diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml
index 4e53e1fb..8893265c 100644
--- a/tasks/section_1/cis_1.5.x.yml
+++ b/tasks/section_1/cis_1.5.x.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter"
+- name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled | Set active kernel parameter"
 when: ubtu22cis_rule_1_5_1
 tags:
 - level1-server
diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml
index 2134f75d..6ea392db 100644
--- a/tasks/section_1/cis_1.6.x.yml
+++ b/tasks/section_1/cis_1.6.x.yml
@@ -71,7 +71,7 @@
 community.general.dpkg_divert:
 path: /etc/issue.net
 
-- name: "1.6.4 | PATCH | Ensure permissions on /etc/motd are configured"
+- name: "1.6.4 | PATCH | Ensure access to /etc/motd is configured"
 when: ubtu22cis_rule_1_6_4
 tags:
 - level1-server
@@ -88,7 +88,7 @@
 group: root
 mode: 'u-x,go-wx'
 
-- name: "1.6.5 | PATCH | Ensure permissions on /etc/issue are configured"
+- name: "1.6.5 | PATCH | Ensure access to /etc/issue is configured"
 when: ubtu22cis_rule_1_6_5
 tags:
 - level1-server
@@ -105,7 +105,7 @@
 group: root
 mode: 'u-x,go-wx'
 
-- name: "1.6.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
+- name: "1.6.6 | PATCH | Ensure access to /etc/issue.net is configured"
 when: ubtu22cis_rule_1_6_6
 tags:
 - level1-server
diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml
index f1381b1a..7c78788f 100644
--- a/tasks/section_1/cis_1.7.x.yml
+++ b/tasks/section_1/cis_1.7.x.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: "1.7.1 | PATCH | Ensure GNOME Display Manager is removed"
+- name: "1.7.1 | PATCH | Ensure GDM is removed"
 when:
 - ubtu22cis_rule_1_7_1
 - not ubtu22cis_desktop_required
@@ -56,7 +56,7 @@
 - { regexp: 'banner-message-text', line: "banner-message-text='{{ ubtu22cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: 'banner-message-enable' }
 notify: Update dconf
 
-- name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled"
+- name: "1.7.3 | PATCH | Ensure GDM disable-user-list option is enabled"
 when:
 - ubtu22cis_rule_1_7_3
 - ubtu22cis_desktop_required
@@ -72,7 +72,7 @@
 - NIST800-53R5_CM-7
 - NIST800-53R5_IA-5
 block:
- - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | make directories"
+ - name: "1.7.3 | PATCH | Ensure GDM disable-user-list option is enabled | make directories"
 ansible.builtin.file:
 path: "{{ item }}"
 owner: root
diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml
index db315764..c15fe386 100644
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@@ -134,7 +134,7 @@
 masked: true
 notify: Systemd_daemon_reload
 
-- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
+- name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use"
 when: ubtu22cis_rule_2_1_5
 tags:
 - level1-server
@@ -144,7 +144,7 @@
 - rule_2.1.5
 - NIST800-53R5_CM-7
 block:
- - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Remove package"
+ - name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Remove package"
 when:
 - "'dnsmasq' in ansible_facts.packages"
 - not ubtu22cis_dnsmasq_server
@@ -154,7 +154,7 @@
 state: absent
 purge: "{{ ubtu22cis_purge_apt }}"
 
- - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Mask service"
+ - name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Mask service"
 when:
 - not ubtu22cis_dnsmasq_server
 - ubtu22cis_dnsmasq_mask
@@ -664,7 +664,7 @@
 state: absent
 purge: "{{ ubtu22cis_purge_apt }}"
 
-- name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode"
+- name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode"
 when:
 - not ubtu22cis_is_mail_server
 - ubtu22cis_rule_2_1_21
@@ -678,7 +678,7 @@
 vars:
 warn_control_id: '2.2.21'
 block:
- - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed"
+ - name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed"
 when: "'exim4' in ansible_facts.packages"
 ansible.builtin.lineinfile:
 path: /etc/exim4/update-exim4.conf.conf
@@ -698,7 +698,7 @@
 - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" }
 notify: Restart exim4
 
- - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if postfix is installed"
+ - name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if postfix is installed"
 when: "'postfix' in ansible_facts.packages"
 notify: Restart postfix
 ansible.builtin.lineinfile:
@@ -706,7 +706,7 @@
 regexp: '^(#)?inet_interfaces'
 line: 'inet_interfaces = loopback-only'
 
- - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | Message out other main agents"
+ - name: "2.1.21 | WARN | Ensure mail transfer agent is configured for local-only mode | Message out other main agents"
 when:
 - "'exim4' not in ansible_facts.packages"
 - "'postfix' not in ansible_facts.packages"
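Review bot: The context line `warn_control_id: '2.2.21'` in the hunk at line 678 sits inside the task for control 2.1.21, so whatever consumes warn_control_id (presumably the warning tally produced by the `warn_count` task in the following hunk) will report the wrong control number for this MTA check. The commit brings the task titles in line with the benchmark wording but leaves this ID out of step; it should read `warn_control_id: '2.1.21'`. The enclosing block continues past the end of this hunk.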
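Review bot: The renamed WARN task in the hunk at line 706 still carries `Message out other main agents` in its title, which looks like a typo for `mail agents` that this naming cleanup could have caught. Suggested line: `- name: "2.1.21 | WARN | Ensure mail transfer agent is configured for local-only mode | Message out other mail agents"`. The task body runs past the end of this hunk.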
@@ -715,7 +715,7 @@
 - "Warning!! You are not using either exim4 or postfix, please ensure mail services set for local only mode"
 - "Please review your vendors documentation to configure local-only mode"
 
- - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | warn_count"
+ - name: "2.1.21 | WARN | Ensure mail transfer agent is configured for local-only mode | warn_count"
 when:
 - "'exim4' not in ansible_facts.packages"
 - "'postfix' not in ansible_facts.packages"
diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml
index 076bd4b2..7bcc9098 100644
--- a/tasks/section_2/cis_2.2.x.yml
+++ b/tasks/section_2/cis_2.2.x.yml
@@ -81,7 +81,7 @@
 state: absent
 purge: "{{ ubtu22cis_purge_apt }}"
 
-- name: "2.2.6 | PATCH | Ensure ftp is not installed"
+- name: "2.2.6 | PATCH | Ensure ftp client is not installed"
 when:
 - ubtu22cis_rule_2_2_6
 - not ubtu22cis_ftp_client
diff --git a/tasks/section_2/cis_2.4.1.x.yml b/tasks/section_2/cis_2.4.1.x.yml
index 7aed3c88..17d594bf 100644
--- a/tasks/section_2/cis_2.4.1.x.yml
+++ b/tasks/section_2/cis_2.4.1.x.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and running"
+- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and active"
 when: ubtu22cis_rule_2_4_1_1
 tags:
 - level1-server
@@ -119,7 +119,7 @@
 mode: '0700'
 state: directory
 
-- name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users"
+- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users"
 when: ubtu22cis_rule_2_4_1_8
 tags:
 - level1-server
@@ -130,17 +130,17 @@
 - NIST800-53R5_AC-3
 - NIST800-53R5_MP-2
 block:
- - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny"
+ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Remove cron.deny"
 ansible.builtin.file:
 path: /etc/cron.deny
 state: absent
 
- - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Check for cron.allow"
+ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Check for cron.allow"
 ansible.builtin.stat:
 path: /etc/cron.allow
 register: ubtu22cis_2_4_1_8_status
 
- - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Create cron.allow if doesn't exist"
+ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Create cron.allow if doesn't exist"
 when: not ubtu22cis_2_4_1_8_status.stat.exists
 ansible.builtin.file:
 path: /etc/cron.allow
@@ -149,7 +149,7 @@
 mode: 'u-x,g-wx,o-rwx'
 state: touch
 
- - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Update cron.allow if exists"
+ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Update cron.allow if exists"
 when: ubtu22cis_2_4_1_8_status.stat.exists
 ansible.builtin.file:
 path: /etc/cron.allow
diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml
index 5cddd0bd..09d19aad 100644
--- a/tasks/section_4/cis_4.1.x.yml
+++ b/tasks/section_4/cis_4.1.x.yml
@@ -55,7 +55,7 @@
 enabled: true
 state: started
 
-- name: "4.1.4 | PATCH | Ensure loopback traffic is configured"
+- name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured"
 when:
 - ubtu22cis_rule_4_1_4
 tags:
@@ -66,28 +66,28 @@
 - ufw
 - NIST800-53R5_SC-7
 block:
- - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set allow in ufw rules"
+ - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set allow in ufw rules"
 community.general.ufw:
 rule: allow
 direction: in
 interface: lo
 notify: Reload ufw
 
- - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set allow out ufw rules"
+ - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set allow out ufw rules"
 community.general.ufw:
 rule: allow
 direction: out
 interface: lo
 notify: Reload ufw
 
- - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv4"
+ - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set deny ufw rules IPv4"
 community.general.ufw:
 rule: deny
 direction: in
 from_ip: 127.0.0.0/8
 notify: Reload ufw
 
- - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv6"
+ - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set deny ufw rules IPv6"
 when: ubtu22cis_ipv6_required
 community.general.ufw:
 rule: deny
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml
index ca07d4cd..d7a118f9 100644
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@@ -140,7 +140,7 @@
 validate: 'sshd -t -f %s'
 notify: Restart sshd
 
-- name: "5.1.6 | PATCH | Ensure only strong Ciphers are used"
+- name: "5.1.6 | PATCH | Ensure sshd Ciphers are configured"
 when: ubtu22cis_rule_5_1_6
 tags:
 - level1-server
@@ -196,7 +196,7 @@
 validate: 'sshd -t -f %s'
 notify: Restart sshd
 
-- name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is is disabled"
+- name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
 when: ubtu22cis_rule_5_1_9
 tags:
 - level2-server
@@ -216,7 +216,7 @@
 validate: 'sshd -t -f %s'
 notify: Restart sshd
 
-- name: "5.1.10 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
+- name: "5.1.10 | PATCH | Ensure sshd HostbasedAuthentication is disabled"
 when: ubtu22cis_rule_5_1_10
 tags:
 - level1-server
@@ -236,7 +236,7 @@
 validate: 'sshd -t -f %s'
 notify: Restart sshd
 
-- name: "5.1.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
+- name: "5.1.11 | PATCH | Ensure sshd IgnoreRhosts is enabled"
 when: ubtu22cis_rule_5_1_11
 tags:
 - level1-server
@@ -256,7 +256,7 @@
 validate: 'sshd -t -f %s'
 notify: Restart sshd
 
-- name: "5.1.12 | PATCH | Ensure only strong Key Exchange algorithms are used"
+- name: "5.1.12 | PATCH | Ensure sshd Kexalgorithms is configured"
 when: ubtu22cis_rule_5_1_12
 tags:
 - level1-server
@@ -273,7 +273,7 @@
 validate: 'sshd -t -f %s'
 notify: Restart sshd
 
-- name: "5.1.13 | PATCH | Ensure SSH LoginGraceTime is configured"
+- name: "5.1.13 | PATCH | Ensure sshd LoginGraceTime is configured"
 when: ubtu22cis_rule_5_1_13
 tags:
 - level1-server
@@ -290,7 +290,7 @@
 validate: 'sshd -t -f %s'
 notify: Restart sshd
 
-- name: "5.1.14 | PATCH | Ensure SSH LogLevel is configured"
+- name: "5.1.14 | PATCH | Ensure sshd LogLevel is configured"
 when: ubtu22cis_rule_5_1_14
 tags:
 - level1-server
@@ -309,7 +309,7 @@
 validate: 'sshd -t -f %s'
 notify: Restart sshd
 
-- name: "5.1.15 | PATCH | Ensure only strong MAC algorithms are used"
+- name: "5.1.15 | PATCH | Ensure sshd MACs are configured"
 when: ubtu22cis_rule_5_1_15
 tags:
 - level1-server
@@ -330,7 +330,7 @@
 validate: 'sshd -t -f %s'
 notify: Restart sshd
 
-- name: "5.1.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
+- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is configured"
 when: ubtu22cis_rule_5_1_16
 tags:
 - level1-server
@@ -368,7 +368,7 @@
 validate: 'sshd -t -f %s'
 notify: Restart sshd
 
-- name: "5.1.18 | PATCH | Ensure SSH MaxStartups is configured"
+- name: "5.1.18 | PATCH | Ensure sshd MaxStartups is configured"
 when: ubtu22cis_rule_5_1_18
 tags:
 - level1-server
@@ -388,7 +388,7 @@
 validate: 'sshd -t -f %s'
 notify: Restart sshd
 
-- name: "5.1.19 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
+- name: "5.1.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled"
 when: ubtu22cis_rule_5_1_19
 tags:
 - level1-server
@@ -425,7 +425,7 @@
 validate: 'sshd -t -f %s'
 notify: Restart sshd
 
-- name: "5.1.21 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
+- name: "5.1.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled"
 when: ubtu22cis_rule_5_1_21
 tags:
 - level1-server
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index df8124db..b998d204 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -44,7 +44,7 @@
 line: 'Defaults logfile="{{ ubtu22cis_sudo_logfile }}"'
 insertafter: '^\s*Defaults'
 
-- name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
+- name: "5.2.4 | PATCH | Ensure users must provide password for privilege escalation"
 when: ubtu22cis_rule_5_2_4
 tags:
 - level2-server
diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml
index 6bf35231..f972c75f 100644
--- a/tasks/section_5/cis_5.3.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.3.2.x.yml
@@ -124,7 +124,7 @@
 group: root
 mode: '0600'
 
-- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
+- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured"
 when:
 - ubtu22cis_rule_5_3_3_2_5
 tags:
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
index 5b2c4ca0..7a8f8a95 100644
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@@ -53,8 +53,7 @@
 state: absent
 
 - name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
- when:
- - not ansible_check_mode
+ when: not ansible_check_mode
 ansible.builtin.shell: aideinit -y -f
 args:
 creates: "{{ ubtu22cis_aide_db_file }}"
diff --git a/tasks/section_6/cis_6.2.1.2.x.yml b/tasks/section_6/cis_6.2.1.2.x.yml
index 6211baa6..e4747936 100644
--- a/tasks/section_6/cis_6.2.1.2.x.yml
+++ b/tasks/section_6/cis_6.2.1.2.x.yml
@@ -40,7 +40,7 @@
 - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ ubtu22cis_journal_trustedcertificatefile }}'}
 notify: Restart journald
 
-- name: "6.2.1.2.3 | PATCH | Ensure systemd-journal-remote is enabled and active"
+- name: "6.2.1.2.3 | PATCH | Ensure systemd-journal-upload is enabled and active"
 when:
 - not ubtu22cis_system_is_log_server
 - ubtu22cis_rule_6_2_1_2_3
diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml
index 5c014389..a4937b3d 100644
--- a/tasks/section_6/cis_6.3.3.x.yml
+++ b/tasks/section_6/cis_6.3.3.x.yml
@@ -62,7 +62,7 @@
 ansible.builtin.set_fact:
 update_audit_template: true
 
-- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
+- name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
 when: ubtu22cis_rule_6_3_3_6
 tags:
 - level2-server
@@ -82,7 +82,7 @@
 ansible.builtin.set_fact:
 update_audit_template: true
 
-- name: "6.3.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected"
+- name: "6.3.3.7 | PATCH | Ensure unsuccessful file access attempts are collected"
 when: ubtu22cis_rule_6_3_3_7
 tags:
 - level2-server
@@ -237,7 +237,7 @@
 ansible.builtin.set_fact:
 update_audit_template: true
 
-- name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading is collected"
+- name: "6.3.3.19 | PATCH | Ensure kernel module loading unloading and modification is collected"
 when: ubtu22cis_rule_6_3_3_19
 tags:
 - level2-server