Merge pull request #206 from ansible-lockdown/Jan24
Jan24 - changes and updates
uk-bolly authored Feb 12, 2024
2 parents 42a6418 + 40d5781 commit b87edb7
Showing 19 changed files with 200 additions and 48 deletions.
10 changes: 10 additions & 0 deletions Changelog.md
Expand Up @@ -2,6 +2,16 @@

## Based on CIS V1.0.0

### 1.0.9

- updated audit command to allow multiple groups from inventory
- #144 usb-blacklisting - thanks to @paulquevedojdrf
- #152 and #170 Added ssh validate to tasks - thanks to @dderemiah and @twadelij
- #180 and #181 password reuse 5.3.4 - thanks to @DianaMariaDDM
- #182 pwquality enhancement New variable to allow extended or minclass (default)options - thanks to @ma3s7ro
- #184 Initial container config feedback required - thanks to @ipruteanu-sie
- #204 reboot not idempotent - changed auditd and reboot logic update to 4.1.3.6 discovery - thanks to @bhuddah

### 1.0.8

- updated goss binary to 0.4.4
22 changes: 21 additions & 1 deletion defaults/main.yml
Expand Up @@ -40,7 +40,7 @@ ubtu22cis_ask_passwd_to_boot: false
# is executed on a container image and sets the variable
# system_is_container the true. Otherwise, the default value
# 'false' is left unchanged.
system_is_container: false
container_vars_file: is_container.yml

## Root user used
# Root by default is not used unless setup by user
Expand Down Expand Up @@ -940,6 +940,26 @@ ubtu22cis_sudo_timestamp_timeout: 15
# CIS requires that such a group be created (named according to site policy) and be kept empty.
ubtu22cis_sugroup: nosugroup

## Control 5.4.1
# This variable allows us to use either
#

ubtu22cis_pwquality_minclass: true
ubtu22cis_pwquality_minclass_value: '4'
ubtu22cis_pwquality:
- key: '#minclass'
value: "{{ ubtu22cis_pwquality_minclass_value }}"
- key: 'minlen'
value: '14'
- key: 'dcredit'
value: '-1'
- key: 'ucredit'
value: '-1'
- key: 'ocredit'
value: '-1'
- key: 'lcredit'
value: '-1'

## Control 5.4.3
# This variable represents the number of password change cycles, after which
# a user can re-use a password.
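Review bot: The `## Control 5.4.1` comment introducing the new variables is cut off — `# This variable allows us to use either` is followed by an empty `#` — so the meaning of `ubtu22cis_pwquality_minclass` and of the `#minclass` entry inside `ubtu22cis_pwquality` is left undocumented. Going by how tasks/section_5/cis_5.4.x.yml in this same commit consumes them, I would complete it as `# Either enforce the number of character classes via minclass (ubtu22cis_pwquality_minclass: true), or set it to false to write minclass as a commented-out line and apply the individual keys in ubtu22cis_pwquality instead`. Quoting the numeric values as strings (`'4'`, `'14'`, `'-1'`) is right here, since they are rendered into config lines rather than compared as integers.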
21 changes: 8 additions & 13 deletions handlers/main.yml
@@ -1,5 +1,9 @@
---

- name: Update_Initramfs
ansible.builtin.shell: update-initramfs -u
notify: change_requires_reboot

- name: Remount tmp
ansible.posix.mount:
path: /tmp
Expand Down Expand Up @@ -39,6 +43,7 @@
- name: Grub update
ansible.builtin.shell: update-grub
failed_when: false
notify: change_requires_reboot

- name: Restart timeservice
ansible.builtin.systemd:
Expand Down Expand Up @@ -110,31 +115,21 @@
when:
- '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout'

- name: Auditd_immutable_check
ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
changed_when: false
register: auditd_immutable_check

- name: Audit_immutable_fact
ansible.builtin.debug:
msg: "Reboot required for auditd to apply new rules as immutable set"
notify: change_requires_reboot
when:
- auditd_immutable_check.stdout == '1'
- audit_rules_updated.changed
- auditd_immutable_check is defined

- name: Restart auditd
ansible.builtin.shell: service auditd restart
when:
- audit_rules_updated.changed or
rule_4_1_2_1.changed or
rule_4_1_2_2.changed or
rule_4_1_2_3.changed
- audit_rules_updated is defined
tags:
- skip_ansible_lint

- name: remount tmp
ansible.builtin.shell: mount -o remount /tmp

- name: restart sshd
ansible.builtin.systemd:
name: sshd
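Review bot: The new `Update_Initramfs` handler runs a fixed command through `ansible.builtin.shell` with no `changed_when`, so it always reports changed and goes through a shell it does not need; `ansible.builtin.command: update-initramfs -u` is sufficient (the `Grub update` handler has the same shape, but only its `notify` line is new). In the `Restart auditd` handler, `- audit_rules_updated is defined` is listed after the condition that already dereferences `audit_rules_updated.changed`; because a `when` list is evaluated in order, the guard only protects anything if it is moved to the first position. Whether that ordering is new or pre-existing cannot be recovered from the rendered view.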
20 changes: 2 additions & 18 deletions tasks/auditd.yml
Expand Up @@ -6,13 +6,13 @@
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: '0600'
mode: '0640'
register: audit_rules_updated
notify:
- Auditd rules reload
- Auditd_immutable_check
- Audit_immutable_fact
- Restart auditd
- change_requires_reboot
when: update_audit_template

- name: POST | Set up auditd user logging exceptions
Expand All @@ -25,19 +25,3 @@
notify: Restart auditd
when:
- ubtu22cis_allow_auditd_uid_user_exclusions

# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable"
# block:
# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Get status"
# ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
# changed_when: false
# failed_when: false
# register: ubtu22cis_auditd_immutable_check

# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Set reboot required"
# ansible.builtin.debug:
# msg: "Reboot required for auditd to apply new rules as immutable set"
# notify: change_requires_reboot
# when: ubtu22cis_auditd_immutable_check.stdout == '1'
# when:
# - ubtu22cis_audit_rules_update.changed
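Review bot: The `notify` list on the rules-template task still names `Auditd_immutable_check` and `Audit_immutable_fact`, while the handlers/main.yml section of this commit shows both of those handlers among the lines being removed; which notify lines are old and which are new cannot be recovered from the rendered view, but any of those two names that survives on the new side will fail the play with a handler-not-found error the first time the template changes. Please confirm the new list is only `- Auditd rules reload`, `- Restart auditd` and `- change_requires_reboot`. Relaxing the rules file from `'0600'` to `'0640'` still satisfies the CIS requirement that audit configuration files be 640 or more restrictive, so that part reads fine.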
2 changes: 2 additions & 0 deletions tasks/main.yml
Expand Up @@ -208,13 +208,15 @@
ansible.builtin.reboot:
when:
- not skip_reboot
- change_requires_reboot

- name: Warning a reboot required but skip option set
ansible.builtin.debug:
msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
changed_when: true
when:
- skip_reboot
- change_requires_reboot

- name: Run post remediation audit
ansible.builtin.import_tasks:
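Review bot: Both the `ansible.builtin.reboot` task and the skip-warning task now gate on `change_requires_reboot`, but nothing in this hunk shows where that variable gets a value when no handler ran; if it is only set by the `change_requires_reboot` handler, a run with no notifying change fails on an undefined variable at the first of these two `when` lists. If it is declared in defaults/main.yml (that file's hunks here do not show it), ignore this; otherwise `- change_requires_reboot | default(false)` on both tasks keeps the play safe. The reboot task starts before the hunk, so its name is not visible.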
2 changes: 1 addition & 1 deletion tasks/post_remediation_audit.yml
@@ -1,7 +1,7 @@
---

- name: Post Audit | Run post_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
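Review bot: Wrapping `{{ group_names }}` in escaped double quotes keeps the value as a single argument to `-g`, but `group_names` is a list, so run_audit.sh now receives its Python-style rendering (`['grp_a', 'grp_b']` — constructed example) rather than a plain group list, and double quotes still let `$`, backticks and `\"` inside a group name reach the shell. Inventory group names are normally trusted input, so this is mainly a robustness concern; if run_audit.sh accepts a delimited list, `-g {{ group_names | join(',') | quote }}` avoids both the repr and the expansion. The same change is made in tasks/pre_remediation_audit.yml.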
2 changes: 1 addition & 1 deletion tasks/pre_remediation_audit.yml
Expand Up @@ -77,7 +77,7 @@
mode: '0600'

- name: Pre Audit | Run pre_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
15 changes: 9 additions & 6 deletions tasks/prelim.yml
Expand Up @@ -133,6 +133,15 @@
- auditd
- always

- name: "PRELIM | Check if auditd is immutable before changes"
ansible.builtin.shell: auditctl -l | grep -c '-e 2'
changed_when: false
failed_when: auditd_immutable_check.rc not in [ 0, 1 ]
register: auditd_immutable_check
when: "'auditd' in ansible_facts.packages"
tags:
- always

- name: "PRELIM | 5.3.4 | 5.3.5 | Find all sudoers files."
ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
changed_when: false
Expand Down Expand Up @@ -216,12 +225,6 @@
tags:
- always

- name: "PRELIM | Recapture packages"
ansible.builtin.package_facts:
manager: auto
tags:
- always

- name: "Optional | Patch | UFW firewall force to use /etc/sysctl.conf settings"
ansible.builtin.lineinfile:
path: /etc/default/ufw
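Review bot: In the new `PRELIM | Check if auditd is immutable before changes` task, `grep -c '-e 2'` does not search for `-e 2`: the single argument `-e 2` is parsed by grep as the `-e` option with the pattern ` 2` (a space and a two), so the count covers any rule line containing that substring. Use `grep -c -- '-e 2'` (or `grep -c -e '-e 2'`) to pass the literal pattern; it is also worth confirming that `auditctl -l` prints the `-e 2` flag at all, since `auditctl -s` reporting `enabled 2` is the usual sign of an immutable configuration. Because the pipeline's exit status is grep's, an auditctl failure (not root, audit subsystem absent) also lands in the accepted rc 1 and is read as "not immutable"; `set -o pipefail` with `executable: /bin/bash` would surface it.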
3 changes: 3 additions & 0 deletions tasks/section_1/cis_1.1.1.x.yml
Expand Up @@ -22,6 +22,7 @@
name: cramfs
state: absent
when: ansible_connection != 'docker'
notify: Update_Initramfs
when:
- ubtu22cis_rule_1_1_1_1
tags:
Expand Down Expand Up @@ -54,6 +55,7 @@
name: squashfs
state: absent
when: ansible_connection != 'docker'
notify: Update_Initramfs
when:
- ubtu22cis_rule_1_1_1_2
- snap_pkg_mgr.stdout == "0"
Expand Down Expand Up @@ -88,6 +90,7 @@
name: udf
state: absent
when: ansible_connection != 'docker'
notify: Update_Initramfs
when:
- ubtu22cis_rule_1_1_1_3
tags:
1 change: 1 addition & 0 deletions tasks/section_1/cis_1.1.10.yml
Expand Up @@ -20,6 +20,7 @@
name: usb-storage
state: absent
when: ansible_connection != 'docker'
notify: Update_Initramfs
when:
- ubtu22cis_rule_1_1_10
- not ubtu22cis_allow_usb_storage
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.1.2.x.yml
Expand Up @@ -65,7 +65,7 @@
state: present
fstype: "{{ item.fstype }}"
opts: defaults,{% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %}
notify: remount tmp
notify: Remount tmp
with_items:
- "{{ ansible_facts.mounts }}"
loop_control:
15 changes: 14 additions & 1 deletion tasks/section_1/main.yml
Expand Up @@ -7,10 +7,12 @@
- name: "SECTION | 1.1.2 | configure /tmp"
ansible.builtin.import_tasks:
file: cis_1.1.2.x.yml
when: not system_is_container

- name: "SECTION | 1.1.3 | configure /var"
ansible.builtin.import_tasks:
file: cis_1.1.3.x.yml
when: not system_is_container

- name: "SECTION | 1.1.4 | configure /var/tmp"
ansible.builtin.import_tasks:
Expand All @@ -19,30 +21,37 @@
- name: "SECTION | 1.1.5 | configure /var/log"
ansible.builtin.import_tasks:
file: cis_1.1.5.x.yml
when: not system_is_container

- name: "SECTION | 1.1.6 | configure /var/log/audit"
ansible.builtin.import_tasks:
file: cis_1.1.6.x.yml
when: not system_is_container

- name: "SECTION | 1.1.7 | configure /home"
ansible.builtin.import_tasks:
file: cis_1.1.7.x.yml
when: not system_is_container

- name: "SECTION | 1.1.8 | configure /dev/shm"
ansible.builtin.import_tasks:
file: cis_1.1.8.x.yml
when: not system_is_container

- name: "SECTION | 1.1.9 | configure software updates"
ansible.builtin.import_tasks:
file: cis_1.1.9.yml
when: not system_is_container

- name: "SECTION | 1.1.10 | Disable USB storage"
ansible.builtin.import_tasks:
file: cis_1.1.10.yml
when: not system_is_container

- name: "SECTION | 1.2 | Configure Software Updates"
ansible.builtin.import_tasks:
file: cis_1.2.x.yml
when: not system_is_container

- name: "SECTION | 1.3. | Filesystem Integrity Checking"
ansible.builtin.import_tasks:
Expand All @@ -55,6 +64,7 @@
- name: "SECTION | 1.5 | Additional Process Hardening"
ansible.builtin.import_tasks:
file: cis_1.5.x.yml
when: not system_is_container

- name: "SECTION | 1.6 | Mandatory Access Control"
ansible.builtin.import_tasks:
Expand All @@ -67,8 +77,11 @@
- name: "SECTION | 1.8 | GNOME Display Manager"
ansible.builtin.import_tasks:
file: cis_1.8.x.yml
when: "'gdm3' in ansible_facts.packages"
when:
- "'gdm3' in ansible_facts.packages"
- not system_is_container

- name: "SECTION | 1.9 | Ensure updates, patches, and additional security software are installed"
ansible.builtin.import_tasks:
file: cis_1.9.yml
when: not system_is_container
2 changes: 1 addition & 1 deletion tasks/section_4/cis_4.1.3.x.yml
Expand Up @@ -70,7 +70,7 @@
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
block:
- name: "4.1.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs"
ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done | grep -vw '/snap'
register: priv_procs
changed_when: false
check_mode: false
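Review bot: The appended `| grep -vw '/snap'` makes grep the last command in the pipeline, so when every line is filtered out (or the find loop prints nothing) the task exits 1 and fails instead of registering an empty `priv_procs`; the visible lines set `changed_when` and `check_mode` but no `failed_when`, and the block continues past the hunk, so if one is not already there add `failed_when: priv_procs.rc not in [0, 1]`. The `-w` flag makes `/snap` match only as a whole word, so paths under a directory such as `/snapshot` are kept, which looks intended.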
2 changes: 1 addition & 1 deletion tasks/section_5/cis_5.2.x.yml
Expand Up @@ -123,7 +123,7 @@
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^LogLevel|^#LogLevel'
line: 'LogLevel {{ ubtu22cis_sshd.log_level }}'
line: "LogLevel {{ ubtu22cis_sshd.log_level }}"
insertafter: '^# Logging'
validate: 'sshd -t -f %s'
notify: restart sshd
1 change: 0 additions & 1 deletion tasks/section_5/cis_5.3.x.yml
Expand Up @@ -114,7 +114,6 @@

- name: "5.3.7 | PATCH | Ensure access to the su command is restricted"
block:

- name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
ansible.builtin.group:
name: "{{ ubtu22cis_sugroup }}"
13 changes: 11 additions & 2 deletions tasks/section_5/cis_5.4.x.yml
Expand Up @@ -16,8 +16,17 @@
- name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add minclass"
ansible.builtin.lineinfile:
path: /etc/security/pwquality.conf
regexp: '^minclass|^# minclass'
line: 'minclass = 4'
regexp: ^minclass
line: "minclass = {{ ubtu22cis_pwquality_minclass_value }}"
when: ubtu22cis_pwquality_minclass

- name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add extended keys"
ansible.builtin.lineinfile:
path: /etc/security/pwquality.conf
regexp: ^{{ item.key }}
line: "{{ item.key }} = {{ item.value }}"
loop: "{{ ubtu22cis_pwquality }}"
when: not ubtu22cis_pwquality_minclass

- name: "5.4.1 | AUDIT | Ensure password creation requirements are configured | Confirm pwquality module in common-password"
ansible.builtin.shell: grep 'password.*requisite.*pam_pwquality.so' /etc/pam.d/common-password
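Review bot: The new loop regexp `^{{ item.key }}` only matches a key that is already active at the start of a line, and the `#minclass` entry only matches an already commented one; so once a run with `ubtu22cis_pwquality_minclass: true` has written `minclass = 4`, flipping the variable to false leaves that active line in place and appends `#minclass = 4` below it — if I read the intent (minclass or credit keys, not both) correctly. A regexp that matches the key in either state, `regexp: '^#?\s*{{ item.key | regex_replace("^#", "") }}\s*='`, and for the minclass task `regexp: '^#?\s*minclass\s*='`, lets lineinfile rewrite the existing line instead of appending, which is also what the dropped `|^# minclass` alternative was doing for the shipped default. The regexp also interpolates `item.key` unescaped; harmless for these fixed keys, but `| regex_escape` keeps it safe should the list ever be user-extended.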
3 changes: 3 additions & 0 deletions tasks/section_5/main.yml
Expand Up @@ -7,14 +7,17 @@
- name: "SECTION | 5.2 | Configure sudo"
ansible.builtin.import_tasks:
file: cis_5.2.x.yml
when: not system_is_container

- name: "SECTION | 5.3 | Configure SSH Server"
ansible.builtin.import_tasks:
file: cis_5.3.x.yml
when: not system_is_container

- name: "SECTION | 5.4.x | User PAM"
ansible.builtin.import_tasks:
file: cis_5.4.x.yml
when: not system_is_container

- name: "SECTION | 5.5.x | User Accounts and Environment"
ansible.builtin.import_tasks:
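Review bot: The new `when: not system_is_container` conditions are attached to sections whose names do not match the files they import: `SECTION | 5.2 | Configure sudo` imports cis_5.2.x.yml, which in this same commit edits /etc/ssh/sshd_config, while `SECTION | 5.3 | Configure SSH Server` imports cis_5.3.x.yml, which carries the 5.3.7 su restriction. Swapping the two names (`"SECTION | 5.2 | Configure SSH Server"`, `"SECTION | 5.3 | Configure sudo"`) makes the skip a reader sees in the play output match what is actually skipped. Skipping 5.4.x (PAM/pwquality) inside containers also drops password-quality hardening from images that carry local accounts; if that is deliberate, a one-line comment above that task stating why would save the next reader from re-asking.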