Update to V2.0.0 #253

Closed
wants to merge 90 commits into from
Changes from 1 commit
90 commits
7ff3857
initial v2.0 update
uk-bolly Jun 27, 2024
d8f3311
updated 5.4.3.2 variables
uk-bolly Jul 1, 2024
ed5b7cc
fix conditionals if skipped
uk-bolly Jul 1, 2024
72a47e7
updated conditionals
uk-bolly Jul 1, 2024
d39d92e
updated ID references
uk-bolly Jul 1, 2024
58a76a1
fix typo
uk-bolly Jul 1, 2024
4061505
updated
uk-bolly Jul 1, 2024
f7fd57d
adjusted rule ids
uk-bolly Jul 1, 2024
327ba53
1.1.1.6 updated conditionals
uk-bolly Jul 2, 2024
e4db7a6
fixed typo
uk-bolly Jul 2, 2024
83123bf
updated var naming
uk-bolly Jul 2, 2024
c887a75
fix layout
uk-bolly Jul 2, 2024
f302e52
removed comments
uk-bolly Jul 2, 2024
e1d43b6
5.3.3.4.4 fixed path
uk-bolly Jul 2, 2024
48df824
moved directory creation to prelim
uk-bolly Jul 2, 2024
0b123a4
removed path as not valid for OS
uk-bolly Jul 2, 2024
1604af6
fix layout and conditionals
uk-bolly Jul 2, 2024
dcf74dc
layout and naming updates
uk-bolly Jul 2, 2024
d3caf0f
tidy up and remove unnecessary items
uk-bolly Jul 2, 2024
ee4cec7
handler naming correction
uk-bolly Jul 2, 2024
e89587f
updated handler naming
uk-bolly Jul 2, 2024
9b62df3
renamed files
uk-bolly Jul 2, 2024
78d17cc
fix tasks
uk-bolly Jul 2, 2024
c4dbd7c
fix typo
uk-bolly Jul 2, 2024
8a03ed8
rename handler
uk-bolly Jul 2, 2024
cddb639
rename var
uk-bolly Jul 2, 2024
0d0e2d0
moved tasks and updated
uk-bolly Jul 2, 2024
c0e6da2
update var
uk-bolly Jul 2, 2024
fe594fd
aligned variables
uk-bolly Jul 2, 2024
a56603f
tidy up 6.4.3.1-4
uk-bolly Jul 2, 2024
8bf0743
6.3.2.3 updated
uk-bolly Jul 2, 2024
9653e6b
fix 6.2.1.2.3
uk-bolly Jul 2, 2024
c35ff9d
tidy up
uk-bolly Jul 2, 2024
d967816
fix mode in quotes
uk-bolly Jul 2, 2024
f710cc2
remove empty line
uk-bolly Jul 2, 2024
eeb9c03
lint updates
uk-bolly Jul 2, 2024
65e10cc
fix typo
uk-bolly Jul 2, 2024
bd31db5
update comments
uk-bolly Jul 2, 2024
ea9fec3
lint
uk-bolly Jul 2, 2024
477c6d0
add pragma
uk-bolly Jul 2, 2024
d60280b
fix directory layout
uk-bolly Jul 2, 2024
6b5e1c7
typo resolved
uk-bolly Jul 2, 2024
a69e163
moved conditional to tag
uk-bolly Jul 2, 2024
0d95f24
improved mail 2.1.21
uk-bolly Jul 2, 2024
ac85608
improved tasks
uk-bolly Jul 3, 2024
533681a
fix tasks
uk-bolly Jul 3, 2024
20d3934
update defaults
uk-bolly Jul 3, 2024
500af8a
improve controls
uk-bolly Jul 5, 2024
e135d75
fix typo
uk-bolly Jul 5, 2024
cdf51db
improved tests
uk-bolly Jul 5, 2024
f7c090f
removed dupes
uk-bolly Jul 5, 2024
86ce8ed
updated value to be correct
uk-bolly Jul 8, 2024
92a0d48
updated to add flush handlers
uk-bolly Jul 8, 2024
5ad2554
fix tags
uk-bolly Jul 8, 2024
16c969c
updated test
uk-bolly Jul 8, 2024
2906e2f
fixed 6.3.3.5
uk-bolly Jul 8, 2024
4fd48c9
initial_v2
uk-bolly Jul 8, 2024
254eca5
add variable
uk-bolly Jul 8, 2024
d7ff345
tidy up space
uk-bolly Jul 8, 2024
f89c43e
improve 6.1.2
uk-bolly Jul 8, 2024
066cfc2
6.1.2 additions
uk-bolly Jul 8, 2024
d268d74
fixed logic
uk-bolly Jul 8, 2024
4c3e008
fixed handler
uk-bolly Jul 8, 2024
567385c
Tidy up vars
uk-bolly Jul 8, 2024
46cc906
updated precommit
uk-bolly Jul 8, 2024
c8c4878
updated to new workflow
uk-bolly Jul 8, 2024
10578a0
lint work
uk-bolly Jul 8, 2024
e549b14
Merge pull request #1 from ansible-lockdown/v2_beta
uk-bolly Jul 8, 2024
cdb62ff
updated changelog
uk-bolly Jul 8, 2024
c1f742c
removed file not needed
uk-bolly Jul 23, 2024
cabbe89
updated to enable AMR audit to take place
uk-bolly Aug 13, 2024
8bba2bb
typos and updates
uk-bolly Sep 2, 2024
a150588
typos and improvements
uk-bolly Sep 2, 2024
4ed7fab
improved variable import
uk-bolly Sep 2, 2024
36818a0
fixed bad handler
uk-bolly Sep 2, 2024
04c62a0
applied fixes
uk-bolly Sep 4, 2024
814599e
remove jmespath_requirement
uk-bolly Oct 22, 2024
5a9785f
updated root password check
uk-bolly Oct 22, 2024
4a4812c
Updated audit
uk-bolly Oct 22, 2024
5fd4dc6
fixed conditionals and requirements
uk-bolly Oct 22, 2024
62e6228
updated precommit
uk-bolly Oct 22, 2024
9b5c0ea
Merge pull request #7 from ansible-lockdown/updated_oct_24
uk-bolly Oct 25, 2024
7bd332e
updated 7.1 passwd- thanks to @dlesaffrew
uk-bolly Nov 4, 2024
1bbf6ee
issue #247 addressed thanks to @angaaruriakhil
uk-bolly Nov 4, 2024
29660b0
updated pre-commit
uk-bolly Nov 12, 2024
14621eb
updated 1st to ubuntu
uk-bolly Nov 12, 2024
b7c950a
Merge branch 'devel' into v2.0.0_cis
uk-bolly Nov 19, 2024
68968ca
removed legacy data
uk-bolly Nov 19, 2024
685f4a0
Lint on file
uk-bolly Nov 19, 2024
c2b422b
Improvements to 6.1.1 logic
uk-bolly Nov 19, 2024
typos and updates
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
uk-bolly committed Sep 2, 2024
commit 8bba2bb56dd2300e1f7d87e3eaff0a672f6953a8
4 changes: 2 additions & 2 deletions tasks/section_2/cis_2.1.x.yml
@@ -126,7 +126,7 @@
- ubtu22cis_dns_mask
notify: Systemd_daemon_reload
ansible.builtin.systemd:
name: bind9.service
name: named.service
enabled: false
state: stopped
masked: true
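Review bot: the rename from bind9.service to named.service in the masked/stopped systemd task should be checked against the bind9 package shipped on the target Ubuntu release, since on current packages bind9.service exists only as an alias of named.service and masking through an alias name does not behave like masking the real unit. Using the real unit name is the right fix; if an older release still installs a real bind9.service, a conditional on the release or a short list of both names would keep the task working across versions.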
@@ -175,7 +175,7 @@
block:
- name: "2.1.6 | PATCH | Ensure ftp server services are not in use | Remove package"
when:
- "'ftp' in ansible_facts.packages"
- "'vsftp' in ansible_facts.packages"
- not ubtu22cis_ftp_server
- not ubtu22cis_ftp_mask
ansible.builtin.package:
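Review bot: the package test changed from 'ftp' to 'vsftp', but the Ubuntu package that provides the FTP server is vsftpd, and `in ansible_facts.packages` is an exact dictionary-key match, so 'vsftp' would never be true and the removal task would silently never run; confirm the intended package name on a host where the FTP server is installed. Dropping 'ftp' was right in any case, because that package is the client rather than the server.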
9 changes: 7 additions & 2 deletions tasks/section_2/cis_2.4.1.x.yml
@@ -43,6 +43,7 @@
owner: root
group: root
mode: '0700'
state: directory

- name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
when:
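Review bot: adding state: directory to these ansible.builtin.file tasks (this hunk and the identical ones for cron.daily, cron.weekly, cron.monthly and cron.d that follow) is a correctness fix, since without it the module defaults to state: file and fails when the directory is absent instead of creating it with the root:root 0700 permissions the benchmark expects; worth a changelog line that the role now creates missing cron directories rather than erroring.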
@@ -58,6 +59,7 @@
owner: root
group: root
mode: '0700'
state: directory

- name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
when:
@@ -73,6 +75,7 @@
owner: root
group: root
mode: '0700'
state: directory

- name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
when:
@@ -88,6 +91,7 @@
owner: root
group: root
mode: '0700'
state: directory

- name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
when:
@@ -103,6 +107,7 @@
owner: root
group: root
mode: '0700'
state: directory

- name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users"
when:
@@ -130,7 +135,7 @@
path: /etc/cron.allow
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
state: touch

- name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Update cron.allow if exists"
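Review bot: switching mode on /etc/cron.allow from '0640' to the symbolic 'u-x,g-wx,o-rwx' (also in the next hunk and in both at.allow hunks) matches the benchmark's chmod wording, but a symbolic mode only strips bits, so a pre-existing file with tighter permissions such as 0600 keeps them, and any audit that compares against an absolute 0640 would then report a false finding; the audit side should apply the same rule. Separately, state: touch on this task reports changed on every run unless access_time and modification_time are set to preserve, which this hunk leaves as is.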
@@ -139,4 +144,4 @@
path: /etc/cron.allow
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
4 changes: 2 additions & 2 deletions tasks/section_2/cis_2.4.2.x.yml
@@ -26,7 +26,7 @@
path: /etc/at.allow
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
state: touch

- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | update at.allow if exists"
@@ -35,4 +35,4 @@
path: /etc/at.allow
owner: root
group: root
mode: '0640'
mode: 'u-x,g-wx,o-rwx'
2 changes: 1 addition & 1 deletion tasks/section_3/cis_3.1.x.yml
@@ -95,7 +95,7 @@
- level1-server
- level2-workstation
- patch
- sctp
- bluetooth
- rule_3.1.3
block:
- name: "3.1.3 | PATCH | Ensure bluetooth services are not in use | pkg"
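Review bot: the tag fix from sctp to bluetooth on rule 3.1.3 is correct; a quick grep of this file for other rule blocks whose tags still carry a copied module name would catch the same mistake elsewhere, since a wrong tag silently excludes the block from a `--tags bluetooth` run without any error.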
10 changes: 5 additions & 5 deletions tasks/section_5/cis_5.4.1.x.yml
@@ -151,16 +151,16 @@

- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past"
when:
- ubtu22cis_rule_5_4_1_5
- ubtu22cis_rule_5_4_1_6
tags:
- level1-server
- level1-workstation
- patch
- rule_5.4.1.5
- rule_5.4.1.6
- user
- login
vars:
warn_control_id: '5.4.1.5'
warn_control_id: '5.4.1.6'
block:
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time"
ansible.builtin.shell: echo $(($(date --utc --date "$1" +%s)/86400))
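Review bot: on the ansible.builtin.shell line at the end of this hunk, "$1" is never set when the command runs under the shell module, so `date --utc --date "$1"` receives an empty string, which GNU date interprets as today at midnight; the day count comes out right only by that coincidence, and `echo $(( $(date --utc +%s) / 86400 ))` would state the intent directly. The renumbering from 5.4.1.5 to 5.4.1.6 is applied consistently to the when variable, the tag and warn_control_id here, which keeps the warning facts attributed to the right control.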
@@ -183,12 +183,12 @@
- "WARNING!! The following accounts have the last PW change date in the future"
- "{{ ubtu22cis_passwd_future_user_list.stdout_lines }}"

- name: "5.4.1.5 | WARN | Ensure all users last password change date is in the past | warn_count"
- name: "5.4.1.6 | WARN | Ensure all users last password change date is in the past | warn_count"
when: ubtu22cis_passwd_future_user_list.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml

- name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates"
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates"
when:
- ubtu22cis_disruption_high
- ubtu22cis_passwd_future_user_list.stdout | length > 0
2 changes: 1 addition & 1 deletion tasks/section_5/cis_5.4.2.x.yml
@@ -53,7 +53,7 @@
- level1-server
- level1-workstation
- patch
- rule_5.4.2.2
- rule_5.4.2.3
- user
- system
block:
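Review bot: the tag now reads rule_5.4.2.3, but the block's when: guard sits above the hunk and is not visible; confirm it references the matching ubtu22cis_rule_5_4_2_3 variable, otherwise the tag and the enable variable disagree and a `--tags rule_5.4.2.3` run would execute a block gated by a different control's setting.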
2 changes: 1 addition & 1 deletion tasks/section_6/cis_6.3.3.x.yml
@@ -111,7 +111,7 @@
- level2-server
- level2-workstation
- patch
- rule_6.3.3.1
- rule_6.3.3.9
- auditd
ansible.builtin.set_fact:
update_audit_template: true
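Review bot: changing the tag from rule_6.3.3.1 to rule_6.3.3.9 at line 111 fixes the set_fact that flips update_audit_template, so a run limited to `--tags rule_6.3.3.9` now triggers regeneration of the audit rules template; as with the 5.4.2.x hunk, check that the surrounding when: condition (outside the hunk) references the 6.3.3.9 variable as well.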