From bea6849b474e6d4e435b36c68321cb86edff741b Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 16 Sep 2024 17:48:51 +0000
Subject: [PATCH 01/10] [pre-commit.ci] pre-commit autoupdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
updates:
- [github.com/gitleaks/gitleaks: v8.18.4 → v8.19.2](https://github.com/gitleaks/gitleaks/compare/v8.18.4...v8.19.2)
- [github.com/ansible-community/ansible-lint: v24.7.0 → v24.9.0](https://github.com/ansible-community/ansible-lint/compare/v24.7.0...v24.9.0)
---
 .pre-commit-config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 9b4a326a..a930b981 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -36,13 +36,13 @@ repos:
 args: [ '--baseline', '.config/.secrets.baseline' ]
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.18.4
+ rev: v8.19.2
 hooks:
 - id: gitleaks
 args: ['--baseline-path', '.config/.gitleaks-report.json']
 - repo: https://github.com/ansible-community/ansible-lint
- rev: v24.7.0
+ rev: v24.9.0
 hooks:
 - id: ansible-lint
 name: Ansible-lint
From 31e5267f2649f8739269b2ab243da0ce29867c3c Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 17 Sep 2024 08:40:45 +0100
Subject: [PATCH 02/10] addressed issue 90
Signed-off-by: Mark Bolwell
---
 tasks/section_4/cis_4.2.3.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml
index da728946..2ee735b5 100644
--- a/tasks/section_4/cis_4.2.3.yml
+++ b/tasks/section_4/cis_4.2.3.yml
@@ -14,6 +14,8 @@
 ansible.builtin.file:
 path: "{{ item.path }}"
 mode: '0640'
+ failed_when: logfiles_perms_update.state not in '[ file, absent ]'
+ register: logfiles_perms_update
 loop: "{{ logfiles.files }}"
 loop_control:
 label: "{{ item.path }}"
From 6521784917b4a455072ae236641d4128ccda4861 Mon Sep 17 00:00:00 2001
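Review bot: `failed_when: logfiles_perms_update.state not in '[ file, absent ]'` compares against a quoted string, so Jinja's `in` is a substring test rather than list membership; it happens to accept `file` and `absent` and reject the other state values the file module reports, but only by accident, and it reads as a list without being one. Write it as a real list: `failed_when: logfiles_perms_update.state not in ['file', 'absent']`. If the module fails for a reason other than the path having disappeared (a permission error, say), the result may carry no `state` key at all and the conditional itself errors out — an acceptable hard stop, but worth recording with `# tolerate log files rotated away between find and chmod; any other failure still aborts the play`. The same string-typed list appears in the cis_6.1.x.yml hunk of patch 10 (`discovered_file_exists.state not in '[ file, absent ]'`). The enclosing `ansible.builtin.file` task starts outside this hunk.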
From: Mark Bolwell
Date: Tue, 17 Sep 2024 08:48:40 +0100
Subject: [PATCH 03/10] Improved mode logic for audit log
Signed-off-by: Mark Bolwell
---
 tasks/section_4/cis_4.1.4.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml
index b97e9b71..98c9e192 100644
--- a/tasks/section_4/cis_4.1.4.x.yml
+++ b/tasks/section_4/cis_4.1.4.x.yml
@@ -23,7 +23,7 @@
 "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
 ansible.builtin.file:
 path: "{{ audit_discovered_logfile.stdout }}"
- mode: "{% if auditd_logfile.stat.mode > '0640' %}0640{% endif %}"
+ mode: 'u-x,g-wx,o-rwx'
 owner: root
 group: root
 when:
From e7bc0c7a3c35c9b8e5a5bc1918f0e50088c2a33e Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 17 Sep 2024 09:58:14 +0100
Subject: [PATCH 04/10] updated for issue #38
Signed-off-by: Mark Bolwell
---
 vars/audit.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/vars/audit.yml b/vars/audit.yml
index 371cb605..a7076e93 100644
--- a/vars/audit.yml
+++ b/vars/audit.yml
@@ -26,8 +26,9 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma
 ### Audit binary settings ###
 audit_bin_version:
- release: v0.4.4
- AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5'
+ release: v0.4.8
+ AMD64_checksum: 'sha256:85d00b7bba5f175bec95de7dfe1f71f8f25204914aad4c6f03c8457868eb6e2f'
+ ARM64_checksum: 'sha256:bca8c898bfd35b94c51455ece6193c95e2cd7b2b183ac2047b2d76291e73e47d'
 audit_bin_path: /usr/local/bin/
 audit_bin: "{{ audit_bin_path }}goss"
 audit_format: json
From 6e38d9adcedee22b567144569bf3b6c669e9c6f0 Mon Sep 17 00:00:00 2001
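Review bot: `mode: 'u-x,g-wx,o-rwx'` only ever clears permission bits, so an audit log already stricter than 0640 is left as it is and the removed Jinja comparison of mode strings is no longer needed; that reasoning is not visible at the call site and deserves a comment such as `# symbolic mode strips bits only; a log file already stricter than 0640 is never loosened`. Note that `-` symbolic modes leave any setuid/setgid/sticky bit in place; if the intent is a full 0640-or-stricter result, `'u-xs,g-wxs,o-rwxt'` clears those as well. The task's `- name:` line and its `when:` list lie outside the hunk.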
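Review bot: `ARM64_checksum` is a new key beside `AMD64_checksum`, but nothing in this hunk shows which task selects between them, so on an aarch64 host the downloaded goss binary may still be checked against the AMD64 digest (and fail) or, if the new key is read nowhere, not be verified at all; confirm the download task keys off `ansible_facts.architecture` and document the contract above `audit_bin_version:` with `# sha256 of the goss release assets; the download task must pick the key matching the host architecture`. Both digests are correctly quoted so they stay strings, and `release: v0.4.8` is safe as a plain scalar.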
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 23 Sep 2024 17:49:03 +0000
Subject: [PATCH 05/10] [pre-commit.ci] pre-commit autoupdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
updates:
- [github.com/ansible-community/ansible-lint: v24.9.0 → v24.9.2](https://github.com/ansible-community/ansible-lint/compare/v24.9.0...v24.9.2)
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a930b981..382c345d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -42,7 +42,7 @@ repos:
 args: ['--baseline-path', '.config/.gitleaks-report.json']
 - repo: https://github.com/ansible-community/ansible-lint
- rev: v24.9.0
+ rev: v24.9.2
 hooks:
 - id: ansible-lint
 name: Ansible-lint
From d0822c161604b797330275d9723879b44e1964c0 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 7 Oct 2024 18:27:12 +0000
Subject: [PATCH 06/10] [pre-commit.ci] pre-commit autoupdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
updates:
- [github.com/pre-commit/pre-commit-hooks: v4.6.0 → v5.0.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.6.0...v5.0.0)
- [github.com/gitleaks/gitleaks: v8.19.2 → v8.20.1](https://github.com/gitleaks/gitleaks/compare/v8.19.2...v8.20.1)
---
 .pre-commit-config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 382c345d..3c51241d 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ ci:
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.6.0
+ rev: v5.0.0
 hooks:
 # Safety
 - id: detect-aws-credentials
@@ -36,7 +36,7 @@ repos:
 args: [ '--baseline', '.config/.secrets.baseline' ]
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.19.2
+ rev: v8.20.1
 hooks:
 - id: gitleaks
 args: ['--baseline-path', '.config/.gitleaks-report.json']
From 9784e2d05781350036b7c3b380a12a62152aaabe Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 21 Oct 2024 17:55:08 +0000
Subject: [PATCH 07/10] [pre-commit.ci] pre-commit autoupdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
updates:
- [github.com/gitleaks/gitleaks: v8.20.1 → v8.21.1](https://github.com/gitleaks/gitleaks/compare/v8.20.1...v8.21.1)
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 3c51241d..c6a8d07f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -36,7 +36,7 @@ repos:
 args: [ '--baseline', '.config/.secrets.baseline' ]
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.20.1
+ rev: v8.21.1
 hooks:
 - id: gitleaks
 args: ['--baseline-path', '.config/.gitleaks-report.json']
From c7bc4ebbe85acdf8e2404f6e87c2731b6079a5f9 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 28 Oct 2024 18:01:29 +0000
Subject: [PATCH 08/10] [pre-commit.ci] pre-commit autoupdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
updates:
- [github.com/gitleaks/gitleaks: v8.21.1 → v8.21.2](https://github.com/gitleaks/gitleaks/compare/v8.21.1...v8.21.2)
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index c6a8d07f..a679c82a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -36,7 +36,7 @@ repos:
 args: [ '--baseline', '.config/.secrets.baseline' ]
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.21.1
+ rev: v8.21.2
 hooks:
 - id: gitleaks
 args: ['--baseline-path', '.config/.gitleaks-report.json']
From a0f12f61c4fed335d42f190640d35b517c9d521c Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 4 Nov 2024 12:26:26 +0000
Subject: [PATCH 09/10] addressed #247 thanks to @angaaruriakhil
Signed-off-by: Mark Bolwell
---
 tasks/prelim.yml | 39 ++++++++++++++++++---------------------
 1 file changed, 18 insertions(+), 21 deletions(-)
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index c72db659..50d73e0e 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -138,28 +138,13 @@
 - always
 - name: "PRELIM | PATCH | Ensure auditd is installed"
- block:
- - name: "PRELIM | PATCH | Ensure auditd is installed"
- ansible.builtin.package:
- name: ['auditd', 'audispd-plugins']
- state: present
- when:
- "'auditd' not in ansible_facts.packages or 'auditd-plugins' not in ansible_facts.packages"
- - name: "PRELIM | AUDIT | Audit conf and rules files | list files"
- ansible.builtin.find:
- path: /etc/audit/
- file_type: file
- recurse: true
- patterns: '*.conf,*.rules'
- register: auditd_conf_files
-
+ ansible.builtin.package:
+ name: ['auditd', 'audispd-plugins']
+ state: present
 when:
- "'auditd' not in ansible_facts.packages or 'auditd-plugins' not in ansible_facts.packages"
- ubtu22cis_rule_4_1_1_1
 tags:
 - level2-server
 - level2-workstation
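Review bot: The install gate `'auditd-plugins' not in ansible_facts.packages` names a package this task never installs; the `name:` list installs `audispd-plugins`, and `auditd-plugins` looks like a typo for it, which would make that side of the `or` permanently true and the whole conditional moot (`state: present` keeps the task idempotent, so this is a dead check rather than a functional break, but it hides that the gate does nothing). Change it to `'audispd-plugins' not in ansible_facts.packages`. The condition is carried over from the removed block rather than introduced here, but the rewrite is the right moment to fix it. The `tags:` list continues past the hunk's last line.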
@@ -167,6 +152,18 @@
 - auditd
 - always
+- name: "PRELIM | AUDIT | Audit conf and rules files | list files"
+ ansible.builtin.find:
+ path: /etc/audit/
+ file_type: file
+ recurse: true
+ patterns: '*.conf,*.rules'
+ register: auditd_conf_files
+ tags:
+ - patch
+ - auditd
+ - always
+
 - name: "PRELIM | AUDIT | Check if auditd is immutable before changes"
 ansible.builtin.shell: auditctl -l | grep -c '-e 2'
 changed_when: false
From 048d1976e5d0199db1724278cf5db5a07ebe0b32 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 4 Nov 2024 12:32:45 +0000
Subject: [PATCH 10/10] added fix for #248 thanks to @dlesaffrew
Signed-off-by: Mark Bolwell
---
 tasks/section_6/cis_6.1.x.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
index 9c4c677d..9770898e 100644
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@@ -21,6 +21,8 @@
 owner: root
 group: root
 mode: '0644'
+ failed_when: discovered_file_exists.state not in '[ file, absent ]'
+ register: discovered_file_exists
 when:
 - ubtu22cis_rule_6_1_2
 tags: