Updated titles #256 thanks to @bgro

Signed-off-by: Mark Bolwell <[email protected]>

tasks/section_1/cis_1.5.x.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter"
+- name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled | Set active kernel parameter"
   when: ubtu22cis_rule_1_5_1
   tags:
     - level1-server

tasks/section_1/cis_1.6.x.yml

@@ -71,7 +71,7 @@
       community.general.dpkg_divert:
         path: /etc/issue.net
 
-- name: "1.6.4 | PATCH | Ensure permissions on /etc/motd are configured"
+- name: "1.6.4 | PATCH | Ensure access to /etc/motd is configured"
   when: ubtu22cis_rule_1_6_4
   tags:
     - level1-server
@@ -88,7 +88,7 @@
     group: root
     mode: 'u-x,go-wx'
 
-- name: "1.6.5 | PATCH | Ensure permissions on /etc/issue are configured"
+- name: "1.6.5 | PATCH | Ensure access to /etc/issue is configured"
   when: ubtu22cis_rule_1_6_5
   tags:
     - level1-server
@@ -105,7 +105,7 @@
     group: root
     mode: 'u-x,go-wx'
 
-- name: "1.6.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
+- name: "1.6.6 | PATCH | Ensure access to /etc/issue.net is configured"
   when: ubtu22cis_rule_1_6_6
   tags:
     - level1-server

tasks/section_1/cis_1.7.x.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: "1.7.1 | PATCH | Ensure GNOME Display Manager is removed"
+- name: "1.7.1 | PATCH | Ensure GDM is removed"
   when:
     - ubtu22cis_rule_1_7_1
     - not ubtu22cis_desktop_required
@@ -56,7 +56,7 @@
           - { regexp: 'banner-message-text', line: "banner-message-text='{{ ubtu22cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: 'banner-message-enable' }
   notify: Update dconf
 
-- name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled"
+- name: "1.7.3 | PATCH | Ensure GDM disable-user-list option is enabled"
   when:
     - ubtu22cis_rule_1_7_3
     - ubtu22cis_desktop_required
@@ -72,7 +72,7 @@
     - NIST800-53R5_CM-7
     - NIST800-53R5_IA-5
   block:
-    - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | make directories"
+    - name: "1.7.3 | PATCH | Ensure GDM disable-user-list option is enabled | make directories"
       ansible.builtin.file:
         path: "{{ item }}"
         owner: root

tasks/section_2/cis_2.1.x.yml

@@ -134,7 +134,7 @@
         masked: true
       notify: Systemd_daemon_reload
 
-- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
+- name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use"
   when: ubtu22cis_rule_2_1_5
   tags:
     - level1-server
@@ -144,7 +144,7 @@
     - rule_2.1.5
     - NIST800-53R5_CM-7
   block:
-    - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Remove package"
+    - name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Remove package"
       when:
         - "'dnsmasq' in ansible_facts.packages"
         - not ubtu22cis_dnsmasq_server
@@ -154,7 +154,7 @@
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
 
-    - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Mask service"
+    - name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Mask service"
       when:
         - not ubtu22cis_dnsmasq_server
         - ubtu22cis_dnsmasq_mask
@@ -664,7 +664,7 @@
     state: absent
     purge: "{{ ubtu22cis_purge_apt }}"
 
-- name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode"
+- name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode"
   when:
     - not ubtu22cis_is_mail_server
     - ubtu22cis_rule_2_1_21
@@ -678,7 +678,7 @@
   vars:
     warn_control_id: '2.2.21'
   block:
-    - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed"
+    - name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed"
       when: "'exim4' in ansible_facts.packages"
       ansible.builtin.lineinfile:
         path: /etc/exim4/update-exim4.conf.conf
@@ -698,15 +698,15 @@
           - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" }
         notify: Restart exim4
 
-    - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if postfix is installed"
+    - name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if postfix is installed"
       when: "'postfix' in ansible_facts.packages"
       notify: Restart postfix
       ansible.builtin.lineinfile:
         path: /etc/postfix/main.cf
         regexp: '^(#)?inet_interfaces'
         line: 'inet_interfaces = loopback-only'
 
-    - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | Message out other main agents"
+    - name: "2.1.21 | WARN | Ensure mail transfer agent is configured for local-only mode | Message out other main agents"
       when:
         - "'exim4' not in ansible_facts.packages"
         - "'postfix' not in ansible_facts.packages"
@@ -715,7 +715,7 @@
           - "Warning!! You are not using either exim4 or postfix, please ensure mail services set for local only mode"
           - "Please review your vendors documentation to configure local-only mode"
 
-    - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | warn_count"
+    - name: "2.1.21 | WARN | Ensure mail transfer agent is configured for local-only mode | warn_count"
       when:
         - "'exim4' not in ansible_facts.packages"
         - "'postfix' not in ansible_facts.packages"

tasks/section_2/cis_2.2.x.yml

@@ -81,7 +81,7 @@
     state: absent
     purge: "{{ ubtu22cis_purge_apt }}"
 
-- name: "2.2.6 | PATCH | Ensure ftp is not installed"
+- name: "2.2.6 | PATCH | Ensure ftp client is not installed"
   when:
     - ubtu22cis_rule_2_2_6
     - not ubtu22cis_ftp_client

tasks/section_2/cis_2.4.1.x.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and running"
+- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and active"
   when: ubtu22cis_rule_2_4_1_1
   tags:
     - level1-server
@@ -119,7 +119,7 @@
     mode: '0700'
     state: directory
 
-- name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users"
+- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users"
   when: ubtu22cis_rule_2_4_1_8
   tags:
     - level1-server
@@ -130,17 +130,17 @@
     - NIST800-53R5_AC-3
     - NIST800-53R5_MP-2
   block:
-    - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny"
+    - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Remove cron.deny"
       ansible.builtin.file:
         path: /etc/cron.deny
         state: absent
 
-    - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Check for cron.allow"
+    - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Check for cron.allow"
       ansible.builtin.stat:
         path: /etc/cron.allow
       register: ubtu22cis_2_4_1_8_status
 
-    - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Create cron.allow if doesn't exist"
+    - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Create cron.allow if doesn't exist"
       when: not ubtu22cis_2_4_1_8_status.stat.exists
       ansible.builtin.file:
         path: /etc/cron.allow
@@ -149,7 +149,7 @@
         mode: 'u-x,g-wx,o-rwx'
         state: touch
 
-    - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users |  Update cron.allow if exists"
+    - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users |  Update cron.allow if exists"
       when: ubtu22cis_2_4_1_8_status.stat.exists
       ansible.builtin.file:
         path: /etc/cron.allow

tasks/section_4/cis_4.1.x.yml

@@ -55,7 +55,7 @@
         enabled: true
         state: started
 
-- name: "4.1.4 | PATCH | Ensure loopback traffic is configured"
+- name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured"
   when:
     - ubtu22cis_rule_4_1_4
   tags:
@@ -66,28 +66,28 @@
     - ufw
     - NIST800-53R5_SC-7
   block:
-    - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set allow in ufw rules"
+    - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set allow in ufw rules"
       community.general.ufw:
         rule: allow
         direction: in
         interface: lo
       notify: Reload ufw
 
-    - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set allow out ufw rules"
+    - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set allow out ufw rules"
       community.general.ufw:
         rule: allow
         direction: out
         interface: lo
       notify: Reload ufw
 
-    - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv4"
+    - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set deny ufw rules IPv4"
       community.general.ufw:
         rule: deny
         direction: in
         from_ip: 127.0.0.0/8
       notify: Reload ufw
 
-    - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv6"
+    - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set deny ufw rules IPv6"
       when: ubtu22cis_ipv6_required
       community.general.ufw:
         rule: deny

tasks/section_5/cis_5.1.x.yml

@@ -140,7 +140,7 @@
     validate: 'sshd -t -f %s'
   notify: Restart sshd
 
-- name: "5.1.6 | PATCH | Ensure only strong Ciphers are used"
+- name: "5.1.6 | PATCH | Ensure sshd Ciphers are configured"
   when: ubtu22cis_rule_5_1_6
   tags:
     - level1-server
@@ -196,7 +196,7 @@
     validate: 'sshd -t -f %s'
   notify: Restart sshd
 
-- name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is is disabled"
+- name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
   when: ubtu22cis_rule_5_1_9
   tags:
     - level2-server
@@ -216,7 +216,7 @@
     validate: 'sshd -t -f %s'
   notify: Restart sshd
 
-- name: "5.1.10 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
+- name: "5.1.10 | PATCH | Ensure sshd HostbasedAuthentication is disabled"
   when: ubtu22cis_rule_5_1_10
   tags:
     - level1-server
@@ -236,7 +236,7 @@
     validate: 'sshd -t -f %s'
   notify: Restart sshd
 
-- name: "5.1.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
+- name: "5.1.11 | PATCH | Ensure sshd IgnoreRhosts is enabled"
   when: ubtu22cis_rule_5_1_11
   tags:
     - level1-server
@@ -256,7 +256,7 @@
     validate: 'sshd -t -f %s'
   notify: Restart sshd
 
-- name: "5.1.12 | PATCH | Ensure only strong Key Exchange algorithms are used"
+- name: "5.1.12 | PATCH | Ensure sshd Kexalgorithms is configured"
   when: ubtu22cis_rule_5_1_12
   tags:
     - level1-server
@@ -273,7 +273,7 @@
     validate: 'sshd -t -f %s'
   notify: Restart sshd
 
-- name: "5.1.13 | PATCH | Ensure SSH LoginGraceTime is configured"
+- name: "5.1.13 | PATCH | Ensure sshd LoginGraceTime is configured"
   when: ubtu22cis_rule_5_1_13
   tags:
     - level1-server
@@ -290,7 +290,7 @@
     validate: 'sshd -t -f %s'
   notify: Restart sshd
 
-- name: "5.1.14 | PATCH | Ensure SSH LogLevel is configured"
+- name: "5.1.14 | PATCH | Ensure sshd LogLevel is configured"
   when: ubtu22cis_rule_5_1_14
   tags:
     - level1-server
@@ -309,7 +309,7 @@
     validate: 'sshd -t -f %s'
   notify: Restart sshd
 
-- name: "5.1.15 | PATCH | Ensure only strong MAC algorithms are used"
+- name: "5.1.15 | PATCH | Ensure sshd MACs are configured"
   when: ubtu22cis_rule_5_1_15
   tags:
     - level1-server
@@ -330,7 +330,7 @@
     validate: 'sshd -t -f %s'
   notify: Restart sshd
 
-- name: "5.1.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
+- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is configured"
   when: ubtu22cis_rule_5_1_16
   tags:
     - level1-server
@@ -368,7 +368,7 @@
     validate: 'sshd -t -f %s'
   notify: Restart sshd
 
-- name: "5.1.18 | PATCH | Ensure SSH MaxStartups is configured"
+- name: "5.1.18 | PATCH | Ensure sshd MaxStartups is configured"
   when: ubtu22cis_rule_5_1_18
   tags:
     - level1-server
@@ -388,7 +388,7 @@
     validate: 'sshd -t -f %s'
   notify: Restart sshd
 
-- name: "5.1.19 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
+- name: "5.1.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled"
   when: ubtu22cis_rule_5_1_19
   tags:
     - level1-server
@@ -425,7 +425,7 @@
     validate: 'sshd -t -f %s'
   notify: Restart sshd
 
-- name: "5.1.21 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
+- name: "5.1.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled"
   when: ubtu22cis_rule_5_1_21
   tags:
     - level1-server

tasks/section_5/cis_5.2.x.yml

@@ -44,7 +44,7 @@
     line: 'Defaults        logfile="{{ ubtu22cis_sudo_logfile }}"'
     insertafter: '^\s*Defaults'
 
-- name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
+- name: "5.2.4 | PATCH | Ensure users must provide password for privilege escalation"
   when: ubtu22cis_rule_5_2_4
   tags:
     - level2-server

tasks/section_5/cis_5.3.3.2.x.yml

@@ -124,7 +124,7 @@
         group: root
         mode: '0600'
 
-- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
+- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured"
   when:
     - ubtu22cis_rule_5_3_3_2_5
   tags:

tasks/section_6/cis_6.1.x.yml

@@ -53,8 +53,7 @@
             state: absent
 
         - name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
-          when:
-            - not ansible_check_mode
+          when: not ansible_check_mode
           ansible.builtin.shell: aideinit -y -f
           args:
             creates: "{{ ubtu22cis_aide_db_file }}"

tasks/section_6/cis_6.2.1.2.x.yml

@@ -40,7 +40,7 @@
     - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ ubtu22cis_journal_trustedcertificatefile }}'}
   notify: Restart journald
 
-- name: "6.2.1.2.3 | PATCH | Ensure systemd-journal-remote is enabled and active"
+- name: "6.2.1.2.3 | PATCH | Ensure systemd-journal-upload is enabled and active"
   when:
     - not ubtu22cis_system_is_log_server
     - ubtu22cis_rule_6_2_1_2_3