cis_rule_1_1_2_1_4 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.1.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/tmp" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_1_3 + - not ubtu22cis_tmp_svc + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.1.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/tmp" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_1_4 + - not ubtu22cis_tmp_svc + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.1.4 - - NIST800-53R5_CM-7 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 + vars: + mount_point: "/tmp" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when # via systemd - name: | - "1.1.2.1.1 | PATCH | Ensure /tmp is configured" - "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" - "1.1.2.1.3 | PATCH | Ensure noexec option set on /tmp partition" - "1.1.2.1.4 | PATCH | 
Ensure nosuid option set on /tmp partition" + "1.1.2.1.1 | PATCH | Ensure /tmp is configured + 1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition + 1.1.2.1.3 | PATCH | Ensure noexec option set on /tmp partition + 1.1.2.1.4 | PATCH | Ensure nosuid option set on /tmp partition" when: - ubtu22cis_tmp_svc - - ubtu22cis_rule_1_1_2_1_1 or - ubtu22cis_rule_1_1_2_1_2 or - ubtu22cis_rule_1_1_2_1_3 or - ubtu22cis_rule_1_1_2_1_4 + - ubtu22cis_rule_1_1_2_1_1 or ubtu22cis_rule_1_1_2_1_2 or ubtu22cis_rule_1_1_2_1_3 or ubtu22cis_rule_1_1_2_1_4 tags: - level1-server - level1-workstation @@ -79,10 +118,12 @@ - rule_1.1.2.1.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 + vars: + mount_point: "/tmp" ansible.builtin.template: src: etc/systemd/system/tmp.mount.j2 dest: /etc/systemd/system/tmp.mount owner: root group: root - mode: 'go-wx' - notify: Systemd restart tmp.mount + mode: "go-wx" + notify: *mount_option_notify diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index b249d29f..26b703c2 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -12,8 +12,8 @@ - rule_1.1.2.2.1 - NIST800-53R5_CM-7 vars: - warn_control_id: '1.1.2.2.1' - required_mount: '/dev/shm' + warn_control_id: "1.1.2.2.1" + required_mount: "/dev/shm" block: - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check for mount" ansible.builtin.command: findmnt -kn "{{ required_mount }}" 
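Review bot: The "Absent" and "Present" tasks in the 1.1.2.1.1 block are gated on `when: discovered_tmp_mount is undefined`, but that variable is always defined once the preceding findmnt task registers it (rc 1 included), so the warning and the warning_facts import can never run and a host without a separate /tmp is silently passed. Gate them on the exit code instead: `when: discovered_tmp_mount.rc != 0` (findmnt returns 1 when the target is not mounted, which the `failed_when` already tolerates). The block's own `when:` lies above this hunk, so I cannot see whether `required_mount not in mount_names` still wraps it. The same `is undefined` gate is repeated in the other section-1.1.2 files of this commit.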
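Review bot: Notifying `Remount /tmp` from the systemd template task now also triggers the "Remounting /tmp" handler (`ansible.posix.mount … state: remounted`) ahead of the tmp.mount restart, whereas the removed line notified only `Systemd restart tmp.mount`; on a first run where /tmp is not yet a mount point that remount may fail or act on whatever fstab says. The new `vars: mount_point: "/tmp"` suggests the template reads `mount_point_fs_and_options[mount_point]`, yet the 1.1.2.1.2–4 set_fact tasks that append nodev/nosuid/noexec are skipped when `ubtu22cis_tmp_svc` is true; the tmp.mount.j2 change is not in this chunk, so please verify the unit does not end up with only the runtime options. A one-line comment above the template task stating where the unit's options come from would settle this for the next reader.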
@@ -31,31 +31,65 @@ ansible.builtin.import_tasks: file: warning_facts.yml -- name: | - "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition - 1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition - 1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" +- name: "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition" when: - - discovered_dev_shm_mount is defined - - ubtu22cis_rule_1_1_2_2_2 or - ubtu22cis_rule_1_1_2_2_3 or - ubtu22cis_rule_1_1_2_2_4 + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_2_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.2.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/dev/shm" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_2_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.2.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/dev/shm" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_2_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.2.4 - NIST800-53R5_AC-3 - 
NIST800-53R5_MP-2 - notify: - - Set_reboot_required - - Remount dev_shm - ansible.posix.mount: - name: /dev/shm - src: tmpfs - fstype: tmpfs - state: mounted - opts: defaults,{% if ubtu22cis_rule_1_1_2_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_2_3 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_2_2_4 %}noexec{% endif %} + vars: + mount_point: "/dev/shm" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index 1554c645..b45b4650 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml 
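Review bot: The rewritten 1.1.2.2.2–4 tasks only append to `mount_point_fs_and_options['/dev/shm']` and notify `Remount /dev/shm` when the option is missing from `original_options`, which are the kernel's current flags rather than /etc/fstab. On Ubuntu 22.04 /dev/shm is normally mounted by systemd with no fstab line, so a host whose /dev/shm already shows nodev,nosuid,noexec at runtime (for instance after a manual remount) never triggers the handler and nothing is persisted, while the removed `state: mounted` task always wrote the fstab entry. The `mount_point_fs_and_options[mount_point] is defined` guard also means a host with no /dev/shm mounted at all now gets nothing, where the old task created the tmpfs mount. Consider keeping an unconditional `state: present` fstab write for /dev/shm, or at minimum document the assumption: `# assumes /dev/shm is already mounted; fstab is written only when an option is missing at runtime`.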
@@ -1,55 +1,74 @@ --- - -- name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home" +- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition" when: - ubtu22cis_rule_1_1_2_3_1 - required_mount not in mount_names tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation - audit - mounts - rule_1.1.2.3.1 - NIST800-53R5_CM-7 vars: - warn_control_id: '1.1.2.3.1' - required_mount: '/home' + warn_control_id: "1.1.2.3.1" + required_mount: "/home" block: - - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Warn if partition is absent" + - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_home_mount.rc not in [ 0, 1 ] + register: discovered_home_mount + + - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Absent" + when: discovered_dev_shm_mount is undefined ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" + msg: "Warning!! 
{{ required_mount }} is not mounted on a separate partition" - - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Present" + - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Present" + when: discovered_dev_shm_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition - 1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition +- name: "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition" when: - - "'/home' in mount_names" - - item.mount == "/home" - - ubtu22cis_rule_1_1_2_3_2 or - ubtu22cis_rule_1_1_2_3_3 + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_3_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.3.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/home" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_3_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.3.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: - - Remount home - - Set_reboot_required - ansible.posix.mount: - name: /home - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and 
ubtu22cis_rule_1_1_2_3_3) %},nosuid{% endif %}" - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" + vars: + mount_point: "/home" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index 19929d1b..58ae6f4f 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -1,13 +1,13 @@ --- -- name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var" +- name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition" when: - - required_mount not in mount_names - ubtu22cis_rule_1_1_2_4_1 + - required_mount not in mount_names tags: - - level2-server - - level2-workstation - - patch + - level1-server + - level1-workstation + - audit - mounts - rule_1.1.2.4.1 - NIST800-53R5_CM-7 
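Review bot: In the 1.1.2.3.1 block the "Absent" and "Present" tasks test `discovered_dev_shm_mount is undefined`, a copy-paste from the /dev/shm file, instead of the `discovered_home_mount` registered two lines above; depending on whether the /dev/shm tasks ran earlier, the /home warning either fires regardless of state or never fires. Both should read `when: discovered_home_mount.rc != 0`, since `is undefined` is never true after a `register:`. The task is also renamed from AUDIT to PATCH and moved from level2-* to level1-* tags while it still only warns and is tagged `audit`; as far as I recall the benchmark rates a separate /home partition at Level 2, so please re-check that retag against the benchmark text.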
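Review bot: The 1.1.2.4.1 tags move from level2-server/level2-workstation to level1-* and swap `patch` for `audit` with no rationale in the commit message, while the task is renamed to PATCH although the block (continued in the next hunk) only emits a warning. If the benchmark still rates a separate /var partition as Level 2, as I recall, level-1 runs will now warn on every host without one; please verify the level and keep the name and tag consistent, e.g. `"1.1.2.4.1 | AUDIT | Ensure /var is a separate partition"`.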
@@ -15,41 +15,61 @@ warn_control_id: '1.1.2.4.1' required_mount: '/var' block: - - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Warn if partition is absent" + - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_mount.rc not in [ 0, 1 ] + register: discovered_var_mount + + - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent" + when: discovered_dev_shm_mount is undefined ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Present" + - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present" + when: discovered_dev_shm_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition" - "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" +- name: "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition" when: - - "'/var' in mount_names" - - item.mount == "/var" - - ubtu22cis_rule_1_1_2_4_2 or - ubtu22cis_rule_1_1_2_4_3 + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_4_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.4.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - 
required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_4_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.4.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: - - Remount var - - Set_reboot_required - ansible.posix.mount: - name: /var - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_4_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_4_3) %},nosuid{% endif %}" - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" + vars: + mount_point: "/var" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index f5555672..a830b4b0 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -1,13 +1,12 @@ --- -# Skips if mount is absent -- name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp" +- name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition" when: - ubtu22cis_rule_1_1_2_5_1 - required_mount not in mount_names tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation - audit - mounts - rule_1.1.2.5.1 
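Review bot: Both 1.1.2.4.1 "Absent" and "Present" tasks are gated on `discovered_dev_shm_mount is undefined`, the /dev/shm variable, rather than the `discovered_var_mount` registered by the findmnt task just above them, so the /var warning depends on whether the /dev/shm file ran and not on /var itself. Use `when: discovered_var_mount.rc != 0` on both tasks; `is undefined` would never be true for the correctly named variable either, because `register:` always sets it. The enclosing block's `when:` and `vars:` begin in the previous hunk.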
@@ -16,44 +15,81 @@ warn_control_id: '1.1.2.5.1' required_mount: '/var/tmp' block: - - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn if partition is absent" + - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_tmp_mount.rc not in [ 0, 1 ] + register: discovered_var_tmp_mount + + - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Absent" + when: discovered_var_tmp_mount is undefined ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" + - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Present" + when: discovered_var_tmp_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition" - "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition" - "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" +- name: "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition" when: - - "'/var/tmp' in mount_names" - - item.mount == "/var/tmp" - - ubtu22cis_rule_1_1_2_5_2 or - ubtu22cis_rule_1_1_2_5_3 or - ubtu22cis_rule_1_1_2_5_4 + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_5_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.5.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/tmp" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | 
combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_5_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.5.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/tmp" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_5_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.5.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: - - Remount var_tmp - - Set_reboot_required - ansible.posix.mount: - name: /var/tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_5_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_5_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and ubtu22cis_rule_1_1_2_5_4) %},noexec{% endif %}" - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" + vars: + mount_point: "/var/tmp" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index 7c1435b8..780a8e9c 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml 
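Review bot: The 1.1.2.5.1 "Absent"/"Present" tasks name the right variable, but `discovered_var_tmp_mount is undefined` is never true after the `register:` on the findmnt task, so the missing-partition warning for /var/tmp can never be emitted; use `when: discovered_var_tmp_mount.rc != 0` on both. A smaller point of style: the three `set_fact` values are written as `|` block scalars, which carry a trailing newline into the templated string, whereas the prelim fact in this commit uses `>-`; `mount_point_fs_and_options: >-` would be consistent and drops the stray newline.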
@@ -1,12 +1,12 @@ --- -- name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log" +- name: "1/.1 | PATCH | Ensure /var/log is a separate partition" when: - ubtu22cis_rule_1_1_2_6_1 - required_mount not in mount_names tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation - audit - mounts - rule_1.1.2.6.1 
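Review bot: The new task name on the first added line is `"1/.1 | PATCH | Ensure /var/log is a separate partition"`, which drops the control id that every other task in this series carries and breaks grepping by rule number; it should be `"1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition"` (AUDIT, since the block only warns and is tagged `audit`). The level2-* to level1-* retag here mirrors the other section-1.1.2 files in this commit and deserves the same check against the benchmark's stated level.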
@@ -15,44 +15,81 @@ warn_control_id: '1.1.2.6.1' required_mount: '/var/log' block: - - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Warn if partition is absent" + - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_log_mount.rc not in [ 0, 1 ] + register: discovered_var_log_mount + + - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Absent" + when: discovered_var_log_mount is undefined ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Present" + - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Present" + when: discovered_var_log_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition" - "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition" - "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" +- name: "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition" when: - - "'/var/log' in mount_names" - - item.mount == "/var/log" - - ubtu22cis_rule_1_1_2_6_2 or - ubtu22cis_rule_1_1_2_6_3 or - ubtu22cis_rule_1_1_2_6_4 + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_6_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.6.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | 
combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_6_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.6.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_6_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.6.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: - - Remount var_log - - Set_reboot_required - ansible.posix.mount: - name: /var/log - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_6_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_6_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and ubtu22cis_rule_1_1_2_6_4) %},noexec{% endif %}" - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" + vars: + mount_point: "/var/log" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index 7bde0d24..c7ed992c 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml 
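Review bot: The new `Absent` and `Present` tasks are guarded by `when: discovered_var_log_mount is undefined`, but the preceding findmnt task always registers that variable (its `failed_when` accepts rc 0 and 1), so the guard is never true and neither the warning nor the `warning_facts.yml` import can fire. findmnt exits 1 when the path is not a mount point, so both guards should be `when: discovered_var_log_mount.rc != 0`. The block-level `when` still keeps `required_mount not in mount_names`: if prelim no longer builds `mount_names` after this refactor the block errors on an undefined variable, and if it still does, the findmnt check only duplicates it. The same `is undefined` guards appear in the second hunk of tasks/section_1/cis_1.1.2.7.x.yml (`discovered_var_log_audit_mount`).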
@@ -1,12 +1,12 @@ --- -- name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit" +- name: "1/.1 | PATCH | Ensure /var/log/audit is a separate partition" when: - ubtu22cis_rule_1_1_2_7_1 - required_mount not in mount_names tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation - audit - mounts - rule_1.1.2.7.1 
@@ -15,45 +15,81 @@ warn_control_id: '1.1.2.7.1' required_mount: '/var/log/audit' block: - - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn if partition is absent" + - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_log_audit_mount.rc not in [ 0, 1 ] + register: discovered_var_log_audit_mount + + - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Absent" + when: discovered_var_log_audit_mount is undefined ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" + - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Present" + when: discovered_var_log_audit_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition" - "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition" - "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" +- name: "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition" when: - - "'/var/log/audit' in mount_names" - - item.mount == "/var/log/audit" - - ubtu22cis_rule_1_1_2_7_2 or - ubtu22cis_rule_1_1_2_7_3 or - ubtu22cis_rule_1_1_2_7_4 + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_7_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.7.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log/audit" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: 
&mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_7_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.7.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log/audit" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_7_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.7.4 - - NIST800-53R5_CM-7 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: - - Remount var_log_audit - - Set_reboot_required - ansible.posix.mount: - name: /var/log/audit - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_7_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_7_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and ubtu22cis_rule_1_1_2_7_4) %},noexec{% endif %}" - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" + vars: + mount_point: "/var/log/audit" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when 
diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2 index 72490e3d..057a465d 100644 --- a/templates/etc/systemd/system/tmp.mount.j2 +++ b/templates/etc/systemd/system/tmp.mount.j2 @@ -11,7 +11,7 @@ What=tmpfs Where=/tmp Type=tmpfs -Options: {{ tmp_partition_mount_options | unique | join(',') }} +Options: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" [Install] WantedBy=local-fs.target From b1068de72666b2b60801551baa7d92145852ba64 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Dec 2024 12:08:36 +0000 Subject: [PATCH 03/11] Updated tmpfs options in conditional Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.1.x.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index adbfb8f6..baf0f495 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -35,6 +35,7 @@ - name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" when: - mount_point_fs_and_options[mount_point] is defined + - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - ubtu22cis_rule_1_1_2_1_2 - not ubtu22cis_tmp_svc tags: @@ -59,6 +60,7 @@ - name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" when: - mount_point_fs_and_options[mount_point] is defined + - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - ubtu22cis_rule_1_1_2_1_3 - not ubtu22cis_tmp_svc tags: @@ -80,6 +82,7 @@ - name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" when: - mount_point_fs_and_options[mount_point] is defined + - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - ubtu22cis_rule_1_1_2_1_4 - not ubtu22cis_tmp_svc tags: From f7121144d0139f4cda6de4dcf4d931e5814d23d4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Dec 2024 12:13:20 +0000 Subject: [PATCH 04/11] Updated with name titles 
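Review bot: The new `Options:` line is not valid systemd unit syntax, so the hardening options never reach the tmpfs mount: unit settings are `Key=Value`, a line without `=` is ignored when the unit loads, and /tmp then mounts with default options instead of the nodev/nosuid/noexec set collected in `mount_point_fs_and_options`. The added double quotes would also be passed through to the mount options literally rather than stripped, so even with `=` the mount would likely fail. The line should read `Options={{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}`, and the task that renders this template has to provide `mount_point` (presumably `/tmp`) in its vars, which this hunk does not show.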
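Review bot: The added tmpfs guard keys on `['src']`, but the dictionary built in prelim also records `['fs_type']`, which is the field that actually says the filesystem is tmpfs; `src` is the device column of `mount` output and can read `none` for a tmpfs entry declared that way in fstab, in which case the guard does not fire. Prefer `- mount_point_fs_and_options[mount_point]['fs_type'] != "tmpfs"`, which also avoids the `not ... ==` form. Note the consequence of the guard as written: when /tmp is a tmpfs from fstab and `ubtu22cis_tmp_svc` is false, all three option rules are skipped silently, with no warning that nodev/nosuid/noexec were not applied. The same guard appears in all three hunks of this file.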
Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 10deb27d..acdd8963 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -11,12 +11,17 @@ repos: hooks: # Safety - id: detect-aws-credentials + name: Detect AWS Credentials - id: detect-private-key + name: Detect Private Keys # git checks - id: check-merge-conflict + name: Check for merge conflicts - id: check-added-large-files + name: Check for Large files - id: check-case-conflict + name: Check case conflict # General checks - id: trailing-whitespace @@ -27,6 +32,7 @@ repos: types: [text] args: [--markdown-linebreak-ext=md] - id: end-of-file-fixer + name: Ensure line at end of file # Scan for passwords - repo: https://github.com/Yelp/detect-secrets @@ -62,3 +68,4 @@ repos: rev: v1.35.1 # or higher tag hooks: - id: yamllint + name: Check YAML Lint From 180d19a69edd8b41bfc107712069ccce3aadad9f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Dec 2024 15:38:37 +0000 Subject: [PATCH 05/11] Enable debug options for mounts Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +++ tasks/prelim.yml | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 1be361ba..23f9d566 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -613,6 +613,9 @@ ubtu22cis_purge_apt: false ## Section 1 Control Variables ## +## Ability to enabe debug on mounts to assist in troubleshooting +ubtu22cis_debug_mount_data: false + ## Control 1.1.2 # If set to `true`, rule will be implemented using the `tmp.mount` systemd-service, # otherwise fstab configuration will be used. diff --git a/tasks/prelim.yml b/tasks/prelim.yml index deb618db..1f36df0f 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
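Review bot: The comment introducing the new variable has a typo: `## Ability to enabe debug on mounts to assist in troubleshooting` should read `## Ability to enable debug on mounts to assist in troubleshooting`. It would also help the reader to say what the switch does, e.g. `# When true, prelim prints the per-mount-point src/fs_type/options dictionary it built`.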
@@ -48,6 +48,11 @@ {%- endfor -%} {{ mount_point_fs_and_options }} + - name: "PRELIM | AUDIT | Debug of mount variables to assist in troubleshooting" + when: ubtu22cis_debug_mount_data + ansible.builtin.debug: + msg: "{{ mount_point_fs_and_options }}" + - name: Include audit specific variables when: - run_audit or audit_only From db17068cb334c7327c3257eaa5e5ea003785a9ea Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Dec 2024 15:57:11 +0000 Subject: [PATCH 06/11] expanded mountpoint explaination Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 23f9d566..7c9ee8bd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -614,6 +614,8 @@ ubtu22cis_purge_apt: false ## ## Ability to enabe debug on mounts to assist in troubleshooting +# Mount point changes are set based upon facts created in Prelim +# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1. ubtu22cis_debug_mount_data: false ## Control 1.1.2 From 6e6161cb9b9863621f2f3587afdf7bc2a3f4a539 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 08:33:05 +0000 Subject: [PATCH 07/11] layout update for pipeline Signed-off-by: Mark Bolwell --- .yamllint | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/.yamllint b/.yamllint index 78eb3e2b..c271c2aa 100755 --- a/.yamllint +++ b/.yamllint @@ -1,12 +1,13 @@ --- + extends: default locale: en_US.UTF-8 ignore: | - tests/ - molecule/ - .github/ - .gitlab-ci.yml - *molecule.yml + tests/ + molecule/ + .github/ + .gitlab-ci.yml + *molecule.yml rules: braces: max-spaces-inside: 1 @@ -16,8 +17,8 @@ rules: level: error comments: ignore-shebangs: true - min-spaces-from-content: 1 # prettier compatibility - comments-indentation: false + min-spaces-from-content: 1 # prettier compatibility + comments-indentation: enable empty-lines: max: 1 indentation: 
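Review bot: The two added explanation lines are inserted between the `## Ability to enabe debug ...` heading and `ubtu22cis_debug_mount_data: false`, so the heading no longer sits next to the variable it describes. Move the explanation above that heading (or below the variable) so the debug switch keeps its own one-line description, e.g. `# Mount point changes are set based upon facts created in Prelim; these build the variable and options passed to the handler that sets the mount point for the section 1 controls.`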
From 7056dd0c70659695796a7f26f622b62dea69c58b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 09:35:01 +0000 Subject: [PATCH 08/11] convert file characterset Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/section_4/cis_4.3.3.x.yml | 2 +- tasks/warning_facts.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7c9ee8bd..69871962 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -986,7 +986,7 @@ ubtu22cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwqualit ubtu22cis_passwd_quality_enforce_value: 1 # 5.3.3.2.8 - password quality enforce for root included with 5.3.3.2.7 -# enforce_for_root: This ensures that the password policies are adhered to even if it’s the root user configuring the passwords. +# enforce_for_root: This ensures that the password policies are adhered to even if its the root user configuring the passwords. ubtu22cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf # pragma: allowlist secret ubtu22cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowlist secret diff --git a/tasks/section_4/cis_4.3.3.x.yml b/tasks/section_4/cis_4.3.3.x.yml index 2470855f..181c09ab 100644 --- a/tasks/section_4/cis_4.3.3.x.yml +++ b/tasks/section_4/cis_4.3.3.x.yml @@ -4,7 +4,7 @@ when: ubtu22cis_rule_4_3_3_1 tags: - level1-server - - level1-workstationå + - level1-workstation - patch - rule_4.3.3.1 - ip6tables diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml index e43e31f9..66594eb8 100644 --- a/tasks/warning_facts.yml +++ b/tasks/warning_facts.yml 
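Review bot: The character-set conversion in defaults/main.yml dropped the apostrophe instead of replacing it: `even if its the root user` should read `even if it's the root user` with an ASCII apostrophe. The other two hunks in this commit (the stray `å` in the tag name and `warn_control_ids`) read correctly after the change.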
@@ -9,7 +9,7 @@ # # warn_control_id is set within the task itself and has the control ID as the value # -# warn_control_list is the main variable to be used and is a list made up of the warn_control_id’s +# warn_control_list is the main variable to be used and is a list made up of the warn_control_ids # # warn_count is the main variable for the number of warnings and each time a warn_control_id is added # the count increases by a value of 1 From a9cb02747b31cd65ffbaecc9a242c92b3719887c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 09:40:43 +0000 Subject: [PATCH 09/11] removed locale Signed-off-by: Mark Bolwell --- .yamllint | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/.yamllint b/.yamllint index c271c2aa..fa7b6971 100755 --- a/.yamllint +++ b/.yamllint @@ -1,13 +1,11 @@ --- - extends: default -locale: en_US.UTF-8 ignore: | - tests/ - molecule/ - .github/ - .gitlab-ci.yml - *molecule.yml + tests/ + molecule/ + .github/ + .gitlab-ci.yml + *molecule.yml rules: braces: max-spaces-inside: 1 @@ -17,7 +15,7 @@ rules: level: error comments: ignore-shebangs: true - min-spaces-from-content: 1 # prettier compatibility + min-spaces-from-content: 1 # prettier compatibility comments-indentation: enable empty-lines: max: 1 From 0666e00458e97288265e400747e963503c891c80 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 14:47:50 +0000 Subject: [PATCH 10/11] Align mountpoint variable naming Signed-off-by: Mark Bolwell --- handlers/main.yml | 42 +++++++++++++++---------------- tasks/prelim.yml | 14 +++++------ tasks/section_1/cis_1.1.2.1.x.yml | 18 ++++++------- tasks/section_1/cis_1.1.2.2.x.yml | 12 ++++----- tasks/section_1/cis_1.1.2.3.x.yml | 10 ++++---- tasks/section_1/cis_1.1.2.4.x.yml | 10 ++++---- tasks/section_1/cis_1.1.2.5.x.yml | 12 ++++----- tasks/section_1/cis_1.1.2.6.x.yml | 12 ++++----- tasks/section_1/cis_1.1.2.7.x.yml | 12 ++++----- 9 files changed, 71 insertions(+), 71 deletions(-) 
diff --git a/handlers/main.yml b/handlers/main.yml index edd42124..dc6bf653 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -6,10 +6,10 @@ mount_point: '/tmp' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /tmp" - name: "Remounting /tmp" @@ -34,10 +34,10 @@ mount_point: '/dev/shm' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /dev/shm" - name: "Remounting /dev/shm" @@ -53,10 +53,10 @@ mount_point: '/home' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /home" - name: "Remounting /home" 
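Review bot: The rename to `prelim_mount_point_fs_and_options` does not reach templates/etc/systemd/system/tmp.mount.j2, which patch 02 of this series changed to read `mount_point_fs_and_options[mount_point]['options']`; that file is absent from this commit's diffstat and patch 11 touches only tasks/audit_only.yml, so rendering the tmp.mount unit would now fail on an undefined variable under Ansible's default strict undefined handling. The template line needs the same rename, `Options={{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}` (which also fixes the `Options:` and quoting syntax the earlier patch introduced). A grep for the old name across the role would confirm nothing else was missed; the handler hunks here are otherwise consistent.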
@@ -72,10 +72,10 @@ mount_point: '/var' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /var" - name: "Remounting /var" @@ -91,10 +91,10 @@ mount_point: '/var/tmp' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /var/tmp" - name: "Remounting /var/tmp" @@ -110,10 +110,10 @@ mount_point: '/var/log' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /var/log" - name: "Remounting /var/log" 
@@ -129,10 +129,10 @@ mount_point: '/var/log/audit' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /var/log/audit" - name: "Remounting /var/log/audit" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1f36df0f..2bd30871 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -36,22 +36,22 @@ ansible.builtin.shell: | mount | awk '{print $1, $3, $5, $6}' changed_when: false - register: mount_output + register: prelim_mount_output - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact ansible.builtin.set_fact: - mount_point_fs_and_options: >- - {%- set mount_point_fs_and_options = {} -%} - {%- for line in mount_output.stdout_lines -%} + prelim_mount_point_fs_and_options: >- + {%- set prelim_mount_point_fs_and_options = {} -%} + {%- for line in prelim_mount_output.stdout_lines -%} {%- set fields = line.split() -%} - {%- set _ = mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%} + {%- set _ = prelim_mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%} {%- endfor -%} - {{ mount_point_fs_and_options }} + {{ prelim_mount_point_fs_and_options }} - name: "PRELIM | AUDIT | Debug of mount variables to assist in troubleshooting" when: ubtu22cis_debug_mount_data ansible.builtin.debug: - msg: "{{ mount_point_fs_and_options }}" + msg: "{{ prelim_mount_point_fs_and_options }}" - name: Include audit specific variables when: diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index baf0f495..d33ea877 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -34,8 +34,8 @@ # via fstab - name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined - - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" + - prelim_mount_point_fs_and_options[mount_point] is defined + - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - ubtu22cis_rule_1_1_2_1_2 - not ubtu22cis_tmp_svc tags: 
@@ -52,15 +52,15 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined - - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" + - prelim_mount_point_fs_and_options[mount_point] is defined + - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - ubtu22cis_rule_1_1_2_1_3 - not ubtu22cis_tmp_svc tags: @@ -81,8 +81,8 @@ - name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined - - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" + - prelim_mount_point_fs_and_options[mount_point] is defined + - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - ubtu22cis_rule_1_1_2_1_4 - not ubtu22cis_tmp_svc tags: diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index 26b703c2..81aa836d 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml 
@@ -33,7 +33,7 @@ - name: "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_2_2 tags: - level1-server @@ -49,14 +49,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_2_3 tags: - level1-server @@ -76,7 +76,7 @@ - name: "1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_2_4 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index b45b4650..d41d339b 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml 
@@ -32,7 +32,7 @@ - name: "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_3_2 tags: - level1-server @@ -48,14 +48,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_3_3 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index 58ae6f4f..d934a51c 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -33,7 +33,7 @@ - name: "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_4_2 tags: - level1-server 
@@ -49,14 +49,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_4_3 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index a830b4b0..ea1140dd 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -33,7 +33,7 @@ - name: "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_5_2 tags: - level1-server 
@@ -49,14 +49,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_5_3 tags: - level1-server @@ -76,7 +76,7 @@ - name: "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_5_4 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index 780a8e9c..9d6eaae5 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml @@ -33,7 +33,7 @@ - name: "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_6_2 tags: - level1-server 
@@ -49,14 +49,14 @@
 notify: &mount_option_notify
 - "Remount {{ mount_point }}"
 ansible.builtin.set_fact: &mount_option_set_fact
- mount_point_fs_and_options: |
- {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
+ prelim_mount_point_fs_and_options: |
+ {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
 changed_when: &mount_option_changed_when
- - required_option not in mount_point_fs_and_options[mount_point]['original_options']
+ - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
 
 - name: "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition"
 when:
- - mount_point_fs_and_options[mount_point] is defined
+ - prelim_mount_point_fs_and_options[mount_point] is defined
 - ubtu22cis_rule_1_1_2_6_3
 tags:
 - level1-server
@@ -76,7 +76,7 @@
 - name: "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition"
 when:
- - mount_point_fs_and_options[mount_point] is defined
+ - prelim_mount_point_fs_and_options[mount_point] is defined
 - ubtu22cis_rule_1_1_2_6_4
 tags:
 - level1-server
diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml
index c7ed992c..b310e086 100644
--- a/tasks/section_1/cis_1.1.2.7.x.yml
+++ b/tasks/section_1/cis_1.1.2.7.x.yml
@@ -33,7 +33,7 @@
 - name: "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition"
 when:
- - mount_point_fs_and_options[mount_point] is defined
+ - prelim_mount_point_fs_and_options[mount_point] is defined
 - ubtu22cis_rule_1_1_2_7_2
 tags:
 - level1-server
@@ -49,14 +49,14 @@
 notify: &mount_option_notify
 - "Remount {{ mount_point }}"
 ansible.builtin.set_fact: &mount_option_set_fact
- mount_point_fs_and_options: |
- {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
+ prelim_mount_point_fs_and_options: |
+ {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }}
 changed_when: &mount_option_changed_when
- - required_option not in mount_point_fs_and_options[mount_point]['original_options']
+ - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options']
 
 - name: "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition"
 when:
- - mount_point_fs_and_options[mount_point] is defined
+ - prelim_mount_point_fs_and_options[mount_point] is defined
 - ubtu22cis_rule_1_1_2_7_3
 tags:
 - level1-server
@@ -76,7 +76,7 @@
 - name: "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition"
 when:
- - mount_point_fs_and_options[mount_point] is defined
+ - prelim_mount_point_fs_and_options[mount_point] is defined
 - ubtu22cis_rule_1_1_2_7_4
 tags:
 - level1-server
From 7f934388b977dea5abfa62806db4d51ef872945f Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 11 Dec 2024 14:48:22 +0000
Subject: [PATCH 11/11] change case in title
Signed-off-by: Mark Bolwell
---
 tasks/audit_only.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml
index 56e933de..a8e81e20 100644
--- a/tasks/audit_only.yml
+++ b/tasks/audit_only.yml
@@ -1,6 +1,6 @@
 ---
-- name: Audit_Only | Create local Directories for hosts
+- name: Audit_only | Create local Directories for hosts
 when: fetch_audit_files
 delegate_to: localhost
 become: false
