diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 54e9449b..82858b54 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -36,13 +36,13 @@ repos:
 args: [ '--baseline', '.config/.secrets.baseline' ]
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.18.1
+ rev: v8.18.2
 hooks:
 - id: gitleaks
 args: ['--baseline-path', '.config/.gitleaks-report.json']
 - repo: https://github.com/ansible-community/ansible-lint
- rev: v6.22.0
+ rev: v24.2.0
 hooks:
 - id: ansible-lint
 name: Ansible-lint
@@ -61,6 +61,6 @@ repos:
 - ansible-core>=2.10.1
 - repo: https://github.com/adrienverge/yamllint.git
- rev: v1.33.0 # or higher tag
+ rev: v1.35.1 # or higher tag
 hooks:
 - id: yamllint
diff --git a/Changelog.md b/Changelog.md
index dbd4df7d..ff0aae1b 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -2,6 +2,16 @@
 ## Based on CIS V1.0.0
+### 1.0.9
+
+- updated audit command to allow multiple groups from inventory
+- #144 usb-blacklisting - thanks to @paulquevedojdrf
+- #152 and #170 Added ssh validate to tasks - thanks to @dderemiah and @twadelij
+- #180 and #181 password reuse 5.3.4 - thanks to @DianaMariaDDM
+- #182 pwquality enhancement New variable to allow extended or minclass (default)options - thanks to @ma3s7ro
+- #184 Initial container config feedback required - thanks to @ipruteanu-sie
+- #204 reboot not idempotent - changed auditd and reboot logic update to 4.1.3.6 discovery - thanks to @bhuddah
+
 ### 1.0.8
 - updated goss binary to 0.4.4
diff --git a/defaults/main.yml b/defaults/main.yml
index 878534cb..70665369 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -40,7 +40,7 @@ ubtu22cis_ask_passwd_to_boot: false
 # is executed on a container image and sets the variable
 # system_is_container the true. Otherwise, the default value
 # 'false' is left unchanged.
-system_is_container: false
+container_vars_file: is_container.yml
 ## Root user used
 # Root by default is not used unless setup by user
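Review bot: The three comment lines kept above the new key still describe `system_is_container` ("sets the variable system_is_container the true"), while the key they now sit over is `container_vars_file`, so the documentation no longer matches the value beneath it. The `system_is_container` default and that same comment move to vars/main.yml in this commit, so the stale lines here should give way to a comment for the new key, e.g. `# Vars file (under vars/) loaded when the role detects it is running in a container`. How and where the file is loaded is not visible in this diff, so confirm the wording against tasks/main.yml before committing it.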
@@ -543,8 +543,10 @@ ubtu22cis_config_aide: true
 ## When Initializing aide this can take longer on some systems
 # changing the values enables user to change to thier own requirements
 ubtu22cis_aide_init:
- async: 45 # Maximum Time in seconds
- poll: 0 # Polling Interval in seconds
+ # Maximum Time in seconds
+ async: 45
+ # Polling Interval in seconds
+ poll: 0
 ## Control 1.3.2
 # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.
@@ -597,7 +599,7 @@ ubtu22cis_set_boot_pass: false
 ubtu22cis_grub_file: /boot/grub/grub.cfg
-## 1.5.x
+## Controls 1.5.x
 # Ability to set file in which the kernel systcl changes are placed
 ubtu22cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf
@@ -748,7 +750,7 @@ ubtu22cis_audit_back_log_limit: 8192
 # This should be set based on your sites policy. CIS does not provide a specific value.
 ubtu22cis_max_log_file_size: 10
-## 4.1.3.x - Audit template
+## Controls 4.1.3.x - Audit template
 # This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the
 # audit settings are overwritten with the role's template. In order to exclude
 # specific rules, you must set the variable of form `ubtu22cis_rule_4_1_3_x` above
@@ -938,13 +940,33 @@ ubtu22cis_sudo_timestamp_timeout: 15
 # CIS requires that such a group be created (named according to site policy) and be kept empty.
 ubtu22cis_sugroup: nosugroup
+## Control 5.4.1
+# This variable allows us to use either
+#
+
+ubtu22cis_pwquality_minclass: true
+ubtu22cis_pwquality_minclass_value: '4'
+ubtu22cis_pwquality:
+ - key: '#minclass'
+ value: "{{ ubtu22cis_pwquality_minclass_value }}"
+ - key: 'minlen'
+ value: '14'
+ - key: 'dcredit'
+ value: '-1'
+ - key: 'ucredit'
+ value: '-1'
+ - key: 'ocredit'
+ value: '-1'
+ - key: 'lcredit'
+ value: '-1'
+
 ## Control 5.4.3
 # This variable represents the number of password change cycles, after which
 # a user can re-use a password.
 # CIS requires a value of 5 or more.
 ubtu22cis_pamd_pwhistory_remember: 5
-# Control 5.4.2
+## Control 5.4.2
 # This can seriously break access to a system
 ## The end state the file /etc/pam.d/common-auth need to be understood
 ## If using external auth providers this will be very different
@@ -955,7 +977,7 @@ ubtu22cis_rule_5_4_2_faillock_config: |
 auth [default=die] pam_faillock.so authfail
 auth sufficient pam_faillock.so authsucc
-# Control 5.4.4
+## Control 5.4.4
 # ubtu22cis_passwd_hash_algo is the hashing algorithm used
 ubtu22cis_passwd_hash_algo: yescrypt # pragma: allowlist secret
 # Set pam as well as login defs if PAM is required
diff --git a/handlers/main.yml b/handlers/main.yml
index 207593b8..23f1ca47 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,5 +1,9 @@
 ---
+- name: Update_Initramfs
+ ansible.builtin.shell: update-initramfs -u
+ notify: change_requires_reboot
+
 - name: Remount tmp
 ansible.posix.mount:
 path: /tmp
@@ -39,6 +43,7 @@
 - name: Grub update
 ansible.builtin.shell: update-grub
 failed_when: false
+ notify: change_requires_reboot
 - name: Restart timeservice
 ansible.builtin.systemd:
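Review bot: The comment introducing the new 5.4.1 variables is unfinished (`# This variable allows us to use either` followed by an empty `#`), so a reader does not learn what the two modes are or why `'#minclass'` appears as a key in the list. Suggest replacing those two lines with `# 5.4.1: set ubtu22cis_pwquality_minclass true to enforce minclass (value below), or false to apply the` / `# per-class credit settings in ubtu22cis_pwquality; the '#minclass' entry keeps minclass commented out in that mode.` The second mode's behaviour is inferred from the matching tasks in tasks/section_5/cis_5.4.x.yml in this commit, so adjust the wording if that reading is wrong.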
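Review bot: The new `Update_Initramfs` handler runs a fixed command through `ansible.builtin.shell` with no `changed_when`, so it reports changed on every run and trips ansible-lint's command-instead-of-shell rule; `ansible.builtin.command: update-initramfs -u` is sufficient here. `update-initramfs -u` without `-k all` rebuilds only the running kernel's initramfs, so the module blacklists that notify this handler from the 1.1.1.x and 1.1.10 tasks would not reach other installed kernels until those are rebuilt; if every installed kernel is meant to be covered, use `update-initramfs -u -k all`. The `Grub update` handler in the second hunk has the same shell-without-changed_when shape, though that line is pre-existing.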
@@ -110,31 +115,21 @@
 when:
 - '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout'
-- name: Auditd_immutable_check
- ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
- changed_when: false
- register: auditd_immutable_check
-
 - name: Audit_immutable_fact
 ansible.builtin.debug:
 msg: "Reboot required for auditd to apply new rules as immutable set"
 notify: change_requires_reboot
 when:
- - auditd_immutable_check.stdout == '1'
+ - audit_rules_updated.changed
+ - auditd_immutable_check is defined
 - name: Restart auditd
 ansible.builtin.shell: service auditd restart
 when:
- - audit_rules_updated.changed or
- rule_4_1_2_1.changed or
- rule_4_1_2_2.changed or
- rule_4_1_2_3.changed
+ - audit_rules_updated is defined
 tags:
 - skip_ansible_lint
-- name: remount tmp
- ansible.builtin.shell: mount -o remount /tmp
-
 - name: restart sshd
 ansible.builtin.systemd:
 name: sshd
diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml
index 7ef94b4a..08d047d6 100644
--- a/tasks/LE_audit_setup.yml
+++ b/tasks/LE_audit_setup.yml
@@ -10,7 +10,7 @@
 - name: Pre Audit Setup | Set audit package name | ARM64
 ansible.builtin.set_fact:
 audit_pkg_arch_name: ARM64
- when: ansible_facts.machine == "arm64"
+ when: ansible_facts.machine == "aarch64"
 - name: Pre Audit Setup | Download audit binary
 ansible.builtin.get_url:
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index 71dbf629..d753add0 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@@ -6,13 +6,13 @@
 dest: /etc/audit/rules.d/99_auditd.rules
 owner: root
 group: root
- mode: '0600'
+ mode: '0640'
 register: audit_rules_updated
 notify:
 - Auditd rules reload
- - Auditd_immutable_check
 - Audit_immutable_fact
 - Restart auditd
+ - change_requires_reboot
 when: update_audit_template
 - name: POST | Set up auditd user logging exceptions
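Review bot: `Audit_immutable_fact` now fires whenever the rules template changed and `auditd_immutable_check` is merely defined, without looking at the check's result, so a reboot is flagged (with a message saying the immutable flag is set) even on hosts where the prelim `auditctl -l | grep -c '-e 2'` task returned `0`. Keep the result in the condition: `- audit_rules_updated.changed` together with `- auditd_immutable_check.stdout == '1'`. `Restart auditd` likewise keys on `audit_rules_updated is defined` rather than `audit_rules_updated.changed`, so the service is restarted on every deployment of the template even when nothing changed.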
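Review bot: Adding `change_requires_reboot` directly to the template task's notify list flags a reboot on every change to the rules file, which makes the `Audit_immutable_fact` handler in the same list redundant: rules can normally be loaded into a running auditd without a reboot, and a reboot is only needed once `-e 2` is in effect, which is exactly what that handler is there to detect. If the intent is still "reboot only when auditd is immutable", drop `- change_requires_reboot` here and let `Audit_immutable_fact` decide; if an unconditional reboot on rule changes is intended, say so in a comment on the notify list. Relaxing the rules file from `'0600'` to `'0640'` is acceptable while `group: root` stays as it is in the hunk, but the loosening deserves a reason, e.g. `# 0640: readable by the root group only; within the 640-or-more-restrictive bound of CIS 4.1.4.x`.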
@@ -25,19 +25,3 @@
 notify: Restart auditd
 when:
 - ubtu22cis_allow_auditd_uid_user_exclusions
-
-# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable"
-# block:
-# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Get status"
-# ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
-# changed_when: false
-# failed_when: false
-# register: ubtu22cis_auditd_immutable_check
-
-# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Set reboot required"
-# ansible.builtin.debug:
-# msg: "Reboot required for auditd to apply new rules as immutable set"
-# notify: change_requires_reboot
-# when: ubtu22cis_auditd_immutable_check.stdout == '1'
-# when:
-# - ubtu22cis_audit_rules_update.changed
diff --git a/tasks/main.yml b/tasks/main.yml
index 9124d732..11076736 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -208,6 +208,7 @@
 ansible.builtin.reboot:
 when:
 - not skip_reboot
+ - change_requires_reboot
 - name: Warning a reboot required but skip option set
 ansible.builtin.debug:
@@ -215,6 +216,7 @@
 changed_when: true
 when:
 - skip_reboot
+ - change_requires_reboot
 - name: Run post remediation audit
 ansible.builtin.import_tasks:
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
index eb01bc75..2c51bbb0 100644
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@@ -1,7 +1,7 @@
 ---
 - name: Post Audit | Run post_remediation {{ benchmark }} audit
- ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
+ ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
 changed_when: true
 environment:
 AUDIT_BIN: "{{ audit_bin }}"
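Review bot: `{{ group_names }}` is a list, so the quoted `-g` argument the audit script receives is the Python list repr (e.g. `['group_a', 'group_b']`), brackets and quotes included; unless run_audit.sh parses that form, pass the groups joined and shell-quoted instead: `-g {{ group_names | join(',') | quote }}`. The identical expression is introduced in tasks/pre_remediation_audit.yml in this commit and needs the same treatment. run_audit.sh is not part of this diff, so the format it expects for `-g` cannot be confirmed here.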
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index 258171a1..e3a261e7 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -77,7 +77,7 @@
 mode: '0600'
 - name: Pre Audit | Run pre_remediation {{ benchmark }} audit
- ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
+ ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
 changed_when: true
 environment:
 AUDIT_BIN: "{{ audit_bin }}"
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 61108164..cb3f8678 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -133,7 +133,16 @@
 - auditd
 - always
-- name: "PRELIM | 5.3.4 | Find all sudoers files."
+- name: "PRELIM | Check if auditd is immutable before changes"
+ ansible.builtin.shell: auditctl -l | grep -c '-e 2'
+ changed_when: false
+ failed_when: auditd_immutable_check.rc not in [ 0, 1 ]
+ register: auditd_immutable_check
+ when: "'auditd' in ansible_facts.packages"
+ tags:
+ - always
+
+- name: "PRELIM | 5.3.4 | 5.3.5 | Find all sudoers files."
 ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
 changed_when: false
 failed_when: false
@@ -177,6 +186,12 @@
 grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/false") { print $6 }'
 changed_when: false
 register: interactive_users_home
+ when:
+ - ubtu22cis_rule_6_2_11 or
+ ubtu22cis_rule_6_2_13 or
+ ubtu22cis_rule_6_2_14 or
+ ubtu22cis_rule_6_2_15 or
+ ubtu22cis_rule_6_2_16
 tags:
 - always
@@ -207,16 +222,6 @@
 changed_when: false
 check_mode: false
 register: ubtu22cis_users
- when:
- - ubtu22cis_rule_6_2_14 or
- ubtu22cis_rule_6_2_15 or
- ubtu22cis_rule_6_2_16
- tags:
- - always
-
-- name: "PRELIM | Recapture packages"
- ansible.builtin.package_facts:
- manager: auto
 tags:
 - always
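Review bot: In `auditctl -l | grep -c '-e 2'` the pattern begins with a dash, so grep parses the single argument `-e 2` as its own `-e` option with the pattern ` 2` (space, two) rather than searching for the literal text `-e 2`; any rule line containing " 2" is counted and the immutable flag can be over-reported. Terminate option parsing and anchor the pattern as the removed handler did: `ansible.builtin.shell: auditctl -l | grep -c -- '^-e 2'`. Whether `auditctl -l` echoes the `-e 2` directive at all is platform-dependent (status flags are normally reported by `auditctl -s` as `enabled 2`), so verify the check on a host where the immutable flag is set before relying on `stdout == '1'` in handlers/main.yml. `failed_when` tolerating rc 1 is right, since grep -c exits 1 on zero matches.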
diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml
index 806b2800..5c3d41e7 100644
--- a/tasks/section_1/cis_1.1.1.x.yml
+++ b/tasks/section_1/cis_1.1.1.x.yml
@@ -22,6 +22,7 @@
 name: cramfs
 state: absent
 when: ansible_connection != 'docker'
+ notify: Update_Initramfs
 when:
 - ubtu22cis_rule_1_1_1_1
 tags:
@@ -54,6 +55,7 @@
 name: squashfs
 state: absent
 when: ansible_connection != 'docker'
+ notify: Update_Initramfs
 when:
 - ubtu22cis_rule_1_1_1_2
 - snap_pkg_mgr.stdout == "0"
@@ -88,6 +90,7 @@
 name: udf
 state: absent
 when: ansible_connection != 'docker'
+ notify: Update_Initramfs
 when:
 - ubtu22cis_rule_1_1_1_3
 tags:
diff --git a/tasks/section_1/cis_1.1.10.yml b/tasks/section_1/cis_1.1.10.yml
index 3ea9324c..4b964b62 100644
--- a/tasks/section_1/cis_1.1.10.yml
+++ b/tasks/section_1/cis_1.1.10.yml
@@ -20,6 +20,7 @@
 name: usb-storage
 state: absent
 when: ansible_connection != 'docker'
+ notify: Update_Initramfs
 when:
 - ubtu22cis_rule_1_1_10
 - not ubtu22cis_allow_usb_storage
diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml
index 5f1e75fc..5e5f9d22 100644
--- a/tasks/section_1/cis_1.1.2.x.yml
+++ b/tasks/section_1/cis_1.1.2.x.yml
@@ -65,7 +65,7 @@
 state: present
 fstype: "{{ item.fstype }}"
 opts: defaults,{% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %}
- notify: remount tmp
+ notify: Remount tmp
 with_items:
 - "{{ ansible_facts.mounts }}"
 loop_control:
diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml
index 53067b28..298563bc 100644
--- a/tasks/section_1/cis_1.7.x.yml
+++ b/tasks/section_1/cis_1.7.x.yml
@@ -29,9 +29,15 @@
 - motd
 - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly"
- ansible.builtin.template:
- src: etc/issue.j2
- dest: /etc/issue
+ block:
+ - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly | issue"
+ ansible.builtin.template:
+ src: etc/issue.j2
+ dest: /etc/issue
+
+ - name: "1.7.2 | PATCH | Ensure local login warning banner is kept on package upgrade | issue"
+ community.general.dpkg_divert:
+ path: /etc/issue
 when:
 - ubtu22cis_rule_1_7_2
 tags:
@@ -43,9 +49,15 @@
 - banner
 - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly"
- ansible.builtin.template:
- src: etc/issue.net.j2
- dest: /etc/issue.net
+ block:
+ - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly | issue.net"
+ ansible.builtin.template:
+ src: etc/issue.net.j2
+ dest: /etc/issue.net
+
+ - name: "1.7.3 | PATCH | Ensure remote login warning banner is kept on package upgrade | issue.net"
+ community.general.dpkg_divert:
+ path: /etc/issue.net
 when:
 - ubtu22cis_rule_1_7_3
 tags:
diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml
index e8a6ef89..d8ac800f 100644
--- a/tasks/section_1/main.yml
+++ b/tasks/section_1/main.yml
@@ -7,10 +7,12 @@
 - name: "SECTION | 1.1.2 | configure /tmp"
 ansible.builtin.import_tasks:
 file: cis_1.1.2.x.yml
+ when: not system_is_container
 - name: "SECTION | 1.1.3 | configure /var"
 ansible.builtin.import_tasks:
 file: cis_1.1.3.x.yml
+ when: not system_is_container
 - name: "SECTION | 1.1.4 | configure /var/tmp"
 ansible.builtin.import_tasks:
@@ -19,30 +21,37 @@
 - name: "SECTION | 1.1.5 | configure /var/log"
 ansible.builtin.import_tasks:
 file: cis_1.1.5.x.yml
+ when: not system_is_container
 - name: "SECTION | 1.1.6 | configure /var/log/audit"
 ansible.builtin.import_tasks:
 file: cis_1.1.6.x.yml
+ when: not system_is_container
 - name: "SECTION | 1.1.7 | configure /home"
 ansible.builtin.import_tasks:
 file: cis_1.1.7.x.yml
+ when: not system_is_container
 - name: "SECTION | 1.1.8 | configure /dev/shm"
 ansible.builtin.import_tasks:
 file: cis_1.1.8.x.yml
+ when: not system_is_container
 - name: "SECTION | 1.1.9 | configure software updates"
 ansible.builtin.import_tasks:
 file: cis_1.1.9.yml
+ when: not system_is_container
 - name: "SECTION | 1.1.10 | Disable USB storage"
 ansible.builtin.import_tasks:
 file: cis_1.1.10.yml
+ when: not system_is_container
 - name: "SECTION | 1.2 | Configure Software Updates"
 ansible.builtin.import_tasks:
 file: cis_1.2.x.yml
+ when: not system_is_container
 - name: "SECTION | 1.3. | Filesystem Integrity Checking"
 ansible.builtin.import_tasks:
@@ -55,6 +64,7 @@
 - name: "SECTION | 1.5 | Additional Process Hardening"
 ansible.builtin.import_tasks:
 file: cis_1.5.x.yml
+ when: not system_is_container
 - name: "SECTION | 1.6 | Mandatory Access Control"
 ansible.builtin.import_tasks:
@@ -67,8 +77,11 @@
 - name: "SECTION | 1.8 | GNOME Display Manager"
 ansible.builtin.import_tasks:
 file: cis_1.8.x.yml
- when: "'gdm3' in ansible_facts.packages"
+ when:
+ - "'gdm3' in 
ansible_facts.packages"
+ - not system_is_container
 - name: "SECTION | 1.9 | Ensure updates, patches, and additional security software are installed"
 ansible.builtin.import_tasks:
 file: cis_1.9.yml
+ when: not system_is_container
diff --git a/tasks/section_2/cis_2.1.2.x.yml b/tasks/section_2/cis_2.1.2.x.yml
index cf1dc323..a58e69a2 100644
--- a/tasks/section_2/cis_2.1.2.x.yml
+++ b/tasks/section_2/cis_2.1.2.x.yml
@@ -10,8 +10,8 @@
 owner: root
 group: root
 loop:
- - etc/chrony/sources.d/pool.source
- - etc/chrony/sources.d/server.source
+ - etc/chrony/sources.d/pool.sources
+ - etc/chrony/sources.d/server.sources
 notify: Restart timeservice
 - name: "2.1.2.1 | PATCH | Ensure chrony is configured with authorized timeserver | load sources"
diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml
index 43a08762..baa622ea 100644
--- a/tasks/section_2/cis_2.2.x.yml
+++ b/tasks/section_2/cis_2.2.x.yml
@@ -349,6 +349,7 @@
 - ubtu22cis_rsync_server == 'mask'
 when:
 - "'rsync' in ansible_facts.packages"
+ - ubtu22cis_rule_2_2_16
 tags:
 - level1-server
 - level1-workstation
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
index 73021427..c8fbe0cf 100644
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@@ -17,7 +17,6 @@
 failed_when: false
 check_mode: false
 register: ubtu22cis_3_1_1_cmdline_settings
- when: ubtu22cis_ipv6_disable == 'grub'
 - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist"
 ansible.builtin.lineinfile:
@@ -26,6 +25,7 @@
 line: '\1 ipv6.disable=1"'
 backrefs: true
 when:
+ - ubtu22cis_ipv6_disable == 'grub'
 - ipv6disable_replaced is not changed
 - "'ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout"
 notify: Grub update
diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml
index f497c448..e12f9118 100644
--- a/tasks/section_3/cis_3.2.x.yml
+++ b/tasks/section_3/cis_3.2.x.yml
@@ -48,6 +48,7 @@
 state: present
 reload: true
 ignoreerrors: true
+ when: ubtu22cis_ipv6_disable == 'sysctl'
 notify:
 - Flush ipv6 route table
diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml
index c4915cca..67b13df4 100644
--- a/tasks/section_3/cis_3.3.x.yml
+++ b/tasks/section_3/cis_3.3.x.yml
@@ -25,6 +25,7 @@
 state: present
 reload: true
 ignoreerrors: true
+ when: ubtu22cis_ipv6_disable == 'sysctl'
 with_items:
 - net.ipv6.conf.all.accept_source_route
 - net.ipv6.conf.default.accept_source_route
@@ -66,6 +67,7 @@
 state: present
 reload: true
 ignoreerrors: true
+ when: ubtu22cis_ipv6_disable == 'sysctl'
 with_items:
 - net.ipv6.conf.all.accept_redirects
 - net.ipv6.conf.default.accept_redirects
diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml
index da145e6e..a0d85703 100644
--- a/tasks/section_4/cis_4.1.3.x.yml
+++ b/tasks/section_4/cis_4.1.3.x.yml
@@ -70,7 +70,7 @@
 - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
 block:
 - name: "4.1.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs"
- ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
+ ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done | grep -vw '/snap'
 register: priv_procs
 changed_when: false
 check_mode: false
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index ed219bf3..68ac2c85 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -123,7 +123,7 @@
 ansible.builtin.lineinfile:
 path: /etc/ssh/sshd_config
 regexp: '^LogLevel|^#LogLevel'
- line: 'LogLevel {{ ubtu22cis_sshd.log_level }}'
+ line: "LogLevel {{ ubtu22cis_sshd.log_level }}"
 insertafter: '^# Logging'
 validate: 'sshd -t -f %s'
 notify: restart sshd
diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml
index 975dd5b5..bd495b19 100644
--- a/tasks/section_5/cis_5.3.x.yml
+++ b/tasks/section_5/cis_5.3.x.yml
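Review bot: Gating the IPv6 `accept_source_route` sysctl task on `ubtu22cis_ipv6_disable == 'sysctl'` ties an IPv6 hardening control to the mechanism chosen for disabling IPv6: if that variable can take a value meaning "IPv6 stays enabled" (its allowed values are not visible in this diff), the control is skipped on exactly the hosts that still route IPv6. The same condition is added to the `accept_redirects` task in the next hunk. If the aim is only to avoid touching IPv6 sysctls when IPv6 is disabled at the kernel command line, `when: ubtu22cis_ipv6_disable != 'grub'` expresses that without excluding hosts that keep IPv6 on.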
@@ -17,9 +17,9 @@
 - name: "5.3.2 | PATCH | Ensure sudo commands use pty"
 ansible.builtin.lineinfile:
 path: /etc/sudoers
- regexp: '^Defaults use_'
+ regexp: '^Defaults\s+use_'
 line: 'Defaults use_pty'
- insertafter: '^Defaults'
+ insertafter: '^\s*Defaults'
 when:
 - ubtu22cis_rule_5_3_2
 tags:
@@ -33,9 +33,9 @@
 - name: "5.3.3 | PATCH | Ensure sudo log file exists"
 ansible.builtin.lineinfile:
 path: /etc/sudoers
- regexp: '^Defaults logfile'
+ regexp: '^Defaults\s+logfile'
 line: 'Defaults logfile="{{ ubtu22cis_sudo_logfile }}"'
- insertafter: '^Defaults'
+ insertafter: '^\s*Defaults'
 when:
 - ubtu22cis_rule_5_3_3
 tags:
@@ -89,8 +89,9 @@
 - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
 ansible.builtin.lineinfile:
 path: /etc/sudoers
- regexp: 'Defaults timestamp_timeout='
- line: "Defaults timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}"
+ regexp: '^\s*Defaults/s+timestamp_timeout='
+ line: "Defaults timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}"
+ insertafter: '^\s*Defaults'
 validate: '/usr/sbin/visudo -cf %s'
 when: ubtu22cis_5_3_6_timeout_files.stdout | length == 0
@@ -113,7 +114,6 @@
 - name: "5.3.7 | PATCH | Ensure access to the su command is restricted"
 block:
-
 - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
 ansible.builtin.group:
 name: "{{ ubtu22cis_sugroup }}"
diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml
index 1894dead..f04e27c3 100644
--- a/tasks/section_5/cis_5.4.x.yml
+++ b/tasks/section_5/cis_5.4.x.yml
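Review bot: Both sudoers edits touched here (5.3.2 in this hunk and 5.3.3 in the next) write to /etc/sudoers with lineinfile and no `validate`, whereas the 5.3.6 task further down the same file validates with visudo; one malformed line in /etc/sudoers disables sudo for every user until it is repaired by hand. Add `validate: '/usr/sbin/visudo -cf %s'` to both tasks. The tightened `regexp: '^Defaults\s+use_'` is also broader than the line it manages, since it would rewrite `Defaults use_loginclass` or any other `use_*` option, so `regexp: '^Defaults\s+use_pty'` is the safer anchor.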
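Review bot: `regexp: '^\s*Defaults/s+timestamp_timeout='` has `/s+` where `\s+` was intended, so the pattern matches a literal slash followed by one or more `s` and will never match an existing `Defaults timestamp_timeout=` line; lineinfile then appends a second entry after the last `Defaults` line instead of replacing the existing one. Change it to `regexp: '^\s*Defaults\s+timestamp_timeout='`. The `when` on the task currently limits it to the case where no timeout setting exists, which masks the typo today but not if that guard is ever relaxed.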
@@ -16,8 +16,17 @@
 - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add minclass"
 ansible.builtin.lineinfile:
 path: /etc/security/pwquality.conf
- regexp: '^minclass|^# minclass'
- line: 'minclass = 4'
+ regexp: ^minclass
+ line: "minclass = {{ ubtu22cis_pwquality_minclass_value }}"
+ when: ubtu22cis_pwquality_minclass
+
+ - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add extended keys"
+ ansible.builtin.lineinfile:
+ path: /etc/security/pwquality.conf
+ regexp: ^{{ item.key }}
+ line: "{{ item.key }} = {{ item.value }}"
+ loop: "{{ ubtu22cis_pwquality }}"
+ when: not ubtu22cis_pwquality_minclass
 - name: "5.4.1 | AUDIT | Ensure password creation requirements are configured | Confirm pwquality module in common-password"
 ansible.builtin.shell: grep 'password.*requisite.*pam_pwquality.so' /etc/pam.d/common-password
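Review bot: The two modes do not undo each other: with `ubtu22cis_pwquality_minclass: false` the loop writes `#minclass = 4` only where a line already begins with `#minclass` (its regexp is `^{{ item.key }}`), so an active `minclass = 4` left by an earlier run in minclass mode survives and both schemes apply, and switching back to minclass mode likewise leaves the `*credit` lines in force. The resulting policy is stricter rather than weaker, but it is not the configuration the variables describe and the play is not idempotent across a mode change. Have the minclass task match either form, `regexp: '^#?\s*minclass'`, and give the extended-keys task the same pattern for its `'#minclass'` entry so an active line is commented out rather than left alone. Quoting `'^{{ item.key }}'` also keeps the regexp a string should a key ever start with a YAML indicator.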
@@ -106,14 +115,30 @@
 - pam
 - notimplemented
-- name: 5.4.3 | PATCH | Ensure password reuse is limited"
- community.general.pamd:
- name: common-password
- type: password
- control: '[success=1 default=ignore]'
- module_path: pam_unix.so
- module_arguments: "remember={{ ubtu22cis_pamd_pwhistory_remember }}"
- state: args_present
+- name: "5.4.3 | PATCH | Ensure password reuse is limited"
+ block:
+ - name: "5.4.3 | PATCH | Ensure password reuse is limited | Add pam_unix or edit it accordingly"
+ community.general.pamd:
+ name: common-password
+ type: password
+ control: '[success=1 default=ignore]'
+ module_path: pam_unix.so
+ module_arguments: 'obscure
+ yescrypt'
+ state: args_present
+
+ - name: "5.4.3 | PATCH | Ensure password reuse is limited| Set remember value after adding pam unix"
+ community.general.pamd:
+ name: common-password
+ type: password
+ control: '[success=1 default=ignore]'
+ module_path: pam_unix.so
+ new_type: password
+ new_module_path: pam_pwhistory.so
+ new_control: required
+ module_arguments: 'use_authtok
+ remember={{ ubtu22cis_pamd_pwhistory_remember }}'
+ state: before
 when:
 - ubtu22cis_rule_5_4_3
 tags:
diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml
index 2dba103e..b5bc9184 100644
--- a/tasks/section_5/main.yml
+++ b/tasks/section_5/main.yml
@@ -7,14 +7,17 @@
 - name: "SECTION | 5.2 | Configure sudo"
 ansible.builtin.import_tasks:
 file: cis_5.2.x.yml
+ when: not system_is_container
 - name: "SECTION | 5.3 | Configure SSH Server"
 ansible.builtin.import_tasks:
 file: cis_5.3.x.yml
+ when: not system_is_container
 - name: "SECTION | 5.4.x | User PAM"
 ansible.builtin.import_tasks:
 file: cis_5.4.x.yml
+ when: not system_is_container
 - name: "SECTION | 5.5.x | User Accounts and Environment"
 ansible.builtin.import_tasks:
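Review bot: Hosts remediated by the previous version carry `remember=N` on the pam_unix line (the removed task added it with `args_present`); the new tasks add a pam_pwhistory line but never strip that argument, so both modules enforce history and a later change of `ubtu22cis_pamd_pwhistory_remember` updates only one of them. Add a preceding pamd task on `module_path: pam_unix.so` with `state: args_absent` and `module_arguments: remember=…`, checking how the module matches `key=value` tokens so the previously configured value is actually removed. Whether the `state: before` insert stays idempotent on re-runs (no duplicate pam_pwhistory line) also needs verifying, as the pamd module's before/after handling is not visible here. The multi-line single-quoted scalars (`'obscure` / `yescrypt'`) fold to one space-separated string, which is valid but easy to misread; a flow list such as `module_arguments: [obscure, yescrypt]` states the intent more plainly.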
diff --git a/templates/etc/chrony/sources.d/pool.source.j2 b/templates/etc/chrony/sources.d/pool.sources.j2
similarity index 100%
rename from templates/etc/chrony/sources.d/pool.source.j2
rename to templates/etc/chrony/sources.d/pool.sources.j2
diff --git a/templates/etc/chrony/sources.d/server.source.j2 b/templates/etc/chrony/sources.d/server.sources.j2
similarity index 100%
rename from templates/etc/chrony/sources.d/server.source.j2
rename to templates/etc/chrony/sources.d/server.sources.j2
diff --git a/vars/is_container.yml b/vars/is_container.yml
new file mode 100644
index 00000000..4c93d6be
--- /dev/null
+++ b/vars/is_container.yml
@@ -0,0 +1,104 @@
+---
+
+# File to skip controls if container
+# Based on standard image no changes
+# it expected all pkgs required for the container are alreday installed
+
+## controls
+
+# Firewall
+ubtu22cis_firewall_package: None
+
+# Filesystems
+
+## Related individual rules
+# Aide
+ubtu22cis_rule_1_4_1: false
+ubtu22cis_rule_1_4_2: false
+
+# AppArmor
+ubtu22cis_rule_1_6_1: false
+ubtu22cis_rule_1_6_2: false
+ubtu22cis_rule_1_6_3: false
+ubtu22cis_rule_1_6_4: false
+
+# time sync
+ubtu22cis_rule_2_1_1_1: false
+ubtu22cis_rule_2_2_1_2: false
+
+# Auditd
+ubtu22cis_rule_4_1_1_1: true
+ubtu22cis_rule_4_1_1_2: true
+ubtu22cis_rule_4_1_1_3: true
+ubtu22cis_rule_4_1_1_4: true
+ubtu22cis_rule_4_1_2_1: true
+ubtu22cis_rule_4_1_2_2: true
+ubtu22cis_rule_4_1_2_3: true
+# Auditd rules
+ubtu22cis_rule_4_1_3_1: true
+ubtu22cis_rule_4_1_3_2: true
+ubtu22cis_rule_4_1_3_3: true
+ubtu22cis_rule_4_1_3_4: true
+ubtu22cis_rule_4_1_3_5: true
+ubtu22cis_rule_4_1_3_6: true
+ubtu22cis_rule_4_1_3_7: true
+ubtu22cis_rule_4_1_3_8: true
+ubtu22cis_rule_4_1_3_9: true
+ubtu22cis_rule_4_1_3_10: true
+ubtu22cis_rule_4_1_3_11: true
+ubtu22cis_rule_4_1_3_12: true
+ubtu22cis_rule_4_1_3_13: true
+ubtu22cis_rule_4_1_3_14: true
+ubtu22cis_rule_4_1_3_15: true
+ubtu22cis_rule_4_1_3_16: true
+ubtu22cis_rule_4_1_3_17: true
+ubtu22cis_rule_4_1_3_18: true
+ubtu22cis_rule_4_1_3_19: true
+ubtu22cis_rule_4_1_3_20: true
+ubtu22cis_rule_4_1_3_21: true
+# Auditd file access
+ubtu22cis_rule_4_1_4_1: true
+ubtu22cis_rule_4_1_4_2: true
+ubtu22cis_rule_4_1_4_3: true
+ubtu22cis_rule_4_1_4_4: true
+ubtu22cis_rule_4_1_4_5: true
+ubtu22cis_rule_4_1_4_6: true
+ubtu22cis_rule_4_1_4_7: true
+ubtu22cis_rule_4_1_4_8: true
+ubtu22cis_rule_4_1_4_9: true
+ubtu22cis_rule_4_1_4_10: true
+ubtu22cis_rule_4_1_4_11: true
+
+# cron
+ubtu22cis_rule_5_1_1: false
+ubtu22cis_rule_5_1_2: false
+ubtu22cis_rule_5_1_3: false
+ubtu22cis_rule_5_1_4: false
+ubtu22cis_rule_5_1_5: false
+ubtu22cis_rule_5_1_6: false
+ubtu22cis_rule_5_1_7: 
false
+ubtu22cis_rule_5_1_8: false
+
+# ssh
+ubtu22cis_rule_5_2_1: false
+ubtu22cis_rule_5_2_2: false
+ubtu22cis_rule_5_2_3: false
+ubtu22cis_rule_5_2_4: false
+ubtu22cis_rule_5_2_5: false
+ubtu22cis_rule_5_2_6: false
+ubtu22cis_rule_5_2_7: false
+ubtu22cis_rule_5_2_8: false
+ubtu22cis_rule_5_2_9: false
+ubtu22cis_rule_5_2_10: false
+ubtu22cis_rule_5_2_11: false
+ubtu22cis_rule_5_2_12: false
+ubtu22cis_rule_5_2_13: false
+ubtu22cis_rule_5_2_14: false
+ubtu22cis_rule_5_2_15: false
+ubtu22cis_rule_5_2_16: false
+ubtu22cis_rule_5_2_17: false
+ubtu22cis_rule_5_2_18: false
+ubtu22cis_rule_5_2_19: false
+ubtu22cis_rule_5_2_20: false
+ubtu22cis_rule_5_2_21: false
+ubtu22cis_rule_5_2_22: false
diff --git a/vars/main.yml b/vars/main.yml
index 1b9bcfc8..e36495f0 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,7 +1,13 @@
 ---
 min_ansible_version: 2.10.1
-
+# Set default value for reboot value
+change_requires_reboot: false
+# The role discovers dynamically (in tasks/main.yml) whether it
+# is executed on a container image and sets the variable
+# system_is_container the true. Otherwise, the default value
+# 'false' is left unchanged.
+system_is_container: false
 # Used to control warning summary
 warn_control_list: ""
 warn_count: 0
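Review bot: `ubtu22cis_firewall_package: None` is the plain string `"None"` to a YAML parser, not a null, so whatever reads it has to compare against that exact spelling; if a "no firewall" sentinel is intended, spell it the way the role's other code tests for it (not visible in this diff) or use `null`. The 4.1.x auditd rule variables are all `true` for containers while every other kernel-touching control in this file is `false`, yet kernel audit rules are typically not namespaced and `auditctl` or `service auditd restart` cannot act from inside an unprivileged container, so those tasks will either fail or be no-ops; either switch them to `false` or add a header comment explaining the intended use (an image later run with host audit privileges, presumably). Also a typo in the header comment: `alreday` → `already`.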