Merge pull request #214 from ansible-lockdown/devel
New release
uk-bolly authored Mar 11, 2024
2 parents 583e16f + f80e871 commit 98e6419
Showing 29 changed files with 275 additions and 86 deletions.
6 changes: 3 additions & 3 deletions .pre-commit-config.yaml
Expand Up @@ -36,13 +36,13 @@ repos:
args: [ '--baseline', '.config/.secrets.baseline' ]

- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.1
rev: v8.18.2
hooks:
- id: gitleaks
args: ['--baseline-path', '.config/.gitleaks-report.json']

- repo: https://github.com/ansible-community/ansible-lint
rev: v6.22.0
rev: v24.2.0
hooks:
- id: ansible-lint
name: Ansible-lint
Expand All @@ -61,6 +61,6 @@ repos:
- ansible-core>=2.10.1

- repo: https://github.com/adrienverge/yamllint.git
rev: v1.33.0 # or higher tag
rev: v1.35.1 # or higher tag
hooks:
- id: yamllint
10 changes: 10 additions & 0 deletions Changelog.md
Expand Up @@ -2,6 +2,16 @@

## Based on CIS V1.0.0

### 1.0.9

- updated audit command to allow multiple groups from inventory
- #144 usb-blacklisting - thanks to @paulquevedojdrf
- #152 and #170 Added ssh validate to tasks - thanks to @dderemiah and @twadelij
- #180 and #181 password reuse 5.3.4 - thanks to @DianaMariaDDM
- #182 pwquality enhancement New variable to allow extended or minclass (default)options - thanks to @ma3s7ro
- #184 Initial container config feedback required - thanks to @ipruteanu-sie
- #204 reboot not idempotent - changed auditd and reboot logic update to 4.1.3.6 discovery - thanks to @bhuddah

### 1.0.8

- updated goss binary to 0.4.4
36 changes: 29 additions & 7 deletions defaults/main.yml
Expand Up @@ -40,7 +40,7 @@ ubtu22cis_ask_passwd_to_boot: false
# is executed on a container image and sets the variable
# system_is_container the true. Otherwise, the default value
# 'false' is left unchanged.
system_is_container: false
container_vars_file: is_container.yml

## Root user used
# Root by default is not used unless setup by user
Expand Down Expand Up @@ -543,8 +543,10 @@ ubtu22cis_config_aide: true
## When Initializing aide this can take longer on some systems
# changing the values enables user to change to thier own requirements
ubtu22cis_aide_init:
async: 45 # Maximum Time in seconds
poll: 0 # Polling Interval in seconds
# Maximum Time in seconds
async: 45
# Polling Interval in seconds
poll: 0

## Control 1.3.2
# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.
Expand Down Expand Up @@ -597,7 +599,7 @@ ubtu22cis_set_boot_pass: false

ubtu22cis_grub_file: /boot/grub/grub.cfg

## 1.5.x
## Controls 1.5.x
# Ability to set file in which the kernel systcl changes are placed
ubtu22cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf

Expand Down Expand Up @@ -748,7 +750,7 @@ ubtu22cis_audit_back_log_limit: 8192
# This should be set based on your sites policy. CIS does not provide a specific value.
ubtu22cis_max_log_file_size: 10

## 4.1.3.x - Audit template
## Controls 4.1.3.x - Audit template
# This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the
# audit settings are overwritten with the role's template. In order to exclude
# specific rules, you must set the variable of form `ubtu22cis_rule_4_1_3_x` above
Expand Down Expand Up @@ -938,13 +940,33 @@ ubtu22cis_sudo_timestamp_timeout: 15
# CIS requires that such a group be created (named according to site policy) and be kept empty.
ubtu22cis_sugroup: nosugroup

## Control 5.4.1
# This variable allows us to use either
#

ubtu22cis_pwquality_minclass: true
ubtu22cis_pwquality_minclass_value: '4'
ubtu22cis_pwquality:
- key: '#minclass'
value: "{{ ubtu22cis_pwquality_minclass_value }}"
- key: 'minlen'
value: '14'
- key: 'dcredit'
value: '-1'
- key: 'ucredit'
value: '-1'
- key: 'ocredit'
value: '-1'
- key: 'lcredit'
value: '-1'

## Control 5.4.3
# This variable represents the number of password change cycles, after which
# a user can re-use a password.
# CIS requires a value of 5 or more.
ubtu22cis_pamd_pwhistory_remember: 5

# Control 5.4.2
## Control 5.4.2
# This can seriously break access to a system
## The end state the file /etc/pam.d/common-auth need to be understood
## If using external auth providers this will be very different
Expand All @@ -955,7 +977,7 @@ ubtu22cis_rule_5_4_2_faillock_config: |
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
# Control 5.4.4
## Control 5.4.4
# ubtu22cis_passwd_hash_algo is the hashing algorithm used
ubtu22cis_passwd_hash_algo: yescrypt # pragma: allowlist secret
# Set pam as well as login defs if PAM is required
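Review bot: The comment introducing the new 5.4.1 password-quality variables is unfinished — `# This variable allows us to use either` is followed by a bare `#` — so a reader cannot tell what `ubtu22cis_pwquality_minclass` switches between or why the first list entry is keyed `'#minclass'` rather than `minclass`. I would complete it along the lines of `# CIS 5.4.1 accepts either minclass=4 or the four per-class credit values; ubtu22cis_pwquality_minclass selects which form the 5.4.1 task writes (the '#minclass' key is presumably what gets un-commented when true — confirm against the task)`. The container comment near the top of the file still says the default `system_is_container` value of 'false' is "left unchanged", yet the only key shown beside it now is `container_vars_file: is_container.yml`; if `system_is_container: false` was moved out of this file, that comment should follow it or be rewritten to describe `container_vars_file`.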
21 changes: 8 additions & 13 deletions handlers/main.yml
@@ -1,5 +1,9 @@
---

- name: Update_Initramfs
ansible.builtin.shell: update-initramfs -u
notify: change_requires_reboot

- name: Remount tmp
ansible.posix.mount:
path: /tmp
Expand Down Expand Up @@ -39,6 +43,7 @@
- name: Grub update
ansible.builtin.shell: update-grub
failed_when: false
notify: change_requires_reboot

- name: Restart timeservice
ansible.builtin.systemd:
Expand Down Expand Up @@ -110,31 +115,21 @@
when:
- '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout'

- name: Auditd_immutable_check
ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false
register: auditd_immutable_check

- name: Audit_immutable_fact
ansible.builtin.debug:
msg: "Reboot required for auditd to apply new rules as immutable set"
notify: change_requires_reboot
when:
- auditd_immutable_check.stdout == '1'
- audit_rules_updated.changed
- auditd_immutable_check is defined

- name: Restart auditd
ansible.builtin.shell: service auditd restart
when:
- audit_rules_updated.changed or
rule_4_1_2_1.changed or
rule_4_1_2_2.changed or
rule_4_1_2_3.changed
- audit_rules_updated is defined
tags:
- skip_ansible_lint

- name: remount tmp
ansible.builtin.shell: mount -o remount /tmp

- name: restart sshd
ansible.builtin.systemd:
name: sshd
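Review bot: The new `notify: change_requires_reboot` on the Grub update handler fires even when `update-grub` fails, because the line above it keeps `failed_when: false`; a host whose grub.cfg was not regenerated (e.g. a malformed superuser/password stanza from 1.4.x) would be rebooted on the old bootloader config with the failure never surfaced. I would drop `failed_when: false` (or `register: grub_update` and keep only `changed_when: grub_update.rc == 0`) so the reboot is only requested after a successful regeneration. The new Update_Initramfs handler, like Grub update, runs a single command with no shell features through `ansible.builtin.shell`; `ansible.builtin.command: update-initramfs -u` is the lint-clean form and removes a shell from the path. The Restart auditd handler's `when` list still tests `audit_rules_updated.changed` before `audit_rules_updated is defined`, and Ansible evaluates the list in order, so the guard never protects the first expression; swapping the two entries is a one-line fix.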
2 changes: 1 addition & 1 deletion tasks/LE_audit_setup.yml
Expand Up @@ -10,7 +10,7 @@
- name: Pre Audit Setup | Set audit package name | ARM64
ansible.builtin.set_fact:
audit_pkg_arch_name: ARM64
when: ansible_facts.machine == "arm64"
when: ansible_facts.machine == "aarch64"

- name: Pre Audit Setup | Download audit binary
ansible.builtin.get_url:
20 changes: 2 additions & 18 deletions tasks/auditd.yml
Expand Up @@ -6,13 +6,13 @@
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: '0600'
mode: '0640'
register: audit_rules_updated
notify:
- Auditd rules reload
- Auditd_immutable_check
- Audit_immutable_fact
- Restart auditd
- change_requires_reboot
when: update_audit_template

- name: POST | Set up auditd user logging exceptions
Expand All @@ -25,19 +25,3 @@
notify: Restart auditd
when:
- ubtu22cis_allow_auditd_uid_user_exclusions

# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable"
# block:
# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Get status"
# ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
# changed_when: false
# failed_when: false
# register: ubtu22cis_auditd_immutable_check

# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Set reboot required"
# ansible.builtin.debug:
# msg: "Reboot required for auditd to apply new rules as immutable set"
# notify: change_requires_reboot
# when: ubtu22cis_auditd_immutable_check.stdout == '1'
# when:
# - ubtu22cis_audit_rules_update.changed
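Review bot: The template task now notifies `change_requires_reboot` on every change to 99_auditd.rules, regardless of whether the running auditd is immutable; the handlers this commit removes were gated on `-e 2` precisely because a reboot is only needed when the live configuration cannot be reloaded, otherwise `Auditd rules reload` / `Restart auditd` apply the new rules in place. The commit adds a prelim task that registers `auditd_immutable_check` from `auditctl -l`, but nothing in this file consults it, so every run that touches the rules file now reboots the host, or with `skip_reboot` reports a reboot requirement that does not exist. Since `notify` cannot be made conditional per handler, I would remove `change_requires_reboot` from the notify list and add a small follow-up task that flags the reboot only when the prelim check found the immutable flag, shown below. Separately, the rules file mode moves from `'0600'` to `'0640'` (assuming 0640 is the new side); CIS only requires 0640 or more restrictive, so 0600 was already compliant and the widening to group-readable is worth confirming as intentional.
```yaml
# … unchanged: template task (with change_requires_reboot dropped from notify) and user-exclusion task …
- name: POST | AUDITD | Flag reboot when rules changed while auditd is immutable
  ansible.builtin.debug:
    msg: "Reboot required for auditd to apply new rules as immutable set"
  changed_when: true
  notify: change_requires_reboot
  when:
    - audit_rules_updated is changed
    - (auditd_immutable_check.stdout | default('0')) != '0'
```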
2 changes: 2 additions & 0 deletions tasks/main.yml
Expand Up @@ -208,13 +208,15 @@
ansible.builtin.reboot:
when:
- not skip_reboot
- change_requires_reboot

- name: Warning a reboot required but skip option set
ansible.builtin.debug:
msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
changed_when: true
when:
- skip_reboot
- change_requires_reboot

- name: Run post remediation audit
ansible.builtin.import_tasks:
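Review bot: Both tasks now depend on `change_requires_reboot` being defined on every run, including runs in which no handler ever notified it, and `when: - change_requires_reboot` on an undefined variable is an error rather than false. If the role initialises `change_requires_reboot: false` in vars/ or defaults (not visible on this page) this is fine; otherwise write both conditions as `- change_requires_reboot | default(false)`. The `ansible.builtin.reboot:` task begins above this hunk, so its options are not visible here.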
2 changes: 1 addition & 1 deletion tasks/post_remediation_audit.yml
@@ -1,7 +1,7 @@
---

- name: Post Audit | Run post_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
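Review bot: Wrapping `{{ group_names }}` in hand-written double quotes turns the list into one shell word, but `group_names` renders as a Python list repr (e.g. `['cis', 'web']`), and any group name containing `"`, `$` or a backtick is still expanded by the shell because the quoting is done inside the `ansible.builtin.shell` string rather than by Ansible. If `run_audit.sh -g` accepts a delimited list, `-g {{ group_names | join(',') | quote }}` is the idiomatic form: one argument, shell-safe, and independent of the repr format; if the script really parses the repr, use `-g {{ group_names | string | quote }}` so at least the escaping is correct. Inventory group names are normally trusted, so this is about robustness more than injection, but the identical pattern is in the pre-remediation task and should change with it.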
2 changes: 1 addition & 1 deletion tasks/pre_remediation_audit.yml
Expand Up @@ -77,7 +77,7 @@
mode: '0600'

- name: Pre Audit | Run pre_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
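Review bot: The hand-quoted `\"{{ group_names }}\"` passes a Python list repr as a single shell word and relies on no group name containing a quote, `$` or backtick; prefer `-g {{ group_names | join(',') | quote }}` (or `{{ group_names | string | quote }}` if run_audit.sh parses the repr) so Ansible does the shell escaping. This matches the change I would make to the post-remediation task, which uses the same command line.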
27 changes: 16 additions & 11 deletions tasks/prelim.yml
Expand Up @@ -133,7 +133,16 @@
- auditd
- always

- name: "PRELIM | 5.3.4 | Find all sudoers files."
- name: "PRELIM | Check if auditd is immutable before changes"
ansible.builtin.shell: auditctl -l | grep -c '-e 2'
changed_when: false
failed_when: auditd_immutable_check.rc not in [ 0, 1 ]
register: auditd_immutable_check
when: "'auditd' in ansible_facts.packages"
tags:
- always

- name: "PRELIM | 5.3.4 | 5.3.5 | Find all sudoers files."
ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
changed_when: false
failed_when: false
Expand Down Expand Up @@ -177,6 +186,12 @@
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/false") { print $6 }'
changed_when: false
register: interactive_users_home
when:
- ubtu22cis_rule_6_2_11 or
ubtu22cis_rule_6_2_13 or
ubtu22cis_rule_6_2_14 or
ubtu22cis_rule_6_2_15 or
ubtu22cis_rule_6_2_16
tags:
- always

Expand Down Expand Up @@ -207,16 +222,6 @@
changed_when: false
check_mode: false
register: ubtu22cis_users
when:
- ubtu22cis_rule_6_2_14 or
ubtu22cis_rule_6_2_15 or
ubtu22cis_rule_6_2_16
tags:
- always

- name: "PRELIM | Recapture packages"
ansible.builtin.package_facts:
manager: auto
tags:
- always

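Review bot: In the new immutable check, `grep -c '-e 2'` passes a single argument that starts with a dash, so grep reads it as the `-e` option with the pattern ` 2` (a space followed by 2) rather than the literal text `-e 2`; it still counts the `-e 2` line by accident, but it also counts any other rule line containing a space and a 2, which would report "immutable" and trigger an unnecessary reboot. Use the end-of-options marker and anchor the pattern, `ansible.builtin.shell: auditctl -l | grep -c -- '^-e 2$'`, which is also what the removed code looked for in the rules file; if `auditctl -l` turns out not to print the enabled flag, `auditctl -s | grep -c '^enabled 2'` is the documented way to read it. Because the pipeline's exit status is grep's, an `auditctl` failure (auditd not running, permission denied) is silently reported as rc 1 / "not immutable"; if that matters, run it under bash with `set -o pipefail` via `args: executable: /bin/bash`. The task is gated on `'auditd' in ansible_facts.packages` while the `PRELIM | Recapture packages` package_facts task appears to be deleted in the last hunk, so make sure package_facts is still gathered earlier in prelim (likely, but outside this view) or the `when` will fail on an undefined key.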
3 changes: 3 additions & 0 deletions tasks/section_1/cis_1.1.1.x.yml
Expand Up @@ -22,6 +22,7 @@
name: cramfs
state: absent
when: ansible_connection != 'docker'
notify: Update_Initramfs
when:
- ubtu22cis_rule_1_1_1_1
tags:
Expand Down Expand Up @@ -54,6 +55,7 @@
name: squashfs
state: absent
when: ansible_connection != 'docker'
notify: Update_Initramfs
when:
- ubtu22cis_rule_1_1_1_2
- snap_pkg_mgr.stdout == "0"
Expand Down Expand Up @@ -88,6 +90,7 @@
name: udf
state: absent
when: ansible_connection != 'docker'
notify: Update_Initramfs
when:
- ubtu22cis_rule_1_1_1_3
tags:
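Review bot: Each of the three module-removal tasks now notifies `Update_Initramfs`, and per handlers/main.yml in this commit that handler in turn notifies `change_requires_reboot`, so removing cramfs, squashfs or udf will now reboot the host (or flag a reboot) on every run where the module was loaded, even though `modprobe state: absent` unloads it immediately and the rebuilt initramfs only matters at the next boot. If that is deliberate it deserves a comment on the notify line, e.g. `notify: Update_Initramfs  # rebuild initramfs so the blacklist persists; the handler also flags a reboot`; if not, the reboot request belongs on whatever task writes the modprobe.d blacklist (outside this hunk) rather than on the unload. The notify sits on the modprobe task whose own `when: ansible_connection != 'docker'` already skips it in containers, so no additional guard is needed for the handler.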
1 change: 1 addition & 0 deletions tasks/section_1/cis_1.1.10.yml
Expand Up @@ -20,6 +20,7 @@
name: usb-storage
state: absent
when: ansible_connection != 'docker'
notify: Update_Initramfs
when:
- ubtu22cis_rule_1_1_10
- not ubtu22cis_allow_usb_storage
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.1.2.x.yml
Expand Up @@ -65,7 +65,7 @@
state: present
fstype: "{{ item.fstype }}"
opts: defaults,{% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %}
notify: remount tmp
notify: Remount tmp
with_items:
- "{{ ansible_facts.mounts }}"
loop_control:
24 changes: 18 additions & 6 deletions tasks/section_1/cis_1.7.x.yml
Expand Up @@ -29,9 +29,15 @@
- motd

- name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly"
ansible.builtin.template:
src: etc/issue.j2
dest: /etc/issue
block:
- name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly | issue"
ansible.builtin.template:
src: etc/issue.j2
dest: /etc/issue

- name: "1.7.2 | PATCH | Ensure local login warning banner is kept on package upgrade | issue"
community.general.dpkg_divert:
path: /etc/issue
when:
- ubtu22cis_rule_1_7_2
tags:
Expand All @@ -43,9 +49,15 @@
- banner

- name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly"
ansible.builtin.template:
src: etc/issue.net.j2
dest: /etc/issue.net
block:
- name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly | issue.net"
ansible.builtin.template:
src: etc/issue.net.j2
dest: /etc/issue.net

- name: "1.7.3 | PATCH | Ensure remote login warning banner is kept on package upgrade | issue.net"
community.general.dpkg_divert:
path: /etc/issue.net
when:
- ubtu22cis_rule_1_7_3
tags:
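Review bot: The new `community.general.dpkg_divert` tasks rely entirely on module defaults (`state: present`, `rename: false`, divert target `<path>.distrib`), and nothing but the task name explains that the purpose is to stop a base-files upgrade from overwriting the banner; the module also adds a dependency on the `community.general` collection that must appear in the role's collection requirements (not visible here). I would state the defaults explicitly — `state: present` and `rename: false` — and add a comment such as `# Divert the packaged file so a base-files upgrade lands in /etc/issue.distrib and the CIS banner stays in place`. The diversion is one-way: disabling `ubtu22cis_rule_1_7_2` / `ubtu22cis_rule_1_7_3` later will not remove it, so a revert path would need a `state: absent` task. The template tasks still set no owner/group/mode; unless 1.7.5/1.7.6 below enforce `0644` root:root on these files, add them here so a freshly created banner does not inherit the umask.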
