diff --git a/.ansible-lint b/.ansible-lint
index b717f678..c7095e24 100755
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -11,6 +11,7 @@ skip_list:
 - 'name[casing]'
 - 'name[template]'
 - 'key-order[task]'
+ - 'yaml[line-length]'
 - '204'
 - '305'
 - '303'
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
index dba39dc0..040dbf2d 100644
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@@ -17,7 +17,7 @@
 # A workflow run is made up of one or more jobs
 # that can run sequentially or in parallel
 jobs:
- # This will create messages for first time contributers and direct them to the Discord server
+ # This will create messages for first-time contributors and direct them to the Discord server
 welcome:
 runs-on: ubuntu-latest
@@ -29,13 +29,13 @@
 Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
- # This workflow contains a single job which tests the playbook
+ # This workflow contains a single job that tests the playbook
 playbook-test:
 # The type of runner that the job will run on
 runs-on: ubuntu-latest
 env:
 ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
- # Imported as a variable by terraform
+ # Imported as a variable by Terraform
 TF_VAR_repository: ${{ github.event.repository.name }}
 defaults:
 run:
@@ -48,7 +48,7 @@
 with:
 ref: ${{ github.event.pull_request.head.sha }}
- # Pull in terraform code for linux servers
+ # Pull in Terraform code for Linux servers
 - name: Clone github IaC plan
 uses: actions/checkout@v3
 with:
@@ -74,7 +74,7 @@
 pwd
 ls
 env:
- # Imported from github variables this is used to load the relvent OS.tfvars file
+ # Imported from GitHub variables this is used to load the relevant OS.tfvars file
 OSVAR: ${{ vars.OSVAR }}
 benchmark_type: ${{ vars.BENCHMARK_TYPE }}
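Review bot: Adding `'yaml[line-length]'` to `skip_list` silences that rule for every file in the repository rather than for the specific long lines, so overlong lines added later to task files will no longer be reported. If the intent is only to tolerate the long comment lines touched in this commit, a per-line `# noqa: yaml[line-length]` or a higher `line-length: max:` setting in `.yamllint` (which ansible-lint's yaml rules honour) keeps the check active elsewhere.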
@@ -82,7 +82,7 @@
 id: init
 run: terraform init
 env:
- # Imported from github variables this is used to load the relvent OS.tfvars file
+ # Imported from GitHub variables this is used to load the relevant OS.tfvars file
 OSVAR: ${{ vars.OSVAR }}
 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
@@ -90,7 +90,7 @@
 id: validate
 run: terraform validate
 env:
- # Imported from github variables this is used to load the relvent OS.tfvars file
+ # Imported from GitHub variables this is used to load the relevant OS.tfvars file
 OSVAR: ${{ vars.OSVAR }}
 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
@@ -108,12 +108,12 @@
 if: env.ENABLE_DEBUG == 'true'
 run: cat hosts.yml
- # Aws deployments taking a while to come up insert sleep or playbook fails
+ # AWS deployments taking a while to come up insert sleep or playbook fails
 - name: Sleep for 60 seconds
 run: sleep 60s
- # Run the ansible playbook
+ # Run the Ansible playbook
 - name: Run_Ansible_Playbook
 uses: arillso/action.playbook@master
 with:
diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
index 0b149fb3..976f9b79 100644
--- a/.github/workflows/main_pipeline_validation.yml
+++ b/.github/workflows/main_pipeline_validation.yml
@@ -18,7 +18,7 @@
 # that can run sequentially or in parallel
 jobs:
- # This workflow contains a single job which tests the playbook
+ # This workflow contains a single job that tests the playbook
 playbook-test:
 # The type of runner that the job will run on
 runs-on: ubuntu-latest
@@ -37,8 +37,8 @@
 with:
 ref: ${{ github.event.pull_request.head.sha }}
- # Pull in terraform code for linux servers
- - name: Clone github IaC plan
+ # Pull in Terraform code for Linux servers
+ - name: Clone GitHub IaC plan
 uses: actions/checkout@v3
 with:
 repository: ansible-lockdown/github_linux_IaC
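Review bot: The playbook step at the end of this hunk keeps `uses: arillso/action.playbook@master`, a mutable branch reference, so the third-party code that runs with this job's token and against the Terraform-provisioned hosts can change without any change to this repository; the same line appears in the `@@ -102` hunk of main_pipeline_validation.yml. Pin it to an immutable reference, preferably a full commit SHA with the version in a trailing comment, e.g. `uses: arillso/action.playbook@<commit-sha>  # <release-tag>` (placeholders to be filled from the action's releases). The `actions/checkout@v3` references in the surrounding hunks are tag-pinned, which is the weaker but more common form. The enclosing `steps:` list begins outside the hunk.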
@@ -63,7 +63,7 @@
 pwd
 ls
 env:
- # Imported from github variables this is used to load the relvent OS.tfvars file
+ # Imported from GitHub variables this is used to load the relevant OS.tfvars file
 OSVAR: ${{ vars.OSVAR }}
 benchmark_type: ${{ vars.BENCHMARK_TYPE }}
@@ -71,7 +71,7 @@
 id: init
 run: terraform init
 env:
- # Imported from github variables this is used to load the relvent OS.tfvars file
+ # Imported from GitHub variables this is used to load the relevant OS.tfvars file
 OSVAR: ${{ vars.OSVAR }}
 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
@@ -79,7 +79,7 @@
 id: validate
 run: terraform validate
 env:
- # Imported from github variables this is used to load the relvent OS.tfvars file
+ # Imported from GitHub variables this is used to load the relevant OS.tfvars file
 OSVAR: ${{ vars.OSVAR }}
 TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
@@ -102,7 +102,7 @@
 - name: Sleep for 60 seconds
 run: sleep 60s
- # Run the ansible playbook
+ # Run the Ansible playbook
 - name: Run_Ansible_Playbook
 uses: arillso/action.playbook@master
 with:
diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml
index 2052b0a8..e46092b0 100644
--- a/.github/workflows/update_galaxy.yml
+++ b/.github/workflows/update_galaxy.yml
@@ -1,12 +1,8 @@
 ---
-# This is a basic workflow to help you get started with Actions
-
 name: update galaxy
-# Controls when the action will run.
-# Triggers the workflow on merge request events to the main branch
-on: # yamllint disable-line rule:truthy
+on:
 push:
 branches:
 - main
diff --git a/.yamllint b/.yamllint
index 65faae6c..db1b7584 100755
--- a/.yamllint
+++ b/.yamllint
@@ -1,4 +1,5 @@
 ---
+
 extends: default
 ignore: |
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index 1680d197..2a7fd388 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
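Review bot: Dropping the `# yamllint disable-line rule:truthy` marker from the `on:` line in update_galaxy.yml can reintroduce a yamllint `truthy` finding, because the default ruleset (which the `.yamllint` hunk below keeps via `extends: default`) checks keys as well as values and `on` is a YAML 1.1 boolean; whether `truthy` is overridden elsewhere in `.yamllint` is not visible here. If no override exists, keep the marker on the new line, `on:  # yamllint disable-line rule:truthy`, or set `truthy: {allowed-values: ['true', 'false'], check-keys: false}` in `.yamllint`. The two `*_pipeline_validation.yml` workflows in this diff do not show their `on:` lines, so it is unclear whether they carry the same marker.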
@@ -5,11 +5,11 @@ Rules ----- 1) All commits must be GPG signed (details in Signing section) 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section) -3) All work is done in your own branch or own fork +3) All work is done in your own branch or fork 4) Pull requests - a) From within the repo: All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing - b) From a forked repo: All pull requests will go into a staging branch within the repo. There are automated checks for signed commits, signoff in commit message, and functional testing when going from staging to devel -4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing) + a) From within the repo: All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit messages, and functional testing + b) From a forked repo: All pull requests will go into a staging branch within the repo. There are automated checks for signed commits, signoff in commit messages, and functional testing when going from staging to devel +4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit messages, and functional testing) 5) Be open and nice to each other Workflow 
@@ -32,19 +32,19 @@ The process is to certify the below DCO 1.1 text By making a contribution to this project, I certify that: (a) The contribution was created in whole or in part by me and I - have the right to submit it under the open source license + have the right to submit it under the open-source license indicated in the file; or (b) The contribution is based upon previous work that, to the best - of my knowledge, is covered under an appropriate open source + of my knowledge, is covered under an appropriate open-source license and I have the right under that license to submit that work with modifications, whether created in whole or in part - by me, under the same open source license (unless I am + by me, under the same open-source license (unless I am permitted to submit under a different license), as indicated in the file; or (c) The contribution was provided directly to me by some other - person who certified (a), (b) or (c) and I have not modified + person who certified (a), (b), or (c) and I have not modified it. (d) I understand and agree that this project and the contribution diff --git a/LICENSE b/LICENSE index 4f5e4fdb..e9cb70f0 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2022 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +Copyright (c) 2023 MindPoint Group / Lockdown Enterprise / Lockdown Enterprise Releases Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index 08b1e392..188493eb 100644 --- a/README.md +++ b/README.md 
@@ -44,7 +44,7 @@ Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to a This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. -This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed. +This role was developed against a clean install of the Operating System. If you are implementing on an existing system, please review this role for any site-specific changes that are needed. ## Documentation @@ -64,7 +64,7 @@ This role was developed against a clean install of the Operating System. If you - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) - Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/UBUNTU22-CIS/wiki/Main-Variables). +- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also, familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/UBUNTU22-CIS/wiki/Main-Variables). **Technical Dependencies:** 
@@ -87,14 +87,14 @@ Further audit documentation can be found at [Read The Docs](https://ansible-lock ## Role Variables -This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. +This role is designed so the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. ## Branches -- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch +- **devel** - This is the default branch and the working development branch. Community pull requests will be pulled into this branch - **main** - This is the release branch - **reports** - This is a protected branch for our scoring reports, no code should ever go here -- **gh-pages** - This is the github pages branch +- **gh-pages** - This is the GitHub pages branch - **all other branches** - Individual community member branches ## Community Contribution @@ -111,7 +111,7 @@ We encourage you (the community) to contribute to this role. Please read the rul uses: - ansible-core 2.12 -- ansible collections - pulls in the latest version based on requirements file +- ansible collections - pulls in the latest version based on the requirements file - runs the audit using the devel branch - This is an automated test that occurs on pull requests into devel diff --git a/defaults/main.yml b/defaults/main.yml index 1d909ff7..1cacb49a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,4 +1,5 @@ --- + ## Switching on/off specific baseline sections # These variables govern whether the tasks of a particular section are to be executed when running the role. # E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true. 
diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml
index 4ef8469f..c8222b8e 100644
--- a/tasks/LE_audit_setup.yml
+++ b/tasks/LE_audit_setup.yml
@@ -7,7 +7,7 @@
 owner: root
 group: root
 checksum: "{{ audit_bin_version.checksum }}"
- mode: 0555
+ mode: '0555'
 when:
 - get_audit_binary_method == 'download'
@@ -15,8 +15,8 @@
 ansible.builtin.copy:
 src: "{{ audit_bin_copy_location }}"
 dest: "{{ audit_bin }}"
- mode: 0555
 owner: root
 group: root
+ mode: '0555'
 when:
 - get_audit_binary_method == 'copy'
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index ecf420b6..71dbf629 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@@ -6,7 +6,7 @@
 dest: /etc/audit/rules.d/99_auditd.rules
 owner: root
 group: root
- mode: 0600
+ mode: '0600'
 register: audit_rules_updated
 notify:
 - Auditd rules reload
@@ -21,7 +21,7 @@
 dest: /etc/audit/rules.d/98_auditd_exceptions.rules
 owner: root
 group: root
- mode: 0600
+ mode: '0600'
 notify: Restart auditd
 when:
 - ubtu22cis_allow_auditd_uid_user_exclusions
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
index f0a7664e..a5dc34b1 100644
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@@ -11,7 +11,7 @@
 - name: Post Audit | ensure audit files readable by users
 ansible.builtin.file:
 path: "{{ item }}"
- mode: 0644
+ mode: '0644'
 state: file
 loop:
 - "{{ post_audit_outfile }}"
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index 0b782389..82f2f13e 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -78,7 +78,7 @@
 ansible.builtin.template:
 src: ansible_vars_goss.yml.j2
 dest: "{{ audit_vars_path }}"
- mode: 0600
+ mode: '0600'
 when:
 - run_audit
 tags:
diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml
index b9886bcd..0067d823 100644
--- a/tasks/section_1/cis_1.1.2.x.yml
+++ b/tasks/section_1/cis_1.1.2.x.yml
@@ -32,7 +32,7 @@
 dest: /etc/systemd/system/tmp.mount
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 notify: Remount tmp
 with_items:
 - "{{ ansible_mounts }}"
diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml
index 5d467085..c07254c5 100644
--- a/tasks/section_1/cis_1.5.x.yml
+++ b/tasks/section_1/cis_1.5.x.yml
@@ -46,7 +46,7 @@
 create: true
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 - name: "1.5.3 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package"
 ansible.builtin.package:
diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml
index 8bbad97a..7feffda3 100644
--- a/tasks/section_1/cis_1.7.x.yml
+++ b/tasks/section_1/cis_1.7.x.yml
@@ -60,7 +60,7 @@
 path: /etc/motd
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 when:
 - ubtu22cis_rule_1_7_4
 tags:
@@ -77,7 +77,7 @@
 path: /etc/issue
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 when:
 - ubtu22cis_rule_1_7_5
 tags:
@@ -94,7 +94,7 @@
 path: /etc/issue.net
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 when:
 - ubtu22cis_rule_1_7_6
 tags:
diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml
index efb574b6..8b4716fd 100644
--- a/tasks/section_1/cis_1.8.x.yml
+++ b/tasks/section_1/cis_1.8.x.yml
@@ -25,7 +25,7 @@
 create: true
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 notify: Update dconf
 with_items:
 - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF }
@@ -51,7 +51,7 @@
 create: true
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 notify: Update dconf
 when:
 - ubtu22cis_rule_1_8_3
@@ -82,7 +82,7 @@
 path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d"
 owner: root
 group: root
- mode: 0755
+ mode: '0755'
 state: directory
 notify: Update dconf
@@ -112,7 +112,7 @@
 path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks"
 owner: root
 group: root
- mode: 0755
+ mode: '0755'
 state: directory
 notify: Update dconf
@@ -122,7 +122,7 @@
 dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-screensaver"
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 notify: Update dconf
 when:
 - ubtu22cis_rule_1_8_5
@@ -142,7 +142,7 @@
 path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d"
 owner: root
 group: root
- mode: 0755
+ mode: '0755'
 state: directory
 notify: Update dconf
@@ -172,7 +172,7 @@
 path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks"
 owner: root
 group: root
- mode: 0755
+ mode: '0755'
 state: directory
 notify: Update dconf
@@ -182,7 +182,7 @@
 dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-automount_lock"
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 notify: Update dconf
 when:
 - ubtu22cis_rule_1_8_7
@@ -202,7 +202,7 @@
 path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d"
 owner: root
 group: root
- mode: 0755
+ mode: '0755'
 state: directory
 notify: Update dconf
@@ -232,7 +232,7 @@
 path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks"
 owner: root
 group: root
- mode: 0755
+ mode: '0755'
 state: directory
 notify: Update dconf
@@ -242,7 +242,7 @@
 dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-autorun_lock"
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 notify: Update dconf
 when:
 - ubtu22cis_rule_1_8_9
diff --git a/tasks/section_2/cis_2.1.2.x.yml b/tasks/section_2/cis_2.1.2.x.yml
index 06790b8b..cf1dc323 100644
--- a/tasks/section_2/cis_2.1.2.x.yml
+++ b/tasks/section_2/cis_2.1.2.x.yml
@@ -6,7 +6,7 @@
 ansible.builtin.template:
 src: "{{ item }}.j2"
 dest: "/{{ item }}"
- mode: 0644
+ mode: '0644'
 owner: root
 group: root
 loop:
diff --git a/tasks/section_2/cis_2.1.3.x.yml b/tasks/section_2/cis_2.1.3.x.yml
index 44849af2..a1a39efe 100644
--- a/tasks/section_2/cis_2.1.3.x.yml
+++ b/tasks/section_2/cis_2.1.3.x.yml
@@ -14,7 +14,7 @@
 ansible.builtin.template:
 src: "{{ item }}.j2"
 dest: "/{{ item }}"
- mode: 0644
+ mode: '0644'
 owner: root
 group: root
 loop:
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
index 8b7d1b58..6b66846b 100644
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@@ -17,7 +17,7 @@
 dest: "/{{ item }}"
 owner: root
 group: root
- mode: 0640
+ mode: '0640'
 notify: Flush ipv6 route table
 loop:
 - etc/sysctl.d/60-disable_ipv6.conf
diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml
index 1e959a7e..718d7c50 100644
--- a/tasks/section_4/cis_4.1.4.x.yml
+++ b/tasks/section_4/cis_4.1.4.x.yml
@@ -50,7 +50,7 @@
 ansible.builtin.file:
 path: "{{ audit_discovered_logfile.stdout | dirname }}"
 state: directory
- mode: 0750
+ mode: '0750'
 when: not auditlog_dir.stat.mode is match('07(0|5)0')
 when:
 - ubtu22cis_rule_4_1_4_4
@@ -64,7 +64,7 @@
 - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
 ansible.builtin.file:
 path: "{{ item.path }}"
- mode: 0640
+ mode: '0640'
 loop: "{{ auditd_conf_files.files }}"
 loop_control:
 label: "{{ item.path }}"
@@ -127,7 +127,7 @@
 - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required"
 ansible.builtin.file:
 path: "{{ item.item }}"
- mode: 0750
+ mode: '0750'
 loop: "{{ audit_bins.results }}"
 loop_control:
diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml
index 906ecb03..26fc5c82 100644
--- a/tasks/section_4/cis_4.2.3.yml
+++ b/tasks/section_4/cis_4.2.3.yml
@@ -12,7 +12,7 @@
 - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
 ansible.builtin.file:
 path: "{{ item.path }}"
- mode: 0640
+ mode: '0640'
 loop: "{{ logfiles.files }}"
 loop_control:
 label: "{{ item.path }}"
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml
index e7b798a5..b8bcea4c 100644
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@@ -20,7 +20,7 @@
 path: /etc/crontab
 owner: root
 group: root
- mode: 0600
+ mode: '0600'
 when:
 - ubtu22cis_rule_5_1_2
 tags:
@@ -36,7 +36,7 @@
 path: /etc/cron.hourly
 owner: root
 group: root
- mode: 0700
+ mode: '0700'
 when:
 - ubtu22cis_rule_5_1_3
 tags:
@@ -52,7 +52,7 @@
 path: /etc/cron.daily
 owner: root
 group: root
- mode: 0700
+ mode: '0700'
 when:
 - ubtu22cis_rule_5_1_4
 tags:
@@ -68,7 +68,7 @@
 path: /etc/cron.weekly
 owner: root
 group: root
- mode: 0700
+ mode: '0700'
 when:
 - ubtu22cis_rule_5_1_5
 tags:
@@ -84,7 +84,7 @@
 path: /etc/cron.monthly
 owner: root
 group: root
- mode: 0700
+ mode: '0700'
 when:
 - ubtu22cis_rule_5_1_6
 tags:
@@ -100,7 +100,7 @@
 path: /etc/cron.d
 owner: root
 group: root
- mode: 0700
+ mode: '0700'
 when:
 - ubtu22cis_rule_5_1_7
 tags:
@@ -128,7 +128,7 @@
 path: /etc/cron.allow
 owner: root
 group: root
- mode: 0640
+ mode: '0640'
 state: touch
 when: not ubtu22cis_5_1_8_status.stat.exists
@@ -137,7 +137,7 @@
 path: /etc/cron.allow
 owner: root
 group: root
- mode: 0640
+ mode: '0640'
 when: ubtu22cis_5_1_8_status.stat.exists
 when:
 - ubtu22cis_rule_5_1_8
@@ -166,7 +166,7 @@
 path: /etc/at.allow
 owner: root
 group: root
- mode: 0640
+ mode: '0640'
 state: touch
 when: not ubtu22cis_5_1_9_status.stat.exists
@@ -175,7 +175,7 @@
 path: /etc/at.allow
 owner: root
 group: root
- mode: 0640
+ mode: '0640'
 when: ubtu22cis_5_1_9_status.stat.exists
 when:
 - ubtu22cis_rule_5_1_9
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index aaea22e7..29d41e74 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -5,7 +5,7 @@
 path: /etc/ssh/sshd_config
 owner: root
 group: root
- mode: 0600
+ mode: '0600'
 when:
 - ubtu22cis_rule_5_2_1
 tags:
@@ -29,7 +29,7 @@
 path: "{{ item.path }}"
 owner: root
 group: root
- mode: 0600
+ mode: '0600'
 with_items:
 - "{{ ubtu22cis_5_2_2_ssh_host_priv_keys.files }}"
 loop_control:
@@ -57,7 +57,7 @@
 path: "{{ item.path }}"
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 with_items:
 - "{{ ubtu22cis_5_2_3_ssh_host_pub_keys.files }}"
 loop_control:
diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml
index 5b6a07b7..cd622454 100644
--- a/tasks/section_5/cis_5.5.x.yml
+++ b/tasks/section_5/cis_5.5.x.yml
@@ -273,7 +273,7 @@
 - name: "5.5.5 | PATCH | Ensure default user shell timeout is 900 seconds or less"
 ansible.builtin.blockinfile:
 create: true
- mode: 0644
+ mode: '0644'
 dest: "{{ item.dest }}"
 state: "{{ item.state }}"
 marker: "# {mark} ANSIBLE MANAGED"
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
index 00c6a0a2..41a3988d 100644
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@@ -5,7 +5,7 @@
 path: /etc/passwd
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 when:
 - ubtu22cis_rule_6_1_1
 tags:
@@ -20,7 +20,7 @@
 path: /etc/passwd-
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 when:
 - ubtu22cis_rule_6_1_2
 tags:
@@ -35,7 +35,7 @@
 path: /etc/group-
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 when:
 - ubtu22cis_rule_6_1_3
 tags:
@@ -50,7 +50,7 @@
 path: /etc/group-
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 when:
 - ubtu22cis_rule_6_1_4
 tags:
@@ -65,7 +65,7 @@
 path: /etc/shadow
 owner: root
 group: root
- mode: 0000
+ mode: '0000'
 when:
 - ubtu22cis_rule_6_1_5
 tags:
@@ -80,7 +80,7 @@
 path: /etc/shadow-
 owner: root
 group: root
- mode: 0000
+ mode: '0000'
 when:
 - ubtu22cis_rule_6_1_6
 tags:
@@ -95,7 +95,7 @@
 path: /etc/gshadow
 owner: root
 group: root
- mode: 0000
+ mode: '0000'
 when:
 - ubtu22cis_rule_6_1_7
 tags:
@@ -110,7 +110,7 @@
 path: /etc/gshadow-
 owner: root
 group: root
- mode: 0000
+ mode: '0000'
 when:
 - ubtu22cis_rule_6_1_8
 tags:
diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml
index 6e804873..0da92a67 100644
--- a/tasks/warning_facts.yml
+++ b/tasks/warning_facts.yml
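Review bot: The `path: /etc/group-` line at the top of the `@@ -35` hunk in cis_6.1.x.yml is guarded by `ubtu22cis_rule_6_1_3`, and the `@@ -50` hunk sets the very same path under `ubtu22cis_rule_6_1_4`; given the order of the neighbouring tasks (`/etc/passwd`, then `/etc/passwd-`), 6.1.3 presumably targets `/etc/group`, so as written `/etc/group` itself is never set to `root:root 0644` and the 6.1.4 task is duplicated. The task names sit outside the hunks, so this should be confirmed against them; if the guess holds, the fix in the 6_1_3 task is `path: /etc/group`. The commit only quotes the mode here and does not touch the path.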
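Review bot: `mode: '0000'` together with `group: root` on `/etc/shadow` (the `@@ -65` hunk) and `/etc/gshadow` (the `@@ -95` hunk) is tighter than the distribution default of `root:shadow 0640`, and it removes the group-shadow read access that setgid-shadow helpers such as `unix_chkpwd` rely on to verify passwords for non-root callers (screen lockers, for instance), so those checks may start failing on remediated hosts; the commit only quotes the value, so the behaviour is pre-existing but now under review. If the intent is the benchmark's "root:shadow, 0640 or more restrictive", `group: shadow` and `mode: '0640'` satisfy it without that side effect, while the `-` backup files in the `@@ -80` and `@@ -110` hunks are not read by those helpers and can stay at `'0000'`. The enclosing task headers are outside the hunks, so this is worth confirming on a test host before changing.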
@@ -12,7 +12,7 @@
 #
 # warn_control_list is the main variable to be used and is a list made up of the warn_control_id’s
 #
-# warn_count the main variable for the number of warnings and each time a warn_control_id is added
+# warn_count is the main variable for the number of warnings and each time a warn_control_id is added
 # the count increases by a value of 1
 - name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning."
 ansible.builtin.set_fact: