From 7ff385739a009f8d254358fa6fa8149ff21509c8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jun 2024 17:43:34 +0100 Subject: [PATCH 001/135] initial v2.0 update 
Signed-off-by: Mark Bolwell --- .yamllint | 42 +- README.md | 2 +- defaults/main.yml | 1087 ++++++++++------- handlers/main.yml | 15 + tasks/LE_audit_setup.yml | 44 +- tasks/audit_only.yml | 26 +- tasks/auditd.yml | 33 +- tasks/main.yml | 298 ++--- tasks/parse_etc_password.yml | 55 +- tasks/post_remediation_audit.yml | 52 +- tasks/pre_remediation_audit.yml | 135 +- tasks/prelim.yml | 340 +++--- tasks/section_1/cis_1.1.1.x.yml | 345 ++++-- tasks/section_1/cis_1.1.10.yml | 33 - tasks/section_1/cis_1.1.2.1.x.yml | 75 ++ tasks/section_1/cis_1.1.2.2.x.yml | 50 + tasks/section_1/cis_1.1.2.3.x.yml | 52 + tasks/section_1/cis_1.1.2.4.x.yml | 52 + tasks/section_1/cis_1.1.2.5.x.yml | 56 + tasks/section_1/cis_1.1.2.6.x.yml | 55 + tasks/section_1/cis_1.1.2.7.x.yml | 55 + tasks/section_1/cis_1.1.2.x.yml | 78 -- tasks/section_1/cis_1.1.3.x.yml | 50 - tasks/section_1/cis_1.1.4.x.yml | 53 - tasks/section_1/cis_1.1.5.x.yml | 53 - tasks/section_1/cis_1.1.6.x.yml | 53 - tasks/section_1/cis_1.1.7.x.yml | 50 - tasks/section_1/cis_1.1.8.x.yml | 26 - tasks/section_1/cis_1.1.9.yml | 18 - tasks/section_1/cis_1.2.1.x.yml | 63 + tasks/section_1/cis_1.2.2.x.yml | 14 + tasks/section_1/cis_1.2.x.yml | 65 - tasks/section_1/cis_1.3.1.x.yml | 169 +++ tasks/section_1/cis_1.3.x.yml | 61 - tasks/section_1/cis_1.4.x.yml | 108 +- tasks/section_1/cis_1.5.x.yml | 232 ++-- tasks/section_1/cis_1.6.x.yml | 252 ++-- tasks/section_1/cis_1.7.x.yml | 387 ++++-- tasks/section_1/cis_1.8.x.yml | 313 ----- tasks/section_1/cis_1.9.yml | 15 - tasks/section_1/main.yml | 77 +- tasks/section_2/cis_2.1.1.x.yml | 40 - tasks/section_2/cis_2.1.2.x.yml | 57 - tasks/section_2/cis_2.1.3.x.yml | 44 - tasks/section_2/cis_2.1.4.x.yml | 78 -- tasks/section_2/cis_2.1.x.yml | 699 +++++++++++ tasks/section_2/cis_2.2.x.yml | 399 +----- tasks/section_2/cis_2.3.1.x.yml | 38 + tasks/section_2/cis_2.3.2.x.yml | 62 + tasks/section_2/cis_2.3.3.x.yml | 75 ++ tasks/section_2/cis_2.3.x.yml | 95 -- tasks/section_2/cis_2.4.1.x.yml | 142 +++ 
tasks/section_2/cis_2.4.2.x.yml | 38 + tasks/section_2/cis_2.4.yml | 33 - tasks/section_2/main.yml | 38 +- tasks/section_3/cis_3.1.x.yml | 181 +-- tasks/section_3/cis_3.2.x.yml | 158 ++- tasks/section_3/cis_3.3.x.yml | 468 +++---- tasks/section_3/cis_3.4.x.yml | 120 -- tasks/section_3/cis_3.5.1.x.yml | 185 --- tasks/section_3/cis_3.5.2.x.yml | 240 ---- tasks/section_3/cis_3.5.3.x.yml | 417 ------- tasks/section_3/main.yml | 31 +- tasks/section_4/cis_4.1.1.x.yml | 103 -- tasks/section_4/cis_4.1.2.x.yml | 57 - tasks/section_4/cis_4.1.3.x.yml | 287 ----- tasks/section_4/cis_4.1.4.x.yml | 207 ---- tasks/section_4/cis_4.1.x.yml | 178 +++ tasks/section_4/cis_4.2.1.1.x.yml | 70 -- tasks/section_4/cis_4.2.1.x.yml | 125 -- tasks/section_4/cis_4.2.2.x.yml | 179 --- tasks/section_4/cis_4.2.3.yml | 31 - tasks/section_4/cis_4.2.x.yml | 230 ++++ tasks/section_4/cis_4.3.1.x.yml | 406 ++++++ tasks/section_4/cis_4.3.2.x.yml | 180 +++ tasks/section_4/cis_4.3.3.x.yml | 177 +++ tasks/section_4/main.yml | 42 +- tasks/section_5/cis_5.1.x.yml | 564 ++++++--- tasks/section_5/cis_5.2.x.yml | 467 ++----- tasks/section_5/cis_5.3.1.x.yml | 45 + tasks/section_5/cis_5.3.2.x.yml | 88 ++ tasks/section_5/cis_5.3.3.1.x.yml | 103 ++ tasks/section_5/cis_5.3.3.2.x.yml | 242 ++++ tasks/section_5/cis_5.3.3.3.x.yml | 79 ++ tasks/section_5/cis_5.3.3.4.x.yml | 100 ++ tasks/section_5/cis_5.3.x.yml | 142 --- tasks/section_5/cis_5.4.1.x.yml | 198 +++ tasks/section_5/cis_5.4.2.x.yml | 200 +++ tasks/section_5/cis_5.4.3.x.yml | 56 + tasks/section_5/cis_5.4.x.yml | 216 ---- tasks/section_5/cis_5.5.x.yml | 313 ----- tasks/section_5/main.yml | 40 +- tasks/section_6/cis_6.1.x.yml | 431 ++----- tasks/section_6/cis_6.2.1.1.x.yml | 164 +++ tasks/section_6/cis_6.2.1.2.x.yml | 67 + tasks/section_6/cis_6.2.2.yml | 35 + tasks/section_6/cis_6.2.x.yml | 528 -------- tasks/section_6/cis_6.3.1.x.yml | 100 ++ tasks/section_6/cis_6.3.2.x.yml | 69 ++ tasks/section_6/cis_6.3.3.x.yml | 263 ++++ tasks/section_6/cis_6.3.4.x.yml | 181 
+++ tasks/section_6/main.yml | 30 +- tasks/section_7/cis_7.1.x.yml | 295 +++++ tasks/section_7/cis_7.2.x.yml | 314 +++++ tasks/section_7/main.yml | 9 + tasks/warning_facts.yml | 4 +- templates/ansible_vars_goss.yml.j2 | 154 ++- templates/audit/99_auditd.rules.j2 | 93 +- .../pwquality.conf.d/50-pwcomplexity.conf.j2 | 7 + .../pwquality.conf.d/50-pwdictcheck.conf.j2 | 3 + .../pwquality.conf.d/50-pwdifok.conf.j2 | 3 + .../pwquality.conf.d/50-pwlength.conf.j2 | 3 + .../pwquality.conf.d/50-pwmaxsequence.conf.j2 | 3 + .../50-pwquality_enforce.conf.j2 | 4 + .../pwquality.conf.d/50-pwrepeat.conf.j2 | 3 + .../pwquality.conf.d/50-pwroot.conf.j2 | 3 + .../journald.conf.d/forwardtosyslog.j2 | 4 + .../systemd/journald.conf.d/rotation.conf.j2 | 8 + .../etc/systemd/journald.conf.d/storage.j2 | 11 + templates/usr/share/pam-config/faillock.j2 | 6 + .../usr/share/pam-config/faillock_notify.j2 | 9 + templates/usr/share/pam-config/pam_unix.j2 | 23 + templates/usr/share/pam-config/pwhistory.j2 | 6 + templates/usr/share/pam-config/pwquality.j2 | 8 + 124 files changed, 8899 insertions(+), 7744 deletions(-) delete mode 100644 tasks/section_1/cis_1.1.10.yml create mode 100644 tasks/section_1/cis_1.1.2.1.x.yml create mode 100644 tasks/section_1/cis_1.1.2.2.x.yml create mode 100644 tasks/section_1/cis_1.1.2.3.x.yml create mode 100644 tasks/section_1/cis_1.1.2.4.x.yml create mode 100644 tasks/section_1/cis_1.1.2.5.x.yml create mode 100644 tasks/section_1/cis_1.1.2.6.x.yml create mode 100644 tasks/section_1/cis_1.1.2.7.x.yml delete mode 100644 tasks/section_1/cis_1.1.2.x.yml delete mode 100644 tasks/section_1/cis_1.1.3.x.yml delete mode 100644 tasks/section_1/cis_1.1.4.x.yml delete mode 100644 tasks/section_1/cis_1.1.5.x.yml delete mode 100644 tasks/section_1/cis_1.1.6.x.yml delete mode 100644 tasks/section_1/cis_1.1.7.x.yml delete mode 100644 tasks/section_1/cis_1.1.8.x.yml delete mode 100644 tasks/section_1/cis_1.1.9.yml create mode 100644 tasks/section_1/cis_1.2.1.x.yml create mode 100644 
tasks/section_1/cis_1.2.2.x.yml delete mode 100644 tasks/section_1/cis_1.2.x.yml create mode 100644 tasks/section_1/cis_1.3.1.x.yml delete mode 100644 tasks/section_1/cis_1.3.x.yml delete mode 100644 tasks/section_1/cis_1.8.x.yml delete mode 100644 tasks/section_1/cis_1.9.yml delete mode 100644 tasks/section_2/cis_2.1.1.x.yml delete mode 100644 tasks/section_2/cis_2.1.2.x.yml delete mode 100644 tasks/section_2/cis_2.1.3.x.yml delete mode 100644 tasks/section_2/cis_2.1.4.x.yml create mode 100644 tasks/section_2/cis_2.1.x.yml create mode 100644 tasks/section_2/cis_2.3.1.x.yml create mode 100644 tasks/section_2/cis_2.3.2.x.yml create mode 100644 tasks/section_2/cis_2.3.3.x.yml delete mode 100644 tasks/section_2/cis_2.3.x.yml create mode 100644 tasks/section_2/cis_2.4.1.x.yml create mode 100644 tasks/section_2/cis_2.4.2.x.yml delete mode 100644 tasks/section_2/cis_2.4.yml delete mode 100644 tasks/section_3/cis_3.4.x.yml delete mode 100644 tasks/section_3/cis_3.5.1.x.yml delete mode 100644 tasks/section_3/cis_3.5.2.x.yml delete mode 100644 tasks/section_3/cis_3.5.3.x.yml delete mode 100644 tasks/section_4/cis_4.1.1.x.yml delete mode 100644 tasks/section_4/cis_4.1.2.x.yml delete mode 100644 tasks/section_4/cis_4.1.3.x.yml delete mode 100644 tasks/section_4/cis_4.1.4.x.yml create mode 100644 tasks/section_4/cis_4.1.x.yml delete mode 100644 tasks/section_4/cis_4.2.1.1.x.yml delete mode 100644 tasks/section_4/cis_4.2.1.x.yml delete mode 100644 tasks/section_4/cis_4.2.2.x.yml delete mode 100644 tasks/section_4/cis_4.2.3.yml create mode 100644 tasks/section_4/cis_4.2.x.yml create mode 100644 tasks/section_4/cis_4.3.1.x.yml create mode 100644 tasks/section_4/cis_4.3.2.x.yml create mode 100644 tasks/section_4/cis_4.3.3.x.yml create mode 100644 tasks/section_5/cis_5.3.1.x.yml create mode 100644 tasks/section_5/cis_5.3.2.x.yml create mode 100644 tasks/section_5/cis_5.3.3.1.x.yml create mode 100644 tasks/section_5/cis_5.3.3.2.x.yml create mode 100644 
tasks/section_5/cis_5.3.3.3.x.yml create mode 100644 tasks/section_5/cis_5.3.3.4.x.yml delete mode 100644 tasks/section_5/cis_5.3.x.yml create mode 100644 tasks/section_5/cis_5.4.1.x.yml create mode 100644 tasks/section_5/cis_5.4.2.x.yml create mode 100644 tasks/section_5/cis_5.4.3.x.yml delete mode 100644 tasks/section_5/cis_5.4.x.yml delete mode 100644 tasks/section_5/cis_5.5.x.yml create mode 100644 tasks/section_6/cis_6.2.1.1.x.yml create mode 100644 tasks/section_6/cis_6.2.1.2.x.yml create mode 100644 tasks/section_6/cis_6.2.2.yml delete mode 100644 tasks/section_6/cis_6.2.x.yml create mode 100644 tasks/section_6/cis_6.3.1.x.yml create mode 100644 tasks/section_6/cis_6.3.2.x.yml create mode 100644 tasks/section_6/cis_6.3.3.x.yml create mode 100644 tasks/section_6/cis_6.3.4.x.yml create mode 100644 tasks/section_7/cis_7.1.x.yml create mode 100644 tasks/section_7/cis_7.2.x.yml create mode 100644 tasks/section_7/main.yml create mode 100644 templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 create mode 100644 templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2 create mode 100644 templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2 create mode 100644 templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2 create mode 100644 templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2 create mode 100644 templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2 create mode 100644 templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2 create mode 100644 templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2 create mode 100644 templates/etc/systemd/journald.conf.d/forwardtosyslog.j2 create mode 100644 templates/etc/systemd/journald.conf.d/rotation.conf.j2 create mode 100644 templates/etc/systemd/journald.conf.d/storage.j2 create mode 100644 templates/usr/share/pam-config/faillock.j2 create mode 100644 templates/usr/share/pam-config/faillock_notify.j2 create mode 100644 templates/usr/share/pam-config/pam_unix.j2 
create mode 100644 templates/usr/share/pam-config/pwhistory.j2 create mode 100644 templates/usr/share/pam-config/pwquality.j2 diff --git a/.yamllint b/.yamllint index db1b7584..dff24572 100755 --- a/.yamllint +++ b/.yamllint @@ -10,25 +10,23 @@ ignore: | *molecule.yml rules: - indentation: - # Requiring 4 space indentation - spaces: 4 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent - braces: - max-spaces-inside: 1 - level: error - brackets: - max-spaces-inside: 1 - level: error - empty-lines: - max: 1 - line-length: disable - key-duplicates: enable - new-line-at-end-of-file: enable - new-lines: - type: unix - trailing-spaces: enable - truthy: - allowed-values: ['true', 'false'] - check-keys: true + indentation: + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + empty-lines: + max: 1 + line-length: disable + key-duplicates: enable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: true diff --git a/README.md b/README.md index af7225cc..3345dfd6 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a Ubuntu 22 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant -### Based on CIS Ubuntu Linux 22.04 LTS Benchmark v1.0.0 [Release](https://learn.cisecurity.org/l/799323/2022-09-15/3l9d2k) +### Based on CIS Ubuntu Linux 22.04 LTS Benchmark v2.0.0 [Release](https://downloads.cisecurity.org/#/) ![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social) ![Stars](https://img.shields.io/github/stars/ansible-lockdown/ubuntu22-cis?label=Repo%20Stars&style=social) diff --git a/defaults/main.yml b/defaults/main.yml index a7e6665b..06f03b8a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
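Review bot: Dropping `spaces: 4` under `indentation` in the .yamllint hunk leaves yamllint at its default `spaces: consistent`, so the linter no longer pins any width even though this commit re-indents the role's YAML to 2 spaces. A file indented consistently with 4 spaces would still pass, which defeats the point of the migration. If 2-space indentation is the new standard, state it: `spaces: 2` under `indentation:`, with the removed comment restored as `# Requiring 2 space indentation`.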
@@ -10,6 +10,7 @@ ubtu22cis_section3: true ubtu22cis_section4: true ubtu22cis_section5: true ubtu22cis_section6: true +ubtu22cis_section7: true ## Reboot system before audit # System will reboot if false, can give better audit results @@ -18,7 +19,7 @@ skip_reboot: true ## Benchmark name and profiles used by auditing control role # The audit variable found at the base benchmark: UBUNTU22-CIS -benchmark_version: v1.0.0 +benchmark_version: v2.0.0 # Used for audit ubtu22cis_level_1: true ubtu22cis_level_2: true 
@@ -118,124 +119,173 @@ system_is_ec2: false ## Section 1 Fixes # Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, # Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) + +# 1.1 Filesystems +# 1.1.1 Configure Filesystem Kernel Modules ubtu22cis_rule_1_1_1_1: true ubtu22cis_rule_1_1_1_2: true ubtu22cis_rule_1_1_1_3: true -ubtu22cis_rule_1_1_2_1: true -ubtu22cis_rule_1_1_2_2: true -ubtu22cis_rule_1_1_2_3: true -ubtu22cis_rule_1_1_2_4: true -ubtu22cis_rule_1_1_3_1: true -ubtu22cis_rule_1_1_3_2: true -ubtu22cis_rule_1_1_3_3: true -ubtu22cis_rule_1_1_4_1: true -ubtu22cis_rule_1_1_4_2: true -ubtu22cis_rule_1_1_4_3: true -ubtu22cis_rule_1_1_4_4: true -ubtu22cis_rule_1_1_5_1: true -ubtu22cis_rule_1_1_5_2: true -ubtu22cis_rule_1_1_5_3: true -ubtu22cis_rule_1_1_5_4: true -ubtu22cis_rule_1_1_6_1: true -ubtu22cis_rule_1_1_6_2: true -ubtu22cis_rule_1_1_6_3: true -ubtu22cis_rule_1_1_6_4: true -ubtu22cis_rule_1_1_7_1: true -ubtu22cis_rule_1_1_7_2: true -ubtu22cis_rule_1_1_7_3: true -ubtu22cis_rule_1_1_8_1: true -ubtu22cis_rule_1_1_8_2: true -ubtu22cis_rule_1_1_8_3: true -ubtu22cis_rule_1_1_9: true -ubtu22cis_rule_1_1_10: true -ubtu22cis_rule_1_2_1: true -ubtu22cis_rule_1_2_2: true -ubtu22cis_rule_1_3_1: true -ubtu22cis_rule_1_3_2: true -ubtu22cis_rule_1_4_1: true -ubtu22cis_rule_1_4_2: true -ubtu22cis_rule_1_4_3: true -ubtu22cis_rule_1_5_1: true -ubtu22cis_rule_1_5_2: true -ubtu22cis_rule_1_5_3: true -ubtu22cis_rule_1_5_4: true -ubtu22cis_rule_1_6_1_1: true -ubtu22cis_rule_1_6_1_2: true -ubtu22cis_rule_1_6_1_3: true -ubtu22cis_rule_1_6_1_4: true -ubtu22cis_rule_1_7_1: true -ubtu22cis_rule_1_7_2: true -ubtu22cis_rule_1_7_3: true -ubtu22cis_rule_1_7_4: true -ubtu22cis_rule_1_7_5: true -ubtu22cis_rule_1_7_6: true -ubtu22cis_rule_1_8_1: true -ubtu22cis_rule_1_8_2: true -ubtu22cis_rule_1_8_3: true -ubtu22cis_rule_1_8_4: true 
-ubtu22cis_rule_1_8_5: true -ubtu22cis_rule_1_8_6: true -ubtu22cis_rule_1_8_7: true -ubtu22cis_rule_1_8_8: true -ubtu22cis_rule_1_8_9: true -ubtu22cis_rule_1_8_10: true -ubtu22cis_rule_1_9: true +ubtu22cis_rule_1_1_1_4: true +ubtu22cis_rule_1_1_1_5: true +ubtu22cis_rule_1_1_1_6: true +ubtu22cis_rule_1_1_1_7: true +ubtu22cis_rule_1_1_1_8: true + +# 1.1.2 Configure Filesystem Partitions +# /tmp +ubtu22cis_rule_1_1_2_1_1: true +ubtu22cis_rule_1_1_2_1_2: true +ubtu22cis_rule_1_1_2_1_3: true +ubtu22cis_rule_1_1_2_1_4: true + +# /dev/shm +ubtu22cis_rule_1_1_2_2_1: true +ubtu22cis_rule_1_1_2_2_2: true +ubtu22cis_rule_1_1_2_2_3: true +ubtu22cis_rule_1_1_2_2_4: true + +# /home +ubtu22cis_rule_1_1_2_3_1: true +ubtu22cis_rule_1_1_2_3_2: true +ubtu22cis_rule_1_1_2_3_3: true + +# /var +ubtu22cis_rule_1_1_2_4_1: true +ubtu22cis_rule_1_1_2_4_2: true +ubtu22cis_rule_1_1_2_4_3: true + +# /var/tmp +ubtu22cis_rule_1_1_2_5_1: true +ubtu22cis_rule_1_1_2_5_2: true +ubtu22cis_rule_1_1_2_5_3: true +ubtu22cis_rule_1_1_2_5_4: true + +# /var/log +ubtu22cis_rule_1_1_2_6_1: true +ubtu22cis_rule_1_1_2_6_2: true +ubtu22cis_rule_1_1_2_6_3: true +ubtu22cis_rule_1_1_2_6_4: true + +# /var/log/audit +ubtu22cis_rule_1_1_2_7_1: true +ubtu22cis_rule_1_1_2_7_2: true +ubtu22cis_rule_1_1_2_7_3: true +ubtu22cis_rule_1_1_2_7_4: true + +# 1.2 Package mgmt +# 1.2.1 Configure Package repositories +ubtu22cis_rule_1_2_1_1: true +ubtu22cis_rule_1_2_1_2: true +# 1.2.2 Configure Package updates +ubtu22cis_rule_1_2_2_1: true + +# 1.3 Mandatory Access Control +## 1.3.1 Configure AppArmor +ubtu22cis_1_3_1_1: true +ubtu22cis_1_3_1_2: true +ubtu22cis_1_3_1_3: true +ubtu22cis_1_3_1_4: true + +# 1.4 Configure Bootloader +ubtu22cis_1_4_1: true +ubtu22cis_1_4_2: true + +# 1.5 Configure additional Process Hardening +ubtu22cis_1_5_1: true +ubtu22cis_1_5_2: true +ubtu22cis_1_5_3: true +ubtu22cis_1_5_4: true +ubtu22cis_1_5_5: true + +# 1.6 Configure Command Line Warning Banners +ubtu22cis_1_6_1: true +ubtu22cis_1_6_2: true 
+ubtu22cis_1_6_3: true +ubtu22cis_1_6_4: true +ubtu22cis_1_6_5: true +ubtu22cis_1_6_6: true + +# 1.7 Configure GNOME Display Manager +ubtu22cis_1_7_1: true +ubtu22cis_1_7_2: true +ubtu22cis_1_7_3: true +ubtu22cis_1_7_4: true +ubtu22cis_1_7_5: true +ubtu22cis_1_7_6: true +ubtu22cis_1_7_7: true +ubtu22cis_1_7_8: true +ubtu22cis_1_7_9: true +ubtu22cis_1_7_10: true ## Section 2 Fixes # Section 2 is Services (Special Purpose Services, and service clients) -ubtu22cis_rule_2_1_1_1: true -ubtu22cis_rule_2_1_1_2: true -ubtu22cis_rule_2_1_1_3: true -ubtu22cis_rule_2_1_1_4: true -# Chrony -ubtu22cis_rule_2_1_2_1: true -ubtu22cis_rule_2_1_2_2: true -ubtu22cis_rule_2_1_2_3: true -# systemd-timesyncd -ubtu22cis_rule_2_1_3_1: true -ubtu22cis_rule_2_1_3_2: true - -# ntp -ubtu22cis_rule_2_1_4_1: true -ubtu22cis_rule_2_1_4_2: true -ubtu22cis_rule_2_1_4_3: true -ubtu22cis_rule_2_1_4_4: true -# Services + +# 2.1 Configure Server Services +ubtu22cis_rule_2_1_1: true +ubtu22cis_rule_2_1_2: true +ubtu22cis_rule_2_1_3: true +ubtu22cis_rule_2_1_4: true +ubtu22cis_rule_2_1_5: true +ubtu22cis_rule_2_1_6: true +ubtu22cis_rule_2_1_7: true +ubtu22cis_rule_2_1_8: true +ubtu22cis_rule_2_1_9: true +ubtu22cis_rule_2_1_10: true +ubtu22cis_rule_2_1_11: true +ubtu22cis_rule_2_1_12: true +ubtu22cis_rule_2_1_13: true +ubtu22cis_rule_2_1_14: true +ubtu22cis_rule_2_1_15: true +ubtu22cis_rule_2_1_16: true +ubtu22cis_rule_2_1_17: true +ubtu22cis_rule_2_1_18: true +ubtu22cis_rule_2_1_19: true +ubtu22cis_rule_2_1_20: true +ubtu22cis_rule_2_1_21: true +ubtu22cis_rule_2_1_22: true + +# 2.2 Configure client services ubtu22cis_rule_2_2_1: true ubtu22cis_rule_2_2_2: true ubtu22cis_rule_2_2_3: true ubtu22cis_rule_2_2_4: true ubtu22cis_rule_2_2_5: true ubtu22cis_rule_2_2_6: true -ubtu22cis_rule_2_2_7: true -ubtu22cis_rule_2_2_8: true -ubtu22cis_rule_2_2_9: true -ubtu22cis_rule_2_2_10: true -ubtu22cis_rule_2_2_11: true -ubtu22cis_rule_2_2_12: true -ubtu22cis_rule_2_2_13: true -ubtu22cis_rule_2_2_14: true 
-ubtu22cis_rule_2_2_15: true -ubtu22cis_rule_2_2_16: true -ubtu22cis_rule_2_2_17: true -# Service Client -ubtu22cis_rule_2_3_1: true -ubtu22cis_rule_2_3_2: true -ubtu22cis_rule_2_3_3: true -ubtu22cis_rule_2_3_4: true -ubtu22cis_rule_2_3_5: true -ubtu22cis_rule_2_3_6: true -# Non-essential services -ubtu22cis_rule_2_4: true + +# Ensure time synchronization is in use +ubtu22cis_rule_2_3_1_1: true +# Configure systemd-timesyncd +ubtu22cis_rule_2_3_2_1: true +ubtu22cis_rule_2_3_2_2: true +# Configure Chrony +ubtu22cis_rule_2_3_3_1: true +ubtu22cis_rule_2_3_3_2: true +ubtu22cis_rule_2_3_3_3: true + +# 2.4 Job Schedulers +# 2.4.1 Configure Cron +ubtu22cis_rule_2_4_1_1: true +ubtu22cis_rule_2_4_1_2: true +ubtu22cis_rule_2_4_1_3: true +ubtu22cis_rule_2_4_1_4: true +ubtu22cis_rule_2_4_1_5: true +ubtu22cis_rule_2_4_1_6: true +ubtu22cis_rule_2_4_1_7: true +ubtu22cis_rule_2_4_1_8: true +# Configure At +ubtu22cis_rule_2_4_2_1: true ## Section 3 Network Configuration -# Disable Unused Network +# 3.1 Configure Network Devices ubtu22cis_rule_3_1_1: true ubtu22cis_rule_3_1_2: true -# Network Parameters (Host Only) +ubtu22cis_rule_3_1_3: true +# 3.2 Configure Network Kernel Modules (Host Only) ubtu22cis_rule_3_2_1: true ubtu22cis_rule_3_2_2: true -# Network Parameters (Host and Router) +ubtu22cis_rule_3_2_3: true +ubtu22cis_rule_3_2_4: true +# 3.3 Configure Network Kernel Parameters (Host and Router) ubtu22cis_rule_3_3_1: true ubtu22cis_rule_3_3_2: true ubtu22cis_rule_3_3_3: true 
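Review bot: The section 1.3–1.7 toggles added in this hunk (`ubtu22cis_1_3_1_1` through `ubtu22cis_1_7_10`) drop the `_rule_` infix that every other toggle in the file uses (`ubtu22cis_rule_1_1_1_1`, `ubtu22cis_rule_2_1_1`, …). If the task files gate on the `ubtu22cis_rule_*` form, these controls resolve to undefined variables and their `when:` conditions either error or skip, depending on how they are written; the tasks are not visible from this hunk, so please confirm which name they use. Either way the names should be made consistent, e.g. `ubtu22cis_rule_1_3_1_1: true`, and likewise for the 1.4, 1.5, 1.6 and 1.7 blocks. The heading `## 1.3.1 Configure AppArmor` also uses `##` where the sibling sub-section headings in this hunk use a single `#`.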
@@ -245,115 +295,47 @@ ubtu22cis_rule_3_3_6: true ubtu22cis_rule_3_3_7: true ubtu22cis_rule_3_3_8: true ubtu22cis_rule_3_3_9: true -# Uncommon Network Protocols -ubtu22cis_rule_3_4_1: true -ubtu22cis_rule_3_4_2: true -ubtu22cis_rule_3_4_3: true -ubtu22cis_rule_3_4_4: true -# Firewall Configuration -# UFW -ubtu22cis_rule_3_5_1_1: true -ubtu22cis_rule_3_5_1_2: true -ubtu22cis_rule_3_5_1_3: true -ubtu22cis_rule_3_5_1_4: true -ubtu22cis_rule_3_5_1_5: true -ubtu22cis_rule_3_5_1_6: true -ubtu22cis_rule_3_5_1_7: true -# nftables -ubtu22cis_rule_3_5_2_1: true -ubtu22cis_rule_3_5_2_2: true -ubtu22cis_rule_3_5_2_3: true -ubtu22cis_rule_3_5_2_4: true -ubtu22cis_rule_3_5_2_5: true -ubtu22cis_rule_3_5_2_6: true -ubtu22cis_rule_3_5_2_7: true -ubtu22cis_rule_3_5_2_8: true -ubtu22cis_rule_3_5_2_9: true -ubtu22cis_rule_3_5_2_10: true -# iptables -ubtu22cis_rule_3_5_3_1_1: true -ubtu22cis_rule_3_5_3_1_2: true -ubtu22cis_rule_3_5_3_1_3: true -ubtu22cis_rule_3_5_3_2_1: true -ubtu22cis_rule_3_5_3_2_2: true -ubtu22cis_rule_3_5_3_2_3: true -ubtu22cis_rule_3_5_3_2_4: true -ubtu22cis_rule_3_5_3_3_1: true -ubtu22cis_rule_3_5_3_3_2: true -ubtu22cis_rule_3_5_3_3_3: true -ubtu22cis_rule_3_5_3_3_4: true - -## Section 4 Fixes -# Section 4 is Logging and Auditing (Configure System Accounting (auditd), Configure Data Retention, and Configure Logging) -ubtu22cis_rule_4_1_1_1: true -ubtu22cis_rule_4_1_1_2: true -ubtu22cis_rule_4_1_1_3: true -ubtu22cis_rule_4_1_1_4: true -ubtu22cis_rule_4_1_2_1: true -ubtu22cis_rule_4_1_2_2: true -ubtu22cis_rule_4_1_2_3: true -# Auditd rules -ubtu22cis_rule_4_1_3_1: true -ubtu22cis_rule_4_1_3_2: true -ubtu22cis_rule_4_1_3_3: true -ubtu22cis_rule_4_1_3_4: true -ubtu22cis_rule_4_1_3_5: true -ubtu22cis_rule_4_1_3_6: true -ubtu22cis_rule_4_1_3_7: true -ubtu22cis_rule_4_1_3_8: true -ubtu22cis_rule_4_1_3_9: true -ubtu22cis_rule_4_1_3_10: true -ubtu22cis_rule_4_1_3_11: true -ubtu22cis_rule_4_1_3_12: true -ubtu22cis_rule_4_1_3_13: true -ubtu22cis_rule_4_1_3_14: true 
-ubtu22cis_rule_4_1_3_15: true -ubtu22cis_rule_4_1_3_16: true -ubtu22cis_rule_4_1_3_17: true -ubtu22cis_rule_4_1_3_18: true -ubtu22cis_rule_4_1_3_19: true -ubtu22cis_rule_4_1_3_20: true -ubtu22cis_rule_4_1_3_21: true -# Auditd file access -ubtu22cis_rule_4_1_4_1: true -ubtu22cis_rule_4_1_4_2: true -ubtu22cis_rule_4_1_4_3: true -ubtu22cis_rule_4_1_4_4: true -ubtu22cis_rule_4_1_4_5: true -ubtu22cis_rule_4_1_4_6: true -ubtu22cis_rule_4_1_4_7: true -ubtu22cis_rule_4_1_4_8: true -ubtu22cis_rule_4_1_4_9: true -ubtu22cis_rule_4_1_4_10: true -ubtu22cis_rule_4_1_4_11: true -# Configure Logging -## journald -ubtu22cis_rule_4_2_1_1_1: true -ubtu22cis_rule_4_2_1_1_2: true -ubtu22cis_rule_4_2_1_1_3: true -ubtu22cis_rule_4_2_1_1_4: true -ubtu22cis_rule_4_2_1_1: true -ubtu22cis_rule_4_2_1_2: true -ubtu22cis_rule_4_2_1_3: true -ubtu22cis_rule_4_2_1_4: true -ubtu22cis_rule_4_2_1_5: true -ubtu22cis_rule_4_2_1_6: true -ubtu22cis_rule_4_2_1_7: true -# rsyslog -ubtu22cis_rule_4_2_2_1: true -ubtu22cis_rule_4_2_2_2: true -ubtu22cis_rule_4_2_2_3: true -ubtu22cis_rule_4_2_2_4: true -ubtu22cis_rule_4_2_2_5: true -ubtu22cis_rule_4_2_2_6: true -ubtu22cis_rule_4_2_2_7: true +ubtu22cis_rule_3_3_10: true +ubtu22cis_rule_3_3_11: true + +## Section 4 Host Based Firewall +# 4.1 Configure UncomplicatedFirewall +ubtu22cis_rule_4_1_1: true +ubtu22cis_rule_4_1_2: true +ubtu22cis_rule_4_1_3: true +ubtu22cis_rule_4_1_4: true +ubtu22cis_rule_4_1_5: true +ubtu22cis_rule_4_1_6: true +ubtu22cis_rule_4_1_7: true +# 4.2 Configure nftables +ubtu22cis_rule_4_2_1: true +ubtu22cis_rule_4_2_2: true ubtu22cis_rule_4_2_3: true -ubtu22cis_rule_4_3: true -ubtu22cis_rule_4_4: true - -## Section 5 Fixes -# Section 5 is Access, Authentication, and Authorization (Configure time-based job schedulers, Configure sudo, Configure SSH Server, Configure PAM -# and User Accounts and Environment) +ubtu22cis_rule_4_2_4: true +ubtu22cis_rule_4_2_5: true +ubtu22cis_rule_4_2_6: true +ubtu22cis_rule_4_2_7: true +ubtu22cis_rule_4_2_8: 
true +ubtu22cis_rule_4_2_9: true +ubtu22cis_rule_4_2_10: true +# Configure iptables software +ubtu22cis_rule_4_3_1_1: true +ubtu22cis_rule_4_3_1_2: true +ubtu22cis_rule_4_3_1_3: true + +# Configure IPv4 iptables +ubtu22cis_rule_4_3_2_1: true +ubtu22cis_rule_4_3_2_2: true +ubtu22cis_rule_4_3_2_3: true +ubtu22cis_rule_4_3_2_4: true +# Configure IPv5 iptables +ubtu22cis_rule_4_3_3_1: true +ubtu22cis_rule_4_3_3_2: true +ubtu22cis_rule_4_3_3_3: true +ubtu22cis_rule_4_3_3_4: true + +## Section 5 Access Control +# 5.1 Configure SSH Server ubtu22cis_rule_5_1_1: true ubtu22cis_rule_5_1_2: true ubtu22cis_rule_5_1_3: true @@ -363,7 +345,20 @@ ubtu22cis_rule_5_1_6: true ubtu22cis_rule_5_1_7: true ubtu22cis_rule_5_1_8: true ubtu22cis_rule_5_1_9: true - +ubtu22cis_rule_5_1_10: true +ubtu22cis_rule_5_1_11: true +ubtu22cis_rule_5_1_12: true +ubtu22cis_rule_5_1_13: true +ubtu22cis_rule_5_1_14: true +ubtu22cis_rule_5_1_15: true +ubtu22cis_rule_5_1_16: true +ubtu22cis_rule_5_1_17: true +ubtu22cis_rule_5_1_18: true +ubtu22cis_rule_5_1_19: true +ubtu22cis_rule_5_1_20: true +ubtu22cis_rule_5_1_21: true +ubtu22cis_rule_5_1_22: true +# 5.2 Configure privilege escalation ubtu22cis_rule_5_2_1: true ubtu22cis_rule_5_2_2: true ubtu22cis_rule_5_2_3: true 
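Review bot: The new heading `# Configure IPv5 iptables` above the `ubtu22cis_rule_4_3_3_*` toggles is a typo for IPv6; these headings are what an operator reads when deciding which firewall controls to disable, so it should read `# 4.3.3 Configure IPv6 iptables`. The neighbouring headings `# Configure iptables software` and `# Configure IPv4 iptables` also lack the `4.3.1` / `4.3.2` numbers that the other new sub-section headings in this file carry.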
@@ -371,77 +366,149 @@ ubtu22cis_rule_5_2_4: true ubtu22cis_rule_5_2_5: true ubtu22cis_rule_5_2_6: true ubtu22cis_rule_5_2_7: true -ubtu22cis_rule_5_2_8: true -ubtu22cis_rule_5_2_9: true -ubtu22cis_rule_5_2_10: true -ubtu22cis_rule_5_2_11: true -ubtu22cis_rule_5_2_12: true -ubtu22cis_rule_5_2_13: true -ubtu22cis_rule_5_2_14: true -ubtu22cis_rule_5_2_15: true -ubtu22cis_rule_5_2_16: true -ubtu22cis_rule_5_2_17: true -ubtu22cis_rule_5_2_18: true -ubtu22cis_rule_5_2_19: true -ubtu22cis_rule_5_2_20: true -ubtu22cis_rule_5_2_21: true -ubtu22cis_rule_5_2_22: true -ubtu22cis_rule_5_3_1: true -ubtu22cis_rule_5_3_2: true -ubtu22cis_rule_5_3_3: true -ubtu22cis_rule_5_3_4: true -ubtu22cis_rule_5_3_5: true -ubtu22cis_rule_5_3_6: true -ubtu22cis_rule_5_3_7: true -ubtu22cis_rule_5_4_1: true -ubtu22cis_rule_5_4_2: true -ubtu22cis_rule_5_4_3: true -ubtu22cis_rule_5_4_4: true -ubtu22cis_rule_5_4_5: true -ubtu22cis_rule_5_5_1_1: true -ubtu22cis_rule_5_5_1_2: true -ubtu22cis_rule_5_5_1_3: true -ubtu22cis_rule_5_5_1_4: true -ubtu22cis_rule_5_5_1_5: true -ubtu22cis_rule_5_5_2: true -ubtu22cis_rule_5_5_3: true -ubtu22cis_rule_5_5_4: true -ubtu22cis_rule_5_5_5: true -ubtu22cis_rule_5_6: true -ubtu22cis_rule_5_7: true - -## Section 6 Fixes -# Section is System Maintenance (System File Permissions and User and Group Settings) +# 5.3.1 Configure PAM software packages +ubtu22cis_rule_5_3_1_1: true +ubtu22cis_rule_5_3_1_2: true +ubtu22cis_rule_5_3_1_3: true +# 5.3.2 Configure pam-auth-update profiles +ubtu22cis_rule_5_3_2_1: true +ubtu22cis_rule_5_3_2_2: true +ubtu22cis_rule_5_3_2_3: true +ubtu22cis_rule_5_3_2_4: true +# 5.3.3.1 Configure pam_faillock module +ubtu22cis_rule_5_3_3_1_1: true +ubtu22cis_rule_5_3_3_1_2: true +ubtu22cis_rule_5_3_3_1_3: true +# 5.3.3.2 Configure pam_quality module +ubtu22cis_rule_5_3_3_2_1: true +ubtu22cis_rule_5_3_3_2_2: true +ubtu22cis_rule_5_3_3_2_3: true +ubtu22cis_rule_5_3_3_2_4: true +ubtu22cis_rule_5_3_3_2_5: true +ubtu22cis_rule_5_3_3_2_6: true 
+ubtu22cis_rule_5_3_3_2_7: true +ubtu22cis_rule_5_3_3_2_8: true +# 5.3.3.3 Configure pam_history module +# This are added as part of 5.3.2.4 using jinja2 template +ubtu22cis_rule_5_3_3_3_1: true +ubtu22cis_rule_5_3_3_3_2: true +ubtu22cis_rule_5_3_3_3_3: true +# 5.3.3.4 Configure pam_unix module +ubtu22cis_rule_5_3_3_4_1: true +ubtu22cis_rule_5_3_3_4_2: true +ubtu22cis_rule_5_3_3_4_3: true +ubtu22cis_rule_5_3_3_4_4: true +# 5.4 User Accounts and Environment +# 5.4.1 Configure shadow password suite parameters +ubtu22cis_rule_5_4_1_1: true +ubtu22cis_rule_5_4_1_2: true +ubtu22cis_rule_5_4_1_3: true +ubtu22cis_rule_5_4_1_4: true +ubtu22cis_rule_5_4_1_5: true +ubtu22cis_rule_5_4_1_6: true +# 5.4.2 Configure root and system accounts and environment +ubtu22cis_rule_5_4_2_1: true +ubtu22cis_rule_5_4_2_2: true +ubtu22cis_rule_5_4_2_3: true +ubtu22cis_rule_5_4_2_4: true +ubtu22cis_rule_5_4_2_5: true +ubtu22cis_rule_5_4_2_6: true +ubtu22cis_rule_5_4_2_7: true +ubtu22cis_rule_5_4_2_8: true +# 5.4.2 Configure user default environment +ubtu22cis_rule_5_4_3_1: true +ubtu22cis_rule_5_4_3_2: true +ubtu22cis_rule_5_4_3_3: true + +## Section 6 +# 6.1 Configure Filesystem Integrity Checking ubtu22cis_rule_6_1_1: true ubtu22cis_rule_6_1_2: true ubtu22cis_rule_6_1_3: true -ubtu22cis_rule_6_1_4: true -ubtu22cis_rule_6_1_5: true -ubtu22cis_rule_6_1_6: true -ubtu22cis_rule_6_1_7: true -ubtu22cis_rule_6_1_8: true -ubtu22cis_rule_6_1_9: true -ubtu22cis_rule_6_1_10: true -ubtu22cis_rule_6_1_11: true -ubtu22cis_rule_6_1_12: true -ubtu22cis_rule_6_1_13: true -ubtu22cis_rule_6_2_1: true +# 6.2.1.1 Configure systemd-journald service +ubtu22cis_rule_6_1_1_1_1: true +ubtu22cis_rule_6_1_1_1_2: true +ubtu22cis_rule_6_1_1_1_3: true +ubtu22cis_rule_6_1_1_1_4: true +ubtu22cis_rule_6_1_1_1_5: true +ubtu22cis_rule_6_1_1_1_6: true +# 6.2.1.2 Configure systemd-journald service +ubtu22cis_rule_6_1_1_2_1: true +ubtu22cis_rule_6_1_1_2_2: true +ubtu22cis_rule_6_1_1_2_3: true +ubtu22cis_rule_6_1_1_2_4: true +# 
6.2.2 Configure Logfiles ubtu22cis_rule_6_2_2: true -ubtu22cis_rule_6_2_3: true -ubtu22cis_rule_6_2_4: true -ubtu22cis_rule_6_2_5: true -ubtu22cis_rule_6_2_6: true -ubtu22cis_rule_6_2_7: true -ubtu22cis_rule_6_2_8: true -ubtu22cis_rule_6_2_9: true -ubtu22cis_rule_6_2_10: true -ubtu22cis_rule_6_2_11: true -ubtu22cis_rule_6_2_12: true -ubtu22cis_rule_6_2_13: true -ubtu22cis_rule_6_2_14: true -ubtu22cis_rule_6_2_15: true -ubtu22cis_rule_6_2_16: true -ubtu22cis_rule_6_2_17: true +# 6.3.1 Configure auditd Service +ubtu22cis_rule_6_3_1_1: true +ubtu22cis_rule_6_3_1_2: true +ubtu22cis_rule_6_3_1_3: true +ubtu22cis_rule_6_3_1_4: true +# 6.3.2 Configure data retention +ubtu22cis_rule_6_3_2_1: true +ubtu22cis_rule_6_3_2_2: true +ubtu22cis_rule_6_3_2_3: true +ubtu22cis_rule_6_3_2_4: true +# 6.3.3 Configure auditd rules +ubtu22cis_rule_6_3_3_1: true +ubtu22cis_rule_6_3_3_2: true +ubtu22cis_rule_6_3_3_3: true +ubtu22cis_rule_6_3_3_4: true +ubtu22cis_rule_6_3_3_5: true +ubtu22cis_rule_6_3_3_6: true +ubtu22cis_rule_6_3_3_7: true +ubtu22cis_rule_6_3_3_8: true +ubtu22cis_rule_6_3_3_9: true +ubtu22cis_rule_6_3_3_10: true +ubtu22cis_rule_6_3_3_11: true +ubtu22cis_rule_6_3_3_12: true +ubtu22cis_rule_6_3_3_13: true +ubtu22cis_rule_6_3_3_14: true +ubtu22cis_rule_6_3_3_15: true +ubtu22cis_rule_6_3_3_16: true +ubtu22cis_rule_6_3_3_17: true +ubtu22cis_rule_6_3_3_18: true +ubtu22cis_rule_6_3_3_19: true +ubtu22cis_rule_6_3_3_20: true +ubtu22cis_rule_6_3_3_21: true +# 6.3.4 Configure audit file access +ubtu22cis_rule_6_3_4_1: true +ubtu22cis_rule_6_3_4_2: true +ubtu22cis_rule_6_3_4_3: true +ubtu22cis_rule_6_3_4_4: true +ubtu22cis_rule_6_3_4_5: true +ubtu22cis_rule_6_3_4_6: true +ubtu22cis_rule_6_3_4_7: true +ubtu22cis_rule_6_3_4_8: true +ubtu22cis_rule_6_3_4_9: true +ubtu22cis_rule_6_3_4_10: true + +## Section 7 +# 7.1 System File Permissions +ubtu22cis_rule_7_1_1: true +ubtu22cis_rule_7_1_2: true +ubtu22cis_rule_7_1_3: true +ubtu22cis_rule_7_1_4: true +ubtu22cis_rule_7_1_5: true 
+ubtu22cis_rule_7_1_6: true +ubtu22cis_rule_7_1_7: true +ubtu22cis_rule_7_1_8: true +ubtu22cis_rule_7_1_9: true +ubtu22cis_rule_7_1_10: true +ubtu22cis_rule_7_1_11: true +ubtu22cis_rule_7_1_12: true +ubtu22cis_rule_7_1_13: true +# 7.2 Local User and Group Settings +ubtu22cis_rule_7_2_1: true +ubtu22cis_rule_7_2_2: true +ubtu22cis_rule_7_2_3: true +ubtu22cis_rule_7_2_4: true +ubtu22cis_rule_7_2_5: true +ubtu22cis_rule_7_2_6: true +ubtu22cis_rule_7_2_7: true +ubtu22cis_rule_7_2_8: true +ubtu22cis_rule_7_2_9: true +ubtu22cis_rule_7_2_10: true ## ## Service configuration variables. 
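Review bot: The journald toggles are introduced under `# 6.2.1.1 Configure systemd-journald service` and `# 6.2.1.2 ...`, but the variables are named `ubtu22cis_rule_6_1_1_1_1` … `ubtu22cis_rule_6_1_1_2_4`, which overlaps the 6.1 (filesystem integrity) numbering and does not match the new task files `tasks/section_6/cis_6.2.1.1.x.yml` and `cis_6.2.1.2.x.yml` in the diffstat. Unless the tasks really reference `6_1_1_*`, these should be `ubtu22cis_rule_6_2_1_1_1` … `ubtu22cis_rule_6_2_1_2_4`; please confirm against the task files. Both 6.2.1.x headings carry the same description, so one of them does not describe its controls, and `# 5.4.2 Configure user default environment` above the `5_4_3_*` toggles should read `# 5.4.3 ...`. The module names in the 5.3.3 headings are `pam_pwquality` and `pam_pwhistory`, not `pam_quality` / `pam_history`, and `# This are added` should be `# These are added`.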
@@ -449,44 +516,65 @@ ubtu22cis_rule_6_2_17: true ## Set the respective variable to true to keep the service. ## otherwise the service is stopped and disabled ## - -ubtu22cis_allow_autofs: false -ubtu22cis_allow_usb_storage: false +# Service configuration +# Options are +# true to leave installed if exists not changes take place +# false - this removes the package +# mask - if a dependancy for product so cannot be removed +# Server Services +ubtu22cis_autofs_services: false +ubtu22cis_autofs_mask: true ubtu22cis_avahi_server: false -ubtu22cis_cups_server: false +ubtu22cis_avahi_mask: false ubtu22cis_dhcp_server: false -ubtu22cis_ldap_server: false -ubtu22cis_nfs_server: false +ubtu22cis_dhcp_mask: false ubtu22cis_dns_server: false -ubtu22cis_vsftpd_server: false -ubtu22cis_httpd_server: false -ubtu22cis_dovecot_server: false -ubtu22cis_smb_server: false -ubtu22cis_squid_server: false +ubtu22cis_dns_mask: false +ubtu22cis_dnsmasq_server: false +ubtu22cis_dnsmasq_mask: false +ubtu22cis_ftp_server: false +ubtu22cis_ftp_mask: false +ubtu22cis_ldap_server: false +ubtu22cis_ldap_mask: false +ubtu22cis_message_server: false # This is for messaging dovecot and cyrus-imap +ubtu22cis_message_mask: false +ubtu22cis_nfs_server: true +ubtu22cis_nfs_mask: true +ubtu22cis_nis_server: true # set to mask if nis client required +ubtu22cis_nis_mask: false +ubtu22cis_print_server: false # replaces cups +ubtu22cis_print_mask: false +ubtu22cis_rpc_server: true +ubtu22cis_rpc_mask: true +ubtu22cis_rsync_server: false +ubtu22cis_rsync_mask: false +ubtu22cis_samba_server: false +ubtu22cis_samba_mask: false ubtu22cis_snmp_server: false -ubtu22cis_rsync_server: mask # Can be set to true, mask or remove depending on requirements -ubtu22cis_nis_server: false -ubtu22cis_nfs_client: false - -# rpcbind is required by nfs-common which is required on client and server -# The value of the variable is determined automatically, based on the variables -# for NFS server and NFS client. 
-ubtu22cis_rpc_required: "{{ ubtu22cis_nfs_server or ubtu22cis_nfs_client }}" - -## -## Client package configuration variables. -## -## Set the respective variable to `true` to keep the -## client package, otherwise it is uninstalled. -## +ubtu22cis_snmp_mask: false +ubtu22cis_telnet_server: false +ubtu22cis_telnet_mask: false +ubtu22cis_tftp_server: false +ubtu22cis_tftp_mask: false +ubtu22cis_squid_server: false +ubtu22cis_squid_mask: false +ubtu22cis_httpd_server: false +ubtu22cis_httpd_mask: false +ubtu22cis_nginx_server: false +ubtu22cis_nginx_mask: false +ubtu22cis_xinetd_server: false +ubtu22cis_xinetd_mask: false +ubtu22cis_xwindow_server: false # will remove mask not an option +ubtu22cis_is_mail_server: false -ubtu22cis_nis_required: false -ubtu22cis_rsh_required: false -ubtu22cis_talk_required: false +# Client Services +ubtu22cis_nis_client_required: false # Same package as NIS server +ubtu22cis_rsh_client: false +ubtu22cis_talk_client: false ubtu22cis_telnet_required: false ubtu22cis_ldap_clients_required: false +ubtu22cis_ftp_client: false -## ## System functionality configuration variables ## ## There are certain functionalities of a system 
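Review bot: `ubtu22cis_nis_server: true` and `ubtu22cis_nfs_server: true` reverse the previous `false` defaults, so a run with untouched defaults now keeps the NIS and NFS server packages installed, and the inline comment `# set to mask if nis client required` refers to a value the boolean pair `ubtu22cis_nis_server`/`ubtu22cis_nis_mask` cannot take. The header `# Options are ... true / false / mask` describes one three-valued variable, but the hunk implements two booleans per service, and `ubtu22cis_autofs_services` departs from the `_server` suffix used by every other entry. Suggest either restoring the `false` defaults or adding a comment stating why retaining these servers is now the baseline, and rewriting the header as `# <svc>_server: true keeps the package, false removes it; <svc>_mask: true masks the unit instead of removing it (dependency case)`. `dependancy` should read `dependency`.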
@@ -546,43 +634,6 @@ ubtu22cis_aide_init: # Polling Interval in seconds poll: 0 -## Control 1.3.2 -# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. -# The sub-settings of this variable provide the parameters required to configure -# the cron job on the target system. -# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled -# and executed automatically at a certain point in time. -ubtu22cis_aide_cron: - # This variable represents the user account under which the cron job for AIDE will run. - cron_user: root - # This variable represents the path to the AIDE crontab file. - cron_file: /etc/cron.d/aide_cron - # This variable represents the actual command or script that the cron job - # will execute for running AIDE. - aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check' - # These variables define the schedule for the cron job - # This variable governs the minute of the time of day when the AIDE cronjob is run. - # It must be in the range `0-59`. - aide_minute: 0 - # This variable governs the hour of the time of day when the AIDE cronjob is run. - # It must be in the range `0-23`. - aide_hour: 5 - # This variable governs the day of the month when the AIDE cronjob is run. - # `*` signifies that the job is run on all days; furthermore, specific days - # can be given in the range `1-31`; several days can be concatenated with a comma. - # The specified day(s) can must be in the range `1-31`. - aide_day: '*' - # This variable governs months when the AIDE cronjob is run. - # `*` signifies that the job is run in every month; furthermore, specific months - # can be given in the range `1-12`; several months can be concatenated with commas. - # The specified month(s) can must be in the range `1-12`. - aide_month: '*' - # This variable governs the weekdays, when the AIDE cronjob is run. 
- # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays - # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays - # can be concatenated with commas. - aide_weekday: '*' - ## Controls 1.4.x - Boot password # # THIS VARIABLE SHOULD BE CHANGED AND INCORPORATED INTO VAULT @@ -673,13 +724,6 @@ ubtu22cis_time_servers: - name: time-c-g.nist.gov options: iburst -## Control 2.2.15 - Local only mode for mail server -# This variable is used to determine whether you intend to use your machine as a mail server or not. -# If you do not intend to use it as such, the mail transfer agent (MTA) will be configured to only -# process local mail, in order to reduce chances of security risks. Set to `false` if your machine -# is not a mail server or to `true` if it is! -ubtu22cis_is_mail_server: false - ## ## Section 3 Control Variables ## 
@@ -734,20 +778,6 @@ ubtu22cis_ufw_allow_out_ports: ## Section 4 Control Variables ## -## Control 4.1.1.4 - Ensure audit_backlog_limit is sufficient -# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the -# system can buffer in memory, if the audit subsystem is unable to process them in real-time. -# Buffering in memory is useful in situations, where the audit system is overwhelmed -# with incoming audit events, and needs to temporarily store them until they can be processed. -# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value. -ubtu22cis_audit_back_log_limit: 8192 - -## Control 4.1.2.1 - Ensure audit log storage size is configured -# This variable specifies the maximum size in MB that an audit log file can reach -# before it is archived or deleted to make space for the new audit data. -# This should be set based on your sites policy. CIS does not provide a specific value. -ubtu22cis_max_log_file_size: 10 - ## Controls 4.1.3.x - Audit template # This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the # audit settings are overwritten with the role's template. In order to exclude @@ -789,7 +819,7 @@ ubtu22cis_auditd: # CIS prescribes the value `keep_logs`. max_log_file_action: keep_logs -## Controls 4.2.1.x (`journald`) and 4.2.2.x (`rsyslog`) +## Controls 6.2.1.x journald # This variable governs which logging system is used. # The options for this variable are `rsyslog` or `journald`. ubtu22cis_syslog_service: rsyslog 
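Review bot: The retitled heading `## Controls 6.2.1.x journald` in the second hunk on this line now names only journald, while the variable it documents, `ubtu22cis_syslog_service`, still accepts `rsyslog` or `journald` according to the two comment lines directly under it; suggest keeping both in the heading, e.g. `## Controls 6.2.x - logging service (journald / rsyslog)`. The first hunk on this line also leaves `## Controls 4.1.3.x - Audit template` and `tasks 4.1.3.1 to 4.1.3.20` untouched although the audit-rule toggles are renumbered `ubtu22cis_rule_6_3_3_x` elsewhere in this commit, so those references are now stale.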
@@ -800,7 +830,7 @@ ubtu22cis_remote_log_server: 192.168.2.100 # require that own system logs be sent to some other log server are skipped. ubtu22cis_system_is_log_server: false -## Controls 4.2.1.1.x & 4.2.1.x journald +## Controls 6.2.1.2.x & 6.2.1.x journald # This variable specifies the path to the private key file used by the remote journal # server to authenticate itself to the client. This key is used alongside the server's # public certificate to establish secure communication. 
@@ -812,59 +842,39 @@ ubtu22cis_journal_servercertificatefile: # of certificate authorities (CAs) that the client trusts. These trusted certificates are used # to validate the authenticity of the remote server's certificate. ubtu22cis_journal_trustedcertificatefile: -# These variable specifies how much disk space the journal may use up at most -# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. -# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. -# ATTENTION: Uncomment the keyword below when values are set! -ubtu22cis_journald_systemmaxuse: "#SystemMaxUse=" -ubtu22cis_journald_systemkeepfree: "#SystemKeepFree=" -ubtu22cis_journald_runtimemaxuse: "#RuntimeMaxUse=" -ubtu22cis_journald_runtimekeepfree: "#RuntimeKeepFree=" -# This variable specifies, the maximum time to store entries in a single journal -# file before rotating to the next one. Set to 0 to turn off this feature. -# The given values is interpreted as seconds, unless suffixed with the units -# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds. -# ATTENTION: Uncomment the keyword below when values are set! -ubtu22cis_journald_maxfilesec: "#MaxFileSec=" - -## Controls 4.2.2.x Rsyslog -# This variable governs whether the rsyslog configuration is to be set by this Ansible role. -# Set it to `true` to configure via Ansible and to `false` otherwise. 
-ubtu22cis_rsyslog_ansible_managed: true ## ## Section 5 Control Variables ## - -## Controls 5.2.4/5/13/14/15/18/20/21/22 -- various sshd settings +## Controls 5.1.x -- various sshd settings ubtu22cis_sshd_default_log_level: "INFO" +ubtu22cis_sshd_default_max_auth_tries: 4 +ubtu22cis_sshd_default_max_sessions: 8 +ubtu22cis_sshd_default_login_grace_time: 60 +ubtu22cis_sshd_default_client_alive_interval: 300 +ubtu22cis_sshd_default_client_alive_count_max: 3 +# Removed chacha20-poly1305 due to cve2023-48795 +# all Ciphers, KEX and Macs set to FIPS 140 +# This will nee dto be adjusted according to your site requirements ubtu22cis_sshd_default_ciphers: - - chacha20-poly1305@openssh.com - aes256-gcm@openssh.com - aes128-gcm@openssh.com - aes256-ctr - aes192-ctr - aes128-ctr ubtu22cis_sshd_default_macs: - - hmac-sha2-512-etm@openssh.com - - hmac-sha2-256-etm@openssh.com - - hmac-sha2-512 + - hmac-sha1 - hmac-sha2-256 + - hmac-sha2-384 + - hmac-sha2-512 ubtu22cis_sshd_default_kex_algorithms: - - curve25519-sha256 - - curve25519-sha256@libssh.org - - diffie-hellman-group14-sha256 - - diffie-hellman-group16-sha512 - - diffie-hellman-group18-sha512 - - ecdh-sha2-nistp521 - - ecdh-sha2-nistp384 - ecdh-sha2-nistp256 + - ecdh-sha2-nistp384 + - ecdh-sha2-nistp521 - diffie-hellman-group-exchange-sha256 -ubtu22cis_sshd_default_max_auth_tries: 4 -ubtu22cis_sshd_default_max_sessions: 8 -ubtu22cis_sshd_default_login_grace_time: 60 -ubtu22cis_sshd_default_client_alive_interval: 300 -ubtu22cis_sshd_default_client_alive_count_max: 3 + - diffie-hellman-group16-sha512 + - diffie-hellman-group18-sha512 + - diffie-hellman-group14-sha256 ubtu22cis_sshd: # This variable is used to control the verbosity of the logging produced by the SSH server. 
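Review bot: `hmac-sha2-384` in the new `ubtu22cis_sshd_default_macs` list is not a MAC name OpenSSH recognises (its SHA-2 HMACs are `hmac-sha2-256` and `hmac-sha2-512`, plus their `-etm@openssh.com` forms), so an sshd_config rendered from this list will fail validation and sshd will not (re)start. Adding `hmac-sha1` while dropping `hmac-sha2-512-etm@openssh.com` and `hmac-sha2-256-etm@openssh.com` also weakens the previous default, which the comment `# all Ciphers, KEX and Macs set to FIPS 140` does not explain; as far as I know CVE-2023-48795 calls for removing `chacha20-poly1305@openssh.com` and CBC-with-ETM combinations, and the CTR/GCM ciphers kept here are neither. Suggest removing `hmac-sha2-384` and `hmac-sha1`, restoring the two `-etm@openssh.com` entries ahead of `hmac-sha2-256`/`hmac-sha2-512`, and fixing `nee dto` → `need to` in the comment.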
@@ -928,6 +938,189 @@ ubtu22cis_sshd: # For more info, see https://linux.die.net/man/5/sshd_config deny_groups: "" +## 5.3.2.x +# Path to find templates and where to put file for pam-auth +ubtu22cis_pam_confd_dir: 'usr/share/pam-config.d/' + +# Controls 5.3.2.1 - pam_unix +# Note: controls also managed with disruption high due to the nature of pam changes +# Allow pam-auth-update --enable unix to run +# should not be enabled if allowing custom config that enabled pam_faillock +ubtu22cis_pam_create_pamunix_file: false +ubtu22cis_pam_auth_unix: false +ubtu22cis_pam_pwunix_file: 'pam_unix' + +# 5.3.2.2 - pam_faillock +# Enables pam auth update with new files +ubtu22cis_pam_auth_faillock: false +# Will create file - change paths to existing files if managed elsewhere +ubtu22cis_pam_create_faillock_files: false +ubtu22cis_pam_faillock_file: 'faillock' +ubtu22cis_pam_faillock_notify_file: 'faillock_notify' + +# 5.3.2.3 - pam_pwquality +# Enables pam auth update with new files +ubtu22cis_pam_auth_pwquality: false +# Will create file - change paths to existing files if managed elsewhere +ubtu22cis_pam_create_pwquality_files: false +ubtu22cis_pam_pwquality_file: 'pwquality' + +# 5.3.2.4 - pam_pwhistory +# Enables pam auth update with new files +ubtu22cis_pam_auth_pwhistory: false +# Will create file - change paths to existing files if managed elsewhere +# filepath also affects controls 5.3.3.3.1, 5.3.3.3.2, 5.3.3.3.3 +ubtu22cis_pam_create_pwhistory_files: false +ubtu22cis_pam_pwhistory_file: 'pwhistory' + +# 5.3.3.1.1 - faillock_deny +ubtu22cis_faillock_deny: 3 + +# 5.3.3.1.3 - lock root +# This allow optional - even_deny_root or root_unlock_time +ubtu22cis_pamroot_lock_option: even_deny_root +ubtu22cis_pamroot_lock_string: even_deny_root + +# 5.3.3.2.1 - password difok +ubtu22cis_passwd_difok_file: etc/security/pwquality.conf.d/50-pwdifok.conf +ubtu22cis_passwd_difok_value: 2 + +# 5.3.3.2.2 - password minlength +ubtu22cis_passwd_minlen_file: 
etc/security/pwquality.conf.d/50-pwlength.conf +ubtu22cis_passwd_minlen_value: 14 + +# 5.3.3.2.3 - password complex +ubtu22cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf +ubtu22cis_passwd_minclass: 3 +ubtu22cis_passwd_dcredit: -1 +ubtu22cis_passwd_ucredit: -2 +ubtu22cis_passwd_ocredit: 0 +ubtu22cis_passwd_lcredit: -2 + +# 5.3.3.2.4 - password maxrepeat +ubtu22cis_passwd_maxrepeat_file: etc/security/pwquality.conf.d/50-pwrepeat.conf +ubtu22cis_passwd_maxrepeat_value: 3 + +# 5.3.3.2.5 - password maxsequence +ubtu22cis_passwd_maxsequence_file: etc/security/pwquality.conf.d/50-pwmaxsequence.conf +ubtu22cis_passwd_maxsequence_value: 3 + +# 5.3.3.2.6 - password dictcheck +ubtu22cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.conf +ubtu22cis_passwd_dictcheck_value: 1 + +# 5.3.3.2.7 - password quality enforce +ubtu22cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf +ubtu22cis_passwd_quality_enforce_value: 1 + +# 5.3.3.2.8 - password quality enforce for root included with 5.3.3.2.7 +ubtu22cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf +ubtu22cis_passwd_quality_enforce_root_value: enforce_for_root + +## 5.3.3.3 Configure pam_pwhistory module +# Uses value for ubtu22cis_pam_pwhistory_file in 5.3.2.4 +# Control 5.3.3.3.1 +# This variable represents the number of password change cycles, after which +# a user can re-use a password. # CIS requires a value of 24 or more. +ubtu22cis_pamd_pwhistory_remember: 24 + +## Controls 5.4.1.x - Password settings +ubtu22cis_pass: + ## Control 5.4.1.1 + # This variable governs after how many days a password expires. + # CIS requires a value of 365 or less. + max_days: 365 + ## Control 5.4.1.2 + # This variable specifies the minimum number of days allowed between changing passwords. + # CIS requires a value of at least 1. 
+ min_days: 1 + ## Control 5.5.1.3 + # This variable governs, how many days before a password expires, the user will be warned. + # CIS requires a value of at least 7. + warn_age: 7 + ## Control 5.4.1.5 + # This variable specifies the number of days of inactivity before an account will be locked. + # CIS requires a value of 45 days or less. + inactive: 45 + +# 5.4.2.6 root umask +ubtu22cis_root_umask: '0027' # 0027 or more restrictive + +### +# Section 6 +### +## Control 6.1.2 +# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. +# The sub-settings of this variable provide the parameters required to configure +# the cron job on the target system. +# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled +# and executed automatically at a certain point in time. +ubtu22cis_aide_cron: + # This variable represents the user account under which the cron job for AIDE will run. + cron_user: root + # This variable represents the path to the AIDE crontab file. + cron_file: /etc/cron.d/aide_cron + # This variable represents the actual command or script that the cron job + # will execute for running AIDE. + aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check' + # These variables define the schedule for the cron job + # This variable governs the minute of the time of day when the AIDE cronjob is run. + # It must be in the range `0-59`. + aide_minute: 0 + # This variable governs the hour of the time of day when the AIDE cronjob is run. + # It must be in the range `0-23`. + aide_hour: 5 + # This variable governs the day of the month when the AIDE cronjob is run. + # `*` signifies that the job is run on all days; furthermore, specific days + # can be given in the range `1-31`; several days can be concatenated with a comma. + # The specified day(s) can must be in the range `1-31`. + aide_day: '*' + # This variable governs months when the AIDE cronjob is run. 
+ # `*` signifies that the job is run in every month; furthermore, specific months + # can be given in the range `1-12`; several months can be concatenated with commas. + # The specified month(s) can must be in the range `1-12`. + aide_month: '*' + # This variable governs the weekdays, when the AIDE cronjob is run. + # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays + # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays + # can be concatenated with commas. + aide_weekday: '*' + +# 6.2.1.1.3 +# These variable specifies how much disk space the journal may use up at most +# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. +# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. +# ATTENTION: Uncomment the keyword below when values are set! +ubtu22cis_journald_systemmaxuse: "#SystemMaxUse=" +ubtu22cis_journald_systemkeepfree: "#SystemKeepFree=" +ubtu22cis_journald_runtimemaxuse: "#RuntimeMaxUse=" +ubtu22cis_journald_runtimekeepfree: "#RuntimeKeepFree=" +# This variable specifies, the maximum time to store entries in a single journal +# file before rotating to the next one. Set to 0 to turn off this feature. +# The given values is interpreted as seconds, unless suffixed with the units +# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds. +# ATTENTION: Uncomment the keyword below when values are set! +ubtu22cis_journald_maxfilesec: "#MaxFileSec=" + +## Control 6.3.1.4 - Ensure audit_backlog_limit is sufficient +# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the +# system can buffer in memory, if the audit subsystem is unable to process them in real-time. +# Buffering in memory is useful in situations, where the audit system is overwhelmed +# with incoming audit events, and needs to temporarily store them until they can be processed. 
+# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value. +ubtu22cis_audit_back_log_limit: 8192 + +## Control 6.3.2.1 - Ensure audit log storage size is configured +# This variable specifies the maximum size in MB that an audit log file can reach +# before it is archived or deleted to make space for the new audit data. +# This should be set based on your sites policy. CIS does not provide a specific value. +ubtu22cis_max_log_file_size: 10 + +# Control 6.3.2.4 +# Wait to do when space left is low. +ubtu22cis_auditd_space_left_action: email +ubtu22cis_auditd_admin_space_left_action: email + ## Control 5.3.1 # This variable represents the name of the sudo package to install # CIS recommends `sudo` or, if LDAP functionality is required, `sudo-ldap`. @@ -948,32 +1141,6 @@ ubtu22cis_sudo_timestamp_timeout: 15 # CIS requires that such a group be created (named according to site policy) and be kept empty. ubtu22cis_sugroup: nosugroup -## Control 5.4.1 -# This variable allows us to use either -# - -ubtu22cis_pwquality_minclass: true -ubtu22cis_pwquality_minclass_value: '4' -ubtu22cis_pwquality: - - key: '#minclass' - value: "{{ ubtu22cis_pwquality_minclass_value }}" - - key: 'minlen' - value: '14' - - key: 'dcredit' - value: '-1' - - key: 'ucredit' - value: '-1' - - key: 'ocredit' - value: '-1' - - key: 'lcredit' - value: '-1' - -## Control 5.4.3 -# This variable represents the number of password change cycles, after which -# a user can re-use a password. -# CIS requires a value of 5 or more. -ubtu22cis_pamd_pwhistory_remember: 5 - ## Control 5.4.2 # This can seriously break access to a system ## The end state the file /etc/pam.d/common-auth need to be understood 
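Review bot: `ubtu22cis_pam_confd_dir: 'usr/share/pam-config.d/'` and every `ubtu22cis_passwd_*_file` value (`etc/security/pwquality.conf.d/...`) are written without a leading `/`, while `cron_file: /etc/cron.d/aide_cron` in the same hunk is absolute; if the consuming tasks are expected to prefix these with `/`, that convention should be stated in a comment above `ubtu22cis_pam_confd_dir`, otherwise a module receiving them unchanged will resolve them relative to its working directory. `ubtu22cis_auditd_admin_space_left_action: email` takes no protective action when the admin threshold is reached; as I recall the benchmark text for this control, it expects `single` or `halt` there with `email` reserved for `space_left_action`, so the chosen default deserves a comment either way, and `# Wait to do when space left is low.` should read `# What to do ...`. The `warn_age` entry is headed `## Control 5.5.1.3` inside the `5.4.1.x` block whose neighbours are `5.4.1.2` and `5.4.1.5`, which looks like a leftover from the old numbering.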
@@ -991,25 +1158,6 @@ ubtu22cis_passwd_hash_algo: yescrypt # pragma: allowlist secret # Set pam as well as login defs if PAM is required ubtu22cis_passwd_setpam_hash_algo: false -## Controls 5.5.1.x - Password settings -ubtu22cis_pass: - ## Control 5.5.1.2 - # This variable governs after how many days a password expires. - # CIS requires a value of 365 or less. - max_days: 365 - ## Control 5.5.1.1 - # This variable specifies the minimum number of days allowed between changing passwords. - # CIS requires a value of at least 1. - min_days: 1 - ## Control 5.5.1.3 - # This variable governs, how many days before a password expires, the user will be warned. - # CIS requires a value of at least 7. - warn_age: 7 - ## Control 5.5.1.4 - # This variable specifies the number of days of inactivity before an account will be locked. - # CIS requires a value of 30 days or less. - inactive: 30 - ## Control 5.5.4 - Default user mask # The following variable specifies the "umask" to set in the `/etc/bash.bashrc` and `/etc/profile`. # The value needs to be `027` or more restrictive to comply with CIS standards 
@@ -1058,38 +1206,29 @@ max_int_uid: 65533 # Possible values are `true` and `false`. ubtu22cis_no_world_write_adjust: true -# Control 6.1.10 +## Control 6.2.7 +# This variable is a toggle foe enabling/disabling the automated modification of +# permissions on dot files. +# Possible values are `true` and `false`. +ubtu22cis_dotperm_ansiblemanaged: true + +## Section 7 + +# 7.1.12 Ensure no files or directories without an owner and a group exist +ubtu22cis_exclude_unowned_search_path: (! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/fs/cgroup/memory/*" -a ! -path "/var/*/private/*") + +# Control 7.1.12 # The value of this variable specifies the owner that will be set for unowned files and directories. ubtu22cis_unowned_owner: root +ubtu22cis_ungrouped_group: root # This variable is a toggle for enabling/disabling the automated # setting of an owner (specified in variable `ubtu22cis_unowned_owner`) # for all unowned files and directories. # Possible values are `true` and `false`. -ubtu22cis_no_owner_adjust: true +ubtu22cis_ownership_adjust: true -## Control 6.1.11 -# This variable represents the group that will be set for files without group. -ubtu22cis_ungrouped_group: root -# This variable is a toggle for enabling/disabling the automated -# assignment of a group (specified in variable `ubtu22cis_unowned_group`) -# for all group-less files and directories. -# Possible values are `true` and `false`. -ubtu22cis_no_group_adjust: true - -## Control 6.1.12 +## Control 7.1.13 # This variable is a toggle for enabling/disabling the automated removal # of the SUID bit from all files on all mounts. # Possible values are `true` and `false`. -ubtu22cis_suid_adjust: false - -## Control 6.1.13 -# This variable is a toggle for enabling/disabling the automated removal the SGID -# bit from all files on all mounts -# Possible values are `true` and `false`. 
-ubtu22cis_sgid_adjust: false - -## Control 6.2.7 -# This variable is a toggle foe enabling/disabling the automated modification of -# permissions on dot files. -# Possible values are `true` and `false`. -ubtu22cis_dotperm_ansiblemanaged: true +ubtu22cis_suid_sgid_adjust: false diff --git a/handlers/main.yml b/handlers/main.yml index 6499d4b7..1fe9f435 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -147,6 +147,21 @@ failed_when: ubtu22cis_ip6tables_save.rc > 0 register: ubtu22cis_ip6tables_save +- name: pam_auth_update_pwunix + ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_pwunix_file }} + +- name: pam_auth_update_pwfaillock + ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_faillock_file }} + +- name: pam_auth_update_pwfaillock_notify + ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_faillock_file_notify }} + +- name: pam_auth_update_pwquality + ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_pwquality_file }} + +- name: pam_auth_update_pwhistory + ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_pwhistory_file }} + - name: Auditd rules reload ansible.builtin.shell: augenrules --load when: diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 7ef94b4a..ffbb324a 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml 
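Review bot: The renames `ubtu22cis_no_owner_adjust`/`ubtu22cis_no_group_adjust` → `ubtu22cis_ownership_adjust` and `ubtu22cis_suid_adjust`/`ubtu22cis_sgid_adjust` → `ubtu22cis_suid_sgid_adjust` silently retire four variable names, so an inventory that still sets one of them (e.g. `ubtu22cis_suid_adjust: true`) is ignored without warning and falls back to these defaults; a `# renamed in v2.0 from ubtu22cis_suid_adjust / ubtu22cis_sgid_adjust` line beside each new key, or a prelim assert that the old names are undefined, would make that visible. The comment kept above `ubtu22cis_ownership_adjust` still describes only the owner (`specified in variable ubtu22cis_unowned_owner`) although the toggle now also governs `ubtu22cis_ungrouped_group`, and `toggle foe` in the moved 6.2.7 comment should be `toggle for`. `ubtu22cis_exclude_unowned_search_path` is a raw `find` predicate fragment; a comment noting that it is presumably inserted into a `find` command line verbatim would warn whoever adds a path containing shell metacharacters.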
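Review bot: The handler `pam_auth_update_pwfaillock_notify` expands `ubtu22cis_pam_faillock_file_notify`, but the default this commit adds in defaults/main.yml is `ubtu22cis_pam_faillock_notify_file`, so the handler will fail on an undefined variable the first time it is notified; change it to `ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_faillock_notify_file }}` or rename the default to match. All five new handlers run a fixed command with one templated argument and use no shell features, so `ansible.builtin.command` would do the same work without passing the templated profile name through a shell. None of them declares `changed_when`, so every notification reports a change; a comment or an explicit `changed_when` would make the intended semantics clear.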
@@ -2,33 +2,31 @@ - name: Pre Audit Setup | Set audit package name block: - - name: Pre Audit Setup | Set audit package name | 64bit - ansible.builtin.set_fact: - audit_pkg_arch_name: AMD64 - when: ansible_facts.machine == "x86_64" + - name: Pre Audit Setup | Set audit package name | 64bit + when: ansible_facts.machine == "x86_64" + ansible.builtin.set_fact: + audit_pkg_arch_name: AMD64 - - name: Pre Audit Setup | Set audit package name | ARM64 - ansible.builtin.set_fact: - audit_pkg_arch_name: ARM64 - when: ansible_facts.machine == "arm64" + - name: Pre Audit Setup | Set audit package name | ARM64 + when: ansible_facts.machine == "arm64" + ansible.builtin.set_fact: + audit_pkg_arch_name: ARM64 - name: Pre Audit Setup | Download audit binary + when: get_audit_binary_method == 'download' ansible.builtin.get_url: - url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" - dest: "{{ audit_bin }}" - owner: root - group: root - checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" - mode: '0555' - when: - - get_audit_binary_method == 'download' + url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" + dest: "{{ audit_bin }}" + owner: root + group: root + checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" + mode: '0555' - name: Pre Audit Setup | Copy audit binary + when: get_audit_binary_method == 'copy' ansible.builtin.copy: - src: "{{ audit_bin_copy_location }}" - dest: "{{ audit_bin }}" - mode: '0555' - owner: root - group: root - when: - - get_audit_binary_method == 'copy' + src: "{{ audit_bin_copy_location }}" + dest: "{{ audit_bin }}" + mode: '0555' + owner: root + group: root diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index ab5a5735..f1623397 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml 
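Review bot: The ARM64 branch `when: ansible_facts.machine == "arm64"` cannot match on Linux hosts, where this fact comes from `uname -m` and reads `aarch64`, so on such a host `audit_pkg_arch_name` is never set and the download task fails inside the `url`/`checksum` templating with an undefined-variable error rather than a clear message; suggest `when: ansible_facts.machine in ['arm64', 'aarch64']` and a trailing `ansible.builtin.fail` task in the block for any machine type that matched neither. The hunk only moves the `when:` keys above the module calls, which reads well, but it leaves this condition as it was.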
@@ -1,30 +1,30 @@ --- - name: Audit_Only | Create local Directories for hosts - ansible.builtin.file: - mode: '0755' - path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" - recurse: true - state: directory when: fetch_audit_files delegate_to: localhost become: false + ansible.builtin.file: + mode: '0755' + path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" + recurse: true + state: directory - name: Audit_only | Get audits from systems and put in group dir - ansible.builtin.fetch: - dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" - flat: true - mode: '0644' - src: "{{ pre_audit_outfile }}" when: fetch_audit_files + ansible.builtin.fetch: + dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" + flat: true + mode: '0644' + src: "{{ pre_audit_outfile }}" - name: Audit_only | Show Audit Summary when: - - audit_only + - audit_only ansible.builtin.debug: - msg: "{{ audit_results.split('\n') }}" + msg: "{{ audit_results.split('\n') }}" - name: Audit_only | Stop Playbook Audit Only selected when: - - audit_only + - audit_only ansible.builtin.meta: end_play diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 4078d858..a65a5521 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml 
@@ -1,27 +1,26 @@ --- - name: "POST | AUDITD | Apply auditd template for section 4.1.3.x" + when: update_audit_template ansible.builtin.template: - src: audit/99_auditd.rules.j2 - dest: /etc/audit/rules.d/99_auditd.rules - owner: root - group: root - mode: '0640' + src: audit/99_auditd.rules.j2 + dest: /etc/audit/rules.d/99_auditd.rules + owner: root + group: root + mode: '0640' register: audit_rules_updated notify: - - Auditd rules reload - - Audit_immutable_fact - - Restart auditd - - set_reboot_required - when: update_audit_template + - Auditd rules reload + - Audit_immutable_fact + - Restart auditd + - set_reboot_required - name: POST | Set up auditd user logging exceptions + when: ubtu22cis_allow_auditd_uid_user_exclusions ansible.builtin.template: - src: audit/98_auditd_exception.rules.j2 - dest: /etc/audit/rules.d/98_auditd_exceptions.rules - owner: root - group: root - mode: '0600' + src: audit/98_auditd_exception.rules.j2 + dest: /etc/audit/rules.d/98_auditd_exceptions.rules + owner: root + group: root + mode: '0600' notify: Restart auditd - when: - - ubtu22cis_allow_auditd_uid_user_exclusions diff --git a/tasks/main.yml b/tasks/main.yml index 5d138b4e..b54d9ae2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
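Review bot: The task name `POST | AUDITD | Apply auditd template for section 4.1.3.x` still carries the v1 numbering although this commit renumbers the audit-rule toggles to `ubtu22cis_rule_6_3_3_x` in defaults/main.yml; since the hunk already rewrites every other line of this task, suggest `- name: "POST | AUDITD | Apply auditd template for section 6.3.3.x"`. The exceptions file is written with `mode: '0600'` while the rules file in the same directory gets `'0640'`; if the difference is intentional, a one-line comment above the second `mode:` would stop the next reader from normalising it.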
@@ -1,225 +1,251 @@ --- - name: Check OS version and family - ansible.builtin.fail: - msg: "This role can only be run against Ubuntu 22. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." when: - - ansible_facts.distribution == 'Ubuntu' - - ansible_facts.distribution_major_version is version_compare('22', '!=') + - ansible_facts.distribution == 'Ubuntu' + - ansible_facts.distribution_major_version is version_compare('22', '!=') tags: - - always + - always + ansible.builtin.fail: + msg: "This role can only be run against Ubuntu 22. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." - name: Check ansible version ansible.builtin.assert: - that: ansible_version.full is version_compare(min_ansible_version, '>=') - fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" - success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" + that: ansible_version.full is version_compare(min_ansible_version, '>=') + fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" + success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" tags: - - always + - always # This control should always run as this can pass on unintended issues. - name: "Check password set for connecting user" + when: + - ubtu22cis_rule_5_3_4 + - ansible_env.SUDO_USER is defined + tags: + - always block: - - name: Capture current password state of connecting user" - ansible.builtin.shell: "grep -w {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" - changed_when: false - failed_when: false - check_mode: false - register: ansible_user_password_set - - - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" - ansible.builtin.assert: - that: ansible_user_password_set.stdout != "!!" 
and ansible_user_password_set.stdout | length > 10 - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" - success_msg: "You have a password set for sudo user {{ ansible_env.SUDO_USER }}" - vars: - sudo_password_rule: ubtu22cis_rule_5_3_4 # pragma: allowlist secret + - name: Capture current password state of connecting user" + ansible.builtin.shell: "grep -w {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" + changed_when: false + failed_when: false + check_mode: false + register: ansible_user_password_set + + - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" + ansible.builtin.assert: + that: ansible_user_password_set.stdout != "!!" and ansible_user_password_set.stdout | length > 10 + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" + success_msg: "You have a password set for sudo user {{ ansible_env.SUDO_USER }}" + vars: + sudo_password_rule: ubtu22cis_rule_5_3_4 # pragma: allowlist secret + +- name: Ensure root password is set when: - - ubtu22cis_rule_5_3_4 - - ansible_env.SUDO_USER is defined + - ubtu22cis_rule_5_4_2_4 tags: - - always + - always + block: + - name: Ensure root password is set + ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)" + changed_when: false + failed_when: false + register: root_passwd_set + + - name: Ensure root password is set + ansible.builtin.assert: + that: root_passwd_set.rc == 0 + fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set - Please manually set a root password" + success_msg: "You have a root password set" - name: Check ubtu22cis_bootloader_password_hash variable has been changed - ansible.builtin.assert: - that: ubtu22cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and 
ubtu22cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret - msg: "This role will not be able to run single user password commands as ubtu22cis_bootloader_password_hash variable has not been set correctly" when: - - ubtu22cis_set_boot_pass - - ubtu22cis_rule_1_4_1 + - ubtu22cis_set_boot_pass + - ubtu22cis_rule_1_4_1 tags: - - always + - always + ansible.builtin.assert: + that: ubtu22cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu22cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret + msg: "This role will not be able to run single user password commands as ubtu22cis_bootloader_password_hash variable has not been set correctly" - name: Check ubtu22cis_grub_user password variable has been changed - block: - - name: Check ubtu22cis_grub_user password variable has been changed | check password is set - ansible.builtin.shell: "grep ^{{ ubtu22cis_grub_user }} /etc/shadow | awk -F : '{print $2}'" - changed_when: false - register: ubtu22cis_password_set_grub_user - - - name: Check ubtu22cis_grub_user password variable has been changed | check password is set - ansible.builtin.assert: - that: ubtu22cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu22cis_grub_user_passwd.find('$y$') != -1 and ubtu22cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' - msg: "This role will not set the {{ ubtu22cis_grub_user }} user password is not set or ubtu22cis_grub_user_passwd variable has not been set correctly" - when: - - "'$y$' in ubtu22cis_password_set_grub_user.stdout" - - ubtu22cis_set_grub_user_pass - - ubtu22cis_rule_1_4_3 - - - name: Check ubtu22cis_grub_user password variable has been changed | if password blank or incorrect type and not being set - ansible.builtin.assert: - that: ( ubtu22cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu22cis_password_set_grub_user.stdout - fail_msg: "Grub 
User {{ ubtu22cis_grub_user }} has no password set or incorrect encryption" - success_msg: "Grub User {{ ubtu22cis_grub_user }} has a valid password set to be used in single user mode" - when: - - not ubtu22cis_set_grub_user_pass when: ubtu22cis_rule_1_4_3 tags: - - always + - always + block: + - name: Check ubtu22cis_grub_user password variable has been changed | check password is set + ansible.builtin.shell: "grep ^{{ ubtu22cis_grub_user }} /etc/shadow | awk -F : '{print $2}'" + changed_when: false + register: ubtu22cis_password_set_grub_user + + - name: Check ubtu22cis_grub_user password variable has been changed | check password is set + when: + - "'$y$' in ubtu22cis_password_set_grub_user.stdout" + - ubtu22cis_set_grub_user_pass + - ubtu22cis_rule_1_4_3 + ansible.builtin.assert: + that: ubtu22cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu22cis_grub_user_passwd.find('$y$') != -1 and ubtu22cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' + msg: "This role will not set the {{ ubtu22cis_grub_user }} user password is not set or ubtu22cis_grub_user_passwd variable has not been set correctly" + + - name: Check ubtu22cis_grub_user password variable has been changed | if password blank or incorrect type and not being set + when: + - not ubtu22cis_set_grub_user_pass + ansible.builtin.assert: + that: ( ubtu22cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu22cis_password_set_grub_user.stdout + fail_msg: "Grub User {{ ubtu22cis_grub_user }} has no password set or incorrect encryption" + success_msg: "Grub User {{ ubtu22cis_grub_user }} has a valid password set to be used in single user mode" - name: Setup rules if container - block: - - name: Discover and set container variable if required - ansible.builtin.set_fact: - system_is_container: true - - - name: Load variable for container - ansible.builtin.include_vars: - file: "{{ container_vars_file }}" - - - name: Output if discovered is a 
container - ansible.builtin.debug: - msg: system has been discovered as a container - when: - - system_is_container when: - - ansible_connection == 'docker' or - ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + - ansible_connection == 'docker' or + ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] tags: - - container_discovery - - always + - container_discovery + - always + block: + - name: Discover and set container variable if required + ansible.builtin.set_fact: + system_is_container: true + + - name: Load variable for container + ansible.builtin.include_vars: + file: "{{ container_vars_file }}" + + - name: Output if discovered is a container + when: + - system_is_container + ansible.builtin.debug: + msg: system has been discovered as a container - name: Gather the package facts before prelim - ansible.builtin.package_facts: - manager: auto tags: - - always + - always + ansible.builtin.package_facts: + manager: auto - name: Run prelim tasks - ansible.builtin.import_tasks: - file: prelim.yml tags: - - prelim_tasks - - run_audit - - always + - prelim_tasks + - run_audit + - always + ansible.builtin.import_tasks: + file: prelim.yml - name: Gather the package facts after prelim - ansible.builtin.package_facts: - manager: auto tags: - - always + - always + ansible.builtin.package_facts: + manager: auto - name: Run parse /etc/passwd - ansible.builtin.import_tasks: - file: parse_etc_password.yml when: - - ubtu22cis_section5 or - ubtu22cis_section6 + - ubtu22cis_section5 or + ubtu22cis_section6 tags: - - always + - always + ansible.builtin.import_tasks: + file: parse_etc_password.yml - name: Gather the package facts - ansible.builtin.package_facts: - manager: auto tags: - - always + - always + ansible.builtin.package_facts: + manager: auto - name: Include section 1 patches - ansible.builtin.import_tasks: - file: section_1/main.yml when: ubtu22cis_section1 tags: - - section1 + - section1 + 
ansible.builtin.import_tasks: + file: section_1/main.yml - name: Include section 2 patches - ansible.builtin.import_tasks: - file: section_2/main.yml when: ubtu22cis_section2 tags: - - section2 + - section2 + ansible.builtin.import_tasks: + file: section_2/main.yml - name: Include section 3 patches - ansible.builtin.import_tasks: - file: section_3/main.yml when: ubtu22cis_section3 tags: - - section3 + - section3 + ansible.builtin.import_tasks: + file: section_3/main.yml - name: Include section 4 patches - ansible.builtin.import_tasks: - file: section_4/main.yml when: ubtu22cis_section4 tags: - - section4 + - section4 + ansible.builtin.import_tasks: + file: section_4/main.yml - name: Include section 5 patches - ansible.builtin.import_tasks: section_5/main.yml when: ubtu22cis_section5 tags: - - section5 + - section5 + ansible.builtin.import_tasks: + file: section_5/main.yml - name: Include section 6 patches - ansible.builtin.import_tasks: - file: section_6/main.yml when: ubtu22cis_section6 tags: - - section6 + - section6 + ansible.builtin.import_tasks: + file: section_6/main.yml + +- name: Include section 7 patches + when: ubtu22cis_section7 + tags: + - section7 + ansible.builtin.import_tasks: + file: section_7/main.yml - name: Run auditd logic - ansible.builtin.import_tasks: - file: auditd.yml when: update_audit_template tags: - - always + - always + ansible.builtin.import_tasks: + file: auditd.yml - name: Flush handlers ansible.builtin.meta: flush_handlers - name: Reboot system block: - - name: Reboot system if not skipped - ansible.builtin.reboot: - when: - - not skip_reboot - - change_requires_reboot - - - name: Warning a reboot required but skip option set - ansible.builtin.debug: - msg: "Warning!! 
changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" - changed_when: true - when: - - skip_reboot - - change_requires_reboot + - name: Reboot system if not skipped + when: + - not skip_reboot + - change_requires_reboot + ansible.builtin.reboot: + + - name: Warning a reboot required but skip option set + when: + - skip_reboot + - change_requires_reboot + ansible.builtin.debug: + msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" + changed_when: true - name: Run post remediation audit - ansible.builtin.import_tasks: - file: post_remediation_audit.yml when: - - run_audit + - run_audit tags: - - run_audit + - run_audit + ansible.builtin.import_tasks: + file: post_remediation_audit.yml - name: Show Audit Summary - ansible.builtin.debug: - msg: "{{ audit_results.split('\n') }}" when: - - run_audit + - run_audit tags: - - run_audit + - run_audit + ansible.builtin.debug: + msg: "{{ audit_results.split('\n') }}" - name: If Warnings found Output count and control IDs affected - ansible.builtin.debug: - msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" when: warn_count != 0 tags: - - always + - always + ansible.builtin.debug: + msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 76a72b03..dc8eb21e 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml 
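Review bot: The new `Ensure root password is set` block accepts `Password locked` as success, so a root account with a locked password (the Ubuntu default) passes an assertion whose fail_msg says a root password is required; and both patterns are the Red Hat `passwd --status` wording, whereas Ubuntu's shadow-utils `passwd -S root` prints `root P <date> ...` / `root L <date> ...` as far as I recall, so on Ubuntu 22 the grep likely never matches and the assert fails even when a password is set. A portable form reads the status column instead, `ansible.builtin.shell: passwd -S root | awk '{print $2}'` with `that: root_passwd_set.stdout == "P"`, which also stops pinning SHA512 while the grub check in the same file expects yescrypt (`$y$`). The grub-user assert `that: ubtu22cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu22cis_grub_user_passwd.find('$y$') != -1 and ...` is vacuous: `and` binds tighter than `or`, and the task's own `when` already requires `'$y$' in ubtu22cis_password_set_grub_user.stdout`, so the first disjunct is always true and the placeholder `ubtu22cis_grub_user_passwd` literal is never rejected — drop that first disjunct. The connecting-user check has the same shape of gap: a hash locked with a `!` prefix is neither `"!!"` nor shorter than 10 characters, so `account not locked` is not actually asserted; adding `and not ansible_user_password_set.stdout.startswith('!')` would cover it.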
@@ -1,33 +1,32 @@ --- - name: "PRELIM | Parse /etc/passwd" + tags: + - always block: - - name: "PRELIM | Parse /etc/passwd | Get /etc/password contents" - ansible.builtin.shell: cat /etc/passwd - changed_when: false - check_mode: false - register: ubtu22cis_passwd_file_audit - - - name: "PRELIM | Parse /etc/passwd | Split passwd entries" - ansible.builtin.set_fact: - ubtu22cis_passwd: "{{ ubtu22cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" + - name: "PRELIM | Parse /etc/passwd | Get /etc/password contents" + ansible.builtin.shell: cat /etc/passwd + changed_when: false + check_mode: false + register: ubtu22cis_passwd_file_audit - with_items: "{{ ubtu22cis_passwd_file_audit.stdout_lines }}" - vars: - ld_passwd_regex: >- - ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) - ld_passwd_yaml: | - id: >-4 - \g - password: >-4 - \g - uid: \g - gid: \g - gecos: >-4 - \g - dir: >-4 - \g - shell: >-4 - \g - tags: - - always + - name: "PRELIM | Parse /etc/passwd | Split passwd entries" + ansible.builtin.set_fact: + ubtu22cis_passwd: "{{ ubtu22cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" + # with_items: "{{ ubtu22cis_passwd_file_audit.stdout_lines }}" + vars: + ld_passwd_regex: >- + ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) + ld_passwd_yaml: | + id: >-4 + \g + password: >-4 + \g + uid: \g + gid: \g + gecos: >-4 + \g + dir: >-4 + \g + shell: >-4 + \g diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index b3111c80..c887ba64 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
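Review bot: The `# with_items: ...` line left inside the `set_fact` task is dead code — the loop was dropped when the value became a `map()` pipeline over `stdout_lines` — and a commented-out loop in a task body invites someone to restore it, which would evaluate the whole expression once per passwd line; delete it. In this rendering the regex and replacement read `(?P[^:]*)` and `\g` with no group names, which would make `regex_replace` fail; that is probably extraction stripping `<name>` as markup, but worth confirming the file still carries `(?P<id>...)` / `\g<id>` for each field. Longer term, `ansible.builtin.getent` with `database: passwd` yields the same fields without `cat /etc/passwd` and per-line YAML parsing, provided the consumers of `ubtu22cis_passwd` (outside this hunk) are adapted to its key names.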
@@ -4,43 +4,43 @@ ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" - AUDIT_FILE: goss.yml + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" + AUDIT_FILE: goss.yml - name: Post Audit | ensure audit files readable by users ansible.builtin.file: - path: "{{ item }}" - mode: '0644' - state: file + path: "{{ item }}" + mode: '0644' + state: file loop: - - "{{ post_audit_outfile }}" - - "{{ pre_audit_outfile }}" + - "{{ post_audit_outfile }}" + - "{{ pre_audit_outfile }}" - name: Post Audit | Capture audit data if json format when: - - audit_format == "json" + - audit_format == "json" block: - - name: capture data {{ post_audit_outfile }} - ansible.builtin.shell: "cat {{ post_audit_outfile }}" - register: post_audit - changed_when: false + - name: capture data {{ post_audit_outfile }} + ansible.builtin.shell: "cat {{ post_audit_outfile }}" + register: post_audit + changed_when: false - - name: Capture post-audit result - ansible.builtin.set_fact: - post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" - vars: - summary: summary."summary-line" + - name: Capture post-audit result + ansible.builtin.set_fact: + post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" + vars: + summary: summary."summary-line" - name: Post Audit | Capture audit data if documentation format when: - - audit_format == "documentation" + - audit_format == "documentation" block: - - name: Post Audit | capture data {{ post_audit_outfile }} - ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" - register: post_audit - changed_when: false + - name: Post Audit | capture data {{ post_audit_outfile }} + ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" + 
register: post_audit + changed_when: false - - name: Post Audit | Capture post-audit result - ansible.builtin.set_fact: - post_audit_summary: "{{ post_audit.stdout_lines }}" + - name: Post Audit | Capture post-audit result + ansible.builtin.set_fact: + post_audit_summary: "{{ post_audit.stdout_lines }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index d0137e81..bd1154b8 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
@@ -2,120 +2,121 @@ - name: Pre Audit Setup | Setup the LE audit when: - - setup_audit + - setup_audit tags: - - setup_audit + - setup_audit ansible.builtin.include_tasks: - file: LE_audit_setup.yml + file: LE_audit_setup.yml - name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: - path: "{{ audit_conf_dir }}" - state: directory - mode: '0755' + path: "{{ audit_conf_dir }}" + state: directory + mode: '0755' - name: Pre Audit Setup | If using git for content set up when: - - audit_content == 'git' + - audit_content == 'git' block: - - name: Pre Audit Setup | Install git - ansible.builtin.package: - name: git - state: present + - name: Pre Audit Setup | Install git + ansible.builtin.package: + name: git + state: present - - name: Pre Audit Setup | Retrieve audit content files from git - ansible.builtin.git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" + - name: Pre Audit Setup | Retrieve audit content files from git + ansible.builtin.git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" - name: Pre Audit Setup | Copy to audit content files to server when: - - audit_content == 'copy' + - audit_content == 'copy' ansible.builtin.copy: - src: "{{ audit_conf_source }}" - dest: "{{ audit_conf_dest }}" - mode: preserve + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" + mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server when: - - audit_content == 'archive' + - audit_content == 'archive' ansible.builtin.unarchive: - src: "{{ audit_conf_source }}" - dest: "{{ audit_conf_dest }}" + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url when: - - audit_content == 'get_url' + - audit_content == 'get_url' ansible.builtin.unarchive: - src: "{{ audit_conf_source }}" - dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" - remote_src: "{{ ( 
audit_conf_source is contains ('http'))| ternary(true, false ) }}" - extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" + remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" + extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" - name: Pre Audit Setup | Check Goss is available when: - - run_audit + - run_audit block: - - name: Pre Audit Setup | Check for goss file - ansible.builtin.stat: - path: "{{ audit_bin }}" - register: goss_available + - name: Pre Audit Setup | Check for goss file + ansible.builtin.stat: + path: "{{ audit_bin }}" + register: goss_available - - name: Pre Audit Setup | If audit ensure goss is available - when: - - not goss_available.stat.exists - ansible.builtin.assert: - msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" + - name: Pre Audit Setup | If audit ensure goss is available + when: + - not goss_available.stat.exists + ansible.builtin.assert: + msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit tags: - - goss_template - - run_audit + - goss_template + - run_audit when: - - run_audit + - run_audit ansible.builtin.template: - src: ansible_vars_goss.yml.j2 - dest: "{{ audit_vars_path }}" - mode: '0600' + src: ansible_vars_goss.yml.j2 + dest: "{{ audit_vars_path }}" + mode: '0600' - name: Pre Audit | Run pre_remediation {{ benchmark }} audit ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: - AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" - AUDIT_FILE: goss.yml + AUDIT_BIN: "{{ audit_bin }}" + 
AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" + AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format when: - - audit_format == "json" + - audit_format == "json" block: - - name: Pre Audit | Capture data {{ pre_audit_outfile }} - ansible.builtin.shell: "cat {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false + - name: Pre Audit | Capture data {{ pre_audit_outfile }} + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false - - name: Pre Audit | Capture pre-audit result - ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" - vars: - summary: summary."summary-line" + - name: Pre Audit | Capture pre-audit result + ansible.builtin.set_fact: + pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" + vars: + summary: summary."summary-line" - name: Pre Audit | Capture audit data if documentation format when: - - audit_format == "documentation" + - audit_format == "documentation" block: - - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format - ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false + - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false - - name: Pre Audit | Capture pre-audit result | documentation format - ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" + - name: Pre Audit | Capture pre-audit result | documentation format + ansible.builtin.set_fact: + pre_audit_summary: "{{ pre_audit.stdout_lines }}" - name: Audit_Only | Run Audit Only when: - - audit_only - ansible.builtin.import_tasks: audit_only.yml + - audit_only + ansible.builtin.import_tasks: + file: audit_only.yml diff --git a/tasks/prelim.yml b/tasks/prelim.yml index e3075203..07b54d33 100644 
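Review bot: `Pre Audit Setup | If audit ensure goss is available` calls `ansible.builtin.assert` with only `msg:` and no `that:`; `that` is a required argument, so when the goss binary is missing the play stops on a "missing required arguments" error and the intended message is never shown (when the binary is present the task is skipped, which is why this goes unnoticed). Add `that: goss_available.stat.exists` and the `when` guard becomes unnecessary. Also worth a look, though only re-indented here: the `get_url` variant hands a remote URL straight to `unarchive`, which has no `checksum` option, so audit content pulled over the network is never integrity-checked — fetching with `ansible.builtin.get_url` plus `checksum:` to a temporary path and unarchiving from there would close that gap. The `git` variant has the same property unless `audit_git_version` is pinned to a tag or commit rather than a branch.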
--- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -1,8 +1,9 @@ --- + - name: "PRELIM | AUDIT | Set default values for facts" ansible.builtin.set_fact: - control_1_6_1_4_was_run: false - ubtu22cis_apparmor_enforce_only: false + control_1_6_1_4_was_run: false + ubtu22cis_apparmor_enforce_only: false changed_when: false - name: "PRELIM | AUDIT | Register if snap being used" @@ -11,10 +12,10 @@ failed_when: snap_pkg_mgr.rc not in [ 0, 1 ] register: snap_pkg_mgr tags: - - rule_1.1.1.2 - - always + - rule_1.1.1.2 + - always when: - - ubtu22cis_rule_1_1_1_2 + - ubtu22cis_rule_1_1_1_2 - name: "PRELIM | AUDIT | Register if squashfs is built into the kernel" ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs" 
@@ -22,150 +23,149 @@ failed_when: squashfs_builtin.rc not in [ 0, 1 ] register: squashfs_builtin tags: - - rule_1.1.1.2 - - always + - always when: - - ubtu22cis_rule_1_1_1_2 + - ubtu22cis_rule_1_1_1_2 - name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points" ansible.builtin.set_fact: - mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" + mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" tags: - - always + - always - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type + when: + - "'/tmp' in mount_names" + - ubtu22cis_rule_1_1_2_1 or + ubtu22cis_rule_1_1_2_2 or + ubtu22cis_rule_1_1_2_3 or + ubtu22cis_rule_1_1_2_4 + tags: + - always block: - - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type - ansible.builtin.shell: systemctl is-enabled tmp.mount - register: discover_tmp_mnt_type - changed_when: false - failed_when: discover_tmp_mnt_type.rc not in [ 0, 1 ] + - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type + ansible.builtin.shell: systemctl is-enabled tmp.mount + register: discover_tmp_mnt_type + changed_when: false + failed_when: discover_tmp_mnt_type.rc not in [ 0, 1 ] - - name: PRELIM | AUDIT | Capture tmp mount type | Set to expected_tmp_mnt variable - ansible.builtin.set_fact: - tmp_mnt_type: "{{ expected_tmp_mnt }}" - when: "'generated' in discover_tmp_mnt_type.stdout" + - name: PRELIM | AUDIT | Capture tmp mount type | Set to expected_tmp_mnt variable + when: "'generated' in discover_tmp_mnt_type.stdout" + ansible.builtin.set_fact: + tmp_mnt_type: "{{ expected_tmp_mnt }}" - - name: PRELIM | AUDIT | Capture tmp mount type | Set systemd service - ansible.builtin.set_fact: - tmp_mnt_type: tmp_systemd - when: "'generated' not in discover_tmp_mnt_type.stdout" - when: - - "'/tmp' in mount_names" - - ubtu22cis_rule_1_1_2_1 or - ubtu22cis_rule_1_1_2_2 or - ubtu22cis_rule_1_1_2_3 or - ubtu22cis_rule_1_1_2_4 - tags: - - always + - name: PRELIM | 
AUDIT | Capture tmp mount type | Set systemd service + when: "'generated' not in discover_tmp_mnt_type.stdout" + ansible.builtin.set_fact: + tmp_mnt_type: tmp_systemd - name: PRELIM | Initialize the mount options variable + tags: + - always block: - - name: PRELIM | Initializing the var if there is no /tmp mount | set_fact - ansible.builtin.set_fact: - tmp_partition_mount_options: [] - when: "'/tmp' not in mount_names" + - name: PRELIM | Initializing the var if there is no /tmp mount | set_fact + when: "'/tmp' not in mount_names" + ansible.builtin.set_fact: + tmp_partition_mount_options: [] - - name: PRELIM | Initializing the var if there is a /tmp mount | set_fact - ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ item.options.split(',') }}" - loop: "{{ ansible_facts.mounts }}" - when: - - item.mount == "/tmp" - - "'/tmp' in mount_names" - tags: - - always + - name: PRELIM | Initializing the var if there is a /tmp mount | set_fact + when: + - item.mount == "/tmp" + - "'/tmp' in mount_names" + ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ item.options.split(',') }}" + loop: "{{ ansible_facts.mounts }}" - name: "PRELIM | AUDIT | Check for autofs service" - ansible.builtin.shell: "systemctl show autofs | grep LoadState | cut -d = -f 2" - register: ubtu22cis_autofs_service_status - changed_when: false - check_mode: false when: - - ubtu22cis_rule_1_1_9 + - ubtu22cis_rule_1_1_9 tags: - - skip_ansible_lint - - section1 - - always - -- name: "PRELIM | AUDIT | Check for avahi-daemon service" - ansible.builtin.shell: "systemctl show avahi-daemon | grep LoadState | cut -d = -f 2" - register: avahi_service_status + - skip_ansible_lint + - section1 + - always + ansible.builtin.shell: "systemctl show autofs | grep LoadState | cut -d = -f 2" + register: ubtu22cis_autofs_service_status changed_when: false check_mode: false - when: - - ubtu22cis_rule_2_2_2 - tags: - - skip_ansible_lint - - always - name: Include audit specific variables - 
ansible.builtin.include_vars: audit.yml when: - - run_audit or audit_only - - setup_audit + - run_audit or audit_only + - setup_audit tags: - - setup_audit - - run_audit + - setup_audit + - run_audit + ansible.builtin.include_vars: + file: audit.yml - name: Include pre-remediation audit tasks - ansible.builtin.import_tasks: pre_remediation_audit.yml when: - - run_audit or audit_only - - setup_audit + - run_audit or audit_only + - setup_audit tags: - - run_audit + - run_audit + ansible.builtin.import_tasks: + file: pre_remediation_audit.yml - name: "PRELIM | PATCH | Run apt update" - ansible.builtin.package: - update_cache: true when: - - ubtu22cis_rule_1_3_1 or - ubtu22cis_rule_1_9 + - ubtu22cis_rule_1_3_1 or + ubtu22cis_rule_1_9 tags: - - always - -- name: "PRELIM | PATCH | Install Network-Manager" + - always ansible.builtin.package: - name: network-manager - state: present + update_cache: true + +- name: "PRELIM | AUDIT | Wireless adapter pre-requisites" when: - - ubtu22cis_rule_3_1_2 - - ubtu22cis_install_network_manager - - not system_is_container - - "'network-manager' not in ansible_facts.packages" + - ubtu22cis_rule_3_1_2 + - not system_is_container tags: - - always - -- name: "PRELIM | PATCH | Ensure auditd is installed" + - always block: - - name: "PRELIM | PATCH | Ensure auditd is installed" - ansible.builtin.package: - name: ['auditd', 'audispd-plugins'] - state: present - when: - - "'auditd' not in ansible_facts.packages or - 'auditd-plugins' not in ansible_facts.packages" + - name: "PRELIM | AUDIT | Discover is wirelss adapter on system" + ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless + register: discover_wireless_adapters + changed_when: false + failed_when: discover_wireless_adapters.rc not in [ 0, 1 ] - - name: "PRELIM | AUDIT | Audit conf and rules files | list files" - ansible.builtin.find: - path: /etc/audit/ - file_type: file - recurse: true - patterns: '*.conf,*.rules' - register: auditd_conf_files + - name: "PRELIM | 
PATCH | Install Network-Manager | if wireless adpater present" + when: + - ubtu22cis_install_network_manager + - discover_wireless_adapters.rc == 0 + - "'network-manager' not in ansible_facts.packages" + ansible.builtin.package: + name: network-manager + state: present +- name: "PRELIM | PATCH | Ensure auditd is installed" when: - - ubtu22cis_rule_4_1_1_1 or - ubtu22cis_rule_4_1_4_5 or - ubtu22cis_rule_4_1_4_6 or - ubtu22cis_rule_4_1_4_7 + - ubtu22cis_rule_4_1_1_1 or + ubtu22cis_rule_4_1_4_5 or + ubtu22cis_rule_4_1_4_6 or + ubtu22cis_rule_4_1_4_7 tags: - - level2-server - - level2-workstation - - patch - - auditd - - always + - level2-server + - level2-workstation + - patch + - auditd + - always + block: + - name: "PRELIM | PATCH | Ensure auditd is installed" + when: + - "'auditd' not in ansible_facts.packages or + 'auditd-plugins' not in ansible_facts.packages" + ansible.builtin.package: + name: ['auditd', 'audispd-plugins'] + state: present + + - name: "PRELIM | AUDIT | Audit conf and rules files | list files" + ansible.builtin.find: + path: /etc/audit/ + file_type: file + recurse: true + patterns: '*.conf,*.rules' + register: auditd_conf_files - name: "PRELIM | AUDIT | Check if auditd is immutable before changes" ansible.builtin.shell: auditctl -l | grep -c '-e 2' @@ -174,7 +174,7 @@ register: auditd_immutable_check when: "'auditd' in ansible_facts.packages" tags: - - always + - always - name: "PRELIM | PATCH | 5.3.4/5 | Find all sudoers files." ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" 
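Review bot: In the new `Wireless adapter pre-requisites` block, `discover_wireless_adapters.rc == 0` does not test what the task name says: `find /sys/class/net/*/ -type d -name wireless` exits 0 whenever the search ran without error, matches or not, so network-manager gets installed on every non-container host rather than only where a wireless directory exists. Test the output instead, `- discover_wireless_adapters.stdout | length > 0`. In the `Ensure auditd is installed` block further down, the guard checks `'auditd-plugins' not in ansible_facts.packages` while the package installed is `audispd-plugins`, so the condition is always true and the package task runs on every host (harmless with `state: present`, but it hides the intent); align the name. Removing the avahi-daemon prelim check also drops the `avahi_service_status` fact, so any section 2 task that still reads it (outside this hunk) will fail on an undefined variable.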
@@ -183,93 +183,103 @@ check_mode: false register: ubtu22cis_sudoers_files when: - - ubtu22cis_rule_5_3_4 or - ubtu22cis_rule_5_3_5 + - ubtu22cis_rule_5_3_4 or + ubtu22cis_rule_5_3_5 tags: - - always + - always - name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" + when: + - not discover_int_uid + tags: + - always block: - - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" - ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' - changed_when: false - register: uid_min_id + - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" + ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' + changed_when: false + register: uid_min_id - - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" - ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' - changed_when: false - register: uid_max_id + - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" + ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' + changed_when: false + register: uid_max_id - - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" - ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' - changed_when: false - register: gid_min_id + - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" + ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' + changed_when: false + register: gid_min_id - - name: "PRELIM | AUDIT | Set_facts for interactive uid/gid" - ansible.builtin.set_fact: - min_int_uid: "{{ uid_min_id.stdout }}" - max_int_uid: "{{ uid_max_id.stdout }}" - min_int_gid: "{{ gid_min_id.stdout }}" - when: - - not discover_int_uid + - name: "PRELIM | AUDIT | Set_facts for interactive uid/gid" + ansible.builtin.set_fact: + min_int_uid: "{{ uid_min_id.stdout }}" + max_int_uid: "{{ uid_max_id.stdout }}" + min_int_gid: "{{ gid_min_id.stdout }}" 
+ +- name: "PRELIM | AUDIT | Interactive Users" tags: - - always + - always + ansible.builtin.shell: > + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' + changed_when: false + register: discovered_interactive_usernames -- name: "PRELIM | AUDIT | Interactive User accounts" +- name: "PRELIM | AUDIT | Interactive User accounts home directories" + tags: + - always ansible.builtin.shell: > - grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/false") { print $6 }' + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $6 }' changed_when: false - register: interactive_users_home - when: - - ubtu22cis_rule_6_2_11 or - ubtu22cis_rule_6_2_13 or - ubtu22cis_rule_6_2_14 or - ubtu22cis_rule_6_2_15 or - ubtu22cis_rule_6_2_16 + register: discovered_interactive_users_home + +- name: "PRELIM | AUDIT | Interactive UIDs" tags: - - always + - always + ansible.builtin.shell: > + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' + changed_when: false + register: discovered_interactive_uids - name: "PRELIM | PATCH | Install ACL" - ansible.builtin.package: - name: acl - state: present when: - - ubtu22cis_rule_6_2_6 - - "'acl' not in ansible_facts.packages" + - ubtu22cis_rule_6_2_6 + - "'acl' not in ansible_facts.packages" tags: - - always + - always + ansible.builtin.package: + name: acl + state: present - name: "PRELIM | AUDIT | Gather UID 0 accounts other than root" + when: + - ubtu22cis_rule_6_2_10 + tags: + - rule_6.2.10 + - level1-server + - level1-workstation + - users + - always ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" 
changed_when: false check_mode: false register: ubtu22cis_uid_zero_accounts_except_root - when: - - ubtu22cis_rule_6_2_10 - tags: - - rule_6.2.10 - - level1-server - - level1-workstation - - users - - always - name: "PRELIM | AUDIT | List users accounts" + tags: + - always ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd" changed_when: false check_mode: false register: ubtu22cis_users - tags: - - always ## Optional - name: "Optional | PATCH | UFW firewall force to use /etc/sysctl.conf settings" ansible.builtin.lineinfile: - path: /etc/default/ufw - regexp: ^IPT_SYSCTL=.* - line: IPT_SYSCTL=/etc/sysctl.conf + path: /etc/default/ufw + regexp: ^IPT_SYSCTL=.* + line: IPT_SYSCTL=/etc/sysctl.conf when: - - ubtu22cis_firewall_package == "ufw" - - ubtu22cis_ufw_use_sysctl + - ubtu22cis_firewall_package == "ufw" + - ubtu22cis_ufw_use_sysctl tags: - - always + - always diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 5c3d41e7..0ea0ddf0 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml 
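Review bot: The `PRELIM | AUDIT | Interactive UIDs` awk filter omits the `$7 != "/dev/null"` test that the sibling `Interactive Users` and `Interactive User accounts home directories` tasks apply, so `discovered_interactive_uids` can include UIDs whose username and home directory are absent from the other two facts; add `&& $7 != "/dev/null"` to that condition so the three lists describe the same set of accounts. The block name `Discover Interactive UID MIN and MIN from logins.def` should read `UID MIN and MAX`. The `Gather UID 0 accounts other than root` command can drop the `cat` pipe and read the file directly: `awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}' /etc/passwd`.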
@@ -1,102 +1,265 @@ --- -- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" +- name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available" + when: + - ubtu22cis_rule_1_1_1_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.1.1.1 + - cramfs + block: + - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install cramfs(\\s|$)" + line: "install cramfs /bin/true" + create: true + mode: 0600 + + - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist cramfs(\\s|$)" + line: "blacklist cramfs" + create: true + mode: '0600' + + - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" + when: + - not system_is_container + community.general.modprobe: + name: cramfs + state: absent + +- name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available" + when: + - ubtu22cis_rule_1_1_1_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.1.1.2 + - freevxfs + block: + - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install freevxfs(\\s|$)" + line: "install freevxfs /bin/true" + create: true + mode: '0600' + + - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist freevxfs(\\s|$)" + line: "blacklist freevxfs" + create: true + mode: '0600' + + - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs" + when: + - not system_is_container + community.general.modprobe: + name: freevxfs + state: absent + +- name: "1.1.1.3 | PATCH | Ensure hfs 
kernel module is not available" + when: + - ubtu22cis_rule_1_1_1_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.1.1.3 + - hfs + block: + - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install hfs(\\s|$)" + line: "install hfs /bin/true" + create: true + mode: '0600' + + - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist hfs(\\s|$)" + line: "blacklist hfs" + create: true + mode: '0600' + + - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable squashfs" + when: + - not system_is_container + community.general.modprobe: + name: squashfs + state: absent + +- name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available" + when: + - ubtu22cis_rule_1_1_1_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.1.1.4 + - hfsplus block: - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" - ansible.builtin.lineinfile: - dest: /etc/modprobe.d/cramfs.conf - regexp: '^(#)?install cramfs(\\s|$)' - line: install cramfs /bin/true - create: true - - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | blacklist" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist cramfs(\\s|$)" - line: "blacklist cramfs" - create: true - mode: '0600' - - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" - community.general.modprobe: - name: cramfs - state: absent - when: ansible_connection != 'docker' - notify: Update_Initramfs + - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install 
hfsplus(\\s|$)" + line: "install hfsplus /bin/true" + create: true + mode: '0600' + + - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist hfsplus(\\s|$)" + line: "blacklist hfsplus" + create: true + mode: '0600' + + - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus" + when: + - not system_is_container + community.general.modprobe: + name: hfsplus + state: absent + +- name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available" when: - - ubtu22cis_rule_1_1_1_1 + - ubtu22cis_rule_1_1_1_5 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.1.1 - - cramfs - -- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled" + - level1-server + - level1-workstation + - patch + - rule_1.1.1.5 + - jffs2 block: - - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" - ansible.builtin.lineinfile: - dest: /etc/modprobe.d/squashfs.conf - regexp: '^(#)?install squashfs(\\s|$)' - line: install squashfs /bin/true - create: true - - - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist squashfs(\\s|$)" - line: "blacklist squashfs" - create: true - mode: '0600' - - - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" - community.general.modprobe: - name: squashfs - state: absent - when: ansible_connection != 'docker' - notify: Update_Initramfs + - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install jffs2(\\s|$)" + line: "install jffs2 /bin/true" + create: true + mode: '0600' + + - name: "1.1.1.5 | PATCH | Ensure 
jffs2 kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist jffs2(\\s|$)" + line: "blacklist jffs2" + create: true + mode: '0600' + + - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2" + when: + - not system_is_container + community.general.modprobe: + name: jffs2 + state: absent + +- name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available" when: - - ubtu22cis_rule_1_1_1_2 - - snap_pkg_mgr.stdout == "0" - - squashfs_builtin.stdout == "0" + - ubtu22cis_rule_1_1_1_6 tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_1.1.1.2 - - squashfs - -- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled" + - level2-server + - level2-workstation + - patch + - rule_1.1.1.6 + - squashfs block: - - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled | Edit modprobe config" - ansible.builtin.lineinfile: - dest: /etc/modprobe.d/udf.conf - regexp: '^(#)?install udf(\\s|$)' - line: install udf /bin/true - create: true - - - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist udf(\\s|$)" - line: "blacklist udf" - create: true - mode: '0600' - - - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled | Disable udf" - community.general.modprobe: - name: udf - state: absent - when: ansible_connection != 'docker' - notify: Update_Initramfs + - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install squashfs(\\s|$)" + line: "install squashfs /bin/true" + create: true + mode: '0600' + + - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: 
/etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist squashfs(\\s|$)" + line: "blacklist squashfs" + create: true + mode: '0600' + + - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs" + when: + - not system_is_container + community.general.modprobe: + name: squashfs + state: absent + +- name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available" when: - - ubtu22cis_rule_1_1_1_3 + - ubtu22cis_rule_1_1_1_7 tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_1.1.1.3 - - udf + - level2-server + - level2-workstation + - patch + - rule_1.1.1.7 + - udf + block: + - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install udf(\\s|$)" + line: "install udf /bin/true" + create: true + mode: '0600' + + - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist udf(\\s|$)" + line: "blacklist udf" + create: true + mode: '0600' + + - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Disable udf" + when: + - not system_is_container + community.general.modprobe: + name: udf + state: absent + +- name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available" + when: + - ubtu22cis_rule_1_1_1_8 + tags: + - level1-server + - level2-workstation + - patch + - rule_1.1.1.8 + - usb + block: + - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install usb-storage(\\s|$)" + line: "install usb-storage /bin/true" + create: true + mode: '0600' + + - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: 
"^(#)?blacklist usb-storage(\\s|$)" + line: "blacklist usb-storage" + create: true + mode: '0600' + + - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Disable usb" + when: + - not system_is_container + community.general.modprobe: + name: usb-storage + state: absent diff --git a/tasks/section_1/cis_1.1.10.yml b/tasks/section_1/cis_1.1.10.yml deleted file mode 100644 index 4b964b62..00000000 --- a/tasks/section_1/cis_1.1.10.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- - -- name: "1.1.10 | PATCH | Disable USB Storage" - block: - - name: "1.1.10 | PATCH | Disable USB Storage | Set modprobe config" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/usb_storage.conf - regexp: '^install usb-storage' - line: 'install usb-storage /bin/true' - create: true - - - name: "1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - line: 'blacklist usb-storage' - insertafter: EOF - - - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module" - community.general.modprobe: - name: usb-storage - state: absent - when: ansible_connection != 'docker' - notify: Update_Initramfs - when: - - ubtu22cis_rule_1_1_10 - - not ubtu22cis_allow_usb_storage - tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_1.1.10 - - usb_storage diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml new file mode 100644 index 00000000..16edfe72 --- /dev/null +++ b/tasks/section_1/cis_1.1.2.1.x.yml 
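Review bot: In `1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable squashfs` the modprobe task passes `name: squashfs`, so the hfs module is never unloaded even though the modprobe config and blacklist entries written just above are for hfs; it should be `name: hfs` with the name suffix `| Disable hfs`. The first lineinfile under 1.1.1.1 uses `mode: 0600` unquoted while every other task in the file uses `mode: '0600'`; quote it for consistency and to avoid the octal-literal ambiguity. The removed version notified `Update_Initramfs` after each modprobe removal and the new blocks carry no notify; if that handler still exists, the rebuilt blocks appear to leave the initramfs unrefreshed, which is worth confirming.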
@@ -0,0 +1,75 @@ +--- + +- name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition" + when: + - required_mount not in mount_names + - ubtu22cis_rule_1_1_2_1_1 + tags: + - level1-server + - level1-workstation + - audit + - mounts + - rule_1.1.2.1.1 + - tmp + vars: + warn_control_id: '1.1.2.1.1' + required_mount: '/tmp' + block: + - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + + - name: "1.1.2.1.1 | WARN | Ensure /tmp is a separate partition | warn_count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" + when: + - required_mount in mount_names + - ubtu22cis_rule_1_1_2_1_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.1.2.1.2 + - tmp + vars: + required_mount: '/tmp' + ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}" + changed_when: true + notify: Writing and remounting tmp + +- name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" + when: + - required_mount in mount_names + - ubtu22cis_rule_1_1_2_1_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.1.2.1.3 + - tmp + vars: + required_mount: '/tmp' + ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}" + changed_when: true + notify: Writing and remounting tmp + +- name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" + when: + - required_mount in mount_names + - ubtu22cis_rule_1_1_2_1_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.1.2.1.4 + - tmp + vars: + required_mount: '/tmp' + ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}" + changed_when: true + notify: Writing and remounting tmp 
diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml new file mode 100644 index 00000000..be1af438 --- /dev/null +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -0,0 +1,50 @@ +--- + +- name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition" + when: + - ubtu22cis_rule_1_1_2_2_1 + - "'/tmp' not in mount_names" + tags: + - level1-server + - level1-workstation + - audit + - mounts + - rule_1.1.2.2.1 + vars: + warn_control_id: '1.1.2.2.1' + required_mount: '/dev/shm' + block: + - name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition | Absent" + when: ubtu22cis_dev_shm_present is undefined + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" + + - name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition | Present" + when: ubtu22cis_dev_shm_present is undefined + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: | + "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition + 1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition + 1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" + when: + - ubtu22cis_dev_shm_present is defined + - ubtu22cis_rule_1_1_2_2_2 or + ubtu22cis_rule_1_1_2_2_3 or + ubtu22cis_rule_1_1_2_2_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts + - rule_1.1.2.2.1 + - rule_1.1.2.2.2 + - rule_1.1.2.2.3 + notify: Change_requires_reboot + ansible.posix.mount: + name: /dev/shm + src: tmpfs + fstype: tmpfs + state: mounted + opts: defaults,{% if ubtu22cis_rule_1_1_2_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_2_3 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_2_2_4 %}noexec{% endif %} diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml new file mode 100644 index 00000000..4faaf929 --- /dev/null +++ b/tasks/section_1/cis_1.1.2.3.x.yml 
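Review bot: The `1.1.2.2.1` task is gated on `"'/tmp' not in mount_names"` instead of `"'/dev/shm' not in mount_names"`, so the /dev/shm separate-partition warning is driven by the state of /tmp; the condition should test `required_mount` or the `/dev/shm` path. The combined 1.1.2.2.2–1.1.2.2.4 task tags `rule_1.1.2.2.1` through `rule_1.1.2.2.3` but not `rule_1.1.2.2.4`, so running with `--tags rule_1.1.2.2.4` would skip the noexec change; replace `- rule_1.1.2.2.1` with `- rule_1.1.2.2.4`. The `opts` template also leaves a trailing comma (`defaults,nodev,`) whenever noexec is not the last enabled option; whether the mount module accepts an empty trailing option should be confirmed, and the same pattern appears in cis_1.1.2.3.x.yml through cis_1.1.2.7.x.yml.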
@@ -0,0 +1,52 @@ +--- + +- name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home" + when: + - ubtu22cis_rule_1_1_2_3_1 + - "'/home' not in mount_names" + tags: + - level2-server + - level2-workstation + - audit + - mounts + - rule_1.1.2.3.1 + vars: + warn_control_id: '1.1.2.3.1' + required_mount: '/home' + block: + - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Warn if partition is absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + register: home_mount_absent + changed_when: home_mount_absent.skipped is undefined + + - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Present" + ansible.builtin.import_tasks: + file: warning_facts.yml + +# skips if mount is absent +- name: | + "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition + 1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition + when: + - "'/home' in mount_names" + - item.mount == "/home" + - ubtu22cis_rule_1_1_2_3_2 or + ubtu22cis_rule_1_1_2_3_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts + - rule_1.1.2.3.2 + - rule_1.1.2.3.3 + notify: Change_requires_reboot + ansible.posix.mount: + name: /home + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if ubtu22cis_rule_1_1_2_3_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3_3 %}nosuid{% endif %} + loop: "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml new file mode 100644 index 00000000..44e5c061 --- /dev/null +++ b/tasks/section_1/cis_1.1.2.4.x.yml 
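Review bot: The multi-line `name: |` of the 1.1.2.3.2/1.1.2.3.3 task opens a double quote on its first line and never closes it, and its second line is unquoted, whereas cis_1.1.2.4.x.yml through cis_1.1.2.7.x.yml quote each line of the name separately; inside a literal block scalar the quotes are plain text, so this is harmless but inconsistent, and the two lines should either both be quoted or neither. The sub-task `1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Present` records a warning for the absent case, so `| Present` is misleading; `| warn_count` as used in cis_1.1.2.1.x.yml reads correctly.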
@@ -0,0 +1,52 @@ +--- + +- name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var" + when: + - "'/var' not in mount_names" + - ubtu22cis_rule_1_1_2_4_1 + tags: + - level2-server + - level2-workstation + - patch + - mounts + - rule_1.1.2.4.1 + vars: + warn_control_id: '1.1.2.4.1' + required_mount: '/var' + block: + - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Warn if partition is absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + register: var_mount_absent + changed_when: var_mount_absent.skipped is undefined + + - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Present" + ansible.builtin.import_tasks: + file: warning_facts.yml + +# skips if mount is absent +- name: | + "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition" + "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" + when: + - "'/var' in mount_names" + - item.mount == "/var" + - ubtu22cis_rule_1_1_2_4_2 or + ubtu22cis_rule_1_1_2_4_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts + - rule_1.1.2.4.2 + - rule_1.1.2.4.3 + notify: Change_requires_reboot + ansible.posix.mount: + name: /var + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if ubtu22cis_rule_1_1_2_4_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_4_3 %}nosuid{% endif %} + loop: "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml new file mode 100644 index 00000000..ba36c01e --- /dev/null +++ b/tasks/section_1/cis_1.1.2.5.x.yml 
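Review bot: The `1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var` task is tagged `patch` while every other AUDIT task in this series (1.1.2.3.1, 1.1.2.5.1, 1.1.2.6.1, 1.1.2.7.1) is tagged `audit`; a run limited with `--tags audit` would miss this warning and `--tags patch` would pick up a task that only emits a debug message. Change `- patch` to `- audit` in that task's tag list.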
@@ -0,0 +1,56 @@ +--- + +# Skips if mount is absent +- name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp" + when: + - ubtu22cis_rule_1_1_2_5_1 + - "'/var/tmp' not in mount_names" + tags: + - level2-server + - level2-workstation + - audit + - mounts + - rule_1.1.2.5.1 + vars: + warn_control_id: '1.1.2.5.1' + required_mount: '/var/tmp' + block: + - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn if partition is absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + register: var_tmp_mount_absent + changed_when: var_tmp_mount_absent.skipped is undefined + + - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" + ansible.builtin.import_tasks: + file: warning_facts.yml + +# skips if mount is absent +- name: | + "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition" + "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition" + "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" + when: + - "'/var/tmp' in mount_names" + - item.mount == "/var/tmp" + - ubtu22cis_rule_1_1_2_5_2 or + ubtu22cis_rule_1_1_2_5_3 or + ubtu22cis_rule_1_1_2_5_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts + - rule_1.1.2.5.2 + - rule_1.1.2.5.3 + - rule_1.1.2.5.4 + notify: Change_requires_reboot + ansible.posix.mount: + name: /var/tmp + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if ubtu22cis_rule_1_1_2_5_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_5_3 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_2_5_4 %}noexec{% endif %} + loop: "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml new file mode 100644 index 00000000..5a1a7958 --- /dev/null +++ b/tasks/section_1/cis_1.1.2.6.x.yml 
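Review bot: The comment `# Skips if mount is absent` above the 1.1.2.5.1 task states the inverse of its condition — that task runs precisely when `'/var/tmp' not in mount_names`, to warn that the partition is missing. Replace it with `# Warns if mount is absent` or drop it; the second comment, above the nodev/nosuid/noexec task, matches that task's `'/var/tmp' in mount_names` guard and is correct as written.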
@@ -0,0 +1,55 @@ +--- + +- name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log" + when: + - ubtu22cis_rule_1_1_2_6_1 + - "'/var/log' not in mount_names" + tags: + - level2-server + - level2-workstation + - audit + - mounts + - rule_1.1.2.6.1 + vars: + warn_control_id: '1.1.2.6.1' + required_mount: '/var/log' + block: + - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Warn if partition is absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + register: var_log_mount_absent + changed_when: var_log_mount_absent.skipped is undefined + + - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Present" + ansible.builtin.import_tasks: + file: warning_facts.yml + +# skips if mount is absent +- name: | + "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition" + "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition" + "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" + when: + - "'/var/log' in mount_names" + - item.mount == "/var/log" + - ubtu22cis_rule_1_1_2_6_2 or + ubtu22cis_rule_1_1_2_6_3 or + ubtu22cis_rule_1_1_2_6_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts + - rule_1.1.2.6.2 + - rule_1.1.2.6.3 + - rule_1.1.2.6.4 + notify: Change_requires_reboot + ansible.posix.mount: + name: /var/log + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if ubtu22cis_rule_1_1_2_6_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_6_3 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_2_6_4 %}noexec{% endif %} + loop: "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml new file mode 100644 index 00000000..222ba46c --- /dev/null +++ b/tasks/section_1/cis_1.1.2.7.x.yml 
@@ -0,0 +1,55 @@ +--- + +- name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit" + when: + - ubtu22cis_rule_1_1_2_7_1 + - "'/var/log/audit' not in mount_names" + tags: + - level2-server + - level2-workstation + - audit + - mounts + - rule_1.1.2.7.1 + vars: + warn_control_id: '1.1.2.7.1' + required_mount: '/var/log/audit' + block: + - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn if partition is absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + register: var_log_audit_mount_absent + changed_when: var_log_audit_mount_absent.skipped is undefined + + - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" + ansible.builtin.import_tasks: + file: warning_facts.yml + +# skips if mount is absent +- name: | + "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition" + "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition" + "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" + when: + - "'/var/log/audit' in mount_names" + - item.mount == "/var/log/audit" + - ubtu22cis_rule_1_1_2_7_2 or + ubtu22cis_rule_1_1_2_7_3 or + ubtu22cis_rule_1_1_2_7_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts + - rule_1.1.2.7.2 + - rule_1.1.2.7.3 + - rule_1.1.2.7.4 + notify: Change_requires_reboot + ansible.posix.mount: + name: /var/log/audit + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if ubtu22cis_rule_1_1_2_7_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_7_3 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_2_7_4 %}noexec{% endif %} + loop: "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml deleted file mode 100644 index 9d2b903a..00000000 --- a/tasks/section_1/cis_1.1.2.x.yml +++ /dev/null 
@@ -1,78 +0,0 @@ ---- - -- name: "1.1.2.1 | AUDIT | Ensure /tmp is a separate partition" - block: - - name: "1.1.2.1 | AUDIT | Ensure /tmp is a separate partition | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - - - name: "1.1.2.1 | WARN | Ensure /tmp is a separate partition | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '1.1.2.1' - required_mount: '/tmp' - when: - - required_mount not in mount_names - - ubtu22cis_rule_1_1_2_1 - tags: - - level1-server - - level1-workstation - - audit - - mounts - - rule_1.1.2.1 - - tmp - -- name: "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" - ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}" - changed_when: true - notify: Writing and remounting tmp - vars: - required_mount: '/tmp' - when: - - required_mount in mount_names - - ubtu22cis_rule_1_1_2_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.2.2 - - tmp - -- name: "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" - ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}" - changed_when: true - notify: Writing and remounting tmp - vars: - required_mount: '/tmp' - when: - - required_mount in mount_names - - ubtu22cis_rule_1_1_2_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.2.3 - - tmp - -- name: "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" - ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}" - changed_when: true - notify: Writing and remounting tmp - vars: - required_mount: '/tmp' - when: - - required_mount in mount_names - - ubtu22cis_rule_1_1_2_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.2.4 - - tmp 
diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml deleted file mode 100644 index 3e67519b..00000000 --- a/tasks/section_1/cis_1.1.3.x.yml +++ /dev/null @@ -1,50 +0,0 @@ ---- - -- name: "1.1.3.1 | AUDIT | Ensure /var is a separate partition" - block: - - name: "1.1.3.1 | AUDIT | Ensure /var is a separate partition | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - - - name: "1.1.3.1 | WARN | Ensure /var is a separate partition | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '1.1.3.1' - required_mount: '/var' - when: - - required_mount not in mount_names - - ubtu22cis_rule_1_1_3_1 - tags: - - level2-server - - level2-workstation - - automated - - audit - - rule_1.1.3.1 - - var - -- name: | - "1.1.3.2 | PATCH | Ensure /var partition includes the nodev option" - "1.1.3.3 | PATCH | Ensure /var partition includes the nosuid option" - ansible.posix.mount: - path: /var - src: "{{ item.device }}" - state: present - fstype: "{{ item.fstype }}" - opts: defaults,{% if ubtu22cis_rule_1_1_3_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_3_3 %}nosuid{% endif %} - notify: Remount var - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - when: - - item.mount == "/var" - - ubtu22cis_rule_1_1_3_2 or - ubtu22cis_rule_1_1_3_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.3.2 - - rule_1.1.3.3 - - var diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml deleted file mode 100644 index ecfe566f..00000000 --- a/tasks/section_1/cis_1.1.4.x.yml +++ /dev/null 
@@ -1,53 +0,0 @@ ---- - -- name: "1.1.4.1 | AUDIT | Ensure /var/tmp is a separate partition" - block: - - name: "1.1.4.1 | AUDIT | Ensure /var/tmp is a separate partition | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - - - name: "1.1.4.1 | WARN | Ensure /var/tmp is a separate partition | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '1.1.4.1' - required_mount: '/var/tmp' - when: - - required_mount not in mount_names - - ubtu22cis_rule_1_1_4_1 - tags: - - level2-server - - level2-workstation - - automated - - audit - - rule_1.1.4.1 - - var - -- name: | - "1.1.4.2 | PATCH | Ensure /var/tmp partition includes the noexec option" - "1.1.4.3 | PATCH | Ensure /var/tmp partition includes the nosuid option" - "1.1.4.4 | PATCH | Ensure /var/tmp partition includes the nodev option" - ansible.posix.mount: - path: /var/tmp - src: "{{ item.device }}" - state: present - fstype: "{{ item.fstype }}" - opts: defaults,{% if ubtu22cis_rule_1_1_4_2 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_4_4 %}nodev{% endif %} - notify: Remount var_tmp - with_items: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - when: - - item.mount == "/var/tmp" - - ubtu22cis_rule_1_1_4_2 or - ubtu22cis_rule_1_1_4_3 or - ubtu22cis_rule_1_1_4_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.4.2 - - rule_1.1.4.3 - - rule_1.1.4.4 - - var diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml deleted file mode 100644 index 87336843..00000000 --- a/tasks/section_1/cis_1.1.5.x.yml +++ /dev/null 
@@ -1,53 +0,0 @@ ---- - -- name: "1.1.5.1 | AUDIT | Ensure /var/log is a separate partition" - block: - - name: "1.1.5.1 | AUDIT | Ensure /var/log is a separate partition | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - - - name: "1.1.5.1 | WARN | Ensure /var/log is a separate partition | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '1.1.5.1' - required_mount: '/var/log' - when: - - required_mount not in mount_names - - ubtu22cis_rule_1_1_5_1 - tags: - - level2-server - - level2-workstation - - automated - - audit - - rule_1.1.5.1 - - varlog - -- name: | - "1.1.5.2 | PATCH | Ensure /var/log partition includes the nodev option" - "1.1.5.3 | PATCH | Ensure /var/log partition includes the noexec option" - "1.1.5.4 | PATCH | Ensure /var/log partition includes the nosuid option" - ansible.posix.mount: - path: /var/log - src: "{{ item.device }}" - state: present - fstype: "{{ item.fstype }}" - opts: defaults,{% if ubtu22cis_rule_1_1_5_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_5_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_5_4 %}nosuid{% endif %} - notify: Remount var_log - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - when: - - item.mount == "/var/log" - - ubtu22cis_rule_1_1_5_2 or - ubtu22cis_rule_1_1_5_3 or - ubtu22cis_rule_1_1_5_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.5.2 - - rule_1.1.5.3 - - rule_1.1.5.4 - - varlog diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml deleted file mode 100644 index 215db097..00000000 --- a/tasks/section_1/cis_1.1.6.x.yml +++ /dev/null 
@@ -1,53 +0,0 @@ ---- - -- name: "1.1.6.1 | AUDIT | Ensure /var/log/audit is a separate partition" - block: - - name: "1.1.6.1 | AUDIT | Ensure /var/log/audit is a separate partition | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - - - name: "1.1.6.1 | WARN | Ensure /var/log/audit is a separate partition | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '1.1.6.1' - required_mount: '/var/log/audit' - when: - - required_mount not in mount_names - - ubtu22cis_rule_1_1_6_1 - tags: - - level2-server - - level2-workstation - - automated - - audit - - rule_1.1.6.1 - - varlogaudit - -- name: | - "1.1.6.2 | PATCH | Ensure /var/log/audit partition includes the noexec option" - "1.1.6.3 | PATCH | Ensure /var/log/audit partition includes the nodev option" - "1.1.6.4 | PATCH | Ensure /var/log/audit partition includes the nosuid option" - ansible.posix.mount: - path: /var/log/audit - src: "{{ item.device }}" - state: present - fstype: "{{ item.fstype }}" - opts: defaults,{% if ubtu22cis_rule_1_1_6_2 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_6_3 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_6_4 %}nosuid{% endif %} - notify: Remount var_log_audit - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - when: - - item.mount == "/var/log/audit" - - ubtu22cis_rule_1_1_6_2 or - ubtu22cis_rule_1_1_6_3 or - ubtu22cis_rule_1_1_6_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.6.2 - - rule_1.1.6.3 - - rule_1.1.6.4 - - varlogaudit diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml deleted file mode 100644 index e644655a..00000000 --- a/tasks/section_1/cis_1.1.7.x.yml +++ /dev/null 
@@ -1,50 +0,0 @@ ---- - -- name: "1.1.7.1 | AUDIT | Ensure /home is a separate partition" - block: - - name: "1.1.7.1 | AUDIT | Ensure /home is a separate partition | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - - - name: "1.1.7.1 | WARN | Ensure /home is a separate partition | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '1.1.7.1' - required_mount: '/home' - when: - - required_mount not in mount_names - - ubtu22cis_rule_1_1_7_1 - tags: - - level2-server - - level2-workstation - - automated - - audit - - rule_1.1.7.1 - - home - -- name: | - "1.1.7.2 | PATCH | Ensure /home partition includes the nodev option" - "1.1.7.3 | PATCH | Ensure /home partition includes the nosuid option" - ansible.posix.mount: - path: /home - src: "{{ item.device }}" - state: present - fstype: "{{ item.fstype }}" - opts: defaults,{% if ubtu22cis_rule_1_1_7_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_7_3 %}nosuid,{% endif %} - notify: Remount home - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - when: - - item.mount == "/home" - - ubtu22cis_rule_1_1_7_2 or - ubtu22cis_rule_1_1_7_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.7.2 - - rule_1.1.7.3 - - home diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml deleted file mode 100644 index d2b6935c..00000000 --- a/tasks/section_1/cis_1.1.8.x.yml +++ /dev/null 
@@ -1,26 +0,0 @@ ---- - -- name: | - "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition" - "1.1.8.2 | PATCH | Ensure nosuid option set on /dev/shm partition" - "1.1.8.3 | PATCH | Ensure noexec option set on /dev/shm partition" - ansible.posix.mount: - path: /dev/shm - src: /dev/shm - fstype: tmpfs - state: present - opts: "defaults,{% if ubtu22cis_rule_1_1_8_1 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_8_2 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_8_3 %}noexec{% endif %}" - notify: Remount dev_shm - when: - - ubtu22cis_rule_1_1_8_1 or - ubtu22cis_rule_1_1_8_2 or - ubtu22cis_rule_1_1_8_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.8.1 - - rule_1.1.8.2 - - rule_1.1.8.3 - - dev_shm diff --git a/tasks/section_1/cis_1.1.9.yml b/tasks/section_1/cis_1.1.9.yml deleted file mode 100644 index 0327fefd..00000000 --- a/tasks/section_1/cis_1.1.9.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- - -- name: "1.1.9 | PATCH | Disable Automounting" - ansible.builtin.service: - name: autofs - state: stopped - enabled: false - when: - - ubtu22cis_rule_1_1_9 - - ubtu22cis_autofs_service_status.stdout == "loaded" - - not ubtu22cis_allow_autofs - tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_1.1.9 - - automounting diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml new file mode 100644 index 00000000..03e91cab --- /dev/null +++ b/tasks/section_1/cis_1.2.1.x.yml 
@@ -0,0 +1,63 @@ +--- + +- name: "1.2.1 | AUDIT | Ensure GPG keys are configured" + when: + - ubtu22cis_rule_1_2_1 + tags: + - level1-server + - level1-workstation + - audit + - rule_1.2.1 + - gpg + - keys + vars: + warn_control_id: '1.2.1' + block: + - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" + ansible.builtin.shell: apt-key list + changed_when: false + failed_when: false + check_mode: false + register: ubtu22cis_1_2_1_apt_gpgkeys + + - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" + ansible.builtin.debug: + msg: + - "Warning!! Below are the apt gpg keys configured" + - "Please review to make sure they are configured" + - "in accordance with site policy" + - "{{ ubtu22cis_1_2_1_apt_gpgkeys.stdout_lines }}" + + - name: "1.2.1 | WARN | Ensure GPG keys are configured | warn_count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "1.2.2 | AUDIT | Ensure package manager repositories are configured" + when: + - ubtu22cis_rule_1_2_2 + tags: + - level1-server + - level1-workstation + - audit + - rule_1.2.2 + - apt + vars: + warn_control_id: '1.2.2' + block: + - name: "1.2.2 | AUDIT | Ensure package manager repositories are configured | Get repositories" + ansible.builtin.shell: apt-cache policy + changed_when: false + failed_when: false + check_mode: false + register: ubtu22cis_1_2_2_apt_policy + + - name: "1.2.2 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" + ansible.builtin.debug: + msg: + - "Warning!! Below are the apt package repositories" + - "Please review to make sure they conform to your sites policies" + - "{{ ubtu22cis_1_2_2_apt_policy.stdout_lines }}" + + - name: "1.2.2 | WARN | Ensure package manager repositories are configured | warn_count" + ansible.builtin.import_tasks: + file: warning_facts.yml diff --git a/tasks/section_1/cis_1.2.2.x.yml b/tasks/section_1/cis_1.2.2.x.yml new file mode 100644 index 00000000..7f5231ee 
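Review bot: The 1.2.1 audit relies on `apt-key list`, which on Ubuntu 22.04 is deprecated and only reports the legacy trusted keyring(s); repositories whose key is pinned with `Signed-By` to a keyring under /etc/apt/keyrings do not show up, so the warning presented to the operator can be incomplete. Either supplement the listing with the contents of /etc/apt/keyrings and /etc/apt/trusted.gpg.d, or at least state the gap above the task, e.g. `# apt-key is deprecated on 22.04; Signed-By keyrings are not listed here`. Neither `apt-key list` nor `apt-cache policy` uses shell features, so `ansible.builtin.command` would satisfy ansible-lint's command-instead-of-shell rule for both tasks. The previous file carried a `manual` tag on these two controls; it is dropped here, which may be intended but is not mentioned in the commit message.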
--- /dev/null +++ b/tasks/section_1/cis_1.2.2.x.yml @@ -0,0 +1,14 @@ +--- + +- name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed" + when: + - ubtu22cis_rule_1_2_2_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.2.2.1 + - patch + ansible.builtin.package: + name: "*" + state: latest diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml deleted file mode 100644 index 578aa5f5..00000000 --- a/tasks/section_1/cis_1.2.x.yml +++ /dev/null 
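Review bot: The tags list for 1.2.2.1 contains `patch` twice, and the task itself (`name: "*"` with `state: latest`) upgrades every installed package on every run, which ansible-lint flags as `package-latest` and which a hardening role should not do unconditionally on production hosts. Consider gating it behind an explicit opt-in role variable documented in defaults, and add a comment such as `# Upgrades all packages; run only in a maintenance window` so the intent is clear. Dropping the duplicate `- patch` tag is a one-line fix.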
@@ -1,65 +0,0 @@ ---- - -- name: "1.2.1 | AUDIT | Ensure package manager repositories are configured" - block: - - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Get repositories" - ansible.builtin.shell: apt-cache policy - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_1_2_1_apt_policy - - - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" - ansible.builtin.debug: - msg: - - "Warning!! Below are the apt package repositories" - - "Please review to make sure they conform to your sites policies" - - "{{ ubtu22cis_1_2_1_apt_policy.stdout_lines }}" - - - name: "1.2.1 | WARN | Ensure package manager repositories are configured | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '1.2.1' - when: - - ubtu22cis_rule_1_2_1 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.2.1 - - apt - -- name: "1.2.2 | AUDIT | Ensure GPG keys are configured" - block: - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" - ansible.builtin.shell: apt-key list - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_1_2_2_apt_gpgkeys - - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" - ansible.builtin.debug: - msg: - - "Warning!! Below are the apt gpg keys configured" - - "Please review to make sure they are configured" - - "in accordance with site policy" - - "{{ ubtu22cis_1_2_2_apt_gpgkeys.stdout_lines }}" - - - name: "1.2.2 | WARN | Ensure GPG keys are configured | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '1.2.2' - when: - - ubtu22cis_rule_1_2_2 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_1.2.2 - - gpg - - keys 
diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml new file mode 100644 index 00000000..74dc89da --- /dev/null +++ b/tasks/section_1/cis_1.3.1.x.yml 
@@ -0,0 +1,169 @@ +--- + +- name: "1.3.1.1 | PATCH | Ensure AppArmor is installed" + when: + - ubtu22cis_rule_1_3_1_1 + - "'apparmor' not in ansible_facts.packages or + 'apparmor-utils' not in ansible_facts.packages" + tags: + - level1-server + - level1-workstation + - patch + - rule_1.3.1.1 + - apparmor + ansible.builtin.package: + name: ['apparmor', 'apparmor-utils'] + state: present + +- name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" + when: + - ubtu22cis_rule_1_3_1_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.3.1.2 + - apparmor + block: + - name: "1.3.1.2 | AUDIT | Ensure AppArmor is enabled in the bootloader configuration | Get current settings" + ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: ubtu22cis_1_3_1_2_cmdline_settings + + - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" + when: ubtu22cis_1_3_1_2_cmdline_settings.stdout is not search('apparmor=') + ansible.builtin.lineinfile: + path: /etc/default/grub + regexp: ^(GRUB_CMDLINE_LINUX=")(|apparmor=\d\s)(.*\w+") + line: \1apparmor=1 \3 + backrefs: true + notify: Grub update + + - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set security settings if none exist" + when: ubtu22cis_1_3_1_2_cmdline_settings.stdout is not search('security=') + ansible.builtin.lineinfile: + path: /etc/default/grub + regexp: ^(GRUB_CMDLINE_LINUX=")(|security=\w+\s)(.*\w+") + line: \1security=apparmor \3 + backrefs: true + notify: Grub update + + - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" + when: + - "'apparmor' not in ubtu22cis_1_3_1_2_cmdline_settings.stdout" + - "'security' not in ubtu22cis_1_3_1_2_cmdline_settings.stdout" + ansible.builtin.lineinfile: + 
path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu22cis_1_3_1_2_cmdline_settings.stdout }}"' + insertafter: '^GRUB_' + notify: Grub update + + - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Replace apparmor settings when exists" + when: + - "'apparmor' in ubtu22cis_1_3_1_2_cmdline_settings.stdout or + 'security' in ubtu22cis_1_3_1_2_cmdline_settings.stdout" + ansible.builtin.replace: + path: /etc/default/grub + regexp: "{{ item.regexp }}" + replace: "{{ item.replace }}" + with_items: + - { regexp: 'apparmor=\w+', replace: 'apparmor=1' } + - { regexp: 'security=\w+', replace: 'security=apparmor' } + notify: Grub update + +# Controls 1.3.1.4 and 1.3.1.3 target the same setting and thus should not be run together. +# Because control 1.3.1.4 is stricter than 1.3.1.3, we need to change the order -- +# control 1.3.1.4 then registers the fact that is has run and thus keeps 1.3.1.3 from running. 
+ +- name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing" + when: + - ubtu22cis_rule_1_3_1_4 + - not ubtu22cis_apparmor_disable + tags: + - level2-server + - level2-workstation + - scored + - patch + - rule_1.3.1.4 + - apparmor + block: + - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Make sure that 1.3.1.3 is not run" + ansible.builtin.set_fact: + control_1_3_1_4_was_run: true + ubtu22cis_apparmor_enforce_only: true + changed_when: false + + - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get pre apply enforce count" + ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 + changed_when: false + failed_when: false + register: ubtu22cis_1_3_1_4_pre_count + + - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Apply enforcing to /etc/apparmor.d profiles" + ansible.builtin.shell: aa-enforce /etc/apparmor.d/* + changed_when: false + failed_when: false + + - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get post apply enforce count" + ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 + changed_when: false + failed_when: false + register: ubtu22cis_1_3_1_4_post_count + + - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | This flags for idempotency" + when: ubtu22cis_1_3_1_4_pre_count.stdout != ubtu22cis_1_3_1_4_post_count.stdout + ansible.builtin.debug: + msg: Changed! 
The profiles in /etc/apparmor.d were set to enforcing + changed_when: true + +- name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode" + when: + - ubtu22cis_rule_1_3_1_3 + - not ubtu22cis_apparmor_disable + - not control_1_3_1_4_was_run + tags: + - level1-server + - level1-workstation + - patch + - rule_1.3.1.3 + - apparmor + block: + - name: "1.3.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only true for GOSS" + when: + - ubtu22cis_apparmor_mode == "enforce" + ansible.builtin.set_fact: + ubtu22cis_apparmor_enforce_only: true + changed_when: false + + - name: "1.3.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only false for GOSS" + when: + - ubtu22cis_apparmor_mode == "complain" + ansible.builtin.set_fact: + ubtu22cis_apparmor_enforce_only: false + changed_when: false + + - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get pre apply enforce count" + ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu22cis_apparmor_mode}} mode" | tr -d -c 0-9 + changed_when: false + failed_when: false + register: ubtu22cis_1_3_1_3_pre_count + + - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Apply complaining/enforcing to /etc/apparmor.d profiles" + ansible.builtin.shell: aa-{{ubtu22cis_apparmor_mode}} /etc/apparmor.d/* + changed_when: false + failed_when: false + + - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get post apply enforce count" + ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu22cis_apparmor_mode}} mode" | tr -d -c 0-9 + changed_when: false + failed_when: false + register: ubtu22cis_1_3_1_3_post_count + + - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | This flags for idempotency" + when: 
ubtu22cis_1_3_1_3_pre_count.stdout != ubtu22cis_1_3_1_3_post_count.stdout + ansible.builtin.debug: + msg: Changed! The profiles in /etc/apparmor.d were set to {{ubtu22cis_apparmor_mode}} mode + changed_when: true diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml deleted file mode 100644 index 7b1d2750..00000000 --- a/tasks/section_1/cis_1.3.x.yml +++ /dev/null 
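Review bot: `aa-enforce /etc/apparmor.d/*` and `aa-{{ubtu22cis_apparmor_mode}} /etc/apparmor.d/*` both carry `failed_when: false` and `changed_when: false`, so a genuine failure (missing apparmor-utils, an unparsable profile, or the glob hitting the abstractions/tunables/local subdirectories) is indistinguishable from success; the pre/post count comparison only detects a change in count, not an error, and the enforce run can silently leave profiles in their previous mode. The 1.3.1.3 command is also assembled from `ubtu22cis_apparmor_mode`, so an `ansible.builtin.assert` that the value is in `['enforce', 'complain']` before the block would fail loudly on a typo instead of running an unintended `aa-*` command. The 1.3.1.3 `when` references `control_1_3_1_4_was_run`, which is only set inside 1.3.1.4; unless it is defaulted in defaults/main.yml, disabling 1.3.1.4 makes 1.3.1.3 error on an undefined variable. Finally, 1.3.1.2 uses the name `Set apparmor settings if none exist` for two different tasks, which makes play output ambiguous.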
@@ -1,61 +0,0 @@ ---- - -- name: "1.3.1 | PATCH | Ensure AIDE is installed" - block: - - name: "1.3.1 | PATCH | Ensure AIDE is installed" - ansible.builtin.package: - name: ['aide', 'aide-common'] - state: present - update_cache: true - register: ubtu22cis_rule_1_3_1_aide_added - when: - - "'aide' not in ansible_facts.packages or - 'aide-common' not in ansible_facts.packages" - - - name: "1.3.1 | PATCH | Ensure AIDE is installed | Recapture packages" - ansible.builtin.package_facts: - manager: auto - when: ubtu22cis_rule_1_3_1_aide_added.skipped is not defined - - - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - ansible.builtin.shell: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db - args: - creates: /var/lib/aide/aide.db - changed_when: false - failed_when: false - async: "{{ ubtu22cis_aide_init.async }}" - poll: "{{ ubtu22cis_aide_init.poll }}" - when: not ansible_check_mode - when: - - ubtu22cis_rule_1_3_1 - - ubtu22cis_config_aide - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.3.1 - - aide - -- name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" - ansible.builtin.cron: - name: Run AIDE integrity check - cron_file: "{{ ubtu22cis_aide_cron['cron_file'] }}" - user: "{{ ubtu22cis_aide_cron['cron_user'] }}" - minute: "{{ ubtu22cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ ubtu22cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ ubtu22cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ ubtu22cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ ubtu22cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ ubtu22cis_aide_cron['aide_job'] }}" - when: - - ubtu22cis_config_aide - - ubtu22cis_rule_1_3_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.3.2 - - cron - - aide diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index bf764ef0..97bb4e09 100644 
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@@ -1,73 +1,55 @@ --- - name: "1.4.1 | PATCH | Ensure bootloader password is set" - block: - - name: "1.4.1 | PATCH | Ensure bootloader password is set" - ansible.builtin.template: - src: etc/grub.d/00_user.j2 - dest: "{{ ubtu22cis_grub_user_file }}" - owner: root - group: root - mode: '0755' - notify: Grub update - - - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot" - ansible.builtin.lineinfile: - path: "/etc/grub.d/10_linux" - regexp: '(^CLASS="--class gnu-linux --class gnu --class os).*"$' - line: '\g<1> --unrestricted"' - backrefs: true - notify: Grub update - when: not ubtu22cis_ask_passwd_to_boot when: - - ubtu22cis_set_boot_pass - - ubtu22cis_rule_1_4_1 + - ubtu22cis_set_boot_pass + - ubtu22cis_rule_1_4_1 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.4.1 - - grub - -- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" + - level1-server + - level1-workstation + - patch + - rule_1.4.1 + - grub block: - - name: "1.4.2 | AUDIT | Ensure permissions on bootloader config are configured | Check for Grub file" - ansible.builtin.stat: - path: "{{ ubtu22cis_grub_file }}" - check_mode: false - register: ubtu22cis_1_4_2_grub_cfg_status + - name: "1.4.1 | PATCH | Ensure bootloader password is set" + ansible.builtin.template: + src: etc/grub.d/00_user.j2 + dest: "{{ ubtu22cis_grub_user_file }}" + owner: root + group: root + mode: '0755' + notify: Grub update - - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | Set permissions" - ansible.builtin.file: - path: "{{ ubtu22cis_grub_file }}" - owner: root - group: root - mode: '0400' - when: - - ubtu22cis_1_4_2_grub_cfg_status.stat.exists - when: - - ubtu22cis_rule_1_4_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.4.2 - - grub + - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot" + when: not ubtu22cis_ask_passwd_to_boot + 
ansible.builtin.lineinfile: + path: "/etc/grub.d/10_linux" + regexp: '(^CLASS="--class gnu-linux --class gnu --class os).*"$' + line: '\g<1> --unrestricted"' + backrefs: true + notify: Grub update -- name: "1.4.3 | PATCH | Ensure authentication required for single user mode" - ansible.builtin.user: - name: "{{ ubtu22cis_grub_user }}" - password: "{{ ubtu22cis_grub_user_passwd }}" +- name: "1.4.2 | PATCH | Ensure access to bootloader config is configured" when: - - ubtu22cis_rule_1_4_3 - - ubtu22cis_set_grub_user_pass + - ubtu22cis_rule_1_4_2 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.4.3 - - passwd - - grub + - level1-server + - level1-workstation + - patch + - rule_1.4.2 + - grub + block: + - name: "1.4.2 | AUDIT | Ensure access to bootloader config is configured | Check for Grub file" + ansible.builtin.stat: + path: "{{ ubtu22cis_grub_file }}" + check_mode: false + register: ubtu22cis_1_4_2_grub_cfg_status + + - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | Set permissions" + when: + - ubtu22cis_1_4_2_grub_cfg_status.stat.exists + ansible.builtin.file: + path: "{{ ubtu22cis_grub_file }}" + owner: root + group: root + mode: '0400' diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 40b43edd..3ec69b6b 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml 
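Review bot: The 1.4.2 permission task sets `0400` on `{{ ubtu22cis_grub_file }}` during the play, but the `Grub update` handler notified by 1.4.1 runs at the end of the play and regenerates that file; if grub-mkconfig writes it with its own mode the `0400` may not survive the same run, which is worth verifying on a host and, if so, re-applying the file mode inside the handler. The `allow unrestricted boot` task is one-way: once `--unrestricted` has been written to /etc/grub.d/10_linux, setting `ubtu22cis_ask_passwd_to_boot` back to true does not remove it, so a comment such as `# One-way edit: --unrestricted is not removed if ubtu22cis_ask_passwd_to_boot is later set true` would save the next maintainer a surprise.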
@@ -1,127 +1,141 @@ --- - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" - ansible.posix.sysctl: - name: kernel.randomize_va_space - value: '2' - state: present - sysctl_file: "{{ ubtu22cis_sysctl_kernel_conf }}" - reload: true - sysctl_set: true - ignoreerrors: true when: - - ubtu22cis_rule_1_5_1 + - ubtu22cis_rule_1_5_1 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.5.1 - - aslr - -- name: "1.5.2 | PATCH | Ensure prelink is not installed" - block: - - name: "1.5.2 | PATCH | Ensure prelink is not installed | Restore binaries to normal" - ansible.builtin.shell: prelink -ua - changed_when: false - failed_when: false + - level1-server + - level1-workstation + - patch + - rule_1.5.1 + - aslr + ansible.posix.sysctl: + name: kernel.randomize_va_space + value: '2' + state: present + sysctl_file: "{{ ubtu22cis_sysctl_kernel_conf }}" + reload: true + sysctl_set: true + ignoreerrors: true - - name: "1.5.2 | PATCH | Ensure prelink is not installed| Remove prelink package" - ansible.builtin.package: - name: prelink - state: absent - purge: "{{ ubtu22cis_purge_apt }}" +- name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted" when: - - ubtu22cis_rule_1_5_2 - - "'prelink' in ansible_facts.packages" + - ubtu22cis_rule_1_5_2 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.5.2 - - prelink + - level1-server + - level1-workstation + - patch + - rule_1.5.2 + - ptrace + ansible.posix.sysctl: + name: kernel.yama.ptrace_scope + value: '1' + state: present + sysctl_file: "{{ ubtu22cis_sysctl_kernel_conf }}" + reload: true + sysctl_set: true + ignoreerrors: true -- name: "1.5.3 | PATCH | Ensure Automatic Error Reporting is not enabled" +- name: "1.5.3 | PATCH | Ensure core dumps are restricted" + when: + - ubtu22cis_rule_1_5_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.5.3 + - coredump block: - - name: "1.5.3 | PATCH | Ensure 
Automatic Error Reporting is not enabled | disable" - ansible.builtin.lineinfile: - path: /etc/default/apport - regexp: ^enabled - line: enabled=0 - create: true - owner: root - group: root - mode: '0644' + - name: "1.5.3 | PATCH | Ensure core dumps are restricted | kernel sysctl" + ansible.posix.sysctl: + name: fs.suid_dumpable + value: '0' + state: present + sysctl_file: "{{ ubtu22cis_sysctl_kernel_conf }}" + reload: true + sysctl_set: true + ignoreerrors: true - - name: "1.5.3 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package" - ansible.builtin.package: - name: apport - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - "'apport' in ansible_facts.packages" + - name: "1.5.3 | PATCH | Ensure core dumps are restricted | security limits" + ansible.builtin.lineinfile: + path: /etc/security/limits.d/99_zero_core.conf + regexp: '^\* hard core' + line: '* hard core 0' + create: true + owner: root + group: root + mode: '0644' + + - name: "1.5.3 | PATCH | Ensure core dumps are restricted | sysctl.conf" + ansible.builtin.lineinfile: + path: /etc/sysctl.conf + regexp: '^fs.suid_dumpable' + line: fs.suid_dumpable=0 + owner: root + group: root + mode: '0644' + notify: Reload systemctl + + - name: "1.5.3 | PATCH | Ensure core dumps are restricted | coredump.conf" + when: "'systemd-coredump' in ansible_facts.packages" + ansible.builtin.lineinfile: + path: /etc/systemd/coredump.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + create: true + owner: root + group: root + mode: '0644' + loop: + - { regexp: '^Storage', line: 'Storage=none' } + - { regexp: '^ProcessSizeMax', line: 'ProcessSizeMax=0' } + +- name: "1.5.4 | PATCH | Ensure prelink is not installed" when: - - ubtu22cis_rule_1_5_3 + - ubtu22cis_rule_1_5_4 + - "'prelink' in ansible_facts.packages" tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.5.3 - - apport - -- name: "1.5.4 | PATCH | Ensure core dumps are restricted" + - level1-server + - 
level1-workstation + - patch + - rule_1.5.4 + - prelink block: - - name: "1.5.4 | PATCH | Ensure core dumps are restricted | kernel sysctl" - ansible.posix.sysctl: - name: fs.suid_dumpable - value: '0' - state: present - sysctl_file: "{{ ubtu22cis_sysctl_kernel_conf }}" - reload: true - sysctl_set: true - ignoreerrors: true + - name: "1.5.4 | PATCH | Ensure prelink is not installed | Restore binaries to normal" + ansible.builtin.shell: prelink -ua + changed_when: false + failed_when: false - - name: "1.5.4 | PATCH | Ensure core dumps are restricted | security limits" - ansible.builtin.lineinfile: - path: /etc/security/limits.d/99_zero_core.conf - regexp: '^\* hard core' - line: '* hard core 0' - create: true - owner: root - group: root - mode: '0644' + - name: "1.5.4 | PATCH | Ensure prelink is not installed| Remove prelink package" + ansible.builtin.package: + name: prelink + state: absent + purge: "{{ ubtu22cis_purge_apt }}" - - name: "1.5.4 | PATCH | Ensure core dumps are restricted | sysctl.conf" - ansible.builtin.lineinfile: - path: /etc/sysctl.conf - regexp: '^fs.suid_dumpable' - line: fs.suid_dumpable=0 - owner: root - group: root - mode: '0644' - notify: Reload systemctl - - - name: "1.5.4 | PATCH | Ensure core dumps are restricted | coredump.conf" - ansible.builtin.lineinfile: - path: /etc/systemd/coredump.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - create: true - owner: root - group: root - mode: '0644' - loop: - - { regexp: '^Storage', line: 'Storage=none' } - - { regexp: '^ProcessSizeMax', line: 'ProcessSizeMax=0' } - when: "'systemd-coredump' in ansible_facts.packages" +- name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled" when: - - ubtu22cis_rule_1_5_4 + - ubtu22cis_rule_1_5_5 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.5.4 - - coredump + - level1-server + - level1-workstation + - patch + - rule_1.5.5 + - apport + block: + - name: "1.5.5 | PATCH | Ensure Automatic Error 
Reporting is not enabled | disable" + ansible.builtin.lineinfile: + path: /etc/default/apport + regexp: ^enabled + line: enabled=0 + create: true + owner: root + group: root + mode: '0644' + + - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package" + when: + - "'apport' in ansible_facts.packages" + ansible.builtin.package: + name: apport + state: absent + purge: "{{ ubtu22cis_purge_apt }}" diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 22cc7616..7da814cd 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml 
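Review bot: In the 1.5.3 `coredump.conf` task, `create: true` combined with `lineinfile` means that on a host where /etc/systemd/coredump.conf is absent the file is created with `Storage=none` and `ProcessSizeMax=0` but no `[Coredump]` section header, and systemd ignores assignments that appear outside a section, so the control would be reported as applied without taking effect. Writing a drop-in under /etc/systemd/coredump.conf.d/ with an explicit section header avoids both that case and the need to patch the vendor file in place. The `sysctl.conf` task also writes `fs.suid_dumpable=0` a second time alongside the `ansible.posix.sysctl` entry in `{{ ubtu22cis_sysctl_kernel_conf }}`; if the duplication is deliberate for the CIS audit, a one-line comment saying so would help.

```yaml
    - name: "1.5.3 | PATCH | Ensure core dumps are restricted | coredump.conf drop-in directory"
      when: "'systemd-coredump' in ansible_facts.packages"
      ansible.builtin.file:
        path: /etc/systemd/coredump.conf.d
        state: directory
        owner: root
        group: root
        mode: '0755'

    - name: "1.5.3 | PATCH | Ensure core dumps are restricted | coredump.conf"
      when: "'systemd-coredump' in ansible_facts.packages"
      ansible.builtin.copy:
        # drop-in file name is a suggestion; any *.conf in this directory is read
        dest: /etc/systemd/coredump.conf.d/99_cis_coredump.conf
        content: |
          [Coredump]
          Storage=none
          ProcessSizeMax=0
        owner: root
        group: root
        mode: '0644'
```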
@@ -1,172 +1,114 @@ --- -- name: "1.6.1.1 | PATCH | Ensure AppArmor is installed" - ansible.builtin.package: - name: ['apparmor', 'apparmor-utils'] - state: present +- name: "1.6.1 | PATCH | Ensure message of the day is configured properly" when: - - ubtu22cis_rule_1_6_1_1 - - "'apparmor' not in ansible_facts.packages or - 'apparmor-utils' not in ansible_facts.packages" + - ubtu22cis_rule_1_6_1 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.6.1.1 - - apparmor - -- name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" + - level1-server + - level1-workstation + - patch + - rule_1.6.1 + - motd block: - - name: "1.6.1.2 | AUDIT | Ensure AppArmor is enabled in the bootloader configuration | Get current settings" - ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_1_6_1_2_cmdline_settings - - - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" - ansible.builtin.lineinfile: - path: /etc/default/grub - regexp: ^(GRUB_CMDLINE_LINUX=")(|apparmor=\d\s)(.*\w+") - line: \1apparmor=1 \3 - backrefs: true - notify: Grub update - when: ubtu22cis_1_6_1_2_cmdline_settings.stdout is not search('apparmor=') - - - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set security settings if none exist" - ansible.builtin.lineinfile: - path: /etc/default/grub - regexp: ^(GRUB_CMDLINE_LINUX=")(|security=\w+\s)(.*\w+") - line: \1security=apparmor \3 - backrefs: true - notify: Grub update - when: ubtu22cis_1_6_1_2_cmdline_settings.stdout is not search('security=') - - - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" - ansible.builtin.lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 
'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu22cis_1_6_1_2_cmdline_settings.stdout }}"' - insertafter: '^GRUB_' - when: - - "'apparmor' not in ubtu22cis_1_6_1_2_cmdline_settings.stdout" - - "'security' not in ubtu22cis_1_6_1_2_cmdline_settings.stdout" - notify: Grub update - - - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Replace apparmor settings when exists" - ansible.builtin.replace: - path: /etc/default/grub - regexp: "{{ item.regexp }}" - replace: "{{ item.replace }}" - with_items: - - { regexp: 'apparmor=\w+', replace: 'apparmor=1' } - - { regexp: 'security=\w+', replace: 'security=apparmor' } - when: - - "'apparmor' in ubtu22cis_1_6_1_2_cmdline_settings.stdout or - 'security' in ubtu22cis_1_6_1_2_cmdline_settings.stdout" - notify: Grub update + - name: "1.6.1 | PATCH | Ensure message of the day is configured properly | motd" + ansible.builtin.template: + src: etc/motd.j2 + dest: /etc/motd + + - name: "1.6.1 | PATCH | Ensure message of the day is configured properly | disable dynamic_motd" + when: ubtu22cis_disable_dynamic_motd + ansible.builtin.lineinfile: + path: /etc/pam.d/sshd + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + backrefs: true + loop: + - { regexp: '(session\s+optional\s+pam_motd.so\s+motd=/run/motd.dynamic)', line: '# \1' } + - { regexp: '(session\s+optional\s+pam_motd.so noupdate)', line: '# \1' } + - { regexp: '# Pam_motd.so disabled for CIS benchmark', line: '# Pam_motd.so disabled for CIS benchmark' } + +- name: "1.6.2 | PATCH | Ensure local login warning banner is configured properly" when: - - ubtu22cis_rule_1_6_1_2 + - ubtu22cis_rule_1_6_2 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.6.1.2 - - apparmor - -# Controls 1.6.1.4 and 1.6.1.3 target the same setting and thus should not be run together. 
-# Because control 1.6.1.4 is stricter than 1.6.1.3, we need to change the order -- -# control 1.6.1.4 then registers the fact that is has run and thus keeps 1.6.1.3 from running. - -- name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing" + - level1-server + - level1-workstation + - patch + - rule_1.6.2 + - banner block: - - name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Make sure that 1.6.1.3 is not run" - ansible.builtin.set_fact: - control_1_6_1_4_was_run: true - ubtu22cis_apparmor_enforce_only: true - changed_when: false - - - name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get pre apply enforce count" - ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 - changed_when: false - failed_when: false - register: ubtu22cis_1_6_1_4_pre_count + - name: "1.6.2 | PATCH | Ensure local login warning banner is configured properly | issue" + ansible.builtin.template: + src: etc/issue.j2 + dest: /etc/issue - - name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Apply enforcing to /etc/apparmor.d profiles" - ansible.builtin.shell: aa-enforce /etc/apparmor.d/* - changed_when: false - failed_when: false + - name: "1.6.2 | PATCH | Ensure local login warning banner is kept on package upgrade | issue" + community.general.dpkg_divert: + path: /etc/issue - - name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get post apply enforce count" - ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 - changed_when: false - failed_when: false - register: ubtu22cis_1_6_1_4_post_count - - - name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | This flags for idempotency" - ansible.builtin.debug: - msg: Changed! 
The profiles in /etc/apparmor.d were set to enforcing - changed_when: true - when: ubtu22cis_1_6_1_4_pre_count.stdout != ubtu22cis_1_6_1_4_post_count.stdout +- name: "1.6.3 | PATCH | Ensure remote login warning banner is configured properly" when: - - ubtu22cis_rule_1_6_1_4 - - not ubtu22cis_apparmor_disable + - ubtu22cis_rule_1_6_3 tags: - - level2-server - - level2-workstation - - automated - - scored - - patch - - rule_1.6.1.4 - - apparmor - -- name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode" + - level1-server + - level1-workstation + - patch + - rule_1.6.3 + - banner block: - - name: "1.6.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only true for GOSS" - ansible.builtin.set_fact: - ubtu22cis_apparmor_enforce_only: true - changed_when: false - when: - - ubtu22cis_apparmor_mode == "enforce" - - - name: "1.6.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only false for GOSS" - ansible.builtin.set_fact: - ubtu22cis_apparmor_enforce_only: false - changed_when: false - when: - - ubtu22cis_apparmor_mode == "complain" - - name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get pre apply enforce count" - ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu22cis_apparmor_mode}} mode" | tr -d -c 0-9 - changed_when: false - failed_when: false - register: ubtu22cis_1_6_1_3_pre_count - - - name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Apply complaining/enforcing to /etc/apparmor.d profiles" - ansible.builtin.shell: aa-{{ubtu22cis_apparmor_mode}} /etc/apparmor.d/* - changed_when: false - failed_when: false + - name: "1.6.3 | PATCH | Ensure remote login warning banner is configured properly | issue.net" + ansible.builtin.template: + src: etc/issue.net.j2 + dest: /etc/issue.net - - name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles 
are in enforce or complain mode | Get post apply enforce count" - ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu22cis_apparmor_mode}} mode" | tr -d -c 0-9 - changed_when: false - failed_when: false - register: ubtu22cis_1_6_1_3_post_count + - name: "1.6.3 | PATCH | Ensure remote login warning banner is kept on package upgrade | issue.net" + community.general.dpkg_divert: + path: /etc/issue.net - - name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | This flags for idempotency" - ansible.builtin.debug: - msg: Changed! The profiles in /etc/apparmor.d were set to {{ubtu22cis_apparmor_mode}} mode - changed_when: true - when: ubtu22cis_1_6_1_3_pre_count.stdout != ubtu22cis_1_6_1_3_post_count.stdout +- name: "1.6.4 | PATCH | Ensure permissions on /etc/motd are configured" + when: + - ubtu22cis_rule_1_6_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.6.4 + - permissions + - motd + ansible.builtin.file: + path: /etc/motd + owner: root + group: root + mode: 'u-x,go-wx' + +- name: "1.6.5 | PATCH | Ensure permissions on /etc/issue are configured" + when: + - ubtu22cis_rule_1_6_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_1.6.5 + - permissions + - banner + ansible.builtin.file: + path: /etc/issue + owner: root + group: root + mode: 'u-x,go-wx' + +- name: "1.6.6 | PATCH | Ensure permissions on /etc/issue.net are configured" when: - - ubtu22cis_rule_1_6_1_3 - - not ubtu22cis_apparmor_disable - - not control_1_6_1_4_was_run + - ubtu22cis_rule_1_6_6 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.6.1.3 - - apparmor + - level1-server + - level1-workstation + - patch + - rule_1.6.6 + - permissions + - banner + ansible.builtin.file: + path: /etc/issue.net + owner: root + group: root + mode: 'u-x,go-wx' diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 298563bc..dfd75077 100644 --- a/tasks/section_1/cis_1.7.x.yml 
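Review bot: The 1.6.4 task runs `ansible.builtin.file` with `mode: 'u-x,go-wx'` and no `state`, which defaults to `file` and fails outright when the path does not exist; on Ubuntu 22.04 `/etc/motd` is not guaranteed to be present (in this hunk only the 1.6.1 template creates it, and only when `ubtu22cis_rule_1_6_1` is enabled), so running 1.6.4 on its own, or after an operator removes `/etc/motd` as the benchmark permits, errors instead of skipping. A stat guard keeps the permission fix but makes it conditional on the file being there; 1.6.5/1.6.6 have the same shape, though `/etc/issue` and `/etc/issue.net` are normally shipped by the base system. Separately, the third `pam_motd` loop item in 1.6.1 pairs `backrefs: true` with a regexp that only matches the marker comment itself, so that marker line is never written to `/etc/pam.d/sshd` unless it already exists — harmless, but dead configuration worth dropping or turning into a plain `insertafter` line.
```yaml
- name: "1.6.4 | AUDIT | Ensure permissions on /etc/motd are configured | check file exists"
  ansible.builtin.stat:
    path: /etc/motd
  register: ubtu22cis_1_6_4_motd

- name: "1.6.4 | PATCH | Ensure permissions on /etc/motd are configured"
  when:
    - ubtu22cis_rule_1_6_4
    - ubtu22cis_1_6_4_motd.stat.exists
  # … unchanged: tags and ansible.builtin.file arguments …
```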
+++ b/tasks/section_1/cis_1.7.x.yml 
@@ -1,120 +1,303 @@ --- -- name: "1.7.1 | PATCH | Ensure message of the day is configured properly" +- name: "1.7.1 | PATCH | Ensure GNOME Display Manager is removed" + ansible.builtin.package: + name: gdm3 + state: absent + when: + - ubtu22cis_rule_1_7_1 + - not ubtu22cis_desktop_required + - ubtu22cis_disruption_high + - "'gdm3' in ansible_facts.packages" + tags: + - level2-server + - patch + - rule_1.7.1 + - gnome + +- name: "1.7.2 | PATCH | Ensure GDM login banner is configured" + when: + - ubtu22cis_rule_1_7_2 + - ubtu22cis_desktop_required + tags: + - level1-server + - level1-workstation + - patch + - rule_1.7.2 + - gnome block: - - name: "1.7.1 | PATCH | Ensure message of the day is configured properly | motd" - ansible.builtin.template: - src: etc/motd.j2 - dest: /etc/motd - - - name: "1.7.1 | PATCH | Ensure message of the day is configured properly | disable dynamic_motd" - ansible.builtin.lineinfile: - path: /etc/pam.d/sshd - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - backrefs: true + - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | make directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" + owner: root + group: root + mode: '0755' + state: directory + + - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | banner settings" + ansible.builtin.lineinfile: + path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-login-screen" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: true + owner: root + group: root + mode: '0644' loop: - - { regexp: '(session\s+optional\s+pam_motd.so\s+motd=/run/motd.dynamic)', line: '# \1' } - - { regexp: '(session\s+optional\s+pam_motd.so noupdate)', line: '# \1' } - - { regexp: '# Pam_motd.so disabled for CIS benchmark', line: '# Pam_motd.so disabled for CIS benchmark' } - when: ubtu22cis_disable_dynamic_motd + - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', 
insertafter: EOF } + - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} + - { regexp: 'banner-message-text', line: "banner-message-text='{{ ubtu22cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: 'banner-message-enable' } + notify: Update dconf + +- name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled" + when: + - ubtu22cis_rule_1_7_3 + - ubtu22cis_desktop_required + tags: + - level1-server + - level1-workstation + - patch + - rule_1.7.3 + - gnome + block: + - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | make directories" + ansible.builtin.file: + path: "{{ item }}" + owner: root + group: root + mode: '0755' + state: directory + loop: + - /etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d + - /etc/dconf/profile + + - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | disable-user-list setting login-screen" + ansible.builtin.lineinfile: + path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-login-screen" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: true + owner: root + group: root + mode: '0644' + loop: + - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } + - { regexp: 'disable-user-list', line: 'disable-user-list=true', insertafter: '\[org\/gnome\/login-screen\]'} + + - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | disable-user-list setting profile" + ansible.builtin.lineinfile: + path: "/etc/dconf/profile/{{ ubtu22cis_dconf_db_name }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.insertafter }}" + create: true + owner: root + group: root + mode: '0644' + loop: + - { regexp: '^user-db:user', line: 'user-db:user', insertafter: EOF } + - { regexp: '^system-db:{{ ubtu22cis_dconf_db_name }}', line: 'system-db:{{ ubtu22cis_dconf_db_name }}', insertafter: 'user-db:user'} + 
- { regexp: '^file-db:/usr/share/gdm/greeter-dconf-defaults', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults', insertafter: 'system-db:{{ ubtu22cis_dconf_db_name }}'} + notify: Update dconf + +- name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle" + when: + - ubtu22cis_rule_1_7_4 + - ubtu22cis_desktop_required + tags: + - level1-server + - level1-workstation + - patch + - rule_1.7.4 + - gnome + block: + - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | session profile" + ansible.builtin.lineinfile: + path: "/etc/dconf/profile/{{ ubtu22cis_dconf_db_name }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertafter: "{{ item.after | default(omit) }}" + create: true + loop: + - { regexp: 'user-db:user', line: 'user-db:user' } + - { regexp: 'system-db:{{ ubtu22cis_dconf_db_name }}', line: 'system-db:{{ ubtu22cis_dconf_db_name }}', after: '^user-db.*' } + + - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | make directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" + owner: root + group: root + mode: '0755' + state: directory + notify: Update dconf + + - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | session script" + ansible.builtin.template: + src: etc/dconf/db/00-screensaver.j2 + dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-screensaver" + owner: root + group: root + mode: '0644' + notify: Update dconf + +- name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden" when: - - ubtu22cis_rule_1_7_1 + - ubtu22cis_rule_1_7_5 + - ubtu22cis_desktop_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.1 - - motd - -- name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" + - level1-server + - level1-workstation + - patch + - rule_1.7.5 + - gnome block: - - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly | issue" - 
ansible.builtin.template: - src: etc/issue.j2 - dest: /etc/issue - - - name: "1.7.2 | PATCH | Ensure local login warning banner is kept on package upgrade | issue" - community.general.dpkg_divert: - path: /etc/issue + - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: '0755' + state: directory + notify: Update dconf + + - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lockfile" + ansible.builtin.template: + src: etc/dconf/db/00-screensaver_lock.j2 + dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-screensaver" + owner: root + group: root + mode: '0644' + notify: Update dconf + +- name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" when: - - ubtu22cis_rule_1_7_2 + - ubtu22cis_rule_1_7_6 + - ubtu22cis_desktop_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.2 - - banner - -- name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" + - level1-server + - level2-workstation + - patch + - rule_1.7.6 + - gnome block: - - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly | issue.net" - ansible.builtin.template: - src: etc/issue.net.j2 - dest: /etc/issue.net - - - name: "1.7.3 | PATCH | Ensure remote login warning banner is kept on package upgrade | issue.net" - community.general.dpkg_divert: - path: /etc/issue.net + - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | make directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" + owner: root + group: root + mode: '0755' + state: directory + notify: Update dconf + + - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | session script" + ansible.builtin.template: + src: 
etc/dconf/db/00-media-automount.j2 + dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-media-automount" + owner: root + group: root + mode: '0644' + notify: Update dconf + +- name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" when: - - ubtu22cis_rule_1_7_3 + - ubtu22cis_rule_1_7_7 + - ubtu22cis_desktop_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.3 - - banner - -- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" - ansible.builtin.file: - path: /etc/motd - owner: root - group: root - mode: '0644' + - level1-server + - level2-workstation + - patch + - rule_1.7.7 + - gnome + block: + - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lock directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: '0755' + state: directory + notify: Update dconf + + - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lockfile" + ansible.builtin.template: + src: etc/dconf/db/00-automount_lock.j2 + dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-automount_lock" + owner: root + group: root + mode: '0644' + notify: Update dconf + +- name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled" when: - - ubtu22cis_rule_1_7_4 + - ubtu22cis_rule_1_7_8 + - ubtu22cis_desktop_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.4 - - permissions - - motd - -- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" - ansible.builtin.file: - path: /etc/issue - owner: root - group: root - mode: '0644' + - level1-server + - level2-workstation + - patch + - rule_1.7.8 + - gnome + block: + - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled | make directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ 
ubtu22cis_dconf_db_name }}.d" + owner: root + group: root + mode: '0755' + state: directory + notify: Update dconf + + - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled | session script" + ansible.builtin.template: + src: etc/dconf/db/00-media-autorun.j2 + dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-media-autorun" + owner: root + group: root + mode: '0644' + notify: Update dconf + +- name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden" when: - - ubtu22cis_rule_1_7_5 + - ubtu22cis_rule_1_7_9 + - ubtu22cis_desktop_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.5 - - permissions - - banner - -- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - ansible.builtin.file: - path: /etc/issue.net - owner: root - group: root - mode: '0644' + - level1-server + - level2-workstation + - patch + - rule_1.7.9 + - gnome + block: + - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden | make lock directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: '0755' + state: directory + notify: Update dconf + + - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden | make lockfile" + ansible.builtin.template: + src: etc/dconf/db/00-autorun_lock.j2 + dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-autorun_lock" + owner: root + group: root + mode: '0644' + notify: Update dconf + +- name: "1.7.10 | PATCH | Ensure XDCMP is not enabled" when: - - ubtu22cis_rule_1_7_6 + - ubtu22cis_rule_1_7_10 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.7.6 - - permissions - - banner + - level1-server + - level1-workstation + - patch + - rule_1.7.10 + - gnome + - xdcmp + ansible.builtin.lineinfile: + path: /etc/gdm3/custom.conf + regexp: '^Enable.*=.*true' + state: absent 
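Review bot: In 1.7.2 the `banner-message-text` line wraps `ubtu22cis_warning_banner` in single quotes for the dconf keyfile but only folds newlines, so a banner containing an apostrophe (common in legal wording) yields an unterminated GVariant string and `dconf update` will reject the database; escape embedded quotes before writing, e.g. add a `regex_replace("'", "\\'")` step ahead of `trim` (mind the YAML double-quoting of that filter), or document that the variable must not contain single quotes. Two smaller points in the same hunk: the 1.7.4 `session profile` task creates `/etc/dconf/profile/{{ ubtu22cis_dconf_db_name }}` via `create: true` without the `owner: root` / `group: root` / `mode: '0644'` that 1.7.3 sets on the very same file, so the resulting permissions depend on the target's umask; and the 1.7.10 task name and its `xdcmp` tag spell the protocol differently from the CIS control title and GDM's own `[xdmcp]` section (XDMCP), so an operator selecting `--tags xdmcp` will miss it.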
diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml deleted file mode 100644 index 0681df50..00000000 --- a/tasks/section_1/cis_1.8.x.yml +++ /dev/null 
@@ -1,313 +0,0 @@ ---- - -- name: "1.8.1 | PATCH | Ensure GNOME Display Manager is removed" - ansible.builtin.package: - name: gdm3 - state: absent - when: - - ubtu22cis_rule_1_8_1 - - not ubtu22cis_desktop_required - - ubtu22cis_disruption_high - - "'gdm3' in ansible_facts.packages" - tags: - - level2-server - - manual - - patch - - rule_1.8.1 - - gnome - -- name: "1.8.2 | PATCH | Ensure GDM login banner is configured" - block: - - name: "1.8.2 | PATCH | Ensure GDM login banner is configured | make directory" - ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" - owner: root - group: root - mode: '0755' - state: directory - - - name: "1.8.2 | PATCH | Ensure GDM login banner is configured | banner settings" - ansible.builtin.lineinfile: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-login-screen" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: true - owner: root - group: root - mode: '0644' - loop: - - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } - - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} - - { regexp: 'banner-message-text', line: "banner-message-text='{{ ubtu22cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: 'banner-message-enable' } - notify: Update dconf - when: - - ubtu22cis_rule_1_8_2 - - ubtu22cis_desktop_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.8.2 - - gnome - -- name: "1.8.3 | PATCH | Ensure disable-user-list is enabled" - block: - - name: "1.8.3 | PATCH | Ensure disable-user-list is enabled | make directories" - ansible.builtin.file: - path: "{{ item }}" - owner: root - group: root - mode: '0755' - state: directory - loop: - - /etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d - - /etc/dconf/profile - - - name: "1.8.3 | PATCH | Ensure disable-user-list is enabled | 
disable-user-list setting login-screen" - ansible.builtin.lineinfile: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-login-screen" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: true - owner: root - group: root - mode: '0644' - loop: - - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } - - { regexp: 'disable-user-list', line: 'disable-user-list=true', insertafter: '\[org\/gnome\/login-screen\]'} - - - name: "1.8.3 | PATCH | Ensure disable-user-list is enabled | disable-user-list setting profile" - ansible.builtin.lineinfile: - path: "/etc/dconf/profile/{{ ubtu22cis_dconf_db_name }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - create: true - owner: root - group: root - mode: '0644' - loop: - - { regexp: '^user-db:user', line: 'user-db:user', insertafter: EOF } - - { regexp: '^system-db:{{ ubtu22cis_dconf_db_name }}', line: 'system-db:{{ ubtu22cis_dconf_db_name }}', insertafter: 'user-db:user'} - - { regexp: '^file-db:/usr/share/gdm/greeter-dconf-defaults', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults', insertafter: 'system-db:{{ ubtu22cis_dconf_db_name }}'} - notify: Update dconf - when: - - ubtu22cis_rule_1_8_3 - - ubtu22cis_desktop_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.8.3 - - gnome - -- name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle" - block: - - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | session profile" - ansible.builtin.lineinfile: - path: "/etc/dconf/profile/{{ ubtu22cis_dconf_db_name }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.after | default(omit) }}" - create: true - loop: - - { regexp: 'user-db:user', line: 'user-db:user' } - - { regexp: 'system-db:{{ ubtu22cis_dconf_db_name }}', line: 'system-db:{{ ubtu22cis_dconf_db_name }}', after: 
'^user-db.*' } - - - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | make directory" - ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" - owner: root - group: root - mode: '0755' - state: directory - notify: Update dconf - - - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | session script" - ansible.builtin.template: - src: etc/dconf/db/00-screensaver.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-screensaver" - owner: root - group: root - mode: '0644' - notify: Update dconf - when: - - ubtu22cis_rule_1_8_4 - - ubtu22cis_desktop_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.8.4 - - gnome - -- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden" - block: - - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory" - ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks" - owner: root - group: root - mode: '0755' - state: directory - notify: Update dconf - - - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lockfile" - ansible.builtin.template: - src: etc/dconf/db/00-screensaver_lock.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-screensaver" - owner: root - group: root - mode: '0644' - notify: Update dconf - when: - - ubtu22cis_rule_1_8_5 - - ubtu22cis_desktop_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.8.5 - - gnome - -- name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" - block: - - name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | make directory" - ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" - owner: root - group: root - mode: '0755' - state: directory - notify: Update dconf - - - name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is 
disabled | session script" - ansible.builtin.template: - src: etc/dconf/db/00-media-automount.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-media-automount" - owner: root - group: root - mode: '0644' - notify: Update dconf - when: - - ubtu22cis_rule_1_8_6 - - ubtu22cis_desktop_required - tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_1.8.6 - - gnome - -- name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" - block: - - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lock directory" - ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks" - owner: root - group: root - mode: '0755' - state: directory - notify: Update dconf - - - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lockfile" - ansible.builtin.template: - src: etc/dconf/db/00-automount_lock.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-automount_lock" - owner: root - group: root - mode: '0644' - notify: Update dconf - when: - - ubtu22cis_rule_1_8_7 - - ubtu22cis_desktop_required - tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_1.8.7 - - gnome - -- name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled" - block: - - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | make directory" - ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" - owner: root - group: root - mode: '0755' - state: directory - notify: Update dconf - - - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | session script" - ansible.builtin.template: - src: etc/dconf/db/00-media-autorun.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-media-autorun" - owner: root - group: root - mode: '0644' - notify: Update dconf - when: - - ubtu22cis_rule_1_8_8 - - ubtu22cis_desktop_required - tags: - - 
level1-server - - level2-workstation - - automated - - patch - - rule_1.8.8 - - gnome - -- name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden" - block: - - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | make lock directory" - ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks" - owner: root - group: root - mode: '0755' - state: directory - notify: Update dconf - - - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | make lockfile" - ansible.builtin.template: - src: etc/dconf/db/00-autorun_lock.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-autorun_lock" - owner: root - group: root - mode: '0644' - notify: Update dconf - when: - - ubtu22cis_rule_1_8_9 - - ubtu22cis_desktop_required - tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_1.8.9 - - gnome - -- name: "1.8.10 | PATCH | Ensure XDCMP is not enabled" - ansible.builtin.lineinfile: - path: /etc/gdm3/custom.conf - regexp: '^Enable.*=.*true' - state: absent - when: - - ubtu22cis_rule_1_8_10 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.8.10 - - gnome - - xdcmp diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml deleted file mode 100644 index 8d43f42a..00000000 --- a/tasks/section_1/cis_1.9.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- - -- name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" - ansible.builtin.package: - name: "*" - state: latest - when: - - ubtu22cis_rule_1_9 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_1.9 - - patch diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index aebcb187..137b9593 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
@@ -1,88 +1,75 @@ --- -- name: "SECTION | 1.1.1 | Disable Unused Filesystems" +- name: "SECTION | 1.1.1 | Configure Filesystem Kernel Modules" ansible.builtin.import_tasks: - file: cis_1.1.1.x.yml + file: cis_1.1.1.x.yml when: not system_is_container -- name: "SECTION | 1.1.2 | configure /tmp" +- name: "SECTION | 1.1.2.1 | Configure /tmp" ansible.builtin.import_tasks: - file: cis_1.1.2.x.yml + file: cis_1.1.2.1.x.yml when: not system_is_container -- name: "SECTION | 1.1.3 | configure /var" +- name: "SECTION | 1.1.2.2 | Configure /dev/shm" ansible.builtin.import_tasks: - file: cis_1.1.3.x.yml + file: cis_1.1.2.2.x.yml when: not system_is_container -- name: "SECTION | 1.1.4 | configure /var/tmp" +- name: "SECTION | 1.1.2.3 | Configure /home" ansible.builtin.import_tasks: - file: cis_1.1.4.x.yml + file: cis_1.1.2.3.x.yml -- name: "SECTION | 1.1.5 | configure /var/log" +- name: "SECTION | 1.1.2.4 | Configure /var" ansible.builtin.import_tasks: - file: cis_1.1.5.x.yml + file: cis_1.1.2.4.x.yml when: not system_is_container -- name: "SECTION | 1.1.6 | configure /var/log/audit" +- name: "SECTION | 1.1.2.5 | Configure /var/tmp" ansible.builtin.import_tasks: - file: cis_1.1.6.x.yml + file: cis_1.1.2.5.x.yml when: not system_is_container -- name: "SECTION | 1.1.7 | configure /home" +- name: "SECTION | 1.1.2.6 | Configure /var/log" ansible.builtin.import_tasks: - file: cis_1.1.7.x.yml + file: cis_1.1.2.6.x.yml when: not system_is_container -- name: "SECTION | 1.1.8 | configure /dev/shm" +- name: "SECTION | 1.1.2.7 | Configure /var/log/audit" ansible.builtin.import_tasks: - file: cis_1.1.8.x.yml + file: cis_1.1.2.7.x.yml when: not system_is_container -- name: "SECTION | 1.1.9 | configure software updates" +- name: "SECTION | 1.2.1 | Configure Package Repositories" ansible.builtin.import_tasks: - file: cis_1.1.9.yml + file: cis_1.2.1.x.yml when: not system_is_container -- name: "SECTION | 1.1.10 | Disable USB storage" +- name: "SECTION | 1.2.2 | Configure Package Updates" 
ansible.builtin.import_tasks: - file: cis_1.1.10.yml + file: cis_1.2.2.x.yml when: not system_is_container -- name: "SECTION | 1.2 | Configure Software Updates" +- name: "SECTION | 1.3 | Configure AppArmor" ansible.builtin.import_tasks: - file: cis_1.2.x.yml + file: cis_1.3.1.x.yml when: not system_is_container -- name: "SECTION | 1.3. | Filesystem Integrity Checking" +- name: "SECTION | 1.4 | Configure Bootloader" ansible.builtin.import_tasks: - file: cis_1.3.x.yml + file: cis_1.4.x.yml -- name: "SECTION | 1.4 | Secure Boot Settings" +- name: "SECTION | 1.5 | Configure Additional Process Hardening" ansible.builtin.import_tasks: - file: cis_1.4.x.yml - -- name: "SECTION | 1.5 | Additional Process Hardening" - ansible.builtin.import_tasks: - file: cis_1.5.x.yml + file: cis_1.5.x.yml when: not system_is_container -- name: "SECTION | 1.6 | Mandatory Access Control" - ansible.builtin.import_tasks: - file: cis_1.6.x.yml - -- name: "SECTION | 1.7 | Command Line Warning Banners" +- name: "SECTION | 1.6 | Command Line Warning Banners" ansible.builtin.import_tasks: - file: cis_1.7.x.yml + file: cis_1.6.x.yml -- name: "SECTION | 1.8 | GNOME Display Manager" - ansible.builtin.import_tasks: - file: cis_1.8.x.yml +- name: "SECTION | 1.7 | Configure DNOME Display Manager" when: - - "'gdm3' in ansible_facts.packages" - - not system_is_container - -- name: "SECTION | 1.9 | Ensure updates, patches, and additional security software are installed" + - "'gdm3' in ansible_facts.packages" + - not system_is_container ansible.builtin.import_tasks: - file: cis_1.9.yml - when: not system_is_container + file: cis_1.7.x.yml diff --git a/tasks/section_2/cis_2.1.1.x.yml b/tasks/section_2/cis_2.1.1.x.yml deleted file mode 100644 index 5ff7c933..00000000 --- a/tasks/section_2/cis_2.1.1.x.yml +++ /dev/null 
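Review bot: The new 1.7 section name on the new side carries a typo, `DNOME` for `GNOME`; it should read `- name: "SECTION | 1.7 | Configure GNOME Display Manager"`. Separately, the `/home` import (1.1.2.3) is the only 1.1.2.x section on the new side without `when: not system_is_container`, whereas the old 1.1.7 `/home` import did have that guard; this looks like an artefact of reusing the old 1.1.4 slot rather than a deliberate change. If container hosts are still meant to skip it, add `when: not system_is_container` under that import as for 1.1.2.1 and 1.1.2.2.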
@@ -1,40 +0,0 @@
----
-
-- name: "2.1.1.1 | PATCH | Ensure a single time synchronization daemon is in use"
- block:
- - name: "2.1.1.1 | PATCH | Ensure a single time synchronization daemon is in use | Pkg installed"
- ansible.builtin.package:
- name: "{{ ubtu22cis_time_sync_tool }}"
- state: present
-
- - name: "2.1.1.1 | PATCH | Ensure a single time synchronization daemon is in use | other pkgs removed"
- ansible.builtin.package:
- name: "{{ item }}"
- state: absent
- loop:
- - chrony
- - ntp
- when: item != ubtu22cis_time_sync_tool
-
- - name: "2.1.1.1 | PATCH | Ensure a single time synchronization daemon is in use | mask service"
- ansible.builtin.service:
- name: systemd-timesyncd
- state: stopped
- enabled: false
- masked: true
- daemon_reload: true
- when:
- - ubtu22cis_time_sync_tool != "systemd-timesyncd"
- - "'systemd-timesyncd' in ansible_facts.packages"
-
- when:
- - ubtu22cis_rule_2_1_1_1
- tags:
- - level1-server
- - level1-workstation
- - automated
- - patch
- - rule_2.1.1.1
- - chrony
- - ntp
- - systemd-timesyncd
diff --git a/tasks/section_2/cis_2.1.2.x.yml b/tasks/section_2/cis_2.1.2.x.yml
deleted file mode 100644
index a58e69a2..00000000
--- a/tasks/section_2/cis_2.1.2.x.yml
+++ /dev/null
@@ -1,57 +0,0 @@
----
-
-- name: "2.1.2.1 | PATCH | Ensure chrony is configured with authorized timeserver"
- block:
- - name: "2.1.2.1 | PATCH | Ensure chrony is configured with authorized timeserver | sources"
- ansible.builtin.template:
- src: "{{ item }}.j2"
- dest: "/{{ item }}"
- mode: '0644'
- owner: root
- group: root
- loop:
- - etc/chrony/sources.d/pool.sources
- - etc/chrony/sources.d/server.sources
- notify: Restart timeservice
-
- - name: "2.1.2.1 | PATCH | Ensure chrony is configured with authorized timeserver | load sources"
- ansible.builtin.lineinfile:
- path: /etc/chrony/chrony.conf
- regexp: '^sourcedir /etc/chrony/sources.d'
- line: sourcedir /etc/chrony/sources.d
- notify: Restart timeservice
- when:
- - ubtu22cis_rule_2_1_2_1
- tags:
- - level1-server
- - level1-workstation
- - patch
- - rule_2.1.2.1
- - chrony
-
-- name: "2.1.2.2 | PATCH | Ensure chrony is running as user _chrony"
- ansible.builtin.lineinfile:
- path: /etc/chrony/chrony.conf
- regexp: '^user _chrony'
- line: 'user _chrony'
- when:
- - ubtu22cis_rule_2_1_2_2
- tags:
- - level1-server
- - level1-workstation
- - patch
- - rule_2.1.2.2
- - chrony
-
-- name: "2.1.2.3 | PATCH | Ensure chrony is enabled and running"
- ansible.builtin.systemd:
- name: chrony
- state: started
- enabled: true
- when:
- - ubtu22cis_rule_2_1_2_3
- tags:
- - level1-server
- - level1-workstation
- - rule_2.1.2.3
- - chrony
diff --git a/tasks/section_2/cis_2.1.3.x.yml b/tasks/section_2/cis_2.1.3.x.yml
deleted file mode 100644
index a1a39efe..00000000
--- a/tasks/section_2/cis_2.1.3.x.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-
-- name: "2.1.3.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver"
- block:
- - name: "2.1.3.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver | create conf.d dir"
- ansible.builtin.file:
- path: /etc/systemd/timesyncd.conf.d
- owner: root
- group: root
- mode: '0755'
- state: directory
-
- - name: "2.1.3.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver | sources"
- ansible.builtin.template:
- src: "{{ item }}.j2"
- dest: "/{{ item }}"
- mode: '0644'
- owner: root
- group: root
- loop:
- - "etc/systemd/timesyncd.conf.d/50-timesyncd.conf"
- notify: Restart timeservice
- when:
- - ubtu22cis_rule_2_1_3_1
- tags:
- - level1-server
- - level1-workstation
- - patch
- - rule_2.1.3.1
- - timesyncd
-
-- name: "2.1.3.2 | PATCH | Ensure systemd-timesyncd is enabled and running"
- ansible.builtin.systemd:
- name: systemd-timesyncd
- state: started
- enabled: true
- masked: false
- when:
- - ubtu22cis_rule_2_1_3_2
- tags:
- - level1-server
- - level1-workstation
- - rule_2.1.3.2
- - timesyncd
diff --git a/tasks/section_2/cis_2.1.4.x.yml b/tasks/section_2/cis_2.1.4.x.yml
deleted file mode 100644
index 869ade0b..00000000
--- a/tasks/section_2/cis_2.1.4.x.yml
+++ /dev/null
@@ -1,78 +0,0 @@
----
-
-- name: "2.1.4.1 | PATCH | Ensure ntp access control is configured "
- ansible.builtin.lineinfile:
- path: /etc/ntp.conf
- regexp: '^(restrict) (|{{ item }}) .*$'
- line: 'restrict {{ item }} default kod nomodify notrap nopeer noquery'
- loop:
- - '-4'
- - '-6'
- notify: Restart timeservice
- when:
- - ubtu22cis_rule_2_1_4_1
- tags:
- - level1-server
- - level1-workstation
- - patch
- - rule_2.1.4.1
- - ntp
-
-- name: "2.1.4.2 | PATCH | Ensure ntp is configured with authorized timeserver"
- block:
- - name: "2.1.4.2 | PATCH | Ensure ntp is configured with authorized timeserver | pool"
- ansible.builtin.lineinfile:
- path: /etc/ntp.conf
- regexp: '^pool.*'
- line: 'pool {{ item.name }} {{ item.options }}'
- notify: Restart timeservice
- loop: "{{ ubtu22cis_time_pool }}"
- loop_control:
- label: "{{ item.name }}"
-
- - name: "2.1.4.2 | PATCH | Ensure ntp is configured with authorized timeserver | servers"
- ansible.builtin.lineinfile:
- path: /etc/ntp.conf
- insertafter: '^server'
- line: 'server {{ item.name }} {{ item.options }}'
- loop: "{{ ubtu22cis_time_servers }}"
- loop_control:
- label: "{{ item.name }}"
- notify: Restart timeservice
- when:
- - ubtu22cis_rule_2_1_4_2
- tags:
- - level1-server
- - level1-workstation
- - patch
- - rule_2.1.4.2
- - ntp
-
-- name: "2.1.4.3 | PATCH | Ensure ntp is running as user ntp"
- ansible.builtin.lineinfile:
- path: /etc/init.d/ntp
- regexp: '^RUNASUSER.*'
- line: 'RUNASUSER=ntp'
- notify: Restart timeservice
- when:
- - ubtu22cis_rule_2_1_4_3
- tags:
- - level1-server
- - level1-workstation
- - patch
- - rule_2.1.4.3
- - ntp
-
-- name: "2.1.4.4 | PATCH | Ensure ntp is enabled and running"
- ansible.builtin.systemd:
- name: ntp
- state: started
- enabled: true
- masked: false
- when:
- - ubtu22cis_rule_2_1_4_4
- tags:
- - level1-server
- - level1-workstation
- - rule_2.1.4.4
- - ntp
diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml
new file mode 100644
index 00000000..2c0eacf7
--- /dev/null
+++ b/tasks/section_2/cis_2.1.x.yml
@@ -0,0 +1,699 @@
+---
+
+- name: "2.1.1 | PATCH | Ensure autofs services are not in use"
+ when:
+ - ubtu22cis_rule_2_1_1
+ - "'autofs' in ansible_facts.packages"
+ tags:
+ - level1-server
+ - level2-workstation
+ - patch
+ - rule_2.1.1
+ block:
+ - name: "2.1.1 | PATCH | Ensure autofs services are not in use | Remove Package"
+ when:
+ - not ubtu22cis_autofs_services
+ - not ubtu22cis_autofs_mask
+ ansible.builtin.package:
+ name: autofs
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.1 | PATCH | Ensure autofs services are not in use | Mask service"
+ when:
+ - not ubtu22cis_autofs_services
+ - ubtu22cis_autofs_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: autofs
+ enabled: false
+ state: stopped
+ masked: true
+
+- name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
+ when:
+ - ubtu22cis_rule_2_1_2
+ - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
+ tags:
+ - level1-server
+ - level2-workstation
+ - patch
+ - avahi
+ - rule_2.1.2
+ block:
+ - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Remove package"
+ when:
+ - not ubtu22cis_avahi_server
+ - not ubtu22cis_avahi_mask
+ ansible.builtin.package:
+ name:
+ - avahi-autoipd
+ - avahi
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Mask service"
+ when:
+ - not ubtu22cis_avahi_server
+ - ubtu22cis_avahi_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: "{{ item }}"
+ enabled: false
+ state: stopped
+ masked: true
+ loop:
+ - avahi-daemon.socket
+ - avahi-daemon.service
+
+- name: "2.1.3 | PATCH | Ensure dhcp server services are not in use"
+ when:
+ - "'dhcp-server' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - dhcp
+ - rule_2.1.3
+ block:
+ - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use | Remove package"
+ when:
+ - not ubtu22cis_dhcp_server
+ - not ubtu22cis_dhcp_mask
+ ansible.builtin.package:
+ name: dhcp-server
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use | Mask service"
+ when:
+ - not ubtu22cis_dhcp_server
+ - ubtu22cis_dhcp_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: "{{ item }}"
+ enabled: false
+ state: stopped
+ masked: true
+ loop:
+ - dhcpd.service
+ - dhcpd6.service
+
+- name: "2.1.4 | PATCH | Ensure dns server services are not in use"
+ when:
+ - "'bind' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - dns
+ - rule_2.1.4
+ block:
+ - name: "2.1.4 | PATCH | Ensure dns server services are not in use | Remove package"
+ when:
+ - not ubtu22cis_dns_server
+ - not ubtu22cis_dns_mask
+ ansible.builtin.package:
+ name: bind
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.4 | PATCH | Ensure dns server services are not in use | Mask service"
+ when:
+ - not ubtu22cis_dns_server
+ - ubtu22cis_dns_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: named.service
+ enabled: false
+ state: stopped
+ masked: true
+
+- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
+ when:
+ - "'dnsmasq' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_5
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - dns
+ - rule_2.1.5
+ block:
+ - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Remove package"
+ when:
+ - not ubtu22cis_dnsmasq_server
+ - not ubtu22cis_dnsmasq_mask
+ ansible.builtin.package:
+ name: dnsmasq
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Mask service"
+ when:
+ - not ubtu22cis_dnsmasq_server
+ - ubtu22cis_dnsmasq_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: dnsmasq.service
+ enabled: false
+ state: stopped
+ masked: true
+
+- name: "2.1.6 | PATCH | Ensure ftp server services are not in use"
+ when:
+ - "'ftp' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_6
+ tags:
+ - level1-server
+ - level1-workstation
+ - automation
+ - patch
+ - ftp
+ - rule_2.1.6
+ block:
+ - name: "2.1.6 | PATCH | Ensure ftp server services are not in use | Remove package"
+ when:
+ - not ubtu22cis_ftp_server
+ - not ubtu22cis_ftp_mask
+ ansible.builtin.package:
+ name: vsftpd
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.6 | PATCH | Ensure ftp server services are not in use | Mask service"
+ when:
+ - not ubtu22cis_ftp_server
+ - ubtu22cis_ftp_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: vsftpd.service
+ enabled: false
+ state: stopped
+ masked: true
+
+- name: "2.1.7 | PATCH | Ensure ldap server services are not in use"
+ when:
+ - "'slapd' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_7
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - ldap
+ - rule_2.1.7
+ block:
+ - name: "2.1.7 | PATCH | Ensure ldap server services are not in use | Remove package"
+ when:
+ - not ubtu22cis_ldap_server
+ - not ubtu22cis_ldap_mask
+ ansible.builtin.package:
+ name: slapd
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.7 | PATCH | Ensure ldap server services are not in use | Mask service"
+ when:
+ - not ubtu22cis_ldap_server
+ - ubtu22cis_ldap_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: slapd.service
+ enabled: false
+ state: stopped
+ masked: true
+
+- name: "2.1.8 | PATCH | Ensure message access server services are not in use"
+ when:
+ - "'dovecot-pop3d' in ansible_facts.packages or 'dovecot-imapd' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_8
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - dovecot
+ - imap
+ - pop3
+ - rule_2.1.8
+ block:
+ - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Remove package"
+ when:
+ - not ubtu22cis_message_server
+ - not ubtu22cis_message_mask
+ ansible.builtin.package:
+ name:
+ - dovecot-pop3d
+ - dovecot-imapd
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service"
+ when:
+ - not ubtu22cis_message_server
+ - ubtu22cis_message_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: "{{ item }}"
+ enabled: false
+ state: stopped
+ masked: true
+ loop:
+ - "dovecot.socket"
+ - "dovecot.service"
+
+- name: "2.1.9 | PATCH | Ensure network file system services are not in use"
+ when:
+ - "'nfs-kernel-server' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_9
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - nfs
+ - services
+ - rule_2.1.9
+ block:
+ - name: "2.1.9 | PATCH | Ensure network file system services are not in use | Remove package"
+ when:
+ - not ubtu22cis_nfs_server
+ - not ubtu22cis_nfs_mask
+ ansible.builtin.package:
+ name: nfs-kernel-server
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.9 | PATCH | Ensure network file system services are not in use | Mask service"
+ when:
+ - not ubtu22cis_nfs_server
+ - ubtu22cis_nfs_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: nfs-server.service
+ enabled: false
+ state: stopped
+ masked: true
+
+- name: "2.1.10 | PATCH | Ensure nis server services are not in use"
+ when:
+ - "'ypserv' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_10
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - nis
+ - rule_2.1.10
+ notify: Systemd_daemon_reload
+ block:
+ - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Remove package"
+ when:
+ - not ubtu22cis_nis_server
+ - not ubtu22cis_nis_mask
+ ansible.builtin.package:
+ name: ypserv
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Mask service"
+ when:
+ - not ubtu22cis_nis_server
+ - ubtu22cis_nis_mask
+ ansible.builtin.systemd:
+ name: ypserv.service
+ enabled: false
+ state: stopped
+ masked: true
+
+- name: "2.1.11 | PATCH | Ensure print server services are not in use"
+ when:
+ - "'cups' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_11
+ tags:
+ - level1-server
+ - patch
+ - cups
+ - rule_2.1.11
+ block:
+ - name: "2.1.11 | PATCH | Ensure print server services are not in use | Remove package"
+ when:
+ - not ubtu22cis_print_server
+ - not ubtu22cis_print_mask
+ ansible.builtin.package:
+ name: cups
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.11 | PATCH | Ensure print server services are not in use | Mask service"
+ when:
+ - not ubtu22cis_print_server
+ - ubtu22cis_print_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: "{{ item }}"
+ enabled: false
+ state: stopped
+ masked: true
+ loop:
+ - "cups.socket"
+ - "cups.service"
+
+- name: "2.1.12 | PATCH | Ensure rpcbind services are not in use"
+ when:
+ - "'rpcbind' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_12
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rpc
+ - rule_2.1.12
+ block:
+ - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use | Remove package"
+ when:
+ - not ubtu22cis_rpc_server
+ - not ubtu22cis_rpc_mask
+ ansible.builtin.package:
+ name: rpcbind
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use | Mask service"
+ when:
+ - not ubtu22cis_rpc_server
+ - ubtu22cis_rpc_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: "{{ item }}"
+ enabled: false
+ state: stopped
+ masked: true
+ loop:
+ - rpcbind.service
+ - rpcbind.socket
+
+- name: "2.1.13 | PATCH | Ensure rsync services are not in use"
+ when:
+ - "'rsync-daemon' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_13
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rsync
+ - rule_2.1.13
+ block:
+ - name: "2.1.13 | PATCH | Ensure rsync services are not in use | Remove package"
+ when:
+ - not ubtu22cis_rsync_server
+ - not ubtu22cis_rsync_mask
+ ansible.builtin.package:
+ name: rsync
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.13 | PATCH | Ensure rsync services are not in use | Mask service"
+ when:
+ - not ubtu22cis_rsync_server
+ - ubtu22cis_rsync_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: rsyncd.service
+ enabled: false
+ state: stopped
+ masked: true
+
+- name: "2.1.14 | PATCH | Ensure samba file server services are not in use"
+ when:
+ - "'samba' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_14
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - samba
+ - rule_2.1.14
+ block:
+ - name: "2.1.14 | PATCH | Ensure samba file server services are not in use | Remove package"
+ when:
+ - not ubtu22cis_samba_server
+ - not ubtu22cis_samba_mask
+ ansible.builtin.package:
+ name: samba
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.14 | PATCH | Ensure samba file server services are not in use | Mask service"
+ when:
+ - not ubtu22cis_samba_server
+ - ubtu22cis_samba_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: smbd.service
+ enabled: false
+ state: stopped
+ masked: true
+
+- name: "2.1.15 | PATCH | Ensure snmp services are not in use"
+ when:
+ - "'snmpd' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_15
+ tags:
+ - level1-server
+ - level1-workstation
+ - automation
+ - patch
+ - samba
+ - rule_2.1.15
+ block:
+ - name: "2.1.15 | PATCH | Ensure snmp services are not in use | Remove package"
+ when:
+ - not ubtu22cis_snmp_server
+ - not ubtu22cis_snmp_mask
+ ansible.builtin.package:
+ name: snmpd
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.15 | PATCH | Ensure snmp services are not in use | Mask service"
+ when:
+ - not ubtu22cis_snmp_server
+ - ubtu22cis_snmp_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: snmpd.service
+ enabled: false
+ state: stopped
+ masked: true
+
+- name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
+ when:
+ - "'tftpd-hpa' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_16
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - tftp
+ - rule_2.1.16
+ block:
+ - name: "2.1.16 | PATCH | Ensure tftp server services are not in use | Remove package"
+ when:
+ - not ubtu22cis_tftp_server
+ - not ubtu22cis_tftp_mask
+ ansible.builtin.package:
+ name: tftpd-hpa
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.16 | PATCH | Ensure tftp server services are not in use | Mask service"
+ when:
+ - not ubtu22cis_tftp_server
+ - ubtu22cis_tftp_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: tftpd-hpa.service
+ enabled: false
+ state: stopped
+ masked: true
+
+- name: "2.1.17 | PATCH | Ensure web proxy server services are not in use"
+ when:
+ - "'squid' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_17
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - squid
+ - rule_2.1.17
+ block:
+ - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use | Remove package"
+ when:
+ - not ubtu22cis_squid_server
+ - not ubtu22cis_squid_mask
+ ansible.builtin.package:
+ name: squid
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use | Mask service"
+ when:
+ - not ubtu22cis_squid_server
+ - ubtu22cis_squid_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: squid.service
+ enabled: false
+ state: stopped
+ masked: true
+
+- name: "2.1.18 | PATCH | Ensure web server services are not in use"
+ when:
+ - ubtu22cis_rule_2_1_18
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - httpd
+ - nginx
+ - webserver
+ - rule_2.1.18
+ block:
+ - name: "2.1.18 | PATCH | Ensure web server services are not in use | Remove httpd server"
+ when:
+ - not ubtu22cis_httpd_server
+ - not ubtu22cis_httpd_mask
+ - "'httpd' in ansible_facts.packages"
+ ansible.builtin.package:
+ name: httpd
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.18 | PATCH | Ensure web server services are not in use | Remove nginx server"
+ when:
+ - not ubtu22cis_nginx_server
+ - not ubtu22cis_nginx_mask
+ - "'nginx' in ansible_facts.packages"
+ ansible.builtin.package:
+ name: nginx
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask httpd service"
+ when:
+ - not ubtu22cis_httpd_server
+ - ubtu22cis_httpd_mask
+ - "'httpd' in ansible_facts.packages"
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: httpd.service
+ enabled: false
+ state: stopped
+ masked: true
+
+ - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service"
+ when:
+ - not ubtu22cis_nginx_server
+ - ubtu22cis_nginx_mask
+ - "'nginx' in ansible_facts.packages"
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: ngnix.service
+ enabled: false
+ state: stopped
+ masked: true
+
+- name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
+ when:
+ - "'xinetd' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_19
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - xinetd
+ - rule_2.1.19
+ block:
+ - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Remove package"
+ when:
+ - not ubtu22cis_xinetd_server
+ - not ubtu22cis_xinetd_mask
+ ansible.builtin.package:
+ name: xinetd
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+ - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Mask service"
+ when:
+ - not ubtu22cis_xinetd_server
+ - ubtu22cis_xinetd_mask
+ notify: Systemd_daemon_reload
+ ansible.builtin.systemd:
+ name: xinetd.service
+ enabled: false
+ state: stopped
+ masked: true
+
+- name: "2.1.20 | PATCH | Ensure X window server services are not in use"
+ when:
+ - not ubtu22cis_xwindow_server
+ - "'xorg-x11-server-common' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_20
+ tags:
+ - level2-server
+ - patch
+ - xwindow
+ - rule_2.1.20
+ ansible.builtin.package:
+ name: xorg-x11-server-common
+ state: absent
+ purge: "{{ ubtu22cis_purge_apt }}"
+
+- name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode"
+ when:
+ - not ubtu22cis_is_mail_server
+ - "'postfix' in ansible_facts.packages"
+ - ubtu22cis_rule_2_1_21
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - postfix
+ - rule_2.1.21
+ notify: Restart_postfix
+ ansible.builtin.lineinfile:
+ path: /etc/postfix/main.cf
+ regexp: "^(#)?inet_interfaces"
+ line: "inet_interfaces = loopback-only"
+
+- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface"
+ when:
+ - ubtu22cis_rule_2_1_22
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - services
+ - rule_2.1.22
+ vars:
+ warn_control_id: '2.1.22'
+ block:
+ - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services"
+ ansible.builtin.shell: systemctl list-units --type=service
+ changed_when: false
+ failed_when: ubtu22cis_2_1_22_services.rc not in [ 0, 1 ]
+ check_mode: false
+ register: ubtu22cis_2_1_22_services
+
+ - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Display list of services"
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! Below are the list of services, both active and inactive"
+ - "Please review to make sure all are essential"
+ - "{{ ubtu22cis_2_1_22_services.stdout_lines }}"
+
+ - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Warn Count"
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml
index baa622ea..38be68ab 100644
--- a/tasks/section_2/cis_2.2.x.yml
+++ b/tasks/section_2/cis_2.2.x.yml
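Review bot: The 2.1.18 "Mask nginx service" task targets `name: ngnix.service`, a misspelling of the unit name, so masking nginx will error or do nothing on every host; it should be `name: nginx.service`. The 2.1.2 gate `'avahi-autopd' in ansible_facts.packages` likewise does not match the `avahi-autoipd` package that the Remove task uninstalls, so that half of the condition can never be true. Several other package keys in the `when` gates (`'avahi'`, `'dhcp-server'`, `'bind'`, `'ftp'`, `'rsync-daemon'`, `'httpd'`, `'xorg-x11-server-common'`) differ from the names this role previously managed (`avahi-daemon` and `xserver-xorg*` in the old cis_2.2.x.yml) and look like non-Ubuntu package names; because `ansible_facts.packages` is keyed by exact package name, a mismatch silently skips the control instead of failing, so these are worth checking against the Ubuntu package names before merge. Minor: 2.1.15 is tagged `samba` rather than `snmp`, and 2.1.6 and 2.1.15 use the tag `automation` where the rest of the role uses `automated`.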
@@ -1,359 +1,90 @@ --- -- name: "2.2.1 | PATCH | Ensure X Window System is not installed" - ansible.builtin.package: - name: xserver-xorg* - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_1 - - not ubtu22cis_desktop_required - tags: - - level1-server - - automated - - patch - - rule_2.2.1 - - xwindows - -- name: "2.2.2 | PATCH | Ensure Avahi Server is not installed" - block: - - name: "2.2.2 | PATCH | Ensure Avahi Server is not installed| Stop/Disable avahi-daemon.service" - ansible.builtin.service: - name: avahi-daemon.service - state: stopped - enabled: false - when: avahi_service_status.stdout == "loaded" - - - name: "2.2.2 | PATCH | Ensure Avahi Server is not installed | Stop/Disable avahi-daemon.socket" - ansible.builtin.systemd: - name: avahi-daemon.socket - state: stopped - enabled: false - when: avahi_service_status.stdout == "loaded" - - - name: "2.2.2 | PATCH | Ensure Avahi Server is not installed | Remove avahi-daemon" - ansible.builtin.package: - name: avahi-daemon - state: absent - purge: "{{ ubtu22cis_purge_apt }}" +- name: "2.2.1 | PATCH | Ensure NIS Client is not installed" when: - - ubtu22cis_rule_2_2_2 - - not ubtu22cis_avahi_server - - ubtu22cis_disruption_high - - "'avahi-daemon' in ansible_facts.packages" + - ubtu22cis_rule_2_2_1 + - not ubtu22cis_nis_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.2 - - avahi - - services - -- name: "2.2.3 | PATCH | Ensure CUPS is not installed" + - level1-server + - level1-workstation + - rule_2.2.1 + - nis ansible.builtin.package: - name: cups - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_3 - - not ubtu22cis_cups_server - - "'cups' in ansible_facts.packages" - tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_2.2.3 - - cups - - services + name: nis + state: absent + purge: "{{ ubtu22cis_purge_apt }}" -- name: "2.2.4 | PATCH | Ensure DHCP Server is not installed" 
- ansible.builtin.package: - name: isc-dhcp-server - state: absent - purge: "{{ ubtu22cis_purge_apt }}" +- name: "2.2.2 | PATCH | Ensure rsh client is not installed" when: - - ubtu22cis_rule_2_2_4 - - not ubtu22cis_dhcp_server - - "'isc-dhcp-server' in ansible_facts.packages" + - ubtu22cis_rule_2_2_2 + - not ubtu22cis_rsh_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.4 - - dhcp - - services - -- name: "2.2.5 | PATCH | Ensure LDAP server is not installed" + - level1-server + - level1-workstation + - patch + - rule_2.2.2 + - rsh ansible.builtin.package: - name: slapd - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_5 - - not ubtu22cis_ldap_server - - "'slapd' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.5 - - ldap - - services + name: rsh-client + state: absent + purge: "{{ ubtu22cis_purge_apt }}" -- name: "2.2.6 | PATCH | Ensure NFS is not installed" - ansible.builtin.package: - name: nfs-kernel-server - state: absent - purge: "{{ ubtu22cis_purge_apt }}" +- name: "2.2.3 | PATCH | Ensure talk client is not installed" when: - - ubtu22cis_rule_2_2_6 - - not ubtu22cis_nfs_server - - "'nfs-kernel-server' in ansible_facts.packages" + - ubtu22cis_rule_2_2_3 + - not ubtu22cis_talk_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.6 - - nfs - - rpc - - services - -- name: "2.2.7 | PATCH | Ensure DNS Server is not installed" + - level1-server + - level1-workstation + - patch + - rule_2.2.3 + - talk ansible.builtin.package: - name: bind9 - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_7 - - not ubtu22cis_dns_server - - "'bind9' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.7 - - dns - - service + name: talk + state: absent + purge: "{{ ubtu22cis_purge_apt }}" -- name: "2.2.8 | PATCH | 
Ensure FTP Server is not installed" - ansible.builtin.package: - name: vsftpd - state: absent - purge: "{{ ubtu22cis_purge_apt }}" +- name: "2.2.4 | PATCH | Ensure telnet client is not installed" when: - - ubtu22cis_rule_2_2_8 - - not ubtu22cis_vsftpd_server - - "'vsftpd' in ansible_facts.packages" + - ubtu22cis_rule_2_2_4 + - not ubtu22cis_telnet_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.8 - - ftp - - service - -- name: "2.2.9 | PATCH | Ensure HTTP server is not installed" + - level1-server + - level1-workstation + - patch + - rule_2.2.4 + - telnet ansible.builtin.package: - name: apache2 - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_9 - - not ubtu22cis_httpd_server - - "'apache2' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.9 - - httpd - - service + name: telnet + state: absent + purge: "{{ ubtu22cis_purge_apt }}" -- name: "2.2.10 | PATCH | Ensure IMAP and POP3 server are not installed" - ansible.builtin.package: - name: ['dovecot-imapd', 'dovecot-pop3d'] - state: absent - purge: "{{ ubtu22cis_purge_apt }}" +- name: "2.2.5 | PATCH | Ensure ldap client is not installed" when: - - ubtu22cis_rule_2_2_10 - - not ubtu22cis_dovecot_server - - "'dovecot-imapd' in ansible_facts.packages or - 'dovecot-pop3d' in ansible_facts.packages" + - ubtu22cis_rule_2_2_5 + - not ubtu22cis_ldap_clients_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.10 - - dovecot - - service - -- name: "2.2.11 | PATCH | Ensure Samba is not installed" + - level1-server + - level1-workstation + - patch + - rule_2.2.5 + - ldap ansible.builtin.package: - name: samba - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_11 - - not ubtu22cis_smb_server - - "'samba' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.11 
- - samba - - service + name: ldap-utils + state: absent + purge: "{{ ubtu22cis_purge_apt }}" -- name: "2.2.12 | PATCH | Ensure HTTP Proxy Server is not installed" - ansible.builtin.package: - name: squid - state: absent - purge: "{{ ubtu22cis_purge_apt }}" +- name: "2.2.6 | PATCH | Ensure ftp is not installed" when: - - ubtu22cis_rule_2_2_12 - - not ubtu22cis_squid_server - - "'squid' in ansible_facts.packages" + - ubtu22cis_rule_2_2_6 + - not ubtu22cis_ftp_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.12 - - http_proxy - - service - -- name: "2.2.13 | PATCH | Ensure SNMP Server is not installed" + - level1-server + - level1-workstation + - patch + - rule_2.2.6 + - ftp ansible.builtin.package: - name: snmpd - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_13 - - not ubtu22cis_snmp_server - - "'snmpd' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.13 - - snmp - - service - -- name: "2.2.14 | PATCH | Ensure NIS Server is not installed" - ansible.builtin.package: - name: nis - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_14 - - not ubtu22cis_nis_server - - "'nis' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - rule_2.2.14 - - nis - - service - -- name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" - block: - - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed" - ansible.builtin.lineinfile: - path: /etc/exim4/update-exim4.conf.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^dc_eximconfig_configtype', line: "dc_eximconfig_configtype='local'" } - - { regexp: '^dc_local_interfaces', line: "dc_local_interfaces='127.0.0.1 ; ::1'" } - - { regexp: '^dc_readhost', line: "dc_readhost=''" } - - { regexp: 
'^dc_relay_domains', line: "dc_relay_domains=''" } - - { regexp: '^dc_minimaldns', line: "dc_minimaldns='false'" } - - { regexp: '^dc_relay_nets', line: "dc_relay_nets=''" } - - { regexp: '^dc_smarthost', line: "dc_smarthost=''" } - - { regexp: '^dc_use_split_config', line: "dc_use_split_config='false'" } - - { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" } - - { regexp: '^dc_mailname_in_oh', line: "dc_mailname_in_oh='true'" } - - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" } - notify: Restart exim4 - when: "'exim4' in ansible_facts.packages" - - - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if postfix is installed" - ansible.builtin.lineinfile: - path: /etc/postfix/main.cf - regexp: '^(#)?inet_interfaces' - line: 'inet_interfaces = loopback-only' - notify: Restart postfix - when: "'postfix' in ansible_facts.packages" - - - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode | Message out other main agents" - ansible.builtin.debug: - msg: - - "Warning!! 
You are not using either exim4 or postfix" - - "Please review your vendors documentation to configure local-only mode" - when: - - "'exim4' not in ansible_facts.packages" - - "'postfix' not in ansible_facts.packages" - - - name: "2.2.15 | WARN | Ensure mail transfer agent is configured for local-only mode | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: - - "'exim4' not in ansible_facts.packages" - - "'postfix' not in ansible_facts.packages" - vars: - warn_control_id: '2.2.15' - when: - - ubtu22cis_rule_2_2_15 - - not ubtu22cis_is_mail_server - tags: - - level1-server - - level1-workstation - - automated - - scored - - patch - - rule_2.2.15 - - postfix - -- name: "2.2.16 | PATCH | Ensure rsync service is either not installed or masked" - block: - - name: "2.2.16 | PATCH | Ensure rsync service is either not installed or masked | remove pkg" - ansible.builtin.package: - name: rsync - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_2_16 - - ubtu22cis_rsync_server == 'remove' - - - name: "2.2.16 | PATCH | Ensure rsync service is either not installed or masked | mask service" - ansible.builtin.systemd: - name: rsync - masked: true - enabled: false - state: stopped - daemon_reload: true - when: - - ubtu22cis_rule_2_2_16 - - ubtu22cis_rsync_server == 'mask' - when: - - "'rsync' in ansible_facts.packages" - - ubtu22cis_rule_2_2_16 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.16 - - rsync + name: ftp + state: absent + purge: "{{ ubtu22cis_purge_apt }}" diff --git a/tasks/section_2/cis_2.3.1.x.yml b/tasks/section_2/cis_2.3.1.x.yml new file mode 100644 index 00000000..44eb9ee3 --- /dev/null +++ b/tasks/section_2/cis_2.3.1.x.yml 
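Review bot: The new 2.2.1 task's tag list (`level1-server`, `level1-workstation`, `rule_2.2.1`, `nis`) lacks the `patch` tag that every sibling 2.2.2–2.2.6 carries, so a `--tags patch` run removes the other five clients but skips NIS; add `- patch` next to `- rule_2.2.1`. The deleted cis_2.3.x.yml had the same gap on its old 2.3.1 task, so this looks inherited rather than intentional. Separately, the tasks removed from this file guarded each removal with `"'<pkg>' in ansible_facts.packages"` while the new 2.2.x tasks rely only on the rule and `_required` flags; `state: absent` on an absent package is a no-op for apt, so this is functionally fine but worth confirming the omission is deliberate.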
@@ -0,0 +1,38 @@
+---
+
+- name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use"
+ when:
+ - ubtu22cis_rule_2_3_1_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_2.3.1.1
+ - chrony
+ - ntp
+ - systemd-timesyncd
+ block:
+ - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use | Pkg installed"
+ ansible.builtin.package:
+ name: "{{ ubtu22cis_time_sync_tool }}"
+ state: present
+
+ - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use | other pkgs removed"
+ when: item != ubtu22cis_time_sync_tool
+ ansible.builtin.package:
+ name: "{{ item }}"
+ state: absent
+ loop:
+ - chrony
+ - ntp
+
+ - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use | mask service"
+ when:
+ - ubtu22cis_time_sync_tool != "systemd-timesyncd"
+ - "'systemd-timesyncd' in ansible_facts.packages"
+ ansible.builtin.service:
+ name: systemd-timesyncd
+ state: stopped
+ enabled: false
+ masked: true
+ daemon_reload: true
diff --git a/tasks/section_2/cis_2.3.2.x.yml b/tasks/section_2/cis_2.3.2.x.yml
new file mode 100644
index 00000000..b7000829
--- /dev/null
+++ b/tasks/section_2/cis_2.3.2.x.yml
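Review bot: The `mask service` sub-task of 2.3.1.1 calls `ansible.builtin.service` with `masked: true` and `daemon_reload: true`, which are not documented options of the `service` module; they only work because the service action plugin hands its arguments through to the systemd module on systemd hosts, and argument validation (ansible-lint's args rule, for instance) will flag them. The sibling mask tasks in cis_2.3.2.x.yml and cis_2.3.3.x.yml already use `ansible.builtin.systemd:`, so changing the module line here to `ansible.builtin.systemd:` makes the three files consistent and keeps the remaining keys valid as written. A short comment above the `other pkgs removed` loop, e.g. `# only chrony and ntp are competing daemons here; systemd-timesyncd is masked rather than removed`, would explain why the loop and the mask task are split.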
@@ -0,0 +1,62 @@
+---
+
+- name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver"
+ when:
+ - ubtu22cis_rule_2_3_2_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_2.3.2.1
+ - timesyncd
+ block:
+ - name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver | create conf.d dir"
+ ansible.builtin.file:
+ path: /etc/systemd/timesyncd.conf.d
+ owner: root
+ group: root
+ mode: '0755'
+ state: directory
+
+ - name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver | sources"
+ ansible.builtin.template:
+ src: "{{ item }}.j2"
+ dest: "/{{ item }}"
+ mode: '0644'
+ owner: root
+ group: root
+ loop:
+ - "etc/systemd/timesyncd.conf.d/50-timesyncd.conf"
+ notify: Restart timeservice
+
+- name: "2.3.2.2 | PATCH | Ensure systemd-timesyncd is enabled and running"
+ when:
+ - ubtu22cis_rule_2_3_2_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - rule_2.3.2.2
+ - timesyncd
+ block:
+ - name: "2.3.2.2 | PATCH | Ensure systemd-timesyncd is enabled and running | enable if timesyncd"
+ ansible.builtin.systemd:
+ name: systemd-timesyncd
+ state: started
+ enabled: true
+ masked: false
+
+ - name: "2.3.2.2 | PATCH | Ensure systemd-timesyncd is enabled and running | disable other time sources | chrony"
+ when: "'chrony' in ansible_facts.packages"
+ ansible.builtin.systemd:
+ name: chrony
+ state: stopped
+ enabled: false
+ masked: true
+
+ - name: "2.3.2.2 | PATCH | Ensure systemd-timesyncd is enabled and running | disable other time sources | ntp"
+ when: "'ntp' in ansible_facts.packages"
+ ansible.builtin.systemd:
+ name: ntp
+ state: stopped
+ enabled: false
+ masked: true
diff --git a/tasks/section_2/cis_2.3.3.x.yml b/tasks/section_2/cis_2.3.3.x.yml
new file mode 100644
index 00000000..f87d275a
--- /dev/null
+++ b/tasks/section_2/cis_2.3.3.x.yml
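Review bot: The 2.3.2.2 tag list omits `patch` even though the block changes state (`state: started`, `enabled: true`, and masks chrony/ntp), so a `--tags patch` run applies the 2.3.2.1 config but never starts the daemon; add `- patch` next to `- rule_2.3.2.2`. The 2.3.3.3 block in cis_2.3.3.x.yml has the same omission. The two `disable other time sources` sub-tasks only fire when `chrony`/`ntp` are still installed, which 2.3.1.1 in cis_2.3.1.x.yml already prevents unless that rule is disabled; a comment such as `# belt-and-braces: 2.3.1.1 normally removes these packages, mask them if it was skipped` would make the overlap intentional rather than puzzling.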
@@ -0,0 +1,75 @@
+---
+
+- name: "2.3.3.1 | PATCH | Ensure chrony is configured with authorized timeserver"
+ when:
+ - ubtu22cis_rule_2_3_3_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_2.3.3.1
+ - chrony
+ block:
+ - name: "2.3.3.1 | PATCH | Ensure chrony is configured with authorized timeserver | sources"
+ ansible.builtin.template:
+ src: "{{ item }}.j2"
+ dest: "/{{ item }}"
+ mode: '0644'
+ owner: root
+ group: root
+ loop:
+ - etc/chrony/sources.d/pool.sources
+ - etc/chrony/sources.d/server.sources
+ notify: Restart timeservice
+
+ - name: "2.3.3.1 | PATCH | Ensure chrony is configured with authorized timeserver | load sources"
+ ansible.builtin.lineinfile:
+ path: /etc/chrony/chrony.conf
+ regexp: '^sourcedir /etc/chrony/sources.d'
+ line: sourcedir /etc/chrony/sources.d
+ notify: Restart timeservice
+
+- name: "2.3.3.2 | PATCH | Ensure chrony is running as user _chrony"
+ when:
+ - ubtu22cis_rule_2_3_3_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_2.3.3.2
+ - chrony
+ ansible.builtin.lineinfile:
+ path: /etc/chrony/chrony.conf
+ regexp: '^user _chrony'
+ line: 'user _chrony'
+
+- name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running"
+ when:
+ - ubtu22cis_rule_2_3_3_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - rule_2.3.3.3
+ - chrony
+ block:
+ - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running"
+ ansible.builtin.systemd:
+ name: chrony
+ state: started
+ enabled: true
+
+ - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | timesyncd"
+ when: "'systemd-timesyncd' in ansible_facts.packages"
+ ansible.builtin.systemd:
+ name: systemd-timesyncd
+ state: stopped
+ enabled: false
+ masked: true
+
+ - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running | disable other time sources | ntpd"
+ when: "'ntpd' in ansible_facts.packages"
+ ansible.builtin.systemd:
+ name: ntpd
+ state: stopped
+ enabled: false
+ masked: true
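Review bot: The last sub-task of 2.3.3.3 checks `"'ntpd' in ansible_facts.packages"` and masks `ntpd`, while the matching task in cis_2.3.2.x.yml and the removal loop in cis_2.3.1.x.yml both use `ntp`; the Debian/Ubuntu package is named `ntp`, so this condition is unlikely ever to match and a leftover ntp daemon would keep running alongside chrony. Change the two lines to `when: "'ntp' in ansible_facts.packages"` and `name: ntp` so the three files agree. Also, the first sub-task of the 2.3.3.3 block reuses the parent's exact name; appending `| enable if chrony` (mirroring 2.3.2.2) keeps the task output distinguishable, and the 2.3.3.2 `lineinfile` will append `user _chrony` if no such line exists, which is presumably intended but worth a one-line comment.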
diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml
deleted file mode 100644
index b2e2ce3a..00000000
--- a/tasks/section_2/cis_2.3.x.yml
+++ /dev/null
@@ -1,95 +0,0 @@ ---- - -- name: "2.3.1 | PATCH | Ensure NIS Client is not installed" - ansible.builtin.package: - name: nis - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_3_1 - - not ubtu22cis_nis_required - tags: - - level1-server - - level1-workstation - - rule_2.3.1 - - nis - -- name: "2.3.2 | PATCH | Ensure rsh client is not installed" - ansible.builtin.package: - name: rsh-client - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_3_2 - - not ubtu22cis_rsh_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.3.2 - - rsh - -- name: "2.3.3 | PATCH | Ensure talk client is not installed" - ansible.builtin.package: - name: talk - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_3_3 - - not ubtu22cis_talk_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.3.3 - - talk - -- name: "2.3.4 | PATCH | Ensure telnet client is not installed" - ansible.builtin.package: - name: telnet - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_3_4 - - not ubtu22cis_telnet_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.3.4 - - telnet - -- name: "2.3.5 | PATCH | Ensure LDAP client is not installed" - ansible.builtin.package: - name: ldap-utils - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_3_5 - - not ubtu22cis_ldap_clients_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.3.5 - - ldap - -- name: "2.3.6 | PATCH | Ensure RPC is not installed" - ansible.builtin.package: - name: rpcbind - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_2_3_6 - - not ubtu22cis_rpc_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.3.6 - - rpbc 
diff --git a/tasks/section_2/cis_2.4.1.x.yml b/tasks/section_2/cis_2.4.1.x.yml
new file mode 100644
index 00000000..ec796376
--- /dev/null
+++ b/tasks/section_2/cis_2.4.1.x.yml
@@ -0,0 +1,142 @@
+---
+
+- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and running"
+ when:
+ - ubtu22cis_rule_2_4_1_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_2.4.1.1
+ - cron
+ ansible.builtin.systemd:
+ name: cron
+ state: started
+ enabled: true
+
+- name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
+ when:
+ - ubtu22cis_rule_2_4_1_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_2.4.1.2
+ - cron
+ ansible.builtin.file:
+ path: /etc/crontab
+ owner: root
+ group: root
+ mode: '0600'
+
+- name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
+ when:
+ - ubtu22cis_rule_2_4_1_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_2.4.1.3
+ - cron
+ ansible.builtin.file:
+ path: /etc/cron.hourly
+ owner: root
+ group: root
+ mode: '0700'
+
+- name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
+ when:
+ - ubtu22cis_rule_2_4_1_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_2.4.1.4
+ - cron
+ ansible.builtin.file:
+ path: /etc/cron.daily
+ owner: root
+ group: root
+ mode: '0700'
+
+- name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
+ when:
+ - ubtu22cis_rule_2_4_1_5
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_2.4.1.5
+ - cron
+ ansible.builtin.file:
+ path: /etc/cron.weekly
+ owner: root
+ group: root
+ mode: '0700'
+
+- name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
+ when:
+ - ubtu22cis_rule_2_4_1_6
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_2.4.1.6
+ - cron
+ ansible.builtin.file:
+ path: /etc/cron.monthly
+ owner: root
+ group: root
+ mode: '0700'
+
+- name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
+ when:
+ - ubtu22cis_rule_2_4_1_7
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_2.4.1.7
+ - cron
+ ansible.builtin.file:
+ path: /etc/cron.d
+ owner: root
+ group: root
+ mode: '0700'
+
+- name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users"
+ when:
+ - ubtu22cis_rule_2_4_1_8
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_2.4.1.8
+ - cron
+ block:
+ - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny"
+ ansible.builtin.file:
+ path: /etc/cron.deny
+ state: absent
+
+ - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Check for cron.allow"
+ ansible.builtin.stat:
+ path: /etc/cron.allow
+ register: ubtu22cis_2_4_1_8_status
+
+ - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Create cron.allow if doesn't exist"
+ when: not ubtu22cis_2_4_1_8_status.stat.exists
+ ansible.builtin.file:
+ path: /etc/cron.allow
+ owner: root
+ group: root
+ mode: '0640'
+ state: touch
+
+ - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Update cron.allow if exists"
+ when: ubtu22cis_2_4_1_8_status.stat.exists
+ ansible.builtin.file:
+ path: /etc/cron.allow
+ owner: root
+ group: root
+ mode: '0640'
diff --git a/tasks/section_2/cis_2.4.2.x.yml b/tasks/section_2/cis_2.4.2.x.yml
new file mode 100644
index 00000000..5e873575
--- /dev/null
+++ b/tasks/section_2/cis_2.4.2.x.yml
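Review bot: The `Create cron.allow if doesn't exist` sub-task of 2.4.1.8 uses `state: touch`, which rewrites the timestamps and reports `changed` whenever it runs, and the preceding `stat` plus the `Update cron.allow if exists` task exist only to work around that; the same three-task pattern is repeated for at.allow in cis_2.4.2.x.yml. `ansible.builtin.file` accepts `modification_time: preserve` and `access_time: preserve` together with `state: touch`, which creates the file when missing, leaves existing timestamps alone and still enforces owner/group/mode, so the stat and the two conditional tasks collapse into the single idempotent task below. Since an existing but empty cron.allow lets only root use cron on Debian-derived systems, a comment such as `# An empty cron.allow restricts cron to root; add users in a later task if they need it` would document the intended effect for whoever runs the role.
```yaml
  - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow exists with correct perms"
    ansible.builtin.file:
      path: /etc/cron.allow
      owner: root
      group: root
      mode: '0640'
      state: touch
      modification_time: preserve
      access_time: preserve
```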
@@ -0,0 +1,38 @@
+---
+
+- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users"
+ when:
+ - - ubtu22cis_rule_2_4_2_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_2.4.2.1
+ - cron
+ block:
+ - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Remove at.deny"
+ ansible.builtin.file:
+ path: /etc/at.deny
+ state: absent
+
+ - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Check for at.allow"
+ ansible.builtin.stat:
+ path: /etc/at.allow
+ register: ubtu22cis_2_4_2_1_status
+
+ - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Create at.allow if doesn't exist"
+ when: not ubtu22cis_2_4_2_1_status.stat.exists
+ ansible.builtin.file:
+ path: /etc/at.allow
+ owner: root
+ group: root
+ mode: '0640'
+ state: touch
+
+ - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | update at.allow if exists"
+ when: ubtu22cis_2_4_2_1_status.stat.exists
+ ansible.builtin.file:
+ path: /etc/at.allow
+ owner: root
+ group: root
+ mode: '0640'
diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml
deleted file mode 100644
index ef209e7f..00000000
--- a/tasks/section_2/cis_2.4.yml
+++ /dev/null
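Review bot: The `when:` of 2.4.2.1 reads `- - ubtu22cis_rule_2_4_2_1`, a doubled dash that turns the condition into a nested list rather than the string `ubtu22cis_rule_2_4_2_1`; depending on the Ansible version this is either rejected outright or evaluated as a non-empty list (always true), so the rule flag cannot disable the task. Change it to `- ubtu22cis_rule_2_4_2_1` to match every other rule in the role. The tag list also carries `cron`, copied from cis_2.4.1.x.yml; `at` is the tag a user would expect to target this file with.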
@@ -1,33 +0,0 @@ ---- - -- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked" - block: - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Check for services" - ansible.builtin.shell: lsof -i -P -n | grep -v "(ESTABLISHED)" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_2_3_services - - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Message out running services" - ansible.builtin.debug: - msg: - - "Warning!! Below are the running services. Please review and remove as well as mask un-needed services" - - "{{ ubtu22cis_2_3_services.stdout_lines }}" - when: ubtu22cis_2_3_services.stdout | length > 0 - - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_2_3_services.stdout | length > 0 - vars: - warn_control_id: '2.4' - when: - - ubtu22cis_rule_2_4 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_2.4 - - services diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 567de2a3..03fccd34 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml 
@@ -1,35 +1,33 @@ --- -- name: "SECTION | 2.1.1.x | time service " +- name: "SECTION | 2.1.x | Configure Server Services" ansible.builtin.import_tasks: - file: cis_2.1.1.x.yml + file: cis_2.1.x.yml -- name: "SECTION | 2.1.2.x | chrony time service" +- name: "SECTION | 2.2.x | Configure Clients Services" ansible.builtin.import_tasks: - file: cis_2.1.2.x.yml - when: - - ubtu22cis_time_sync_tool == "chrony" + file: cis_2.2.x.yml -- name: "SECTION | 2.1.3.x | systemd-timesyncd time service" +- name: "SECTION | 2.3.1.x | Time service " ansible.builtin.import_tasks: - file: cis_2.1.3.x.yml - when: - - ubtu22cis_time_sync_tool == "systemd-timesyncd" + file: cis_2.3.1.x.yml -- name: "SECTION | 2.1.4.x | ntp time service " - ansible.builtin.import_tasks: - file: cis_2.1.4.x.yml +- name: "SECTION | 2.3.2.x | Configure systemd-timesyncd" when: - - ubtu22cis_time_sync_tool == "ntp" + - ubtu22cis_time_sync_tool == "systemd-timesyncd" + ansible.builtin.import_tasks: + file: cis_2.3.2.x.yml -- name: "SECTION | 2.1.x | Services" +- name: "SECTION | 2.3.3.x | Configure Chrony" + when: + - ubtu22cis_time_sync_tool == "chrony" ansible.builtin.import_tasks: - file: cis_2.2.x.yml + file: cis_2.3.3.x.yml -- name: "SECTION | 2.2.x | Service Clients" +- name: "SECTION | 2.4.1.x | Configure Cron" ansible.builtin.import_tasks: - file: cis_2.3.x.yml + file: cis_2.4.1.x.yml -- name: "SECTION | 2.3.x | Ensure nonessential services are removed or masked" +- name: "SECTION | 2.4.2.x | Configure At" ansible.builtin.import_tasks: - file: cis_2.4.yml + file: cis_2.4.2.x.yml diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index c8fbe0cf..6b82d912 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
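Review bot: The imports of cis_2.3.2.x.yml and cis_2.3.3.x.yml are gated on `ubtu22cis_time_sync_tool` being `systemd-timesyncd` or `chrony`, but cis_2.3.1.x.yml still installs whatever that variable holds (and its removal loop lists `ntp`), so a leftover `ntp` value from the previous layout would install ntp and then configure nothing, silently; an early `ansible.builtin.assert` that the value is one of the two supported tools would fail loudly instead. Whether defaults/main.yml still documents `ntp` as a choice is not visible in this hunk. Minor: `"SECTION | 2.3.1.x | Time service "` keeps a trailing space inside the quotes, unlike the other section names.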
@@ -1,91 +1,118 @@ --- -- name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled" +- name: "3.1.1 | PATCH | Ensure IPv6 status is identified" + when: + - ubtu22cis_rule_3_1_1 + - not ubtu22cis_ipv6_required + tags: + - level1-server + - level1-workstation + - patch + - rule_3.1.1 + - ipv6 block: - - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Replace ipv6.disable if it exists" - ansible.builtin.replace: - path: /etc/default/grub - regexp: '^(GRUB_CMDLINE_LINUX=.*)\bipv6\.disable=\d\b(.*$)' - replace: '\1ipv6.disable=1\2' - when: ubtu22cis_ipv6_disable == 'grub' - register: ipv6disable_replaced - notify: Grub update + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Replace ipv6.disable if it exists" + when: ubtu22cis_ipv6_disable == 'grub' + ansible.builtin.replace: + path: /etc/default/grub + regexp: '^(GRUB_CMDLINE_LINUX=.*)\bipv6\.disable=\d\b(.*$)' + replace: '\1ipv6.disable=1\2' + register: ipv6disable_replaced + notify: Grub update - - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Check grub cmdline linux" - ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_1_1_cmdline_settings + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Check grub cmdline linux" + ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: ubtu22cis_3_1_1_cmdline_settings - - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist" - ansible.builtin.lineinfile: - path: /etc/default/grub - regexp: '^(GRUB_CMDLINE_LINUX=".*)"$' - line: '\1 ipv6.disable=1"' - backrefs: true - when: - - ubtu22cis_ipv6_disable == 'grub' - - ipv6disable_replaced is not changed - - "'ipv6.disable' not in 
ubtu22cis_3_1_1_cmdline_settings.stdout" - notify: Grub update + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Insert ipv6.disable if it doesn't exist" + when: + - ubtu22cis_ipv6_disable == 'grub' + - ipv6disable_replaced is not changed + - "'ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout" + ansible.builtin.lineinfile: + path: /etc/default/grub + regexp: '^(GRUB_CMDLINE_LINUX=".*)"$' + line: '\1 ipv6.disable=1"' + backrefs: true + notify: Grub update - - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Remove net.ipv6.conf.all.disable_ipv6" - ansible.builtin.template: - src: "{{ item }}.j2" - dest: "/{{ item }}" - owner: root - group: root - mode: '0640' - notify: Flush ipv6 route table - loop: - - etc/sysctl.d/60-disable_ipv6.conf - when: ubtu22cis_ipv6_disable == 'sysctl' - when: - - ubtu22cis_rule_3_1_1 - - not ubtu22cis_ipv6_required - tags: - - level1-server - - level1-workstation - - patch - - rule_3.1.1 - - ipv6 + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Remove net.ipv6.conf.all.disable_ipv6" + when: ubtu22cis_ipv6_disable == 'sysctl' + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "/{{ item }}" + owner: root + group: root + mode: '0640' + notify: Flush ipv6 route table + loop: + - etc/sysctl.d/60-disable_ipv6.conf - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" + when: + - ubtu22cis_rule_3_1_2 + tags: + - level1-server + - patch + - rule_3.1.2 + - wireless + vars: + warn_control_id: '3.1.2' block: - - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" - ansible.builtin.shell: nmcli radio wifi - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_1_2_wifi_status - when: "'network-manager' in ansible_facts.packages" + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" + when: "'network-manager' in ansible_facts.packages" + 
ansible.builtin.shell: nmcli radio wifi + changed_when: false + failed_when: false + check_mode: false + register: ubtu22cis_3_1_2_wifi_status - - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" - ansible.builtin.shell: nmcli radio all off - changed_when: ubtu22cis_3_1_2_nmcli_radio_off.rc == 0 - register: ubtu22cis_3_1_2_nmcli_radio_off - when: - - "'network-manager' in ansible_facts.packages" - - "'enabled' in ubtu22cis_3_1_2_wifi_status.stdout" + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" + when: + - "'network-manager' in ansible_facts.packages" + - "'enabled' in ubtu22cis_3_1_2_wifi_status.stdout" + ansible.builtin.shell: nmcli radio all off + changed_when: ubtu22cis_3_1_2_nmcli_radio_off.rc == 0 + register: ubtu22cis_3_1_2_nmcli_radio_off - - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" - ansible.builtin.debug: - msg: "Warning!! You need to disable wireless interfaces manually since network-manager is not installed" - when: "'network-manager' not in ansible_facts.packages" + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" + when: "'network-manager' not in ansible_facts.packages" + ansible.builtin.debug: + msg: "Warning!! 
You need to disable wireless interfaces manually since network-manager is not installed" - - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: "'network-manager' not in ansible_facts.packages" - vars: - warn_control_id: '3.1.2' + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Set warning count" + when: "'network-manager' not in ansible_facts.packages" + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "3.1.3 | PATCH | Ensure bluetooth services are not in use" when: - - ubtu22cis_rule_3_1_2 + - ubtu22cis_rule_3_1_3 tags: - - level1-server - - level2-workstation - - automated - - patch - - rule_3.1.2 - - wireless + - level1-server + - level2-workstation + - patch + - sctp + - rule_3.1.3 + block: + - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use | pkg" + when: + - not ubtu22cis_bluetooth_service + - not ubtu22cis_bluetooth_mask + ansible.builtin.package: + name: bluez + state: absent + + - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use | mask" + when: + - not ubtu22cis_bluetooth_service + - ubtu22cis_bluetooth_mask + notify: Systemd_daemon_reload + ansible.builtin.systemd: + name: bluetooth.service + enabled: false + state: stopped + masked: true diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index e12f9118..c9c9e9ae 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml 
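Review bot: The new 3.1.3 bluetooth task is tagged `sctp`, which belongs to the 3.2.4 kernel-module rule in cis_3.2.x.yml; replace that entry with `- bluetooth` so `--tags bluetooth` selects this rule. Unlike the service-removal tasks in cis_2.1.x.yml, the `pkg` sub-task removes `bluez` without a `"'bluez' in ansible_facts.packages"` guard and without `purge: "{{ ubtu22cis_purge_apt }}"`, which is harmless but inconsistent with the rest of the role. The rewrite also drops `level2-workstation` from 3.1.2's tags, leaving it server-only; if that was not deliberate it should be restored.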
@@ -1,65 +1,113 @@ --- -- name: "3.2.1 | PATCH | Ensure packet redirect sending is disabled" - ansible.posix.sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - with_items: - - net.ipv4.conf.all.send_redirects - - net.ipv4.conf.default.send_redirects - notify: Flush ipv4 route table +- name: "3.2.1 | PATCH | Ensure dccp kernel module is not available" when: - - ubtu22cis_rule_3_2_1 - - not ubtu22cis_is_router + - ubtu22cis_rule_3_2_1 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.2.1 - - packet_redirect - - sysctl + - level2-server + - level2-workstation + - patch + - rule_3.2.1 + - dccp + block: + - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | modprobe" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/dccp.conf + regexp: '^(#)?install dccp(\\s|$)' + line: "{{ item }}" + create: true + loop: + - install dccp /bin/true + - blacklist dccp + + - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist cramfs(\\s|$)" + line: "blacklist cramfs" + create: true + mode: '0600' -- name: "3.2.2 | PATCH | Ensure IP forwarding is disabled" +- name: "3.2.2 | PATCH | Ensure tipc kernel module is not available" + when: + - ubtu22cis_rule_3_2_2 + tags: + - level2-server + - level2-workstation + - patch + - rule_3.2.2 + - tipc block: - - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv4 settings" - ansible.posix.sysctl: - name: net.ipv4.ip_forward - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - notify: - - Flush ipv4 route table + - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available | modprobe" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/tipc.conf + regexp: 
'^(#)?install tipc(\\s|$)' + line: "{{ item }}" + create: true + loop: + - install tipc /bin/true + - blacklist tipc - - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv6 settings" - ansible.posix.sysctl: - name: net.ipv6.conf.all.forwarding - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - when: ubtu22cis_ipv6_disable == 'sysctl' - notify: - - Flush ipv6 route table + - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist tipc(\\s|$)" + line: "blacklist tipc" + create: true + mode: '0600' +- name: "3.2.3 | PATCH | Ensure rds kernel module is not available" when: - - ubtu22cis_rule_3_2_2 - - not ubtu22cis_is_router + - ubtu22cis_rule_3_2_3 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.2.2 - - ip_forwarding - - sysctl + - level2-server + - level2-workstation + - patch + - rule_3.2.3 + - rds + block: + - name: "3.2.3 | PATCH | Ensure rds kernel module is not available | modprobe" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/rds.conf + regexp: '^(#)?install rds(\\s|$)' + line: "{{ item }}" + create: true + loop: + - install rds /bin/true + - blacklist rds + + - name: "3.2.3 | PATCH | Ensure rds kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist rds(\\s|$)" + line: "blacklist rds" + create: true + mode: '0600' + +- name: "3.2.4 | PATCH | Ensure sctp kernel module is not available" + when: + - ubtu22cis_rule_3_2_4 + tags: + - level2-server + - level2-workstation + - patch + - rule_3.2.4 + - sctp + block: + - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available | modprobe" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/sctp.conf + regexp: '^(#)?install sctp(\\s|$)' + line: "{{ item }}" + create: true 
+ loop: + - install sctp /bin/true + - blacklist sctp + + - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist sctp(\\s|$)" + line: "blacklist sctp" + create: true + mode: '0600' diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 67b13df4..c79e634f 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml 
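Review bot: The `modprobe` tasks in 3.2.1–3.2.4 reuse a single `install <module>` regexp for both loop items, so whenever that pattern does match a line, the `blacklist <module>` iteration replaces the `install <module> /bin/true` line the previous iteration just wrote instead of adding a second line (lineinfile replaces the matched line rather than appending). That is currently masked only by the quoting: in a single-quoted scalar such as `'^(#)?install dccp(\\s|$)'` both backslashes survive, so the regex looks for a literal `\s` and effectively matches `install dccp` only at end of line, whereas the double-quoted `"^(#)?blacklist tipc(\\s|$)"` form in the sibling tasks yields the intended `\s`; a commented-out or differently valued `install dccp` entry is therefore never normalised. Give each loop item its own pattern as below (same change for tipc, rds and sctp) so both lines are managed and idempotent. Separately, the 3.2.1 `blacklist` task still writes `blacklist cramfs` to /etc/modprobe.d/blacklist.conf; it should read `regexp: "^(#)?blacklist dccp(\\s|$)"` and `line: "blacklist dccp"` so the dccp module is actually blacklisted there.
```yaml
  - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | modprobe"
    ansible.builtin.lineinfile:
      path: /etc/modprobe.d/dccp.conf
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
      create: true
    loop:
      - regexp: "^(#)?install dccp(\\s|$)"
        line: install dccp /bin/true
      - regexp: "^(#)?blacklist dccp(\\s|$)"
        line: blacklist dccp
  # … unchanged: 3.2.1 blacklist task (cramfs → dccp), and the same per-item loop for tipc, rds and sctp …
```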
@@ -1,245 +1,297 @@ --- -- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" - block: - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 settings" - ansible.posix.sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - with_items: - - net.ipv4.conf.all.accept_source_route - - net.ipv4.conf.default.accept_source_route - notify: Flush ipv4 route table - - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 settings" - ansible.posix.sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - when: ubtu22cis_ipv6_disable == 'sysctl' - with_items: - - net.ipv6.conf.all.accept_source_route - - net.ipv6.conf.default.accept_source_route - notify: Flush ipv6 route table +- name: "3.3.1 | PATCH | Ensure IP forwarding is disabled" when: - - ubtu22cis_rule_3_3_1 - - not ubtu22cis_is_router + - ubtu22cis_rule_3_3_1 + - not ubtu22cis_is_router tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.1 - - routed_packets - - sysctl - -- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" + - level1-server + - level1-workstation + - patch + - rule_3.3.1 + - ip_forwarding + - sysctl block: - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 settings" - ansible.posix.sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - with_items: - - net.ipv4.conf.all.accept_redirects - - net.ipv4.conf.default.accept_redirects - notify: Flush ipv4 route table + - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | IPv4 settings" + ansible.posix.sysctl: + name: net.ipv4.ip_forward + value: '0' + sysctl_set: true + sysctl_file: "{{ 
ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + notify: + - Flush ipv4 route table + + - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | IPv6 settings" + when: ubtu22cis_ipv6_disable == 'sysctl' + ansible.posix.sysctl: + name: net.ipv6.conf.all.forwarding + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + notify: + - Flush ipv6 route table - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 settings" - ansible.posix.sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - when: ubtu22cis_ipv6_disable == 'sysctl' - with_items: - - net.ipv6.conf.all.accept_redirects - - net.ipv6.conf.default.accept_redirects - notify: Flush ipv6 route table +- name: "3.3.2 | PATCH | Ensure packet redirect sending is disabled" when: - - ubtu22cis_rule_3_3_2 + - ubtu22cis_rule_3_3_2 + - not ubtu22cis_is_router tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.2 - - icmp - - sysctl - -- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" + - level1-server + - level1-workstation + - patch + - rule_3.3.2 + - packet_redirect + - sysctl ansible.posix.sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - with_items: - - net.ipv4.conf.all.secure_redirects - - net.ipv4.conf.default.secure_redirects + name: "{{ item }}" + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + loop: + - net.ipv4.conf.all.send_redirects + - net.ipv4.conf.default.send_redirects notify: Flush ipv4 route table + +- name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored" when: - - 
ubtu22cis_rule_3_3_3 + - ubtu22cis_rule_3_3_3 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.3 - - icmp - - sysctl - -- name: "3.3.4 | PATCH | Ensure suspicious packets are logged" + - level1-server + - level1-workstation + - patch + - rule_3.3.3 + - icmp + - sysctl ansible.posix.sysctl: - name: "{{ item }}" - value: '1' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - with_items: - - net.ipv4.conf.all.log_martians - - net.ipv4.conf.default.log_martians + name: net.ipv4.icmp_ignore_bogus_error_responses + value: '1' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true notify: Flush ipv4 route table + +- name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored" when: - - ubtu22cis_rule_3_3_4 + - ubtu22cis_rule_3_3_4 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.4 - - suspicious_packets - - sysctl - -- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" + - level1-server + - level1-workstation + - patch + - rule_3.3.4 + - icmp + - sysctl ansible.posix.sysctl: - name: net.ipv4.icmp_echo_ignore_broadcasts - value: '1' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true + name: net.ipv4.icmp_echo_ignore_broadcasts + value: '1' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true notify: Flush ipv4 route table + +- name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted" when: - - ubtu22cis_rule_3_3_5 + - ubtu22cis_rule_3_3_5 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.5 - - icmp - - sysctl + - level1-server + - level1-workstation + - patch + - rule_3.3.5 + - icmp + - sysctl + block: + - name: "3.3.5 | PATCH | Ensure ICMP redirects are not 
accepted | IPv4 settings" + ansible.posix.sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + loop: + - net.ipv4.conf.all.accept_redirects + - net.ipv4.conf.default.accept_redirects + notify: Flush ipv4 route table -- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" - ansible.posix.sysctl: - name: net.ipv4.icmp_ignore_bogus_error_responses - value: '1' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - notify: Flush ipv4 route table + - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv6 settings" + ansible.posix.sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + when: ubtu22cis_ipv6_disable == 'sysctl' + loop: + - net.ipv6.conf.all.accept_redirects + - net.ipv6.conf.default.accept_redirects + notify: Flush ipv6 route table + +- name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted" when: - - ubtu22cis_rule_3_3_6 + - ubtu22cis_rule_3_3_6 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.6 - - icmp - - sysctl + - level1-server + - level1-workstation + - patch + - rule_3.3.6 + - icmp + - sysctl + ansible.posix.sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + loop: + - net.ipv4.conf.all.secure_redirects + - net.ipv4.conf.default.secure_redirects + notify: Flush ipv4 route table - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" + when: + - ubtu22cis_rule_3_3_7 + tags: + - level1-server + - level1-workstation + - patch + - rule_3.3.7 + - reverse_path_filtering + - sysctl ansible.posix.sysctl: - name: "{{ item }}" - value: '1' - sysctl_set: true - 
sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - with_items: - - net.ipv4.conf.all.rp_filter - - net.ipv4.conf.default.rp_filter + name: "{{ item }}" + value: '1' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + loop: + - net.ipv4.conf.all.rp_filter + - net.ipv4.conf.default.rp_filter notify: Flush ipv4 route table + +- name: "3.3.8 | PATCH | Ensure source routed packets are not accepted" when: - - ubtu22cis_rule_3_3_7 + - ubtu22cis_rule_3_3_8 + - not ubtu22cis_is_router tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.7 - - reverse_path_filtering - - sysctl + - level1-server + - level1-workstation + - patch + - rule_3.3.8 + - routed_packets + - sysctl + block: + - name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv4 settings" + ansible.posix.sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + loop: + - net.ipv4.conf.all.accept_source_route + - net.ipv4.conf.default.accept_source_route + notify: Flush ipv4 route table + + - name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv6 settings" + ansible.posix.sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + when: ubtu22cis_ipv6_disable == 'sysctl' + loop: + - net.ipv6.conf.all.accept_source_route + - net.ipv6.conf.default.accept_source_route + notify: Flush ipv6 route table -- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" +- name: "3.3.9 | PATCH | Ensure suspicious packets are logged" + when: + - ubtu22cis_rule_3_3_9 + tags: + - level1-server + - level1-workstation + - patch + - rule_3.3.9 + - suspicious_packets + - sysctl ansible.posix.sysctl: - name: 
net.ipv4.tcp_syncookies - value: '1' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true + name: "{{ item }}" + value: '1' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + loop: + - net.ipv4.conf.all.log_martians + - net.ipv4.conf.default.log_martians notify: Flush ipv4 route table + +- name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled" when: - - ubtu22cis_rule_3_3_8 + - ubtu22cis_rule_3_3_10 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.8 - - tcp_syn_cookies - - sysctl - -- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" + - level1-server + - level1-workstation + - patch + - rule_3.3.10 + - tcp_syn_cookies + - sysctl ansible.posix.sysctl: - name: "{{ item }}" - value: '0' - sysctl_set: true - sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" - state: present - reload: true - ignoreerrors: true - with_items: - - net.ipv6.conf.all.accept_ra - - net.ipv6.conf.default.accept_ra - notify: Flush ipv6 route table + name: net.ipv4.tcp_syncookies + value: '1' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + notify: Flush ipv4 route table + +- name: "3.3.11 | PATCH | Ensure IPv6 router advertisements are not accepted" when: - - ubtu22cis_rule_3_3_9 - - ubtu22cis_ipv6_required + - ubtu22cis_rule_3_3_11 + - ubtu22cis_ipv6_required tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.3.9 - - ipv6 - - router_advertisements - - sysctl + - level1-server + - level1-workstation + - patch + - rule_3.3.11 + - ipv6 + - router_advertisements + - sysctl + ansible.posix.sysctl: + name: "{{ item }}" + value: '0' + sysctl_set: true + sysctl_file: "{{ ubtu22cis_sysctl_network_conf }}" + state: present + reload: true + ignoreerrors: true + loop: + - 
net.ipv6.conf.all.accept_ra + - net.ipv6.conf.default.accept_ra + notify: Flush ipv6 route table diff --git a/tasks/section_3/cis_3.4.x.yml b/tasks/section_3/cis_3.4.x.yml deleted file mode 100644 index a7cc06db..00000000 --- a/tasks/section_3/cis_3.4.x.yml +++ /dev/null 
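Review bot: The IPv6 sub-tasks of 3.3.1, 3.3.5 and 3.3.8 are gated on `when: ubtu22cis_ipv6_disable == 'sysctl'`, while 3.3.11 in the same file is gated on `ubtu22cis_ipv6_required`; if the former variable means IPv6 is being switched off via sysctl, then the IPv6 forwarding, accept_redirects and accept_source_route settings are applied only on hosts that are disabling IPv6 and skipped on hosts that keep it, which is the reverse of what those controls need. Please confirm the intended meaning of `ubtu22cis_ipv6_disable` and, if it is the disable switch, gate these three sub-tasks on `ubtu22cis_ipv6_required` as 3.3.11 does. As a point of style, the commit moves `when:` above the module at task level and in the 3.3.1 IPv6 sub-task, but the 3.3.5 and 3.3.8 IPv6 sub-tasks still place `when:` after `ignoreerrors: true`; placing it first in all three keeps the file consistent.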
@@ -1,120 +0,0 @@ ---- - -- name: "3.4.1 | PATCH | Ensure DCCP is disabled" - block: - - name: "3.4.1 | PATCH | Ensure DCCP is disabled | modprobe" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/dccp.conf - regexp: '^(#)?install dccp(\\s|$)' - line: "{{ item }}" - create: true - loop: - - install dccp /bin/true - - blacklist dccp - - - name: "3.4.1 | PATCH | Ensure DCCP is disabled | blacklist" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist cramfs(\\s|$)" - line: "blacklist cramfs" - create: true - mode: '0600' - - when: - - ubtu22cis_rule_3_4_1 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_3.4.1 - - dccp - -- name: "3.4.2 | PATCH | Ensure SCTP is disabled" - block: - - name: "3.4.2 | PATCH | Ensure SCTP is disabled modprobe" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/sctp.conf - regexp: '^(#)?install sctp(\\s|$)' - line: "{{ item }}" - create: true - loop: - - install sctp /bin/true - - blacklist sctp - - - name: "3.4.2 | PATCH | Ensure SCTP is disabled | blacklist" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist sctp(\\s|$)" - line: "blacklist sctp" - create: true - mode: '0600' - - when: - - ubtu22cis_rule_3_4_2 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_3.4.2 - - sctp - -- name: "3.4.3 | PATCH | Ensure RDS is disabled" - block: - - name: "3.4.3 | PATCH | Ensure RDS is disabled | modprobe" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/rds.conf - regexp: '^(#)?install rds(\\s|$)' - line: "{{ item }}" - create: true - loop: - - install rds /bin/true - - blacklist rds - - - name: "3.4.3 | PATCH | Ensure RDS is disabled | blacklist" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist rds(\\s|$)" - line: "blacklist rds" - create: true - mode: '0600' - when: - - ubtu22cis_rule_3_4_3 - tags: - - level2-server - - level2-workstation - 
- automated - - patch - - rule_3.4.3 - - rds - -- name: "3.4.4 | PATCH | Ensure TIPC is disabled" - block: - - name: "3.4.4 | PATCH | Ensure TIPC is disabled | modprobe" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/tipc.conf - regexp: '^(#)?install tipc(\\s|$)' - line: "{{ item }}" - create: true - loop: - - install tipc /bin/true - - blacklist tipc - - - name: "3.4.4 | PATCH | Ensure TIPC is disabled | blacklist" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist tipc(\\s|$)" - line: "blacklist tipc" - create: true - mode: '0600' - - when: - - ubtu22cis_rule_3_4_4 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_3.4.4 - - tipc diff --git a/tasks/section_3/cis_3.5.1.x.yml b/tasks/section_3/cis_3.5.1.x.yml deleted file mode 100644 index 835e3826..00000000 --- a/tasks/section_3/cis_3.5.1.x.yml +++ /dev/null 
@@ -1,185 +0,0 @@ ---- - -- name: "3.5.1.1 | PATCH | Ensure ufw is installed" - ansible.builtin.package: - name: ufw - state: present - when: - - ubtu22cis_rule_3_5_1_1 - - "'ufw' not in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.1.1 - - apt - - ufw - -- name: "3.5.1.2 | PATCH | Ensure iptables-persistent is not installed with ufw" - ansible.builtin.package: - name: iptables-persistent - state: absent - when: - - ubtu22cis_rule_3_5_1_2 - - "'iptables-persistent' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.1.2 - - ufw - -# Adding the allow OpenSSH rule while enabling ufw to allow ansible to run after enabling -- name: "3.5.1.3 | PATCH | Ensure ufw service is enabled" - block: - - name: "3.5.1.3 | PATCH | Ensure ufw service is enabled | ssh port enabled" - community.general.ufw: - rule: allow - name: OpenSSH - state: enabled - - - name: "3.5.1.3 | PATCH | Ensure ufw service is enabled | service" - ansible.builtin.systemd: - name: ufw - enabled: true - state: started - masked: false - when: - - ubtu22cis_rule_3_5_1_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.1.3 - - ufw - -- name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured" - block: - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow in ufw rules" - community.general.ufw: - rule: allow - direction: in - interface: lo - notify: Reload ufw - - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set allow out ufw rules" - community.general.ufw: - rule: allow - direction: out - interface: lo - notify: Reload ufw - - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv4" - community.general.ufw: - rule: deny - direction: in - from_ip: 127.0.0.0/8 - notify: Reload ufw - - - name: "3.5.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules 
IPv6" - community.general.ufw: - rule: deny - direction: in - from_ip: '::1' - when: ubtu22cis_ipv6_required - notify: Reload ufw - when: - - ubtu22cis_rule_3_5_1_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.1.4 - - ufw - -- name: "3.5.1.5 | PATCH | Ensure ufw outbound connections are configured" - block: - - name: "3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Custom ports" - community.general.ufw: - rule: allow - direction: out - to_port: '{{ item }}' - with_items: - - "{{ ubtu22cis_ufw_allow_out_ports }}" - notify: Reload ufw - when: ubtu22cis_ufw_allow_out_ports != "all" - - - name: "3.5.1.5 | PATCH | Ensure ufw outbound connections are configured | Allow all" - community.general.ufw: - rule: allow - direction: out - notify: Reload ufw - when: "'all' in ubtu22cis_ufw_allow_out_ports" - when: - - ubtu22cis_rule_3_5_1_5 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_3.5.1.5 - - ufw - -- name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports" - block: - - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -4tuln - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_5_1_6_open_listen_ports - - - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules" - ansible.builtin.shell: ufw status - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_5_1_6_firewall_rules - - - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings" - ansible.builtin.debug: - msg: - - "Warning!! 
Below are the listening ports and firewall rules" - - "Please create firewall rule for any open ports if not already done" - - "*****---Open Listen Ports---*****" - - "{{ ubtu22cis_3_5_1_6_open_listen_ports.stdout_lines }}" - - "*****---Firewall Rules---*****" - - "{{ ubtu22cis_3_5_1_6_firewall_rules.stdout_lines }}" - - - name: "3.5.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.1.6' - when: - - ubtu22cis_rule_3_5_1_6 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_3.5.1.6 - - ufw - -- name: "3.5.1.7 | PATCH | Ensure ufw default deny firewall policy" - community.general.ufw: - default: deny - direction: "{{ item }}" - notify: Reload ufw - with_items: - - incoming - - outgoing - - routed - when: - - ubtu22cis_rule_3_5_1_7 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.1.7 - - ufw diff --git a/tasks/section_3/cis_3.5.2.x.yml b/tasks/section_3/cis_3.5.2.x.yml deleted file mode 100644 index c23973d6..00000000 --- a/tasks/section_3/cis_3.5.2.x.yml +++ /dev/null 
@@ -1,240 +0,0 @@ ---- - -# --------------- -# --------------- -# NFTables is unsupported with this role. However I have the actions commented out as a guide -# --------------- -# --------------- -- name: "3.5.2.1 | AUDIT | Ensure nftables is installed" - block: - - name: "3.5.2.1 | AUDIT | Ensure nftables is installed | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - - - name: "3.5.2.1 | AUDIT | Ensure nftables is installed | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.1' - when: - - ubtu22cis_rule_3_5_2_1 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.1 - - nftables - -- name: "3.5.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables" - block: - - name: "3.5.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - # ansible.builtin.package: - # name: ufw - # state: absent - - - name: "3.5.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.2' - when: - - ubtu22cis_rule_3_5_2_2 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.2 - - nftables - -- name: "3.5.2.3 | AUDIT | Ensure iptables are flushed with nftables" - block: - - name: "3.5.2.3 | AUDIT | Ensure iptables are flushed with nftables | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. 
Please use UFW, iptables, or manually manage nftables" - # ansible.builtin.iptables: - # flush: yes - - - name: "3.5.2.3 | AUDIT | Ensure iptables are flushed with nftables | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.3' - when: - - ubtu22cis_rule_3_5_2_3 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_3.5.2.3 - - nftables - -- name: "3.5.2.4 | AUDIT | Ensure a nftables table exists" - block: - - name: "3.5.2.4 | AUDIT | Ensure a nftables table exists" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables | Message out warning" - # ansible.builtin.shell: "nft create table {{ ubtu22cis_nftables_table_name }}" - # changed_when: ubtu22cis_3_5_2_4_new_table.rc == 0 - # failed_when: false - # check_mode: false - # register: ubtu22cis_3_5_2_4_new_table - - - name: "3.5.2.4 | AUDIT | Ensure a nftables table exists | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.4' - when: - - ubtu22cis_rule_3_5_2_4 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.2.4 - - nftables - -- name: "3.5.2.5 | AUDIT | Ensure nftables base chains exist" - block: - - name: "3.5.2.5 | AUDIT | Ensure nftables base chains exist" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. 
Please use UFW, iptables, or manually manage nftables | Message out warning" - - - name: "3.5.2.5 | AUDIT | Ensure nftables base chains exist | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.5' - when: - - ubtu22cis_rule_3_5_2_5 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.5 - - nftables - -- name: "3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured" - block: - - name: "3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - - - name: "3.5.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.6' - when: - - ubtu22cis_rule_3_5_2_6 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.6 - - nftables - -- name: "3.5.2.7 | AUDIT | Ensure nftables outbound and established connections are configured" - block: - - name: "3.5.2.7 | AUDIT | Ensure nftables outbound and established connections are configured | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. 
Please use UFW, iptables, or manually manage nftables" - - - name: "3.5.2.7 | AUDIT | Ensure nftables outbound and established connections are configured | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.7' - when: - - ubtu22cis_rule_3_5_2_7 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_3.5.2.7 - - nftables - -- name: "3.5.2.8 | AUDIT | Ensure nftables default deny firewall policy" - block: - - name: "3.5.2.8 | AUDIT | Ensure nftables default deny firewall policy | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - - - name: "3.5.2.8 | AUDIT | Ensure nftables default deny firewall policy | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.8' - when: - - ubtu22cis_rule_3_5_2_8 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.8 - - nftables - -- name: "3.5.2.9 | AUDIT | Ensure nftables service is enabled" - block: - - name: "3.5.2.9 | AUDIT | Ensure nftables service is enabled | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. 
Please use UFW, iptables, or manually manage nftables" - # ansible.builtin.service: - # name: nftables - # state: started - # enabled: yes - - - name: "3.5.2.9 | AUDIT | Ensure nftables service is enabled | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.9' - when: - - ubtu22cis_rule_3_5_2_9 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.9 - - nftables - -- name: "3.5.2.10 | AUDIT | Ensure nftables rules are permanent" - block: - - name: "3.5.2.10 | AUDIT | Ensure nftables rules are permanent | Message out warning" - ansible.builtin.debug: - msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - - - name: "3.5.2.10 | AUDIT | Ensure nftables rules are permanent | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.2.10' - when: - - ubtu22cis_rule_3_5_2_10 - - ubtu22cis_firewall_package == "nftables" - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.2.10 - - nftables diff --git a/tasks/section_3/cis_3.5.3.x.yml b/tasks/section_3/cis_3.5.3.x.yml deleted file mode 100644 index e7af1fda..00000000 --- a/tasks/section_3/cis_3.5.3.x.yml +++ /dev/null 
@@ -1,417 +0,0 @@ ---- - -- name: "3.5.3.1.1 | PATCH | Ensure iptables packages are installed" - ansible.builtin.package: - name: ['iptables', 'iptables-persistent'] - state: present - when: - - ubtu22cis_rule_3_5_3_1_1 - - ubtu22cis_firewall_package == "iptables" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.1.1 - - iptables - -- name: "3.5.3.1.2 | PATCH | Ensure nftables is not installed with iptables" - ansible.builtin.package: - name: nftables - state: absent - purge: "{{ ubtu22cis_purge_apt }}" - when: - - ubtu22cis_rule_3_5_3_1_2 - - ubtu22cis_firewall_package == "iptables" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.1.2 - - iptables - -- name: "3.5.3.1.3 | PATCH | Ensure ufw is uninstalled or disabled with iptables" - ansible.builtin.package: - name: ufw - state: absent - when: - - ubtu22cis_rule_3_5_3_1_3 - - ubtu22cis_firewall_package == "iptables" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.1.3 - - iptables - -- name: "3.5.3.2.1 | PATCH | Ensure iptables default deny firewall policy" - block: - - name: "3.5.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - notify: Iptables persistent - - - name: "3.5.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" - ansible.builtin.iptables: - chain: OUTPUT - protocol: tcp - source_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - notify: Iptables persistent - - - name: "3.5.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" - ansible.builtin.iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - notify: Iptables persistent - - - name: "3.5.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items" - 
ansible.builtin.iptables: - policy: DROP - chain: "{{ item }}" - notify: Iptables persistent - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - ubtu22cis_rule_3_5_3_2_1 - - ubtu22cis_ipv4_required - - not system_is_ec2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.2.1 - - iptables - -- name: "3.5.3.2.2 | PATCH | Ensure iptables loopback traffic is configured" - block: - - name: "3.5.3.2.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - notify: Iptables persistent - - - name: "3.5.3.2.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - notify: Iptables persistent - - - name: "3.5.3.2.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: INPUT - source: 127.0.0.0/8 - jump: DROP - notify: Iptables persistent - when: - - ubtu22cis_rule_3_5_3_2_2 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.2.2 - - iptables - -- name: "3.5.3.2.3 | PATCH | Ensure iptables outbound and established connections are configured" - ansible.builtin.iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - notify: Iptables persistent - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: icmp, 
ctstate: 'ESTABLISHED' } - when: - - ubtu22cis_rule_3_5_3_2_3 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_3.5.3.2.3 - - iptables - -- name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" - block: - - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -4tuln - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_5_3_2_4_open_ports - - - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.shell: iptables -L INPUT -v -n - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_5_3_2_4_current_rules - - - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" - ansible.builtin.debug: - msg: - - "Warning!! Below is the list the open ports and current rules" - - "Please create a rule for any open port that does not have a current rule" - - "Open Ports:" - - "{{ ubtu22cis_3_5_3_2_4_open_ports.stdout_lines }}" - - "Current Rules:" - - "{{ ubtu22cis_3_5_3_2_4_current_rules.stdout_lines }}" - - - name: "3.5.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.3.2.4' - when: - - ubtu22cis_rule_3_5_3_2_4 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.3.2.4 - - iptables - -# --------------- -# --------------- -# This is not a control however using the iptables module only writes to memery -# if a reboot occurs that means changes can revert. 
This task will make the -# above iptables settings permanent -# --------------- -# --------------- -# - name: "Make IPTables persistent | Not a control" -# block: -# - name: "Make IPTables persistent | Install iptables-persistent" -# ansible.builtin.package: -# name: iptables-persistent -# state: present - -# - name: "Make IPTables persistent | Save to persistent files" -# ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" -# changed_when: ubtu22cis_iptables_save.rc == 0 -# failed_when: ubtu22cis_iptables_save.rc > 0 -# register: ubtu22cis_iptables_save -# when: -# - ubtu22cis_firewall_package == "iptables" -# - ubtu22cis_save_iptables_cis_rules -# - ubtu22cis_rule_3_5_3_2_1 or -# ubtu22cis_rule_3_5_3_2_2 or -# ubtu22cis_rule_3_5_3_2_3 or -# ubtu22cis_rule_3_5_3_2_4 - -- name: "3.5.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy" - block: - - name: "3.5.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" - ansible.builtin.iptables: - chain: OUTPUT - protocol: tcp - source_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "3.5.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" - ansible.builtin.iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "3.5.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" - ansible.builtin.iptables: - policy: DROP - chain: "{{ item }}" - ip_version: ipv6 - notify: Ip6tables persistent - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - ubtu22cis_rule_3_5_3_3_1 - - ubtu22cis_ipv6_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.3.1 - - ip6tables - -- name: "3.5.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured" - block: - - name: "3.5.3.3.2 | PATCH | Ensure ip6tables loopback traffic is 
configured | INPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "3.5.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "3.5.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop" - ansible.builtin.iptables: - action: append - chain: INPUT - source: ::1 - jump: DROP - ip_version: ipv6 - notify: Ip6tables persistent - when: - - ubtu22cis_rule_3_5_3_3_2 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv6_required - - not ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_3.5.3.3.2 - - ip6tables - -- name: "3.5.3.3.3 | PATCH | Ensure ip6tables outbound and established connections are configured" - ansible.builtin.iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } - when: - - ubtu22cis_rule_3_5_3_3_3 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv6_required - - not ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_3.5.3.3.3 - - ip6tables - -- name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" - block: - - name: "3.5.3.3.4 
| AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -6tuln - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_5_3_3_4_open_ports - - - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.shell: ip6tables -L INPUT -v -n - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_3_5_3_3_4_current_rules - - - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" - ansible.builtin.debug: - msg: - - "Warning!! Below is the list the open ports and current rules" - - "Please create a rule for any open port that does not have a current rule" - - "Open Ports:" - - "{{ ubtu22cis_3_5_3_3_4_open_ports.stdout_lines }}" - - "Current Rules:" - - "{{ ubtu22cis_3_5_3_3_4_current_rules.stdout_lines }}" - - - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '3.5.3.3.4' - when: - - ubtu22cis_rule_3_5_3_3_4 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv6_required - - not ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_3.5.3.3.4 - - ip6tables - -# --------------- -# --------------- -# This is not a control however using the ip6tables module only writes to memery -# if a reboot occurs that means changes can revert. 
This task will make the -# above ip6tables settings permanent -# --------------- -# --------------- -# via handler -# - name: "Make IP6Tables persistent | Not a control" -# block: -# - name: "Make IP6Tables persistent | Install iptables-persistent" -# ansible.builtin.package: -# name: iptables-persistent -# state: present -# when: "'iptables-persistent' not in ansible_facts.packages" - -# - name: "Make IP6Tables persistent | Save to persistent files" -# ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" -# changed_when: ubtu22cis_ip6tables_save.rc == 0 -# failed_when: ubtu22cis_ip6tables_save.rc > 0 -# register: ubtu22cis_ip6tables_save -# when: -# - ubtu22cis_firewall_package == "iptables" -# - ubtu22cis_ipv6_required -# - not ubtu22cis_ipv4_required -# - ubtu22cis_save_iptables_cis_rules -# - ubtu22cis_rule_3_5_3_3_1 or -# ubtu22cis_rule_3_5_3_3_2 or -# ubtu22cis_rule_3_5_3_3_3 or -# ubtu22cis_rule_3_5_3_3_4 diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index a3b9162a..5bc0bec0 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml 
@@ -1,32 +1,13 @@
 ---
-- name: "SECTION | 3.1 | Disable unused network protocols and devices"
+- name: "SECTION | 3.1 | Configure Network Devices"
 ansible.builtin.import_tasks:
- file: cis_3.1.x.yml
+ file: cis_3.1.x.yml
-- name: "SECTION | 3.2 | Network Parameters Host Only"
+- name: "SECTION | 3.2 | Configure Network Kernel Modules"
 ansible.builtin.import_tasks:
- file: cis_3.2.x.yml
+ file: cis_3.2.x.yml
-- name: "SECTION | 3.3 | Network Parameters Host and Router"
+- name: "SECTION | 3.3 | Configure Network Kernel Parameters"
 ansible.builtin.import_tasks:
- file: cis_3.3.x.yml
-
-- name: "SECTION | 3.4 | Uncommon Network Protocols"
- ansible.builtin.import_tasks:
- file: cis_3.4.x.yml
-
-- name: "SECTION | 3.5.1 | UFW Firewall Configuration"
- ansible.builtin.import_tasks:
- file: cis_3.5.1.x.yml
- when: ubtu22cis_firewall_package == "ufw"
-
-- name: "SECTION | 3.5.2 | nftables Firewall Configuration"
- ansible.builtin.import_tasks:
- file: cis_3.5.2.x.yml
- when: ubtu22cis_firewall_package == "nftables"
-
-- name: "SECTION | 3.5.3 | iptables Firewall Configuration"
- ansible.builtin.import_tasks:
- file: cis_3.5.3.x.yml
- when: ubtu22cis_firewall_package == "iptables"
+ file: cis_3.3.x.yml
diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml
deleted file mode 100644
index a3e5ad5b..00000000
--- a/tasks/section_4/cis_4.1.1.x.yml
+++ /dev/null
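Review bot: Removing the three `when: ubtu22cis_firewall_package == ...` imports here drops the only visible place where the selected firewall implementation gated which firewall tasks run, while the replacement `tasks/section_4/cis_4.1.x.yml` added later in this patch conditions its ufw tasks only on `ubtu22cis_rule_4_1_*` and the package facts. Unless `tasks/section_4/main.yml` (not in this chunk) reinstates that guard, a host that was previously run with `ubtu22cis_firewall_package: iptables` would get ufw installed and enabled (4.1.1/4.1.3) and `iptables-persistent` removed (4.1.2), after which its saved iptables rules would presumably no longer be restored at boot. Either keep the guard on the section-4 import, `when: ubtu22cis_firewall_package == "ufw"`, or state explicitly in `defaults/main.yml` and the README that v2.0 of the role manages ufw only and that `ubtu22cis_firewall_package` is no longer honoured. The `file:` lines are shown as removed and re-added with no visible text change, so presumably only their indentation changed.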
@@ -1,103 +0,0 @@ ---- - -- name: "4.1.1.1 | PATCH | Ensure auditd is installed" - ansible.builtin.package: - name: ['auditd', 'audispd-plugins'] - state: present - when: - - ubtu22cis_rule_4_1_1_1 - - "'auditd' not in ansible_facts.packages or - 'auditd-plugins' not in ansible_facts.packages" - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.1.1 - - auditd - -- name: "4.1.1.2 | PATCH | Ensure auditd service is enabled" - ansible.builtin.service: - name: auditd - state: started - enabled: true - when: - - ubtu22cis_rule_4_1_1_2 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.1.2 - - auditd - -- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" - block: - - name: "4.1.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" - ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_4_1_1_3_cmdline_settings - - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist" - ansible.builtin.lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu22cis_4_1_1_3_cmdline_settings.stdout }} audit=1"' - when: "'audit=' not in ubtu22cis_4_1_1_3_cmdline_settings.stdout" - notify: Grub update - - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists" - ansible.builtin.replace: - dest: /etc/default/grub - regexp: 'audit=([0-9]+)' - replace: 'audit=1' - after: '^GRUB_CMDLINE_LINUX="' - before: '"' - notify: Grub update - when: "'audit=' in ubtu22cis_4_1_1_3_cmdline_settings.stdout" - when: - - ubtu22cis_rule_4_1_1_3 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.1.3 - - auditd - -- 
name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" - block: - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Get current GRUB_CMDLINE_LINUX" - ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_4_1_1_4_cmdline_settings - - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist" - ansible.builtin.lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu22cis_4_1_1_4_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu22cis_audit_back_log_limit }}"' - notify: Grub update - when: "'audit_backlog_limit=' not in ubtu22cis_4_1_1_4_cmdline_settings.stdout" - - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists" - ansible.builtin.replace: - dest: /etc/default/grub - regexp: 'audit_backlog_limit=([0-9]+)' - replace: 'audit_backlog_limit={{ ubtu22cis_audit_back_log_limit }}' - after: '^GRUB_CMDLINE_LINUX="' - before: '"' - notify: Grub update - when: - - ubtu22cis_rule_4_1_1_4 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.1.4 - - auditd diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml deleted file mode 100644 index f1886c7b..00000000 --- a/tasks/section_4/cis_4.1.2.x.yml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- - -- name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured" - ansible.builtin.lineinfile: - dest: /etc/audit/auditd.conf - regexp: "^max_log_file( |=)" - line: "max_log_file = {{ ubtu22cis_max_log_file_size }}" - state: present - register: rule_4_1_2_1 - notify: Restart auditd - when: - - ubtu22cis_rule_4_1_2_1 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.2.1 - - auditd - -- name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" - ansible.builtin.lineinfile: - path: /etc/audit/auditd.conf - regexp: '^max_log_file_action' - line: "max_log_file_action = {{ ubtu22cis_auditd['max_log_file_action'] }}" - register: rule_4_1_2_2 - notify: Restart auditd - when: - - ubtu22cis_rule_4_1_2_2 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.2.2 - - auditd - -- name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" - ansible.builtin.lineinfile: - path: /etc/audit/auditd.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - register: rule_4_1_2_3 - notify: Restart auditd - with_items: - - { regexp: '^space_left_action', line: "space_left_action = {{ ubtu22cis_auditd['space_left_action'] }}" } - - { regexp: '^action_mail_acct', line: "action_mail_acct = {{ ubtu22cis_auditd['action_mail_acct'] }}" } - - { regexp: '^admin_space_left_action', line: "admin_space_left_action = {{ ubtu22cis_auditd['admin_space_left_action'] }}" } - when: - - ubtu22cis_rule_4_1_2_3 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.2.3 - - auditd diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml deleted file mode 100644 index 6c1018d2..00000000 --- a/tasks/section_4/cis_4.1.3.x.yml +++ /dev/null 
@@ -1,287 +0,0 @@ ---- - -- name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_1 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.1 - - auditd - -- name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged" - ansible.builtin.set_fact: - update_audit_template: true - notify: restart auditd - when: - - ubtu22cis_rule_4_1_3_2 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.2 - - auditd - -- name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - ansible.builtin.set_fact: - update_audit_template: true - notify: restart auditd - when: - - ubtu22cis_rule_4_1_3_3 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.3 - - auditd - -- name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_4 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.4 - - auditd - -- name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_5 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.5 - - auditd - -- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - block: - - name: "4.1.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" - ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done - register: priv_procs - changed_when: false 
- check_mode: false - - - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected | Set privileged rules" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_6 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.6 - - auditd - -- name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_7 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.7 - - auditd - -- name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_8 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.8 - - auditd - -- name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_9 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.9 - - auditd - -- name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - ubtu22cis_rule_4_1_3_10 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.10 - - auditd - -- name: "4.1.3.11 | PATCH | Ensure session initiation information is collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_11 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.11 - - auditd - -- name: "4.1.3.12 | PATCH | Ensure login and logout events are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_12 - tags: - - level2-server - - level2-workstation - - automated - - 
patch - - rule_4.1.3.12 - - auditd - -- name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_13 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.13 - - auditd - -- name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_14 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.14 - - auditd - -- name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_15 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.15 - - auditd - -- name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_16 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.16 - - auditd - -- name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_17 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.17 - - auditd - -- name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_18 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.18 - - auditd - -- name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected" - ansible.builtin.set_fact: - 
update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_19 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_4.1.3.19 - - auditd - -- name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable" - ansible.builtin.set_fact: - update_audit_template: true - when: - - ubtu22cis_rule_4_1_3_20 - tags: - - level2-server - - level2-workstation - - automated - - scored - - patch - - rule_4.1.3.20 - - auditd - -- name: "4.1.3.21 | PATCH | Ensure the running and on disk configuration is the same" - ansible.builtin.shell: augenrules --check - changed_when: false - register: ubtu22cis_rule_4_1_3_21_augen_check - when: - - ubtu22cis_rule_4_1_3_21 - tags: - - level2-server - - level2-workstation - - automated - - scored - - patch - - rule_4.1.3.21 - - auditd diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml deleted file mode 100644 index b97e9b71..00000000 --- a/tasks/section_4/cis_4.1.4.x.yml +++ /dev/null 
@@ -1,207 +0,0 @@ ---- - -- name: | - "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive" - "4.1.4.2 | PATCH | Ensure only authorized users own audit log files" - "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" - - block: - - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file" - ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' - changed_when: false - register: audit_discovered_logfile - - - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | stat file" - ansible.builtin.stat: - path: "{{ audit_discovered_logfile.stdout }}" - changed_when: false - register: auditd_logfile - - - name: | - "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive" - "4.1.4.2 | PATCH | Ensure only authorized users own audit log files" - "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" - ansible.builtin.file: - path: "{{ audit_discovered_logfile.stdout }}" - mode: "{% if auditd_logfile.stat.mode > '0640' %}0640{% endif %}" - owner: root - group: root - when: - - ubtu22cis_rule_4_1_4_1 or - ubtu22cis_rule_4_1_4_2 or - ubtu22cis_rule_4_1_4_3 - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.1 - - rule_4.1.4.2 - - rule_4.1.4.3 - -- name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive" - block: - - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions" - ansible.builtin.stat: - path: "{{ audit_discovered_logfile.stdout | dirname }}" - register: auditlog_dir - - - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set" - ansible.builtin.file: - path: "{{ audit_discovered_logfile.stdout | dirname }}" - state: directory - mode: '0750' - when: not auditlog_dir.stat.mode is match('07(0|5)0') - when: - - 
ubtu22cis_rule_4_1_4_4 - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.4 - -- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" - ansible.builtin.file: - path: "{{ item.path }}" - mode: '0640' - loop: "{{ auditd_conf_files.files }}" - loop_control: - label: "{{ item.path }}" - when: - - ubtu22cis_rule_4_1_4_5 - - item.mode > '0640' - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.5 - -- name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root" - ansible.builtin.file: - path: "{{ item.path }}" - owner: root - loop: "{{ auditd_conf_files.files }}" - loop_control: - label: "{{ item.path }}" - when: - - ubtu22cis_rule_4_1_4_6 - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.6 - -- name: "4.1.4.7 | PATCH | Ensure audit configuration files belong to group root" - ansible.builtin.file: - path: "{{ item.path }}" - group: root - loop: "{{ auditd_conf_files.files }}" - loop_control: - label: "{{ item.path }}" - when: - - ubtu22cis_rule_4_1_4_7 - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.7 - -- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive" - block: - - name: "4.1.4.8 | AUDIT | Get audit binary file stat | get current mode" - ansible.builtin.stat: - path: "{{ item }}" - register: "audit_bins" - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules - - - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" - ansible.builtin.file: - path: "{{ item.item }}" - mode: '0750' - - loop: "{{ audit_bins.results }}" - loop_control: - label: "{{ item.item }}" - when: not item.stat.mode is match('07(0|5)0') - when: - - ubtu22cis_rule_4_1_4_8 - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.8 - -- name: "4.1.4.9 | PATCH | 
Ensure audit tools are owned by root" - ansible.builtin.file: - path: "{{ item }}" - owner: root - group: root - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules - when: - - ubtu22cis_rule_4_1_4_9 - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.9 - -- name: "4.1.4.10 | PATCH | Ensure audit tools belong to group root" - ansible.builtin.file: - path: "{{ item }}" - group: root - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules - when: - - ubtu22cis_rule_4_1_4_10 - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.10 - -- name: "4.1.4.11 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" - ansible.builtin.lineinfile: - path: /etc/aide/aide.conf - regexp: "{{ item }}" - line: "{{ item }}" - loop: - - '# Audit tools' - - /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 - - /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 - - /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 - - /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - - /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 - - /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 - when: - - ubtu22cis_rule_4_1_4_11 and - ubtu22cis_config_aide - tags: - - level1-server - - level1-workstation - - patch - - auditd - - rule_4.1.4.11 diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml new file mode 100644 index 00000000..38795f24 --- /dev/null +++ b/tasks/section_4/cis_4.1.x.yml 
@@ -0,0 +1,178 @@
+---
+
+- name: "4.1.1 | PATCH | Ensure ufw is installed"
+  when:
+    - ubtu22cis_rule_4_1_1
+    - "'ufw' not in ansible_facts.packages"
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_4.1.1
+    - apt
+    - ufw
+  ansible.builtin.package:
+    name: ufw
+    state: present
+
+- name: "4.1.2 | PATCH | Ensure iptables-persistent is not installed with ufw"
+  when:
+    - ubtu22cis_rule_4_1_2
+    - "'iptables-persistent' in ansible_facts.packages"
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_4.1.2
+    - ufw
+  ansible.builtin.package:
+    name: iptables-persistent
+    state: absent
+
+# Adding the allow OpenSSH rule while enabling ufw to allow ansible to run after enabling
+- name: "4.1.3 | PATCH | Ensure ufw service is enabled"
+  when:
+    - ubtu22cis_rule_4_1_3
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_4.1.3
+    - ufw
+  block:
+    - name: "4.1.3 | PATCH | Ensure ufw service is enabled | ssh port enabled"
+      community.general.ufw:
+        rule: allow
+        name: OpenSSH
+        state: enabled
+
+    - name: "4.1.3 | PATCH | Ensure ufw service is enabled | service"
+      ansible.builtin.systemd:
+        name: ufw
+        enabled: true
+        state: started
+        masked: false
+
+- name: "4.1.4 | PATCH | Ensure loopback traffic is configured"
+  when:
+    - ubtu22cis_rule_4_1_4
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_4.1.4
+    - ufw
+  block:
+    - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set allow in ufw rules"
+      community.general.ufw:
+        rule: allow
+        direction: in
+        interface: lo
+      notify: Reload ufw
+
+    - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set allow out ufw rules"
+      community.general.ufw:
+        rule: allow
+        direction: out
+        interface: lo
+      notify: Reload ufw
+
+    - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv4"
+      community.general.ufw:
+        rule: deny
+        direction: in
+        from_ip: 127.0.0.0/8
+      notify: Reload ufw
+
+    - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv6"
+      when: ubtu22cis_ipv6_required
+      community.general.ufw:
+        rule: deny
+        direction: in
+        from_ip: '::1'
+      notify: Reload ufw
+
+- name: "4.1.5 | PATCH | Ensure ufw outbound connections are configured"
+  when:
+    - ubtu22cis_rule_4_1_5
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_4.1.5
+    - ufw
+  block:
+    - name: "4.1.5 | PATCH | Ensure ufw outbound connections are configured | Custom ports"
+      when: ubtu22cis_ufw_allow_out_ports != "all"
+      community.general.ufw:
+        rule: allow
+        direction: out
+        to_port: '{{ item }}'
+      with_items:
+        - "{{ ubtu22cis_ufw_allow_out_ports }}"
+      notify: Reload ufw
+
+    - name: "4.1.5 | PATCH | Ensure ufw outbound connections are configured | Allow all"
+      when: "'all' in ubtu22cis_ufw_allow_out_ports"
+      community.general.ufw:
+        rule: allow
+        direction: out
+      notify: Reload ufw
+
+- name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports"
+  when:
+    - ubtu22cis_rule_4_1_6
+  tags:
+    - level1-server
+    - level1-workstation
+    - audit
+    - rule_4.1.6
+    - ufw
+  vars:
+    warn_control_id: '4.1.6'
+  block:
+    - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of open ports"
+      ansible.builtin.shell: ss -4tuln
+      changed_when: false
+      failed_when: false
+      check_mode: false
+      register: ubtu22cis_4_1_6_open_listen_ports
+
+    - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules"
+      ansible.builtin.shell: ufw status
+      changed_when: false
+      failed_when: false
+      check_mode: false
+      register: ubtu22cis_4_1_6_firewall_rules
+
+    - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings"
+      ansible.builtin.debug:
+        msg:
+          - "Warning!! Below are the listening ports and firewall rules"
+          - "Please create firewall rule for any open ports if not already done"
+          - "*****---Open Listen Ports---*****"
+          - "{{ ubtu22cis_4_1_6_open_listen_ports.stdout_lines }}"
+          - "*****---Firewall Rules---*****"
+          - "{{ ubtu22cis_4_1_6_firewall_rules.stdout_lines }}"
+
+    - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Set warning count"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
+
+- name: "4.1.7 | PATCH | Ensure ufw default deny firewall policy"
+  when:
+    - ubtu22cis_rule_4_1_7
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_4.1.7
+    - ufw
+  community.general.ufw:
+    default: deny
+    direction: "{{ item }}"
+  loop:
+    - incoming
+    - outgoing
+    - routed
+  notify: Reload ufw
diff --git a/tasks/section_4/cis_4.2.1.1.x.yml b/tasks/section_4/cis_4.2.1.1.x.yml
deleted file mode 100644
index 4159572c..00000000
--- a/tasks/section_4/cis_4.2.1.1.x.yml
+++ /dev/null
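Review bot: The two `when` guards in 4.1.5 disagree on the type of `ubtu22cis_ufw_allow_out_ports`: the "Custom ports" task compares it to the string `"all"` while the "Allow all" task tests `'all' in ...`, so a list value that contains "all" satisfies both and the first task loops with `to_port: all`. Making the first guard the exact negation of the second, `when: "'all' not in ubtu22cis_ufw_allow_out_ports"`, keeps the two tasks mutually exclusive for both string and list values. Separately, the 4.1.6 audit only lists IPv4 listeners (`ss -4tuln`) even though 4.1.4 adds an IPv6 deny rule when `ubtu22cis_ipv6_required`, so IPv6 listeners never appear in the warning; `ss -tuln` would cover both families. Neither command in 4.1.6 uses shell features, so `ansible.builtin.command` would be the more conservative module for both.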
@@ -1,70 +0,0 @@ ---- - -- name: "4.2.1.1.1 | PATCH | Ensure systemd-journal-remote is installed" - ansible.builtin.package: - name: systemd-journal-remote - state: present - when: - - ubtu22cis_rule_4_2_1_1_1 - - not ubtu22cis_system_is_log_server - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.1.1.1 - -- name: "4.2.1.1.2 | PATCH | Ensure systemd-journal-remote is configured" - ansible.builtin.lineinfile: - path: /etc/systemd/journal-upload.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - notify: Restart journald - loop: - - { regexp: 'URL=', line: 'URL={{ ubtu22cis_remote_log_server }}'} - - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ ubtu22cis_journal_upload_serverkeyfile }}'} - - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ ubtu22cis_journal_servercertificatefile }}'} - - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ ubtu22cis_journal_trustedcertificatefile }}'} - when: - - ubtu22cis_rule_4_2_1_1_2 - - not ubtu22cis_system_is_log_server - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.1.1.2 - -- name: "4.2.1.1.3 | PATCH | Ensure systemd-journal-remote is enabled" - ansible.builtin.systemd: - name: systemd-journal-upload - state: started - enabled: true - when: - - not ubtu22cis_system_is_log_server - - ubtu22cis_rule_4_2_1_1_3 - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.1.1.3 - -- name: "4.2.1.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" - ansible.builtin.systemd: - name: systemd-journal-remote.socket - state: stopped - enabled: false - masked: true - when: - - not ubtu22cis_system_is_log_server - - ubtu22cis_rule_4_2_1_1_4 - tags: - - level1-server - - level1-workstation - - patch - - journald - - rule_4.2.1.1.4 
diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml deleted file mode 100644 index bdf81c98..00000000 --- a/tasks/section_4/cis_4.2.1.x.yml +++ /dev/null 
@@ -1,125 +0,0 @@ ---- - -- name: "4.2.1.2 | PATCH | Ensure journald service is enabled" - block: - - name: "4.2.1.2 | AUDIT | Ensure journald service is enabled | Capture status" - ansible.builtin.shell: systemctl is-enabled systemd-journald.service - changed_when: false - failed_when: false - register: ubtu22cis_4_2_1_2_status - - - name: "4.2.1.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" - ansible.builtin.debug: - msg: - - "Warning!! The status of systemd-journald should be static and it is not. Please investigate" - when: "'static' not in ubtu22cis_4_2_1_2_status.stdout" - - - name: "4.2.1.2 | AUDIT | Ensure journald service is enabled | Warn Count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: "'static' not in ubtu22cis_4_2_1_2_status.stdout" - vars: - warn_control_id: '4.2.1.2' - when: - - ubtu22cis_rule_4_2_1_2 - tags: - - level1-server - - level1-workstation - - audit - - journald - - rule_4.2.1.2 - -- name: "4.2.1.3 | PATCH | Ensure journald is configured to compress large log files" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: '^(#|)Compress=' - line: Compress=yes - notify: Restart journald - when: - - ubtu22cis_rule_4_2_1_3 - tags: - - level1-server - - level1-workstation - - patch - - journald - - rule_4.2.1.3 - -- name: "4.2.1.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: '^(#|)Storage=' - line: Storage=persistent - notify: Restart journald - when: - - ubtu22cis_rule_4_2_1_4 - tags: - - level1-server - - level1-workstation - - patch - - journald - - rule_4.2.1.4 - -- name: "4.2.1.5 | PATCH | Ensure journald is not configured to send logs to rsyslog" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: '^ForwardToSyslog=' - line: '#ForwardToSyslog=yes' - notify: Restart journald - when: - - ubtu22cis_rule_4_2_1_5 - tags: - - level1-server - - 
level2-workstation - - manual - - patch - - journald - - rule_4.2.1.5 - -- name: "4.2.1.6 | PATCH | Ensure journald log rotation is configured per site policy" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - notify: Restart journald - loop: - - { regexp: '^(#|\s+)SystemMaxUse=', line: "{{ ubtu22cis_journald_systemmaxuse }}" } - - { regexp: '^(#|\s+)SystemKeepFree=', line: "{{ ubtu22cis_journald_systemkeepfree }}" } - - { regexp: '^(#|\s+)RuntimeMaxUse=', line: "{{ ubtu22cis_journald_runtimemaxuse }}" } - - { regexp: '^(#|\s+)RuntimeKeepFree=', line: "{{ ubtu22cis_journald_runtimekeepfree }}" } - - { regexp: '^(#|\s+)MaxFileSec=', line: "{{ ubtu22cis_journald_maxfilesec }}" } - when: - - ubtu22cis_rule_4_2_1_6 - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.1.6 - -- name: "4.2.1.7 | AUDIT | Ensure journald default file permissions configured" - block: - - name: "4.2.1.7 | AUDIT | Ensure journald default file permissions configured | Check for override file" - ansible.builtin.stat: - path: /etc/tmpfiles.d/systemd.conf - register: ubtu22cis_4_2_1_7_override - - - name: "4.2.1.7 | AUDIT | Ensure journald default file permissions configured | Set live file" - ansible.builtin.set_fact: - systemd_conf_file: /etc/tmpfiles.d/systemd.conf - when: ubtu22cis_4_2_1_7_override.stat.exists - - - name: "4.2.1.7 | PATCH | Ensure journald default file permissions configured | Set permission" - ansible.builtin.lineinfile: - path: "{{ systemd_conf_file | default('/usr/lib/tmpfiles.d/systemd.conf') }}" - regexp: '^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root' - line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -' - when: - - ubtu22cis_rule_4_2_1_7 - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.1.7 
diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml deleted file mode 100644 index 7775936c..00000000 --- a/tasks/section_4/cis_4.2.2.x.yml +++ /dev/null 
@@ -1,179 +0,0 @@ ---- - -- name: "4.2.2.1 | PATCH | Ensure rsyslog is installed" - ansible.builtin.package: - name: rsyslog - state: present - when: - - ubtu22cis_rule_4_2_2_1 - - "'rsyslog' not in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_4.2.2.1 - - rsyslog - - apt - -- name: "4.2.2.2 | PATCH | Ensure rsyslog Service is enabled" - ansible.builtin.systemd: - name: rsyslog - enabled: true - when: - - ubtu22cis_rule_4_2_2_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_4.2.2.2 - - rsyslog - -- name: "4.2.2.3 | PATCH | Ensure journald is configured to send logs to rsyslog" - ansible.builtin.lineinfile: - path: /etc/systemd/journald.conf - regexp: ^ForwardToSyslog= - line: ForwardToSyslog=yes - notify: Restart syslog service - when: - - ubtu22cis_rule_4_2_2_3 - tags: - - level1-server - - level1-workstation - - manual - - patch - - journald - - rule_4.2.2.3 - -- name: "4.2.2.4 | PATCH | Ensure rsyslog default file permissions configured" - ansible.builtin.lineinfile: - path: /etc/rsyslog.conf - regexp: '^\$FileCreateMode|^#\$FileCreateMode' - line: '$FileCreateMode 0640' - notify: Restart syslog service - when: - - ubtu22cis_rule_4_2_2_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_4.2.2.4 - - rsyslog - -- name: "4.2.2.5 | PATCH | Ensure logging is configured" - block: - - name: "4.2.2.5 | AUDIT | Ensure logging is configured | Find configuration file" - ansible.builtin.shell: grep -r "*.emerg" /etc/* | cut -f1 -d":" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_4_2_2_5_rsyslog_config_path - - - name: "4.2.2.5 | AUDIT | Ensure logging is configured | Gather rsyslog current config" - ansible.builtin.shell: "cat {{ ubtu22cis_4_2_2_5_rsyslog_config_path.stdout }}" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_4_2_2_5_rsyslog_config - - - name: "4.2.2.5 | 
AUDIT | Ensure logging is configured | Message out config" - ansible.builtin.debug: - msg: - - "Warning!! Below is the current logging configurations for rsyslog, please review" - - "{{ ubtu22cis_4_2_2_5_rsyslog_config.stdout_lines }}" - when: not ubtu22cis_rsyslog_ansible_managed - - - name: "4.2.2.5 | PATCH | Ensure logging is configured | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: not ubtu22cis_rsyslog_ansible_managed - - - name: "4.2.2.5 | PATCH | Ensure logging is configured | Automated rsyslog configuration" - ansible.builtin.lineinfile: - path: "{{ ubtu22cis_4_2_2_5_rsyslog_config_path.stdout }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: "{{ item.insertafter }}" - with_items: - - { regexp: '^\*.emerg', line: '*.emerg :omusrmsg:*', insertafter: '^# Emergencies are sent to everybody logged in' } - - { regexp: '^auth,authpriv.\*', line: 'auth,authpriv.* /var/log/secure', insertafter: '^# First some standard log files. Log by facility' } - - { regexp: '^mail.\*|^#mail.\*', line: 'mail.* -/var/log/mail', insertafter: '^# First some standard log files' } - - { regexp: '^cron.\*|^#cron.\*', line: 'cron.* /var/log/cron', insertafter: '^# First some standard log files' } - - { regexp: '^mail.info|^#mail.info', line: 'mail.info -/var/log/mail.info', insertafter: '^# Logging for the mail system' } - - { regexp: '^mail.warn|^#mail.warn', line: 'mail.warning -/var/log/mail.warn', insertafter: '^# Logging for the mail system.' } - - { regexp: '^mail.err|^#mail.err', line: 'mail.err /var/log/mail.err', insertafter: '^# Logging for the mail system.' 
} - - { regexp: '^\*.=warning;\*.=err|^#\*.=warning;\*.=err', line: '*.=warning;*.=err -/var/log/warn', insertafter: '^# First some standard log files' } - - { regexp: '^\*.crit|^#\*.crit', line: '*.crit /var/log/warn', insertafter: '^# First some standard log files' } - - { regexp: '^\*.\*;mail.none;news.none|^#\*.\*;mail.none;news.none', line: '*.*;mail.none;news.none -/var/log/messages', insertafter: '^# First some standard log files' } - - { regexp: '^local0,local1.\*|^#local0,local1.\*', line: 'local0,local1.* -/var/log/localmessages', insertafter: '^# First some standard log files' } - - { regexp: '^local2,local3.\*|^#local2,local3.\*', line: 'local2,local3.* -/var/log/localmessages', insertafter: '^# First some standard log files' } - - { regexp: '^local4,local5.\*|^#local4,local5.\*', line: 'local4,local5.* -/var/log/localmessages', insertafter: '^# First some standard log files' } - - { regexp: '^local6,local7.\*|^#local6,local7.\*', line: 'local6,local7.* -/var/log/localmessages', insertafter: '^# First some standard log files' } - loop_control: - label: "{{ item.line }}" - notify: Restart syslog service - when: ubtu22cis_rsyslog_ansible_managed - vars: - warn_control_id: '4.2.2.5' - when: - - ubtu22cis_rule_4_2_2_5 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_4.2.2.5 - - rsyslog - -- name: "4.2.2.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" - ansible.builtin.blockinfile: - path: /etc/rsyslog.conf - block: | - ##Enable sending of logs over TCP add the following line: - *.* @@{{ ubtu22cis_remote_log_server }} - insertafter: EOF - when: - - ubtu22cis_rule_4_2_2_6 - - not ubtu22cis_system_is_log_server - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_4.2.2.6 - - rsyslog - -- name: "4.2.2.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client" - block: - - name: "4.2.2.7 | PATCH | Ensure rsyslog is not configured to receive logs from a 
remote client | When not a log host" - ansible.builtin.replace: - path: /etc/rsyslog.conf - regexp: '({{ item }})' - replace: '#\1' - with_items: - - '^(\$ModLoad|module(load="imtcp"))' - - '^(\$(InputTCP|InputRELP|UDP)ServerRun|input(type="imtcp" port=".*"))' - notify: Restart syslog service - when: not ubtu22cis_system_is_log_server - - - name: "4.2.2.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When a log server" - ansible.builtin.lineinfile: - path: /etc/rsyslog.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - with_items: - - { regexp: '^\$ModLoad|^#\$ModLoad', line: '$ModLoad imtcp' } - - { regexp: '^\$InputTCPServerRun|^#\$InputTCPServerRun', line: '$InputTCPServerRun 514' } - notify: Restart syslog service - when: ubtu22cis_system_is_log_server - when: - - ubtu22cis_rule_4_2_2_7 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_4.2.2.7 - - rsyslog diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml deleted file mode 100644 index da728946..00000000 --- a/tasks/section_4/cis_4.2.3.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- - -- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" - block: - - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" - ansible.builtin.find: - paths: "/var/log" - file_type: file - recurse: true - hidden: true - register: logfiles - - - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions" - ansible.builtin.file: - path: "{{ item.path }}" - mode: '0640' - loop: "{{ logfiles.files }}" - loop_control: - label: "{{ item.path }}" - when: - - item.path != "/var/log/btmp" - - item.path != "/var/log/utmp" - - item.path != "/var/log/wtmp" - when: - - ubtu22cis_rule_4_2_3 - tags: - - level1-server - - level1-workstation - - patch - - logfiles - - rule_4.2.3 
diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml new file mode 100644 index 00000000..a2c85701 --- /dev/null +++ b/tasks/section_4/cis_4.2.x.yml 
@@ -0,0 +1,230 @@
+---
+
+# ---------------
+# ---------------
+# NFTables is unsupported with this role. However I have the actions commented out as a guide
+# ---------------
+# ---------------
+- name: "4.2.1 | AUDIT | Ensure nftables is installed"
+  when:
+    - ubtu22cis_rule_4_2_1
+    - ubtu22cis_firewall_package == "nftables"
+  tags:
+    - level1-server
+    - level1-workstation
+    - audit
+    - rule_4.2.1
+    - nftables
+  vars:
+    warn_control_id: '4.2.1'
+  block:
+    - name: "4.2.1 | AUDIT | Ensure nftables is installed | Message out warning"
+      ansible.builtin.debug:
+        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+
+    - name: "4.2.1 | AUDIT | Ensure nftables is installed | Set warning count"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
+
+- name: "4.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables"
+  when:
+    - ubtu22cis_rule_4_2_2
+    - ubtu22cis_firewall_package == "nftables"
+  tags:
+    - level1-server
+    - level1-workstation
+    - audit
+    - rule_4.2.2
+    - nftables
+  vars:
+    warn_control_id: '4.2.2'
+  block:
+    - name: "4.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables | Message out warning"
+      ansible.builtin.debug:
+        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+      # ansible.builtin.package:
+      #   name: ufw
+      #   state: absent
+
+    - name: "4.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables | Set warning count"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
+
+- name: "4.2.3 | AUDIT | Ensure iptables are flushed with nftables"
+  when:
+    - ubtu22cis_rule_4_2_3
+    - ubtu22cis_firewall_package == "nftables"
+  tags:
+    - level1-server
+    - level1-workstation
+    - audit
+    - rule_4.2.3
+    - nftables
+  vars:
+    warn_control_id: '4.2.3'
+  block:
+    - name: "4.2.3 | AUDIT | Ensure iptables are flushed with nftables | Message out warning"
+      ansible.builtin.debug:
+        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+      # ansible.builtin.iptables:
+      #   flush: yes
+
+    - name: "4.2.3 | AUDIT | Ensure iptables are flushed with nftables | Set warning count"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
+
+- name: "4.2.4 | AUDIT | Ensure a nftables table exists"
+  when:
+    - ubtu22cis_rule_4_2_4
+    - ubtu22cis_firewall_package == "nftables"
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_4.2.4
+    - nftables
+  vars:
+    warn_control_id: '4.2.4'
+  block:
+    - name: "4.2.4 | AUDIT | Ensure a nftables table exists"
+      ansible.builtin.debug:
+        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables | Message out warning"
+      # ansible.builtin.shell: "nft create table {{ ubtu22cis_nftables_table_name }}"
+      # changed_when: ubtu22cis_4_2_4_new_table.rc == 0
+      # failed_when: false
+      # check_mode: false
+      # register: ubtu22cis_4_2_4_new_table
+
+    - name: "4.2.4 | AUDIT | Ensure a nftables table exists | Set warning count"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
+
+- name: "4.2.5 | AUDIT | Ensure nftables base chains exist"
+  when:
+    - ubtu22cis_rule_4_2_5
+    - ubtu22cis_firewall_package == "nftables"
+  tags:
+    - level1-server
+    - level1-workstation
+    - audit
+    - rule_4.2.5
+    - nftables
+  vars:
+    warn_control_id: '4.2.5'
+  block:
+    - name: "4.2.5 | AUDIT | Ensure nftables base chains exist"
+      ansible.builtin.debug:
+        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables | Message out warning"
+
+    - name: "4.2.5 | AUDIT | Ensure nftables base chains exist | Set warning count"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
+
+- name: "4.2.6 | AUDIT | Ensure nftables loopback traffic is configured"
+  when:
+    - ubtu22cis_rule_4_2_6
+    - ubtu22cis_firewall_package == "nftables"
+  tags:
+    - level1-server
+    - level1-workstation
+    - audit
+    - rule_4.2.6
+    - nftables
+  vars:
+    warn_control_id: '4.2.6'
+  block:
+    - name: "4.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Message out warning"
+      ansible.builtin.debug:
+        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+
+    - name: "4.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Set warning count"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
+
+- name: "4.2.7 | AUDIT | Ensure nftables outbound and established connections are configured"
+  when:
+    - ubtu22cis_rule_4_2_7
+    - ubtu22cis_firewall_package == "nftables"
+  tags:
+    - level1-server
+    - level1-workstation
+    - audit
+    - rule_4.2.7
+    - nftables
+  vars:
+    warn_control_id: '4.2.7'
+  block:
+    - name: "4.2.7 | AUDIT | Ensure nftables outbound and established connections are configured | Message out warning"
+      ansible.builtin.debug:
+        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+
+    - name: "4.2.7 | AUDIT | Ensure nftables outbound and established connections are configured | Set warning count"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
+
+- name: "4.2.8 | AUDIT | Ensure nftables default deny firewall policy"
+  when:
+    - ubtu22cis_rule_4_2_8
+    - ubtu22cis_firewall_package == "nftables"
+  tags:
+    - level1-server
+    - level1-workstation
+    - audit
+    - rule_4.2.8
+    - nftables
+  vars:
+    warn_control_id: '4.2.8'
+  block:
+    - name: "4.2.8 | AUDIT | Ensure nftables default deny firewall policy | Message out warning"
+      ansible.builtin.debug:
+        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+
+    - name: "4.2.8 | AUDIT | Ensure nftables default deny firewall policy | Set warning count"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
+
+- name: "4.2.9 | AUDIT | Ensure nftables service is enabled"
+  when:
+    - ubtu22cis_rule_4_2_9
+    - ubtu22cis_firewall_package == "nftables"
+  tags:
+    - level1-server
+    - level1-workstation
+    - audit
+    - rule_4.2.9
+    - nftables
+  vars:
+    warn_control_id: '4.2.9'
+  block:
+    - name: "4.2.9 | AUDIT | Ensure nftables service is enabled | Message out warning"
+      ansible.builtin.debug:
+        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+      # ansible.builtin.service:
+      #   name: nftables
+      #   state: started
+      #   enabled: yes
+
+    - name: "4.2.9 | AUDIT | Ensure nftables service is enabled | Set warning count"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
+
+- name: "4.2.10 | AUDIT | Ensure nftables rules are permanent"
+  when:
+    - ubtu22cis_rule_4_2_10
+    - ubtu22cis_firewall_package == "nftables"
+  tags:
+    - level1-server
+    - level1-workstation
+    - audit
+    - rule_4.2.10
+    - nftables
+  vars:
+    warn_control_id: '4.2.10'
+  block:
+    - name: "4.2.10 | AUDIT | Ensure nftables rules are permanent | Message out warning"
+      ansible.builtin.debug:
+        msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables"
+
+    - name: "4.2.10 | AUDIT | Ensure nftables rules are permanent | Set warning count"
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
diff --git a/tasks/section_4/cis_4.3.1.x.yml b/tasks/section_4/cis_4.3.1.x.yml
new file mode 100644
index 00000000..434391dd
--- /dev/null
+++ b/tasks/section_4/cis_4.3.1.x.yml
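Review bot: In the 4.2.4 and 4.2.5 blocks the `| Message out warning` suffix that every other control in this file carries on the subtask `name` has been appended to the user-facing `msg` string instead, so the warning printed on the host ends with "... manually manage nftables | Message out warning". Move the suffix onto the name lines (`- name: "4.2.4 | AUDIT | Ensure a nftables table exists | Message out warning"` and the same for 4.2.5) and keep the `msg` identical to the other nine controls. 4.2.4 is also tagged `- patch` although its block, like the rest of the file, only emits a warning and imports warning_facts.yml; the tag should be `- audit` so that a `--tags patch` run does not pick up an audit-only task. Since all ten controls share the same guard, tag shape and warning text, a single task looping over the control ids would shorten the file considerably, though that is a style choice.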
@@ -0,0 +1,406 @@ +--- + +- name: "4.3.1.1 | PATCH | Ensure iptables packages are installed" + when: + - ubtu22cis_rule_4_3_1_1 + - ubtu22cis_firewall_package == "iptables" + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.1.1 + - iptables + ansible.builtin.package: + name: ['iptables', 'iptables-persistent'] + state: present + +- name: "4.3.1.2 | PATCH | Ensure nftables is not installed with iptables" + when: + - ubtu22cis_rule_4_3_1_2 + - ubtu22cis_firewall_package == "iptables" + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.1.2 + - iptables + ansible.builtin.package: + name: nftables + state: absent + purge: "{{ ubtu22cis_purge_apt }}" + +- name: "4.3.1.3 | PATCH | Ensure ufw is uninstalled or disabled with iptables" + when: + - ubtu22cis_rule_4_3_1_3 + - ubtu22cis_firewall_package == "iptables" + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.1.3 + - iptables + ansible.builtin.package: + name: ufw + state: absent + +- name: "4.3.1.1 | PATCH | Ensure iptables default deny firewall policy" + when: + - ubtu22cis_rule_4_3_1_1 + - ubtu22cis_ipv4_required + - not system_is_ec2 + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.1.1 + - iptables + block: + - name: "4.3.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: 22 + jump: ACCEPT + ctstate: 'NEW,ESTABLISHED' + notify: Iptables persistent + + - name: "4.3.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" + ansible.builtin.iptables: + chain: OUTPUT + protocol: tcp + source_port: 22 + jump: ACCEPT + ctstate: 'NEW,ESTABLISHED' + notify: Iptables persistent + + - name: "4.3.1.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" + ansible.builtin.iptables: + chain: INPUT + ctstate: 'ESTABLISHED' + jump: ACCEPT + notify: Iptables persistent + 
+ - name: "4.3.1.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items" + ansible.builtin.iptables: + policy: DROP + chain: "{{ item }}" + notify: Iptables persistent + with_items: + - INPUT + - FORWARD + - OUTPUT + +- name: "4.3.1.2 | PATCH | Ensure iptables loopback traffic is configured" + when: + - ubtu22cis_rule_4_3_1_2 + - ubtu22cis_firewall_package == "iptables" + - ubtu22cis_ipv4_required + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.1.2 + - iptables + block: + - name: "4.3.1.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" + ansible.builtin.iptables: + action: append + chain: INPUT + in_interface: lo + jump: ACCEPT + notify: Iptables persistent + + - name: "4.3.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" + ansible.builtin.iptables: + action: append + chain: OUTPUT + out_interface: lo + jump: ACCEPT + notify: Iptables persistent + + - name: "4.3.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" + ansible.builtin.iptables: + action: append + chain: INPUT + source: 127.0.0.0/8 + jump: DROP + notify: Iptables persistent + +- name: "4.3.1.3 | PATCH | Ensure iptables outbound and established connections are configured" + when: + - ubtu22cis_rule_4_3_1_3 + - ubtu22cis_firewall_package == "iptables" + - ubtu22cis_ipv4_required + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.1.3 + - iptables + ansible.builtin.iptables: + action: append + chain: '{{ item.chain }}' + protocol: '{{ item.protocol }}' + match: state + ctstate: '{{ item.ctstate }}' + jump: ACCEPT + notify: Iptables persistent + with_items: + - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } + - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } + - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } + - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } + - { chain: INPUT, protocol: 
udp, ctstate: 'ESTABLISHED' } + - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } + +- name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" + when: + - ubtu22cis_rule_4_3_1_4 + - ubtu22cis_firewall_package == "iptables" + - ubtu22cis_ipv4_required + tags: + - level1-server + - level1-workstation + - audit + - rule_4.3.1.4 + - iptables + block: + - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" + ansible.builtin.shell: ss -4tuln + changed_when: false + failed_when: false + check_mode: false + register: ubtu22cis_4_3_1_4_open_ports + + - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" + ansible.builtin.shell: iptables -L INPUT -v -n + changed_when: false + failed_when: false + check_mode: false + register: ubtu22cis_4_3_1_4_current_rules + + - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" + ansible.builtin.debug: + msg: + - "Warning!! Below is the list the open ports and current rules" + - "Please create a rule for any open port that does not have a current rule" + - "Open Ports:" + - "{{ ubtu22cis_4_3_1_4_open_ports.stdout_lines }}" + - "Current Rules:" + - "{{ ubtu22cis_4_3_1_4_current_rules.stdout_lines }}" + + - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '4.3.1.4' + +# --------------- +# --------------- +# This is not a control however using the iptables module only writes to memery +# if a reboot occurs that means changes can revert. 
This task will make the +# above iptables settings permanent +# --------------- +# --------------- +# - name: "Make IPTables persistent | Not a control" +# block: +# - name: "Make IPTables persistent | Install iptables-persistent" +# ansible.builtin.package: +# name: iptables-persistent +# state: present + +# - name: "Make IPTables persistent | Save to persistent files" +# ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" +# changed_when: ubtu22cis_iptables_save.rc == 0 +# failed_when: ubtu22cis_iptables_save.rc > 0 +# register: ubtu22cis_iptables_save +# when: +# - ubtu22cis_firewall_package == "iptables" +# - ubtu22cis_save_iptables_cis_rules +# - ubtu22cis_rule_4_3_1_1 or +# ubtu22cis_rule_4_3_1_2 or +# ubtu22cis_rule_4_3_1_3 or +# ubtu22cis_rule_4_3_1_4 + +- name: "4.3.1.1 | PATCH | Ensure ip6tables default deny firewall policy" + when: + - ubtu22cis_rule_4_3_1_1 + - ubtu22cis_ipv6_required + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.1.1 + - ip6tables + block: + - name: "4.3.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" + ansible.builtin.iptables: + chain: OUTPUT + protocol: tcp + source_port: 22 + jump: ACCEPT + ctstate: 'NEW,ESTABLISHED' + ip_version: ipv6 + notify: Ip6tables persistent + + - name: "4.3.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" + ansible.builtin.iptables: + chain: INPUT + ctstate: 'ESTABLISHED' + jump: ACCEPT + ip_version: ipv6 + notify: Ip6tables persistent + + - name: "4.3.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" + ansible.builtin.iptables: + policy: DROP + chain: "{{ item }}" + ip_version: ipv6 + notify: Ip6tables persistent + loop: + - INPUT + - FORWARD + - OUTPUT + +- name: "4.3.1.2 | PATCH | Ensure ip6tables loopback traffic is configured" + when: + - ubtu22cis_rule_4_3_1_2 + - ubtu22cis_firewall_package == "iptables" + - ubtu22cis_ipv6_required + - not 
ubtu22cis_ipv4_required + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.1.2 + - ip6tables + block: + - name: "4.3.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" + ansible.builtin.iptables: + action: append + chain: INPUT + in_interface: lo + jump: ACCEPT + ip_version: ipv6 + notify: Ip6tables persistent + + - name: "4.3.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" + ansible.builtin.iptables: + action: append + chain: OUTPUT + out_interface: lo + jump: ACCEPT + ip_version: ipv6 + notify: Ip6tables persistent + + - name: "4.3.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop" + ansible.builtin.iptables: + action: append + chain: INPUT + source: ::1 + jump: DROP + ip_version: ipv6 + notify: Ip6tables persistent + +- name: "4.3.1.3 | PATCH | Ensure ip6tables outbound and established connections are configured" + when: + - ubtu22cis_rule_4_3_1_3 + - ubtu22cis_firewall_package == "iptables" + - ubtu22cis_ipv6_required + - not ubtu22cis_ipv4_required + tags: + - level1-server + - level1-workstation + - patch + - rule_4.3.1.3 + - ip6tables + ansible.builtin.iptables: + action: append + chain: '{{ item.chain }}' + protocol: '{{ item.protocol }}' + match: state + ctstate: '{{ item.ctstate }}' + jump: ACCEPT + ip_version: ipv6 + notify: Ip6tables persistent + loop: + - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } + - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } + - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } + - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } + - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } + - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } + +- name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" + when: + - ubtu22cis_rule_4_3_1_4 + - ubtu22cis_firewall_package == "iptables" + - ubtu22cis_ipv6_required + - not 
ubtu22cis_ipv4_required + tags: + - level1-server + - level1-workstation + - audit + - rule_4.3.1.4 + - ip6tables + vars: + warn_control_id: '4.3.1.4' + block: + - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" + ansible.builtin.shell: ss -6tuln + changed_when: false + failed_when: false + check_mode: false + register: ubtu22cis_4_3_1_4_open_ports + + - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" + ansible.builtin.shell: ip6tables -L INPUT -v -n + changed_when: false + failed_when: false + check_mode: false + register: ubtu22cis_4_3_1_4_current_rules + + - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" + ansible.builtin.debug: + msg: + - "Warning!! Below is the list the open ports and current rules" + - "Please create a rule for any open port that does not have a current rule" + - "Open Ports:" + - "{{ ubtu22cis_4_3_1_4_open_ports.stdout_lines }}" + - "Current Rules:" + - "{{ ubtu22cis_4_3_1_4_current_rules.stdout_lines }}" + + - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + +# --------------- +# --------------- +# This is not a control however using the ip6tables module only writes to memery +# if a reboot occurs that means changes can revert. 
This task will make the +# above ip6tables settings permanent +# --------------- +# --------------- +# via handler +# - name: "Make IP6Tables persistent | Not a control" +# block: +# - name: "Make IP6Tables persistent | Install iptables-persistent" +# ansible.builtin.package: +# name: iptables-persistent +# state: present +# when: "'iptables-persistent' not in ansible_facts.packages" + +# - name: "Make IP6Tables persistent | Save to persistent files" +# ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" +# changed_when: ubtu22cis_ip6tables_save.rc == 0 +# failed_when: ubtu22cis_ip6tables_save.rc > 0 +# register: ubtu22cis_ip6tables_save +# when: +# - ubtu22cis_firewall_package == "iptables" +# - ubtu22cis_ipv6_required +# - not ubtu22cis_ipv4_required +# - ubtu22cis_save_iptables_cis_rules +# - ubtu22cis_rule_4_3_1_1 or +# ubtu22cis_rule_4_3_1_2 or +# ubtu22cis_rule_4_3_1_3 or +# ubtu22cis_rule_4_3_1_4 diff --git a/tasks/section_4/cis_4.3.2.x.yml b/tasks/section_4/cis_4.3.2.x.yml new file mode 100644 index 00000000..89f30d5c --- /dev/null +++ b/tasks/section_4/cis_4.3.2.x.yml 
@@ -0,0 +1,180 @@
+---
+
+- name: "4.3.2.1 | PATCH | Ensure iptables default deny firewall policy"
+ when:
+ - ubtu22cis_rule_4_3_2_1
+ - ubtu22cis_ipv4_required
+ - not system_is_ec2
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_4.3.2.1
+ - iptables
+ block:
+ - name: "4.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in"
+ ansible.builtin.iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_port: 22
+ jump: ACCEPT
+ ctstate: 'NEW,ESTABLISHED'
+ notify: Iptables persistent
+
+ - name: "4.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out"
+ ansible.builtin.iptables:
+ chain: OUTPUT
+ protocol: tcp
+ source_port: 22
+ jump: ACCEPT
+ ctstate: 'NEW,ESTABLISHED'
+ notify: Iptables persistent
+
+ - name: "4.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic"
+ ansible.builtin.iptables:
+ chain: INPUT
+ ctstate: 'ESTABLISHED'
+ jump: ACCEPT
+ notify: Iptables persistent
+
+ - name: "4.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items"
+ ansible.builtin.iptables:
+ policy: DROP
+ chain: "{{ item }}"
+ notify: Iptables persistent
+ loop:
+ - INPUT
+ - FORWARD
+ - OUTPUT
+
+- name: "4.3.2.2 | PATCH | Ensure iptables loopback traffic is configured"
+ when:
+ - ubtu22cis_rule_4_3_2_2
+ - ubtu22cis_firewall_package == "iptables"
+ - ubtu22cis_ipv4_required
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_4.3.2.2
+ - iptables
+ block:
+ - name: "4.3.2.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT"
+ ansible.builtin.iptables:
+ action: append
+ chain: INPUT
+ in_interface: lo
+ jump: ACCEPT
+ notify: Iptables persistent
+
+ - name: "4.3.2.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
+ ansible.builtin.iptables:
+ action: append
+ chain: OUTPUT
+ out_interface: lo
+ jump: ACCEPT
+ notify: Iptables persistent
+
+ - name: "4.3.2.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT"
+ ansible.builtin.iptables:
+ action: append
+ chain: INPUT
+ source: 127.0.0.0/8
+ jump: DROP
+ notify: Iptables persistent
+
+- name: "4.3.2.3 | PATCH | Ensure iptables outbound and established connections are configured"
+ when:
+ - ubtu22cis_rule_4_3_2_3
+ - ubtu22cis_firewall_package == "iptables"
+ - ubtu22cis_ipv4_required
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_4.3.2.3
+ - iptables
+ ansible.builtin.iptables:
+ action: append
+ chain: '{{ item.chain }}'
+ protocol: '{{ item.protocol }}'
+ match: state
+ ctstate: '{{ item.ctstate }}'
+ jump: ACCEPT
+ notify: Iptables persistent
+ with_items:
+ - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
+ - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
+ - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
+ - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' }
+ - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' }
+ - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' }
+
+- name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports"
+ when:
+ - ubtu22cis_rule_4_3_2_4
+ - ubtu22cis_firewall_package == "iptables"
+ - ubtu22cis_ipv4_required
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - rule_4.3.2.4
+ - iptables
+ vars:
+ warn_control_id: '4.3.2.4'
+ block:
+ - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports"
+ ansible.builtin.shell: ss -4tuln
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: ubtu22cis_4_3_1_4_open_ports
+
+ - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules"
+ ansible.builtin.shell: iptables -L INPUT -v -n
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: ubtu22cis_4_3_2_4_current_rules
+
+ - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings"
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! Below is the list the open ports and current rules"
+ - "Please create a rule for any open port that does not have a current rule"
+ - "Open Ports:"
+ - "{{ ubtu22cis_4_3_2_4_open_ports.stdout_lines }}"
+ - "Current Rules:"
+ - "{{ ubtu22cis_4_3_2_4_current_rules.stdout_lines }}"
+
+ - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count"
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+# ---------------
+# ---------------
+# This is not a control however using the iptables module only writes to memory
+# if a reboot occurs that means changes can revert. This task will make the
+# above iptables settings permanent
+# ---------------
+# ---------------
+# - name: "Make IPTables persistent | Not a control"
+# block:
+# - name: "Make IPTables persistent | Install iptables-persistent"
+# ansible.builtin.package:
+# name: iptables-persistent
+# state: present
+
+# - name: "Make IPTables persistent | Save to persistent files"
+# ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4"
+# changed_when: ubtu22cis_iptables_save.rc == 0
+# failed_when: ubtu22cis_iptables_save.rc > 0
+# register: ubtu22cis_iptables_save
+# when:
+# - ubtu22cis_firewall_package == "iptables"
+# - ubtu22cis_save_iptables_cis_rules
+# - ubtu22cis_rule_4_3_2_1 or
+# ubtu22cis_rule_4_3_2_2 or
+# ubtu22cis_rule_4_3_2_3 or
+# ubtu22cis_rule_4_3_2_4
diff --git a/tasks/section_4/cis_4.3.3.x.yml b/tasks/section_4/cis_4.3.3.x.yml
new file mode 100644
index 00000000..4078a72b
--- /dev/null
+++ b/tasks/section_4/cis_4.3.3.x.yml
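Review bot: In the 4.3.2.4 block the open-ports result is registered as `ubtu22cis_4_3_1_4_open_ports` but the debug message reads `ubtu22cis_4_3_2_4_open_ports.stdout_lines`, so the warning task fails on an undefined variable whenever 4.3.2.4 runs; the register line should be `register: ubtu22cis_4_3_2_4_open_ports`. The third task of 4.3.2.2 is named `| OUTPUT loopback ACCEPT` although it appends the `127.0.0.0/8` DROP rule on INPUT, duplicating the previous task's name in play output; `| INPUT loopback drop` matches the ip6tables counterpart. 4.3.2.1 is the only task in the file not gated on `ubtu22cis_firewall_package == "iptables"`; the main.yml hunk gates the whole import on it, but carrying the condition here keeps the file self-consistent with 4.3.2.2 to 4.3.2.4. 4.3.2.3 uses `with_items` while the rest of the file uses `loop`.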
@@ -0,0 +1,177 @@
+---
+
+- name: "4.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy"
+ when:
+ - ubtu22cis_rule_4_3_3_1
+ tags:
+ - level1-server
+ - level1-workstationå
+ - patch
+ - rule_4.3.3.1
+ - ip6tables
+ block:
+ - name: "4.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out"
+ ansible.builtin.iptables:
+ chain: OUTPUT
+ protocol: tcp
+ source_port: 22
+ jump: ACCEPT
+ ctstate: 'NEW,ESTABLISHED'
+ ip_version: ipv6
+ notify: Ip6tables persistent
+
+ - name: "4.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic"
+ ansible.builtin.iptables:
+ chain: INPUT
+ ctstate: 'ESTABLISHED'
+ jump: ACCEPT
+ ip_version: ipv6
+ notify: Ip6tables persistent
+
+ - name: "4.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items"
+ ansible.builtin.iptables:
+ policy: DROP
+ chain: "{{ item }}"
+ ip_version: ipv6
+ notify: Ip6tables persistent
+ loop:
+ - INPUT
+ - FORWARD
+ - OUTPUT
+
+- name: "4.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured"
+ when:
+ - ubtu22cis_rule_4_3_3_2
+ - not ubtu22cis_ipv4_required
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_4.3.3.2
+ - ip6tables
+ block:
+ - name: "4.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT"
+ ansible.builtin.iptables:
+ action: append
+ chain: INPUT
+ in_interface: lo
+ jump: ACCEPT
+ ip_version: ipv6
+ notify: Ip6tables persistent
+
+ - name: "4.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT"
+ ansible.builtin.iptables:
+ action: append
+ chain: OUTPUT
+ out_interface: lo
+ jump: ACCEPT
+ ip_version: ipv6
+ notify: Ip6tables persistent
+
+ - name: "4.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop"
+ ansible.builtin.iptables:
+ action: append
+ chain: INPUT
+ source: ::1
+ jump: DROP
+ ip_version: ipv6
+ notify: Ip6tables persistent
+
+- name: "4.3.3.3 | PATCH | Ensure ip6tables outbound and established connections are configured"
+ when:
+ - ubtu22cis_rule_4_3_3_3
+ - not ubtu22cis_ipv4_required
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_4.3.3.3
+ - ip6tables
+ ansible.builtin.iptables:
+ action: append
+ chain: '{{ item.chain }}'
+ protocol: '{{ item.protocol }}'
+ match: state
+ ctstate: '{{ item.ctstate }}'
+ jump: ACCEPT
+ ip_version: ipv6
+ notify: Ip6tables persistent
+ loop:
+ - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' }
+ - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' }
+ - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' }
+ - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' }
+ - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' }
+ - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' }
+
+- name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports"
+ when:
+ - ubtu22cis_rule_4_3_3_4
+ - not ubtu22cis_ipv4_required
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - rule_4.3.3.4
+ - ip6tables
+ vars:
+ warn_control_id: '4.3.3.4'
+ block:
+ - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports"
+ ansible.builtin.shell: ss -6tuln
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: ubtu22cis_4_3_3_4_open_ports
+
+ - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules"
+ ansible.builtin.shell: ip6tables -L INPUT -v -n
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: ubtu22cis_4_3_3_4_current_rules
+
+ - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings"
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! Below is the list the open ports and current rules"
+ - "Please create a rule for any open port that does not have a current rule"
+ - "Open Ports:"
+ - "{{ ubtu22cis_4_3_3_4_open_ports.stdout_lines }}"
+ - "Current Rules:"
+ - "{{ ubtu22cis_4_3_3_4_current_rules.stdout_lines }}"
+
+ - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count"
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+
+# ---------------
+# ---------------
+# This is not a control however using the ip6tables module only writes to memory
+# if a reboot occurs that means changes can revert. This task will make the
+# above ip6tables settings permanent
+# ---------------
+# ---------------
+# via handler
+# - name: "Make IP6Tables persistent | Not a control"
+# block:
+# - name: "Make IP6Tables persistent | Install iptables-persistent"
+# ansible.builtin.package:
+# name: iptables-persistent
+# state: present
+# when: "'iptables-persistent' not in ansible_facts.packages"
+
+# - name: "Make IP6Tables persistent | Save to persistent files"
+# ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
+# changed_when: ubtu22cis_ip6tables_save.rc == 0
+# failed_when: ubtu22cis_ip6tables_save.rc > 0
+# register: ubtu22cis_ip6tables_save
+# when:
+# - ubtu22cis_firewall_package == "iptables"
+# - ubtu22cis_ipv6_required
+# - not ubtu22cis_ipv4_required
+# - ubtu22cis_save_iptables_cis_rules
+# - ubtu22cis_rule_4_3_1_1 or
+# ubtu22cis_rule_4_3_1_2 or
+# ubtu22cis_rule_4_3_1_3 or
+# ubtu22cis_rule_4_3_1_4
diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml
index c56e79bc..8cf4b76b 100644
--- a/tasks/section_4/main.yml
+++ b/tasks/section_4/main.yml
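Review bot: The 4.3.3.1 tag list contains `level1-workstationå` (a stray non-ASCII character appended to the tag), so a run filtered with `--tags level1-workstation` skips the ip6tables default-deny policy while the rest of the file still applies; the entry should read `- level1-workstation`. 4.3.3.1 is also the only task here without the `not ubtu22cis_ipv4_required` condition that 4.3.3.2 to 4.3.3.4 carry, so on a dual-stack host the v6 DROP policies are set while the v6 loopback, outbound and audit tasks are skipped — presumably unintended, and worth aligning one way or the other. The commented-out persistence block at the end still references `ubtu22cis_rule_4_3_1_1` to `ubtu22cis_rule_4_3_1_4` rather than the 4_3_3_x rule variables used by this file.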
@@ -1,36 +1,28 @@ --- -- name: "SECTION | 4.1.1 | Ensure auditing is enabled" +- name: "SECTION | 4.1 | Configure UnComplicatedFirewall" + when: ubtu22cis_firewall_package == "ufw" ansible.builtin.import_tasks: - file: cis_4.1.1.x.yml + file: cis_4.1.x.yml -- name: "SECTION | 4.1.2 | Configure Data Retention" +- name: "SECTION | 4.2 | Configure nftables software" + when: ubtu22cis_firewall_package == "nftables" ansible.builtin.import_tasks: - file: cis_4.1.2.x.yml + file: cis_4.2.x.yml -- name: "SECTION | 4.1.3 | Configure auditd rules" +- name: "SECTION | 4.3.1.x | Configure iptables software" + when: ubtu22cis_firewall_package == "iptables" ansible.builtin.import_tasks: - file: cis_4.1.3.x.yml + file: cis_4.3.1.x.yml -- name: "SECTION | 4.1.4 | Configure auditd file access" +- name: "SECTION | 4.3.2.x | Configure ipv4 iptables" + when: ubtu22cis_firewall_package == "iptables" ansible.builtin.import_tasks: - file: cis_4.1.4.x.yml + file: cis_4.3.2.x.yml -- name: "SECTION | 4.2.1.1.x | Configure journald" +- name: "SECTION | 4.3.3.x | Configure ipv6 iptables" + when: + - ubtu22cis_firewall_package == "iptables" + - ubtu22cis_ipv6_required ansible.builtin.import_tasks: - file: cis_4.2.1.1.x.yml - when: ubtu22cis_syslog_service == 'journald' - -- name: "SECTION | 4.2.1.x | Configure journald" - ansible.builtin.import_tasks: - file: cis_4.2.1.x.yml - when: ubtu22cis_syslog_service == 'journald' - -- name: "SECTION | 4.2.2.x | Configure rsyslog" - ansible.builtin.import_tasks: - file: cis_4.2.2.x.yml - when: ubtu22cis_syslog_service == 'rsyslog' - -- name: "SECTION | 4.2.3 | Ensure permissions on all logfiles are configured" - ansible.builtin.import_tasks: - file: cis_4.2.3.yml + file: cis_4.3.3.x.yml diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index b8bcea4c..27e32eb1 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml 
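Review bot: The 4.3.2.x import is gated only on `ubtu22cis_firewall_package == "iptables"` while the 4.3.3.x import additionally requires `ubtu22cis_ipv6_required`; adding `- ubtu22cis_ipv4_required` to the 4.3.2.x `when` would make the two imports symmetric and document that the file is the IPv4 half. The removed imports for the 4.1.x auditd and 4.2.x journald/rsyslog task files are not replaced in this hunk; presumably they move to another section's main.yml under the v2.0 numbering, but that should be confirmed, since otherwise auditing and logging silently drop out of the role. The `when:` keys mix the scalar form and the list form within one short file; the list form used for 4.3.3.x would read consistently across all five entries.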
@@ -1,188 +1,418 @@ --- -- name: "5.1.1 | PATCH | Ensure cron daemon is enabled and running" - ansible.builtin.systemd: - name: cron - state: started - enabled: true - when: - - ubtu22cis_rule_5_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.1 - - cron - -- name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" +- name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" + when: + - ubtu22cis_rule_5_1_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.1 + - ssh ansible.builtin.file: - path: /etc/crontab - owner: root - group: root - mode: '0600' + path: /etc/ssh/sshd_config + owner: root + group: root + mode: '0600' + +- name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured" when: - - ubtu22cis_rule_5_1_2 + - ubtu22cis_rule_5_1_2 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.2 - - cron + - level1-server + - level1-workstation + - patch + - rule_5.1.2 + - ssh + block: + - name: "5.1.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find ssh_host private keys" + ansible.builtin.find: + paths: /etc/ssh + patterns: 'ssh_host_*_key' + register: ubtu22cis_5_1_2_ssh_host_priv_keys -- name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" - ansible.builtin.file: - path: /etc/cron.hourly - owner: root - group: root - mode: '0700' + - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions" + ansible.builtin.file: + path: "{{ item.path }}" + owner: root + group: root + mode: 'o-x,go-rwx' + with_items: + - "{{ ubtu22cis_5_1_2_ssh_host_priv_keys.files }}" + loop_control: + label: "{{ item.path }}" + +- name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured" when: - - ubtu22cis_rule_5_1_3 + - ubtu22cis_rule_5_1_3 tags: - - level1-server - - level1-workstation - - automated 
- - patch - - rule_5.1.3 - - cron + - level1-server + - level1-workstation + - patch + - rule_5.1.3 + - ssh + block: + - name: "5.1.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find ssh_host public keys" + ansible.builtin.find: + paths: /etc/ssh + patterns: 'ssh_host_*_key.pub' + register: ubtu22cis_5_1_3_ssh_host_pub_keys -- name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" - ansible.builtin.file: - path: /etc/cron.daily - owner: root - group: root - mode: '0700' + - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" + ansible.builtin.file: + path: "{{ item.path }}" + owner: root + group: root + mode: '0644' + with_items: + - "{{ ubtu22cis_5_1_3_ssh_host_pub_keys.files }}" + loop_control: + label: "{{ item.path }}" + +- name: "5.1.4 | PATCH | Ensure sshd access is configured" when: - - ubtu22cis_rule_5_1_4 + - ubtu22cis_rule_5_1_4 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.4 - - cron + - level1-server + - level1-workstation + - patch + - rule_5.1.4 + - ssh + block: + - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed users" + when: "ubtu22cis_sshd['allow_users']| default('') | length > 0 " + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^AllowUsers|^#AllowUsers' + line: 'AllowUsers {{ ubtu22cis_sshd.allow_users }}' + validate: 'sshd -t -f %s' + notify: Restart sshd -- name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" - ansible.builtin.file: - path: /etc/cron.weekly - owner: root - group: root - mode: '0700' + - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed groups" + when: "ubtu22cis_sshd['allow_groups']| default('') | length > 0" + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^AllowGroups|^#AllowGroups' + line: 'AllowGroups {{ ubtu22cis_sshd.allow_groups }}' + validate: 'sshd -t -f %s' + notify: 
Restart sshd + + - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny users" + when: "ubtu22cis_sshd['deny_users']| default('') | length > 0" + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^DenyUsers|^#DenyUsers' + line: 'DenyUsers {{ ubtu22cis_sshd.deny_users }} ' + validate: 'sshd -t -f %s' + notify: Restart sshd + + - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny groups" + when: "ubtu22cis_sshd['deny_groups']| default('') | length > 0" + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^DenyGroups|^#DenyGroups' + line: 'DenyGroups {{ ubtu22cis_sshd.deny_groups }}' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.5| PATCH | Ensure sshd Banner is configured" when: - - ubtu22cis_rule_5_1_5 + - ubtu22cis_rule_5_1_5 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.5 - - cron + - level1-server + - level1-workstation + - patch + - rule_5.1.5 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^Banner|^#Banner' + line: Banner /etc/issue.net + insertafter: '^# no default banner path' + validate: 'sshd -t -f %s' + notify: Restart sshd -- name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" - ansible.builtin.file: - path: /etc/cron.monthly - owner: root - group: root - mode: '0700' +- name: "5.1.6 | PATCH | Ensure only strong Ciphers are used" when: - - ubtu22cis_rule_5_1_6 + - ubtu22cis_rule_5_1_6 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.6 - - cron + - level1-server + - level1-workstation + - patch + - rule_5.1.6 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^Ciphers|^#Ciphers' + line: "Ciphers {{ ubtu22cis_sshd.ciphers | default(ubtu22cis_sshd_default_ciphers) | join(',') }}" + insertafter: '^# Ciphers and keying' + validate: 'sshd -t -f %s' + notify: Restart sshd -- name: "5.1.7 | PATCH | Ensure permissions on 
/etc/cron.d are configured" - ansible.builtin.file: - path: /etc/cron.d - owner: root - group: root - mode: '0700' +- name: "5.1.7 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured" when: - - ubtu22cis_rule_5_1_7 + - ubtu22cis_rule_5_1_7 tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.7 - - cron + - level1-server + - level1-workstation + - patch + - rule_5.1.7 + - sshd + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + validate: 'sshd -t -f %s' + with_items: + - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu22cis_sshd.client_alive_interval | default(ubtu22cis_sshd_default_client_alive_interval) }}' } + - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu22cis_sshd.client_alive_count_max | default(ubtu22cis_sshd_default_client_alive_count_max) }}' } + notify: Restart sshd -- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users" - block: - - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" - ansible.builtin.file: - path: /etc/cron.deny - state: absent - - - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check for cron.allow" - ansible.builtin.stat: - path: /etc/cron.allow - register: ubtu22cis_5_1_8_status - - - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Create cron.allow if doesn't exist" - ansible.builtin.file: - path: /etc/cron.allow - owner: root - group: root - mode: '0640' - state: touch - when: not ubtu22cis_5_1_8_status.stat.exists - - - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Update cron.allow if exists" - ansible.builtin.file: - path: /etc/cron.allow - owner: root - group: root - mode: '0640' - when: ubtu22cis_5_1_8_status.stat.exists - when: - - ubtu22cis_rule_5_1_8 - tags: - - level1-server - - 
level1-workstation - - automated - - patch - - rule_5.1.8 - - cron - -- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users" - block: - - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" - ansible.builtin.file: - path: /etc/at.deny - state: absent - - - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check for at.allow" - ansible.builtin.stat: - path: /etc/at.allow - register: ubtu22cis_5_1_9_status - - - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Create at.allow if doesn't exist" - ansible.builtin.file: - path: /etc/at.allow - owner: root - group: root - mode: '0640' - state: touch - when: not ubtu22cis_5_1_9_status.stat.exists - - - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | update at.allow if exists" - ansible.builtin.file: - path: /etc/at.allow - owner: root - group: root - mode: '0640' - when: ubtu22cis_5_1_9_status.stat.exists - when: - - ubtu22cis_rule_5_1_9 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.1.9 - - cron +- name: "5.1.8 | PATCH | Ensure sshd DisableForwarding is enabled" + when: + - ubtu22cis_rule_5_1_8 + tags: + - level2-server + - level1-workstation + - patch + - rule_5.1.8 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^DisableForwarding|^#DisableForwarding' + line: 'DisableForwarding yes' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is is disabled" + when: + - ubtu22cis_rule_5_1_9 + tags: + - level2-server + - level1-workstation + - patch + - rule_5.1.9 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^(?i)GSSAPIAuthentication|^(?i)#GSSAPIAuthentication' + line: 'GSSAPIAuthentication no' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.10 | PATCH | Ensure SSH HostbasedAuthentication is disabled" + when: + - ubtu22cis_rule_5_1_10 + tags: + - 
level1-server + - level1-workstation + - patch + - rule_5.1.10 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^HostbasedAuthentication|^#HostbasedAuthentication' + line: 'HostbasedAuthentication no' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" + when: + - ubtu22cis_rule_5_1_11 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.11 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^IgnoreRhosts|^#IgnoreRhosts' + line: 'IgnoreRhosts yes' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.12 | PATCH | Ensure only strong Key Exchange algorithms are used" + when: + - ubtu22cis_rule_5_1_12 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.12 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^KexAlgorithms|^#KexAlgorithms' + line: "KexAlgorithms {{ ubtu22cis_sshd.kex_algorithms | default(ubtu22cis_sshd_default_kex_algorithms) | join(',') }}" + insertafter: '^# Ciphers and keying' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.13 | PATCH | Ensure SSH LoginGraceTime is configured" + when: + - ubtu22cis_rule_5_1_13 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.13 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^LoginGraceTime|^#LoginGraceTime' + line: 'LoginGraceTime {{ ubtu22cis_sshd.login_grace_time | default(ubtu22cis_sshd_default_login_grace_time) }}' + insertafter: '^# Authentication' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.14 | PATCH | Ensure SSH LogLevel is configured" + when: + - ubtu22cis_rule_5_1_14 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.14 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^LogLevel|^#LogLevel' + line: 'LogLevel {{ ubtu22cis_sshd.log_level | 
default(ubtu22cis_sshd_default_log_level) }}' + insertafter: '^# Logging' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.15 | PATCH | Ensure only strong MAC algorithms are used" + when: + - ubtu22cis_rule_5_1_15 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.15 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MACs|^#MACs' + line: "MACs {{ ubtu22cis_sshd.macs | default(ubtu22cis_sshd_default_macs) | join(',') }}" + insertafter: '^# Ciphers and keying' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" + when: + - ubtu22cis_rule_5_1_16 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.16 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MaxAuthTries|^#MaxAuthTries' + line: 'MaxAuthTries {{ ubtu22cis_sshd.max_auth_tries | default(ubtu22cis_sshd_default_max_auth_tries) }}' + insertafter: '^# Authentication' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.17 | PATCH | Ensure sshd MaxSessions is configured" + when: + - ubtu22cis_rule_5_1_17 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.17 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MaxSessions|^#MaxSessions' + line: 'MaxSessions {{ ubtu22cis_sshd.max_sessions | default(ubtu22cis_sshd_default_max_sessions) }}' + insertafter: '^# Authentication' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.18 | PATCH | Ensure SSH MaxStartups is configured" + when: + - ubtu22cis_rule_5_1_18 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.18 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^MaxStartups|^#MaxStartups' + line: 'MaxStartups 10:30:60' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.19 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" + when: + - 
ubtu22cis_rule_5_1_19 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.19 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PermitEmptyPasswords|^#PermitEmptyPasswords' + line: 'PermitEmptyPasswords no' + insertafter: '# To disable tunneled clear text passwords' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.120 | PATCH | Ensure sshd PermitRootLogin is disabled" + when: + - ubtu22cis_rule_5_1_20 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.20 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PermitRootLogin|^#PermitRootLogin' + line: 'PermitRootLogin no' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.21 | PATCH | Ensure SSH PermitUserEnvironment is disabled" + when: + - ubtu22cis_rule_5_1_21 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.21 + - ssh + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^PermitUserEnvironment|^#PermitUserEnvironment' + line: 'PermitUserEnvironment no' + validate: 'sshd -t -f %s' + notify: Restart sshd + +- name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled" + when: + - ubtu22cis_rule_5_1_22 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.1.22 + - ssh + - pam + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config + regexp: '^UsePAM|^#UsePAM' + line: 'UsePAM yes' + insertafter: '^# and ChallengeResponseAuthentication' + validate: 'sshd -t -f %s' + notify: Restart sshd diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index d0b0f042..b6c57522 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml 
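Review bot: 5.1.7 is tagged `sshd` where every other task in the file uses `ssh`, so a run with `--tags ssh` skips the ClientAliveInterval/ClientAliveCountMax settings; the tag should be `- ssh`. Three task names carry typos that surface in play output and in any tooling keyed on names: `"5.1.5| PATCH ..."` (missing space), `"... GSSAPIAuthentication is is disabled"` and `"5.120 | PATCH | Ensure sshd PermitRootLogin is disabled"` (should be `5.1.20`); the 5.1.4 DenyUsers entry also has a trailing space inside `'DenyUsers {{ ubtu22cis_sshd.deny_users }} '`. Every task here edits `/etc/ssh/sshd_config` with lineinfile, but the stock 22.04 file starts with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads for a directive, so any drop-in that already sets, say, `PermitRootLogin` or `PasswordAuthentication` would take precedence over what these tasks write; a header comment in the file stating that assumption, or an audit step over the drop-in directory, would make the control verifiable. The per-task `validate: 'sshd -t -f %s'` is good but only checks syntax, not that precedence.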
@@ -1,440 +1,139 @@ --- -- name: "5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" - ansible.builtin.file: - path: /etc/ssh/sshd_config - owner: root - group: root - mode: '0600' +- name: "5.2.1 | PATCH | Ensure sudo is installed" when: - ubtu22cis_rule_5_2_1 tags: - level1-server - level1-workstation - - automated - patch - rule_5.2.1 - - ssh + - sudo + ansible.builtin.package: + name: "{{ ubtu22cis_sudo_package }}" + state: present -- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured" - block: - - name: "5.2.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find ssh_host private keys" - ansible.builtin.find: - paths: /etc/ssh - patterns: 'ssh_host_*_key' - register: ubtu22cis_5_2_2_ssh_host_priv_keys - - - name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions" - ansible.builtin.file: - path: "{{ item.path }}" - owner: root - group: root - mode: '0600' - with_items: - - "{{ ubtu22cis_5_2_2_ssh_host_priv_keys.files }}" - loop_control: - label: "{{ item.path }}" +- name: "5.2.2 | PATCH | Ensure sudo commands use pty" when: - ubtu22cis_rule_5_2_2 tags: - level1-server - level1-workstation - - automated - patch - rule_5.2.2 - - ssh - -- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured" - block: - - name: "5.2.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find ssh_host public keys" - ansible.builtin.find: - paths: /etc/ssh - patterns: 'ssh_host_*_key.pub' - register: ubtu22cis_5_2_3_ssh_host_pub_keys + - sudo + ansible.builtin.lineinfile: + path: /etc/sudoers + regexp: '^Defaults\s+use_' + line: 'Defaults use_pty' + insertafter: '^\s*Defaults' - - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" - ansible.builtin.file: - path: "{{ item.path }}" - owner: root - group: root - mode: '0644' - with_items: - - "{{ 
ubtu22cis_5_2_3_ssh_host_pub_keys.files }}" - loop_control: - label: "{{ item.path }}" +- name: "5.2.3 | PATCH | Ensure sudo log file exists" when: - ubtu22cis_rule_5_2_3 tags: - level1-server - level1-workstation - - automated - patch - rule_5.2.3 - - ssh - -- name: "5.2.4 | PATCH | Ensure SSH access is limited" - block: - - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add allowed users" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^AllowUsers|^#AllowUsers' - line: 'AllowUsers {{ ubtu22cis_sshd.allow_users }}' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: "ubtu22cis_sshd['allow_users']| default('') | length > 0 " - - - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add allowed groups" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^AllowGroups|^#AllowGroups' - line: 'AllowGroups {{ ubtu22cis_sshd.allow_groups }}' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: "ubtu22cis_sshd['allow_groups']| default('') | length > 0" - - - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add deny users" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^DenyUsers|^#DenyUsers' - line: 'DenyUsers {{ ubtu22cis_sshd.deny_users }} ' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: "ubtu22cis_sshd['deny_users']| default('') | length > 0" + - sudo + ansible.builtin.lineinfile: + path: /etc/sudoers + regexp: '^Defaults\s+logfile' + line: 'Defaults logfile="{{ ubtu22cis_sudo_logfile }}"' + insertafter: '^\s*Defaults' - - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add deny groups" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^DenyGroups|^#DenyGroups' - line: 'DenyGroups {{ ubtu22cis_sshd.deny_groups }}' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: "ubtu22cis_sshd['deny_groups']| default('') | length > 0" +- name: "5.2.4 | PATCH | Ensure users must provide password for escalation" when: - ubtu22cis_rule_5_2_4 tags: - - 
level1-server - - level1-workstation - - automated + - level2-server + - level2-workstation - patch + - sudo - rule_5.2.4 - - ssh + ansible.builtin.replace: + path: "{{ item }}" + regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' + replace: '\1PASSWD\2' + validate: '/usr/sbin/visudo -cf %s' + loop: "{{ ubtu22cis_sudoers_files.stdout_lines }}" -- name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^LogLevel|^#LogLevel' - line: 'LogLevel {{ ubtu22cis_sshd.log_level | default(ubtu22cis_sshd_default_log_level) }}' - insertafter: '^# Logging' - validate: 'sshd -t -f %s' - notify: Restart sshd +- name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" when: - ubtu22cis_rule_5_2_5 tags: - level1-server - level1-workstation - - automated - patch + - sudo - rule_5.2.5 - - ssh + ansible.builtin.replace: + path: "{{ item }}" + regexp: '^([^#].*)!authenticate(.*)' + replace: '\1authenticate\2' + validate: '/usr/sbin/visudo -cf %s' + loop: "{{ ubtu22cis_sudoers_files.stdout_lines }}" -- name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^UsePAM|^#UsePAM' - line: 'UsePAM yes' - insertafter: '^# and ChallengeResponseAuthentication' - validate: 'sshd -t -f %s' - notify: Restart sshd +- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly" when: - ubtu22cis_rule_5_2_6 tags: - level1-server - level1-workstation - - automated - patch + - sudo - rule_5.2.6 - - ssh - - pam - -- name: "5.2.7 | PATCH | Ensure SSH root login is disabled" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PermitRootLogin|^#PermitRootLogin' - line: 'PermitRootLogin no' - validate: 'sshd -t -f %s' - notify: Restart sshd + block: + - name: "5.2.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set" + 
ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + changed_when: false + failed_when: false + register: ubtu22cis_5_2_6_timeout_files + + - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" + when: ubtu22cis_5_2_6_timeout_files.stdout | length == 0 + ansible.builtin.lineinfile: + path: /etc/sudoers + regexp: '^\s*Defaults/s+timestamp_timeout=' + line: "Defaults timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" + insertafter: '^\s*Defaults' + validate: '/usr/sbin/visudo -cf %s' + + - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" + when: ubtu22cis_5_2_6_timeout_files.stdout | length > 0 + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'timestamp_timeout=(\d+)' + replace: "timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" + validate: '/usr/sbin/visudo -cf %s' + loop: "{{ ubtu22cis_5_2_6_timeout_files.stdout_lines }}" + +- name: "5.2.7 | PATCH | Ensure access to the su command is restricted" when: - ubtu22cis_rule_5_2_7 tags: - level1-server - level1-workstation - - automated - patch + - sudo - rule_5.2.7 - - ssh - -- name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^HostbasedAuthentication|^#HostbasedAuthentication' - line: 'HostbasedAuthentication no' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_8 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.8 - - ssh - -- name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PermitEmptyPasswords|^#PermitEmptyPasswords' - line: 'PermitEmptyPasswords no' - insertafter: '# To disable tunneled clear text passwords' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - 
ubtu22cis_rule_5_2_9 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.9 - - ssh - -- name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^PermitUserEnvironment|^#PermitUserEnvironment' - line: 'PermitUserEnvironment no' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_10 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.10 - - ssh - -- name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^IgnoreRhosts|^#IgnoreRhosts' - line: 'IgnoreRhosts yes' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_11 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.11 - - ssh - -- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^X11Forwarding|^#X11Forwarding' - line: 'X11Forwarding no' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_12 - tags: - - level2-server - - level1-workstation - - automated - - patch - - rule_5.2.12 - - ssh - -- name: "5.2.13 | PATCH | Ensure only strong Ciphers are used" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^Ciphers|^#Ciphers' - line: "Ciphers {{ ubtu22cis_sshd.ciphers | default(ubtu22cis_sshd_default_ciphers) | join(',') }}" - insertafter: '^# Ciphers and keying' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_13 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.13 - - ssh - -- name: "5.2.14 | PATCH | Ensure only strong MAC algorithms are used" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MACs|^#MACs' - line: "MACs {{ ubtu22cis_sshd.macs | default(ubtu22cis_sshd_default_macs) | 
join(',') }}" - insertafter: '^# Ciphers and keying' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_14 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.14 - - ssh - -- name: "5.2.15 | PATCH | Ensure only strong Key Exchange algorithms are used" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^KexAlgorithms|^#KexAlgorithms' - line: "KexAlgorithms {{ ubtu22cis_sshd.kex_algorithms | default(ubtu22cis_sshd_default_kex_algorithms) | join(',') }}" - insertafter: '^# Ciphers and keying' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_15 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.15 - - ssh - -- name: "5.2.16 | PATCH | Ensure SSH AllowTcpForwarding is disabled" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^AllowTcpForwarding|^#AllowTcpForwarding' - line: 'AllowTcpForwarding no' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_16 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_5.2.16 - - ssh - -- name: "5.2.17 | PATCH | Ensure SSH warning banner is configured" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^Banner|^#Banner' - line: Banner /etc/issue.net - insertafter: '^# no default banner path' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_17 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.17 - - ssh - -- name: "5.2.18 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MaxAuthTries|^#MaxAuthTries' - line: 'MaxAuthTries {{ ubtu22cis_sshd.max_auth_tries | default(ubtu22cis_sshd_default_max_auth_tries) }}' - insertafter: '^# Authentication' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_18 - tags: - - level1-server 
- - level1-workstation - - automated - - patch - - rule_5.2.18 - - ssh - -- name: "5.2.19 | PATCH | Ensure SSH MaxStartups is configured" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MaxStartups|^#MaxStartups' - line: 'MaxStartups 10:30:60' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_19 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.19 - - ssh - -- name: "5.2.20 | PATCH | Ensure SSH MaxSessions is set to 10 or less" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^MaxSessions|^#MaxSessions' - line: 'MaxSessions {{ ubtu22cis_sshd.max_sessions | default(ubtu22cis_sshd_default_max_sessions) }}' - insertafter: '^# Authentication' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_20 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.20 - - ssh + block: + - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists" + ansible.builtin.group: + name: "{{ ubtu22cis_sugroup }}" + state: present + register: ubtu22cis_5_2_7_sugroup -- name: "5.2.21 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: '^LoginGraceTime|^#LoginGraceTime' - line: 'LoginGraceTime {{ ubtu22cis_sshd.login_grace_time | default(ubtu22cis_sshd_default_login_grace_time) }}' - insertafter: '^# Authentication' - validate: 'sshd -t -f %s' - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_21 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.21 - - ssh + - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group" + ansible.builtin.lineinfile: + path: /etc/group + regexp: '^{{ ubtu22cis_sugroup }}(:.:.*:).*$' + line: '{{ ubtu22cis_sugroup }}\g<1>' + backrefs: true -- name: "5.2.22 | PATCH | Ensure SSH Idle Timeout Interval is 
configured" - ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - validate: 'sshd -t -f %s' - with_items: - - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu22cis_sshd.client_alive_interval | default(ubtu22cis_sshd_default_client_alive_interval) }}' } - - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu22cis_sshd.client_alive_count_max | default(ubtu22cis_sshd_default_client_alive_count_max) }}' } - notify: Restart sshd - when: - - ubtu22cis_rule_5_2_22 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.2.22 - - sshd + - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" + ansible.builtin.lineinfile: + path: /etc/pam.d/su + regexp: '^(#)?auth\s+required\s+pam_wheel\.so' + line: 'auth required pam_wheel.so use_uid group={{ ubtu22cis_sugroup }}' diff --git a/tasks/section_5/cis_5.3.1.x.yml b/tasks/section_5/cis_5.3.1.x.yml new file mode 100644 index 00000000..44d6a479 --- /dev/null +++ b/tasks/section_5/cis_5.3.1.x.yml 
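Review bot: The 5.2.2 (`use_pty`) and 5.2.3 (`logfile`) lineinfile tasks write to /etc/sudoers without `validate`, while 5.2.4–5.2.6 in the same file use `validate: '/usr/sbin/visudo -cf %s'`; a malformed line (for example an unexpected value in `ubtu22cis_sudo_logfile`) would be committed unchecked, and sudo refuses to run on a syntax error, locking every operator out of escalation. Add `validate: '/usr/sbin/visudo -cf %s'` to both tasks. Separately, the 5.2.4 regexp `'^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'` places Jinja inside a character class, so on EC2 it renders as `[^#|ec2-user]` and skips any line whose first character is `e`, `c`, `2`, `-`, `u`, `s` or `r` (e.g. `root ALL=(ALL) NOPASSWD: ALL`) instead of excluding only the ec2-user entry; a negative lookahead such as `'^(?!#){% if system_is_ec2 %}(?!ec2-user\b){% endif %}(.*)NOPASSWD(.*)'` expresses the intent. The 5.2.6 lineinfile regexp `'^\s*Defaults/s+timestamp_timeout='` has `/s+` where `\s+` was meant, so it can never match an existing `Defaults timestamp_timeout=` line.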
@@ -0,0 +1,45 @@ +--- + +- name: "5.3.1.1 | PATCH | Ensure latest version of pam is installed" + when: + - ubtu22cis_rule_5_3_1_1 + - ansible_facts.packages['libpam-runtime'][0]['version'] is version('1.5.2-6', '<=') or + "'libpam-runtime' not in ansible_facts.packages" + tags: + - level1-server + - level1-workstation + - patch + - pam + - rule_5.3.1.1 + ansible.builtin.package: + name: libpam-runtime + state: latest + +- name: "5.3.1.2 | PATCH | Ensure libpam-modules is installed" + when: + - ubtu22cis_rule_5_3_1_2 + - ansible_facts.packages['libpam-modules'][0]['version'] is version('1.5.2-6', '<=') or + "'libpam-modules' not in ansible_facts.packages" + tags: + - level1-server + - level1-workstation + - patch + - pam + - rule_5.3.1.2 + ansible.builtin.package: + name: libpam-modules + state: latest + +- name: "5.3.1.3 | PATCH | Ensure libpam-pwquality is installed" + when: + - ubtu22cis_rule_5_3_1_3 + - "'libpam-pwquality' not in ansible_facts.packages" + tags: + - level1-server + - level1-workstation + - patch + - pam + - rule_5.3.1.3 + ansible.builtin.package: + name: libpam-pwquality + state: latest diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml new file mode 100644 index 00000000..e3a2f072 --- /dev/null +++ b/tasks/section_5/cis_5.3.2.x.yml 
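Review bot: The second `when` item in 5.3.1.1 and 5.3.1.2 ends with `or "'libpam-runtime' not in ansible_facts.packages"`, a double-quoted string literal inside the Jinja expression that is always truthy, so the version comparison never decides anything and `state: latest` runs on every play; worse, when the package really is absent the left operand `ansible_facts.packages['libpam-runtime'][0]['version']` raises before the `or` is reached. Put the membership test first and keep the whole thing as one expression: `- "'libpam-runtime' not in ansible_facts.packages or ansible_facts.packages['libpam-runtime'][0]['version'] is version('1.5.2-6', '<=')"`, and likewise for libpam-modules. A short comment saying where `1.5.2-6` comes from (benchmark revision or advisory) would help the next maintainer know when the pin should move.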
@@ -0,0 +1,88 @@ +--- + +- name: "5.3.2.1 | PATCH | Ensure pam_unix module is enabled" + when: + - ubtu22cis_rule_5_3_2_1 + - ubtu22cis_disruption_high + - ubtu22cis_pam_auth_unix + - ubtu22cis_pam_create_pamunix_file + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.2.1 + - pam_auth_update + - pam_unix + ansible.builtin.template: + src: "{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}.j2" + dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" + owner: root + group: root + mode: '0600' + notify: pam_auth_update_pwunix + +- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled" + when: + - ubtu22cis_rule_5_3_2_2 + - ubtu22cis_disruption_high + - ubtu22cis_pam_auth_faillock + - ubtu22cis_pam_create_faillock_files + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.2.2 + - pam_auth_update + - pam_faillock + ansible.builtin.template: + src: "{{ ubtu22cis_pam_confd_dir }}{{ item }}.j2" + dest: "/{ ubtu22cis_pam_confd_dir }}{{ item }}" + owner: root + group: root + mode: '0600' + loop: + - "{{ ubtu22cis_pam_faillock_file }}" + - "{{ ubtu22cis_pam_faillock_notify_file }}" + notify: + - pam_auth_update_pwfaillock + - pam_auth_update_pwfaillock_notify + +- name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled" + when: + - ubtu22cis_rule_5_3_2_3 + - ubtu22cis_disruption_high + - ubtu22cis_pam_create_pwquality_files + - pam_quality + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.2.3 + - pam_auth_update + ansible.builtin.template: + src: "{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwquality_file }}.j2" + dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwquality_file }}" + owner: root + group: root + mode: '0600' + notify: pam_auth_update_pwquality + +- name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled" + when: + - ubtu22cis_rule_5_3_2_4 + - ubtu22cis_disruption_high + - ubtu22cis_pam_create_pwhistory_files + - pam_history + tags: + - 
level1-server + - level1-workstation + - patch + - rule_5.3.2.4 + - pam_auth_update + ansible.builtin.template: + src: "{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}.j2" + dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" + owner: root + group: root + mode: '0600' + notify: pam_auth_update_pwhistory diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml new file mode 100644 index 00000000..7af4acb1 --- /dev/null +++ b/tasks/section_5/cis_5.3.3.1.x.yml 
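Review bot: In 5.3.2.2 the `dest` is `"/{ ubtu22cis_pam_confd_dir }}{{ item }}"` with a missing opening brace, so the faillock templates are written to a literal `/{ ubtu22cis_pam_confd_dir }}/...` path and never land in the pam-configs directory that the `pam_auth_update_pwfaillock*` handlers act on; change it to `dest: "/{{ ubtu22cis_pam_confd_dir }}{{ item }}"` to match 5.3.2.1, 5.3.2.3 and 5.3.2.4. The 5.3.2.3 and 5.3.2.4 `when` lists also end with bare `- pam_quality` and `- pam_history`, which read as variable names rather than the `ubtu22cis_pam_auth_*` toggles used by the sibling tasks; if they are not defined in defaults both tasks fail with an undefined-variable error, so they presumably should be `ubtu22cis_pam_auth_pwquality`-style flags or be removed.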
@@ -0,0 +1,103 @@ +--- + +- name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured" + when: + - ubtu22cis_rule_5_3_3_1_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.1.1 + - pam + block: + - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | configure faillock.conf" + ansible.builtin.lineinfile: + path: /etc/security/faillock.conf + regexp: '^deny' + line: "deny = {{ ubtu22cis_faillock_deny }}" + insertafter: '^# end of pam-auth-update config' + create: true + + # - name: "5.3.3.1.1 | AUDIT | Ensure password failed attempts lockout is configured | discover pam config with deny" + # ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?deny\b' /usr/share/pam-configs/* + # register: ubtu22cis_faillock_deny_files + # changed_when: false + # failed_when: ubtu22cis_faillock_deny_files.rc not in [ 0, 1 ] + + - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files" + when: ubtu22cis_faillock_deny_files.stdout | length > 0 + ansible.builtin.replace: + path: "{{ item }}" + regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)' + replace: \1\2 + with_fileglob: + - '/usr/share/pam-configs/*' + - '/etc/pam.d/*' + +- name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured" + when: + - ubtu22cis_rule_5_3_3_1_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.1.2 + - pam + block: + - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | configure faillock.conf" + ansible.builtin.lineinfile: + path: /etc/security/faillock.conf + regexp: '^unlock_time' + line: "unlock_time = {{ ubtu22cis_faillock_unlock_time }}" + insertafter: '^# end of pam-auth-update config' + create: true + + # - name: "5.3.3.1.2 | AUDIT | Ensure password unlock time is configured | discover pam config with unlock_time" + # ansible.builtin.shell: grep -Pl -- 
'\bpam_faillock\.so\h+([^#\n\r]+\h+)?unlock_time\b' /usr/share/pam-configs/* + # register: ubtu22cis_faillock_unlock_files + # changed_when: false + # failed_when: ubtu22cis_faillock_unlock_files.rc not in [ 0, 1 ] + + - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files" + when: ubtu22cis_faillock_unlock_files.stdout | length > 0 + ansible.builtin.replace: + path: "{{ item }}" + regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)' + replace: \1\2 + with_fileglob: + - '/usr/share/pam-configs/*' + - '/etc/pam.d/*' + +- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account" + when: + - ubtu22cis_rule_5_3_3_1_3 + tags: + - level2-server + - level2-workstation + - patch + - rule_5.3.3.1.3 + - pam + block: + - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | configure faillock.conf" + ansible.builtin.lineinfile: + path: /etc/security/faillock.conf + regexp: '^{{ ubtu22cis_pamroot_lock_option }}' + line: "{{ ubtu22cis_pamroot_lock_string }}" + insertafter: '^# end of pam-auth-update config' + create: true + + # - name: "5.3.3.1.3 | AUDIT | Ensure password failed attempts lockout includes root account | discover pam config with unlock_time" + # ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)' /usr/share/pam-configs/* + # register: ubtu22cis_faillock_root_files + # changed_when: false + # failed_when: ubtu22cis_faillock_rootlock_files.rc not in [ 0, 1 ] + + - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files" + when: ubtu22cis_faillock_root_files.stdout | length > 0 + ansible.builtin.replace: + path: "{{ item }}" + regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)' + replace: \1\3 + 
with_fileglob: + - '/usr/share/pam-configs/*' + - '/etc/pam.d/*' diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml new file mode 100644 index 00000000..ba315f6b --- /dev/null +++ b/tasks/section_5/cis_5.3.3.2.x.yml 
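Review bot: The three AUDIT tasks that register `ubtu22cis_faillock_deny_files`, `ubtu22cis_faillock_unlock_files` and `ubtu22cis_faillock_root_files` are commented out, but the PATCH tasks that follow still gate on `ubtu22cis_faillock_deny_files.stdout | length > 0` (and the other two), so each block fails on an undefined variable. Either restore the grep tasks (noting the 5.3.3.1.3 one registers `ubtu22cis_faillock_root_files` while its `failed_when` reads `ubtu22cis_faillock_rootlock_files`) or drop the `when` and let `replace` be a no-op when nothing matches. The replace regexps are also broken: `'(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)'` opens a group with `*` ("nothing to repeat" in Python `re`), and the unlock variant `unlock_time\s*=\s*\b(.*)` has no `\d+`, so it strips `unlock_time=` but leaves the number behind as a stray token. Use `'(.*pam_faillock\.so\s*)deny\s*=\s*\d+\b(.*)'` and `'(.*pam_faillock\.so\s*)unlock_time\s*=\s*\d+\b(.*)'` respectively, and the same `(.*pam_faillock\.so\s*)` prefix for the root-lock pattern.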
@@ -0,0 +1,242 @@ +--- + +- name: "Ensure conf.d directory exists required for 5.3.3.2.x" + when: + - ubtu22cis_rule_5_3_3_2_1 or + ubtu22cis_rule_5_3_3_2_2 or + ubtu22cis_rule_5_3_3_2_3 or + ubtu22cis_rule_5_3_3_2_4 or + ubtu22cis_rule_5_3_3_2_5 or + ubtu22cis_rule_5_3_3_2_6 + ansible.builtin.file: + path: '/etc/security/pwquality.conf.d' + state: directory + owner: root + group: root + mode: '0750' + +- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured" + when: + - ubtu22cis_rule_5_3_3_2_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.2.1 + - pam + block: + - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file" + when: + - item != ubtu22cis_passwd_difok_file + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'difok\s*=\s*\d+\b' + replace: '' + with_fileglob: + - '/etc/security/pwquality.conf' + - '/etc/security/pwquality.conf.d/*.conf' + - '/etc/pam.d/common-password' + + - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists" + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_difok_file }}.j2" + dest: "/{{ ubtu22cis_passwd_difok_file }}" + owner: root + group: root + mode: '0600' + +- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured" + when: + - ubtu22cis_rule_5_3_3_2_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.2.2 + - pam + block: + - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file" + when: + - item != ubtu22cis_passwd_minlen_file + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'difok\s*=\s*\d+\b' + replace: '' + with_fileglob: + - '/etc/security/pwquality.conf' + - '/etc/security/pwquality.conf.d/*.conf' + - '/etc/pam.d/common-password' + + - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is 
configured | Ensure minlen file exists" + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_minlen_file }}.j2" + dest: "/{{ ubtu22cis_passwd_minlen_file }}" + owner: root + group: root + mode: '0600' + +- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured" + when: + - ubtu22cis_rule_5_3_3_2_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.2.3 + - pam + block: + - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file" + when: + - item != ubtu22cis_passwd_complex_file + ansible.builtin.replace: + path: "{{ item }}" + regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b' + replace: '' + with_fileglob: + - '/etc/security/pwquality.conf' + - '/etc/security/pwquality.conf.d/*.conf' + - '/etc/pam.d/common-password' + + - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists" + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_complex_file }}.j2" + dest: "/{{ ubtu22cis_passwd_complex_file }}" + owner: root + group: root + mode: '0600' + +- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured" + when: + - ubtu22cis_rule_5_3_3_2_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.2.4 + - pam + block: + - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file" + when: + - item != ubtu22cis_passwd_maxrepeat_file + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'maxrepeat\s*=\s*\d+\b' + replace: '' + with_fileglob: + - '/etc/security/pwquality.conf' + - '/etc/security/pwquality.conf.d/*.conf' + - '/etc/pam.d/common-password' + + - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists" + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_maxrepeat_file }}.j2" + dest: "/{{ 
ubtu22cis_passwd_maxrepeat_file }}" + owner: root + group: root + mode: '0600' + +- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured" + when: + - ubtu22cis_rule_5_3_3_2_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.2.5 + - pam + block: + - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file" + when: + - item != ubtu22cis_passwd_maxsequence_file + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'maxsequence\s*=\s*\d+\b' + replace: '' + with_fileglob: + - '/etc/security/pwquality.conf' + - '/etc/security/pwquality.conf.d/*.conf' + - '/etc/pam.d/common-password' + + - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists" + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_maxsequence_file }}.j2" + dest: "/{{ ubtu22cis_passwd_maxsequence_file }}" + owner: root + group: root + mode: '0600' + +- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled" + when: + - ubtu22cis_rule_5_3_3_2_6 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.2.6 + - pam + block: + - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file" + when: + - item != ubtu22cis_passwd_dictcheck_file + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'dictcheck\s*=\s*\d+\b' + replace: '' + with_fileglob: + - '/etc/security/pwquality.conf' + - '/etc/security/pwquality.conf.d/*.conf' + - '/etc/pam.d/common-password' + + - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists" + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_dictcheck_file }}.j2" + dest: "/{{ ubtu22cis_passwd_dictcheck_file }}" + owner: root + group: root + mode: '0600' + +- name: "5.3.3.2.7 | PATCH | Ensure 
password quality checking is enforced" + when: + - ubtu22cis_rule_5_3_3_2_7 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.2.7 + - pam + block: + - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Remove quality enforcement settings from conf files except expected file" + when: + - item != ubtu22cis_passwd_quality_enforce_file + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'enforcing\s*=\s*\d+\b' + replace: '' + with_fileglob: + - '/etc/security/pwquality.conf' + - '/etc/security/pwquality.conf.d/*.conf' + - '/etc/pam.d/common-password' + + - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Ensure quality enforcement file exists" + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_quality_enforce_file }}.j2" + dest: "/{{ ubtu22cis_passwd_quality_enforce_file }}" + owner: root + group: root + mode: '0600' + +- name: "5.3.3.2.8 | PATCH | Ensure password quality is enforced for the root user" + when: + - ubtu22cis_rule_5_3_3_2_8 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.2.8 + - pam + ansible.builtin.template: + src: "{{ ubtu22cis_passwd_quality_enforce_root_file }}.j2" + dest: "/{{ ubtu22cis_passwd_quality_enforce_root_file }}" + owner: root + group: root + mode: '0600' diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml new file mode 100644 index 00000000..20e609e3 --- /dev/null +++ b/tasks/section_5/cis_5.3.3.3.x.yml 
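Review bot: The 5.3.3.2.2 "Remove minlen" task uses `regexp: 'difok\s*=\s*\d+\b'`, copied from 5.3.3.2.1, so stale `minlen` settings in pwquality.conf, pwquality.conf.d or common-password are never stripped and can still override the templated value; change it to `regexp: 'minlen\s*=\s*\d+\b'`. In 5.3.3.2.3 the value group `(-\d|\d+)` accepts only a single negative digit, so `dcredit = -10` would be left as a dangling `0`; `(-?\d+)` covers both signs. Also, `with_fileglob` yields absolute paths while `ubtu22cis_passwd_*_file` appears to be used without a leading slash (`dest: "/{{ ... }}"`), so `item != ubtu22cis_passwd_difok_file` is presumably always true and the expected file is stripped before the template rewrites it — harmless today, but comparing against `'/' ~ ubtu22cis_passwd_difok_file` would make the exclusion actually work.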
@@ -0,0 +1,79 @@ +--- + +- name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured" + when: + - ubtu22cis_rule_5_3_3_3_1 + - ubtu22cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.3.1 + - pam + block: + - name: "5.3.3.3.1 | AUDIT | Ensure password history remember is configured | Check existing files" + ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?remember=\d+\b' /etc/pam.d/common-password + register: ubtu22_pwhistory_remember + changed_when: false + failed_when: ubtu22_pwhistory_remember.rc not in [0, 1] + + - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set" + when: ubtu22_pwhistory_remember.stdout | length > 0 + ansible.builtin.lineinfile: + path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" + regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(remember=\d+) + line: '\1\2\3 remember={{ ubtu22cis_pamd_pwhistory_remember }}' + backrefs: true + notify: pam_auth_update_pwhistory + +- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user" + when: + - ubtu22cis_rule_5_3_3_3_2 + - ubtu22cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.3.2 + - pam + block: + - name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files" + ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/common-password + register: ubtu22_pwhistory_enforce_for_root + changed_when: false + failed_when: ubtu22_pwhistory_enforce_for_root.rc not in [0, 1] + + - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure remember is set" + when: ubtu22_pwhistory_enforce_for_root.stdout | length > 0 + ansible.builtin.lineinfile: + path: "/{{ ubtu22cis_pam_confd_dir }}{{ 
ubtu22cis_pam_pwhistory_file }}" + regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(enforce_for_root) + line: '\1\2\3 enforce_for_root' + backrefs: true + notify: pam_auth_update_pwhistory + +- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok" + when: + - ubtu22cis_rule_5_3_3_3_3 + - ubtu22cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.3.2 + - pam + block: + - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files" + ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password + register: ubtu22_pwhistory_use_authtok + changed_when: false + failed_when: ubtu22_pwhistory_use_authtok.rc not in [0, 1] + + - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure remember is set" + when: ubtu22_pwhistory_use_authtok.stdout | length > 0 + ansible.builtin.lineinfile: + path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" + regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok) + line: '\1\2\3 use_authtok' + backrefs: true + notify: pam_auth_update_pwhistory diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml new file mode 100644 index 00000000..17effce5 --- /dev/null +++ b/tasks/section_5/cis_5.3.3.4.x.yml 
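Review bot: All three PATCH tasks in this file are gated the wrong way round: they run only when the audit grep already found the option on the pam_pwhistory line (`when: …stdout | length > 0`), and their `line:` keeps capture group `\3` and appends the option again, so a compliant `remember=N` line becomes `remember=N remember={{ … }}` (likewise a duplicated `enforce_for_root` / `use_authtok`) while a line that lacks the option is never touched. For 5.3.3.3.1 the existing-value case should drop `\3`, `line: '\1\2remember={{ ubtu22cis_pamd_pwhistory_remember }}'`, and the absent case needs a match that does not require `remember=` to be present; the other two tasks should run when their audit stdout is empty and append to a regex that matches the module line without the option. Separately, every `lineinfile` `regexp` here uses `\h`, which is a PCRE class; `ansible.builtin.lineinfile` compiles its pattern with Python's `re`, which rejects `\h` as a bad escape, so these tasks would error out rather than silently no-op — `\s` or `[ \t]` is the portable form (the `grep -P` audits are unaffected). The 5.3.3.3.3 task is tagged `rule_5.3.3.2` instead of `rule_5.3.3.3`, and the 5.3.3.3.1 patch task is named "Ensure password number of changed characters is configured".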
@@ -0,0 +1,100 @@ +--- + +- name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok" + when: + - ubtu22cis_rule_5_3_3_4_1 + - ubtu22cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - rule_5.3.3.4.1 + - pam + block: + - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | capture state" + ansible.builtin.shell: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} | grep -P -- '\bnullok\b' + changed_when: false + failed_when: ubtu22cis_pam_nullok.rc not in [ 0, 1 ] + register: ubtu22cis_pam_nullok + + - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Ensure nullok removed" + when: ubtu22cis_pam_nullok.stdout | length > 0 + ansible.builtin.replace: + path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" + regexp: nullok + replace: '' + notify: pam_auth_update_pwunix + +- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember" + when: + - ubtu22cis_rule_5_3_3_4_2 + tags: + - level1-server + - level1-workstation + - patch + - pam + - rule_5.3.3.4.2 + block: + - name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state" + ansible.builtin.shell: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} | grep -Pv -- '\bremember=\d\b' + changed_when: false + failed_when: ubtu22cis_pam_remember.rc not in [ 0, 1 ] + register: ubtu22cis_pam_remember + + - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Ensure remember removed" + when: ubtu22cis_pam_remember.stdout | length > 0 + ansible.builtin.replace: + path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" + regexp: remember=\d+ + replace: '' + notify: pam_auth_update_pwunix + +- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm" + when: + - ubtu22cis_rule_5_3_3_4_3 + tags: + - 
level1-server + - level1-workstation + - patch + - pam + - rule_5.3.3.4.3 + block: + - name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state" + ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?("{{ ubtu22cis_passwd_hash_algo }}")\b' /etc/pam.d/common-password + changed_when: false + failed_when: ubtu22cis_pam_pwhash.rc not in [ 0, 1 ] + register: ubtu22cis_pam_pwhash + + - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Ensure hash algorithm set" + when: ubtu22cis_pam_remember.stdout | length > 0 + ansible.builtin.replace: + path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" + regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)" + replace: '{{ ubtu22cis_passwd_hash_algo }}' + notify: pam_auth_update_pwunix + +- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok" + when: + - ubtu22cis_rule_5_3_3_4_4 + tags: + - level1-server + - level1-workstation + - patch + - pam + - rule_5.3.3.4.4 + block: + - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state" + ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password + changed_when: false + failed_when: ubtu22cis_pam_authtok.rc not in [ 0, 1 ] + register: ubtu22cis_pam_authtok + + - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | pam_files" + when: + - ubtu22cis_pam_authtok is defined + - ubtu22cis_pam_authtok | length > 0 + ansible.builtin.lineinfile: + path: "/etc/pam.d/{{ item }}-auth" + regexp: ^(\s*password\s+[success=end.*]\s+pam_unix\.so)(.*)\s+use_authtok\s*=\s*\S+(.*$) + line: \1\2\3 use_authtok + backrefs: true diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml deleted file mode 100644 index bd495b19..00000000 --- a/tasks/section_5/cis_5.3.x.yml +++ /dev/null 
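Review bot: In 5.3.3.4.3 the patch task is gated on `ubtu22cis_pam_remember.stdout` — the register from 5.3.3.4.2 — rather than on `ubtu22cis_pam_pwhash`, so it is undefined when rule 5.3.3.4.2 is disabled and otherwise unrelated to whether the hash algorithm is set; since the audit greps for the desired algorithm, the replace should run on a miss, `when: ubtu22cis_pam_pwhash.stdout | length == 0`, and because the `replace` regex only rewrites an existing algorithm token, a pam_unix line with no algorithm argument is never fixed. 5.3.3.4.4 looks unfinished: `when: ubtu22cis_pam_authtok | length > 0` tests the register dict (always non-empty), `path: "/etc/pam.d/{{ item }}-auth"` references `item` with no loop, `[success=end.*]` is a character class rather than a control group, and the `line:` appends `use_authtok` to a line that by the regex already has it. The capture tasks in 5.3.3.4.1/2 rely on `common-{password,auth,…}` brace expansion, but `ansible.builtin.shell` runs `/bin/sh` unless `executable` is set, which on Ubuntu is typically dash and does not expand braces, so grep gets a literal filename, exits 2 and trips `failed_when`; listing the five files explicitly avoids that.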
@@ -1,142 +0,0 @@ ---- - -- name: "5.3.1 | PATCH | Ensure sudo is installed" - ansible.builtin.package: - name: "{{ ubtu22cis_sudo_package }}" - state: present - when: - - ubtu22cis_rule_5_3_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.1 - - sudo - -- name: "5.3.2 | PATCH | Ensure sudo commands use pty" - ansible.builtin.lineinfile: - path: /etc/sudoers - regexp: '^Defaults\s+use_' - line: 'Defaults use_pty' - insertafter: '^\s*Defaults' - when: - - ubtu22cis_rule_5_3_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.2 - - sudo - -- name: "5.3.3 | PATCH | Ensure sudo log file exists" - ansible.builtin.lineinfile: - path: /etc/sudoers - regexp: '^Defaults\s+logfile' - line: 'Defaults logfile="{{ ubtu22cis_sudo_logfile }}"' - insertafter: '^\s*Defaults' - when: - - ubtu22cis_rule_5_3_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.3.3 - - sudo - -- name: "5.3.4 | PATCH | Ensure users must provide password for escalation" - ansible.builtin.replace: - path: "{{ item }}" - regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' - replace: '\1PASSWD\2' - validate: '/usr/sbin/visudo -cf %s' - loop: "{{ ubtu22cis_sudoers_files.stdout_lines }}" - when: - - ubtu22cis_rule_5_3_4 - tags: - - level2-server - - level2-workstation - - patch - - sudo - - rule_5.3.4 - -- name: "5.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" - ansible.builtin.replace: - path: "{{ item }}" - regexp: '^([^#].*)!authenticate(.*)' - replace: '\1authenticate\2' - validate: '/usr/sbin/visudo -cf %s' - loop: "{{ ubtu22cis_sudoers_files.stdout_lines }}" - when: - - ubtu22cis_rule_5_3_5 - tags: - - level1-server - - level1-workstation - - patch - - sudo - - rule_5.3.5 - -- name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly" - block: - - name: "5.3.6 | AUDIT | Ensure sudo authentication timeout is 
configured correctly | Get files with timeout set" - ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort - changed_when: false - failed_when: false - register: ubtu22cis_5_3_6_timeout_files - - - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" - ansible.builtin.lineinfile: - path: /etc/sudoers - regexp: '^\s*Defaults/s+timestamp_timeout=' - line: "Defaults timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" - insertafter: '^\s*Defaults' - validate: '/usr/sbin/visudo -cf %s' - when: ubtu22cis_5_3_6_timeout_files.stdout | length == 0 - - - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" - ansible.builtin.replace: - path: "{{ item }}" - regexp: 'timestamp_timeout=(\d+)' - replace: "timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" - validate: '/usr/sbin/visudo -cf %s' - loop: "{{ ubtu22cis_5_3_6_timeout_files.stdout_lines }}" - when: ubtu22cis_5_3_6_timeout_files.stdout | length > 0 - when: - - ubtu22cis_rule_5_3_6 - tags: - - level1-server - - level1-workstation - - patch - - sudo - - rule_5.3.6 - -- name: "5.3.7 | PATCH | Ensure access to the su command is restricted" - block: - - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists" - ansible.builtin.group: - name: "{{ ubtu22cis_sugroup }}" - state: present - register: ubtu22cis_5_3_7_sugroup - - - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group" - ansible.builtin.lineinfile: - path: /etc/group - regexp: '^{{ ubtu22cis_sugroup }}(:.:.*:).*$' - line: '{{ ubtu22cis_sugroup }}\g<1>' - backrefs: true - - - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" - ansible.builtin.lineinfile: - path: /etc/pam.d/su - regexp: '^(#)?auth\s+required\s+pam_wheel\.so' - line: 'auth required pam_wheel.so 
use_uid group={{ ubtu22cis_sugroup }}' - when: - - ubtu22cis_rule_5_3_7 - tags: - - level1-server - - level1-workstation - - patch - - sudo - - rule_5.3.7 diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml new file mode 100644 index 00000000..5b6c57ec --- /dev/null +++ b/tasks/section_5/cis_5.4.1.x.yml 
@@ -0,0 +1,198 @@ +--- + +- name: "5.4.1.1 | PATCH | Ensure password expiration is configured" + when: + - ubtu22cis_rule_5_4_1_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.4.1.1 + - user + - login + block: + - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set /etc/login.defs PASS_MAX_DAYS" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS' + line: 'PASS_MAX_DAYS {{ ubtu22cis_pass.max_days }}' + insertafter: '# Password aging controls' + + - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Get existing users PASS_MAX_DAYS" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu22cis_pass.max_days }} || $5<{{ ubtu22cis_pass.min_days }} || $5 == -1)){print $1}' /etc/shadow" + changed_when: false + failed_when: false + register: ubtu22cis_max_days + + - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS" + when: + - ubtu22cis_disruption_high + - (item != 'root') or (not ubtu22cis_uses_root) + ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass.max_days }} {{ item }} + failed_when: false + changed_when: ubtu22cis_max_days.stdout | length > 0 + loop: "{{ ubtu22cis_max_days.stdout_lines }}" + +- name: "5.4.1.2 | PATCH | Ensure minimum password age is configured" + when: + - ubtu22cis_rule_5_4_1_2 + tags: + - level2-server + - level2-workstation + - patch + - rule_5.4.1.2 + - user + - login + block: + - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Set /etc/login.defs PASS_MIN_DAYS" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS' + line: 'PASS_MIN_DAYS {{ ubtu22cis_pass.min_days }}' + + - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Get existing users PASS_MIN_DAYS" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu22cis_pass.min_days }})) {print $1}' /etc/shadow" + changed_when: false + 
failed_when: false + register: ubtu22cis_5_4_1_1_min_days + + - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Set existing users PASS_MIN_DAYS" + ansible.builtin.shell: chage --mindays {{ ubtu22cis_pass.min_days }} {{ item }} + failed_when: false + changed_when: ubtu22cis_min_days.stdout |length > 0 + loop: "{{ ubtu22cis_min_days.stdout_lines }}" + when: + - ubtu22cis_disruption_high + - (item != 'root') or (not ubtu22cis_uses_root) + +- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured" + when: + - ubtu22cis_rule_5_4_1_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.4.1.3 + - user + - login + block: + - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set /etc/login.defs PASS_WARN_AGE" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE' + line: 'PASS_WARN_AGE {{ ubtu22cis_pass.warn_age }}' + + - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Get existing users PASS_WARN_AGE" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu22cis_pass.warn_age }}){print $1}' /etc/shadow" + changed_when: false + failed_when: false + register: ubtu22cis_warn_days + + - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users PASS_WARN_AGE" + when: + - ubtu22cis_disruption_high + - (item != 'root') or (not ubtu22cis_uses_root) + ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass.warn_age }} {{ item }} + failed_when: false + changed_when: ubtu22cis_warn_days.stdout | length > 0 + loop: "{{ ubtu22cis_warn_days.stdout_lines }}" + +- name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured" + when: + - ubtu22cis_rule_5_4_1_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.4.1.4 + - pam + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^ENCRYPT_METHOD' + line: 'ENCRYPT_METHOD {{ 
ubtu22cis_passwd_hash_algo | upper }}' + +- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured" + when: + - ubtu22cis_rule_5_4_1_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.4.1.5 + - user + - login + block: + - name: "5.4.1.4 | AUDIT | Ensure inactive password lock is configured | General setting" + ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2 + changed_when: false + failed_when: false + register: ubtu22cis_inactive_setting + + - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users" + ansible.builtin.shell: useradd -D -f {{ ubtu22cis_pass.inactive }} + failed_when: false + when: ubtu22cis_inactive_setting.stdout != ubtu22cis_pass.inactive | string + + - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | Get Individual users" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu22cis_pass.inactive }}))) {print $1}' /etc/shadow" + changed_when: false + failed_when: false + register: ubtu22cis_inactive_users + + - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set inactive period for existing users" + when: + - ubtu22cis_disruption_high + - ubtu22cis_inactive_users.stdout | length > 0 + - (item != 'root') and (not ubtu22cis_uses_root) + ansible.builtin.shell: chage --inactive {{ ubtu22cis_pass.inactive }} {{ item }} + failed_when: false + with_items: + - "{{ ubtu22cis_passwd | map(attribute='id') | list | intersect(ubtu22cis_inactive_users.stdout_lines) | list }}" + +- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past" + when: + - ubtu22cis_rule_5_4_1_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.4.1.5 + - user + - login + vars: + warn_control_id: '5.4.1.5' + block: + - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" + ansible.builtin.shell: echo 
$(($(date --utc --date "$1" +%s)/86400)) + changed_when: false + failed_when: false + check_mode: false + register: ubtu22cis__current_time + + - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future" + ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu22cis_current_time.stdout }})print$1}'" + changed_when: false + failed_when: false + check_mode: false + register: ubtu22cis_user_list + + - name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Warn about users" + when: ubtu22cis_user_list.stdout | length > 0 + ansible.builtin.debug: + msg: + - "WARNING!! The following accounts have the last PW change date in the future" + - "{{ ubtu22cis_user_list.stdout_lines }}" + + - name: "5.4.1.5 | WARN | Ensure all users last password change date is in the past | warn_count" + ansible.builtin.import_tasks: + file: warning_facts.yml + when: ubtu22cis_user_list.stdout | length > 0 + + - name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates" + when: + - ubtu22cis_disruption_high + - ubtu22cis_user_list.stdout | length > 0 + ansible.builtin.shell: passwd --expire {{ item }} + failed_when: false + with_items: + - "{{ ubtu22cis_user_list.stdout_lines }}" diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml new file mode 100644 index 00000000..e1ba27ef --- /dev/null +++ b/tasks/section_5/cis_5.4.2.x.yml 
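Review bot: In 5.4.1.3 the per-user remediation runs `chage --maxdays {{ ubtu22cis_pass.warn_age }} {{ item }}`, writing the warning-days value into the maximum-age field, so every user below the warn threshold gets whatever `warn_age` is as their password maximum instead of a warning period; it should be `chage --warndays {{ ubtu22cis_pass.warn_age }} {{ item }}` (the same slip is visible in the deleted 5.5.1.3 and was carried over). 5.4.1.2 registers `ubtu22cis_5_4_1_1_min_days` but then loops over and checks `ubtu22cis_min_days`, which is undefined, so that task errors under `ubtu22cis_disruption_high`. 5.4.1.6 registers `ubtu22cis__current_time` (double underscore) but reads `ubtu22cis_current_time.stdout`, and its `when`, tags and `warn_control_id` all say 5.4.1.5, so the rule toggle for 5.4.1.6 is never honoured. The `chage` and `passwd --expire` loops also interpolate `{{ item }}` unquoted into a shell line; the items come from `/etc/shadow` user names so the risk is low, but `ansible.builtin.command` would avoid the shell entirely.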
@@ -0,0 +1,200 @@ +--- + +- name: "5.4.2.1 | PATCH | Ensure root is the only UID 0 account" + when: + - ubtu22cis_rule_5_4_2_1 + - ubtu22cis_uid_zero_accounts_except_root.rc + - ubtu22cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - accounts + - users + - rule_5.4.2.1 + ansible.builtin.shell: passwd -l {{ item }} + changed_when: false + failed_when: false + loop: "{{ ubtu22cis_uid_zero_accounts_except_root.stdout_lines }}" + +- name: "5.4.2.2 | PATCH | Ensure root is the only GID 0 account" + when: + - ubtu22cis_rule_5_4_2_2 + - ubtu22cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - rule_5.4.2.2 + - user + - system + block: + - name: "5.4.2.2 | AUDIT | Ensure root is the only GID 0 account | Get members of gid 0" + ansible.builtin.shell: "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4==\"0\") {print $1}' /etc/passwd | grep -wv 'root'" + register: ubtu22cis_gid0_members + changed_when: false + failed_when: ubtu22cis_gid0_members.rc not in [ 0, 1 ] + + - name: "5.4.2.2 | PATCH | Ensure root is the only GID 0 account | Remove users not root from gid 0" + when: ubtu22cis_gid0_members.std | length > 0 + ansible.builtin.user: + name: "{{ item }}" + gid: 0 + state: absent + loop: ubtu22cis_gid0_members.stdout_lines + +- name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group" + when: + - ubtu22cis_rule_5_4_2_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.4.2.2 + - user + - system + block: + - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group | Get groups with gid 0" + ansible.builtin.shell: "awk -F: '$3==\"0\"{print $1}' /etc/group | grep -vw 'root'" + register: ubtu22cis_gid0_groups + changed_when: false + failed_when: ubtu22cis_gid0_groups.rc not in [ 0, 1 ] + + - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group | Warning if others gid 0 groups" + when: ubtu22cis_gid0_groups.stdout | length > 0 + ansible.builtin.debug: + msg: 
+ - "Warning!! You have other groups assigned to GID 0 - Please resolve" + - "{{ ubtu22cis_gid0_groups.stdout_lines }}" + + - name: "5.4.2.3 | WARN | Ensure group root is the only GID 0 group | warn_count" + when: ubtu22cis_gid0_groups.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '5.4.2.3' + +- name: "5.4.2.4 | PATCH | Ensure root password is set" + when: + - ubtu22cis_rule_5_4_2_4 + tags: + - level1-server + - level1-workstation + - patch + - shadow_suite + - rule_5.4.2.4 + ansible.builtin.debug: + msg: "This is set as an assert in tasks/main" + +- name: "5.4.2.5 | PATCH | Ensure root PATH Integrity" + when: + - ubtu22cis_rule_5_4_2_5 + tags: + - level1-server + - level1-workstation + - patch + - paths + - rule_5.4.2.5 + block: + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Get root paths" + ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 + changed_when: false + register: ubtu22cis_root_paths + + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Get root paths" + ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 | tr ":" "\n" + changed_when: false + register: ubtu22cis_root_paths_split + + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Set fact" + ansible.builtin.set_fact: + root_paths: "{{ ubtu22cis_root_paths.stdout }}" + + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" + ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"' + changed_when: false + failed_when: root_path_empty_dir.rc not in [ 0, 1 ] + register: root_path_empty_dir + + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for trailing ':'" + ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"' + changed_when: false + failed_when: root_path_trailing_colon.rc not in [ 0, 1 ] + register: root_path_trailing_colon 
+ + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + block: + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + ansible.builtin.stat: + path: "{{ item }}" + register: root_path_perms + loop: "{{ ubtu22cis_root_paths_split.stdout_lines }}" + + - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Set permissions" + when: + - item.stat.exists + - item.stat.isdir + - item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp + - (item != 'root') and (not ubtu22cis_uses_root) + ansible.builtin.file: + path: "{{ item.stat.path }}" + state: directory + owner: root + group: root + mode: '0755' + follow: false + loop: "{{ root_path_perms.results }}" + loop_control: + label: "{{ item }}" + +- name: "5.4.2.6 | PATCH | Ensure root user umask is configured" + when: + - ubtu22cis_rule_5_4_2_6 + tags: + - level1-server + - level1-workstation + - patch + - shadow_suite + - rule_5.4.2.6 + ansible.builtin.lineinfile: + path: /root/.bash_profile + regexp: \s*umask + line: "umask {{ ubtu22cis_root_umask }}" + +- name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" + when: + - ubtu22cis_rule_5_4_2_7 + - item.id not in discovered_interactive_usernames.stdout + - "'root' not in item.id" + - ubtu22cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - shadow_suite + - rule_5.4.2.7 + ansible.builtin.user: + name: "{{ item.id }}" + shell: /usr/sbin/nologin + loop: "{{ ubtu22cis_passwd }}" + loop_control: + label: "{{ item.id }}" + +- name: "5.4.2.8 | PATCH | Ensure accounts without a valid login shell are locked | Lock accounts" + when: + - ubtu22cis_rule_5_4_2_8 + - ubtu22cis_disruption_high + - "item.id not in discovered_interactive_usernames.stdout" + - "'root' not in item.id" + tags: + - level1-server + - level1-workstation + - patch + - shadow_suite + - rule_5.4.2.8 + ansible.builtin.user: + name: "{{ item.id 
}}" + password_lock: true + loop: "{{ ubtu22cis_passwd }}" + loop_control: + label: "{{ item.id }}" diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml new file mode 100644 index 00000000..3eb3ac06 --- /dev/null +++ b/tasks/section_5/cis_5.4.3.x.yml @@ -0,0 +1,56 @@ +--- + +- name: "5.4.3.1 | PATCH | Ensure nologin is not listed in /etc/shells" + when: + - ubtu22cis_rule_5_4_3_1 + tags: + - level2-server + - level2-workstation + - patch + - shells + - rule_5.4.3.1 + ansible.builtin.replace: + path: /etc/shells + regexp: nologin + replace: "" + +- name: "5.4.3.2 | PATCH | Ensure default user shell timeout is configured" + when: + - ubtu22cis_rule_5_4_3_2 + tags: + - level1-server + - level1-workstation + - patch + - shell + - rule_5.4.3.2 + ansible.builtin.blockinfile: + path: "{{ item.path }}" + state: "{{ item.state }}" + marker: "# {mark} - CIS benchmark - Ansible-lockdown" + create: true + mode: '0644' + block: | + TMOUT={{ ubtu22cis_shell_session_timeout.timeout }} + readonly TMOUT + export TMOUT + loop: + - { path: "{{ ubtu22cis_shell_session_timeout.file }}", state: present } + - { path: /etc/profile, state: "{{ (ubtu22cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } + +- name: "5.4.3.3 | PATCH | Ensure default user umask is configured" + when: + - ubtu22cis_rule_5_4_3_3 + tags: + - level1-server + - level1-workstation + - patch + - umask + - rule_5.4.3.3 + ansible.builtin.replace: + path: "{{ item.path }}" + regexp: (?i)(umask\s+\d\d\d) + replace: '{{ item.line }} 027' + loop: + - { path: '/etc/bashrc', line: 'umask' } + - { path: '/etc/profile', line: 'umask' } + - { path: '/etc/login.defs', line: 'UMASK' } diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml deleted file mode 100644 index f04e27c3..00000000 --- a/tasks/section_5/cis_5.4.x.yml +++ /dev/null 
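Review bot: In 5.4.2.2 the remediation task would delete accounts rather than move them off GID 0: `ansible.builtin.user` with `state: absent` removes the user and ignores `gid: 0`; before it gets there, `when: ubtu22cis_gid0_members.std | length > 0` references a non-existent `.std` attribute and `loop: ubtu22cis_gid0_members.stdout_lines` is an unquoted literal string, which `loop` will not accept as a list. The task should change the primary group instead, e.g. `when: ubtu22cis_gid0_members.stdout | length > 0`, `loop: "{{ ubtu22cis_gid0_members.stdout_lines }}"`, and `group: "{{ item }}"` (or another non-zero group) in place of `gid: 0` / `state: absent`. In 5.4.2.5 the trailing-colon check `'{{ root_paths }} | cut -d= -f2 | grep -q ":$" …'` is missing the leading `echo`, so the expanded PATH string is executed as a command; mirror the empty-dir check with `echo {{ root_paths }} | grep -q ":$" …`. The permissions loop there compares a stat result to `'root'` (`item != 'root'`, always true), and 5.4.2.1 gates on `ubtu22cis_uid_zero_accounts_except_root.rc`, which is truthy only for a non-zero exit — presumably the opposite of what is intended if that prelim fact is a grep result; worth confirming.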
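Review bot: 5.4.3.1 uses `ansible.builtin.replace` with `regexp: nologin` and an empty replacement, which turns `/usr/sbin/nologin` into a dangling `/usr/sbin/` entry in /etc/shells instead of removing the line; `ansible.builtin.lineinfile` with `regexp: 'nologin$'` and `state: absent` drops the whole entry. In 5.4.3.3 the replacement hard-codes `027` rather than a variable, and because `(?i)(umask\s+\d\d\d)` matches any three-digit umask it also loosens an already stricter setting such as `umask 077` back to 027; the task should leave values at least as restrictive as the target alone, or take the target from a variable as 5.4.2.6 does with `ubtu22cis_root_umask`. `/etc/bashrc` is not the system bashrc on Ubuntu (`/etc/bash.bashrc` is), and `replace` fails when `path` does not exist, so that loop item is likely to error on a stock host.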
@@ -1,216 +0,0 @@ ---- - -- name: "5.4.1 | PATCH | Ensure password creation requirements are configured" - block: - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Install pam_pwquality module" - ansible.builtin.package: - name: libpam-pwquality - state: present - - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add minlen" - ansible.builtin.lineinfile: - path: /etc/security/pwquality.conf - regexp: '^minlen|^# minlen' - line: minlen = 14 - - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add minclass" - ansible.builtin.lineinfile: - path: /etc/security/pwquality.conf - regexp: ^minclass - line: "minclass = {{ ubtu22cis_pwquality_minclass_value }}" - when: ubtu22cis_pwquality_minclass - - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add extended keys" - ansible.builtin.lineinfile: - path: /etc/security/pwquality.conf - regexp: ^{{ item.key }} - line: "{{ item.key }} = {{ item.value }}" - loop: "{{ ubtu22cis_pwquality }}" - when: not ubtu22cis_pwquality_minclass - - - name: "5.4.1 | AUDIT | Ensure password creation requirements are configured | Confirm pwquality module in common-password" - ansible.builtin.shell: grep 'password.*requisite.*pam_pwquality.so' /etc/pam.d/common-password - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_5_4_1_pam_pwquality_state - - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality exists" - community.general.pamd: - name: common-password - type: password - control: requisite - module_path: pam_pwquality.so - module_arguments: 'retry=3' - state: args_present - when: ubtu22cis_5_4_1_pam_pwquality_state.stdout | length > 0 - - - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Set retry to 3 if pwquality does not exist" - community.general.pamd: - name: common-password - type: password - 
control: required - module_path: pam_permit.so - new_type: password - new_control: requisite - new_module_path: pam_pwquality.so - module_arguments: 'retry=3' - state: after - when: ubtu22cis_5_4_1_pam_pwquality_state.stdout | length == 0 - when: - - ubtu22cis_rule_5_4_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.4.1 - - pam - -- name: "5.4.2 | AUDIT | Ensure lockout for failed password attempts is configured" - block: - - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Check pam faillock is set" - ansible.builtin.shell: grep -E "preauth|authfail|authsucc" /etc/pam.d/common-auth | grep pam_faillock.so - register: faillock_state - failed_when: faillock_state.rc not in [0, 1] - changed_when: false - - ## Issues have been seen with this control that can't always be replicated - ## Please ensure you understand what this control is doing before overriding the current settings - - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock in common-auth" - ansible.builtin.replace: - path: /etc/pam.d/common-auth - before: .*pam_deny.so - regexp: .*pam_unix.so nullok - replace: "{{ ubtu22cis_rule_5_4_2_faillock_config }}" - when: - - "'pam_faillock.so' not in faillock_state.stdout" - - ubtu22cis_allow_common_auth_rewrite - - - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock common-account" - ansible.builtin.lineinfile: - path: /etc/pam.d/common-account - regexp: '^account\s+required\s+pam_faillock.so' - line: 'account required pam_faillock.so' - - - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | Set pam_deny.so and pam_tally.so" - ansible.builtin.lineinfile: - path: /etc/security/faillock.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - insertafter: '^# end of pam-auth-update config' - create: true - loop: - - { regexp: '^deny', line: 'deny = 4' } - - { regexp: 
'^fail_interval', line: 'fail_interval = 900' } - - { regexp: '^unlock_time', line: 'unlock_time = 600' } - when: - - ubtu22cis_rule_5_4_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.4.2 - - pam - - notimplemented - -- name: "5.4.3 | PATCH | Ensure password reuse is limited" - block: - - name: "5.4.3 | PATCH | Ensure password reuse is limited | Add pam_unix or edit it accordingly" - community.general.pamd: - name: common-password - type: password - control: '[success=1 default=ignore]' - module_path: pam_unix.so - module_arguments: 'obscure - yescrypt' - state: args_present - - - name: "5.4.3 | PATCH | Ensure password reuse is limited| Set remember value after adding pam unix" - community.general.pamd: - name: common-password - type: password - control: '[success=1 default=ignore]' - module_path: pam_unix.so - new_type: password - new_module_path: pam_pwhistory.so - new_control: required - module_arguments: 'use_authtok - remember={{ ubtu22cis_pamd_pwhistory_remember }}' - state: before - when: - - ubtu22cis_rule_5_4_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.4.3 - - pam - -- name: "5.4.4 | PATCH | Ensure password hashing algorithm is up to date with the latest standards" - block: - - name: "5.4.4 | AUDIT | Ensure password hashing algorithm is up to date with the latest standards | Confirm pam_unix.so" - ansible.builtin.shell: grep -v ^# /etc/pam.d/common-password | grep -E "(yescrypt|md5|bigcrypt|sha256|sha512|blowfish)" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_5_4_4_pam_unix_state - - - name: "5.4.4 | PATCH | Ensure password hashing algorithm is up to date with the latest standards | Set hashing if pam_unix.so exists" - community.general.pamd: - name: common-password - type: password - control: '[success=1 default=ignore]' - module_path: pam_unix.so - module_arguments: "{{ ubtu22cis_passwd_hash_algo }}" - state: "{{ 
ubtu22cis_passwd_setpam_hash_algo | ternary('args_present', 'args_absent') }}" - when: - - ubtu22cis_5_4_4_pam_unix_state.stdout | length > 0 - - - name: "5.4.4 | PATCH | Ensure password hashing algorithm is up to date with the latest standards | Set hashing if pam_unix.so does not exist" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^ENCRYPT_METHOD' - line: 'ENCRYPT_METHOD {{ ubtu22cis_passwd_hash_algo }}' - when: - - ubtu22cis_rule_5_4_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.4.4 - - pam - -- name: "5.4.5 | PATCH | Ensure password hashing algorithm is up to date with the latest standards" - block: - - name: "5.4.5 | AUDIT | Ensure all current passwords uses the configured hashing algorithm | capture hash" - ansible.builtin.shell: cat /etc/shadow | awk -F':' '{print $1" "$2}' | grep -Ev '(!|\*)' - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_5_4_5_passwd_hash_used - - # This is only looking for yescrypt if sha512 need to change the $y$ to $6$ - - name: "5.4.5 | AUDIT | Ensure all current passwords uses the configured hashing algorithm | check has found" - ansible.builtin.debug: - msg: "Warning!! Passwords found using not using {{ ubtu22cis_passwd_hash_algo }} algorithm - This required manual intervention" - when: "' $y$' not in ubtu22cis_5_4_5_passwd_hash_used.stdout" - - - name: "5.4.5 | WARN | Ensure all current passwords uses the configured hashing algorithm | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: "' $y$' not in ubtu22cis_5_4_5_passwd_hash_used.stdout" - vars: - warn_control_id: '5.4.5' - when: - - ubtu22cis_rule_5_4_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.4.5 - - pam diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml deleted file mode 100644 index ada449c0..00000000 --- a/tasks/section_5/cis_5.5.x.yml +++ /dev/null 
@@ -1,313 +0,0 @@ ---- - -- name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured" - block: - - name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set /etc/login.defs PASS_MIN_DAYS" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS' - line: 'PASS_MIN_DAYS {{ ubtu22cis_pass.min_days }}' - - - name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Get existing users PASS_MIN_DAYS" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu22cis_pass.min_days }})) {print $1}' /etc/shadow" - changed_when: false - failed_when: false - register: ubtu22cis_5_5_1_1_min_days - - - name: "5.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS" - ansible.builtin.shell: chage --mindays {{ ubtu22cis_pass.min_days }} {{ item }} - failed_when: false - changed_when: ubtu22cis_5_5_1_1_min_days.stdout |length > 0 - loop: "{{ ubtu22cis_5_5_1_1_min_days.stdout_lines }}" - when: - - ubtu22cis_disruption_high - - (item != 'root') or (not ubtu22cis_uses_root) - when: - - ubtu22cis_rule_5_5_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.1.1 - - user - - login - -- name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less" - block: - - name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set /etc/login.defs PASS_MAX_DAYS" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS' - line: 'PASS_MAX_DAYS {{ ubtu22cis_pass.max_days }}' - insertafter: '# Password aging controls' - - - name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu22cis_pass.max_days }} || $5<{{ ubtu22cis_pass.min_days }} || $5 == -1)){print $1}' /etc/shadow" - changed_when: false - 
failed_when: false - register: ubtu22cis_5_5_1_2_max_days - - - name: "5.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" - ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass.max_days }} {{ item }} - failed_when: false - changed_when: ubtu22cis_5_5_1_2_max_days.stdout | length > 0 - loop: "{{ ubtu22cis_5_5_1_2_max_days.stdout_lines }}" - when: - - ubtu22cis_disruption_high - - (item != 'root') or (not ubtu22cis_uses_root) - when: - - ubtu22cis_rule_5_5_1_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.1.2 - - user - - login - -- name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more" - block: - - name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set /etc/login.defs PASS_WARN_AGE" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE' - line: 'PASS_WARN_AGE {{ ubtu22cis_pass.warn_age }}' - - - name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Get existing users PASS_WARN_AGE" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu22cis_pass.warn_age }}){print $1}' /etc/shadow" - changed_when: false - failed_when: false - register: ubtu22cis_5_5_1_3_warn_days - - - name: "5.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users PASS_WARN_AGE" - ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass.warn_age }} {{ item }} - failed_when: false - changed_when: ubtu22cis_5_5_1_3_warn_days.stdout | length > 0 - loop: "{{ ubtu22cis_5_5_1_3_warn_days.stdout_lines }}" - when: - - ubtu22cis_disruption_high - - (item != 'root') or (not ubtu22cis_uses_root) - when: - - ubtu22cis_rule_5_5_1_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.1.3 - - user - - login - -- name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less" - block: - - name: "5.5.1.4 | AUDIT | 
Ensure inactive password lock is 30 days or less | General setting" - ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2 - changed_when: false - failed_when: false - register: ubtu22cis_5_5_1_4_inactive_setting - - - name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for new users" - ansible.builtin.shell: useradd -D -f {{ ubtu22cis_pass.inactive }} - failed_when: false - when: ubtu22cis_5_5_1_4_inactive_setting.stdout != ubtu22cis_pass.inactive | string - - - name: "5.5.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Get Individual users" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu22cis_pass.inactive }}))) {print $1}' /etc/shadow" - changed_when: false - failed_when: false - register: ubtu22cis_5_5_1_4_inactive_users - - - name: "5.5.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set inactive period for existing users" - ansible.builtin.shell: chage --inactive {{ ubtu22cis_pass.inactive }} {{ item }} - failed_when: false - with_items: - - "{{ ubtu22cis_passwd | map(attribute='id') | list | intersect(ubtu22cis_5_5_1_4_inactive_users.stdout_lines) | list }}" - when: - - ubtu22cis_disruption_high - - ubtu22cis_5_5_1_4_inactive_users.stdout | length > 0 - - (item != 'root') and (not ubtu22cis_uses_root) - when: - - ubtu22cis_rule_5_5_1_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.1.4 - - user - - login - -- name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past" - block: - - name: "5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" - ansible.builtin.shell: echo $(($(date --utc --date "$1" +%s)/86400)) - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_5_5_1_5_current_time - - - name: "5.5.1.5 | AUDIT | Ensure all users last password change date is in the past | Get 
list of users with last changed PW date in future" - ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu22cis_5_5_1_5_current_time.stdout }})print$1}'" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_5_5_1_5_user_list - - - name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Warn about users" - ansible.builtin.debug: - msg: - - "WARNING!! The following accounts have the last PW change date in the future" - - "{{ ubtu22cis_5_5_1_5_user_list.stdout_lines }}" - when: ubtu22cis_5_5_1_5_user_list.stdout | length > 0 - - - name: "5.5.1.5 | WARN | Ensure all users last password change date is in the past | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_5_5_1_5_user_list.stdout | length > 0 - - - name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates" - ansible.builtin.shell: passwd --expire {{ item }} - failed_when: false - with_items: - - "{{ ubtu22cis_5_5_1_5_user_list.stdout_lines }}" - when: - - ubtu22cis_disruption_high - - ubtu22cis_5_5_1_5_user_list.stdout | length > 0 - vars: - warn_control_id: '5.5.1.5' - when: - - ubtu22cis_rule_5_5_1_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.1.5 - - user - - login - -- name: "5.5.2 | PATCH | Ensure system accounts are secured" - block: - - name: "5.5.2 | PATCH | Ensure system accounts are secured | Set system accounts to login" - ansible.builtin.user: - name: "{{ item }}" - shell: /sbin/nologin - with_items: - - "{{ ubtu22cis_passwd | selectattr('uid', '<', 1000) | map(attribute='id') | list }}" - when: - - item != "root" - - item != "sync" - - item != "shutdown" - - item != "halt" - - - name: "5.5.2 | PATCH | Ensure system accounts are secured | Lock non-root system accounts" - ansible.builtin.user: - name: "{{ item }}" - password_lock: true - with_items: - - "{{ ubtu22cis_passwd | 
selectattr('uid', '<', 1000) | map(attribute='id') | list }}" - when: - - item != "root" - when: - - ubtu22cis_rule_5_5_2 - - ubtu22cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.2 - - user - - system - -- name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0" - block: - - name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root group to GUID 0" - ansible.builtin.group: - name: root - gid: 0 - - - name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0 | Set root user to root group" - ansible.builtin.user: - name: root - group: root - when: - - ubtu22cis_rule_5_5_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.3 - - user - - system - -- name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" - block: - - name: "5.5.4 | AUDIT | Ensure default user umask is 027 or more restrictive" - ansible.builtin.shell: grep -E '^session\s+optional\s+pam_umask.so' /etc/pam.d/common-session - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_5_5_4_umask_pam_status - - - name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" - ansible.builtin.lineinfile: - path: /etc/pam.d/common-session - line: 'session optional pam_umask.so' - insertbefore: '^# end of pam-auth-update config' - when: ubtu22cis_5_5_4_umask_pam_status.stdout | length == 0 - - - name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" - ansible.builtin.lineinfile: - path: "{{ item.path }}" - regexp: '(?i)(umask\s*\d\d\d)' - line: '{{ item.line }} {{ ubtu22cis_bash_umask }}' - with_items: - - { path: '/etc/bash.bashrc', line: 'umask' } - - { path: '/etc/profile', line: 'umask' } - - { path: '/etc/login.defs', line: 'UMASK' } - - - name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive" - ansible.builtin.lineinfile: - path: /etc/login.defs - 
regexp: '^USERGROUPS_ENAB' - line: USERGROUPS_ENAB no - when: - - ubtu22cis_rule_5_5_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.4 - - user - -- name: "5.5.5 | PATCH | Ensure default user shell timeout is 900 seconds or less" - ansible.builtin.blockinfile: - create: true - mode: '0644' - dest: "{{ item.dest }}" - state: "{{ item.state }}" - marker: "# {mark} ANSIBLE MANAGED" - block: | - # Set session timeout - CIS ID 5.5.5 - # only set TMOUT if it isn't set yet to avoid a shell error - : ${TMOUT={{ ubtu22cis_shell_session_timeout.timeout }}} - readonly TMOUT - export TMOUT - with_items: - - { dest: "{{ ubtu22cis_shell_session_timeout.file }}", state: present } - - { dest: /etc/profile, state: "{{ (ubtu22cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } - - { dest: /etc/bash.bashrc, state: present } - when: - - ubtu22cis_rule_5_5_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_5.5.5 - - user diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index b5bc9184..140a824a 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml 
@@ -1,24 +1,48 @@ --- -- name: "SECTION | 5.1 | Configure time-based job schedulers" +- name: "SECTION | 5.1 | Configure SSH Server" ansible.builtin.import_tasks: file: cis_5.1.x.yml -- name: "SECTION | 5.2 | Configure sudo" +- name: "SECTION | 5.2 | Configure privilege escalation" ansible.builtin.import_tasks: file: cis_5.2.x.yml when: not system_is_container -- name: "SECTION | 5.3 | Configure SSH Server" +- name: "SECTION | 5.3.1.x | Configure PAM software packages" ansible.builtin.import_tasks: - file: cis_5.3.x.yml + file: cis_5.3.1.x.yml when: not system_is_container -- name: "SECTION | 5.4.x | User PAM" +- name: "SECTION | 5.3.2.x | Configure pam-auth-update" ansible.builtin.import_tasks: - file: cis_5.4.x.yml + file: cis_5.3.2.x.yml when: not system_is_container -- name: "SECTION | 5.5.x | User Accounts and Environment" +- name: "SECTION | 5.3.3.1.x | Configure pam_faillock module" ansible.builtin.import_tasks: - file: cis_5.5.x.yml + file: cis_5.3.3.1.x.yml + +- name: "SECTION | 5.3.3.2.x | Configure pam_pwquality module" + ansible.builtin.import_tasks: + file: cis_5.3.3.2.x.yml + +- name: "SECTION | 5.3.3.3.x | Configure pam_pwhistory module" + ansible.builtin.import_tasks: + file: cis_5.3.3.3.x.yml + +- name: "SECTION | 5.3.3.4.x | Configure pam_unix module" + ansible.builtin.import_tasks: + file: cis_5.3.3.4.x.yml + +- name: "SECTION | 5.4.1.x | Configure shadow password suite parameters" + ansible.builtin.import_tasks: + file: cis_5.4.1.x.yml + +- name: "SECTION | 5.4.2.x | Configure root and system accounts and environment" + ansible.builtin.import_tasks: + file: cis_5.4.2.x.yml + +- name: "SECTION | 5.4.3.x | Configure user default environment" + ansible.builtin.import_tasks: + file: cis_5.4.3.x.yml diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 9c4c677d..53f54af2 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml 
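Review bot: The `when: not system_is_container` guard stayed with the import slot rather than with the content: SSH server configuration (previously 5.3, guarded) is now imported as 5.1 with no guard, and the pam_faillock/pwquality/pwhistory/pam_unix files (previously under the guarded `5.4.x | User PAM` import) are imported as 5.3.3.1.x–5.3.3.4.x without it, while the guard now sits on the PAM package and pam-auth-update imports. Unless the moved task files carry the condition themselves (not visible here), those controls will now run inside containers where they used to be skipped. Either add `when: not system_is_container` to the 5.1.x and 5.3.3.*.x imports or state in the task names why it is no longer needed; the same question applies to the new 5.4.1.x–5.4.3.x imports.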
@@ -1,368 +1,81 @@ --- -- name: "6.1.1 | PATCH | Ensure permissions on /etc/passwd are configured" - ansible.builtin.file: - path: /etc/passwd - owner: root - group: root - mode: '0644' +- name: "6.1.1 | PATCH | Ensure AIDE is installed" when: - - ubtu22cis_rule_6_1_1 + - ubtu22cis_rule_6_1_1 + - ubtu22cis_config_aide tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.1 - -- name: "6.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" - ansible.builtin.file: - path: /etc/passwd- - owner: root - group: root - mode: '0644' - when: - - ubtu22cis_rule_6_1_2 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.2 - -- name: "6.1.3 | PATCH | Ensure permissions on /etc/group are configured" - ansible.builtin.file: - path: /etc/group - owner: root - group: root - mode: '0644' - when: - - ubtu22cis_rule_6_1_3 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.3 - -- name: "6.1.4 | PATCH | Ensure permissions on /etc/group- are configured" - ansible.builtin.file: - path: /etc/group- - owner: root - group: root - mode: '0644' - when: - - ubtu22cis_rule_6_1_4 - tags: - - level1-server - - level1-workstation - - patch - - permissionss - - rule_6.1.4 - -- name: "6.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" - ansible.builtin.file: - path: /etc/shadow - owner: root - group: root - mode: '0640' - when: - - ubtu22cis_rule_6_1_5 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.5 - -- name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" - ansible.builtin.file: - path: /etc/shadow- - owner: root - group: root - mode: '0640' - when: - - ubtu22cis_rule_6_1_6 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.6 - -- name: "6.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" - ansible.builtin.file: - path: /etc/gshadow - owner: root - group: 
root - mode: '0640' - when: - - ubtu22cis_rule_6_1_7 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.7 - -- name: "6.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" - ansible.builtin.file: - path: /etc/gshadow- - owner: root - group: root - mode: '0640' - when: - - ubtu22cis_rule_6_1_8 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.8 - -- name: "6.1.9 | PATCH | Ensure no world writable files exist" + - level1-server + - level1-workstation + - patch + - rule_6.1.1 + - aide block: - - name: "6.1.9 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" - ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 - failed_when: false - changed_when: false - register: rhel_09_6_1_9_perms_results - - - name: "6.1.9 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" - ansible.builtin.file: - path: '{{ item }}' - mode: o-w - state: touch - loop: "{{ rhel_09_6_1_9_perms_results.stdout_lines }}" - when: - - rhel_09_6_1_9_perms_results.stdout_lines is defined - - ubtu22cis_no_world_write_adjust + - name: "6.1.1 | PATCH | Ensure AIDE is installed" + when: + - "'aide' not in ansible_facts.packages or + 'aide-common' not in ansible_facts.packages" + ansible.builtin.package: + name: ['aide', 'aide-common'] + state: present + update_cache: true + register: ubtu22cis_rule_6_1_1_aide_added + + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Recapture packages" + when: ubtu22cis_rule_6_1_1_aide_added.skipped is not defined + ansible.builtin.package_facts: + manager: auto + + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE" + ansible.builtin.shell: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db + args: + creates: /var/lib/aide/aide.db + changed_when: false + failed_when: false + async: "{{ 
ubtu22cis_aide_init.async }}" + poll: "{{ ubtu22cis_aide_init.poll }}" + when: not ansible_check_mode + +- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked" when: - - ubtu22cis_rule_6_1_9 + - ubtu22cis_config_aide + - ubtu22cis_rule_6_1_2 tags: - - level1-server - - level1-workstation - - patch - - files - - permissions - - rule_6.1.9 - -- name: "6.1.10 | PATCH | Ensure no unowned files or directories exist" - block: - - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Get unowned files or directories" - ansible.builtin.shell: find {{ item.mount }} -xdev -nouser -not -fstype nfs - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_1_10_no_user_items - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.mount }}" - - - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use" - ansible.builtin.set_fact: - ubtu22cis_6_1_10_no_user_items_flatten: "{{ ubtu22cis_6_1_10_no_user_items.results | map(attribute='stdout_lines') | flatten }}" - - - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Alert on unowned files and directories" - ansible.builtin.debug: - msg: - - "Warning!! 
You have unowned files and are configured to not auto-remediate for this task" - - "Please review the files/directories below and assign an owner" - - "{{ ubtu22cis_6_1_10_no_user_items_flatten }}" - when: - - not ubtu22cis_no_owner_adjust - - ubtu22cis_6_1_10_no_user_items_flatten | length > 0 - - - name: "6.1.10 | PATCH | Ensure no unowned files or directories exist | Set unowned files/directories to configured owner" - ansible.builtin.file: - path: "{{ item }}" - owner: "{{ ubtu22cis_unowned_owner }}" - with_items: - - "{{ ubtu22cis_6_1_10_no_user_items_flatten }}" - when: - - ubtu22cis_no_owner_adjust - - ubtu22cis_6_1_10_no_user_items_flatten | length > 0 - - - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Warn Count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: - - not ubtu22cis_no_owner_adjust - - ubtu22cis_6_1_10_no_user_items_flatten | length > 0 - vars: - warn_control_id: '6.1.10' - when: - - ubtu22cis_rule_6_1_10 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.1.10 - - permissions - -- name: "6.1.11 | PATCH | Ensure no ungrouped files or directories exist" - block: - - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Get ungrouped files or directories" - ansible.builtin.shell: find {{ item.mount }} -xdev -nogroup -not -fstype nfs - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_1_11_ungrouped_items - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.mount }}" - - - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Flatten ungrouped_items results for easier use" - ansible.builtin.set_fact: - ubtu22cis_6_1_11_ungrouped_items_flatten: "{{ ubtu22cis_6_1_11_ungrouped_items.results | map(attribute='stdout_lines') | flatten }}" - - - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Alert on ungrouped files and directories" - 
ansible.builtin.debug: - msg: - - "Warning!! You have ungrouped files/directories and are configured to not auto-remediate for this task" - - "Please review the files/directories below and assign a group" - - "{{ ubtu22cis_6_1_11_ungrouped_items_flatten }}" - when: - - not ubtu22cis_no_group_adjust - - ubtu22cis_6_1_11_ungrouped_items_flatten | length > 0 - - - name: "6.1.11 | PATCH | Ensure no ungrouped files or directories exist | Set ungrouped files/directories to configured group" - ansible.builtin.file: - path: "{{ item }}" - group: "{{ ubtu22cis_ungrouped_group }}" - with_items: - - "{{ ubtu22cis_6_1_11_ungrouped_items_flatten }}" - when: - - ubtu22cis_no_group_adjust - - ubtu22cis_6_1_11_ungrouped_items_flatten | length > 0 - - - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Warn Count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: - - not ubtu22cis_no_group_adjust - - ubtu22cis_6_1_11_ungrouped_items_flatten | length > 0 - vars: - warn_control_id: '6.1.11' - when: - - ubtu22cis_rule_6_1_11 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.1.11 - - permissions - -- name: "6.1.12 | AUDIT | Audit SUID executables" - block: - - name: "6.1.12 | AUDIT | Audit SUID executables | Find SUID executables" - ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm -4000 -not -fstype nfs - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_1_12_suid_executables - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.mount }}" - - - name: "6.1.12 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use" - ansible.builtin.set_fact: - ubtu22cis_6_1_12_suid_executables_flatten: "{{ ubtu22cis_6_1_12_suid_executables.results | map(attribute='stdout_lines') | flatten }}" - - - name: "6.1.12 | AUDIT | Audit SUID executables | Alert SUID executables exist" - ansible.builtin.debug: - msg: - - "Warning!! 
You have SUID executables" - - "The files are listed below, please confirm the integrity of these binaries" - - "{{ ubtu22cis_6_1_12_suid_executables_flatten }}" - when: - - ubtu22cis_6_1_12_suid_executables_flatten | length > 0 - - not ubtu22cis_suid_adjust - - - name: "6.1.12 | PATCH | Audit SUID executables | Remove SUID bit" - ansible.builtin.file: - path: "{{ item }}" - mode: 'u-s' - with_items: - - "{{ ubtu22cis_6_1_12_suid_executables_flatten }}" - when: - - ubtu22cis_suid_adjust - - ubtu22cis_6_1_12_suid_executables_flatten | length > 0 - - - name: "6.1.12 | AUDIT | Audit SUID executables | Warn Count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: - - ubtu22cis_6_1_12_suid_executables_flatten | length > 0 - - not ubtu22cis_suid_adjust - vars: - warn_control_id: '6.1.12' - when: - - ubtu22cis_rule_6_1_12 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_6.1.12 - - permissions - -- name: "6.1.13 | AUDIT | Audit SGID executables" - block: - - name: "6.1.13 | AUDIT | Audit SGID executables | Find SGID executables" - ansible.builtin.shell: find {{ item }} -xdev -type f -perm -2000 -not -fstype nfs - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_1_13_sgid_executables - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.mount }}" - - - name: "6.1.13 | AUDIT | Audit SGID executables | Flatten sgid_executables results for easier use" - ansible.builtin.set_fact: - ubtu22cis_6_1_13_sgid_executables_flatten: "{{ ubtu22cis_6_1_13_sgid_executables.results | map(attribute='stdout_lines') | flatten }}" - - - name: "6.1.13 | AUDIT | Audit SGID executables | Alert SGID executables exist" - ansible.builtin.debug: - msg: - - "Warning!! 
You have SGID executables" - - "The files are listed below, please review the integrity of these binaries" - - "{{ ubtu22cis_6_1_13_sgid_executables_flatten }}" - when: - - ubtu22cis_6_1_13_sgid_executables_flatten | length > 0 - - not ubtu22cis_sgid_adjust - - - name: "6.1.13 | AUDIT | Audit SGID executables | Warn Count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: - - ubtu22cis_6_1_13_sgid_executables_flatten | length > 0 - - not ubtu22cis_sgid_adjust - - - name: "6.1.13 | PATCH | Audit SGID executables | Remove SGID bit" - ansible.builtin.file: - path: "{{ item }}" - mode: 'g-s' - with_items: - - "{{ ubtu22cis_6_1_13_sgid_executables_flatten }}" - when: - - ubtu22cis_sgid_adjust - - ubtu22cis_6_1_13_sgid_executables_flatten | length > 0 - vars: - warn_control_id: '6.1.13' + - level1-server + - level1-workstation + - patch + - rule_6.1.2 + - cron + - aide + ansible.builtin.cron: + name: Run AIDE integrity check + cron_file: "{{ ubtu22cis_aide_cron['cron_file'] }}" + user: "{{ ubtu22cis_aide_cron['cron_user'] }}" + minute: "{{ ubtu22cis_aide_cron['aide_minute'] | default('0') }}" + hour: "{{ ubtu22cis_aide_cron['aide_hour'] | default('5') }}" + day: "{{ ubtu22cis_aide_cron['aide_day'] | default('*') }}" + month: "{{ ubtu22cis_aide_cron['aide_month'] | default('*') }}" + weekday: "{{ ubtu22cis_aide_cron['aide_weekday'] | default('*') }}" + job: "{{ ubtu22cis_aide_cron['aide_job'] }}" + +- name: "6.1.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" when: - - ubtu22cis_rule_6_1_13 + - ubtu22cis_rule_6_1_3 tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_6.1.13 - - permissions + - level1-server + - level1-workstation + - aide + - file_integrity + - patch + - rule_6.1.3 + ansible.builtin.blockinfile: + path: /etc/aide.conf + marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown" + block: | + /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/auditd 
p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 + validate: aide -D --config %s diff --git a/tasks/section_6/cis_6.2.1.1.x.yml b/tasks/section_6/cis_6.2.1.1.x.yml new file mode 100644 index 00000000..7fe90b30 --- /dev/null +++ b/tasks/section_6/cis_6.2.1.1.x.yml 
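Review bot: The `aideinit && mv ...` task under 6.1.1 sets both `failed_when: false` and `changed_when: false`, so a baseline build that fails (or, with `ubtu22cis_aide_init.poll` at 0, is never awaited) is reported as an unchanged success, and the 6.1.2 cron job is then scheduled to run integrity checks against a database that does not exist. Register the result and drop `failed_when: false`, or at least route a non-zero rc through the role's warning mechanism, and let the `creates:` guard drive the changed state instead of pinning `changed_when` to false. Separately, 6.1.3 writes its selection lines to `/etc/aide.conf`, but the Ubuntu `aide-common` package installs its configuration as `/etc/aide/aide.conf` (with `aide.conf.d/`); unless the role creates `/etc/aide.conf` elsewhere, the cron job's `aide` run will not read the added audit-tool entries, and `validate: aide -D --config %s` will happily pass on the temporary file either way.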
@@ -0,0 +1,164 @@
+---
+
+- name: "6.2.1.1.1 | PATCH | Ensure journald service is enabled and active"
+ when:
+ - ubtu22cis_rule_6_2_1_1_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - journald
+ - rule_6.2.1.1.1
+ ansible.builtin.systemd:
+ name: systemd-journald.service
+ mask: false
+ state: started
+
+- name: "6.2.1.1.2 | PATCH | Ensure journald log file access is configured"
+ when:
+ - ubtu22cis_rule_6_2_1_1_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - audit
+ - journald
+ - rule_6.2.1.1.2
+ block:
+ - name: "6.2.1.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions"
+ ansible.builtin.file:
+ path: /usr/lib/tmpfiles.d/systemd.conf
+ mode: '0640'
+
+ - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file"
+ ansible.builtin.stat:
+ path: /etc/tmpfiles.d/systemd.conf
+ register: tmpfile_override
+
+ - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | If override file check for journal"
+ when: tmpfile_override.stat.exists
+ ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal \d*' /usr/lib/tmpfiles.d/systemd.conf
+ register: journald_fileperms_override
+ changed_when: false
+ failed_when: journald_fileperms_override.rc not in [ 0, 1 ]
+
+ - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found"
+ when:
+ - tmpfile_override.stat.exists
+ - journald_fileperms_override.stdout | length > 0
+ ansible.builtin.debug:
+ msg: "Warning!! 
- tmpfiles override found /usr/lib/tmpfiles.d/systemd.conf affecting journald files please confirm matches site policy"
+
+ - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found"
+ when:
+ - tmpfile_override.stat.exists
+ - journald_fileperms_override.stdout | length > 0
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+ vars:
+ warn_control_id: '6.2.1.1.2'
+
+- name: "6.2.1.1.3 | PATCH | Ensure journald log file rotation is configured"
+ when:
+ - ubtu22cis_rule_6_2_1_1_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - journald
+ - rule_6.2.1.1.3
+ notify: Restart journald
+ block:
+ - name: "6.2.1.1.3 | PATCH | Ensure journald log file rotation is configured | Add file"
+ ansible.builtin.template:
+ src: etc/systemd/journald.conf.d/rotation.conf.j2
+ dest: /etc/systemd/journald.conf.d/rotation.conf
+ owner: root
+ group: root
+ mode: '0640'
+
+ - name: "6.2.1.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries"
+ ansible.builtin.replace:
+ path: /etc/systemd/journald.conf
+ regexp: "{{ item }}"
+ replace: '#\1'
+ loop:
+ - '^(\s*SystemMaxUse\s*=.*)'
+ - '^(\s*SystemKeepFree\s*=.*)'
+ - '^(\s*RuntimeMaxUse\s*=)'
+ - '^(\s*RuntimeKeepFree\s*=.*)'
+ - '^(\s*MaxFileSec\s*=.*)'
+
+- name: "6.2.1.1.4 | PATCH | Ensure journald ForwardToSyslog is disabled"
+ when:
+ - ubtu22cis_rule_6_2_1_1_4
+ tags:
+ - level1-server
+ - level2-workstation
+ - patch
+ - journald
+ - rule_6.2.1.1.4
+ notify: Restart journald
+ block:
+ - name: "6.2.1.1.4 | PATCH | Ensure journald ForwardToSyslog is disabled | Add file"
+ ansible.builtin.template:
+ src: etc/systemd/journald.conf.d/forwardtosyslog.conf.j2
+ dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf
+ owner: root
+ group: root
+ mode: '0640'
+
+ - name: "6.2.1.1.4 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
+ ansible.builtin.replace:
+ path: /etc/systemd/journald.conf
+ 
regexp: ^\s*ForwardToSyslog
+ replace: '#\1'
+
+- name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured"
+ when:
+ - ubtu22cis_rule_6_2_1_1_5
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - journald
+ - rule_6.2.1.1.5
+ notify: Restart journald
+ block:
+ - name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured | Add file"
+ ansible.builtin.template:
+ src: etc/systemd/journald.conf.d/storage.conf.j2
+ dest: /etc/systemd/journald.conf.d/storage.conf
+ owner: root
+ group: root
+ mode: '0640'
+
+ - name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured | comment out current entries"
+ ansible.builtin.replace:
+ path: /etc/systemd/journald.conf
+ regexp: ^(?i)\s*storage=
+ replace: '#\1'
+
+- name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured"
+ when:
+ - ubtu22cis_rule_6_2_1_1_6
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - journald
+ - rule_6.2.1.1.6
+ notify: Restart journald
+ block:
+ - name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured | Add file"
+ ansible.builtin.template:
+ src: etc/systemd/journald.conf.d/storage.conf.j2 # Added to the same file as 6.2.1.1.5
+ dest: /etc/systemd/journald.conf.d/storage.conf
+ owner: root
+ group: root
+ mode: '0640'
+
+ - name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured | comment out current entries"
+ ansible.builtin.replace:
+ path: /etc/systemd/journald.conf
+ regexp: ^(?i)\s*compress=
+ replace: '#\1'
diff --git a/tasks/section_6/cis_6.2.1.2.x.yml b/tasks/section_6/cis_6.2.1.2.x.yml
new file mode 100644
index 00000000..79de3875
--- /dev/null
+++ b/tasks/section_6/cis_6.2.1.2.x.yml
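Review bot: The three `ansible.builtin.replace` tasks in 6.2.1.1.4, 6.2.1.1.5 and 6.2.1.1.6 use `replace: '#\1'` with a regexp that has no capture group (`^\s*ForwardToSyslog`, `^(?i)\s*storage=`, `^(?i)\s*compress=`), so the module fails with an invalid group reference instead of commenting the line out, and `^(?i)` additionally places an inline flag after `^`, which Python 3.11 and later reject outright. Use the shape 6.2.1.1.3 already has: `regexp: '^(\s*ForwardToSyslog\s*=.*)'`, `regexp: '(?i)^(\s*Storage\s*=.*)'` and `regexp: '(?i)^(\s*Compress\s*=.*)'`. In 6.2.1.1.2 the stat looks at `/etc/tmpfiles.d/systemd.conf` but the grep and the warning text both name `/usr/lib/tmpfiles.d/systemd.conf`, so the override file that was just detected is never actually inspected; the grep should read the override path. Setting `mode: '0640'` on the package-owned `/usr/lib/tmpfiles.d/systemd.conf` itself also does not change journal file access, which is governed by the `z /var/log/journal/...` mode entries inside that file rather than by its own mode.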
@@ -0,0 +1,67 @@
+---
+
+- name: "6.2.1.2.1 | PATCH | Ensure systemd-journal-remote is installed"
+ when:
+ - ubtu22cis_rule_6_2_1_2_1
+ - not ubtu22cis_system_is_log_server
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - journald
+ - rule_6.2.1.2.1
+ ansible.builtin.package:
+ name: systemd-journal-remote
+ state: present
+
+- name: "6.2.1.2.2 | PATCH | Ensure systemd-journal-remote authentication is configured"
+ when:
+ - ubtu22cis_rule_6_2_1_2_2
+ - not ubtu22cis_system_is_log_server
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - journald
+ - rule_6.2.1.2.2
+ notify: Restart journald
+ ansible.builtin.lineinfile:
+ path: /etc/systemd/journal-upload.conf
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ loop:
+ - { regexp: 'URL=', line: 'URL={{ ubtu22cis_remote_log_server }}'}
+ - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ ubtu22cis_journal_upload_serverkeyfile }}'}
+ - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ ubtu22cis_journal_servercertificatefile }}'}
+ - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ ubtu22cis_journal_trustedcertificatefile }}'}
+
+- name: "6.2.1.2.3 | PATCH | Ensure systemd-journal-remote is enabled and active"
+ when:
+ - not ubtu22cis_system_is_log_server
+ - ubtu22cis_rule_6_2_1_2_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - journald
+ - rule_6.2.1.2.3
+ ansible.builtin.systemd:
+ name: systemd-journal-upload
+ state: started
+ enabled: true
+
+- name: "6.2.1.2.4 | PATCH | Ensure systemd-journal-remote service is not in use"
+ when:
+ - not ubtu22cis_system_is_log_server
+ - ubtu22cis_rule_6_2_1_2_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - journald
+ - rule_6.2.1.2.4
+ ansible.builtin.systemd:
+ name: systemd-journal-remote.socket
+ state: stopped
+ enabled: false
+ masked: true
diff --git a/tasks/section_6/cis_6.2.2.yml b/tasks/section_6/cis_6.2.2.yml
new file mode 100644
index 00000000..0d4ae805
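Review bot: The lineinfile loop in 6.2.1.2.2 uses unanchored patterns such as `regexp: 'URL='`, so an entry matches wherever that text appears on a line and lineinfile then rewrites only the last match; anchoring each one, e.g. `regexp: '^#?\s*URL='`, pins the edit to the real key (or its shipped commented default) and keeps the task predictable when the file is later hand-edited. The three TLS material variables are also named on two different schemes, `ubtu22cis_journal_upload_serverkeyfile` versus `ubtu22cis_journal_servercertificatefile` and `ubtu22cis_journal_trustedcertificatefile`; if the defaults file declares them under one scheme only, the mismatched name will be undefined at runtime, so it is worth checking against defaults/main.yml. Because this task edits /etc/systemd/journal-upload.conf, which is provided by the package installed in 6.2.1.2.1, a short comment such as `# requires ubtu22cis_rule_6_2_1_2_1 (package install) to have run first` would make the ordering dependency explicit.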
--- /dev/null
+++ b/tasks/section_6/cis_6.2.2.yml
@@ -0,0 +1,35 @@
+---
+
+- name: "6.2.2 | PATCH | Ensure access to all logfiles has been configured"
+ when:
+ - rhel8cis_rule_6_2_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - logfiles
+ - rule_6.2.2
+ block:
+ - name: "6.2.2 | AUDIT | Ensure access to all logfiles has been configured | find files"
+ ansible.builtin.shell: find /var/log/ -type f -perm /g+wx,o+rwx -exec ls {} \;
+ changed_when: false
+ failed_when: false
+ register: discovered_logfiles
+
+ - name: "6.2.2 | AUDIT | Ensure access to all logfiles has been configured | set_fact"
+ ansible.builtin.set_fact:
+ discovered_logfiles_flattened: "{{ discovered_logfiles | json_query('stdout_lines[*]') | flatten }}" # noqa: jinja[invalid]
+ when:
+ - discovered_logfiles.stdout_lines | length > 0
+ - discovered_logfiles is defined
+
+ - name: "6.2.2 | PATCH | Ensure access to all logfiles has been configured | change permissions"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ mode: g-rx,o-rwx
+ loop: "{{ discovered_logfiles_flattened }}"
+ when:
+ - discovered_logfiles_flattened is defined
+ - item != "/var/log/btmp"
+ - item != "/var/log/utmp"
+ - item != "/var/log/wtmp"
diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
deleted file mode 100644
index ed3166ae..00000000
--- a/tasks/section_6/cis_6.2.x.yml
+++ /dev/null
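Review bot: The top-level `when:` of 6.2.2 tests `rhel8cis_rule_6_2_2`, which is the wrong variable prefix for this role; every other rule switch in this diff is `ubtu22cis_rule_*`, so this task either errors on an undefined variable or never runs, and the line should read `- ubtu22cis_rule_6_2_2`. The remediation mode is also inconsistent with the audit: the find selects files that are group-writable/executable or world-accessible (`-perm /g+wx,o+rwx`), but `mode: g-rx,o-rwx` leaves group write in place and strips group read, which breaks legitimate readers in the log group; `mode: g-wx,o-rwx` is the change that matches the search predicate. In the set_fact task the `is defined` test is listed after the `stdout_lines | length` test; since `when` conditions are evaluated in order, swapping the two lines makes the guard actually protect the access.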
@@ -1,528 +0,0 @@ ---- - -- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" - block: - - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords" - ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd - changed_when: false - failed_when: false - register: ubtu22cis_6_2_1_nonshadowed_users - - - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Warn on findings" - ansible.builtin.debug: - msg: - - "Warning!! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password" - - "{{ ubtu22cis_6_2_1_nonshadowed_users.stdout_lines }}" - when: ubtu22cis_6_2_1_nonshadowed_users.stdout | length > 0 - - - name: "6.2.1 | WARN | Ensure accounts in /etc/passwd use shadowed passwords | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_6_2_1_nonshadowed_users.stdout | length > 0 - vars: - warn_control_id: '6.2.1' - when: - - ubtu22cis_rule_6_2_1 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.1 - - user_accounts - -- name: "6.2.2 | PATCH | Ensure /etc/shadow password fields are not empty" - block: - - name: "6.2.2 | AUDIT | Ensure /etc/shadow password fields are not empty | Find users with no password" - ansible.builtin.shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow - changed_when: false - check_mode: false - register: ubtu22cis_6_2_2_empty_password_acct - - - name: "6.2.2 | PATCH | Ensure /etc/shadow password fields are not empty | Lock users with empty password" - ansible.builtin.user: - name: "{{ item }}" - password_lock: true - with_items: - - "{{ ubtu22cis_6_2_2_empty_password_acct.stdout_lines }}" - when: ubtu22cis_6_2_2_empty_password_acct.stdout | length > 0 - when: - - ubtu22cis_rule_6_2_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.2 - - user - - 
permissions - -- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" - block: - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" - ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_2_3_passwd_gid_check - - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" - ansible.builtin.debug: - msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: ubtu22cis_6_2_3_passwd_gid_check.stdout | length == 0 - - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" - ansible.builtin.debug: - msg: "Warning!! The following users have non-existent GIDs (Groups): {{ ubtu22cis_6_2_3_passwd_gid_check.stdout_lines | join (', ') }}" - when: ubtu22cis_6_2_3_passwd_gid_check.stdout | length > 0 - - - name: "6.2.3 | WARN | Ensure all groups in /etc/passwd exist in /etc/group | warn_count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_6_2_3_passwd_gid_check.stdout | length > 0 - vars: - warn_control_id: '6.2.3' - when: - - ubtu22cis_rule_6_2_3 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.3 - - groups - -- name: "6.2.4 | PATCH | Ensure shadow group is empty" - block: - - name: "6.2.4 | AUDIT | Ensure shadow group is empty | check users in group" - ansible.builtin.getent: - database: group - split: ':' - key: shadow - - - name: "6.2.4 | AUDIT | Ensure shadow group is empty | check users in group" - ansible.builtin.debug: - msg: "Warning!! 
- You have users in the shadow group" - when: ansible_facts.getent_group.shadow[2] | length > 0 - - - name: "6.2.4 | AUDIT | Ensure shadow group is empty | check users in group" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ansible_facts.getent_group.shadow[2] | length > 0 - vars: - warn_control_id: '6.2.4' - when: - - ubtu22cis_rule_6_2_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.4 - - user - -- name: "6.2.5 | AUDIT | Ensure no duplicate UIDs exist" - block: - - name: "6.2.5 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" - ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_2_5_user_uid_check - - - name: "6.2.5 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" - ansible.builtin.debug: - msg: "Warning!! The following users have UIDs that are duplicates: {{ ubtu22cis_6_2_5_user_uid_check.stdout_lines }}" - when: ubtu22cis_6_2_5_user_uid_check.stdout | length > 0 - - - name: "6.2.5 | AUDIT | Ensure no duplicate UIDs exist | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_6_2_5_user_uid_check.stdout | length > 0 - vars: - warn_control_id: '6.2.5' - when: - - ubtu22cis_rule_6_2_5 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.5 - - user - -- name: "6.2.6 | AUDIT | Ensure no duplicate GIDs exist" - block: - - name: "6.2.6 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" - ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_2_6_user_user_check - - - name: "6.2.6 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" - ansible.builtin.debug: - 
msg: "Warning!! The following groups have duplicate GIDs: {{ ubtu22cis_6_2_14_user_user_check.stdout_lines }}" - when: ubtu22cis_6_2_6_user_user_check.stdout | length > 0 - - - name: "6.2.6 | AUDIT | Ensure no duplicate GIDs exist | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_6_2_6_user_user_check.stdout | length > 0 - vars: - warn_control_id: '6.2.6' - when: - - ubtu22cis_rule_6_2_6 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.6 - - groups - -- name: "6.2.7 | AUDIT | Ensure no duplicate user names exist" - block: - - name: "6.2.7 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" - ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_2_7_user_username_check - - - name: "6.2.7 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" - ansible.builtin.debug: - msg: "Warning!! 
The following user names are duplicates: {{ ubtu22cis_6_2_7_user_username_check.stdout_lines }}" - when: ubtu22cis_6_2_7_user_username_check.stdout | length > 0 - - - name: "6.2.7 | AUDIT | Ensure no duplicate user names exist | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_6_2_7_user_username_check.stdout | length > 0 - vars: - warn_control_id: '6.2.7' - when: - - ubtu22cis_rule_6_2_7 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.7 - - user - -- name: "6.2.8 | AUDIT | Ensure no duplicate group names exist" - block: - - name: "6.2.8 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" - ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' - changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_2_8_group_group_check - - - name: "6.2.8 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - ansible.builtin.debug: - msg: "Warning!! 
The following group names are duplicates: {{ ubtu22cis_6_2_8_group_group_check.stdout_lines }}" - when: ubtu22cis_6_2_8_group_group_check.stdout | length > 0 - - - name: "6.2.8 | AUDIT | Ensure no duplicate group names exist | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ubtu22cis_6_2_8_group_group_check.stdout | length > 0 - vars: - warn_control_id: '6.2.8' - when: - - ubtu22cis_rule_6_2_8 - tags: - - level1-server - - level1-workstation - - automated - - audit - - rule_6.2.8 - - groups - -- name: "6.2.9 | PATCH | Ensure root PATH Integrity" - block: - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Get root paths" - ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 - changed_when: false - register: ubtu22cis_6_2_9_root_paths - - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Get root paths" - ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 | tr ":" "\n" - changed_when: false - register: ubtu22cis_6_2_9_root_paths_split - - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Set fact" - ansible.builtin.set_fact: - root_paths: "{{ ubtu22cis_6_2_9_root_paths.stdout }}" - - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" - ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"' - changed_when: false - failed_when: root_path_empty_dir.rc not in [ 0, 1 ] - register: root_path_empty_dir - - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Check for trailing ':'" - ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"' - changed_when: false - failed_when: root_path_trailing_colon.rc not in [ 0, 1 ] - register: root_path_trailing_colon - - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" - block: - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" - 
ansible.builtin.stat: - path: "{{ item }}" - register: root_path_perms - loop: "{{ ubtu22cis_6_2_9_root_paths_split.stdout_lines }}" - - - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Set permissions" - ansible.builtin.file: - path: "{{ item.stat.path }}" - state: directory - owner: root - group: root - mode: '0755' - follow: false - loop: "{{ root_path_perms.results }}" - loop_control: - label: "{{ item }}" - when: - - item.stat.exists - - item.stat.isdir - - item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp - - (item != 'root') and (not ubtu22cis_uses_root) - - when: - - ubtu22cis_rule_6_2_9 - tags: - - level1-server - - level1-workstation - - patch - - paths - - rule_6.2.9 - -- name: "6.2.10 | PATCH | Ensure root is the only UID 0 account" - ansible.builtin.shell: passwd -l {{ item }} - changed_when: false - failed_when: false - loop: "{{ ubtu22cis_uid_zero_accounts_except_root.stdout_lines }}" - when: - - ubtu22cis_rule_6_2_10 - - ubtu22cis_uid_zero_accounts_except_root.rc - tags: - - level1-server - - level1-workstation - - patch - - accounts - - users - - rule_6.2.10 - -- name: "6.2.11 | PATCH | Ensure local interactive user home directories exist" - block: - - name: "6.2.11 | PATCH | Ensure local interactive user home directories exist | Create dir if absent" - ansible.builtin.file: - path: "{{ item.dir }}" - state: directory - owner: "{{ item.id }}" - group: "{{ item.gid }}" - register: ubtu22cis_6_2_11_home_dir - loop: "{{ ubtu22cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" - loop_control: - label: "{{ item.id }}" - - # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.11 | PATCH | Ensure local interactive user home directories exist | Set group ACL" - ansible.posix.acl: - path: "{{ item }}" - default: true - etype: group - permissions: rx - state: present - loop: "{{ interactive_users_home.stdout_lines }}" - 
when: not system_is_container - - - name: "6.2.11 | PATCH | Ensure local interactive user home directories exist | Set other ACL" - ansible.posix.acl: - path: "{{ item }}" - default: true - etype: other - permissions: 0 - state: present - loop: "{{ interactive_users_home.stdout_lines }}" - when: not system_is_container - when: - - ubtu22cis_rule_6_2_11 - tags: - - level1-server - - level1-workstation - - patch - - users - - rule_6.2.11 - -- name: "6.2.12 | PATCH | Ensure local interactive users own their home directories" - ansible.builtin.file: - path: "{{ item.dir }}" - owner: "{{ item.id }}" - state: directory - loop: "{{ ubtu22cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" - loop_control: - label: "{{ item.id }}" - when: - - item.uid >= min_int_uid | int - - item.id != 'nobody' - - (item.id != 'tss' and item.dir != '/dev/null') - - item.shell != '/sbin/nologin' - - ubtu22cis_rule_6_2_12 - tags: - - level1-server - - level1-workstation - - patch - - users - - rule_6.2.12 - -- name: "6.2.13 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" - block: - - name: "6.2.13 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive | get stat" - ansible.builtin.stat: - path: "{{ item }}" - register: rhel_09_6_2_13_home_dir_perms - loop: "{{ interactive_users_home.stdout_lines }}" - - - name: "6.2.13 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | amend if needed" - ansible.builtin.file: - path: "{{ item.stat.path }}" - state: directory - mode: '0750' - loop: "{{ rhel_09_6_2_13_home_dir_perms.results }}" - loop_control: - label: "{{ item }}" - when: - - item.stat.mode > '0750' - - # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.13 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | Set group ACL" - ansible.posix.acl: - 
path: "{{ item }}" - default: true - etype: group - permissions: rx - state: present - loop: "{{ interactive_users_home.stdout_lines }}" - when: not system_is_container - - - name: "6.2.13 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | Set other ACL" - ansible.posix.acl: - path: "{{ item }}" - default: true - etype: other - permissions: 0 - state: present - loop: "{{ interactive_users_home.stdout_lines }}" - when: not system_is_container - when: - - ubtu22cis_rule_6_2_13 - tags: - - level1-server - - level1-workstation - - patch - - users - - permissions - - rule_6.2.13 - -- name: "6.2.14 | PATCH | Ensure no interactive users have .netrc files" - ansible.builtin.file: - dest: "~{{ item }}/.netrc" - state: absent - with_items: - - "{{ interactive_users_home.stdout_lines }}" - when: - - ubtu22cis_rule_6_2_14 - - ubtu22cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.14 - - user - -- name: "6.2.15 | PATCH | Ensure no interactive users have .forward files" - ansible.builtin.file: - dest: "~{{ item }}/.forward" - state: absent - with_items: - - "{{ interactive_users_home.stdout_lines }}" - when: - - ubtu22cis_rule_6_2_15 - - ubtu22cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.15 - - user - -- name: "6.2.16 | PATCH | Ensure no users have .rhosts files" - ansible.builtin.file: - dest: "~{{ item }}/.rhosts" - state: absent - with_items: - - "{{ interactive_users_home.stdout_lines }}" - when: - - ubtu22cis_rule_6_2_16 - - ubtu22cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.16 - - user - -- name: "6.2.17 | PATCH | Ensure users' dot files are not group or world writable" - block: - - name: "6.2.17 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" - ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w - 
changed_when: false - failed_when: false - check_mode: false - register: ubtu22cis_6_2_17_audit - - - name: "6.2.17 | AUDIT | Ensure users' dot files are not group or world-writable | Warning on files found" - ansible.builtin.debug: - msg: - - "Warning!! You have group or world-writable dot files on your system and have configured for manual intervention" - when: - - ubtu22cis_6_2_17_audit.stdout | length > 0 - - ubtu22cis_dotperm_ansiblemanaged - - - name: "6.2.17 | PATCH | Ensure users' dot files are not group or world writable | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: - - ubtu22cis_6_2_17_audit.stdout | length > 0 - - ubtu22cis_dotperm_ansiblemanaged - - - name: "6.2.17 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" - ansible.builtin.file: - path: '{{ item }}' - mode: go-w - with_items: "{{ ubtu22cis_6_2_17_audit.stdout_lines }}" - when: - - ubtu22cis_6_2_17_audit.stdout | length > 0 - - ubtu22cis_dotperm_ansiblemanaged - vars: - warn_control_id: '6.2.17' - when: - - ubtu22cis_rule_6_2_17 - - ubtu22cis_disruption_high - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_6.2.17 - - user diff --git a/tasks/section_6/cis_6.3.1.x.yml b/tasks/section_6/cis_6.3.1.x.yml new file mode 100644 index 00000000..142b9c84 --- /dev/null +++ b/tasks/section_6/cis_6.3.1.x.yml 
@@ -0,0 +1,100 @@ +--- + +- name: "6.3.1.1 | PATCH | Ensure auditd packages are installed" + when: + - ubtu22cis_rule_6_3_1_1 + - "'auditd' not in ansible_facts.packages or + 'audisd-plugins' not in ansible_facts.packages" + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.1.1 + - auditd + ansible.builtin.package: + name: ['auditd', 'audispd-plugins'] + state: present + +- name: "6.3.1.2 | PATCH | Ensure auditd service is enabled and active" + when: + - ubtu22cis_rule_6_3_1_2 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.1.2 + - auditd + ansible.builtin.service: + name: auditd + state: started + enabled: true + masked: false + +- name: "6.3.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" + when: + - ubtu22cis_rule_6_3_1_3 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.1.3 + - auditd + block: + - name: "6.3.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" + ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: ubtu22cis_6_3_1_3_cmdline_settings + + - name: "6.3.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist" + when: "'audit=' not in ubtu22cis_6_3_1_3_cmdline_settings.stdout" + ansible.builtin.lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ ubtu22cis_6_3_1_3_cmdline_settings.stdout }} audit=1"' + notify: Grub update + + - name: "6.3.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists" + when: "'audit=' in ubtu22cis_6_3_1_3_cmdline_settings.stdout" + ansible.builtin.replace: + dest: /etc/default/grub + regexp: 'audit=([0-9]+)' + replace: 'audit=1' + after: '^GRUB_CMDLINE_LINUX="' + before: '"' + notify: Grub update + +- name: 
"6.3.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" + when: + - ubtu22cis_rule_6_3_1_4 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.1.4 + - auditd + block: + - name: "6.3.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Get current GRUB_CMDLINE_LINUX" + ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' + changed_when: false + failed_when: false + check_mode: false + register: ubtu22cis_6_3_1_4_cmdline_settings + + - name: "6.3.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist" + when: "'audit_backlog_limit=' not in ubtu22cis_6_3_1_4_cmdline_settings.stdout" + ansible.builtin.lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: 'GRUB_CMDLINE_LINUX="{{ ubtu22cis_6_3_1_4_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu22cis_audit_back_log_limit }}"' + notify: Grub update + + - name: "6.3.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists" + ansible.builtin.replace: + dest: /etc/default/grub + regexp: 'audit_backlog_limit=([0-9]+)' + replace: 'audit_backlog_limit={{ ubtu22cis_audit_back_log_limit }}' + after: '^GRUB_CMDLINE_LINUX="' + before: '"' + notify: Grub update diff --git a/tasks/section_6/cis_6.3.2.x.yml b/tasks/section_6/cis_6.3.2.x.yml new file mode 100644 index 00000000..1e915ee4 --- /dev/null +++ b/tasks/section_6/cis_6.3.2.x.yml 
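Review bot: The `when:` of 6.3.1.1 checks `'audisd-plugins' not in ansible_facts.packages`, but the package installed two lines later is `audispd-plugins`; the misspelled name is never present, so the condition is always true and the task runs the package module on every play rather than only when something is missing — the line should be `'audispd-plugins' not in ansible_facts.packages`. In 6.3.1.4 the "Update setting if exists" replace task has no guard, whereas its counterpart in 6.3.1.3 carries `when: "'audit=' in ...stdout"`; adding `when: "'audit_backlog_limit=' in ubtu22cis_6_3_1_4_cmdline_settings.stdout"` keeps the two rules symmetric and avoids an unconditional replace on every run. Both rules build the new line from `cut -f2 -d'"'` output, so when GRUB_CMDLINE_LINUX is empty the result carries a leading space inside the quotes; harmless to GRUB, but worth a comment if intentional.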
@@ -0,0 +1,69 @@ +--- + +- name: "6.3.2.1 | PATCH | Ensure audit log storage size is configured" + when: + - ubtu22cis_rule_6_3_2_1 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.2.1 + - auditd + notify: Restart auditd + ansible.builtin.lineinfile: + dest: /etc/audit/auditd.conf + regexp: "^max_log_file( |=)" + line: "max_log_file = {{ ubtu22cis_max_log_file_size }}" + state: present + +- name: "6.3.2.2 | PATCH | Ensure audit logs are not automatically deleted" + when: + - ubtu22cis_rule_6_3_2_2 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.2.2 + - auditd + notify: Restart auditd + ansible.builtin.lineinfile: + path: /etc/audit/auditd.conf + regexp: '^max_log_file_action' + line: "max_log_file_action = {{ ubtu22cis_auditd['max_log_file_action'] }}" + +- name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full" + when: + - ubtu22cis_rule_6_3_2_3 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.2.3 + - auditd + ansible.builtin.lineinfile: + path: /etc/audit/auditd.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^space_left_action', line: "space_left_action = {{ ubtu22cis_auditd['space_left_action'] }}" } + - { regexp: '^action_mail_acct', line: "action_mail_acct = {{ ubtu22cis_auditd['action_mail_acct'] }}" } + - { regexp: '^admin_space_left_action', line: "admin_space_left_action = {{ ubtu22cis_auditd['admin_space_left_action'] }}" } + notify: Restart auditd + +- name: "6.3.2.4 | PATCH | Ensure system warns when audit logs are low on space" + when: + - ubtu22cis_rule_6_3_2_4 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.2.4 + notify: Restart_auditd + ansible.builtin.lineinfile: + path: /etc/audit/auditd.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + loop: + - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ ubtu22cis_auditd_admin_space_left_action }}' } + - 
{ regexp: '^space_left_action', line: 'space_left_action = {{ ubtu22cis_auditd_space_left_action }}' } diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml new file mode 100644 index 00000000..54d9569c --- /dev/null +++ b/tasks/section_6/cis_6.3.3.x.yml 
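Review bot: 6.3.2.4 notifies `Restart_auditd` while the three tasks above it notify `Restart auditd`; Ansible resolves handlers by exact name, so unless a handler with the underscored name exists the play fails at notification time, and the line should be `notify: Restart auditd`. 6.3.2.3 and 6.3.2.4 also both write `space_left_action` and `admin_space_left_action`, but from different variables (`ubtu22cis_auditd['space_left_action']` versus `ubtu22cis_auditd_space_left_action`), so whichever task runs last silently wins; the title of 6.3.2.3, "system is disabled when audit logs are full", suggests it was meant to manage `disk_full_action` and `disk_error_action` instead, which this hunk never sets — worth confirming against the benchmark text before merging. Consolidating on a single variable source for the two overlapping keys would remove the ambiguity either way.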
@@ -0,0 +1,263 @@ +--- + +- name: "6.3.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" + when: + - ubtu22cis_rule_6_3_3_1 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.2 | PATCH | Ensure actions as another user are always logged" + when: + - ubtu22cis_rule_6_3_3_2 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.3 | PATCH | Ensure events that modify the sudo log file are collected" + when: + - ubtu22cis_rule_6_3_3_3 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.4 | PATCH | Ensure events that modify date and time information are collected" + when: + - ubtu22cis_rule_6_3_3_4 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.5 | PATCH | Ensure events that modify the system's network environment are collected" + when: + - ubtu22cis_rule_6_3_3_5 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" + when: + - ubtu22cis_rule_6_3_3_6 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.6 + - auditd + block: + - name: "6.3.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" + ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done + register: priv_procs + changed_when: 
false + check_mode: false + + - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected | Set privileged rules" + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" + when: + - ubtu22cis_rule_6_3_3_7 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.8 | PATCH | Ensure events that modify user/group information are collected" + when: + - ubtu22cis_rule_6_3_3_8 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" + when: + - ubtu22cis_rule_6_3_3_9 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.10 | PATCH | Ensure successful file system mounts are collected" + when: + - ubtu22cis_rule_6_3_3_10 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.11 | PATCH | Ensure session initiation information is collected" + when: + - ubtu22cis_rule_6_3_3_11 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.12 | PATCH | Ensure login and logout events are collected" + when: + - ubtu22cis_rule_6_3_3_12 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.13 | PATCH | Ensure file deletion events by users are collected" + when: + - ubtu22cis_rule_6_3_3_13 + tags: + - level2-server + - level2-workstation + - patch + - 
rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" + when: + - ubtu22cis_rule_6_3_3_14 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" + when: + - ubtu22cis_rule_6_3_3_15 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" + when: + - ubtu22cis_rule_6_3_3_16 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" + when: + - ubtu22cis_rule_6_3_3_17 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" + when: + - ubtu22cis_rule_6_3_3_18 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading is collected" + when: + - ubtu22cis_rule_6_3_3_19 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.20 | PATCH | Ensure the audit configuration is immutable" + when: + - ubtu22cis_rule_6_3_3_20 + tags: + - level2-server + - level2-workstation + - patch + 
- rule_6.3.3.1 + - auditd + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.21 | PATCH | Ensure the running and on disk configuration is the same" + when: + - ubtu22cis_rule_6_3_3_21 + tags: + - level2-server + - level2-workstation + - scored + - patch + - rule_6.3.3.21 + - auditd + ansible.builtin.shell: augenrules --check + changed_when: false + register: ubtu22cis_rule_6_3_3_21_augen_check diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml new file mode 100644 index 00000000..120bd3a9 --- /dev/null +++ b/tasks/section_6/cis_6.3.4.x.yml 
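Review bot: Every task from 6.3.3.2 through 6.3.3.20, except 6.3.3.6, carries the tag `rule_6.3.3.1` instead of its own rule number, so `--tags rule_6.3.3.5` (or any other single rule) cannot select the intended task and a run limited to `rule_6.3.3.1` silently flips `update_audit_template` for all of them; each task should carry `- rule_6.3.3.N` matching its `ubtu22cis_rule_6_3_3_N` switch. In 6.3.3.6 the shell step registers `priv_procs` but nothing in this file consumes it; if the audit-rules template reads it, a comment such as `# consumed by the audit rules template` at the register line would document the coupling, otherwise the step is dead work. 6.3.3.21 registers `ubtu22cis_rule_6_3_3_21_augen_check` with `changed_when: false` but no `failed_when` or follow-up task in this hunk, so a mismatch between the on-disk and loaded rules is collected and then discarded; a warning or a check on the command's output would make the rule actually enforce something.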
@@ -0,0 +1,181 @@ +--- + +- name: | + "6.3.4.1 | PATCH | Ensure audit log files mode is configured" + "6.3.4.2 | PATCH | Ensure audit log files owner is configured" + "6.3.4.3 | PATCH | Ensure audit log files group owner is configured" + when: + - ubtu22cis_rule_6_3_4_1 or + ubtu22cis_rule_6_3_4_2 or + ubtu22cis_rule_6_3_4_3 + tags: + - level1-server + - level1-workstation + - patch + - auditd + - rule_6.3.4.1 + - rule_6.3.4.2 + - rule_6.3.4.3 + block: + - name: "6.3.4.1 | AUDIT | Ensure audit log files mode is configured | discover file" + ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' + changed_when: false + register: discovered_audit_logfile + + - name: "6.3.4.1 | AUDIT | Ensure audit log files mode is configured | stat file" + ansible.builtin.stat: + path: "{{ discovered_audit_logfile.stdout }}" + changed_when: false + register: auditd_logfile + + - name: | + "6.3.4.1 | PATCH | Ensure audit log files mode is configured" + "6.3.4.2 | PATCH | Ensure audit log files owner is configured" + "6.3.4.3 | PATCH | Ensure audit log files group owner is configured" + ansible.builtin.file: + path: "{{ discovered_audit_logfile.stdout }}" + mode: "{% if auditd_logfile.stat.mode > '0640' %}0640{% endif %}" + owner: root + group: root + +- name: "6.3.4.4 | PATCH | Ensure the audit log file directory mode is configured" + when: + - ubtu22cis_rule_6_3_4_4 + tags: + - level1-server + - level1-workstation + - patch + - auditd + - rule_6.3.4.4 + block: + - name: "6.3.4.4 | AUDIT | Ensure the audit log file directory mode is configured | get current permissions" + ansible.builtin.stat: + path: "{{ audit_discovered_logfile.stdout | dirname }}" + register: auditlog_dir + + - name: "6.3.4.4 | PATCH | Ensure the audit log file directory mode is configured | set" + when: not auditlog_dir.stat.mode is match('07(0|5)0') + ansible.builtin.file: + path: "{{ audit_discovered_logfile.stdout | dirname }}" + state: directory + mode: '0750' + +- name: "6.3.4.5 | 
PATCH | Ensure audit configuration files mode is configured" + when: + - ubtu22cis_rule_6_3_4_5 + tags: + - level1-server + - level1-workstation + - patch + - auditd + - rule_6.3.4.5 + ansible.builtin.file: + path: "{{ item.path }}" + mode: u-x,g-wx,o-rwx + loop: "{{ auditd_conf_files.files }}" + loop_control: + label: "{{ item.path }}" + +- name: "6.3.4.6 | PATCH | Ensure audit configuration files owner is configured" + when: + - ubtu22cis_rule_6_3_4_6 + tags: + - level1-server + - level1-workstation + - patch + - auditd + - rule_6.3.4.6 + ansible.builtin.file: + path: "{{ item.path }}" + owner: root + loop: "{{ auditd_conf_files.files }}" + loop_control: + label: "{{ item.path }}" + +- name: "6.3.4.7 | PATCH | Ensure audit configuration files group owner is configured" + when: + - ubtu22cis_rule_6_3_4_7 + tags: + - level1-server + - level1-workstation + - patch + - auditd + - rule_6.3.4.7 + ansible.builtin.file: + path: "{{ item.path }}" + group: root + loop: "{{ auditd_conf_files.files }}" + loop_control: + label: "{{ item.path }}" + +- name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured" + when: + - ubtu22cis_rule_6_3_4_8 + tags: + - level1-server + - level1-workstation + - patch + - auditd + - rule_6.3.4.8 + block: + - name: "6.3.4.8 | AUDIT | Ensure audit tools mode is configured | get current mode" + ansible.builtin.stat: + path: "{{ item }}" + register: "audit_bins" + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules + + - name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured | set if required" + when: not item.stat.mode is match('07(0|5)0') + ansible.builtin.file: + path: "{{ item.item }}" + mode: '0750' + loop: "{{ audit_bins.results }}" + loop_control: + label: "{{ item.item }}" + +- name: "6.3.4.9 | PATCH | Ensure audit tools owner is configured" + when: + - ubtu22cis_rule_6_3_4_9 + tags: + - level1-server + - level1-workstation + - patch + - auditd + - rule_6.3.4.9 
+ ansible.builtin.file: + path: "{{ item }}" + owner: root + group: root + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules + +- name: "6.3.4.10 | PATCH | Ensure audit tools group owner is configured" + when: + - ubtu22cis_rule_6_3_4_10 + tags: + - level1-server + - level1-workstation + - patch + - auditd + - rule_6.3.4.10 + ansible.builtin.file: + path: "{{ item }}" + group: root + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index b194fdc8..89042854 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -1,9 +1,33 @@ --- -- name: "SECTION | 6.1 | System File Permissions" +- name: "SECTION | 6.1 | Configure Filesystem Integrity Checking" ansible.builtin.import_tasks: file: cis_6.1.x.yml -- name: "SECTION | 6.2 | User and Group Settings" +- name: "SECTION | 6.2.1.1 | Configure systemd-journald service" ansible.builtin.import_tasks: - file: cis_6.2.x.yml + file: cis_6.2.1.1.x.yml + +- name: "SECTION | 6.2.1.2 | Configure systemd-journal-remote" + ansible.builtin.import_tasks: + file: cis_6.2.1.2.x.yml + +- name: "SECTION | 6.2.2 | Configure Logfiles" + ansible.builtin.import_tasks: + file: cis_6.2.2.yml + +- name: "SECTION | 6.3.1 | Configure auditd Service" + ansible.builtin.import_tasks: + file: cis_6.3.1.x.yml + +- name: "SECTION | 6.3.2 | Configure data retention" + ansible.builtin.import_tasks: + file: cis_6.3.2.x.yml + +- name: "SECTION | 6.3.3 | Configure auditd rules" + ansible.builtin.import_tasks: + file: cis_6.3.3.x.yml + +- name: "SECTION | 6.3.4 | Configure auditd file access" + ansible.builtin.import_tasks: + file: cis_6.3.4.x.yml diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml new file mode 100644 index 00000000..0557de2a --- /dev/null +++ b/tasks/section_7/cis_7.1.x.yml 
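Review bot: The 6.3.4.4 block stats and chmods `audit_discovered_logfile.stdout | dirname`, but the only variable registered in this file is `discovered_audit_logfile` (the 6.3.4.1 discover task), so both tasks fail on an undefined variable; the two references should read `path: "{{ discovered_audit_logfile.stdout | dirname }}"`. In the combined 6.3.4.1–6.3.4.3 file task, `mode: "{% if auditd_logfile.stat.mode > '0640' %}0640{% endif %}"` renders to an empty string whenever the current mode is already 0640 or tighter, which the file module is unlikely to accept, and the comparison is a string comparison of the octal text; gating the task with `when: auditd_logfile.stat.mode > '0640'` and writing `mode: '0640'` is clearer, and `auditd_logfile.stat.exists` is never checked so a missing log file breaks the block. `auditd_conf_files.files`, looped over by 6.3.4.5–6.3.4.7, is not registered anywhere in this file — presumably a find in prelim — and a one-line comment naming its source would help the next maintainer.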
@@ -0,0 +1,295 @@ +--- + +- name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured" + when: + - ubtu22cis_rule_7_1_1 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.1 + ansible.builtin.file: + path: /etc/passwd + owner: root + group: root + mode: '0644' + +- name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" + when: + - ubtu22cis_rule_7_1_2 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.2 + ansible.builtin.file: + path: /etc/passwd- + owner: root + group: root + mode: '0644' + +- name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured" + when: + - ubtu22cis_rule_7_1_3 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.3 + ansible.builtin.file: + path: /etc/group + owner: root + group: root + mode: '0644' + +- name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured" + when: + - ubtu22cis_rule_7_1_4 + tags: + - level1-server + - level1-workstation + - patch + - permissionss + - rule_7.1.4 + ansible.builtin.file: + path: /etc/group- + owner: root + group: root + mode: '0644' + +- name: "7.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" + when: + - ubtu22cis_rule_7_1_5 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.5 + ansible.builtin.file: + path: /etc/shadow + owner: root + group: root + mode: '0640' + +- name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" + when: + - ubtu22cis_rule_7_1_6 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.6 + ansible.builtin.file: + path: /etc/shadow- + owner: root + group: root + mode: '0640' + +- name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" + when: + - ubtu22cis_rule_7_1_7 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.7 + ansible.builtin.file: + path: 
/etc/gshadow + owner: root + group: root + mode: '0640' + +- name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" + when: + - ubtu22cis_rule_7_1_8 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.8 + ansible.builtin.file: + path: /etc/gshadow- + owner: root + group: root + mode: '0640' + +- name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured" + when: + - ubtu22cis_rule_7_1_9 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.9 + ansible.builtin.file: + path: /etc/shells + owner: root + group: root + mode: u-x,go-wx + +- name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured" + loop: + - /etc/security/opasswd + - /etc/security/opasswd.old + when: + - ubtu22cis_rule_7_1_10 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.10 + ansible.builtin.file: + path: /etc/security/opasswd + owner: root + group: root + mode: u-x,go-rwx + +- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured" + when: + - ubtu22cis_rule_7_1_11 + tags: + - level1-server + - level1-workstation + - patch + - files + - permissions + - rule_7.1.11 + block: + - name: "7.1.11 | AUDIT | Ensure world writable files and directories are secured | Get list of world-writable files" + ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + failed_when: false + changed_when: false + register: ubtu22cis_worldwriteable + + - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable files if they exist (Configurable)" + ansible.builtin.file: + path: '{{ item }}' + mode: o-w + state: touch + loop: "{{ ubtu22cis_worldwriteable.stdout_lines }}" + when: + - ubtu22cis_worldwriteable.stdout_lines is defined + - ubtu22cis_no_world_write_adjust + + - name: "7.1.11 | PATCH | Ensure world writable files and 
directories are secured | sticky bit set on world-writable directories" + ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t + changed_when: false + failed_when: false + +- name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist" + when: + - ubtu22cis_rule_7_1_12 + tags: + - level1-server + - level1-workstation + - patch + - rule_7.1.12 + - permissions + vars: + warn_control_id: '7.1.12' + block: + - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories" + ansible.builtin.shell: find {{ ubtu22cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs + changed_when: false + failed_when: false + check_mode: false + register: discovered_unowned_files + with_items: + - "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.mount }}" + + - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Flatten no_user_items results for easier use" + ansible.builtin.set_fact: + discovered_unowned_files_flatten: "{{ discovered_unowned_files.results | map(attribute='stdout_lines') | flatten }}" + + - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Alert on unowned files and directories" + when: + - not ubtu22cis_ownership_adjust + - discovered_unowned_files_flatten | length > 0 + ansible.builtin.debug: + msg: + - "Warning!! 
You have unowned files and are configured to not auto-remediate for this task" + - "Please review the files/directories below and assign an owner" + - "{{ discovered_unowned_files_flatten }}" + + - name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist | Set files/directories to configured owner and group" + when: + - ubtu22cis_ownership_adjust + - discovered_unowned_files_flatten | length > 0 + ansible.builtin.file: + path: "{{ item }}" + owner: "{{ ubtu22cis_unowned_owner }}" + group: "{{ ubtu22cis_unowned_group }}" + with_items: + - "{{ udiscovered_unowned_files_flatten }}" + + - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Warn Count" + when: + - not ubtu22cis_ownership_adjust + - discovered_unowned_files_flatten | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed" + when: + - ubtu22cis_rule_7_1_13 + tags: + - level1-server + - level1-workstation + - audit + - rule_7.1.13 + - permissions + vars: + warn_control_id: '7.1.13' + block: + - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID" + ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs + changed_when: false + failed_when: false + check_mode: false + register: discovered_suid_sgid_files + with_items: + - "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.mount }}" + + - name: "7.1.13 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use" + ansible.builtin.set_fact: + discovered_suid_sgid_files_flatten: "{{ discovered_suid_sgid_files.results | map(attribute='stdout_lines') | flatten }}" + + - name: "7.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" + when: + - discovered_suid_sgid_files_flatten | length > 0 + - not ubtu22cis_suid_sgid_adjust + ansible.builtin.debug: + msg: + - "Warning!! 
You have SUID executables" + - "The files are listed below, please confirm the integrity of these binaries" + - "{{ discovered_suid_sgid_files_flatten }}" + + - name: "7.1.13 | PATCH | Audit SUID executables | Remove SUID bit" + when: + - ubtu22cis_suid_sgid_adjust + - discovered_suid_sgid_files_flatten | length > 0 + ansible.builtin.file: + path: "{{ item }}" + mode: 'u-s' + with_items: + - "{{ discovered_suid_sgid_files_flatten }}" + + - name: "7.1.13 | AUDIT | Audit SUID executables | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + when: + - discovered_suid_sgid_files_flatten | length > 0 + - not ubtu22cis_suid_sgid_adjust diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml new file mode 100644 index 00000000..217b017d --- /dev/null +++ b/tasks/section_7/cis_7.2.x.yml 
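Review bot: The 7.1.10 task declares a `loop:` over /etc/security/opasswd and /etc/security/opasswd.old but hard-codes `path: /etc/security/opasswd`, so opasswd.old is never touched and the same file is processed twice; it should be `path: "{{ item }}"`, and because opasswd.old may not exist the item needs a stat guard or the file module fails. In 7.1.12 the remediation task loops over `udiscovered_unowned_files_flatten`, a typo for the `discovered_unowned_files_flatten` fact set two tasks earlier, so the only path that actually changes ownership fails on an undefined variable. In 7.1.13 `find ... -perm \( -02000 or -04000 \)` uses `or`, which is not a find operator (`-o` is), and `failed_when: false` hides the error so the audit silently reports no SUID/SGID files; the remediation then strips only `u-s` although SGID files are in the same list. Minor: the 7.1.4 tag is spelled `permissionss`, and `state: touch` in the 7.1.11 remediation rewrites the timestamps of every world-writable file on each run.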
@@ -0,0 +1,314 @@ +--- + +- name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" + when: + - ubtu22cis_rule_7_2_1 + tags: + - level1-server + - level1-workstation + - audit + - rule_7.2.1 + - user_accounts + vars: + warn_control_id: '7.2.1' + block: + - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords" + ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd + changed_when: false + failed_when: false + register: discovered_nonshadowed_users + + - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Warn on findings" + when: discovered_nonshadowed_users.stdout | length > 0 + ansible.builtin.debug: + msg: + - "Warning!! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password" + - "{{ discovered_nonshadowed_users.stdout_lines }}" + + - name: "7.2.1 | WARNING | Ensure accounts in /etc/passwd use shadowed passwords | warn_count" + when: discovered_nonshadowed_users.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty" + when: + - ubtu22cis_rule_7_2_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_7.2.2 + - user + - permissions + block: + - name: "7.2.2 | AUDIT | Ensure /etc/shadow password fields are not empty | Find users with no password" + ansible.builtin.shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow + changed_when: false + check_mode: false + register: discovered_empty_password_acct + + - name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty | Lock users with empty password" + when: discovered_empty_password_acct.stdout | length > 0 + ansible.builtin.user: + name: "{{ item }}" + password_lock: true + loop: + - "{{ discovered_empty_password_acct.stdout_lines }}" + +- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd 
exist in /etc/group" + when: + - ubtu22cis_rule_7_2_3 + tags: + - level1-server + - level1-workstation + - audit + - rule_7.2.3 + - groups + vars: + warn_control_id: '7.2.3' + block: + - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" + ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' + changed_when: false + failed_when: false + check_mode: false + register: discovered_passwd_gid_check + + - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" + when: discovered_passwd_gid_check.stdout | length > 0 + ansible.builtin.debug: + msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join (', ') }}" + + - name: "7.2.3 | WARNING | Ensure all groups in /etc/passwd exist in /etc/group | warn_count" + when: discovered_passwd_gid_check.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "7.2.4 | PATCH | Ensure shadow group is empty" + when: + - ubtu22cis_rule_7_2_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_6.2.4 + - user + vars: + warn_control_id: '7.2.4' + block: + - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group" + ansible.builtin.getent: + database: group + split: ':' + key: shadow + + - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group" + ansible.builtin.debug: + msg: "Warning!! 
- You have users in the shadow group" + when: ansible_facts.getent_group.shadow[2] | length > 0 + + - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group" + ansible.builtin.import_tasks: + file: warning_facts.yml + when: ansible_facts.getent_group.shadow[2] | length > 0 + +- name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist" + when: + - ubtu22cis_rule_7_2_5 + tags: + - level1-server + - level1-workstation + - audit + - rule_7.2.4 + - user + vars: + warn_control_id: '7.2.5' + block: + - name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" + changed_when: false + failed_when: false + check_mode: false + register: discovered_user_uid_check + + - name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" + when: discovered_user_uid_check.stdout | length > 0 + ansible.builtin.debug: + msg: "Warning!! 
The following users have UIDs that are duplicates: {{ discovered_user_uid_check.stdout_lines }}" + + - name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist | Set warning count" + when: discovered_user_uid_check.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist" + when: + - ubtu22cis_rule_7_2_6 + tags: + - level1-server + - level1-workstation + - audit + - rule_7.2.6 + - groups + vars: + warn_control_id: '7.2.6' + block: + - name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" + changed_when: false + failed_when: false + check_mode: false + register: discovered_user_gid_check + + - name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" + when: discovered_user_gid_check.stdout | length > 0 + ansible.builtin.debug: + msg: "Warning!! 
The following groups have duplicate GIDs: {{ discovered_user_gid_check.stdout_lines }}" + + - name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist | Set warning count" + when: discovered_user_gid_check.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "7.2.7 | AUDIT | Ensure no duplicate user names exist" + vars: + warn_control_id: '7.2.67' + when: + - ubtu22cis_rule_7_2_7 + tags: + - level1-server + - level1-workstation + - audit + - rule_7.2.7 + - user + block: + - name: "7.2.7 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" + changed_when: false + failed_when: false + check_mode: false + register: discovered_username_check + + - name: "7.2.7 | WARNING | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" + when: discovered_username_check.stdout | length > 0 + ansible.builtin.debug: + msg: "Warning!! 
The following user names are duplicates: {{ discovered_user_username_check.stdout_lines }}" + + - name: "7.2.7 | WARNING | Ensure no duplicate user names exist | Set warning count" + when: discovered_username_check.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "7.2.8 | AUDIT | Ensure no duplicate group names exist" + when: + - ubtu22cis_rule_7_2_8 + tags: + - level1-server + - level1-workstation + - audit + - rule_7.2.8 + - groups + vars: + warn_control_id: '7.2.8' + block: + - name: "7.2.8 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" + ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' + changed_when: false + failed_when: false + check_mode: false + register: discovered_group_check + + - name: "7.2.8 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" + when: discovered_group_check.stdout | length > 0 + ansible.builtin.debug: + msg: "Warning!! 
The following group names are duplicates: {{ discovered_group_group_check.stdout_lines }}" + + - name: "7.2.8 | AUDIT | Ensure no duplicate group names exist | Set warning count" + when: discovered_group_check.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured" + when: + - ubtu22cis_rule_7_2_9 + tags: + - level1-server + - level1-workstation + - patch + - users + - rule_7.2.9 + block: + - name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent" + ansible.builtin.file: + path: "{{ item.dir }}" + state: directory + owner: "{{ item.id }}" + group: "{{ item.gid }}" + loop: "{{ ubtu22cis_passwd | selectattr('uid', '>=', ubtu22uid_uid_start | int ) | selectattr('uid', '<=', ubtu22uid_uid_stop | int ) | list }}" + loop_control: + label: "{{ item.id }}" + + # set default ACLs so the homedir has an effective umask of 0027 + - name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured | Set group ACL" + when: not system_is_container + ansible.posix.acl: + path: "{{ item }}" + default: true + etype: group + permissions: rx + state: present + loop: "{{ discovered_interactive_users_home.stdout_lines }}" + + - name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured | Set other ACL" + when: not system_is_container + ansible.posix.acl: + path: "{{ item }}" + default: true + etype: other + permissions: 0 + state: present + loop: "{{ discovered_interactive_users_home.stdout_lines }}" + +- name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured" + when: + - ubtu22cis_rule_7_2_10 + - ubtu22cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - rule_7.2.10 + - user + vars: + warn_control_id: '7.2.10' + block: + - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Check for 
files" + ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w + changed_when: false + failed_when: discovered_dot_files.rc not in [ 0, 1 ] + check_mode: false + register: discovered_dot_files + + - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found" + when: + - discovered_dot_files.stdout | length > 0 + - ubtu22cis_dotperm_ansiblemanaged + ansible.builtin.debug: + msg: + - "Warning!! We have discovered group or world-writable dot files on your system and this host is configured for manual intervention. Please investigate these files further." + + - name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured | Set warning count" + when: + - discovered_dot_files.stdout | length > 0 + - ubtu22cis_dotperm_ansiblemanaged + ansible.builtin.import_tasks: + file: warning_facts.yml + + - name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured" + when: + - discovered_dot_files.stdout | length > 0 + - ubtu22cis_dotperm_ansiblemanaged + ansible.builtin.file: + path: '{{ item }}' + mode: go-w + with_items: "{{ discovered_dot_files.stdout_lines }}" diff --git a/tasks/section_7/main.yml b/tasks/section_7/main.yml new file mode 100644 index 00000000..2d1247ae --- /dev/null +++ b/tasks/section_7/main.yml @@ -0,0 +1,9 @@ +--- + +- name: "SECTION | 7.1 | System File Permissions" + ansible.builtin.import_tasks: + file: cis_7.1.x.yml + +- name: "SECTION | 7.2 | Local User and Group Settings" + ansible.builtin.import_tasks: + file: cis_7.2.x.yml diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml index 0da92a67..45497267 100644 --- a/tasks/warning_facts.yml +++ b/tasks/warning_facts.yml 
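Review bot: The 7.2.2 lock task nests the list inside another list (`loop:` followed by `- "{{ discovered_empty_password_acct.stdout_lines }}"`), so `item` is the whole list and `ansible.builtin.user` receives a list as `name`; it should be `loop: "{{ discovered_empty_password_acct.stdout_lines }}"`. Two debug messages reference variables that were never registered — 7.2.7 prints `discovered_user_username_check` (registered as `discovered_username_check`) and 7.2.8 prints `discovered_group_group_check` (registered as `discovered_group_check`) — and the 7.2.8 shell reads `getent passwd` although the control is about duplicate group names, so it should be `getent group`. In 7.2.10 the warning and warn-count tasks fire when `ubtu22cis_dotperm_ansiblemanaged` is true, the same condition as the remediation, even though the message says the host is configured for manual intervention; presumably those two want `not ubtu22cis_dotperm_ansiblemanaged`. Housekeeping: 7.2.4 carries tag `rule_6.2.4`, 7.2.5 carries `rule_7.2.4`, and 7.2.7 sets `warn_control_id: '7.2.67'`, which mis-tags and miscounts those controls.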
@@ -16,5 +16,5 @@ # the count increases by a value of 1 - name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." ansible.builtin.set_fact: - warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" - warn_count: "{{ warn_count | int + 1 }}" + warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" + warn_count: "{{ warn_count | int + 1 }}" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index b6429ca5..ed20877b 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -30,68 +30,102 @@ ubtu22_set_boot_pass: true ## Section 1 Fixes # Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, # Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) +# 1.1 Filesystems +# 1.1.1 Configure Filesystem Kernel Modules ubtu22cis_rule_1_1_1_1: {{ ubtu22cis_rule_1_1_1_1 }} ubtu22cis_rule_1_1_1_2: {{ ubtu22cis_rule_1_1_1_2 }} -ubtu22cis_rule_1_1_1_3: {{ ubtu22cis_rule_1_1_1_3 }} -ubtu22cis_rule_1_1_2_1: {{ ubtu22cis_rule_1_1_2_1 }} -ubtu22cis_rule_1_1_2_2: {{ ubtu22cis_rule_1_1_2_2 }} -ubtu22cis_rule_1_1_2_3: {{ ubtu22cis_rule_1_1_2_3 }} -ubtu22cis_rule_1_1_2_4: {{ ubtu22cis_rule_1_1_2_4 }} -ubtu22cis_rule_1_1_3_1: {{ ubtu22cis_rule_1_1_3_1 }} -ubtu22cis_rule_1_1_3_2: {{ ubtu22cis_rule_1_1_3_2 }} -ubtu22cis_rule_1_1_3_3: {{ ubtu22cis_rule_1_1_3_3 }} -ubtu22cis_rule_1_1_4_1: {{ ubtu22cis_rule_1_1_4_1 }} -ubtu22cis_rule_1_1_4_2: {{ ubtu22cis_rule_1_1_4_2 }} -ubtu22cis_rule_1_1_4_3: {{ ubtu22cis_rule_1_1_4_3 }} -ubtu22cis_rule_1_1_4_4: {{ ubtu22cis_rule_1_1_4_4 }} -ubtu22cis_rule_1_1_5_1: {{ ubtu22cis_rule_1_1_5_1 }} -ubtu22cis_rule_1_1_5_2: {{ ubtu22cis_rule_1_1_5_2 }} -ubtu22cis_rule_1_1_5_3: {{ ubtu22cis_rule_1_1_5_3 }} -ubtu22cis_rule_1_1_5_4: {{ ubtu22cis_rule_1_1_5_4 }} -ubtu22cis_rule_1_1_6_1: {{ ubtu22cis_rule_1_1_6_1 }} -ubtu22cis_rule_1_1_6_2: {{ ubtu22cis_rule_1_1_6_2 }} -ubtu22cis_rule_1_1_6_3: {{ ubtu22cis_rule_1_1_6_3 }} -ubtu22cis_rule_1_1_6_4: {{ ubtu22cis_rule_1_1_6_4 }} -ubtu22cis_rule_1_1_7_1: {{ ubtu22cis_rule_1_1_7_1 }} -ubtu22cis_rule_1_1_7_2: {{ ubtu22cis_rule_1_1_7_2 }} -ubtu22cis_rule_1_1_7_3: {{ ubtu22cis_rule_1_1_7_3 }} -ubtu22cis_rule_1_1_8_1: {{ ubtu22cis_rule_1_1_8_1 }} -ubtu22cis_rule_1_1_8_2: {{ ubtu22cis_rule_1_1_8_2 }} -ubtu22cis_rule_1_1_8_3: {{ ubtu22cis_rule_1_1_8_3 }} -ubtu22cis_rule_1_1_9: {{ ubtu22cis_rule_1_1_9 }} -ubtu22cis_rule_1_1_10: {{ ubtu22cis_rule_1_1_10 }} 
-ubtu22cis_rule_1_2_1: {{ ubtu22cis_rule_1_2_1 }} -ubtu22cis_rule_1_2_2: {{ ubtu22cis_rule_1_2_2 }} -ubtu22cis_rule_1_3_1: {{ ubtu22cis_rule_1_3_1 }} -ubtu22cis_rule_1_3_2: {{ ubtu22cis_rule_1_3_2 }} -ubtu22cis_rule_1_4_1: {{ ubtu22cis_rule_1_4_1 }} -ubtu22cis_rule_1_4_2: {{ ubtu22cis_rule_1_4_2 }} -ubtu22cis_rule_1_4_3: {{ ubtu22cis_rule_1_4_3 }} -ubtu22cis_rule_1_5_1: {{ ubtu22cis_rule_1_5_1 }} -ubtu22cis_rule_1_5_2: {{ ubtu22cis_rule_1_5_2 }} -ubtu22cis_rule_1_5_3: {{ ubtu22cis_rule_1_5_3 }} -ubtu22cis_rule_1_5_4: {{ ubtu22cis_rule_1_5_4 }} -ubtu22cis_rule_1_6_1_1: {{ ubtu22cis_rule_1_6_1_1 }} -ubtu22cis_rule_1_6_1_2: {{ ubtu22cis_rule_1_6_1_2 }} -ubtu22cis_rule_1_6_1_3: {{ ubtu22cis_rule_1_6_1_3 }} -ubtu22cis_rule_1_6_1_4: {{ ubtu22cis_rule_1_6_1_4 }} -ubtu22cis_rule_1_7_1: {{ ubtu22cis_rule_1_7_1 }} -ubtu22cis_rule_1_7_2: {{ ubtu22cis_rule_1_7_2 }} -ubtu22cis_rule_1_7_3: {{ ubtu22cis_rule_1_7_3 }} -ubtu22cis_rule_1_7_4: {{ ubtu22cis_rule_1_7_4 }} -ubtu22cis_rule_1_7_5: {{ ubtu22cis_rule_1_7_5 }} -ubtu22cis_rule_1_7_6: {{ ubtu22cis_rule_1_7_6 }} -ubtu22cis_rule_1_8_1: {{ ubtu22cis_rule_1_8_1 }} -ubtu22cis_rule_1_8_2: {{ ubtu22cis_rule_1_8_2 }} -ubtu22cis_rule_1_8_3: {{ ubtu22cis_rule_1_8_3 }} -ubtu22cis_rule_1_8_4: {{ ubtu22cis_rule_1_8_4 }} -ubtu22cis_rule_1_8_5: {{ ubtu22cis_rule_1_8_5 }} -ubtu22cis_rule_1_8_6: {{ ubtu22cis_rule_1_8_6 }} -ubtu22cis_rule_1_8_7: {{ ubtu22cis_rule_1_8_7 }} -ubtu22cis_rule_1_8_8: {{ ubtu22cis_rule_1_8_8 }} -ubtu22cis_rule_1_8_9: {{ ubtu22cis_rule_1_8_9 }} -ubtu22cis_rule_1_8_10: {{ ubtu22cis_rule_1_8_10 }} -ubtu22cis_rule_1_9: {{ ubtu22cis_rule_1_9 }} +ubtu22cis_rule_1_1_1_3: {{ ubtu22cis_rule_1_1_1_3 } +ubtu22cis_rule_1_1_1_4: {{ ubtu22cis_rule_1_1_1_4 }} +ubtu22cis_rule_1_1_1_5: {{ ubtu22cis_rule_1_1_1_5 }} +ubtu22cis_rule_1_1_1_6: {{ ubtu22cis_rule_1_1_1_6 }} +ubtu22cis_rule_1_1_1_7: {{ ubtu22cis_rule_1_1_1_7 }} +ubtu22cis_rule_1_1_1_8: {{ ubtu22cis_rule_1_1_1_8 }} + +# 1.1.2 Configure Filesystem Partitions +# /tmp 
+ubtu22cis_rule_1_1_2_1_1: {{ ubtu22cis_rule_1_1_2_1_1 }} +ubtu22cis_rule_1_1_2_1_2: {{ ubtu22cis_rule_1_1_2_1_2 }} +ubtu22cis_rule_1_1_2_1_3: {{ ubtu22cis_rule_1_1_2_1_3 }} +ubtu22cis_rule_1_1_2_1_4: {{ ubtu22cis_rule_1_1_2_1_4 }} + +# /dev/shm +ubtu22cis_rule_1_1_2_2_1: {{ ubtu22cis_rule_1_1_2_2_1 }} +ubtu22cis_rule_1_1_2_2_2: {{ ubtu22cis_rule_1_1_2_2_2 }} +ubtu22cis_rule_1_1_2_2_3: {{ ubtu22cis_rule_1_1_2_2_3 }} +ubtu22cis_rule_1_1_2_2_4: {{ ubtu22cis_rule_1_1_2_2_4 }} + +# /home +ubtu22cis_rule_1_1_2_3_1: {{ ubtu22cis_rule_1_1_2_3_1 }} +ubtu22cis_rule_1_1_2_3_2: {{ ubtu22cis_rule_1_1_2_3_2 }} +ubtu22cis_rule_1_1_2_3_3: {{ ubtu22cis_rule_1_1_2_3_3 }} + +# /var +ubtu22cis_rule_1_1_2_4_1: {{ ubtu22cis_rule_1_1_2_4_1 }} +ubtu22cis_rule_1_1_2_4_2: {{ ubtu22cis_rule_1_1_2_4_2 }} +ubtu22cis_rule_1_1_2_4_3: {{ ubtu22cis_rule_1_1_2_4_3 }} + +# /var/tmp +ubtu22cis_rule_1_1_2_5_1: {{ ubtu22cis_rule_1_1_2_5_1 }} +ubtu22cis_rule_1_1_2_5_2: {{ ubtu22cis_rule_1_1_2_5_2 }} +ubtu22cis_rule_1_1_2_5_3: {{ ubtu22cis_rule_1_1_2_5_3 }} +ubtu22cis_rule_1_1_2_5_4: {{ ubtu22cis_rule_1_1_2_5_4 }} + +# /var/log +ubtu22cis_rule_1_1_2_6_1: {{ ubtu22cis_rule_1_1_2_6_1 }} +ubtu22cis_rule_1_1_2_6_2: {{ ubtu22cis_rule_1_1_2_6_2 }} +ubtu22cis_rule_1_1_2_6_3: {{ ubtu22cis_rule_1_1_2_6_3 }} +ubtu22cis_rule_1_1_2_6_4: {{ ubtu22cis_rule_1_1_2_6_4 }} + +# /var/log/audit +ubtu22cis_rule_1_1_2_7_1: {{ ubtu22cis_rule_1_1_2_7_1 }} +ubtu22cis_rule_1_1_2_7_2: {{ ubtu22cis_rule_1_1_2_7_2 }} +ubtu22cis_rule_1_1_2_7_3: {{ ubtu22cis_rule_1_1_2_7_3 }} +ubtu22cis_rule_1_1_2_7_4: {{ ubtu22cis_rule_1_1_2_7_4 }} + +# 1.2 Package mgmt +# 1.2.1 Configure Package repositories +ubtu22cis_rule_1_2_1_1: {{ ubtu22cis_rule_1_2_1_1 }} +ubtu22cis_rule_1_2_1_2: {{ ubtu22cis_rule_1_2_1_2 }} +# 1.2.2 Configure Package updates +ubtu22cis_rule_1_2_2_1: {{ ubtu22cis_rule_1_2_2_1 }} + +# 1.3 Mandatory Access Control +## 1.3.1 Configure AppArmor +ubtu22cis_1_3_1_1: {{ ubtu22cis_1_3_1_1 }} +ubtu22cis_1_3_1_2: {{ ubtu22cis_1_3_1_2 
}} +ubtu22cis_1_3_1_3: {{ ubtu22cis_1_3_1_3 }} +ubtu22cis_1_3_1_4: {{ ubtu22cis_1_3_1_4 }} + +# 1.4 Configure Bootloader +ubtu22cis_1_4_1: {{ ubtu22cis_1_4_1 }} +ubtu22cis_1_4_2: {{ ubtu22cis_1_4_2 }} + +# 1.5 Configure additional Process Hardening +ubtu22cis_1_5_1: {{ ubtu22cis_1_5_1 }} +ubtu22cis_1_5_2: {{ ubtu22cis_1_5_2 }} +ubtu22cis_1_5_3: {{ ubtu22cis_1_5_3 }} +ubtu22cis_1_5_4: {{ ubtu22cis_1_5_4 }} +ubtu22cis_1_5_5: {{ ubtu22cis_1_5_5 }} + +# 1.6 Configure Command Line Warning Banners +ubtu22cis_1_6_1: {{ ubtu22cis_1_6_1 }} +ubtu22cis_1_6_2: {{ ubtu22cis_1_6_2 }} +ubtu22cis_1_6_3: {{ ubtu22cis_1_6_3 }} +ubtu22cis_1_6_4: {{ ubtu22cis_1_6_4 }} +ubtu22cis_1_6_5: {{ ubtu22cis_1_6_5 }} +ubtu22cis_1_6_6: {{ ubtu22cis_1_6_6 }} + +# 1.7 Configure GNOME Display Manager +ubtu22cis_1_7_1: {{ ubtu22cis_1_7_1 }} +ubtu22cis_1_7_2: {{ ubtu22cis_1_7_2 }} +ubtu22cis_1_7_3: {{ ubtu22cis_1_7_3 }} +ubtu22cis_1_7_4: {{ ubtu22cis_1_7_4 }} +ubtu22cis_1_7_5: {{ ubtu22cis_1_7_5 }} +ubtu22cis_1_7_6: {{ ubtu22cis_1_7_6 }} +ubtu22cis_1_7_7: {{ ubtu22cis_1_7_7 }} +ubtu22cis_1_7_8: {{ ubtu22cis_1_7_8 }} +ubtu22cis_1_7_9: {{ ubtu22cis_1_7_9 }} +ubtu22cis_1_7_10: {{ ubtu22cis_1_7_10 }} # Section 2 Fixes # Section 2 is Services (Special Purpose Services, and service clients) diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 2992d208..8ecb54ce 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 
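Review bot: The added line `ubtu22cis_rule_1_1_1_3: {{ ubtu22cis_rule_1_1_1_3 }` is missing its closing brace, so the whole goss variables template fails to render and every audit run that consumes it breaks; it should be `ubtu22cis_rule_1_1_1_3: {{ ubtu22cis_rule_1_1_1_3 }}`. From section 1.3 onward the keys switch from the `ubtu22cis_rule_<id>` form used by the task files in this patch to `ubtu22cis_<id>` (e.g. `ubtu22cis_1_3_1_1`); unless the defaults define variables under that second name, these expansions are undefined at render time, and the goss side reads different keys than the tasks use. A comment at the top of this section stating which naming scheme is canonical would help keep the template and the task files in sync.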
@@ -5,23 +5,23 @@ # This template will set all of the auditd configurations via a handler in the role in one task instead of individually -{% if ubtu22cis_rule_4_1_3_1 %} +{% if ubtu22cis_rule_6_3_3_1 %} -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope {% endif %} -{% if ubtu22cis_rule_4_1_3_2 %} +{% if ubtu22cis_rule_6_3_3_2 %} -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation {% endif %} -{% if ubtu22cis_rule_4_1_3_3 %} +{% if ubtu22cis_rule_6_3_3_3 %} -w {{ ubtu22cis_sudo_logfile }} -p wa -k sudo_log_file {% endif %} -{% if ubtu22cis_rule_4_1_3_4 %} +{% if ubtu22cis_rule_6_3_3_4 %} -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change {% endif %} -{% if ubtu22cis_rule_4_1_3_5 %} +{% if ubtu22cis_rule_6_3_3_5 %} -a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale -a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale -w /etc/issue -p wa -k system-locale 
@@ -29,73 +29,76 @@ -w /etc/hosts -p wa -k system-locale -w /etc/networks -p wa -k system-locale -w /etc/network/ -p wa -k system-locale +-w /etc/netplan -p wa -k system-locale {% endif %} -{% if ubtu22cis_rule_4_1_3_6 %} +{% if ubtu22cis_rule_6_3_3_6 %} {% if priv_procs is defined %} {% for proc in priv_procs.stdout_lines -%} --a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged +-a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=unset -k privileged {% endfor %} {% endif %} {% endif %} -{% if ubtu22cis_rule_4_1_3_7 %} --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access --a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access +{% if ubtu22cis_rule_6_3_3_7 %} +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -k access {% endif %} -{% if ubtu22cis_rule_4_1_3_8 %} +{% if ubtu22cis_rule_6_3_3_8 %} -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity -{% endif %} -{% if ubtu22cis_rule_4_1_3_9 %} --a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 
-k perm_mod --a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod -{% endif %} -{% if ubtu22cis_rule_4_1_3_10 %} --a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts --a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts -{% endif %} -{% if ubtu22cis_rule_4_1_3_11 %} +-w /etc/nsswitch.conf -p wa -k identity +-w /etc/pam.conf -p wa -k identity +-w /etc/pam.d -p wa -k identity +{% endif %} +{% if ubtu22cis_rule_6_3_3_9 %} +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -k perm_mod +{% endif %} +{% if ubtu22cis_rule_6_3_3_10 %} +-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k mounts +-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k mounts +{% endif %} +{% if ubtu22cis_rule_6_3_3_11 %} -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k 
session -w /var/log/btmp -p wa -k session {% endif %} -{% if ubtu22cis_rule_4_1_3_12 %} +{% if ubtu22cis_rule_6_3_3_12 %} -w /var/log/lastlog -p wa -k logins -w /var/run/faillock -p wa -k logins {% endif %} -{% if ubtu22cis_rule_4_1_3_13 %} --a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete --a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete +{% if ubtu22cis_rule_6_3_3_13 %} +-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete +-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete {% endif %} -{% if ubtu22cis_rule_4_1_3_14 %} +{% if ubtu22cis_rule_6_3_3_14 %} -w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy {% endif %} -{% if ubtu22cis_rule_4_1_3_15 %} --a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng +{% if ubtu22cis_rule_6_3_3_15 %} +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng {% endif %} -{% if ubtu22cis_rule_4_1_3_16 %} --a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng +{% if ubtu22cis_rule_6_3_3_16 %} +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng {% endif %} -{% if ubtu22cis_rule_4_1_3_17 %} --a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd +{% if ubtu22cis_rule_6_3_3_17 %} +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng {% endif %} -{% if ubtu22cis_rule_4_1_3_18 %} --a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k usermod +{% if ubtu22cis_rule_6_3_3_18 %} +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k usermod {% endif %} -{% if ubtu22cis_rule_4_1_3_19 %} --a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 
-F auid!=unset -k kernel_modules --a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules --a always,exit -F arch=b32 -S init_module,finit_module,delete_module,create_module,query_module -F auid>=1000 -F auid!=unset -k kernel_modules +{% if ubtu22cis_rule_6_3_3_19 %} +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=-1 -k kernel_modules +-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -F auid>=1000 -F auid!=-1 -k kernel_modules {% endif %} -{% if ubtu22cis_rule_4_1_3_20 %} +{% if ubtu22cis_rule_6_3_3_20 %} -e 2 {% endif %} diff --git a/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 new file mode 100644 index 00000000..9440c7bb --- /dev/null +++ b/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 @@ -0,0 +1,7 @@ +# CIS Configurations +# 5.3.3.2.3 Ensure password complexity is configured +minclass = {{ ubtu22cis_passwd_minclass }} +dcredit = {{ubtu22cis_passwd_dcredit }} +ucredit = {{ ubtu22cis_passwd_ucredit }} +ocredit = {{ ubtu22cis_passwd_ocredit }} +lcredit = {{ ubtu22cis_passwd_lcredit }} diff --git a/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2 new file mode 100644 index 00000000..e72b0bc4 --- /dev/null +++ b/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2 @@ -0,0 +1,3 @@ +# CIS Configurations +# 5.3.3.2.6 Ensure password dictionary check is enabled +dictcheck = {{ ubtu22cis_passwd_dictcheck_value }} diff --git a/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2 new file mode 100644 index 00000000..48ab6ab2 --- /dev/null +++ b/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2 
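Review bot: The new side of this hunk ends up with two spellings of the same auid filter: the rewritten rules for 6_3_3_6 through 6_3_3_14 use `-F auid!=unset`, while the rewritten lines for 6_3_3_15 through 6_3_3_19 switch from `unset` to `-F auid!=-1`. auditctl treats `unset`, `-1` and `4294967295` as the same value, so this is not a functional change, but one spelling keeps `auditctl -l` output and grep-based compliance checks uniform, and `-F auid!=unset` is the form used everywhere else in this template. Separately, 6_3_3_19 now drops the `arch=b32` module-syscall rule and the `create_module,query_module` entries the old side carried; if that tracks a benchmark revision, a comment such as `{# b32 module rule intentionally omitted per CIS 6.3.3.19 #}` would stop a later reviewer from re-adding it.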
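Review bot: `dcredit = {{ubtu22cis_passwd_dcredit }}` is missing the space after the opening braces that the other four lines of this file and every other new template use; Jinja accepts it, but it reads as a typo and trips lint configured for `{{ var }}` spacing, so it should be `dcredit = {{ ubtu22cis_passwd_dcredit }}`. The same caveat applies to this and the other new pwquality.conf.d drop-ins in this series (50-pwdictcheck, 50-pwdifok, 50-pwlength, 50-pwmaxsequence, 50-pwquality_enforce, 50-pwrepeat, 50-pwroot): reading `/etc/security/pwquality.conf.d/*.conf` is a relatively recent libpwquality feature, so the role should confirm that the target's pam_pwquality honours the directory before relying on it, otherwise these settings are silently ignored and `/etc/security/pwquality.conf` keeps its defaults. A header comment in each file stating that dependency, or a prelim check for it, would make the assumption visible.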
@@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.1 Ensure password number of changed characters is configured
+difok = {{ ubtu22cis_passwd_difok_value }}
diff --git a/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2
new file mode 100644
index 00000000..40f9cf2a
--- /dev/null
+++ b/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2
@@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.2 Ensure minimum password length is configured
+minlen = {{ ubtu22cis_passwd_minlen_value }}
diff --git a/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2
new file mode 100644
index 00000000..e80427da
--- /dev/null
+++ b/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2
@@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.5 Ensure password maximum sequential characters is configured
+maxsequence = {{ ubtu22cis_passwd_maxsequence_value }}
diff --git a/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2
new file mode 100644
index 00000000..8ebb926c
--- /dev/null
+++ b/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2
@@ -0,0 +1,4 @@
+# CIS Configurations
+# 5.3.3.2.7 Ensure password quality checking is enforced
+enforcing = {{ ubtu22cis_passwd_quality_enforce_value }}
+
diff --git a/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2
new file mode 100644
index 00000000..f257432b
--- /dev/null
+++ b/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2
@@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.4 Ensure password same consecutive characters is configured
+maxrepeat = {{ ubtu22cis_passwd_maxrepeat_value }}
diff --git a/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2
new file mode 100644
index 00000000..9bd30c55
--- /dev/null
+++ b/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2
@@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.8 Ensure password quality is enforced for the root user
+{{ ubtu22cis_passwd_quality_enforce_root_value }}
diff --git a/templates/etc/systemd/journald.conf.d/forwardtosyslog.j2 b/templates/etc/systemd/journald.conf.d/forwardtosyslog.j2
new file mode 100644
index 00000000..7be1a9f4
--- /dev/null
+++ b/templates/etc/systemd/journald.conf.d/forwardtosyslog.j2
@@ -0,0 +1,4 @@
+# File created for CIS benchmark
+# CIS rule 6_2_1_1_4
+[Journal]
+ForwardToSyslog=no
diff --git a/templates/etc/systemd/journald.conf.d/rotation.conf.j2 b/templates/etc/systemd/journald.conf.d/rotation.conf.j2
new file mode 100644
index 00000000..0e9c68a3
--- /dev/null
+++ b/templates/etc/systemd/journald.conf.d/rotation.conf.j2
@@ -0,0 +1,8 @@
+# File created for CIS benchmark
+# CIS rule 6_2_1_1_3
+[Journal]
+SystemMaxUse={{ ubtu22cis_journald_systemmaxuse }}
+SystemKeepFree={{ ubtu22cis_journald_systemkeepfree }}
+RuntimeMaxUse={{ ubtu22cis_journald_runtimemaxuse }}
+RuntimeKeepFree={{ ubtu22cis_journald_runtimekeepfree }}
+MaxFileSec={{ ubtu22cis_journald_maxfilesec }}
diff --git a/templates/etc/systemd/journald.conf.d/storage.j2 b/templates/etc/systemd/journald.conf.d/storage.j2
new file mode 100644
index 00000000..56ac0cab
--- /dev/null
+++ b/templates/etc/systemd/journald.conf.d/storage.j2
@@ -0,0 +1,11 @@
+# File created for CIS benchmark
+[Journal]
+{% if ubtu22cis_rule_6_2_1_1_5 %}
+# Set persistent storage CIS rule 6_2_1_1_5
+Storage=persistent
+{% endif %}
+
+{% if ubtu22cis_rule_6_2_1_1_6 %}
+# Set compress CIS rule 6_2_1_1_6
+Compress=yes
+{% endif %}
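Review bot: `{{ ubtu22cis_passwd_quality_enforce_root_value }}` is rendered as the entire content of 50-pwroot.conf, so the file is only meaningful if that variable expands to exactly the option name (presumably `enforce_for_root`); an empty or boolean value produces a file with no directive, and nothing in the template says what is expected. A fixed directive gated on the 5.3.3.2.8 rule flag, in the style the storage.j2 hunk further down this line uses for 6_2_1_1_5, would be self-describing, e.g. `{% if <rule 5.3.3.2.8 flag> %}enforce_for_root{% endif %}` with the real flag name taken from defaults. At minimum a comment stating the expected value of the variable belongs above the line.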
diff --git a/templates/usr/share/pam-config/faillock.j2 b/templates/usr/share/pam-config/faillock.j2 new file mode 100644 index 00000000..738eff5b --- /dev/null +++ b/templates/usr/share/pam-config/faillock.j2 @@ -0,0 +1,6 @@ +Name: Enable pam_faillock to deny access +Default: yes +Priority: 0 +Auth-Type: Primary +Auth: + [default=die] pam_faillock.so authfail diff --git a/templates/usr/share/pam-config/faillock_notify.j2 b/templates/usr/share/pam-config/faillock_notify.j2 new file mode 100644 index 00000000..287839db --- /dev/null +++ b/templates/usr/share/pam-config/faillock_notify.j2 @@ -0,0 +1,9 @@ +Name: Notify of failed login attempts and reset count upon success +Default: yes +Priority: 1024 +Auth-Type: Primary +Auth: + requisite pam_faillock.so preauth +Account-Type: Primary +Account: + required pam_faillock.so diff --git a/templates/usr/share/pam-config/pam_unix.j2 b/templates/usr/share/pam-config/pam_unix.j2 new file mode 100644 index 00000000..900ae72a --- /dev/null +++ b/templates/usr/share/pam-config/pam_unix.j2 @@ -0,0 +1,23 @@ +Name: Unix authentication +Default: yes +Priority: 256 +Auth-Type: Primary +Auth: + [success=end default=ignore] pam_unix.so try_first_pass +Auth-Initial: + [success=end default=ignore] pam_unix.so +Account-Type: Primary +Account: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Account-Initial: + [success=end new_authtok_reqd=done default=ignore] pam_unix.so +Session-Type: Additional +Session: + required pam_unix.so +Session-Initial: + required pam_unix.so +Password-Type: Primary +Password: + [success=end default=ignore] pam_unix.so obscure{% if ubtu22cis_rule_5.3.3.4.4 %} use_authtok{% endif %} try_first_pass{% if ubtu22cis_rule_5.3.3.4.3 %} {{ ubtu22cis_passwd_hash_algo }}{% endif %} +Password-Initial: + [success=end default=ignore] pam_unix.so obscure{% if ubtu22cis_rule_5.3.3.4.3 %} {{ ubtu22cis_passwd_hash_algo }}{% endif %} 
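Review bot: The two Password lines of pam_unix.j2 reference `ubtu22cis_rule_5.3.3.4.4` and `ubtu22cis_rule_5.3.3.4.3`; Jinja parses the dots as attribute access on an `ubtu22cis_rule_5` name, so these conditionals cannot refer to the rule flags and will fail to render (or evaluate against an undefined name) instead of toggling `use_authtok` and the hash algorithm. The sibling pwhistory.j2 in the next hunk uses the underscore form that the rest of the series uses, so these should presumably read `... obscure{% if ubtu22cis_rule_5_3_3_4_4 %} use_authtok{% endif %} try_first_pass{% if ubtu22cis_rule_5_3_3_4_3 %} {{ ubtu22cis_passwd_hash_algo }}{% endif %}` and, for Password-Initial, `... obscure{% if ubtu22cis_rule_5_3_3_4_3 %} {{ ubtu22cis_passwd_hash_algo }}{% endif %}`. Because this profile replaces the distribution's pam_unix stanza, a render failure here leaves the password stack half-configured mid-run, so a template render test for this file is worth adding.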
diff --git a/templates/usr/share/pam-config/pwhistory.j2 b/templates/usr/share/pam-config/pwhistory.j2 new file mode 100644 index 00000000..5f4b3c01 --- /dev/null +++ b/templates/usr/share/pam-config/pwhistory.j2 @@ -0,0 +1,6 @@ +Name: pwhistory password history checking +Default: yes +Priority: 1024 +Password-Type: Primary +Password: + requisite pam_pwhistory.so enforce_for_root try_first_pass{% if ubtu22cis_rule_5_3_3_3_1 %} remember={{ ubtu22cis_pamd_pwhistory_remember }}{% endif %}{% if ubtu22cis_rule_5_3_3_3_2 %} enforce_for_root{% endif %}{% if ubtu22cis_rule_5_3_3_3_3 %} use_authtok{% endif %} diff --git a/templates/usr/share/pam-config/pwquality.j2 b/templates/usr/share/pam-config/pwquality.j2 new file mode 100644 index 00000000..50638987 --- /dev/null +++ b/templates/usr/share/pam-config/pwquality.j2 @@ -0,0 +1,8 @@ +Name: Pwquality password strength checking +Default: yes +Priority: 1024 +Conflicts: cracklib +Password-Type: Primary +Password: + requisite pam_pwquality.so retry=3 +Password-Initial: requisite From d8f3311fa8d098d9c8f43a6b0015be759c6ed6a1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 1 Jul 2024 09:07:31 +0100 Subject: [PATCH 002/135] updated 5.4.3.2 variables Signed-off-by: Mark Bolwell --- defaults/main.yml | 27 ++++++++++++++------------- tasks/section_5/cis_5.4.3.x.yml | 10 +++++----- 2 files changed, 19 insertions(+), 18 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 06f03b8a..ff9545dd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
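Review bot: `enforce_for_root` is written unconditionally right after `pam_pwhistory.so` and then appended again inside `{% if ubtu22cis_rule_5_3_3_3_2 %}`, so the 5.3.3.3.2 toggle is a no-op and the rendered line carries the option twice when the rule is on. Dropping the hard-coded copy lets the flag actually control it: `requisite pam_pwhistory.so try_first_pass{% if ubtu22cis_rule_5_3_3_3_1 %} remember={{ ubtu22cis_pamd_pwhistory_remember }}{% endif %}{% if ubtu22cis_rule_5_3_3_3_2 %} enforce_for_root{% endif %}{% if ubtu22cis_rule_5_3_3_3_3 %} use_authtok{% endif %}`. If the intent is that root enforcement is never optional, the `{% if ubtu22cis_rule_5_3_3_3_2 %}` block should go instead, with a comment saying so.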
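Review bot: The last line of pwquality.j2 is `Password-Initial: requisite` with no module after the control word, and the hunk header `+1,8` confirms the file ends there, so the Password-Initial stanza is incomplete and it is unclear what pam-auth-update will emit for it. Either make it mirror the `Password:` stanza above — `Password-Initial:` followed by `requisite pam_pwquality.so retry=3` — or remove the stanza. Since this profile declares `Conflicts: cracklib` and replaces the distribution's pwquality profile, a malformed stanza affects the whole password stack rather than just this module.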
@@ -5,12 +5,12 @@ # E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true. # to "true". If you do not want the tasks from that section to get executed you simply set the variable to "false". ubtu22cis_section1: true -ubtu22cis_section2: true -ubtu22cis_section3: true -ubtu22cis_section4: true -ubtu22cis_section5: true -ubtu22cis_section6: true -ubtu22cis_section7: true +ubtu22cis_section2: false +ubtu22cis_section3: false +ubtu22cis_section4: false +ubtu22cis_section5: false +ubtu22cis_section6: false +ubtu22cis_section7: false ## Reboot system before audit # System will reboot if false, can give better audit results @@ -1163,20 +1163,21 @@ ubtu22cis_passwd_setpam_hash_algo: false # The value needs to be `027` or more restrictive to comply with CIS standards ubtu22cis_bash_umask: '027' -## Control 5.5.5 - Configuring user shell timeout +## Control 5.4.3.2 - Configuring user shell timeout # This dictionary is related to ensuring the rule about user shell timeout -ubtu22cis_shell_session_timeout: + # This variable represents the amount of seconds a command or process is allowed to + # run before being forcefully terminated. + # CIS requires a value of at most 900 seconds. +ubtu22cis_shell_session_timeout: 900 # This variable specifies the path of the timeout setting file. # (TMOUT setting can be set in multiple files, but only one is required for the # rule to pass. Options are: # - a file in `/etc/profile.d/` ending in `.s`, # - `/etc/profile`, or # - `/etc/bash.bashrc`. - file: /etc/profile.d/tmout.sh - # This variable represents the amount of seconds a command or process is allowed to - # run before being forcefully terminated. - # CIS requires a value of at most 900 seconds. - timeout: 900 +ubtu22cis_shell_session_file: /etc/profile.d/tmout.sh + + ## ## Section 6 Control Variables diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml index 3eb3ac06..98bc8765 100644 
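Review bot: The first hunk flips `ubtu22cis_section2` through `ubtu22cis_section7` from `true` to `false`, so a consumer running the role with stock defaults now applies only Section 1 of the benchmark, and the commit subject (5.4.3.2 variables) does not mention it. If this is a local testing setting it should be reverted; if it is intended, the README and the comment block above these keys need to say that sections 2–7 are opt-in, because silently losing six sections of remediation is the kind of regression a compliance scan catches late. Defaults that disable hardening deserve a changelog entry either way.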
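Review bot: In the second hunk `ubtu22cis_shell_session_timeout` changes from a mapping with `file`/`timeout` keys to a bare integer, and the new `ubtu22cis_shell_session_file` key is added at column 0 while the comment block describing it appears to keep the two-space indent it had inside the old mapping; comments should sit at the same indent as the key they describe. The three added comment lines above `ubtu22cis_shell_session_timeout: 900` also appear to start with a stray space, and two empty `+` lines are left before the Section 6 header. Changing the variable's type is a breaking change for any inventory that still sets `ubtu22cis_shell_session_timeout.timeout` or `.file`, so a migration note such as `# Changed in v2.0: was a mapping with file/timeout keys; see ubtu22cis_shell_session_file` would help users upgrading.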
--- a/tasks/section_5/cis_5.4.3.x.yml +++ b/tasks/section_5/cis_5.4.3.x.yml @@ -30,12 +30,12 @@ create: true mode: '0644' block: | - TMOUT={{ ubtu22cis_shell_session_timeout.timeout }} - readonly TMOUT - export TMOUT + TMOUT={{ ubtu22cis_shell_session_timeout }} + readonly TMOUT + export TMOUT loop: - - { path: "{{ ubtu22cis_shell_session_timeout.file }}", state: present } - - { path: /etc/profile, state: "{{ (ubtu22cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } + - { path: "{{ ubtu22cis_shell_session_file }}", state: present } + - { path: /etc/profile, state: "{{ (ubtu22cis_shell_session_file == '/etc/profile') | ternary('present', 'absent') }}" } - name: "5.4.3.3 | PATCH | Ensure default user umask is configured" when: From ed5b7cc5b45f1a731ce208171e13b03ba7c73c03 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 1 Jul 2024 13:51:48 +0100 Subject: [PATCH 003/135] fix confditionals if skipped Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.2.x.yml | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index e1ba27ef..2f9df9a7 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -36,12 +36,15 @@ failed_when: ubtu22cis_gid0_members.rc not in [ 0, 1 ] - name: "5.4.2.2 | PATCH | Ensure root is the only GID 0 account | Remove users not root from gid 0" - when: ubtu22cis_gid0_members.std | length > 0 + when: + - ubtu22cis_gid0_members is defined + - ubtu22cis_gid0_members.std | length > 0 ansible.builtin.user: name: "{{ item }}" gid: 0 state: absent - loop: ubtu22cis_gid0_members.stdout_lines + loop: + - ubtu22cis_gid0_members.stdout_lines - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group" when: 
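Review bot: In the 5.4.2.2 hunk the added condition keeps `ubtu22cis_gid0_members.std | length > 0`; `std` is not an attribute of a registered result, so once the new `is defined` guard passes this evaluates an undefined attribute and should read `- ubtu22cis_gid0_members.stdout | length > 0`. The new `loop:` is a literal one-element list holding the string `ubtu22cis_gid0_members.stdout_lines` rather than the command output, so the task runs once against a user of that literal name; it needs templating, `loop: "{{ ubtu22cis_gid0_members.stdout_lines }}"`. Before fixing the loop, note that the module call is `ansible.builtin.user` with `state: absent`, which deletes the account rather than moving it out of GID 0 — once the loop iterates real users, every non-root account whose primary group is root would be removed, so the remediation should change the primary group (or only warn, as 5.4.2.3 below does) instead of deleting. The task that registers `ubtu22cis_gid0_members` starts above this hunk.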
@@ -61,14 +64,18 @@ failed_when: ubtu22cis_gid0_groups.rc not in [ 0, 1 ] - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group | Warning if others gid 0 groups" - when: ubtu22cis_gid0_groups.stdout | length > 0 + when: + - ubtu22cis_gid0_groups is defined + - ubtu22cis_gid0_groups.stdout | length > 0 ansible.builtin.debug: msg: - "Warning!! You have other groups assigned to GID 0 - Please resolve" - "{{ ubtu22cis_gid0_groups.stdout_lines }}" - name: "5.4.2.3 | WARN | Ensure group root is the only GID 0 group | warn_count" - when: ubtu22cis_gid0_groups.stdout | length > 0 + when: + - ubtu22cis_gid0_groups is defined + - ubtu22cis_gid0_groups.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml vars: 
@@ -102,27 +109,32 @@ register: ubtu22cis_root_paths - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Get root paths" + when: ubtu22cis_root_paths is defined ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 | tr ":" "\n" changed_when: false register: ubtu22cis_root_paths_split - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Set fact" + when: ubtu22cis_root_paths is defined ansible.builtin.set_fact: root_paths: "{{ ubtu22cis_root_paths.stdout }}" - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" + when: root_paths is defined ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"' changed_when: false failed_when: root_path_empty_dir.rc not in [ 0, 1 ] register: root_path_empty_dir - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for trailing ':'" + when: root_paths is defined ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"' changed_when: false failed_when: root_path_trailing_colon.rc not in [ 0, 1 ] register: root_path_trailing_colon - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + when: root_paths is defined block: - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" ansible.builtin.stat: From 72a47e71fa9e74b9d52e9c912d0ee41a0d776fc0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 1 Jul 2024 14:31:26 +0100 Subject: [PATCH 004/135] updated conditionals Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.2.x.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 38be68ab..898dc06b 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml 
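Review bot: The `when: ubtu22cis_root_paths is defined` guards added to the 5.4.2.5 tasks are always true, because the task registering `ubtu22cis_root_paths` (visible at the top of the hunk) registers a result even when it is skipped; what these tasks need is `ubtu22cis_root_paths.stdout is defined` (or `not ubtu22cis_root_paths.skipped | default(false)`), and likewise `root_paths is defined` only tells you the set_fact ran. In the same hunk the trailing-colon check runs `'{{ root_paths }} | cut -d= -f2 | grep -q ":$" && ...'`, which executes the PATH value as a command instead of echoing it; the pipeline's status is grep's, so the check never matches and this audit silently reports nothing, whereas it should start with `echo "{{ root_paths }}"` like the `::` check one task up (which would also be safer quoting the value). The shell task that produces `ubtu22cis_root_paths` is above this hunk.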
@@ -3,7 +3,7 @@ - name: "2.2.1 | PATCH | Ensure NIS Client is not installed" when: - ubtu22cis_rule_2_2_1 - - not ubtu22cis_nis_required + - not ubtu22cis_nis_server tags: - level1-server - level1-workstation @@ -17,7 +17,7 @@ - name: "2.2.2 | PATCH | Ensure rsh client is not installed" when: - ubtu22cis_rule_2_2_2 - - not ubtu22cis_rsh_required + - not ubtu22cis_rsh_client tags: - level1-server - level1-workstation @@ -32,7 +32,7 @@ - name: "2.2.3 | PATCH | Ensure talk client is not installed" when: - ubtu22cis_rule_2_2_3 - - not ubtu22cis_talk_required + - not ubtu22cis_talk_client tags: - level1-server - level1-workstation @@ -77,7 +77,7 @@ - name: "2.2.6 | PATCH | Ensure ftp is not installed" when: - ubtu22cis_rule_2_2_6 - - not ubtu22cis_ftp_required + - not ubtu22cis_ftp_client tags: - level1-server - level1-workstation From d39d92ee8987019de6b6a8f2e82dace26c384102 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 1 Jul 2024 14:31:36 +0100 Subject: [PATCH 005/135] updated ID references Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.1.x.yml | 36 ++++++++++++++++----------------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index 03e91cab..0932713a 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml 
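Review bot: 2.2.1 is the NIS client rule, but the hunk gates it on `not ubtu22cis_nis_server`, while the parallel hunks for 2.2.2, 2.2.3 and 2.2.6 on this line switch to `_client`-suffixed variables (`ubtu22cis_rsh_client`, `ubtu22cis_talk_client`, `ubtu22cis_ftp_client`). Either the variable is misnamed for this control or it is deliberately shared with the NIS server rule; if the former, `- not ubtu22cis_nis_client` keeps the naming consistent, and if the latter, a comment on the line saying so would stop it being "fixed" later. Whichever name is used must also exist in defaults/main.yml, which this commit does not touch.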
@@ -1,63 +1,63 @@ --- -- name: "1.2.1 | AUDIT | Ensure GPG keys are configured" +- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured" when: - - ubtu22cis_rule_1_2_1 + - ubtu22cis_rule_1_2_1_1 tags: - level1-server - level1-workstation - audit - - rule_1.2.1 + - rule_1.2.1.1 - gpg - keys vars: - warn_control_id: '1.2.1' + warn_control_id: '1.2.1.1' block: - - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" + - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" ansible.builtin.shell: apt-key list changed_when: false failed_when: false check_mode: false - register: ubtu22cis_1_2_1_apt_gpgkeys + register: ubtu22cis_1_2_1_1_apt_gpgkeys - - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" + - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" ansible.builtin.debug: msg: - "Warning!! Below are the apt gpg keys configured" - "Please review to make sure they are configured" - "in accordance with site policy" - - "{{ ubtu22cis_1_2_1_apt_gpgkeys.stdout_lines }}" + - "{{ ubtu22cis_1_2_1_1_apt_gpgkeys.stdout_lines }}" - - name: "1.2.1 | WARN | Ensure GPG keys are configured | warn_count" + - name: "1.2.1.1 | WARN | Ensure GPG keys are configured | warn_count" ansible.builtin.import_tasks: file: warning_facts.yml -- name: "1.2.2 | AUDIT | Ensure package manager repositories are configured" +- name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured" when: - - ubtu22cis_rule_1_2_2 + - ubtu22cis_rule_1_2_1_2 tags: - level1-server - level1-workstation - audit - - rule_1.2.2 + - rule_1.2.1.2 - apt vars: - warn_control_id: '1.2.2' + warn_control_id: '1.2.1.2' block: - - name: "1.2.2 | AUDIT | Ensure package manager repositories are configured | Get repositories" + - name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured | Get repositories" ansible.builtin.shell: apt-cache policy changed_when: false failed_when: false 
check_mode: false - register: ubtu22cis_1_2_2_apt_policy + register: ubtu22cis_1_2_1_2_apt_policy - - name: "1.2.2 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" + - name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" ansible.builtin.debug: msg: - "Warning!! Below are the apt package repositories" - "Please review to make sure they conform to your sites policies" - - "{{ ubtu22cis_1_2_2_apt_policy.stdout_lines }}" + - "{{ ubtu22cis_1_2_1_2_apt_policy.stdout_lines }}" - - name: "1.2.2 | WARN | Ensure package manager repositories are configured | warn_count" + - name: "1.2.1.2 | WARN | Ensure package manager repositories are configured | warn_count" ansible.builtin.import_tasks: file: warning_facts.yml From 58a76a18722403dae7bdfd610fc3c693de4b3d4c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 1 Jul 2024 14:31:47 +0100 Subject: [PATCH 006/135] fix typo Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 0ea0ddf0..35f97b99 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -92,11 +92,11 @@ create: true mode: '0600' - - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable squashfs" + - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs" when: - not system_is_container community.general.modprobe: - name: squashfs + name: hfs state: absent - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available" @@ -168,6 +168,8 @@ - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available" when: - ubtu22cis_rule_1_1_1_6 + - not squashfs_builtin + - snap_pkg_mgr.rc != 0 tags: - level2-server - level2-workstation From 4061505094a6f5cc12d5a38156cc496265020f41 Mon Sep 17 00:00:00 2001 
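Review bot: The 1.2.1.1 audit still shells out to `apt-key list`; on 22.04 apt-key is deprecated and only reports the legacy trusted.gpg keyring and /etc/apt/trusted.gpg.d, so keys referenced through `Signed-By:` in sources lists (commonly under /etc/apt/keyrings) are absent from the warning output the operator is asked to review. Since this commit only renumbers, a follow-up could list those keyring files alongside, or at least add `# apt-key is deprecated; Signed-By keyrings are not listed here` above the shell line so the gap is documented. The debug message could also say that the list may be incomplete.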
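Review bot: `- not squashfs_builtin` in the 1.1.1.6 hunk is a condition on a registered shell result (the prelim.yml hunks below register it from `grep -c "squashfs"` on modules.builtin), and a result dictionary is always truthy, so `not squashfs_builtin` is always false and 1.1.1.6 will never run. The intended test is on the count, e.g. `- squashfs_builtin.stdout | int == 0` (or `.rc != 0`, since `grep -c` exits 1 when the count is zero); the same applies to the rename to `prelim_squashfs_builtin` in the later "1.1.1.6 updated conditionals" hunk of this series. `snap_pkg_mgr.rc != 0` is fine as written given the `df | grep -wc` it comes from.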
From: Mark Bolwell Date: Mon, 1 Jul 2024 14:31:55 +0100 Subject: [PATCH 007/135] updated Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 07b54d33..8b917502 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -15,7 +15,7 @@ - rule_1.1.1.2 - always when: - - ubtu22cis_rule_1_1_1_2 + - ubtu22cis_rule_1_1_1_6 - name: "PRELIM | AUDIT | Register if squashfs is built into the kernel" ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs" @@ -25,7 +25,7 @@ tags: - always when: - - ubtu22cis_rule_1_1_1_2 + - ubtu22cis_rule_1_1_1_6 - name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points" ansible.builtin.set_fact: @@ -78,7 +78,7 @@ - name: "PRELIM | AUDIT | Check for autofs service" when: - - ubtu22cis_rule_1_1_9 + - ubtu22cis_rule_2_1_1 tags: - skip_ansible_lint - section1 @@ -109,8 +109,8 @@ - name: "PRELIM | PATCH | Run apt update" when: - - ubtu22cis_rule_1_3_1 or - ubtu22cis_rule_1_9 + - ubtu22cis_rule_1_2_1_1 or + ubtu22cis_rule_1_2_2_1 tags: - always ansible.builtin.package: @@ -129,7 +129,7 @@ changed_when: false failed_when: discover_wireless_adapters.rc not in [ 0, 1 ] - - name: "PRELIM | PATCH | Install Network-Manager | if wireless adpater present" + - name: "PRELIM | PATCH | Install Network-Manager | if wireless adapter present" when: - ubtu22cis_install_network_manager - discover_wireless_adapters.rc == 0 @@ -140,10 +140,10 @@ - name: "PRELIM | PATCH | Ensure auditd is installed" when: - - ubtu22cis_rule_4_1_1_1 or - ubtu22cis_rule_4_1_4_5 or - ubtu22cis_rule_4_1_4_6 or - ubtu22cis_rule_4_1_4_7 + - ubtu22cis_rule_6_3_1_1 or + ubtu22cis_rule_6_3_4_1 or + ubtu22cis_rule_6_3_4_6 or + ubtu22cis_rule_6_3_4_8 tags: - level2-server - level2-workstation 
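Review bot: The first two prelim hunks change the `when:` of the snap and squashfs detection tasks from `ubtu22cis_rule_1_1_1_2` to `ubtu22cis_rule_1_1_1_6`, but the tag list visible in the first hunk still reads `- rule_1.1.1.2`, so the tag no longer matches the rule the task serves; it should follow the condition, `- rule_1.1.1.6`. The stale tag is harmless in practice only because `- always` is also set, which is probably why it went unnoticed. The task header is above the hunk.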
@@ -183,8 +183,8 @@ check_mode: false register: ubtu22cis_sudoers_files when: - - ubtu22cis_rule_5_3_4 or - ubtu22cis_rule_5_3_5 + - ubtu22cis_rule_5_2_4 or + ubtu22cis_rule_5_2_5 tags: - always @@ -241,7 +241,7 @@ - name: "PRELIM | PATCH | Install ACL" when: - - ubtu22cis_rule_6_2_6 + - ubtu22cis_rule_7_2_9 - "'acl' not in ansible_facts.packages" tags: - always @@ -251,9 +251,9 @@ - name: "PRELIM | AUDIT | Gather UID 0 accounts other than root" when: - - ubtu22cis_rule_6_2_10 + - ubtu22cis_rule_5_4_2_1 tags: - - rule_6.2.10 + - rule_5.4.2.1 - level1-server - level1-workstation - users From f7fd57de4858d1aa195fc99fa8b1ea5c2d4c1049 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 1 Jul 2024 14:32:15 +0100 Subject: [PATCH 008/135] adjusted rule ids Signed-off-by: Mark Bolwell --- tasks/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index b54d9ae2..386c1d86 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -20,7 +20,7 @@ # This control should always run as this can pass on unintended issues. - name: "Check password set for connecting user" when: - - ubtu22cis_rule_5_3_4 + - ubtu22cis_rule_5_2_4 - ansible_env.SUDO_USER is defined tags: - always @@ -38,7 +38,7 @@ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for sudo user {{ ansible_env.SUDO_USER }}" vars: - sudo_password_rule: ubtu22cis_rule_5_3_4 # pragma: allowlist secret + sudo_password_rule: ubtu22cis_rule_5_2_4 # pragma: allowlist secret - name: Ensure root password is set when: @@ -69,7 +69,7 @@ msg: "This role will not be able to run single user password commands as ubtu22cis_bootloader_password_hash variable has not been set correctly" - name: Check ubtu22cis_grub_user password variable has been changed - when: ubtu22cis_rule_1_4_3 + when: ubtu22cis_rule_1_4_1 tags: - always block: 
@@ -82,7 +82,7 @@ when: - "'$y$' in ubtu22cis_password_set_grub_user.stdout" - ubtu22cis_set_grub_user_pass - - ubtu22cis_rule_1_4_3 + - ubtu22cis_rule_1_4_1 ansible.builtin.assert: that: ubtu22cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu22cis_grub_user_passwd.find('$y$') != -1 and ubtu22cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' msg: "This role will not set the {{ ubtu22cis_grub_user }} user password is not set or ubtu22cis_grub_user_passwd variable has not been set correctly" From 327ba530b79455bac2ae204d07811035155114d8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 09:04:24 +0100 Subject: [PATCH 009/135] 1.1.1.6 updated conditionals Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 35f97b99..2254a666 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -168,8 +168,8 @@ - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available" when: - ubtu22cis_rule_1_1_1_6 - - not squashfs_builtin - - snap_pkg_mgr.rc != 0 + - not prelim_squashfs_builtin + - prelim_snap_pkg_mgr.rc != 0 tags: - level2-server - level2-workstation From e4db7a62bf2f5c86d08f096861ab7dae47b5b5c7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 09:04:37 +0100 Subject: [PATCH 010/135] fixed typo Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 27e32eb1..35bb5647 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml 
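Review bot: The grub-user assertion in this hunk can never fail: the task's `when:` requires `'$y$' in ubtu22cis_password_set_grub_user.stdout`, and the first disjunct of `that:` is the same test, so `A or (B and C)` is always true and the comparison of `ubtu22cis_grub_user_passwd` against the shipped default hash is dead code. That matters because the role could then configure the bootloader with a password hash that is public in this repository. Make the default-hash check mandatory on its own, e.g. `that:` / `- ubtu22cis_grub_user_passwd.find('$y$') != -1` / `- ubtu22cis_grub_user_passwd != '<shipped default hash literal from this hunk>'`, and fix the `msg`, which currently reads `will not set the ... user password is not set`. The task's `- name:` line is above the hunk.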
@@ -367,7 +367,7 @@ validate: 'sshd -t -f %s' notify: Restart sshd -- name: "5.120 | PATCH | Ensure sshd PermitRootLogin is disabled" +- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled" when: - ubtu22cis_rule_5_1_20 tags: From 83123bf33bc0be9265059ffc63683e137ed434db Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 09:06:42 +0100 Subject: [PATCH 011/135] updated var naming Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 91 ++++++++++++++++----------------- tasks/section_5/cis_5.2.x.yml | 4 +- tasks/section_5/cis_5.4.1.x.yml | 44 ++++++++-------- tasks/section_5/cis_5.4.2.x.yml | 69 +++++++++++++------------ tasks/section_6/cis_6.1.x.yml | 2 +- tasks/section_6/cis_6.3.2.x.yml | 2 +- tasks/section_6/cis_6.3.4.x.yml | 6 +-- tasks/section_7/cis_7.2.x.yml | 4 +- 8 files changed, 110 insertions(+), 112 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 8b917502..ed89c1f3 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -9,8 +9,8 @@ - name: "PRELIM | AUDIT | Register if snap being used" ansible.builtin.shell: df -h | grep -wc "/snap" changed_when: false - failed_when: snap_pkg_mgr.rc not in [ 0, 1 ] - register: snap_pkg_mgr + failed_when: prelim_snap_pkg_mgr.rc not in [ 0, 1 ] + register: prelim_snap_pkg_mgr tags: - rule_1.1.1.2 - always @@ -20,8 +20,8 @@ - name: "PRELIM | AUDIT | Register if squashfs is built into the kernel" ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs" changed_when: false - failed_when: squashfs_builtin.rc not in [ 0, 1 ] - register: squashfs_builtin + failed_when: prelim_squashfs_builtin.rc not in [ 0, 1 ] + register: prelim_squashfs_builtin tags: - always when: 
@@ -45,17 +45,17 @@ block: - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type ansible.builtin.shell: systemctl is-enabled tmp.mount - register: discover_tmp_mnt_type + register: prelim_tmp_mnt_type changed_when: false - failed_when: discover_tmp_mnt_type.rc not in [ 0, 1 ] + failed_when: prelim_tmp_mnt_type.rc not in [ 0, 1 ] - name: PRELIM | AUDIT | Capture tmp mount type | Set to expected_tmp_mnt variable - when: "'generated' in discover_tmp_mnt_type.stdout" + when: "'generated' in prelim_tmp_mnt_type.stdout" ansible.builtin.set_fact: tmp_mnt_type: "{{ expected_tmp_mnt }}" - name: PRELIM | AUDIT | Capture tmp mount type | Set systemd service - when: "'generated' not in discover_tmp_mnt_type.stdout" + when: "'generated' not in prelim_tmp_mnt_type.stdout" ansible.builtin.set_fact: tmp_mnt_type: tmp_systemd @@ -76,18 +76,6 @@ tmp_partition_mount_options: "{{ item.options.split(',') }}" loop: "{{ ansible_facts.mounts }}" -- name: "PRELIM | AUDIT | Check for autofs service" - when: - - ubtu22cis_rule_2_1_1 - tags: - - skip_ansible_lint - - section1 - - always - ansible.builtin.shell: "systemctl show autofs | grep LoadState | cut -d = -f 2" - register: ubtu22cis_autofs_service_status - changed_when: false - check_mode: false - - name: Include audit specific variables when: - run_audit or audit_only 
@@ -125,14 +113,14 @@ block: - name: "PRELIM | AUDIT | Discover is wirelss adapter on system" ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless - register: discover_wireless_adapters + register: prelim_wireless_adapters changed_when: false - failed_when: discover_wireless_adapters.rc not in [ 0, 1 ] + failed_when: prelim_wireless_adapters.rc not in [ 0, 1 ] - name: "PRELIM | PATCH | Install Network-Manager | if wireless adapter present" when: - ubtu22cis_install_network_manager - - discover_wireless_adapters.rc == 0 + - prelim_wireless_adapters.rc == 0 - "'network-manager' not in ansible_facts.packages" ansible.builtin.package: name: network-manager 
@@ -165,29 +153,46 @@ file_type: file recurse: true patterns: '*.conf,*.rules' - register: auditd_conf_files + register: prelim_auditd_conf_files - name: "PRELIM | AUDIT | Check if auditd is immutable before changes" + tags: + - always ansible.builtin.shell: auditctl -l | grep -c '-e 2' changed_when: false - failed_when: auditd_immutable_check.rc not in [ 0, 1 ] - register: auditd_immutable_check + failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ] + register: prelim_auditd_immutable_check when: "'auditd' in ansible_facts.packages" - tags: - - always - name: "PRELIM | PATCH | 5.3.4/5 | Find all sudoers files." ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false check_mode: false - register: ubtu22cis_sudoers_files + register: prelim_sudoers_files when: - ubtu22cis_rule_5_2_4 or ubtu22cis_rule_5_2_5 tags: - always +- name: "PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x" + when: + - ubtu22cis_rule_5_3_3_2_1 or + ubtu22cis_rule_5_3_3_2_2 or + ubtu22cis_rule_5_3_3_2_3 or + ubtu22cis_rule_5_3_3_2_4 or + ubtu22cis_rule_5_3_3_2_5 or + ubtu22cis_rule_5_3_3_2_6 + tags: + - always + ansible.builtin.file: + path: '/etc/security/pwquality.conf.d' + state: directory + owner: root + group: root + mode: '0750' + - name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" when: - not discover_int_uid 
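Review bot: The sudoers discovery task keeps the name `"PRELIM | PATCH | 5.3.4/5 | Find all sudoers files."` while its conditional was already moved to `ubtu22cis_rule_5_2_4 or ubtu22cis_rule_5_2_5`; it should read `"PRELIM | AUDIT | 5.2.4/5 | Find all sudoers files."`, AUDIT because the task only registers `prelim_sudoers_files` and changes nothing. The new pwquality task creates `/etc/security/pwquality.conf.d` with `mode: '0750'`, which presumably leaves any drop-ins unreadable to non-root callers of pwquality (user-run `pwscore`/`pwmake`); if that is intended, a comment saying so would help, otherwise `mode: '0755'` matches how the rest of `/etc/security` is normally readable. The `tags: - always` move on the auditd immutability check is fine but the task is now the only one in the hunk with `when:` after `register:`, so ordering it like its neighbours would keep the file consistent.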
@@ -197,23 +202,23 @@ - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false - register: uid_min_id + register: prelim_uid_min_id - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' changed_when: false - register: uid_max_id + register: prelim_uid_max_id - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false - register: gid_min_id + register: prelim_gid_min_id - name: "PRELIM | AUDIT | Set_facts for interactive uid/gid" ansible.builtin.set_fact: - min_int_uid: "{{ uid_min_id.stdout }}" - max_int_uid: "{{ uid_max_id.stdout }}" - min_int_gid: "{{ gid_min_id.stdout }}" + min_int_uid: "{{ prelim_uid_min_id.stdout }}" + max_int_uid: "{{ prelim_uid_max_id.stdout }}" + min_int_gid: "{{ prelim_gid_min_id.stdout }}" - name: "PRELIM | AUDIT | Interactive Users" tags: @@ -221,7 +226,7 @@ ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' changed_when: false - register: discovered_interactive_usernames + register: prelim_interactive_usernames - name: "PRELIM | AUDIT | Interactive User accounts home directories" tags: @@ -229,7 +234,7 @@ ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $6 }' changed_when: false - register: discovered_interactive_users_home + register: prelim_interactive_users_home - name: "PRELIM | AUDIT | Interactive UIDs" tags: 
@@ -237,7 +242,7 @@ ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' changed_when: false - register: discovered_interactive_uids + register: prelim_interactive_uids - name: "PRELIM | PATCH | Install ACL" when: @@ -261,15 +266,7 @@ ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" changed_when: false check_mode: false - register: ubtu22cis_uid_zero_accounts_except_root - -- name: "PRELIM | AUDIT | List users accounts" - tags: - - always - ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd" - changed_when: false - check_mode: false - register: ubtu22cis_users + register: prelim_uid_zero_accounts_except_root ## Optional diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index b6c57522..33434d4b 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -57,7 +57,7 @@ regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' replace: '\1PASSWD\2' validate: '/usr/sbin/visudo -cf %s' - loop: "{{ ubtu22cis_sudoers_files.stdout_lines }}" + loop: "{{ prelim_sudoers_files.stdout_lines }}" - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" when: @@ -73,7 +73,7 @@ regexp: '^([^#].*)!authenticate(.*)' replace: '\1authenticate\2' validate: '/usr/sbin/visudo -cf %s' - loop: "{{ ubtu22cis_sudoers_files.stdout_lines }}" + loop: "{{ prelim_sudoers_files.stdout_lines }}" - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly" when: diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 5b6c57ec..05c7773d 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml 
@@ -54,16 +54,16 @@ ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu22cis_pass.min_days }})) {print $1}' /etc/shadow" changed_when: false failed_when: false - register: ubtu22cis_5_4_1_1_min_days + register: ubtu22cis_passwd_min_days - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Set existing users PASS_MIN_DAYS" - ansible.builtin.shell: chage --mindays {{ ubtu22cis_pass.min_days }} {{ item }} - failed_when: false - changed_when: ubtu22cis_min_days.stdout |length > 0 - loop: "{{ ubtu22cis_min_days.stdout_lines }}" when: - ubtu22cis_disruption_high - (item != 'root') or (not ubtu22cis_uses_root) + ansible.builtin.shell: chage --mindays {{ ubtu22cis_pass.min_days }} {{ item }} + failed_when: false + changed_when: ubtu22cis_passwd_min_days.stdout |length > 0 + loop: "{{ ubtu22cis_passwd_min_days.stdout_lines }}" - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured" when: @@ -86,7 +86,7 @@ ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu22cis_pass.warn_age }}){print $1}' /etc/shadow" changed_when: false failed_when: false - register: ubtu22cis_warn_days + register: ubtu22cis_passwd_warn_days - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users PASS_WARN_AGE" when: @@ -94,8 +94,8 @@ - (item != 'root') or (not ubtu22cis_uses_root) ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass.warn_age }} {{ item }} failed_when: false - changed_when: ubtu22cis_warn_days.stdout | length > 0 - loop: "{{ ubtu22cis_warn_days.stdout_lines }}" + changed_when: ubtu22cis_passwd_warn_days.stdout | length > 0 + loop: "{{ ubtu22cis_passwd_warn_days.stdout_lines }}" - name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured" when: 
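Review bot: The 5.4.1.3 "Set existing users PASS_WARN_AGE" task runs `chage --maxdays {{ ubtu22cis_pass.warn_age }} {{ item }}`, which sets each matched user's maximum password age to whatever `ubtu22cis_pass.warn_age` holds instead of the warning period; it should be `chage --warndays {{ ubtu22cis_pass.warn_age }} {{ item }}`. The commit only renames the registered variable around this line, so the wrong flag survives and would force much more frequent expiry on every account the audit awk selects (it correctly tests field 6, the warn-days column, so only the chage flag is off). The same hunk's `changed_when` still reports a change whenever the audit list is non-empty, which is reasonable once the command is fixed.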
@@ -122,32 +122,32 @@ - user - login block: - - name: "5.4.1.4 | AUDIT | Ensure inactive password lock is configured | General setting" + - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | General setting" ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2 changed_when: false failed_when: false - register: ubtu22cis_inactive_setting + register: ubtu22cis_passwd_inactive_setting - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users" + when: ubtu22cis_passwd_inactive_setting.stdout != ubtu22cis_pass.inactive | string ansible.builtin.shell: useradd -D -f {{ ubtu22cis_pass.inactive }} failed_when: false - when: ubtu22cis_inactive_setting.stdout != ubtu22cis_pass.inactive | string - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | Get Individual users" ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu22cis_pass.inactive }}))) {print $1}' /etc/shadow" changed_when: false failed_when: false - register: ubtu22cis_inactive_users + register: ubtu22cis_passwd_inactive_users - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set inactive period for existing users" when: - ubtu22cis_disruption_high - - ubtu22cis_inactive_users.stdout | length > 0 + - ubtu22cis_passwd_inactive_users.stdout | length > 0 - (item != 'root') and (not ubtu22cis_uses_root) ansible.builtin.shell: chage --inactive {{ ubtu22cis_pass.inactive }} {{ item }} failed_when: false with_items: - - "{{ ubtu22cis_passwd | map(attribute='id') | list | intersect(ubtu22cis_inactive_users.stdout_lines) | list }}" + - "{{ ubtu22cis_passwd | map(attribute='id') | list | intersect(ubtu22cis_passwd_inactive_users.stdout_lines) | list }}" - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past" when: 
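Review bot: In "Set inactive period for existing users" the guard `- (item != 'root') and (not ubtu22cis_uses_root)` skips every user, not just root, whenever `ubtu22cis_uses_root` is true, whereas the equivalent guards in 5.4.1.2 and 5.4.1.3 earlier on this page use `(item != 'root') or (not ubtu22cis_uses_root)`; this one should presumably match them: `- (item != 'root') or (not ubtu22cis_uses_root)`. The audit awk condition `$7~/(\\s*|-1)/` also matches every entry with a hash because `\s*` matches the empty string, so the task reports and touches all users rather than only those with an empty or `-1` inactive field; if that is the intent, `($7 == "" || $7 == "-1" || ...)` would say so explicitly — confirm against the benchmark text. The renamed `ubtu22cis_passwd_inactive_setting`/`..._inactive_users` registers are used consistently within the hunk.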
@@ -167,32 +167,32 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis__current_time + register: ubtu22cis_current_time - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future" ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu22cis_current_time.stdout }})print$1}'" changed_when: false failed_when: false check_mode: false - register: ubtu22cis_user_list + register: ubtu22cis_passwd_future_user_list - - name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Warn about users" - when: ubtu22cis_user_list.stdout | length > 0 + - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Warn about users" + when: ubtu22cis_passwd_future_user_list.stdout | length > 0 ansible.builtin.debug: msg: - "WARNING!! The following accounts have the last PW change date in the future" - - "{{ ubtu22cis_user_list.stdout_lines }}" + - "{{ ubtu22cis_passwd_future_user_list.stdout_lines }}" - name: "5.4.1.5 | WARN | Ensure all users last password change date is in the past | warn_count" + when: ubtu22cis_passwd_future_user_list.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml - when: ubtu22cis_user_list.stdout | length > 0 - name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates" when: - ubtu22cis_disruption_high - - ubtu22cis_user_list.stdout | length > 0 + - ubtu22cis_passwd_future_user_list.stdout | length > 0 ansible.builtin.shell: passwd --expire {{ item }} failed_when: false with_items: - - "{{ ubtu22cis_user_list.stdout_lines }}" + - "{{ ubtu22cis_passwd_future_user_list.stdout_lines }}" diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index 2f9df9a7..8fb3abe9 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml 
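Review bot: Two sub-task names in this 5.4.1.6 block still carry the old id — `"5.4.1.5 | WARN | Ensure all users last password change date is in the past | warn_count"` and `"5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates"` — while the commit corrected only the "Warn about users" task to 5.4.1.6; the other two should be renamed the same way so the warning count is attributed to the right rule. The last task runs `passwd --expire {{ item }}`, which forces a password change at next login rather than locking the account, so "Lock accounts" in its name is misleading; "Expire passwords of accounts with future PW change dates" describes what it does. Fixing `ubtu22cis__current_time` to `ubtu22cis_current_time` is the right correction, since the awk in the next task already referenced the single-underscore name.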
@@ -3,7 +3,7 @@ - name: "5.4.2.1 | PATCH | Ensure root is the only UID 0 account" when: - ubtu22cis_rule_5_4_2_1 - - ubtu22cis_uid_zero_accounts_except_root.rc + - prelim_uid_zero_accounts_except_root.rc - ubtu22cis_disruption_high tags: - level1-server @@ -15,7 +15,7 @@ ansible.builtin.shell: passwd -l {{ item }} changed_when: false failed_when: false - loop: "{{ ubtu22cis_uid_zero_accounts_except_root.stdout_lines }}" + loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}" - name: "5.4.2.2 | PATCH | Ensure root is the only GID 0 account" when: @@ -31,20 +31,20 @@ block: - name: "5.4.2.2 | AUDIT | Ensure root is the only GID 0 account | Get members of gid 0" ansible.builtin.shell: "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4==\"0\") {print $1}' /etc/passwd | grep -wv 'root'" - register: ubtu22cis_gid0_members + register: discovered_gid0_members changed_when: false - failed_when: ubtu22cis_gid0_members.rc not in [ 0, 1 ] + failed_when: discovered_gid0_members.rc not in [ 0, 1 ] - name: "5.4.2.2 | PATCH | Ensure root is the only GID 0 account | Remove users not root from gid 0" when: - - ubtu22cis_gid0_members is defined - - ubtu22cis_gid0_members.std | length > 0 + - discovered_gid0_members is defined + - discovered_gid0_members.stdout | length > 0 ansible.builtin.user: name: "{{ item }}" gid: 0 state: absent loop: - - ubtu22cis_gid0_members.stdout_lines + - discovered_gid0_members.stdout_lines - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group" when: 
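Review bot: The "Remove users not root from gid 0" task cannot work as written: its loop is `loop: - discovered_gid0_members.stdout_lines`, a literal string rather than `"{{ discovered_gid0_members.stdout_lines }}"`, so the user module would be called once with the name `discovered_gid0_members.stdout_lines`. If the loop is fixed, `gid: 0` together with `state: absent` deletes every account found rather than moving it out of GID 0; the intent is to change the primary group, so something like `group: "<non-root-primary-group>"` with `state: present` (placeholder — decide which group the role should assign) is needed. The commit corrects the `.std` typo in the `when:`, but the loop and `state: absent` are untouched, and the destructive outcome is worth fixing before this task can ever run.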
@@ -59,23 +59,23 @@ block: - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group | Get groups with gid 0" ansible.builtin.shell: "awk -F: '$3==\"0\"{print $1}' /etc/group | grep -vw 'root'" - register: ubtu22cis_gid0_groups + register: discovered_gid0_groups changed_when: false - failed_when: ubtu22cis_gid0_groups.rc not in [ 0, 1 ] + failed_when: discovered_gid0_groups.rc not in [ 0, 1 ] - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group | Warning if others gid 0 groups" when: - - ubtu22cis_gid0_groups is defined - - ubtu22cis_gid0_groups.stdout | length > 0 + - discovered_gid0_groups is defined + - discovered_gid0_groups.stdout | length > 0 ansible.builtin.debug: msg: - "Warning!! You have other groups assigned to GID 0 - Please resolve" - - "{{ ubtu22cis_gid0_groups.stdout_lines }}" + - "{{ discovered_gid0_groups.stdout_lines }}" - name: "5.4.2.3 | WARN | Ensure group root is the only GID 0 group | warn_count" when: - - ubtu22cis_gid0_groups is defined - - ubtu22cis_gid0_groups.stdout | length > 0 + - discovered_gid0_groups is defined + - discovered_gid0_groups.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml vars: 
@@ -106,41 +106,41 @@ - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Get root paths" ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 changed_when: false - register: ubtu22cis_root_paths + register: discovered_root_paths - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Get root paths" - when: ubtu22cis_root_paths is defined + when: discovered_root_paths is defined ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 | tr ":" "\n" changed_when: false - register: ubtu22cis_root_paths_split + register: discovered_root_paths_split - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Set fact" - when: ubtu22cis_root_paths is defined + when: discovered_root_paths is defined ansible.builtin.set_fact: - root_paths: "{{ ubtu22cis_root_paths.stdout }}" + root_paths: "{{ discovered_root_paths.stdout }}" - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" - when: root_paths is defined + when: discovered_root_paths is defined ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"' changed_when: false - failed_when: root_path_empty_dir.rc not in [ 0, 1 ] - register: root_path_empty_dir + failed_when: discovered_root_path_empty_dir.rc not in [ 0, 1 ] + register: discovered_root_path_empty_dir - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for trailing ':'" - when: root_paths is defined + when: discovered_root_paths is defined ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"' changed_when: false - failed_when: root_path_trailing_colon.rc not in [ 0, 1 ] - register: root_path_trailing_colon + failed_when: discovered_root_path_trailing_colon.rc not in [ 0, 1 ] + register: discovered_root_path_trailing_colon - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" - when: root_paths is defined + when: discovered_root_paths is 
defined block: - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" ansible.builtin.stat: path: "{{ item }}" - register: root_path_perms - loop: "{{ ubtu22cis_root_paths_split.stdout_lines }}" + register: discovered_root_path_perms + loop: "{{ discovered_root_paths_split.stdout_lines }}" - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Set permissions" when: @@ -155,7 +155,7 @@ group: root mode: '0755' follow: false - loop: "{{ root_path_perms.results }}" + loop: "{{ discovered_root_path_perms.results }}" loop_control: label: "{{ item }}" @@ -172,11 +172,12 @@ path: /root/.bash_profile regexp: \s*umask line: "umask {{ ubtu22cis_root_umask }}" + create: true - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" when: - ubtu22cis_rule_5_4_2_7 - - item.id not in discovered_interactive_usernames.stdout + - "item.id not in prelim_interactive_usernames.stdout" - "'root' not in item.id" - ubtu22cis_disruption_high tags: @@ -188,15 +189,15 @@ ansible.builtin.user: name: "{{ item.id }}" shell: /usr/sbin/nologin - loop: "{{ ubtu22cis_passwd }}" - loop_control: - label: "{{ item.id }}" + loop: "{{ ubtu22cis_passwd }}" + loop_control: + label: "{{ item.id }}" - name: "5.4.2.8 | PATCH | Ensure accounts without a valid login shell are locked | Lock accounts" when: - ubtu22cis_rule_5_4_2_8 - ubtu22cis_disruption_high - - "item.id not in discovered_interactive_usernames.stdout" + - "item.id not in prelim_interactive_usernames.stdout" - "'root' not in item.id" tags: - level1-server diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 53f54af2..8d2d903b 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -69,7 +69,7 @@ - patch - rule_6.1.3 ansible.builtin.blockinfile: - path: /etc/aide.conf + path: /etc/aide/aide.conf marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown" block: | /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 
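Review bot: The "Check for trailing ':'" task runs `'{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"'`, which executes the PATH value itself as a command because the leading `echo` is missing, so the check never works and only `failed_when` keeps it quiet; it should start `echo {{ root_paths }} | grep -q ":$" && echo "roots path contains a trailing (:)"`, as the empty-dir check just above does. `root_paths` is also the only fact in this block left without the `discovered_` prefix the commit introduces, and since both checks already guard on `discovered_root_paths is defined` they could use `discovered_root_paths.stdout` directly and drop the `set_fact`. The block that applies permissions continues into the next hunk and was not reviewed here.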
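Review bot: The 5.4.2.7 condition `- "'root' not in item.id"` is a substring test, so any account whose name merely contains `root` keeps its login shell; `- item.id != 'root'` expresses the intent, and the same guard is repeated in the 5.4.2.8 hunk that follows. The adjacent `item.id not in prelim_interactive_usernames.stdout` is likewise a substring match against the whole command output, so an id that is a prefix of an interactive user's name (constructed example: `test` vs `tester`) is treated as interactive and skipped; `item.id not in prelim_interactive_usernames.stdout_lines` compares whole names. Both tasks' `tags:` and module arguments continue outside the hunk.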
diff --git a/tasks/section_6/cis_6.3.2.x.yml b/tasks/section_6/cis_6.3.2.x.yml index 1e915ee4..b13ce611 100644 --- a/tasks/section_6/cis_6.3.2.x.yml +++ b/tasks/section_6/cis_6.3.2.x.yml @@ -29,7 +29,7 @@ ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: '^max_log_file_action' - line: "max_log_file_action = {{ ubtu22cis_auditd['max_log_file_action'] }}" + line: "max_log_file_action = {{ ubtu22cis_auditd_max_log_file_action }}" - name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full" when: diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml index 120bd3a9..d2b941d7 100644 --- a/tasks/section_6/cis_6.3.4.x.yml +++ b/tasks/section_6/cis_6.3.4.x.yml @@ -72,7 +72,7 @@ ansible.builtin.file: path: "{{ item.path }}" mode: u-x,g-wx,o-rwx - loop: "{{ auditd_conf_files.files }}" + loop: "{{ prelim_auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" @@ -88,7 +88,7 @@ ansible.builtin.file: path: "{{ item.path }}" owner: root - loop: "{{ auditd_conf_files.files }}" + loop: "{{ prelim_auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" @@ -104,7 +104,7 @@ ansible.builtin.file: path: "{{ item.path }}" group: root - loop: "{{ auditd_conf_files.files }}" + loop: "{{ prelim_auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index 217b017d..d132b832 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -257,7 +257,7 @@ etype: group permissions: rx state: present - loop: "{{ discovered_interactive_users_home.stdout_lines }}" + loop: "{{ prelim_interactive_users_home.stdout_lines }}" - name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured | Set other ACL" when: not system_is_container 
@@ -267,7 +267,7 @@ etype: other permissions: 0 state: present - loop: "{{ discovered_interactive_users_home.stdout_lines }}" + loop: "{{ prelim_interactive_users_home.stdout_lines }}" - name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured" when: From c887a754144e38b7509ca81bafb06e19af62ff60 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 09:06:50 +0100 Subject: [PATCH 012/135] fix layout Signed-off-by: Mark Bolwell --- tasks/parse_etc_password.yml | 47 ++++++++++++++++++------------------ 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index dc8eb21e..605cb442 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml 
@@ -4,29 +4,30 @@ tags: - always block: - - name: "PRELIM | Parse /etc/passwd | Get /etc/password contents" - ansible.builtin.shell: cat /etc/passwd - changed_when: false - check_mode: false - register: ubtu22cis_passwd_file_audit + - name: "PRELIM | Parse /etc/passwd | Get /etc/password contents" + ansible.builtin.shell: cat /etc/passwd + changed_when: false + check_mode: false + register: ubtu22cis_passwd_file_audit - - name: "PRELIM | Parse /etc/passwd | Split passwd entries" - ansible.builtin.set_fact: - ubtu22cis_passwd: "{{ ubtu22cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" - # with_items: "{{ ubtu22cis_passwd_file_audit.stdout_lines }}" - vars: + - name: "PRELIM | Parse /etc/passwd | Split passwd entries" + ansible.builtin.set_fact: + ubtu22cis_passwd: "{{ ubtu22cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" + + with_items: "{{ ubtu22cis_passwd_file_audit.stdout_lines }}" + vars: ld_passwd_regex: >- - ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) + ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) ld_passwd_yaml: | - id: >-4 - \g - password: >-4 - \g - uid: \g - gid: \g - gecos: >-4 - \g - dir: >-4 - \g - shell: >-4 - \g + id: >-4 + \g + password: >-4 + \g + uid: \g + gid: \g + gecos: >-4 + \g + dir: >-4 + \g + shell: >-4 + \g From f302e527be75369e0ce32e0bc6e58bc313982b7a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 09:07:18 +0100 Subject: [PATCH 013/135] reomved comments Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.3.3.1.x.yml | 32 +++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml index 7af4acb1..0b753028 100644 --- a/tasks/section_5/cis_5.3.3.1.x.yml +++ b/tasks/section_5/cis_5.3.3.1.x.yml 
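Review bot: The `with_items: "{{ ubtu22cis_passwd_file_audit.stdout_lines }}"` that this commit un-comments on the "Split passwd entries" task loops a `set_fact` whose value already maps over the whole of `stdout_lines`, so the identical full list is recomputed once per passwd entry; dropping the `with_items` line (or keeping it commented, as before) yields the same `ubtu22cis_passwd` in a single pass. The blank line inserted between the `set_fact` arguments and `with_items` also splits the task visually and should go. The re-indentation of the block contents is otherwise consistent with the `block:` key.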
@@ -18,11 +18,11 @@ insertafter: '^# end of pam-auth-update config' create: true - # - name: "5.3.3.1.1 | AUDIT | Ensure password failed attempts lockout is configured | discover pam config with deny" - # ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?deny\b' /usr/share/pam-configs/* - # register: ubtu22cis_faillock_deny_files - # changed_when: false - # failed_when: ubtu22cis_faillock_deny_files.rc not in [ 0, 1 ] + - name: "5.3.3.1.1 | AUDIT | Ensure password failed attempts lockout is configured | discover pam config with deny" + ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?deny\b' /usr/share/pam-configs/* + register: ubtu22cis_faillock_deny_files + changed_when: false + failed_when: ubtu22cis_faillock_deny_files.rc not in [ 0, 1 ] - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files" when: ubtu22cis_faillock_deny_files.stdout | length > 0 
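Review bot: The re-enabled "discover pam config with deny" shell task has no `check_mode: false`, so in check mode it is skipped and `ubtu22cis_faillock_deny_files.stdout` in the next task's `when:` is undefined, aborting audit-only runs; the prelim discovery tasks elsewhere in this series carry `check_mode: false` for exactly this reason. The same applies to the `unlock_time` and `rootlock` discovery tasks re-enabled in the next two hunks (`@@ -52,11 +52,11 @@` and `@@ -86,14 +86,14 @@`). Adding `check_mode: false` after `changed_when: false` in each of the three tasks keeps them consistent with prelim.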
@@ -52,11 +52,11 @@ insertafter: '^# end of pam-auth-update config' create: true - # - name: "5.3.3.1.2 | AUDIT | Ensure password unlock time is configured | discover pam config with unlock_time" - # ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?unlock_time\b' /usr/share/pam-configs/* - # register: ubtu22cis_faillock_unlock_files - # changed_when: false - # failed_when: ubtu22cis_faillock_unlock_files.rc not in [ 0, 1 ] + - name: "5.3.3.1.2 | AUDIT | Ensure password unlock time is configured | discover pam config with unlock_time" + ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?unlock_time\b' /usr/share/pam-configs/* + register: ubtu22cis_faillock_unlock_files + changed_when: false + failed_when: ubtu22cis_faillock_unlock_files.rc not in [ 0, 1 ] - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files" when: ubtu22cis_faillock_unlock_files.stdout | length > 0 
@@ -86,14 +86,14 @@ insertafter: '^# end of pam-auth-update config' create: true - # - name: "5.3.3.1.3 | AUDIT | Ensure password failed attempts lockout includes root account | discover pam config with unlock_time" - # ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)' /usr/share/pam-configs/* - # register: ubtu22cis_faillock_root_files - # changed_when: false - # failed_when: ubtu22cis_faillock_rootlock_files.rc not in [ 0, 1 ] + - name: "5.3.3.1.3 | AUDIT | Ensure password failed attempts lockout includes root account | discover pam config with unlock_time" + ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)' /usr/share/pam-configs/* + register: ubtu22cis_faillock_rootlock_files + changed_when: false + failed_when: ubtu22cis_faillock_rootlock_files.rc not in [ 0, 1 ] - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files" - when: ubtu22cis_faillock_root_files.stdout | length > 0 + when: ubtu22cis_faillock_rootlock_files.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)' From e1d43b64f1956ee0916ba556567a4778c2839228 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 09:07:34 +0100 Subject: [PATCH 014/135] 5.3.3.4.4 fixed path Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.3.3.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml index 17effce5..3139f59f 100644 --- a/tasks/section_5/cis_5.3.3.4.x.yml +++ b/tasks/section_5/cis_5.3.3.4.x.yml 
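Review bot: The replace task's `regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)'` begins with `(*.`, a quantifier with nothing to repeat, so the pattern fails to compile and the task errors whenever `ubtu22cis_faillock_rootlock_files.stdout` is non-empty; it was presumably meant to be `(.*pam_faillock\.so\s*)`. The task body continues outside the hunk, so the `replace:` value could not be checked against the three groups. Renaming `ubtu22cis_faillock_root_files` to `ubtu22cis_faillock_rootlock_files` does align `register`, `failed_when` and the `when:` that previously referred to two different variables.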
@@ -94,7 +94,7 @@ - ubtu22cis_pam_authtok is defined - ubtu22cis_pam_authtok | length > 0 ansible.builtin.lineinfile: - path: "/etc/pam.d/{{ item }}-auth" + path: "/etc/pam.d/common-password" regexp: ^(\s*password\s+[success=end.*]\s+pam_unix\.so)(.*)\s+use_authtok\s*=\s*\S+(.*$) line: \1\2\3 use_authtok backrefs: true From 48df824e60644abfeed86aad61c1760804446718 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 09:07:50 +0100 Subject: [PATCH 015/135] moved directory creation to prelim Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.3.3.2.x.yml | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml index ba315f6b..bd0af5b8 100644 --- a/tasks/section_5/cis_5.3.3.2.x.yml +++ b/tasks/section_5/cis_5.3.3.2.x.yml @@ -1,20 +1,5 @@ --- -- name: "Ensure conf.d directory exists required for 5.3.3.2.x" - when: - - ubtu22cis_rule_5_3_3_2_1 or - ubtu22cis_rule_5_3_3_2_2 or - ubtu22cis_rule_5_3_3_2_3 or - ubtu22cis_rule_5_3_3_2_4 or - ubtu22cis_rule_5_3_3_2_5 or - ubtu22cis_rule_5_3_3_2_6 - ansible.builtin.file: - path: '/etc/security/pwquality.conf.d' - state: directory - owner: root - group: root - mode: '0750' - - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured" when: - ubtu22cis_rule_5_3_3_2_1 From 0b123a49b1fcaae180d7b584fc9a931f20129214 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 09:08:03 +0100 Subject: [PATCH 016/135] removed path as not valid for OS Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.3.x.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml index 98bc8765..3213a749 100644 --- a/tasks/section_5/cis_5.4.3.x.yml +++ b/tasks/section_5/cis_5.4.3.x.yml 
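Review bot: With the path now fixed to `/etc/pam.d/common-password`, the `regexp:` `^(\s*password\s+[success=end.*]\s+pam_unix\.so)(.*)\s+use_authtok\s*=\s*\S+(.*$)` still cannot match: `[success=end.*]` is a bracket expression matching a single character from the set `s u c e = n d . *`, not the literal control field, and `use_authtok\s*=\s*\S+` requires an `=value` suffix. Escaping the brackets and accepting the real control value, e.g. `^(\s*password\s+\[success=[^\]]*\]\s+pam_unix\.so)(.*)\s+use_authtok\b(.*$)`, would let the `backrefs` line apply; verify on a target system whether `use_authtok` ever appears with a value, since the present pattern assumes it does. The `line: \1\2\3 use_authtok` then needs re-checking against the new group layout.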
@@ -49,8 +49,7 @@ ansible.builtin.replace: path: "{{ item.path }}" regexp: (?i)(umask\s+\d\d\d) - replace: '{{ item.line }} 027' + replace: '{{ item.line }} {{ ubtu22cis_bash_umask }}' loop: - - { path: '/etc/bashrc', line: 'umask' } - { path: '/etc/profile', line: 'umask' } - { path: '/etc/login.defs', line: 'UMASK' } From 1604af653d52c246d15a6391e9116b557314b513 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 09:09:31 +0100 Subject: [PATCH 017/135] fix layout and conditionals Signed-off-by: Mark Bolwell --- tasks/section_5/main.yml | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 140a824a..e8d9d951 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml 
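Review bot: `regexp: (?i)(umask\s+\d\d\d)` matches only three-digit values, so an existing `umask 0027` or `UMASK 0022` in these files is left as-is while the task reports success; `(?i)(umask\s+\d{3,4})` covers both spellings. The capture group is not used by `replace:`, which rebuilds the line from `item.line` and the new `{{ ubtu22cis_bash_umask }}`, so it can be dropped. Since that variable now also drives `/etc/login.defs`, a comment where it is defined noting that it is not bash-specific would avoid confusion.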
@@ -2,47 +2,54 @@ - name: "SECTION | 5.1 | Configure SSH Server" ansible.builtin.import_tasks: - file: cis_5.1.x.yml + file: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure privilege escalation" - ansible.builtin.import_tasks: - file: cis_5.2.x.yml when: not system_is_container + ansible.builtin.import_tasks: + file: cis_5.2.x.yml - name: "SECTION | 5.3.1.x | Configure PAM software packages" - ansible.builtin.import_tasks: - file: cis_5.3.1.x.yml when: not system_is_container + ansible.builtin.import_tasks: + file: cis_5.3.1.x.yml - name: "SECTION | 5.3.2.x | Configure pam-auth-update" - ansible.builtin.import_tasks: - file: cis_5.3.2.x.yml when: not system_is_container + ansible.builtin.import_tasks: + file: cis_5.3.2.x.yml - name: "SECTION | 5.3.3.1.x | Configure pam_faillock module" + when: not system_is_container ansible.builtin.import_tasks: - file: cis_5.3.3.1.x.yml + file: cis_5.3.3.1.x.yml - name: "SECTION | 5.3.3.2.x | Configure pam_pwquality module" + when: not system_is_container ansible.builtin.import_tasks: - file: cis_5.3.3.2.x.yml + file: cis_5.3.3.2.x.yml - name: "SECTION | 5.3.3.3.x | Configure pam_pwhistory module" + when: not system_is_container ansible.builtin.import_tasks: - file: cis_5.3.3.3.x.yml + file: cis_5.3.3.3.x.yml - name: "SECTION | 5.3.3.4.x | Configure pam_unix module" + when: not system_is_container ansible.builtin.import_tasks: - file: cis_5.3.3.4.x.yml + file: cis_5.3.3.4.x.yml - name: "SECTION | 5.4.1.x | Configure shadow password suite parameters" + when: not system_is_container ansible.builtin.import_tasks: - file: cis_5.4.1.x.yml + file: cis_5.4.1.x.yml - name: "SECTION | 5.4.2.x | Configure root and system accounts and environment" + when: not system_is_container ansible.builtin.import_tasks: - file: cis_5.4.2.x.yml + file: cis_5.4.2.x.yml - name: "SECTION | 5.4.3.x | Configure user default environment" + when: not system_is_container ansible.builtin.import_tasks: - file: cis_5.4.3.x.yml + file: cis_5.4.3.x.yml 
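Review bot: The 5.1 SSH import is now the only task in this file without `when: not system_is_container`, while the hunk adds that guard to every other section; if that is deliberate (sshd hardening may be wanted inside container images), a one-line comment above the 5.1 task such as `# 5.1 intentionally runs in containers as well` would stop the next reader treating it as an omission, otherwise add the same `when:`. Because these are `import_tasks`, the condition is inherited by every imported task and evaluated per task, so `system_is_container` has to be set before this file is included — presumably in prelim, worth confirming.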
From dcf74dc735e21eafb024ced9b0088333a71b67d3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 09:09:50 +0100 Subject: [PATCH 018/135] layout and naming updates Signed-off-by: Mark Bolwell --- handlers/main.yml | 141 +++++++++++++++++++++++----------------------- 1 file changed, 71 insertions(+), 70 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 1fe9f435..124749c9 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,37 +1,37 @@ --- - name: Writing the tmp file | tmp_systemd + when: + - "'/tmp' in mount_names" + - item.mount == "/tmp" + - tmp_mnt_type == 'tmp_systemd' ansible.builtin.template: - src: etc/systemd/system/tmp.mount.j2 - dest: /etc/systemd/system/tmp.mount - owner: root - group: root - mode: '0644' + src: etc/systemd/system/tmp.mount.j2 + dest: /etc/systemd/system/tmp.mount + owner: root + group: root + mode: '0644' with_items: - - "{{ ansible_facts.mounts }}" + - "{{ ansible_facts.mounts }}" loop_control: - label: "{{ item.device }}" - when: - - "'/tmp' in mount_names" - - item.mount == "/tmp" - - tmp_mnt_type == 'tmp_systemd' + label: "{{ item.device }}" listen: Writing and remounting tmp - name: Writing the tmp file | fstab + when: + - "'/tmp' in mount_names" + - tmp_mnt_type == 'fstab' + - item.mount == "/tmp" ansible.posix.mount: - path: /tmp - src: "{{ item.device }}" - state: present - fstype: "{{ item.fstype }}" - opts: defaults,{{ tmp_partition_mount_options | unique | join(',') }} + path: /tmp + src: "{{ item.device }}" + state: present + fstype: "{{ item.fstype }}" + opts: defaults,{{ tmp_partition_mount_options | unique | join(',') }} with_items: - - "{{ ansible_facts.mounts }}" + - "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" - when: - - "'/tmp' in mount_names" - - tmp_mnt_type == 'fstab' - - item.mount == "/tmp" listen: Writing and remounting tmp - name: Update_Initramfs 
@@ -40,42 +40,42 @@ - name: Remount tmp ansible.posix.mount: - path: /tmp - state: remounted + path: /tmp + state: remounted when: - - "'/tmp' in mount_names" + - "'/tmp' in mount_names" listen: Writing and remounting tmp - name: Remount var ansible.posix.mount: - path: /var - state: remounted + path: /var + state: remounted - name: Remount var_tmp ansible.posix.mount: - path: /var/tmp - state: remounted + path: /var/tmp + state: remounted - name: Remount var_log ansible.posix.mount: - path: /var/log - state: remounted + path: /var/log + state: remounted - name: Remount var_log_audit ansible.posix.mount: - path: /var/log/audit - state: remounted + path: /var/log/audit + state: remounted - name: Remount home ansible.posix.mount: - path: /home - state: remounted + path: /home + state: remounted - name: Remount dev_shm ansible.posix.mount: - path: /dev/shm - src: /dev/shm - state: remounted + path: /dev/shm + src: /dev/shm + state: remounted - name: Grub update ansible.builtin.shell: update-grub @@ -84,12 +84,12 @@ - name: Restart timeservice ansible.builtin.systemd: - name: "{{ ubtu22cis_time_sync_tool }}" - state: restarted + name: "{{ ubtu22cis_time_sync_tool }}" + state: restarted - name: Reload systemctl ansible.builtin.systemd: - daemon_reload: true + daemon_reload: true - name: Update dconf ansible.builtin.shell: dconf update 
@@ -97,39 +97,39 @@ - name: Restart postfix ansible.builtin.service: - name: postfix - state: restarted + name: postfix + state: restarted - name: Restart syslog service ansible.builtin.systemd: - name: "{{ ubtu22cis_syslog_service }}" - state: restarted + name: "{{ ubtu22cis_syslog_service }}" + state: restarted - name: Restart journald ansible.builtin.systemd: - name: systemd-journald - state: restarted + name: systemd-journald + state: restarted - name: Restart exim4 ansible.builtin.systemd: - name: exim4 - state: restarted + name: exim4 + state: restarted - name: Flush ipv4 route table - ansible.posix.sysctl: - name: net.ipv4.route.flush - value: '1' - sysctl_set: true when: ansible_facts.virtualization_type != "docker" + ansible.posix.sysctl: + name: net.ipv4.route.flush + value: '1' + sysctl_set: true - name: Flush ipv6 route table - ansible.posix.sysctl: - name: net.ipv6.route.flush - value: '1' - sysctl_set: true when: - - ansible_facts.virtualization_type != "docker" - - ubtu22cis_ipv6_required + - ansible_facts.virtualization_type != "docker" + - ubtu22cis_ipv6_required + ansible.posix.sysctl: + name: net.ipv6.route.flush + value: '1' + sysctl_set: true - name: Reload ufw community.general.ufw: 
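Review bot: The two route-flush handlers gate on `ansible_facts.virtualization_type != "docker"`, but elsewhere in this series (tasks/section_5/main.yml) container detection uses `system_is_container`; LXC, podman and similar runtimes also cannot write sysctl keys and would still trigger these handlers and fail. Using the shared fact, `when: not system_is_container`, keeps the role's container handling in one place, assuming that fact is always defined before handlers run.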
@@ -163,30 +163,31 @@ ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_pwhistory_file }} - name: Auditd rules reload - ansible.builtin.shell: augenrules --load when: - - not auditd_immutable_check or '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout' + - not prelim_auditd_immutable_check or + '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout' + ansible.builtin.shell: augenrules --load - name: Audit_immutable_fact + when: + - audit_rules_updated.changed + - auditd_immutable_check is defined ansible.builtin.debug: - msg: "Reboot required for auditd to apply new rules as immutable set" + msg: "Reboot required for auditd to apply new rules as immutable set" notify: set_reboot_required - when: - - audit_rules_updated.changed - - auditd_immutable_check is defined - name: Restart auditd - ansible.builtin.shell: service auditd restart when: - - audit_rules_updated is defined + - audit_rules_updated is defined tags: - - skip_ansible_lint + - skip_ansible_lint + ansible.builtin.shell: service auditd restart - name: Restart sshd ansible.builtin.systemd: - name: sshd - state: restarted + name: sshd + state: restarted - name: set_reboot_required ansible.builtin.set_fact: - change_requires_reboot: true + change_requires_reboot: true From d3caf0fcf488b8dde631d2610c0c5a9753d137de Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 09:10:14 +0100 Subject: [PATCH 019/135] tidy up and remove uneccessary items Signed-off-by: Mark Bolwell --- tasks/main.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 386c1d86..c5115b87 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
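Review bot: The reworked `when:` on `Auditd rules reload` is still always true: the second operand `'"No change" not in …stdout'` is a quoted Jinja string literal, which is truthy, and `prelim_auditd_immutable_check` is a registered task result (a non-empty dict), so `not` on it is always false. The intended expression is presumably `- prelim_auditd_immutable_check.stdout | default('0') == '0' or "No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout`; the `_4_1_3_21` register name also predates the v2 renumbering, so confirm it is still set anywhere. In the same hunk `Audit_immutable_fact` still checks `auditd_immutable_check is defined`, while the handler above it now reads `prelim_auditd_immutable_check`, so the reboot-required fact may never be set; change it to `- prelim_auditd_immutable_check is defined`.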
@@ -140,18 +140,13 @@ - name: Run parse /etc/passwd when: - ubtu22cis_section5 or - ubtu22cis_section6 + ubtu22cis_section6 or + ubtu22cis_section7 tags: - always ansible.builtin.import_tasks: file: parse_etc_password.yml -- name: Gather the package facts - tags: - - always - ansible.builtin.package_facts: - manager: auto - - name: Include section 1 patches when: ubtu22cis_section1 tags: From ee4cec7b62c627138111ec0a8ba6a93b9755febb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 09:10:27 +0100 Subject: [PATCH 020/135] handler naming correction Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 2c0eacf7..24641852 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -662,7 +662,7 @@ - patch - postfix - rule_2.1.21 - notify: Restart_postfix + notify: Restart postfix ansible.builtin.lineinfile: path: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" From e89587fb67dc7f3ec8160e4f0a5f3d564ff596f5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 10:57:56 +0100 Subject: [PATCH 021/135] updated handler naming Signed-off-by: Mark Bolwell --- handlers/main.yml | 18 +++++++++--------- tasks/section_5/cis_5.3.2.x.yml | 18 +++++++++--------- tasks/section_5/cis_5.3.3.3.x.yml | 6 +++--- tasks/section_5/cis_5.3.3.4.x.yml | 6 +++--- 4 files changed, 24 insertions(+), 24 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 124749c9..5e1c7738 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -36,7 +36,7 @@ - name: Update_Initramfs ansible.builtin.shell: update-initramfs -u - notify: set_reboot_required + notify: Set_reboot_required - name: Remount tmp ansible.posix.mount: 
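Review bot: Removing `Gather the package facts` from tasks/main.yml leaves every `ansible_facts.packages` lookup in the role (for example the auditd and acl checks in prelim.yml) dependent on package facts being gathered somewhere earlier; if prelim.yml does not run `ansible.builtin.package_facts` before those checks, they fail with an undefined attribute on the first run. Worth confirming where the facts are now gathered and saying so in the commit message, since `tidy up` does not signal a behavioural dependency.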
@@ -80,7 +80,7 @@ - name: Grub update ansible.builtin.shell: update-grub failed_when: false - notify: set_reboot_required + notify: Set_reboot_required - name: Restart timeservice ansible.builtin.systemd: @@ -147,19 +147,19 @@ failed_when: ubtu22cis_ip6tables_save.rc > 0 register: ubtu22cis_ip6tables_save -- name: pam_auth_update_pwunix +- name: Pam_auth_update_pwunix ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_pwunix_file }} -- name: pam_auth_update_pwfaillock +- name: Pam_auth_update_pwfaillock ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_faillock_file }} -- name: pam_auth_update_pwfaillock_notify +- name: Pam_auth_update_pwfaillock_notify ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_faillock_file_notify }} -- name: pam_auth_update_pwquality +- name: Pam_auth_update_pwquality ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_pwquality_file }} -- name: pam_auth_update_pwhistory +- name: Pam_auth_update_pwhistory ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_pwhistory_file }} - name: Auditd rules reload @@ -174,7 +174,7 @@ - auditd_immutable_check is defined ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" - notify: set_reboot_required + notify: Set_reboot_required - name: Restart auditd when: @@ -188,6 +188,6 @@ name: sshd state: restarted -- name: set_reboot_required +- name: Set_reboot_required ansible.builtin.set_fact: change_requires_reboot: true diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index e3a2f072..1a98328b 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -11,7 +11,7 @@ - level1-workstation - patch - rule_5.3.2.1 - - pam_auth_update + - Pam_auth_update - pam_unix ansible.builtin.template: src: "{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}.j2" 
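Review bot: In the cis_5.3.2.x.yml hunk the renamed `- Pam_auth_update` entry sits in the task's `tags:` list (between `rule_5.3.2.1` and `pam_unix`), not in `notify:`, so this change renames a tag rather than a handler reference and breaks anyone running with `--tags pam_auth_update`. Every other tag in the file is lowercase (`patch`, `pam_unix`, `rule_5.3.2.1`), so the tag should stay `- pam_auth_update`; the same applies to the `@@ -32`, `@@ -58` and `@@ -78` hunks of that file. The `notify:` renames to `Pam_auth_update_*` are correct and match the handler names changed in handlers/main.yml.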
@@ -19,7 +19,7 @@ owner: root group: root mode: '0600' - notify: pam_auth_update_pwunix + notify: Pam_auth_update_pwunix - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled" when: @@ -32,7 +32,7 @@ - level1-workstation - patch - rule_5.3.2.2 - - pam_auth_update + - Pam_auth_update - pam_faillock ansible.builtin.template: src: "{{ ubtu22cis_pam_confd_dir }}{{ item }}.j2" @@ -44,8 +44,8 @@ - "{{ ubtu22cis_pam_faillock_file }}" - "{{ ubtu22cis_pam_faillock_notify_file }}" notify: - - pam_auth_update_pwfaillock - - pam_auth_update_pwfaillock_notify + - Pam_auth_update_pwfaillock + - Pam_auth_update_pwfaillock_notify - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled" when: @@ -58,14 +58,14 @@ - level1-workstation - patch - rule_5.3.2.3 - - pam_auth_update + - Pam_auth_update ansible.builtin.template: src: "{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwquality_file }}.j2" dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwquality_file }}" owner: root group: root mode: '0600' - notify: pam_auth_update_pwquality + notify: Pam_auth_update_pwquality - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled" when: @@ -78,11 +78,11 @@ - level1-workstation - patch - rule_5.3.2.4 - - pam_auth_update + - Pam_auth_update ansible.builtin.template: src: "{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}.j2" dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" owner: root group: root mode: '0600' - notify: pam_auth_update_pwhistory + notify: Pam_auth_update_pwhistory diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml index 20e609e3..d5d0c8d0 100644 --- a/tasks/section_5/cis_5.3.3.3.x.yml +++ b/tasks/section_5/cis_5.3.3.3.x.yml 
@@ -24,7 +24,7 @@ regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(remember=\d+) line: '\1\2\3 remember={{ ubtu22cis_pamd_pwhistory_remember }}' backrefs: true - notify: pam_auth_update_pwhistory + notify: Pam_auth_update_pwhistory - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user" when: @@ -50,7 +50,7 @@ regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(enforce_for_root) line: '\1\2\3 enforce_for_root' backrefs: true - notify: pam_auth_update_pwhistory + notify: Pam_auth_update_pwhistory - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok" when: @@ -76,4 +76,4 @@ regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok) line: '\1\2\3 use_authtok' backrefs: true - notify: pam_auth_update_pwhistory + notify: Pam_auth_update_pwhistory diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml index 3139f59f..ff0821a3 100644 --- a/tasks/section_5/cis_5.3.3.4.x.yml +++ b/tasks/section_5/cis_5.3.3.4.x.yml @@ -23,7 +23,7 @@ path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" regexp: nullok replace: '' - notify: pam_auth_update_pwunix + notify: Pam_auth_update_pwunix - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember" when: @@ -47,7 +47,7 @@ path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" regexp: remember=\d+ replace: '' - notify: pam_auth_update_pwunix + notify: Pam_auth_update_pwunix - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm" when: @@ -71,7 +71,7 @@ path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)" replace: '{{ ubtu22cis_passwd_hash_algo }}' - notify: pam_auth_update_pwunix + notify: Pam_auth_update_pwunix - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok" when: From 9b62df3aef527f466cecb792e1037027bd3680a7 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Tue, 2 Jul 2024 10:58:11 +0100 Subject: [PATCH 022/135] renamed files Signed-off-by: Mark Bolwell --- .../{forwardtosyslog.j2 => forwardtosyslog.conf.j2} | 0 .../etc/systemd/journald.conf.d/{storage.j2 => storage.conf.j2} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename templates/etc/systemd/journald.conf.d/{forwardtosyslog.j2 => forwardtosyslog.conf.j2} (100%) rename templates/etc/systemd/journald.conf.d/{storage.j2 => storage.conf.j2} (100%) diff --git a/templates/etc/systemd/journald.conf.d/forwardtosyslog.j2 b/templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2 similarity index 100% rename from templates/etc/systemd/journald.conf.d/forwardtosyslog.j2 rename to templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2 diff --git a/templates/etc/systemd/journald.conf.d/storage.j2 b/templates/etc/systemd/journald.conf.d/storage.conf.j2 similarity index 100% rename from templates/etc/systemd/journald.conf.d/storage.j2 rename to templates/etc/systemd/journald.conf.d/storage.conf.j2 From 78d17cca41bf07918e27963b53c1143a058665f0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 10:58:33 +0100 Subject: [PATCH 023/135] fix tasks Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.1.1.x.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/section_6/cis_6.2.1.1.x.yml b/tasks/section_6/cis_6.2.1.1.x.yml index 7fe90b30..15b4a593 100644 --- a/tasks/section_6/cis_6.2.1.1.x.yml +++ b/tasks/section_6/cis_6.2.1.1.x.yml @@ -11,7 +11,7 @@ - rule_6.2.1.1.1 ansible.builtin.systemd: name: systemd-journald.service - mask: false + masked: false state: started - name: "6.2.1.1.2 | PATCH | Ensure journald log file access is configured" 
@@ -110,7 +110,7 @@ - name: "6.2.1.1.4 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf - regexp: ^\s*ForwardToSyslog + regexp: ^(\s*ForwardToSyslog) replace: '#\1' - name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured" @@ -135,7 +135,7 @@ - name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf - regexp: ^(?i)\s*storage= + regexp: ^(?i)(\s*storage=) replace: '#\1' - name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured" @@ -160,5 +160,5 @@ - name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf - regexp: ^(?i)\s*compress= + regexp: ^(?i)(\s*compress=) replace: '#\1' From c4dbd7c57fa5556db9da22df24985d0dee08cd57 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 10:58:55 +0100 Subject: [PATCH 024/135] fix typo Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.2.2.yml b/tasks/section_6/cis_6.2.2.yml index 0d4ae805..1d4b967c 100644 --- a/tasks/section_6/cis_6.2.2.yml +++ b/tasks/section_6/cis_6.2.2.yml @@ -2,7 +2,7 @@ - name: "6.2.2 | PATCH | Ensure access to all logfiles has been configured" when: - - rhel8cis_rule_6_2_2 + - ubtu22cis_rule_6_2_2 tags: - level1-server - level1-workstation From 8a03ed81506ab4c8432ac60fd043d153cdb79e9d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 10:59:11 +0100 Subject: [PATCH 025/135] rename handler Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 2 +- tasks/section_6/cis_6.3.2.x.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index a65a5521..09a6da34 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml 
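Review bot: The corrected `regexp` values `^(?i)(\s*storage=)` and `^(?i)(\s*compress=)` place the global `(?i)` flag after `^`; Python has deprecated global inline flags that are not at the very start of the pattern since 3.6 and raises `re.error` for them from 3.11, so `ansible.builtin.replace`, which compiles this on the managed node, fails on targets or venvs with a newer interpreter. Move the flag first: `regexp: (?i)^(\s*storage=)` and `regexp: (?i)^(\s*compress=)`. The ForwardToSyslog hunk carries no flag and is fine as written.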
@@ -13,7 +13,7 @@ - Auditd rules reload - Audit_immutable_fact - Restart auditd - - set_reboot_required + - Set_reboot_required - name: POST | Set up auditd user logging exceptions when: ubtu22cis_allow_auditd_uid_user_exclusions diff --git a/tasks/section_6/cis_6.3.2.x.yml b/tasks/section_6/cis_6.3.2.x.yml index b13ce611..b5188dfa 100644 --- a/tasks/section_6/cis_6.3.2.x.yml +++ b/tasks/section_6/cis_6.3.2.x.yml @@ -59,7 +59,7 @@ - patch - auditd - rule_6.3.2.4 - notify: Restart_auditd + notify: Restart auditd ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" From cddb6399fd0e578bd2e3ad384be2305d950751fb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 10:59:26 +0100 Subject: [PATCH 026/135] rename var Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.3.4.x.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml index d2b941d7..bd37b219 100644 --- a/tasks/section_6/cis_6.3.4.x.yml +++ b/tasks/section_6/cis_6.3.4.x.yml @@ -50,15 +50,14 @@ block: - name: "6.3.4.4 | AUDIT | Ensure the audit log file directory mode is configured | get current permissions" ansible.builtin.stat: - path: "{{ audit_discovered_logfile.stdout | dirname }}" + path: "{{ prelim_auditd_logfile.stdout | dirname }}" register: auditlog_dir - - name: "6.3.4.4 | PATCH | Ensure the audit log file directory mode is configured | set" - when: not auditlog_dir.stat.mode is match('07(0|5)0') + - name: "6.3.4.4 | PATCH | Ensure the audit log file directory mode is configured | set permissions" ansible.builtin.file: - path: "{{ audit_discovered_logfile.stdout | dirname }}" + path: "{{ auditlog_dir.stat.path }}" state: directory - mode: '0750' + mode: g-w,o-rwx - name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured" when: From 0d0e2d02bf962d4fe19bbb2b5df6980851ab10b4 Mon Sep 17 00:00:00 2001 
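Review bot: The `set permissions` task now uses `{{ auditlog_dir.stat.path }}` unconditionally, but `stat` only returns `path` when the target exists; with the `when: not … is match(…)` guard removed, a missing directory turns into an undefined-variable failure rather than a skip (prelim tolerates rc 1 on the `log_file` grep, so `stdout | dirname` can be an empty string). Add `when: auditlog_dir.stat.exists` to the PATCH task, and `auditlog_dir.stat.isdir` as well if you want to be strict. Dropping the mode guard is fine since `g-w,o-rwx` is idempotent, though quoting it as `'g-w,o-rwx'` would match the file's existing `mode: '0750'` style.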
From: Mark Bolwell Date: Tue, 2 Jul 2024 10:59:39 +0100 Subject: [PATCH 027/135] moved tasks and updated Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 124 +++++++++++++++++++++++++++++------------------ 1 file changed, 76 insertions(+), 48 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index ed89c1f3..eff6ec60 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -126,44 +126,6 @@ name: network-manager state: present -- name: "PRELIM | PATCH | Ensure auditd is installed" - when: - - ubtu22cis_rule_6_3_1_1 or - ubtu22cis_rule_6_3_4_1 or - ubtu22cis_rule_6_3_4_6 or - ubtu22cis_rule_6_3_4_8 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - always - block: - - name: "PRELIM | PATCH | Ensure auditd is installed" - when: - - "'auditd' not in ansible_facts.packages or - 'auditd-plugins' not in ansible_facts.packages" - ansible.builtin.package: - name: ['auditd', 'audispd-plugins'] - state: present - - - name: "PRELIM | AUDIT | Audit conf and rules files | list files" - ansible.builtin.find: - path: /etc/audit/ - file_type: file - recurse: true - patterns: '*.conf,*.rules' - register: prelim_auditd_conf_files - -- name: "PRELIM | AUDIT | Check if auditd is immutable before changes" - tags: - - always - ansible.builtin.shell: auditctl -l | grep -c '-e 2' - changed_when: false - failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ] - register: prelim_auditd_immutable_check - when: "'auditd' in ansible_facts.packages" - - name: "PRELIM | PATCH | 5.3.4/5 | Find all sudoers files." ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false 
@@ -244,16 +206,6 @@ changed_when: false register: prelim_interactive_uids -- name: "PRELIM | PATCH | Install ACL" - when: - - ubtu22cis_rule_7_2_9 - - "'acl' not in ansible_facts.packages" - tags: - - always - ansible.builtin.package: - name: acl - state: present - - name: "PRELIM | AUDIT | Gather UID 0 accounts other than root" when: - ubtu22cis_rule_5_4_2_1 
@@ -268,6 +220,82 @@ check_mode: false register: prelim_uid_zero_accounts_except_root +- name: "PRELIM | PATCH | create journald conf.d directory" + when: + - ubtu22cis_rule_6_2_1_1_3 or + ubtu22cis_rule_6_2_1_1_5 or + ubtu22cis_rule_6_2_1_1_6 + tags: + - always + ansible.builtin.file: + path: /etc/systemd/journald.conf.d + state: directory + owner: root + group: root + mode: '0755' + +- name: "PRELIM | PATCH | Ensure auditd is installed" + when: + - ubtu22cis_rule_6_3_1_1 or + ubtu22cis_rule_6_3_4_1 or + ubtu22cis_rule_6_3_4_6 or + ubtu22cis_rule_6_3_4_8 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - always + block: + - name: "PRELIM | PATCH | Ensure auditd is installed" + when: + - "'auditd' not in ansible_facts.packages or + 'auditd-plugins' not in ansible_facts.packages" + ansible.builtin.package: + name: ['auditd', 'audispd-plugins'] + state: present + + - name: "PRELIM | AUDIT | Audit conf and rules files | list files" + ansible.builtin.find: + path: /etc/audit/ + file_type: file + recurse: true + patterns: '*.conf,*.rules' + register: prelim_auditd_conf_files + +- name: "PRELIM | AUDIT | Check if auditd is immutable before changes" + tags: + - always + ansible.builtin.shell: auditctl -l | grep -c '-e 2' + changed_when: false + failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ] + register: prelim_auditd_immutable_check + when: "'auditd' in ansible_facts.packages" + +- name: "PRELIM | AUDIT | 6.3.4.x | Capture information about auditd logfile path | discover file" + when: + - ubtu22cis_rule_6_3_4_4 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.4.4 + ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'" + changed_when: false + failed_when: prelim_auditd_logfile.rc not in [0, 1] + register: prelim_auditd_logfile + +- name: "PRELIM | PATCH | Install ACL" + when: + - ubtu22cis_rule_7_2_9 + - "'acl' not in ansible_facts.packages" + tags: + - always + 
ansible.builtin.package: + name: acl + state: present + ## Optional - name: "Optional | PATCH | UFW firewall force to use /etc/sysctl.conf settings" From c0e6da2a5ecf3551153d4752fdcb50568ddc82b8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 10:59:48 +0100 Subject: [PATCH 028/135] update var Signed-off-by: Mark Bolwell --- tasks/section_7/cis_7.2.x.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index d132b832..381f602d 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -244,7 +244,7 @@ state: directory owner: "{{ item.id }}" group: "{{ item.gid }}" - loop: "{{ ubtu22cis_passwd | selectattr('uid', '>=', ubtu22uid_uid_start | int ) | selectattr('uid', '<=', ubtu22uid_uid_stop | int ) | list }}" + loop: "{{ ubtu22cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" loop_control: label: "{{ item.id }}" @@ -285,13 +285,13 @@ - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Check for files" ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w changed_when: false - failed_when: discovered_dot_files.rc not in [ 0, 1 ] + failed_when: discovered_homedir_dot_files.rc not in [ 0, 1 ] check_mode: false - register: discovered_dot_files + register: discovered_homedir_dot_files - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found" when: - - discovered_dot_files.stdout | length > 0 + - discovered_homedir_dot_files.stdout | length > 0 - ubtu22cis_dotperm_ansiblemanaged ansible.builtin.debug: msg: 
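Review bot: In the re-added auditd block the `when:` tests `'auditd-plugins' not in ansible_facts.packages` while the package task installs `audispd-plugins`; that fact key will never match, so the condition is always true and the package task runs on every play — change it to `'audispd-plugins' not in ansible_facts.packages`. Just below, `Check if auditd is immutable before changes` is gated on `'auditd' in ansible_facts.packages`, which reflects facts gathered before the install task above it, so on a first run that installs auditd the check is skipped and `prelim_auditd_immutable_check` stays undefined for the handler in handlers/main.yml that reads it. Either re-run `ansible.builtin.package_facts` after the install or drop that `when:` and rely on the existing `failed_when` range. The `prelim_auditd_logfile` discovery task also lacks the `- always` tag its prelim siblings carry, so a tag-limited run can skip it and leave 6.3.4.4 with an undefined variable.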
@@ -299,16 +299,16 @@ - name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured | Set warning count" when: - - discovered_dot_files.stdout | length > 0 + - discovered_homedir_dot_files.stdout | length > 0 - ubtu22cis_dotperm_ansiblemanaged ansible.builtin.import_tasks: file: warning_facts.yml - name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured" when: - - discovered_dot_files.stdout | length > 0 + - discovered_homedir_dot_files.stdout | length > 0 - ubtu22cis_dotperm_ansiblemanaged ansible.builtin.file: path: '{{ item }}' mode: go-w - with_items: "{{ discovered_dot_files.stdout_lines }}" + with_items: "{{ discovered_homedir_dot_files.stdout_lines }}" From fe594fd6c982d198bf20574980e1d0dcfe259334 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 11:00:04 +0100 Subject: [PATCH 029/135] aligned variables Signed-off-by: Mark Bolwell --- defaults/main.yml | 213 +++++++++++++++++++++++++--------------------- 1 file changed, 118 insertions(+), 95 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ff9545dd..06c69ffc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,12 +5,12 @@ # E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true. # to "true". If you do not want the tasks from that section to get executed you simply set the variable to "false". ubtu22cis_section1: true -ubtu22cis_section2: false -ubtu22cis_section3: false -ubtu22cis_section4: false -ubtu22cis_section5: false -ubtu22cis_section6: false -ubtu22cis_section7: false +ubtu22cis_section2: true +ubtu22cis_section3: true +ubtu22cis_section4: true +ubtu22cis_section5: true +ubtu22cis_section6: true +ubtu22cis_section7: true ## Reboot system before audit # System will reboot if false, can give better audit results 
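Review bot: Flipping `ubtu22cis_section2` through `ubtu22cis_section7` to `true` changes the role's default from section 1 only to applying the whole benchmark (firewall, SSH, PAM and auditd changes included) on any host that does not override these variables, which the commit message `aligned variables` does not convey. README and the changelog should state the new default, and the explanatory comment above the block could be extended with `# All sections are enabled by default; set a section to false to skip it.`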
@@ -181,41 +181,41 @@ ubtu22cis_rule_1_2_2_1: true # 1.3 Mandatory Access Control ## 1.3.1 Configure AppArmor -ubtu22cis_1_3_1_1: true -ubtu22cis_1_3_1_2: true -ubtu22cis_1_3_1_3: true -ubtu22cis_1_3_1_4: true +ubtu22cis_rule_1_3_1_1: true +ubtu22cis_rule_1_3_1_2: true +ubtu22cis_rule_1_3_1_3: true +ubtu22cis_rule_1_3_1_4: true # 1.4 Configure Bootloader -ubtu22cis_1_4_1: true -ubtu22cis_1_4_2: true +ubtu22cis_rule_1_4_1: true +ubtu22cis_rule_1_4_2: true # 1.5 Configure additional Process Hardening -ubtu22cis_1_5_1: true -ubtu22cis_1_5_2: true -ubtu22cis_1_5_3: true -ubtu22cis_1_5_4: true -ubtu22cis_1_5_5: true +ubtu22cis_rule_1_5_1: true +ubtu22cis_rule_1_5_2: true +ubtu22cis_rule_1_5_3: true +ubtu22cis_rule_1_5_4: true +ubtu22cis_rule_1_5_5: true # 1.6 Configure Command Line Warning Banners -ubtu22cis_1_6_1: true -ubtu22cis_1_6_2: true -ubtu22cis_1_6_3: true -ubtu22cis_1_6_4: true -ubtu22cis_1_6_5: true -ubtu22cis_1_6_6: true +ubtu22cis_rule_1_6_1: true +ubtu22cis_rule_1_6_2: true +ubtu22cis_rule_1_6_3: true +ubtu22cis_rule_1_6_4: true +ubtu22cis_rule_1_6_5: true +ubtu22cis_rule_1_6_6: true # 1.7 Configure GNOME Display Manager -ubtu22cis_1_7_1: true -ubtu22cis_1_7_2: true -ubtu22cis_1_7_3: true -ubtu22cis_1_7_4: true -ubtu22cis_1_7_5: true -ubtu22cis_1_7_6: true -ubtu22cis_1_7_7: true -ubtu22cis_1_7_8: true -ubtu22cis_1_7_9: true -ubtu22cis_1_7_10: true +ubtu22cis_rule_1_7_1: true +ubtu22cis_rule_1_7_2: true +ubtu22cis_rule_1_7_3: true +ubtu22cis_rule_1_7_4: true +ubtu22cis_rule_1_7_5: true +ubtu22cis_rule_1_7_6: true +ubtu22cis_rule_1_7_7: true +ubtu22cis_rule_1_7_8: true +ubtu22cis_rule_1_7_9: true +ubtu22cis_rule_1_7_10: true ## Section 2 Fixes # Section 2 is Services (Special Purpose Services, and service clients) 
@@ -426,17 +426,17 @@ ubtu22cis_rule_6_1_1: true ubtu22cis_rule_6_1_2: true ubtu22cis_rule_6_1_3: true # 6.2.1.1 Configure systemd-journald service -ubtu22cis_rule_6_1_1_1_1: true -ubtu22cis_rule_6_1_1_1_2: true -ubtu22cis_rule_6_1_1_1_3: true -ubtu22cis_rule_6_1_1_1_4: true -ubtu22cis_rule_6_1_1_1_5: true -ubtu22cis_rule_6_1_1_1_6: true +ubtu22cis_rule_6_2_1_1_1: true +ubtu22cis_rule_6_2_1_1_2: true +ubtu22cis_rule_6_2_1_1_3: true +ubtu22cis_rule_6_2_1_1_4: true +ubtu22cis_rule_6_2_1_1_5: true +ubtu22cis_rule_6_2_1_1_6: true # 6.2.1.2 Configure systemd-journald service -ubtu22cis_rule_6_1_1_2_1: true -ubtu22cis_rule_6_1_1_2_2: true -ubtu22cis_rule_6_1_1_2_3: true -ubtu22cis_rule_6_1_1_2_4: true +ubtu22cis_rule_6_2_1_2_1: true +ubtu22cis_rule_6_2_1_2_2: true +ubtu22cis_rule_6_2_1_2_3: true +ubtu22cis_rule_6_2_1_2_4: true # 6.2.2 Configure Logfiles ubtu22cis_rule_6_2_2: true # 6.3.1 Configure auditd Service 
@@ -740,12 +740,26 @@ ubtu22cis_ipv6_disable: grub # it, ensuring that wireless interfaces are disabled will not be possible! ubtu22cis_install_network_manager: true + +## Control 3.1.3 - Ensure bluetooth Services are not in use +# This control managed how the bluetooth service is managaed +# Options are +# true to leave installed if exists not changes take place +# false - this removes the package +# mask - if a dependancy for product so cannot be removed +ubtu22cis_bluetooth_service: false +ubtu22cis_bluetooth_mask: false + ## Control 3.3.x - Networking configuration # This variable contains the path to the file in which, sysctl saves its configurations. # Its default value is `/etc/sysctl.conf`. ubtu22cis_sysctl_network_conf: /etc/sysctl.conf -## Controls 3.5.1.x, 3.5.2.x, and 3.5.3.x - Firewall configuration +## +## Section 4 Control Variables +## + +## Controls 4.1.x, 4.2.x, and 4.3.x - Firewall configuration # This variable represents the toggle for which firewall package is used. # The options that have an effect on the system are `ufw` and `iptables`. # The option `nftables` is also possible, but will only result in a message, @@ -757,7 +771,7 @@ ubtu22cis_firewall_package: "ufw" # settings. If set to "true" the task will get done in the prelim section of the role. ubtu22cis_ufw_use_sysctl: true -## Control 3.5.1.5 - Ensure ufw outbound connections are configured +## Control 4.1.5 - Ensure ufw outbound connections are configured # The value of this variable represents the ports for the firewall to allow oubound traffic from. # If you want to allow outbound traffic on all ports, set the variable to `all`, e.g., # `ubtu22cis_ufw_allow_out_ports: "all"`. 
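Review bot: The new bluetooth comment block describes a single three-way option (`true`, `false`, `mask`) but the hunk declares two independent booleans, `ubtu22cis_bluetooth_service` and `ubtu22cis_bluetooth_mask`, so a reader cannot tell which variable takes which value or what happens when both are `false`. Reword it to document each variable on its own line (what `ubtu22cis_bluetooth_service: true/false` does to the package, and that `ubtu22cis_bluetooth_mask: true` masks the unit instead of removing it when it is a dependency), and fix the typos `managaed`, `dependancy` and `not changes take place`.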
@@ -766,7 +780,7 @@ ubtu22cis_ufw_allow_out_ports: - 80 - 443 -## Controls 3.5.2.x - nftables +## Controls 4.2.x - nftables # Nftables is not supported in this role. Some tasks have parts of them commented out, this is one example # of such a task. # "ubtu22cis_nftables_table_name" is the name of the table in nftables you want to create. 
@@ -774,55 +788,7 @@ ubtu22cis_ufw_allow_out_ports: # nftables configs are applied to. # ubtu22cis_nftables_table_name: "inet filter" -## -## Section 4 Control Variables -## - -## Controls 4.1.3.x - Audit template -# This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the -# audit settings are overwritten with the role's template. In order to exclude -# specific rules, you must set the variable of form `ubtu22cis_rule_4_1_3_x` above -# to `false`. -update_audit_template: false - -## Advanced option found in auditd post -## users whose actions are not logged by auditd -ubtu22cis_allow_auditd_uid_user_exclusions: false -# add a list of uids -ubtu22cis_auditd_uid_exclude: - - 1999 - -## Controls 4.1.2.2 and 4.1.2.3 - What to do when log files fill up -# This variable controls how the audit system behaves when -# log files are getting too full and space is getting too low. -ubtu22cis_auditd: - action_mail_acct: root - space_left_action: email - # This variable determines the action the audit system should take when disk - # space runs low. - # The options for setting this variable are as follows: - # - `ignore`: the system does nothing when presented with the aforementioned issue; - # - `syslog`: a message is sent to the system log about disk space running low; - # - `suspend`: the system suspends recording audit events until more space is available; - # - `halt`: the system is halted when disk space is critically low. - # - `single`: the audit daemon will put the computer system in single user mode - # CIS prescribes either `halt` or `single`. - admin_space_left_action: halt - # This variable determines what action the audit system should take when the maximum - # size of a log file is reached. 
- # The options for setting this variable are as follows: - # - `ignore`: the system does nothing when the size of a log file is full; - # - `syslog`: a message is sent to the system log indicating the problem; - # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated; - # - `rotate`: the log file is rotated (archived) and a new empty log file is created; - # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints. - # CIS prescribes the value `keep_logs`. - max_log_file_action: keep_logs - ## Controls 6.2.1.x journald -# This variable governs which logging system is used. -# The options for this variable are `rsyslog` or `journald`. -ubtu22cis_syslog_service: rsyslog # This variable specifies the address of the remote log host where logs are being sent. ubtu22cis_remote_log_server: 192.168.2.100 # This variable expresses whether the system is used as a log server or not. @@ -865,7 +831,7 @@ ubtu22cis_sshd_default_ciphers: ubtu22cis_sshd_default_macs: - hmac-sha1 - hmac-sha2-256 - - hmac-sha2-384 +# - hmac-sha2-384 # hashed out seen as bad ssh2 MAC - hmac-sha2-512 ubtu22cis_sshd_default_kex_algorithms: - ecdh-sha2-nistp256 @@ -976,6 +942,9 @@ ubtu22cis_pam_pwhistory_file: 'pwhistory' # 5.3.3.1.1 - faillock_deny ubtu22cis_faillock_deny: 3 +# 5.3.3.1.2 - faillock unlock time +ubtu22cis_faillock_unlock_time: 900 + # 5.3.3.1.3 - lock root # This allow optional - even_deny_root or root_unlock_time ubtu22cis_pamroot_lock_option: even_deny_root 
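Review bot: `hmac-sha1` is still the first entry of `ubtu22cis_sshd_default_macs` after this hunk removes `hmac-sha2-384`; if this list is what the role writes into the sshd `MACs` directive (the consuming task is outside the hunk), it keeps a MAC that the benchmark's sshd MAC control treats as weak, as far as I recall, so it deserves the same scrutiny as the entry being dropped. A dead list item `# - hmac-sha2-384 # hashed out seen as bad ssh2 MAC` also says nothing about why; a one-line note above the list such as `# hmac-sha2-384 omitted: not a MAC name OpenSSH offers, so sshd would reject it` (confirm against the target OpenSSH version) would let the entry be deleted outright.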
@@ -1102,6 +1071,21 @@ ubtu22cis_journald_runtimekeepfree: "#RuntimeKeepFree=" # ATTENTION: Uncomment the keyword below when values are set! ubtu22cis_journald_maxfilesec: "#MaxFileSec=" +## Controls 6.3.3.x - Audit template +# This variable is set to true by tasks 6.3.3.1 to 6.3.3.20. As a result, the +# audit settings are overwritten with the role's template. In order to exclude +# specific rules, you must set the variable of form `ubtu22cis_rule_4_1_3_x` above +# to `false`. +update_audit_template: false + +## Advanced option found in auditd post +## users whose actions are not logged by auditd +ubtu22cis_allow_auditd_uid_user_exclusions: false + +# add a list of uids +ubtu22cis_auditd_uid_exclude: + - 1999 + ## Control 6.3.1.4 - Ensure audit_backlog_limit is sufficient # This variable represents the audit backlog limit, i.e., the maximum number of audit records that the # system can buffer in memory, if the audit subsystem is unable to process them in real-time. 
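Review bot: The new comment under `## Controls 6.3.3.x - Audit template` still tells the user to exclude rules through `ubtu22cis_rule_4_1_3_x`, while the rule toggles in this file now follow the 6.x numbering; it should read `ubtu22cis_rule_6_3_3_x`. Separately, `ubtu22cis_auditd_uid_exclude` ships with a concrete uid (`1999`) even though exclusions are off by default, so anyone who flips `ubtu22cis_allow_auditd_uid_user_exclusions` to `true` without editing the list exempts that uid from audit logging (per the comment) without noticing. An empty default, `ubtu22cis_auditd_uid_exclude: []`, with the example uid moved into the comment, avoids that.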
@@ -1110,12 +1094,51 @@ ubtu22cis_journald_maxfilesec: "#MaxFileSec=" # This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value. ubtu22cis_audit_back_log_limit: 8192 +## Controls 6.3.2.x - What to do when log files fill up +# This variable controls how the audit system behaves when +# log files are getting too full and space is getting too low. +ubtu22cis_auditd: + action_mail_acct: root + space_left_action: email + # This variable determines the action the audit system should take when disk + # space runs low. + # The options for setting this variable are as follows: + # - `ignore`: the system does nothing when presented with the aforementioned issue; + # - `syslog`: a message is sent to the system log about disk space running low; + # - `suspend`: the system suspends recording audit events until more space is available; + # - `halt`: the system is halted when disk space is critically low. + # - `single`: the audit daemon will put the computer system in single user mode + # CIS prescribes either `halt` or `single`. + admin_space_left_action: halt + # This variable determines what action the audit system should take when the maximum + # size of a log file is reached. + # The options for setting this variable are as follows: + # - `ignore`: the system does nothing when the size of a log file is full; + # - `syslog`: a message is sent to the system log indicating the problem; + # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated; + # - `rotate`: the log file is rotated (archived) and a new empty log file is created; + # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints. + # CIS prescribes the value `keep_logs`. 
+ max_log_file_action: keep_logs + ## Control 6.3.2.1 - Ensure audit log storage size is configured # This variable specifies the maximum size in MB that an audit log file can reach # before it is archived or deleted to make space for the new audit data. # This should be set based on your sites policy. CIS does not provide a specific value. ubtu22cis_max_log_file_size: 10 +## Control 6.2.3.2 +# This variable determines what action the audit system should take when the maximum + # size of a log file is reached. + # The options for setting this variable are as follows: + # - `ignore`: the system does nothing when the size of a log file is full; + # - `syslog`: a message is sent to the system log indicating the problem; + # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated; + # - `rotate`: the log file is rotated (archived) and a new empty log file is created; + # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints. + # CIS prescribes the value `keep_logs`. +ubtu22cis_auditd_max_log_file_action: keep_logs + # Control 6.3.2.4 # Wait to do when space left is low. ubtu22cis_auditd_space_left_action: email From a56603f94075d37d15c0034b34480d3f25734071 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 11:16:42 +0100 Subject: [PATCH 030/135] tidy up 6.4.3.1-4 Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 8 +++++++- tasks/section_6/cis_6.3.4.x.yml | 26 +++++--------------------- 2 files changed, 12 insertions(+), 22 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index eff6ec60..64683432 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
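Review bot: `max_log_file_action` is now defined twice on the new side — once inside the `ubtu22cis_auditd` mapping and again as the flat `ubtu22cis_auditd_max_log_file_action` — each carrying the same nine-line option comment, and the hunk gives no indication which one the 6.3.2.x tasks read, so one of them should go (the flat form matches the sibling `ubtu22cis_auditd_space_left_action`). The heading `## Control 6.2.3.2` looks transposed, since its neighbours are `## Control 6.3.2.1` and `# Control 6.3.2.4`. The comment lines under that heading are also indented by one space at top level, which yamllint's comments-indentation rule will likely flag.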
@@ -274,12 +274,18 @@ - name: "PRELIM | AUDIT | 6.3.4.x | Capture information about auditd logfile path | discover file" when: - - ubtu22cis_rule_6_3_4_4 + - ubtu22cis_rule_6_3_4_1 or + ubtu22cis_rule_6_3_4_2 or + ubtu22cis_rule_6_3_4_3 or + ubtu22cis_rule_6_3_4_4 tags: - level2-server - level2-workstation - patch - auditd + - rule_6.3.4.1 + - rule_6.3.4.2 + - rule_6.3.4.3 - rule_6.3.4.4 ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'" changed_when: false diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml index bd37b219..3522c2ad 100644 --- a/tasks/section_6/cis_6.3.4.x.yml +++ b/tasks/section_6/cis_6.3.4.x.yml @@ -16,27 +16,11 @@ - rule_6.3.4.1 - rule_6.3.4.2 - rule_6.3.4.3 - block: - - name: "6.3.4.1 | AUDIT | Ensure audit log files mode is configured | discover file" - ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' - changed_when: false - register: discovered_audit_logfile - - - name: "6.3.4.1 | AUDIT | Ensure audit log files mode is configured | stat file" - ansible.builtin.stat: - path: "{{ discovered_audit_logfile.stdout }}" - changed_when: false - register: auditd_logfile - - - name: | - "6.3.4.1 | PATCH | Ensure audit log files mode is configured" - "6.3.4.2 | PATCH | Ensure audit log files owner is configured" - "6.3.4.3 | PATCH | Ensure audit log files group owner is configured" - ansible.builtin.file: - path: "{{ discovered_audit_logfile.stdout }}" - mode: "{% if auditd_logfile.stat.mode > '0640' %}0640{% endif %}" - owner: root - group: root + ansible.builtin.file: + path: "{{ prelim_auditd_logfile.stdout }}" + owner: root + group: root + mode: u-x,g-wx-o-rwx - name: "6.3.4.4 | PATCH | Ensure the audit log file directory mode is configured" when: From 8bf0743d57786315b6226835205f6c90b3d062d7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 11:17:05 +0100 Subject: [PATCH 031/135] 6.3.2.3 updated 
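Review bot: The replacement task in cis_6.3.4.x.yml passes `{{ prelim_auditd_logfile.stdout }}` straight to `ansible.builtin.file` with no guard for an empty result; the prelim task that registers it (the prelim.yml hunk in this same commit) is a `grep ^log_file ... | awk` pipeline, so when `log_file` is not set in auditd.conf the task receives an empty path and fails instead of falling back to auditd's default log location. Add a condition such as `- prelim_auditd_logfile.stdout | length > 0` to the task's `when:` (that block starts above the hunk), or have the prelim task supply a default with `| default(..., true)`. As written, `mode: u-x,g-wx-o-rwx` is also missing the comma before `o-rwx`, so the other-permission clause is not parsed as its own term and the world bits may not be cleared.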
Signed-off-by: Mark Bolwell --- defaults/main.yml | 46 ++++++++++++++------------------- tasks/section_6/cis_6.3.2.x.yml | 7 +++-- 2 files changed, 23 insertions(+), 30 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 06c69ffc..5dce1142 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -1095,32 +1095,6 @@ ubtu22cis_auditd_uid_exclude: ubtu22cis_audit_back_log_limit: 8192 ## Controls 6.3.2.x - What to do when log files fill up -# This variable controls how the audit system behaves when -# log files are getting too full and space is getting too low. -ubtu22cis_auditd: - action_mail_acct: root - space_left_action: email - # This variable determines the action the audit system should take when disk - # space runs low. - # The options for setting this variable are as follows: - # - `ignore`: the system does nothing when presented with the aforementioned issue; - # - `syslog`: a message is sent to the system log about disk space running low; - # - `suspend`: the system suspends recording audit events until more space is available; - # - `halt`: the system is halted when disk space is critically low. - # - `single`: the audit daemon will put the computer system in single user mode - # CIS prescribes either `halt` or `single`. - admin_space_left_action: halt - # This variable determines what action the audit system should take when the maximum - # size of a log file is reached. - # The options for setting this variable are as follows: - # - `ignore`: the system does nothing when the size of a log file is full; - # - `syslog`: a message is sent to the system log indicating the problem; - # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated; - # - `rotate`: the log file is rotated (archived) and a new empty log file is created; - # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints. - # CIS prescribes the value `keep_logs`. - max_log_file_action: keep_logs - ## Control 6.3.2.1 - Ensure audit log storage size is configured # This variable specifies the maximum size in MB that an audit log file can reach # before it is archived or deleted to make space for the new audit data. 
@@ -1139,6 +1113,26 @@ ubtu22cis_max_log_file_size: 10 # CIS prescribes the value `keep_logs`. ubtu22cis_auditd_max_log_file_action: keep_logs +## Control 6.2.3.3 +# This variable determines how the system should act in case of issues with disk +# The disk_full_action parameter tells the system what action to take when no free space is available on the partition that holds the audit log files. +# Valid values are ignore, syslog, rotate, exec, suspend, single, and halt. +# +# The disk_error_action parameter tells the system what action to take when an error is detected on the partition that holds the audit log files. +# Valid values are ignore, syslog, exec, suspend, single, and halt. +# +# CIS prescribes +# disk_full_action parameter: +# Set to halt - the auditd daemon will shutdown the system when the disk partition containing the audit logs becomes full. +# Set to single - the auditd daemon will put the computer system in single user mode when the disk partition containing the audit logs becomes full. +# +# disk_error_action parameter: +# Set to halt - the auditd daemon will shutdown the system when an error is detected on the partition that holds the audit log files. +# Set to single - the auditd daemon will put the computer system in single user mode when an error is detected on the partition that holds the audit log files. +# Set to syslog - the auditd daemon will issue no more than 5 consecutive warnings to syslog when an error is detected on the partition that holds the audit log files. +ubtu22cis_auditd_disk_full_action: halt +ubtu22cis_auditd_disk_error_action: syslog + # Control 6.3.2.4 # Wait to do when space left is low. ubtu22cis_auditd_space_left_action: email diff --git a/tasks/section_6/cis_6.3.2.x.yml b/tasks/section_6/cis_6.3.2.x.yml index b5188dfa..2ed32d21 100644 --- a/tasks/section_6/cis_6.3.2.x.yml +++ b/tasks/section_6/cis_6.3.2.x.yml 
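Review bot: The new heading `## Control 6.2.3.3` matches neither the `rule_6.3.2.3` tag on the task that consumes these variables nor the `# Control 6.3.2.4` heading directly below it; it should read `## Control 6.3.2.3`. The opening line `# This variable determines how the system should act in case of issues with disk` describes two variables, not one, so `# These two variables determine ...` would be accurate. The option list also names `exec` as valid for both parameters; if the role cannot carry the program path that value needs, say so in the comment rather than listing it as a supported choice.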
@@ -40,15 +40,14 @@ - patch - rule_6.3.2.3 - auditd + notify: Restart auditd ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" with_items: - - { regexp: '^space_left_action', line: "space_left_action = {{ ubtu22cis_auditd['space_left_action'] }}" } - - { regexp: '^action_mail_acct', line: "action_mail_acct = {{ ubtu22cis_auditd['action_mail_acct'] }}" } - - { regexp: '^admin_space_left_action', line: "admin_space_left_action = {{ ubtu22cis_auditd['admin_space_left_action'] }}" } - notify: Restart auditd + - { regexp: '^disk_full_action', line: "disk_full_action = {{ ubtu22cis_auditd_disk_full_action }}" } + - { regexp: '^disk_error_action', line: "disk_error_action = {{ ubtu22cis_auditd_disk_error_action }}" } - name: "6.3.2.4 | PATCH | Ensure system warns when audit logs are low on space" when: From 9653e6b7760cbefa5432ef0dda113c0383e07591 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 11:32:15 +0100 Subject: [PATCH 032/135] fix 6.2.1.2.3 Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.1.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.2.1.2.x.yml b/tasks/section_6/cis_6.2.1.2.x.yml index 79de3875..049d36cf 100644 --- a/tasks/section_6/cis_6.2.1.2.x.yml +++ b/tasks/section_6/cis_6.2.1.2.x.yml @@ -47,7 +47,7 @@ - rule_6.2.1.2.3 ansible.builtin.systemd: name: systemd-journal-upload - state: started + masked: false enabled: true - name: "6.2.1.2.4 | PATCH | Ensure systemd-journal-remote service is not in use" From c35ff9d4deb1af2cd6df5a48647997b017e22254 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 11:41:35 +0100 Subject: [PATCH 033/135] tidy up Signed-off-by: Mark Bolwell --- defaults/main.yml | 86 +++++++++++++++++++++++------------------------ 1 file changed, 43 insertions(+), 43 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5dce1142..df9b91da 100644 --- a/defaults/main.yml 
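Review bot: The 6.3.2.3 task now writes only `disk_full_action` and `disk_error_action`; `action_mail_acct` and `admin_space_left_action`, which the removed items handled, are no longer written by this task, and the only other auditd.conf task visible is 6.3.2.4 (it starts below the hunk). If 6.3.2.4 does not also set those two keys, they become unmanaged after this commit even though the defaults file documented `admin_space_left_action: halt` as the CIS value — worth confirming against that task before merging. Moving `notify: Restart auditd` above the module keyword is fine; the handler still only fires when one of the two `lineinfile` items changes the file.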
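Review bot: Replacing `state: started` with `masked: false` leaves `systemd-journal-upload` unmasked and enabled for the next boot but no longer started in the current run, so a host stays non-compliant until it reboots if the control (presumably "enabled and active", going by the neighbouring task titles) expects the unit to be running. If `state: started` was dropped because the unit cannot start before its upload target is configured, keep all three keys — `masked: false`, `enabled: true`, `state: started` — and order the task after that configuration instead.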
+++ b/defaults/main.yml @@ -618,21 +618,22 @@ ubtu22cis_purge_apt: false # Possible values are `tmp_systemd` or `fstab`- expected_tmp_mnt: fstab -## Control 1.3.1 - allow aide to be configured -# AIDE is a file integrity checking tool, similar in nature to Tripwire. -# While it cannot prevent intrusions, it can detect unauthorized changes -# to configuration files by alerting when the files are changed. Review -# the AIDE quick start guide and AIDE documentation before proceeding. -# By setting this variable to `true`, all of the settings related to AIDE will be applied! -ubtu22cis_config_aide: true +## Controls 1.3.1.x - apparmor +# AppArmor security policies define what system resources applications can access and their privileges. +# This automatically limits the damage that the software can do to files accessible by the calling user. +# The following variables are related to the set of rules from section 1.6.1.x -## When Initializing aide this can take longer on some systems -# changing the values enables user to change to thier own requirements -ubtu22cis_aide_init: - # Maximum Time in seconds - async: 45 - # Polling Interval in seconds - poll: 0 +## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode + +# This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4 +# regarding enforcing profiles or putting them in complain mode +ubtu22cis_apparmor_disable: false + +# This variable specifies whether enforce mode or complain mode is set in Control 1.3.1.3. +# Possible values are `enforce` and `complain`. +# ATTENTION: if Control 1.3.1.4 is run (e.g., when running level 2 rules), it OVERRIDES control 1.3.1.3 +# and sets `enforce` mode, no matter what this variable's value is. +ubtu22cis_apparmor_mode: complain ## Controls 1.4.x - Boot password # 
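Review bot: The relocated AppArmor block still says `The following variables are related to the set of rules from section 1.6.1.x` while every other reference in the same added lines was renumbered to 1.3.1.x; it should read `section 1.3.1.x`. The heading `Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode` would also be clearer as two headings, one per variable, since `ubtu22cis_apparmor_disable` and `ubtu22cis_apparmor_mode` control different things.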
@@ -652,25 +653,8 @@ ubtu22cis_grub_file: /boot/grub/grub.cfg # Ability to set file in which the kernel systcl changes are placed ubtu22cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf -## Controls 1.6.1.x - apparmor -# AppArmor security policies define what system resources applications can access and their privileges. -# This automatically limits the damage that the software can do to files accessible by the calling user. -# The following variables are related to the set of rules from section 1.6.1.x - -## Controls 1.6.1.3 and 1.6.1.4 Ensure all AppArmor Profiles are in enforce (1.6.1.3/4) or complain (1.6.1.3) mode - -# This variable disables the implementation of rules 1.6.1.3 and 1.6.1.4 -# regarding enforcing profiles or putting them in complain mode -ubtu22cis_apparmor_disable: false - -# This variable specifies whether enforce mode or complain mode is set in Control 1.6.1.3. -# Possible values are `enforce` and `complain`. -# ATTENTION: if Control 1.6.1.4 is run (e.g., when running level 2 rules), it OVERRIDES control 1.6.1.3 -# and sets `enforce` mode, no matter what this variable's value is. -ubtu22cis_apparmor_mode: complain - -## Controls 1.7.x - Warning banners -# The controls 1.7.x set various warning banners and protect the respective files +## Controls 1.6.x - Warning banners +# The controls 1.6.x set various warning banners and protect the respective files # by tightening the access rights. # This variable specifies the warning banner displayed to the user @@ -683,7 +667,7 @@ ubtu22cis_warning_banner: | # This variable governs, whether dynamic motd is disabled (as required by control 1.7.1) ubtu22cis_disable_dynamic_motd: true -## Controls 1.8.x - Settings for GDM +## Controls 1.7.x - Settings for GDM # This variable specifies the GNOME configuration database file to which configurations are written. # (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) # The default database is `local`. 
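Review bot: The renumbering in the second hunk (@@ -683) misses the context line `# This variable governs, whether dynamic motd is disabled (as required by control 1.7.1)`, which now sits under the `## Controls 1.6.x - Warning banners` heading; presumably it should cite the 1.6.x motd control. A grep for `1.7.` and `1.8.` across defaults/main.yml would catch any other references that this move left stale.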
@@ -697,14 +681,14 @@ ubtu22cis_screensaver_lock_delay: 5 ## Section 2 Control Variables ## -## Control 2.1.1.1 +## Control 2.3.1.1 # This variable choses the tool used for time synchronization -# The three options are `chrony`, `ntp`, and `systemd-timesyncd`. -ubtu22cis_time_sync_tool: "ntp" +# The two options are `chrony`and `systemd-timesyncd`. +ubtu22cis_time_sync_tool: "chrony" -## Controls 2.1.2.1 2.1.3.1, 2.1.4.1 - Configure time pools & servers for chrony, timesyncd, and ntp +## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd # The following variable represents a list of of time server pools used -# for configuring chrony, timesyncd, and ntp. +# for configuring chrony and timesyncd. # Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`. # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation # of the time synchronization mechanism you are using. @@ -712,7 +696,7 @@ ubtu22cis_time_pool: - name: time.nist.gov options: iburst maxsources 4 # The following variable represents a list of of time servers used -# for configuring chrony, timesyncd, and ntp. +# for configuring chrony and timesyncd # Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`. # The default setting for the `options` is `iburst` -- please refer to the documentation # of the time synchronization mechanism you are using. 
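Review bot: The default for `ubtu22cis_time_sync_tool` changes from `ntp` to `chrony` and `ntp` disappears from the documented options, but nothing in the hunk rejects the old value, so an inventory that still sets `ntp` passes through silently and the time-sync controls may simply not run. If the role does not already assert this variable (not visible here), an `ansible.builtin.assert` in prelim with `that: ubtu22cis_time_sync_tool in ['chrony', 'systemd-timesyncd']` would surface it. The comment also needs a space in `chrony`and`, and `a list of of time server pools` has a doubled word.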
@@ -1015,9 +999,25 @@ ubtu22cis_pass: # 5.4.2.6 root umask ubtu22cis_root_umask: '0027' # 0027 or more restrictive -### -# Section 6 -### +## +## Section 6 Control Variables +## +## Control 6.1.x - allow aide to be configured +# AIDE is a file integrity checking tool, similar in nature to Tripwire. +# While it cannot prevent intrusions, it can detect unauthorized changes +# to configuration files by alerting when the files are changed. Review +# the AIDE quick start guide and AIDE documentation before proceeding. +# By setting this variable to `true`, all of the settings related to AIDE will be applied! +ubtu22cis_config_aide: true + +## When Initializing aide this can take longer on some systems +# changing the values enables user to change to thier own requirements +ubtu22cis_aide_init: + # Maximum Time in seconds + async: 45 + # Polling Interval in seconds + poll: 0 + ## Control 6.1.2 # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. # The sub-settings of this variable provide the parameters required to configure From d967816d6b8936bb2430f2ab7ed33df91b9ff239 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 11:41:43 +0100 Subject: [PATCH 034/135] fix mode in quotes Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 2254a666..9d1ab241 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -16,7 +16,7 @@ regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" create: true - mode: 0600 + mode: '0600' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | blacklist" ansible.builtin.lineinfile: From f710cc246f105cd647b654affe3a2dcbdfb975e9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 11:41:54 +0100 Subject: [PATCH 035/135] remove empty line 
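Review bot: `ubtu22cis_aide_init` documents `poll` as a polling interval, but with `poll: 0` Ansible does not wait for an async task at all, so if the AIDE initialisation task uses these values as `async`/`poll` (that task is outside this hunk) the play continues before the database exists and any later step that depends on it sees a missing or partial file. The comment should state that, e.g. `# Polling interval in seconds; 0 runs the init in the background without waiting for it`, or the default should be a non-zero poll with `async` raised accordingly. `thier` → `their` in the same block.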
Signed-off-by: Mark Bolwell --- .../etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2 index 8ebb926c..7e1672e6 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2 @@ -1,4 +1,3 @@ # CIS Configurations # 5.3.3.2.7 Ensure password quality checking is enforced enforcing = {{ ubtu22cis_passwd_quality_enforce_value }} - From eeb9c030f04b3dc5d1dd063301ca9804c1367d75 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 11:49:51 +0100 Subject: [PATCH 036/135] lint updates Signed-off-by: Mark Bolwell --- defaults/main.yml | 57 ++++++++++++++++----------------- handlers/main.yml | 4 +-- tasks/prelim.yml | 24 +++++++------- tasks/section_5/cis_5.4.2.x.yml | 8 ++--- 4 files changed, 45 insertions(+), 48 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index df9b91da..f738e344 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -724,7 +724,6 @@ ubtu22cis_ipv6_disable: grub # it, ensuring that wireless interfaces are disabled will not be possible! ubtu22cis_install_network_manager: true - ## Control 3.1.3 - Ensure bluetooth Services are not in use # This control managed how the bluetooth service is managaed # Options are @@ -815,7 +814,7 @@ ubtu22cis_sshd_default_ciphers: ubtu22cis_sshd_default_macs: - hmac-sha1 - hmac-sha2-256 -# - hmac-sha2-384 # hashed out seen as bad ssh2 MAC + # - hmac-sha2-384 # hashed out seen as bad ssh2 MAC - hmac-sha2-512 ubtu22cis_sshd_default_kex_algorithms: - ecdh-sha2-nistp256 
@@ -935,15 +934,15 @@ ubtu22cis_pamroot_lock_option: even_deny_root ubtu22cis_pamroot_lock_string: even_deny_root # 5.3.3.2.1 - password difok -ubtu22cis_passwd_difok_file: etc/security/pwquality.conf.d/50-pwdifok.conf +ubtu22cis_passwd_difok_file: etc/security/pwquality.conf.d/50-pwdifok.conf # pragma: allowlist secret ubtu22cis_passwd_difok_value: 2 # 5.3.3.2.2 - password minlength -ubtu22cis_passwd_minlen_file: etc/security/pwquality.conf.d/50-pwlength.conf +ubtu22cis_passwd_minlen_file: etc/security/pwquality.conf.d/50-pwlength.conf # pragma: allowlist secret ubtu22cis_passwd_minlen_value: 14 # 5.3.3.2.3 - password complex -ubtu22cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf +ubtu22cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf # pragma: allowlist secret ubtu22cis_passwd_minclass: 3 ubtu22cis_passwd_dcredit: -1 ubtu22cis_passwd_ucredit: -2 
@@ -951,24 +950,24 @@ ubtu22cis_passwd_ocredit: 0 ubtu22cis_passwd_lcredit: -2 # 5.3.3.2.4 - password maxrepeat -ubtu22cis_passwd_maxrepeat_file: etc/security/pwquality.conf.d/50-pwrepeat.conf +ubtu22cis_passwd_maxrepeat_file: etc/security/pwquality.conf.d/50-pwrepeat.conf # pragma: allowlist secret ubtu22cis_passwd_maxrepeat_value: 3 # 5.3.3.2.5 - password maxsequence -ubtu22cis_passwd_maxsequence_file: etc/security/pwquality.conf.d/50-pwmaxsequence.conf +ubtu22cis_passwd_maxsequence_file: etc/security/pwquality.conf.d/50-pwmaxsequence.conf # pragma: allowlist secret ubtu22cis_passwd_maxsequence_value: 3 # 5.3.3.2.6 - password dictcheck -ubtu22cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.conf +ubtu22cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.conf # pragma: allowlist secret ubtu22cis_passwd_dictcheck_value: 1 # 5.3.3.2.7 - password quality enforce -ubtu22cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf +ubtu22cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf # pragma: allowlist secret ubtu22cis_passwd_quality_enforce_value: 1 # 5.3.3.2.8 - password quality enforce for root included with 5.3.3.2.7 -ubtu22cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf -ubtu22cis_passwd_quality_enforce_root_value: enforce_for_root +ubtu22cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf # pragma: allowlist secret +ubtu22cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowlist secret ## 5.3.3.3 Configure pam_pwhistory module # Uses value for ubtu22cis_pam_pwhistory_file in 5.3.2.4 
@@ -1103,14 +1102,14 @@ ubtu22cis_max_log_file_size: 10 ## Control 6.2.3.2 # This variable determines what action the audit system should take when the maximum - # size of a log file is reached. - # The options for setting this variable are as follows: - # - `ignore`: the system does nothing when the size of a log file is full; - # - `syslog`: a message is sent to the system log indicating the problem; - # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated; - # - `rotate`: the log file is rotated (archived) and a new empty log file is created; - # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints. - # CIS prescribes the value `keep_logs`. +# size of a log file is reached. +# The options for setting this variable are as follows: +# - `ignore`: the system does nothing when the size of a log file is full; +# - `syslog`: a message is sent to the system log indicating the problem; +# - `suspend`: the system suspends recording audit events until the log file is cleared or rotated; +# - `rotate`: the log file is rotated (archived) and a new empty log file is created; +# - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints. +# CIS prescribes the value `keep_logs`. ubtu22cis_auditd_max_log_file_action: keep_logs ## Control 6.2.3.3 
@@ -1182,20 +1181,18 @@ ubtu22cis_bash_umask: '027' ## Control 5.4.3.2 - Configuring user shell timeout # This dictionary is related to ensuring the rule about user shell timeout - # This variable represents the amount of seconds a command or process is allowed to - # run before being forcefully terminated. - # CIS requires a value of at most 900 seconds. +# This variable represents the amount of seconds a command or process is allowed to +# run before being forcefully terminated. +# CIS requires a value of at most 900 seconds. ubtu22cis_shell_session_timeout: 900 - # This variable specifies the path of the timeout setting file. - # (TMOUT setting can be set in multiple files, but only one is required for the - # rule to pass. Options are: - # - a file in `/etc/profile.d/` ending in `.s`, - # - `/etc/profile`, or - # - `/etc/bash.bashrc`. +# This variable specifies the path of the timeout setting file. +# (TMOUT setting can be set in multiple files, but only one is required for the +# rule to pass. Options are: +# - a file in `/etc/profile.d/` ending in `.s`, +# - `/etc/profile`, or +# - `/etc/bash.bashrc`. ubtu22cis_shell_session_file: /etc/profile.d/tmout.sh - - ## ## Section 6 Control Variables ## diff --git a/handlers/main.yml b/handlers/main.yml index 5e1c7738..7d6c44b6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -31,7 +31,7 @@ with_items: - "{{ ansible_facts.mounts }}" loop_control: - label: "{{ item.device }}" + label: "{{ item.device }}" listen: Writing and remounting tmp - name: Update_Initramfs @@ -133,7 +133,7 @@ - name: Reload ufw community.general.ufw: - state: reloaded + state: reloaded - name: Iptables persistent ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 64683432..6c59bed0 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -274,19 +274,19 @@ - name: "PRELIM | AUDIT | 6.3.4.x | Capture information about auditd logfile path | discover file" when: - - ubtu22cis_rule_6_3_4_1 or - ubtu22cis_rule_6_3_4_2 or - ubtu22cis_rule_6_3_4_3 or - ubtu22cis_rule_6_3_4_4 + - ubtu22cis_rule_6_3_4_1 or + ubtu22cis_rule_6_3_4_2 or + ubtu22cis_rule_6_3_4_3 or + ubtu22cis_rule_6_3_4_4 tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_6.3.4.1 - - rule_6.3.4.2 - - rule_6.3.4.3 - - rule_6.3.4.4 + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.4.1 + - rule_6.3.4.2 + - rule_6.3.4.3 + - rule_6.3.4.4 ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'" changed_when: false failed_when: prelim_auditd_logfile.rc not in [0, 1] diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index 8fb3abe9..275abb57 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -65,8 +65,8 @@ - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group | Warning if others gid 0 groups" when: - - discovered_gid0_groups is defined - - discovered_gid0_groups.stdout | length > 0 + - discovered_gid0_groups is defined + - discovered_gid0_groups.stdout | length > 0 ansible.builtin.debug: msg: - "Warning!! You have other groups assigned to GID 0 - Please resolve" @@ -74,8 +74,8 @@ - name: "5.4.2.3 | WARN | Ensure group root is the only GID 0 group | warn_count" when: - - discovered_gid0_groups is defined - - discovered_gid0_groups.stdout | length > 0 + - discovered_gid0_groups is defined + - discovered_gid0_groups.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml vars: From 65e10cce2f1b8db9840d15961390fc2359246911 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 12:19:22 +0100 Subject: [PATCH 037/135] fix typo Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.3.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml index 3522c2ad..1eb74fab 100644 --- a/tasks/section_6/cis_6.3.4.x.yml +++ b/tasks/section_6/cis_6.3.4.x.yml @@ -20,7 +20,7 @@ path: "{{ prelim_auditd_logfile.stdout }}" owner: root group: root - mode: u-x,g-wx-o-rwx + mode: u-x,g-wx,o-rwx - name: "6.3.4.4 | PATCH | Ensure the audit log file directory mode is configured" when: From bd31db516279cda124a242b7fbccb0f3759e551b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 12:19:39 +0100 Subject: [PATCH 038/135] update comments Signed-off-by: Mark Bolwell --- defaults/main.yml | 43 +++++++++++++++++++++++++------------------ 1 file changed, 25 insertions(+), 18 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f738e344..54182b45 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -890,37 +890,44 @@ ubtu22cis_sshd: ## 5.3.2.x # Path to find templates and where to put file for pam-auth ubtu22cis_pam_confd_dir: 'usr/share/pam-config.d/' +### Note: controls also managed with disruption high due to the nature of pam changes +# Create file will create/replace with the name # Controls 5.3.2.1 - pam_unix -# Note: controls also managed with disruption high due to the nature of pam changes -# Allow pam-auth-update --enable unix to run -# should not be enabled if allowing custom config that enabled pam_faillock -ubtu22cis_pam_create_pamunix_file: false -ubtu22cis_pam_auth_unix: false +# Name of file ubtu22cis_pam_pwunix_file: 'pam_unix' +# Should NOT be enabled if allowing custom config that enabled pam_faillock +ubtu22cis_pam_create_pamunix_file: false +# Allow pam-auth-update --enable ubtu22cis_pam_pwunix_file to run +ubtu22cis_pam_auth_unix: true # 5.3.2.2 - pam_faillock -# Enables pam auth update with new files -ubtu22cis_pam_auth_faillock: false -# Will create file - change paths to existing files if managed elsewhere -ubtu22cis_pam_create_faillock_files: false +# Name of files ubtu22cis_pam_faillock_file: 'faillock' ubtu22cis_pam_faillock_notify_file: 'faillock_notify' +# Allow pam-auth-update --enable ubtu22cis_pam_faillock_file +# and +# Allow pam-auth-update --enable ubtu22cis_pam_faillock_notify_file +ubtu22cis_pam_auth_faillock: true +# Allow new file to be created or overwrite existing with same name +ubtu22cis_pam_create_faillock_files: true # 5.3.2.3 - pam_pwquality -# Enables pam auth update with new files -ubtu22cis_pam_auth_pwquality: false -# Will create file - change paths to existing files if managed elsewhere -ubtu22cis_pam_create_pwquality_files: false +# Name of files ubtu22cis_pam_pwquality_file: 'pwquality' +# Allow new file to be created or overwrite existing with same name +ubtu22cis_pam_create_pwquality_files: true +# Allow pam-auth-update --enable ubtu22cis_pam_pwquality_file +ubtu22cis_pam_auth_pwquality: true # 
5.3.2.4 - pam_pwhistory -# Enables pam auth update with new files -ubtu22cis_pam_auth_pwhistory: false -# Will create file - change paths to existing files if managed elsewhere -# filepath also affects controls 5.3.3.3.1, 5.3.3.3.2, 5.3.3.3.3 -ubtu22cis_pam_create_pwhistory_files: false +# Name of file ubtu22cis_pam_pwhistory_file: 'pwhistory' +# Allow new file to be created or overwrite existing with same name +# filepath also affects controls 5.3.3.3.1, 5.3.3.3.2, 5.3.3.3.3 +ubtu22cis_pam_create_pwhistory_files: true +# Allow pam-auth-update --enable ubtu22cis_pam_pwhistory_file +ubtu22cis_pam_auth_pwhistory: true # 5.3.3.1.1 - faillock_deny ubtu22cis_faillock_deny: 3 From ea9fec3b28a30a63b595689304828654b16b819f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 12:19:45 +0100 Subject: [PATCH 039/135] lint Signed-off-by: Mark Bolwell --- tasks/parse_etc_password.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 605cb442..cc591182 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml 
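Review bot: Seven defaults in this hunk flip from `false` to `true` (`ubtu22cis_pam_auth_unix`, `ubtu22cis_pam_auth_faillock`, `ubtu22cis_pam_create_faillock_files`, `ubtu22cis_pam_create_pwquality_files`, `ubtu22cis_pam_auth_pwquality`, `ubtu22cis_pam_create_pwhistory_files`, `ubtu22cis_pam_auth_pwhistory`), which the "update comments" subject does not signal; with these on, the role overwrites profiles under `ubtu22cis_pam_confd_dir` and runs `pam-auth-update --enable` out of the box, and that deserves a changelog entry given the "disruption high" note the hunk itself adds. The pam_unix pair also looks inconsistent: `ubtu22cis_pam_create_pamunix_file` stays `false` while `ubtu22cis_pam_auth_unix` becomes `true`, so the enable targets a profile named by `ubtu22cis_pam_pwunix_file` (`pam_unix`) that nothing creates by default — presumably fine only if a profile of that name already exists on the host, which is worth confirming. The header comment `# Create file will create/replace with the name` is too terse; I would write `# The *_create_* flags write the role's template to <ubtu22cis_pam_confd_dir>/<*_file> and replace any existing profile of that name`.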
@@ -4,18 +4,18 @@ tags: - always block: - - name: "PRELIM | Parse /etc/passwd | Get /etc/password contents" - ansible.builtin.shell: cat /etc/passwd - changed_when: false - check_mode: false - register: ubtu22cis_passwd_file_audit + - name: "PRELIM | Parse /etc/passwd | Get /etc/password contents" + ansible.builtin.shell: cat /etc/passwd + changed_when: false + check_mode: false + register: ubtu22cis_passwd_file_audit - - name: "PRELIM | Parse /etc/passwd | Split passwd entries" - ansible.builtin.set_fact: - ubtu22cis_passwd: "{{ ubtu22cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" + - name: "PRELIM | Parse /etc/passwd | Split passwd entries" + ansible.builtin.set_fact: + ubtu22cis_passwd: "{{ ubtu22cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" - with_items: "{{ ubtu22cis_passwd_file_audit.stdout_lines }}" - vars: + with_items: "{{ ubtu22cis_passwd_file_audit.stdout_lines }}" + vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) ld_passwd_yaml: | From 477c6d0097eac620252a0fdec2dbcae791d8f7ef Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 12:20:01 +0100 Subject: [PATCH 040/135] add pragma Signed-off-by: Mark Bolwell --- templates/usr/share/pam-config/pwquality.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/usr/share/pam-config/pwquality.j2 b/templates/usr/share/pam-config/pwquality.j2 index 50638987..18e8dd48 100644 --- a/templates/usr/share/pam-config/pwquality.j2 +++ b/templates/usr/share/pam-config/pwquality.j2 @@ -4,5 +4,5 @@ Priority: 1024 Conflicts: cracklib Password-Type: Primary Password: - requisite pam_pwquality.so retry=3 + requisite pam_pwquality.so retry=3 {# # pragma: allowlist secret #} Password-Initial: requisite From d60280ba94f5705645b4b4d13e47238b31590dca Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Tue, 2 Jul 2024 13:53:21 +0100 Subject: [PATCH 041/135] fix directory layout Signed-off-by: Mark Bolwell --- templates/usr/share/{pam-config => pam-configs}/faillock.j2 | 0 .../usr/share/{pam-config => pam-configs}/faillock_notify.j2 | 0 templates/usr/share/{pam-config => pam-configs}/pam_unix.j2 | 0 templates/usr/share/{pam-config => pam-configs}/pwhistory.j2 | 0 templates/usr/share/{pam-config => pam-configs}/pwquality.j2 | 0 5 files changed, 0 insertions(+), 0 deletions(-) rename templates/usr/share/{pam-config => pam-configs}/faillock.j2 (100%) rename templates/usr/share/{pam-config => pam-configs}/faillock_notify.j2 (100%) rename templates/usr/share/{pam-config => pam-configs}/pam_unix.j2 (100%) rename templates/usr/share/{pam-config => pam-configs}/pwhistory.j2 (100%) rename templates/usr/share/{pam-config => pam-configs}/pwquality.j2 (100%) diff --git a/templates/usr/share/pam-config/faillock.j2 b/templates/usr/share/pam-configs/faillock.j2 similarity index 100% rename from templates/usr/share/pam-config/faillock.j2 rename to templates/usr/share/pam-configs/faillock.j2 diff --git a/templates/usr/share/pam-config/faillock_notify.j2 b/templates/usr/share/pam-configs/faillock_notify.j2 similarity index 100% rename from templates/usr/share/pam-config/faillock_notify.j2 rename to templates/usr/share/pam-configs/faillock_notify.j2 diff --git a/templates/usr/share/pam-config/pam_unix.j2 b/templates/usr/share/pam-configs/pam_unix.j2 similarity index 100% rename from templates/usr/share/pam-config/pam_unix.j2 rename to templates/usr/share/pam-configs/pam_unix.j2 diff --git a/templates/usr/share/pam-config/pwhistory.j2 b/templates/usr/share/pam-configs/pwhistory.j2 similarity index 100% rename from templates/usr/share/pam-config/pwhistory.j2 rename to templates/usr/share/pam-configs/pwhistory.j2 
diff --git a/templates/usr/share/pam-config/pwquality.j2 b/templates/usr/share/pam-configs/pwquality.j2 similarity index 100% rename from templates/usr/share/pam-config/pwquality.j2 rename to templates/usr/share/pam-configs/pwquality.j2 From 6b5e1c7f667bd92867dca2d5420b60c61b69001c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 13:53:33 +0100 Subject: [PATCH 042/135] typo resolved Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ++-- tasks/section_6/cis_6.2.2.yml | 26 +++++++++++++++++++------- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 54182b45..b17c90b0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -438,7 +438,7 @@ ubtu22cis_rule_6_2_1_2_2: true ubtu22cis_rule_6_2_1_2_3: true ubtu22cis_rule_6_2_1_2_4: true # 6.2.2 Configure Logfiles -ubtu22cis_rule_6_2_2: true +ubtu22cis_rule_6_2_2_1: true # 6.3.1 Configure auditd Service ubtu22cis_rule_6_3_1_1: true ubtu22cis_rule_6_3_1_2: true @@ -889,7 +889,7 @@ ubtu22cis_sshd: ## 5.3.2.x # Path to find templates and where to put file for pam-auth -ubtu22cis_pam_confd_dir: 'usr/share/pam-config.d/' +ubtu22cis_pam_confd_dir: 'usr/share/pam-configs/' ### Note: controls also managed with disruption high due to the nature of pam changes # Create file will create/replace with the name diff --git a/tasks/section_6/cis_6.2.2.yml b/tasks/section_6/cis_6.2.2.yml index 1d4b967c..4b3da72c 100644 --- a/tasks/section_6/cis_6.2.2.yml +++ b/tasks/section_6/cis_6.2.2.yml 
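Review bot: Renaming `ubtu22cis_rule_6_2_2` to `ubtu22cis_rule_6_2_2_1` silently breaks any inventory or extra-vars that still set the old name, and a "typo resolved" subject will not lead users to it; note the rename in the changelog, and a shim such as `ubtu22cis_rule_6_2_2_1: "{{ ubtu22cis_rule_6_2_2 | default(true) }}"` would keep old overrides working for a release. The second hunk's `ubtu22cis_pam_confd_dir: 'usr/share/pam-configs/'` is deliberately without a leading slash because the tasks build the target as `/{{ ubtu22cis_pam_confd_dir }}` and the template source without it; a comment saying so, `# relative on purpose: used as the template subdir and, with a leading slash, as the target dir`, would stop the next reader from "fixing" it.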
@@ -1,35 +1,47 @@ --- -- name: "6.2.2 | PATCH | Ensure access to all logfiles has been configured" +- name: "6.2.2.1 | PATCH | Ensure access to all logfiles has been configured" when: - - ubtu22cis_rule_6_2_2 + - ubtu22cis_rule_6_2_2_1 tags: - level1-server - level1-workstation - patch - logfiles - - rule_6.2.2 + - rule_6.2.2.1 block: - - name: "6.2.2 | AUDIT | Ensure access to all logfiles has been configured | find files" + - name: "6.2.2.1 | AUDIT | Ensure access to all logfiles has been configured | find files" ansible.builtin.shell: find /var/log/ -type f -perm /g+wx,o+rwx -exec ls {} \; changed_when: false failed_when: false register: discovered_logfiles - - name: "6.2.2 | AUDIT | Ensure access to all logfiles has been configured | set_fact" + - name: "6.2.2.1 | AUDIT | Ensure access to all logfiles has been configured | set_fact" ansible.builtin.set_fact: discovered_logfiles_flattened: "{{ discovered_logfiles | json_query('stdout_lines[*]') | flatten }}" # noqa: jinja[invalid] when: - discovered_logfiles.stdout_lines | length > 0 - discovered_logfiles is defined - - name: "6.2.2 | PATCH | Ensure access to all logfiles has been configured | change permissions" + - name: "6.2.2.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" ansible.builtin.file: path: "{{ item }}" - mode: g-rx,o-rwx + mode: u-x,g-wx,o-rwx loop: "{{ discovered_logfiles_flattened }}" when: - discovered_logfiles_flattened is defined - item != "/var/log/btmp" - item != "/var/log/utmp" - item != "/var/log/wtmp" + - item != "/var/log/lastlog" + + - name: "6.2.2.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" + ansible.builtin.file: + path: "{{ item.file }}" + mode: "{{ item.mode | default('ug-x,o-wx') }}" + with_fileglob: + - { file: /var/log/*tmp } + - { file: /var/log/lastlog* } + - { file: /var/log/sssd* } + - { file: /var/log/SSSD* } + From a69e16334856dedddad294b7405621e39487943f Mon Sep 17 00:00:00 2001 
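Review bot: `with_fileglob` is a lookup and therefore globs the controller's filesystem, not the managed host's, so the new task at the end of the hunk changes the modes of whatever `/var/log/*tmp`, `/var/log/lastlog*`, `/var/log/sssd*` and `/var/log/SSSD*` happen to exist on the control node; the same applies to the rewritten form of this task in commit 045, where the `with_fileglob` remains, and `/var/log/sssd` is a directory that a file glob will not descend into. Run `ansible.builtin.find` on the target instead (`paths: /var/log`, `patterns: ['*tmp', 'lastlog*']`, plus a second call with `paths: [/var/log/sssd, /var/log/SSSD]` and `recurse: true`) and loop over `discovered.files | map(attribute='path')`. The exclusion list in the first change-permissions task only skips the exact names `btmp`/`utmp`/`wtmp`/`lastlog`, so rotated copies such as `wtmp.1` or `btmp-YYYYMMDD` still receive `u-x,g-wx,o-rwx` from it before the second task could widen them again.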
From: Mark Bolwell Date: Tue, 2 Jul 2024 13:53:43 +0100 Subject: [PATCH 043/135] moved conditional to tag Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.3.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 1a98328b..861ecf9c 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -52,13 +52,13 @@ - ubtu22cis_rule_5_3_2_3 - ubtu22cis_disruption_high - ubtu22cis_pam_create_pwquality_files - - pam_quality tags: - level1-server - level1-workstation - patch - rule_5.3.2.3 - Pam_auth_update + - pam_quality ansible.builtin.template: src: "{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwquality_file }}.j2" dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwquality_file }}" @@ -72,13 +72,13 @@ - ubtu22cis_rule_5_3_2_4 - ubtu22cis_disruption_high - ubtu22cis_pam_create_pwhistory_files - - pam_history tags: - level1-server - level1-workstation - patch - rule_5.3.2.4 - Pam_auth_update + - pam_history ansible.builtin.template: src: "{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}.j2" dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" From 0d95f2410073da836f2997cff79a68ebc7d85692 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 2 Jul 2024 14:23:19 +0100 Subject: [PATCH 044/135] improved mail 2.1.21 Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 52 +++++++++++++++++++++++++++++++---- 1 file changed, 46 insertions(+), 6 deletions(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 24641852..048b1392 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -654,7 +654,6 @@ - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode" when: - not ubtu22cis_is_mail_server - - "'postfix' in ansible_facts.packages" - ubtu22cis_rule_2_1_21 tags: - level1-server 
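Review bot: The tags added here, `pam_quality` and `pam_history`, do not match the module names used everywhere else in this file (`pwquality`, `pwhistory`, as in `ubtu22cis_pam_pwquality_file` and `ubtu22cis_pam_pwhistory_file`), and the neighbouring `Pam_auth_update` is the only capitalised tag in the list; a consistent lowercase set such as `- pam_pwquality` / `- pam_pwhistory` makes `--tags` and `--skip-tags` predictable. Moving them out of `when` is right, since as conditions they referenced variables that do not exist. Both hunks cut the task in the middle: the `when` list starts before the hunk and the `ansible.builtin.template` call continues after it.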
@@ -662,11 +661,52 @@ - patch - postfix - rule_2.1.21 - notify: Restart postfix - ansible.builtin.lineinfile: - path: /etc/postfix/main.cf - regexp: "^(#)?inet_interfaces" - line: "inet_interfaces = loopback-only" + vars: + warn_control_id: '2.2.21' + block: + - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed" + when: "'exim4' in ansible_facts.packages" + notify: Restart exim4 + ansible.builtin.lineinfile: + path: /etc/exim4/update-exim4.conf.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + with_items: + - { regexp: '^dc_eximconfig_configtype', line: "dc_eximconfig_configtype='local'" } + - { regexp: '^dc_local_interfaces', line: "dc_local_interfaces='127.0.0.1 ; ::1'" } + - { regexp: '^dc_readhost', line: "dc_readhost=''" } + - { regexp: '^dc_relay_domains', line: "dc_relay_domains=''" } + - { regexp: '^dc_minimaldns', line: "dc_minimaldns='false'" } + - { regexp: '^dc_relay_nets', line: "dc_relay_nets=''" } + - { regexp: '^dc_smarthost', line: "dc_smarthost=''" } + - { regexp: '^dc_use_split_config', line: "dc_use_split_config='false'" } + - { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" } + - { regexp: '^dc_mailname_in_oh', line: "dc_mailname_in_oh='true'" } + - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" } + + - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if postfix is installed" + when: "'postfix' in ansible_facts.packages" + notify: Restart postfix + ansible.builtin.lineinfile: + path: /etc/postfix/main.cf + regexp: '^(#)?inet_interfaces' + line: 'inet_interfaces = loopback-only' + + - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | Message out other main agents" + when: + - "'exim4' not in ansible_facts.packages" + - "'postfix' not in ansible_facts.packages" + ansible.builtin.debug: + msg: + - "Warning!! 
You are not using either exim4 or postfix, please ensure mail services set for local only mode" + - "Please review your vendors documentation to configure local-only mode" + + - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | warn_count" + when: + - "'exim4' not in ansible_facts.packages" + - "'postfix' not in ansible_facts.packages" + ansible.builtin.import_tasks: + file: warning_facts.yml - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface" when: From ac856083f1ca9fc81b85660c805acb5e1d62a40c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 3 Jul 2024 15:52:22 +0100 Subject: [PATCH 045/135] improved tasks Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.5.x.yml | 1 - tasks/section_2/cis_2.3.2.x.yml | 1 - tasks/section_4/cis_4.1.x.yml | 1 - tasks/section_6/cis_6.2.2.yml | 26 +++++++++++++------------- 4 files changed, 13 insertions(+), 16 deletions(-) diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 3ec69b6b..cf4e62a7 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -77,7 +77,6 @@ notify: Reload systemctl - name: "1.5.3 | PATCH | Ensure core dumps are restricted | coredump.conf" - when: "'systemd-coredump' in ansible_facts.packages" ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf regexp: "{{ item.regexp }}" diff --git a/tasks/section_2/cis_2.3.2.x.yml b/tasks/section_2/cis_2.3.2.x.yml index b7000829..bce50669 100644 --- a/tasks/section_2/cis_2.3.2.x.yml +++ b/tasks/section_2/cis_2.3.2.x.yml @@ -43,7 +43,6 @@ name: systemd-timesyncd state: started enabled: true - masked: false - name: "2.3.2.2 | PATCH | Ensure systemd-timesyncd is enabled and running | disable other time sources | chrony" when: "'chrony' in ansible_facts.packages" diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index 38795f24..9c69f929 100644 --- a/tasks/section_4/cis_4.1.x.yml 
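Review bot: `warn_control_id: '2.2.21'` at the top of the block does not match the control this task implements (2.1.21), so the count produced by `warning_facts.yml` is attributed to the wrong rule; change it to `warn_control_id: '2.1.21'`. The edits to `/etc/exim4/update-exim4.conf.conf` only take effect once `update-exim4.conf` regenerates the live configuration; Debian's exim4 start script does that on restart, I believe, but confirm that the `Restart exim4` handler in handlers/main.yml actually goes through it rather than a bare `systemctl restart`. The first hunk of this commit correctly drops the `'postfix' in ansible_facts.packages` guard from the outer task so the exim4/postfix/other branches can be selected inside the block. The block continues past the hunk; the trailing 2.1.22 lines are context only.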
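Review bot: Dropping the `'systemd-coredump' in ansible_facts.packages` guard means the `lineinfile` on `/etc/systemd/coredump.conf` now runs on every host; unless the task sets `create: true` further down (outside the hunk) it fails where the file is absent, and if it does create the file the `[Coredump]` section header is still needed for the keys to be honoured. If the reasoning is that `coredump.conf` is shipped by the `systemd` package itself on 22.04 (which I believe it is), record that so the guard is not reinstated: `# coredump.conf belongs to the systemd package, not systemd-coredump, so no package guard is needed`.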
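Review bot: Removing `masked: false` from the `ansible.builtin.systemd` call for `systemd-timesyncd` (and for `ufw` in the next hunk, `@@ -51,7 +51,6 @@` of tasks/section_4/cis_4.1.x.yml) means a unit that an earlier run masked is no longer unmasked before `enabled: true` / `state: started`, which systemd refuses on a masked unit; the adjacent `disable other time sources | chrony` task presumably does exactly that to the alternative tool, so a host switched from one `ubtu22cis_time_sync_tool` to the other is the case to test. If the removal works around a module problem with `masked` combined with `enabled`, a separate preceding task with only `masked: false`, or at least a comment recording the reason, keeps the behaviour; otherwise keep `masked: false`.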
+++ b/tasks/section_4/cis_4.1.x.yml @@ -51,7 +51,6 @@ name: ufw enabled: true state: started - masked: false - name: "4.1.4 | PATCH | Ensure loopback traffic is configured" when: diff --git a/tasks/section_6/cis_6.2.2.yml b/tasks/section_6/cis_6.2.2.yml index 4b3da72c..0e0b2b1e 100644 --- a/tasks/section_6/cis_6.2.2.yml +++ b/tasks/section_6/cis_6.2.2.yml 
@@ -11,37 +11,37 @@ - rule_6.2.2.1 block: - name: "6.2.2.1 | AUDIT | Ensure access to all logfiles has been configured | find files" - ansible.builtin.shell: find /var/log/ -type f -perm /g+wx,o+rwx -exec ls {} \; + ansible.builtin.shell: find /var/log/ -type f -exec ls {} \; changed_when: false failed_when: false register: discovered_logfiles - name: "6.2.2.1 | AUDIT | Ensure access to all logfiles has been configured | set_fact" - ansible.builtin.set_fact: - discovered_logfiles_flattened: "{{ discovered_logfiles | json_query('stdout_lines[*]') | flatten }}" # noqa: jinja[invalid] when: - discovered_logfiles.stdout_lines | length > 0 - discovered_logfiles is defined + ansible.builtin.set_fact: + discovered_logfiles_flattened: "{{ discovered_logfiles | json_query('stdout_lines[*]') | flatten }}" # noqa: jinja[invalid] - name: "6.2.2.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" - ansible.builtin.file: - path: "{{ item }}" - mode: u-x,g-wx,o-rwx - loop: "{{ discovered_logfiles_flattened }}" when: - discovered_logfiles_flattened is defined - item != "/var/log/btmp" - item != "/var/log/utmp" - item != "/var/log/wtmp" - item != "/var/log/lastlog" + ansible.builtin.file: + path: "{{ item }}" + mode: u-x,g-wx,o-rwx + loop: "{{ discovered_logfiles_flattened }}" - name: "6.2.2.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" ansible.builtin.file: - path: "{{ item.file }}" - mode: "{{ item.mode | default('ug-x,o-wx') }}" + path: "{{ item }}" + mode: 'ug-x,o-wx' with_fileglob: - - { file: /var/log/*tmp } - - { file: /var/log/lastlog* } - - { file: /var/log/sssd* } - - { file: /var/log/SSSD* } + - "/var/log/*tmp" + - "/var/log/lastlog*" + - "/var/log/sssd*" + - "/var/log/SSSD*" From 533681aac427d45be4b57146429de9b12985d6d6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 3 Jul 2024 15:52:35 +0100 Subject: [PATCH 046/135] fix tasks 
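Review bot: The mode `'ug-x,o-wx'` is applied to `/var/log/sssd*` and `/var/log/SSSD*` as well as to the `*tmp` / `lastlog*` files, but the benchmark text for 6.2.2.1, as I recall it, wants the sssd/SSSD logs `ug-x,o-rwx` (0660) and reserves `ug-x,o-wx` (0664) for the wtmp/btmp/utmp/lastlog family; as written the sssd logs stay world-readable, so split the globs into two loops with their own modes. `with_fileglob` still expands on the controller (see the note on this task in commit 042), and `/var/log/sssd` is a directory a file glob will not descend into, so an `ansible.builtin.find` on the target with `recurse: true` is the reliable form. The discovery command `find /var/log/ -type f -exec ls {} \;` forks `ls` per file for no gain and, with the `-perm` test now removed, lists every file under `/var/log`; `find /var/log/ -type f` alone yields the same `stdout_lines`.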
Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 048b1392..1eb1ef5f 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -82,7 +82,7 @@ - not ubtu22cis_dhcp_server - not ubtu22cis_dhcp_mask ansible.builtin.package: - name: dhcp-server + name: isc-dhcp-server state: absent purge: "{{ ubtu22cis_purge_apt }}" @@ -97,12 +97,12 @@ state: stopped masked: true loop: - - dhcpd.service - - dhcpd6.service + - isc-dhcp-server.service + - isc-dhcp-server6.service - name: "2.1.4 | PATCH | Ensure dns server services are not in use" when: - - "'bind' in ansible_facts.packages" + - "'bind9' in ansible_facts.packages" - ubtu22cis_rule_2_1_4 tags: - level1-server @@ -116,7 +116,7 @@ - not ubtu22cis_dns_server - not ubtu22cis_dns_mask ansible.builtin.package: - name: bind + name: bind9 state: absent purge: "{{ ubtu22cis_purge_apt }}" @@ -126,7 +126,7 @@ - ubtu22cis_dns_mask notify: Systemd_daemon_reload ansible.builtin.systemd: - name: named.service + name: bind9.service enabled: false state: stopped masked: true @@ -395,7 +395,7 @@ - name: "2.1.13 | PATCH | Ensure rsync services are not in use" when: - - "'rsync-daemon' in ansible_facts.packages" + - "'rsync' in ansible_facts.packages" - ubtu22cis_rule_2_1_13 tags: - level1-server @@ -563,11 +563,11 @@ block: - name: "2.1.18 | PATCH | Ensure web server services are not in use | Remove httpd server" when: - - not ubtu22cis_httpd_server - - not ubtu22cis_httpd_mask - - "'httpd' in ansible_facts.packages" + - not ubtu22cis_apache2_server + - not ubtu22cis_apache2_mask + - "'apache2' in ansible_facts.packages" ansible.builtin.package: - name: httpd + name: apache2 state: absent purge: "{{ ubtu22cis_purge_apt }}" 
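Review bot: On Ubuntu 22.04 `bind9.service` is, to my knowledge, an alias of `named.service` rather than a unit of its own, and `systemctl mask` refuses alias names, so `masked: true` with `name: bind9.service` in the `@@ -126,7 +126,7 @@` hunk may fail where the previous `named.service` worked; verify on a host with bind9 installed before relying on it, and if the alias is the problem keep `named.service` with a comment `# bind9.service is an alias; mask the real unit`. The rsync hunk (`@@ -395`) now keys on the `rsync` package, which on Ubuntu also provides the client binary; removing it for 2.1.13 is what the benchmark prescribes, but a comment warning operators who use rsync as a client would save surprises. The guard placement introduced in these hunks is reworked again by commit 048, so nothing further on it here.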
@@ -583,15 +583,18 @@ - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask httpd service" when: - - not ubtu22cis_httpd_server - - ubtu22cis_httpd_mask - - "'httpd' in ansible_facts.packages" + - not ubtu22cis_apache2_server + - ubtu22cis_apache2_mask + - "'apache2' in ansible_facts.packages" notify: Systemd_daemon_reload ansible.builtin.systemd: - name: httpd.service + name: enabled: false state: stopped masked: true + loop: + - apache2.service + - apache2.socket - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service" when: From 20d3934f4e12c17e767e8df20c9d733cce6d87a7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 3 Jul 2024 15:52:53 +0100 Subject: [PATCH 047/135] update defaults Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index b17c90b0..481f4e65 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -558,8 +558,8 @@ ubtu22cis_tftp_server: false ubtu22cis_tftp_mask: false ubtu22cis_squid_server: false ubtu22cis_squid_mask: false -ubtu22cis_httpd_server: false -ubtu22cis_httpd_mask: false +ubtu22cis_apache2_server: false +ubtu22cis_apache2_mask: false ubtu22cis_nginx_server: false ubtu22cis_nginx_mask: false ubtu22cis_xinetd_server: false @@ -684,7 +684,7 @@ ubtu22cis_screensaver_lock_delay: 5 ## Control 2.3.1.1 # This variable choses the tool used for time synchronization # The two options are `chrony`and `systemd-timesyncd`. -ubtu22cis_time_sync_tool: "chrony" +ubtu22cis_time_sync_tool: "systemd-timesyncd" ## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd # The following variable represents a list of of time server pools used From 500af8ab7a3b341de94cc6ed3e076c0b984aefff Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Jul 2024 17:17:56 +0100 Subject: [PATCH 048/135] improve controls 
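Review bot: The `name:` key of the `ansible.builtin.systemd` call is left empty once the loop was added, so the module receives a null `name` and the task fails with a missing-argument error instead of masking `apache2.service` and `apache2.socket`; it should read `name: "{{ item }}"`. The enclosing block and its `notify: Systemd_daemon_reload` handler are visible, but the task's `when` conditions start at the top of the hunk and the surrounding block continues outside it.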
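Review bot: Switching the default `ubtu22cis_time_sync_tool` from `chrony` to `systemd-timesyncd` changes what the role does on existing hosts — the 2.3.2.2 `disable other time sources | chrony` task will now act on a chrony setup that earlier runs installed — and an "update defaults" subject hides that; call it out in the changelog and README. The first hunk's rename of `ubtu22cis_httpd_server` / `ubtu22cis_httpd_mask` to `ubtu22cis_apache2_server` / `ubtu22cis_apache2_mask` likewise breaks existing overrides silently and should be listed with it.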
Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 36 +++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 1eb1ef5f..14a4c693 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -3,7 +3,6 @@ - name: "2.1.1 | PATCH | Ensure autofs services are not in use" when: - ubtu22cis_rule_2_1_1 - - "'autofs' in ansible_facts.packages" tags: - level1-server - level2-workstation @@ -14,6 +13,7 @@ when: - not ubtu22cis_autofs_services - not ubtu22cis_autofs_mask + - "'autofs' in ansible_facts.packages" ansible.builtin.package: name: autofs state: absent @@ -33,7 +33,6 @@ - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use" when: - ubtu22cis_rule_2_1_2 - - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" tags: - level1-server - level2-workstation @@ -45,6 +44,7 @@ when: - not ubtu22cis_avahi_server - not ubtu22cis_avahi_mask + - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" ansible.builtin.package: name: - avahi-autoipd @@ -68,7 +68,6 @@ - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use" when: - - "'dhcp-server' in ansible_facts.packages" - ubtu22cis_rule_2_1_3 tags: - level1-server @@ -81,6 +80,7 @@ when: - not ubtu22cis_dhcp_server - not ubtu22cis_dhcp_mask + - "'dhcp-server' in ansible_facts.packages" ansible.builtin.package: name: isc-dhcp-server state: absent @@ -102,7 +102,6 @@ - name: "2.1.4 | PATCH | Ensure dns server services are not in use" when: - - "'bind9' in ansible_facts.packages" - ubtu22cis_rule_2_1_4 tags: - level1-server @@ -113,6 +112,7 @@ block: - name: "2.1.4 | PATCH | Ensure dns server services are not in use | Remove package" when: + - "'bind9' in ansible_facts.packages" - not ubtu22cis_dns_server - not ubtu22cis_dns_mask ansible.builtin.package: 
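Review bot: The guards moved into the `Remove package` tasks carry names that do not match the packages being removed: the 2.1.3 task tests `'dhcp-server' in ansible_facts.packages` but removes `isc-dhcp-server` (renamed in commit 046), and the 2.1.2 task tests `'avahi-autopd'` while the package list directly below it is `avahi-autoipd`; as written neither removal will ever trigger on a stock Ubuntu host, so use `'isc-dhcp-server'` and `'avahi-autoipd'` (and check whether `'avahi'` should be `'avahi-daemon'`). The same move is repeated in the hunks on the following lines (2.1.5 through 2.1.19) and the package names there are worth checking against `apt` as well, `'ftp'` for 2.1.6 in particular. A side effect of taking the test off the outer `when` is that the sibling mask tasks, whose only condition is the `ubtu22cis_*_mask` flag, now run on hosts without the package; `ansible.builtin.systemd` with `state: stopped` on a unit that does not exist fails, so those tasks need the same package test or a `masked`-only form.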
@@ -133,7 +133,6 @@ - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use" when: - - "'dnsmasq' in ansible_facts.packages" - ubtu22cis_rule_2_1_5 tags: - level1-server @@ -144,6 +143,7 @@ block: - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Remove package" when: + - "'dnsmasq' in ansible_facts.packages" - not ubtu22cis_dnsmasq_server - not ubtu22cis_dnsmasq_mask ansible.builtin.package: @@ -164,7 +164,6 @@ - name: "2.1.6 | PATCH | Ensure ftp server services are not in use" when: - - "'ftp' in ansible_facts.packages" - ubtu22cis_rule_2_1_6 tags: - level1-server @@ -176,6 +175,7 @@ block: - name: "2.1.6 | PATCH | Ensure ftp server services are not in use | Remove package" when: + - "'ftp' in ansible_facts.packages" - not ubtu22cis_ftp_server - not ubtu22cis_ftp_mask ansible.builtin.package: @@ -196,7 +196,6 @@ - name: "2.1.7 | PATCH | Ensure ldap server services are not in use" when: - - "'slapd' in ansible_facts.packages" - ubtu22cis_rule_2_1_7 tags: - level1-server @@ -207,6 +206,7 @@ block: - name: "2.1.7 | PATCH | Ensure ldap server services are not in use | Remove package" when: + - "'slapd' in ansible_facts.packages" - not ubtu22cis_ldap_server - not ubtu22cis_ldap_mask ansible.builtin.package: @@ -227,7 +227,6 @@ - name: "2.1.8 | PATCH | Ensure message access server services are not in use" when: - - "'dovecot-pop3d' in ansible_facts.packages or 'dovecot-imapd' in ansible_facts.packages" - ubtu22cis_rule_2_1_8 tags: - level1-server @@ -240,6 +239,7 @@ block: - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Remove package" when: + - "'dovecot-pop3d' in ansible_facts.packages or 'dovecot-imapd' in ansible_facts.packages" - not ubtu22cis_message_server - not ubtu22cis_message_mask ansible.builtin.package: 
@@ -265,7 +265,6 @@ - name: "2.1.9 | PATCH | Ensure network file system services are not in use" when: - - "'nfs-kernel-server' in ansible_facts.packages" - ubtu22cis_rule_2_1_9 tags: - level1-server @@ -277,6 +276,7 @@ block: - name: "2.1.9 | PATCH | Ensure network file system services are not in use | Remove package" when: + - "'nfs-kernel-server' in ansible_facts.packages" - not ubtu22cis_nfs_server - not ubtu22cis_nfs_mask ansible.builtin.package: @@ -297,7 +297,6 @@ - name: "2.1.10 | PATCH | Ensure nis server services are not in use" when: - - "'ypserv' in ansible_facts.packages" - ubtu22cis_rule_2_1_10 tags: - level1-server @@ -309,6 +308,7 @@ block: - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Remove package" when: + - "'ypserv' in ansible_facts.packages" - not ubtu22cis_nis_server - not ubtu22cis_nis_mask ansible.builtin.package: @@ -328,7 +328,6 @@ - name: "2.1.11 | PATCH | Ensure print server services are not in use" when: - - "'cups' in ansible_facts.packages" - ubtu22cis_rule_2_1_11 tags: - level1-server @@ -338,6 +337,7 @@ block: - name: "2.1.11 | PATCH | Ensure print server services are not in use | Remove package" when: + - "'cups' in ansible_facts.packages" - not ubtu22cis_print_server - not ubtu22cis_print_mask ansible.builtin.package: @@ -361,7 +361,6 @@ - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use" when: - - "'rpcbind' in ansible_facts.packages" - ubtu22cis_rule_2_1_12 tags: - level1-server @@ -372,6 +371,7 @@ block: - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use | Remove package" when: + - "'rpcbind' in ansible_facts.packages" - not ubtu22cis_rpc_server - not ubtu22cis_rpc_mask ansible.builtin.package: @@ -395,7 +395,6 @@ - name: "2.1.13 | PATCH | Ensure rsync services are not in use" when: - - "'rsync' in ansible_facts.packages" - ubtu22cis_rule_2_1_13 tags: - level1-server 
@@ -406,6 +405,7 @@ block: - name: "2.1.13 | PATCH | Ensure rsync services are not in use | Remove package" when: + - "'rsync' in ansible_facts.packages" - not ubtu22cis_rsync_server - not ubtu22cis_rsync_mask ansible.builtin.package: @@ -426,7 +426,6 @@ - name: "2.1.14 | PATCH | Ensure samba file server services are not in use" when: - - "'samba' in ansible_facts.packages" - ubtu22cis_rule_2_1_14 tags: - level1-server @@ -437,6 +436,7 @@ block: - name: "2.1.14 | PATCH | Ensure samba file server services are not in use | Remove package" when: + - "'samba' in ansible_facts.packages" - not ubtu22cis_samba_server - not ubtu22cis_samba_mask ansible.builtin.package: @@ -457,7 +457,6 @@ - name: "2.1.15 | PATCH | Ensure snmp services are not in use" when: - - "'snmpd' in ansible_facts.packages" - ubtu22cis_rule_2_1_15 tags: - level1-server @@ -469,6 +468,7 @@ block: - name: "2.1.15 | PATCH | Ensure snmp services are not in use | Remove package" when: + - "'snmpd' in ansible_facts.packages" - not ubtu22cis_snmp_server - not ubtu22cis_snmp_mask ansible.builtin.package: @@ -489,7 +489,6 @@ - name: "2.1.16 | PATCH | Ensure tftp server services are not in use" when: - - "'tftpd-hpa' in ansible_facts.packages" - ubtu22cis_rule_2_1_16 tags: - level1-server @@ -500,6 +499,7 @@ block: - name: "2.1.16 | PATCH | Ensure tftp server services are not in use | Remove package" when: + - "'tftpd-hpa' in ansible_facts.packages" - not ubtu22cis_tftp_server - not ubtu22cis_tftp_mask ansible.builtin.package: @@ -520,7 +520,6 @@ - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use" when: - - "'squid' in ansible_facts.packages" - ubtu22cis_rule_2_1_17 tags: - level1-server @@ -531,6 +530,7 @@ block: - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use | Remove package" when: + - "'squid' in ansible_facts.packages" - not ubtu22cis_squid_server - not ubtu22cis_squid_mask ansible.builtin.package: 
@@ -610,7 +610,6 @@ - name: "2.1.19 | PATCH | Ensure xinetd services are not in use" when: - - "'xinetd' in ansible_facts.packages" - ubtu22cis_rule_2_1_19 tags: - level1-server @@ -621,6 +620,7 @@ block: - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Remove package" when: + - "'xinetd' in ansible_facts.packages" - not ubtu22cis_xinetd_server - not ubtu22cis_xinetd_mask ansible.builtin.package: From e135d7591f742a66f052fdad2c23b50d19393375 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Jul 2024 17:18:09 +0100 Subject: [PATCH 049/135] fix typo Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.3.3.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml index bd0af5b8..99afc8ac 100644 --- a/tasks/section_5/cis_5.3.3.2.x.yml +++ b/tasks/section_5/cis_5.3.3.2.x.yml @@ -45,7 +45,7 @@ - item != ubtu22cis_passwd_minlen_file ansible.builtin.replace: path: "{{ item }}" - regexp: 'difok\s*=\s*\d+\b' + regexp: 'minlen\s*=\s*\d+\b' replace: '' with_fileglob: - '/etc/security/pwquality.conf' From cdf51dbb87bbca6e781968165bfa50901978e652 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Jul 2024 17:18:24 +0100 Subject: [PATCH 050/135] improved tests Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.3.3.4.x.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml index ff0821a3..53f0510c 100644 --- a/tasks/section_5/cis_5.3.3.4.x.yml +++ b/tasks/section_5/cis_5.3.3.4.x.yml 
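Review bot: The corrected `regexp: 'minlen\s*=\s*\d+\b'` in 5.3.3.2.x is still unanchored, so it also strips the commented example (`# minlen = 8`) that ships in the stock `pwquality.conf`, leaving `# ` behind and removing the documentation users rely on; since `ansible.builtin.replace` runs in MULTILINE mode, `regexp: '^[ \t]*minlen[ \t]*=[ \t]*\d+\b'` limits the edit to an active setting at the start of a line. The enclosing task and its `when` list begin outside this hunk.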
@@ -12,7 +12,7 @@ - pam block: - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | capture state" - ansible.builtin.shell: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} | grep -P -- '\bnullok\b' + ansible.builtin.shell: grep -E "pam_unix.so.*nullok" /etc/pam.d/common-* /usr/share/pam-configs/* | cut -d ':' -f1 | uniq changed_when: false failed_when: ubtu22cis_pam_nullok.rc not in [ 0, 1 ] register: ubtu22cis_pam_nullok @@ -20,11 +20,13 @@ - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Ensure nullok removed" when: ubtu22cis_pam_nullok.stdout | length > 0 ansible.builtin.replace: - path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" + path: "{{ item }}" regexp: nullok replace: '' + loop: "{{ ubtu22cis_pam_nullok.stdout_lines }}" notify: Pam_auth_update_pwunix + - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember" when: - ubtu22cis_rule_5_3_3_4_2 From f7c090fd65a14491796be2645d5a726e26480a3f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 5 Jul 2024 17:18:35 +0100 Subject: [PATCH 051/135] removed dupes Signed-off-by: Mark Bolwell --- defaults/main.yml | 145 +++++++++++++++++++++------------------------- 1 file changed, 67 insertions(+), 78 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 481f4e65..c7ce75fd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
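Review bot: The new removal task in 5.3.3.4.1 uses an unanchored `regexp: nullok`, so any longer token containing that substring in a matched file (for example the historic Debian `nullok_secure` option, if it is present) would be cut down to `_secure` instead of being removed; `regexp: '\bnullok\b'` keeps the edit to the bare option. The new capture command `grep -E "pam_unix.so.*nullok"` also matches commented-out lines, which then become targets of the replace loop; the prefix from the old command, `'^\h*[^#\n\r]+\h+pam_unix\.so\b'`, excluded those and is worth carrying over. Editing `/etc/pam.d/common-*` directly can lead `pam-auth-update` to treat the file as locally overridden; the notified `Pam_auth_update_pwunix` handler is outside this hunk, so confirm it still regenerates those files after the in-place edit.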
@@ -771,27 +771,6 @@ ubtu22cis_ufw_allow_out_ports: # nftables configs are applied to. # ubtu22cis_nftables_table_name: "inet filter" -## Controls 6.2.1.x journald -# This variable specifies the address of the remote log host where logs are being sent. -ubtu22cis_remote_log_server: 192.168.2.100 -# This variable expresses whether the system is used as a log server or not. -# If set to `true`, controls that interfere with log server functionality or -# require that own system logs be sent to some other log server are skipped. -ubtu22cis_system_is_log_server: false - -## Controls 6.2.1.2.x & 6.2.1.x journald -# This variable specifies the path to the private key file used by the remote journal -# server to authenticate itself to the client. This key is used alongside the server's -# public certificate to establish secure communication. -ubtu22cis_journal_upload_serverkeyfile: -# This variable specifies the path to the public certificate file of the remote journal -# server. This certificate is used to verify the authenticity of the remote server. -ubtu22cis_journal_servercertificatefile: -# This variable specifies the path to a file containing one or more public certificates -# of certificate authorities (CAs) that the client trusts. These trusted certificates are used -# to validate the authenticity of the remote server's certificate. -ubtu22cis_journal_trustedcertificatefile: - ## ## Section 5 Control Variables ## 
@@ -887,6 +866,26 @@ ubtu22cis_sshd: # For more info, see https://linux.die.net/man/5/sshd_config deny_groups: "" +## Control 5.2.1 +# This variable represents the name of the sudo package to install +# CIS recommends `sudo` or, if LDAP functionality is required, `sudo-ldap`. +ubtu22cis_sudo_package: "sudo" + +## Control 5.2.3 +# This variable defines the path and file name of the sudo log file. +ubtu22cis_sudo_logfile: "/var/log/sudo.log" +## Control 5.2.6 +# This variable sets the duration (in minutes) during which a user's authentication credentials +# are cached after successfully authenticating using "sudo". This allows the user to execute +# multiple commands with elevated privileges without needing to re-enter their password for each +# command within the specified time period. CIS requires a value of at most 15 minutes. +ubtu22cis_sudo_timestamp_timeout: 15 +## Control 5.2.7 +# This variable determines the group of users that are allowed to use the su command. +# one to specify a user group that is allowed to use the "su" command. +# CIS requires that such a group be created (named according to site policy) and be kept empty. +ubtu22cis_sugroup: nosugroup + ## 5.3.2.x # Path to find templates and where to put file for pam-auth ubtu22cis_pam_confd_dir: 'usr/share/pam-configs/' 
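Review bot: The description of `ubtu22cis_sugroup` carries a broken sentence: `# one to specify a user group that is allowed to use the "su" command.` reads as a fragment left over from an earlier edit. Suggest replacing the first two comment lines with `# Group whose members may run su (CIS 5.2.7); CIS requires the group to exist (name per site policy) and to stay empty.` The remaining variables in this hunk are moved rather than changed and their comments read fine.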
@@ -1004,6 +1003,30 @@ ubtu22cis_pass: # 5.4.2.6 root umask ubtu22cis_root_umask: '0027' # 0027 or more restrictive +## Control 5.4.4 +# ubtu22cis_passwd_hash_algo is the hashing algorithm used +ubtu22cis_passwd_hash_algo: yescrypt # pragma: allowlist secret +# Set pam as well as login defs if PAM is required +ubtu22cis_passwd_setpam_hash_algo: false + +## Control 5.4.3 - Default user mask +# The following variable specifies the "umask" to set in the `/etc/bash.bashrc` and `/etc/profile`. +# The value needs to be `027` or more restrictive to comply with CIS standards +ubtu22cis_bash_umask: '027' + +## Control 5.4.3.2 - Configuring user shell timeout +# This dictionary is related to ensuring the rule about user shell timeout +# This variable represents the amount of seconds a command or process is allowed to +# run before being forcefully terminated. +# CIS requires a value of at most 900 seconds. +ubtu22cis_shell_session_timeout: 900 +# This variable specifies the path of the timeout setting file. +# (TMOUT setting can be set in multiple files, but only one is required for the +# rule to pass. Options are: +# - a file in `/etc/profile.d/` ending in `.s`, +# - `/etc/profile`, or +# - `/etc/bash.bashrc`. +ubtu22cis_shell_session_file: /etc/profile.d/tmout.sh ## ## Section 6 Control Variables 
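Review bot: The comment for `ubtu22cis_shell_session_file` lists `a file in /etc/profile.d/ ending in .s`, but the default on the next line is `/etc/profile.d/tmout.sh`; the option should read `# - a file in /etc/profile.d/ ending in .sh,`. The `## Control 5.4.4` block is also placed ahead of `## Control 5.4.3`, which makes the section harder to cross-reference against the benchmark; reordering is cosmetic but cheap while the block is already being moved.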
@@ -1061,6 +1084,28 @@ ubtu22cis_aide_cron: # can be concatenated with commas. aide_weekday: '*' +## Controls 6.2.1.x journald + +# This variable specifies the address of the remote log host where logs are being sent. +ubtu22cis_remote_log_server: 192.168.2.100 +# This variable expresses whether the system is used as a log server or not. +# If set to `true`, controls that interfere with log server functionality or +# require that own system logs be sent to some other log server are skipped. +ubtu22cis_system_is_log_server: false + +## Controls 6.2.1.2.x & 6.2.1.x journald +# This variable specifies the path to the private key file used by the remote journal +# server to authenticate itself to the client. This key is used alongside the server's +# public certificate to establish secure communication. +ubtu22cis_journal_upload_serverkeyfile: +# This variable specifies the path to the public certificate file of the remote journal +# server. This certificate is used to verify the authenticity of the remote server. +ubtu22cis_journal_servercertificatefile: +# This variable specifies the path to a file containing one or more public certificates +# of certificate authorities (CAs) that the client trusts. These trusted certificates are used +# to validate the authenticity of the remote server's certificate. +ubtu22cis_journal_trustedcertificatefile: + # 6.2.1.1.3 # These variable specifies how much disk space the journal may use up at most # Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. 
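Review bot: `ubtu22cis_remote_log_server: 192.168.2.100` is a placeholder that will be applied as-is if a deployment forgets to override it, pointing log forwarding at an arbitrary private address; consider a `null` default with an `assert` in the 6.2.1.x tasks that fails when it is unset, or at least a comment such as `# MUST be overridden per site; the default is a placeholder.` The three journal TLS variables (`ubtu22cis_journal_upload_serverkeyfile` and the two certificate paths) default to YAML null, which a template may render as an empty value or the literal `None`; the tasks that consume them are outside this hunk, so confirm they guard on the values being defined before writing them into journal-upload.conf.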
@@ -1144,64 +1189,8 @@ ubtu22cis_auditd_disk_error_action: syslog ubtu22cis_auditd_space_left_action: email ubtu22cis_auditd_admin_space_left_action: email -## Control 5.3.1 -# This variable represents the name of the sudo package to install -# CIS recommends `sudo` or, if LDAP functionality is required, `sudo-ldap`. -ubtu22cis_sudo_package: "sudo" - -## Control 5.3.3 -# This variable defines the path and file name of the sudo log file. -ubtu22cis_sudo_logfile: "/var/log/sudo.log" -## Control 5.3.6 -# This variable sets the duration (in minutes) during which a user's authentication credentials -# are cached after successfully authenticating using "sudo". This allows the user to execute -# multiple commands with elevated privileges without needing to re-enter their password for each -# command within the specified time period. CIS requires a value of at most 15 minutes. -ubtu22cis_sudo_timestamp_timeout: 15 -## Control 5.3.7 -# This variable determines the group of users that are allowed to use the su command. -# one to specify a user group that is allowed to use the "su" command. -# CIS requires that such a group be created (named according to site policy) and be kept empty. 
-ubtu22cis_sugroup: nosugroup - -## Control 5.4.2 -# This can seriously break access to a system -## The end state the file /etc/pam.d/common-auth need to be understood -## If using external auth providers this will be very different -ubtu22cis_allow_common_auth_rewrite: false -ubtu22cis_rule_5_4_2_faillock_config: | - auth required pam_faillock.so preauth - auth [success=1 default=ignore] pam_unix.so nullok - auth [default=die] pam_faillock.so authfail - auth sufficient pam_faillock.so authsucc - -## Control 5.4.4 -# ubtu22cis_passwd_hash_algo is the hashing algorithm used -ubtu22cis_passwd_hash_algo: yescrypt # pragma: allowlist secret -# Set pam as well as login defs if PAM is required -ubtu22cis_passwd_setpam_hash_algo: false - -## Control 5.5.4 - Default user mask -# The following variable specifies the "umask" to set in the `/etc/bash.bashrc` and `/etc/profile`. -# The value needs to be `027` or more restrictive to comply with CIS standards -ubtu22cis_bash_umask: '027' - -## Control 5.4.3.2 - Configuring user shell timeout -# This dictionary is related to ensuring the rule about user shell timeout -# This variable represents the amount of seconds a command or process is allowed to -# run before being forcefully terminated. -# CIS requires a value of at most 900 seconds. -ubtu22cis_shell_session_timeout: 900 -# This variable specifies the path of the timeout setting file. -# (TMOUT setting can be set in multiple files, but only one is required for the -# rule to pass. Options are: -# - a file in `/etc/profile.d/` ending in `.s`, -# - `/etc/profile`, or -# - `/etc/bash.bashrc`. -ubtu22cis_shell_session_file: /etc/profile.d/tmout.sh - ## -## Section 6 Control Variables +## Section 7 Control Variables ## ## Controls 6.2.11 & 6.2.12 From 86ce8ed4ed040d5044afe563e453cf2b6782b36c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 10:50:47 +0100 Subject: [PATCH 052/135] updated value to be correct 
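Review bot: The heading is renamed to `## Section 7 Control Variables`, but the sub-heading that follows it is still `## Controls 6.2.11 & 6.2.12`, which is the v1.x numbering; since the block is now filed under Section 7 the comment should reference the v2.0 control IDs (presumably 7.1.x/7.2.x — confirm against the benchmark). The hunk also drops `ubtu22cis_allow_common_auth_rewrite` and the `ubtu22cis_rule_5_4_2_faillock_config` template as duplicates; nothing visible here re-adds a faillock configuration, so check that the 5.3.x variables in this file cover it.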
Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index c7ce75fd..8d3f23fc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1187,7 +1187,7 @@ ubtu22cis_auditd_disk_error_action: syslog # Control 6.3.2.4 # Wait to do when space left is low. ubtu22cis_auditd_space_left_action: email -ubtu22cis_auditd_admin_space_left_action: email +ubtu22cis_auditd_admin_space_left_action: halt ## ## Section 7 Control Variables From 92a0d48c446e1c60a3ef3c50b94e6a0bce169164 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 10:51:03 +0100 Subject: [PATCH 053/135] updated to add flush handlers Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 09a6da34..d47aca02 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -15,7 +15,7 @@ - Restart auditd - Set_reboot_required -- name: POST | Set up auditd user logging exceptions +- name: POST | AUDITD | Set up auditd user logging exceptions when: ubtu22cis_allow_auditd_uid_user_exclusions ansible.builtin.template: src: audit/98_auditd_exception.rules.j2 @@ -24,3 +24,6 @@ group: root mode: '0600' notify: Restart auditd + +- name: POST | AUDITD | Flush handlers + ansible.builtin.meta: flush_handlers From 5ad25541115738ae61cfbe1cc320ce3abf640928 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 10:51:19 +0100 Subject: [PATCH 054/135] fix tags Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 ++ tasks/section_6/cis_6.3.3.x.yml | 34 ++++++++++++++++----------------- 2 files changed, 19 insertions(+), 17 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index c5115b87..1907b857 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -207,6 +207,8 @@ ansible.builtin.meta: flush_handlers - name: Reboot system + tags: + - always block: - name: Reboot system if not skipped when: 
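Review bot: Changing `ubtu22cis_auditd_admin_space_left_action` to `halt` means auditd powers the host off when the audit log partition reaches the admin threshold, which is what CIS 6.3.2.4 accepts (`single` or `halt`) but is also a denial-of-service lever if `/var/log/audit` is not on its own adequately sized partition; the comment above it should say so. Suggest replacing `# Wait to do when space left is low.` (also a typo for "What") with `# What to do when the admin space-left threshold is reached. CIS 6.3.2.4 accepts 'single' or 'halt'; 'halt' stops the host, so size the audit partition accordingly.`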
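Review bot: Tagging the `Reboot system` block with `always` means it is reached on every tag-filtered run, including an audit-only or single-rule invocation, so the reboot now depends solely on the inner `when` of "Reboot system if not skipped", whose conditions lie outside this hunk; confirm it checks both the reboot-required flag and the skip variable before calling reboot, otherwise a tag-scoped run can restart the host. If the intent is only to make the preceding `flush_handlers` reliable under tags, a comment on the block such as `# always: the reboot decision must run on tag-filtered plays too; gated by the when below` would make that explicit.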
diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml index 54d9569c..cc380d72 100644 --- a/tasks/section_6/cis_6.3.3.x.yml +++ b/tasks/section_6/cis_6.3.3.x.yml @@ -19,7 +19,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.2 - auditd ansible.builtin.set_fact: update_audit_template: true @@ -31,7 +31,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.3 - auditd ansible.builtin.set_fact: update_audit_template: true @@ -43,7 +43,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.4 - auditd ansible.builtin.set_fact: update_audit_template: true @@ -55,7 +55,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.5 - auditd ansible.builtin.set_fact: update_audit_template: true @@ -87,7 +87,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.7 - auditd ansible.builtin.set_fact: update_audit_template: true @@ -99,7 +99,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.8 - auditd ansible.builtin.set_fact: update_audit_template: true @@ -123,7 +123,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.10 - auditd ansible.builtin.set_fact: update_audit_template: true @@ -135,7 +135,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.11 - auditd ansible.builtin.set_fact: update_audit_template: true @@ -147,7 +147,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.12 - auditd ansible.builtin.set_fact: update_audit_template: true @@ -159,7 +159,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.13 - auditd ansible.builtin.set_fact: update_audit_template: true @@ -171,7 +171,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.14 - auditd ansible.builtin.set_fact: update_audit_template: true 
@@ -183,7 +183,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.15 - auditd ansible.builtin.set_fact: update_audit_template: true @@ -195,7 +195,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.16 - auditd ansible.builtin.set_fact: update_audit_template: true @@ -207,7 +207,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.17 - auditd ansible.builtin.set_fact: update_audit_template: true @@ -219,7 +219,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.18 - auditd ansible.builtin.set_fact: update_audit_template: true @@ -231,7 +231,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.19 - auditd ansible.builtin.set_fact: update_audit_template: true @@ -243,7 +243,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.20 - auditd ansible.builtin.set_fact: update_audit_template: true From 16c969c04a40d6baf304bb07c663aad620992f86 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 10:51:28 +0100 Subject: [PATCH 055/135] updated test Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.1.2.x.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.2.1.2.x.yml b/tasks/section_6/cis_6.2.1.2.x.yml index 049d36cf..3c0e3b8d 100644 --- a/tasks/section_6/cis_6.2.1.2.x.yml +++ b/tasks/section_6/cis_6.2.1.2.x.yml @@ -61,7 +61,10 @@ - journald - rule_6.2.1.2.4 ansible.builtin.systemd: - name: systemd-journal-remote.socket + name: "{{ item }}" state: stopped enabled: false masked: true + loop: + - systemd-journal-remote.socket + - systemd-journal-remote.service From 2906e2f93b600dfe1a01119830df95809c820561 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 10:51:46 +0100 Subject: [PATCH 056/135] fixed 6.3.3.5 Signed-off-by: Mark Bolwell --- templates/audit/99_auditd.rules.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
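Review bot: The tag renumbering covers `rule_6.3.3.2`–`rule_6.3.3.5`, `rule_6.3.3.7`–`rule_6.3.3.8` and `rule_6.3.3.10`–`rule_6.3.3.20`, but the tasks for 6.3.3.6 and 6.3.3.9 are not in the hunk; if they carried the same copy-pasted `rule_6.3.3.1` tag they still do, so check them before merging. Until this fix `--skip-tags rule_6.3.3.1` silently disabled most of the auditd rule set, which is worth a line in the changelog.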
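Review bot: The 6.2.1.2.4 task now stops, disables and masks both `systemd-journal-remote.socket` and `.service` unconditionally; on hosts where the `systemd-journal-remote` package is not installed these units do not exist, and `ansible.builtin.systemd` with `state: stopped` may fail on an unknown unit. Guard the task with `when: "'systemd-journal-remote' in ansible_facts.packages"`, matching the package-presence pattern used for the 2.1.x services in this series, or handle the not-found case with `failed_when`.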
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 8ecb54ce..c7eb6639 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -29,7 +29,7 @@ -w /etc/hosts -p wa -k system-locale -w /etc/networks -p wa -k system-locale -w /etc/network/ -p wa -k system-locale --w /etc/netplan -p wa -k system-locale +-w /etc/netplan/ -p wa -k system-locale {% endif %} {% if ubtu22cis_rule_6_3_3_6 %} {% if priv_procs is defined %} From 4fd48c9b0cf0b034d205aadb2ddff09c44316b57 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 11:14:18 +0100 Subject: [PATCH 057/135] initial_v2 Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 915 +++++++++++++++++------------ 1 file changed, 529 insertions(+), 386 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ed20877b..a1c83f4a 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,12 +1,9 @@ ## metadata for Audit benchmark +benchmark_version: '2.0.0' -benchmark_version: '1.1.0' - - -# Some audit tests may need to scan every filesystem or have an impact on a system -# these may need be scheduled to minimise impact also ability to set a timeout if taking too long -timeout_ms: {{ audit_cmd_timeout }} +# timeout for each command to run where set - default = 10seconds/10000ms +timeout_ms: 120000 ubtu22cis_section1: {{ ubtu22cis_section1 }} ubtu22cis_section2: {{ ubtu22cis_section2 }} @@ -14,6 +11,7 @@ ubtu22cis_section3: {{ ubtu22cis_section3 }} ubtu22cis_section4: {{ ubtu22cis_section4 }} ubtu22cis_section5: {{ ubtu22cis_section5 }} ubtu22cis_section6: {{ ubtu22cis_section6 }} +ubtu22cis_section7: {{ ubtu22cis_section7 }} ubtu22cis_level_1: {{ ubtu22cis_level_1 }} ubtu22cis_level_2: {{ ubtu22cis_level_2 }} 
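Review bot: `timeout_ms: 120000` replaces the `{{ audit_cmd_timeout }}` hook, so any inventory that tuned `audit_cmd_timeout` now silently gets a fixed 120 s per goss command; `timeout_ms: {{ audit_cmd_timeout | default(120000) }}` keeps the override while providing the new default. The new comment `# timeout for each command to run where set - default = 10seconds/10000ms` also contradicts the value on the next line and should either state 120000 ms or make clear that 10000 ms is goss's built-in default that this file overrides.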
@@ -27,21 +25,28 @@ ubtu22_legacy_boot: true ubtu22_set_boot_pass: true +## +## Rule-specific switches +## +## Use the switches below to disable specific rules independently of the chosen profile +## + ## Section 1 Fixes # Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, # Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) + # 1.1 Filesystems # 1.1.1 Configure Filesystem Kernel Modules ubtu22cis_rule_1_1_1_1: {{ ubtu22cis_rule_1_1_1_1 }} ubtu22cis_rule_1_1_1_2: {{ ubtu22cis_rule_1_1_1_2 }} -ubtu22cis_rule_1_1_1_3: {{ ubtu22cis_rule_1_1_1_3 } +ubtu22cis_rule_1_1_1_3: {{ ubtu22cis_rule_1_1_1_3 }} ubtu22cis_rule_1_1_1_4: {{ ubtu22cis_rule_1_1_1_4 }} ubtu22cis_rule_1_1_1_5: {{ ubtu22cis_rule_1_1_1_5 }} ubtu22cis_rule_1_1_1_6: {{ ubtu22cis_rule_1_1_1_6 }} ubtu22cis_rule_1_1_1_7: {{ ubtu22cis_rule_1_1_1_7 }} ubtu22cis_rule_1_1_1_8: {{ ubtu22cis_rule_1_1_1_8 }} -# 1.1.2 Configure Filesystem Partitions +# 1.1.2 Configure Filesystem Partitions # /tmp ubtu22cis_rule_1_1_2_1_1: {{ ubtu22cis_rule_1_1_2_1_1 }} ubtu22cis_rule_1_1_2_1_2: {{ ubtu22cis_rule_1_1_2_1_2 }} 
@@ -91,96 +96,111 @@ ubtu22cis_rule_1_2_2_1: {{ ubtu22cis_rule_1_2_2_1 }} # 1.3 Mandatory Access Control ## 1.3.1 Configure AppArmor -ubtu22cis_1_3_1_1: {{ ubtu22cis_1_3_1_1 }} -ubtu22cis_1_3_1_2: {{ ubtu22cis_1_3_1_2 }} -ubtu22cis_1_3_1_3: {{ ubtu22cis_1_3_1_3 }} -ubtu22cis_1_3_1_4: {{ ubtu22cis_1_3_1_4 }} +ubtu22cis_rule_1_3_1_1: {{ ubtu22cis_rule_1_3_1_1 }} +ubtu22cis_rule_1_3_1_2: {{ ubtu22cis_rule_1_3_1_2 }} +ubtu22cis_rule_1_3_1_3: {{ ubtu22cis_rule_1_3_1_3 }} +ubtu22cis_rule_1_3_1_4: {{ ubtu22cis_rule_1_3_1_4 }} # 1.4 Configure Bootloader -ubtu22cis_1_4_1: {{ ubtu22cis_1_4_1 }} -ubtu22cis_1_4_2: {{ ubtu22cis_1_4_2 }} +ubtu22cis_rule_1_4_1: {{ ubtu22cis_rule_1_4_1 }} +ubtu22cis_rule_1_4_2: {{ ubtu22cis_rule_1_4_2 }} # 1.5 Configure additional Process Hardening -ubtu22cis_1_5_1: {{ ubtu22cis_1_5_1 }} -ubtu22cis_1_5_2: {{ ubtu22cis_1_5_2 }} -ubtu22cis_1_5_3: {{ ubtu22cis_1_5_3 }} -ubtu22cis_1_5_4: {{ ubtu22cis_1_5_4 }} -ubtu22cis_1_5_5: {{ ubtu22cis_1_5_5 }} +ubtu22cis_rule_1_5_1: {{ ubtu22cis_rule_1_5_1 }} +ubtu22cis_rule_1_5_2: {{ ubtu22cis_rule_1_5_2 }} +ubtu22cis_rule_1_5_3: {{ ubtu22cis_rule_1_5_3 }} +ubtu22cis_rule_1_5_4: {{ ubtu22cis_rule_1_5_4 }} +ubtu22cis_rule_1_5_5: {{ ubtu22cis_rule_1_5_5 }} # 1.6 Configure Command Line Warning Banners -ubtu22cis_1_6_1: {{ ubtu22cis_1_6_1 }} -ubtu22cis_1_6_2: {{ ubtu22cis_1_6_2 }} -ubtu22cis_1_6_3: {{ ubtu22cis_1_6_3 }} -ubtu22cis_1_6_4: {{ ubtu22cis_1_6_4 }} -ubtu22cis_1_6_5: {{ ubtu22cis_1_6_5 }} -ubtu22cis_1_6_6: {{ ubtu22cis_1_6_6 }} +ubtu22cis_rule_1_6_1: {{ ubtu22cis_rule_1_6_1 }} +ubtu22cis_rule_1_6_2: {{ ubtu22cis_rule_1_6_2 }} +ubtu22cis_rule_1_6_3: {{ ubtu22cis_rule_1_6_3 }} +ubtu22cis_rule_1_6_4: {{ ubtu22cis_rule_1_6_4 }} +ubtu22cis_rule_1_6_5: {{ ubtu22cis_rule_1_6_5 }} +ubtu22cis_rule_1_6_6: {{ ubtu22cis_rule_1_6_6 }} # 1.7 Configure GNOME Display Manager -ubtu22cis_1_7_1: {{ ubtu22cis_1_7_1 }} -ubtu22cis_1_7_2: {{ ubtu22cis_1_7_2 }} -ubtu22cis_1_7_3: {{ ubtu22cis_1_7_3 }} -ubtu22cis_1_7_4: {{ 
ubtu22cis_1_7_4 }} -ubtu22cis_1_7_5: {{ ubtu22cis_1_7_5 }} -ubtu22cis_1_7_6: {{ ubtu22cis_1_7_6 }} -ubtu22cis_1_7_7: {{ ubtu22cis_1_7_7 }} -ubtu22cis_1_7_8: {{ ubtu22cis_1_7_8 }} -ubtu22cis_1_7_9: {{ ubtu22cis_1_7_9 }} -ubtu22cis_1_7_10: {{ ubtu22cis_1_7_10 }} - -# Section 2 Fixes +ubtu22cis_rule_1_7_1: {{ ubtu22cis_rule_1_7_1 }} +ubtu22cis_rule_1_7_2: {{ ubtu22cis_rule_1_7_2 }} +ubtu22cis_rule_1_7_3: {{ ubtu22cis_rule_1_7_3 }} +ubtu22cis_rule_1_7_4: {{ ubtu22cis_rule_1_7_4 }} +ubtu22cis_rule_1_7_5: {{ ubtu22cis_rule_1_7_5 }} +ubtu22cis_rule_1_7_6: {{ ubtu22cis_rule_1_7_6 }} +ubtu22cis_rule_1_7_7: {{ ubtu22cis_rule_1_7_7 }} +ubtu22cis_rule_1_7_8: {{ ubtu22cis_rule_1_7_8 }} +ubtu22cis_rule_1_7_9: {{ ubtu22cis_rule_1_7_9 }} +ubtu22cis_rule_1_7_10: {{ ubtu22cis_rule_1_7_10 }} + +## Section 2 Fixes # Section 2 is Services (Special Purpose Services, and service clients) -ubtu22cis_rule_2_1_1_1: {{ ubtu22cis_rule_2_1_1_1 }} -ubtu22cis_rule_2_1_1_2: {{ ubtu22cis_rule_2_1_1_2 }} -ubtu22cis_rule_2_1_1_3: {{ ubtu22cis_rule_2_1_1_3 }} -ubtu22cis_rule_2_1_1_4: {{ ubtu22cis_rule_2_1_1_4 }} -# Chrony -ubtu22cis_rule_2_1_2_1: {{ ubtu22cis_rule_2_1_2_1 }} -ubtu22cis_rule_2_1_2_2: {{ ubtu22cis_rule_2_1_2_2 }} -ubtu22cis_rule_2_1_2_3: {{ ubtu22cis_rule_2_1_2_3 }} -# systemd-timesyncd -ubtu22cis_rule_2_1_3_1: {{ ubtu22cis_rule_2_1_3_1 }} -ubtu22cis_rule_2_1_3_2: {{ ubtu22cis_rule_2_1_3_2 }} -# ntp -ubtu22cis_rule_2_1_4_1: {{ ubtu22cis_rule_2_1_4_1 }} -ubtu22cis_rule_2_1_4_2: {{ ubtu22cis_rule_2_1_4_2 }} -ubtu22cis_rule_2_1_4_3: {{ ubtu22cis_rule_2_1_4_3 }} -ubtu22cis_rule_2_1_4_4: {{ ubtu22cis_rule_2_1_4_4 }} -# Services + +# 2.1 Configure Server Services +ubtu22cis_rule_2_1_1: {{ ubtu22cis_rule_2_1_1 }} +ubtu22cis_rule_2_1_2: {{ ubtu22cis_rule_2_1_2 }} +ubtu22cis_rule_2_1_3: {{ ubtu22cis_rule_2_1_3 }} +ubtu22cis_rule_2_1_4: {{ ubtu22cis_rule_2_1_4 }} +ubtu22cis_rule_2_1_5: {{ ubtu22cis_rule_2_1_5 }} +ubtu22cis_rule_2_1_6: {{ ubtu22cis_rule_2_1_6 }} +ubtu22cis_rule_2_1_7: {{ 
ubtu22cis_rule_2_1_7 }} +ubtu22cis_rule_2_1_8: {{ ubtu22cis_rule_2_1_8 }} +ubtu22cis_rule_2_1_9: {{ ubtu22cis_rule_2_1_9 }} +ubtu22cis_rule_2_1_10: {{ ubtu22cis_rule_2_1_10 }} +ubtu22cis_rule_2_1_11: {{ ubtu22cis_rule_2_1_11 }} +ubtu22cis_rule_2_1_12: {{ ubtu22cis_rule_2_1_12 }} +ubtu22cis_rule_2_1_13: {{ ubtu22cis_rule_2_1_13 }} +ubtu22cis_rule_2_1_14: {{ ubtu22cis_rule_2_1_14 }} +ubtu22cis_rule_2_1_15: {{ ubtu22cis_rule_2_1_15 }} +ubtu22cis_rule_2_1_16: {{ ubtu22cis_rule_2_1_16 }} +ubtu22cis_rule_2_1_17: {{ ubtu22cis_rule_2_1_17 }} +ubtu22cis_rule_2_1_18: {{ ubtu22cis_rule_2_1_18 }} +ubtu22cis_rule_2_1_19: {{ ubtu22cis_rule_2_1_19 }} +ubtu22cis_rule_2_1_20: {{ ubtu22cis_rule_2_1_20 }} +ubtu22cis_rule_2_1_21: {{ ubtu22cis_rule_2_1_21 }} +ubtu22cis_rule_2_1_22: {{ ubtu22cis_rule_2_1_22 }} + +# 2.2 Configure client services ubtu22cis_rule_2_2_1: {{ ubtu22cis_rule_2_2_1 }} ubtu22cis_rule_2_2_2: {{ ubtu22cis_rule_2_2_2 }} ubtu22cis_rule_2_2_3: {{ ubtu22cis_rule_2_2_3 }} ubtu22cis_rule_2_2_4: {{ ubtu22cis_rule_2_2_4 }} ubtu22cis_rule_2_2_5: {{ ubtu22cis_rule_2_2_5 }} ubtu22cis_rule_2_2_6: {{ ubtu22cis_rule_2_2_6 }} -ubtu22cis_rule_2_2_7: {{ ubtu22cis_rule_2_2_7 }} -ubtu22cis_rule_2_2_8: {{ ubtu22cis_rule_2_2_8 }} -ubtu22cis_rule_2_2_9: {{ ubtu22cis_rule_2_2_9 }} -ubtu22cis_rule_2_2_10: {{ ubtu22cis_rule_2_2_10 }} -ubtu22cis_rule_2_2_11: {{ ubtu22cis_rule_2_2_11 }} -ubtu22cis_rule_2_2_12: {{ ubtu22cis_rule_2_2_12 }} -ubtu22cis_rule_2_2_13: {{ ubtu22cis_rule_2_2_13 }} -ubtu22cis_rule_2_2_14: {{ ubtu22cis_rule_2_2_14 }} -ubtu22cis_rule_2_2_15: {{ ubtu22cis_rule_2_2_15 }} -ubtu22cis_rule_2_2_16: {{ ubtu22cis_rule_2_2_16 }} -ubtu22cis_rule_2_2_17: {{ ubtu22cis_rule_2_2_17 }} -# Service Client -ubtu22cis_rule_2_3_1: {{ ubtu22cis_rule_2_3_1 }} -ubtu22cis_rule_2_3_2: {{ ubtu22cis_rule_2_3_2 }} -ubtu22cis_rule_2_3_3: {{ ubtu22cis_rule_2_3_3 }} -ubtu22cis_rule_2_3_4: {{ ubtu22cis_rule_2_3_4 }} -ubtu22cis_rule_2_3_5: {{ ubtu22cis_rule_2_3_5 }} -ubtu22cis_rule_2_3_6: {{ 
ubtu22cis_rule_2_3_6 }} -# Non-essential services -ubtu22cis_rule_2_4: {{ ubtu22cis_rule_2_4 }} - -# Section 3 Network Configuration -# Disable Unused Network + +# Ensure time synchronization is in use +ubtu22cis_rule_2_3_1_1: {{ ubtu22cis_rule_2_3_1_1 }} +# Configure systemd-timesyncd +ubtu22cis_rule_2_3_2_1: {{ ubtu22cis_rule_2_3_2_1 }} +ubtu22cis_rule_2_3_2_2: {{ ubtu22cis_rule_2_3_2_2 }} +# Configure Chrony +ubtu22cis_rule_2_3_3_1: {{ ubtu22cis_rule_2_3_3_1 }} +ubtu22cis_rule_2_3_3_2: {{ ubtu22cis_rule_2_3_3_2 }} +ubtu22cis_rule_2_3_3_3: {{ ubtu22cis_rule_2_3_3_3 }} + +# 2.4 Job Schedulers +# 2.4.1 Configure Cron +ubtu22cis_rule_2_4_1_1: {{ ubtu22cis_rule_2_4_1_1 }} +ubtu22cis_rule_2_4_1_2: {{ ubtu22cis_rule_2_4_1_2 }} +ubtu22cis_rule_2_4_1_3: {{ ubtu22cis_rule_2_4_1_3 }} +ubtu22cis_rule_2_4_1_4: {{ ubtu22cis_rule_2_4_1_4 }} +ubtu22cis_rule_2_4_1_5: {{ ubtu22cis_rule_2_4_1_5 }} +ubtu22cis_rule_2_4_1_6: {{ ubtu22cis_rule_2_4_1_6 }} +ubtu22cis_rule_2_4_1_7: {{ ubtu22cis_rule_2_4_1_7 }} +ubtu22cis_rule_2_4_1_8: {{ ubtu22cis_rule_2_4_1_8 }} +# Configure At +ubtu22cis_rule_2_4_2_1: {{ ubtu22cis_rule_2_4_2_1 }} + +## Section 3 Network Configuration +# 3.1 Configure Network Devices ubtu22cis_rule_3_1_1: {{ ubtu22cis_rule_3_1_1 }} ubtu22cis_rule_3_1_2: {{ ubtu22cis_rule_3_1_2 }} -# Network Parameters (Host Only) +ubtu22cis_rule_3_1_3: {{ ubtu22cis_rule_3_1_3 }} +# 3.2 Configure Network Kernel Modules (Host Only) ubtu22cis_rule_3_2_1: {{ ubtu22cis_rule_3_2_1 }} ubtu22cis_rule_3_2_2: {{ ubtu22cis_rule_3_2_2 }} -# Network Parameters (Host and Router) +ubtu22cis_rule_3_2_3: {{ ubtu22cis_rule_3_2_3 }} +ubtu22cis_rule_3_2_4: {{ ubtu22cis_rule_3_2_4 }} +# 3.3 Configure Network Kernel Parameters (Host and Router) ubtu22cis_rule_3_3_1: {{ ubtu22cis_rule_3_3_1 }} ubtu22cis_rule_3_3_2: {{ ubtu22cis_rule_3_3_2 }} ubtu22cis_rule_3_3_3: {{ ubtu22cis_rule_3_3_3 }} 
@@ -190,115 +210,47 @@ ubtu22cis_rule_3_3_6: {{ ubtu22cis_rule_3_3_6 }} ubtu22cis_rule_3_3_7: {{ ubtu22cis_rule_3_3_7 }} ubtu22cis_rule_3_3_8: {{ ubtu22cis_rule_3_3_8 }} ubtu22cis_rule_3_3_9: {{ ubtu22cis_rule_3_3_9 }} -# Uncommon Network Protocols -ubtu22cis_rule_3_4_1: {{ ubtu22cis_rule_3_4_1 }} -ubtu22cis_rule_3_4_2: {{ ubtu22cis_rule_3_4_2 }} -ubtu22cis_rule_3_4_3: {{ ubtu22cis_rule_3_4_3 }} -ubtu22cis_rule_3_4_4: {{ ubtu22cis_rule_3_4_4 }} -# Firewall Configuration -# UFW -ubtu22cis_rule_3_5_1_1: {{ ubtu22cis_rule_3_5_1_1 }} -ubtu22cis_rule_3_5_1_2: {{ ubtu22cis_rule_3_5_1_2 }} -ubtu22cis_rule_3_5_1_3: {{ ubtu22cis_rule_3_5_1_3 }} -ubtu22cis_rule_3_5_1_4: {{ ubtu22cis_rule_3_5_1_4 }} -ubtu22cis_rule_3_5_1_5: {{ ubtu22cis_rule_3_5_1_5 }} -ubtu22cis_rule_3_5_1_6: {{ ubtu22cis_rule_3_5_1_6 }} -ubtu22cis_rule_3_5_1_7: {{ ubtu22cis_rule_3_5_1_7 }} -# nftables -ubtu22cis_rule_3_5_2_1: {{ ubtu22cis_rule_3_5_2_1 }} -ubtu22cis_rule_3_5_2_2: {{ ubtu22cis_rule_3_5_2_2 }} -ubtu22cis_rule_3_5_2_3: {{ ubtu22cis_rule_3_5_2_3 }} -ubtu22cis_rule_3_5_2_4: {{ ubtu22cis_rule_3_5_2_4 }} -ubtu22cis_rule_3_5_2_5: {{ ubtu22cis_rule_3_5_2_5 }} -ubtu22cis_rule_3_5_2_6: {{ ubtu22cis_rule_3_5_2_6 }} -ubtu22cis_rule_3_5_2_7: {{ ubtu22cis_rule_3_5_2_7 }} -ubtu22cis_rule_3_5_2_8: {{ ubtu22cis_rule_3_5_2_8 }} -ubtu22cis_rule_3_5_2_9: {{ ubtu22cis_rule_3_5_2_9 }} -ubtu22cis_rule_3_5_2_10: {{ ubtu22cis_rule_3_5_2_10 }} -# iptables -ubtu22cis_rule_3_5_3_1_1: {{ ubtu22cis_rule_3_5_3_1_1 }} -ubtu22cis_rule_3_5_3_1_2: {{ ubtu22cis_rule_3_5_3_1_2 }} -ubtu22cis_rule_3_5_3_1_3: {{ ubtu22cis_rule_3_5_3_1_3 }} -ubtu22cis_rule_3_5_3_2_1: {{ ubtu22cis_rule_3_5_3_2_1 }} -ubtu22cis_rule_3_5_3_2_2: {{ ubtu22cis_rule_3_5_3_2_2 }} -ubtu22cis_rule_3_5_3_2_3: {{ ubtu22cis_rule_3_5_3_2_3 }} -ubtu22cis_rule_3_5_3_2_4: {{ ubtu22cis_rule_3_5_3_2_4 }} -ubtu22cis_rule_3_5_3_3_1: {{ ubtu22cis_rule_3_5_3_3_1 }} -ubtu22cis_rule_3_5_3_3_2: {{ ubtu22cis_rule_3_5_3_3_2 }} -ubtu22cis_rule_3_5_3_3_3: {{ 
ubtu22cis_rule_3_5_3_3_3 }} -ubtu22cis_rule_3_5_3_3_4: {{ ubtu22cis_rule_3_5_3_3_4 }} - -# Section 4 Fixes -# Section 4 is Logging and Auditing (Configure System Accounting (auditd), Configure Data Retention, and Configure Logging) -ubtu22cis_rule_4_1_1_1: {{ ubtu22cis_rule_4_1_1_1 }} -ubtu22cis_rule_4_1_1_2: {{ ubtu22cis_rule_4_1_1_2 }} -ubtu22cis_rule_4_1_1_3: {{ ubtu22cis_rule_4_1_1_3 }} -ubtu22cis_rule_4_1_1_4: {{ ubtu22cis_rule_4_1_1_4 }} -ubtu22cis_rule_4_1_2_1: {{ ubtu22cis_rule_4_1_2_1 }} -ubtu22cis_rule_4_1_2_2: {{ ubtu22cis_rule_4_1_2_2 }} -ubtu22cis_rule_4_1_2_3: {{ ubtu22cis_rule_4_1_2_3 }} -# Auditd rules -ubtu22cis_rule_4_1_3_1: {{ ubtu22cis_rule_4_1_3_1 }} -ubtu22cis_rule_4_1_3_2: {{ ubtu22cis_rule_4_1_3_2 }} -ubtu22cis_rule_4_1_3_3: {{ ubtu22cis_rule_4_1_3_3 }} -ubtu22cis_rule_4_1_3_4: {{ ubtu22cis_rule_4_1_3_4 }} -ubtu22cis_rule_4_1_3_5: {{ ubtu22cis_rule_4_1_3_5 }} -ubtu22cis_rule_4_1_3_6: {{ ubtu22cis_rule_4_1_3_6 }} -ubtu22cis_rule_4_1_3_7: {{ ubtu22cis_rule_4_1_3_7 }} -ubtu22cis_rule_4_1_3_8: {{ ubtu22cis_rule_4_1_3_8 }} -ubtu22cis_rule_4_1_3_9: {{ ubtu22cis_rule_4_1_3_9 }} -ubtu22cis_rule_4_1_3_10: {{ ubtu22cis_rule_4_1_3_10 }} -ubtu22cis_rule_4_1_3_11: {{ ubtu22cis_rule_4_1_3_11 }} -ubtu22cis_rule_4_1_3_12: {{ ubtu22cis_rule_4_1_3_12 }} -ubtu22cis_rule_4_1_3_13: {{ ubtu22cis_rule_4_1_3_13 }} -ubtu22cis_rule_4_1_3_14: {{ ubtu22cis_rule_4_1_3_14 }} -ubtu22cis_rule_4_1_3_15: {{ ubtu22cis_rule_4_1_3_15 }} -ubtu22cis_rule_4_1_3_16: {{ ubtu22cis_rule_4_1_3_16 }} -ubtu22cis_rule_4_1_3_17: {{ ubtu22cis_rule_4_1_3_17 }} -ubtu22cis_rule_4_1_3_18: {{ ubtu22cis_rule_4_1_3_18 }} -ubtu22cis_rule_4_1_3_19: {{ ubtu22cis_rule_4_1_3_19 }} -ubtu22cis_rule_4_1_3_20: {{ ubtu22cis_rule_4_1_3_20 }} -ubtu22cis_rule_4_1_3_21: {{ ubtu22cis_rule_4_1_3_21 }} -# Auditd file access -ubtu22cis_rule_4_1_4_1: {{ ubtu22cis_rule_4_1_4_1 }} -ubtu22cis_rule_4_1_4_2: {{ ubtu22cis_rule_4_1_4_2 }} -ubtu22cis_rule_4_1_4_3: {{ ubtu22cis_rule_4_1_4_3 }} -ubtu22cis_rule_4_1_4_4: {{ 
ubtu22cis_rule_4_1_4_4 }} -ubtu22cis_rule_4_1_4_5: {{ ubtu22cis_rule_4_1_4_5 }} -ubtu22cis_rule_4_1_4_6: {{ ubtu22cis_rule_4_1_4_6 }} -ubtu22cis_rule_4_1_4_7: {{ ubtu22cis_rule_4_1_4_7 }} -ubtu22cis_rule_4_1_4_8: {{ ubtu22cis_rule_4_1_4_8 }} -ubtu22cis_rule_4_1_4_9: {{ ubtu22cis_rule_4_1_4_9 }} -ubtu22cis_rule_4_1_4_10: {{ ubtu22cis_rule_4_1_4_10 }} -ubtu22cis_rule_4_1_4_11: {{ ubtu22cis_rule_4_1_4_11 }} -# Configure Logging -## journald -ubtu22cis_rule_4_2_1_1_1: {{ ubtu22cis_rule_4_2_1_1_1 }} -ubtu22cis_rule_4_2_1_1_2: {{ ubtu22cis_rule_4_2_1_1_2 }} -ubtu22cis_rule_4_2_1_1_3: {{ ubtu22cis_rule_4_2_1_1_1 }} -ubtu22cis_rule_4_2_1_1_4: {{ ubtu22cis_rule_4_2_1_1_1 }} -ubtu22cis_rule_4_2_1_1: {{ ubtu22cis_rule_4_2_1_1 }} -ubtu22cis_rule_4_2_1_2: {{ ubtu22cis_rule_4_2_1_2 }} -ubtu22cis_rule_4_2_1_3: {{ ubtu22cis_rule_4_2_1_3 }} -ubtu22cis_rule_4_2_1_4: {{ ubtu22cis_rule_4_2_1_4 }} -ubtu22cis_rule_4_2_1_5: {{ ubtu22cis_rule_4_2_1_5 }} -ubtu22cis_rule_4_2_1_6: {{ ubtu22cis_rule_4_2_1_6 }} -ubtu22cis_rule_4_2_1_7: {{ ubtu22cis_rule_4_2_1_7 }} -# rsyslog -ubtu22cis_rule_4_2_2_1: {{ ubtu22cis_rule_4_2_2_1 }} -ubtu22cis_rule_4_2_2_2: {{ ubtu22cis_rule_4_2_2_2 }} -ubtu22cis_rule_4_2_2_3: {{ ubtu22cis_rule_4_2_2_3 }} -ubtu22cis_rule_4_2_2_4: {{ ubtu22cis_rule_4_2_2_4 }} -ubtu22cis_rule_4_2_2_5: {{ ubtu22cis_rule_4_2_2_5 }} -ubtu22cis_rule_4_2_2_6: {{ ubtu22cis_rule_4_2_2_6 }} -ubtu22cis_rule_4_2_2_7: {{ ubtu22cis_rule_4_2_2_7 }} +ubtu22cis_rule_3_3_10: {{ ubtu22cis_rule_3_3_10 }} +ubtu22cis_rule_3_3_11: {{ ubtu22cis_rule_3_3_11 }} + +## Section 4 Host Based Firewall +# 4.1 Configure UncomplicatedFirewall +ubtu22cis_rule_4_1_1: {{ ubtu22cis_rule_4_1_1 }} +ubtu22cis_rule_4_1_2: {{ ubtu22cis_rule_4_1_2 }} +ubtu22cis_rule_4_1_3: {{ ubtu22cis_rule_4_1_3 }} +ubtu22cis_rule_4_1_4: {{ ubtu22cis_rule_4_1_4 }} +ubtu22cis_rule_4_1_5: {{ ubtu22cis_rule_4_1_5 }} +ubtu22cis_rule_4_1_6: {{ ubtu22cis_rule_4_1_6 }} +ubtu22cis_rule_4_1_7: {{ ubtu22cis_rule_4_1_7 }} +# 4.2 Configure nftables 
+ubtu22cis_rule_4_2_1: {{ ubtu22cis_rule_4_2_1 }} +ubtu22cis_rule_4_2_2: {{ ubtu22cis_rule_4_2_2 }} ubtu22cis_rule_4_2_3: {{ ubtu22cis_rule_4_2_3 }} -ubtu22cis_rule_4_3: {{ ubtu22cis_rule_4_3}} -ubtu22cis_rule_4_4: {{ ubtu22cis_rule_4_4 }} - -# Section 5 Fixes -# Section 5 is Access, Authentication, and Authorization (Configure time-based job schedulers, Configure sudo, Configure SSH Server, Configure PAM -# and User Accounts and Environment) +ubtu22cis_rule_4_2_4: {{ ubtu22cis_rule_4_2_4 }} +ubtu22cis_rule_4_2_5: {{ ubtu22cis_rule_4_2_5 }} +ubtu22cis_rule_4_2_6: {{ ubtu22cis_rule_4_2_6 }} +ubtu22cis_rule_4_2_7: {{ ubtu22cis_rule_4_2_7 }} +ubtu22cis_rule_4_2_8: {{ ubtu22cis_rule_4_2_8 }} +ubtu22cis_rule_4_2_9: {{ ubtu22cis_rule_4_2_9 }} +ubtu22cis_rule_4_2_10: {{ ubtu22cis_rule_4_2_10 }} +# Configure iptables software +ubtu22cis_rule_4_3_1_1: {{ ubtu22cis_rule_4_3_1_1 }} +ubtu22cis_rule_4_3_1_2: {{ ubtu22cis_rule_4_3_1_2 }} +ubtu22cis_rule_4_3_1_3: {{ ubtu22cis_rule_4_3_1_3 }} + +# Configure IPv4 iptables +ubtu22cis_rule_4_3_2_1: {{ ubtu22cis_rule_4_3_2_1 }} +ubtu22cis_rule_4_3_2_2: {{ ubtu22cis_rule_4_3_2_2 }} +ubtu22cis_rule_4_3_2_3: {{ ubtu22cis_rule_4_3_2_3 }} +ubtu22cis_rule_4_3_2_4: {{ ubtu22cis_rule_4_3_2_4 }} +# Configure IPv5 iptables +ubtu22cis_rule_4_3_3_1: {{ ubtu22cis_rule_4_3_3_1 }} +ubtu22cis_rule_4_3_3_2: {{ ubtu22cis_rule_4_3_3_2 }} +ubtu22cis_rule_4_3_3_3: {{ ubtu22cis_rule_4_3_3_3 }} +ubtu22cis_rule_4_3_3_4: {{ ubtu22cis_rule_4_3_3_4 }} + +## Section 5 Access Control +# 5.1 Configure SSH Server ubtu22cis_rule_5_1_1: {{ ubtu22cis_rule_5_1_1 }} ubtu22cis_rule_5_1_2: {{ ubtu22cis_rule_5_1_2 }} ubtu22cis_rule_5_1_3: {{ ubtu22cis_rule_5_1_3 }} 
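Review bot: The heading `# Configure IPv5 iptables` above the `ubtu22cis_rule_4_3_3_x` toggles is a typo for IPv6, and the two headings before it are the only ones in this hunk that drop the control number, so a reader grepping for the 4.3.x firewall controls will not find these groups. Suggested text: `# 4.3.1 Configure iptables software`, `# 4.3.2 Configure IPv4 iptables`, `# 4.3.3 Configure IPv6 iptables`. The hunk also ends inside the Section 5 SSH group, whose remaining toggles are in the next hunk.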
@@ -308,7 +260,20 @@ ubtu22cis_rule_5_1_6: {{ ubtu22cis_rule_5_1_6 }}
 ubtu22cis_rule_5_1_7: {{ ubtu22cis_rule_5_1_7 }}
 ubtu22cis_rule_5_1_8: {{ ubtu22cis_rule_5_1_8 }}
 ubtu22cis_rule_5_1_9: {{ ubtu22cis_rule_5_1_9 }}
-
+ubtu22cis_rule_5_1_10: {{ ubtu22cis_rule_5_1_10 }}
+ubtu22cis_rule_5_1_11: {{ ubtu22cis_rule_5_1_11 }}
+ubtu22cis_rule_5_1_12: {{ ubtu22cis_rule_5_1_12 }}
+ubtu22cis_rule_5_1_13: {{ ubtu22cis_rule_5_1_13 }}
+ubtu22cis_rule_5_1_14: {{ ubtu22cis_rule_5_1_14 }}
+ubtu22cis_rule_5_1_15: {{ ubtu22cis_rule_5_1_15 }}
+ubtu22cis_rule_5_1_16: {{ ubtu22cis_rule_5_1_16 }}
+ubtu22cis_rule_5_1_17: {{ ubtu22cis_rule_5_1_17 }}
+ubtu22cis_rule_5_1_18: {{ ubtu22cis_rule_5_1_18 }}
+ubtu22cis_rule_5_1_19: {{ ubtu22cis_rule_5_1_19 }}
+ubtu22cis_rule_5_1_20: {{ ubtu22cis_rule_5_1_20 }}
+ubtu22cis_rule_5_1_21: {{ ubtu22cis_rule_5_1_21 }}
+ubtu22cis_rule_5_1_22: {{ ubtu22cis_rule_5_1_22 }}
+# 5.2 Configure privilege escalation
 ubtu22cis_rule_5_2_1: {{ ubtu22cis_rule_5_2_1 }}
 ubtu22cis_rule_5_2_2: {{ ubtu22cis_rule_5_2_2 }}
 ubtu22cis_rule_5_2_3: {{ ubtu22cis_rule_5_2_3 }}
@@ -316,77 +281,181 @@ ubtu22cis_rule_5_2_4: {{ ubtu22cis_rule_5_2_4 }} ubtu22cis_rule_5_2_5: {{ ubtu22cis_rule_5_2_5 }} ubtu22cis_rule_5_2_6: {{ ubtu22cis_rule_5_2_6 }} ubtu22cis_rule_5_2_7: {{ ubtu22cis_rule_5_2_7 }} -ubtu22cis_rule_5_2_8: {{ ubtu22cis_rule_5_2_8 }} -ubtu22cis_rule_5_2_9: {{ ubtu22cis_rule_5_2_9 }} -ubtu22cis_rule_5_2_10: {{ ubtu22cis_rule_5_2_10 }} -ubtu22cis_rule_5_2_11: {{ ubtu22cis_rule_5_2_11 }} -ubtu22cis_rule_5_2_12: {{ ubtu22cis_rule_5_2_12 }} -ubtu22cis_rule_5_2_13: {{ ubtu22cis_rule_5_2_13 }} -ubtu22cis_rule_5_2_14: {{ ubtu22cis_rule_5_2_14 }} -ubtu22cis_rule_5_2_15: {{ ubtu22cis_rule_5_2_15 }} -ubtu22cis_rule_5_2_16: {{ ubtu22cis_rule_5_2_16 }} -ubtu22cis_rule_5_2_17: {{ ubtu22cis_rule_5_2_17 }} -ubtu22cis_rule_5_2_18: {{ ubtu22cis_rule_5_2_18 }} -ubtu22cis_rule_5_2_19: {{ ubtu22cis_rule_5_2_19 }} -ubtu22cis_rule_5_2_20: {{ ubtu22cis_rule_5_2_20 }} -ubtu22cis_rule_5_2_21: {{ ubtu22cis_rule_5_2_21 }} -ubtu22cis_rule_5_2_22: {{ ubtu22cis_rule_5_2_22 }} -ubtu22cis_rule_5_3_1: {{ ubtu22cis_rule_5_3_1 }} -ubtu22cis_rule_5_3_2: {{ ubtu22cis_rule_5_3_2 }} -ubtu22cis_rule_5_3_3: {{ ubtu22cis_rule_5_3_3 }} -ubtu22cis_rule_5_3_4: {{ ubtu22cis_rule_5_3_4 }} -ubtu22cis_rule_5_3_5: {{ ubtu22cis_rule_5_3_5 }} -ubtu22cis_rule_5_3_6: {{ ubtu22cis_rule_5_3_6 }} -ubtu22cis_rule_5_3_7: {{ ubtu22cis_rule_5_3_7 }} -ubtu22cis_rule_5_4_1: {{ ubtu22cis_rule_5_4_1 }} -ubtu22cis_rule_5_4_2: {{ ubtu22cis_rule_5_4_2 }} -ubtu22cis_rule_5_4_3: {{ ubtu22cis_rule_5_4_3 }} -ubtu22cis_rule_5_4_4: {{ ubtu22cis_rule_5_4_4 }} -ubtu22cis_rule_5_4_5: {{ ubtu22cis_rule_5_4_5 }} -ubtu22cis_rule_5_5_1_1: {{ ubtu22cis_rule_5_5_1_1 }} -ubtu22cis_rule_5_5_1_2: {{ ubtu22cis_rule_5_5_1_2 }} -ubtu22cis_rule_5_5_1_3: {{ ubtu22cis_rule_5_5_1_3 }} -ubtu22cis_rule_5_5_1_4: {{ ubtu22cis_rule_5_5_1_4 }} -ubtu22cis_rule_5_5_1_5: {{ ubtu22cis_rule_5_5_1_5 }} -ubtu22cis_rule_5_5_2: {{ ubtu22cis_rule_5_5_2 }} -ubtu22cis_rule_5_5_3: {{ ubtu22cis_rule_5_5_3 }} -ubtu22cis_rule_5_5_4: {{ 
ubtu22cis_rule_5_5_4 }} -ubtu22cis_rule_5_5_5: {{ ubtu22cis_rule_5_5_5 }} -ubtu22cis_rule_5_6: {{ ubtu22cis_rule_5_6 }} -ubtu22cis_rule_5_7: {{ ubtu22cis_rule_5_7 }} - -# Section 6 Fixes -# Section is Systme Maintenance (System File Permissions and User and Group Settings) +# 5.3.1 Configure PAM software packages +ubtu22cis_rule_5_3_1_1: {{ ubtu22cis_rule_5_3_1_1 }} +ubtu22cis_rule_5_3_1_2: {{ ubtu22cis_rule_5_3_1_2 }} +ubtu22cis_rule_5_3_1_3: {{ ubtu22cis_rule_5_3_1_3 }} +# 5.3.2 Configure pam-auth-update profiles +ubtu22cis_rule_5_3_2_1: {{ ubtu22cis_rule_5_3_2_1 }} +ubtu22cis_rule_5_3_2_2: {{ ubtu22cis_rule_5_3_2_2 }} +ubtu22cis_rule_5_3_2_3: {{ ubtu22cis_rule_5_3_2_3 }} +ubtu22cis_rule_5_3_2_4: {{ ubtu22cis_rule_5_3_2_4 }} +# 5.3.3.1 Configure pam_faillock module +ubtu22cis_rule_5_3_3_1_1: {{ ubtu22cis_rule_5_3_3_1_1 }} +ubtu22cis_rule_5_3_3_1_2: {{ ubtu22cis_rule_5_3_3_1_2 }} +ubtu22cis_rule_5_3_3_1_3: {{ ubtu22cis_rule_5_3_3_1_3 }} +# 5.3.3.2 Configure pam_quality module +ubtu22cis_rule_5_3_3_2_1: {{ ubtu22cis_rule_5_3_3_2_1 }} +ubtu22cis_rule_5_3_3_2_2: {{ ubtu22cis_rule_5_3_3_2_2 }} +ubtu22cis_rule_5_3_3_2_3: {{ ubtu22cis_rule_5_3_3_2_3 }} +ubtu22cis_rule_5_3_3_2_4: {{ ubtu22cis_rule_5_3_3_2_4 }} +ubtu22cis_rule_5_3_3_2_5: {{ ubtu22cis_rule_5_3_3_2_5 }} +ubtu22cis_rule_5_3_3_2_6: {{ ubtu22cis_rule_5_3_3_2_6 }} +ubtu22cis_rule_5_3_3_2_7: {{ ubtu22cis_rule_5_3_3_2_7 }} +ubtu22cis_rule_5_3_3_2_8: {{ ubtu22cis_rule_5_3_3_2_8 }} +# 5.3.3.3 Configure pam_history module +# This are added as part of 5.3.2.4 using jinja2 template +ubtu22cis_rule_5_3_3_3_1: {{ ubtu22cis_rule_5_3_3_3_1 }} +ubtu22cis_rule_5_3_3_3_2: {{ ubtu22cis_rule_5_3_3_3_2 }} +ubtu22cis_rule_5_3_3_3_3: {{ ubtu22cis_rule_5_3_3_3_3 }} +# 5.3.3.4 Configure pam_unix module +ubtu22cis_rule_5_3_3_4_1: {{ ubtu22cis_rule_5_3_3_4_1 }} +ubtu22cis_rule_5_3_3_4_2: {{ ubtu22cis_rule_5_3_3_4_2 }} +ubtu22cis_rule_5_3_3_4_3: {{ ubtu22cis_rule_5_3_3_4_3 }} +ubtu22cis_rule_5_3_3_4_4: {{ ubtu22cis_rule_5_3_3_4_4 }} 
+# 5.4 User Accounts and Environment +# 5.4.1 Configure shadow password suite parameters +ubtu22cis_rule_5_4_1_1: {{ ubtu22cis_rule_5_4_1_1 }} +ubtu22cis_rule_5_4_1_2: {{ ubtu22cis_rule_5_4_1_2 }} +ubtu22cis_rule_5_4_1_3: {{ ubtu22cis_rule_5_4_1_3 }} +ubtu22cis_rule_5_4_1_4: {{ ubtu22cis_rule_5_4_1_4 }} +ubtu22cis_rule_5_4_1_5: {{ ubtu22cis_rule_5_4_1_5 }} +ubtu22cis_rule_5_4_1_6: {{ ubtu22cis_rule_5_4_1_6 }} +# 5.4.2 Configure root and system accounts and environment +ubtu22cis_rule_5_4_2_1: {{ ubtu22cis_rule_5_4_2_1 }} +ubtu22cis_rule_5_4_2_2: {{ ubtu22cis_rule_5_4_2_2 }} +ubtu22cis_rule_5_4_2_3: {{ ubtu22cis_rule_5_4_2_3 }} +ubtu22cis_rule_5_4_2_4: {{ ubtu22cis_rule_5_4_2_4 }} +ubtu22cis_rule_5_4_2_5: {{ ubtu22cis_rule_5_4_2_5 }} +ubtu22cis_rule_5_4_2_6: {{ ubtu22cis_rule_5_4_2_6 }} +ubtu22cis_rule_5_4_2_7: {{ ubtu22cis_rule_5_4_2_7 }} +ubtu22cis_rule_5_4_2_8: {{ ubtu22cis_rule_5_4_2_8 }} +# 5.4.2 Configure user default environment +ubtu22cis_rule_5_4_3_1: {{ ubtu22cis_rule_5_4_3_1 }} +ubtu22cis_rule_5_4_3_2: {{ ubtu22cis_rule_5_4_3_2 }} +ubtu22cis_rule_5_4_3_3: {{ ubtu22cis_rule_5_4_3_3 }} + +## Section 6 +# 6.1 Configure Filesystem Integrity Checking ubtu22cis_rule_6_1_1: {{ ubtu22cis_rule_6_1_1 }} ubtu22cis_rule_6_1_2: {{ ubtu22cis_rule_6_1_2 }} ubtu22cis_rule_6_1_3: {{ ubtu22cis_rule_6_1_3 }} -ubtu22cis_rule_6_1_4: {{ ubtu22cis_rule_6_1_4 }} -ubtu22cis_rule_6_1_5: {{ ubtu22cis_rule_6_1_5 }} -ubtu22cis_rule_6_1_6: {{ ubtu22cis_rule_6_1_6 }} -ubtu22cis_rule_6_1_7: {{ ubtu22cis_rule_6_1_7 }} -ubtu22cis_rule_6_1_8: {{ ubtu22cis_rule_6_1_8 }} -ubtu22cis_rule_6_1_9: {{ ubtu22cis_rule_6_1_9 }} -ubtu22cis_rule_6_1_10: {{ ubtu22cis_rule_6_1_10 }} -ubtu22cis_rule_6_1_11: {{ ubtu22cis_rule_6_1_11 }} -ubtu22cis_rule_6_1_12: {{ ubtu22cis_rule_6_1_12 }} -ubtu22cis_rule_6_1_13: {{ ubtu22cis_rule_6_1_13 }} -ubtu22cis_rule_6_2_1: {{ ubtu22cis_rule_6_2_1 }} -ubtu22cis_rule_6_2_2: {{ ubtu22cis_rule_6_2_2 }} -ubtu22cis_rule_6_2_3: {{ ubtu22cis_rule_6_2_3 }} 
-ubtu22cis_rule_6_2_4: {{ ubtu22cis_rule_6_2_4 }} -ubtu22cis_rule_6_2_5: {{ ubtu22cis_rule_6_2_5 }} -ubtu22cis_rule_6_2_6: {{ ubtu22cis_rule_6_2_6 }} -ubtu22cis_rule_6_2_7: {{ ubtu22cis_rule_6_2_7 }} -ubtu22cis_rule_6_2_8: {{ ubtu22cis_rule_6_2_8 }} -ubtu22cis_rule_6_2_9: {{ ubtu22cis_rule_6_2_9 }} -ubtu22cis_rule_6_2_10: {{ ubtu22cis_rule_6_2_10 }} -ubtu22cis_rule_6_2_11: {{ ubtu22cis_rule_6_2_11 }} -ubtu22cis_rule_6_2_12: {{ ubtu22cis_rule_6_2_12 }} -ubtu22cis_rule_6_2_13: {{ ubtu22cis_rule_6_2_13 }} -ubtu22cis_rule_6_2_14: {{ ubtu22cis_rule_6_2_14 }} -ubtu22cis_rule_6_2_15: {{ ubtu22cis_rule_6_2_15 }} -ubtu22cis_rule_6_2_16: {{ ubtu22cis_rule_6_2_16 }} -ubtu22cis_rule_6_2_17: {{ ubtu22cis_rule_6_2_17 }} +# 6.2.1.1 Configure systemd-journald service +ubtu22cis_rule_6_2_1_1_1: {{ ubtu22cis_rule_6_2_1_1_1 }} +ubtu22cis_rule_6_2_1_1_2: {{ ubtu22cis_rule_6_2_1_1_2 }} +ubtu22cis_rule_6_2_1_1_3: {{ ubtu22cis_rule_6_2_1_1_3 }} +ubtu22cis_rule_6_2_1_1_4: {{ ubtu22cis_rule_6_2_1_1_4 }} +ubtu22cis_rule_6_2_1_1_5: {{ ubtu22cis_rule_6_2_1_1_5 }} +ubtu22cis_rule_6_2_1_1_6: {{ ubtu22cis_rule_6_2_1_1_6 }} +# 6.2.1.2 Configure systemd-journald service +ubtu22cis_rule_6_2_1_2_1: {{ ubtu22cis_rule_6_2_1_2_1 }} +ubtu22cis_rule_6_2_1_2_2: {{ ubtu22cis_rule_6_2_1_2_2 }} +ubtu22cis_rule_6_2_1_2_3: {{ ubtu22cis_rule_6_2_1_2_3 }} +ubtu22cis_rule_6_2_1_2_4: {{ ubtu22cis_rule_6_2_1_2_4 }} +# 6.2.2 Configure Logfiles +ubtu22cis_rule_6_2_2_1: {{ ubtu22cis_rule_6_2_2_1 }} +# 6.3.1 Configure auditd Service +ubtu22cis_rule_6_3_1_1: {{ ubtu22cis_rule_6_3_1_1 }} +ubtu22cis_rule_6_3_1_2: {{ ubtu22cis_rule_6_3_1_2 }} +ubtu22cis_rule_6_3_1_3: {{ ubtu22cis_rule_6_3_1_3 }} +ubtu22cis_rule_6_3_1_4: {{ ubtu22cis_rule_6_3_1_4 }} +# 6.3.2 Configure data retention +ubtu22cis_rule_6_3_2_1: {{ ubtu22cis_rule_6_3_2_1 }} +ubtu22cis_rule_6_3_2_2: {{ ubtu22cis_rule_6_3_2_2 }} +ubtu22cis_rule_6_3_2_3: {{ ubtu22cis_rule_6_3_2_3 }} +ubtu22cis_rule_6_3_2_4: {{ ubtu22cis_rule_6_3_2_4 }} +# 6.3.3 Configure auditd 
rules +ubtu22cis_rule_6_3_3_1: {{ ubtu22cis_rule_6_3_3_1 }} +ubtu22cis_rule_6_3_3_2: {{ ubtu22cis_rule_6_3_3_2 }} +ubtu22cis_rule_6_3_3_3: {{ ubtu22cis_rule_6_3_3_3 }} +ubtu22cis_rule_6_3_3_4: {{ ubtu22cis_rule_6_3_3_4 }} +ubtu22cis_rule_6_3_3_5: {{ ubtu22cis_rule_6_3_3_5 }} +ubtu22cis_rule_6_3_3_6: {{ ubtu22cis_rule_6_3_3_6 }} +ubtu22cis_rule_6_3_3_7: {{ ubtu22cis_rule_6_3_3_7 }} +ubtu22cis_rule_6_3_3_8: {{ ubtu22cis_rule_6_3_3_8 }} +ubtu22cis_rule_6_3_3_9: {{ ubtu22cis_rule_6_3_3_9 }} +ubtu22cis_rule_6_3_3_10: {{ ubtu22cis_rule_6_3_3_10 }} +ubtu22cis_rule_6_3_3_11: {{ ubtu22cis_rule_6_3_3_11 }} +ubtu22cis_rule_6_3_3_12: {{ ubtu22cis_rule_6_3_3_12 }} +ubtu22cis_rule_6_3_3_13: {{ ubtu22cis_rule_6_3_3_13 }} +ubtu22cis_rule_6_3_3_14: {{ ubtu22cis_rule_6_3_3_14 }} +ubtu22cis_rule_6_3_3_15: {{ ubtu22cis_rule_6_3_3_15 }} +ubtu22cis_rule_6_3_3_16: {{ ubtu22cis_rule_6_3_3_16 }} +ubtu22cis_rule_6_3_3_17: {{ ubtu22cis_rule_6_3_3_17 }} +ubtu22cis_rule_6_3_3_18: {{ ubtu22cis_rule_6_3_3_18 }} +ubtu22cis_rule_6_3_3_19: {{ ubtu22cis_rule_6_3_3_19 }} +ubtu22cis_rule_6_3_3_20: {{ ubtu22cis_rule_6_3_3_20 }} +ubtu22cis_rule_6_3_3_21: {{ ubtu22cis_rule_6_3_3_21 }} +# 6.3.4 Configure audit file access +ubtu22cis_rule_6_3_4_1: {{ ubtu22cis_rule_6_3_4_1 }} +ubtu22cis_rule_6_3_4_2: {{ ubtu22cis_rule_6_3_4_2 }} +ubtu22cis_rule_6_3_4_3: {{ ubtu22cis_rule_6_3_4_3 }} +ubtu22cis_rule_6_3_4_4: {{ ubtu22cis_rule_6_3_4_4 }} +ubtu22cis_rule_6_3_4_5: {{ ubtu22cis_rule_6_3_4_5 }} +ubtu22cis_rule_6_3_4_6: {{ ubtu22cis_rule_6_3_4_6 }} +ubtu22cis_rule_6_3_4_7: {{ ubtu22cis_rule_6_3_4_7 }} +ubtu22cis_rule_6_3_4_8: {{ ubtu22cis_rule_6_3_4_8 }} +ubtu22cis_rule_6_3_4_9: {{ ubtu22cis_rule_6_3_4_9 }} +ubtu22cis_rule_6_3_4_10: {{ ubtu22cis_rule_6_3_4_10 }} + +## Section 7 +# 7.1 System File Permissions +ubtu22cis_rule_7_1_1: {{ ubtu22cis_rule_7_1_1 }} +ubtu22cis_rule_7_1_2: {{ ubtu22cis_rule_7_1_2 }} +ubtu22cis_rule_7_1_3: {{ ubtu22cis_rule_7_1_3 }} +ubtu22cis_rule_7_1_4: {{ ubtu22cis_rule_7_1_4 }} 
+ubtu22cis_rule_7_1_5: {{ ubtu22cis_rule_7_1_5 }} +ubtu22cis_rule_7_1_6: {{ ubtu22cis_rule_7_1_6 }} +ubtu22cis_rule_7_1_7: {{ ubtu22cis_rule_7_1_7 }} +ubtu22cis_rule_7_1_8: {{ ubtu22cis_rule_7_1_8 }} +ubtu22cis_rule_7_1_9: {{ ubtu22cis_rule_7_1_9 }} +ubtu22cis_rule_7_1_10: {{ ubtu22cis_rule_7_1_10 }} +ubtu22cis_rule_7_1_11: {{ ubtu22cis_rule_7_1_11 }} +ubtu22cis_rule_7_1_12: {{ ubtu22cis_rule_7_1_12 }} +ubtu22cis_rule_7_1_13: {{ ubtu22cis_rule_7_1_13 }} +# 7.2 Local User and Group Settings +ubtu22cis_rule_7_2_1: {{ ubtu22cis_rule_7_2_1 }} +ubtu22cis_rule_7_2_2: {{ ubtu22cis_rule_7_2_2 }} +ubtu22cis_rule_7_2_3: {{ ubtu22cis_rule_7_2_3 }} +ubtu22cis_rule_7_2_4: {{ ubtu22cis_rule_7_2_4 }} +ubtu22cis_rule_7_2_5: {{ ubtu22cis_rule_7_2_5 }} +ubtu22cis_rule_7_2_6: {{ ubtu22cis_rule_7_2_6 }} +ubtu22cis_rule_7_2_7: {{ ubtu22cis_rule_7_2_7 }} +ubtu22cis_rule_7_2_8: {{ ubtu22cis_rule_7_2_8 }} +ubtu22cis_rule_7_2_9: {{ ubtu22cis_rule_7_2_9 }} +ubtu22cis_rule_7_2_10: {{ ubtu22cis_rule_7_2_10 }} + + +## System functionality configuration variables +## +## There are certain functionalities of a system +## that may require either to skip certain CIS rules +## or install certain packages. +## Set the respective variable to `true` in order to +## enable a certain functionality on the system + +# This variable governs whether specific CIS rules +# concerned with acceptance and routing of packages +# are skipped. +ubtu22cis_is_router: {{ ubtu22cis_is_router }} + +## IPv4 requirement toggle +# This variable governs whether ipv4 is enabled or disabled. +ubtu22cis_ipv4_required: {{ ubtu22cis_ipv4_required }} + +## IPv6 requirement toggle +# This variable governs whether ipv6 is enabled or disabled. +ubtu22cis_ipv6_required: {{ ubtu22cis_ipv6_required }} + +## Desktop requirement toggle +# This variable governs, whether CIS rules regarding GDM +# and X-Windows are carried out. +ubtu22cis_desktop_required: {{ ubtu22cis_desktop_required }} + +## Section 1 + +# If system uses squahshfs e.gf. 
snap package manager set true +ubtu22cis_squashfs_required: {{ ubtu22cis_squashfs_required }} # AIDE ubtu22cis_config_aide: {{ ubtu22cis_config_aide }} 
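Review bot: The heading `# 5.4.2 Configure user default environment` sits above the `ubtu22cis_rule_5_4_3_x` toggles and duplicates the 5.4.2 heading two groups up; it should read `# 5.4.3 Configure user default environment` so the numbering matches the variables it labels. Two other comments in this hunk need wording fixes: `# This are added as part of 5.3.2.4 using jinja2 template` to `# These are added as part of 5.3.2.4 using the jinja2 template`, and `# If system uses squahshfs e.gf. snap package manager set true` to `# Set to true if the system uses squashfs (e.g. the snap package manager)`. Since this file appears to be rendered for a later audit, mislabelled groups make it harder to map a failing check back to its CIS control.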
@@ -396,143 +465,210 @@ ubtu22cis_aide_scan: cron # AIDE cron settings ubtu22_aide_cron: - cron_user: {{ ubtu22cis_aide_cron.cron_user }} - cron_file: {{ ubtu22cis_aide_cron.cron_file }} - aide_job: {{ ubtu22cis_aide_cron.aide_job }} - aide_minute: {{ ubtu22cis_aide_cron.aide_minute }} - aide_hour: {{ ubtu22cis_aide_cron.aide_hour }} - aide_day: '{{ ubtu22cis_aide_cron.aide_day }}' - aide_month: '{{ ubtu22cis_aide_cron.aide_month }}' - aide_weekday: '{{ ubtu22cis_aide_cron.aide_weekday }}' - -# 1.1 -ubtu22cis_allow_autofs: {{ ubtu22cis_allow_autofs }} - -# 1.4 -ubtu22cis_grub_user_file: {{ ubtu22cis_grub_user_file }} -ubtu22cis_grub_username: {{ ubtu22cis_grub_user }} -ubtu22cis_grub_hash: {{ ubtu22cis_bootloader_password_hash }} -# 1.5.1 Bootloader password -ubtu22cis_bootloader_password: {{ ubtu22cis_bootloader_password_hash }} - -# 1.6 - Only have apparmor enforcing + cron_user: root + cron_file: /etc/crontab + aide_job: '/usr/sbin/aide --check' + aide_minute: 0 + aide_hour: 5 + aide_day: '*' + aide_month: '*' + aide_weekday: '*' + +## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode + +# This variable disables the implementation of rules 1.3.1.3 and 1.3.1.4 +# regarding enforcing profiles or putting them in complain mode ubtu22cis_apparmor_disable: {{ ubtu22cis_apparmor_disable }} -ubtu22cis_apparmor_mode: {{ ubtu22cis_apparmor_mode }} -ubtu22cis_apparmor_enforce_only: {{ubtu22cis_apparmor_enforce_only}} - -# Warning Banner Content (issue, issue.net, motd) -ubtu22_warning_banner: | - {{ ubtu22cis_warning_banner|indent(2, false) }} -# End Banner -# If configured to stop dynamic loading of files in /etc/update-motd.d -# optional in remediation +# This variable specifies whether enforce mode or complain mode is set in Control 1.3.1.3. +# Possible values are `enforce` and `complain`. 
+# ATTENTION: if Control 1.3.1.4 is run (e.g., when running level 2 rules), it OVERRIDES control 1.3.1.3 +# and sets `enforce` mode, no matter what this variable's value is. +ubtu22cis_apparmor_mode: complain + +## Controls 1.4.x - Boot password +# +# THIS VARIABLE SHOULD BE CHANGED AND INCORPORATED INTO VAULT +# THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!! +# HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!! +ubtu22cis_grub_user: root +ubtu22cis_set_grub_user_pass: {{ ubtu22cis_set_grub_user_pass }} +ubtu22cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' # Set to changeme +ubtu22cis_grub_user_file: /etc/grub.d/00_user +ubtu22cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword" # pragma: allowlist secret +ubtu22cis_set_boot_pass: {{ ubtu22cis_set_boot_pass }} + +ubtu22cis_grub_file: /boot/grub/grub.cfg + +## Controls 1.5.x +# Ability to set file in which the kernel systcl changes are placed +ubtu22cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf + +## Controls 1.6.x - Warning banners +# The controls 1.6.x set various warning banners and protect the respective files +# by tightening the access rights. + +# This variable specifies the warning banner displayed to the user +# after local login, remote login, and as motd (message of the day) +# Noe that the banner text must not contain the below items in order to be +# compliant with CIS: \m, \r, \s, \v or references to the OS platform +ubtu22cis_warning_banner: | + Authorized uses only. All activity may be monitored and reported. + +# This variable governs, whether dynamic motd is disabled (as required by control 1.7.1) ubtu22cis_disable_dynamic_motd: {{ ubtu22cis_disable_dynamic_motd }} - +## Controls 1.7.x - Settings for GDM +# This variable specifies the GNOME configuration database file to which configurations are written. 
+# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) +# The default database is `local`. +ubtu22cis_dconf_db_name: local +# This variable governs the number of seconds of inactivity before the screen goes blank. +ubtu22cis_screensaver_idle_delay: 900 +# This variable governs the number of seconds the screen remains blank before it is locked. +ubtu22cis_screensaver_lock_delay: 5 + +## # Section 2 -# Time sync - can be timesync or chr0ny or ntp -ubtu22cis_time_service: {{ ubtu22cis_time_sync_tool }} - -# Control 2.1.2.1 2.1.3.1 -# Time settings used for all versions -ubtu22cis_time_pool: -{% for pool in ubtu22cis_time_pool %} -- name: {{ pool.name }} - options: {{ pool.options }} -{% endfor %} - -ubtu22cis_time_servers: -{% for server in ubtu22cis_time_servers %} -- name: {{ server.name }} - options: {{ server.options }} -{% endfor %} - -# Whether or not to run tasks related to auditing/patching the desktop environment -ubtu22cis_gui: {{ ubtu22cis_desktop_required }} - -# Service configuration booleans set true to keep service +## + +## +## Service configuration variables. +## +## Set the respective variable to true to keep the service. 
+## otherwise the service is stopped and disabled +## +# Service configuration +# Options are +# true to leave installed if exists not changes take place +# false - this removes the package +# mask - if a dependancy for product so cannot be removed +# Server Services +ubtu22cis_autofs_services: {{ ubtu22cis_autofs_services }} +ubtu22cis_autofs_mask: {{ ubtu22cis_autofs_mask }} ubtu22cis_avahi_server: {{ ubtu22cis_avahi_server }} -ubtu22cis_cups_server: {{ ubtu22cis_cups_server }} -ubtu22cis_nfs_server: {{ ubtu22cis_nfs_server }} +ubtu22cis_avahi_mask: {{ ubtu22cis_avahi_mask }} ubtu22cis_dhcp_server: {{ ubtu22cis_dhcp_server }} -ubtu22cis_ldap_server: {{ ubtu22cis_ldap_server }} +ubtu22cis_dhcp_mask: {{ ubtu22cis_dhcp_mask }} ubtu22cis_dns_server: {{ ubtu22cis_dns_server }} -ubtu22cis_vsftpd_server: {{ ubtu22cis_vsftpd_server }} -ubtu22cis_httpd_server: {{ ubtu22cis_httpd_server }} -ubtu22cis_is_mail_server: {{ ubtu22cis_is_mail_server }} -ubtu22cis_dovecot_server: {{ ubtu22cis_dovecot_server }} -ubtu22cis_samba_server: {{ ubtu22cis_smb_server }} -ubtu22cis_squid_server: {{ ubtu22cis_squid_server }} +ubtu22cis_dns_mask: {{ ubtu22cis_dns_mask }} +ubtu22cis_dnsmasq_server: {{ ubtu22cis_dnsmasq_server }} +ubtu22cis_dnsmasq_mask: {{ ubtu22cis_dnsmasq_mask }} +ubtu22cis_ftp_server: {{ ubtu22cis_ftp_server }} +ubtu22cis_ftp_mask: {{ ubtu22cis_ftp_mask }} +ubtu22cis_ldap_server: {{ ubtu22cis_ldap_server }} +ubtu22cis_ldap_mask: {{ ubtu22cis_ldap_mask }} +ubtu22cis_message_server: {{ ubtu22cis_message_server }} # This is for messaging dovecot and dovecot-pop3 +ubtu22cis_message_mask: {{ ubtu22cis_message_mask }} +ubtu22cis_nfs_server: {{ ubtu22cis_nfs_server }} +ubtu22cis_nfs_mask: {{ ubtu22cis_nfs_mask }} +ubtu22cis_nis_server: {{ ubtu22cis_nis_server }} # set to mask if nis client required +ubtu22cis_nis_mask: {{ ubtu22cis_nis_mask }} +ubtu22cis_print_server: {{ ubtu22cis_print_server }} # replaces cups +ubtu22cis_print_mask: {{ ubtu22cis_print_mask }} 
+ubtu22cis_rpc_server: {{ ubtu22cis_rpc_server }} +ubtu22cis_rpc_mask: {{ ubtu22cis_rpc_mask }} +ubtu22cis_rsync_server: {{ ubtu22cis_rsync_server }} +ubtu22cis_rsync_mask: {{ ubtu22cis_rsync_mask }} +ubtu22cis_samba_server: {{ ubtu22cis_samba_server }} +ubtu22cis_samba_mask: {{ ubtu22cis_samba_mask }} ubtu22cis_snmp_server: {{ ubtu22cis_snmp_server }} +ubtu22cis_snmp_mask: {{ ubtu22cis_snmp_mask }} +ubtu22cis_telnet_server: {{ ubtu22cis_telnet_server }} +ubtu22cis_telnet_mask: {{ ubtu22cis_telnet_mask }} +ubtu22cis_tftp_server: {{ ubtu22cis_tftp_server }} +ubtu22cis_tftp_mask: {{ ubtu22cis_tftp_mask }} +ubtu22cis_squid_server: {{ ubtu22cis_squid_server }} +ubtu22cis_squid_mask: {{ ubtu22cis_squid_mask }} +ubtu22cis_apache2_server: {{ ubtu22cis_apache2_server }} +ubtu22cis_apache2_mask: {{ ubtu22cis_apache2_mask }} +ubtu22cis_nginx_server: {{ ubtu22cis_nginx_server }} +ubtu22cis_nginx_mask: {{ ubtu22cis_nginx_mask }} +ubtu22cis_xinetd_server: {{ ubtu22cis_xinetd_server }} +ubtu22cis_xinetd_mask: {{ ubtu22cis_xinetd_mask }} +ubtu22cis_xwindow_server: {{ ubtu22cis_xwindow_server }} # will remove mask not an option +ubtu22cis_is_mail_server: {{ ubtu22cis_is_mail_server }} -# Mail Server config -{% if ubtu22_cis_mail_transfer_agent is defined %} -ubtu22cis_mailserver: {{ ubtu22_cis_mail_transfer_agent }} -{% else %} -ubtu22cis_mailserver: Not_defined -{% endif %} -ubtu22_exim_conf: - - dc_eximconfig_configtype='local' - - dc_local_interfaces='127.0.0.1 ; ::1' - - dc_readhost='' - - dc_relay_domains='' - - dc_minimaldns='false' - - dc_relay_nets='' - - dc_smarthost='' - - dc_use_split_config='false' - - dc_hide_mailname='' - - dc_mailname_in_oh='true' - - dc_localdelivery='mail_spool' - -ubtu22cis_rsyncd_server: {{ ubtu22cis_rsync_server }} -ubtu22cis_nis_server: {{ ubtu22cis_nis_server }} - -ubtu22cis_xwindows_required: false - -# 2.2 client services -ubtu22cis_rsh_required: {{ ubtu22cis_rsh_required }} -ubtu22cis_talk_required: {{ ubtu22cis_talk_required }} +# Client 
Services +ubtu22cis_nis_client_required: {{ ubtu22cis_nis_client_required }} # Same package as NIS server +ubtu22cis_rsh_client: {{ ubtu22cis_rsh_client }} +ubtu22cis_talk_client: {{ ubtu22cis_talk_client }} ubtu22cis_telnet_required: {{ ubtu22cis_telnet_required }} ubtu22cis_ldap_clients_required: {{ ubtu22cis_ldap_clients_required }} -ubtu22cis_rpc_required: {{ ubtu22cis_rpc_required }} +ubtu22cis_ftp_client: {{ ubtu22cis_ftp_client }} + +## Control 2.3.1.1 +# This variable choses the tool used for time synchronization +# The two options are `chrony`and `systemd-timesyncd`. +ubtu22cis_time_sync_tool: "systemd-timesyncd" + +## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd +# The following variable represents a list of of time server pools used +# for configuring chrony and timesyncd. +# Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`. +# The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation +# of the time synchronization mechanism you are using. +ubtu22cis_time_pool_name: time.nist.gov +ubtu22cis_time_pool_options: iburst maxsources 4 +# The following variable represents a list of of time servers used +# for configuring chrony and timesyncd +# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`. +# The default setting for the `options` is `iburst` -- please refer to the documentation +# of the time synchronization mechanism you are using. 
+ubtu22cis_time_servers: +- name: time-a-g.nist.gov + options: iburst +- name: time-b-g.nist.gov + options: iburst +- name: time-c-g.nist.gov + options: iburst # Section 3 -# IPv6 required -ubtu22cis_ipv6_required: {{ ubtu22cis_ipv6_required }} -# How to disable ipv6 either via grub or sysctl settings options: grub or sysctl +## Control 3.1.1 - Ensure system is checked to determine if IPv6 is enabled +# This variable governs the mechanism of how the disabling of IPV6 is carried out. +# Its possible values are `grub` and `sysctl`. ubtu22cis_ipv6_disable: {{ ubtu22cis_ipv6_disable }} - -# System network parameters (host only OR host and router) -ubtu22cis_is_router: {{ ubtu22cis_is_router }} - -ubtu22cis_firewall: {{ ubtu22cis_firewall_package }} - -ubtu22_default_firewall_zone: public -ubtu22_firewall_interface: - - ['ens224'] - - ['ens192'] -ubtu22_firewall_services: - - ssh - - dhcpv6-client - +## Control 3.1.3 - Ensure bluetooth Services are not in use +# This control managed how the bluetooth service is managaed +# Options are +# true to leave installed if exists not changes take place +# false - this removes the package +# mask - if a dependancy for product so cannot be removed +ubtu22cis_bluetooth_service: {{ ubtu22cis_bluetooth_service }} +ubtu22cis_bluetooth_mask: {{ ubtu22cis_bluetooth_mask }} + +## Control 3.3.x - Networking configuration +# This variable contains the path to the file in which, sysctl saves its configurations. +# Its default value is `/etc/sysctl.conf`. +ubtu22cis_sysctl_network_conf: {{ ubtu22cis_sysctl_network_conf }} + +# ### Section 4 +# +## Controls 4.1.x, 4.2.x, and 4.3.x - Firewall configuration +# This variable represents the toggle for which firewall package is used. +# The options that have an effect on the system are `ufw` and `iptables`. +# The option `nftables` is also possible, but will only result in a message, +# that `nftables` has been chosen; all settings have to be carried out manually. +# Any other value, e.g. 
`none` will skip all firewall-related controls. +ubtu22cis_firewall_package: {{ ubtu22cis_firewall_package }} + ## auditd settings ubtu22cis_auditd: - space_left_action: email - action_mail_acct: root + space_left_action: {{ ubtu22cis_auditd.space_left_action }} + action_mail_acct: {{ ubtu22cis_auditd.action_mail_acct }} admin_space_left_action: {{ ubtu22cis_auditd.admin_space_left_action }} max_log_file_action: {{ ubtu22cis_auditd.max_log_file_action }} - auditd_backlog_limit: {{ ubtu22cis_audit_back_log_limit }} + auditd_backlog_limit: {{ ubtu22cis_auditd.auditd_backlog_limit }} ## syslog -ubtu22cis_is_syslog_server: {{ ubtu22cis_system_is_log_server }} -ubtu22cis_syslog_service: "{{ ubtu22cis_syslog_service }}" -ubtu22cis_remote_log_server: "{{ ubtu22cis_remote_log_server }}" +ubtu22cis_is_syslog_server: {{ ubtu22cis_is_syslog_server }} + +ubtu22cis_syslog_service: {{ ubtu22cis_syslog_service }} ### Section 5 -ubtu22cis_sshd_limited: false +ubtu22cis_sshd_limited: {{ ubtu22cis_sshd_limited }} # Note the following to understand precedence and layout ubtu22cis_sshd_access: - AllowUser @@ -541,15 +677,18 @@ ubtu22cis_sshd_access: - DenyGroup ubtu22cis_ssh_strong_ciphers: -{% for cipher in ubtu22cis_sshd.ciphers %} - - {{ cipher }} -{% endfor %} + - aes256-gcm@openssh.com + - aes128-gcm@openssh.com + - aes256-ctr + - aes192-ctr + - aes128-ctr ubtu22cis_ssh_weak_ciphers: - 3des-cbc - aes128-cbc - aes192-cbc - aes256-cbc - arcfour + - chacha20-poly1305@openssh.com - arcfour128 - arcfour256 - blowfish-cbc @@ -557,14 +696,13 @@ ubtu22cis_ssh_weak_ciphers: - rijndael-cbc@lysator.liu.se ubtu22cis_ssh_strong_macs: -{% for mac in ubtu22cis_sshd.macs %} - - {{ mac }} -{% endfor %} + - HMAC-SHA1 + - hmac-sha2-256 + - hmac-sha2-512 ubtu22cis_ssh_weak_macs: - hmac-md5 - hmac-md5-96 - hmac-ripemd160 - - hmac-sha1 - hmac-sha1-96 - umac-64@openssh.com - umac-128@openssh.com 
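Review bot: The new `ubtu22cis_grub_user_passwd` and `ubtu22cis_bootloader_password_hash` lines carry literal placeholder hashes instead of the `{{ }}` variable references that the rest of this file uses, and the same switch from reference to fixed text is visible for `ubtu22cis_apparmor_mode: complain`, `ubtu22cis_time_sync_tool`, `ubtu22cis_warning_banner` and the `ubtu22cis_time_servers` list, all of which the removed side rendered from role variables. If this template feeds the post-remediation audit, as the surrounding `{{ ubtu22cis_rule_* }}` lines suggest, the audit will compare the host against these defaults rather than against the values the play actually applied and can pass or fail for the wrong reason. Restore the references, e.g. `ubtu22cis_grub_user_passwd: "{{ ubtu22cis_grub_user_passwd }}"`, `ubtu22cis_bootloader_password_hash: "{{ ubtu22cis_bootloader_password_hash }}"`, `ubtu22cis_apparmor_mode: "{{ ubtu22cis_apparmor_mode }}"`, and likewise for the banner and time-server entries. The shouting comment block about the root password and vaulting belongs next to the real default in the role, not in a file that is presumably rendered onto the target host; here a one-line `# rendered from the role variable; set the real hash in vault` is enough.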
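Review bot: The strong-MAC list now contains `HMAC-SHA1` in upper case while every other algorithm name in these lists is lower case as OpenSSH spells them; `ssh -Q mac` reports `hmac-sha1`, so a string comparison against this entry will presumably never match, and if the list is ever written into a `MACs` directive sshd will reject the spec. Change the entry to `- hmac-sha1`. Moving hmac-sha1 from the weak list to the strong list is also a policy change relative to the previous version of this file and deserves a one-line comment naming the benchmark revision that permits it, so the next reviewer does not revert it as a mistake.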
@@ -575,17 +713,21 @@ ubtu22cis_ssh_weak_macs: - hmac-sha1-96-etm@openssh.com - umac-64-etm@openssh.com - umac-128-etm@openssh.com + - hmac-sha2-512-etm@openssh.com + - hmac-sha2-256-etm@openssh.com ubtu22cis_ssh_strong_kex: -{% for kex in ubtu22cis_sshd.kex_algorithms %} - - {{ kex }} -{% endfor %} + - ecdh-sha2-nistp256 + - ecdh-sha2-nistp521 + - diffie-hellman-group-exchange-sha256 + - diffie-hellman-group14-sha256 + - diffie-hellman-group16-sha512 + - diffie-hellman-group18-sha512 ubtu22cis_ssh_weak_kex: - diffie-hellman-group1-sha1 - diffie-hellman-group14-sha1 - diffie-hellman-group-exchange-sha1 - ubtu22cis_ssh_aliveinterval: 300 ubtu22cis_ssh_countmax: 3 ## PAM @@ -597,20 +739,21 @@ ubtu22cis_pam_passwd_retry: "3" # choose one of below ubtu22cis_pwhistory_so: "14" -ubtu22cis_unix_so: false -ubtu22cis_passwd_remember: {{ ubtu22cis_pamd_pwhistory_remember }} +ubtu22cis_unix_so: {{ ubtu22cis_unix_so }} +ubtu22cis_passwd_remember: "5" # logins.def password settings ubtu22cis_pass: - max_days: {{ ubtu22cis_pass.max_days }} - min_days: {{ ubtu22cis_pass.min_days }} - warn_age: {{ ubtu22cis_pass.warn_age }} + max_days: "365" + min_days: "1" + warn_age: "7" # set sugroup if differs from wheel -ubtu22cis_sugroup: {{ ubtu22cis_sugroup }} +ubtu22cis_sugroup: nosugroup # sugroup users list ubtu22_sugroup_users: "root" # var log location variable -ubtu22_varlog_location: {{ ubtu22cis_sudo_logfile }} +ubtu22_varlog_location: "/var/log/sudo.log" + From 254eca540c1655ff50ed879c1f58f90a70bd0387 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 12:52:31 +0100 Subject: [PATCH 058/135] add variable Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 8d3f23fc..7742fbdc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
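Review bot: `hmac-sha2-512-etm@openssh.com` and `hmac-sha2-256-etm@openssh.com` are appended to `ubtu22cis_ssh_weak_macs` although they are SHA-2 based MACs that OpenSSH offers by default; unless this mirrors an explicit list in the benchmark revision being targeted, marking them weak will flag a correctly hardened host and steer operators toward the non-EtM variants. Please confirm where that classification comes from and record it above the two lines, e.g. `# *-etm MACs listed per [benchmark version placeholder] — TODO confirm`. `ubtu22cis_ssh_strong_kex` omits `curve25519-sha256` and `curve25519-sha256@libssh.org`, which Ubuntu 22.04's OpenSSH enables by default, so depending on how the goss test uses the list a host relying on them may be reported as non-compliant.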
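Review bot: `ubtu22cis_passwd_remember: "5"`, the `ubtu22cis_pass` day values, `ubtu22cis_sugroup: nosugroup` and `ubtu22_varlog_location: "/var/log/sudo.log"` are now literals in the template, replacing expressions that took them from the role's variables, so the rendered audit file checks fixed values even when the role has been configured and has remediated with different ones. Rendering them from the role variables as the replaced lines did keeps audit and remediation in step; if the literals are deliberate, a comment above each saying so would prevent the next reader from "fixing" them.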
@@ -1048,6 +1048,8 @@ ubtu22cis_aide_init: poll: 0 ## Control 6.1.2 +# Set how aide is scanned either cron or timer +ubtu22cis_aide_scan: cron # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. # The sub-settings of this variable provide the parameters required to configure # the cron job on the target system. From d7ff345592b7e1e438d9fa92c8cf3c16635c0bc7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 12:52:51 +0100 Subject: [PATCH 059/135] tidy up space Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 6c59bed0..c7abe684 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -18,7 +18,7 @@ - ubtu22cis_rule_1_1_1_6 - name: "PRELIM | AUDIT | Register if squashfs is built into the kernel" - ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs" + ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs" changed_when: false failed_when: prelim_squashfs_builtin.rc not in [ 0, 1 ] register: prelim_squashfs_builtin From f89c43e1149d1747ded8d58102a46f71c23b83c2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 12:53:02 +0100 Subject: [PATCH 060/135] improve 6.1.2 Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 46 +++++++++++++++++++++++++++-------- 1 file changed, 36 insertions(+), 10 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 8d2d903b..8b7ba48c 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml 
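Review bot: `ubtu22cis_aide_scan: cron` accepts only `cron` or `timer`, but neither the comment nor any visible check states that, so a mistyped value leaves the integrity check unscheduled without an error. Replace the comment with one that names the accepted values and the consequence, e.g. `# How the AIDE check is scheduled: 'cron' (crontab entry) or 'timer' (systemd timer); any other value schedules nothing`.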
@@ -47,16 +47,42 @@ - rule_6.1.2 - cron - aide - ansible.builtin.cron: - name: Run AIDE integrity check - cron_file: "{{ ubtu22cis_aide_cron['cron_file'] }}" - user: "{{ ubtu22cis_aide_cron['cron_user'] }}" - minute: "{{ ubtu22cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ ubtu22cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ ubtu22cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ ubtu22cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ ubtu22cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ ubtu22cis_aide_cron['aide_job'] }}" + block: + - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | cron" + when: ubtu22cis_aide_scan == 'cron' + ansible.builtin.cron: + name: Run AIDE integrity check + cron_file: "{{ ubtu22cis_aide_cron['cron_file'] }}" + user: "{{ ubtu22cis_aide_cron['cron_user'] }}" + minute: "{{ ubtu22cis_aide_cron['aide_minute'] | default('0') }}" + hour: "{{ ubtu22cis_aide_cron['aide_hour'] | default('5') }}" + day: "{{ ubtu22cis_aide_cron['aide_day'] | default('*') }}" + month: "{{ ubtu22cis_aide_cron['aide_month'] | default('*') }}" + weekday: "{{ ubtu22cis_aide_cron['aide_weekday'] | default('*') }}" + job: "{{ ubtu22cis_aide_cron['aide_job'] }}" + + - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | timer template" + when: ubtu22cis_aide_scan == 'timer' + ansible.builtin.template: + src: "{{ item }}.j2" + dest: "/{{ item }}" + owner: root + group: root + mode: '0644' + loop: + - etc/systemd/system/aidecheck.service + - etc/systemd/system/aidecheck.timer + + - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | timer service" + when: ubtu22cis_aide_scan == 'timer' + ansible.builtin.systemd: + name: "{{ item }}" + state: started + enabled: true + daemon_reload: true + loop: + - aidecheck.service + - aidecheck.timer - name: "6.1.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" when: 
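Review bot: In the timer branch, `aidecheck.service` is itself passed to `ansible.builtin.systemd` with `state: started` and `enabled: true`, so the AIDE run is kicked off synchronously during the play and the service is enabled for boot independently of the timer; only the timer needs starting and enabling, with the service merely present, so the loop should be reduced to `- aidecheck.timer` and the service left to the timer's `Unit=`. When `ubtu22cis_aide_scan` is neither `cron` nor `timer` the block silently does nothing; an `ansible.builtin.assert` on the value, or at least a comment on the block stating that behaviour, would make it visible. The enclosing 6.1.2 task, with its `when:` and tag list, begins before this hunk.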
From 066cfc2e1716cef9753f3d8703e6b57b7b27f8d4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 12:53:14 +0100 Subject: [PATCH 061/135] 6.1.2 additions Signed-off-by: Mark Bolwell --- templates/etc/systemd/system/aidecheck.service.j2 | 9 +++++++++ templates/etc/systemd/system/aidecheck.timer.j2 | 9 +++++++++ 2 files changed, 18 insertions(+) create mode 100644 templates/etc/systemd/system/aidecheck.service.j2 create mode 100644 templates/etc/systemd/system/aidecheck.timer.j2 diff --git a/templates/etc/systemd/system/aidecheck.service.j2 b/templates/etc/systemd/system/aidecheck.service.j2 new file mode 100644 index 00000000..9a767f33 --- /dev/null +++ b/templates/etc/systemd/system/aidecheck.service.j2 @@ -0,0 +1,9 @@ +[Unit] +Description=Aide Check + +[Service] +Type=simple +ExecStart=/usr/bin/aide.wrapper --config /etc/aide/aide.conf --update + +[Install] +WantedBy=multi-user.target diff --git a/templates/etc/systemd/system/aidecheck.timer.j2 b/templates/etc/systemd/system/aidecheck.timer.j2 new file mode 100644 index 00000000..2a87a88a --- /dev/null +++ b/templates/etc/systemd/system/aidecheck.timer.j2 @@ -0,0 +1,9 @@ +[Unit] +Description=Aide check + +[Timer] +OnCalendar={{ ubtu22cis_aide_cron.aide_day }}-{{ ubtu22cis_aide_cron.aide_month }}-{{ ubtu22cis_aide_cron.aide_weekday }} {{ ubtu22cis_aide_cron.aide_hour }}:{{ ubtu22cis_aide_cron.aide_minute }}:00 +Unit=aidecheck.service + +[Install] +WantedBy=multi-user.target From d268d741a9a9ad17dff306f0cb1843faf5cf6420 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 14:42:19 +0100 Subject: [PATCH 062/135] fixed logic Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 14a4c693..b9216042 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml 
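Review bot: `ExecStart=/usr/bin/aide.wrapper --config /etc/aide/aide.conf --update` runs AIDE in update mode, while the cron path runs whatever `ubtu22cis_aide_cron['aide_job']` holds (the goss template later in this series shows `/usr/sbin/aide --check`); `--update` writes a new database in addition to reporting differences, so the two scheduling modes do not perform the same operation, and the intended one should be stated in a comment above `ExecStart`. `Type=simple` together with `[Install] WantedBy=multi-user.target` describes a boot-time service; for a timer-driven job `Type=oneshot` is the conventional choice and the `[Install]` section is unnecessary, because the timer's `Unit=` pulls the service in.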
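Review bot: `OnCalendar={{ ubtu22cis_aide_cron.aide_day }}-{{ ubtu22cis_aide_cron.aide_month }}-{{ ubtu22cis_aide_cron.aide_weekday }} ...` places the three cron fields into systemd's `Year-Month-Day` slot, so a non-wildcard `aide_day` becomes a year and `aide_weekday` a day of month; with the defaults it renders `*-*-* 5:0:00`, which only works because every field is `*`. systemd's form is `[DayOfWeek] Year-Month-Day Hour:Minute:Second`, with weekday names rather than cron's 0–7, so the date part should be `*-{{ ubtu22cis_aide_cron.aide_month }}-{{ ubtu22cis_aide_cron.aide_day }}` with the weekday prepended only when it is not `*`, and a comment such as `# cron numeric weekdays are not valid here — use Mon..Sun or '*'` should sit above the line.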
@@ -3,6 +3,7 @@ - name: "2.1.1 | PATCH | Ensure autofs services are not in use" when: - ubtu22cis_rule_2_1_1 + - "'autofs' in ansible_facts.packages" tags: - level1-server - level2-workstation @@ -13,7 +14,6 @@ when: - not ubtu22cis_autofs_services - not ubtu22cis_autofs_mask - - "'autofs' in ansible_facts.packages" ansible.builtin.package: name: autofs state: absent From 4c3e008ed8a7884370a87b03cec5497f95b1bda3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 14:42:35 +0100 Subject: [PATCH 063/135] fixed handler Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index 7d6c44b6..0c0aa23b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -154,7 +154,7 @@ ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_faillock_file }} - name: Pam_auth_update_pwfaillock_notify - ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_faillock_file_notify }} + ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_faillock_notify_file }} - name: Pam_auth_update_pwquality ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_pwquality_file }} From 567385c60b58d81f2a6f8aef982d2072191b19ec Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 14:42:51 +0100 Subject: [PATCH 064/135] Tidy up vars Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 108 ++++++++++------------------- 1 file changed, 36 insertions(+), 72 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index a1c83f4a..581a2f0b 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -23,8 +23,6 @@ run_heavy_tests: true # True is BIOS based system else set to false ubtu22_legacy_boot: true -ubtu22_set_boot_pass: true - ## ## Rule-specific switches ## 
@@ -455,24 +453,7 @@ ubtu22cis_desktop_required: {{ ubtu22cis_desktop_required }} ## Section 1 # If system uses squahshfs e.gf. snap package manager set true -ubtu22cis_squashfs_required: {{ ubtu22cis_squashfs_required }} - -# AIDE -ubtu22cis_config_aide: {{ ubtu22cis_config_aide }} - -# aide setup via - cron, timer -ubtu22cis_aide_scan: cron - -# AIDE cron settings -ubtu22_aide_cron: - cron_user: root - cron_file: /etc/crontab - aide_job: '/usr/sbin/aide --check' - aide_minute: 0 - aide_hour: 5 - aide_day: '*' - aide_month: '*' - aide_weekday: '*' +ubtu22cis_squashfs_required:{% if prelim_snap_pkg_mgr.rc == 0 %} true {% else %} false{% endif %} ## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode 
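Review bot: `ubtu22cis_squashfs_required:{% if prelim_snap_pkg_mgr.rc == 0 %} true {% else %} false{% endif %}` depends on the whitespace inside the branch bodies to supply the space after the colon, leaves a trailing space in the true case, and fails to render if `prelim_snap_pkg_mgr` was never registered (the prelim task is presumably skippable by rule or tag). `ubtu22cis_squashfs_required: {{ (prelim_snap_pkg_mgr.rc | default(1) == 0) | lower }}` yields the same booleans without relying on whitespace and defaults to false when the registration is absent. This hunk also drops the AIDE variables, which reappear under a Section 6 heading in the last hunk of this file, so the goss tests must read them from the new location.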
@@ -480,29 +461,15 @@ ubtu22_aide_cron: # regarding enforcing profiles or putting them in complain mode ubtu22cis_apparmor_disable: {{ ubtu22cis_apparmor_disable }} -# This variable specifies whether enforce mode or complain mode is set in Control 1.3.1.3. -# Possible values are `enforce` and `complain`. -# ATTENTION: if Control 1.3.1.4 is run (e.g., when running level 2 rules), it OVERRIDES control 1.3.1.3 -# and sets `enforce` mode, no matter what this variable's value is. -ubtu22cis_apparmor_mode: complain - ## Controls 1.4.x - Boot password # # THIS VARIABLE SHOULD BE CHANGED AND INCORPORATED INTO VAULT # THIS VALUE IS WHAT THE ROOT PW WILL BECOME!!!!!!!! # HAVING THAT PW EXPOSED IN RAW TEXT IS NOT SECURE!!!! -ubtu22cis_grub_user: root -ubtu22cis_set_grub_user_pass: {{ ubtu22cis_set_grub_user_pass }} -ubtu22cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' # Set to changeme -ubtu22cis_grub_user_file: /etc/grub.d/00_user -ubtu22cis_bootloader_password_hash: "grub.pbkdf2.sha512.changethispassword" # pragma: allowlist secret -ubtu22cis_set_boot_pass: {{ ubtu22cis_set_boot_pass }} - -ubtu22cis_grub_file: /boot/grub/grub.cfg +ubtu22cis_grub_user: {{ ubtu22cis_grub_user }} +ubtu22cis_bootloader_password_hash: {{ grub_user_pass }} # pragma: allowlist secret ## Controls 1.5.x -# Ability to set file in which the kernel systcl changes are placed -ubtu22cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf ## Controls 1.6.x - Warning banners # The controls 1.6.x set various warning banners and protect the respective files 
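Review bot: `ubtu22cis_bootloader_password_hash: {{ grub_user_pass }}` writes the live GRUB password hash into the rendered audit variables file, and the value is unquoted, so an undefined or empty `grub_user_pass` renders as YAML null rather than an empty string; quote it as `"{{ grub_user_pass }}"` and check that the task rendering this template sets a restrictive `mode` (that task is not in this patch). `grub_user_pass` lacks the role's `ubtu22cis_` prefix, which suggests a fact registered elsewhere, so a comment naming where it is set would help. The retained warning block above it still speaks of the root password, which no longer describes what follows, and the `## Controls 1.5.x` heading is now empty.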
@@ -523,10 +490,6 @@ ubtu22cis_disable_dynamic_motd: {{ ubtu22cis_disable_dynamic_motd }} # (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) # The default database is `local`. ubtu22cis_dconf_db_name: local -# This variable governs the number of seconds of inactivity before the screen goes blank. -ubtu22cis_screensaver_idle_delay: 900 -# This variable governs the number of seconds the screen remains blank before it is locked. -ubtu22cis_screensaver_lock_delay: 5 ## # Section 2 @@ -608,20 +571,22 @@ ubtu22cis_time_sync_tool: "systemd-timesyncd" # Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`. # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation # of the time synchronization mechanism you are using. -ubtu22cis_time_pool_name: time.nist.gov -ubtu22cis_time_pool_options: iburst maxsources 4 +ubtu22cis_time_pool_name: +{% for pool in ubtu22cis_time_pool %} +- name: {{ pool.name }} + options: {{ pool.options }} +{% endfor %} + # The following variable represents a list of of time servers used # for configuring chrony and timesyncd # Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`. # The default setting for the `options` is `iburst` -- please refer to the documentation # of the time synchronization mechanism you are using. ubtu22cis_time_servers: -- name: time-a-g.nist.gov - options: iburst -- name: time-b-g.nist.gov - options: iburst -- name: time-c-g.nist.gov - options: iburst +{% for servers in ubtu22cis_time_servers %} +- name: {{ servers.name }} + options: {{ servers.options }} +{% endfor %} # Section 3 ## Control 3.1.1 - Ensure system is checked to determine if IPv6 is enabled 
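Review bot: `ubtu22cis_time_pool_name:` and `ubtu22cis_time_servers:` are now followed only by a `{% for %}` loop, so when the role's list is empty the key renders with no value and is read as null rather than an empty list; emit `[]` explicitly for that case, e.g. `ubtu22cis_time_pool_name:{% if not ubtu22cis_time_pool %} []{% endif %}`. The `_name` suffix mirrors the old scalar and no longer fits a list of name/options mappings, and the loop variable `servers` holds a single item; renaming the key to match the role variable would require the goss tests to change, so at minimum a comment should state that the key now holds a list.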
@@ -656,25 +621,22 @@ ubtu22cis_firewall_package: {{ ubtu22cis_firewall_package }} ## auditd settings ubtu22cis_auditd: - space_left_action: {{ ubtu22cis_auditd.space_left_action }} - action_mail_acct: {{ ubtu22cis_auditd.action_mail_acct }} - admin_space_left_action: {{ ubtu22cis_auditd.admin_space_left_action }} - max_log_file_action: {{ ubtu22cis_auditd.max_log_file_action }} - auditd_backlog_limit: {{ ubtu22cis_auditd.auditd_backlog_limit }} + space_left_action: {{ ubtu22cis_auditd_space_left_action }} + admin_space_left_action: {{ ubtu22cis_auditd_admin_space_left_action }} + max_log_file_action: {{ ubtu22cis_auditd_max_log_file_action }} + auditd_backlog_limit: {{ ubtu22cis_audit_back_log_limit }} ## syslog -ubtu22cis_is_syslog_server: {{ ubtu22cis_is_syslog_server }} - -ubtu22cis_syslog_service: {{ ubtu22cis_syslog_service }} +ubtu22cis_is_syslog_server: {{ ubtu22cis_system_is_log_server }} ### Section 5 -ubtu22cis_sshd_limited: {{ ubtu22cis_sshd_limited }} + # Note the following to understand precedence and layout ubtu22cis_sshd_access: - - AllowUser - - AllowGroup - - DenyUser - - DenyGroup + - AllowUser {{ ubtu22cis_sshd.allow_users }} + - AllowGroup {{ ubtu22cis_sshd.allow_groups }} + - DenyUser {{ ubtu22cis_sshd.deny_users }} + - DenyGroup {{ ubtu22cis_sshd.deny_groups }} ubtu22cis_ssh_strong_ciphers: - aes256-gcm@openssh.com 
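Review bot: `- AllowUser {{ ubtu22cis_sshd.allow_users }}` and the three lines after it interpolate the role values directly; if those variables are lists, as the plural names suggest, Jinja renders their Python repr (`['a', 'b']`), which is neither sshd_config syntax nor what a goss `contains` check on the file would find. When they are lists, render them space-separated with `| join(' ')`, and note that sshd's directives are the plural `AllowUsers`/`AllowGroups`/`DenyUsers`/`DenyGroups`, so a prefix match on `AllowUser` is what currently makes this work. The `ubtu22cis_auditd` mapping also loses `action_mail_acct`, which the previous version rendered; confirm the goss test no longer reads it.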
@@ -737,23 +699,25 @@ ubtu22cis_pam_password: ubtu22cis_pam_passwd_retry: "3" -# choose one of below -ubtu22cis_pwhistory_so: "14" -ubtu22cis_unix_so: {{ ubtu22cis_unix_so }} -ubtu22cis_passwd_remember: "5" - # logins.def password settings ubtu22cis_pass: - max_days: "365" - min_days: "1" - warn_age: "7" + max_days: {{ ubtu22cis_pass.max_days }} + min_days: {{ ubtu22cis_pass.min_days }} + warn_age: {{ ubtu22cis_pass.warn_age }} # set sugroup if differs from wheel ubtu22cis_sugroup: nosugroup -# sugroup users list -ubtu22_sugroup_users: "root" # var log location variable -ubtu22_varlog_location: "/var/log/sudo.log" +ubtu22_varlog_location: {{ ubtu22cis_sudo_logfile }} + +# Section 6 + +# 6.1.2 +# AIDE +ubtu22cis_config_aide: {{ ubtu22cis_config_aide }} + +# aide setup via - cron, timer +ubtu22cis_aide_scan: {{ ubtu22cis_aide_scan }} From 46cc906346678f9ac1f352777bb4709d0e528304 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 15:37:51 +0100 Subject: [PATCH 065/135] updated precommit Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3942a46b..9e462a37 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,13 +33,11 @@ repos: rev: v1.5.0 hooks: - id: detect-secrets - args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks rev: v8.18.4 hooks: - id: gitleaks - args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint rev: v24.6.1 From c8c48784d9e80584340209e65defbfc3fc24e061 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 15:38:05 +0100 Subject: [PATCH 066/135] updated to new workflow 
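Review bot: `ubtu22cis_sugroup: nosugroup` stays a literal while the neighbouring `ubtu22cis_pass` values and `ubtu22_varlog_location` are restored to role-variable expressions in this hunk, so an operator who configures a real su group in the role will have the audit check for `nosugroup`; render it as `ubtu22cis_sugroup: {{ ubtu22cis_sugroup }}` unless the literal is deliberate, in which case a comment should say so. The comment above the new `ubtu22cis_aide_scan` line should also list the accepted values, `cron` or `timer`, to match the defaults file.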
Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 292 ++++++++++-------- .../workflows/main_pipeline_validation.yml | 277 +++++++++-------- .github/workflows/update_galaxy.yml | 30 +- 3 files changed, 324 insertions(+), 275 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 134973f1..e02fe1f0 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml 
@@ -1,139 +1,159 @@ --- - name: Devel pipeline - - on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - - # A workflow run is made up of one or more jobs - # that can run sequentially or in parallel - jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - - # This workflow contains a single job that tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v4 + name: Devel pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + # Allow manual running of workflow + workflow_dispatch: + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: self-hosted + + steps: + - uses: actions/first-interaction@main 
with: - ref: ${{ github.event.pull_request.head.sha }} - - # Pull in terraform code for linux servers - - name: Clone GitHub IaC plan - uses: actions/checkout@v4 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - - name: DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - pwd - ls - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Init - id: init - run: terraform init - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Validate - id: validate - run: terraform validate - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Apply - id: apply - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep ${{ vars.BUILD_SLEEPTIME }} - - # Run the Ansible playbook - - name: 
Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/github_linux_IaC/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - ANSIBLE_INJECT_FACT_VARS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. 
+ + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION: "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows + + steps: + + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi + + + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} + + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" + echo "VPC_ID" = $AWS_VPC_SECGRP_ID" + pwd + ls + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + 
PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} + VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} + + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + + # Remove test system - User secrets to keep if necessary + + - name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 8ded7018..4a5adc9c 100644 
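Review bot: Under `on: pull_request_target`, checking out `github.event.pull_request.head.sha` and then running `../../../site.yml` means the pull request's own role code executes on the self-hosted runner while the job holds the OIDC-assumed AWS role (`permissions: id-token: write`, `role-to-assume`) and the runner's `~/.ssh/le_runner` key, so a change from a fork reaches deployment privileges before review; gate `playbook-test` on an `environment` with required reviewers or on a maintainer-applied label (`if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')`) so fork PRs need approval first. In the IAC_BRANCH step, `if [ ${{ vars.IAC_BRANCH }} != '' ]; then` expands to `if [  != '' ]` when the variable is unset, which emits a `unary operator expected` error and reaches the else branch only because `if` conditions are exempt from `set -e`; write `if [ -n "${{ vars.IAC_BRANCH }}" ]; then`. In the DEBUG step, `echo "VPC_ID" = $AWS_VPC_SECGRP_ID"` leaves a quote unterminated, so the script is a syntax error whenever ENABLE_DEBUG is true, and both echo lines read `$AWS_PRIVSUBNET_ID`/`$AWS_VPC_SECGRP_ID` although the step's `env:` exports them as `PRIVSUBNET_ID` and `VPC_ID`. `actions/first-interaction@main` and `aws-actions/configure-aws-credentials@main` follow a mutable branch; pin them to a release tag or commit SHA as `actions/checkout@v4` already is. The main_pipeline_validation.yml hunk that follows repeats each of these points (plus a stray space in `AWS_REGION : "us-east-1"`), but its end lies outside this excerpt.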
--- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml 
@@ -1,127 +1,156 @@ --- - name: Main pipeline - - on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - - # A workflow run is made up of one or more jobs - # that can run sequentially or in parallel - jobs: - - # This workflow contains a single job that tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v4 + name: Main pipeline + + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: self-hosted + + steps: + - uses: actions/first-interaction@main with: - ref: ${{ github.event.pull_request.head.sha }} - - # Pull in terraform code for linux servers - - name: Clone GitHub IaC plan - uses: actions/checkout@v4 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - - - name: Add_ssh_key - working-directory: .github/workflows - env: - SSH_AUTH_SOCK: /tmp/ssh_agent.sock - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - run: | - mkdir .ssh - chmod 700 .ssh - echo $PRIVATE_KEY > .ssh/github_actions.pem - chmod 600 .ssh/github_actions.pem - - - name: 
DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - pwd - ls - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Init - id: init - run: terraform init - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Validate - id: validate - run: terraform validate - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Terraform_Apply - id: apply - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - - ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml - - # Aws deployments taking a while to come up insert sleep or playbook fails - - - name: Sleep for 60 seconds - run: sleep ${{ vars.BUILD_SLEEPTIME }} - - # Run the Ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/github_linux_IaC/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - User secrets to keep if necessary - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ 
secrets.AWS_SECRET_ACCESS_KEY }} - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. + + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION : "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows + + steps: + + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi + + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} + + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ 
secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" + echo "VPC_ID" = $AWS_VPC_SECGRP_ID" + pwd + ls + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} + PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} + VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + +## Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Aws deployments taking a while to come up insert sleep or playbook fails + + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} + + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + + # Remove test system - User secrets to keep if necessary + + - 
name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index f9352800..b6ee6a1f 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,19 +1,19 @@ --- -name: update galaxy + name: update galaxy -on: - push: - branches: - - main -jobs: - update_role: - runs-on: ubuntu-latest - steps: - - name: Checkout repo - uses: actions/checkout@v4 + on: + push: + branches: + - main + jobs: + update_role: + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v4 - - name: Action Ansible Galaxy Release ${{ github.ref_name }} - uses: ansible-actions/ansible-galaxy-action@main - with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main + with: + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} From 10578a0358d22ba34c2263ef896f5bb560648d80 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 16:21:47 +0100 Subject: [PATCH 067/135] lint work Signed-off-by: Mark Bolwell --- tasks/parse_etc_password.yml | 2 +- tasks/section_5/cis_5.3.3.4.x.yml | 1 - tasks/section_6/cis_6.2.1.2.x.yml | 4 ++-- tasks/section_6/cis_6.2.2.yml | 1 - 4 files changed, 3 insertions(+), 5 deletions(-) diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index cc591182..d06e1806 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml 
@@ -18,7 +18,7 @@ vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) - ld_passwd_yaml: | + ld_passwd_yaml: | # pragma: allowlist secret id: >-4 \g password: >-4 diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml index 53f0510c..dc1ea0ce 100644 --- a/tasks/section_5/cis_5.3.3.4.x.yml +++ b/tasks/section_5/cis_5.3.3.4.x.yml @@ -26,7 +26,6 @@ loop: "{{ ubtu22cis_pam_nullok.stdout_lines }}" notify: Pam_auth_update_pwunix - - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember" when: - ubtu22cis_rule_5_3_3_4_2 diff --git a/tasks/section_6/cis_6.2.1.2.x.yml b/tasks/section_6/cis_6.2.1.2.x.yml index 3c0e3b8d..9206a4c9 100644 --- a/tasks/section_6/cis_6.2.1.2.x.yml +++ b/tasks/section_6/cis_6.2.1.2.x.yml @@ -66,5 +66,5 @@ enabled: false masked: true loop: - - systemd-journal-remote.socket - - systemd-journal-remote.service + - systemd-journal-remote.socket + - systemd-journal-remote.service diff --git a/tasks/section_6/cis_6.2.2.yml b/tasks/section_6/cis_6.2.2.yml index 0e0b2b1e..5bb8625b 100644 --- a/tasks/section_6/cis_6.2.2.yml +++ b/tasks/section_6/cis_6.2.2.yml @@ -44,4 +44,3 @@ - "/var/log/lastlog*" - "/var/log/sssd*" - "/var/log/SSSD*" - From cdb62ff9a7850a1ab3e818cb6ff469c074715ab0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 8 Jul 2024 17:11:14 +0100 Subject: [PATCH 068/135] updated changelog Signed-off-by: Mark Bolwell --- Changelog.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/Changelog.md b/Changelog.md index 798a150f..f3a31e71 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -1,5 +1,21 @@ # Ubuntu22CIS +## Based on CIS v2.0.0 + +### Do not migrate + +CIS have rewritten with a full release including but not limited to + +- reordering +- new sections and controls in differing sections + +This is a rewrite off approx 75% of controls + +- New variables +- improved audit related checks +- greater options on some controls +- linting improvements + ## Based on CIS V1.0.0 ### 1.1.1 From c1f742c67246a32c6c1ac21527e8423fb98ed45a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 23 Jul 2024 15:29:48 +0100 Subject: [PATCH 069/135] removed file not needed Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 119 -------------------------------------- 1 file changed, 119 deletions(-) delete mode 100644 .config/.secrets.baseline diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline deleted file mode 100644 index 45fd9960..00000000 --- a/.config/.secrets.baseline +++ /dev/null 
@@ -1,119 +0,0 @@ -{ - "version": "1.4.0", - "plugins_used": [ - { - "name": "ArtifactoryDetector" - }, - { - "name": "AWSKeyDetector" - }, - { - "name": "AzureStorageKeyDetector" - }, - { - "name": "Base64HighEntropyString", - "limit": 4.5 - }, - { - "name": "BasicAuthDetector" - }, - { - "name": "CloudantDetector" - }, - { - "name": "DiscordBotTokenDetector" - }, - { - "name": "GitHubTokenDetector" - }, - { - "name": "HexHighEntropyString", - "limit": 3.0 - }, - { - "name": "IbmCloudIamDetector" - }, - { - "name": "IbmCosHmacDetector" - }, - { - "name": "JwtTokenDetector" - }, - { - "name": "KeywordDetector", - "keyword_exclude": "" - }, - { - "name": "MailchimpDetector" - }, - { - "name": "NpmDetector" - }, - { - "name": "PrivateKeyDetector" - }, - { - "name": "SendGridDetector" - }, - { - "name": "SlackDetector" - }, - { - "name": "SoftlayerDetector" - }, - { - "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" - } - ], - "filters_used": [ - { - "path": "detect_secrets.filters.allowlist.is_line_allowlisted" - }, - { - "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", - "min_level": 2 - }, - { - "path": "detect_secrets.filters.heuristic.is_indirect_reference" - }, - { - "path": "detect_secrets.filters.heuristic.is_likely_id_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_lock_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_potential_uuid" - }, - { - "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" - }, - { - "path": "detect_secrets.filters.heuristic.is_sequential_string" - }, - { - "path": "detect_secrets.filters.heuristic.is_swagger_file" - }, - { - "path": "detect_secrets.filters.heuristic.is_templated_secret" - }, - { - "path": "detect_secrets.filters.regex.should_exclude_file", - "pattern": [ - ".config/.gitleaks-report.json", - 
"tasks/parse_etc_password.yml" - ] - } - ], - "results": {}, - "generated_at": "2023-09-20T07:45:19Z" -} From cabbe8900bf1a064713f8fc45a6e17411038e88e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 13 Aug 2024 11:57:48 +0100 Subject: [PATCH 070/135] updated to enable AMR audit to take place Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 2 +- vars/audit.yml | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index ffbb324a..4b407eb1 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -8,7 +8,7 @@ audit_pkg_arch_name: AMD64 - name: Pre Audit Setup | Set audit package name | ARM64 - when: ansible_facts.machine == "arm64" + when: ansible_facts.machine == "aarch64" ansible.builtin.set_fact: audit_pkg_arch_name: ARM64 diff --git a/vars/audit.yml b/vars/audit.yml index e4252297..6549c534 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -26,8 +26,9 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma ### Audit binary settings ### audit_bin_version: - release: v0.4.4 - AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5' + release: v0.4.8 + AMD64_checksum: 'sha256:85d00b7bba5f175bec95de7dfe1f71f8f25204914aad4c6f03c8457868eb6e2f' + ARM64_checksum: 'sha256:bca8c898bfd35b94c51455ece6193c95e2cd7b2b183ac2047b2d76291e73e47d' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json From 8bba2bb56dd2300e1f7d87e3eaff0a672f6953a8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 2 Sep 2024 14:32:10 +0100 Subject: [PATCH 071/135] typos and updates 
Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 4 ++-- tasks/section_2/cis_2.4.1.x.yml | 9 +++++++-- tasks/section_2/cis_2.4.2.x.yml | 4 ++-- tasks/section_3/cis_3.1.x.yml | 2 +- tasks/section_5/cis_5.4.1.x.yml | 10 +++++----- tasks/section_5/cis_5.4.2.x.yml | 2 +- tasks/section_6/cis_6.3.3.x.yml | 2 +- 7 files changed, 19 insertions(+), 14 deletions(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index b9216042..62c2670e 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -126,7 +126,7 @@ - ubtu22cis_dns_mask notify: Systemd_daemon_reload ansible.builtin.systemd: - name: bind9.service + name: named.service enabled: false state: stopped masked: true @@ -175,7 +175,7 @@ block: - name: "2.1.6 | PATCH | Ensure ftp server services are not in use | Remove package" when: - - "'ftp' in ansible_facts.packages" + - "'vsftp' in ansible_facts.packages" - not ubtu22cis_ftp_server - not ubtu22cis_ftp_mask ansible.builtin.package: diff --git a/tasks/section_2/cis_2.4.1.x.yml b/tasks/section_2/cis_2.4.1.x.yml index ec796376..bf4fe436 100644 --- a/tasks/section_2/cis_2.4.1.x.yml +++ b/tasks/section_2/cis_2.4.1.x.yml @@ -43,6 +43,7 @@ owner: root group: root mode: '0700' + state: directory - name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" when: @@ -58,6 +59,7 @@ owner: root group: root mode: '0700' + state: directory - name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" when: @@ -73,6 +75,7 @@ owner: root group: root mode: '0700' + state: directory - name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" when: @@ -88,6 +91,7 @@ owner: root group: root mode: '0700' + state: directory - name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" when: @@ -103,6 +107,7 @@ owner: root group: root mode: '0700' + state: directory - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users" when: 
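Review bot: In the second `cis_2.1.x.yml` hunk, `'vsftp' in ansible_facts.packages` will not match the Ubuntu ftp server package, which is named `vsftpd`; `ansible_facts.packages` is keyed by the exact package name, so the 2.1.6 removal task is skipped on a host that actually has the server installed. Change the condition to `- "'vsftpd' in ansible_facts.packages"`. The 2.1.6 block this task belongs to continues outside the hunk, so the mask/disable branches should be checked for the same literal.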
@@ -130,7 +135,7 @@ path: /etc/cron.allow owner: root group: root - mode: '0640' + mode: 'u-x,g-wx,o-rwx' state: touch - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Update cron.allow if exists" @@ -139,4 +144,4 @@ path: /etc/cron.allow owner: root group: root - mode: '0640' + mode: 'u-x,g-wx,o-rwx' diff --git a/tasks/section_2/cis_2.4.2.x.yml b/tasks/section_2/cis_2.4.2.x.yml index 5e873575..cd95e107 100644 --- a/tasks/section_2/cis_2.4.2.x.yml +++ b/tasks/section_2/cis_2.4.2.x.yml @@ -26,7 +26,7 @@ path: /etc/at.allow owner: root group: root - mode: '0640' + mode: 'u-x,g-wx,o-rwx' state: touch - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | update at.allow if exists" @@ -35,4 +35,4 @@ path: /etc/at.allow owner: root group: root - mode: '0640' + mode: 'u-x,g-wx,o-rwx' diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 6b82d912..bf9d773d 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -95,7 +95,7 @@ - level1-server - level2-workstation - patch - - sctp + - bluetooth - rule_3.1.3 block: - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use | pkg" diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 05c7773d..eb4070d3 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -151,16 +151,16 @@ - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past" when: - - ubtu22cis_rule_5_4_1_5 + - ubtu22cis_rule_5_4_1_6 tags: - level1-server - level1-workstation - patch - - rule_5.4.1.5 + - rule_5.4.1.6 - user - login vars: - warn_control_id: '5.4.1.5' + warn_control_id: '5.4.1.6' block: - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" ansible.builtin.shell: echo $(($(date --utc --date "$1" +%s)/86400)) 
@@ -183,12 +183,12 @@ - "WARNING!! The following accounts have the last PW change date in the future" - "{{ ubtu22cis_passwd_future_user_list.stdout_lines }}" - - name: "5.4.1.5 | WARN | Ensure all users last password change date is in the past | warn_count" + - name: "5.4.1.6 | WARN | Ensure all users last password change date is in the past | warn_count" when: ubtu22cis_passwd_future_user_list.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml - - name: "5.4.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates" + - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates" when: - ubtu22cis_disruption_high - ubtu22cis_passwd_future_user_list.stdout | length > 0 diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index 275abb57..dc344775 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -53,7 +53,7 @@ - level1-server - level1-workstation - patch - - rule_5.4.2.2 + - rule_5.4.2.3 - user - system block: diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml index cc380d72..b4b11ab5 100644 --- a/tasks/section_6/cis_6.3.3.x.yml +++ b/tasks/section_6/cis_6.3.3.x.yml @@ -111,7 +111,7 @@ - level2-server - level2-workstation - patch - - rule_6.3.3.1 + - rule_6.3.3.9 - auditd ansible.builtin.set_fact: update_audit_template: true From a15058846869f3aa8030aec7ae4eeaba7a365597 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 2 Sep 2024 14:32:31 +0100 Subject: [PATCH 072/135] typos and improvements Signed-off-by: Mark Bolwell --- tasks/section_7/cis_7.1.x.yml | 20 ++++++++++---------- tasks/section_7/cis_7.2.x.yml | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 0557de2a..29fe9323 100644 --- a/tasks/section_7/cis_7.1.x.yml 
+++ b/tasks/section_7/cis_7.1.x.yml @@ -13,7 +13,7 @@ path: /etc/passwd owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' - name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" when: @@ -28,7 +28,7 @@ path: /etc/passwd- owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' - name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured" when: @@ -43,7 +43,7 @@ path: /etc/group owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' - name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured" when: @@ -58,7 +58,7 @@ path: /etc/group- owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' - name: "7.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" when: @@ -73,7 +73,7 @@ path: /etc/shadow owner: root group: root - mode: '0640' + mode: 'u-x,g-wx,o-rwx' - name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" when: @@ -88,7 +88,7 @@ path: /etc/shadow- owner: root group: root - mode: '0640' + mode: 'u-x,g-wx,o-rwx' - name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" when: @@ -103,7 +103,7 @@ path: /etc/gshadow owner: root group: root - mode: '0640' + mode: 'u-x,g-wx,o-rwx' - name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" when: @@ -118,7 +118,7 @@ path: /etc/gshadow- owner: root group: root - mode: '0640' + mode: 'u-x,g-wx,o-rwx' - name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured" when: @@ -133,7 +133,7 @@ path: /etc/shells owner: root group: root - mode: u-x,go-wx + mode: 'u-x,go-wx' - name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured" loop: @@ -151,7 +151,7 @@ path: /etc/security/opasswd owner: root group: root - mode: u-x,go-rwx + mode: 'u-x,go-rwx' - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured" when: diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index 381f602d..6266cd6d 100644 
--- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -119,7 +119,7 @@ - level1-server - level1-workstation - audit - - rule_7.2.4 + - rule_7.2.5 - user vars: warn_control_id: '7.2.5' From 4ed7fab22e6a36cb0cd30b2f666a554ad71a2ae0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 2 Sep 2024 14:32:47 +0100 Subject: [PATCH 073/135] improved variable import Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 581a2f0b..d5a1fb65 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,9 +1,9 @@ ## metadata for Audit benchmark -benchmark_version: '2.0.0' +benchmark_version: {{ benchmark_version }} # timeout for each command to run where set - default = 10seconds/10000ms -timeout_ms: 120000 +timeout_ms: {{ audit_cmd_timeout }} ubtu22cis_section1: {{ ubtu22cis_section1 }} ubtu22cis_section2: {{ ubtu22cis_section2 }} @@ -18,7 +18,7 @@ ubtu22cis_level_2: {{ ubtu22cis_level_2 }} # to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy -run_heavy_tests: true +run_heavy_tests: {{ audit_run_heavy_tests }} # True is BIOS based system else set to false ubtu22_legacy_boot: true From 36818a0e83e65d2983d9ea0cabd7d495b61c2c16 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 2 Sep 2024 15:47:03 +0100 Subject: [PATCH 074/135] fixed bad handler Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.2.x.yml | 2 +- tasks/section_1/cis_1.1.2.3.x.yml | 2 +- tasks/section_1/cis_1.1.2.4.x.yml | 2 +- tasks/section_1/cis_1.1.2.5.x.yml | 2 +- tasks/section_1/cis_1.1.2.6.x.yml | 2 +- tasks/section_1/cis_1.1.2.7.x.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index be1af438..7b59020e 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml 
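Review bot: In the first `ansible_vars_goss.yml.j2` hunk, `benchmark_version: {{ benchmark_version }}` renders an unquoted scalar where the removed line was the quoted string `'2.0.0'`; a three-part version still reads as a string, but a value such as `2.0` or `2.10` would be loaded as a float, so keep it quoted: `benchmark_version: '{{ benchmark_version }}'`. In the second hunk, `run_heavy_tests: {{ audit_run_heavy_tests }}` renders a Python boolean as `True`/`False`, which YAML 1.1 loaders accept but strict 1.2 loaders treat as a string; `run_heavy_tests: {{ audit_run_heavy_tests | lower }}` pins it to `true`/`false`. `timeout_ms` is fine as a bare integer.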
+++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -41,7 +41,7 @@ - rule_1.1.2.2.1 - rule_1.1.2.2.2 - rule_1.1.2.2.3 - notify: Change_requires_reboot + notify: Set_reboot_required ansible.posix.mount: name: /dev/shm src: tmpfs diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index 4faaf929..33fa9699 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -40,7 +40,7 @@ - mounts - rule_1.1.2.3.2 - rule_1.1.2.3.3 - notify: Change_requires_reboot + notify: Set_reboot_required ansible.posix.mount: name: /home src: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index 44e5c061..af6784e5 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -40,7 +40,7 @@ - mounts - rule_1.1.2.4.2 - rule_1.1.2.4.3 - notify: Change_requires_reboot + notify: Set_reboot_required ansible.posix.mount: name: /var src: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index ba36c01e..f45874c8 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -44,7 +44,7 @@ - rule_1.1.2.5.2 - rule_1.1.2.5.3 - rule_1.1.2.5.4 - notify: Change_requires_reboot + notify: Set_reboot_required ansible.posix.mount: name: /var/tmp src: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index 5a1a7958..d6fa6146 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml @@ -43,7 +43,7 @@ - rule_1.1.2.6.2 - rule_1.1.2.6.3 - rule_1.1.2.6.4 - notify: Change_requires_reboot + notify: Set_reboot_required ansible.posix.mount: name: /var/log src: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index 222ba46c..1e76360f 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml 
@@ -43,7 +43,7 @@ - rule_1.1.2.7.2 - rule_1.1.2.7.3 - rule_1.1.2.7.4 - notify: Change_requires_reboot + notify: Set_reboot_required ansible.posix.mount: name: /var/log/audit src: "{{ item.device }}" From 04c62a0b02115816ec3929bdf09d9df30c00131d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 4 Sep 2024 16:47:09 +0100 Subject: [PATCH 075/135] applied fixes Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.2.x.yml | 14 ++++++++++---- tasks/section_5/cis_5.3.2.x.yml | 2 +- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index 7b59020e..77653e51 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -14,13 +14,19 @@ warn_control_id: '1.1.2.2.1' required_mount: '/dev/shm' block: - - name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition | Absent" - when: ubtu22cis_dev_shm_present is undefined + - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check for mount" + ansible.builtin.shell: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_shm_mount.rc not in [ 0, 1 ] + register: discovered_shm_mount + + - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" + when: discovered_shm_mount is undefined ansible.builtin.debug: msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - - name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition | Present" - when: ubtu22cis_dev_shm_present is undefined + - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Present" + when: discovered_shm_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 861ecf9c..7b3110dc 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml 
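Review bot: In the `cis_1.1.2.2.x.yml` hunk, `when: discovered_shm_mount is undefined` can never be true on the Absent and Present tasks, because the new `findmnt` task registers `discovered_shm_mount` unconditionally, so the warning and the `warning_facts.yml` import are always skipped even when `/dev/shm` is not a separate mount. The `failed_when` already tolerates return codes 0 and 1, and `findmnt` exits non-zero when nothing matches, so both conditions should read `when: discovered_shm_mount.rc != 0`. The enclosing 1.1.2.2.1 block starts before the hunk.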
@@ -36,7 +36,7 @@ - pam_faillock ansible.builtin.template: src: "{{ ubtu22cis_pam_confd_dir }}{{ item }}.j2" - dest: "/{ ubtu22cis_pam_confd_dir }}{{ item }}" + dest: "/{{ ubtu22cis_pam_confd_dir }}{{ item }}" owner: root group: root mode: '0600' From 814599ee7f61d28d865d797ce8889291c87143f1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 09:21:23 +0100 Subject: [PATCH 076/135] remove jmespath_requirement Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.2.yml | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/tasks/section_6/cis_6.2.2.yml b/tasks/section_6/cis_6.2.2.yml index 5bb8625b..63364782 100644 --- a/tasks/section_6/cis_6.2.2.yml +++ b/tasks/section_6/cis_6.2.2.yml @@ -16,16 +16,9 @@ failed_when: false register: discovered_logfiles - - name: "6.2.2.1 | AUDIT | Ensure access to all logfiles has been configured | set_fact" - when: - - discovered_logfiles.stdout_lines | length > 0 - - discovered_logfiles is defined - ansible.builtin.set_fact: - discovered_logfiles_flattened: "{{ discovered_logfiles | json_query('stdout_lines[*]') | flatten }}" # noqa: jinja[invalid] - - name: "6.2.2.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" when: - - discovered_logfiles_flattened is defined + - discovered_logfiles.stdout_lines is defined - item != "/var/log/btmp" - item != "/var/log/utmp" - item != "/var/log/wtmp" @@ -33,7 +26,7 @@ ansible.builtin.file: path: "{{ item }}" mode: u-x,g-wx,o-rwx - loop: "{{ discovered_logfiles_flattened }}" + loop: "{{ discovered_logfiles.stdout_lines }}" - name: "6.2.2.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" ansible.builtin.file: From 5a9785fd0f2e56e5f889113e4b3d4c05e58d6436 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 09:21:52 +0100 Subject: [PATCH 077/135] updated root password check Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tasks/main.yml b/tasks/main.yml index 1907b857..43ce9224 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -47,7 +47,7 @@ - always block: - name: Ensure root password is set - ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)" + ansible.builtin.shell: passwd -S root | grep -E "root P" changed_when: false failed_when: false register: root_passwd_set From 4a4812c8030e14b9a290ab94fab5de9e6895f168 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 09:24:07 +0100 Subject: [PATCH 078/135] Updated audit Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 2 +- tasks/post_remediation_audit.yml | 20 +++++++++----------- tasks/pre_remediation_audit.yml | 22 ++++++++++------------ vars/audit.yml | 10 +++++----- 4 files changed, 25 insertions(+), 29 deletions(-) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 4b407eb1..ffbb324a 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -8,7 +8,7 @@ audit_pkg_arch_name: AMD64 - name: Pre Audit Setup | Set audit package name | ARM64 - when: ansible_facts.machine == "aarch64" + when: ansible_facts.machine == "arm64" ansible.builtin.set_fact: audit_pkg_arch_name: ARM64 diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index c887ba64..9b06b24a 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
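Review bot: In the `tasks/main.yml` hunk, `grep -E "root P"` accepts only the `P` (usable password) status from `passwd -S`, so a root account whose password is locked (`root L …`, the default on an Ubuntu installation) no longer satisfies the check, whereas the removed pattern explicitly admitted `Password locked`. How `root_passwd_set` is consumed is outside the hunk; if a locked root should still count as set, admit both states, `ansible.builtin.shell: passwd -S root | grep -E "^root (P|L) "`. Anchoring on `^root ` also keeps the match on the status field rather than anywhere in the line.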
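Review bot: In the `tasks/LE_audit_setup.yml` hunk, reverting the condition to `ansible_facts.machine == "arm64"` means the ARM64 package name is never selected on Ubuntu: Ansible's `machine` fact comes from `uname -m`, which reports `aarch64` on Linux, while `arm64` is what macOS and the BSDs report. The earlier patch in this series ("updated to enable AMR audit to take place") changed it to `aarch64` for that reason, and the `ARM64_checksum` it added to `vars/audit.yml` becomes unreachable again. Unless the fact is overridden elsewhere in the role, keep `when: ansible_facts.machine == "aarch64"`, or accept both: `when: ansible_facts.machine in ['aarch64', 'arm64']`.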
@@ -21,26 +21,24 @@ when: - audit_format == "json" block: - - name: capture data {{ post_audit_outfile }} - ansible.builtin.shell: "cat {{ post_audit_outfile }}" - register: post_audit + - name: Post Audit | Capture audit data if json format + ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 + register: post_audit_summary changed_when: false - - name: Capture post-audit result + - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: - post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" - vars: - summary: summary."summary-line" + post_audit_results: "{{ post_audit_summary.stdout }}" - name: Post Audit | Capture audit data if documentation format when: - audit_format == "documentation" block: - - name: Post Audit | capture data {{ post_audit_outfile }} + - name: Post Audit | Capture audit data if documentation format ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" - register: post_audit + register: post_audit_summary changed_when: false - - name: Post Audit | Capture post-audit result + - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: - post_audit_summary: "{{ post_audit.stdout_lines }}" + post_audit_results: "{{ post_audit_summary.stdout }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index bd1154b8..6f215c31 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
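Review bot: The documentation-format capture in this `post_remediation_audit.yml` hunk keeps `tail -2 {{ post_audit_outfile }}` raw, while the matching `pre_remediation_audit.yml` hunk in the same patch pipes it through `tac | tr '\n' ' '`, so `post_audit_results` carries an embedded newline and the two values render differently in the `audit_results` template of `vars/audit.yml`; align it with `ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '`. The json branches also differ in the grep pattern (`'"summary-line` here, `'\"summary-line` in the pre hunk); inside single quotes the backslash reaches grep as a stray escape that newer GNU grep versions warn about, so the unescaped form used here is the one to keep. Note that a `grep | cut` pipeline exits with cut's status, so a missing summary line leaves `post_audit_summary.stdout` empty rather than failing the task; a `failed_when: post_audit_summary.stdout | length == 0` would surface a changed output format.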
@@ -91,29 +91,27 @@ when: - audit_format == "json" block: - - name: Pre Audit | Capture data {{ pre_audit_outfile }} - ansible.builtin.shell: "cat {{ pre_audit_outfile }}" - register: pre_audit + - name: Pre Audit | Capture audit data if json format + ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 + register: pre_audit_summary changed_when: false - - name: Pre Audit | Capture pre-audit result + - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" - vars: - summary: summary."summary-line" + pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Pre Audit | Capture audit data if documentation format when: - audit_format == "documentation" block: - - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format - ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" - register: pre_audit + - name: Pre Audit | Capture audit data if documentation format + ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' + register: pre_audit_summary changed_when: false - - name: Pre Audit | Capture pre-audit result | documentation format + - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" + pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Audit_Only | Run Audit Only when: diff --git a/vars/audit.yml b/vars/audit.yml index 6549c534..62bb0910 100644 --- a/vars/audit.yml +++ b/vars/audit.yml 
@@ -26,16 +26,16 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma ### Audit binary settings ### audit_bin_version: - release: v0.4.8 - AMD64_checksum: 'sha256:85d00b7bba5f175bec95de7dfe1f71f8f25204914aad4c6f03c8457868eb6e2f' - ARM64_checksum: 'sha256:bca8c898bfd35b94c51455ece6193c95e2cd7b2b183ac2047b2d76291e73e47d' + release: v0.4.8 + AMD64_checksum: 'sha256:85d00b7bba5f175bec95de7dfe1f71f8f25204914aad4c6f03c8457868eb6e2f' + ARM64_checksum: 'sha256:bca8c898bfd35b94c51455ece6193c95e2cd7b2b183ac2047b2d76291e73e47d' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The audit results are: {{ pre_audit_summary }} - {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %} + The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }} + {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %} Full breakdown can be found in {{ audit_log_dir }} From 5fd4dc63350691ef7c1dbeaed25cf2371ff2b3b9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 09:24:26 +0100 Subject: [PATCH 079/135] fixed conditionals and requirements Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c7abe684..982afa44 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -36,10 +36,10 @@ - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type when: - "'/tmp' in mount_names" - - ubtu22cis_rule_1_1_2_1 or - ubtu22cis_rule_1_1_2_2 or - ubtu22cis_rule_1_1_2_3 or - ubtu22cis_rule_1_1_2_4 + - ubtu22cis_rule_1_1_2_1_1 or + ubtu22cis_rule_1_1_2_1_2 or + ubtu22cis_rule_1_1_2_1_3 or + ubtu22cis_rule_1_1_2_1_4 tags: - always block: 
@@ -126,6 +126,22 @@ name: network-manager state: present +- name: "PRELIM | 4.1.1 | PATCH | Ensure ufw is installed" + when: + - ubtu22cis_rule_4_1_1 + - ubtu22cis_ufw_use_sysctl + - "'ufw' not in ansible_facts.packages" + tags: + - level1-server + - level1-workstation + - patch + - rule_4.1.1 + - apt + - ufw + ansible.builtin.package: + name: ufw + state: present + - name: "PRELIM | PATCH | 5.3.4/5 | Find all sudoers files." ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false @@ -305,12 +321,12 @@ ## Optional - name: "Optional | PATCH | UFW firewall force to use /etc/sysctl.conf settings" - ansible.builtin.lineinfile: - path: /etc/default/ufw - regexp: ^IPT_SYSCTL=.* - line: IPT_SYSCTL=/etc/sysctl.conf when: - ubtu22cis_firewall_package == "ufw" - ubtu22cis_ufw_use_sysctl tags: - always + ansible.builtin.lineinfile: + path: /etc/default/ufw + regexp: ^IPT_SYSCTL=.* + line: IPT_SYSCTL=/etc/sysctl.conf From 62e62281460d8760d47b7d16adaea233196f636a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 09:24:44 +0100 Subject: [PATCH 080/135] updated precommit Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9e462a37..8f807963 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v5.0.0 hooks: # Safety - id: detect-aws-credentials @@ -35,12 +35,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.4 + rev: v8.21.1 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.6.1 + rev: v24.9.2 hooks: - id: ansible-lint name: Ansible-lint From 7bd332ee3442618c09690cae6122a0d23399dbf7 Mon Sep 17 00:00:00 2001 
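Review bot: The new `PRELIM | 4.1.1 | PATCH | Ensure ufw is installed` task is gated on `ubtu22cis_ufw_use_sysctl` but not on `ubtu22cis_firewall_package == "ufw"`, whereas the `Optional | PATCH | UFW firewall …` task in the second hunk of this file requires both; with another firewall package selected and the sysctl option left on, this installs a second firewall front-end that nothing else configures. Add `- ubtu22cis_firewall_package == "ufw"` to the `when:` list so the two tasks agree. The reorder of `when:`/`tags:` above the module in the second hunk is style only.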
From: Mark Bolwell
Date: Mon, 4 Nov 2024 12:35:23 +0000
Subject: [PATCH 081/135] updated 7.1 passwd- thanks to @dlesaffrew

Signed-off-by: Mark Bolwell
---
tasks/section_7/cis_7.1.x.yml | 2 ++
1 file changed, 2 insertions(+)

diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml
index 29fe9323..9d28ab7b 100644
--- a/tasks/section_7/cis_7.1.x.yml
+++ b/tasks/section_7/cis_7.1.x.yml
@@ -29,6 +29,8 @@
owner: root
group: root
mode: 'u-x,go-wx'
+ failed_when: discovered_file_exists.state not in '[ file, absent ]'
+ register: discovered_file_exists

- name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured"
when:
From 1bbf6eed2062acf7acec2391d052f7e67f2c0629 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 4 Nov 2024 13:00:41 +0000
Subject: [PATCH 082/135] issue #247 addressed thanks to @angaaruriakhil

Signed-off-by: Mark Bolwell
---
tasks/prelim.yml | 36 +++++++++++++++++-------------------
1 file changed, 17 insertions(+), 19 deletions(-)

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 982afa44..68af08af 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
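Review bot: `failed_when: discovered_file_exists.state not in '[ file, absent ]'` tests membership in a string, not a list: the right-hand side is the quoted literal `[ file, absent ]`, so the check is a substring match and fragments such as `abs` or `e` would also pass. Write it as a real list, `failed_when: discovered_file_exists.state not in ['file', 'absent']`. The task's module and path are outside the hunk (presumably `/etc/passwd-`, per the commit subject), so whether `absent` is a legitimate outcome here cannot be confirmed from this view; a one-line comment on the task stating why a missing backup file is acceptable would help the next reader. The task starts outside the hunk.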
@@ -252,32 +252,30 @@ - name: "PRELIM | PATCH | Ensure auditd is installed" when: - - ubtu22cis_rule_6_3_1_1 or - ubtu22cis_rule_6_3_4_1 or - ubtu22cis_rule_6_3_4_6 or - ubtu22cis_rule_6_3_4_8 + - ubtu22cis_rule_6_3_1_1 + - "'auditd' not in ansible_facts.packages or + 'auditd-plugins' not in ansible_facts.packages" tags: - level2-server - level2-workstation - patch - auditd - always - block: - - name: "PRELIM | PATCH | Ensure auditd is installed" - when: - - "'auditd' not in ansible_facts.packages or - 'auditd-plugins' not in ansible_facts.packages" - ansible.builtin.package: - name: ['auditd', 'audispd-plugins'] - state: present + ansible.builtin.package: + name: ['auditd', 'audispd-plugins'] + state: present - - name: "PRELIM | AUDIT | Audit conf and rules files | list files" - ansible.builtin.find: - path: /etc/audit/ - file_type: file - recurse: true - patterns: '*.conf,*.rules' - register: prelim_auditd_conf_files +- name: "PRELIM | AUDIT | Audit conf and rules files | list files" + ansible.builtin.find: + path: /etc/audit/ + file_type: file + recurse: true + patterns: '*.conf,*.rules' + register: prelim_auditd_conf_files + tags: + - patch + - auditd + - always - name: "PRELIM | AUDIT | Check if auditd is immutable before changes" tags: From 29660b0b31000a8930ce873a20c2a571f217716c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 12 Nov 2024 16:57:17 +0000 Subject: [PATCH 083/135] updated pre-commit Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8f807963..a679c82a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
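Review bot: The install condition checks `'auditd-plugins' not in ansible_facts.packages` while the package the task installs is `audispd-plugins`; unless a package literally named `auditd-plugins` exists on the target, that clause is always true and the task runs on every play (harmless via the package module, but the guard is dead). Change the clause to `'audispd-plugins' not in ansible_facts.packages`. The install was previously also gated on `ubtu22cis_rule_6_3_4_1/6/8`; after this change a host with 6.3.1.1 disabled and the 6.3.4.x rules enabled reaches the now-unconditional `Audit conf and rules files | list files` find on `/etc/audit/` with auditd possibly absent, which may warrant the same `when: "'auditd' in ansible_facts.packages"` guard the immutable check below it already carries.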
@@ -33,11 +33,13 @@ repos: rev: v1.5.0 hooks: - id: detect-secrets + args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks - rev: v8.21.1 + rev: v8.21.2 hooks: - id: gitleaks + args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint rev: v24.9.2 From 14621eb8d36e13e7002cb9611da8054f926a9a24 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 12 Nov 2024 17:02:22 +0000 Subject: [PATCH 084/135] updated 1st to ubuntu Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index e02fe1f0..afe85e03 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -27,7 +27,7 @@ jobs: # This will create messages for first time contributers and direct them to the Discord server welcome: - runs-on: self-hosted + runs-on: ubuntu-latest steps: - uses: actions/first-interaction@main From 68968ca315a50ac196a13f5826257f16dafafba7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 19 Nov 2024 09:44:22 +0000 Subject: [PATCH 085/135] removed legacy data Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a471d22c..99cc0a67 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,13 +33,11 @@ repos: rev: v1.5.0 hooks: - id: detect-secrets - args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks rev: v8.21.2 hooks: - id: gitleaks - args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint rev: v24.10.0 From 685f4a04e80256ba5f6e30280c64d3d33b7ffbd1 Mon Sep 17 00:00:00 2001 
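Review bot: The baseline files passed as arguments, `.config/.secrets.baseline` and `.config/.gitleaks-report.json`, are not part of this commit (its diffstat touches only `.pre-commit-config.yaml`), so both hooks now reference files that may not exist in the tree, and detect-secrets is likely to fail when its `--baseline` cannot be opened. A baseline also allow-lists every finding it contains, so whichever commit adds those files should be reviewed for what it suppresses and the files kept current rather than accumulated. The later `removed legacy data` hunk on this line drops the same arguments again, which suggests the approach was abandoned; a line in that commit message saying why would help.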
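Review bot: The step `uses: actions/first-interaction@main` in the `welcome` job runs an action from a mutable branch ref rather than a pinned release tag or full commit SHA; now that the job moves to `ubuntu-latest`, it executes whatever `main` points at with the workflow's token, so pinning belongs in the same change. Replace the ref with a tagged release or its commit SHA and add a comment on the line naming the version it maps to, e.g. `# pinned: <release tag>`. Whether the workflow's trigger grants write permissions cannot be seen from this hunk.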
From: Mark Bolwell Date: Tue, 19 Nov 2024 11:56:01 +0000 Subject: [PATCH 086/135] Lint on file Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 52 ++++++++++++++++++++++++------------------------ 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 68af08af..2fa01302 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -1,12 +1,12 @@ --- -- name: "PRELIM | AUDIT | Set default values for facts" +- name: PRELIM | AUDIT | Set default values for facts ansible.builtin.set_fact: control_1_6_1_4_was_run: false ubtu22cis_apparmor_enforce_only: false changed_when: false -- name: "PRELIM | AUDIT | Register if snap being used" +- name: PRELIM | AUDIT | Register if snap being used ansible.builtin.shell: df -h | grep -wc "/snap" changed_when: false failed_when: prelim_snap_pkg_mgr.rc not in [ 0, 1 ] @@ -17,7 +17,7 @@ when: - ubtu22cis_rule_1_1_1_6 -- name: "PRELIM | AUDIT | Register if squashfs is built into the kernel" +- name: PRELIM | AUDIT | Register if squashfs is built into the kernel ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs" changed_when: false failed_when: prelim_squashfs_builtin.rc not in [ 0, 1 ] @@ -27,7 +27,7 @@ when: - ubtu22cis_rule_1_1_1_6 -- name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points" +- name: PRELIM | AUDIT | Section 1.1 | Create list of mount points ansible.builtin.set_fact: mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" tags: @@ -95,7 +95,7 @@ ansible.builtin.import_tasks: file: pre_remediation_audit.yml -- name: "PRELIM | PATCH | Run apt update" +- name: PRELIM | PATCH | Run apt update when: - ubtu22cis_rule_1_2_1_1 or ubtu22cis_rule_1_2_2_1 
@@ -104,20 +104,20 @@ ansible.builtin.package: update_cache: true -- name: "PRELIM | AUDIT | Wireless adapter pre-requisites" +- name: PRELIM | AUDIT | Wireless adapter pre-requisites when: - ubtu22cis_rule_3_1_2 - not system_is_container tags: - always block: - - name: "PRELIM | AUDIT | Discover is wirelss adapter on system" + - name: PRELIM | AUDIT | Discover is wirelss adapter on system ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless register: prelim_wireless_adapters changed_when: false failed_when: prelim_wireless_adapters.rc not in [ 0, 1 ] - - name: "PRELIM | PATCH | Install Network-Manager | if wireless adapter present" + - name: PRELIM | PATCH | Install Network-Manager | if wireless adapter present when: - ubtu22cis_install_network_manager - prelim_wireless_adapters.rc == 0 @@ -126,7 +126,7 @@ name: network-manager state: present -- name: "PRELIM | 4.1.1 | PATCH | Ensure ufw is installed" +- name: PRELIM | 4.1.1 | PATCH | Ensure ufw is installed when: - ubtu22cis_rule_4_1_1 - ubtu22cis_ufw_use_sysctl @@ -142,7 +142,7 @@ name: ufw state: present -- name: "PRELIM | PATCH | 5.3.4/5 | Find all sudoers files." +- name: PRELIM | PATCH | 5.3.4/5 | Find all sudoers files. ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false @@ -154,7 +154,7 @@ tags: - always -- name: "PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x" +- name: PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x when: - ubtu22cis_rule_5_3_3_2_1 or ubtu22cis_rule_5_3_3_2_2 or 
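Review bot: Two task names rewritten by this lint pass still carry typos: `Discover is wirelss adapter on system` in this hunk, and `Discover Interactive UID MIN and MIN from logins.def` in the `@@ -171` hunk on the next line, whose tasks read `UID_MIN`, `UID_MAX` and `GID_MIN` from `/etc/login.defs`. Suggested names: `PRELIM | AUDIT | Discover if wireless adapter on system` and `PRELIM | AUDIT | Discover interactive UID/GID MIN and MAX from login.defs`. Task names are what operators search for in play output, so fixing them here avoids a second rename later.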
@@ -171,34 +171,34 @@ group: root mode: '0750' -- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" +- name: PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def when: - not discover_int_uid tags: - always block: - - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" + - name: PRELIM | AUDIT | Capture UID_MIN information from logins.def ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: prelim_uid_min_id - - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" + - name: PRELIM | AUDIT | Capture UID_MAX information from logins.def ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' changed_when: false register: prelim_uid_max_id - - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" + - name: PRELIM | AUDIT | Capture GID_MIN information from logins.def ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: prelim_gid_min_id - - name: "PRELIM | AUDIT | Set_facts for interactive uid/gid" + - name: PRELIM | AUDIT | Set_facts for interactive uid/gid ansible.builtin.set_fact: min_int_uid: "{{ prelim_uid_min_id.stdout }}" max_int_uid: "{{ prelim_uid_max_id.stdout }}" min_int_gid: "{{ prelim_gid_min_id.stdout }}" -- name: "PRELIM | AUDIT | Interactive Users" +- name: PRELIM | AUDIT | Interactive Users tags: - always ansible.builtin.shell: > @@ -206,7 +206,7 @@ changed_when: false register: prelim_interactive_usernames -- name: "PRELIM | AUDIT | Interactive User accounts home directories" +- name: PRELIM | AUDIT | Interactive User accounts home directories tags: - always ansible.builtin.shell: > @@ -214,7 +214,7 @@ changed_when: false register: prelim_interactive_users_home -- name: "PRELIM | AUDIT | Interactive UIDs" +- name: PRELIM | AUDIT | Interactive UIDs tags: - always ansible.builtin.shell: 
> @@ -222,7 +222,7 @@ changed_when: false register: prelim_interactive_uids -- name: "PRELIM | AUDIT | Gather UID 0 accounts other than root" +- name: PRELIM | AUDIT | Gather UID 0 accounts other than root when: - ubtu22cis_rule_5_4_2_1 tags: @@ -236,7 +236,7 @@ check_mode: false register: prelim_uid_zero_accounts_except_root -- name: "PRELIM | PATCH | create journald conf.d directory" +- name: PRELIM | PATCH | create journald conf.d directory when: - ubtu22cis_rule_6_2_1_1_3 or ubtu22cis_rule_6_2_1_1_5 or @@ -250,7 +250,7 @@ group: root mode: '0755' -- name: "PRELIM | PATCH | Ensure auditd is installed" +- name: PRELIM | PATCH | Ensure auditd is installed when: - ubtu22cis_rule_6_3_1_1 - "'auditd' not in ansible_facts.packages or @@ -265,7 +265,7 @@ name: ['auditd', 'audispd-plugins'] state: present -- name: "PRELIM | AUDIT | Audit conf and rules files | list files" +- name: PRELIM | AUDIT | Audit conf and rules files | list files ansible.builtin.find: path: /etc/audit/ file_type: file @@ -277,7 +277,7 @@ - auditd - always -- name: "PRELIM | AUDIT | Check if auditd is immutable before changes" +- name: PRELIM | AUDIT | Check if auditd is immutable before changes tags: - always ansible.builtin.shell: auditctl -l | grep -c '-e 2' @@ -286,7 +286,7 @@ register: prelim_auditd_immutable_check when: "'auditd' in ansible_facts.packages" -- name: "PRELIM | AUDIT | 6.3.4.x | Capture information about auditd logfile path | discover file" +- name: PRELIM | AUDIT | 6.3.4.x | Capture information about auditd logfile path | discover file when: - ubtu22cis_rule_6_3_4_1 or ubtu22cis_rule_6_3_4_2 or @@ -306,7 +306,7 @@ failed_when: prelim_auditd_logfile.rc not in [0, 1] register: prelim_auditd_logfile -- name: "PRELIM | PATCH | Install ACL" +- name: PRELIM | PATCH | Install ACL when: - ubtu22cis_rule_7_2_9 - "'acl' not in ansible_facts.packages" From c2b422ba51a70c1cf6d363b3f7d2b52452ac4302 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Tue, 19 Nov 2024 11:58:36 +0000 Subject: [PATCH 087/135] Improvements to 6.1.1 logic Signed-off-by: Mark Bolwell --- defaults/main.yml | 14 ++++++++++-- tasks/section_6/cis_6.1.x.yml | 40 ++++++++++++++++++++++++++++------- 2 files changed, 44 insertions(+), 10 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7742fbdc..42ce9e30 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1039,13 +1039,23 @@ ubtu22cis_shell_session_file: /etc/profile.d/tmout.sh # By setting this variable to `true`, all of the settings related to AIDE will be applied! ubtu22cis_config_aide: true +# If DB file older than below will automatically rebuild DB +# e.g. options:1w = 1 week, 1d = 1day 1h = 1 hour +ubtu22cis_aide_db_file_age: 1w + +# If aide already setup this forces a new DB to be created +ubtu22cis_aide_db_recreate: false + +# allows to change db file, not config need to be adjusted too +ubtu22cis_aide_db_file: /var/lib/aide/aide.db + ## When Initializing aide this can take longer on some systems # changing the values enables user to change to thier own requirements ubtu22cis_aide_init: # Maximum Time in seconds - async: 45 + async: 600 # Polling Interval in seconds - poll: 0 + poll: 15 ## Control 6.1.2 # Set how aide is scanned either cron or timer diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 8b7ba48c..6971d8fd 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml 
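Review bot: The comment on `ubtu22cis_aide_db_file` ("allows to change db file, not config need to be adjusted too") is hard to parse; it should state that changing this path does not update the AIDE configuration, which must point at the same database, e.g. `# Path of the AIDE database; changing it does NOT update aide.conf, which must reference the same file`. For `ubtu22cis_aide_db_file_age`, the value is passed as the `age:` argument of `ansible.builtin.find` in the 6.1.x task, so the comment could name that format (a number with an s/m/h/d/w suffix) instead of the open-ended "options" wording. The default of `1w` also makes the role rebuild the integrity baseline weekly, a policy decision worth spelling out in the comment so operators can opt out deliberately.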
@@ -26,15 +26,39 @@ ansible.builtin.package_facts: manager: auto + - name: "6.1.1 | AUDIT | Ensure AIDE is installed | Check file exists" + ansible.builtin.stat: + path: "{{ ubtu22cis_aide_db_file }}" + register: discovered_aide_db_file + + - name: "6.1.1 | AUDIT | Ensure AIDE is installed | Check current db file age" + when: discovered_aide_db_file.stat.exists + ansible.builtin.find: + path: "{{ ubtu22cis_aide_db_file | dirname }}" + pattern: "{{ ubtu22cis_aide_db_file | basename }}" + age: "{{ ubtu22cis_aide_db_file_age }}" + register: discovered_aide_db_age + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - ansible.builtin.shell: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db - args: - creates: /var/lib/aide/aide.db - changed_when: false - failed_when: false - async: "{{ ubtu22cis_aide_init.async }}" - poll: "{{ ubtu22cis_aide_init.poll }}" - when: not ansible_check_mode + when: + - not ansible_check_mode + - not discovered_aide_db_file.stat.exists or + (discovered_aide_db_age.files | length > 0) or + ubtu22cis_aide_db_recreate + block: + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Remove current db file" + ansible.builtin.file: + path: "{{ ubtu22cis_aide_db_file }}" + state: absent + + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE" + when: + - not ansible_check_mode + ansible.builtin.shell: aideinit -y -f + args: + creates: "{{ ubtu22cis_aide_db_file }}" + async: "{{ ubtu22cis_aide_init.async }}" + poll: "{{ ubtu22cis_aide_init.poll }}" - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked" when: From f4f6a2fc2b979336877e4a9cb3883001d8bb1537 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 22 Nov 2024 10:39:33 +0000 Subject: [PATCH 088/135] lint and layout update 
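Review bot: The `Remove current db file` task deletes the existing AIDE database before `aideinit -y -f` has produced a replacement, so a failed or timed-out init (the async limit is 600 s) leaves the host with no integrity baseline at all; the deletion appears to exist only to defeat the `creates:` guard on the next task. Since the block's `when:` already decides whether a rebuild is needed, dropping the file task and the `creates:` line and letting `aideinit -y -f` overwrite in place keeps the old database until the new one is written. Rebuilding whenever the file is older than `ubtu22cis_aide_db_file_age` also re-baselines without a prior `aide --check`, so any change made in the meantime becomes part of the new baseline; a check-then-update step, or at least a comment stating that this is accepted, belongs here. The inner `when: - not ansible_check_mode` duplicates the block's condition and can go. The 6.1.1 block begins outside the hunk.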
Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 45 +++++++++++-------------------- tasks/section_1/cis_1.1.2.1.x.yml | 2 +- tasks/section_1/cis_1.1.2.2.x.yml | 2 +- tasks/section_1/cis_1.1.2.3.x.yml | 8 +++--- tasks/section_1/cis_1.1.2.4.x.yml | 8 +++--- tasks/section_1/cis_1.1.2.5.x.yml | 8 +++--- tasks/section_1/cis_1.1.2.6.x.yml | 8 +++--- tasks/section_1/cis_1.1.2.7.x.yml | 8 +++--- tasks/section_1/cis_1.2.1.x.yml | 10 +++---- tasks/section_1/cis_1.2.2.x.yml | 3 +-- tasks/section_1/cis_1.3.1.x.yml | 37 ++++++++++++------------- tasks/section_1/cis_1.4.x.yml | 6 ++--- tasks/section_1/cis_1.5.x.yml | 15 ++++------- tasks/section_1/cis_1.6.x.yml | 18 +++++-------- tasks/section_1/cis_1.7.x.yml | 9 +++---- tasks/section_2/cis_2.1.x.yml | 6 ++--- 16 files changed, 74 insertions(+), 119 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 9d1ab241..9369c7a2 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -1,8 +1,7 @@ --- - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available" - when: - - ubtu22cis_rule_1_1_1_1 + when: ubtu22cis_rule_1_1_1_1 tags: - level1-server - level1-workstation @@ -27,15 +26,13 @@ mode: '0600' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: cramfs state: absent - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available" - when: - - ubtu22cis_rule_1_1_1_2 + when: ubtu22cis_rule_1_1_1_2 tags: - level1-server - level1-workstation 
@@ -60,15 +57,13 @@ mode: '0600' - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: freevxfs state: absent - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available" - when: - - ubtu22cis_rule_1_1_1_3 + when: ubtu22cis_rule_1_1_1_3 tags: - level1-server - level1-workstation @@ -93,15 +88,13 @@ mode: '0600' - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: hfs state: absent - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available" - when: - - ubtu22cis_rule_1_1_1_4 + when: ubtu22cis_rule_1_1_1_4 tags: - level1-server - level1-workstation @@ -126,15 +119,13 @@ mode: '0600' - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: hfsplus state: absent - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available" - when: - - ubtu22cis_rule_1_1_1_5 + when: ubtu22cis_rule_1_1_1_5 tags: - level1-server - level1-workstation @@ -159,8 +150,7 @@ mode: '0600' - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: jffs2 state: absent @@ -194,15 +184,13 @@ mode: '0600' - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: squashfs state: absent - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available" - when: - - ubtu22cis_rule_1_1_1_7 + when: ubtu22cis_rule_1_1_1_7 tags: - level2-server - level2-workstation 
@@ -227,15 +215,13 @@ mode: '0600' - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Disable udf" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: udf state: absent - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available" - when: - - ubtu22cis_rule_1_1_1_8 + when: ubtu22cis_rule_1_1_1_8 tags: - level1-server - level2-workstation @@ -260,8 +246,7 @@ mode: '0600' - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Disable usb" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: usb-storage state: absent diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index 16edfe72..b965374e 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -17,7 +17,7 @@ block: - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.1.1 | WARN | Ensure /tmp is a separate partition | warn_count" ansible.builtin.import_tasks: diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index 77653e51..a4fc59b0 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -3,7 +3,7 @@ - name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition" when: - ubtu22cis_rule_1_1_2_2_1 - - "'/tmp' not in mount_names" + - required_mount not in mount_names tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index 33fa9699..1f295c3e 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml 
@@ -3,7 +3,7 @@ - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home" when: - ubtu22cis_rule_1_1_2_3_1 - - "'/home' not in mount_names" + - required_mount not in mount_names tags: - level2-server - level2-workstation @@ -16,9 +16,7 @@ block: - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Warn if partition is absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: home_mount_absent - changed_when: home_mount_absent.skipped is undefined + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Present" ansible.builtin.import_tasks: @@ -46,7 +44,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if ubtu22cis_rule_1_1_2_3_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3_3 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_3_3) %},nosuid{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index af6784e5..d341d8aa 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -2,7 +2,7 @@ - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var" when: - - "'/var' not in mount_names" + - required_mount not in mount_names - ubtu22cis_rule_1_1_2_4_1 tags: - level2-server 
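Review bot: The new `opts:` expression appends to `item.options`, which is the live option string reported in `ansible_facts.mounts`, not what is in fstab; runtime-only options (for example `relatime`, `errors=remount-ro` or, on some setups, `seclabel`) are therefore written into the fstab entry with `state: present`, a change from the previous `defaults,…` form that should be confirmed against a real host. The `'nodev' not in item.options` tests are substring matches on that string, which is adequate only while no option contains those words as a substring, so a short comment on the line stating that assumption would help. The same expression is repeated in the 1.1.2.4, 1.1.2.5, 1.1.2.6 and 1.1.2.7 hunks on the following lines. The mount task's `when:` that selects the matching mount lies outside the hunk.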
@@ -16,9 +16,7 @@ block: - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Warn if partition is absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_mount_absent - changed_when: var_mount_absent.skipped is undefined + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Present" ansible.builtin.import_tasks: @@ -46,7 +44,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if ubtu22cis_rule_1_1_2_4_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_4_3 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_4_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_4_3) %},nosuid{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index f45874c8..b41d723d 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -4,7 +4,7 @@ - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp" when: - ubtu22cis_rule_1_1_2_5_1 - - "'/var/tmp' not in mount_names" + - required_mount not in mount_names tags: - level2-server - level2-workstation @@ -17,9 +17,7 @@ block: - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn if partition is absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_tmp_mount_absent - changed_when: var_tmp_mount_absent.skipped is undefined + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" ansible.builtin.import_tasks: 
@@ -50,7 +48,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if ubtu22cis_rule_1_1_2_5_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_5_3 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_2_5_4 %}noexec{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_5_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_5_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and ubtu22cis_rule_1_1_2_5_4) %},noexec{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index d6fa6146..dacdac2d 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml @@ -3,7 +3,7 @@ - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log" when: - ubtu22cis_rule_1_1_2_6_1 - - "'/var/log' not in mount_names" + - required_mount not in mount_names tags: - level2-server - level2-workstation @@ -16,9 +16,7 @@ block: - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Warn if partition is absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_mount_absent - changed_when: var_log_mount_absent.skipped is undefined + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Present" ansible.builtin.import_tasks: 
@@ -49,7 +47,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if ubtu22cis_rule_1_1_2_6_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_6_3 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_2_6_4 %}noexec{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_6_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_6_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and ubtu22cis_rule_1_1_2_6_4) %},noexec{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index 1e76360f..f2b69b42 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml @@ -3,7 +3,7 @@ - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit" when: - ubtu22cis_rule_1_1_2_7_1 - - "'/var/log/audit' not in mount_names" + - required_mount not in mount_names tags: - level2-server - level2-workstation @@ -16,9 +16,7 @@ block: - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn if partition is absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_audit_mount_absent - changed_when: var_log_audit_mount_absent.skipped is undefined + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" ansible.builtin.import_tasks: 
@@ -49,7 +47,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if ubtu22cis_rule_1_1_2_7_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_7_3 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_2_7_4 %}noexec{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_7_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_7_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and ubtu22cis_rule_1_1_2_7_4) %},noexec{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index 0932713a..e5ba8dc7 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml @@ -1,8 +1,7 @@ --- - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured" - when: - - ubtu22cis_rule_1_2_1_1 + when: ubtu22cis_rule_1_2_1_1 tags: - level1-server - level1-workstation @@ -33,8 +32,7 @@ file: warning_facts.yml - name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured" - when: - - ubtu22cis_rule_1_2_1_2 + when: ubtu22cis_rule_1_2_1_2 tags: - level1-server - level1-workstation @@ -49,14 +47,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_1_2_1_2_apt_policy + register: discovered_apt_policy - name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" ansible.builtin.debug: msg: - "Warning!! Below are the apt package repositories" - "Please review to make sure they conform to your sites policies" - - "{{ ubtu22cis_1_2_1_2_apt_policy.stdout_lines }}" + - "{{ discovered_apt_policy.stdout_lines }}" - name: "1.2.1.2 | WARN | Ensure package manager repositories are configured | warn_count" ansible.builtin.import_tasks: diff --git a/tasks/section_1/cis_1.2.2.x.yml b/tasks/section_1/cis_1.2.2.x.yml index 7f5231ee..6fe9a348 100644 
--- a/tasks/section_1/cis_1.2.2.x.yml +++ b/tasks/section_1/cis_1.2.2.x.yml @@ -1,8 +1,7 @@ --- - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed" - when: - - ubtu22cis_rule_1_2_2_1 + when: ubtu22cis_rule_1_2_2_1 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml index 74dc89da..b87dafa5 100644 --- a/tasks/section_1/cis_1.3.1.x.yml +++ b/tasks/section_1/cis_1.3.1.x.yml @@ -16,8 +16,7 @@ state: present - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" - when: - - ubtu22cis_rule_1_3_1_2 + when: ubtu22cis_rule_1_3_1_2 tags: - level1-server - level1-workstation @@ -30,10 +29,10 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_1_3_1_2_cmdline_settings + register: discovered_cmdline_settings - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" - when: ubtu22cis_1_3_1_2_cmdline_settings.stdout is not search('apparmor=') + when: discovered_cmdline_settings.stdout is not search('apparmor=') ansible.builtin.lineinfile: path: /etc/default/grub regexp: ^(GRUB_CMDLINE_LINUX=")(|apparmor=\d\s)(.*\w+") @@ -42,7 +41,7 @@ notify: Grub update - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set security settings if none exist" - when: ubtu22cis_1_3_1_2_cmdline_settings.stdout is not search('security=') + when: discovered_cmdline_settings.stdout is not search('security=') ansible.builtin.lineinfile: path: /etc/default/grub regexp: ^(GRUB_CMDLINE_LINUX=")(|security=\w+\s)(.*\w+") 
@@ -52,19 +51,19 @@ - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" when: - - "'apparmor' not in ubtu22cis_1_3_1_2_cmdline_settings.stdout" - - "'security' not in ubtu22cis_1_3_1_2_cmdline_settings.stdout" + - "'apparmor' not in discovered_cmdline_settings.stdout" + - "'security' not in discovered_cmdline_settings.stdout" ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu22cis_1_3_1_2_cmdline_settings.stdout }}"' + line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ discovered_cmdline_settings.stdout }}"' insertafter: '^GRUB_' notify: Grub update - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Replace apparmor settings when exists" when: - - "'apparmor' in ubtu22cis_1_3_1_2_cmdline_settings.stdout or - 'security' in ubtu22cis_1_3_1_2_cmdline_settings.stdout" + - "'apparmor' in discovered_cmdline_settings.stdout or + 'security' in discovered_cmdline_settings.stdout" ansible.builtin.replace: path: /etc/default/grub regexp: "{{ item.regexp }}" @@ -100,7 +99,7 @@ ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: ubtu22cis_1_3_1_4_pre_count + register: discovered_apparmor_pre_count - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Apply enforcing to /etc/apparmor.d profiles" ansible.builtin.shell: aa-enforce /etc/apparmor.d/* 
@@ -111,10 +110,10 @@ ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: ubtu22cis_1_3_1_4_post_count + register: discovered_apparmor_post_count - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | This flags for idempotency" - when: ubtu22cis_1_3_1_4_pre_count.stdout != ubtu22cis_1_3_1_4_post_count.stdout + when: discovered_apparmor_pre_count.stdout != discovered_apparmor_post_count.stdout ansible.builtin.debug: msg: Changed! The profiles in /etc/apparmor.d were set to enforcing changed_when: true @@ -132,15 +131,13 @@ - apparmor block: - name: "1.3.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only true for GOSS" - when: - - ubtu22cis_apparmor_mode == "enforce" + when: ubtu22cis_apparmor_mode == "enforce" ansible.builtin.set_fact: ubtu22cis_apparmor_enforce_only: true changed_when: false - name: "1.3.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only false for GOSS" - when: - - ubtu22cis_apparmor_mode == "complain" + when: ubtu22cis_apparmor_mode == "complain" ansible.builtin.set_fact: ubtu22cis_apparmor_enforce_only: false changed_when: false @@ -149,7 +146,7 @@ ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu22cis_apparmor_mode}} mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: ubtu22cis_1_3_1_3_pre_count + register: discovered_apparmor_pre_count - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Apply complaining/enforcing to /etc/apparmor.d profiles" ansible.builtin.shell: aa-{{ubtu22cis_apparmor_mode}} /etc/apparmor.d/* 
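Review bot: `ubtu22cis_apparmor_mode` is interpolated straight into `aa-{{ubtu22cis_apparmor_mode}} /etc/apparmor.d/*` and into the `apparmor_status` grep, but the only handling of its value in this block is the pair of set_fact tasks for "enforce" and "complain", so any other value (a typo in vars) runs an unintended `aa-*` command or yields an empty count that is then compared. Add a guard at the top of the block, e.g. `- ansible.builtin.assert: { that: ubtu22cis_apparmor_mode in ['enforce', 'complain'], fail_msg: "ubtu22cis_apparmor_mode must be enforce or complain" }`. Note also that after the rename both 1.3.1.3 and 1.3.1.4 register `discovered_apparmor_pre_count`/`discovered_apparmor_post_count`; that works while each block runs pre-count, apply, post-count unconditionally, but a skipped task would silently compare against the other rule's stale values. The 1.3.1.3 block continues past the end of the hunk.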
@@ -160,10 +157,10 @@ ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu22cis_apparmor_mode}} mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: ubtu22cis_1_3_1_3_post_count + register: discovered_apparmor_post_count - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | This flags for idempotency" - when: ubtu22cis_1_3_1_3_pre_count.stdout != ubtu22cis_1_3_1_3_post_count.stdout + when: discovered_apparmor_pre_count.stdout != discovered_apparmor_post_count.stdout ansible.builtin.debug: msg: Changed! The profiles in /etc/apparmor.d were set to {{ubtu22cis_apparmor_mode}} mode changed_when: true diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 97bb4e09..d889d894 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -30,8 +30,7 @@ notify: Grub update - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured" - when: - - ubtu22cis_rule_1_4_2 + when: ubtu22cis_rule_1_4_2 tags: - level1-server - level1-workstation @@ -46,8 +45,7 @@ register: ubtu22cis_1_4_2_grub_cfg_status - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | Set permissions" - when: - - ubtu22cis_1_4_2_grub_cfg_status.stat.exists + when: ubtu22cis_1_4_2_grub_cfg_status.stat.exists ansible.builtin.file: path: "{{ ubtu22cis_grub_file }}" owner: root diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index cf4e62a7..65157fe6 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -1,8 +1,7 @@ --- - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" - when: - - ubtu22cis_rule_1_5_1 + when: ubtu22cis_rule_1_5_1 tags: - level1-server - level1-workstation 
@@ -19,8 +18,7 @@ ignoreerrors: true - name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted" - when: - - ubtu22cis_rule_1_5_2 + when: ubtu22cis_rule_1_5_2 tags: - level1-server - level1-workstation @@ -37,8 +35,7 @@ ignoreerrors: true - name: "1.5.3 | PATCH | Ensure core dumps are restricted" - when: - - ubtu22cis_rule_1_5_3 + when: ubtu22cis_rule_1_5_3 tags: - level1-server - level1-workstation @@ -112,8 +109,7 @@ purge: "{{ ubtu22cis_purge_apt }}" - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled" - when: - - ubtu22cis_rule_1_5_5 + when: ubtu22cis_rule_1_5_5 tags: - level1-server - level1-workstation @@ -132,8 +128,7 @@ mode: '0644' - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package" - when: - - "'apport' in ansible_facts.packages" + when: "'apport' in ansible_facts.packages" ansible.builtin.package: name: apport state: absent diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 7da814cd..3e8d5ac9 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -1,8 +1,7 @@ --- - name: "1.6.1 | PATCH | Ensure message of the day is configured properly" - when: - - ubtu22cis_rule_1_6_1 + when: ubtu22cis_rule_1_6_1 tags: - level1-server - level1-workstation @@ -28,8 +27,7 @@ - { regexp: '# Pam_motd.so disabled for CIS benchmark', line: '# Pam_motd.so disabled for CIS benchmark' } - name: "1.6.2 | PATCH | Ensure local login warning banner is configured properly" - when: - - ubtu22cis_rule_1_6_2 + when: ubtu22cis_rule_1_6_2 tags: - level1-server - level1-workstation @@ -47,8 +45,7 @@ path: /etc/issue - name: "1.6.3 | PATCH | Ensure remote login warning banner is configured properly" - when: - - ubtu22cis_rule_1_6_3 + when: ubtu22cis_rule_1_6_3 tags: - level1-server - level1-workstation 
@@ -66,8 +63,7 @@ path: /etc/issue.net - name: "1.6.4 | PATCH | Ensure permissions on /etc/motd are configured" - when: - - ubtu22cis_rule_1_6_4 + when: ubtu22cis_rule_1_6_4 tags: - level1-server - level1-workstation @@ -82,8 +78,7 @@ mode: 'u-x,go-wx' - name: "1.6.5 | PATCH | Ensure permissions on /etc/issue are configured" - when: - - ubtu22cis_rule_1_6_5 + when: ubtu22cis_rule_1_6_5 tags: - level1-server - level1-workstation @@ -98,8 +93,7 @@ mode: 'u-x,go-wx' - name: "1.6.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - when: - - ubtu22cis_rule_1_6_6 + when: ubtu22cis_rule_1_6_6 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index dfd75077..5d11b1f9 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -1,9 +1,6 @@ --- - name: "1.7.1 | PATCH | Ensure GNOME Display Manager is removed" - ansible.builtin.package: - name: gdm3 - state: absent when: - ubtu22cis_rule_1_7_1 - not ubtu22cis_desktop_required @@ -14,6 +11,9 @@ - patch - rule_1.7.1 - gnome + ansible.builtin.package: + name: gdm3 + state: absent - name: "1.7.2 | PATCH | Ensure GDM login banner is configured" when: @@ -288,8 +288,7 @@ notify: Update dconf - name: "1.7.10 | PATCH | Ensure XDCMP is not enabled" - when: - - ubtu22cis_rule_1_7_10 + when: ubtu22cis_rule_1_7_10 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 62c2670e..a6dd7ee5 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -588,7 +588,7 @@ - "'apache2' in ansible_facts.packages" notify: Systemd_daemon_reload ansible.builtin.systemd: - name: + name: "{{ item }}" enabled: false state: stopped masked: true 
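Review bot: Restoring `name: "{{ item }}"` is the right fix for the empty unit name, but the `'apache2' in ansible_facts.packages` condition only shows the package is installed, not that every looped unit exists, and `state: stopped` on an unknown unit makes the systemd module fail rather than skip. The `loop` that supplies `item` is outside the hunk; if it names more than `apache2.service`, consider gating each item on `ansible_facts.services` or adding a `failed_when` that tolerates a missing unit while still masking it.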
@@ -625,8 +625,8 @@ - not ubtu22cis_xinetd_mask ansible.builtin.package: name: xinetd - state: absent purge: "{{ ubtu22cis_purge_apt }}" + state: absent - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Mask service" when: @@ -636,8 +636,8 @@ ansible.builtin.systemd: name: xinetd.service enabled: false - state: stopped masked: true + state: stopped - name: "2.1.20 | PATCH | Ensure X window server services are not in use" when: From 6faa6e76f57344407d6c54da1d3abc05d187565a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 22 Nov 2024 10:40:01 +0000 Subject: [PATCH 089/135] lint and layut updates Signed-off-by: Mark Bolwell --- tasks/audit_only.yml | 10 +-- tasks/auditd.yml | 6 +- tasks/main.yml | 91 ++++++++------------ tasks/post_remediation_audit.yml | 12 ++- tasks/pre_remediation_audit.yml | 42 ++++------ tasks/prelim.yml | 140 +++++++++++++------------------ tasks/section_1/main.yml | 20 ++--- 7 files changed, 129 insertions(+), 192 deletions(-) diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index f1623397..56e933de 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml @@ -5,26 +5,24 @@ delegate_to: localhost become: false ansible.builtin.file: - mode: '0755' path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" + mode: '0755' recurse: true state: directory - name: Audit_only | Get audits from systems and put in group dir when: fetch_audit_files ansible.builtin.fetch: + src: "{{ pre_audit_outfile }}" dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" flat: true mode: '0644' - src: "{{ pre_audit_outfile }}" - name: Audit_only | Show Audit Summary - when: - - audit_only + when: audit_only ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" - name: Audit_only | Stop Playbook Audit Only selected - when: - - audit_only + when: audit_only ansible.builtin.meta: end_play diff --git a/tasks/auditd.yml b/tasks/auditd.yml index d47aca02..c7b78411 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml 
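Review bot: `recurse: true` together with `mode: '0755'` on the capture directory re-applies 0755 to everything already under `{{ audit_capture_files_dir }}/{{ inventory_hostname }}`, so audit output files fetched on an earlier run (written with `mode: '0644'` by the fetch task two lines later) become executable on the controller on the next run. The task only needs the directory to exist, so drop `recurse: true`, or use a symbolic mode that keeps files non-executable: `mode: 'u=rwX,go=rX'`. This runs with `delegate_to: localhost` and `become: false`, so the effect is confined to controller-side files.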
@@ -1,6 +1,6 @@ --- -- name: "POST | AUDITD | Apply auditd template for section 4.1.3.x" +- name: POST | Apply auditd template for section 4.1.3.x when: update_audit_template ansible.builtin.template: src: audit/99_auditd.rules.j2 @@ -15,7 +15,7 @@ - Restart auditd - Set_reboot_required -- name: POST | AUDITD | Set up auditd user logging exceptions +- name: POST | Set up auditd user logging exceptions when: ubtu22cis_allow_auditd_uid_user_exclusions ansible.builtin.template: src: audit/98_auditd_exception.rules.j2 @@ -25,5 +25,5 @@ mode: '0600' notify: Restart auditd -- name: POST | AUDITD | Flush handlers +- name: POST | Flush handlers ansible.builtin.meta: flush_handlers diff --git a/tasks/main.yml b/tasks/main.yml index 43ce9224..779c2038 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -4,57 +4,52 @@ when: - ansible_facts.distribution == 'Ubuntu' - ansible_facts.distribution_major_version is version_compare('22', '!=') - tags: - - always + tags: always ansible.builtin.fail: msg: "This role can only be run against Ubuntu 22. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." - name: Check ansible version + tags: always ansible.builtin.assert: that: ansible_version.full is version_compare(min_ansible_version, '>=') fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" - tags: - - always # This control should always run as this can pass on unintended issues. - name: "Check password set for connecting user" when: - ubtu22cis_rule_5_2_4 - ansible_env.SUDO_USER is defined - tags: - - always + tags: always block: - name: Capture current password state of connecting user" ansible.builtin.shell: "grep -w {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false - register: ansible_user_password_set + register: prelim_ansible_user_password_set - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" ansible.builtin.assert: - that: ansible_user_password_set.stdout != "!!" and ansible_user_password_set.stdout | length > 10 + that: prelim_ansible_user_password_set.stdout != "!!" 
and prelim_ansible_user_password_set.stdout | length > 10 fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for sudo user {{ ansible_env.SUDO_USER }}" vars: sudo_password_rule: ubtu22cis_rule_5_2_4 # pragma: allowlist secret - name: Ensure root password is set - when: - - ubtu22cis_rule_5_4_2_4 - tags: - - always + when: ubtu22cis_rule_5_4_2_4 + tags: always block: - name: Ensure root password is set ansible.builtin.shell: passwd -S root | grep -E "root P" changed_when: false failed_when: false - register: root_passwd_set + register: prelim_root_passwd_set - name: Ensure root password is set ansible.builtin.assert: - that: root_passwd_set.rc == 0 + that: prelim_root_passwd_set.rc == 0 fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set - Please manually set a root password" success_msg: "You have a root password set" 
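Review bot: The assert in the "Check password set for connecting user" block does not establish "account not locked": Ubuntu locks an account by prefixing the hash with `!` (or storing `*`), so a locked `!$6$...`/`!$y$...` field is longer than 10 characters and differs from `"!!"`, and the check passes for exactly the case it is meant to catch before rule 5.2.4 makes sudo require a password. `grep -w {{ ansible_env.SUDO_USER }}` is also not anchored to the user field, so a short username can match inside another line's hash. Suggest `grep '^{{ ansible_env.SUDO_USER }}:' /etc/shadow | cut -d: -f2` for the capture and `that: prelim_ansible_user_password_set.stdout | length > 10 and prelim_ansible_user_password_set.stdout is not match('[!*]')` for the assertion.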
@@ -62,36 +57,34 @@ when: - ubtu22cis_set_boot_pass - ubtu22cis_rule_1_4_1 - tags: - - always + tags: always ansible.builtin.assert: that: ubtu22cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu22cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret msg: "This role will not be able to run single user password commands as ubtu22cis_bootloader_password_hash variable has not been set correctly" - name: Check ubtu22cis_grub_user password variable has been changed when: ubtu22cis_rule_1_4_1 - tags: - - always + tags: always block: - name: Check ubtu22cis_grub_user password variable has been changed | check password is set ansible.builtin.shell: "grep ^{{ ubtu22cis_grub_user }} /etc/shadow | awk -F : '{print $2}'" changed_when: false - register: ubtu22cis_password_set_grub_user + register: prelim_password_set_grub_user - name: Check ubtu22cis_grub_user password variable has been changed | check password is set when: - - "'$y$' in ubtu22cis_password_set_grub_user.stdout" + - "'$y$' in prelim_password_set_grub_user.stdout" - ubtu22cis_set_grub_user_pass - ubtu22cis_rule_1_4_1 ansible.builtin.assert: - that: ubtu22cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu22cis_grub_user_passwd.find('$y$') != -1 and ubtu22cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' + that: prelim_password_set_grub_user.stdout.find('$y$') != -1 or ubtu22cis_grub_user_passwd.find('$y$') != -1 and ubtu22cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' msg: "This role will not set the {{ ubtu22cis_grub_user }} user password is not set or ubtu22cis_grub_user_passwd variable has not been set correctly" - name: Check ubtu22cis_grub_user password variable has been changed | if password blank or incorrect type and not being set when: - not ubtu22cis_set_grub_user_pass ansible.builtin.assert: - that: ( 
ubtu22cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu22cis_password_set_grub_user.stdout + that: ( prelim_password_set_grub_user.stdout | length > 10 ) and '$y$' in prelim_password_set_grub_user.stdout fail_msg: "Grub User {{ ubtu22cis_grub_user }} has no password set or incorrect encryption" success_msg: "Grub User {{ ubtu22cis_grub_user }} has a valid password set to be used in single user mode" @@ -112,14 +105,12 @@ file: "{{ container_vars_file }}" - name: Output if discovered is a container - when: - - system_is_container + when: system_is_container ansible.builtin.debug: msg: system has been discovered as a container - name: Gather the package facts before prelim - tags: - - always + tags: always ansible.builtin.package_facts: manager: auto @@ -132,8 +123,7 @@ file: prelim.yml - name: Gather the package facts after prelim - tags: - - always + tags: always ansible.builtin.package_facts: manager: auto 
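Review bot: The assert in the "check password is set" task of this hunk is vacuous: the task only runs `when: "'$y$' in prelim_password_set_grub_user.stdout"`, and its `that:` is `prelim_password_set_grub_user.stdout.find('$y$') != -1 or (...)`, so the first operand is always true and the "ubtu22cis_grub_user_passwd has been changed from the default hash" check is never enforced. Split it into its own assertion that runs when `ubtu22cis_set_grub_user_pass` is true, e.g. `that: ubtu22cis_grub_user_passwd.find('$y$') != -1 and ubtu22cis_grub_user_passwd != '<default hash>'`, and fix the garbled `msg`. The capture `grep ^{{ ubtu22cis_grub_user }} /etc/shadow` is also a prefix match; anchor it with the field separator, `grep '^{{ ubtu22cis_grub_user }}:' /etc/shadow`, so a longer username does not pollute the result.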
@@ -142,64 +132,55 @@ - ubtu22cis_section5 or ubtu22cis_section6 or ubtu22cis_section7 - tags: - - always + tags: always ansible.builtin.import_tasks: file: parse_etc_password.yml - name: Include section 1 patches when: ubtu22cis_section1 - tags: - - section1 + tags: section1 ansible.builtin.import_tasks: file: section_1/main.yml - name: Include section 2 patches when: ubtu22cis_section2 - tags: - - section2 + tags: section2 ansible.builtin.import_tasks: file: section_2/main.yml - name: Include section 3 patches when: ubtu22cis_section3 - tags: - - section3 + tags: section3 ansible.builtin.import_tasks: file: section_3/main.yml - name: Include section 4 patches when: ubtu22cis_section4 - tags: - - section4 + tags: section4 ansible.builtin.import_tasks: file: section_4/main.yml - name: Include section 5 patches when: ubtu22cis_section5 - tags: - - section5 + tags: section5 ansible.builtin.import_tasks: file: section_5/main.yml - name: Include section 6 patches when: ubtu22cis_section6 - tags: - - section6 + tags: section6 ansible.builtin.import_tasks: file: section_6/main.yml - name: Include section 7 patches when: ubtu22cis_section7 - tags: - - section7 + tags: section7 ansible.builtin.import_tasks: file: section_7/main.yml - name: Run auditd logic when: update_audit_template - tags: - - always + tags: always ansible.builtin.import_tasks: file: auditd.yml @@ -207,8 +188,7 @@ ansible.builtin.meta: flush_handlers - name: Reboot system - tags: - - always + tags: always block: - name: Reboot system if not skipped when: 
@@ -225,24 +205,19 @@ changed_when: true - name: Run post remediation audit - when: - - run_audit - tags: - - run_audit + when: run_audit + tags: run_audit ansible.builtin.import_tasks: file: post_remediation_audit.yml - name: Show Audit Summary - when: - - run_audit - tags: - - run_audit + when: run_audit + tags: run_audit ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" - name: If Warnings found Output count and control IDs affected when: warn_count != 0 - tags: - - always + tags: always ansible.builtin.debug: msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 9b06b24a..cac34ed1 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -18,26 +18,24 @@ - "{{ pre_audit_outfile }}" - name: Post Audit | Capture audit data if json format - when: - - audit_format == "json" + when: audit_format == "json" block: - name: Post Audit | Capture audit data if json format ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 - register: post_audit_summary changed_when: false + register: post_audit_summary - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: post_audit_results: "{{ post_audit_summary.stdout }}" - name: Post Audit | Capture audit data if documentation format - when: - - audit_format == "documentation" + when: audit_format == "documentation" block: - name: Post Audit | Capture audit data if documentation format - ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" - register: post_audit_summary + ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' changed_when: false + register: post_audit_summary - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: 
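Review bot: The rewritten documentation-format capture in post_remediation_audit.yml reads the wrong file: `tail -2 "{{ pre_audit_outfile }}"` replaces the old `tail -2 {{ post_audit_outfile }}`, so `post_audit_results` and the summary shown after remediation report the pre-remediation outcome, and any control that remediation failed to fix is hidden. It looks like a paste from pre_remediation_audit.yml, where the same line is correct. Change it to `ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '`.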
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 6f215c31..555eae6c 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,22 +1,19 @@ --- - name: Pre Audit Setup | Setup the LE audit - when: - - setup_audit - tags: - - setup_audit + when: setup_audit + tags: setup_audit ansible.builtin.include_tasks: file: LE_audit_setup.yml - name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: path: "{{ audit_conf_dir }}" - state: directory mode: '0755' + state: directory - name: Pre Audit Setup | If using git for content set up - when: - - audit_content == 'git' + when: audit_content == 'git' block: - name: Pre Audit Setup | Install git ansible.builtin.package: @@ -30,23 +27,20 @@ version: "{{ audit_git_version }}" - name: Pre Audit Setup | Copy to audit content files to server - when: - - audit_content == 'copy' + when: audit_content == 'copy' ansible.builtin.copy: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server - when: - - audit_content == 'archive' + when: audit_content == 'archive' ansible.builtin.unarchive: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url - when: - - audit_content == 'get_url' + when: audit_content == 'get_url' ansible.builtin.unarchive: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" @@ -54,8 +48,7 @@ extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" - name: Pre Audit Setup | Check Goss is available - when: - - run_audit + when: run_audit block: - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: 
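Review bot: The `get_url` branch hands `audit_conf_source` straight to `ansible.builtin.unarchive`, which downloads and extracts the audit content that goss later executes with no integrity check; unarchive has no `checksum` option, so nothing pins what was fetched. Consider fetching with `ansible.builtin.get_url` plus `checksum: sha256:...` into a temporary file and unarchiving that with `remote_src: true`, so a tampered or moved archive is rejected before it is used. Whether `remote_src` is set on this task is outside the hunk, so I could not confirm which side performs the download; the `copy` and `archive` branches use controller-local content and are unaffected.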
@@ -63,17 +56,15 @@ register: goss_available - name: Pre Audit Setup | If audit ensure goss is available - when: - - not goss_available.stat.exists + when: not goss_available.stat.exists ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit + when: run_audit tags: - goss_template - run_audit - when: - - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" @@ -88,33 +79,30 @@ AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format - when: - - audit_format == "json" + when: audit_format == "json" block: - name: Pre Audit | Capture audit data if json format ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 - register: pre_audit_summary changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Pre Audit | Capture audit data if documentation format - when: - - audit_format == "documentation" + when: audit_format == "documentation" block: - name: Pre Audit | Capture audit data if documentation format ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' - register: pre_audit_summary changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Audit_Only | Run Audit Only - when: - - audit_only + when: audit_only ansible.builtin.import_tasks: file: audit_only.yml diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 68af08af..1902ef31 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
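Review bot: The "If audit ensure goss is available" task is an `ansible.builtin.assert` with only a `msg:` and no `that:` visible in the hunk, so when `goss_available.stat.exists` is false the play stops on a missing-required-argument error rather than with the intended message. Either make it `ansible.builtin.fail: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"` under the same `when`, or drop the `when` and assert directly with `that: goss_available.stat.exists` and `fail_msg:` carrying that text.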
@@ -1,37 +1,33 @@ --- -- name: "PRELIM | AUDIT | Set default values for facts" +- name: PRELIM | AUDIT | Set default values for facts ansible.builtin.set_fact: control_1_6_1_4_was_run: false ubtu22cis_apparmor_enforce_only: false changed_when: false -- name: "PRELIM | AUDIT | Register if snap being used" +- name: PRELIM | AUDIT | Register if snap being used + when: ubtu22cis_rule_1_1_1_6 + tags: + - rule_1.1.1.2 + - always ansible.builtin.shell: df -h | grep -wc "/snap" changed_when: false failed_when: prelim_snap_pkg_mgr.rc not in [ 0, 1 ] register: prelim_snap_pkg_mgr - tags: - - rule_1.1.1.2 - - always - when: - - ubtu22cis_rule_1_1_1_6 -- name: "PRELIM | AUDIT | Register if squashfs is built into the kernel" +- name: PRELIM | AUDIT | Register if squashfs is built into the kernel + when: ubtu22cis_rule_1_1_1_6 + tags: always ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs" changed_when: false failed_when: prelim_squashfs_builtin.rc not in [ 0, 1 ] register: prelim_squashfs_builtin - tags: - - always - when: - - ubtu22cis_rule_1_1_1_6 -- name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points" +- name: PRELIM | AUDIT | Section 1.1 | Create list of mount points + tags: always ansible.builtin.set_fact: mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" - tags: - - always - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type when: @@ -40,8 +36,7 @@ ubtu22cis_rule_1_1_2_1_2 or ubtu22cis_rule_1_1_2_1_3 or ubtu22cis_rule_1_1_2_1_4 - tags: - - always + tags: always block: - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type ansible.builtin.shell: systemctl is-enabled tmp.mount @@ -60,8 +55,7 @@ tmp_mnt_type: tmp_systemd - name: PRELIM | Initialize the mount options variable - tags: - - always + tags: always block: - name: PRELIM | Initializing the var if there is no /tmp mount | set_fact when: "'/tmp' not in mount_names" 
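Review bot: The snap check is gated on `ubtu22cis_rule_1_1_1_6` but still tagged `rule_1.1.1.2`, so `--skip-tags rule_1.1.1.2` drops it even though it is also tagged `always`, and `--tags rule_1.1.1.6` does not select it; presumably a leftover from the v1 numbering. Align the tag with the condition, `- rule_1.1.1.6`, and give the sibling squashfs check in the same hunk the same tag so the two prelim facts behave the same way under tag filtering.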
@@ -90,34 +84,31 @@ when: - run_audit or audit_only - setup_audit - tags: - - run_audit + tags: run_audit ansible.builtin.import_tasks: file: pre_remediation_audit.yml -- name: "PRELIM | PATCH | Run apt update" +- name: PRELIM | PATCH | Run apt update when: - ubtu22cis_rule_1_2_1_1 or ubtu22cis_rule_1_2_2_1 - tags: - - always + tags: always ansible.builtin.package: update_cache: true -- name: "PRELIM | AUDIT | Wireless adapter pre-requisites" +- name: PRELIM | AUDIT | Wireless adapter pre-requisites when: - ubtu22cis_rule_3_1_2 - not system_is_container - tags: - - always + tags: always block: - - name: "PRELIM | AUDIT | Discover is wirelss adapter on system" + - name: PRELIM | AUDIT | Discover is wirelss adapter on system ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless - register: prelim_wireless_adapters changed_when: false failed_when: prelim_wireless_adapters.rc not in [ 0, 1 ] + register: prelim_wireless_adapters - - name: "PRELIM | PATCH | Install Network-Manager | if wireless adapter present" + - name: PRELIM | PATCH | Install Network-Manager | if wireless adapter present when: - ubtu22cis_install_network_manager - prelim_wireless_adapters.rc == 0 @@ -126,7 +117,7 @@ name: network-manager state: present -- name: "PRELIM | 4.1.1 | PATCH | Ensure ufw is installed" +- name: PRELIM | 4.1.1 | PATCH | Ensure ufw is installed when: - ubtu22cis_rule_4_1_1 - ubtu22cis_ufw_use_sysctl 
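Review bot: `prelim_wireless_adapters.rc == 0` does not mean a wireless adapter was found: `find` exits 0 whenever it could traverse its arguments, matches or not, so with `ubtu22cis_install_network_manager` true network-manager is installed on every host, and rc 1 only occurs when the `/sys/class/net/*/` glob itself fails. Test the output instead: `- prelim_wireless_adapters.stdout | length > 0`. The install task's `package` call continues past the end of the hunk.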
@@ -142,19 +133,19 @@ name: ufw state: present -- name: "PRELIM | PATCH | 5.3.4/5 | Find all sudoers files." +- name: PRELIM | PATCH | 5.3.4/5 | Find all sudoers files. + when: + - ubtu22cis_rule_5_2_4 or + ubtu22cis_rule_5_2_5 + tags: always ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false check_mode: false register: prelim_sudoers_files - when: - - ubtu22cis_rule_5_2_4 or - ubtu22cis_rule_5_2_5 - tags: - - always -- name: "PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x" + +- name: PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x when: - ubtu22cis_rule_5_3_3_2_1 or ubtu22cis_rule_5_3_3_2_2 or @@ -162,8 +153,7 @@ ubtu22cis_rule_5_3_3_2_4 or ubtu22cis_rule_5_3_3_2_5 or ubtu22cis_rule_5_3_3_2_6 - tags: - - always + tags: always ansible.builtin.file: path: '/etc/security/pwquality.conf.d' state: directory 
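Review bot: The sudoers discovery task is still named `PRELIM | PATCH | 5.3.4/5 | Find all sudoers files.` while its condition is `ubtu22cis_rule_5_2_4 or ubtu22cis_rule_5_2_5`, which makes the task list misleading when reading play output against the v2 benchmark; rename it `PRELIM | AUDIT | 5.2.4/5 | Find all sudoers files` (it only reads, so AUDIT rather than PATCH). The `find ... ! -name '*~' ! -name '*.*'` filter matches sudo's own rule of ignoring such files in sudoers.d, which is worth a comment: `# sudo ignores files in sudoers.d containing '.' or ending in '~'`.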
@@ -171,60 +161,54 @@ group: root mode: '0750' -- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" - when: - - not discover_int_uid - tags: - - always +- name: PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def + when: not discover_int_uid + tags: always block: - - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" + - name: PRELIM | AUDIT | Capture UID_MIN information from logins.def ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: prelim_uid_min_id - - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" + - name: PRELIM | AUDIT | Capture UID_MAX information from logins.def ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' changed_when: false register: prelim_uid_max_id - - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" + - name: PRELIM | AUDIT | Capture GID_MIN information from logins.def ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: prelim_gid_min_id - - name: "PRELIM | AUDIT | Set_facts for interactive uid/gid" + - name: PRELIM | AUDIT | Set_facts for interactive uid/gid ansible.builtin.set_fact: min_int_uid: "{{ prelim_uid_min_id.stdout }}" max_int_uid: "{{ prelim_uid_max_id.stdout }}" min_int_gid: "{{ prelim_gid_min_id.stdout }}" -- name: "PRELIM | AUDIT | Interactive Users" - tags: - - always +- name: PRELIM | AUDIT | Interactive Users + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' changed_when: false register: prelim_interactive_usernames -- name: "PRELIM | AUDIT | Interactive User accounts home directories" - tags: - - always +- name: PRELIM | AUDIT | Interactive User accounts home directories + tags: always ansible.builtin.shell: > grep -E -v 
'^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $6 }' changed_when: false register: prelim_interactive_users_home -- name: "PRELIM | AUDIT | Interactive UIDs" - tags: - - always +- name: PRELIM | AUDIT | Interactive UIDs + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' changed_when: false register: prelim_interactive_uids -- name: "PRELIM | AUDIT | Gather UID 0 accounts other than root" - when: - - ubtu22cis_rule_5_4_2_1 +- name: PRELIM | AUDIT | Gather UID 0 accounts other than root + when: ubtu22cis_rule_5_4_2_1 tags: - rule_5.4.2.1 - level1-server @@ -236,13 +220,12 @@ check_mode: false register: prelim_uid_zero_accounts_except_root -- name: "PRELIM | PATCH | create journald conf.d directory" +- name: PRELIM | PATCH | create journald conf.d directory when: - ubtu22cis_rule_6_2_1_1_3 or ubtu22cis_rule_6_2_1_1_5 or ubtu22cis_rule_6_2_1_1_6 - tags: - - always + tags: always ansible.builtin.file: path: /etc/systemd/journald.conf.d state: directory @@ -250,7 +233,7 @@ group: root mode: '0755' -- name: "PRELIM | PATCH | Ensure auditd is installed" +- name: PRELIM | PATCH | Ensure auditd is installed when: - ubtu22cis_rule_6_3_1_1 - "'auditd' not in ansible_facts.packages or 
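Review bot: The three interactive-account captures in this hunk disagree: the username and home-directory filters exclude `$7 != "/dev/null"`, but the UID filter registered as `prelim_interactive_uids` omits that clause, so a user with a /dev/null shell appears in the UID list and not in the other two lists that later sections use together. Add `&& $7 != "/dev/null"` to the UID awk expression. The `grep -E -v '^(root|halt|sync|shutdown)'` prefix is also unanchored to the field separator and would drop any account whose name merely starts with one of those words; use `'^(root|halt|sync|shutdown):'`.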
@@ -265,28 +248,27 @@ name: ['auditd', 'audispd-plugins'] state: present -- name: "PRELIM | AUDIT | Audit conf and rules files | list files" +- name: PRELIM | AUDIT | Audit conf and rules files | list files + tags: + - patch + - auditd + - always ansible.builtin.find: path: /etc/audit/ file_type: file recurse: true patterns: '*.conf,*.rules' register: prelim_auditd_conf_files - tags: - - patch - - auditd - - always -- name: "PRELIM | AUDIT | Check if auditd is immutable before changes" - tags: - - always +- name: PRELIM | AUDIT | Check if auditd is immutable before changes + when: "'auditd' in ansible_facts.packages" + tags: always ansible.builtin.shell: auditctl -l | grep -c '-e 2' changed_when: false failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ] register: prelim_auditd_immutable_check - when: "'auditd' in ansible_facts.packages" -- name: "PRELIM | AUDIT | 6.3.4.x | Capture information about auditd logfile path | discover file" +- name: PRELIM | AUDIT | 6.3.4.x | Capture information about auditd logfile path | discover file when: - ubtu22cis_rule_6_3_4_1 or ubtu22cis_rule_6_3_4_2 or @@ -306,12 +288,11 @@ failed_when: prelim_auditd_logfile.rc not in [0, 1] register: prelim_auditd_logfile -- name: "PRELIM | PATCH | Install ACL" +- name: PRELIM | PATCH | Install ACL when: - ubtu22cis_rule_7_2_9 - "'acl' not in ansible_facts.packages" - tags: - - always + tags: always ansible.builtin.package: name: acl state: present @@ -322,8 +303,7 @@ when: - ubtu22cis_firewall_package == "ufw" - ubtu22cis_ufw_use_sysctl - tags: - - always + tags: always ansible.builtin.lineinfile: path: /etc/default/ufw regexp: ^IPT_SYSCTL=.* diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 137b9593..c000d403 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
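Review bot: `auditctl -l | grep -c '-e 2'` does not test what its name says: the single argument `-e 2` is parsed by grep as option `-e` with the pattern ` 2`, so the count is of loaded rule lines containing a space followed by `2`, and `auditctl -l` lists rules rather than the enabled flag in any case. Use the status output, `auditctl -s | grep -c '^enabled 2'`, which reports `enabled 2` when the configuration is immutable, and keep the existing `failed_when` for rc 0/1. The consumers of `prelim_auditd_immutable_check` are outside the hunk, so anything else relying on `-l` output for this should be checked too.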
@@ -1,58 +1,57 @@ --- - name: "SECTION | 1.1.1 | Configure Filesystem Kernel Modules" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.1.1.x.yml - when: not system_is_container - name: "SECTION | 1.1.2.1 | Configure /tmp" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.1.2.1.x.yml - when: not system_is_container + - name: "SECTION | 1.1.2.2 | Configure /dev/shm" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.1.2.2.x.yml - when: not system_is_container - name: "SECTION | 1.1.2.3 | Configure /home" ansible.builtin.import_tasks: file: cis_1.1.2.3.x.yml - name: "SECTION | 1.1.2.4 | Configure /var" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.1.2.4.x.yml - when: not system_is_container - name: "SECTION | 1.1.2.5 | Configure /var/tmp" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.1.2.5.x.yml - when: not system_is_container - name: "SECTION | 1.1.2.6 | Configure /var/log" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.1.2.6.x.yml - when: not system_is_container - name: "SECTION | 1.1.2.7 | Configure /var/log/audit" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.1.2.7.x.yml - when: not system_is_container - name: "SECTION | 1.2.1 | Configure Package Repositories" ansible.builtin.import_tasks: file: cis_1.2.1.x.yml - when: not system_is_container - name: "SECTION | 1.2.2 | Configure Package Updates" ansible.builtin.import_tasks: file: cis_1.2.2.x.yml - when: not system_is_container - name: "SECTION | 1.3 | Configure AppArmor" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.3.1.x.yml - when: not system_is_container - name: "SECTION | 1.4 | Configure Bootloader" ansible.builtin.import_tasks: 
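Review bot: After this reshuffle the 1.1.2.3 /home section is the only 1.1.2.x mount section without `when: not system_is_container`, while 1.1.2.1, 1.1.2.2 and 1.1.2.4 through 1.1.2.7 all carry it. If that is deliberate, a one-line comment above the 1.1.2.3 entry saying so would stop the next reader from "fixing" it; otherwise the guard belongs there too. The guard is also removed from 1.2.1 and 1.2.2 without a mention in the commit message; apt repository and update tasks can run in a container, but the change in behaviour is worth a line in the description.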
@@ -61,7 +60,6 @@ - name: "SECTION | 1.5 | Configure Additional Process Hardening" ansible.builtin.import_tasks: file: cis_1.5.x.yml - when: not system_is_container - name: "SECTION | 1.6 | Command Line Warning Banners" ansible.builtin.import_tasks: From 6d534c79f56b8c58fbce1592d17f893024ef95e4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Nov 2024 09:26:31 +0000 Subject: [PATCH 090/135] updated lint and update Signed-off-by: Mark Bolwell --- .ansible-lint | 31 +++++++++++++++---------------- .pre-commit-config.yaml | 10 ++++------ .yamllint | 1 + 3 files changed, 20 insertions(+), 22 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index c7095e24..3090307c 100755 --- a/.ansible-lint +++ b/.ansible-lint @@ -3,21 +3,20 @@ parseable: true quiet: true skip_list: - - 'schema' - - 'no-changed-when' - - 'var-spacing' - - 'experimental' - - 'name[play]' - - 'name[casing]' - - 'name[template]' - - 'key-order[task]' - - 'yaml[line-length]' - - '204' - - '305' - - '303' - - '403' - - '306' - - '602' - - '208' + - 'schema' + - 'no-changed-when' + - 'var-spacing' + - 'experimental' + - 'name[play]' + - 'name[casing]' + - 'name[template]' + - 'key-order[task]' + - '204' + - '305' + - '303' + - '403' + - '306' + - '602' + - '208' use_default_rules: true verbosity: 0 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a679c82a..02c8ec33 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -2,8 +2,8 @@ ##### CI for use by github no need for action to be added ##### Inherited ci: - autofix_prs: false - skip: [detect-aws-credentials, ansible-lint ] + autofix_prs: false + skip: [detect-aws-credentials, ansible-lint ] repos: - repo: https://github.com/pre-commit/pre-commit-hooks 
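Review bot: Removing `when: not system_is_container` from the 1.5 import means the process-hardening tasks in cis_1.5.x.yml now run inside containers as well. That file is not in this view, but if it still writes sysctl values (the 1.5.x controls generally cover ASLR, ptrace scope and core-dump settings), those writes typically fail in an unprivileged container where /proc/sys is read-only. Either keep the guard here or confirm that each task in cis_1.5.x.yml is gated individually, and state which in the commit message.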
@@ -33,13 +33,11 @@ repos: rev: v1.5.0 hooks: - id: detect-secrets - args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks rev: v8.21.2 hooks: - id: gitleaks - args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint rev: v24.9.2 @@ -53,12 +51,12 @@ repos: # https://github.com/ansible/ansible-lint/issues/611 pass_filenames: false always_run: true - additional_dependencies: + # additional_dependencies: # https://github.com/pre-commit/pre-commit/issues/1526 # If you want to use specific version of ansible-core or ansible, feel # free to override `additional_dependencies` in your own hook config # file. - - ansible-core>=2.10.1 + # - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git rev: v1.35.1 # or higher tag diff --git a/.yamllint b/.yamllint index dff24572..d8eba416 100755 --- a/.yamllint +++ b/.yamllint @@ -11,6 +11,7 @@ ignore: | rules: indentation: + spaces: 2 # Requiring consistent indentation within a file, either indented or not indent-sequences: consistent braces: From 2c5c7a0939f93a9c30cc071c6477c9a05ed931e8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Nov 2024 09:27:55 +0000 Subject: [PATCH 091/135] variable naming and lint updates 
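Review bot: Dropping `--baseline .config/.secrets.baseline` from the detect-secrets hook and `--baseline-path .config/.gitleaks-report.json` from gitleaks changes what both scanners report, not just how they are wired: every finding those baseline files used to suppress will now fail the hook, and the baseline files become dead weight unless they are removed in the same change. The `# pragma: allowlist secret` comments added to defaults/main.yml in the following commit look like the replacement mechanism, which is a reasonable trade because inline allowlists are reviewed with the code, but the commit message should say that the baselines are retired so nobody regenerates them.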
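Review bot: Commenting out `additional_dependencies:` together with its `- ansible-core>=2.10.1` entry leaves the three explanatory comment lines between them describing a key that no longer exists, so the stanza now reads as instructions for overriding something that is disabled. Either delete the whole stanza or replace it with a single reason line, e.g. `# additional_dependencies intentionally unset; the ansible-lint hook supplies its own ansible-core`. Without the constraint the ansible-core version the v24.9.2 hook lints against is presumably whatever its own hook metadata resolves, which is acceptable for a lint pass but no longer reproducible from this file alone.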
Signed-off-by: Mark Bolwell --- collections/requirements.yml | 18 +- defaults/main.yml | 301 +++++++++++++++-------------- meta/main.yml | 46 ++--- site.yml | 7 +- tasks/main.yml | 2 +- tasks/parse_etc_password.yml | 26 +-- tasks/prelim.yml | 20 +- tasks/section_1/cis_1.2.1.x.yml | 4 +- tasks/section_1/cis_1.4.x.yml | 4 +- tasks/section_1/cis_1.7.x.yml | 75 +++---- tasks/section_1/main.yml | 5 +- tasks/section_2/cis_2.1.x.yml | 99 ++++------ tasks/section_2/cis_2.3.1.x.yml | 3 +- tasks/section_2/cis_2.3.2.x.yml | 6 +- tasks/section_2/cis_2.3.3.x.yml | 9 +- tasks/section_2/cis_2.4.1.x.yml | 24 +-- tasks/section_2/cis_2.4.2.x.yml | 3 +- tasks/section_2/main.yml | 6 +- tasks/section_3/cis_3.1.x.yml | 20 +- tasks/section_3/cis_3.2.x.yml | 12 +- tasks/section_3/cis_3.3.x.yml | 21 +- tasks/section_4/cis_4.1.x.yml | 17 +- tasks/section_4/cis_4.3.1.x.yml | 22 +-- tasks/section_4/cis_4.3.2.x.yml | 12 +- tasks/section_4/cis_4.3.3.x.yml | 15 +- tasks/section_5/cis_5.1.x.yml | 100 ++++------ tasks/section_5/cis_5.2.x.yml | 200 +++++++++---------- tasks/section_5/cis_5.3.3.1.x.yml | 18 +- tasks/section_5/cis_5.3.3.3.x.yml | 18 +- tasks/section_5/cis_5.3.3.4.x.yml | 28 +-- tasks/section_5/cis_5.4.1.x.yml | 58 +++--- tasks/section_6/cis_6.1.x.yml | 63 ++++-- tasks/section_6/cis_6.2.1.1.x.yml | 46 +++-- tasks/section_6/cis_6.2.1.2.x.yml | 2 +- tasks/section_6/cis_6.2.2.yml | 8 +- tasks/section_6/cis_6.3.1.x.yml | 28 ++- tasks/section_6/cis_6.3.2.x.yml | 17 +- tasks/section_6/cis_6.3.3.x.yml | 66 +++---- tasks/section_6/cis_6.3.4.x.yml | 56 ++---- tasks/section_6/main.yml | 16 +- tasks/section_7/cis_7.1.x.yml | 75 ++++--- tasks/section_7/cis_7.2.x.yml | 43 ++--- templates/audit/99_auditd.rules.j2 | 4 +- 43 files changed, 751 insertions(+), 872 deletions(-) diff --git a/collections/requirements.yml b/collections/requirements.yml index 8ebc6180..810c9afc 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml 
@@ -1,14 +1,14 @@ --- collections: - - name: community.general - source: https://github.com/ansible-collections/community.general - type: git + - name: community.general + source: https://github.com/ansible-collections/community.general + type: git - - name: community.crypto - source: https://github.com/ansible-collections/community.crypto - type: git + - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git - - name: ansible.posix - source: https://github.com/ansible-collections/ansible.posix - type: git + - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git diff --git a/defaults/main.yml b/defaults/main.yml index 7742fbdc..25369f52 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -34,7 +34,7 @@ ubtu22cis_disruption_high: true ## Unrestricted boot # Setting this variable to false enables the system to # boot *without* querying for the bootloader password. -ubtu22cis_ask_passwd_to_boot: false +ubtu22cis_ask_passwd_to_boot: false # pragma: allowlist secret ## Usage on containerized images # The role discovers dynamically (in tasks/main.yml) whether it @@ -596,10 +596,10 @@ ubtu22cis_ipv4_required: true # This variable governs whether ipv6 is enabled or disabled. ubtu22cis_ipv6_required: false -## Desktop requirement toggle # This variable governs, whether CIS rules regarding GDM # and X-Windows are carried out. -ubtu22cis_desktop_required: false +## Graphical/Gnome interface required +ubtu22cis_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}" ## Purge apt packages # This will allow the purging of any packages that are marked to be removed 
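Review bot: Replacing `ubtu22cis_desktop_required` with `ubtu22cis_gui` renames a user-facing variable with no compatibility shim, so any inventory or extra-vars that set the old name are silently ignored and the GUI rules are now decided solely by whether `/usr/share/gnome/gnome-version.xml` exists. The same applies to the dictionary-to-flat conversions later in this file (`ubtu22cis_sshd` to `ubtu22cis_sshd_*`, `ubtu22cis_pass` to `ubtu22cis_pass_*`, `ubtu22cis_aide_init` and `ubtu22cis_aide_cron`): overrides of the old keys stop working without any error. A changelog entry listing old and new names, and ideally an assert in prelim that fails when a retired variable is still defined, would make the break visible; the `default(false)` keeps `ubtu22cis_gui` safe when prelim has not run, but a comment above it should say it is derived rather than a plain toggle, e.g. `# Derived from prelim_gnome_present; set a literal true/false to force it.`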
@@ -671,7 +671,7 @@ ubtu22cis_disable_dynamic_motd: true # This variable specifies the GNOME configuration database file to which configurations are written. # (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) # The default database is `local`. -ubtu22cis_dconf_db_name: local +ubtu22cis_dconf_db_name: "{{ prelim_dconf_db_user|default('local') }}" # This variable governs the number of seconds of inactivity before the screen goes blank. ubtu22cis_screensaver_idle_delay: 900 # This variable governs the number of seconds the screen remains blank before it is locked. @@ -693,20 +693,20 @@ ubtu22cis_time_sync_tool: "systemd-timesyncd" # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation # of the time synchronization mechanism you are using. ubtu22cis_time_pool: - - name: time.nist.gov - options: iburst maxsources 4 + - name: time.nist.gov + options: iburst maxsources 4 # The following variable represents a list of of time servers used # for configuring chrony and timesyncd # Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`. # The default setting for the `options` is `iburst` -- please refer to the documentation # of the time synchronization mechanism you are using. ubtu22cis_time_servers: - - name: time-a-g.nist.gov - options: iburst - - name: time-b-g.nist.gov - options: iburst - - name: time-c-g.nist.gov - options: iburst + - name: time-a-g.nist.gov + options: iburst + - name: time-b-g.nist.gov + options: iburst + - name: time-c-g.nist.gov + options: iburst ## ## Section 3 Control Variables 
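Review bot: `ubtu22cis_dconf_db_name` now reads `prelim_dconf_db_user`, but the only dconf fact registered in this series is `prelim_dconf_system_db` (tasks/prelim.yml in this same commit), so the expression always collapses to `'local'` and the new prelim discovery has no effect on this variable. If the intent is to pick up the discovered system-db, the value should be the command's stdout with the empty-result case covered: `ubtu22cis_dconf_db_name: "{{ prelim_dconf_system_db.stdout | default('local', true) }}"` (the second argument makes an empty string fall back to `local` as well). The comment above the variable should also say that it is now discovered at runtime rather than a static setting.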
@@ -759,9 +759,9 @@ ubtu22cis_ufw_use_sysctl: true # If you want to allow outbound traffic on all ports, set the variable to `all`, e.g., # `ubtu22cis_ufw_allow_out_ports: "all"`. ubtu22cis_ufw_allow_out_ports: - - 53 - - 80 - - 443 + - 53 + - 80 + - 443 ## Controls 4.2.x - nftables # Nftables is not supported in this role. Some tasks have parts of them commented out, this is one example 
@@ -785,86 +785,85 @@ ubtu22cis_sshd_default_client_alive_count_max: 3 # all Ciphers, KEX and Macs set to FIPS 140 # This will nee dto be adjusted according to your site requirements ubtu22cis_sshd_default_ciphers: - - aes256-gcm@openssh.com - - aes128-gcm@openssh.com - - aes256-ctr - - aes192-ctr - - aes128-ctr + - aes256-gcm@openssh.com + - aes128-gcm@openssh.com + - aes256-ctr + - aes192-ctr + - aes128-ctr ubtu22cis_sshd_default_macs: - - hmac-sha1 - - hmac-sha2-256 - # - hmac-sha2-384 # hashed out seen as bad ssh2 MAC - - hmac-sha2-512 + - hmac-sha1 + - hmac-sha2-256 + # - hmac-sha2-384 # hashed out seen as bad ssh2 MAC + - hmac-sha2-512 ubtu22cis_sshd_default_kex_algorithms: - - ecdh-sha2-nistp256 - - ecdh-sha2-nistp384 - - ecdh-sha2-nistp521 - - diffie-hellman-group-exchange-sha256 - - diffie-hellman-group16-sha512 - - diffie-hellman-group18-sha512 - - diffie-hellman-group14-sha256 - -ubtu22cis_sshd: - # This variable is used to control the verbosity of the logging produced by the SSH server. - # The options for setting it are as follows: - # - `QUIET`: Minimal logging; - # - `FATAL`: logs only fatal errors; - # - `ERROR`: logs error messages; - # - `INFO`: logs informational messages in addition to errors; - # - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges; - # - `DEBUG`: generates very detailed debugging information including sensitive information. - log_level: "{{ubtu22cis_sshd_default_log_level}}" - # This variable specifies the maximum number of authentication attempts that are - # allowed for a single SSH session. - max_auth_tries: "{{ubtu22cis_sshd_default_max_auth_tries}}" - # This variable specifies the encryption algorithms that can be used for securing - # data transmission. - ciphers: "{{ubtu22cis_sshd_default_ciphers}}" - # This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying - # the integrity of data exchanged. 
- macs: "{{ubtu22cis_sshd_default_macs}}" - # This variable is used to state the key exchange algorithms used to establish secure encryption - # keys during the initial connection setup. - kex_algorithms: "{{ubtu22cis_sshd_default_kex_algorithms}}" - # This variable sets the time interval in seconds between sending "keep-alive" - # messages from the server to the client. These types of messages are intended to - # keep the connection alive and prevent it being terminated due to inactivity. - client_alive_interval: "{{ubtu22cis_sshd_default_client_alive_interval}}" - # This variable sets the maximum number of unresponsive "keep-alive" messages - # that can be sent from the server to the client before the connection is considered - # inactive and thus, closed. - client_alive_count_max: "{{ubtu22cis_sshd_default_client_alive_count_max}}" - # This variable specifies the amount of seconds allowed for successful authentication to - # the SSH server. - login_grace_time: "{{ubtu22cis_sshd_default_login_grace_time}}" - # This variables is used to set the maximum number of open sessions per connection. - max_sessions: "{{ubtu22cis_sshd_default_max_sessions}}" - # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH - # access for users whose user name matches one of the patterns. This is done - # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. - # If an USER@HOST format will be used, the specified user will be allowed only on that particular host. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, see https://linux.die.net/man/5/sshd_config - allow_users: "" - # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access - # for users whose primary group or supplementary group list matches one of the patterns. 
This is done - # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, https://linux.die.net/man/5/sshd_config - allow_groups: "" - # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access - # for users whose user name matches one of the patterns. This is done - # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. - # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, see https://linux.die.net/man/5/sshd_config - deny_users: "" - # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access - # for users whose primary group or supplementary group list matches one of the patterns. This is done - # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, see https://linux.die.net/man/5/sshd_config - deny_groups: "" + - ecdh-sha2-nistp256 + - ecdh-sha2-nistp384 + - ecdh-sha2-nistp521 + - diffie-hellman-group-exchange-sha256 + - diffie-hellman-group16-sha512 + - diffie-hellman-group18-sha512 + - diffie-hellman-group14-sha256 + +# This variable is used to control the verbosity of the logging produced by the SSH server. +# The options for setting it are as follows: +# - `QUIET`: Minimal logging; +# - `FATAL`: logs only fatal errors; +# - `ERROR`: logs error messages; +# - `INFO`: logs informational messages in addition to errors; +# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges; +# - `DEBUG`: generates very detailed debugging information including sensitive information. 
+ubtu22cis_sshd_log_level: "{{ubtu22cis_sshd_default_log_level}}" +# This variable specifies the maximum number of authentication attempts that are +# allowed for a single SSH session. +ubtu22cis_sshd_max_auth_tries: "{{ubtu22cis_sshd_default_max_auth_tries}}" +# This variable specifies the encryption algorithms that can be used for securing +# data transmission. +ubtu22cis_sshd_ciphers: "{{ubtu22cis_sshd_default_ciphers}}" +# This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying +# the integrity of data exchanged. +ubtu22cis_sshd_macs: "{{ubtu22cis_sshd_default_macs}}" +# This variable is used to state the key exchange algorithms used to establish secure encryption +# keys during the initial connection setup. +ubtu22cis_sshd_kex_algorithms: "{{ubtu22cis_sshd_default_kex_algorithms}}" +# This variable sets the time interval in seconds between sending "keep-alive" +# messages from the server to the client. These types of messages are intended to +# keep the connection alive and prevent it being terminated due to inactivity. +ubtu22cis_sshd_client_alive_interval: "{{ubtu22cis_sshd_default_client_alive_interval}}" +# This variable sets the maximum number of unresponsive "keep-alive" messages +# that can be sent from the server to the client before the connection is considered +# inactive and thus, closed. +ubtu22cis_sshd_client_alive_count_max: "{{ubtu22cis_sshd_default_client_alive_count_max}}" +# This variable specifies the amount of seconds allowed for successful authentication to +# the SSH server. +ubtu22cis_sshd_login_grace_time: "{{ubtu22cis_sshd_default_login_grace_time}}" +# This variables is used to set the maximum number of open sessions per connection. +ubtu22cis_sshd_max_sessions: "{{ubtu22cis_sshd_default_max_sessions}}" +# This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH +# access for users whose user name matches one of the patterns. 
This is done +# by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. +# If an USER@HOST format will be used, the specified user will be allowed only on that particular host. +# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, see https://linux.die.net/man/5/sshd_config +ubtu22cis_sshd_allow_users: "" +# (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access +# for users whose primary group or supplementary group list matches one of the patterns. This is done +# by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. +# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, https://linux.die.net/man/5/sshd_config +ubtu22cis_sshd_allow_groups: "" +# This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access +# for users whose user name matches one of the patterns. This is done +# by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. +# If an USER@HOST format will be used, the specified user will be restricted only on that particular host. +# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, see https://linux.die.net/man/5/sshd_config +ubtu22cis_sshd_deny_users: "" +# This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access +# for users whose primary group or supplementary group list matches one of the patterns. This is done +# by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. +# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, see https://linux.die.net/man/5/sshd_config +ubtu22cis_sshd_deny_groups: "" ## Control 5.2.1 # This variable represents the name of the sudo package to install 
@@ -983,23 +982,22 @@ ubtu22cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowli ubtu22cis_pamd_pwhistory_remember: 24 ## Controls 5.4.1.x - Password settings -ubtu22cis_pass: - ## Control 5.4.1.1 - # This variable governs after how many days a password expires. - # CIS requires a value of 365 or less. - max_days: 365 - ## Control 5.4.1.2 - # This variable specifies the minimum number of days allowed between changing passwords. - # CIS requires a value of at least 1. - min_days: 1 - ## Control 5.5.1.3 - # This variable governs, how many days before a password expires, the user will be warned. - # CIS requires a value of at least 7. - warn_age: 7 - ## Control 5.4.1.5 - # This variable specifies the number of days of inactivity before an account will be locked. - # CIS requires a value of 45 days or less. - inactive: 45 +## Control 5.4.1.1 +# This variable governs after how many days a password expires. +# CIS requires a value of 365 or less. +ubtu22cis_pass_max_days: 365 +## Control 5.4.1.2 +# This variable specifies the minimum number of days allowed between changing passwords. +# CIS requires a value of at least 1. +ubtu22cis_pass_min_days: 1 +## Control 5.5.1.3 +# This variable governs, how many days before a password expires, the user will be warned. +# CIS requires a value of at least 7. +ubtu22cis_pass_warn_age: 7 +## Control 5.4.1.5 +# This variable specifies the number of days of inactivity before an account will be locked. +# CIS requires a value of 45 days or less. +ubtu22cis_pass_inactive: 45 # 5.4.2.6 root umask ubtu22cis_root_umask: '0027' # 0027 or more restrictive 
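Review bot: The header above `ubtu22cis_pass_warn_age` reads `## Control 5.5.1.3`, which looks like a slip for `5.4.1.3` given the surrounding 5.4.1.1, 5.4.1.2 and 5.4.1.5 labels. It was carried over from the old `ubtu22cis_pass` dict, but the flattening is the natural place to correct it; suggested: `## Control 5.4.1.3`.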
@@ -1007,7 +1005,7 @@ ubtu22cis_root_umask: '0027' # 0027 or more restrictive # ubtu22cis_passwd_hash_algo is the hashing algorithm used ubtu22cis_passwd_hash_algo: yescrypt # pragma: allowlist secret # Set pam as well as login defs if PAM is required -ubtu22cis_passwd_setpam_hash_algo: false +ubtu22cis_passwd_setpam_hash_algo: false # pragma: allowlist secret ## Control 5.4.3 - Default user mask # The following variable specifies the "umask" to set in the `/etc/bash.bashrc` and `/etc/profile`. @@ -1039,13 +1037,22 @@ ubtu22cis_shell_session_file: /etc/profile.d/tmout.sh # By setting this variable to `true`, all of the settings related to AIDE will be applied! ubtu22cis_config_aide: true +# If DB file older than below will automatically rebuild DB +# e.g. options:1w = 1 week, 1d = 1day 1h = 1 hour +ubtu22cis_aide_db_file_age: 1w + +# If aide already setup this forces a new DB to be created +ubtu22cis_aide_db_recreate: false + +# allows to change db file, not config need to be adjusted too +ubtu22cis_aide_db_file: /var/lib/aide/aide.db + ## When Initializing aide this can take longer on some systems # changing the values enables user to change to thier own requirements -ubtu22cis_aide_init: - # Maximum Time in seconds - async: 45 - # Polling Interval in seconds - poll: 0 +# Maximum Time in seconds +ubtu22cis_aide_init_async: 600 +# Polling Interval in seconds +ubtu22cis_aide_init_poll: 15 ## Control 6.1.2 # Set how aide is scanned either cron or timer 
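Review bot: `ubtu22cis_aide_init_async` and `ubtu22cis_aide_init_poll` change the defaults from 45/0 to 600/15, which turns the AIDE initialisation from fire-and-forget (poll 0) into a blocking wait of up to ten minutes per host; that is a behaviour change users will notice and should be called out in the changelog rather than arriving inside a rename. The comment on `ubtu22cis_aide_db_file` (`allows to change db file, not config need to be adjusted too`) is hard to parse; suggest `# Path of the AIDE database. If changed, the database path in aide.conf must be updated to match.` The unit hint would also read better as `# e.g. 1w = 1 week, 1d = 1 day, 1h = 1 hour`, and since the task that consumes `ubtu22cis_aide_db_file_age` is not shown here, confirm it accepts that unit syntax.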
@@ -1055,36 +1062,36 @@ ubtu22cis_aide_scan: cron # the cron job on the target system. # Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled # and executed automatically at a certain point in time. -ubtu22cis_aide_cron: - # This variable represents the user account under which the cron job for AIDE will run. - cron_user: root - # This variable represents the path to the AIDE crontab file. - cron_file: /etc/cron.d/aide_cron - # This variable represents the actual command or script that the cron job - # will execute for running AIDE. - aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check' - # These variables define the schedule for the cron job - # This variable governs the minute of the time of day when the AIDE cronjob is run. - # It must be in the range `0-59`. - aide_minute: 0 - # This variable governs the hour of the time of day when the AIDE cronjob is run. - # It must be in the range `0-23`. - aide_hour: 5 - # This variable governs the day of the month when the AIDE cronjob is run. - # `*` signifies that the job is run on all days; furthermore, specific days - # can be given in the range `1-31`; several days can be concatenated with a comma. - # The specified day(s) can must be in the range `1-31`. - aide_day: '*' - # This variable governs months when the AIDE cronjob is run. - # `*` signifies that the job is run in every month; furthermore, specific months - # can be given in the range `1-12`; several months can be concatenated with commas. - # The specified month(s) can must be in the range `1-12`. - aide_month: '*' - # This variable governs the weekdays, when the AIDE cronjob is run. - # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays - # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays - # can be concatenated with commas. - aide_weekday: '*' + +# This variable represents the user account under which the cron job for AIDE will run. 
+ubtu22cis_aide_cron_user: root +# This variable represents the path to the AIDE crontab file. +ubtu22cis_aide_cron_file: /etc/cron.d/aide_cron +# This variable represents the actual command or script that the cron job +# will execute for running AIDE. +ubtu22cis_aide_cron_job: '/usr/bin/aide --config /etc/aide/aide.conf --check' +# These variables define the schedule for the cron job +# This variable governs the minute of the time of day when the AIDE cronjob is run. +# It must be in the range `0-59`. +ubtu22cis_aide_cron_minute: 0 +# This variable governs the hour of the time of day when the AIDE cronjob is run. +# It must be in the range `0-23`. +ubtu22cis_aide_cron_hour: 5 +# This variable governs the day of the month when the AIDE cronjob is run. +# `*` signifies that the job is run on all days; furthermore, specific days +# can be given in the range `1-31`; several days can be concatenated with a comma. +# The specified day(s) can must be in the range `1-31`. +ubtu22cis_aide_cron_day: '*' +# This variable governs months when the AIDE cronjob is run. +# `*` signifies that the job is run in every month; furthermore, specific months +# can be given in the range `1-12`; several months can be concatenated with commas. +# The specified month(s) can must be in the range `1-12`. +ubtu22cis_aide_cron_month: '*' +# This variable governs the weekdays, when the AIDE cronjob is run. +# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays +# can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays +# can be concatenated with commas. +ubtu22cis_aide_cron_weekday: '*' ## Controls 6.2.1.x journald @@ -1137,7 +1144,7 @@ ubtu22cis_allow_auditd_uid_user_exclusions: false # add a list of uids ubtu22cis_auditd_uid_exclude: - - 1999 + - 1999 ## Control 6.3.1.4 - Ensure audit_backlog_limit is sufficient # This variable represents the audit backlog limit, i.e., the maximum number of audit records that the 
diff --git a/meta/main.yml b/meta/main.yml index 514dc705..059d32f9 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,28 +1,28 @@ --- galaxy_info: - author: "George Nalen, Mark Bolwell, and DFed" - description: "Apply the Ubuntu 22 CIS benchmarks" - company: "MindPoint Group" - license: MIT - namespace: mindpointgroup - role_name: ubuntu22_cis - min_ansible_version: 2.12.1 - platforms: - - name: Ubuntu - versions: - - jammy - galaxy_tags: - - system - - security - - cis - - hardening - - benchmark - - compliance - - complianceascode - - ubuntu22 + author: George Nalen, Mark Bolwell, and DFed + description: Apply the Ubuntu 22 CIS benchmarks + company: MindPoint Group + license: MIT + namespace: mindpointgroup + role_name: ubuntu22_cis + min_ansible_version: 2.12.1 + platforms: + - name: Ubuntu + versions: + - jammy + galaxy_tags: + - system + - security + - cis + - hardening + - benchmark + - compliance + - complianceascode + - ubuntu22 collections: - - community.general - - community.crypto - - ansible.posix + - community.general + - community.crypto + - ansible.posix dependencies: [] diff --git a/site.yml b/site.yml index 0358dc36..f3f0fae7 100644 --- a/site.yml +++ b/site.yml @@ -1,8 +1,7 @@ --- -- hosts: all +- name: Apply ansible-lockdown hardening + hosts: all become: true - roles: - - - role: "{{ playbook_dir }}" + - role: "{{ playbook_dir }}" diff --git a/tasks/main.yml b/tasks/main.yml index 779c2038..c67abf25 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -132,7 +132,7 @@ - ubtu22cis_section5 or ubtu22cis_section6 or ubtu22cis_section7 - tags: always + tags: always ansible.builtin.import_tasks: file: parse_etc_password.yml diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index d06e1806..2c9c9ee7 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml 
@@ -17,17 +17,17 @@ with_items: "{{ ubtu22cis_passwd_file_audit.stdout_lines }}" vars: ld_passwd_regex: >- - ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) + ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) ld_passwd_yaml: | # pragma: allowlist secret - id: >-4 - \g - password: >-4 - \g - uid: \g - gid: \g - gecos: >-4 - \g - dir: >-4 - \g - shell: >-4 - \g + id: >-4 + \g + password: >-4 + \g + uid: \g + gid: \g + gecos: >-4 + \g + dir: >-4 + \g + shell: >-4 + \g diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1902ef31..06b5271b 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -96,6 +96,19 @@ ansible.builtin.package: update_cache: true +- name: PRELIM | Discover Gnome Desktop Environment + tags: always + ansible.builtin.stat: + path: /usr/share/gnome/gnome-version.xml + register: prelim_gnome_present + +- name: PRELIM | Discover dconf systemdb + when: ubtu22cis_gui + ansible.builtin.shell: grep system-db /etc/dconf/profile/user | cut -d ':' -f2 + changed_when: false + failed_when: ubtu22cis_dconf_db.rc not in [ 0, 1 ] + register: prelim_dconf_system_db + - name: PRELIM | AUDIT | Wireless adapter pre-requisites when: - ubtu22cis_rule_3_1_2 @@ -105,13 +118,13 @@ - name: PRELIM | AUDIT | Discover is wirelss adapter on system ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless changed_when: false - failed_when: prelim_wireless_adapters.rc not in [ 0, 1 ] - register: prelim_wireless_adapters + failed_when: prelim_wireless_adapters_exist.rc not in [ 0, 1 ] + register: prelim_wireless_adapters_exist - name: PRELIM | PATCH | Install Network-Manager | if wireless adapter present when: - ubtu22cis_install_network_manager - - prelim_wireless_adapters.rc == 0 + - prelim_wireless_adapters_exist.rc == 0 - "'network-manager' not in ansible_facts.packages" ansible.builtin.package: name: network-manager 
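Review bot: The new `PRELIM | Discover dconf systemdb` task registers `prelim_dconf_system_db` but its `failed_when` tests `ubtu22cis_dconf_db.rc`, a variable nothing defines, so on any host where `ubtu22cis_gui` is true the task errors on an undefined variable before the result can be used; it should read `failed_when: prelim_dconf_system_db.rc not in [ 0, 1 ]`. The task also lacks the `tags: always` that the gnome discovery task directly above it carries, so a tag-filtered run would skip the discovery while the 1.7.x tasks that consume it still run. Finally, `grep system-db /etc/dconf/profile/user | cut -d ':' -f2` can return several lines or nothing at all, so consumers should use `.stdout | default('local', true)` (or the first of `.stdout_lines`) rather than interpolating the raw result.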
@@ -144,7 +157,6 @@ check_mode: false register: prelim_sudoers_files - - name: PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x when: - ubtu22cis_rule_5_3_3_2_1 or diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index e5ba8dc7..1acd79b0 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml @@ -17,7 +17,7 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_1_2_1_1_apt_gpgkeys + register: discovered_apt_gpgkeys - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" ansible.builtin.debug: @@ -25,7 +25,7 @@ - "Warning!! Below are the apt gpg keys configured" - "Please review to make sure they are configured" - "in accordance with site policy" - - "{{ ubtu22cis_1_2_1_1_apt_gpgkeys.stdout_lines }}" + - "{{ discovered_apt_gpgkeys.stdout_lines }}" - name: "1.2.1.1 | WARN | Ensure GPG keys are configured | warn_count" ansible.builtin.import_tasks: diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index d889d894..a216185b 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -42,10 +42,10 @@ ansible.builtin.stat: path: "{{ ubtu22cis_grub_file }}" check_mode: false - register: ubtu22cis_1_4_2_grub_cfg_status + register: discovered_grub_cfg_status - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | Set permissions" - when: ubtu22cis_1_4_2_grub_cfg_status.stat.exists + when: discovered_grub_cfg_status.stat.exists ansible.builtin.file: path: "{{ ubtu22cis_grub_file }}" owner: root diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 5d11b1f9..ad16cfb1 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml 
@@ -16,9 +16,7 @@ state: absent - name: "1.7.2 | PATCH | Ensure GDM login banner is configured" - when: - - ubtu22cis_rule_1_7_2 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_2 tags: - level1-server - level1-workstation @@ -28,7 +26,7 @@ block: - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | make directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" owner: root group: root mode: '0755' @@ -36,7 +34,7 @@ - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | banner settings" ansible.builtin.lineinfile: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-login-screen" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-login-screen" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" @@ -51,9 +49,7 @@ notify: Update dconf - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled" - when: - - ubtu22cis_rule_1_7_3 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_3 tags: - level1-server - level1-workstation @@ -69,12 +65,12 @@ mode: '0755' state: directory loop: - - /etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d + - /etc/dconf/db/{{ prelim_dconf_system_db }}.d - /etc/dconf/profile - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | disable-user-list setting login-screen" ansible.builtin.lineinfile: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-login-screen" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-login-screen" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" 
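Review bot: Every path in these hunks interpolates `{{ prelim_dconf_system_db }}`, which per tasks/prelim.yml is a registered shell result (a mapping with rc, stdout and so on), not the database name, so `/etc/dconf/db/{{ prelim_dconf_system_db }}.d` renders the mapping's string form rather than `/etc/dconf/db/NAME.d`; the same substitution recurs in the remaining 1.7.x hunks (1.7.3 through 1.7.9) and in the `system-db:` profile entries. It should be `prelim_dconf_system_db.stdout` throughout, and guarded against an empty stdout (grep found no `system-db:` line), which would otherwise create `/etc/dconf/db/.d`. Dropping `ubtu22cis_desktop_required` from each task's `when` is only safe because section_1/main.yml now gates the whole file on `ubtu22cis_gui`.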
@@ -88,7 +84,7 @@ - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | disable-user-list setting profile" ansible.builtin.lineinfile: - path: "/etc/dconf/profile/{{ ubtu22cis_dconf_db_name }}" + path: "/etc/dconf/profile/{{ prelim_dconf_system_db }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" @@ -98,14 +94,12 @@ mode: '0644' loop: - { regexp: '^user-db:user', line: 'user-db:user', insertafter: EOF } - - { regexp: '^system-db:{{ ubtu22cis_dconf_db_name }}', line: 'system-db:{{ ubtu22cis_dconf_db_name }}', insertafter: 'user-db:user'} - - { regexp: '^file-db:/usr/share/gdm/greeter-dconf-defaults', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults', insertafter: 'system-db:{{ ubtu22cis_dconf_db_name }}'} + - { regexp: '^system-db:{{ prelim_dconf_system_db }}', line: 'system-db:{{ prelim_dconf_system_db }}', insertafter: 'user-db:user'} + - { regexp: '^file-db:/usr/share/gdm/greeter-dconf-defaults', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults', insertafter: 'system-db:{{ prelim_dconf_system_db }}'} notify: Update dconf - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle" - when: - - ubtu22cis_rule_1_7_4 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_4 tags: - level1-server - level1-workstation 
@@ -115,18 +109,18 @@ block: - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | session profile" ansible.builtin.lineinfile: - path: "/etc/dconf/profile/{{ ubtu22cis_dconf_db_name }}" + path: "/etc/dconf/profile/{{ prelim_dconf_system_db }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.after | default(omit) }}" create: true loop: - { regexp: 'user-db:user', line: 'user-db:user' } - - { regexp: 'system-db:{{ ubtu22cis_dconf_db_name }}', line: 'system-db:{{ ubtu22cis_dconf_db_name }}', after: '^user-db.*' } + - { regexp: 'system-db:{{ prelim_dconf_system_db }}', line: 'system-db:{{ prelim_dconf_system_db }}', after: '^user-db.*' } - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | make directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" owner: root group: root mode: '0755' @@ -136,16 +130,14 @@ - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | session script" ansible.builtin.template: src: etc/dconf/db/00-screensaver.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-screensaver" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-screensaver" owner: root group: root mode: '0644' notify: Update dconf - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden" - when: - - ubtu22cis_rule_1_7_5 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_5 tags: - level1-server - level1-workstation @@ -155,7 +147,7 @@ block: - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks" owner: root group: root mode: '0755' 
@@ -165,16 +157,14 @@ - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lockfile" ansible.builtin.template: src: etc/dconf/db/00-screensaver_lock.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-screensaver" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks/00-screensaver" owner: root group: root mode: '0644' notify: Update dconf - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" - when: - - ubtu22cis_rule_1_7_6 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_6 tags: - level1-server - level2-workstation @@ -184,7 +174,7 @@ block: - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | make directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" owner: root group: root mode: '0755' @@ -194,16 +184,14 @@ - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | session script" ansible.builtin.template: src: etc/dconf/db/00-media-automount.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-media-automount" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-media-automount" owner: root group: root mode: '0644' notify: Update dconf - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" - when: - - ubtu22cis_rule_1_7_7 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_7 tags: - level1-server - level2-workstation @@ -213,7 +201,7 @@ block: - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lock directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks" owner: root group: root mode: '0755' 
@@ -223,16 +211,14 @@ - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lockfile" ansible.builtin.template: src: etc/dconf/db/00-automount_lock.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-automount_lock" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks/00-automount_lock" owner: root group: root mode: '0644' notify: Update dconf - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled" - when: - - ubtu22cis_rule_1_7_8 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_8 tags: - level1-server - level2-workstation @@ -242,7 +228,7 @@ block: - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled | make directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" owner: root group: root mode: '0755' @@ -252,16 +238,15 @@ - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled | session script" ansible.builtin.template: src: etc/dconf/db/00-media-autorun.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-media-autorun" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-media-autorun" owner: root group: root mode: '0644' notify: Update dconf - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden" - when: - - ubtu22cis_rule_1_7_9 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_9 + tags: - level1-server - level2-workstation @@ -271,7 +256,7 @@ block: - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden | make lock directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks" owner: root group: root mode: '0755' 
@@ -281,7 +266,7 @@ - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden | make lockfile" ansible.builtin.template: src: etc/dconf/db/00-autorun_lock.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-autorun_lock" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks/00-autorun_lock" owner: root group: root mode: '0644' diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index c000d403..e9f3f54b 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -10,7 +10,6 @@ ansible.builtin.import_tasks: file: cis_1.1.2.1.x.yml - - name: "SECTION | 1.1.2.2 | Configure /dev/shm" when: not system_is_container ansible.builtin.import_tasks: @@ -66,8 +65,6 @@ file: cis_1.6.x.yml - name: "SECTION | 1.7 | Configure DNOME Display Manager" - when: - - "'gdm3' in ansible_facts.packages" - - not system_is_container + when: ubtu22cis_gui ansible.builtin.import_tasks: file: cis_1.7.x.yml diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index a6dd7ee5..c3856db4 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -3,7 +3,6 @@ - name: "2.1.1 | PATCH | Ensure autofs services are not in use" when: - ubtu22cis_rule_2_1_1 - - "'autofs' in ansible_facts.packages" tags: - level1-server - level2-workstation @@ -23,16 +22,15 @@ when: - not ubtu22cis_autofs_services - ubtu22cis_autofs_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: autofs enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use" - when: - - ubtu22cis_rule_2_1_2 + when: ubtu22cis_rule_2_1_2 tags: - level1-server - level2-workstation @@ -56,7 +54,6 @@ when: - not ubtu22cis_avahi_server - ubtu22cis_avahi_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false 
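Review bot: The new `when: ubtu22cis_gui` on the SECTION 1.7 import drops the previous `not system_is_container` guard, so unless `ubtu22cis_gui` is derived from the container check elsewhere (not visible here), the GDM/dconf tasks in cis_1.7.x.yml now run inside containers where they were deliberately skipped before. If that is unintended, keep both: `when: ubtu22cis_gui and not system_is_container`. The task name's "DNOME" typo on the context line could be fixed in the same pass (`Configure GNOME Display Manager`).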
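Review bot: Removing `'autofs' in ansible_facts.packages` from the 2.1.1 `when` means the block is now evaluated on hosts without the package, and its mask subtask (`@@ -23,16 +22,15 @@`) runs `ansible.builtin.systemd` with `state: stopped` against `autofs` whenever `ubtu22cis_autofs_mask` is set; the systemd module can fail when asked to stop a unit that does not exist, unless an inner task outside the hunk still checks the package. Either keep the package check on the block or add it to the mask subtask's own `when`.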
@@ -65,10 +62,10 @@ loop: - avahi-daemon.socket - avahi-daemon.service + notify: Systemd_daemon_reload - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use" - when: - - ubtu22cis_rule_2_1_3 + when: ubtu22cis_rule_2_1_3 tags: - level1-server - level1-workstation @@ -90,7 +87,6 @@ when: - not ubtu22cis_dhcp_server - ubtu22cis_dhcp_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -99,10 +95,10 @@ loop: - isc-dhcp-server.service - isc-dhcp-server6.service + notify: Systemd_daemon_reload - name: "2.1.4 | PATCH | Ensure dns server services are not in use" - when: - - ubtu22cis_rule_2_1_4 + when: ubtu22cis_rule_2_1_4 tags: - level1-server - level1-workstation @@ -124,16 +120,15 @@ when: - not ubtu22cis_dns_server - ubtu22cis_dns_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: named.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use" - when: - - ubtu22cis_rule_2_1_5 + when: ubtu22cis_rule_2_1_5 tags: - level1-server - level1-workstation @@ -155,16 +150,15 @@ when: - not ubtu22cis_dnsmasq_server - ubtu22cis_dnsmasq_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: dnsmasq.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.6 | PATCH | Ensure ftp server services are not in use" - when: - - ubtu22cis_rule_2_1_6 + when: ubtu22cis_rule_2_1_6 tags: - level1-server - level1-workstation @@ -187,16 +181,15 @@ when: - not ubtu22cis_ftp_server - ubtu22cis_ftp_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: vsftpd.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.7 | PATCH | Ensure ldap server services are not in use" - when: - - ubtu22cis_rule_2_1_7 + when: ubtu22cis_rule_2_1_7 tags: - level1-server - level1-workstation 
@@ -218,16 +211,15 @@ when: - not ubtu22cis_ldap_server - ubtu22cis_ldap_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: slapd.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.8 | PATCH | Ensure message access server services are not in use" - when: - - ubtu22cis_rule_2_1_8 + when: ubtu22cis_rule_2_1_8 tags: - level1-server - level1-workstation @@ -253,7 +245,6 @@ when: - not ubtu22cis_message_server - ubtu22cis_message_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -262,10 +253,10 @@ loop: - "dovecot.socket" - "dovecot.service" + notify: Systemd_daemon_reload - name: "2.1.9 | PATCH | Ensure network file system services are not in use" - when: - - ubtu22cis_rule_2_1_9 + when: ubtu22cis_rule_2_1_9 tags: - level1-server - level1-workstation @@ -288,16 +279,15 @@ when: - not ubtu22cis_nfs_server - ubtu22cis_nfs_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: nfs-server.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.10 | PATCH | Ensure nis server services are not in use" - when: - - ubtu22cis_rule_2_1_10 + when: ubtu22cis_rule_2_1_10 tags: - level1-server - level1-workstation @@ -325,10 +315,10 @@ enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.11 | PATCH | Ensure print server services are not in use" - when: - - ubtu22cis_rule_2_1_11 + when: ubtu22cis_rule_2_1_11 tags: - level1-server - patch @@ -349,7 +339,6 @@ when: - not ubtu22cis_print_server - ubtu22cis_print_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -358,10 +347,10 @@ loop: - "cups.socket" - "cups.service" + notify: Systemd_daemon_reload - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use" - when: - - ubtu22cis_rule_2_1_12 + when: ubtu22cis_rule_2_1_12 tags: - level1-server - level1-workstation 
@@ -383,7 +372,6 @@ when: - not ubtu22cis_rpc_server - ubtu22cis_rpc_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -392,10 +380,10 @@ loop: - rpcbind.service - rpcbind.socket + notify: Systemd_daemon_reload - name: "2.1.13 | PATCH | Ensure rsync services are not in use" - when: - - ubtu22cis_rule_2_1_13 + when: ubtu22cis_rule_2_1_13 tags: - level1-server - level1-workstation @@ -417,12 +405,12 @@ when: - not ubtu22cis_rsync_server - ubtu22cis_rsync_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: rsyncd.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.14 | PATCH | Ensure samba file server services are not in use" when: @@ -448,12 +436,12 @@ when: - not ubtu22cis_samba_server - ubtu22cis_samba_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: smbd.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.15 | PATCH | Ensure snmp services are not in use" when: @@ -480,16 +468,15 @@ when: - not ubtu22cis_snmp_server - ubtu22cis_snmp_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: snmpd.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.16 | PATCH | Ensure tftp server services are not in use" - when: - - ubtu22cis_rule_2_1_16 + when: ubtu22cis_rule_2_1_16 tags: - level1-server - level1-workstation @@ -511,16 +498,15 @@ when: - not ubtu22cis_tftp_server - ubtu22cis_tftp_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: tftpd-hpa.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use" - when: - - ubtu22cis_rule_2_1_17 + when: ubtu22cis_rule_2_1_17 tags: - level1-server - level1-workstation 
@@ -542,16 +528,15 @@ when: - not ubtu22cis_squid_server - ubtu22cis_squid_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: squid.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.18 | PATCH | Ensure web server services are not in use" - when: - - ubtu22cis_rule_2_1_18 + when: ubtu22cis_rule_2_1_18 tags: - level1-server - level1-workstation @@ -586,7 +571,6 @@ - not ubtu22cis_apache2_server - ubtu22cis_apache2_mask - "'apache2' in ansible_facts.packages" - notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -595,22 +579,22 @@ loop: - apache2.service - apache2.socket + notify: Systemd_daemon_reload - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service" when: - not ubtu22cis_nginx_server - ubtu22cis_nginx_mask - "'nginx' in ansible_facts.packages" - notify: Systemd_daemon_reload ansible.builtin.systemd: name: ngnix.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.19 | PATCH | Ensure xinetd services are not in use" - when: - - ubtu22cis_rule_2_1_19 + when: ubtu22cis_rule_2_1_19 tags: - level1-server - level1-workstation @@ -632,12 +616,12 @@ when: - not ubtu22cis_xinetd_server - ubtu22cis_xinetd_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: xinetd.service enabled: false masked: true state: stopped + notify: Systemd_daemon_reload - name: "2.1.20 | PATCH | Ensure X window server services are not in use" when: @@ -669,7 +653,6 @@ block: - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed" when: "'exim4' in ansible_facts.packages" - notify: Restart exim4 ansible.builtin.lineinfile: path: /etc/exim4/update-exim4.conf.conf regexp: "{{ item.regexp }}" 
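Review bot: The nginx mask subtask in `@@ -595,22 +579,22 @@` targets `name: ngnix.service` (a context line this commit leaves untouched), a unit that does not exist, so with `ubtu22cis_nginx_mask` set the 2.1.18 control is never applied to nginx and the task is likely to error on hosts where it runs; change it to `name: nginx.service`. The surrounding `notify` relocations are fine.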
@@ -686,6 +669,7 @@ - { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" } - { regexp: '^dc_mailname_in_oh', line: "dc_mailname_in_oh='true'" } - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" } + notify: Restart exim4 - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if postfix is installed" when: "'postfix' in ansible_facts.packages" @@ -712,8 +696,7 @@ file: warning_facts.yml - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface" - when: - - ubtu22cis_rule_2_1_22 + when: ubtu22cis_rule_2_1_22 tags: - level1-server - level1-workstation @@ -726,16 +709,16 @@ - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" ansible.builtin.shell: systemctl list-units --type=service changed_when: false - failed_when: ubtu22cis_2_1_22_services.rc not in [ 0, 1 ] + failed_when: discovered_list_of_services.rc not in [ 0, 1 ] check_mode: false - register: ubtu22cis_2_1_22_services + register: discovered_list_of_services - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Display list of services" ansible.builtin.debug: msg: - "Warning!! Below are the list of services, both active and inactive" - "Please review to make sure all are essential" - - "{{ ubtu22cis_2_1_22_services.stdout_lines }}" + - "{{ discovered_list_of_services.stdout_lines }}" - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Warn Count" ansible.builtin.import_tasks: diff --git a/tasks/section_2/cis_2.3.1.x.yml b/tasks/section_2/cis_2.3.1.x.yml index 44eb9ee3..5f6e1335 100644 --- a/tasks/section_2/cis_2.3.1.x.yml +++ b/tasks/section_2/cis_2.3.1.x.yml 
@@ -1,8 +1,7 @@ --- - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use" - when: - - ubtu22cis_rule_2_3_1_1 + when: ubtu22cis_rule_2_3_1_1 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.3.2.x.yml b/tasks/section_2/cis_2.3.2.x.yml index bce50669..fff911cb 100644 --- a/tasks/section_2/cis_2.3.2.x.yml +++ b/tasks/section_2/cis_2.3.2.x.yml @@ -1,8 +1,7 @@ --- - name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver" - when: - - ubtu22cis_rule_2_3_2_1 + when: ubtu22cis_rule_2_3_2_1 tags: - level1-server - level1-workstation @@ -30,8 +29,7 @@ notify: Restart timeservice - name: "2.3.2.2 | PATCH | Ensure systemd-timesyncd is enabled and running" - when: - - ubtu22cis_rule_2_3_2_2 + when: ubtu22cis_rule_2_3_2_2 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.3.3.x.yml b/tasks/section_2/cis_2.3.3.x.yml index f87d275a..1ed92caf 100644 --- a/tasks/section_2/cis_2.3.3.x.yml +++ b/tasks/section_2/cis_2.3.3.x.yml @@ -1,8 +1,7 @@ --- - name: "2.3.3.1 | PATCH | Ensure chrony is configured with authorized timeserver" - when: - - ubtu22cis_rule_2_3_3_1 + when: ubtu22cis_rule_2_3_3_1 tags: - level1-server - level1-workstation @@ -30,8 +29,7 @@ notify: Restart timeservice - name: "2.3.3.2 | PATCH | Ensure chrony is running as user _chrony" - when: - - ubtu22cis_rule_2_3_3_2 + when: ubtu22cis_rule_2_3_3_2 tags: - level1-server - level1-workstation @@ -44,8 +42,7 @@ line: 'user _chrony' - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running" - when: - - ubtu22cis_rule_2_3_3_3 + when: ubtu22cis_rule_2_3_3_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.4.1.x.yml b/tasks/section_2/cis_2.4.1.x.yml index bf4fe436..dc4a5736 100644 --- a/tasks/section_2/cis_2.4.1.x.yml +++ b/tasks/section_2/cis_2.4.1.x.yml 
@@ -1,8 +1,7 @@ --- - name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and running" - when: - - ubtu22cis_rule_2_4_1_1 + when: ubtu22cis_rule_2_4_1_1 tags: - level1-server - level1-workstation @@ -15,8 +14,7 @@ enabled: true - name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" - when: - - ubtu22cis_rule_2_4_1_2 + when: ubtu22cis_rule_2_4_1_2 tags: - level1-server - level1-workstation @@ -30,8 +28,7 @@ mode: '0600' - name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" - when: - - ubtu22cis_rule_2_4_1_3 + when: ubtu22cis_rule_2_4_1_3 tags: - level1-server - level1-workstation @@ -46,8 +43,7 @@ state: directory - name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" - when: - - ubtu22cis_rule_2_4_1_4 + when: ubtu22cis_rule_2_4_1_4 tags: - level1-server - level1-workstation @@ -62,8 +58,7 @@ state: directory - name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" - when: - - ubtu22cis_rule_2_4_1_5 + when: ubtu22cis_rule_2_4_1_5 tags: - level1-server - level1-workstation @@ -78,8 +73,7 @@ state: directory - name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" - when: - - ubtu22cis_rule_2_4_1_6 + when: ubtu22cis_rule_2_4_1_6 tags: - level1-server - level1-workstation @@ -94,8 +88,7 @@ state: directory - name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" - when: - - ubtu22cis_rule_2_4_1_7 + when: ubtu22cis_rule_2_4_1_7 tags: - level1-server - level1-workstation @@ -110,8 +103,7 @@ state: directory - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users" - when: - - ubtu22cis_rule_2_4_1_8 + when: ubtu22cis_rule_2_4_1_8 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.4.2.x.yml b/tasks/section_2/cis_2.4.2.x.yml index cd95e107..d22a311b 100644 --- a/tasks/section_2/cis_2.4.2.x.yml +++ b/tasks/section_2/cis_2.4.2.x.yml 
@@ -1,8 +1,7 @@ --- - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users" - when: - - - ubtu22cis_rule_2_4_2_1 + when: ubtu22cis_rule_2_4_2_1 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 03fccd34..06aa0b6e 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -13,14 +13,12 @@ file: cis_2.3.1.x.yml - name: "SECTION | 2.3.2.x | Configure systemd-timesyncd" - when: - - ubtu22cis_time_sync_tool == "systemd-timesyncd" + when: ubtu22cis_time_sync_tool == "systemd-timesyncd" ansible.builtin.import_tasks: file: cis_2.3.2.x.yml - name: "SECTION | 2.3.3.x | Configure Chrony" - when: - - ubtu22cis_time_sync_tool == "chrony" + when: ubtu22cis_time_sync_tool == "chrony" ansible.builtin.import_tasks: file: cis_2.3.3.x.yml diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index bf9d773d..3070ca08 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -17,7 +17,7 @@ path: /etc/default/grub regexp: '^(GRUB_CMDLINE_LINUX=.*)\bipv6\.disable=\d\b(.*$)' replace: '\1ipv6.disable=1\2' - register: ipv6disable_replaced + register: discovered_ipv6disable_replaced notify: Grub update - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Check grub cmdline linux" @@ -25,13 +25,13 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_3_1_1_cmdline_settings + register: discovered_grub_cmdline_settings - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Insert ipv6.disable if it doesn't exist" when: - ubtu22cis_ipv6_disable == 'grub' - - ipv6disable_replaced is not changed - - "'ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout" + - discovered_ipv6disable_replaced is not changed + - "'ipv6.disable' not in discovered_grub_cmdline_settings.stdout" ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^(GRUB_CMDLINE_LINUX=".*)"$' 
@@ -54,6 +54,7 @@ - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" when: - ubtu22cis_rule_3_1_2 + - prelim_wireless_adapters_exist tags: - level1-server - patch @@ -68,15 +69,15 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_3_1_2_wifi_status + register: discovered_wifi_status - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" when: - "'network-manager' in ansible_facts.packages" - - "'enabled' in ubtu22cis_3_1_2_wifi_status.stdout" + - "'enabled' in discovered_wifi_status.stdout" ansible.builtin.shell: nmcli radio all off - changed_when: ubtu22cis_3_1_2_nmcli_radio_off.rc == 0 - register: ubtu22cis_3_1_2_nmcli_radio_off + changed_when: discovered_nmcli_radio_off.rc == 0 + register: discovered_nmcli_radio_off - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" when: "'network-manager' not in ansible_facts.packages" @@ -89,8 +90,7 @@ file: warning_facts.yml - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use" - when: - - ubtu22cis_rule_3_1_3 + when: ubtu22cis_rule_3_1_3 tags: - level1-server - level2-workstation diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index c9c9e9ae..aaf050e5 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -1,8 +1,7 @@ --- - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available" - when: - - ubtu22cis_rule_3_2_1 + when: ubtu22cis_rule_3_2_1 tags: - level2-server - level2-workstation @@ -29,8 +28,7 @@ mode: '0600' - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available" - when: - - ubtu22cis_rule_3_2_2 + when: ubtu22cis_rule_3_2_2 tags: - level2-server - level2-workstation 
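Review bot: The added condition `- prelim_wireless_adapters_exist` in the 3.1.2 `when` tests a registered shell result, which is a non-empty mapping and therefore always truthy — including when the `find` in tasks/prelim.yml exited 1 because no wireless adapter is present — so it gates nothing. The prelim hunk itself uses `prelim_wireless_adapters_exist.rc == 0`; use the same here, and if the prelim task can be skipped (its own `when` list continues outside this view) prefer `- prelim_wireless_adapters_exist.rc | default(1) == 0`. The 3.1.2 task continues beyond this hunk.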
@@ -57,8 +55,7 @@ mode: '0600' - name: "3.2.3 | PATCH | Ensure rds kernel module is not available" - when: - - ubtu22cis_rule_3_2_3 + when: ubtu22cis_rule_3_2_3 tags: - level2-server - level2-workstation @@ -85,8 +82,7 @@ mode: '0600' - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available" - when: - - ubtu22cis_rule_3_2_4 + when: ubtu22cis_rule_3_2_4 tags: - level2-server - level2-workstation diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index c79e634f..cd22545d 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -62,8 +62,7 @@ notify: Flush ipv4 route table - name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored" - when: - - ubtu22cis_rule_3_3_3 + when: ubtu22cis_rule_3_3_3 tags: - level1-server - level1-workstation @@ -82,8 +81,7 @@ notify: Flush ipv4 route table - name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored" - when: - - ubtu22cis_rule_3_3_4 + when: ubtu22cis_rule_3_3_4 tags: - level1-server - level1-workstation @@ -102,8 +100,7 @@ notify: Flush ipv4 route table - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted" - when: - - ubtu22cis_rule_3_3_5 + when: ubtu22cis_rule_3_3_5 tags: - level1-server - level1-workstation @@ -142,8 +139,7 @@ notify: Flush ipv6 route table - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted" - when: - - ubtu22cis_rule_3_3_6 + when: ubtu22cis_rule_3_3_6 tags: - level1-server - level1-workstation @@ -165,8 +161,7 @@ notify: Flush ipv4 route table - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - when: - - ubtu22cis_rule_3_3_7 + when: ubtu22cis_rule_3_3_7 tags: - level1-server - level1-workstation @@ -229,8 +224,7 @@ notify: Flush ipv6 route table - name: "3.3.9 | PATCH | Ensure suspicious packets are logged" - when: - - ubtu22cis_rule_3_3_9 + when: ubtu22cis_rule_3_3_9 tags: - level1-server - level1-workstation 
@@ -252,8 +246,7 @@ notify: Flush ipv4 route table - name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled" - when: - - ubtu22cis_rule_3_3_10 + when: ubtu22cis_rule_3_3_10 tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index 9c69f929..d69b3f83 100644 --- a/tasks/section_4/cis_4.1.x.yml +++ b/tasks/section_4/cis_4.1.x.yml @@ -92,8 +92,7 @@ notify: Reload ufw - name: "4.1.5 | PATCH | Ensure ufw outbound connections are configured" - when: - - ubtu22cis_rule_4_1_5 + when: ubtu22cis_rule_4_1_5 tags: - level1-server - level1-workstation @@ -119,8 +118,7 @@ notify: Reload ufw - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports" - when: - - ubtu22cis_rule_4_1_6 + when: ubtu22cis_rule_4_1_6 tags: - level1-server - level1-workstation @@ -135,14 +133,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_1_6_open_listen_ports + register: discovered_list_open_listen_ports - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules" ansible.builtin.shell: ufw status changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_1_6_firewall_rules + register: discovered_firewall_rules - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings" ansible.builtin.debug: 
@@ -150,17 +148,16 @@ - "Warning!! Below are the listening ports and firewall rules" - "Please create firewall rule for any open ports if not already done" - "*****---Open Listen Ports---*****" - - "{{ ubtu22cis_4_1_6_open_listen_ports.stdout_lines }}" + - "{{ discovered_list_open_listen_ports.stdout_lines }}" - "*****---Firewall Rules---*****" - - "{{ ubtu22cis_4_1_6_firewall_rules.stdout_lines }}" + - "{{ discovered_firewall_rules.stdout_lines }}" - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: file: warning_facts.yml - name: "4.1.7 | PATCH | Ensure ufw default deny firewall policy" - when: - - ubtu22cis_rule_4_1_7 + when: ubtu22cis_rule_4_1_7 tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.3.1.x.yml b/tasks/section_4/cis_4.3.1.x.yml index 434391dd..19391011 100644 --- a/tasks/section_4/cis_4.3.1.x.yml +++ b/tasks/section_4/cis_4.3.1.x.yml @@ -84,11 +84,11 @@ ansible.builtin.iptables: policy: DROP chain: "{{ item }}" - notify: Iptables persistent with_items: - INPUT - FORWARD - OUTPUT + notify: Iptables persistent - name: "4.3.1.2 | PATCH | Ensure iptables loopback traffic is configured" when: @@ -144,7 +144,6 @@ match: state ctstate: '{{ item.ctstate }}' jump: ACCEPT - notify: Iptables persistent with_items: - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } @@ -152,6 +151,7 @@ - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } + notify: Iptables persistent - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" when: 
@@ -170,14 +170,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_1_4_open_ports + register: discovered_open_ports_list - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" ansible.builtin.shell: iptables -L INPUT -v -n changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_1_4_current_rules + register: discovered_current_iptables_rules - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: @@ -185,9 +185,9 @@ - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - - "{{ ubtu22cis_4_3_1_4_open_ports.stdout_lines }}" + - "{{ discovered_open_ports_list.stdout_lines }}" - "Current Rules:" - - "{{ ubtu22cis_4_3_1_4_current_rules.stdout_lines }}" + - "{{ discovered_current_iptables_rules.stdout_lines }}" - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: @@ -322,7 +322,6 @@ ctstate: '{{ item.ctstate }}' jump: ACCEPT ip_version: ipv6 - notify: Ip6tables persistent loop: - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } @@ -330,6 +329,7 @@ - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } + notify: Ip6tables persistent - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" when: 
@@ -351,14 +351,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_1_4_open_ports + register: discovered_open_ports_list - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" ansible.builtin.shell: ip6tables -L INPUT -v -n changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_1_4_current_rules + register: discovered_current_iptables_rules - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: @@ -366,9 +366,9 @@ - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - - "{{ ubtu22cis_4_3_1_4_open_ports.stdout_lines }}" + - "{{ discovered_open_ports_list.stdout_lines }}" - "Current Rules:" - - "{{ ubtu22cis_4_3_1_4_current_rules.stdout_lines }}" + - "{{ discovered_current_iptables_rules.stdout_lines }}" - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: diff --git a/tasks/section_4/cis_4.3.2.x.yml b/tasks/section_4/cis_4.3.2.x.yml index 89f30d5c..fdd940c6 100644 --- a/tasks/section_4/cis_4.3.2.x.yml +++ b/tasks/section_4/cis_4.3.2.x.yml @@ -41,11 +41,11 @@ ansible.builtin.iptables: policy: DROP chain: "{{ item }}" - notify: Iptables persistent loop: - INPUT - FORWARD - OUTPUT + notify: Iptables persistent - name: "4.3.2.2 | PATCH | Ensure iptables loopback traffic is configured" when: @@ -101,7 +101,6 @@ match: state ctstate: '{{ item.ctstate }}' jump: ACCEPT - notify: Iptables persistent with_items: - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } 
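Review bot: The ip6tables audit in this hunk registers its results under the same names the iptables audit earlier in the file uses (`discovered_open_ports_list`, `discovered_current_iptables_rules`), so the second name now describes ip6tables output and the iptables result is silently overwritten. Each block only reads its own variable immediately, so behaviour is unaffected, but the naming misleads and differs from cis_4.3.3.x.yml, which uses `discovered_list_ip6tables_open_ports` / `discovered_ip6tables_current_rules`. Consider `register: discovered_ip6tables_open_ports_list` and `register: discovered_current_ip6tables_rules` here and in the debug task in the following hunk.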
@@ -109,6 +108,7 @@ - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } + notify: Iptables persistent - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" when: @@ -129,14 +129,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_1_4_open_ports + register: discovered_list_open_ports - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" ansible.builtin.shell: iptables -L INPUT -v -n changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_2_4_current_rules + register: discovered_current_iptables_rules - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: @@ -144,9 +144,9 @@ - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - - "{{ ubtu22cis_4_3_2_4_open_ports.stdout_lines }}" + - "{{ discovered_list_open_ports.stdout_lines }}" - "Current Rules:" - - "{{ ubtu22cis_4_3_2_4_current_rules.stdout_lines }}" + - "{{ discovered_current_iptables_rules.stdout_lines }}" - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: diff --git a/tasks/section_4/cis_4.3.3.x.yml b/tasks/section_4/cis_4.3.3.x.yml index 4078a72b..730ba293 100644 --- a/tasks/section_4/cis_4.3.3.x.yml +++ b/tasks/section_4/cis_4.3.3.x.yml @@ -1,8 +1,7 @@ --- - name: "4.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy" - when: - - ubtu22cis_rule_4_3_3_1 + when: ubtu22cis_rule_4_3_3_1 tags: - level1-server - level1-workstationå 
@@ -33,11 +32,11 @@ policy: DROP chain: "{{ item }}" ip_version: ipv6 - notify: Ip6tables persistent loop: - INPUT - FORWARD - OUTPUT + notify: Ip6tables persistent - name: "4.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured" when: @@ -95,7 +94,6 @@ ctstate: '{{ item.ctstate }}' jump: ACCEPT ip_version: ipv6 - notify: Ip6tables persistent loop: - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } @@ -103,6 +101,7 @@ - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } + notify: Ip6tables persistent - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" when: @@ -122,14 +121,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_3_4_open_ports + register: discovered_list_ip6tables_open_ports - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" ansible.builtin.shell: ip6tables -L INPUT -v -n changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_3_4_current_rules + register: discovered_ip6tables_current_rules - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: @@ -137,9 +136,9 @@ - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - - "{{ ubtu22cis_4_3_3_4_open_ports.stdout_lines }}" + - "{{ discovered_list_ip6tables_open_ports.stdout_lines }}" - "Current Rules:" - - "{{ ubtu22cis_4_3_3_4_current_rules.stdout_lines }}" + - "{{ discovered_ip6tables_current_rules.stdout_lines }}" - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: 
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 35bb5647..dad495ac 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -1,8 +1,7 @@ --- - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" - when: - - ubtu22cis_rule_5_1_1 + when: ubtu22cis_rule_5_1_1 tags: - level1-server - level1-workstation @@ -16,8 +15,7 @@ mode: '0600' - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured" - when: - - ubtu22cis_rule_5_1_2 + when: ubtu22cis_rule_5_1_2 tags: - level1-server - level1-workstation @@ -29,7 +27,7 @@ ansible.builtin.find: paths: /etc/ssh patterns: 'ssh_host_*_key' - register: ubtu22cis_5_1_2_ssh_host_priv_keys + register: discovered_ssh_host_priv_keys - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions" ansible.builtin.file: @@ -38,13 +36,12 @@ group: root mode: 'o-x,go-rwx' with_items: - - "{{ ubtu22cis_5_1_2_ssh_host_priv_keys.files }}" + - "{{ discovered_ssh_host_priv_keys.files }}" loop_control: label: "{{ item.path }}" - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured" - when: - - ubtu22cis_rule_5_1_3 + when: ubtu22cis_rule_5_1_3 tags: - level1-server - level1-workstation @@ -56,7 +53,7 @@ ansible.builtin.find: paths: /etc/ssh patterns: 'ssh_host_*_key.pub' - register: ubtu22cis_5_1_3_ssh_host_pub_keys + register: discovered_ssh_host_pub_keys - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" ansible.builtin.file: @@ -65,13 +62,12 @@ group: root mode: '0644' with_items: - - "{{ ubtu22cis_5_1_3_ssh_host_pub_keys.files }}" + - "{{ discovered_ssh_host_pub_keys.files }}" loop_control: label: "{{ item.path }}" - name: "5.1.4 | PATCH | Ensure sshd access is configured" - when: - - ubtu22cis_rule_5_1_4 + when: ubtu22cis_rule_5_1_4 tags: - level1-server - level1-workstation 
@@ -84,7 +80,7 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^AllowUsers|^#AllowUsers' - line: 'AllowUsers {{ ubtu22cis_sshd.allow_users }}' + line: 'AllowUsers {{ ubtu22cis_sshd_allow_users }}' validate: 'sshd -t -f %s' notify: Restart sshd @@ -93,7 +89,7 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^AllowGroups|^#AllowGroups' - line: 'AllowGroups {{ ubtu22cis_sshd.allow_groups }}' + line: 'AllowGroups {{ ubtu22cis_sshd_allow_groups }}' validate: 'sshd -t -f %s' notify: Restart sshd @@ -102,7 +98,7 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^DenyUsers|^#DenyUsers' - line: 'DenyUsers {{ ubtu22cis_sshd.deny_users }} ' + line: 'DenyUsers {{ ubtu22cis_sshd_deny_users }} ' validate: 'sshd -t -f %s' notify: Restart sshd @@ -111,13 +107,12 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^DenyGroups|^#DenyGroups' - line: 'DenyGroups {{ ubtu22cis_sshd.deny_groups }}' + line: 'DenyGroups {{ ubtu22cis_sshd_deny_groups }}' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.5| PATCH | Ensure sshd Banner is configured" - when: - - ubtu22cis_rule_5_1_5 + when: ubtu22cis_rule_5_1_5 tags: - level1-server - level1-workstation @@ -133,8 +128,7 @@ notify: Restart sshd - name: "5.1.6 | PATCH | Ensure only strong Ciphers are used" - when: - - ubtu22cis_rule_5_1_6 + when: ubtu22cis_rule_5_1_6 tags: - level1-server - level1-workstation 
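Review bot: `line: 'DenyUsers {{ ubtu22cis_sshd_deny_users }} '` keeps a trailing space from the old line, unlike the AllowUsers, AllowGroups and DenyGroups lines in the same hunk; drop it so the rendered directive is `DenyUsers {{ ubtu22cis_sshd_deny_users }}`. If any of the four variables expands empty the directive is written with no argument, which `sshd -t` may reject and fail the task; the `when:` guarding these tasks is outside the hunk, so I cannot tell whether an empty value is already excluded.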
@@ -144,14 +138,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^Ciphers|^#Ciphers' - line: "Ciphers {{ ubtu22cis_sshd.ciphers | default(ubtu22cis_sshd_default_ciphers) | join(',') }}" + line: "Ciphers {{ ubtu22cis_sshd_ciphers | default(ubtu22cis_sshd_default_ciphers) | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.7 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured" - when: - - ubtu22cis_rule_5_1_7 + when: ubtu22cis_rule_5_1_7 tags: - level1-server - level1-workstation @@ -164,13 +157,12 @@ line: "{{ item.line }}" validate: 'sshd -t -f %s' with_items: - - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu22cis_sshd.client_alive_interval | default(ubtu22cis_sshd_default_client_alive_interval) }}' } - - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu22cis_sshd.client_alive_count_max | default(ubtu22cis_sshd_default_client_alive_count_max) }}' } + - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu22cis_sshd_client_alive_interval | default(ubtu22cis_sshd_default_client_alive_interval) }}' } + - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu22cis_sshd_client_alive_count_max | default(ubtu22cis_sshd_default_client_alive_count_max) }}' } notify: Restart sshd - name: "5.1.8 | PATCH | Ensure sshd DisableForwarding is enabled" - when: - - ubtu22cis_rule_5_1_8 + when: ubtu22cis_rule_5_1_8 tags: - level2-server - level1-workstation @@ -185,8 +177,7 @@ notify: Restart sshd - name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is is disabled" - when: - - ubtu22cis_rule_5_1_9 + when: ubtu22cis_rule_5_1_9 tags: - level2-server - level1-workstation 
@@ -201,8 +192,7 @@ notify: Restart sshd - name: "5.1.10 | PATCH | Ensure SSH HostbasedAuthentication is disabled" - when: - - ubtu22cis_rule_5_1_10 + when: ubtu22cis_rule_5_1_10 tags: - level1-server - level1-workstation @@ -217,8 +207,7 @@ notify: Restart sshd - name: "5.1.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" - when: - - ubtu22cis_rule_5_1_11 + when: ubtu22cis_rule_5_1_11 tags: - level1-server - level1-workstation @@ -233,8 +222,7 @@ notify: Restart sshd - name: "5.1.12 | PATCH | Ensure only strong Key Exchange algorithms are used" - when: - - ubtu22cis_rule_5_1_12 + when: ubtu22cis_rule_5_1_12 tags: - level1-server - level1-workstation @@ -244,14 +232,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^KexAlgorithms|^#KexAlgorithms' - line: "KexAlgorithms {{ ubtu22cis_sshd.kex_algorithms | default(ubtu22cis_sshd_default_kex_algorithms) | join(',') }}" + line: "KexAlgorithms {{ ubtu22cis_sshd_kex_algorithms | default(ubtu22cis_sshd_default_kex_algorithms) | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.13 | PATCH | Ensure SSH LoginGraceTime is configured" - when: - - ubtu22cis_rule_5_1_13 + when: ubtu22cis_rule_5_1_13 tags: - level1-server - level1-workstation @@ -261,14 +248,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^LoginGraceTime|^#LoginGraceTime' - line: 'LoginGraceTime {{ ubtu22cis_sshd.login_grace_time | default(ubtu22cis_sshd_default_login_grace_time) }}' + line: 'LoginGraceTime {{ ubtu22cis_sshd_login_grace_time | default(ubtu22cis_sshd_default_login_grace_time) }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.14 | PATCH | Ensure SSH LogLevel is configured" - when: - - ubtu22cis_rule_5_1_14 + when: ubtu22cis_rule_5_1_14 tags: - level1-server - level1-workstation 
@@ -278,14 +264,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^LogLevel|^#LogLevel' - line: 'LogLevel {{ ubtu22cis_sshd.log_level | default(ubtu22cis_sshd_default_log_level) }}' + line: 'LogLevel {{ ubtu22cis_sshd_log_level | default(ubtu22cis_sshd_default_log_level) }}' insertafter: '^# Logging' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.15 | PATCH | Ensure only strong MAC algorithms are used" - when: - - ubtu22cis_rule_5_1_15 + when: ubtu22cis_rule_5_1_15 tags: - level1-server - level1-workstation @@ -295,14 +280,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^MACs|^#MACs' - line: "MACs {{ ubtu22cis_sshd.macs | default(ubtu22cis_sshd_default_macs) | join(',') }}" + line: "MACs {{ ubtu22cis_sshd_macs | default(ubtu22cis_sshd_default_macs) | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" - when: - - ubtu22cis_rule_5_1_16 + when: ubtu22cis_rule_5_1_16 tags: - level1-server - level1-workstation @@ -312,14 +296,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^MaxAuthTries|^#MaxAuthTries' - line: 'MaxAuthTries {{ ubtu22cis_sshd.max_auth_tries | default(ubtu22cis_sshd_default_max_auth_tries) }}' + line: 'MaxAuthTries {{ ubtu22cis_sshd_max_auth_tries | default(ubtu22cis_sshd_default_max_auth_tries) }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.17 | PATCH | Ensure sshd MaxSessions is configured" - when: - - ubtu22cis_rule_5_1_17 + when: ubtu22cis_rule_5_1_17 tags: - level1-server - level1-workstation 
@@ -329,14 +312,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^MaxSessions|^#MaxSessions' - line: 'MaxSessions {{ ubtu22cis_sshd.max_sessions | default(ubtu22cis_sshd_default_max_sessions) }}' + line: 'MaxSessions {{ ubtu22cis_sshd_max_sessions | default(ubtu22cis_sshd_default_max_sessions) }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.18 | PATCH | Ensure SSH MaxStartups is configured" - when: - - ubtu22cis_rule_5_1_18 + when: ubtu22cis_rule_5_1_18 tags: - level1-server - level1-workstation @@ -351,8 +333,7 @@ notify: Restart sshd - name: "5.1.19 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" - when: - - ubtu22cis_rule_5_1_19 + when: ubtu22cis_rule_5_1_19 tags: - level1-server - level1-workstation @@ -368,8 +349,7 @@ notify: Restart sshd - name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled" - when: - - ubtu22cis_rule_5_1_20 + when: ubtu22cis_rule_5_1_20 tags: - level1-server - level1-workstation @@ -384,8 +364,7 @@ notify: Restart sshd - name: "5.1.21 | PATCH | Ensure SSH PermitUserEnvironment is disabled" - when: - - ubtu22cis_rule_5_1_21 + when: ubtu22cis_rule_5_1_21 tags: - level1-server - level1-workstation @@ -400,8 +379,7 @@ notify: Restart sshd - name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled" - when: - - ubtu22cis_rule_5_1_22 + when: ubtu22cis_rule_5_1_22 tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 33434d4b..27cdb15e 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml 
@@ -1,139 +1,131 @@ --- - name: "5.2.1 | PATCH | Ensure sudo is installed" - when: - - ubtu22cis_rule_5_2_1 + when: ubtu22cis_rule_5_2_1 tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.1 - - sudo + - level1-server + - level1-workstation + - patch + - rule_5.2.1 + - sudo ansible.builtin.package: - name: "{{ ubtu22cis_sudo_package }}" - state: present + name: "{{ ubtu22cis_sudo_package }}" + state: present - name: "5.2.2 | PATCH | Ensure sudo commands use pty" - when: - - ubtu22cis_rule_5_2_2 + when: ubtu22cis_rule_5_2_2 tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.2 - - sudo + - level1-server + - level1-workstation + - patch + - rule_5.2.2 + - sudo ansible.builtin.lineinfile: - path: /etc/sudoers - regexp: '^Defaults\s+use_' - line: 'Defaults use_pty' - insertafter: '^\s*Defaults' + path: /etc/sudoers + regexp: '^Defaults\s+use_' + line: 'Defaults use_pty' + insertafter: '^\s*Defaults' - name: "5.2.3 | PATCH | Ensure sudo log file exists" - when: - - ubtu22cis_rule_5_2_3 + when: ubtu22cis_rule_5_2_3 tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.3 - - sudo + - level1-server + - level1-workstation + - patch + - rule_5.2.3 + - sudo ansible.builtin.lineinfile: - path: /etc/sudoers - regexp: '^Defaults\s+logfile' - line: 'Defaults logfile="{{ ubtu22cis_sudo_logfile }}"' - insertafter: '^\s*Defaults' + path: /etc/sudoers + regexp: '^Defaults\s+logfile' + line: 'Defaults logfile="{{ ubtu22cis_sudo_logfile }}"' + insertafter: '^\s*Defaults' - name: "5.2.4 | PATCH | Ensure users must provide password for escalation" - when: - - ubtu22cis_rule_5_2_4 + when: ubtu22cis_rule_5_2_4 tags: - - level2-server - - level2-workstation - - patch - - sudo - - rule_5.2.4 + - level2-server + - level2-workstation + - patch + - sudo + - rule_5.2.4 ansible.builtin.replace: - path: "{{ item }}" - regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' - replace: '\1PASSWD\2' - validate: '/usr/sbin/visudo 
-cf %s' + path: "{{ item }}" + regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' + replace: '\1PASSWD\2' + validate: '/usr/sbin/visudo -cf %s' loop: "{{ prelim_sudoers_files.stdout_lines }}" - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" - when: - - ubtu22cis_rule_5_2_5 + when: ubtu22cis_rule_5_2_5 tags: - - level1-server - - level1-workstation - - patch - - sudo - - rule_5.2.5 + - level1-server + - level1-workstation + - patch + - sudo + - rule_5.2.5 ansible.builtin.replace: - path: "{{ item }}" - regexp: '^([^#].*)!authenticate(.*)' - replace: '\1authenticate\2' - validate: '/usr/sbin/visudo -cf %s' + path: "{{ item }}" + regexp: '^([^#].*)!authenticate(.*)' + replace: '\1authenticate\2' + validate: '/usr/sbin/visudo -cf %s' loop: "{{ prelim_sudoers_files.stdout_lines }}" - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly" - when: - - ubtu22cis_rule_5_2_6 + when: ubtu22cis_rule_5_2_6 tags: - - level1-server - - level1-workstation - - patch - - sudo - - rule_5.2.6 + - level1-server + - level1-workstation + - patch + - sudo + - rule_5.2.6 block: - - name: "5.2.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set" - ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort - changed_when: false - failed_when: false - register: ubtu22cis_5_2_6_timeout_files + - name: "5.2.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set" + ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + changed_when: false + failed_when: false + register: discovered_timeout_files - - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" - when: ubtu22cis_5_2_6_timeout_files.stdout | length == 0 - ansible.builtin.lineinfile: 
- path: /etc/sudoers - regexp: '^\s*Defaults/s+timestamp_timeout=' - line: "Defaults timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" - insertafter: '^\s*Defaults' - validate: '/usr/sbin/visudo -cf %s' + - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" + when: discovered_timeout_files.stdout | length == 0 + ansible.builtin.lineinfile: + path: /etc/sudoers + regexp: '^\s*Defaults/s+timestamp_timeout=' + line: "Defaults timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" + insertafter: '^\s*Defaults' + validate: '/usr/sbin/visudo -cf %s' - - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" - when: ubtu22cis_5_2_6_timeout_files.stdout | length > 0 - ansible.builtin.replace: - path: "{{ item }}" - regexp: 'timestamp_timeout=(\d+)' - replace: "timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" - validate: '/usr/sbin/visudo -cf %s' - loop: "{{ ubtu22cis_5_2_6_timeout_files.stdout_lines }}" + - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" + when: discovered_timeout_files.stdout | length > 0 + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'timestamp_timeout=(\d+)' + replace: "timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" + validate: '/usr/sbin/visudo -cf %s' + loop: "{{ discovered_timeout_files.stdout_lines }}" - name: "5.2.7 | PATCH | Ensure access to the su command is restricted" - when: - - ubtu22cis_rule_5_2_7 + when: ubtu22cis_rule_5_2_7 tags: - - level1-server - - level1-workstation - - patch - - sudo - - rule_5.2.7 + - level1-server + - level1-workstation + - patch + - sudo + - rule_5.2.7 block: - - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists" - ansible.builtin.group: - name: "{{ ubtu22cis_sugroup }}" - state: present - register: ubtu22cis_5_2_7_sugroup + - name: "5.2.7 | PATCH | Ensure 
access to the su command is restricted | Ensure sugroup exists" + ansible.builtin.group: + name: "{{ ubtu22cis_sugroup }}" + state: present - - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group" - ansible.builtin.lineinfile: - path: /etc/group - regexp: '^{{ ubtu22cis_sugroup }}(:.:.*:).*$' - line: '{{ ubtu22cis_sugroup }}\g<1>' - backrefs: true + - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group" + ansible.builtin.lineinfile: + path: /etc/group + regexp: '^{{ ubtu22cis_sugroup }}(:.:.*:).*$' + line: '{{ ubtu22cis_sugroup }}\g<1>' + backrefs: true - - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" - ansible.builtin.lineinfile: - path: /etc/pam.d/su - regexp: '^(#)?auth\s+required\s+pam_wheel\.so' - line: 'auth required pam_wheel.so use_uid group={{ ubtu22cis_sugroup }}' + - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" + ansible.builtin.lineinfile: + path: /etc/pam.d/su + regexp: '^(#)?auth\s+required\s+pam_wheel\.so' + line: 'auth required pam_wheel.so use_uid group={{ ubtu22cis_sugroup }}' diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml index 0b753028..a97f5cf6 100644 --- a/tasks/section_5/cis_5.3.3.1.x.yml +++ b/tasks/section_5/cis_5.3.3.1.x.yml 
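Review bot: 5.2.2 and 5.2.3 edit /etc/sudoers with `ansible.builtin.lineinfile` but carry no `validate:`, while 5.2.4, 5.2.5 and 5.2.6 in the same hunk validate with visudo; a malformed Defaults line written without a syntax check can leave sudo unusable on the host, so add `validate: '/usr/sbin/visudo -cf %s'` to both. In 5.2.4 the Jinja conditional sits inside a bracket expression, so on EC2 hosts `[^#|ec2-user]` is a character class that skips any line whose first character is one of `# | e c 2 - u s r` (e.g. an entry for `ubuntu` or `root`) rather than the literal `ec2-user` entry; a negative lookahead such as `regexp: '^(?!#{% if system_is_ec2 %}|ec2-user{% endif %})(.*)NOPASSWD(.*)'` expresses the intent. In 5.2.6 "Set value if no results" the `regexp: '^\s*Defaults/s+timestamp_timeout='` has `/s+` where `\s+` is meant, so it never matches an existing line; harmless today because the task only runs when grep found none, but it should read `regexp: '^\s*Defaults\s+timestamp_timeout='`.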
@@ -20,12 +20,12 @@ - name: "5.3.3.1.1 | AUDIT | Ensure password failed attempts lockout is configured | discover pam config with deny" ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?deny\b' /usr/share/pam-configs/* - register: ubtu22cis_faillock_deny_files changed_when: false - failed_when: ubtu22cis_faillock_deny_files.rc not in [ 0, 1 ] + failed_when: discovered_faillock_deny_files.rc not in [ 0, 1 ] + register: discovered_faillock_deny_files - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files" - when: ubtu22cis_faillock_deny_files.stdout | length > 0 + when: discovered_faillock_deny_files.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)' @@ -54,12 +54,12 @@ - name: "5.3.3.1.2 | AUDIT | Ensure password unlock time is configured | discover pam config with unlock_time" ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?unlock_time\b' /usr/share/pam-configs/* - register: ubtu22cis_faillock_unlock_files + register: discovered_faillock_unlock_files changed_when: false - failed_when: ubtu22cis_faillock_unlock_files.rc not in [ 0, 1 ] + failed_when: discovered_faillock_unlock_files.rc not in [ 0, 1 ] - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files" - when: ubtu22cis_faillock_unlock_files.stdout | length > 0 + when: discovered_faillock_unlock_files.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)' 
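Review bot: The `ansible.builtin.replace` regexps in both hunks begin with `(*.pam_faillock.so\s*)`, which Python's `re` appears to reject with "nothing to repeat" (a `*` directly after `(`), so the PATCH task would error out whenever the AUDIT task above it finds a file; the intended pattern is presumably `regexp: '(.*pam_faillock\.so\s*)deny\s*=\s*\d+\b(.*)'` and likewise for the unlock_time variant. The same construct appears in the 5.3.3.1.3 hunk that follows. Placing `register:` after the `failed_when:` that references it is fine, since Ansible evaluates `failed_when` after the result is registered, though 5.3.3.1.2 keeps the opposite order.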
@@ -88,12 +88,12 @@ - name: "5.3.3.1.3 | AUDIT | Ensure password failed attempts lockout includes root account | discover pam config with unlock_time" ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)' /usr/share/pam-configs/* - register: ubtu22cis_faillock_rootlock_files changed_when: false - failed_when: ubtu22cis_faillock_rootlock_files.rc not in [ 0, 1 ] + failed_when: discovered_faillock_rootlock_files.rc not in [ 0, 1 ] + register: discovered_faillock_rootlock_files - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files" - when: ubtu22cis_faillock_rootlock_files.stdout | length > 0 + when: discovered_faillock_rootlock_files.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)' diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml index d5d0c8d0..84bf0489 100644 --- a/tasks/section_5/cis_5.3.3.3.x.yml +++ b/tasks/section_5/cis_5.3.3.3.x.yml 
@@ -13,12 +13,12 @@ block: - name: "5.3.3.3.1 | AUDIT | Ensure password history remember is configured | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?remember=\d+\b' /etc/pam.d/common-password - register: ubtu22_pwhistory_remember + register: discovered_pwhistory_remember changed_when: false - failed_when: ubtu22_pwhistory_remember.rc not in [0, 1] + failed_when: discovered_pwhistory_remember.rc not in [0, 1] - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set" - when: ubtu22_pwhistory_remember.stdout | length > 0 + when: discovered_pwhistory_remember.stdout | length > 0 ansible.builtin.lineinfile: path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(remember=\d+) @@ -39,12 +39,12 @@ block: - name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/common-password - register: ubtu22_pwhistory_enforce_for_root + register: discovered_pwhistory_remember changed_when: false - failed_when: ubtu22_pwhistory_enforce_for_root.rc not in [0, 1] + failed_when: discovered_pwhistory_remember.rc not in [0, 1] - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure remember is set" - when: ubtu22_pwhistory_enforce_for_root.stdout | length > 0 + when: discovered_pwhistory_remember.stdout | length > 0 ansible.builtin.lineinfile: path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(enforce_for_root) 
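Review bot: In the 5.3.3.3.2 hunk the enforce_for_root check is registered as `discovered_pwhistory_remember`, the same name the 5.3.3.3.1 remember check uses, so the two audits overwrite each other's result and the name no longer says what was tested; use `register: discovered_pwhistory_enforce_for_root` and update its `failed_when`/`when` lines to match. Each task reads only its own value immediately, so behaviour is unaffected today, but any later task reading the variable would get the wrong file list. The PATCH task names ("Ensure password number of changed characters is configured", "Ensure remember is set") also describe other rules; consider aligning them with the AUDIT names above them.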
@@ -65,12 +65,12 @@ block: - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password - register: ubtu22_pwhistory_use_authtok + register: discovered_pwhistory_use_authtok changed_when: false - failed_when: ubtu22_pwhistory_use_authtok.rc not in [0, 1] + failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1] - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure remember is set" - when: ubtu22_pwhistory_use_authtok.stdout | length > 0 + when: discovered_pwhistory_use_authtok.stdout | length > 0 ansible.builtin.lineinfile: path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok) diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml index dc1ea0ce..6dae89ca 100644 --- a/tasks/section_5/cis_5.3.3.4.x.yml +++ b/tasks/section_5/cis_5.3.3.4.x.yml @@ -14,16 +14,16 @@ - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | capture state" ansible.builtin.shell: grep -E "pam_unix.so.*nullok" /etc/pam.d/common-* /usr/share/pam-configs/* | cut -d ':' -f1 | uniq changed_when: false - failed_when: ubtu22cis_pam_nullok.rc not in [ 0, 1 ] - register: ubtu22cis_pam_nullok + failed_when: discovered_pam_nullok.rc not in [ 0, 1 ] + register: discovered_pam_nullok - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Ensure nullok removed" - when: ubtu22cis_pam_nullok.stdout | length > 0 + when: discovered_pam_nullok.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: nullok replace: '' - loop: "{{ ubtu22cis_pam_nullok.stdout_lines }}" + loop: "{{ discovered_pam_nullok.stdout_lines }}" notify: Pam_auth_update_pwunix - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember" 
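Review bot: In the 5.3.3.4.1 hunk the replacement `regexp: nullok` is unanchored, so if any listed file still carries the legacy `nullok_secure` spelling (the grep `pam_unix.so.*nullok` would return it) the edit leaves `_secure` behind as an option pam_unix does not recognise; `regexp: '\bnullok(_secure)?\b'` removes either form cleanly. The enclosing block and its `when:` start outside this hunk.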
@@ -39,11 +39,11 @@ - name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state" ansible.builtin.shell: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} | grep -Pv -- '\bremember=\d\b' changed_when: false - failed_when: ubtu22cis_pam_remember.rc not in [ 0, 1 ] - register: ubtu22cis_pam_remember + failed_when: discovered_pam_remember.rc not in [ 0, 1 ] + register: discovered_pam_remember - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Ensure remember removed" - when: ubtu22cis_pam_remember.stdout | length > 0 + when: discovered_pam_remember.stdout | length > 0 ansible.builtin.replace: path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" regexp: remember=\d+ @@ -63,11 +63,11 @@ - name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state" ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?("{{ ubtu22cis_passwd_hash_algo }}")\b' /etc/pam.d/common-password changed_when: false - failed_when: ubtu22cis_pam_pwhash.rc not in [ 0, 1 ] - register: ubtu22cis_pam_pwhash + failed_when: discovered_pam_pwhash.rc not in [ 0, 1 ] + register: discovered_pam_pwhash - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Ensure hash algorithm set" - when: ubtu22cis_pam_remember.stdout | length > 0 + when: discovered_pam_remember.stdout | length > 0 ansible.builtin.replace: path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)" 
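Review bot: In the 5.3.3.4.3 hunk the PATCH task is gated on `when: discovered_pam_remember.stdout | length > 0`, the result of the 5.3.3.4.2 remember audit, while the audit directly above it registers `discovered_pam_pwhash`; the rename carried the old mismatch over. As written the hash-algorithm rewrite runs whenever the remember check found something, and would likely fail with an undefined variable if rule 5.3.3.4.2 is disabled. The intended line is presumably `when: discovered_pam_pwhash.stdout | length == 0` (rewrite only when the configured algorithm is absent), or `> 0` if the replace is meant to normalise an existing entry; the enclosing block starts outside the hunk so I cannot see the rule toggle.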
@@ -87,13 +87,13 @@ - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state" ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password changed_when: false - failed_when: ubtu22cis_pam_authtok.rc not in [ 0, 1 ] - register: ubtu22cis_pam_authtok + failed_when: discovered_pam_authtok.rc not in [ 0, 1 ] + register: discovered_pam_authtok - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | pam_files" when: - - ubtu22cis_pam_authtok is defined - - ubtu22cis_pam_authtok | length > 0 + - discovered_pam_authtok is defined + - discovered_pam_authtok | length > 0 ansible.builtin.lineinfile: path: "/etc/pam.d/common-password" regexp: ^(\s*password\s+[success=end.*]\s+pam_unix\.so)(.*)\s+use_authtok\s*=\s*\S+(.*$) diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index eb4070d3..a846ed8f 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml 
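Review bot: In the 5.3.3.4.4 pam_files task, `- discovered_pam_authtok | length > 0` applies `length` to the registered result mapping, not to its output, so it is true whenever the capture ran (a result dict always has keys) and the `is defined` check above it makes the second condition redundant. The condition should inspect the command output, `- discovered_pam_authtok.stdout | length > 0`, matching the pattern used by the neighbouring rules. The task body continues past the end of the hunk, so I cannot see the `line:` being written; if it is meant to add `use_authtok` when absent, the sense of the test may also need to be inverted.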
@@ -15,23 +15,23 @@ ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS' - line: 'PASS_MAX_DAYS {{ ubtu22cis_pass.max_days }}' + line: 'PASS_MAX_DAYS {{ ubtu22cis_pass_max_days }}' insertafter: '# Password aging controls' - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Get existing users PASS_MAX_DAYS" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu22cis_pass.max_days }} || $5<{{ ubtu22cis_pass.min_days }} || $5 == -1)){print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu22cis_pass_max_days }} || $5<{{ ubtu22cis_pass_min_days }} || $5 == -1)){print $1}' /etc/shadow" changed_when: false failed_when: false - register: ubtu22cis_max_days + register: discovered_max_days - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS" when: - ubtu22cis_disruption_high - (item != 'root') or (not ubtu22cis_uses_root) - ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass.max_days }} {{ item }} + ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass_max_days }} {{ item }} failed_when: false - changed_when: ubtu22cis_max_days.stdout | length > 0 - loop: "{{ ubtu22cis_max_days.stdout_lines }}" + changed_when: discovered_max_days.stdout | length > 0 + loop: "{{ discovered_max_days.stdout_lines }}" - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured" when: 
@@ -48,22 +48,22 @@ ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS' - line: 'PASS_MIN_DAYS {{ ubtu22cis_pass.min_days }}' + line: 'PASS_MIN_DAYS {{ ubtu22cis_pass_min_days }}' - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Get existing users PASS_MIN_DAYS" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu22cis_pass.min_days }})) {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu22cis_pass_min_days }})) {print $1}' /etc/shadow" changed_when: false failed_when: false - register: ubtu22cis_passwd_min_days + register: discovered_passwd_min_days - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Set existing users PASS_MIN_DAYS" when: - ubtu22cis_disruption_high - (item != 'root') or (not ubtu22cis_uses_root) - ansible.builtin.shell: chage --mindays {{ ubtu22cis_pass.min_days }} {{ item }} + ansible.builtin.shell: chage --mindays {{ ubtu22cis_pass_min_days }} {{ item }} failed_when: false - changed_when: ubtu22cis_passwd_min_days.stdout |length > 0 - loop: "{{ ubtu22cis_passwd_min_days.stdout_lines }}" + changed_when: discovered_passwd_min_days.stdout |length > 0 + loop: "{{ discovered_passwd_min_days.stdout_lines }}" - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured" when: 
@@ -80,22 +80,22 @@ ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE' - line: 'PASS_WARN_AGE {{ ubtu22cis_pass.warn_age }}' + line: 'PASS_WARN_AGE {{ ubtu22cis_pass_warn_age }}' - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Get existing users PASS_WARN_AGE" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu22cis_pass.warn_age }}){print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu22cis_pass_warn_age }}){print $1}' /etc/shadow" changed_when: false failed_when: false - register: ubtu22cis_passwd_warn_days + register: discovered_passwd_warn_days - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users PASS_WARN_AGE" when: - ubtu22cis_disruption_high - (item != 'root') or (not ubtu22cis_uses_root) - ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass.warn_age }} {{ item }} + ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass_warn_age }} {{ item }} failed_when: false - changed_when: ubtu22cis_passwd_warn_days.stdout | length > 0 - loop: "{{ ubtu22cis_passwd_warn_days.stdout_lines }}" + changed_when: discovered_passwd_warn_days.stdout | length > 0 + loop: "{{ discovered_passwd_warn_days.stdout_lines }}" - name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured" when: 
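Review bot: The 5.4.1.3 "Set existing users PASS_WARN_AGE" task runs `chage --maxdays {{ ubtu22cis_pass_warn_age }} {{ item }}`, which writes the warning-age value into each selected user's maximum password age rather than their warn days; the rename touched this line but kept the wrong option. The awk selector on the preceding capture uses field `$6` (warn days), so the patch line should be `ansible.builtin.shell: chage --warndays {{ ubtu22cis_pass_warn_age }} {{ item }}`. As written, with a typical warn age of a few days, affected accounts would have their passwords expire almost immediately.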
@@ -126,28 +126,28 @@ ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2 changed_when: false failed_when: false - register: ubtu22cis_passwd_inactive_setting + register: discovered_passwd_inactive_setting - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users" - when: ubtu22cis_passwd_inactive_setting.stdout != ubtu22cis_pass.inactive | string - ansible.builtin.shell: useradd -D -f {{ ubtu22cis_pass.inactive }} + when: discovered_passwd_inactive_setting.stdout != ubtu22cis_pass_inactive | string + ansible.builtin.shell: useradd -D -f {{ ubtu22cis_pass_inactive }} failed_when: false - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | Get Individual users" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu22cis_pass.inactive }}))) {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu22cis_pass_inactive }}))) {print $1}' /etc/shadow" changed_when: false failed_when: false - register: ubtu22cis_passwd_inactive_users + register: discovered_passwd_inactive_users - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set inactive period for existing users" when: - ubtu22cis_disruption_high - - ubtu22cis_passwd_inactive_users.stdout | length > 0 + - discovered_passwd_inactive_users.stdout | length > 0 - (item != 'root') and (not ubtu22cis_uses_root) - ansible.builtin.shell: chage --inactive {{ ubtu22cis_pass.inactive }} {{ item }} + ansible.builtin.shell: chage --inactive {{ ubtu22cis_pass_inactive }} {{ item }} failed_when: false with_items: - - "{{ ubtu22cis_passwd | map(attribute='id') | list | intersect(ubtu22cis_passwd_inactive_users.stdout_lines) | list }}" + - "{{ ubtu22cis_passwd | map(attribute='id') | list | intersect(discovered_passwd_inactive_users.stdout_lines) | list }}" - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the 
past" when: @@ -167,14 +167,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_current_time + register: discovered_current_time - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future" - ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu22cis_current_time.stdout }})print$1}'" + ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ discovered_current_time.stdout }})print$1}'" changed_when: false failed_when: false check_mode: false - register: ubtu22cis_passwd_future_user_list + register: discovered_passwd_future_user_list - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Warn about users" when: ubtu22cis_passwd_future_user_list.stdout | length > 0 diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 8b7ba48c..af0a21f5 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml 
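Review bot: In the 5.4.1.6 hunk the capture is renamed to `register: discovered_passwd_future_user_list`, but the "Warn about users" task on the last context line still reads `when: ubtu22cis_passwd_future_user_list.stdout | length > 0`, which is now an undefined variable and will error out at runtime. It should be `when: discovered_passwd_future_user_list.stdout | length > 0`. That task continues beyond the hunk, so any further references to the old name there also need the rename.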
@@ -19,22 +19,46 @@ name: ['aide', 'aide-common'] state: present update_cache: true - register: ubtu22cis_rule_6_1_1_aide_added + register: discovered_aide_pkg_added - name: "6.1.1 | PATCH | Ensure AIDE is installed | Recapture packages" - when: ubtu22cis_rule_6_1_1_aide_added.skipped is not defined + when: discovered_aide_pkg_added.skipped is not defined ansible.builtin.package_facts: manager: auto + - name: "6.1.1 | AUDIT | Ensure AIDE is installed | Check file exists" + ansible.builtin.stat: + path: "{{ ubtu22cis_aide_db_file }}" + register: discovered_aide_db_file + + - name: "6.1.1 | AUDIT | Ensure AIDE is installed | Check current db file age" + when: discovered_aide_db_file.stat.exists + ansible.builtin.find: + path: "{{ ubtu22cis_aide_db_file | dirname }}" + pattern: "{{ ubtu22cis_aide_db_file | basename }}" + age: "{{ ubtu22cis_aide_db_file_age }}" + register: discovered_aide_db_age + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - ansible.builtin.shell: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db - args: - creates: /var/lib/aide/aide.db - changed_when: false - failed_when: false - async: "{{ ubtu22cis_aide_init.async }}" - poll: "{{ ubtu22cis_aide_init.poll }}" - when: not ansible_check_mode + when: + - not ansible_check_mode + - not discovered_aide_db_file.stat.exists or + (discovered_aide_db_age.files | length > 0) or + ubtu22cis_aide_db_recreate + block: + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Remove current db file" + ansible.builtin.file: + path: "{{ ubtu22cis_aide_db_file }}" + state: absent + + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE" + when: + - not ansible_check_mode + ansible.builtin.shell: aideinit -y -f + args: + creates: "{{ ubtu22cis_aide_db_file }}" + async: "{{ ubtu22cis_aide_init.async }}" + poll: "{{ ubtu22cis_aide_init.poll }}" - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked" when: 
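Review bot: The new 6.1.1 block deletes `{{ ubtu22cis_aide_db_file }}` before running `aideinit -y -f`, so an init that fails or is interrupted (it runs with `async`/`poll`) leaves the host with no integrity baseline at all; `-f` already overwrites an existing database, so the "Remove current db file" task adds risk without adding anything, and it also makes the `creates:` guard on the next task always pass. I would drop the removal task, or replace it with a rename to a dated backup, and let `aideinit -y -f` do the overwrite. The inner `when: - not ansible_check_mode` duplicates the same condition on the enclosing block and can go. One thing I can't confirm from the hunk: `discovered_aide_db_age` is only registered when the file exists, which is fine only because Jinja's `or` short-circuits on `not discovered_aide_db_file.stat.exists` first — a comment saying so would help the next reader.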
@@ -52,14 +76,14 @@ when: ubtu22cis_aide_scan == 'cron' ansible.builtin.cron: name: Run AIDE integrity check - cron_file: "{{ ubtu22cis_aide_cron['cron_file'] }}" - user: "{{ ubtu22cis_aide_cron['cron_user'] }}" - minute: "{{ ubtu22cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ ubtu22cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ ubtu22cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ ubtu22cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ ubtu22cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ ubtu22cis_aide_cron['aide_job'] }}" + cron_file: "{{ ubtu22cis_aide_cron_file }}" + user: "{{ ubtu22cis_aide_cron_user }}" + minute: "{{ ubtu22cis_aide_cron_minute | default('0') }}" + hour: "{{ ubtu22cis_aide_cron_hour | default('5') }}" + day: "{{ ubtu22cis_aide_cron_day | default('*') }}" + month: "{{ ubtu22cis_aide_cron_month | default('*') }}" + weekday: "{{ ubtu22cis_aide_cron_weekday | default('*') }}" + job: "{{ ubtu22cis_aide_cron_job }}" - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | timer template" when: ubtu22cis_aide_scan == 'timer' @@ -85,8 +109,7 @@ - aidecheck.timer - name: "6.1.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" - when: - - ubtu22cis_rule_6_1_3 + when: ubtu22cis_rule_6_1_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_6/cis_6.2.1.1.x.yml b/tasks/section_6/cis_6.2.1.1.x.yml index 15b4a593..2e07b158 100644 --- a/tasks/section_6/cis_6.2.1.1.x.yml +++ b/tasks/section_6/cis_6.2.1.1.x.yml @@ -1,8 +1,7 @@ --- - name: "6.2.1.1.1 | PATCH | Ensure journald service is enabled and active" - when: - - ubtu22cis_rule_6_2_1_1_1 + when: ubtu22cis_rule_6_2_1_1_1 tags: - level1-server - level1-workstation 
@@ -15,8 +14,7 @@ state: started - name: "6.2.1.1.2 | PATCH | Ensure journald log file access is configured" - when: - - ubtu22cis_rule_6_2_1_1_2 + when: ubtu22cis_rule_6_2_1_1_2 tags: - level1-server - level1-workstation 
@@ -32,41 +30,39 @@ - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file" ansible.builtin.stat: path: /etc/tmpfiles.d/systemd.conf - register: tmpfile_override + register: discovered_tmpfile_override - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | If override file check for journal" - when: tmpfile_override.stat.exists + when: discovered_tmpfile_override.stat.exists ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal \d*' /usr/lib/tmpfiles.d/systemd.conf - register: journald_fileperms_override changed_when: false - failed_when: journald_fileperms_override.rc not in [ 0, 1 ] + failed_when: discovered_journald_fileperms_override.rc not in [ 0, 1 ] + register: discovered_journald_fileperms_override - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found" when: - - tmpfile_override.stat.exists - - journald_fileperms_override.stdout | length > 0 + - discovered_tmpfile_override.stat.exists + - discovered_journald_fileperms_override.stdout | length > 0 ansible.builtin.debug: msg: "Warning!! 
- tmpfiles override found /usr/lib/tmpfiles.d/systemd.conf affecting journald files please confirm matches site policy" - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found" when: - - tmpfile_override.stat.exists - - journald_fileperms_override.stdout | length > 0 + - discovered_tmpfile_override.stat.exists + - discovered_journald_fileperms_override.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml vars: warn_control_id: '6.2.1.1.2' - name: "6.2.1.1.3 | PATCH | Ensure journald log file rotation is configured" - when: - - ubtu22cis_rule_6_2_1_1_3 + when: ubtu22cis_rule_6_2_1_1_3 tags: - level1-server - level1-workstation - patch - journald - rule_6.2.1.1.3 - notify: Restart journald block: - name: "6.2.1.1.3 | PATCH | Ensure journald log file rotation is configured | Add file" ansible.builtin.template: @@ -75,6 +71,7 @@ owner: root group: root mode: '0640' + notify: Restart journald - name: "6.2.1.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries" ansible.builtin.replace: @@ -87,17 +84,16 @@ - '^(\s*RuntimeMaxUse\s*=)' - '^(\s*RuntimeKeepFree\s*=.*)' - '^(\s*MaxFileSec\s*=.*)' + notify: Restart journald - name: "6.2.1.1.4 | PATCH | Ensure journald ForwardToSyslog is disabled" - when: - - ubtu22cis_rule_6_2_1_1_4 + when: ubtu22cis_rule_6_2_1_1_4 tags: - level1-server - level2-workstation - patch - journald - rule_6.2.1.1.4 - notify: Restart journald block: - name: "6.2.1.1.4 | PATCH | Ensure journald ForwardToSyslog is disabled | Add file" ansible.builtin.template: 
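Review bot: In the 6.2.1.1.2 hunk the override check stats `/etc/tmpfiles.d/systemd.conf` but then greps `/usr/lib/tmpfiles.d/systemd.conf`, so the warning is driven by the packaged default rather than the override file whose existence gated the task; if the intent is to inspect the override, the grep path should be `/etc/tmpfiles.d/systemd.conf`. The `\d*` in that `grep -E` pattern is also likely not doing what is intended, since `\d` is not an ERE class and newer GNU grep warns about it; `[0-9]*` is portable. These lines are context in this hunk, but the commit reworked the surrounding conditions, so now is the time to fix them.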
@@ -106,23 +102,23 @@ owner: root group: root mode: '0640' + notify: Restart journald - name: "6.2.1.1.4 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf regexp: ^(\s*ForwardToSyslog) replace: '#\1' + notify: Restart journald - name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured" - when: - - ubtu22cis_rule_6_2_1_1_5 + when: ubtu22cis_rule_6_2_1_1_5 tags: - level1-server - level1-workstation - patch - journald - rule_6.2.1.1.5 - notify: Restart journald block: - name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured | Add file" ansible.builtin.template: @@ -131,23 +127,23 @@ owner: root group: root mode: '0640' + notify: Restart journald - name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf regexp: ^(?i)(\s*storage=) replace: '#\1' + notify: Restart journald - name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured" - when: - - ubtu22cis_rule_6_2_1_1_6 + when: ubtu22cis_rule_6_2_1_1_6 tags: - level1-server - level1-workstation - patch - journald - rule_6.2.1.1.6 - notify: Restart journald block: - name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured | Add file" ansible.builtin.template: @@ -156,9 +152,11 @@ owner: root group: root mode: '0640' + notify: Restart journald - name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf regexp: ^(?i)(\s*compress=) replace: '#\1' + notify: Restart journald diff --git a/tasks/section_6/cis_6.2.1.2.x.yml b/tasks/section_6/cis_6.2.1.2.x.yml index 9206a4c9..06b4068a 100644 --- a/tasks/section_6/cis_6.2.1.2.x.yml +++ b/tasks/section_6/cis_6.2.1.2.x.yml 
@@ -24,7 +24,6 @@ - patch - journald - rule_6.2.1.2.2 - notify: Restart journald ansible.builtin.lineinfile: path: /etc/systemd/journal-upload.conf regexp: "{{ item.regexp }}" @@ -34,6 +33,7 @@ - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ ubtu22cis_journal_upload_serverkeyfile }}'} - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ ubtu22cis_journal_servercertificatefile }}'} - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ ubtu22cis_journal_trustedcertificatefile }}'} + notify: Restart journald - name: "6.2.1.2.3 | PATCH | Ensure systemd-journal-remote is enabled and active" when: diff --git a/tasks/section_6/cis_6.2.2.yml b/tasks/section_6/cis_6.2.2.yml index 63364782..bba4f364 100644 --- a/tasks/section_6/cis_6.2.2.yml +++ b/tasks/section_6/cis_6.2.2.yml @@ -14,19 +14,19 @@ ansible.builtin.shell: find /var/log/ -type f -exec ls {} \; changed_when: false failed_when: false - register: discovered_logfiles + register: discovered_system_logfiles - name: "6.2.2.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" when: - - discovered_logfiles.stdout_lines is defined + - discovered_system_logfiles.stdout_lines is defined - item != "/var/log/btmp" - item != "/var/log/utmp" - item != "/var/log/wtmp" - item != "/var/log/lastlog" ansible.builtin.file: path: "{{ item }}" - mode: u-x,g-wx,o-rwx - loop: "{{ discovered_logfiles.stdout_lines }}" + mode: 'u-x,g-wx,o-rwx' + loop: "{{ discovered_system_logfiles.stdout_lines }}" - name: "6.2.2.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" ansible.builtin.file: diff --git a/tasks/section_6/cis_6.3.1.x.yml b/tasks/section_6/cis_6.3.1.x.yml index 142b9c84..22de8f3a 100644 --- a/tasks/section_6/cis_6.3.1.x.yml +++ b/tasks/section_6/cis_6.3.1.x.yml 
@@ -1,10 +1,7 @@ --- - name: "6.3.1.1 | PATCH | Ensure auditd packages are installed" - when: - - ubtu22cis_rule_6_3_1_1 - - "'auditd' not in ansible_facts.packages or - 'audisd-plugins' not in ansible_facts.packages" + when: ubtu22cis_rule_6_3_1_1 tags: - level2-server - level2-workstation @@ -16,8 +13,7 @@ state: present - name: "6.3.1.2 | PATCH | Ensure auditd service is enabled and active" - when: - - ubtu22cis_rule_6_3_1_2 + when: ubtu22cis_rule_6_3_1_2 tags: - level2-server - level2-workstation @@ -31,8 +27,7 @@ masked: false - name: "6.3.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" - when: - - ubtu22cis_rule_6_3_1_3 + when: ubtu22cis_rule_6_3_1_3 tags: - level2-server - level2-workstation @@ -45,18 +40,18 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_6_3_1_3_cmdline_settings + register: discovered_grub_cmdline_settings - name: "6.3.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist" - when: "'audit=' not in ubtu22cis_6_3_1_3_cmdline_settings.stdout" + when: "'audit=' not in discovered_grub_cmdline_settings.stdout" ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu22cis_6_3_1_3_cmdline_settings.stdout }} audit=1"' + line: 'GRUB_CMDLINE_LINUX="{{ discovered_grub_cmdline_settings.stdout }} audit=1"' notify: Grub update - name: "6.3.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists" - when: "'audit=' in ubtu22cis_6_3_1_3_cmdline_settings.stdout" + when: "'audit=' in discovered_grub_cmdline_settings.stdout" ansible.builtin.replace: dest: /etc/default/grub regexp: 'audit=([0-9]+)' @@ -66,8 +61,7 @@ notify: Grub update - name: "6.3.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" - when: - - ubtu22cis_rule_6_3_1_4 + when: ubtu22cis_rule_6_3_1_4 tags: - level2-server - level2-workstation 
@@ -80,14 +74,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_6_3_1_4_cmdline_settings + register: discovered_grub_cmdline_settings - name: "6.3.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist" - when: "'audit_backlog_limit=' not in ubtu22cis_6_3_1_4_cmdline_settings.stdout" + when: "'audit_backlog_limit=' not in discovered_grub_cmdline_settings.stdout" ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu22cis_6_3_1_4_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu22cis_audit_back_log_limit }}"' + line: 'GRUB_CMDLINE_LINUX="{{ discovered_grub_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu22cis_audit_back_log_limit }}"' notify: Grub update - name: "6.3.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists" diff --git a/tasks/section_6/cis_6.3.2.x.yml b/tasks/section_6/cis_6.3.2.x.yml index 2ed32d21..aee59748 100644 --- a/tasks/section_6/cis_6.3.2.x.yml +++ b/tasks/section_6/cis_6.3.2.x.yml 
@@ -1,46 +1,42 @@ --- - name: "6.3.2.1 | PATCH | Ensure audit log storage size is configured" - when: - - ubtu22cis_rule_6_3_2_1 + when: ubtu22cis_rule_6_3_2_1 tags: - level2-server - level2-workstation - patch - rule_6.3.2.1 - auditd - notify: Restart auditd ansible.builtin.lineinfile: dest: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" line: "max_log_file = {{ ubtu22cis_max_log_file_size }}" state: present + notify: Restart auditd - name: "6.3.2.2 | PATCH | Ensure audit logs are not automatically deleted" - when: - - ubtu22cis_rule_6_3_2_2 + when: ubtu22cis_rule_6_3_2_2 tags: - level2-server - level2-workstation - patch - rule_6.3.2.2 - auditd - notify: Restart auditd ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: '^max_log_file_action' line: "max_log_file_action = {{ ubtu22cis_auditd_max_log_file_action }}" + notify: Restart auditd - name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full" - when: - - ubtu22cis_rule_6_3_2_3 + when: ubtu22cis_rule_6_3_2_3 tags: - level2-server - level2-workstation - patch - rule_6.3.2.3 - auditd - notify: Restart auditd ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" @@ -48,6 +44,7 @@ with_items: - { regexp: '^disk_full_action', line: "disk_full_action = {{ ubtu22cis_auditd_disk_full_action }}" } - { regexp: '^disk_error_action', line: "disk_error_action = {{ ubtu22cis_auditd_disk_error_action }}" } + notify: Restart auditd - name: "6.3.2.4 | PATCH | Ensure system warns when audit logs are low on space" when: @@ -58,7 +55,6 @@ - patch - auditd - rule_6.3.2.4 - notify: Restart auditd ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" @@ -66,3 +62,4 @@ loop: - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ ubtu22cis_auditd_admin_space_left_action }}' } - { regexp: '^space_left_action', line: 'space_left_action = {{ ubtu22cis_auditd_space_left_action }}' } + notify: Restart auditd 
diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml index b4b11ab5..62fd44a2 100644 --- a/tasks/section_6/cis_6.3.3.x.yml +++ b/tasks/section_6/cis_6.3.3.x.yml @@ -1,8 +1,7 @@ --- - name: "6.3.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - when: - - ubtu22cis_rule_6_3_3_1 + when: ubtu22cis_rule_6_3_3_1 tags: - level2-server - level2-workstation @@ -13,8 +12,7 @@ update_audit_template: true - name: "6.3.3.2 | PATCH | Ensure actions as another user are always logged" - when: - - ubtu22cis_rule_6_3_3_2 + when: ubtu22cis_rule_6_3_3_2 tags: - level2-server - level2-workstation @@ -25,8 +23,7 @@ update_audit_template: true - name: "6.3.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - when: - - ubtu22cis_rule_6_3_3_3 + when: ubtu22cis_rule_6_3_3_3 tags: - level2-server - level2-workstation @@ -37,8 +34,7 @@ update_audit_template: true - name: "6.3.3.4 | PATCH | Ensure events that modify date and time information are collected" - when: - - ubtu22cis_rule_6_3_3_4 + when: ubtu22cis_rule_6_3_3_4 tags: - level2-server - level2-workstation @@ -49,8 +45,7 @@ update_audit_template: true - name: "6.3.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - when: - - ubtu22cis_rule_6_3_3_5 + when: ubtu22cis_rule_6_3_3_5 tags: - level2-server - level2-workstation @@ -61,8 +56,7 @@ update_audit_template: true - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" - when: - - ubtu22cis_rule_6_3_3_6 + when: ubtu22cis_rule_6_3_3_6 tags: - level2-server - level2-workstation 
@@ -72,7 +66,7 @@ block: - name: "6.3.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done - register: priv_procs + register: discovered_priv_procs changed_when: false check_mode: false @@ -81,8 +75,7 @@ update_audit_template: true - name: "6.3.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - when: - - ubtu22cis_rule_6_3_3_7 + when: ubtu22cis_rule_6_3_3_7 tags: - level2-server - level2-workstation @@ -93,8 +86,7 @@ update_audit_template: true - name: "6.3.3.8 | PATCH | Ensure events that modify user/group information are collected" - when: - - ubtu22cis_rule_6_3_3_8 + when: ubtu22cis_rule_6_3_3_8 tags: - level2-server - level2-workstation @@ -105,8 +97,7 @@ update_audit_template: true - name: "6.3.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - when: - - ubtu22cis_rule_6_3_3_9 + when: ubtu22cis_rule_6_3_3_9 tags: - level2-server - level2-workstation @@ -117,8 +108,7 @@ update_audit_template: true - name: "6.3.3.10 | PATCH | Ensure successful file system mounts are collected" - when: - - ubtu22cis_rule_6_3_3_10 + when: ubtu22cis_rule_6_3_3_10 tags: - level2-server - level2-workstation @@ -129,8 +119,7 @@ update_audit_template: true - name: "6.3.3.11 | PATCH | Ensure session initiation information is collected" - when: - - ubtu22cis_rule_6_3_3_11 + when: ubtu22cis_rule_6_3_3_11 tags: - level2-server - level2-workstation @@ -141,8 +130,7 @@ update_audit_template: true - name: "6.3.3.12 | PATCH | Ensure login and logout events are collected" - when: - - ubtu22cis_rule_6_3_3_12 + when: ubtu22cis_rule_6_3_3_12 tags: - level2-server - level2-workstation 
@@ -153,8 +141,7 @@ update_audit_template: true - name: "6.3.3.13 | PATCH | Ensure file deletion events by users are collected" - when: - - ubtu22cis_rule_6_3_3_13 + when: ubtu22cis_rule_6_3_3_13 tags: - level2-server - level2-workstation @@ -165,8 +152,7 @@ update_audit_template: true - name: "6.3.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - when: - - ubtu22cis_rule_6_3_3_14 + when: ubtu22cis_rule_6_3_3_14 tags: - level2-server - level2-workstation @@ -177,8 +163,7 @@ update_audit_template: true - name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - when: - - ubtu22cis_rule_6_3_3_15 + when: ubtu22cis_rule_6_3_3_15 tags: - level2-server - level2-workstation @@ -189,8 +174,7 @@ update_audit_template: true - name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - when: - - ubtu22cis_rule_6_3_3_16 + when: ubtu22cis_rule_6_3_3_16 tags: - level2-server - level2-workstation @@ -201,8 +185,7 @@ update_audit_template: true - name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - when: - - ubtu22cis_rule_6_3_3_17 + when: ubtu22cis_rule_6_3_3_17 tags: - level2-server - level2-workstation @@ -213,8 +196,7 @@ update_audit_template: true - name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - when: - - ubtu22cis_rule_6_3_3_18 + when: ubtu22cis_rule_6_3_3_18 tags: - level2-server - level2-workstation @@ -225,8 +207,7 @@ update_audit_template: true - name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading is collected" - when: - - ubtu22cis_rule_6_3_3_19 + when: ubtu22cis_rule_6_3_3_19 tags: - level2-server - level2-workstation 
@@ -237,8 +218,7 @@ update_audit_template: true - name: "6.3.3.20 | PATCH | Ensure the audit configuration is immutable" - when: - - ubtu22cis_rule_6_3_3_20 + when: ubtu22cis_rule_6_3_3_20 tags: - level2-server - level2-workstation @@ -249,8 +229,7 @@ update_audit_template: true - name: "6.3.3.21 | PATCH | Ensure the running and on disk configuration is the same" - when: - - ubtu22cis_rule_6_3_3_21 + when: ubtu22cis_rule_6_3_3_21 tags: - level2-server - level2-workstation @@ -260,4 +239,3 @@ - auditd ansible.builtin.shell: augenrules --check changed_when: false - register: ubtu22cis_rule_6_3_3_21_augen_check diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml index 1eb74fab..0ae6df73 100644 --- a/tasks/section_6/cis_6.3.4.x.yml +++ b/tasks/section_6/cis_6.3.4.x.yml @@ -23,8 +23,7 @@ mode: u-x,g-wx,o-rwx - name: "6.3.4.4 | PATCH | Ensure the audit log file directory mode is configured" - when: - - ubtu22cis_rule_6_3_4_4 + when: ubtu22cis_rule_6_3_4_4 tags: - level1-server - level1-workstation @@ -35,17 +34,16 @@ - name: "6.3.4.4 | AUDIT | Ensure the audit log file directory mode is configured | get current permissions" ansible.builtin.stat: path: "{{ prelim_auditd_logfile.stdout | dirname }}" - register: auditlog_dir + register: discovered_auditlog_dir - name: "6.3.4.4 | PATCH | Ensure the audit log file directory mode is configured | set permissions" ansible.builtin.file: - path: "{{ auditlog_dir.stat.path }}" + path: "{{ discovered_auditlog_dir.stat.path }}" state: directory mode: g-w,o-rwx - name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured" - when: - - ubtu22cis_rule_6_3_4_5 + when: ubtu22cis_rule_6_3_4_5 tags: - level1-server - level1-workstation @@ -60,8 +58,7 @@ label: "{{ item.path }}" - name: "6.3.4.6 | PATCH | Ensure audit configuration files owner is configured" - when: - - ubtu22cis_rule_6_3_4_6 + when: ubtu22cis_rule_6_3_4_6 tags: - level1-server - level1-workstation 
@@ -76,8 +73,7 @@ label: "{{ item.path }}" - name: "6.3.4.7 | PATCH | Ensure audit configuration files group owner is configured" - when: - - ubtu22cis_rule_6_3_4_7 + when: ubtu22cis_rule_6_3_4_7 tags: - level1-server - level1-workstation @@ -92,39 +88,26 @@ label: "{{ item.path }}" - name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured" - when: - - ubtu22cis_rule_6_3_4_8 + when: ubtu22cis_rule_6_3_4_8 tags: - level1-server - level1-workstation - patch - auditd - rule_6.3.4.8 - block: - - name: "6.3.4.8 | AUDIT | Ensure audit tools mode is configured | get current mode" - ansible.builtin.stat: - path: "{{ item }}" - register: "audit_bins" - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules - - - name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured | set if required" - when: not item.stat.mode is match('07(0|5)0') - ansible.builtin.file: - path: "{{ item.item }}" - mode: '0750' - loop: "{{ audit_bins.results }}" - loop_control: - label: "{{ item.item }}" + ansible.builtin.file: + path: "{{ item.item }}" + mode: 'g-w,o-rwx' + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules - name: "6.3.4.9 | PATCH | Ensure audit tools owner is configured" - when: - - ubtu22cis_rule_6_3_4_9 + when: ubtu22cis_rule_6_3_4_9 tags: - level1-server - level1-workstation @@ -144,8 +127,7 @@ - /sbin/augenrules - name: "6.3.4.10 | PATCH | Ensure audit tools group owner is configured" - when: - - ubtu22cis_rule_6_3_4_10 + when: ubtu22cis_rule_6_3_4_10 tags: - level1-server - level1-workstation diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index 89042854..8b46ff82 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml 
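Review bot: The rewritten 6.3.4.8 task loops over plain path strings but still uses `path: "{{ item.item }}"`, which was only valid when the loop iterated over the old `audit_bins.results`; on a string item this fails with an attribute error, so the audit tool modes are never set. It should be `path: "{{ item }}"`. Separately, the old version skipped binaries that do not exist; the new `file` task will fail on a missing path, so `failed_when` or a `stat` guard may be needed if not all six tools are guaranteed to be installed.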
@@ -2,32 +2,32 @@ - name: "SECTION | 6.1 | Configure Filesystem Integrity Checking" ansible.builtin.import_tasks: - file: cis_6.1.x.yml + file: cis_6.1.x.yml - name: "SECTION | 6.2.1.1 | Configure systemd-journald service" ansible.builtin.import_tasks: - file: cis_6.2.1.1.x.yml + file: cis_6.2.1.1.x.yml - name: "SECTION | 6.2.1.2 | Configure systemd-journal-remote" ansible.builtin.import_tasks: - file: cis_6.2.1.2.x.yml + file: cis_6.2.1.2.x.yml - name: "SECTION | 6.2.2 | Configure Logfiles" ansible.builtin.import_tasks: - file: cis_6.2.2.yml + file: cis_6.2.2.yml - name: "SECTION | 6.3.1 | Configure auditd Service" ansible.builtin.import_tasks: - file: cis_6.3.1.x.yml + file: cis_6.3.1.x.yml - name: "SECTION | 6.3.2 | Configure data retention" ansible.builtin.import_tasks: - file: cis_6.3.2.x.yml + file: cis_6.3.2.x.yml - name: "SECTION | 6.3.3 | Configure auditd rules" ansible.builtin.import_tasks: - file: cis_6.3.3.x.yml + file: cis_6.3.3.x.yml - name: "SECTION | 6.3.4 | Configure auditd file access" ansible.builtin.import_tasks: - file: cis_6.3.4.x.yml + file: cis_6.3.4.x.yml diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 9d28ab7b..65f1059e 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -1,8 +1,7 @@ --- - name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured" - when: - - ubtu22cis_rule_7_1_1 + when: ubtu22cis_rule_7_1_1 tags: - level1-server - level1-workstation @@ -16,8 +15,7 @@ mode: 'u-x,go-wx' - name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" - when: - - ubtu22cis_rule_7_1_2 + when: ubtu22cis_rule_7_1_2 tags: - level1-server - level1-workstation @@ -33,8 +31,7 @@ register: discovered_file_exists - name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured" - when: - - ubtu22cis_rule_7_1_3 + when: ubtu22cis_rule_7_1_3 tags: - level1-server - level1-workstation 
@@ -48,8 +45,7 @@ mode: 'u-x,go-wx' - name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured" - when: - - ubtu22cis_rule_7_1_4 + when: ubtu22cis_rule_7_1_4 tags: - level1-server - level1-workstation @@ -61,10 +57,11 @@ owner: root group: root mode: 'u-x,go-wx' + failed_when: discovered_file_exists.state not in '[ file, absent ]' + register: discovered_file_exists - name: "7.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" - when: - - ubtu22cis_rule_7_1_5 + when: ubtu22cis_rule_7_1_5 tags: - level1-server - level1-workstation @@ -78,8 +75,7 @@ mode: 'u-x,g-wx,o-rwx' - name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" - when: - - ubtu22cis_rule_7_1_6 + when: ubtu22cis_rule_7_1_6 tags: - level1-server - level1-workstation @@ -91,10 +87,11 @@ owner: root group: root mode: 'u-x,g-wx,o-rwx' + failed_when: discovered_file_exists.state not in '[ file, absent ]' + register: discovered_file_exists - name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" - when: - - ubtu22cis_rule_7_1_7 + when: ubtu22cis_rule_7_1_7 tags: - level1-server - level1-workstation @@ -108,8 +105,7 @@ mode: 'u-x,g-wx,o-rwx' - name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" - when: - - ubtu22cis_rule_7_1_8 + when: ubtu22cis_rule_7_1_8 tags: - level1-server - level1-workstation @@ -121,10 +117,11 @@ owner: root group: root mode: 'u-x,g-wx,o-rwx' + failed_when: discovered_file_exists.state not in '[ file, absent ]' + register: discovered_file_exists - name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured" - when: - - ubtu22cis_rule_7_1_9 + when: ubtu22cis_rule_7_1_9 tags: - level1-server - level1-workstation 
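Review bot: The `failed_when` added to 7.1.4 compares `discovered_file_exists.state` against the string `'[ file, absent ]'`, so the check is a substring match rather than list membership; it happens to pass for `file` and `absent` but a reader will assume list semantics, and any state that is a substring of that text would also slip through. Write it as a real list, `failed_when: discovered_file_exists.state not in ['file', 'absent']`, and add a why-comment above it, `# the backup file may legitimately be missing; absent is compliant, not an error`. The same expression is repeated in the 7.1.6 and 7.1.8 hunks here and in the 7.1.10 hunk further down. This also relies on the module result carrying `state` when the path is missing, which I believe it does but is worth confirming.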
@@ -138,11 +135,7 @@ mode: 'u-x,go-wx' - name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured" - loop: - - /etc/security/opasswd - - /etc/security/opasswd.old - when: - - ubtu22cis_rule_7_1_10 + when: ubtu22cis_rule_7_1_10 tags: - level1-server - level1-workstation @@ -150,14 +143,18 @@ - permissions - rule_7.1.10 ansible.builtin.file: - path: /etc/security/opasswd + path: "{{ item }}" owner: root group: root mode: 'u-x,go-rwx' + failed_when: discovered_file_exists.state not in '[ file, absent ]' + register: discovered_file_exists + loop: + - /etc/security/opasswd + - /etc/security/opasswd.old - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured" - when: - - ubtu22cis_rule_7_1_11 + when: ubtu22cis_rule_7_1_11 tags: - level1-server - level1-workstation @@ -170,17 +167,17 @@ ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 failed_when: false changed_when: false - register: ubtu22cis_worldwriteable + register: discovered_worldwriteable_files - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable files if they exist (Configurable)" + when: + - discovered_worldwriteable_files.stdout_lines is defined + - ubtu22cis_no_world_write_adjust ansible.builtin.file: path: '{{ item }}' mode: o-w state: touch - loop: "{{ ubtu22cis_worldwriteable.stdout_lines }}" - when: - - ubtu22cis_worldwriteable.stdout_lines is defined - - ubtu22cis_no_world_write_adjust + loop: "{{ discovered_worldwriteable_files.stdout_lines }}" - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | sticky bit set on world-writable directories" ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t 
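Review bot: In the 7.1.11 remediation task, `state: touch` together with `mode: o-w` updates the timestamps of every world-writable file on every run, so the task reports changed each time and overwrites mtimes that a later investigation may rely on; the paths come from `find`, so they already exist and `state: file` strips the bit idempotently. Those lines are context here, but the hunk reorders the task's `when` and `loop`, so this is the place to fix it. For the 7.1.10 hunk, `register` inside a loop yields `results`, so the per-item `failed_when` still sees each item's own `state`; a comment saying so would save the next reader a check.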
@@ -188,8 +185,7 @@ failed_when: false - name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist" - when: - - ubtu22cis_rule_7_1_12 + when: ubtu22cis_rule_7_1_12 tags: - level1-server - level1-workstation @@ -205,7 +201,7 @@ failed_when: false check_mode: false register: discovered_unowned_files - with_items: + loop: - "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" @@ -243,8 +239,7 @@ file: warning_facts.yml - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed" - when: - - ubtu22cis_rule_7_1_13 + when: ubtu22cis_rule_7_1_13 tags: - level1-server - level1-workstation @@ -260,7 +255,7 @@ failed_when: false check_mode: false register: discovered_suid_sgid_files - with_items: + loop: - "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" @@ -286,12 +281,12 @@ ansible.builtin.file: path: "{{ item }}" mode: 'u-s' - with_items: + loop: - "{{ discovered_suid_sgid_files_flatten }}" - name: "7.1.13 | AUDIT | Audit SUID executables | Warn Count" - ansible.builtin.import_tasks: - file: warning_facts.yml when: - discovered_suid_sgid_files_flatten | length > 0 - not ubtu22cis_suid_sgid_adjust + ansible.builtin.import_tasks: + file: warning_facts.yml diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index 6266cd6d..828e1f6d 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -1,8 +1,7 @@ --- - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" - when: - - ubtu22cis_rule_7_2_1 + when: ubtu22cis_rule_7_2_1 tags: - level1-server - level1-workstation @@ -31,8 +30,7 @@ file: warning_facts.yml - name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty" - when: - - ubtu22cis_rule_7_2_2 + when: ubtu22cis_rule_7_2_2 tags: - level1-server - level1-workstation 
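Review bot: Replacing `with_items` with `loop` in 7.1.12 changes semantics for `loop: - "{{ ansible_facts.mounts }}"`: `with_items` flattened that nested list one level, `loop` does not, so the task now iterates once with `item` being the whole mounts list and `label: "{{ item.mount }}"` fails. Use `loop: "{{ ansible_facts.mounts }}"` directly. The same swap appears twice in the 7.1.13 hunks below, for `ansible_facts.mounts` and for `discovered_suid_sgid_files_flatten`, where `path: "{{ item }}"` would receive a list instead of a filename.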
@@ -56,8 +54,7 @@ - "{{ discovered_empty_password_acct.stdout_lines }}" - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" - when: - - ubtu22cis_rule_7_2_3 + when: ubtu22cis_rule_7_2_3 tags: - level1-server - level1-workstation @@ -85,8 +82,7 @@ file: warning_facts.yml - name: "7.2.4 | PATCH | Ensure shadow group is empty" - when: - - ubtu22cis_rule_7_2_4 + when: ubtu22cis_rule_7_2_4 tags: - level1-server - level1-workstation @@ -113,8 +109,7 @@ when: ansible_facts.getent_group.shadow[2] | length > 0 - name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist" - when: - - ubtu22cis_rule_7_2_5 + when: ubtu22cis_rule_7_2_5 tags: - level1-server - level1-workstation @@ -142,8 +137,7 @@ file: warning_facts.yml - name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist" - when: - - ubtu22cis_rule_7_2_6 + when: ubtu22cis_rule_7_2_6 tags: - level1-server - level1-workstation 
@@ -171,37 +165,35 @@ file: warning_facts.yml - name: "7.2.7 | AUDIT | Ensure no duplicate user names exist" - vars: - warn_control_id: '7.2.67' - when: - - ubtu22cis_rule_7_2_7 + when: ubtu22cis_rule_7_2_7 tags: - level1-server - level1-workstation - audit - rule_7.2.7 - user + vars: + warn_control_id: '7.2.7' block: - name: "7.2.7 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" changed_when: false failed_when: false check_mode: false - register: discovered_username_check + register: discovered_dup_username - name: "7.2.7 | WARNING | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" - when: discovered_username_check.stdout | length > 0 + when: discovered_dup_username.stdout | length > 0 ansible.builtin.debug: msg: "Warning!! The following user names are duplicates: {{ discovered_user_username_check.stdout_lines }}" - name: "7.2.7 | WARNING | Ensure no duplicate user names exist | Set warning count" - when: discovered_username_check.stdout | length > 0 + when: discovered_dup_username.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml - name: "7.2.8 | AUDIT | Ensure no duplicate group names exist" - when: - - ubtu22cis_rule_7_2_8 + when: ubtu22cis_rule_7_2_8 tags: - level1-server - level1-workstation 
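Review bot: In 7.2.7 the register is renamed to `discovered_dup_username`, but the warning task's message still reads `{{ discovered_user_username_check.stdout_lines }}`, a variable that is never registered, so the debug task errors exactly when duplicates are found. Change it to `msg: "Warning!! The following user names are duplicates: {{ discovered_dup_username.stdout_lines }}"`. The 7.2.8 hunk below has the same mismatch with `discovered_group_group_check` versus the new `discovered_dup_group`.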
@@ -216,21 +208,20 @@ changed_when: false failed_when: false check_mode: false - register: discovered_group_check + register: discovered_dup_group - name: "7.2.8 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - when: discovered_group_check.stdout | length > 0 + when: discovered_dup_group.stdout | length > 0 ansible.builtin.debug: msg: "Warning!! The following group names are duplicates: {{ discovered_group_group_check.stdout_lines }}" - name: "7.2.8 | AUDIT | Ensure no duplicate group names exist | Set warning count" - when: discovered_group_check.stdout | length > 0 + when: discovered_dup_group.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml - name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured" - when: - - ubtu22cis_rule_7_2_9 + when: ubtu22cis_rule_7_2_9 tags: - level1-server - level1-workstation diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index c7eb6639..87512d76 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -32,8 +32,8 @@ -w /etc/netplan/ -p wa -k system-locale {% endif %} {% if ubtu22cis_rule_6_3_3_6 %} -{% if priv_procs is defined %} -{% for proc in priv_procs.stdout_lines -%} +{% if discovered_priv_procs is defined %} +{% for proc in discovered_priv_procs.stdout_lines -%} -a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=unset -k privileged {% endfor %} {% endif %} From e5441bda342cbe09b69cf645bfcba11bdff7fe24 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Nov 2024 09:36:24 +0000 Subject: [PATCH 092/135] merged 
Signed-off-by: Mark Bolwell --- .ansible-lint | 31 ++- .pre-commit-config.yaml | 8 +- .yamllint | 1 + collections/requirements.yml | 18 +- defaults/main.yml | 291 ++++++++++++++--------------- meta/main.yml | 46 ++--- site.yml | 7 +- tasks/audit_only.yml | 10 +- tasks/auditd.yml | 6 +- tasks/main.yml | 91 ++++----- tasks/parse_etc_password.yml | 26 +-- tasks/post_remediation_audit.yml | 12 +- tasks/pre_remediation_audit.yml | 42 ++--- tasks/prelim.yml | 104 +++++------ tasks/section_1/cis_1.1.1.x.yml | 45 ++--- tasks/section_1/cis_1.1.2.1.x.yml | 2 +- tasks/section_1/cis_1.1.2.2.x.yml | 2 +- tasks/section_1/cis_1.1.2.3.x.yml | 8 +- tasks/section_1/cis_1.1.2.4.x.yml | 8 +- tasks/section_1/cis_1.1.2.5.x.yml | 8 +- tasks/section_1/cis_1.1.2.6.x.yml | 8 +- tasks/section_1/cis_1.1.2.7.x.yml | 8 +- tasks/section_1/cis_1.2.1.x.yml | 14 +- tasks/section_1/cis_1.2.2.x.yml | 3 +- tasks/section_1/cis_1.3.1.x.yml | 37 ++-- tasks/section_1/cis_1.4.x.yml | 8 +- tasks/section_1/cis_1.5.x.yml | 15 +- tasks/section_1/cis_1.6.x.yml | 18 +- tasks/section_1/cis_1.7.x.yml | 84 ++++----- tasks/section_1/main.yml | 23 +-- tasks/section_2/cis_2.1.x.yml | 105 +++++------ tasks/section_2/cis_2.3.1.x.yml | 3 +- tasks/section_2/cis_2.3.2.x.yml | 6 +- tasks/section_2/cis_2.3.3.x.yml | 9 +- tasks/section_2/cis_2.4.1.x.yml | 24 +-- tasks/section_2/cis_2.4.2.x.yml | 3 +- tasks/section_2/main.yml | 6 +- tasks/section_3/cis_3.1.x.yml | 20 +- tasks/section_3/cis_3.2.x.yml | 12 +- tasks/section_3/cis_3.3.x.yml | 21 +-- tasks/section_4/cis_4.1.x.yml | 17 +- tasks/section_4/cis_4.3.1.x.yml | 22 +-- tasks/section_4/cis_4.3.2.x.yml | 12 +- tasks/section_4/cis_4.3.3.x.yml | 15 +- tasks/section_5/cis_5.1.x.yml | 100 ++++------ tasks/section_5/cis_5.2.x.yml | 200 ++++++++++---------- tasks/section_5/cis_5.3.3.1.x.yml | 18 +- tasks/section_5/cis_5.3.3.3.x.yml | 18 +- tasks/section_5/cis_5.3.3.4.x.yml | 28 +-- tasks/section_5/cis_5.4.1.x.yml | 58 +++--- tasks/section_6/cis_6.1.x.yml | 23 ++- 
tasks/section_6/cis_6.2.1.1.x.yml | 46 +++-- tasks/section_6/cis_6.2.1.2.x.yml | 2 +- tasks/section_6/cis_6.2.2.yml | 8 +- tasks/section_6/cis_6.3.1.x.yml | 28 ++- tasks/section_6/cis_6.3.2.x.yml | 17 +- tasks/section_6/cis_6.3.3.x.yml | 66 +++---- tasks/section_6/cis_6.3.4.x.yml | 56 ++---- tasks/section_6/main.yml | 16 +- tasks/section_7/cis_7.1.x.yml | 75 ++++---- tasks/section_7/cis_7.2.x.yml | 43 ++--- templates/audit/99_auditd.rules.j2 | 4 +- 62 files changed, 901 insertions(+), 1164 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index c7095e24..3090307c 100755 --- a/.ansible-lint +++ b/.ansible-lint @@ -3,21 +3,20 @@ parseable: true quiet: true skip_list: - - 'schema' - - 'no-changed-when' - - 'var-spacing' - - 'experimental' - - 'name[play]' - - 'name[casing]' - - 'name[template]' - - 'key-order[task]' - - 'yaml[line-length]' - - '204' - - '305' - - '303' - - '403' - - '306' - - '602' - - '208' + - 'schema' + - 'no-changed-when' + - 'var-spacing' + - 'experimental' + - 'name[play]' + - 'name[casing]' + - 'name[template]' + - 'key-order[task]' + - '204' + - '305' + - '303' + - '403' + - '306' + - '602' + - '208' use_default_rules: true verbosity: 0 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 99cc0a67..10deb27d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -2,8 +2,8 @@ ##### CI for use by github no need for action to be added ##### Inherited ci: - autofix_prs: false - skip: [detect-aws-credentials, ansible-lint ] + autofix_prs: false + skip: [detect-aws-credentials, ansible-lint ] repos: - repo: https://github.com/pre-commit/pre-commit-hooks 
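Review bot: The re-indent of `skip_list` in `.ansible-lint` also drops `'yaml[line-length]'`, so that rule becomes active; this is a behavioural change hidden in a whitespace diff and is not mentioned in the commit message. Either restore the entry or record the intent with a comment such as `# yaml[line-length] now enforced; long task names should wrap`, and confirm the long `name:` lines elsewhere in the role pass under it (the `.yamllint` settings that govern this are outside this hunk).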
@@ -51,12 +51,12 @@ repos: # https://github.com/ansible/ansible-lint/issues/611 pass_filenames: false always_run: true - additional_dependencies: + # additional_dependencies: # https://github.com/pre-commit/pre-commit/issues/1526 # If you want to use specific version of ansible-core or ansible, feel # free to override `additional_dependencies` in your own hook config # file. - - ansible-core>=2.10.1 + # - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git rev: v1.35.1 # or higher tag diff --git a/.yamllint b/.yamllint index dff24572..d8eba416 100755 --- a/.yamllint +++ b/.yamllint @@ -11,6 +11,7 @@ ignore: | rules: indentation: + spaces: 2 # Requiring consistent indentation within a file, either indented or not indent-sequences: consistent braces: diff --git a/collections/requirements.yml b/collections/requirements.yml index 8ebc6180..810c9afc 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,14 +1,14 @@ --- collections: - - name: community.general - source: https://github.com/ansible-collections/community.general - type: git + - name: community.general + source: https://github.com/ansible-collections/community.general + type: git - - name: community.crypto - source: https://github.com/ansible-collections/community.crypto - type: git + - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git - - name: ansible.posix - source: https://github.com/ansible-collections/ansible.posix - type: git + - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git diff --git a/defaults/main.yml b/defaults/main.yml index 42ce9e30..25369f52 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
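Review bot: Commenting out `additional_dependencies` for the ansible-lint hook means the hook now runs against whatever ansible-core happens to be installed on the developer's machine or CI image, so lint results stop being reproducible and a contributor without ansible gets an opaque failure. If `>=2.10.1` was dropped because it is too old, raise the floor instead of removing it, and delete the commented block rather than leaving dead configuration; the adjacent comment about overriding `additional_dependencies` no longer matches what the file does.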
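Review bot: Each entry in `collections/requirements.yml` points at a git `source` with no `version:` pin, so `ansible-galaxy collection install -r` resolves to the branch head at install time; builds are not reproducible and the role's behaviour depends on whatever lands upstream. Add a pin per entry, e.g. `version: <TAG_OR_COMMIT>` under each `type: git`, or reference the Galaxy name with a semver range. The entries are only re-indented by this hunk, so the omission predates the commit.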
@@ -34,7 +34,7 @@ ubtu22cis_disruption_high: true ## Unrestricted boot # Setting this variable to false enables the system to # boot *without* querying for the bootloader password. -ubtu22cis_ask_passwd_to_boot: false +ubtu22cis_ask_passwd_to_boot: false # pragma: allowlist secret ## Usage on containerized images # The role discovers dynamically (in tasks/main.yml) whether it @@ -596,10 +596,10 @@ ubtu22cis_ipv4_required: true # This variable governs whether ipv6 is enabled or disabled. ubtu22cis_ipv6_required: false -## Desktop requirement toggle # This variable governs, whether CIS rules regarding GDM # and X-Windows are carried out. -ubtu22cis_desktop_required: false +## Graphical/Gnome interface required +ubtu22cis_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}" ## Purge apt packages # This will allow the purging of any packages that are marked to be removed @@ -671,7 +671,7 @@ ubtu22cis_disable_dynamic_motd: true # This variable specifies the GNOME configuration database file to which configurations are written. # (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) # The default database is `local`. -ubtu22cis_dconf_db_name: local +ubtu22cis_dconf_db_name: "{{ prelim_dconf_db_user|default('local') }}" # This variable governs the number of seconds of inactivity before the screen goes blank. ubtu22cis_screensaver_idle_delay: 900 # This variable governs the number of seconds the screen remains blank before it is locked. 
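Review bot: `ubtu22cis_desktop_required` is replaced by `ubtu22cis_gui`, now computed from `prelim_gnome_present.stat.exists`, but the comment kept above it still describes a user toggle and the new heading does not say the value is discovered; an inventory that sets the old name is silently ignored and the GDM controls will run or not on discovery alone. Suggest `# Auto-discovered in prelim (true when GNOME is present); set explicitly in inventory to override` and a changelog entry for the rename. Whether `prelim_gnome_present` exists before this default is first evaluated depends on tasks outside the diff; `default(false)` covers the undefined case but would also mask a skipped prelim step.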
@@ -693,20 +693,20 @@ ubtu22cis_time_sync_tool: "systemd-timesyncd" # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation # of the time synchronization mechanism you are using. ubtu22cis_time_pool: - - name: time.nist.gov - options: iburst maxsources 4 + - name: time.nist.gov + options: iburst maxsources 4 # The following variable represents a list of of time servers used # for configuring chrony and timesyncd # Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`. # The default setting for the `options` is `iburst` -- please refer to the documentation # of the time synchronization mechanism you are using. ubtu22cis_time_servers: - - name: time-a-g.nist.gov - options: iburst - - name: time-b-g.nist.gov - options: iburst - - name: time-c-g.nist.gov - options: iburst + - name: time-a-g.nist.gov + options: iburst + - name: time-b-g.nist.gov + options: iburst + - name: time-c-g.nist.gov + options: iburst ## ## Section 3 Control Variables @@ -759,9 +759,9 @@ ubtu22cis_ufw_use_sysctl: true # If you want to allow outbound traffic on all ports, set the variable to `all`, e.g., # `ubtu22cis_ufw_allow_out_ports: "all"`. ubtu22cis_ufw_allow_out_ports: - - 53 - - 80 - - 443 + - 53 + - 80 + - 443 ## Controls 4.2.x - nftables # Nftables is not supported in this role. Some tasks have parts of them commented out, this is one example 
@@ -785,86 +785,85 @@ ubtu22cis_sshd_default_client_alive_count_max: 3 # all Ciphers, KEX and Macs set to FIPS 140 # This will nee dto be adjusted according to your site requirements ubtu22cis_sshd_default_ciphers: - - aes256-gcm@openssh.com - - aes128-gcm@openssh.com - - aes256-ctr - - aes192-ctr - - aes128-ctr + - aes256-gcm@openssh.com + - aes128-gcm@openssh.com + - aes256-ctr + - aes192-ctr + - aes128-ctr ubtu22cis_sshd_default_macs: - - hmac-sha1 - - hmac-sha2-256 - # - hmac-sha2-384 # hashed out seen as bad ssh2 MAC - - hmac-sha2-512 + - hmac-sha1 + - hmac-sha2-256 + # - hmac-sha2-384 # hashed out seen as bad ssh2 MAC + - hmac-sha2-512 ubtu22cis_sshd_default_kex_algorithms: - - ecdh-sha2-nistp256 - - ecdh-sha2-nistp384 - - ecdh-sha2-nistp521 - - diffie-hellman-group-exchange-sha256 - - diffie-hellman-group16-sha512 - - diffie-hellman-group18-sha512 - - diffie-hellman-group14-sha256 - -ubtu22cis_sshd: - # This variable is used to control the verbosity of the logging produced by the SSH server. - # The options for setting it are as follows: - # - `QUIET`: Minimal logging; - # - `FATAL`: logs only fatal errors; - # - `ERROR`: logs error messages; - # - `INFO`: logs informational messages in addition to errors; - # - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges; - # - `DEBUG`: generates very detailed debugging information including sensitive information. - log_level: "{{ubtu22cis_sshd_default_log_level}}" - # This variable specifies the maximum number of authentication attempts that are - # allowed for a single SSH session. - max_auth_tries: "{{ubtu22cis_sshd_default_max_auth_tries}}" - # This variable specifies the encryption algorithms that can be used for securing - # data transmission. - ciphers: "{{ubtu22cis_sshd_default_ciphers}}" - # This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying - # the integrity of data exchanged. 
- macs: "{{ubtu22cis_sshd_default_macs}}" - # This variable is used to state the key exchange algorithms used to establish secure encryption - # keys during the initial connection setup. - kex_algorithms: "{{ubtu22cis_sshd_default_kex_algorithms}}" - # This variable sets the time interval in seconds between sending "keep-alive" - # messages from the server to the client. These types of messages are intended to - # keep the connection alive and prevent it being terminated due to inactivity. - client_alive_interval: "{{ubtu22cis_sshd_default_client_alive_interval}}" - # This variable sets the maximum number of unresponsive "keep-alive" messages - # that can be sent from the server to the client before the connection is considered - # inactive and thus, closed. - client_alive_count_max: "{{ubtu22cis_sshd_default_client_alive_count_max}}" - # This variable specifies the amount of seconds allowed for successful authentication to - # the SSH server. - login_grace_time: "{{ubtu22cis_sshd_default_login_grace_time}}" - # This variables is used to set the maximum number of open sessions per connection. - max_sessions: "{{ubtu22cis_sshd_default_max_sessions}}" - # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH - # access for users whose user name matches one of the patterns. This is done - # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. - # If an USER@HOST format will be used, the specified user will be allowed only on that particular host. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, see https://linux.die.net/man/5/sshd_config - allow_users: "" - # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access - # for users whose primary group or supplementary group list matches one of the patterns. 
This is done - # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, https://linux.die.net/man/5/sshd_config - allow_groups: "" - # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access - # for users whose user name matches one of the patterns. This is done - # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. - # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, see https://linux.die.net/man/5/sshd_config - deny_users: "" - # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access - # for users whose primary group or supplementary group list matches one of the patterns. This is done - # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, see https://linux.die.net/man/5/sshd_config - deny_groups: "" + - ecdh-sha2-nistp256 + - ecdh-sha2-nistp384 + - ecdh-sha2-nistp521 + - diffie-hellman-group-exchange-sha256 + - diffie-hellman-group16-sha512 + - diffie-hellman-group18-sha512 + - diffie-hellman-group14-sha256 + +# This variable is used to control the verbosity of the logging produced by the SSH server. +# The options for setting it are as follows: +# - `QUIET`: Minimal logging; +# - `FATAL`: logs only fatal errors; +# - `ERROR`: logs error messages; +# - `INFO`: logs informational messages in addition to errors; +# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges; +# - `DEBUG`: generates very detailed debugging information including sensitive information. 
+ubtu22cis_sshd_log_level: "{{ubtu22cis_sshd_default_log_level}}" +# This variable specifies the maximum number of authentication attempts that are +# allowed for a single SSH session. +ubtu22cis_sshd_max_auth_tries: "{{ubtu22cis_sshd_default_max_auth_tries}}" +# This variable specifies the encryption algorithms that can be used for securing +# data transmission. +ubtu22cis_sshd_ciphers: "{{ubtu22cis_sshd_default_ciphers}}" +# This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying +# the integrity of data exchanged. +ubtu22cis_sshd_macs: "{{ubtu22cis_sshd_default_macs}}" +# This variable is used to state the key exchange algorithms used to establish secure encryption +# keys during the initial connection setup. +ubtu22cis_sshd_kex_algorithms: "{{ubtu22cis_sshd_default_kex_algorithms}}" +# This variable sets the time interval in seconds between sending "keep-alive" +# messages from the server to the client. These types of messages are intended to +# keep the connection alive and prevent it being terminated due to inactivity. +ubtu22cis_sshd_client_alive_interval: "{{ubtu22cis_sshd_default_client_alive_interval}}" +# This variable sets the maximum number of unresponsive "keep-alive" messages +# that can be sent from the server to the client before the connection is considered +# inactive and thus, closed. +ubtu22cis_sshd_client_alive_count_max: "{{ubtu22cis_sshd_default_client_alive_count_max}}" +# This variable specifies the amount of seconds allowed for successful authentication to +# the SSH server. +ubtu22cis_sshd_login_grace_time: "{{ubtu22cis_sshd_default_login_grace_time}}" +# This variables is used to set the maximum number of open sessions per connection. +ubtu22cis_sshd_max_sessions: "{{ubtu22cis_sshd_default_max_sessions}}" +# This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH +# access for users whose user name matches one of the patterns. 
This is done +# by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. +# If an USER@HOST format will be used, the specified user will be allowed only on that particular host. +# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, see https://linux.die.net/man/5/sshd_config +ubtu22cis_sshd_allow_users: "" +# (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access +# for users whose primary group or supplementary group list matches one of the patterns. This is done +# by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. +# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, https://linux.die.net/man/5/sshd_config +ubtu22cis_sshd_allow_groups: "" +# This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access +# for users whose user name matches one of the patterns. This is done +# by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. +# If an USER@HOST format will be used, the specified user will be restricted only on that particular host. +# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, see https://linux.die.net/man/5/sshd_config +ubtu22cis_sshd_deny_users: "" +# This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access +# for users whose primary group or supplementary group list matches one of the patterns. This is done +# by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. +# The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. +# For more info, see https://linux.die.net/man/5/sshd_config +ubtu22cis_sshd_deny_groups: "" ## Control 5.2.1 # This variable represents the name of the sudo package to install 
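Review bot: Flattening `ubtu22cis_sshd:` into top-level `ubtu22cis_sshd_*` variables removes the previous override point with no deprecation path: an inventory that still sets `ubtu22cis_sshd.allow_users` or `.deny_users` is silently ignored, and because the new `ubtu22cis_sshd_allow_users: ""` and `ubtu22cis_sshd_deny_users: ""` default to empty, the practical effect is that AllowUsers/DenyUsers restrictions quietly disappear rather than failing loudly. Consider a prelim assertion along the lines of `that: ubtu22cis_sshd is not defined` with a message naming the new variables, plus a short comment above this block recording the rename. The Jinja spacing `"{{ubtu22cis_sshd_default_log_level}}"` is also inconsistent with the `{{ … }}` form used elsewhere in the file; `"{{ ubtu22cis_sshd_default_log_level }}"` reads better. The tasks that consume these variables are outside this diff, so I cannot confirm they were all updated.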
@@ -983,23 +982,22 @@ ubtu22cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowli ubtu22cis_pamd_pwhistory_remember: 24 ## Controls 5.4.1.x - Password settings -ubtu22cis_pass: - ## Control 5.4.1.1 - # This variable governs after how many days a password expires. - # CIS requires a value of 365 or less. - max_days: 365 - ## Control 5.4.1.2 - # This variable specifies the minimum number of days allowed between changing passwords. - # CIS requires a value of at least 1. - min_days: 1 - ## Control 5.5.1.3 - # This variable governs, how many days before a password expires, the user will be warned. - # CIS requires a value of at least 7. - warn_age: 7 - ## Control 5.4.1.5 - # This variable specifies the number of days of inactivity before an account will be locked. - # CIS requires a value of 45 days or less. - inactive: 45 +## Control 5.4.1.1 +# This variable governs after how many days a password expires. +# CIS requires a value of 365 or less. +ubtu22cis_pass_max_days: 365 +## Control 5.4.1.2 +# This variable specifies the minimum number of days allowed between changing passwords. +# CIS requires a value of at least 1. +ubtu22cis_pass_min_days: 1 +## Control 5.5.1.3 +# This variable governs, how many days before a password expires, the user will be warned. +# CIS requires a value of at least 7. +ubtu22cis_pass_warn_age: 7 +## Control 5.4.1.5 +# This variable specifies the number of days of inactivity before an account will be locked. +# CIS requires a value of 45 days or less. +ubtu22cis_pass_inactive: 45 # 5.4.2.6 root umask ubtu22cis_root_umask: '0027' # 0027 or more restrictive 
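Review bot: The new comment line `## Control 5.5.1.3` above `ubtu22cis_pass_warn_age` sits between `## Control 5.4.1.2` and `## Control 5.4.1.5` and is presumably a typo for `## Control 5.4.1.3`; it was carried over from the removed block, but this hunk rewrites it, so it is the moment to fix it. The same backward-compatibility concern as for the sshd variables applies here: anything still setting `ubtu22cis_pass.max_days` is now ignored, so a comment noting the rename from the `ubtu22cis_pass` mapping would help users migrating inventories.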
@@ -1007,7 +1005,7 @@ ubtu22cis_root_umask: '0027' # 0027 or more restrictive # ubtu22cis_passwd_hash_algo is the hashing algorithm used ubtu22cis_passwd_hash_algo: yescrypt # pragma: allowlist secret # Set pam as well as login defs if PAM is required -ubtu22cis_passwd_setpam_hash_algo: false +ubtu22cis_passwd_setpam_hash_algo: false # pragma: allowlist secret ## Control 5.4.3 - Default user mask # The following variable specifies the "umask" to set in the `/etc/bash.bashrc` and `/etc/profile`. @@ -1051,11 +1049,10 @@ ubtu22cis_aide_db_file: /var/lib/aide/aide.db ## When Initializing aide this can take longer on some systems # changing the values enables user to change to thier own requirements -ubtu22cis_aide_init: - # Maximum Time in seconds - async: 600 - # Polling Interval in seconds - poll: 15 +# Maximum Time in seconds +ubtu22cis_aide_init_async: 600 +# Polling Interval in seconds +ubtu22cis_aide_init_poll: 15 ## Control 6.1.2 # Set how aide is scanned either cron or timer 
@@ -1065,36 +1062,36 @@ ubtu22cis_aide_scan: cron # the cron job on the target system. # Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled # and executed automatically at a certain point in time. -ubtu22cis_aide_cron: - # This variable represents the user account under which the cron job for AIDE will run. - cron_user: root - # This variable represents the path to the AIDE crontab file. - cron_file: /etc/cron.d/aide_cron - # This variable represents the actual command or script that the cron job - # will execute for running AIDE. - aide_job: '/usr/bin/aide --config /etc/aide/aide.conf --check' - # These variables define the schedule for the cron job - # This variable governs the minute of the time of day when the AIDE cronjob is run. - # It must be in the range `0-59`. - aide_minute: 0 - # This variable governs the hour of the time of day when the AIDE cronjob is run. - # It must be in the range `0-23`. - aide_hour: 5 - # This variable governs the day of the month when the AIDE cronjob is run. - # `*` signifies that the job is run on all days; furthermore, specific days - # can be given in the range `1-31`; several days can be concatenated with a comma. - # The specified day(s) can must be in the range `1-31`. - aide_day: '*' - # This variable governs months when the AIDE cronjob is run. - # `*` signifies that the job is run in every month; furthermore, specific months - # can be given in the range `1-12`; several months can be concatenated with commas. - # The specified month(s) can must be in the range `1-12`. - aide_month: '*' - # This variable governs the weekdays, when the AIDE cronjob is run. - # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays - # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays - # can be concatenated with commas. - aide_weekday: '*' + +# This variable represents the user account under which the cron job for AIDE will run. 
+ubtu22cis_aide_cron_user: root +# This variable represents the path to the AIDE crontab file. +ubtu22cis_aide_cron_file: /etc/cron.d/aide_cron +# This variable represents the actual command or script that the cron job +# will execute for running AIDE. +ubtu22cis_aide_cron_job: '/usr/bin/aide --config /etc/aide/aide.conf --check' +# These variables define the schedule for the cron job +# This variable governs the minute of the time of day when the AIDE cronjob is run. +# It must be in the range `0-59`. +ubtu22cis_aide_cron_minute: 0 +# This variable governs the hour of the time of day when the AIDE cronjob is run. +# It must be in the range `0-23`. +ubtu22cis_aide_cron_hour: 5 +# This variable governs the day of the month when the AIDE cronjob is run. +# `*` signifies that the job is run on all days; furthermore, specific days +# can be given in the range `1-31`; several days can be concatenated with a comma. +# The specified day(s) can must be in the range `1-31`. +ubtu22cis_aide_cron_day: '*' +# This variable governs months when the AIDE cronjob is run. +# `*` signifies that the job is run in every month; furthermore, specific months +# can be given in the range `1-12`; several months can be concatenated with commas. +# The specified month(s) can must be in the range `1-12`. +ubtu22cis_aide_cron_month: '*' +# This variable governs the weekdays, when the AIDE cronjob is run. +# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays +# can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays +# can be concatenated with commas. +ubtu22cis_aide_cron_weekday: '*' ## Controls 6.2.1.x journald @@ -1147,7 +1144,7 @@ ubtu22cis_allow_auditd_uid_user_exclusions: false # add a list of uids ubtu22cis_auditd_uid_exclude: - - 1999 + - 1999 ## Control 6.3.1.4 - Ensure audit_backlog_limit is sufficient # This variable represents the audit backlog limit, i.e., the maximum number of audit records that the 
diff --git a/meta/main.yml b/meta/main.yml index 514dc705..059d32f9 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,28 +1,28 @@ --- galaxy_info: - author: "George Nalen, Mark Bolwell, and DFed" - description: "Apply the Ubuntu 22 CIS benchmarks" - company: "MindPoint Group" - license: MIT - namespace: mindpointgroup - role_name: ubuntu22_cis - min_ansible_version: 2.12.1 - platforms: - - name: Ubuntu - versions: - - jammy - galaxy_tags: - - system - - security - - cis - - hardening - - benchmark - - compliance - - complianceascode - - ubuntu22 + author: George Nalen, Mark Bolwell, and DFed + description: Apply the Ubuntu 22 CIS benchmarks + company: MindPoint Group + license: MIT + namespace: mindpointgroup + role_name: ubuntu22_cis + min_ansible_version: 2.12.1 + platforms: + - name: Ubuntu + versions: + - jammy + galaxy_tags: + - system + - security + - cis + - hardening + - benchmark + - compliance + - complianceascode + - ubuntu22 collections: - - community.general - - community.crypto - - ansible.posix + - community.general + - community.crypto + - ansible.posix dependencies: [] diff --git a/site.yml b/site.yml index 0358dc36..f3f0fae7 100644 --- a/site.yml +++ b/site.yml @@ -1,8 +1,7 @@ --- -- hosts: all +- name: Apply ansible-lockdown hardening + hosts: all become: true - roles: - - - role: "{{ playbook_dir }}" + - role: "{{ playbook_dir }}" diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index f1623397..56e933de 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml 
@@ -5,26 +5,24 @@ delegate_to: localhost become: false ansible.builtin.file: - mode: '0755' path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" + mode: '0755' recurse: true state: directory - name: Audit_only | Get audits from systems and put in group dir when: fetch_audit_files ansible.builtin.fetch: + src: "{{ pre_audit_outfile }}" dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" flat: true mode: '0644' - src: "{{ pre_audit_outfile }}" - name: Audit_only | Show Audit Summary - when: - - audit_only + when: audit_only ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" - name: Audit_only | Stop Playbook Audit Only selected - when: - - audit_only + when: audit_only ansible.builtin.meta: end_play diff --git a/tasks/auditd.yml b/tasks/auditd.yml index d47aca02..c7b78411 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -1,6 +1,6 @@ --- -- name: "POST | AUDITD | Apply auditd template for section 4.1.3.x" +- name: POST | Apply auditd template for section 4.1.3.x when: update_audit_template ansible.builtin.template: src: audit/99_auditd.rules.j2 @@ -15,7 +15,7 @@ - Restart auditd - Set_reboot_required -- name: POST | AUDITD | Set up auditd user logging exceptions +- name: POST | Set up auditd user logging exceptions when: ubtu22cis_allow_auditd_uid_user_exclusions ansible.builtin.template: src: audit/98_auditd_exception.rules.j2 @@ -25,5 +25,5 @@ mode: '0600' notify: Restart auditd -- name: POST | AUDITD | Flush handlers +- name: POST | Flush handlers ansible.builtin.meta: flush_handlers diff --git a/tasks/main.yml b/tasks/main.yml index 43ce9224..c67abf25 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
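Review bot: The per-host capture directory on the controller is created with `mode: '0755'` and the fetched audit output with `mode: '0644'`, so the goss results, which enumerate every failing control on the target, are readable by any local user on the control node. Unless the capture directory is already protected by a parent mode I cannot see here, I would tighten both: `mode: '0750'` on the directory and `mode: '0640'` on the fetched file. The audit output is effectively a list of known weaknesses, which is worth treating as sensitive.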
@@ -4,57 +4,52 @@ when: - ansible_facts.distribution == 'Ubuntu' - ansible_facts.distribution_major_version is version_compare('22', '!=') - tags: - - always + tags: always ansible.builtin.fail: msg: "This role can only be run against Ubuntu 22. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." - name: Check ansible version + tags: always ansible.builtin.assert: that: ansible_version.full is version_compare(min_ansible_version, '>=') fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" - tags: - - always # This control should always run as this can pass on unintended issues. - name: "Check password set for connecting user" when: - ubtu22cis_rule_5_2_4 - ansible_env.SUDO_USER is defined - tags: - - always + tags: always block: - name: Capture current password state of connecting user" ansible.builtin.shell: "grep -w {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false - register: ansible_user_password_set + register: prelim_ansible_user_password_set - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" ansible.builtin.assert: - that: ansible_user_password_set.stdout != "!!" and ansible_user_password_set.stdout | length > 10 + that: prelim_ansible_user_password_set.stdout != "!!" 
and prelim_ansible_user_password_set.stdout | length > 10 fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for sudo user {{ ansible_env.SUDO_USER }}" vars: sudo_password_rule: ubtu22cis_rule_5_2_4 # pragma: allowlist secret - name: Ensure root password is set - when: - - ubtu22cis_rule_5_4_2_4 - tags: - - always + when: ubtu22cis_rule_5_4_2_4 + tags: always block: - name: Ensure root password is set ansible.builtin.shell: passwd -S root | grep -E "root P" changed_when: false failed_when: false - register: root_passwd_set + register: prelim_root_passwd_set - name: Ensure root password is set ansible.builtin.assert: - that: root_passwd_set.rc == 0 + that: prelim_root_passwd_set.rc == 0 fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set - Please manually set a root password" success_msg: "You have a root password set" 
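Review bot: The "account not locked" assertion only rejects a literal `!!` hash, so a user locked with `passwd -l` (hash prefixed with `!`, e.g. `!$y$...`) is longer than 10 characters and passes, and the play then enables `ubtu22cis_rule_5_2_4` against a sudo user who cannot authenticate, which is exactly the lockout the check exists to prevent. The lookup `grep -w {{ ansible_env.SUDO_USER }} /etc/shadow` is also not anchored to the username field, so it can return a different user's hash (e.g. `bob` matches `bob.smith`). I would use `ansible.builtin.shell: "getent shadow {{ ansible_env.SUDO_USER }} | cut -d: -f2"` and assert `that: not prelim_ansible_user_password_set.stdout.startswith(('!', '*')) and prelim_ansible_user_password_set.stdout | length > 10`. The enclosing `block` starts in the previous hunk line but the fix is confined to these two lines.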
@@ -62,36 +57,34 @@ when: - ubtu22cis_set_boot_pass - ubtu22cis_rule_1_4_1 - tags: - - always + tags: always ansible.builtin.assert: that: ubtu22cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and ubtu22cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret msg: "This role will not be able to run single user password commands as ubtu22cis_bootloader_password_hash variable has not been set correctly" - name: Check ubtu22cis_grub_user password variable has been changed when: ubtu22cis_rule_1_4_1 - tags: - - always + tags: always block: - name: Check ubtu22cis_grub_user password variable has been changed | check password is set ansible.builtin.shell: "grep ^{{ ubtu22cis_grub_user }} /etc/shadow | awk -F : '{print $2}'" changed_when: false - register: ubtu22cis_password_set_grub_user + register: prelim_password_set_grub_user - name: Check ubtu22cis_grub_user password variable has been changed | check password is set when: - - "'$y$' in ubtu22cis_password_set_grub_user.stdout" + - "'$y$' in prelim_password_set_grub_user.stdout" - ubtu22cis_set_grub_user_pass - ubtu22cis_rule_1_4_1 ansible.builtin.assert: - that: ubtu22cis_password_set_grub_user.stdout.find('$y$') != -1 or ubtu22cis_grub_user_passwd.find('$y$') != -1 and ubtu22cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' + that: prelim_password_set_grub_user.stdout.find('$y$') != -1 or ubtu22cis_grub_user_passwd.find('$y$') != -1 and ubtu22cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' msg: "This role will not set the {{ ubtu22cis_grub_user }} user password is not set or ubtu22cis_grub_user_passwd variable has not been set correctly" - name: Check ubtu22cis_grub_user password variable has been changed | if password blank or incorrect type and not being set when: - not ubtu22cis_set_grub_user_pass ansible.builtin.assert: - that: ( 
ubtu22cis_password_set_grub_user.stdout | length > 10 ) and '$y$' in ubtu22cis_password_set_grub_user.stdout + that: ( prelim_password_set_grub_user.stdout | length > 10 ) and '$y$' in prelim_password_set_grub_user.stdout fail_msg: "Grub User {{ ubtu22cis_grub_user }} has no password set or incorrect encryption" success_msg: "Grub User {{ ubtu22cis_grub_user }} has a valid password set to be used in single user mode" @@ -112,14 +105,12 @@ file: "{{ container_vars_file }}" - name: Output if discovered is a container - when: - - system_is_container + when: system_is_container ansible.builtin.debug: msg: system has been discovered as a container - name: Gather the package facts before prelim - tags: - - always + tags: always ansible.builtin.package_facts: manager: auto @@ -132,8 +123,7 @@ file: prelim.yml - name: Gather the package facts after prelim - tags: - - always + tags: always ansible.builtin.package_facts: manager: auto 
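Review bot: The `that:` expression in the second grub-user task parses as `A or (B and C)` because `and` binds tighter than `or`, and the task's own `when:` already requires `'$y$' in prelim_password_set_grub_user.stdout`, so `A` is always true and the comparison of `ubtu22cis_grub_user_passwd` against the shipped placeholder hash is never enforced. With `ubtu22cis_set_grub_user_pass` true, the role would therefore proceed to set the grub user's password to a hash that is public in the repository. I would drop the first operand and assert `that: ubtu22cis_grub_user_passwd.find('$y$') != -1 and ubtu22cis_grub_user_passwd != '<the placeholder hash>'`. Separately, `grep ^{{ ubtu22cis_grub_user }} /etc/shadow` is a prefix match; anchoring it as `grep '^{{ ubtu22cis_grub_user }}:' /etc/shadow` avoids picking up a longer username with the same prefix.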
@@ -142,64 +132,55 @@ - ubtu22cis_section5 or ubtu22cis_section6 or ubtu22cis_section7 - tags: - - always + tags: always ansible.builtin.import_tasks: file: parse_etc_password.yml - name: Include section 1 patches when: ubtu22cis_section1 - tags: - - section1 + tags: section1 ansible.builtin.import_tasks: file: section_1/main.yml - name: Include section 2 patches when: ubtu22cis_section2 - tags: - - section2 + tags: section2 ansible.builtin.import_tasks: file: section_2/main.yml - name: Include section 3 patches when: ubtu22cis_section3 - tags: - - section3 + tags: section3 ansible.builtin.import_tasks: file: section_3/main.yml - name: Include section 4 patches when: ubtu22cis_section4 - tags: - - section4 + tags: section4 ansible.builtin.import_tasks: file: section_4/main.yml - name: Include section 5 patches when: ubtu22cis_section5 - tags: - - section5 + tags: section5 ansible.builtin.import_tasks: file: section_5/main.yml - name: Include section 6 patches when: ubtu22cis_section6 - tags: - - section6 + tags: section6 ansible.builtin.import_tasks: file: section_6/main.yml - name: Include section 7 patches when: ubtu22cis_section7 - tags: - - section7 + tags: section7 ansible.builtin.import_tasks: file: section_7/main.yml - name: Run auditd logic when: update_audit_template - tags: - - always + tags: always ansible.builtin.import_tasks: file: auditd.yml @@ -207,8 +188,7 @@ ansible.builtin.meta: flush_handlers - name: Reboot system - tags: - - always + tags: always block: - name: Reboot system if not skipped when: 
@@ -225,24 +205,19 @@ changed_when: true - name: Run post remediation audit - when: - - run_audit - tags: - - run_audit + when: run_audit + tags: run_audit ansible.builtin.import_tasks: file: post_remediation_audit.yml - name: Show Audit Summary - when: - - run_audit - tags: - - run_audit + when: run_audit + tags: run_audit ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" - name: If Warnings found Output count and control IDs affected when: warn_count != 0 - tags: - - always + tags: always ansible.builtin.debug: msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index d06e1806..2c9c9ee7 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -17,17 +17,17 @@ with_items: "{{ ubtu22cis_passwd_file_audit.stdout_lines }}" vars: ld_passwd_regex: >- - ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) + ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) ld_passwd_yaml: | # pragma: allowlist secret - id: >-4 - \g - password: >-4 - \g - uid: \g - gid: \g - gecos: >-4 - \g - dir: >-4 - \g - shell: >-4 - \g + id: >-4 + \g + password: >-4 + \g + uid: \g + gid: \g + gecos: >-4 + \g + dir: >-4 + \g + shell: >-4 + \g diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 9b06b24a..cac34ed1 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
@@ -18,26 +18,24 @@ - "{{ pre_audit_outfile }}" - name: Post Audit | Capture audit data if json format - when: - - audit_format == "json" + when: audit_format == "json" block: - name: Post Audit | Capture audit data if json format ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 - register: post_audit_summary changed_when: false + register: post_audit_summary - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: post_audit_results: "{{ post_audit_summary.stdout }}" - name: Post Audit | Capture audit data if documentation format - when: - - audit_format == "documentation" + when: audit_format == "documentation" block: - name: Post Audit | Capture audit data if documentation format - ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" - register: post_audit_summary + ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' changed_when: false + register: post_audit_summary - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 6f215c31..555eae6c 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,22 +1,19 @@ --- - name: Pre Audit Setup | Setup the LE audit - when: - - setup_audit - tags: - - setup_audit + when: setup_audit + tags: setup_audit ansible.builtin.include_tasks: file: LE_audit_setup.yml - name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: path: "{{ audit_conf_dir }}" - state: directory mode: '0755' + state: directory - name: Pre Audit Setup | If using git for content set up - when: - - audit_content == 'git' + when: audit_content == 'git' block: - name: Pre Audit Setup | Install git ansible.builtin.package: 
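Review bot: The documentation-format capture in the post-remediation hunk now reads `tail -2 "{{ pre_audit_outfile }}"`, so `post_audit_results` is populated from the pre-remediation report and the "after" summary shown to the operator will simply repeat the "before" numbers. The json branch a few lines above correctly uses `post_audit_outfile`, and the same `tail | tac | tr` pipeline appears verbatim in pre_remediation_audit.yml, which looks like the source of the copy. The line should be `ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '`.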
@@ -30,23 +27,20 @@ version: "{{ audit_git_version }}" - name: Pre Audit Setup | Copy to audit content files to server - when: - - audit_content == 'copy' + when: audit_content == 'copy' ansible.builtin.copy: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server - when: - - audit_content == 'archive' + when: audit_content == 'archive' ansible.builtin.unarchive: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url - when: - - audit_content == 'get_url' + when: audit_content == 'get_url' ansible.builtin.unarchive: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" @@ -54,8 +48,7 @@ extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" - name: Pre Audit Setup | Check Goss is available - when: - - run_audit + when: run_audit block: - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: @@ -63,17 +56,15 @@ register: goss_available - name: Pre Audit Setup | If audit ensure goss is available - when: - - not goss_available.stat.exists + when: not goss_available.stat.exists ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit + when: run_audit tags: - goss_template - run_audit - when: - - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" 
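Review bot: The `get_url` branch unpacks `audit_conf_source` straight from a remote URL with `ansible.builtin.unarchive` and, as far as this hunk shows, no checksum or signature is verified, so the content that later runs as root via goss is trusted purely on the transport. If integrity is not enforced elsewhere, I would fetch with `ansible.builtin.get_url` using its `checksum:` option (e.g. `checksum: "sha256:{{ audit_conf_checksum }}"`) into a staging path and then unarchive from that local file with `remote_src: true`. At minimum the variable documentation should state that the URL must be pinned to a specific release rather than a moving branch archive.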
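Review bot: The "If audit ensure goss is available" task calls `ansible.builtin.assert` with only `msg:` and no `that:`, which the assert action rejects as a missing required argument, so the play still stops but with the module's argument error rather than the intended "unable to find goss binary" message. I would move the condition into the assertion and drop the `when:`: `that: goss_available.stat.exists` with `fail_msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"`. That keeps the operator-facing explanation and makes the task read as a real check rather than a guarded failure.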
@@ -88,33 +79,30 @@ AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format - when: - - audit_format == "json" + when: audit_format == "json" block: - name: Pre Audit | Capture audit data if json format ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 - register: pre_audit_summary changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Pre Audit | Capture audit data if documentation format - when: - - audit_format == "documentation" + when: audit_format == "documentation" block: - name: Pre Audit | Capture audit data if documentation format ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' - register: pre_audit_summary changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Audit_Only | Run Audit Only - when: - - audit_only + when: audit_only ansible.builtin.import_tasks: file: audit_only.yml diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 2fa01302..06b5271b 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -7,31 +7,27 @@ changed_when: false - name: PRELIM | AUDIT | Register if snap being used + when: ubtu22cis_rule_1_1_1_6 + tags: + - rule_1.1.1.2 + - always ansible.builtin.shell: df -h | grep -wc "/snap" changed_when: false failed_when: prelim_snap_pkg_mgr.rc not in [ 0, 1 ] register: prelim_snap_pkg_mgr - tags: - - rule_1.1.1.2 - - always - when: - - ubtu22cis_rule_1_1_1_6 - name: PRELIM | AUDIT | Register if squashfs is built into the kernel + when: ubtu22cis_rule_1_1_1_6 + tags: always ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs" changed_when: false failed_when: prelim_squashfs_builtin.rc not in [ 0, 1 ] register: prelim_squashfs_builtin - tags: - - always - when: - - ubtu22cis_rule_1_1_1_6 - name: PRELIM | AUDIT | Section 1.1 | Create list of mount points + tags: always ansible.builtin.set_fact: mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" - tags: - - always - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type when: @@ -40,8 +36,7 @@ ubtu22cis_rule_1_1_2_1_2 or ubtu22cis_rule_1_1_2_1_3 or ubtu22cis_rule_1_1_2_1_4 - tags: - - always + tags: always block: - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type ansible.builtin.shell: systemctl is-enabled tmp.mount @@ -60,8 +55,7 @@ tmp_mnt_type: tmp_systemd - name: PRELIM | Initialize the mount options variable - tags: - - always + tags: always block: - name: PRELIM | Initializing the var if there is no /tmp mount | set_fact when: "'/tmp' not in mount_names" @@ -90,8 +84,7 @@ when: - run_audit or audit_only - setup_audit - tags: - - run_audit + tags: run_audit ansible.builtin.import_tasks: file: pre_remediation_audit.yml 
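Review bot: The moved `tags:` block on "Register if snap being used" still carries `rule_1.1.1.2` while the task is gated on `ubtu22cis_rule_1_1_1_6`, and the squashfs/snap check belongs to 1.1.1.6 (the freevxfs module rule is 1.1.1.2). Because the task also carries `always` the mismatch does not change which runs execute, but `--tags rule_1.1.1.2` will misleadingly report this task and `--skip-tags rule_1.1.1.6` will not exclude it. I would change the tag to `- rule_1.1.1.6`.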
@@ -99,28 +92,39 @@ when: - ubtu22cis_rule_1_2_1_1 or ubtu22cis_rule_1_2_2_1 - tags: - - always + tags: always ansible.builtin.package: update_cache: true +- name: PRELIM | Discover Gnome Desktop Environment + tags: always + ansible.builtin.stat: + path: /usr/share/gnome/gnome-version.xml + register: prelim_gnome_present + +- name: PRELIM | Discover dconf systemdb + when: ubtu22cis_gui + ansible.builtin.shell: grep system-db /etc/dconf/profile/user | cut -d ':' -f2 + changed_when: false + failed_when: ubtu22cis_dconf_db.rc not in [ 0, 1 ] + register: prelim_dconf_system_db + - name: PRELIM | AUDIT | Wireless adapter pre-requisites when: - ubtu22cis_rule_3_1_2 - not system_is_container - tags: - - always + tags: always block: - name: PRELIM | AUDIT | Discover is wirelss adapter on system ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless - register: prelim_wireless_adapters changed_when: false - failed_when: prelim_wireless_adapters.rc not in [ 0, 1 ] + failed_when: prelim_wireless_adapters_exist.rc not in [ 0, 1 ] + register: prelim_wireless_adapters_exist - name: PRELIM | PATCH | Install Network-Manager | if wireless adapter present when: - ubtu22cis_install_network_manager - - prelim_wireless_adapters.rc == 0 + - prelim_wireless_adapters_exist.rc == 0 - "'network-manager' not in ansible_facts.packages" ansible.builtin.package: name: network-manager @@ -143,16 +147,15 @@ state: present - name: PRELIM | PATCH | 5.3.4/5 | Find all sudoers files. + when: + - ubtu22cis_rule_5_2_4 or + ubtu22cis_rule_5_2_5 + tags: always ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false check_mode: false register: prelim_sudoers_files - when: - - ubtu22cis_rule_5_2_4 or - ubtu22cis_rule_5_2_5 - tags: - - always - name: PRELIM | PATCH | Ensure conf.d directory exists required for 5.3.3.2.x when: 
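Review bot: The new "Discover dconf systemdb" task registers `prelim_dconf_system_db` but its `failed_when` reads `ubtu22cis_dconf_db.rc`, a variable nothing in this hunk defines, so on any host with `ubtu22cis_gui` true the task will error with an undefined-variable failure before the result is ever examined. The line should be `failed_when: prelim_dconf_system_db.rc not in [ 0, 1 ]`, and unlike its GNOME sibling the task has no `tags: always`, so a tag-limited run that later consumes the fact would skip it. The wireless rename in the same hunk keeps `prelim_wireless_adapters_exist.rc == 0` as the "adapter present" test, but `find` exits 0 even when nothing matches, so network-manager is installed whenever the command runs; `prelim_wireless_adapters_exist.stdout | length > 0` is the condition that actually reflects a wireless directory being found.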
@@ -162,8 +165,7 @@ ubtu22cis_rule_5_3_3_2_4 or ubtu22cis_rule_5_3_3_2_5 or ubtu22cis_rule_5_3_3_2_6 - tags: - - always + tags: always ansible.builtin.file: path: '/etc/security/pwquality.conf.d' state: directory @@ -172,10 +174,8 @@ mode: '0750' - name: PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def - when: - - not discover_int_uid - tags: - - always + when: not discover_int_uid + tags: always block: - name: PRELIM | AUDIT | Capture UID_MIN information from logins.def ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' @@ -199,32 +199,28 @@ min_int_gid: "{{ prelim_gid_min_id.stdout }}" - name: PRELIM | AUDIT | Interactive Users - tags: - - always + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' changed_when: false register: prelim_interactive_usernames - name: PRELIM | AUDIT | Interactive User accounts home directories - tags: - - always + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $6 }' changed_when: false register: prelim_interactive_users_home - name: PRELIM | AUDIT | Interactive UIDs - tags: - - always + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' changed_when: false register: prelim_interactive_uids - name: PRELIM | AUDIT | Gather UID 0 accounts other than root - when: - - ubtu22cis_rule_5_4_2_1 + when: ubtu22cis_rule_5_4_2_1 tags: - rule_5.4.2.1 - level1-server 
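Review bot: The three interactive-user pipelines disagree: the username and home-directory variants exclude shells of `/dev/null` but the "Interactive UIDs" awk filter omits that clause, so `prelim_interactive_uids` can contain UIDs that `prelim_interactive_usernames` and `prelim_interactive_users_home` do not, and any later task that zips or cross-references those lists will be misaligned. I would add the missing term: `awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $3 }'`. In all three the exclusion `grep -E -v '^(root|halt|sync|shutdown)'` is also only left-anchored, so an account such as `rootadm` would be silently dropped; `'^(root|halt|sync|shutdown):'` matches the whole field.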
@@ -241,8 +237,7 @@ - ubtu22cis_rule_6_2_1_1_3 or ubtu22cis_rule_6_2_1_1_5 or ubtu22cis_rule_6_2_1_1_6 - tags: - - always + tags: always ansible.builtin.file: path: /etc/systemd/journald.conf.d state: directory @@ -266,25 +261,24 @@ state: present - name: PRELIM | AUDIT | Audit conf and rules files | list files + tags: + - patch + - auditd + - always ansible.builtin.find: path: /etc/audit/ file_type: file recurse: true patterns: '*.conf,*.rules' register: prelim_auditd_conf_files - tags: - - patch - - auditd - - always - name: PRELIM | AUDIT | Check if auditd is immutable before changes - tags: - - always + when: "'auditd' in ansible_facts.packages" + tags: always ansible.builtin.shell: auditctl -l | grep -c '-e 2' changed_when: false failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ] register: prelim_auditd_immutable_check - when: "'auditd' in ansible_facts.packages" - name: PRELIM | AUDIT | 6.3.4.x | Capture information about auditd logfile path | discover file when: @@ -310,8 +304,7 @@ when: - ubtu22cis_rule_7_2_9 - "'acl' not in ansible_facts.packages" - tags: - - always + tags: always ansible.builtin.package: name: acl state: present @@ -322,8 +315,7 @@ when: - ubtu22cis_firewall_package == "ufw" - ubtu22cis_ufw_use_sysctl - tags: - - always + tags: always ansible.builtin.lineinfile: path: /etc/default/ufw regexp: ^IPT_SYSCTL=.* diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 9d1ab241..9369c7a2 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -1,8 +1,7 @@ --- - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available" - when: - - ubtu22cis_rule_1_1_1_1 + when: ubtu22cis_rule_1_1_1_1 tags: - level1-server - level1-workstation 
@@ -27,15 +26,13 @@ mode: '0600' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: cramfs state: absent - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available" - when: - - ubtu22cis_rule_1_1_1_2 + when: ubtu22cis_rule_1_1_1_2 tags: - level1-server - level1-workstation @@ -60,15 +57,13 @@ mode: '0600' - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: freevxfs state: absent - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available" - when: - - ubtu22cis_rule_1_1_1_3 + when: ubtu22cis_rule_1_1_1_3 tags: - level1-server - level1-workstation @@ -93,15 +88,13 @@ mode: '0600' - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: hfs state: absent - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available" - when: - - ubtu22cis_rule_1_1_1_4 + when: ubtu22cis_rule_1_1_1_4 tags: - level1-server - level1-workstation @@ -126,15 +119,13 @@ mode: '0600' - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: hfsplus state: absent - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available" - when: - - ubtu22cis_rule_1_1_1_5 + when: ubtu22cis_rule_1_1_1_5 tags: - level1-server - level1-workstation @@ -159,8 +150,7 @@ mode: '0600' - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: jffs2 state: absent 
@@ -194,15 +184,13 @@ mode: '0600' - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: squashfs state: absent - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available" - when: - - ubtu22cis_rule_1_1_1_7 + when: ubtu22cis_rule_1_1_1_7 tags: - level2-server - level2-workstation @@ -227,15 +215,13 @@ mode: '0600' - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Disable udf" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: udf state: absent - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available" - when: - - ubtu22cis_rule_1_1_1_8 + when: ubtu22cis_rule_1_1_1_8 tags: - level1-server - level2-workstation @@ -260,8 +246,7 @@ mode: '0600' - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Disable usb" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: usb-storage state: absent diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index 16edfe72..b965374e 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -17,7 +17,7 @@ block: - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.1.1 | WARN | Ensure /tmp is a separate partition | warn_count" ansible.builtin.import_tasks: diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index 77653e51..a4fc59b0 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml 
@@ -3,7 +3,7 @@ - name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition" when: - ubtu22cis_rule_1_1_2_2_1 - - "'/tmp' not in mount_names" + - required_mount not in mount_names tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index 33fa9699..1f295c3e 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -3,7 +3,7 @@ - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home" when: - ubtu22cis_rule_1_1_2_3_1 - - "'/home' not in mount_names" + - required_mount not in mount_names tags: - level2-server - level2-workstation @@ -16,9 +16,7 @@ block: - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Warn if partition is absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: home_mount_absent - changed_when: home_mount_absent.skipped is undefined + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Present" ansible.builtin.import_tasks: @@ -46,7 +44,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if ubtu22cis_rule_1_1_2_3_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3_3 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_3_3) %},nosuid{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index af6784e5..d341d8aa 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml 
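Review bot: The new `opts:` for the /home fstab entry is built from `item.options` taken from `ansible_facts.mounts`, which as far as I recall reports the live mount options (the /proc/mounts view: `rw,relatime`, `errors=remount-ro`, anything set by a manual `mount -o remount`), not what is written in /etc/fstab, so the role will rewrite the fstab line with runtime-only flags and lose whatever the administrator actually configured. The substring test `'nodev' not in item.options` is fine, but the base string should come from the existing fstab entry (or stay as `defaults` with the rule-driven flags appended, as the removed line did) if the goal is to add `nodev`/`nosuid` rather than replace the entry. The same construction is used in the /var and /var/tmp hunks below, so whatever is decided should be applied to all three; I would at least add a comment above `opts:` stating that the live mount options are intentionally persisted.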
@@ -2,7 +2,7 @@ - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var" when: - - "'/var' not in mount_names" + - required_mount not in mount_names - ubtu22cis_rule_1_1_2_4_1 tags: - level2-server @@ -16,9 +16,7 @@ block: - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Warn if partition is absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_mount_absent - changed_when: var_mount_absent.skipped is undefined + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Present" ansible.builtin.import_tasks: @@ -46,7 +44,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if ubtu22cis_rule_1_1_2_4_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_4_3 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_4_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_4_3) %},nosuid{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index f45874c8..b41d723d 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -4,7 +4,7 @@ - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp" when: - ubtu22cis_rule_1_1_2_5_1 - - "'/var/tmp' not in mount_names" + - required_mount not in mount_names tags: - level2-server - level2-workstation 
@@ -17,9 +17,7 @@ block: - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn if partition is absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_tmp_mount_absent - changed_when: var_tmp_mount_absent.skipped is undefined + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" ansible.builtin.import_tasks: @@ -50,7 +48,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if ubtu22cis_rule_1_1_2_5_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_5_3 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_2_5_4 %}noexec{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_5_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_5_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and ubtu22cis_rule_1_1_2_5_4) %},noexec{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index d6fa6146..dacdac2d 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml @@ -3,7 +3,7 @@ - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log" when: - ubtu22cis_rule_1_1_2_6_1 - - "'/var/log' not in mount_names" + - required_mount not in mount_names tags: - level2-server - level2-workstation 
@@ -16,9 +16,7 @@ block: - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Warn if partition is absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_mount_absent - changed_when: var_log_mount_absent.skipped is undefined + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Present" ansible.builtin.import_tasks: @@ -49,7 +47,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if ubtu22cis_rule_1_1_2_6_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_6_3 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_2_6_4 %}noexec{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_6_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_6_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and ubtu22cis_rule_1_1_2_6_4) %},noexec{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index 1e76360f..f2b69b42 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml @@ -3,7 +3,7 @@ - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit" when: - ubtu22cis_rule_1_1_2_7_1 - - "'/var/log/audit' not in mount_names" + - required_mount not in mount_names tags: - level2-server - level2-workstation 
@@ -16,9 +16,7 @@ block: - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn if partition is absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_audit_mount_absent - changed_when: var_log_audit_mount_absent.skipped is undefined + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" ansible.builtin.import_tasks: @@ -49,7 +47,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if ubtu22cis_rule_1_1_2_7_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_7_3 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_2_7_4 %}noexec{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_7_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_7_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and ubtu22cis_rule_1_1_2_7_4) %},noexec{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index 0932713a..1acd79b0 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml @@ -1,8 +1,7 @@ --- - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured" - when: - - ubtu22cis_rule_1_2_1_1 + when: ubtu22cis_rule_1_2_1_1 tags: - level1-server - level1-workstation @@ -18,7 +17,7 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_1_2_1_1_apt_gpgkeys + register: discovered_apt_gpgkeys - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys" ansible.builtin.debug: 
@@ -26,15 +25,14 @@ - "Warning!! Below are the apt gpg keys configured" - "Please review to make sure they are configured" - "in accordance with site policy" - - "{{ ubtu22cis_1_2_1_1_apt_gpgkeys.stdout_lines }}" + - "{{ discovered_apt_gpgkeys.stdout_lines }}" - name: "1.2.1.1 | WARN | Ensure GPG keys are configured | warn_count" ansible.builtin.import_tasks: file: warning_facts.yml - name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured" - when: - - ubtu22cis_rule_1_2_1_2 + when: ubtu22cis_rule_1_2_1_2 tags: - level1-server - level1-workstation @@ -49,14 +47,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_1_2_1_2_apt_policy + register: discovered_apt_policy - name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured | Message out repository configs" ansible.builtin.debug: msg: - "Warning!! Below are the apt package repositories" - "Please review to make sure they conform to your sites policies" - - "{{ ubtu22cis_1_2_1_2_apt_policy.stdout_lines }}" + - "{{ discovered_apt_policy.stdout_lines }}" - name: "1.2.1.2 | WARN | Ensure package manager repositories are configured | warn_count" ansible.builtin.import_tasks: diff --git a/tasks/section_1/cis_1.2.2.x.yml b/tasks/section_1/cis_1.2.2.x.yml index 7f5231ee..6fe9a348 100644 --- a/tasks/section_1/cis_1.2.2.x.yml +++ b/tasks/section_1/cis_1.2.2.x.yml @@ -1,8 +1,7 @@ --- - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed" - when: - - ubtu22cis_rule_1_2_2_1 + when: ubtu22cis_rule_1_2_2_1 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml index 74dc89da..b87dafa5 100644 --- a/tasks/section_1/cis_1.3.1.x.yml +++ b/tasks/section_1/cis_1.3.1.x.yml 
@@ -16,8 +16,7 @@ state: present - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" - when: - - ubtu22cis_rule_1_3_1_2 + when: ubtu22cis_rule_1_3_1_2 tags: - level1-server - level1-workstation @@ -30,10 +29,10 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_1_3_1_2_cmdline_settings + register: discovered_cmdline_settings - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" - when: ubtu22cis_1_3_1_2_cmdline_settings.stdout is not search('apparmor=') + when: discovered_cmdline_settings.stdout is not search('apparmor=') ansible.builtin.lineinfile: path: /etc/default/grub regexp: ^(GRUB_CMDLINE_LINUX=")(|apparmor=\d\s)(.*\w+") @@ -42,7 +41,7 @@ notify: Grub update - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set security settings if none exist" - when: ubtu22cis_1_3_1_2_cmdline_settings.stdout is not search('security=') + when: discovered_cmdline_settings.stdout is not search('security=') ansible.builtin.lineinfile: path: /etc/default/grub regexp: ^(GRUB_CMDLINE_LINUX=")(|security=\w+\s)(.*\w+") 
@@ -52,19 +51,19 @@ - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist" when: - - "'apparmor' not in ubtu22cis_1_3_1_2_cmdline_settings.stdout" - - "'security' not in ubtu22cis_1_3_1_2_cmdline_settings.stdout" + - "'apparmor' not in discovered_cmdline_settings.stdout" + - "'security' not in discovered_cmdline_settings.stdout" ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ ubtu22cis_1_3_1_2_cmdline_settings.stdout }}"' + line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ discovered_cmdline_settings.stdout }}"' insertafter: '^GRUB_' notify: Grub update - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Replace apparmor settings when exists" when: - - "'apparmor' in ubtu22cis_1_3_1_2_cmdline_settings.stdout or - 'security' in ubtu22cis_1_3_1_2_cmdline_settings.stdout" + - "'apparmor' in discovered_cmdline_settings.stdout or + 'security' in discovered_cmdline_settings.stdout" ansible.builtin.replace: path: /etc/default/grub regexp: "{{ item.regexp }}" @@ -100,7 +99,7 @@ ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: ubtu22cis_1_3_1_4_pre_count + register: discovered_apparmor_pre_count - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Apply enforcing to /etc/apparmor.d profiles" ansible.builtin.shell: aa-enforce /etc/apparmor.d/* 
@@ -111,10 +110,10 @@ ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: ubtu22cis_1_3_1_4_post_count + register: discovered_apparmor_post_count - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | This flags for idempotency" - when: ubtu22cis_1_3_1_4_pre_count.stdout != ubtu22cis_1_3_1_4_post_count.stdout + when: discovered_apparmor_pre_count.stdout != discovered_apparmor_post_count.stdout ansible.builtin.debug: msg: Changed! The profiles in /etc/apparmor.d were set to enforcing changed_when: true @@ -132,15 +131,13 @@ - apparmor block: - name: "1.3.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only true for GOSS" - when: - - ubtu22cis_apparmor_mode == "enforce" + when: ubtu22cis_apparmor_mode == "enforce" ansible.builtin.set_fact: ubtu22cis_apparmor_enforce_only: true changed_when: false - name: "1.3.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only false for GOSS" - when: - - ubtu22cis_apparmor_mode == "complain" + when: ubtu22cis_apparmor_mode == "complain" ansible.builtin.set_fact: ubtu22cis_apparmor_enforce_only: false changed_when: false @@ -149,7 +146,7 @@ ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu22cis_apparmor_mode}} mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: ubtu22cis_1_3_1_3_pre_count + register: discovered_apparmor_pre_count - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Apply complaining/enforcing to /etc/apparmor.d profiles" ansible.builtin.shell: aa-{{ubtu22cis_apparmor_mode}} /etc/apparmor.d/* 
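Review bot: Both AppArmor rules now register into the same names: `discovered_apparmor_pre_count` / `discovered_apparmor_post_count` are written by 1.3.1.4 in the previous hunks and again by 1.3.1.3 here and in the next hunk, where the old names carried the rule number. Each block registers its own pre and post values before comparing them, so the runtime result is unchanged, but a reader or a later task can no longer tell which rule a value came from. Rule-qualified names keep the new `discovered_` prefix and the distinction: `register: discovered_apparmor_enforce_pre_count` for 1.3.1.4 and `register: discovered_apparmor_mode_pre_count` for 1.3.1.3, with matching `_post_count` names.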
@@ -160,10 +157,10 @@ ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu22cis_apparmor_mode}} mode" | tr -d -c 0-9 changed_when: false failed_when: false - register: ubtu22cis_1_3_1_3_post_count + register: discovered_apparmor_post_count - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | This flags for idempotency" - when: ubtu22cis_1_3_1_3_pre_count.stdout != ubtu22cis_1_3_1_3_post_count.stdout + when: discovered_apparmor_pre_count.stdout != discovered_apparmor_post_count.stdout ansible.builtin.debug: msg: Changed! The profiles in /etc/apparmor.d were set to {{ubtu22cis_apparmor_mode}} mode changed_when: true diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 97bb4e09..a216185b 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -30,8 +30,7 @@ notify: Grub update - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured" - when: - - ubtu22cis_rule_1_4_2 + when: ubtu22cis_rule_1_4_2 tags: - level1-server - level1-workstation @@ -43,11 +42,10 @@ ansible.builtin.stat: path: "{{ ubtu22cis_grub_file }}" check_mode: false - register: ubtu22cis_1_4_2_grub_cfg_status + register: discovered_grub_cfg_status - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | Set permissions" - when: - - ubtu22cis_1_4_2_grub_cfg_status.stat.exists + when: discovered_grub_cfg_status.stat.exists ansible.builtin.file: path: "{{ ubtu22cis_grub_file }}" owner: root diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index cf4e62a7..65157fe6 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -1,8 +1,7 @@ --- - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" - when: - - ubtu22cis_rule_1_5_1 + when: ubtu22cis_rule_1_5_1 tags: - level1-server - level1-workstation 
@@ -19,8 +18,7 @@ ignoreerrors: true - name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted" - when: - - ubtu22cis_rule_1_5_2 + when: ubtu22cis_rule_1_5_2 tags: - level1-server - level1-workstation @@ -37,8 +35,7 @@ ignoreerrors: true - name: "1.5.3 | PATCH | Ensure core dumps are restricted" - when: - - ubtu22cis_rule_1_5_3 + when: ubtu22cis_rule_1_5_3 tags: - level1-server - level1-workstation @@ -112,8 +109,7 @@ purge: "{{ ubtu22cis_purge_apt }}" - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled" - when: - - ubtu22cis_rule_1_5_5 + when: ubtu22cis_rule_1_5_5 tags: - level1-server - level1-workstation @@ -132,8 +128,7 @@ mode: '0644' - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package" - when: - - "'apport' in ansible_facts.packages" + when: "'apport' in ansible_facts.packages" ansible.builtin.package: name: apport state: absent diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 7da814cd..3e8d5ac9 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -1,8 +1,7 @@ --- - name: "1.6.1 | PATCH | Ensure message of the day is configured properly" - when: - - ubtu22cis_rule_1_6_1 + when: ubtu22cis_rule_1_6_1 tags: - level1-server - level1-workstation @@ -28,8 +27,7 @@ - { regexp: '# Pam_motd.so disabled for CIS benchmark', line: '# Pam_motd.so disabled for CIS benchmark' } - name: "1.6.2 | PATCH | Ensure local login warning banner is configured properly" - when: - - ubtu22cis_rule_1_6_2 + when: ubtu22cis_rule_1_6_2 tags: - level1-server - level1-workstation @@ -47,8 +45,7 @@ path: /etc/issue - name: "1.6.3 | PATCH | Ensure remote login warning banner is configured properly" - when: - - ubtu22cis_rule_1_6_3 + when: ubtu22cis_rule_1_6_3 tags: - level1-server - level1-workstation 
@@ -66,8 +63,7 @@ path: /etc/issue.net - name: "1.6.4 | PATCH | Ensure permissions on /etc/motd are configured" - when: - - ubtu22cis_rule_1_6_4 + when: ubtu22cis_rule_1_6_4 tags: - level1-server - level1-workstation @@ -82,8 +78,7 @@ mode: 'u-x,go-wx' - name: "1.6.5 | PATCH | Ensure permissions on /etc/issue are configured" - when: - - ubtu22cis_rule_1_6_5 + when: ubtu22cis_rule_1_6_5 tags: - level1-server - level1-workstation @@ -98,8 +93,7 @@ mode: 'u-x,go-wx' - name: "1.6.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - when: - - ubtu22cis_rule_1_6_6 + when: ubtu22cis_rule_1_6_6 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index dfd75077..ad16cfb1 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -1,9 +1,6 @@ --- - name: "1.7.1 | PATCH | Ensure GNOME Display Manager is removed" - ansible.builtin.package: - name: gdm3 - state: absent when: - ubtu22cis_rule_1_7_1 - not ubtu22cis_desktop_required @@ -14,11 +11,12 @@ - patch - rule_1.7.1 - gnome + ansible.builtin.package: + name: gdm3 + state: absent - name: "1.7.2 | PATCH | Ensure GDM login banner is configured" - when: - - ubtu22cis_rule_1_7_2 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_2 tags: - level1-server - level1-workstation @@ -28,7 +26,7 @@ block: - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | make directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" owner: root group: root mode: '0755' @@ -36,7 +34,7 @@ - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | banner settings" ansible.builtin.lineinfile: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-login-screen" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-login-screen" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" 
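Review bot: Dropping `ubtu22cis_desktop_required` from the `when:` of 1.7.2 leaves the GDM configuration rules gated only by the section-level `when: ubtu22cis_gui` in tasks/section_1/main.yml, while 1.7.1 in the hunk above still removes gdm3 when `not ubtu22cis_desktop_required`. On a host with `ubtu22cis_gui: true` and `ubtu22cis_desktop_required: false` the role now uninstalls gdm3 and then writes dconf banner, screen-lock and automount settings for it, and presumably triggers the `Update dconf` handler against tooling that may no longer be present. Either keep `- ubtu22cis_desktop_required` alongside the rule toggle on 1.7.2 through 1.7.9, or make 1.7.1 and the section guard decide on the same variable. The same removal is made in the cis_1.7.x hunks for 1.7.3 through 1.7.9.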
@@ -51,9 +49,7 @@ notify: Update dconf - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled" - when: - - ubtu22cis_rule_1_7_3 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_3 tags: - level1-server - level1-workstation @@ -69,12 +65,12 @@ mode: '0755' state: directory loop: - - /etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d + - /etc/dconf/db/{{ prelim_dconf_system_db }}.d - /etc/dconf/profile - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | disable-user-list setting login-screen" ansible.builtin.lineinfile: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-login-screen" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-login-screen" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" @@ -88,7 +84,7 @@ - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | disable-user-list setting profile" ansible.builtin.lineinfile: - path: "/etc/dconf/profile/{{ ubtu22cis_dconf_db_name }}" + path: "/etc/dconf/profile/{{ prelim_dconf_system_db }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" 
@@ -98,14 +94,12 @@ mode: '0644' loop: - { regexp: '^user-db:user', line: 'user-db:user', insertafter: EOF } - - { regexp: '^system-db:{{ ubtu22cis_dconf_db_name }}', line: 'system-db:{{ ubtu22cis_dconf_db_name }}', insertafter: 'user-db:user'} - - { regexp: '^file-db:/usr/share/gdm/greeter-dconf-defaults', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults', insertafter: 'system-db:{{ ubtu22cis_dconf_db_name }}'} + - { regexp: '^system-db:{{ prelim_dconf_system_db }}', line: 'system-db:{{ prelim_dconf_system_db }}', insertafter: 'user-db:user'} + - { regexp: '^file-db:/usr/share/gdm/greeter-dconf-defaults', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults', insertafter: 'system-db:{{ prelim_dconf_system_db }}'} notify: Update dconf - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle" - when: - - ubtu22cis_rule_1_7_4 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_4 tags: - level1-server - level1-workstation @@ -115,18 +109,18 @@ block: - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | session profile" ansible.builtin.lineinfile: - path: "/etc/dconf/profile/{{ ubtu22cis_dconf_db_name }}" + path: "/etc/dconf/profile/{{ prelim_dconf_system_db }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.after | default(omit) }}" create: true loop: - { regexp: 'user-db:user', line: 'user-db:user' } - - { regexp: 'system-db:{{ ubtu22cis_dconf_db_name }}', line: 'system-db:{{ ubtu22cis_dconf_db_name }}', after: '^user-db.*' } + - { regexp: 'system-db:{{ prelim_dconf_system_db }}', line: 'system-db:{{ prelim_dconf_system_db }}', after: '^user-db.*' } - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | make directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" owner: root group: root mode: '0755' 
@@ -136,16 +130,14 @@ - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | session script" ansible.builtin.template: src: etc/dconf/db/00-screensaver.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-screensaver" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-screensaver" owner: root group: root mode: '0644' notify: Update dconf - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden" - when: - - ubtu22cis_rule_1_7_5 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_5 tags: - level1-server - level1-workstation @@ -155,7 +147,7 @@ block: - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks" owner: root group: root mode: '0755' @@ -165,16 +157,14 @@ - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lockfile" ansible.builtin.template: src: etc/dconf/db/00-screensaver_lock.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-screensaver" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks/00-screensaver" owner: root group: root mode: '0644' notify: Update dconf - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" - when: - - ubtu22cis_rule_1_7_6 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_6 tags: - level1-server - level2-workstation @@ -184,7 +174,7 @@ block: - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | make directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" owner: root group: root mode: '0755' 
@@ -194,16 +184,14 @@ - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | session script" ansible.builtin.template: src: etc/dconf/db/00-media-automount.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-media-automount" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-media-automount" owner: root group: root mode: '0644' notify: Update dconf - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" - when: - - ubtu22cis_rule_1_7_7 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_7 tags: - level1-server - level2-workstation @@ -213,7 +201,7 @@ block: - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lock directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks" owner: root group: root mode: '0755' @@ -223,16 +211,14 @@ - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lockfile" ansible.builtin.template: src: etc/dconf/db/00-automount_lock.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-automount_lock" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks/00-automount_lock" owner: root group: root mode: '0644' notify: Update dconf - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled" - when: - - ubtu22cis_rule_1_7_8 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_8 tags: - level1-server - level2-workstation @@ -242,7 +228,7 @@ block: - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled | make directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" owner: root group: root mode: '0755' 
@@ -252,16 +238,15 @@ - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled | session script" ansible.builtin.template: src: etc/dconf/db/00-media-autorun.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/00-media-autorun" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-media-autorun" owner: root group: root mode: '0644' notify: Update dconf - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden" - when: - - ubtu22cis_rule_1_7_9 - - ubtu22cis_desktop_required + when: ubtu22cis_rule_1_7_9 + tags: - level1-server - level2-workstation @@ -271,7 +256,7 @@ block: - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden | make lock directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks" + path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks" owner: root group: root mode: '0755' @@ -281,15 +266,14 @@ - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden | make lockfile" ansible.builtin.template: src: etc/dconf/db/00-autorun_lock.j2 - dest: "/etc/dconf/db/{{ ubtu22cis_dconf_db_name }}.d/locks/00-autorun_lock" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks/00-autorun_lock" owner: root group: root mode: '0644' notify: Update dconf - name: "1.7.10 | PATCH | Ensure XDCMP is not enabled" - when: - - ubtu22cis_rule_1_7_10 + when: ubtu22cis_rule_1_7_10 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 137b9593..e9f3f54b 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
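Review bot: The 1.7.9 task gains an empty line between `when: ubtu22cis_rule_1_7_9` and `tags:` (the added blank `+` line in the `@@ -252,16 +238,15 @@` hunk), which no other task in this file has. It parses fine but splits the task's keys visually and looks like a stray edit rather than intent. Drop the empty line so `when: ubtu22cis_rule_1_7_9` is directly followed by `tags:`, matching 1.7.2 through 1.7.8.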
@@ -1,58 +1,56 @@ --- - name: "SECTION | 1.1.1 | Configure Filesystem Kernel Modules" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.1.1.x.yml - when: not system_is_container - name: "SECTION | 1.1.2.1 | Configure /tmp" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.1.2.1.x.yml - when: not system_is_container - name: "SECTION | 1.1.2.2 | Configure /dev/shm" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.1.2.2.x.yml - when: not system_is_container - name: "SECTION | 1.1.2.3 | Configure /home" ansible.builtin.import_tasks: file: cis_1.1.2.3.x.yml - name: "SECTION | 1.1.2.4 | Configure /var" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.1.2.4.x.yml - when: not system_is_container - name: "SECTION | 1.1.2.5 | Configure /var/tmp" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.1.2.5.x.yml - when: not system_is_container - name: "SECTION | 1.1.2.6 | Configure /var/log" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.1.2.6.x.yml - when: not system_is_container - name: "SECTION | 1.1.2.7 | Configure /var/log/audit" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.1.2.7.x.yml - when: not system_is_container - name: "SECTION | 1.2.1 | Configure Package Repositories" ansible.builtin.import_tasks: file: cis_1.2.1.x.yml - when: not system_is_container - name: "SECTION | 1.2.2 | Configure Package Updates" ansible.builtin.import_tasks: file: cis_1.2.2.x.yml - when: not system_is_container - name: "SECTION | 1.3 | Configure AppArmor" + when: not system_is_container ansible.builtin.import_tasks: file: cis_1.3.1.x.yml - when: not system_is_container - name: "SECTION | 1.4 | Configure Bootloader" ansible.builtin.import_tasks: 
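Review bot: The `when: not system_is_container` guard is removed from the 1.2.1 and 1.2.2 section imports here, and from 1.5 in the next hunk, without an equivalent guard appearing inside those task files in this patch, so package-repository, update and process-hardening tasks now run in containers. For 1.2.2.1 that means installing updates into a container image; for 1.5 the sysctl tasks rely on `ignoreerrors: true` (visible in the cis_1.5.x hunks), so a read-only `/proc/sys` would, as far as I can tell, be ignored rather than skipped, and the run would look as if the kernel parameters were applied. If running these in containers is intended, a comment on the imports would stop the guard being re-added later, e.g. `# deliberately not gated on system_is_container: apt and sysctl.d files are valid in a container`; otherwise restore the guard on 1.2.2 and 1.5.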
@@ -61,15 +59,12 @@ - name: "SECTION | 1.5 | Configure Additional Process Hardening" ansible.builtin.import_tasks: file: cis_1.5.x.yml - when: not system_is_container - name: "SECTION | 1.6 | Command Line Warning Banners" ansible.builtin.import_tasks: file: cis_1.6.x.yml - name: "SECTION | 1.7 | Configure DNOME Display Manager" - when: - - "'gdm3' in ansible_facts.packages" - - not system_is_container + when: ubtu22cis_gui ansible.builtin.import_tasks: file: cis_1.7.x.yml diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 62c2670e..c3856db4 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -3,7 +3,6 @@ - name: "2.1.1 | PATCH | Ensure autofs services are not in use" when: - ubtu22cis_rule_2_1_1 - - "'autofs' in ansible_facts.packages" tags: - level1-server - level2-workstation @@ -23,16 +22,15 @@ when: - not ubtu22cis_autofs_services - ubtu22cis_autofs_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: autofs enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use" - when: - - ubtu22cis_rule_2_1_2 + when: ubtu22cis_rule_2_1_2 tags: - level1-server - level2-workstation @@ -56,7 +54,6 @@ when: - not ubtu22cis_avahi_server - ubtu22cis_avahi_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -65,10 +62,10 @@ loop: - avahi-daemon.socket - avahi-daemon.service + notify: Systemd_daemon_reload - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use" - when: - - ubtu22cis_rule_2_1_3 + when: ubtu22cis_rule_2_1_3 tags: - level1-server - level1-workstation @@ -90,7 +87,6 @@ when: - not ubtu22cis_dhcp_server - ubtu22cis_dhcp_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false 
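Review bot: The 1.7 section import now keys on the operator-set `ubtu22cis_gui` alone, where the old condition checked `'gdm3' in ansible_facts.packages` and `not system_is_container`; neither fact is consulted any more, so a stale `ubtu22cis_gui: true` in group vars runs the GDM tasks on a headless host or a container. If `ubtu22cis_gui` is meant to be derived in prelim from the installed packages, a comment here naming where it is set would help; if it is a user knob, keeping the container guard is cheap: `when:` / `- ubtu22cis_gui` / `- not system_is_container`.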
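Review bot: Removing `'autofs' in ansible_facts.packages` from the `when:` of 2.1.1 means the rule's block now runs on hosts without autofs installed, and whether that is harmless depends on the block's tasks outside this hunk: the visible `ansible.builtin.systemd` task sets `enabled: false`/`state: stopped`/`masked: true` on `autofs`, and as far as I recall the systemd module fails with "could not find the requested service" on a unit that does not exist. Other rules in this file, such as 2.1.14 and 2.1.15, still carry a multi-line `when:` and presumably keep their package check, so 2.1.1 becomes the odd one out. Either keep the package condition here or gate the inner systemd task with `when: "'autofs' in ansible_facts.packages"`.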
@@ -99,10 +95,10 @@ loop: - isc-dhcp-server.service - isc-dhcp-server6.service + notify: Systemd_daemon_reload - name: "2.1.4 | PATCH | Ensure dns server services are not in use" - when: - - ubtu22cis_rule_2_1_4 + when: ubtu22cis_rule_2_1_4 tags: - level1-server - level1-workstation @@ -124,16 +120,15 @@ when: - not ubtu22cis_dns_server - ubtu22cis_dns_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: named.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use" - when: - - ubtu22cis_rule_2_1_5 + when: ubtu22cis_rule_2_1_5 tags: - level1-server - level1-workstation @@ -155,16 +150,15 @@ when: - not ubtu22cis_dnsmasq_server - ubtu22cis_dnsmasq_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: dnsmasq.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.6 | PATCH | Ensure ftp server services are not in use" - when: - - ubtu22cis_rule_2_1_6 + when: ubtu22cis_rule_2_1_6 tags: - level1-server - level1-workstation @@ -187,16 +181,15 @@ when: - not ubtu22cis_ftp_server - ubtu22cis_ftp_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: vsftpd.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.7 | PATCH | Ensure ldap server services are not in use" - when: - - ubtu22cis_rule_2_1_7 + when: ubtu22cis_rule_2_1_7 tags: - level1-server - level1-workstation @@ -218,16 +211,15 @@ when: - not ubtu22cis_ldap_server - ubtu22cis_ldap_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: slapd.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.8 | PATCH | Ensure message access server services are not in use" - when: - - ubtu22cis_rule_2_1_8 + when: ubtu22cis_rule_2_1_8 tags: - level1-server - level1-workstation 
@@ -253,7 +245,6 @@ when: - not ubtu22cis_message_server - ubtu22cis_message_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -262,10 +253,10 @@ loop: - "dovecot.socket" - "dovecot.service" + notify: Systemd_daemon_reload - name: "2.1.9 | PATCH | Ensure network file system services are not in use" - when: - - ubtu22cis_rule_2_1_9 + when: ubtu22cis_rule_2_1_9 tags: - level1-server - level1-workstation @@ -288,16 +279,15 @@ when: - not ubtu22cis_nfs_server - ubtu22cis_nfs_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: nfs-server.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.10 | PATCH | Ensure nis server services are not in use" - when: - - ubtu22cis_rule_2_1_10 + when: ubtu22cis_rule_2_1_10 tags: - level1-server - level1-workstation @@ -325,10 +315,10 @@ enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.11 | PATCH | Ensure print server services are not in use" - when: - - ubtu22cis_rule_2_1_11 + when: ubtu22cis_rule_2_1_11 tags: - level1-server - patch @@ -349,7 +339,6 @@ when: - not ubtu22cis_print_server - ubtu22cis_print_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -358,10 +347,10 @@ loop: - "cups.socket" - "cups.service" + notify: Systemd_daemon_reload - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use" - when: - - ubtu22cis_rule_2_1_12 + when: ubtu22cis_rule_2_1_12 tags: - level1-server - level1-workstation @@ -383,7 +372,6 @@ when: - not ubtu22cis_rpc_server - ubtu22cis_rpc_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -392,10 +380,10 @@ loop: - rpcbind.service - rpcbind.socket + notify: Systemd_daemon_reload - name: "2.1.13 | PATCH | Ensure rsync services are not in use" - when: - - ubtu22cis_rule_2_1_13 + when: ubtu22cis_rule_2_1_13 tags: - level1-server - level1-workstation 
@@ -417,12 +405,12 @@ when: - not ubtu22cis_rsync_server - ubtu22cis_rsync_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: rsyncd.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.14 | PATCH | Ensure samba file server services are not in use" when: @@ -448,12 +436,12 @@ when: - not ubtu22cis_samba_server - ubtu22cis_samba_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: smbd.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.15 | PATCH | Ensure snmp services are not in use" when: @@ -480,16 +468,15 @@ when: - not ubtu22cis_snmp_server - ubtu22cis_snmp_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: snmpd.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.16 | PATCH | Ensure tftp server services are not in use" - when: - - ubtu22cis_rule_2_1_16 + when: ubtu22cis_rule_2_1_16 tags: - level1-server - level1-workstation @@ -511,16 +498,15 @@ when: - not ubtu22cis_tftp_server - ubtu22cis_tftp_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: tftpd-hpa.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use" - when: - - ubtu22cis_rule_2_1_17 + when: ubtu22cis_rule_2_1_17 tags: - level1-server - level1-workstation @@ -542,16 +528,15 @@ when: - not ubtu22cis_squid_server - ubtu22cis_squid_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: squid.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.18 | PATCH | Ensure web server services are not in use" - when: - - ubtu22cis_rule_2_1_18 + when: ubtu22cis_rule_2_1_18 tags: - level1-server - level1-workstation 
@@ -586,31 +571,30 @@ - not ubtu22cis_apache2_server - ubtu22cis_apache2_mask - "'apache2' in ansible_facts.packages" - notify: Systemd_daemon_reload ansible.builtin.systemd: - name: + name: "{{ item }}" enabled: false state: stopped masked: true loop: - apache2.service - apache2.socket + notify: Systemd_daemon_reload - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask nginx service" when: - not ubtu22cis_nginx_server - ubtu22cis_nginx_mask - "'nginx' in ansible_facts.packages" - notify: Systemd_daemon_reload ansible.builtin.systemd: name: ngnix.service enabled: false state: stopped masked: true + notify: Systemd_daemon_reload - name: "2.1.19 | PATCH | Ensure xinetd services are not in use" - when: - - ubtu22cis_rule_2_1_19 + when: ubtu22cis_rule_2_1_19 tags: - level1-server - level1-workstation @@ -625,19 +609,19 @@ - not ubtu22cis_xinetd_mask ansible.builtin.package: name: xinetd - state: absent purge: "{{ ubtu22cis_purge_apt }}" + state: absent - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Mask service" when: - not ubtu22cis_xinetd_server - ubtu22cis_xinetd_mask - notify: Systemd_daemon_reload ansible.builtin.systemd: name: xinetd.service enabled: false - state: stopped masked: true + state: stopped + notify: Systemd_daemon_reload - name: "2.1.20 | PATCH | Ensure X window server services are not in use" when: @@ -669,7 +653,6 @@ block: - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed" when: "'exim4' in ansible_facts.packages" - notify: Restart exim4 ansible.builtin.lineinfile: path: /etc/exim4/update-exim4.conf.conf regexp: "{{ item.regexp }}" 
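Review bot: The nginx mask task in this hunk targets `name: ngnix.service`, a transposition of `nginx.service`; because the task is gated on `'nginx' in ansible_facts.packages`, on every host where nginx is actually installed the module will either fail on the unknown unit or mask a non-existent `ngnix.service` while the real web server keeps running, so control 2.1.18 is never enforced for nginx. Change it to `name: nginx.service`. The `notify` reordering in the same hunk is fine and matches the rest of the file.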
@@ -686,6 +669,7 @@ - { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" } - { regexp: '^dc_mailname_in_oh', line: "dc_mailname_in_oh='true'" } - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" } + notify: Restart exim4 - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if postfix is installed" when: "'postfix' in ansible_facts.packages" @@ -712,8 +696,7 @@ file: warning_facts.yml - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface" - when: - - ubtu22cis_rule_2_1_22 + when: ubtu22cis_rule_2_1_22 tags: - level1-server - level1-workstation @@ -726,16 +709,16 @@ - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" ansible.builtin.shell: systemctl list-units --type=service changed_when: false - failed_when: ubtu22cis_2_1_22_services.rc not in [ 0, 1 ] + failed_when: discovered_list_of_services.rc not in [ 0, 1 ] check_mode: false - register: ubtu22cis_2_1_22_services + register: discovered_list_of_services - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Display list of services" ansible.builtin.debug: msg: - "Warning!! Below are the list of services, both active and inactive" - "Please review to make sure all are essential" - - "{{ ubtu22cis_2_1_22_services.stdout_lines }}" + - "{{ discovered_list_of_services.stdout_lines }}" - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Warn Count" ansible.builtin.import_tasks: diff --git a/tasks/section_2/cis_2.3.1.x.yml b/tasks/section_2/cis_2.3.1.x.yml index 44eb9ee3..5f6e1335 100644 --- a/tasks/section_2/cis_2.3.1.x.yml +++ b/tasks/section_2/cis_2.3.1.x.yml 
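Review bot: The 2.1.22 audit registers the output of `systemctl list-units --type=service`, which enumerates every service unit rather than the sockets listening on a network interface that the control is named for, so the operator is asked to review a list that does not show what is actually exposed. A listing of listening sockets such as `ss -plntu` would give the evidence the control asks for, and the debug line "Below are the list of services, both active and inactive" would then need rewording to match. The register rename to `discovered_list_of_services` is consistent with the other audit tasks in this commit.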
@@ -1,8 +1,7 @@ --- - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use" - when: - - ubtu22cis_rule_2_3_1_1 + when: ubtu22cis_rule_2_3_1_1 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.3.2.x.yml b/tasks/section_2/cis_2.3.2.x.yml index bce50669..fff911cb 100644 --- a/tasks/section_2/cis_2.3.2.x.yml +++ b/tasks/section_2/cis_2.3.2.x.yml @@ -1,8 +1,7 @@ --- - name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver" - when: - - ubtu22cis_rule_2_3_2_1 + when: ubtu22cis_rule_2_3_2_1 tags: - level1-server - level1-workstation @@ -30,8 +29,7 @@ notify: Restart timeservice - name: "2.3.2.2 | PATCH | Ensure systemd-timesyncd is enabled and running" - when: - - ubtu22cis_rule_2_3_2_2 + when: ubtu22cis_rule_2_3_2_2 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.3.3.x.yml b/tasks/section_2/cis_2.3.3.x.yml index f87d275a..1ed92caf 100644 --- a/tasks/section_2/cis_2.3.3.x.yml +++ b/tasks/section_2/cis_2.3.3.x.yml @@ -1,8 +1,7 @@ --- - name: "2.3.3.1 | PATCH | Ensure chrony is configured with authorized timeserver" - when: - - ubtu22cis_rule_2_3_3_1 + when: ubtu22cis_rule_2_3_3_1 tags: - level1-server - level1-workstation @@ -30,8 +29,7 @@ notify: Restart timeservice - name: "2.3.3.2 | PATCH | Ensure chrony is running as user _chrony" - when: - - ubtu22cis_rule_2_3_3_2 + when: ubtu22cis_rule_2_3_3_2 tags: - level1-server - level1-workstation @@ -44,8 +42,7 @@ line: 'user _chrony' - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running" - when: - - ubtu22cis_rule_2_3_3_3 + when: ubtu22cis_rule_2_3_3_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.4.1.x.yml b/tasks/section_2/cis_2.4.1.x.yml index bf4fe436..dc4a5736 100644 --- a/tasks/section_2/cis_2.4.1.x.yml +++ b/tasks/section_2/cis_2.4.1.x.yml 
@@ -1,8 +1,7 @@ --- - name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and running" - when: - - ubtu22cis_rule_2_4_1_1 + when: ubtu22cis_rule_2_4_1_1 tags: - level1-server - level1-workstation @@ -15,8 +14,7 @@ enabled: true - name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" - when: - - ubtu22cis_rule_2_4_1_2 + when: ubtu22cis_rule_2_4_1_2 tags: - level1-server - level1-workstation @@ -30,8 +28,7 @@ mode: '0600' - name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" - when: - - ubtu22cis_rule_2_4_1_3 + when: ubtu22cis_rule_2_4_1_3 tags: - level1-server - level1-workstation @@ -46,8 +43,7 @@ state: directory - name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" - when: - - ubtu22cis_rule_2_4_1_4 + when: ubtu22cis_rule_2_4_1_4 tags: - level1-server - level1-workstation @@ -62,8 +58,7 @@ state: directory - name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" - when: - - ubtu22cis_rule_2_4_1_5 + when: ubtu22cis_rule_2_4_1_5 tags: - level1-server - level1-workstation @@ -78,8 +73,7 @@ state: directory - name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" - when: - - ubtu22cis_rule_2_4_1_6 + when: ubtu22cis_rule_2_4_1_6 tags: - level1-server - level1-workstation @@ -94,8 +88,7 @@ state: directory - name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" - when: - - ubtu22cis_rule_2_4_1_7 + when: ubtu22cis_rule_2_4_1_7 tags: - level1-server - level1-workstation @@ -110,8 +103,7 @@ state: directory - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users" - when: - - ubtu22cis_rule_2_4_1_8 + when: ubtu22cis_rule_2_4_1_8 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.4.2.x.yml b/tasks/section_2/cis_2.4.2.x.yml index cd95e107..d22a311b 100644 --- a/tasks/section_2/cis_2.4.2.x.yml +++ b/tasks/section_2/cis_2.4.2.x.yml 
@@ -1,8 +1,7 @@ --- - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users" - when: - - - ubtu22cis_rule_2_4_2_1 + when: ubtu22cis_rule_2_4_2_1 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 03fccd34..06aa0b6e 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -13,14 +13,12 @@ file: cis_2.3.1.x.yml - name: "SECTION | 2.3.2.x | Configure systemd-timesyncd" - when: - - ubtu22cis_time_sync_tool == "systemd-timesyncd" + when: ubtu22cis_time_sync_tool == "systemd-timesyncd" ansible.builtin.import_tasks: file: cis_2.3.2.x.yml - name: "SECTION | 2.3.3.x | Configure Chrony" - when: - - ubtu22cis_time_sync_tool == "chrony" + when: ubtu22cis_time_sync_tool == "chrony" ansible.builtin.import_tasks: file: cis_2.3.3.x.yml diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index bf9d773d..3070ca08 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -17,7 +17,7 @@ path: /etc/default/grub regexp: '^(GRUB_CMDLINE_LINUX=.*)\bipv6\.disable=\d\b(.*$)' replace: '\1ipv6.disable=1\2' - register: ipv6disable_replaced + register: discovered_ipv6disable_replaced notify: Grub update - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Check grub cmdline linux" @@ -25,13 +25,13 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_3_1_1_cmdline_settings + register: discovered_grub_cmdline_settings - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Insert ipv6.disable if it doesn't exist" when: - ubtu22cis_ipv6_disable == 'grub' - - ipv6disable_replaced is not changed - - "'ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout" + - discovered_ipv6disable_replaced is not changed + - "'ipv6.disable' not in discovered_grub_cmdline_settings.stdout" ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^(GRUB_CMDLINE_LINUX=".*)"$' 
@@ -54,6 +54,7 @@ - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" when: - ubtu22cis_rule_3_1_2 + - prelim_wireless_adapters_exist tags: - level1-server - patch @@ -68,15 +69,15 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_3_1_2_wifi_status + register: discovered_wifi_status - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" when: - "'network-manager' in ansible_facts.packages" - - "'enabled' in ubtu22cis_3_1_2_wifi_status.stdout" + - "'enabled' in discovered_wifi_status.stdout" ansible.builtin.shell: nmcli radio all off - changed_when: ubtu22cis_3_1_2_nmcli_radio_off.rc == 0 - register: ubtu22cis_3_1_2_nmcli_radio_off + changed_when: discovered_nmcli_radio_off.rc == 0 + register: discovered_nmcli_radio_off - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" when: "'network-manager' not in ansible_facts.packages" @@ -89,8 +90,7 @@ file: warning_facts.yml - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use" - when: - - ubtu22cis_rule_3_1_3 + when: ubtu22cis_rule_3_1_3 tags: - level1-server - level2-workstation diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index c9c9e9ae..aaf050e5 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -1,8 +1,7 @@ --- - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available" - when: - - ubtu22cis_rule_3_2_1 + when: ubtu22cis_rule_3_2_1 tags: - level2-server - level2-workstation @@ -29,8 +28,7 @@ mode: '0600' - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available" - when: - - ubtu22cis_rule_3_2_2 + when: ubtu22cis_rule_3_2_2 tags: - level2-server - level2-workstation 
@@ -57,8 +55,7 @@ mode: '0600' - name: "3.2.3 | PATCH | Ensure rds kernel module is not available" - when: - - ubtu22cis_rule_3_2_3 + when: ubtu22cis_rule_3_2_3 tags: - level2-server - level2-workstation @@ -85,8 +82,7 @@ mode: '0600' - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available" - when: - - ubtu22cis_rule_3_2_4 + when: ubtu22cis_rule_3_2_4 tags: - level2-server - level2-workstation diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index c79e634f..cd22545d 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -62,8 +62,7 @@ notify: Flush ipv4 route table - name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored" - when: - - ubtu22cis_rule_3_3_3 + when: ubtu22cis_rule_3_3_3 tags: - level1-server - level1-workstation @@ -82,8 +81,7 @@ notify: Flush ipv4 route table - name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored" - when: - - ubtu22cis_rule_3_3_4 + when: ubtu22cis_rule_3_3_4 tags: - level1-server - level1-workstation @@ -102,8 +100,7 @@ notify: Flush ipv4 route table - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted" - when: - - ubtu22cis_rule_3_3_5 + when: ubtu22cis_rule_3_3_5 tags: - level1-server - level1-workstation @@ -142,8 +139,7 @@ notify: Flush ipv6 route table - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted" - when: - - ubtu22cis_rule_3_3_6 + when: ubtu22cis_rule_3_3_6 tags: - level1-server - level1-workstation @@ -165,8 +161,7 @@ notify: Flush ipv4 route table - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - when: - - ubtu22cis_rule_3_3_7 + when: ubtu22cis_rule_3_3_7 tags: - level1-server - level1-workstation @@ -229,8 +224,7 @@ notify: Flush ipv6 route table - name: "3.3.9 | PATCH | Ensure suspicious packets are logged" - when: - - ubtu22cis_rule_3_3_9 + when: ubtu22cis_rule_3_3_9 tags: - level1-server - level1-workstation 
@@ -252,8 +246,7 @@ notify: Flush ipv4 route table - name: "3.3.10 | PATCH | Ensure tcp syn cookies is enabled" - when: - - ubtu22cis_rule_3_3_10 + when: ubtu22cis_rule_3_3_10 tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index 9c69f929..d69b3f83 100644 --- a/tasks/section_4/cis_4.1.x.yml +++ b/tasks/section_4/cis_4.1.x.yml @@ -92,8 +92,7 @@ notify: Reload ufw - name: "4.1.5 | PATCH | Ensure ufw outbound connections are configured" - when: - - ubtu22cis_rule_4_1_5 + when: ubtu22cis_rule_4_1_5 tags: - level1-server - level1-workstation @@ -119,8 +118,7 @@ notify: Reload ufw - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports" - when: - - ubtu22cis_rule_4_1_6 + when: ubtu22cis_rule_4_1_6 tags: - level1-server - level1-workstation @@ -135,14 +133,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_1_6_open_listen_ports + register: discovered_list_open_listen_ports - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules" ansible.builtin.shell: ufw status changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_1_6_firewall_rules + register: discovered_firewall_rules - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Message out settings" ansible.builtin.debug: 
@@ -150,17 +148,16 @@ - "Warning!! Below are the listening ports and firewall rules" - "Please create firewall rule for any open ports if not already done" - "*****---Open Listen Ports---*****" - - "{{ ubtu22cis_4_1_6_open_listen_ports.stdout_lines }}" + - "{{ discovered_list_open_listen_ports.stdout_lines }}" - "*****---Firewall Rules---*****" - - "{{ ubtu22cis_4_1_6_firewall_rules.stdout_lines }}" + - "{{ discovered_firewall_rules.stdout_lines }}" - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: file: warning_facts.yml - name: "4.1.7 | PATCH | Ensure ufw default deny firewall policy" - when: - - ubtu22cis_rule_4_1_7 + when: ubtu22cis_rule_4_1_7 tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.3.1.x.yml b/tasks/section_4/cis_4.3.1.x.yml index 434391dd..19391011 100644 --- a/tasks/section_4/cis_4.3.1.x.yml +++ b/tasks/section_4/cis_4.3.1.x.yml @@ -84,11 +84,11 @@ ansible.builtin.iptables: policy: DROP chain: "{{ item }}" - notify: Iptables persistent with_items: - INPUT - FORWARD - OUTPUT + notify: Iptables persistent - name: "4.3.1.2 | PATCH | Ensure iptables loopback traffic is configured" when: @@ -144,7 +144,6 @@ match: state ctstate: '{{ item.ctstate }}' jump: ACCEPT - notify: Iptables persistent with_items: - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } @@ -152,6 +151,7 @@ - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } + notify: Iptables persistent - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" when: 
@@ -170,14 +170,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_1_4_open_ports + register: discovered_open_ports_list - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" ansible.builtin.shell: iptables -L INPUT -v -n changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_1_4_current_rules + register: discovered_current_iptables_rules - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: @@ -185,9 +185,9 @@ - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - - "{{ ubtu22cis_4_3_1_4_open_ports.stdout_lines }}" + - "{{ discovered_open_ports_list.stdout_lines }}" - "Current Rules:" - - "{{ ubtu22cis_4_3_1_4_current_rules.stdout_lines }}" + - "{{ discovered_current_iptables_rules.stdout_lines }}" - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: @@ -322,7 +322,6 @@ ctstate: '{{ item.ctstate }}' jump: ACCEPT ip_version: ipv6 - notify: Ip6tables persistent loop: - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } @@ -330,6 +329,7 @@ - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } + notify: Ip6tables persistent - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" when: 
@@ -351,14 +351,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_1_4_open_ports + register: discovered_open_ports_list - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" ansible.builtin.shell: ip6tables -L INPUT -v -n changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_1_4_current_rules + register: discovered_current_iptables_rules - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: @@ -366,9 +366,9 @@ - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - - "{{ ubtu22cis_4_3_1_4_open_ports.stdout_lines }}" + - "{{ discovered_open_ports_list.stdout_lines }}" - "Current Rules:" - - "{{ ubtu22cis_4_3_1_4_current_rules.stdout_lines }}" + - "{{ discovered_current_iptables_rules.stdout_lines }}" - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: diff --git a/tasks/section_4/cis_4.3.2.x.yml b/tasks/section_4/cis_4.3.2.x.yml index 89f30d5c..fdd940c6 100644 --- a/tasks/section_4/cis_4.3.2.x.yml +++ b/tasks/section_4/cis_4.3.2.x.yml @@ -41,11 +41,11 @@ ansible.builtin.iptables: policy: DROP chain: "{{ item }}" - notify: Iptables persistent loop: - INPUT - FORWARD - OUTPUT + notify: Iptables persistent - name: "4.3.2.2 | PATCH | Ensure iptables loopback traffic is configured" when: @@ -101,7 +101,6 @@ match: state ctstate: '{{ item.ctstate }}' jump: ACCEPT - notify: Iptables persistent with_items: - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } 
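Review bot: The ip6tables audit in this hunk registers `discovered_open_ports_list` and `discovered_current_iptables_rules`, the same names the IPv4 audit earlier in this file uses, so the IPv6 results overwrite the IPv4 ones and the second name misdescribes ip6tables output. cis_4.3.3.x.yml in this same commit already uses the `discovered_ip6tables_…` form; rename here to `register: discovered_ip6tables_open_ports` and `register: discovered_ip6tables_current_rules`, and update the two `{{ … .stdout_lines }}` references in the following debug hunk to match.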
@@ -109,6 +108,7 @@ - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } + notify: Iptables persistent - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" when: @@ -129,14 +129,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_1_4_open_ports + register: discovered_list_open_ports - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" ansible.builtin.shell: iptables -L INPUT -v -n changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_2_4_current_rules + register: discovered_current_iptables_rules - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: @@ -144,9 +144,9 @@ - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - - "{{ ubtu22cis_4_3_2_4_open_ports.stdout_lines }}" + - "{{ discovered_list_open_ports.stdout_lines }}" - "Current Rules:" - - "{{ ubtu22cis_4_3_2_4_current_rules.stdout_lines }}" + - "{{ discovered_current_iptables_rules.stdout_lines }}" - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: diff --git a/tasks/section_4/cis_4.3.3.x.yml b/tasks/section_4/cis_4.3.3.x.yml index 4078a72b..730ba293 100644 --- a/tasks/section_4/cis_4.3.3.x.yml +++ b/tasks/section_4/cis_4.3.3.x.yml @@ -1,8 +1,7 @@ --- - name: "4.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy" - when: - - ubtu22cis_rule_4_3_3_1 + when: ubtu22cis_rule_4_3_3_1 tags: - level1-server - level1-workstationå 
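Review bot: The last tag in the cis_4.3.3.x.yml hunk reads `- level1-workstationå`, a stray character appended to `level1-workstation`, so a run filtered with `--tags level1-workstation` silently skips 4.3.3.1 "Ensure ip6tables default deny firewall policy" on workstations while the IPv4 equivalent is applied. Change it to `- level1-workstation`; the commit touches the adjacent `when:` line and is the natural place to fix it. The tag list continues outside the hunk, so the remaining tags should be checked for the same corruption.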
@@ -33,11 +32,11 @@ policy: DROP chain: "{{ item }}" ip_version: ipv6 - notify: Ip6tables persistent loop: - INPUT - FORWARD - OUTPUT + notify: Ip6tables persistent - name: "4.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured" when: @@ -95,7 +94,6 @@ ctstate: '{{ item.ctstate }}' jump: ACCEPT ip_version: ipv6 - notify: Ip6tables persistent loop: - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } @@ -103,6 +101,7 @@ - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } + notify: Ip6tables persistent - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" when: @@ -122,14 +121,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_3_4_open_ports + register: discovered_list_ip6tables_open_ports - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" ansible.builtin.shell: ip6tables -L INPUT -v -n changed_when: false failed_when: false check_mode: false - register: ubtu22cis_4_3_3_4_current_rules + register: discovered_ip6tables_current_rules - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" ansible.builtin.debug: @@ -137,9 +136,9 @@ - "Warning!! Below is the list the open ports and current rules" - "Please create a rule for any open port that does not have a current rule" - "Open Ports:" - - "{{ ubtu22cis_4_3_3_4_open_ports.stdout_lines }}" + - "{{ discovered_list_ip6tables_open_ports.stdout_lines }}" - "Current Rules:" - - "{{ ubtu22cis_4_3_3_4_current_rules.stdout_lines }}" + - "{{ discovered_ip6tables_current_rules.stdout_lines }}" - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count" ansible.builtin.import_tasks: 
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 35bb5647..dad495ac 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -1,8 +1,7 @@ --- - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" - when: - - ubtu22cis_rule_5_1_1 + when: ubtu22cis_rule_5_1_1 tags: - level1-server - level1-workstation @@ -16,8 +15,7 @@ mode: '0600' - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured" - when: - - ubtu22cis_rule_5_1_2 + when: ubtu22cis_rule_5_1_2 tags: - level1-server - level1-workstation @@ -29,7 +27,7 @@ ansible.builtin.find: paths: /etc/ssh patterns: 'ssh_host_*_key' - register: ubtu22cis_5_1_2_ssh_host_priv_keys + register: discovered_ssh_host_priv_keys - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions" ansible.builtin.file: @@ -38,13 +36,12 @@ group: root mode: 'o-x,go-rwx' with_items: - - "{{ ubtu22cis_5_1_2_ssh_host_priv_keys.files }}" + - "{{ discovered_ssh_host_priv_keys.files }}" loop_control: label: "{{ item.path }}" - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured" - when: - - ubtu22cis_rule_5_1_3 + when: ubtu22cis_rule_5_1_3 tags: - level1-server - level1-workstation @@ -56,7 +53,7 @@ ansible.builtin.find: paths: /etc/ssh patterns: 'ssh_host_*_key.pub' - register: ubtu22cis_5_1_3_ssh_host_pub_keys + register: discovered_ssh_host_pub_keys - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions" ansible.builtin.file: @@ -65,13 +62,12 @@ group: root mode: '0644' with_items: - - "{{ ubtu22cis_5_1_3_ssh_host_pub_keys.files }}" + - "{{ discovered_ssh_host_pub_keys.files }}" loop_control: label: "{{ item.path }}" - name: "5.1.4 | PATCH | Ensure sshd access is configured" - when: - - ubtu22cis_rule_5_1_4 + when: ubtu22cis_rule_5_1_4 tags: - level1-server - level1-workstation 
@@ -84,7 +80,7 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^AllowUsers|^#AllowUsers' - line: 'AllowUsers {{ ubtu22cis_sshd.allow_users }}' + line: 'AllowUsers {{ ubtu22cis_sshd_allow_users }}' validate: 'sshd -t -f %s' notify: Restart sshd @@ -93,7 +89,7 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^AllowGroups|^#AllowGroups' - line: 'AllowGroups {{ ubtu22cis_sshd.allow_groups }}' + line: 'AllowGroups {{ ubtu22cis_sshd_allow_groups }}' validate: 'sshd -t -f %s' notify: Restart sshd @@ -102,7 +98,7 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^DenyUsers|^#DenyUsers' - line: 'DenyUsers {{ ubtu22cis_sshd.deny_users }} ' + line: 'DenyUsers {{ ubtu22cis_sshd_deny_users }} ' validate: 'sshd -t -f %s' notify: Restart sshd @@ -111,13 +107,12 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^DenyGroups|^#DenyGroups' - line: 'DenyGroups {{ ubtu22cis_sshd.deny_groups }}' + line: 'DenyGroups {{ ubtu22cis_sshd_deny_groups }}' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.5| PATCH | Ensure sshd Banner is configured" - when: - - ubtu22cis_rule_5_1_5 + when: ubtu22cis_rule_5_1_5 tags: - level1-server - level1-workstation @@ -133,8 +128,7 @@ notify: Restart sshd - name: "5.1.6 | PATCH | Ensure only strong Ciphers are used" - when: - - ubtu22cis_rule_5_1_6 + when: ubtu22cis_rule_5_1_6 tags: - level1-server - level1-workstation 
@@ -144,14 +138,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^Ciphers|^#Ciphers' - line: "Ciphers {{ ubtu22cis_sshd.ciphers | default(ubtu22cis_sshd_default_ciphers) | join(',') }}" + line: "Ciphers {{ ubtu22cis_sshd_ciphers | default(ubtu22cis_sshd_default_ciphers) | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.7 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured" - when: - - ubtu22cis_rule_5_1_7 + when: ubtu22cis_rule_5_1_7 tags: - level1-server - level1-workstation @@ -164,13 +157,12 @@ line: "{{ item.line }}" validate: 'sshd -t -f %s' with_items: - - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu22cis_sshd.client_alive_interval | default(ubtu22cis_sshd_default_client_alive_interval) }}' } - - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu22cis_sshd.client_alive_count_max | default(ubtu22cis_sshd_default_client_alive_count_max) }}' } + - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu22cis_sshd_client_alive_interval | default(ubtu22cis_sshd_default_client_alive_interval) }}' } + - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu22cis_sshd_client_alive_count_max | default(ubtu22cis_sshd_default_client_alive_count_max) }}' } notify: Restart sshd - name: "5.1.8 | PATCH | Ensure sshd DisableForwarding is enabled" - when: - - ubtu22cis_rule_5_1_8 + when: ubtu22cis_rule_5_1_8 tags: - level2-server - level1-workstation @@ -185,8 +177,7 @@ notify: Restart sshd - name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is is disabled" - when: - - ubtu22cis_rule_5_1_9 + when: ubtu22cis_rule_5_1_9 tags: - level2-server - level1-workstation 
@@ -201,8 +192,7 @@ notify: Restart sshd - name: "5.1.10 | PATCH | Ensure SSH HostbasedAuthentication is disabled" - when: - - ubtu22cis_rule_5_1_10 + when: ubtu22cis_rule_5_1_10 tags: - level1-server - level1-workstation @@ -217,8 +207,7 @@ notify: Restart sshd - name: "5.1.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" - when: - - ubtu22cis_rule_5_1_11 + when: ubtu22cis_rule_5_1_11 tags: - level1-server - level1-workstation @@ -233,8 +222,7 @@ notify: Restart sshd - name: "5.1.12 | PATCH | Ensure only strong Key Exchange algorithms are used" - when: - - ubtu22cis_rule_5_1_12 + when: ubtu22cis_rule_5_1_12 tags: - level1-server - level1-workstation @@ -244,14 +232,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^KexAlgorithms|^#KexAlgorithms' - line: "KexAlgorithms {{ ubtu22cis_sshd.kex_algorithms | default(ubtu22cis_sshd_default_kex_algorithms) | join(',') }}" + line: "KexAlgorithms {{ ubtu22cis_sshd_kex_algorithms | default(ubtu22cis_sshd_default_kex_algorithms) | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.13 | PATCH | Ensure SSH LoginGraceTime is configured" - when: - - ubtu22cis_rule_5_1_13 + when: ubtu22cis_rule_5_1_13 tags: - level1-server - level1-workstation @@ -261,14 +248,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^LoginGraceTime|^#LoginGraceTime' - line: 'LoginGraceTime {{ ubtu22cis_sshd.login_grace_time | default(ubtu22cis_sshd_default_login_grace_time) }}' + line: 'LoginGraceTime {{ ubtu22cis_sshd_login_grace_time | default(ubtu22cis_sshd_default_login_grace_time) }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.14 | PATCH | Ensure SSH LogLevel is configured" - when: - - ubtu22cis_rule_5_1_14 + when: ubtu22cis_rule_5_1_14 tags: - level1-server - level1-workstation 
@@ -278,14 +264,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^LogLevel|^#LogLevel' - line: 'LogLevel {{ ubtu22cis_sshd.log_level | default(ubtu22cis_sshd_default_log_level) }}' + line: 'LogLevel {{ ubtu22cis_sshd_log_level | default(ubtu22cis_sshd_default_log_level) }}' insertafter: '^# Logging' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.15 | PATCH | Ensure only strong MAC algorithms are used" - when: - - ubtu22cis_rule_5_1_15 + when: ubtu22cis_rule_5_1_15 tags: - level1-server - level1-workstation @@ -295,14 +280,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^MACs|^#MACs' - line: "MACs {{ ubtu22cis_sshd.macs | default(ubtu22cis_sshd_default_macs) | join(',') }}" + line: "MACs {{ ubtu22cis_sshd_macs | default(ubtu22cis_sshd_default_macs) | join(',') }}" insertafter: '^# Ciphers and keying' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" - when: - - ubtu22cis_rule_5_1_16 + when: ubtu22cis_rule_5_1_16 tags: - level1-server - level1-workstation @@ -312,14 +296,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^MaxAuthTries|^#MaxAuthTries' - line: 'MaxAuthTries {{ ubtu22cis_sshd.max_auth_tries | default(ubtu22cis_sshd_default_max_auth_tries) }}' + line: 'MaxAuthTries {{ ubtu22cis_sshd_max_auth_tries | default(ubtu22cis_sshd_default_max_auth_tries) }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.17 | PATCH | Ensure sshd MaxSessions is configured" - when: - - ubtu22cis_rule_5_1_17 + when: ubtu22cis_rule_5_1_17 tags: - level1-server - level1-workstation 
@@ -329,14 +312,13 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^MaxSessions|^#MaxSessions' - line: 'MaxSessions {{ ubtu22cis_sshd.max_sessions | default(ubtu22cis_sshd_default_max_sessions) }}' + line: 'MaxSessions {{ ubtu22cis_sshd_max_sessions | default(ubtu22cis_sshd_default_max_sessions) }}' insertafter: '^# Authentication' validate: 'sshd -t -f %s' notify: Restart sshd - name: "5.1.18 | PATCH | Ensure SSH MaxStartups is configured" - when: - - ubtu22cis_rule_5_1_18 + when: ubtu22cis_rule_5_1_18 tags: - level1-server - level1-workstation @@ -351,8 +333,7 @@ notify: Restart sshd - name: "5.1.19 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" - when: - - ubtu22cis_rule_5_1_19 + when: ubtu22cis_rule_5_1_19 tags: - level1-server - level1-workstation @@ -368,8 +349,7 @@ notify: Restart sshd - name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled" - when: - - ubtu22cis_rule_5_1_20 + when: ubtu22cis_rule_5_1_20 tags: - level1-server - level1-workstation @@ -384,8 +364,7 @@ notify: Restart sshd - name: "5.1.21 | PATCH | Ensure SSH PermitUserEnvironment is disabled" - when: - - ubtu22cis_rule_5_1_21 + when: ubtu22cis_rule_5_1_21 tags: - level1-server - level1-workstation @@ -400,8 +379,7 @@ notify: Restart sshd - name: "5.1.22 | PATCH | Ensure sshd UsePAM is enabled" - when: - - ubtu22cis_rule_5_1_22 + when: ubtu22cis_rule_5_1_22 tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 33434d4b..27cdb15e 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml 
@@ -1,139 +1,131 @@ --- - name: "5.2.1 | PATCH | Ensure sudo is installed" - when: - - ubtu22cis_rule_5_2_1 + when: ubtu22cis_rule_5_2_1 tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.1 - - sudo + - level1-server + - level1-workstation + - patch + - rule_5.2.1 + - sudo ansible.builtin.package: - name: "{{ ubtu22cis_sudo_package }}" - state: present + name: "{{ ubtu22cis_sudo_package }}" + state: present - name: "5.2.2 | PATCH | Ensure sudo commands use pty" - when: - - ubtu22cis_rule_5_2_2 + when: ubtu22cis_rule_5_2_2 tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.2 - - sudo + - level1-server + - level1-workstation + - patch + - rule_5.2.2 + - sudo ansible.builtin.lineinfile: - path: /etc/sudoers - regexp: '^Defaults\s+use_' - line: 'Defaults use_pty' - insertafter: '^\s*Defaults' + path: /etc/sudoers + regexp: '^Defaults\s+use_' + line: 'Defaults use_pty' + insertafter: '^\s*Defaults' - name: "5.2.3 | PATCH | Ensure sudo log file exists" - when: - - ubtu22cis_rule_5_2_3 + when: ubtu22cis_rule_5_2_3 tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.3 - - sudo + - level1-server + - level1-workstation + - patch + - rule_5.2.3 + - sudo ansible.builtin.lineinfile: - path: /etc/sudoers - regexp: '^Defaults\s+logfile' - line: 'Defaults logfile="{{ ubtu22cis_sudo_logfile }}"' - insertafter: '^\s*Defaults' + path: /etc/sudoers + regexp: '^Defaults\s+logfile' + line: 'Defaults logfile="{{ ubtu22cis_sudo_logfile }}"' + insertafter: '^\s*Defaults' - name: "5.2.4 | PATCH | Ensure users must provide password for escalation" - when: - - ubtu22cis_rule_5_2_4 + when: ubtu22cis_rule_5_2_4 tags: - - level2-server - - level2-workstation - - patch - - sudo - - rule_5.2.4 + - level2-server + - level2-workstation + - patch + - sudo + - rule_5.2.4 ansible.builtin.replace: - path: "{{ item }}" - regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' - replace: '\1PASSWD\2' - validate: '/usr/sbin/visudo 
-cf %s' + path: "{{ item }}" + regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' + replace: '\1PASSWD\2' + validate: '/usr/sbin/visudo -cf %s' loop: "{{ prelim_sudoers_files.stdout_lines }}" - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" - when: - - ubtu22cis_rule_5_2_5 + when: ubtu22cis_rule_5_2_5 tags: - - level1-server - - level1-workstation - - patch - - sudo - - rule_5.2.5 + - level1-server + - level1-workstation + - patch + - sudo + - rule_5.2.5 ansible.builtin.replace: - path: "{{ item }}" - regexp: '^([^#].*)!authenticate(.*)' - replace: '\1authenticate\2' - validate: '/usr/sbin/visudo -cf %s' + path: "{{ item }}" + regexp: '^([^#].*)!authenticate(.*)' + replace: '\1authenticate\2' + validate: '/usr/sbin/visudo -cf %s' loop: "{{ prelim_sudoers_files.stdout_lines }}" - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly" - when: - - ubtu22cis_rule_5_2_6 + when: ubtu22cis_rule_5_2_6 tags: - - level1-server - - level1-workstation - - patch - - sudo - - rule_5.2.6 + - level1-server + - level1-workstation + - patch + - sudo + - rule_5.2.6 block: - - name: "5.2.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set" - ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort - changed_when: false - failed_when: false - register: ubtu22cis_5_2_6_timeout_files + - name: "5.2.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set" + ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + changed_when: false + failed_when: false + register: discovered_timeout_files - - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" - when: ubtu22cis_5_2_6_timeout_files.stdout | length == 0 - ansible.builtin.lineinfile: 
- path: /etc/sudoers - regexp: '^\s*Defaults/s+timestamp_timeout=' - line: "Defaults timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" - insertafter: '^\s*Defaults' - validate: '/usr/sbin/visudo -cf %s' + - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" + when: discovered_timeout_files.stdout | length == 0 + ansible.builtin.lineinfile: + path: /etc/sudoers + regexp: '^\s*Defaults/s+timestamp_timeout=' + line: "Defaults timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" + insertafter: '^\s*Defaults' + validate: '/usr/sbin/visudo -cf %s' - - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" - when: ubtu22cis_5_2_6_timeout_files.stdout | length > 0 - ansible.builtin.replace: - path: "{{ item }}" - regexp: 'timestamp_timeout=(\d+)' - replace: "timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" - validate: '/usr/sbin/visudo -cf %s' - loop: "{{ ubtu22cis_5_2_6_timeout_files.stdout_lines }}" + - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" + when: discovered_timeout_files.stdout | length > 0 + ansible.builtin.replace: + path: "{{ item }}" + regexp: 'timestamp_timeout=(\d+)' + replace: "timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" + validate: '/usr/sbin/visudo -cf %s' + loop: "{{ discovered_timeout_files.stdout_lines }}" - name: "5.2.7 | PATCH | Ensure access to the su command is restricted" - when: - - ubtu22cis_rule_5_2_7 + when: ubtu22cis_rule_5_2_7 tags: - - level1-server - - level1-workstation - - patch - - sudo - - rule_5.2.7 + - level1-server + - level1-workstation + - patch + - sudo + - rule_5.2.7 block: - - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists" - ansible.builtin.group: - name: "{{ ubtu22cis_sugroup }}" - state: present - register: ubtu22cis_5_2_7_sugroup + - name: "5.2.7 | PATCH | Ensure 
access to the su command is restricted | Ensure sugroup exists" + ansible.builtin.group: + name: "{{ ubtu22cis_sugroup }}" + state: present - - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group" - ansible.builtin.lineinfile: - path: /etc/group - regexp: '^{{ ubtu22cis_sugroup }}(:.:.*:).*$' - line: '{{ ubtu22cis_sugroup }}\g<1>' - backrefs: true + - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group" + ansible.builtin.lineinfile: + path: /etc/group + regexp: '^{{ ubtu22cis_sugroup }}(:.:.*:).*$' + line: '{{ ubtu22cis_sugroup }}\g<1>' + backrefs: true - - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" - ansible.builtin.lineinfile: - path: /etc/pam.d/su - regexp: '^(#)?auth\s+required\s+pam_wheel\.so' - line: 'auth required pam_wheel.so use_uid group={{ ubtu22cis_sugroup }}' + - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" + ansible.builtin.lineinfile: + path: /etc/pam.d/su + regexp: '^(#)?auth\s+required\s+pam_wheel\.so' + line: 'auth required pam_wheel.so use_uid group={{ ubtu22cis_sugroup }}' diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml index 0b753028..a97f5cf6 100644 --- a/tasks/section_5/cis_5.3.3.1.x.yml +++ b/tasks/section_5/cis_5.3.3.1.x.yml 
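Review bot: The 5.2.4 pattern `'^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'` places the exclusions inside a character class, so it rejects any line whose first character is `#`, `|`, `e`, `c`, `2`, `-`, `u`, `s` or `r` rather than comment lines and the ec2-user entry; a `ubuntu ALL=(ALL) NOPASSWD:ALL` or `root ALL=(ALL) NOPASSWD:ALL` rule is never touched while `%sudo ... NOPASSWD` is. Negative lookaheads express the intent and keep `\1PASSWD\2` working: `regexp: '^(?!\s*#){% if system_is_ec2 %}(?!ec2-user\b){% endif %}(.*)NOPASSWD(.*)'`. The 5.2.6 replace pattern `timestamp_timeout=(\d+)` likewise never matches `timestamp_timeout=-1`, which is exactly the value that disables re-authentication, so `timestamp_timeout=(-?\d+)` is needed there. Finally, 5.2.2 and 5.2.3 edit /etc/sudoers without the `validate: '/usr/sbin/visudo -cf %s'` that 5.2.4-5.2.6 use, so a malformed write in those two tasks would break sudo on the host.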
@@ -20,12 +20,12 @@ - name: "5.3.3.1.1 | AUDIT | Ensure password failed attempts lockout is configured | discover pam config with deny" ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?deny\b' /usr/share/pam-configs/* - register: ubtu22cis_faillock_deny_files changed_when: false - failed_when: ubtu22cis_faillock_deny_files.rc not in [ 0, 1 ] + failed_when: discovered_faillock_deny_files.rc not in [ 0, 1 ] + register: discovered_faillock_deny_files - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | if exists remove deny from faillock line in pam-auth conf files" - when: ubtu22cis_faillock_deny_files.stdout | length > 0 + when: discovered_faillock_deny_files.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: '(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)' @@ -54,12 +54,12 @@ - name: "5.3.3.1.2 | AUDIT | Ensure password unlock time is configured | discover pam config with unlock_time" ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?unlock_time\b' /usr/share/pam-configs/* - register: ubtu22cis_faillock_unlock_files + register: discovered_faillock_unlock_files changed_when: false - failed_when: ubtu22cis_faillock_unlock_files.rc not in [ 0, 1 ] + failed_when: discovered_faillock_unlock_files.rc not in [ 0, 1 ] - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | if exists remove unlock_time from faillock line in pam-auth conf files" - when: ubtu22cis_faillock_unlock_files.stdout | length > 0 + when: discovered_faillock_unlock_files.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: '(*.pam_faillock.so\s*)unlock_time\s*=\s*\b(.*)' 
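Review bot: The replace pattern `'(*.pam_faillock.so\s*)deny\s*=\s*\d+\b(.*)'` opens with `(*.`, which Python's `re` rejects ("nothing to repeat") as far as I can tell, so the remediation task errors out on any host where the audit grep actually finds a `deny=` in /usr/share/pam-configs instead of removing it. The intended pattern is `'(.*pam_faillock\.so\s*)deny\s*=\s*\d+\b(.*)'`; the unlock_time and even_deny_root/root_unlock_time tasks in this file carry the same `(*.` prefix and need the same fix. The unlock_time variant additionally reads `\s*=\s*\b(.*)` with no value class, so the number would be captured into `\2` and kept — worth confirming against the replacement string, which is outside the hunk.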
@@ -88,12 +88,12 @@ - name: "5.3.3.1.3 | AUDIT | Ensure password failed attempts lockout includes root account | discover pam config with unlock_time" ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)' /usr/share/pam-configs/* - register: ubtu22cis_faillock_rootlock_files changed_when: false - failed_when: ubtu22cis_faillock_rootlock_files.rc not in [ 0, 1 ] + failed_when: discovered_faillock_rootlock_files.rc not in [ 0, 1 ] + register: discovered_faillock_rootlock_files - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | if exists remove unlock_time from faillock line in pam-auth conf files" - when: ubtu22cis_faillock_rootlock_files.stdout | length > 0 + when: discovered_faillock_rootlock_files.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: '(*.pam_faillock.so\s*)(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)(.*)' diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml index d5d0c8d0..84bf0489 100644 --- a/tasks/section_5/cis_5.3.3.3.x.yml +++ b/tasks/section_5/cis_5.3.3.3.x.yml 
@@ -13,12 +13,12 @@ block: - name: "5.3.3.3.1 | AUDIT | Ensure password history remember is configured | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?remember=\d+\b' /etc/pam.d/common-password - register: ubtu22_pwhistory_remember + register: discovered_pwhistory_remember changed_when: false - failed_when: ubtu22_pwhistory_remember.rc not in [0, 1] + failed_when: discovered_pwhistory_remember.rc not in [0, 1] - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set" - when: ubtu22_pwhistory_remember.stdout | length > 0 + when: discovered_pwhistory_remember.stdout | length > 0 ansible.builtin.lineinfile: path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(remember=\d+) @@ -39,12 +39,12 @@ block: - name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/common-password - register: ubtu22_pwhistory_enforce_for_root + register: discovered_pwhistory_remember changed_when: false - failed_when: ubtu22_pwhistory_enforce_for_root.rc not in [0, 1] + failed_when: discovered_pwhistory_remember.rc not in [0, 1] - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure remember is set" - when: ubtu22_pwhistory_enforce_for_root.stdout | length > 0 + when: discovered_pwhistory_remember.stdout | length > 0 ansible.builtin.lineinfile: path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(enforce_for_root) 
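Review bot: The rename in the 5.3.3.3.2 block registers its grep result as `discovered_pwhistory_remember`, the same name the 5.3.3.3.1 block uses for the `remember=` check, so the enforce_for_root result overwrites it; it happens to work today because each PATCH reads the fact registered immediately before it, but any later reference to `discovered_pwhistory_remember` silently sees the enforce_for_root answer. Use a distinct name in all three places: `register: discovered_pwhistory_enforce_for_root`, `failed_when: discovered_pwhistory_enforce_for_root.rc not in [0, 1]`, `when: discovered_pwhistory_enforce_for_root.stdout | length > 0`. The PATCH task names are also copied across ("Ensure password number of changed characters is configured" on the remember task, "Ensure remember is set" on the enforce_for_root and use_authtok tasks), which makes log review harder than it needs to be.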
@@ -65,12 +65,12 @@ block: - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password - register: ubtu22_pwhistory_use_authtok + register: discovered_pwhistory_use_authtok changed_when: false - failed_when: ubtu22_pwhistory_use_authtok.rc not in [0, 1] + failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1] - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure remember is set" - when: ubtu22_pwhistory_use_authtok.stdout | length > 0 + when: discovered_pwhistory_use_authtok.stdout | length > 0 ansible.builtin.lineinfile: path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok) diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml index dc1ea0ce..6dae89ca 100644 --- a/tasks/section_5/cis_5.3.3.4.x.yml +++ b/tasks/section_5/cis_5.3.3.4.x.yml @@ -14,16 +14,16 @@ - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | capture state" ansible.builtin.shell: grep -E "pam_unix.so.*nullok" /etc/pam.d/common-* /usr/share/pam-configs/* | cut -d ':' -f1 | uniq changed_when: false - failed_when: ubtu22cis_pam_nullok.rc not in [ 0, 1 ] - register: ubtu22cis_pam_nullok + failed_when: discovered_pam_nullok.rc not in [ 0, 1 ] + register: discovered_pam_nullok - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Ensure nullok removed" - when: ubtu22cis_pam_nullok.stdout | length > 0 + when: discovered_pam_nullok.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: nullok replace: '' - loop: "{{ ubtu22cis_pam_nullok.stdout_lines }}" + loop: "{{ discovered_pam_nullok.stdout_lines }}" notify: Pam_auth_update_pwunix - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember" 
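Review bot: In 5.3.3.4.1 the `regexp: nullok` with an empty replacement is applied unanchored to whole files from both /etc/pam.d/common-* and /usr/share/pam-configs/*, so it also rewrites any longer token containing the substring — if a profile still uses the Debian-specific `nullok_secure`, it would become `_secure`, which pam_unix presumably rejects or ignores. An anchored pattern such as `regexp: '\bnullok\b'` limits the change to the bare option; whether `nullok_secure` should be removed as well is a policy decision the task should make explicitly rather than by accident. Because the loop edits files under /usr/share/pam-configs, the notified `Pam_auth_update_pwunix` handler is what regenerates common-*; that handler is outside this hunk.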
@@ -39,11 +39,11 @@ - name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state" ansible.builtin.shell: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} | grep -Pv -- '\bremember=\d\b' changed_when: false - failed_when: ubtu22cis_pam_remember.rc not in [ 0, 1 ] - register: ubtu22cis_pam_remember + failed_when: discovered_pam_remember.rc not in [ 0, 1 ] + register: discovered_pam_remember - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Ensure remember removed" - when: ubtu22cis_pam_remember.stdout | length > 0 + when: discovered_pam_remember.stdout | length > 0 ansible.builtin.replace: path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" regexp: remember=\d+ @@ -63,11 +63,11 @@ - name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state" ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?("{{ ubtu22cis_passwd_hash_algo }}")\b' /etc/pam.d/common-password changed_when: false - failed_when: ubtu22cis_pam_pwhash.rc not in [ 0, 1 ] - register: ubtu22cis_pam_pwhash + failed_when: discovered_pam_pwhash.rc not in [ 0, 1 ] + register: discovered_pam_pwhash - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Ensure hash algorithm set" - when: ubtu22cis_pam_remember.stdout | length > 0 + when: discovered_pam_remember.stdout | length > 0 ansible.builtin.replace: path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)" 
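Review bot: The 5.3.3.4.3 PATCH is gated on `when: discovered_pam_remember.stdout | length > 0`, i.e. the result of the 5.3.3.4.2 remember check, while its own AUDIT step registers `discovered_pam_pwhash`; the rename preserved the wrong variable, so whether the hashing algorithm gets rewritten depends on whether `remember=` was found. Change it to `when: discovered_pam_pwhash.stdout | length > 0`. Two things are worth confirming alongside that: the grep pattern `("{{ ubtu22cis_passwd_hash_algo }}")` carries literal double quotes inside the single-quoted shell string, so it looks for a quoted algorithm name that pam config lines do not contain, and the gate's sense looks inverted — the grep finds lines that already use the desired algorithm, yet the replace runs only when such a line exists. The replacement value itself is outside the hunk.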
@@ -87,13 +87,13 @@ - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state" ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password changed_when: false - failed_when: ubtu22cis_pam_authtok.rc not in [ 0, 1 ] - register: ubtu22cis_pam_authtok + failed_when: discovered_pam_authtok.rc not in [ 0, 1 ] + register: discovered_pam_authtok - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | pam_files" when: - - ubtu22cis_pam_authtok is defined - - ubtu22cis_pam_authtok | length > 0 + - discovered_pam_authtok is defined + - discovered_pam_authtok | length > 0 ansible.builtin.lineinfile: path: "/etc/pam.d/common-password" regexp: ^(\s*password\s+[success=end.*]\s+pam_unix\.so)(.*)\s+use_authtok\s*=\s*\S+(.*$) diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index eb4070d3..a846ed8f 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml 
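Review bot: The 5.3.3.4.4 PATCH condition `discovered_pam_authtok | length > 0` measures the registered result dictionary (rc, stdout, stderr, ...), not the grep output, so it is always true; the rename kept that mistake. It should read `- discovered_pam_authtok.stdout | length > 0`, matching the sibling tasks. The lineinfile regexp also uses `[success=end.*]`, a character class rather than the literal `[success=end default=ignore]` control field, and expects `use_authtok\s*=\s*\S+` although `use_authtok` is a bare flag, so it is unlikely to match a real common-password line; the `line:` it would write is outside the hunk.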
@@ -15,23 +15,23 @@ ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MAX_DAYS|^#PASS_MAX_DAYS' - line: 'PASS_MAX_DAYS {{ ubtu22cis_pass.max_days }}' + line: 'PASS_MAX_DAYS {{ ubtu22cis_pass_max_days }}' insertafter: '# Password aging controls' - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Get existing users PASS_MAX_DAYS" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu22cis_pass.max_days }} || $5<{{ ubtu22cis_pass.min_days }} || $5 == -1)){print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu22cis_pass_max_days }} || $5<{{ ubtu22cis_pass_min_days }} || $5 == -1)){print $1}' /etc/shadow" changed_when: false failed_when: false - register: ubtu22cis_max_days + register: discovered_max_days - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS" when: - ubtu22cis_disruption_high - (item != 'root') or (not ubtu22cis_uses_root) - ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass.max_days }} {{ item }} + ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass_max_days }} {{ item }} failed_when: false - changed_when: ubtu22cis_max_days.stdout | length > 0 - loop: "{{ ubtu22cis_max_days.stdout_lines }}" + changed_when: discovered_max_days.stdout | length > 0 + loop: "{{ discovered_max_days.stdout_lines }}" - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured" when: 
@@ -48,22 +48,22 @@ ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS' - line: 'PASS_MIN_DAYS {{ ubtu22cis_pass.min_days }}' + line: 'PASS_MIN_DAYS {{ ubtu22cis_pass_min_days }}' - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Get existing users PASS_MIN_DAYS" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu22cis_pass.min_days }})) {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu22cis_pass_min_days }})) {print $1}' /etc/shadow" changed_when: false failed_when: false - register: ubtu22cis_passwd_min_days + register: discovered_passwd_min_days - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Set existing users PASS_MIN_DAYS" when: - ubtu22cis_disruption_high - (item != 'root') or (not ubtu22cis_uses_root) - ansible.builtin.shell: chage --mindays {{ ubtu22cis_pass.min_days }} {{ item }} + ansible.builtin.shell: chage --mindays {{ ubtu22cis_pass_min_days }} {{ item }} failed_when: false - changed_when: ubtu22cis_passwd_min_days.stdout |length > 0 - loop: "{{ ubtu22cis_passwd_min_days.stdout_lines }}" + changed_when: discovered_passwd_min_days.stdout |length > 0 + loop: "{{ discovered_passwd_min_days.stdout_lines }}" - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured" when: 
@@ -80,22 +80,22 @@ ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE' - line: 'PASS_WARN_AGE {{ ubtu22cis_pass.warn_age }}' + line: 'PASS_WARN_AGE {{ ubtu22cis_pass_warn_age }}' - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Get existing users PASS_WARN_AGE" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu22cis_pass.warn_age }}){print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu22cis_pass_warn_age }}){print $1}' /etc/shadow" changed_when: false failed_when: false - register: ubtu22cis_passwd_warn_days + register: discovered_passwd_warn_days - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users PASS_WARN_AGE" when: - ubtu22cis_disruption_high - (item != 'root') or (not ubtu22cis_uses_root) - ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass.warn_age }} {{ item }} + ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass_warn_age }} {{ item }} failed_when: false - changed_when: ubtu22cis_passwd_warn_days.stdout | length > 0 - loop: "{{ ubtu22cis_passwd_warn_days.stdout_lines }}" + changed_when: discovered_passwd_warn_days.stdout | length > 0 + loop: "{{ discovered_passwd_warn_days.stdout_lines }}" - name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured" when: 
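Review bot: The per-user remediation in 5.4.1.3 runs `chage --maxdays {{ ubtu22cis_pass_warn_age }} {{ item }}`, so instead of setting the expiry warning it sets each listed account's maximum password age to the warn value, forcing far more frequent rotation than 5.4.1.1 intends and undoing what that task just set. The flag should be `chage --warndays {{ ubtu22cis_pass_warn_age }} {{ item }}`. `failed_when: false` on the same task hides any chage error, so a wrong flag or a missing user is never surfaced; at minimum `changed_when` should be driven by the chage result rather than by the earlier awk output.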
@@ -126,28 +126,28 @@ ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2 changed_when: false failed_when: false - register: ubtu22cis_passwd_inactive_setting + register: discovered_passwd_inactive_setting - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users" - when: ubtu22cis_passwd_inactive_setting.stdout != ubtu22cis_pass.inactive | string - ansible.builtin.shell: useradd -D -f {{ ubtu22cis_pass.inactive }} + when: discovered_passwd_inactive_setting.stdout != ubtu22cis_pass_inactive | string + ansible.builtin.shell: useradd -D -f {{ ubtu22cis_pass_inactive }} failed_when: false - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | Get Individual users" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu22cis_pass.inactive }}))) {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu22cis_pass_inactive }}))) {print $1}' /etc/shadow" changed_when: false failed_when: false - register: ubtu22cis_passwd_inactive_users + register: discovered_passwd_inactive_users - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set inactive period for existing users" when: - ubtu22cis_disruption_high - - ubtu22cis_passwd_inactive_users.stdout | length > 0 + - discovered_passwd_inactive_users.stdout | length > 0 - (item != 'root') and (not ubtu22cis_uses_root) - ansible.builtin.shell: chage --inactive {{ ubtu22cis_pass.inactive }} {{ item }} + ansible.builtin.shell: chage --inactive {{ ubtu22cis_pass_inactive }} {{ item }} failed_when: false with_items: - - "{{ ubtu22cis_passwd | map(attribute='id') | list | intersect(ubtu22cis_passwd_inactive_users.stdout_lines) | list }}" + - "{{ ubtu22cis_passwd | map(attribute='id') | list | intersect(discovered_passwd_inactive_users.stdout_lines) | list }}" - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the 
past" when: @@ -167,14 +167,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_current_time + register: discovered_current_time - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed PW date in future" - ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ ubtu22cis_current_time.stdout }})print$1}'" + ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ discovered_current_time.stdout }})print$1}'" changed_when: false failed_when: false check_mode: false - register: ubtu22cis_passwd_future_user_list + register: discovered_passwd_future_user_list - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Warn about users" when: ubtu22cis_passwd_future_user_list.stdout | length > 0 diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 6971d8fd..af0a21f5 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -19,10 +19,10 @@ name: ['aide', 'aide-common'] state: present update_cache: true - register: ubtu22cis_rule_6_1_1_aide_added + register: discovered_aide_pkg_added - name: "6.1.1 | PATCH | Ensure AIDE is installed | Recapture packages" - when: ubtu22cis_rule_6_1_1_aide_added.skipped is not defined + when: discovered_aide_pkg_added.skipped is not defined ansible.builtin.package_facts: manager: auto 
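Review bot: The 5.4.1.5 per-user condition `(item != 'root') and (not ubtu22cis_uses_root)` differs from the `or` used by the 5.4.1.1-5.4.1.3 equivalents: with `and`, a host where `ubtu22cis_uses_root` is true skips every account, not just root, so no existing user receives an inactivity lock. Unless the difference is deliberate, use `- (item != 'root') or (not ubtu22cis_uses_root)` here as well. The `with_items` expression also depends on `ubtu22cis_passwd`, a fact gathered outside this hunk.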
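Review bot: The rename in 5.4.1.6 stops one line short: the AUDIT step now registers `discovered_passwd_future_user_list`, but the following PATCH task still has `when: ubtu22cis_passwd_future_user_list.stdout | length > 0`, which is undefined after this change and will fail the play whenever rule 5.4.1.6 runs. Update it to `when: discovered_passwd_future_user_list.stdout | length > 0`. The awk also interpolates `discovered_current_time.stdout` unquoted; combined with `failed_when: false`, an empty value turns the check into a silent no-op rather than an error. The rest of the warning task is outside the hunk.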
@@ -76,14 +76,14 @@ when: ubtu22cis_aide_scan == 'cron' ansible.builtin.cron: name: Run AIDE integrity check - cron_file: "{{ ubtu22cis_aide_cron['cron_file'] }}" - user: "{{ ubtu22cis_aide_cron['cron_user'] }}" - minute: "{{ ubtu22cis_aide_cron['aide_minute'] | default('0') }}" - hour: "{{ ubtu22cis_aide_cron['aide_hour'] | default('5') }}" - day: "{{ ubtu22cis_aide_cron['aide_day'] | default('*') }}" - month: "{{ ubtu22cis_aide_cron['aide_month'] | default('*') }}" - weekday: "{{ ubtu22cis_aide_cron['aide_weekday'] | default('*') }}" - job: "{{ ubtu22cis_aide_cron['aide_job'] }}" + cron_file: "{{ ubtu22cis_aide_cron_file }}" + user: "{{ ubtu22cis_aide_cron_user }}" + minute: "{{ ubtu22cis_aide_cron_minute | default('0') }}" + hour: "{{ ubtu22cis_aide_cron_hour | default('5') }}" + day: "{{ ubtu22cis_aide_cron_day | default('*') }}" + month: "{{ ubtu22cis_aide_cron_month | default('*') }}" + weekday: "{{ ubtu22cis_aide_cron_weekday | default('*') }}" + job: "{{ ubtu22cis_aide_cron_job }}" - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | timer template" when: ubtu22cis_aide_scan == 'timer' @@ -109,8 +109,7 @@ - aidecheck.timer - name: "6.1.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" - when: - - ubtu22cis_rule_6_1_3 + when: ubtu22cis_rule_6_1_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_6/cis_6.2.1.1.x.yml b/tasks/section_6/cis_6.2.1.1.x.yml index 15b4a593..2e07b158 100644 --- a/tasks/section_6/cis_6.2.1.1.x.yml +++ b/tasks/section_6/cis_6.2.1.1.x.yml @@ -1,8 +1,7 @@ --- - name: "6.2.1.1.1 | PATCH | Ensure journald service is enabled and active" - when: - - ubtu22cis_rule_6_2_1_1_1 + when: ubtu22cis_rule_6_2_1_1_1 tags: - level1-server - level1-workstation 
@@ -15,8 +14,7 @@ state: started - name: "6.2.1.1.2 | PATCH | Ensure journald log file access is configured" - when: - - ubtu22cis_rule_6_2_1_1_2 + when: ubtu22cis_rule_6_2_1_1_2 tags: - level1-server - level1-workstation 
@@ -32,41 +30,39 @@ - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file" ansible.builtin.stat: path: /etc/tmpfiles.d/systemd.conf - register: tmpfile_override + register: discovered_tmpfile_override - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | If override file check for journal" - when: tmpfile_override.stat.exists + when: discovered_tmpfile_override.stat.exists ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal \d*' /usr/lib/tmpfiles.d/systemd.conf - register: journald_fileperms_override changed_when: false - failed_when: journald_fileperms_override.rc not in [ 0, 1 ] + failed_when: discovered_journald_fileperms_override.rc not in [ 0, 1 ] + register: discovered_journald_fileperms_override - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found" when: - - tmpfile_override.stat.exists - - journald_fileperms_override.stdout | length > 0 + - discovered_tmpfile_override.stat.exists + - discovered_journald_fileperms_override.stdout | length > 0 ansible.builtin.debug: msg: "Warning!! 
- tmpfiles override found /usr/lib/tmpfiles.d/systemd.conf affecting journald files please confirm matches site policy" - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found" when: - - tmpfile_override.stat.exists - - journald_fileperms_override.stdout | length > 0 + - discovered_tmpfile_override.stat.exists + - discovered_journald_fileperms_override.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml vars: warn_control_id: '6.2.1.1.2' - name: "6.2.1.1.3 | PATCH | Ensure journald log file rotation is configured" - when: - - ubtu22cis_rule_6_2_1_1_3 + when: ubtu22cis_rule_6_2_1_1_3 tags: - level1-server - level1-workstation - patch - journald - rule_6.2.1.1.3 - notify: Restart journald block: - name: "6.2.1.1.3 | PATCH | Ensure journald log file rotation is configured | Add file" ansible.builtin.template: @@ -75,6 +71,7 @@ owner: root group: root mode: '0640' + notify: Restart journald - name: "6.2.1.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries" ansible.builtin.replace: @@ -87,17 +84,16 @@ - '^(\s*RuntimeMaxUse\s*=)' - '^(\s*RuntimeKeepFree\s*=.*)' - '^(\s*MaxFileSec\s*=.*)' + notify: Restart journald - name: "6.2.1.1.4 | PATCH | Ensure journald ForwardToSyslog is disabled" - when: - - ubtu22cis_rule_6_2_1_1_4 + when: ubtu22cis_rule_6_2_1_1_4 tags: - level1-server - level2-workstation - patch - journald - rule_6.2.1.1.4 - notify: Restart journald block: - name: "6.2.1.1.4 | PATCH | Ensure journald ForwardToSyslog is disabled | Add file" ansible.builtin.template: 
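Review bot: The 6.2.1.1.2 override check stats `/etc/tmpfiles.d/systemd.conf` but the grep it gates then reads `/usr/lib/tmpfiles.d/systemd.conf`, the packaged file rather than the override whose presence triggered the task, so a site-local override of the journal file mode is never inspected and the warning text names the wrong file. Presumably the grep should target the same path as the stat, `ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal [0-9]*' /etc/tmpfiles.d/systemd.conf`, with the warning message updated to match. Note also that `\d` is not a POSIX ERE class; GNU grep -E treats it as a literal `d` (recent versions warn about the stray backslash), which is why `[0-9]*` is the portable spelling. The `discovered_*` renames are consistent with the rest of the commit.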
@@ -106,23 +102,23 @@ owner: root group: root mode: '0640' + notify: Restart journald - name: "6.2.1.1.4 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf regexp: ^(\s*ForwardToSyslog) replace: '#\1' + notify: Restart journald - name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured" - when: - - ubtu22cis_rule_6_2_1_1_5 + when: ubtu22cis_rule_6_2_1_1_5 tags: - level1-server - level1-workstation - patch - journald - rule_6.2.1.1.5 - notify: Restart journald block: - name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured | Add file" ansible.builtin.template: @@ -131,23 +127,23 @@ owner: root group: root mode: '0640' + notify: Restart journald - name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf regexp: ^(?i)(\s*storage=) replace: '#\1' + notify: Restart journald - name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured" - when: - - ubtu22cis_rule_6_2_1_1_6 + when: ubtu22cis_rule_6_2_1_1_6 tags: - level1-server - level1-workstation - patch - journald - rule_6.2.1.1.6 - notify: Restart journald block: - name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured | Add file" ansible.builtin.template: @@ -156,9 +152,11 @@ owner: root group: root mode: '0640' + notify: Restart journald - name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf regexp: ^(?i)(\s*compress=) replace: '#\1' + notify: Restart journald diff --git a/tasks/section_6/cis_6.2.1.2.x.yml b/tasks/section_6/cis_6.2.1.2.x.yml index 9206a4c9..06b4068a 100644 --- a/tasks/section_6/cis_6.2.1.2.x.yml +++ b/tasks/section_6/cis_6.2.1.2.x.yml 
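Review bot: The inline flag in `regexp: ^(?i)(\s*storage=)` (6.2.1.1.5, hunk @@ -131) and `regexp: ^(?i)(\s*compress=)` (6.2.1.1.6, hunk @@ -156) is not at the start of the pattern, which Python 3.11+ rejects with "global flags not at the start of the expression"; on such a controller the replace task errors out and the conflicting journald.conf entries are never commented out. Moving the flag to the front, `regexp: '(?i)^(\s*storage=)'` and `regexp: '(?i)^(\s*compress=)'`, behaves the same on older Pythons and is valid on newer ones. These are context lines the commit keeps, and each rule's block starts outside these hunks.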
@@ -24,7 +24,6 @@ - patch - journald - rule_6.2.1.2.2 - notify: Restart journald ansible.builtin.lineinfile: path: /etc/systemd/journal-upload.conf regexp: "{{ item.regexp }}" @@ -34,6 +33,7 @@ - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ ubtu22cis_journal_upload_serverkeyfile }}'} - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ ubtu22cis_journal_servercertificatefile }}'} - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ ubtu22cis_journal_trustedcertificatefile }}'} + notify: Restart journald - name: "6.2.1.2.3 | PATCH | Ensure systemd-journal-remote is enabled and active" when: diff --git a/tasks/section_6/cis_6.2.2.yml b/tasks/section_6/cis_6.2.2.yml index 63364782..bba4f364 100644 --- a/tasks/section_6/cis_6.2.2.yml +++ b/tasks/section_6/cis_6.2.2.yml @@ -14,19 +14,19 @@ ansible.builtin.shell: find /var/log/ -type f -exec ls {} \; changed_when: false failed_when: false - register: discovered_logfiles + register: discovered_system_logfiles - name: "6.2.2.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" when: - - discovered_logfiles.stdout_lines is defined + - discovered_system_logfiles.stdout_lines is defined - item != "/var/log/btmp" - item != "/var/log/utmp" - item != "/var/log/wtmp" - item != "/var/log/lastlog" ansible.builtin.file: path: "{{ item }}" - mode: u-x,g-wx,o-rwx - loop: "{{ discovered_logfiles.stdout_lines }}" + mode: 'u-x,g-wx,o-rwx' + loop: "{{ discovered_system_logfiles.stdout_lines }}" - name: "6.2.2.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" ansible.builtin.file: diff --git a/tasks/section_6/cis_6.3.1.x.yml b/tasks/section_6/cis_6.3.1.x.yml index 142b9c84..22de8f3a 100644 --- a/tasks/section_6/cis_6.3.1.x.yml +++ b/tasks/section_6/cis_6.3.1.x.yml 
@@ -1,10 +1,7 @@ --- - name: "6.3.1.1 | PATCH | Ensure auditd packages are installed" - when: - - ubtu22cis_rule_6_3_1_1 - - "'auditd' not in ansible_facts.packages or - 'audisd-plugins' not in ansible_facts.packages" + when: ubtu22cis_rule_6_3_1_1 tags: - level2-server - level2-workstation @@ -16,8 +13,7 @@ state: present - name: "6.3.1.2 | PATCH | Ensure auditd service is enabled and active" - when: - - ubtu22cis_rule_6_3_1_2 + when: ubtu22cis_rule_6_3_1_2 tags: - level2-server - level2-workstation @@ -31,8 +27,7 @@ masked: false - name: "6.3.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" - when: - - ubtu22cis_rule_6_3_1_3 + when: ubtu22cis_rule_6_3_1_3 tags: - level2-server - level2-workstation @@ -45,18 +40,18 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_6_3_1_3_cmdline_settings + register: discovered_grub_cmdline_settings - name: "6.3.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist" - when: "'audit=' not in ubtu22cis_6_3_1_3_cmdline_settings.stdout" + when: "'audit=' not in discovered_grub_cmdline_settings.stdout" ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu22cis_6_3_1_3_cmdline_settings.stdout }} audit=1"' + line: 'GRUB_CMDLINE_LINUX="{{ discovered_grub_cmdline_settings.stdout }} audit=1"' notify: Grub update - name: "6.3.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists" - when: "'audit=' in ubtu22cis_6_3_1_3_cmdline_settings.stdout" + when: "'audit=' in discovered_grub_cmdline_settings.stdout" ansible.builtin.replace: dest: /etc/default/grub regexp: 'audit=([0-9]+)' @@ -66,8 +61,7 @@ notify: Grub update - name: "6.3.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" - when: - - ubtu22cis_rule_6_3_1_4 + when: ubtu22cis_rule_6_3_1_4 tags: - level2-server - level2-workstation 
@@ -80,14 +74,14 @@ changed_when: false failed_when: false check_mode: false - register: ubtu22cis_6_3_1_4_cmdline_settings + register: discovered_grub_cmdline_settings - name: "6.3.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist" - when: "'audit_backlog_limit=' not in ubtu22cis_6_3_1_4_cmdline_settings.stdout" + when: "'audit_backlog_limit=' not in discovered_grub_cmdline_settings.stdout" ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' - line: 'GRUB_CMDLINE_LINUX="{{ ubtu22cis_6_3_1_4_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu22cis_audit_back_log_limit }}"' + line: 'GRUB_CMDLINE_LINUX="{{ discovered_grub_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu22cis_audit_back_log_limit }}"' notify: Grub update - name: "6.3.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists" diff --git a/tasks/section_6/cis_6.3.2.x.yml b/tasks/section_6/cis_6.3.2.x.yml index 2ed32d21..aee59748 100644 --- a/tasks/section_6/cis_6.3.2.x.yml +++ b/tasks/section_6/cis_6.3.2.x.yml 
@@ -1,46 +1,42 @@ --- - name: "6.3.2.1 | PATCH | Ensure audit log storage size is configured" - when: - - ubtu22cis_rule_6_3_2_1 + when: ubtu22cis_rule_6_3_2_1 tags: - level2-server - level2-workstation - patch - rule_6.3.2.1 - auditd - notify: Restart auditd ansible.builtin.lineinfile: dest: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" line: "max_log_file = {{ ubtu22cis_max_log_file_size }}" state: present + notify: Restart auditd - name: "6.3.2.2 | PATCH | Ensure audit logs are not automatically deleted" - when: - - ubtu22cis_rule_6_3_2_2 + when: ubtu22cis_rule_6_3_2_2 tags: - level2-server - level2-workstation - patch - rule_6.3.2.2 - auditd - notify: Restart auditd ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: '^max_log_file_action' line: "max_log_file_action = {{ ubtu22cis_auditd_max_log_file_action }}" + notify: Restart auditd - name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full" - when: - - ubtu22cis_rule_6_3_2_3 + when: ubtu22cis_rule_6_3_2_3 tags: - level2-server - level2-workstation - patch - rule_6.3.2.3 - auditd - notify: Restart auditd ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" @@ -48,6 +44,7 @@ with_items: - { regexp: '^disk_full_action', line: "disk_full_action = {{ ubtu22cis_auditd_disk_full_action }}" } - { regexp: '^disk_error_action', line: "disk_error_action = {{ ubtu22cis_auditd_disk_error_action }}" } + notify: Restart auditd - name: "6.3.2.4 | PATCH | Ensure system warns when audit logs are low on space" when: @@ -58,7 +55,6 @@ - patch - auditd - rule_6.3.2.4 - notify: Restart auditd ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" @@ -66,3 +62,4 @@ loop: - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ ubtu22cis_auditd_admin_space_left_action }}' } - { regexp: '^space_left_action', line: 'space_left_action = {{ ubtu22cis_auditd_space_left_action }}' } + notify: Restart auditd 
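Review bot: 6.3.2.3 still iterates with `with_items:` (context in hunk @@ -48,6 +44,7) while 6.3.2.4 in the same file uses `loop:` and this commit converts other files to `loop`; for a flat list of mappings the two are equivalent, so `loop:` here would make the file consistent with the rest of the change. The task-level `notify: Restart auditd` placement is fine. The 6.3.2.3 task header starts outside this hunk.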
diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml index b4b11ab5..62fd44a2 100644 --- a/tasks/section_6/cis_6.3.3.x.yml +++ b/tasks/section_6/cis_6.3.3.x.yml @@ -1,8 +1,7 @@ --- - name: "6.3.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - when: - - ubtu22cis_rule_6_3_3_1 + when: ubtu22cis_rule_6_3_3_1 tags: - level2-server - level2-workstation @@ -13,8 +12,7 @@ update_audit_template: true - name: "6.3.3.2 | PATCH | Ensure actions as another user are always logged" - when: - - ubtu22cis_rule_6_3_3_2 + when: ubtu22cis_rule_6_3_3_2 tags: - level2-server - level2-workstation @@ -25,8 +23,7 @@ update_audit_template: true - name: "6.3.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - when: - - ubtu22cis_rule_6_3_3_3 + when: ubtu22cis_rule_6_3_3_3 tags: - level2-server - level2-workstation @@ -37,8 +34,7 @@ update_audit_template: true - name: "6.3.3.4 | PATCH | Ensure events that modify date and time information are collected" - when: - - ubtu22cis_rule_6_3_3_4 + when: ubtu22cis_rule_6_3_3_4 tags: - level2-server - level2-workstation @@ -49,8 +45,7 @@ update_audit_template: true - name: "6.3.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - when: - - ubtu22cis_rule_6_3_3_5 + when: ubtu22cis_rule_6_3_3_5 tags: - level2-server - level2-workstation @@ -61,8 +56,7 @@ update_audit_template: true - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" - when: - - ubtu22cis_rule_6_3_3_6 + when: ubtu22cis_rule_6_3_3_6 tags: - level2-server - level2-workstation 
@@ -72,7 +66,7 @@ block: - name: "6.3.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done - register: priv_procs + register: discovered_priv_procs changed_when: false check_mode: false @@ -81,8 +75,7 @@ update_audit_template: true - name: "6.3.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - when: - - ubtu22cis_rule_6_3_3_7 + when: ubtu22cis_rule_6_3_3_7 tags: - level2-server - level2-workstation @@ -93,8 +86,7 @@ update_audit_template: true - name: "6.3.3.8 | PATCH | Ensure events that modify user/group information are collected" - when: - - ubtu22cis_rule_6_3_3_8 + when: ubtu22cis_rule_6_3_3_8 tags: - level2-server - level2-workstation @@ -105,8 +97,7 @@ update_audit_template: true - name: "6.3.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - when: - - ubtu22cis_rule_6_3_3_9 + when: ubtu22cis_rule_6_3_3_9 tags: - level2-server - level2-workstation @@ -117,8 +108,7 @@ update_audit_template: true - name: "6.3.3.10 | PATCH | Ensure successful file system mounts are collected" - when: - - ubtu22cis_rule_6_3_3_10 + when: ubtu22cis_rule_6_3_3_10 tags: - level2-server - level2-workstation @@ -129,8 +119,7 @@ update_audit_template: true - name: "6.3.3.11 | PATCH | Ensure session initiation information is collected" - when: - - ubtu22cis_rule_6_3_3_11 + when: ubtu22cis_rule_6_3_3_11 tags: - level2-server - level2-workstation @@ -141,8 +130,7 @@ update_audit_template: true - name: "6.3.3.12 | PATCH | Ensure login and logout events are collected" - when: - - ubtu22cis_rule_6_3_3_12 + when: ubtu22cis_rule_6_3_3_12 tags: - level2-server - level2-workstation 
@@ -153,8 +141,7 @@ update_audit_template: true - name: "6.3.3.13 | PATCH | Ensure file deletion events by users are collected" - when: - - ubtu22cis_rule_6_3_3_13 + when: ubtu22cis_rule_6_3_3_13 tags: - level2-server - level2-workstation @@ -165,8 +152,7 @@ update_audit_template: true - name: "6.3.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - when: - - ubtu22cis_rule_6_3_3_14 + when: ubtu22cis_rule_6_3_3_14 tags: - level2-server - level2-workstation @@ -177,8 +163,7 @@ update_audit_template: true - name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - when: - - ubtu22cis_rule_6_3_3_15 + when: ubtu22cis_rule_6_3_3_15 tags: - level2-server - level2-workstation @@ -189,8 +174,7 @@ update_audit_template: true - name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - when: - - ubtu22cis_rule_6_3_3_16 + when: ubtu22cis_rule_6_3_3_16 tags: - level2-server - level2-workstation @@ -201,8 +185,7 @@ update_audit_template: true - name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - when: - - ubtu22cis_rule_6_3_3_17 + when: ubtu22cis_rule_6_3_3_17 tags: - level2-server - level2-workstation @@ -213,8 +196,7 @@ update_audit_template: true - name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - when: - - ubtu22cis_rule_6_3_3_18 + when: ubtu22cis_rule_6_3_3_18 tags: - level2-server - level2-workstation @@ -225,8 +207,7 @@ update_audit_template: true - name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading is collected" - when: - - ubtu22cis_rule_6_3_3_19 + when: ubtu22cis_rule_6_3_3_19 tags: - level2-server - level2-workstation 
@@ -237,8 +218,7 @@ update_audit_template: true - name: "6.3.3.20 | PATCH | Ensure the audit configuration is immutable" - when: - - ubtu22cis_rule_6_3_3_20 + when: ubtu22cis_rule_6_3_3_20 tags: - level2-server - level2-workstation @@ -249,8 +229,7 @@ update_audit_template: true - name: "6.3.3.21 | PATCH | Ensure the running and on disk configuration is the same" - when: - - ubtu22cis_rule_6_3_3_21 + when: ubtu22cis_rule_6_3_3_21 tags: - level2-server - level2-workstation @@ -260,4 +239,3 @@ - auditd ansible.builtin.shell: augenrules --check changed_when: false - register: ubtu22cis_rule_6_3_3_21_augen_check diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml index 1eb74fab..0ae6df73 100644 --- a/tasks/section_6/cis_6.3.4.x.yml +++ b/tasks/section_6/cis_6.3.4.x.yml @@ -23,8 +23,7 @@ mode: u-x,g-wx,o-rwx - name: "6.3.4.4 | PATCH | Ensure the audit log file directory mode is configured" - when: - - ubtu22cis_rule_6_3_4_4 + when: ubtu22cis_rule_6_3_4_4 tags: - level1-server - level1-workstation @@ -35,17 +34,16 @@ - name: "6.3.4.4 | AUDIT | Ensure the audit log file directory mode is configured | get current permissions" ansible.builtin.stat: path: "{{ prelim_auditd_logfile.stdout | dirname }}" - register: auditlog_dir + register: discovered_auditlog_dir - name: "6.3.4.4 | PATCH | Ensure the audit log file directory mode is configured | set permissions" ansible.builtin.file: - path: "{{ auditlog_dir.stat.path }}" + path: "{{ discovered_auditlog_dir.stat.path }}" state: directory mode: g-w,o-rwx - name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured" - when: - - ubtu22cis_rule_6_3_4_5 + when: ubtu22cis_rule_6_3_4_5 tags: - level1-server - level1-workstation @@ -60,8 +58,7 @@ label: "{{ item.path }}" - name: "6.3.4.6 | PATCH | Ensure audit configuration files owner is configured" - when: - - ubtu22cis_rule_6_3_4_6 + when: ubtu22cis_rule_6_3_4_6 tags: - level1-server - level1-workstation 
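Review bot: With `register: ubtu22cis_rule_6_3_3_21_augen_check` removed and `changed_when: false` kept, the `augenrules --check` task in 6.3.3.21 produces a result that nothing reads, so drift between the on-disk rules and the loaded rules is neither reported nor corrected, although the control's name is that the running and on-disk configuration are the same. If the intent is a pure audit, keep a register (for example `register: discovered_augenrules_check`) and feed its output to the warning_facts.yml pattern used elsewhere in this role; if remediation is intended, a follow-up load keyed on the check output (or the existing `Restart auditd` handler) is needed. Whether `augenrules --check` returns non-zero on drift should be confirmed before relying on `rc`. The task's `when` and tags start outside this hunk.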
@@ -76,8 +73,7 @@ label: "{{ item.path }}" - name: "6.3.4.7 | PATCH | Ensure audit configuration files group owner is configured" - when: - - ubtu22cis_rule_6_3_4_7 + when: ubtu22cis_rule_6_3_4_7 tags: - level1-server - level1-workstation @@ -92,39 +88,26 @@ label: "{{ item.path }}" - name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured" - when: - - ubtu22cis_rule_6_3_4_8 + when: ubtu22cis_rule_6_3_4_8 tags: - level1-server - level1-workstation - patch - auditd - rule_6.3.4.8 - block: - - name: "6.3.4.8 | AUDIT | Ensure audit tools mode is configured | get current mode" - ansible.builtin.stat: - path: "{{ item }}" - register: "audit_bins" - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules - - - name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured | set if required" - when: not item.stat.mode is match('07(0|5)0') - ansible.builtin.file: - path: "{{ item.item }}" - mode: '0750' - loop: "{{ audit_bins.results }}" - loop_control: - label: "{{ item.item }}" + ansible.builtin.file: + path: "{{ item.item }}" + mode: 'g-w,o-rwx' + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules - name: "6.3.4.9 | PATCH | Ensure audit tools owner is configured" - when: - - ubtu22cis_rule_6_3_4_9 + when: ubtu22cis_rule_6_3_4_9 tags: - level1-server - level1-workstation @@ -144,8 +127,7 @@ - /sbin/augenrules - name: "6.3.4.10 | PATCH | Ensure audit tools group owner is configured" - when: - - ubtu22cis_rule_6_3_4_10 + when: ubtu22cis_rule_6_3_4_10 tags: - level1-server - level1-workstation diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index 89042854..8b46ff82 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml 
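Review bot: The rewritten 6.3.4.8 task loops over plain path strings but still uses `path: "{{ item.item }}"`, which was only valid when the loop ran over the removed stat results; with the new `loop:` each `item` is a string, so `item.item` is undefined and the task fails, leaving the mode of the audit tool binaries unchanged. It should read `path: "{{ item }}"`. Dropping the stat-and-compare step is otherwise fine, since `ansible.builtin.file` with a symbolic mode is idempotent.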
@@ -2,32 +2,32 @@ - name: "SECTION | 6.1 | Configure Filesystem Integrity Checking" ansible.builtin.import_tasks: - file: cis_6.1.x.yml + file: cis_6.1.x.yml - name: "SECTION | 6.2.1.1 | Configure systemd-journald service" ansible.builtin.import_tasks: - file: cis_6.2.1.1.x.yml + file: cis_6.2.1.1.x.yml - name: "SECTION | 6.2.1.2 | Configure systemd-journal-remote" ansible.builtin.import_tasks: - file: cis_6.2.1.2.x.yml + file: cis_6.2.1.2.x.yml - name: "SECTION | 6.2.2 | Configure Logfiles" ansible.builtin.import_tasks: - file: cis_6.2.2.yml + file: cis_6.2.2.yml - name: "SECTION | 6.3.1 | Configure auditd Service" ansible.builtin.import_tasks: - file: cis_6.3.1.x.yml + file: cis_6.3.1.x.yml - name: "SECTION | 6.3.2 | Configure data retention" ansible.builtin.import_tasks: - file: cis_6.3.2.x.yml + file: cis_6.3.2.x.yml - name: "SECTION | 6.3.3 | Configure auditd rules" ansible.builtin.import_tasks: - file: cis_6.3.3.x.yml + file: cis_6.3.3.x.yml - name: "SECTION | 6.3.4 | Configure auditd file access" ansible.builtin.import_tasks: - file: cis_6.3.4.x.yml + file: cis_6.3.4.x.yml diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 9d28ab7b..65f1059e 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -1,8 +1,7 @@ --- - name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured" - when: - - ubtu22cis_rule_7_1_1 + when: ubtu22cis_rule_7_1_1 tags: - level1-server - level1-workstation @@ -16,8 +15,7 @@ mode: 'u-x,go-wx' - name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" - when: - - ubtu22cis_rule_7_1_2 + when: ubtu22cis_rule_7_1_2 tags: - level1-server - level1-workstation @@ -33,8 +31,7 @@ register: discovered_file_exists - name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured" - when: - - ubtu22cis_rule_7_1_3 + when: ubtu22cis_rule_7_1_3 tags: - level1-server - level1-workstation 
@@ -48,8 +45,7 @@ mode: 'u-x,go-wx' - name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured" - when: - - ubtu22cis_rule_7_1_4 + when: ubtu22cis_rule_7_1_4 tags: - level1-server - level1-workstation @@ -61,10 +57,11 @@ owner: root group: root mode: 'u-x,go-wx' + failed_when: discovered_file_exists.state not in '[ file, absent ]' + register: discovered_file_exists - name: "7.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" - when: - - ubtu22cis_rule_7_1_5 + when: ubtu22cis_rule_7_1_5 tags: - level1-server - level1-workstation @@ -78,8 +75,7 @@ mode: 'u-x,g-wx,o-rwx' - name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" - when: - - ubtu22cis_rule_7_1_6 + when: ubtu22cis_rule_7_1_6 tags: - level1-server - level1-workstation @@ -91,10 +87,11 @@ owner: root group: root mode: 'u-x,g-wx,o-rwx' + failed_when: discovered_file_exists.state not in '[ file, absent ]' + register: discovered_file_exists - name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" - when: - - ubtu22cis_rule_7_1_7 + when: ubtu22cis_rule_7_1_7 tags: - level1-server - level1-workstation @@ -108,8 +105,7 @@ mode: 'u-x,g-wx,o-rwx' - name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" - when: - - ubtu22cis_rule_7_1_8 + when: ubtu22cis_rule_7_1_8 tags: - level1-server - level1-workstation @@ -121,10 +117,11 @@ owner: root group: root mode: 'u-x,g-wx,o-rwx' + failed_when: discovered_file_exists.state not in '[ file, absent ]' + register: discovered_file_exists - name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured" - when: - - ubtu22cis_rule_7_1_9 + when: ubtu22cis_rule_7_1_9 tags: - level1-server - level1-workstation 
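Review bot: The new `failed_when: discovered_file_exists.state not in '[ file, absent ]'` on 7.1.4 (hunk @@ -61), 7.1.6 (@@ -91), 7.1.8 (@@ -121) and 7.1.10 on the next line compares against a quoted string, so Jinja performs a substring test rather than list membership; it happens to accept `file` and `absent` but only by coincidence of the text, and it reads as a list without being one. Use a real list, `failed_when: discovered_file_exists.state not in ['file', 'absent']`. Whether a failed `ansible.builtin.file` result always carries a `state` key for a missing path should be confirmed, since otherwise the expression raises on the undefined attribute instead of letting the task pass.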
@@ -138,11 +135,7 @@ mode: 'u-x,go-wx' - name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured" - loop: - - /etc/security/opasswd - - /etc/security/opasswd.old - when: - - ubtu22cis_rule_7_1_10 + when: ubtu22cis_rule_7_1_10 tags: - level1-server - level1-workstation @@ -150,14 +143,18 @@ - permissions - rule_7.1.10 ansible.builtin.file: - path: /etc/security/opasswd + path: "{{ item }}" owner: root group: root mode: 'u-x,go-rwx' + failed_when: discovered_file_exists.state not in '[ file, absent ]' + register: discovered_file_exists + loop: + - /etc/security/opasswd + - /etc/security/opasswd.old - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured" - when: - - ubtu22cis_rule_7_1_11 + when: ubtu22cis_rule_7_1_11 tags: - level1-server - level1-workstation @@ -170,17 +167,17 @@ ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 failed_when: false changed_when: false - register: ubtu22cis_worldwriteable + register: discovered_worldwriteable_files - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable files if they exist (Configurable)" + when: + - discovered_worldwriteable_files.stdout_lines is defined + - ubtu22cis_no_world_write_adjust ansible.builtin.file: path: '{{ item }}' mode: o-w state: touch - loop: "{{ ubtu22cis_worldwriteable.stdout_lines }}" - when: - - ubtu22cis_worldwriteable.stdout_lines is defined - - ubtu22cis_no_world_write_adjust + loop: "{{ discovered_worldwriteable_files.stdout_lines }}" - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | sticky bit set on world-writable directories" ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t 
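Review bot: The 7.1.11 remediation task combines `mode: o-w` with `state: touch`, so every run updates the access and modification times of each world-writable file and reports changed, which breaks idempotency and rewrites timestamps that responders rely on when reconstructing activity; `state: file` applies the mode change without altering timestamps. The moved `when:` and the `discovered_worldwriteable_files` rename are fine. The sticky-bit task that follows runs `chmod a+t` unconditionally through shell; its `changed_when` handling is outside the hunk.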
@@ -188,8 +185,7 @@ failed_when: false - name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist" - when: - - ubtu22cis_rule_7_1_12 + when: ubtu22cis_rule_7_1_12 tags: - level1-server - level1-workstation @@ -205,7 +201,7 @@ failed_when: false check_mode: false register: discovered_unowned_files - with_items: + loop: - "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" @@ -243,8 +239,7 @@ file: warning_facts.yml - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed" - when: - - ubtu22cis_rule_7_1_13 + when: ubtu22cis_rule_7_1_13 tags: - level1-server - level1-workstation @@ -260,7 +255,7 @@ failed_when: false check_mode: false register: discovered_suid_sgid_files - with_items: + loop: - "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" @@ -286,12 +281,12 @@ ansible.builtin.file: path: "{{ item }}" mode: 'u-s' - with_items: + loop: - "{{ discovered_suid_sgid_files_flatten }}" - name: "7.1.13 | AUDIT | Audit SUID executables | Warn Count" - ansible.builtin.import_tasks: - file: warning_facts.yml when: - discovered_suid_sgid_files_flatten | length > 0 - not ubtu22cis_suid_sgid_adjust + ansible.builtin.import_tasks: + file: warning_facts.yml diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index 6266cd6d..828e1f6d 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -1,8 +1,7 @@ --- - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" - when: - - ubtu22cis_rule_7_2_1 + when: ubtu22cis_rule_7_2_1 tags: - level1-server - level1-workstation @@ -31,8 +30,7 @@ file: warning_facts.yml - name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty" - when: - - ubtu22cis_rule_7_2_2 + when: ubtu22cis_rule_7_2_2 tags: - level1-server - level1-workstation 
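Review bot: Converting `with_items:` to `loop:` while keeping the one-element list form `loop: - "{{ ansible_facts.mounts }}"` changes behaviour in 7.1.12 (hunk @@ -205) and 7.1.13 (hunk @@ -260), and likewise `loop: - "{{ discovered_suid_sgid_files_flatten }}"` in hunk @@ -286: `with_items` flattened the nested list, but `loop` does not, so each task now receives a single item that is the whole list, `item.mount` in `loop_control.label` is undefined, and the `u-s` removal is handed a list rather than a path. Pass the lists directly, `loop: "{{ ansible_facts.mounts }}"` and `loop: "{{ discovered_suid_sgid_files_flatten }}"`. Each of these tasks starts outside its hunk.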
@@ -56,8 +54,7 @@ - "{{ discovered_empty_password_acct.stdout_lines }}" - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" - when: - - ubtu22cis_rule_7_2_3 + when: ubtu22cis_rule_7_2_3 tags: - level1-server - level1-workstation @@ -85,8 +82,7 @@ file: warning_facts.yml - name: "7.2.4 | PATCH | Ensure shadow group is empty" - when: - - ubtu22cis_rule_7_2_4 + when: ubtu22cis_rule_7_2_4 tags: - level1-server - level1-workstation @@ -113,8 +109,7 @@ when: ansible_facts.getent_group.shadow[2] | length > 0 - name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist" - when: - - ubtu22cis_rule_7_2_5 + when: ubtu22cis_rule_7_2_5 tags: - level1-server - level1-workstation @@ -142,8 +137,7 @@ file: warning_facts.yml - name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist" - when: - - ubtu22cis_rule_7_2_6 + when: ubtu22cis_rule_7_2_6 tags: - level1-server - level1-workstation 
@@ -171,37 +165,35 @@ file: warning_facts.yml - name: "7.2.7 | AUDIT | Ensure no duplicate user names exist" - vars: - warn_control_id: '7.2.67' - when: - - ubtu22cis_rule_7_2_7 + when: ubtu22cis_rule_7_2_7 tags: - level1-server - level1-workstation - audit - rule_7.2.7 - user + vars: + warn_control_id: '7.2.7' block: - name: "7.2.7 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" changed_when: false failed_when: false check_mode: false - register: discovered_username_check + register: discovered_dup_username - name: "7.2.7 | WARNING | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" - when: discovered_username_check.stdout | length > 0 + when: discovered_dup_username.stdout | length > 0 ansible.builtin.debug: msg: "Warning!! The following user names are duplicates: {{ discovered_user_username_check.stdout_lines }}" - name: "7.2.7 | WARNING | Ensure no duplicate user names exist | Set warning count" - when: discovered_username_check.stdout | length > 0 + when: discovered_dup_username.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml - name: "7.2.8 | AUDIT | Ensure no duplicate group names exist" - when: - - ubtu22cis_rule_7_2_8 + when: ubtu22cis_rule_7_2_8 tags: - level1-server - level1-workstation 
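Review bot: The register in 7.2.7 is renamed to `discovered_dup_username`, but the debug message still interpolates `discovered_user_username_check.stdout_lines`, a name that is never registered, so the warning task raises an undefined-variable error exactly when duplicates are found; the 7.2.8 hunk on the next line has the same mismatch, registering `discovered_dup_group` while the message references `discovered_group_group_check.stdout_lines`. Update both messages, `msg: "Warning!! The following user names are duplicates: {{ discovered_dup_username.stdout_lines }}"` and `msg: "Warning!! The following group names are duplicates: {{ discovered_dup_group.stdout_lines }}"`. The `warn_control_id` correction from '7.2.67' to '7.2.7' is a welcome fix.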
@@ -216,21 +208,20 @@ changed_when: false failed_when: false check_mode: false - register: discovered_group_check + register: discovered_dup_group - name: "7.2.8 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - when: discovered_group_check.stdout | length > 0 + when: discovered_dup_group.stdout | length > 0 ansible.builtin.debug: msg: "Warning!! The following group names are duplicates: {{ discovered_group_group_check.stdout_lines }}" - name: "7.2.8 | AUDIT | Ensure no duplicate group names exist | Set warning count" - when: discovered_group_check.stdout | length > 0 + when: discovered_dup_group.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml - name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured" - when: - - ubtu22cis_rule_7_2_9 + when: ubtu22cis_rule_7_2_9 tags: - level1-server - level1-workstation diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index c7eb6639..87512d76 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -32,8 +32,8 @@ -w /etc/netplan/ -p wa -k system-locale {% endif %} {% if ubtu22cis_rule_6_3_3_6 %} -{% if priv_procs is defined %} -{% for proc in priv_procs.stdout_lines -%} +{% if discovered_priv_procs is defined %} +{% for proc in discovered_priv_procs.stdout_lines -%} -a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=unset -k privileged {% endfor %} {% endif %} From fa6ebe44928a0a0cdf6c5aa9e5eb6aed40328b35 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Nov 2024 10:05:44 +0000 Subject: [PATCH 093/135] updated desktop logic Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +++ tasks/section_1/cis_1.7.x.yml | 37 +++++++++++++++++++++++++---------- tasks/section_1/main.yml | 3 +-- 3 files changed, 31 insertions(+), 12 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 25369f52..744fbcaf 100644 
--- a/defaults/main.yml +++ b/defaults/main.yml @@ -601,6 +601,9 @@ ubtu22cis_ipv6_required: false ## Graphical/Gnome interface required ubtu22cis_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}" +# If desktop is required this will set the relevant controls but not remove +ubtu22cis_desktop_required: false + ## Purge apt packages # This will allow the purging of any packages that are marked to be removed # This will also purge any packages not removed via this playbook diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index ad16cfb1..ca60e307 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -16,7 +16,9 @@ state: absent - name: "1.7.2 | PATCH | Ensure GDM login banner is configured" - when: ubtu22cis_rule_1_7_2 + when: + - ubtu22cis_rule_1_7_2 + - ubtu22cis_desktop_required tags: - level1-server - level1-workstation @@ -49,7 +51,9 @@ notify: Update dconf - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled" - when: ubtu22cis_rule_1_7_3 + when: + - ubtu22cis_rule_1_7_3 + - ubtu22cis_desktop_required tags: - level1-server - level1-workstation @@ -99,7 +103,9 @@ notify: Update dconf - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle" - when: ubtu22cis_rule_1_7_4 + when: + - ubtu22cis_rule_1_7_4 + - ubtu22cis_desktop_required tags: - level1-server - level1-workstation @@ -137,7 +143,9 @@ notify: Update dconf - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden" - when: ubtu22cis_rule_1_7_5 + when: + - ubtu22cis_rule_1_7_5 + - ubtu22cis_desktop_required tags: - level1-server - level1-workstation @@ -164,7 +172,9 @@ notify: Update dconf - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" - when: ubtu22cis_rule_1_7_6 + when: + - ubtu22cis_rule_1_7_6 + - ubtu22cis_desktop_required tags: - level1-server - level2-workstation 
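Review bot: With `ubtu22cis_desktop_required: false` as the default and the main.yml hunk in this commit dropping `when: ubtu22cis_gui` from the section import, controls 1.7.2–1.7.10 now run only when an operator opts in, whereas previously they ran whenever GDM was detected; a host with GDM installed that nobody flags as desktop-required silently loses the login-banner, screen-lock and XDMCP hardening. Consider `ubtu22cis_desktop_required: "{{ ubtu22cis_gui }}"` so detection stays the default, or state the opt-in behaviour in the README. The comment above the variable also trails off; something like `# If a desktop is required, the GDM controls (1.7.2-1.7.10) are applied rather than removing gdm3 (1.7.1)` states the intent, assuming 1.7.1 is gated on this variable elsewhere, which is not visible in this hunk.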
@@ -191,7 +201,9 @@ notify: Update dconf - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" - when: ubtu22cis_rule_1_7_7 + when: + - ubtu22cis_rule_1_7_7 + - ubtu22cis_desktop_required tags: - level1-server - level2-workstation @@ -218,7 +230,9 @@ notify: Update dconf - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled" - when: ubtu22cis_rule_1_7_8 + when: + - ubtu22cis_rule_1_7_8 + - ubtu22cis_desktop_required tags: - level1-server - level2-workstation @@ -245,8 +259,9 @@ notify: Update dconf - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden" - when: ubtu22cis_rule_1_7_9 - + when: + - ubtu22cis_rule_1_7_9 + - ubtu22cis_desktop_required tags: - level1-server - level2-workstation @@ -273,7 +288,9 @@ notify: Update dconf - name: "1.7.10 | PATCH | Ensure XDCMP is not enabled" - when: ubtu22cis_rule_1_7_10 + when: + - ubtu22cis_rule_1_7_10 + - ubtu22cis_desktop_required tags: - level1-server - level1-workstation diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index e9f3f54b..442ed469 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -64,7 +64,6 @@ ansible.builtin.import_tasks: file: cis_1.6.x.yml -- name: "SECTION | 1.7 | Configure DNOME Display Manager" - when: ubtu22cis_gui +- name: "SECTION | 1.7 | Configure GNOME Display Manager" ansible.builtin.import_tasks: file: cis_1.7.x.yml From 2eb64a41deb5aa287af99e8525caaa44d5004170 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Nov 2024 10:30:31 +0000 Subject: [PATCH 094/135] updated vars Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index d5a1fb65..fda3bf33 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -633,10 +633,10 @@ ubtu22cis_is_syslog_server: {{ ubtu22cis_system_is_log_server }} # Note the following to understand precedence and layout ubtu22cis_sshd_access: - - AllowUser {{ ubtu22cis_sshd.allow_users }} - - AllowGroup {{ ubtu22cis_sshd.allow_groups }} - - DenyUser {{ ubtu22cis_sshd.deny_users }} - - DenyGroup {{ ubtu22cis_sshd.deny_groups }} + - AllowUser {{ ubtu22cis_sshd_allow_users }} + - AllowGroup {{ ubtu22cis_sshd_allow_groups }} + - DenyUser {{ ubtu22cis_sshd_deny_users }} + - DenyGroup {{ ubtu22cis_sshd_deny_groups }} ubtu22cis_ssh_strong_ciphers: - aes256-gcm@openssh.com @@ -701,9 +701,9 @@ ubtu22cis_pam_passwd_retry: "3" # logins.def password settings ubtu22cis_pass: - max_days: {{ ubtu22cis_pass.max_days }} - min_days: {{ ubtu22cis_pass.min_days }} - warn_age: {{ ubtu22cis_pass.warn_age }} + max_days: {{ ubtu22cis_pass_max_days }} + min_days: {{ ubtu22cis_pass_min_days }} + warn_age: {{ ubtu22cis_pass_warn_age }} # set sugroup if differs from wheel ubtu22cis_sugroup: nosugroup From 78e400d67402af25c3e068e84ef10ad8a3ed39ef Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Nov 2024 10:52:31 +0000 Subject: [PATCH 095/135] updated autofs logic Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index c3856db4..e94c8969 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -3,6 +3,7 @@ - name: "2.1.1 | PATCH | Ensure autofs services are not in use" when: - ubtu22cis_rule_2_1_1 + - "'autofs' in ansible_facts.packages" tags: - level1-server - level2-workstation From 63b765858da8723fa4a8adac3f51b02e0a4b881d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Nov 2024 11:09:50 +0000 Subject: [PATCH 096/135] added ec2 to autofs Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index e94c8969..f1478585 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -4,6 +4,7 @@ when: - ubtu22cis_rule_2_1_1 - "'autofs' in ansible_facts.packages" + - not when system_is_ec2 tags: - level1-server - level2-workstation From 05560564f417987105780f813137e3fb8819f011 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Nov 2024 11:35:27 +0000 Subject: [PATCH 097/135] fixed 5.4.1.6 var Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index a846ed8f..47abf4bc 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -181,7 +181,7 @@ ansible.builtin.debug: msg: - "WARNING!! The following accounts have the last PW change date in the future" - - "{{ ubtu22cis_passwd_future_user_list.stdout_lines }}" + - "{{ discovered_passwd_future_user_list.stdout_lines }}" - name: "5.4.1.6 | WARN | Ensure all users last password change date is in the past | warn_count" when: ubtu22cis_passwd_future_user_list.stdout | length > 0 From 342b90ac466a6cb13f3c6bd5b2f0fceff7572981 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Nov 2024 12:00:03 +0000 Subject: [PATCH 098/135] fixed 5.4.1.6 var Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.1.x.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 47abf4bc..1311a255 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml 
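Review bot: `- not when system_is_ec2` is not a valid conditional: `when` is not a Jinja keyword, so the expression fails to evaluate and 2.1.1 errors on every host instead of being skipped on EC2. The line should read `- not system_is_ec2`. `system_is_ec2` is not shown being set anywhere on this page; confirm it is a defined fact or default, because an undefined name inside `when:` is an error rather than false.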
@@ -184,15 +184,15 @@ - "{{ discovered_passwd_future_user_list.stdout_lines }}" - name: "5.4.1.6 | WARN | Ensure all users last password change date is in the past | warn_count" - when: ubtu22cis_passwd_future_user_list.stdout | length > 0 + when: discovered_passwd_future_user_list.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates" when: - ubtu22cis_disruption_high - - ubtu22cis_passwd_future_user_list.stdout | length > 0 + - discovered_passwd_future_user_list.stdout | length > 0 ansible.builtin.shell: passwd --expire {{ item }} failed_when: false with_items: - - "{{ ubtu22cis_passwd_future_user_list.stdout_lines }}" + - "{{ discovered_passwd_future_user_list.stdout_lines }}" From 5d171cde35f91ba0431af36137f8f3c4d8f2b6d2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Nov 2024 12:32:45 +0000 Subject: [PATCH 099/135] fixed 5.4.1.6 var Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 1311a255..0f015b39 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -177,7 +177,7 @@ register: discovered_passwd_future_user_list - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Warn about users" - when: ubtu22cis_passwd_future_user_list.stdout | length > 0 + when: discovered_passwd_future_user_list.stdout | length > 0 ansible.builtin.debug: msg: - "WARNING!! The following accounts have the last PW change date in the future" From e760890587ab070dcdaf26edfe5a7fede0e5381e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Nov 2024 14:29:37 +0000 Subject: [PATCH 100/135] updated async and poll variable naming 
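Review bot: The remediation task for 5.4.1.6 runs `passwd --expire {{ item }}` with `failed_when: false`, so a failure to expire an account is reported as success and the future-dated password change stays in place undetected; drop `failed_when: false`, or register the result and fail on a non-zero rc, so the control's outcome is visible. The task name says "Lock accounts", but `passwd --expire` forces a password change at next login rather than locking the account, so either rename the task or apply a lock if that is the intent. The username is interpolated into a shell line although no shell feature is used; `ansible.builtin.command: passwd --expire {{ item }}` avoids shell interpretation of the discovered values.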
Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index af0a21f5..12bcb163 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -57,8 +57,8 @@ ansible.builtin.shell: aideinit -y -f args: creates: "{{ ubtu22cis_aide_db_file }}" - async: "{{ ubtu22cis_aide_init.async }}" - poll: "{{ ubtu22cis_aide_init.poll }}" + async: "{{ ubtu22cis_aide_init_async }}" + poll: "{{ ubtu22cis_aide_init_poll }}" - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked" when: From 9e1f883ce580d2930fe7546f92272894f5f8daf7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Nov 2024 14:58:09 +0000 Subject: [PATCH 101/135] Updated with extra information on some controls Signed-off-by: Mark Bolwell --- defaults/main.yml | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 744fbcaf..6fddd630 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -895,7 +895,7 @@ ubtu22cis_pam_confd_dir: 'usr/share/pam-configs/' # Create file will create/replace with the name # Controls 5.3.2.1 - pam_unix -# Name of file +# Name of file for the pam unix configuration ubtu22cis_pam_pwunix_file: 'pam_unix' # Should NOT be enabled if allowing custom config that enabled pam_faillock ubtu22cis_pam_create_pamunix_file: false @@ -903,7 +903,7 @@ ubtu22cis_pam_create_pamunix_file: false ubtu22cis_pam_auth_unix: true # 5.3.2.2 - pam_faillock -# Name of files +# Name of files for pam ubtu22cis_pam_faillock_file: 'faillock' ubtu22cis_pam_faillock_notify_file: 'faillock_notify' # Allow pam-auth-update --enable ubtu22cis_pam_faillock_file 
@@ -914,7 +914,7 @@ ubtu22cis_pam_auth_faillock: true ubtu22cis_pam_create_faillock_files: true # 5.3.2.3 - pam_pwquality -# Name of files +# Name of file for pwquality ubtu22cis_pam_pwquality_file: 'pwquality' # Allow new file to be created or overwrite existing with same name ubtu22cis_pam_create_pwquality_files: true @@ -922,7 +922,7 @@ ubtu22cis_pam_create_pwquality_files: true ubtu22cis_pam_auth_pwquality: true # 5.3.2.4 - pam_pwhistory -# Name of file +# Name of file for the pam history file ubtu22cis_pam_pwhistory_file: 'pwhistory' # Allow new file to be created or overwrite existing with same name # filepath also affects controls 5.3.3.3.1, 5.3.3.3.2, 5.3.3.3.3 
@@ -931,33 +931,40 @@ ubtu22cis_pam_create_pwhistory_files: true ubtu22cis_pam_auth_pwhistory: true # 5.3.3.1.1 - faillock_deny +# Lock systen using faillock fate 3 bad tries ubtu22cis_faillock_deny: 3 # 5.3.3.1.2 - faillock unlock time +# Timeout before releasing the faillock on an account ubtu22cis_faillock_unlock_time: 900 # 5.3.3.1.3 - lock root -# This allow optional - even_deny_root or root_unlock_time +# This gives the ablity to even_deny_root and or add a root_unlock_time in the options +# Option is used for the regexp to be amended and stirng is what to replace with. ubtu22cis_pamroot_lock_option: even_deny_root ubtu22cis_pamroot_lock_string: even_deny_root # 5.3.3.2.1 - password difok +# Pam difok settings - file and number of difference that must take place in the file +# difok = the minimum number of characters that must be different from the old password ubtu22cis_passwd_difok_file: etc/security/pwquality.conf.d/50-pwdifok.conf # pragma: allowlist secret ubtu22cis_passwd_difok_value: 2 # 5.3.3.2.2 - password minlength +# minlen = minimum password length ubtu22cis_passwd_minlen_file: etc/security/pwquality.conf.d/50-pwlength.conf # pragma: allowlist secret ubtu22cis_passwd_minlen_value: 14 # 5.3.3.2.3 - password complex ubtu22cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf # pragma: allowlist secret -ubtu22cis_passwd_minclass: 3 -ubtu22cis_passwd_dcredit: -1 -ubtu22cis_passwd_ucredit: -2 -ubtu22cis_passwd_ocredit: 0 -ubtu22cis_passwd_lcredit: -2 +ubtu22cis_passwd_minclass: 3 # minclass = the minimum number of character types that must be used (i.e., uppercase, lowercase, digits, other) +ubtu22cis_passwd_dcredit: -1 # dcredit = maximum number of digits that will generate a credit +ubtu22cis_passwd_ucredit: -2 # ucredit = maximum number of uppercase characters that will generate a credit +ubtu22cis_passwd_ocredit: 0 # ocredit = maximum number of other characters that will generate a credit +ubtu22cis_passwd_lcredit: -2 # 
lcredit = maximum number of lowercase characters that will generate a credit # 5.3.3.2.4 - password maxrepeat +# maxrepeat = the maximum number of times a single character may be repeated ubtu22cis_passwd_maxrepeat_file: etc/security/pwquality.conf.d/50-pwrepeat.conf # pragma: allowlist secret ubtu22cis_passwd_maxrepeat_value: 3 @@ -966,14 +973,17 @@ ubtu22cis_passwd_maxsequence_file: etc/security/pwquality.conf.d/50-pwmaxsequenc ubtu22cis_passwd_maxsequence_value: 3 # 5.3.3.2.6 - password dictcheck +# dictcheck = whether to check for the words from the cracklib dictionary (enabled if the value is not 0) ubtu22cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.conf # pragma: allowlist secret ubtu22cis_passwd_dictcheck_value: 1 # 5.3.3.2.7 - password quality enforce +# enforcing = new password is rejected if it fails the check and the value is not 0 ubtu22cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf # pragma: allowlist secret ubtu22cis_passwd_quality_enforce_value: 1 # 5.3.3.2.8 - password quality enforce for root included with 5.3.3.2.7 +# enforce_for_root: This ensures that the password policies are adhered to even if it’s the root user configuring the passwords. ubtu22cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf # pragma: allowlist secret ubtu22cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowlist secret From ace514b1f7e87b1b49397aaf9fb64fd206fe788e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Nov 2024 14:59:51 +0000 Subject: [PATCH 102/135] fix typo in item.item Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.3.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml index 0ae6df73..c6a2a66f 100644 --- a/tasks/section_6/cis_6.3.4.x.yml +++ b/tasks/section_6/cis_6.3.4.x.yml 
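Review bot: The new inline comments on the credit values describe only the non-negative meaning: for `dcredit`, `ucredit`, `ocredit` and `lcredit` a negative value (as configured here, -1/-2) is the minimum number of characters of that class a new password must contain, not a credit maximum, so the comments contradict the defaults they annotate. Suggest `# dcredit = negative: minimum digits required; positive: max credit for digits` and the same pattern for the other three. The added comments also carry typos: "systen" → "system", "fate" → "after", "ablity" → "ability", "stirng" → "string". The very long trailing comments on the credit lines would read better as comment lines above the keys.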
@@ -96,7 +96,7 @@ - auditd - rule_6.3.4.8 ansible.builtin.file: - path: "{{ item.item }}" + path: "{{ item }}" mode: 'g-w,o-rwx' loop: - /sbin/auditctl From 1f20d473882feb377311b1e481719a7ef0512323 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Nov 2024 16:15:14 +0000 Subject: [PATCH 103/135] fixed fregex for python versioning Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.3.3.3.x.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml index 84bf0489..ec2d9989 100644 --- a/tasks/section_5/cis_5.3.3.3.x.yml +++ b/tasks/section_5/cis_5.3.3.3.x.yml @@ -21,7 +21,7 @@ when: discovered_pwhistory_remember.stdout | length > 0 ansible.builtin.lineinfile: path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" - regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(remember=\d+) + regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(remember=\d+) line: '\1\2\3 remember={{ ubtu22cis_pamd_pwhistory_remember }}' backrefs: true notify: Pam_auth_update_pwhistory @@ -47,7 +47,7 @@ when: discovered_pwhistory_remember.stdout | length > 0 ansible.builtin.lineinfile: path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" - regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(enforce_for_root) + regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(enforce_for_root) line: '\1\2\3 enforce_for_root' backrefs: true notify: Pam_auth_update_pwhistory @@ -73,7 +73,7 @@ when: discovered_pwhistory_use_authtok.stdout | length > 0 ansible.builtin.lineinfile: path: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" - regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok) + regexp: ^(password\s+[^#\n\r]+\s+pam_pwhistory\.so\s+)(.*)(use_authtok) line: '\1\2\3 use_authtok' backrefs: true notify: Pam_auth_update_pwhistory From c4143f14ee117640e480347c2c37756654dd348b Mon Sep 17 00:00:00 2001 
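Review bot: In the `remember=` task the regexp captures the existing `(remember=\d+)` as `\3` and the replacement re-emits it before appending `remember={{ ubtu22cis_pamd_pwhistory_remember }}`, so a line that already has the option ends up with two `remember=` arguments; if the intent is to replace it, use `line: '\1\2remember={{ ubtu22cis_pamd_pwhistory_remember }}'`. The same `\1\2\3 <option>` pattern in the `enforce_for_root` and `use_authtok` tasks below duplicates those tokens as well, unless the preceding grep guarantees the option is absent, which the hunks do not show. The `\h` → `\s` change itself is correct, since Python's `re` has no `\h` escape and lineinfile matches one line at a time.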
From: Mark Bolwell Date: Tue, 26 Nov 2024 16:19:59 +0000 Subject: [PATCH 104/135] updated to loop 7.1.11 -13 Signed-off-by: Mark Bolwell --- tasks/section_7/cis_7.1.x.yml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 65f1059e..67d1c334 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -196,13 +196,12 @@ warn_control_id: '7.1.12' block: - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories" - ansible.builtin.shell: find {{ ubtu22cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs + ansible.builtin.shell: 'find {{ ubtu22cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs' changed_when: false failed_when: false check_mode: false register: discovered_unowned_files - loop: - - "{{ ansible_facts.mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" @@ -229,7 +228,7 @@ owner: "{{ ubtu22cis_unowned_owner }}" group: "{{ ubtu22cis_unowned_group }}" with_items: - - "{{ udiscovered_unowned_files_flatten }}" + - "{{ discovered_unowned_files_flatten }}" - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Warn Count" when: @@ -255,8 +254,7 @@ failed_when: false check_mode: false register: discovered_suid_sgid_files - loop: - - "{{ ansible_facts.mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" @@ -281,8 +279,7 @@ ansible.builtin.file: path: "{{ item }}" mode: 'u-s' - loop: - - "{{ discovered_suid_sgid_files_flatten }}" + loop: "{{ discovered_suid_sgid_files_flatten }}" - name: "7.1.13 | AUDIT | Audit SUID executables | Warn Count" when: From 479624813cea3319248f471306844066c643c482 Mon Sep 17 00:00:00 2001 
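Review bot: The 7.1.13 remediation applies `mode: 'u-s'` to every entry of `discovered_suid_sgid_files_flatten`; its `when:` lies above the hunk and is not visible, so confirm that an allowlist or a disruption-level gate excludes the setuid binaries the system needs (sudo, passwd, su) before this loop, otherwise the control breaks privilege management on the host. In 7.1.12, `{{ ubtu22cis_exclude_unowned_search_path }}` is interpolated into the `find` shell line unquoted; if that variable can ever hold a path with spaces, quote it or use `ansible.builtin.find`. Changing `loop:` from a nested list to `"{{ ansible_facts.mounts }}"` is right, since `loop` does not flatten and the old form iterated once over the whole list.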
From: Mark Bolwell Date: Tue, 26 Nov 2024 18:24:24 +0000 Subject: [PATCH 105/135] Add NIST IDs Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 8 + tasks/section_1/cis_1.1.2.1.x.yml | 4 + tasks/section_1/cis_1.1.2.2.x.yml | 3 + tasks/section_1/cis_1.1.2.3.x.yml | 3 + tasks/section_1/cis_1.1.2.4.x.yml | 3 + tasks/section_1/cis_1.1.2.5.x.yml | 3 + tasks/section_1/cis_1.1.2.6.x.yml | 3 + tasks/section_1/cis_1.1.2.7.x.yml | 4 + tasks/section_1/cis_1.2.1.x.yml | 2 + tasks/section_1/cis_1.2.2.x.yml | 1 + tasks/section_1/cis_1.3.1.x.yml | 4 + tasks/section_1/cis_1.4.x.yml | 2 + tasks/section_1/cis_1.5.x.yml | 7 + tasks/section_1/cis_1.6.x.yml | 15 ++ tasks/section_1/cis_1.7.x.yml | 34 +++ tasks/section_2/cis_2.1.x.yml | 26 +++ tasks/section_2/cis_2.2.x.yml | 9 + tasks/section_2/cis_2.3.1.x.yml | 2 + tasks/section_2/cis_2.3.2.x.yml | 4 + tasks/section_2/cis_2.3.3.x.yml | 4 + tasks/section_2/cis_2.4.1.x.yml | 19 ++ tasks/section_2/cis_2.4.2.x.yml | 2 + tasks/section_3/cis_3.1.x.yml | 3 + tasks/section_3/cis_3.2.x.yml | 8 + tasks/section_3/cis_3.3.x.yml | 51 +++++ tasks/section_4/cis_4.1.x.yml | 7 + tasks/section_4/cis_4.2.x.yml | 17 ++ tasks/section_4/cis_4.3.1.x.yml | 368 +----------------------------- tasks/section_4/cis_4.3.2.x.yml | 8 + tasks/section_4/cis_4.3.3.x.yml | 8 + 30 files changed, 270 insertions(+), 362 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 9369c7a2..0a4146a6 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -8,6 +8,7 @@ - patch - rule_1.1.1.1 - cramfs + - NIST800-53R5_CM-7 block: - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: @@ -39,6 +40,7 @@ - patch - rule_1.1.1.2 - freevxfs + - NIST800-53R5_CM-7 block: - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: 
@@ -70,6 +72,7 @@ - patch - rule_1.1.1.3 - hfs + - NIST800-53R5_CM-7 block: - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: @@ -101,6 +104,7 @@ - patch - rule_1.1.1.4 - hfsplus + - NIST800-53R5_CM-7 block: - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: @@ -132,6 +136,7 @@ - patch - rule_1.1.1.5 - jffs2 + - NIST800-53R5_CM-7 block: - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: @@ -166,6 +171,7 @@ - patch - rule_1.1.1.6 - squashfs + - NIST800-53R5_CM-7 block: - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: @@ -197,6 +203,7 @@ - patch - rule_1.1.1.7 - udf + - NIST800-53R5_CM-7 block: - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: @@ -228,6 +235,7 @@ - patch - rule_1.1.1.8 - usb + - NIST800-53R5_SI-3 block: - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index b965374e..d667dcfc 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -11,6 +11,7 @@ - mounts - rule_1.1.2.1.1 - tmp + - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.1.1' required_mount: '/tmp' @@ -33,6 +34,9 @@ - patch - rule_1.1.2.1.2 - tmp + - NIST800-53R5_CM-7 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 vars: required_mount: '/tmp' ansible.builtin.set_fact: diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index a4fc59b0..dd988e39 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml 
@@ -10,6 +10,7 @@ - audit - mounts - rule_1.1.2.2.1 + - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.2.1' required_mount: '/dev/shm' @@ -47,6 +48,8 @@ - rule_1.1.2.2.1 - rule_1.1.2.2.2 - rule_1.1.2.2.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 notify: Set_reboot_required ansible.posix.mount: name: /dev/shm diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index 1f295c3e..bfb0040e 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -10,6 +10,7 @@ - audit - mounts - rule_1.1.2.3.1 + - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.3.1' required_mount: '/home' @@ -38,6 +39,8 @@ - mounts - rule_1.1.2.3.2 - rule_1.1.2.3.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 notify: Set_reboot_required ansible.posix.mount: name: /home diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index d341d8aa..d8c0520d 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -10,6 +10,7 @@ - patch - mounts - rule_1.1.2.4.1 + - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.4.1' required_mount: '/var' @@ -38,6 +39,8 @@ - mounts - rule_1.1.2.4.2 - rule_1.1.2.4.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 notify: Set_reboot_required ansible.posix.mount: name: /var diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index b41d723d..de6bfe7c 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -11,6 +11,7 @@ - audit - mounts - rule_1.1.2.5.1 + - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.5.1' required_mount: '/var/tmp' @@ -42,6 +43,8 @@ - rule_1.1.2.5.2 - rule_1.1.2.5.3 - rule_1.1.2.5.4 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 notify: Set_reboot_required ansible.posix.mount: name: /var/tmp diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index dacdac2d..c5638bbc 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml 
+++ b/tasks/section_1/cis_1.1.2.6.x.yml @@ -10,6 +10,7 @@ - audit - mounts - rule_1.1.2.6.1 + - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.6.1' required_mount: '/var/log' @@ -41,6 +42,8 @@ - rule_1.1.2.6.2 - rule_1.1.2.6.3 - rule_1.1.2.6.4 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 notify: Set_reboot_required ansible.posix.mount: name: /var/log diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index f2b69b42..6c45c0ad 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml @@ -10,6 +10,7 @@ - audit - mounts - rule_1.1.2.7.1 + - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.7.1' required_mount: '/var/log/audit' @@ -33,6 +34,9 @@ - ubtu22cis_rule_1_1_2_7_2 or ubtu22cis_rule_1_1_2_7_3 or ubtu22cis_rule_1_1_2_7_4 + - NIST800-53R5_CM-7 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index 1acd79b0..d31afed5 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml @@ -9,6 +9,7 @@ - rule_1.2.1.1 - gpg - keys + - NIST800-53R5_SI-2 vars: warn_control_id: '1.2.1.1' block: @@ -39,6 +40,7 @@ - audit - rule_1.2.1.2 - apt + - NIST800-53R5_SI-2 vars: warn_control_id: '1.2.1.2' block: diff --git a/tasks/section_1/cis_1.2.2.x.yml b/tasks/section_1/cis_1.2.2.x.yml index 6fe9a348..3572c8ee 100644 --- a/tasks/section_1/cis_1.2.2.x.yml +++ b/tasks/section_1/cis_1.2.2.x.yml @@ -8,6 +8,7 @@ - patch - rule_1.2.2.1 - patch + - NIST800-53R5_SI-2 ansible.builtin.package: name: "*" state: latest diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml index b87dafa5..5ca544cc 100644 --- a/tasks/section_1/cis_1.3.1.x.yml +++ b/tasks/section_1/cis_1.3.1.x.yml @@ -11,6 +11,7 @@ - patch - rule_1.3.1.1 - apparmor + - NIST800-53R5_SI-2 ansible.builtin.package: name: ['apparmor', 'apparmor-utils'] state: present 
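Review bot: In cis_1.1.2.7.x.yml the three `NIST800-53R5_*` entries are inserted above `tags:` and therefore extend the `when:` list rather than the tag list; each will be evaluated as a Jinja expression (`NIST800 - 53R5_CM - 7`) and the task errors on undefined variables. Move the three lines under `tags:` next to `- rule_1.1.2.7.x`, as every other file in this commit does. This is the only hunk on the page with the misplacement.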
@@ -23,6 +24,7 @@ - patch - rule_1.3.1.2 - apparmor + - NIST800-53R5_AC-3 block: - name: "1.3.1.2 | AUDIT | Ensure AppArmor is enabled in the bootloader configuration | Get current settings" ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' @@ -88,6 +90,7 @@ - patch - rule_1.3.1.4 - apparmor + - NIST800-53R5_AC-3 block: - name: "1.3.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Make sure that 1.3.1.3 is not run" ansible.builtin.set_fact: @@ -129,6 +132,7 @@ - patch - rule_1.3.1.3 - apparmor + - NIST800-53R5_AC-3 block: - name: "1.3.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only true for GOSS" when: ubtu22cis_apparmor_mode == "enforce" diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index a216185b..1730b875 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -10,6 +10,7 @@ - patch - rule_1.4.1 - grub + - NIST800-53R5_AC-3 block: - name: "1.4.1 | PATCH | Ensure bootloader password is set" ansible.builtin.template: @@ -37,6 +38,7 @@ - patch - rule_1.4.2 - grub + - NIST800-53R5_AC-3 block: - name: "1.4.2 | AUDIT | Ensure access to bootloader config is configured | Check for Grub file" ansible.builtin.stat: diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 65157fe6..4e53e1fb 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -8,6 +8,7 @@ - patch - rule_1.5.1 - aslr + - NIST800-53R5_CM-6 ansible.posix.sysctl: name: kernel.randomize_va_space value: '2' @@ -25,6 +26,7 @@ - patch - rule_1.5.2 - ptrace + - NIST800-53R5_CM-6 ansible.posix.sysctl: name: kernel.yama.ptrace_scope value: '1' @@ -42,6 +44,7 @@ - patch - rule_1.5.3 - coredump + - NIST800-53R5_CM-6 block: - name: "1.5.3 | PATCH | Ensure core dumps are restricted | kernel sysctl" ansible.posix.sysctl: 
@@ -96,6 +99,9 @@ - patch - rule_1.5.4 - prelink + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 block: - name: "1.5.4 | PATCH | Ensure prelink is not installed | Restore binaries to normal" ansible.builtin.shell: prelink -ua @@ -116,6 +122,7 @@ - patch - rule_1.5.5 - apport + - NIST800-53R5_NA block: - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled | disable" ansible.builtin.lineinfile: diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 3e8d5ac9..2134f75d 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -8,6 +8,9 @@ - patch - rule_1.6.1 - motd + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 block: - name: "1.6.1 | PATCH | Ensure message of the day is configured properly | motd" ansible.builtin.template: @@ -34,6 +37,9 @@ - patch - rule_1.6.2 - banner + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 block: - name: "1.6.2 | PATCH | Ensure local login warning banner is configured properly | issue" ansible.builtin.template: @@ -52,6 +58,9 @@ - patch - rule_1.6.3 - banner + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 block: - name: "1.6.3 | PATCH | Ensure remote login warning banner is configured properly | issue.net" ansible.builtin.template: @@ -71,6 +80,8 @@ - rule_1.6.4 - permissions - motd + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/motd owner: root @@ -86,6 +97,8 @@ - rule_1.6.5 - permissions - banner + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/issue owner: root @@ -101,6 +114,8 @@ - rule_1.6.6 - permissions - banner + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/issue.net owner: root diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index ca60e307..f1381b1a 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml 
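Review bot: `NIST800-53R5_NA` on 1.5.5 is a placeholder tag for "no NIST mapping", yet it looks like a control ID and will show up in any tag listing next to real ones; `--tags NIST800-53R5_NA` selects nothing meaningful. Either omit the tag where there is no mapping or document the convention in the README. The same placeholder is added to 1.7.4 in the cis_1.7.x.yml hunk further down.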
@@ -11,6 +11,7 @@ - patch - rule_1.7.1 - gnome + - NIST800-53R5_CM-11 ansible.builtin.package: name: gdm3 state: absent @@ -25,6 +26,11 @@ - patch - rule_1.7.2 - gnome + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | make directory" ansible.builtin.file: @@ -60,6 +66,11 @@ - patch - rule_1.7.3 - gnome + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | make directories" ansible.builtin.file: @@ -112,6 +123,7 @@ - patch - rule_1.7.4 - gnome + - NIST800-53R5_NA block: - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | session profile" ansible.builtin.lineinfile: @@ -152,6 +164,7 @@ - patch - rule_1.7.5 - gnome + - NIST800-53R5_CM-11 block: - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory" ansible.builtin.file: @@ -181,6 +194,11 @@ - patch - rule_1.7.6 - gnome + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | make directory" ansible.builtin.file: @@ -210,6 +228,11 @@ - patch - rule_1.7.7 - gnome + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lock directory" ansible.builtin.file: @@ -239,6 +262,11 @@ - patch - rule_1.7.8 - gnome + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled | make directory" ansible.builtin.file: 
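Review bot: The identical five-tag set `NIST800-53R5_CM-1`/`CM-2`/`CM-6`/`CM-7`/`IA-5` is applied to 1.7.2, 1.7.3 and 1.7.6 through 1.7.9 here, and the same set recurs on 2.4.1.1 (cron enabled), on every sysctl rule in cis_3.3.x.yml, and on most of the sshd rules in cis_5.1.x.yml later in the patch. IA-5 is authenticator management, which does not obviously apply to GDM automount settings or IP-forwarding sysctls, so this looks like one mapping pasted across unrelated controls rather than a per-rule lookup. Suggest reconciling each rule's tags against the CIS-to-800-53 reference table before the tags are relied on for reporting, since an over-broad mapping silently over-reports coverage.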
@@ -268,6 +296,11 @@ - patch - rule_1.7.9 - gnome + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden | make lock directory" ansible.builtin.file: @@ -298,6 +331,7 @@ - rule_1.7.10 - gnome - xdcmp + - NIST800-53R5_SI-4 ansible.builtin.lineinfile: path: /etc/gdm3/custom.conf regexp: '^Enable.*=.*true' diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index f1478585..db315764 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -10,6 +10,8 @@ - level2-workstation - patch - rule_2.1.1 + - NIST800-53R5_SI-3 + - NIST800-53R5_MP-7 block: - name: "2.1.1 | PATCH | Ensure autofs services are not in use | Remove Package" when: @@ -39,6 +41,7 @@ - patch - avahi - rule_2.1.2 + - NIST800-53R5_SI-4 block: - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Remove package" when: @@ -74,6 +77,7 @@ - patch - dhcp - rule_2.1.3 + - NIST800-53R5_CM-7 block: - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use | Remove package" when: @@ -107,6 +111,7 @@ - patch - dns - rule_2.1.4 + - NIST800-53R5_CM-7 block: - name: "2.1.4 | PATCH | Ensure dns server services are not in use | Remove package" when: @@ -137,6 +142,7 @@ - patch - dns - rule_2.1.5 + - NIST800-53R5_CM-7 block: - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Remove package" when: @@ -168,6 +174,7 @@ - patch - ftp - rule_2.1.6 + - NIST800-53R5_CM-7 block: - name: "2.1.6 | PATCH | Ensure ftp server services are not in use | Remove package" when: @@ -198,6 +205,7 @@ - patch - ldap - rule_2.1.7 + - NIST800-53R5_CM-7 block: - name: "2.1.7 | PATCH | Ensure ldap server services are not in use | Remove package" when: @@ -230,6 +238,7 @@ - imap - pop3 - rule_2.1.8 + - NIST800-53R5_CM-7 block: - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Remove package" when: 
@@ -266,6 +275,8 @@ - nfs - services - rule_2.1.9 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 block: - name: "2.1.9 | PATCH | Ensure network file system services are not in use | Remove package" when: @@ -296,6 +307,7 @@ - patch - nis - rule_2.1.10 + - NIST800-53R5_CM-7 notify: Systemd_daemon_reload block: - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Remove package" @@ -326,6 +338,7 @@ - patch - cups - rule_2.1.11 + - NIST800-53R5_CM-7 block: - name: "2.1.11 | PATCH | Ensure print server services are not in use | Remove package" when: @@ -359,6 +372,8 @@ - patch - rpc - rule_2.1.12 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 block: - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use | Remove package" when: @@ -392,6 +407,7 @@ - patch - rsync - rule_2.1.13 + - NIST800-53R5_CM-7 block: - name: "2.1.13 | PATCH | Ensure rsync services are not in use | Remove package" when: @@ -423,6 +439,8 @@ - patch - samba - rule_2.1.14 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 block: - name: "2.1.14 | PATCH | Ensure samba file server services are not in use | Remove package" when: @@ -455,6 +473,7 @@ - patch - samba - rule_2.1.15 + - NIST800-53R5_CM-7 block: - name: "2.1.15 | PATCH | Ensure snmp services are not in use | Remove package" when: @@ -485,6 +504,7 @@ - patch - tftp - rule_2.1.16 + - NIST800-53R5_CM-7 block: - name: "2.1.16 | PATCH | Ensure tftp server services are not in use | Remove package" when: @@ -515,6 +535,7 @@ - patch - squid - rule_2.1.17 + - NIST800-53R5_CM-7 block: - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use | Remove package" when: @@ -547,6 +568,7 @@ - nginx - webserver - rule_2.1.18 + - NIST800-53R5_CM-7 block: - name: "2.1.18 | PATCH | Ensure web server services are not in use | Remove httpd server" when: @@ -603,6 +625,7 @@ - patch - xinetd - rule_2.1.19 + - NIST800-53R5_CM-7 block: - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Remove package" when: 
@@ -635,6 +658,7 @@ - patch - xwindow - rule_2.1.20 + - NIST800-53R5_CM-11 ansible.builtin.package: name: xorg-x11-server-common state: absent @@ -650,6 +674,7 @@ - patch - postfix - rule_2.1.21 + - NIST800-53R5_CM-7 vars: warn_control_id: '2.2.21' block: @@ -705,6 +730,7 @@ - audit - services - rule_2.1.22 + - NIST800-53R5_CM-7 vars: warn_control_id: '2.1.22' block: diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 898dc06b..076bd4b2 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -9,6 +9,8 @@ - level1-workstation - rule_2.2.1 - nis + - NIST800-53R5_CM-7 + - NIST800-53R5_CM-11 ansible.builtin.package: name: nis state: absent @@ -24,6 +26,7 @@ - patch - rule_2.2.2 - rsh + - NIST800-53R5_CM-7 ansible.builtin.package: name: rsh-client state: absent @@ -39,6 +42,7 @@ - patch - rule_2.2.3 - talk + - NIST800-53R5_CM-7 ansible.builtin.package: name: talk state: absent @@ -54,6 +58,8 @@ - patch - rule_2.2.4 - telnet + - NIST800-53R5_CM-7 + - NIST800-53R5_CM-11 ansible.builtin.package: name: telnet state: absent @@ -69,6 +75,7 @@ - patch - rule_2.2.5 - ldap + - NIST800-53R5_CM-7 ansible.builtin.package: name: ldap-utils state: absent @@ -84,6 +91,8 @@ - patch - rule_2.2.6 - ftp + - NIST800-53R5_CM-7 + - NIST800-53R5_CM-11 ansible.builtin.package: name: ftp state: absent diff --git a/tasks/section_2/cis_2.3.1.x.yml b/tasks/section_2/cis_2.3.1.x.yml index 5f6e1335..a96c70fd 100644 --- a/tasks/section_2/cis_2.3.1.x.yml +++ b/tasks/section_2/cis_2.3.1.x.yml @@ -10,6 +10,8 @@ - chrony - ntp - systemd-timesyncd + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 block: - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use | Pkg installed" ansible.builtin.package: diff --git a/tasks/section_2/cis_2.3.2.x.yml b/tasks/section_2/cis_2.3.2.x.yml index fff911cb..f431e6b1 100644 --- a/tasks/section_2/cis_2.3.2.x.yml +++ b/tasks/section_2/cis_2.3.2.x.yml 
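Review bot: The task under `rule_2.1.20` removes the package `xorg-x11-server-common`, which is the Fedora/RHEL package name; on Ubuntu 22.04 the X server core package is `xserver-xorg-core` (metapackage `xserver-xorg`), so this remediation is likely a no-op on the target platform even though the hunk now tags it as a CM-11 control. The package line is hunk context rather than something this commit changes, but the new tag advertises it as implemented. Suggest `name: xserver-xorg-core` and a check-mode run on a workstation build to confirm the package is actually detected and removed.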
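Review bot: Under `rule_2.1.21` the hunk context shows `warn_control_id: '2.2.21'` while the task is 2.1.21 (postfix), so any warning raised by this task is counted against a control id that does not exist in this file; the sibling 2.1.22 task in the next hunk uses the matching `warn_control_id: '2.1.22'`. The mismatch predates this commit but is visible in the hunk being tagged. Change it to `warn_control_id: '2.1.21'`.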
@@ -8,6 +8,8 @@ - patch - rule_2.3.2.1 - timesyncd + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-8 block: - name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver | create conf.d dir" ansible.builtin.file: @@ -35,6 +37,8 @@ - level1-workstation - rule_2.3.2.2 - timesyncd + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-8 block: - name: "2.3.2.2 | PATCH | Ensure systemd-timesyncd is enabled and running | enable if timesyncd" ansible.builtin.systemd: diff --git a/tasks/section_2/cis_2.3.3.x.yml b/tasks/section_2/cis_2.3.3.x.yml index 1ed92caf..277e62f5 100644 --- a/tasks/section_2/cis_2.3.3.x.yml +++ b/tasks/section_2/cis_2.3.3.x.yml @@ -8,6 +8,8 @@ - patch - rule_2.3.3.1 - chrony + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 block: - name: "2.3.3.1 | PATCH | Ensure chrony is configured with authorized timeserver | sources" ansible.builtin.template: @@ -36,6 +38,7 @@ - patch - rule_2.3.3.2 - chrony + - NIST800-53R5_AU-8 ansible.builtin.lineinfile: path: /etc/chrony/chrony.conf regexp: '^user _chrony' @@ -48,6 +51,7 @@ - level1-workstation - rule_2.3.3.3 - chrony + - NIST800-53R5_AU-8 block: - name: "2.3.3.3 | PATCH | Ensure chrony is enabled and running" ansible.builtin.systemd: diff --git a/tasks/section_2/cis_2.4.1.x.yml b/tasks/section_2/cis_2.4.1.x.yml index dc4a5736..7aed3c88 100644 --- a/tasks/section_2/cis_2.4.1.x.yml +++ b/tasks/section_2/cis_2.4.1.x.yml @@ -8,6 +8,11 @@ - patch - rule_2.4.1.1 - cron + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.builtin.systemd: name: cron state: started @@ -21,6 +26,8 @@ - patch - rule_2.4.1.2 - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/crontab owner: root @@ -35,6 +42,8 @@ - patch - rule_2.4.1.3 - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/cron.hourly owner: root 
@@ -50,6 +59,8 @@ - patch - rule_2.4.1.4 - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/cron.daily owner: root @@ -65,6 +76,8 @@ - patch - rule_2.4.1.5 - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/cron.weekly owner: root @@ -80,6 +93,8 @@ - patch - rule_2.4.1.6 - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/cron.monthly owner: root @@ -95,6 +110,8 @@ - patch - rule_2.4.1.7 - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/cron.d owner: root @@ -110,6 +127,8 @@ - patch - rule_2.4.1.8 - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 block: - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" ansible.builtin.file: diff --git a/tasks/section_2/cis_2.4.2.x.yml b/tasks/section_2/cis_2.4.2.x.yml index d22a311b..d1177d03 100644 --- a/tasks/section_2/cis_2.4.2.x.yml +++ b/tasks/section_2/cis_2.4.2.x.yml @@ -8,6 +8,8 @@ - patch - rule_2.4.2.1 - cron + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 block: - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" ansible.builtin.file: diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 3070ca08..543dc8af 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -10,6 +10,7 @@ - patch - rule_3.1.1 - ipv6 + - NIST800-53R5_CM-7 block: - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Replace ipv6.disable if it exists" when: ubtu22cis_ipv6_disable == 'grub' @@ -60,6 +61,7 @@ - patch - rule_3.1.2 - wireless + - NIST800-53R5_CM-7 vars: warn_control_id: '3.1.2' block: @@ -97,6 +99,7 @@ - patch - bluetooth - rule_3.1.3 + - NIST800-53R5_CM-7 block: - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use | pkg" when: diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index aaf050e5..62840cbd 100644 
--- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -8,6 +8,8 @@ - patch - rule_3.2.1 - dccp + - NIST800-53R5_SI-4 + - NIST800-53R5_CM-7 block: - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | modprobe" ansible.builtin.lineinfile: @@ -35,6 +37,8 @@ - patch - rule_3.2.2 - tipc + - NIST800-53R5_SI-4 + - NIST800-53R5_CM-7 block: - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available | modprobe" ansible.builtin.lineinfile: @@ -62,6 +66,8 @@ - patch - rule_3.2.3 - rds + - NIST800-53R5_SI-4 + - NIST800-53R5_CM-7 block: - name: "3.2.3 | PATCH | Ensure rds kernel module is not available | modprobe" ansible.builtin.lineinfile: @@ -89,6 +95,8 @@ - patch - rule_3.2.4 - sctp + - NIST800-53R5_SI-4 + - NIST800-53R5_CM-7 block: - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available | modprobe" ansible.builtin.lineinfile: diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index cd22545d..a34dbfef 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -11,6 +11,11 @@ - rule_3.3.1 - ip_forwarding - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - name: "3.3.1 | PATCH | Ensure IP forwarding is disabled | IPv4 settings" ansible.posix.sysctl: @@ -48,6 +53,11 @@ - rule_3.3.2 - packet_redirect - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.posix.sysctl: name: "{{ item }}" value: '0' @@ -70,6 +80,11 @@ - rule_3.3.3 - icmp - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.posix.sysctl: name: net.ipv4.icmp_ignore_bogus_error_responses value: '1' 
@@ -89,6 +104,11 @@ - rule_3.3.4 - icmp - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.posix.sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts value: '1' @@ -108,6 +128,11 @@ - rule_3.3.5 - icmp - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted | IPv4 settings" ansible.posix.sysctl: @@ -147,6 +172,11 @@ - rule_3.3.6 - icmp - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.posix.sysctl: name: "{{ item }}" value: '0' @@ -169,6 +199,11 @@ - rule_3.3.7 - reverse_path_filtering - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.posix.sysctl: name: "{{ item }}" value: '1' @@ -193,6 +228,11 @@ - rule_3.3.8 - routed_packets - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - name: "3.3.8 | PATCH | Ensure source routed packets are not accepted | IPv4 settings" ansible.posix.sysctl: @@ -232,6 +272,7 @@ - rule_3.3.9 - suspicious_packets - sysctl + - NIST800-53R5_AU-3 ansible.posix.sysctl: name: "{{ item }}" value: '1' @@ -254,6 +295,11 @@ - rule_3.3.10 - tcp_syn_cookies - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.posix.sysctl: name: net.ipv4.tcp_syncookies value: '1' @@ -276,6 +322,11 @@ - ipv6 - router_advertisements - sysctl + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.posix.sysctl: name: "{{ item }}" value: '0' diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index d69b3f83..5cddd0bd 100644 --- a/tasks/section_4/cis_4.1.x.yml 
+++ b/tasks/section_4/cis_4.1.x.yml @@ -11,6 +11,7 @@ - rule_4.1.1 - apt - ufw + - NIST800-53R5_SC-7 ansible.builtin.package: name: ufw state: present @@ -25,6 +26,7 @@ - patch - rule_4.1.2 - ufw + - NIST800-53R5_SC-7 ansible.builtin.package: name: iptables-persistent state: absent @@ -39,6 +41,7 @@ - patch - rule_4.1.3 - ufw + - NIST800-53R5_SC-7 block: - name: "4.1.3 | PATCH | Ensure ufw service is enabled | ssh port enabled" community.general.ufw: @@ -61,6 +64,7 @@ - patch - rule_4.1.4 - ufw + - NIST800-53R5_SC-7 block: - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set allow in ufw rules" community.general.ufw: @@ -99,6 +103,7 @@ - patch - rule_4.1.5 - ufw + - NIST800-53R5_SC-7 block: - name: "4.1.5 | PATCH | Ensure ufw outbound connections are configured | Custom ports" when: ubtu22cis_ufw_allow_out_ports != "all" @@ -125,6 +130,7 @@ - audit - rule_4.1.6 - ufw + - NIST800-53R5_SC-7 vars: warn_control_id: '4.1.6' block: @@ -164,6 +170,7 @@ - patch - rule_4.1.7 - ufw + - NIST800-53R5_SC-7 community.general.ufw: default: deny direction: "{{ item }}" diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml index a2c85701..c4372987 100644 --- a/tasks/section_4/cis_4.2.x.yml +++ b/tasks/section_4/cis_4.2.x.yml @@ -15,6 +15,7 @@ - audit - rule_4.2.1 - nftables + - NIST800-53R5_CA-9 vars: warn_control_id: '4.2.1' block: @@ -36,6 +37,7 @@ - audit - rule_4.2.2 - nftables + - NIST800-53R5_SC-7 vars: warn_control_id: '4.2.2' block: @@ -60,6 +62,8 @@ - audit - rule_4.2.3 - nftables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 vars: warn_control_id: '4.2.3' block: @@ -83,6 +87,8 @@ - patch - rule_4.2.4 - nftables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 vars: warn_control_id: '4.2.4' block: @@ -109,6 +115,7 @@ - audit - rule_4.2.5 - nftables + - NIST800-53R5_NA vars: warn_control_id: '4.2.5' block: @@ -130,6 +137,8 @@ - audit - rule_4.2.6 - nftables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 vars: warn_control_id: '4.2.6' block: 
@@ -151,6 +160,8 @@ - audit - rule_4.2.7 - nftables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 vars: warn_control_id: '4.2.7' block: @@ -172,6 +183,8 @@ - audit - rule_4.2.8 - nftables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 vars: warn_control_id: '4.2.8' block: @@ -193,6 +206,8 @@ - audit - rule_4.2.9 - nftables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 vars: warn_control_id: '4.2.9' block: @@ -218,6 +233,8 @@ - audit - rule_4.2.10 - nftables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 vars: warn_control_id: '4.2.10' block: diff --git a/tasks/section_4/cis_4.3.1.x.yml b/tasks/section_4/cis_4.3.1.x.yml index 19391011..88622585 100644 --- a/tasks/section_4/cis_4.3.1.x.yml +++ b/tasks/section_4/cis_4.3.1.x.yml @@ -10,6 +10,8 @@ - patch - rule_4.3.1.1 - iptables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 ansible.builtin.package: name: ['iptables', 'iptables-persistent'] state: present @@ -24,6 +26,8 @@ - patch - rule_4.3.1.2 - iptables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 ansible.builtin.package: name: nftables state: absent 
@@ -39,368 +43,8 @@ - patch - rule_4.3.1.3 - iptables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 ansible.builtin.package: name: ufw state: absent - -- name: "4.3.1.1 | PATCH | Ensure iptables default deny firewall policy" - when: - - ubtu22cis_rule_4_3_1_1 - - ubtu22cis_ipv4_required - - not system_is_ec2 - tags: - - level1-server - - level1-workstation - - patch - - rule_4.3.1.1 - - iptables - block: - - name: "4.3.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - notify: Iptables persistent - - - name: "4.3.1.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed out" - ansible.builtin.iptables: - chain: OUTPUT - protocol: tcp - source_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - notify: Iptables persistent - - - name: "4.3.1.1 | PATCH | Ensure iptables default deny firewall policy | Enable apt traffic" - ansible.builtin.iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - notify: Iptables persistent - - - name: "4.3.1.1 | PATCH | Ensure iptables default deny firewall policy | Set drop items" - ansible.builtin.iptables: - policy: DROP - chain: "{{ item }}" - with_items: - - INPUT - - FORWARD - - OUTPUT - notify: Iptables persistent - -- name: "4.3.1.2 | PATCH | Ensure iptables loopback traffic is configured" - when: - - ubtu22cis_rule_4_3_1_2 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - patch - - rule_4.3.1.2 - - iptables - block: - - name: "4.3.1.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - notify: Iptables persistent - - - name: "4.3.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" - 
ansible.builtin.iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - notify: Iptables persistent - - - name: "4.3.1.2 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: INPUT - source: 127.0.0.0/8 - jump: DROP - notify: Iptables persistent - -- name: "4.3.1.3 | PATCH | Ensure iptables outbound and established connections are configured" - when: - - ubtu22cis_rule_4_3_1_3 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - patch - - rule_4.3.1.3 - - iptables - ansible.builtin.iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } - notify: Iptables persistent - -- name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports" - when: - - ubtu22cis_rule_4_3_1_4 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - audit - - rule_4.3.1.4 - - iptables - block: - - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -4tuln - changed_when: false - failed_when: false - check_mode: false - register: discovered_open_ports_list - - - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.shell: iptables -L INPUT -v -n - changed_when: false - failed_when: false - check_mode: false 
- register: discovered_current_iptables_rules - - - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Warn about settings" - ansible.builtin.debug: - msg: - - "Warning!! Below is the list the open ports and current rules" - - "Please create a rule for any open port that does not have a current rule" - - "Open Ports:" - - "{{ discovered_open_ports_list.stdout_lines }}" - - "Current Rules:" - - "{{ discovered_current_iptables_rules.stdout_lines }}" - - - name: "4.3.1.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '4.3.1.4' - -# --------------- -# --------------- -# This is not a control however using the iptables module only writes to memery -# if a reboot occurs that means changes can revert. This task will make the -# above iptables settings permanent -# --------------- -# --------------- -# - name: "Make IPTables persistent | Not a control" -# block: -# - name: "Make IPTables persistent | Install iptables-persistent" -# ansible.builtin.package: -# name: iptables-persistent -# state: present - -# - name: "Make IPTables persistent | Save to persistent files" -# ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" -# changed_when: ubtu22cis_iptables_save.rc == 0 -# failed_when: ubtu22cis_iptables_save.rc > 0 -# register: ubtu22cis_iptables_save -# when: -# - ubtu22cis_firewall_package == "iptables" -# - ubtu22cis_save_iptables_cis_rules -# - ubtu22cis_rule_4_3_1_1 or -# ubtu22cis_rule_4_3_1_2 or -# ubtu22cis_rule_4_3_1_3 or -# ubtu22cis_rule_4_3_1_4 - -- name: "4.3.1.1 | PATCH | Ensure ip6tables default deny firewall policy" - when: - - ubtu22cis_rule_4_3_1_1 - - ubtu22cis_ipv6_required - tags: - - level1-server - - level1-workstation - - patch - - rule_4.3.1.1 - - ip6tables - block: - - name: "4.3.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" 
- ansible.builtin.iptables: - chain: OUTPUT - protocol: tcp - source_port: 22 - jump: ACCEPT - ctstate: 'NEW,ESTABLISHED' - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "4.3.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Enable apt traffic" - ansible.builtin.iptables: - chain: INPUT - ctstate: 'ESTABLISHED' - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "4.3.1.1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" - ansible.builtin.iptables: - policy: DROP - chain: "{{ item }}" - ip_version: ipv6 - notify: Ip6tables persistent - loop: - - INPUT - - FORWARD - - OUTPUT - -- name: "4.3.1.2 | PATCH | Ensure ip6tables loopback traffic is configured" - when: - - ubtu22cis_rule_4_3_1_2 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv6_required - - not ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - patch - - rule_4.3.1.2 - - ip6tables - block: - - name: "4.3.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "4.3.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT loopback ACCEPT" - ansible.builtin.iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - ip_version: ipv6 - notify: Ip6tables persistent - - - name: "4.3.1.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback drop" - ansible.builtin.iptables: - action: append - chain: INPUT - source: ::1 - jump: DROP - ip_version: ipv6 - notify: Ip6tables persistent - -- name: "4.3.1.3 | PATCH | Ensure ip6tables outbound and established connections are configured" - when: - - ubtu22cis_rule_4_3_1_3 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv6_required - - not ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - 
- patch - - rule_4.3.1.3 - - ip6tables - ansible.builtin.iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - ip_version: ipv6 - loop: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: udp, ctstate: 'ESTABLISHED' } - - { chain: INPUT, protocol: icmp, ctstate: 'ESTABLISHED' } - notify: Ip6tables persistent - -- name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports" - when: - - ubtu22cis_rule_4_3_1_4 - - ubtu22cis_firewall_package == "iptables" - - ubtu22cis_ipv6_required - - not ubtu22cis_ipv4_required - tags: - - level1-server - - level1-workstation - - audit - - rule_4.3.1.4 - - ip6tables - vars: - warn_control_id: '4.3.1.4' - block: - - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -6tuln - changed_when: false - failed_when: false - check_mode: false - register: discovered_open_ports_list - - - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.shell: ip6tables -L INPUT -v -n - changed_when: false - failed_when: false - check_mode: false - register: discovered_current_iptables_rules - - - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn about settings" - ansible.builtin.debug: - msg: - - "Warning!! 
Below is the list the open ports and current rules" - - "Please create a rule for any open port that does not have a current rule" - - "Open Ports:" - - "{{ discovered_open_ports_list.stdout_lines }}" - - "Current Rules:" - - "{{ discovered_current_iptables_rules.stdout_lines }}" - - - name: "4.3.1.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Set warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - -# --------------- -# --------------- -# This is not a control however using the ip6tables module only writes to memery -# if a reboot occurs that means changes can revert. This task will make the -# above ip6tables settings permanent -# --------------- -# --------------- -# via handler -# - name: "Make IP6Tables persistent | Not a control" -# block: -# - name: "Make IP6Tables persistent | Install iptables-persistent" -# ansible.builtin.package: -# name: iptables-persistent -# state: present -# when: "'iptables-persistent' not in ansible_facts.packages" - -# - name: "Make IP6Tables persistent | Save to persistent files" -# ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" -# changed_when: ubtu22cis_ip6tables_save.rc == 0 -# failed_when: ubtu22cis_ip6tables_save.rc > 0 -# register: ubtu22cis_ip6tables_save -# when: -# - ubtu22cis_firewall_package == "iptables" -# - ubtu22cis_ipv6_required -# - not ubtu22cis_ipv4_required -# - ubtu22cis_save_iptables_cis_rules -# - ubtu22cis_rule_4_3_1_1 or -# ubtu22cis_rule_4_3_1_2 or -# ubtu22cis_rule_4_3_1_3 or -# ubtu22cis_rule_4_3_1_4 diff --git a/tasks/section_4/cis_4.3.2.x.yml b/tasks/section_4/cis_4.3.2.x.yml index fdd940c6..1b7364eb 100644 --- a/tasks/section_4/cis_4.3.2.x.yml +++ b/tasks/section_4/cis_4.3.2.x.yml @@ -11,6 +11,8 @@ - patch - rule_4.3.2.1 - iptables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 block: - name: "4.3.2.1 | PATCH | Ensure iptables default deny firewall policy | Configure SSH to be allowed in" ansible.builtin.iptables: 
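Review bot: The removed iptables/ip6tables tasks carried a comment block explaining that `ansible.builtin.iptables` changes are in-memory only and that persistence comes from the `Iptables persistent` / `Ip6tables persistent` handlers; that rationale is not visible in the hunks that tag the moved tasks in cis_4.3.2.x.yml and cis_4.3.3.x.yml, so if it was not carried across, a short comment such as `# iptables module changes are in-memory only; persistence is via the Iptables persistent handler` near the first `notify:` in each new file would keep the behaviour discoverable. The deleted 4.3.1.2 block also had a mislabelled task (`| OUTPUT loopback ACCEPT` on the rule that DROPs `127.0.0.0/8` on INPUT); worth confirming the label was corrected when the task moved to 4.3.2.2. Both points are inferred, since the bodies of the new files are outside this hunk.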
@@ -58,6 +60,8 @@ - patch - rule_4.3.2.2 - iptables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 block: - name: "4.3.2.2 | PATCH | Ensure iptables loopback traffic is configured | INPUT loopback ACCEPT" ansible.builtin.iptables: @@ -94,6 +98,8 @@ - patch - rule_4.3.2.3 - iptables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 ansible.builtin.iptables: action: append chain: '{{ item.chain }}' @@ -121,6 +127,8 @@ - audit - rule_4.3.2.4 - iptables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 vars: warn_control_id: '4.3.2.4' block: diff --git a/tasks/section_4/cis_4.3.3.x.yml b/tasks/section_4/cis_4.3.3.x.yml index 730ba293..130033e5 100644 --- a/tasks/section_4/cis_4.3.3.x.yml +++ b/tasks/section_4/cis_4.3.3.x.yml @@ -8,6 +8,8 @@ - patch - rule_4.3.3.1 - ip6tables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 block: - name: "4.3.3.1 | PATCH | Ensure ip6tables default deny firewall policy | Configure SSH to be allowed out" ansible.builtin.iptables: @@ -48,6 +50,8 @@ - patch - rule_4.3.3.2 - ip6tables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 block: - name: "4.3.3.2 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT loopback ACCEPT" ansible.builtin.iptables: @@ -86,6 +90,8 @@ - patch - rule_4.3.3.3 - ip6tables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 ansible.builtin.iptables: action: append chain: '{{ item.chain }}' @@ -113,6 +119,8 @@ - audit - rule_4.3.3.4 - ip6tables + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 vars: warn_control_id: '4.3.3.4' block: From ec278e4c3bb3792ad17662f24875aab4ea2af3e0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 27 Nov 2024 11:07:56 +0000 Subject: [PATCH 106/135] Added Nist Values 
Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 74 ++++++++++++++++++++++++++++++- tasks/section_5/cis_5.2.x.yml | 9 ++++ tasks/section_5/cis_5.3.1.x.yml | 3 ++ tasks/section_5/cis_5.3.2.x.yml | 4 ++ tasks/section_5/cis_5.3.3.1.x.yml | 3 ++ tasks/section_5/cis_5.3.3.2.x.yml | 8 ++++ tasks/section_5/cis_5.3.3.3.x.yml | 3 ++ tasks/section_5/cis_5.3.3.4.x.yml | 4 ++ tasks/section_5/cis_5.4.1.x.yml | 10 +++++ tasks/section_5/cis_5.4.2.x.yml | 31 +++++++++++++ tasks/section_5/cis_5.4.3.x.yml | 8 ++++ tasks/section_6/cis_6.1.x.yml | 3 ++ tasks/section_6/cis_6.2.1.1.x.yml | 18 ++++++++ tasks/section_6/cis_6.2.1.2.x.yml | 10 +++++ tasks/section_6/cis_6.2.2.yml | 2 + tasks/section_6/cis_6.3.1.x.yml | 13 ++++++ tasks/section_6/cis_6.3.2.x.yml | 10 +++++ tasks/section_6/cis_6.3.3.x.yml | 38 ++++++++++++++++ tasks/section_6/cis_6.3.4.x.yml | 14 ++++-- tasks/section_7/cis_7.1.x.yml | 31 +++++++++++++ tasks/section_7/cis_7.2.x.yml | 34 ++++++++++++++ 21 files changed, 326 insertions(+), 4 deletions(-) diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index dad495ac..ca07d4cd 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -8,6 +8,8 @@ - patch - rule_5.1.1 - ssh + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/ssh/sshd_config owner: root @@ -22,6 +24,8 @@ - patch - rule_5.1.2 - ssh + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 block: - name: "5.1.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find ssh_host private keys" ansible.builtin.find: @@ -48,6 +52,8 @@ - patch - rule_5.1.3 - ssh + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 block: - name: "5.1.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find ssh_host public keys" ansible.builtin.find: 
@@ -74,6 +80,8 @@ - patch - rule_5.1.4 - ssh + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 block: - name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed users" when: "ubtu22cis_sshd['allow_users']| default('') | length > 0 " @@ -119,6 +127,11 @@ - patch - rule_5.1.5 - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^Banner|^#Banner' @@ -135,6 +148,7 @@ - patch - rule_5.1.6 - ssh + - NIST800-53R5_SC-8 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^Ciphers|^#Ciphers' @@ -151,6 +165,11 @@ - patch - rule_5.1.7 - sshd + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "{{ item.regexp }}" @@ -169,6 +188,7 @@ - patch - rule_5.1.8 - ssh + - NIST800-53R5_CM-7 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^DisableForwarding|^#DisableForwarding' @@ -176,7 +196,7 @@ validate: 'sshd -t -f %s' notify: Restart sshd -- name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is is disabled" +- name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is is disabled" when: ubtu22cis_rule_5_1_9 tags: - level2-server @@ -184,6 +204,11 @@ - patch - rule_5.1.9 - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^(?i)GSSAPIAuthentication|^(?i)#GSSAPIAuthentication' @@ -199,6 +224,11 @@ - patch - rule_5.1.10 - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^HostbasedAuthentication|^#HostbasedAuthentication' 
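Review bot: The duplicated word in the 5.1.9 task name survives the rewrite: the removed and added lines both read `Ensure sshd GSSAPIAuthentication is is disabled`, so the change here looks like whitespace only, and the line should become `- name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"`. In the same file the 5.1.7 hunk keeps the tag `sshd` where every other task visible here carries `ssh`, which makes `--tags ssh` skip that control; `- ssh` would be consistent. The task bodies continue outside these hunks.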
@@ -214,6 +244,11 @@ - patch - rule_5.1.11 - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^IgnoreRhosts|^#IgnoreRhosts' @@ -229,6 +264,7 @@ - patch - rule_5.1.12 - ssh + - NIST800-53R5_SC-8 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^KexAlgorithms|^#KexAlgorithms' @@ -245,6 +281,7 @@ - patch - rule_5.1.13 - ssh + - NIST800-53R5_CM-6 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^LoginGraceTime|^#LoginGraceTime' @@ -261,6 +298,9 @@ - patch - rule_5.1.14 - ssh + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^LogLevel|^#LogLevel' @@ -277,6 +317,11 @@ - patch - rule_5.1.15 - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^MACs|^#MACs' @@ -293,6 +338,7 @@ - patch - rule_5.1.16 - ssh + - NIST800-53R5_AU-3 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^MaxAuthTries|^#MaxAuthTries' @@ -309,6 +355,11 @@ - patch - rule_5.1.17 - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^MaxSessions|^#MaxSessions' @@ -325,6 +376,11 @@ - patch - rule_5.1.18 - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^MaxStartups|^#MaxStartups' @@ -340,6 +396,11 @@ - patch - rule_5.1.19 - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^PermitEmptyPasswords|^#PermitEmptyPasswords' 
@@ -356,6 +417,7 @@ - patch - rule_5.1.20 - ssh + - NIST800-53R5_AC-6 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^PermitRootLogin|^#PermitRootLogin' @@ -371,6 +433,11 @@ - patch - rule_5.1.21 - ssh + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^PermitUserEnvironment|^#PermitUserEnvironment' @@ -387,6 +454,11 @@ - rule_5.1.22 - ssh - pam + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^UsePAM|^#UsePAM' diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 27cdb15e..df8124db 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -8,6 +8,7 @@ - patch - rule_5.2.1 - sudo + - NIST800-53R5_AC-6 ansible.builtin.package: name: "{{ ubtu22cis_sudo_package }}" state: present @@ -20,6 +21,7 @@ - patch - rule_5.2.2 - sudo + - NIST800-53R5_AC-6 ansible.builtin.lineinfile: path: /etc/sudoers regexp: '^Defaults\s+use_' @@ -34,6 +36,8 @@ - patch - rule_5.2.3 - sudo + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 ansible.builtin.lineinfile: path: /etc/sudoers regexp: '^Defaults\s+logfile' @@ -48,6 +52,7 @@ - patch - sudo - rule_5.2.4 + - NIST800-53R5_AC-6 ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' @@ -63,6 +68,7 @@ - patch - sudo - rule_5.2.5 + - NIST800-53R5_AC-6 ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#].*)!authenticate(.*)' @@ -78,6 +84,7 @@ - patch - sudo - rule_5.2.6 + - NIST800-53R5_AC-6 block: - name: "5.2.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set" ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort 
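Review bot: The `regexp` shown in the 5.2.4 hunk of cis_5.2.x.yml does not express what its template suggests: `[^#|{% if system_is_ec2 %}ec2-user{% endif %}]` is a character class, so on an EC2 host it renders as `[^#|ec2-user]` and skips any sudoers line whose first character is one of `#`, `|`, `e`, `c`, `2`, `-`, `u`, `s` or `r` rather than the ec2-user entry, while elsewhere the `|` is just a literal class member. If the intent is to leave comments and, on EC2, the ec2-user entry untouched, a lookahead states that directly: `regexp: '^(?!#){% if system_is_ec2 %}(?!ec2-user){% endif %}(.*)NOPASSWD(.*)'`. The `replace:` value and loop for this task are outside the hunk, so the capture-group numbering should be checked against them.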
@@ -111,6 +118,8 @@ - patch - sudo - rule_5.2.7 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 block: - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists" ansible.builtin.group: diff --git a/tasks/section_5/cis_5.3.1.x.yml b/tasks/section_5/cis_5.3.1.x.yml index 44d6a479..197e92f1 100644 --- a/tasks/section_5/cis_5.3.1.x.yml +++ b/tasks/section_5/cis_5.3.1.x.yml @@ -11,6 +11,7 @@ - patch - pam - rule_5.3.1.1 + - NIST800-53R5_NA ansible.builtin.package: name: libpam-runtime state: latest @@ -26,6 +27,7 @@ - patch - pam - rule_5.3.1.2 + - NIST800-53R5_NA ansible.builtin.package: name: libpam-modules state: latest @@ -40,6 +42,7 @@ - patch - pam - rule_5.3.1.3 + - NIST800-53R5_NA ansible.builtin.package: name: libpam-pwquality state: latest diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 7b3110dc..b11d6812 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -13,6 +13,7 @@ - rule_5.3.2.1 - Pam_auth_update - pam_unix + - NIST800-53R5_IA-5 ansible.builtin.template: src: "{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}.j2" dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" @@ -34,6 +35,7 @@ - rule_5.3.2.2 - Pam_auth_update - pam_faillock + - NIST800-53R5_NA ansible.builtin.template: src: "{{ ubtu22cis_pam_confd_dir }}{{ item }}.j2" dest: "/{{ ubtu22cis_pam_confd_dir }}{{ item }}" @@ -59,6 +61,7 @@ - rule_5.3.2.3 - Pam_auth_update - pam_quality + - NIST800-53R5_NA ansible.builtin.template: src: "{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwquality_file }}.j2" dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwquality_file }}" @@ -79,6 +82,7 @@ - rule_5.3.2.4 - Pam_auth_update - pam_history + - NIST800-53R5_NA ansible.builtin.template: src: "{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}.j2" dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" 
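Review bot: `NIST800-53R5_NA`, first added in the 5.3.1.1 hunk of cis_5.3.1.x.yml and repeated in the 5.3.2.x, 5.3.3.1.x, 5.3.3.4.x, 5.4.1.x, 5.4.2.x, 5.4.3.x, 6.1.x, 6.3.2.x, 6.3.3.x and 7.2.x files, is a selectable tag, so `--tags NIST800-53R5_NA` runs exactly the controls that have no NIST mapping, which is unlikely to be what an operator wants. Tasks without a mapping would more naturally carry no `NIST800-53R5_*` tag at all; if the marker is kept deliberately, its meaning should be recorded once, for example a comment above the first such tag, `# NIST800-53R5_NA: no NIST 800-53 R5 control maps to this CIS item`, or a line in the README describing the tag scheme.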
diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml index a97f5cf6..052bb9a9 100644 --- a/tasks/section_5/cis_5.3.3.1.x.yml +++ b/tasks/section_5/cis_5.3.3.1.x.yml @@ -9,6 +9,7 @@ - patch - rule_5.3.3.1.1 - pam + - NIST800-53R5_NA block: - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured | configure faillock.conf" ansible.builtin.lineinfile: @@ -43,6 +44,7 @@ - patch - rule_5.3.3.1.2 - pam + - NIST800-53R5_NA block: - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured | configure faillock.conf" ansible.builtin.lineinfile: @@ -77,6 +79,7 @@ - patch - rule_5.3.3.1.3 - pam + - NIST800-53R5_NA block: - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | configure faillock.conf" ansible.builtin.lineinfile: diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml index 99afc8ac..6bf35231 100644 --- a/tasks/section_5/cis_5.3.3.2.x.yml +++ b/tasks/section_5/cis_5.3.3.2.x.yml @@ -9,6 +9,7 @@ - patch - rule_5.3.3.2.1 - pam + - NIST800-53R5_IA-5 block: - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from conf files except expected file" when: @@ -39,6 +40,7 @@ - patch - rule_5.3.3.2.2 - pam + - NIST800-53R5_IA-5 block: - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from conf files except expected file" when: @@ -69,6 +71,7 @@ - patch - rule_5.3.3.2.3 - pam + - NIST800-53R5_IA-5 block: - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove pwd complex settings from conf files except expected file" when: @@ -99,6 +102,7 @@ - patch - rule_5.3.3.2.4 - pam + - NIST800-53R5_IA-5 block: - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file" when: 
@@ -129,6 +133,7 @@ - patch - rule_5.3.3.2.5 - pam + - NIST800-53R5_IA-5 block: - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence settings from conf files except expected file" when: @@ -159,6 +164,7 @@ - patch - rule_5.3.3.2.6 - pam + - NIST800-53R5_IA-5 block: - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file" when: @@ -189,6 +195,7 @@ - patch - rule_5.3.3.2.7 - pam + - NIST800-53R5_IA-5 block: - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced | Remove quality enforcement settings from conf files except expected file" when: @@ -219,6 +226,7 @@ - patch - rule_5.3.3.2.8 - pam + - NIST800-53R5_IA-5 ansible.builtin.template: src: "{{ ubtu22cis_passwd_quality_enforce_root_file }}.j2" dest: "/{{ ubtu22cis_passwd_quality_enforce_root_file }}" diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml index ec2d9989..12d82390 100644 --- a/tasks/section_5/cis_5.3.3.3.x.yml +++ b/tasks/section_5/cis_5.3.3.3.x.yml @@ -10,6 +10,7 @@ - patch - rule_5.3.3.3.1 - pam + - NIST800-53R5_IA-5 block: - name: "5.3.3.3.1 | AUDIT | Ensure password history remember is configured | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?remember=\d+\b' /etc/pam.d/common-password @@ -36,6 +37,7 @@ - patch - rule_5.3.3.3.2 - pam + - NIST800-53R5_IA-5 block: - name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/common-password 
@@ -62,6 +64,7 @@ - patch - rule_5.3.3.3.2 - pam + - NIST800-53R5_IA-5 block: - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml index 6dae89ca..5dcfa8e7 100644 --- a/tasks/section_5/cis_5.3.3.4.x.yml +++ b/tasks/section_5/cis_5.3.3.4.x.yml @@ -10,6 +10,7 @@ - patch - rule_5.3.3.4.1 - pam + - NIST800-53R5_NA block: - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | capture state" ansible.builtin.shell: grep -E "pam_unix.so.*nullok" /etc/pam.d/common-* /usr/share/pam-configs/* | cut -d ':' -f1 | uniq @@ -35,6 +36,7 @@ - patch - pam - rule_5.3.3.4.2 + - NIST800-53R5_NA block: - name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state" ansible.builtin.shell: grep -PH -- '^\h*^\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/common-{password,auth,account,session,session-noninteractive} | grep -Pv -- '\bremember=\d\b' @@ -59,6 +61,7 @@ - patch - pam - rule_5.3.3.4.3 + - NIST800-53R5_IA-5 block: - name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state" ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?("{{ ubtu22cis_passwd_hash_algo }}")\b' /etc/pam.d/common-password @@ -83,6 +86,7 @@ - patch - pam - rule_5.3.3.4.4 + - NIST800-53R5_IA-5 block: - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state" ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/common-password diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 0f015b39..20712f06 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml 
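Review bot: The tag list the 5.3.3.3.3 hunk extends still carries `rule_5.3.3.3.2`, the id of the previous task, so `--tags rule_5.3.3.3.2` runs both tasks and 5.3.3.3.3 cannot be selected on its own; it should read `- rule_5.3.3.3.3`. The same slip is visible in cis_7.2.x.yml, where the 7.2.4 hunk (the one with `warn_control_id: '7.2.4'`) is tagged `rule_6.2.4` and should be `- rule_7.2.4`. Since the commit is editing exactly these tag lists, both are worth correcting here; the `when:` lines that pair with the rule tags are outside the hunks.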
@@ -10,6 +10,11 @@ - rule_5.4.1.1 - user - login + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set /etc/login.defs PASS_MAX_DAYS" ansible.builtin.lineinfile: @@ -43,6 +48,7 @@ - rule_5.4.1.2 - user - login + - NIST800-53R5_NA block: - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Set /etc/login.defs PASS_MIN_DAYS" ansible.builtin.lineinfile: @@ -75,6 +81,7 @@ - rule_5.4.1.3 - user - login + - NIST800-53R5_NA block: - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set /etc/login.defs PASS_WARN_AGE" ansible.builtin.lineinfile: @@ -106,6 +113,7 @@ - patch - rule_5.4.1.4 - pam + - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^ENCRYPT_METHOD' @@ -121,6 +129,7 @@ - rule_5.4.1.5 - user - login + - NIST800-53R5_NA block: - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | General setting" ansible.builtin.shell: useradd -D | grep INACTIVE | cut -d= -f2 @@ -159,6 +168,7 @@ - rule_5.4.1.6 - user - login + - NIST800-53R5_NA vars: warn_control_id: '5.4.1.6' block: diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index dc344775..adaa8ea3 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -12,6 +12,11 @@ - accounts - users - rule_5.4.2.1 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.builtin.shell: passwd -l {{ item }} changed_when: false failed_when: false 
@@ -28,6 +33,11 @@ - rule_5.4.2.2 - user - system + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - name: "5.4.2.2 | AUDIT | Ensure root is the only GID 0 account | Get members of gid 0" ansible.builtin.shell: "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4==\"0\") {print $1}' /etc/passwd | grep -wv 'root'" @@ -56,6 +66,11 @@ - rule_5.4.2.3 - user - system + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group | Get groups with gid 0" ansible.builtin.shell: "awk -F: '$3==\"0\"{print $1}' /etc/group | grep -vw 'root'" @@ -90,6 +105,7 @@ - patch - shadow_suite - rule_5.4.2.4 + - NIST800-53R5_NA ansible.builtin.debug: msg: "This is set as an assert in tasks/main" @@ -102,6 +118,11 @@ - patch - paths - rule_5.4.2.5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 block: - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Get root paths" ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 @@ -168,6 +189,8 @@ - patch - shadow_suite - rule_5.4.2.6 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.lineinfile: path: /root/.bash_profile regexp: \s*umask @@ -186,6 +209,10 @@ - patch - shadow_suite - rule_5.4.2.7 + - NIST800-53R5_AC-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_AC-11 + - NIST800-53R5_MP-2 ansible.builtin.user: name: "{{ item.id }}" shell: /usr/sbin/nologin @@ -205,6 +232,10 @@ - patch - shadow_suite - rule_5.4.2.8 + - NIST800-53R5_AC-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_AC-11 + - NIST800-53R5_MP-2 ansible.builtin.user: name: "{{ item.id }}" password_lock: true diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml index 3213a749..b2b1f73d 100644 --- a/tasks/section_5/cis_5.4.3.x.yml +++ b/tasks/section_5/cis_5.4.3.x.yml 
@@ -9,6 +9,11 @@ - patch - shells - rule_5.4.3.1 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 ansible.builtin.replace: path: /etc/shells regexp: nologin @@ -23,6 +28,7 @@ - patch - shell - rule_5.4.3.2 + - NIST800-53R5_NA ansible.builtin.blockinfile: path: "{{ item.path }}" state: "{{ item.state }}" @@ -46,6 +52,8 @@ - patch - umask - rule_5.4.3.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.replace: path: "{{ item.path }}" regexp: (?i)(umask\s+\d\d\d) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 12bcb163..5b2c4ca0 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -10,6 +10,7 @@ - patch - rule_6.1.1 - aide + - NIST800-53R5_AU-2 block: - name: "6.1.1 | PATCH | Ensure AIDE is installed" when: @@ -71,6 +72,7 @@ - rule_6.1.2 - cron - aide + - NIST800-53R5_NA block: - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | cron" when: ubtu22cis_aide_scan == 'cron' @@ -117,6 +119,7 @@ - file_integrity - patch - rule_6.1.3 + - NIST800-53R5_NA ansible.builtin.blockinfile: path: /etc/aide/aide.conf marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown" diff --git a/tasks/section_6/cis_6.2.1.1.x.yml b/tasks/section_6/cis_6.2.1.1.x.yml index 2e07b158..d78a0ba8 100644 --- a/tasks/section_6/cis_6.2.1.1.x.yml +++ b/tasks/section_6/cis_6.2.1.1.x.yml @@ -8,6 +8,9 @@ - audit - journald - rule_6.2.1.1.1 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 ansible.builtin.systemd: name: systemd-journald.service masked: false @@ -21,6 +24,11 @@ - audit - journald - rule_6.2.1.1.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_MP-2 + - NIST800-53R5_SI-5 block: - name: "6.2.1.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions" ansible.builtin.file: 
@@ -63,6 +71,9 @@ - patch - journald - rule_6.2.1.1.3 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 block: - name: "6.2.1.1.3 | PATCH | Ensure journald log file rotation is configured | Add file" ansible.builtin.template: @@ -94,6 +105,10 @@ - patch - journald - rule_6.2.1.1.4 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-6 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 block: - name: "6.2.1.1.4 | PATCH | Ensure journald ForwardToSyslog is disabled | Add file" ansible.builtin.template: @@ -119,6 +134,8 @@ - patch - journald - rule_6.2.1.1.5 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 block: - name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured | Add file" ansible.builtin.template: @@ -144,6 +161,7 @@ - patch - journald - rule_6.2.1.1.6 + - NIST800-53R5_AU-4 block: - name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured | Add file" ansible.builtin.template: diff --git a/tasks/section_6/cis_6.2.1.2.x.yml b/tasks/section_6/cis_6.2.1.2.x.yml index 06b4068a..6211baa6 100644 --- a/tasks/section_6/cis_6.2.1.2.x.yml +++ b/tasks/section_6/cis_6.2.1.2.x.yml @@ -10,6 +10,9 @@ - patch - journald - rule_6.2.1.2.1 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 ansible.builtin.package: name: systemd-journal-remote state: present @@ -24,6 +27,8 @@ - patch - journald - rule_6.2.1.2.2 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 ansible.builtin.lineinfile: path: /etc/systemd/journal-upload.conf regexp: "{{ item.regexp }}" @@ -45,6 +50,8 @@ - patch - journald - rule_6.2.1.2.3 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 ansible.builtin.systemd: name: systemd-journal-upload masked: false @@ -60,6 +67,9 @@ - patch - journald - rule_6.2.1.2.4 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 ansible.builtin.systemd: name: "{{ item }}" state: stopped diff --git a/tasks/section_6/cis_6.2.2.yml b/tasks/section_6/cis_6.2.2.yml index bba4f364..100571e9 100644 --- a/tasks/section_6/cis_6.2.2.yml 
+++ b/tasks/section_6/cis_6.2.2.yml @@ -9,6 +9,8 @@ - patch - logfiles - rule_6.2.2.1 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 block: - name: "6.2.2.1 | AUDIT | Ensure access to all logfiles has been configured | find files" ansible.builtin.shell: find /var/log/ -type f -exec ls {} \; diff --git a/tasks/section_6/cis_6.3.1.x.yml b/tasks/section_6/cis_6.3.1.x.yml index 22de8f3a..04576ea6 100644 --- a/tasks/section_6/cis_6.3.1.x.yml +++ b/tasks/section_6/cis_6.3.1.x.yml @@ -8,6 +8,10 @@ - patch - rule_6.3.1.1 - auditd + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 ansible.builtin.package: name: ['auditd', 'audispd-plugins'] state: present @@ -20,6 +24,9 @@ - patch - rule_6.3.1.2 - auditd + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 ansible.builtin.service: name: auditd state: started @@ -34,6 +41,9 @@ - patch - rule_6.3.1.3 - auditd + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 block: - name: "6.3.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' @@ -68,6 +78,9 @@ - patch - rule_6.3.1.4 - auditd + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 block: - name: "6.3.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Get current GRUB_CMDLINE_LINUX" ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"' diff --git a/tasks/section_6/cis_6.3.2.x.yml b/tasks/section_6/cis_6.3.2.x.yml index aee59748..e3afc759 100644 --- a/tasks/section_6/cis_6.3.2.x.yml +++ b/tasks/section_6/cis_6.3.2.x.yml @@ -8,6 +8,7 @@ - patch - rule_6.3.2.1 - auditd + - NIST800-53R5_NA ansible.builtin.lineinfile: dest: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" @@ -23,6 +24,7 @@ - patch - rule_6.3.2.2 - auditd + - NIST800-53R5_AU-8 ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: '^max_log_file_action' 
@@ -37,6 +39,10 @@ - patch - rule_6.3.2.3 - auditd + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-8 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" @@ -55,6 +61,10 @@ - patch - auditd - rule_6.3.2.4 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-8 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml index 62fd44a2..5c014389 100644 --- a/tasks/section_6/cis_6.3.3.x.yml +++ b/tasks/section_6/cis_6.3.3.x.yml @@ -8,6 +8,7 @@ - patch - rule_6.3.3.1 - auditd + - NIST800-53R5_AU-3 ansible.builtin.set_fact: update_audit_template: true @@ -19,6 +20,7 @@ - patch - rule_6.3.3.2 - auditd + - NIST800-53R5_AU-3 ansible.builtin.set_fact: update_audit_template: true @@ -30,6 +32,7 @@ - patch - rule_6.3.3.3 - auditd + - NIST800-53R5_NA ansible.builtin.set_fact: update_audit_template: true @@ -41,6 +44,8 @@ - patch - rule_6.3.3.4 - auditd + - NIST800-53R5_AU-3 + - NIST800-53R5_CM-6 ansible.builtin.set_fact: update_audit_template: true @@ -52,6 +57,8 @@ - patch - rule_6.3.3.5 - auditd + - NIST800-53R5_AU-3 + - NIST800-53R5_CM-6 ansible.builtin.set_fact: update_audit_template: true @@ -63,6 +70,7 @@ - patch - rule_6.3.3.6 - auditd + - NIST800-53R5_AU-3 block: - name: "6.3.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done @@ -82,6 +90,7 @@ - patch - rule_6.3.3.7 - auditd + - NIST800-53R5_AU-3 ansible.builtin.set_fact: update_audit_template: true @@ -93,6 +102,7 @@ - patch - rule_6.3.3.8 - auditd + - NIST800-53R5_AU-3 ansible.builtin.set_fact: update_audit_template: true 
@@ -104,6 +114,8 @@ - patch - rule_6.3.3.9 - auditd + - NIST800-53R5_AU-3 + - NIST800-53R5_CM-6 ansible.builtin.set_fact: update_audit_template: true @@ -115,6 +127,7 @@ - patch - rule_6.3.3.10 - auditd + - NIST800-53R5_CM-6 ansible.builtin.set_fact: update_audit_template: true @@ -126,6 +139,7 @@ - patch - rule_6.3.3.11 - auditd + - NIST800-53R5_AU-3 ansible.builtin.set_fact: update_audit_template: true @@ -137,6 +151,7 @@ - patch - rule_6.3.3.12 - auditd + - NIST800-53R5_AU-3 ansible.builtin.set_fact: update_audit_template: true @@ -148,6 +163,8 @@ - patch - rule_6.3.3.13 - auditd + - NIST800-53R5_AU-12 + - NIST800-53R5_SC-7 ansible.builtin.set_fact: update_audit_template: true @@ -159,6 +176,8 @@ - patch - rule_6.3.3.14 - auditd + - NIST800-53R5_AU-3 + - NIST800-53R5_CM-6 ansible.builtin.set_fact: update_audit_template: true @@ -170,6 +189,9 @@ - patch - rule_6.3.3.15 - auditd + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 ansible.builtin.set_fact: update_audit_template: true @@ -181,6 +203,9 @@ - patch - rule_6.3.3.16 - auditd + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 ansible.builtin.set_fact: update_audit_template: true @@ -192,6 +217,9 @@ - patch - rule_6.3.3.17 - auditd + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 ansible.builtin.set_fact: update_audit_template: true @@ -203,6 +231,9 @@ - patch - rule_6.3.3.18 - auditd + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 ansible.builtin.set_fact: update_audit_template: true @@ -214,6 +245,8 @@ - patch - rule_6.3.3.19 - auditd + - NIST800-53R5_AU-3 + - NIST800-53R5_CM-6 ansible.builtin.set_fact: update_audit_template: true @@ -225,6 +258,10 @@ - patch - rule_6.3.3.20 - auditd + - NIST800-53R5_AC-3 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + - NIST800-53R5_MP-2 ansible.builtin.set_fact: update_audit_template: true 
@@ -237,5 +274,6 @@ - patch - rule_6.3.3.21 - auditd + - NIST800-53R5_AU-3 ansible.builtin.shell: augenrules --check changed_when: false diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml index c6a2a66f..be1d22be 100644 --- a/tasks/section_6/cis_6.3.4.x.yml +++ b/tasks/section_6/cis_6.3.4.x.yml @@ -16,11 +16,12 @@ - rule_6.3.4.1 - rule_6.3.4.2 - rule_6.3.4.3 + - NIST800-53R5_AU-3 ansible.builtin.file: path: "{{ prelim_auditd_logfile.stdout }}" owner: root group: root - mode: u-x,g-wx,o-rwx + mode: 'u-x,g-wx,o-rwx' - name: "6.3.4.4 | PATCH | Ensure the audit log file directory mode is configured" when: ubtu22cis_rule_6_3_4_4 @@ -30,6 +31,7 @@ - patch - auditd - rule_6.3.4.4 + - NIST800-53R5_AU-3 block: - name: "6.3.4.4 | AUDIT | Ensure the audit log file directory mode is configured | get current permissions" ansible.builtin.stat: @@ -40,7 +42,7 @@ ansible.builtin.file: path: "{{ discovered_auditlog_dir.stat.path }}" state: directory - mode: g-w,o-rwx + mode: 'g-w,o-rwx' - name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured" when: ubtu22cis_rule_6_3_4_5 @@ -50,9 +52,10 @@ - patch - auditd - rule_6.3.4.5 + - NIST800-53R5_AU-3 ansible.builtin.file: path: "{{ item.path }}" - mode: u-x,g-wx,o-rwx + mode: 'u-x,g-wx,o-rwx' loop: "{{ prelim_auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" @@ -65,6 +68,7 @@ - patch - auditd - rule_6.3.4.6 + - NIST800-53R5_AU-3 ansible.builtin.file: path: "{{ item.path }}" owner: root @@ -80,6 +84,7 @@ - patch - auditd - rule_6.3.4.7 + - NIST800-53R5_AU-3 ansible.builtin.file: path: "{{ item.path }}" group: root @@ -95,6 +100,7 @@ - patch - auditd - rule_6.3.4.8 + - NIST800-53R5_AU-3 ansible.builtin.file: path: "{{ item }}" mode: 'g-w,o-rwx' @@ -114,6 +120,7 @@ - patch - auditd - rule_6.3.4.9 + - NIST800-53R5_AU-3 ansible.builtin.file: path: "{{ item }}" owner: root 
@@ -134,6 +141,7 @@ - patch - auditd - rule_6.3.4.10 + - NIST800-53R5_AU-3 ansible.builtin.file: path: "{{ item }}" group: root diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 67d1c334..083aad30 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -8,6 +8,8 @@ - patch - permissions - rule_7.1.1 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/passwd owner: root @@ -22,6 +24,8 @@ - patch - permissions - rule_7.1.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/passwd- owner: root @@ -38,6 +42,8 @@ - patch - permissions - rule_7.1.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/group owner: root @@ -52,6 +58,8 @@ - patch - permissionss - rule_7.1.4 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/group- owner: root @@ -68,6 +76,8 @@ - patch - permissions - rule_7.1.5 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/shadow owner: root @@ -82,6 +92,8 @@ - patch - permissions - rule_7.1.6 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/shadow- owner: root @@ -98,6 +110,8 @@ - patch - permissions - rule_7.1.7 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/gshadow owner: root @@ -112,6 +126,8 @@ - patch - permissions - rule_7.1.8 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/gshadow- owner: root @@ -128,6 +144,8 @@ - patch - permissions - rule_7.1.9 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/shells owner: root @@ -142,6 +160,8 @@ - patch - permissions - rule_7.1.10 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: "{{ item }}" owner: root 
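Review bot: The 7.1.4 hunk in cis_7.1.x.yml keeps the misspelt tag `permissionss` while every other task in the file uses `permissions`, so `--tags permissions` would skip the /etc/group- control; the line should be `- permissions`. The task's `when:` and the rest of its `ansible.builtin.file` arguments are outside the hunk.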
@@ -162,6 +182,8 @@ - files - permissions - rule_7.1.11 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 block: - name: "7.1.11 | AUDIT | Ensure world writable files and directories are secured | Get list of world-writable files" ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 @@ -192,6 +214,8 @@ - patch - rule_7.1.12 - permissions + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 vars: warn_control_id: '7.1.12' block: @@ -245,6 +269,13 @@ - audit - rule_7.1.13 - permissions + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 vars: warn_control_id: '7.1.13' block: diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index 828e1f6d..fad7f6f6 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -8,6 +8,7 @@ - audit - rule_7.2.1 - user_accounts + - NIST800-53R5_IA-5 vars: warn_control_id: '7.2.1' block: @@ -38,6 +39,7 @@ - rule_7.2.2 - user - permissions + - NIST800-53R5_IA-5 block: - name: "7.2.2 | AUDIT | Ensure /etc/shadow password fields are not empty | Find users with no password" ansible.builtin.shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow @@ -61,6 +63,11 @@ - audit - rule_7.2.3 - groups + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 vars: warn_control_id: '7.2.3' block: @@ -89,6 +96,7 @@ - patch - rule_6.2.4 - user + - NIST800-53R5_IA-5 vars: warn_control_id: '7.2.4' block: @@ -116,6 +124,11 @@ - audit - rule_7.2.5 - user + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 vars: warn_control_id: '7.2.5' block: @@ -144,6 +157,11 @@ - audit - rule_7.2.6 - groups + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 vars: warn_control_id: '7.2.6' block: 
@@ -172,6 +190,11 @@
- audit
- rule_7.2.7
- user
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
vars:
warn_control_id: '7.2.7'
block:
@@ -200,6 +223,11 @@
- audit
- rule_7.2.8
- groups
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
vars:
warn_control_id: '7.2.8'
block:
@@ -228,6 +256,7 @@
- patch
- users
- rule_7.2.9
+ - NIST800-53R5_NA
block:
- name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent"
ansible.builtin.file:
@@ -270,6 +299,11 @@
- patch
- rule_7.2.10
- user
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
vars:
warn_control_id: '7.2.10'
block:
From 813df1188f695d5c9915478341ebd2c9abed1335 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 28 Nov 2024 13:49:30 +0000
Subject: [PATCH 107/135] Updated titles #256 thanks to @bgro
Signed-off-by: Mark Bolwell
---
tasks/section_1/cis_1.5.x.yml | 2 +-
tasks/section_1/cis_1.6.x.yml | 6 +++---
tasks/section_1/cis_1.7.x.yml | 6 +++---
tasks/section_2/cis_2.1.x.yml | 16 ++++++++--------
tasks/section_2/cis_2.2.x.yml | 2 +-
tasks/section_2/cis_2.4.1.x.yml | 12 ++++++------
tasks/section_4/cis_4.1.x.yml | 10 +++++-----
tasks/section_5/cis_5.1.x.yml | 24 ++++++++++++------------
tasks/section_5/cis_5.2.x.yml | 2 +-
tasks/section_5/cis_5.3.3.2.x.yml | 2 +-
tasks/section_6/cis_6.1.x.yml | 3 +--
tasks/section_6/cis_6.2.1.2.x.yml | 2 +-
tasks/section_6/cis_6.3.3.x.yml | 6 +++---
13 files changed, 46 insertions(+), 47 deletions(-)
diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml
index 4e53e1fb..8893265c 100644
--- a/tasks/section_1/cis_1.5.x.yml
+++ b/tasks/section_1/cis_1.5.x.yml
@@ -1,6 +1,6 @@
---
-- name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter"
+- name: "1.5.1 | PATCH | Ensure address space layout randomization is enabled | Set active kernel parameter"
when: ubtu22cis_rule_1_5_1
tags:
- level1-server
diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml
index 2134f75d..6ea392db 100644
--- a/tasks/section_1/cis_1.6.x.yml
+++ b/tasks/section_1/cis_1.6.x.yml
@@ -71,7 +71,7 @@
community.general.dpkg_divert:
path: /etc/issue.net
-- name: "1.6.4 | PATCH | Ensure permissions on /etc/motd are configured"
+- name: "1.6.4 | PATCH | Ensure access to /etc/motd is configured"
when: ubtu22cis_rule_1_6_4
tags:
- level1-server
@@ -88,7 +88,7 @@
group: root
mode: 'u-x,go-wx'
-- name: "1.6.5 | PATCH | Ensure permissions on /etc/issue are configured"
+- name: "1.6.5 | PATCH | Ensure access to /etc/issue is configured"
when: ubtu22cis_rule_1_6_5
tags:
- level1-server
@@ -105,7 +105,7 @@
group: root
mode: 'u-x,go-wx'
-- name: "1.6.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
+- name: "1.6.6 | PATCH | Ensure access to /etc/issue.net is configured"
when: ubtu22cis_rule_1_6_6
tags:
- level1-server
diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml
index f1381b1a..7c78788f 100644
--- a/tasks/section_1/cis_1.7.x.yml
+++ b/tasks/section_1/cis_1.7.x.yml
@@ -1,6 +1,6 @@
---
-- name: "1.7.1 | PATCH | Ensure GNOME Display Manager is removed"
+- name: "1.7.1 | PATCH | Ensure GDM is removed"
when:
- ubtu22cis_rule_1_7_1
- not ubtu22cis_desktop_required
@@ -56,7 +56,7 @@
- { regexp: 'banner-message-text', line: "banner-message-text='{{ ubtu22cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: 'banner-message-enable' }
notify: Update dconf
-- name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled"
+- name: "1.7.3 | PATCH | Ensure GDM disable-user-list option is enabled"
when:
- ubtu22cis_rule_1_7_3
- ubtu22cis_desktop_required
@@ -72,7 +72,7 @@
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | make directories"
+ - name: "1.7.3 | PATCH | Ensure GDM disable-user-list option is enabled | make directories"
ansible.builtin.file:
path: "{{ item }}"
owner: root
diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml
index db315764..c15fe386 100644
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@@ -134,7 +134,7 @@
masked: true
notify: Systemd_daemon_reload
-- name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
+- name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use"
when: ubtu22cis_rule_2_1_5
tags:
- level1-server
@@ -144,7 +144,7 @@
- rule_2.1.5
- NIST800-53R5_CM-7
block:
- - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Remove package"
+ - name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Remove package"
when:
- "'dnsmasq' in ansible_facts.packages"
- not ubtu22cis_dnsmasq_server
@@ -154,7 +154,7 @@
state: absent
purge: "{{ ubtu22cis_purge_apt }}"
- - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use | Mask service"
+ - name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Mask service"
when:
- not ubtu22cis_dnsmasq_server
- ubtu22cis_dnsmasq_mask
@@ -664,7 +664,7 @@
state: absent
purge: "{{ ubtu22cis_purge_apt }}"
-- name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode"
+- name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode"
when:
- not ubtu22cis_is_mail_server
- ubtu22cis_rule_2_1_21
@@ -678,7 +678,7 @@
vars:
warn_control_id: '2.2.21'
block:
- - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if exim4 installed"
+ - name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed"
when: "'exim4' in ansible_facts.packages"
ansible.builtin.lineinfile:
path: /etc/exim4/update-exim4.conf.conf
@@ -698,7 +698,7 @@
- { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" }
notify: Restart exim4
- - name: "2.1.21 | PATCH | Ensure mail transfer agents are configured for local-only mode | Make changes if postfix is installed"
+ - name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if postfix is installed"
when: "'postfix' in ansible_facts.packages"
notify: Restart postfix
ansible.builtin.lineinfile:
@@ -706,7 +706,7 @@
regexp: '^(#)?inet_interfaces'
line: 'inet_interfaces = loopback-only'
- - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | Message out other main agents"
+ - name: "2.1.21 | WARN | Ensure mail transfer agent is configured for local-only mode | Message out other main agents"
when:
- "'exim4' not in ansible_facts.packages"
- "'postfix' not in ansible_facts.packages"
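Review bot: `warn_control_id: '2.2.21'` in hunk `@@ -678,7 +678,7 @@` of tasks/section_2/cis_2.1.x.yml does not match the control this task implements, 2.1.21, so whatever consumes warn_control_id (presumably the warn_count sub-task visible in the next hunk) records the warning under the wrong control. The commit only rewords the titles around it; the vars line should read `warn_control_id: '2.1.21'`. The enclosing task begins in the preceding hunk and its block runs past this one.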
@@ -715,7 +715,7 @@
- "Warning!! You are not using either exim4 or postfix, please ensure mail services set for local only mode"
- "Please review your vendors documentation to configure local-only mode"
- - name: "2.1.21 | WARN | Ensure mail transfer agents are configured for local-only mode | warn_count"
+ - name: "2.1.21 | WARN | Ensure mail transfer agent is configured for local-only mode | warn_count"
when:
- "'exim4' not in ansible_facts.packages"
- "'postfix' not in ansible_facts.packages"
diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml
index 076bd4b2..7bcc9098 100644
--- a/tasks/section_2/cis_2.2.x.yml
+++ b/tasks/section_2/cis_2.2.x.yml
@@ -81,7 +81,7 @@
state: absent
purge: "{{ ubtu22cis_purge_apt }}"
-- name: "2.2.6 | PATCH | Ensure ftp is not installed"
+- name: "2.2.6 | PATCH | Ensure ftp client is not installed"
when:
- ubtu22cis_rule_2_2_6
- not ubtu22cis_ftp_client
diff --git a/tasks/section_2/cis_2.4.1.x.yml b/tasks/section_2/cis_2.4.1.x.yml
index 7aed3c88..17d594bf 100644
--- a/tasks/section_2/cis_2.4.1.x.yml
+++ b/tasks/section_2/cis_2.4.1.x.yml
@@ -1,6 +1,6 @@
---
-- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and running"
+- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and active"
when: ubtu22cis_rule_2_4_1_1
tags:
- level1-server
@@ -119,7 +119,7 @@
mode: '0700'
state: directory
-- name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users"
+- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users"
when: ubtu22cis_rule_2_4_1_8
tags:
- level1-server
@@ -130,17 +130,17 @@
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
block:
- - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny"
+ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Remove cron.deny"
ansible.builtin.file:
path: /etc/cron.deny
state: absent
- - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Check for cron.allow"
+ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Check for cron.allow"
ansible.builtin.stat:
path: /etc/cron.allow
register: ubtu22cis_2_4_1_8_status
- - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Create cron.allow if doesn't exist"
+ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Create cron.allow if doesn't exist"
when: not ubtu22cis_2_4_1_8_status.stat.exists
ansible.builtin.file:
path: /etc/cron.allow
@@ -149,7 +149,7 @@
mode: 'u-x,g-wx,o-rwx'
state: touch
- - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Update cron.allow if exists"
+ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Update cron.allow if exists"
when: ubtu22cis_2_4_1_8_status.stat.exists
ansible.builtin.file:
path: /etc/cron.allow
diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml
index 5cddd0bd..09d19aad 100644
--- a/tasks/section_4/cis_4.1.x.yml
+++ b/tasks/section_4/cis_4.1.x.yml
@@ -55,7 +55,7 @@
enabled: true
state: started
-- name: "4.1.4 | PATCH | Ensure loopback traffic is configured"
+- name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured"
when:
- ubtu22cis_rule_4_1_4
tags:
@@ -66,28 +66,28 @@
- ufw
- NIST800-53R5_SC-7
block:
- - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set allow in ufw rules"
+ - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set allow in ufw rules"
community.general.ufw:
rule: allow
direction: in
interface: lo
notify: Reload ufw
- - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set allow out ufw rules"
+ - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set allow out ufw rules"
community.general.ufw:
rule: allow
direction: out
interface: lo
notify: Reload ufw
- - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv4"
+ - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set deny ufw rules IPv4"
community.general.ufw:
rule: deny
direction: in
from_ip: 127.0.0.0/8
notify: Reload ufw
- - name: "4.1.4 | PATCH | Ensure loopback traffic is configured | Set deny ufw rules IPv6"
+ - name: "4.1.4 | PATCH | Ensure ufw loopback traffic is configured | Set deny ufw rules IPv6"
when: ubtu22cis_ipv6_required
community.general.ufw:
rule: deny
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml
index ca07d4cd..d7a118f9 100644
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@@ -140,7 +140,7 @@
validate: 'sshd -t -f %s'
notify: Restart sshd
-- name: "5.1.6 | PATCH | Ensure only strong Ciphers are used"
+- name: "5.1.6 | PATCH | Ensure sshd Ciphers are configured"
when: ubtu22cis_rule_5_1_6
tags:
- level1-server
@@ -196,7 +196,7 @@
validate: 'sshd -t -f %s'
notify: Restart sshd
-- name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is is disabled"
+- name: "5.1.9 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
when: ubtu22cis_rule_5_1_9
tags:
- level2-server
@@ -216,7 +216,7 @@
validate: 'sshd -t -f %s'
notify: Restart sshd
-- name: "5.1.10 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
+- name: "5.1.10 | PATCH | Ensure sshd HostbasedAuthentication is disabled"
when: ubtu22cis_rule_5_1_10
tags:
- level1-server
@@ -236,7 +236,7 @@
validate: 'sshd -t -f %s'
notify: Restart sshd
-- name: "5.1.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
+- name: "5.1.11 | PATCH | Ensure sshd IgnoreRhosts is enabled"
when: ubtu22cis_rule_5_1_11
tags:
- level1-server
@@ -256,7 +256,7 @@
validate: 'sshd -t -f %s'
notify: Restart sshd
-- name: "5.1.12 | PATCH | Ensure only strong Key Exchange algorithms are used"
+- name: "5.1.12 | PATCH | Ensure sshd Kexalgorithms is configured"
when: ubtu22cis_rule_5_1_12
tags:
- level1-server
@@ -273,7 +273,7 @@
validate: 'sshd -t -f %s'
notify: Restart sshd
-- name: "5.1.13 | PATCH | Ensure SSH LoginGraceTime is configured"
+- name: "5.1.13 | PATCH | Ensure sshd LoginGraceTime is configured"
when: ubtu22cis_rule_5_1_13
tags:
- level1-server
@@ -290,7 +290,7 @@
validate: 'sshd -t -f %s'
notify: Restart sshd
-- name: "5.1.14 | PATCH | Ensure SSH LogLevel is configured"
+- name: "5.1.14 | PATCH | Ensure sshd LogLevel is configured"
when: ubtu22cis_rule_5_1_14
tags:
- level1-server
@@ -309,7 +309,7 @@
validate: 'sshd -t -f %s'
notify: Restart sshd
-- name: "5.1.15 | PATCH | Ensure only strong MAC algorithms are used"
+- name: "5.1.15 | PATCH | Ensure sshd MACs are configured"
when: ubtu22cis_rule_5_1_15
tags:
- level1-server
@@ -330,7 +330,7 @@
validate: 'sshd -t -f %s'
notify: Restart sshd
-- name: "5.1.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
+- name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is configured"
when: ubtu22cis_rule_5_1_16
tags:
- level1-server
@@ -368,7 +368,7 @@
validate: 'sshd -t -f %s'
notify: Restart sshd
-- name: "5.1.18 | PATCH | Ensure SSH MaxStartups is configured"
+- name: "5.1.18 | PATCH | Ensure sshd MaxStartups is configured"
when: ubtu22cis_rule_5_1_18
tags:
- level1-server
@@ -388,7 +388,7 @@
validate: 'sshd -t -f %s'
notify: Restart sshd
-- name: "5.1.19 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
+- name: "5.1.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled"
when: ubtu22cis_rule_5_1_19
tags:
- level1-server
@@ -425,7 +425,7 @@
validate: 'sshd -t -f %s'
notify: Restart sshd
-- name: "5.1.21 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
+- name: "5.1.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled"
when: ubtu22cis_rule_5_1_21
tags:
- level1-server
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index df8124db..b998d204 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -44,7 +44,7 @@
line: 'Defaults logfile="{{ ubtu22cis_sudo_logfile }}"'
insertafter: '^\s*Defaults'
-- name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
+- name: "5.2.4 | PATCH | Ensure users must provide password for privilege escalation"
when: ubtu22cis_rule_5_2_4
tags:
- level2-server
diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml
index 6bf35231..f972c75f 100644
--- a/tasks/section_5/cis_5.3.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.3.2.x.yml
@@ -124,7 +124,7 @@
group: root
mode: '0600'
-- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
+- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured"
when:
- ubtu22cis_rule_5_3_3_2_5
tags:
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
index 5b2c4ca0..7a8f8a95 100644
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@@ -53,8 +53,7 @@
state: absent
- name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
- when:
- - not ansible_check_mode
+ when: not ansible_check_mode
ansible.builtin.shell: aideinit -y -f
args:
creates: "{{ ubtu22cis_aide_db_file }}"
diff --git a/tasks/section_6/cis_6.2.1.2.x.yml b/tasks/section_6/cis_6.2.1.2.x.yml
index 6211baa6..e4747936 100644
--- a/tasks/section_6/cis_6.2.1.2.x.yml
+++ b/tasks/section_6/cis_6.2.1.2.x.yml
@@ -40,7 +40,7 @@
- { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ ubtu22cis_journal_trustedcertificatefile }}'}
notify: Restart journald
-- name: "6.2.1.2.3 | PATCH | Ensure systemd-journal-remote is enabled and active"
+- name: "6.2.1.2.3 | PATCH | Ensure systemd-journal-upload is enabled and active"
when:
- not ubtu22cis_system_is_log_server
- ubtu22cis_rule_6_2_1_2_3
diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml
index 5c014389..a4937b3d 100644
--- a/tasks/section_6/cis_6.3.3.x.yml
+++ b/tasks/section_6/cis_6.3.3.x.yml
@@ -62,7 +62,7 @@
ansible.builtin.set_fact:
update_audit_template: true
-- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
+- name: "6.3.3.6 | PATCH | Ensure use of privileged commands are collected"
when: ubtu22cis_rule_6_3_3_6
tags:
- level2-server
@@ -82,7 +82,7 @@
ansible.builtin.set_fact:
update_audit_template: true
-- name: "6.3.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected"
+- name: "6.3.3.7 | PATCH | Ensure unsuccessful file access attempts are collected"
when: ubtu22cis_rule_6_3_3_7
tags:
- level2-server
@@ -237,7 +237,7 @@
ansible.builtin.set_fact:
update_audit_template: true
-- name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading is collected"
+- name: "6.3.3.19 | PATCH | Ensure kernel module loading unloading and modification is collected"
when: ubtu22cis_rule_6_3_3_19
tags:
- level2-server
From 7f724f63c43db8b70a08c6adbbb74304ccaee323 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 29 Nov 2024 16:28:32 +0000
Subject: [PATCH 108/135] tag and title fixes #258 thanks to @bgro
Signed-off-by: Mark Bolwell
---
tasks/section_1/cis_1.1.2.2.x.yml | 2 +-
tasks/section_1/cis_1.1.2.7.x.yml | 6 +++---
tasks/section_2/cis_2.1.x.yml | 2 +-
tasks/section_5/cis_5.3.3.3.x.yml | 2 +-
tasks/section_6/cis_6.1.x.yml | 2 +-
tasks/section_7/cis_7.2.x.yml | 2 +-
6 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml
index dd988e39..b17ef55e 100644
--- a/tasks/section_1/cis_1.1.2.2.x.yml
+++ b/tasks/section_1/cis_1.1.2.2.x.yml
@@ -45,9 +45,9 @@
- level1-workstation
- patch
- mounts
- - rule_1.1.2.2.1
- rule_1.1.2.2.2
- rule_1.1.2.2.3
+ - rule_1.1.2.2.4
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
notify: Set_reboot_required
diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml
index 6c45c0ad..89169236 100644
--- a/tasks/section_1/cis_1.1.2.7.x.yml
+++ b/tasks/section_1/cis_1.1.2.7.x.yml
@@ -34,9 +34,6 @@
- ubtu22cis_rule_1_1_2_7_2 or
ubtu22cis_rule_1_1_2_7_3 or
ubtu22cis_rule_1_1_2_7_4
- - NIST800-53R5_CM-7
- - NIST800-53R5_AC-3
- - NIST800-53R5_MP-2
tags:
- level1-server
- level1-workstation
@@ -45,6 +42,9 @@
- rule_1.1.2.7.2
- rule_1.1.2.7.3
- rule_1.1.2.7.4
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
notify: Set_reboot_required
ansible.posix.mount:
name: /var/log/audit
diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml
index c15fe386..739e3fb3 100644
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@@ -4,7 +4,7 @@
when:
- ubtu22cis_rule_2_1_1
- "'autofs' in ansible_facts.packages"
- - not when system_is_ec2
+ - not system_is_ec2
tags:
- level1-server
- level2-workstation
diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml
index 12d82390..d4fa250b 100644
--- a/tasks/section_5/cis_5.3.3.3.x.yml
+++ b/tasks/section_5/cis_5.3.3.3.x.yml
@@ -62,7 +62,7 @@
- level1-server
- level1-workstation
- patch
- - rule_5.3.3.3.2
+ - rule_5.3.3.3.3
- pam
- NIST800-53R5_IA-5
block:
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
index 7a8f8a95..4ae89909 100644
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@@ -109,7 +109,7 @@
- aidecheck.service
- aidecheck.timer
-- name: "6.1.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
+- name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
when: ubtu22cis_rule_6_1_3
tags:
- level1-server
diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml
index fad7f6f6..e22f07f5 100644
--- a/tasks/section_7/cis_7.2.x.yml
+++ b/tasks/section_7/cis_7.2.x.yml
@@ -94,7 +94,7 @@
- level1-server
- level1-workstation
- patch
- - rule_6.2.4
+ - rule_7.2.4
- user
- NIST800-53R5_IA-5
vars:
From c8dd951e3bffceb21fb2a721489842e28846fa1c Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 29 Nov 2024 16:34:13 +0000
Subject: [PATCH 109/135] updated var naming 5.1.4 thanks to @bgro #257
Signed-off-by: Mark Bolwell
---
tasks/section_5/cis_5.1.x.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml
index d7a118f9..8660e4e1 100644
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@@ -84,7 +84,7 @@
- NIST800-53R5_MP-2
block:
- name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed users"
- when: "ubtu22cis_sshd['allow_users']| default('') | length > 0 "
+ when: "ubtu22cis_sshd_allow_users | default('') | length > 0 "
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^AllowUsers|^#AllowUsers'
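Review bot: The renamed condition in hunk `@@ -84,7 +84,7 @@` of tasks/section_5/cis_5.1.x.yml keeps a trailing space inside the quotes, `when: "ubtu22cis_sshd_allow_users | default('') | length > 0 "`, while the three sibling conditions in the following hunks end at `> 0"`; Jinja tolerates it, but it is an editing leftover that a grep for the pattern misses, so drop it. More importantly, this commit changes only this task file (diffstat: 1 file changed): if defaults/main.yml still declares the nested `ubtu22cis_sshd` mapping rather than the flat `ubtu22cis_sshd_allow_users`/`_allow_groups`/`_deny_users`/`_deny_groups` names, every one of these conditions resolves to undefined, `default('')` turns that into an empty string, and the AllowUsers/AllowGroups/DenyUsers/DenyGroups restrictions are silently never written — confirm the defaults were renamed in an earlier commit. The enclosing block starts before the hunk.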
@@ -93,7 +93,7 @@
notify: Restart sshd
- name: "5.1.4 | PATCH | Ensure sshd access is configured | Add allowed groups"
- when: "ubtu22cis_sshd['allow_groups']| default('') | length > 0"
+ when: "ubtu22cis_sshd_allow_groups | default('') | length > 0"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^AllowGroups|^#AllowGroups'
@@ -102,7 +102,7 @@
notify: Restart sshd
- name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny users"
- when: "ubtu22cis_sshd['deny_users']| default('') | length > 0"
+ when: "ubtu22cis_sshd_deny_users | default('') | length > 0"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^DenyUsers|^#DenyUsers'
@@ -111,7 +111,7 @@
notify: Restart sshd
- name: "5.1.4 | PATCH | Ensure sshd access is configured | Add deny groups"
- when: "ubtu22cis_sshd['deny_groups']| default('') | length > 0"
+ when: "ubtu22cis_sshd_deny_groups | default('') | length > 0"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^DenyGroups|^#DenyGroups'
From 2a71aacdd7ee5c98177046a14976976610a50519 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 3 Dec 2024 08:29:42 +0000
Subject: [PATCH 110/135] Latest lint configs
Signed-off-by: Mark Bolwell
---
.ansible-lint | 17 ++---------------
.yamllint | 22 ++++++++++++++--------
2 files changed, 16 insertions(+), 23 deletions(-)
diff --git a/.ansible-lint b/.ansible-lint
index 3090307c..3b7c3738 100755
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -3,20 +3,7 @@
parseable: true
quiet: true
skip_list:
- - 'schema'
- - 'no-changed-when'
- - 'var-spacing'
- - 'experimental'
- - 'name[play]'
- - 'name[casing]'
- - 'name[template]'
- - 'key-order[task]'
- - '204'
- - '305'
- - '303'
- - '403'
- - '306'
- - '602'
- - '208'
+ - 'package-latest'
+ - 'risky-shell-pipe'
use_default_rules: true
verbosity: 0
diff --git a/.yamllint b/.yamllint
index d8eba416..4cf70478 100755
--- a/.yamllint
+++ b/.yamllint
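Review bot: Skipping `risky-shell-pipe` for the whole repository in hunk `@@ -3,20 +3,7 @@` of .ansible-lint hides a class of audit false negatives rather than a lint nuisance. Audit tasks in this series build their findings from pipelines — e.g. the `df --local -P | awk ... | xargs ... find` list in 7.1.11 — and without `set -o pipefail` a failing first stage yields an empty result and a clean-looking audit. Prefer leaving the rule on and prefixing those shell tasks with `set -o pipefail` (with `args: executable: /bin/bash`), or a per-task `# noqa: risky-shell-pipe` where the pipeline is genuinely tolerant of upstream failure.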
@@ -1,32 +1,38 @@
---
-
extends: default
-
+locale: en_US.UTF-8
ignore: |
tests/
molecule/
.github/
.gitlab-ci.yml
*molecule.yml
-
rules:
- indentation:
- spaces: 2
- # Requiring consistent indentation within a file, either indented or not
- indent-sequences: consistent
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
+ comments:
+ ignore-shebangs: true
+ min-spaces-from-content: 1 # prettier compatibility
+ comments-indentation: enable
empty-lines:
max: 1
- line-length: disable
+ indentation:
+ # Requiring 2 space indentation
+ spaces: 2
+ # Requiring consistent indentation within a file, either indented or not
+ indent-sequences: consistent
key-duplicates: enable
+ line-length: disable
new-line-at-end-of-file: enable
new-lines:
type: unix
+ octal-values:
+ forbid-implicit-octal: true # yamllint defaults to false
+ forbid-explicit-octal: true
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
From e4fa52c4166e76e2cfa5f24ea4016d0ebeac4a6a Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 3 Dec 2024 08:30:06 +0000
Subject: [PATCH 111/135] Updated to latest lint layout config
Signed-off-by: Mark Bolwell
---
defaults/main.yml | 32 ++++++-----
handlers/main.yml | 55 ++++++++++---------
tasks/auditd.yml | 2 +-
tasks/main.yml | 2 +-
tasks/parse_etc_password.yml | 8 +--
tasks/post_remediation_audit.yml | 4 +-
tasks/pre_remediation_audit.yml | 14 ++---
tasks/prelim.yml | 60 +++++----------------
tasks/section_1/cis_1.1.1.x.yml | 32 +++++------
tasks/section_1/cis_1.1.2.1.x.yml | 89 +++++++++++++++++--------------
tasks/section_1/cis_1.1.2.2.x.yml | 2 +-
tasks/section_1/cis_1.1.2.3.x.yml | 4 +-
tasks/section_1/cis_1.1.2.4.x.yml | 4 +-
tasks/section_1/cis_1.1.2.5.x.yml | 4 +-
tasks/section_1/cis_1.1.2.6.x.yml | 4 +-
tasks/section_1/cis_1.1.2.7.x.yml | 4 +-
tasks/section_1/cis_1.2.1.x.yml | 4 +-
tasks/section_1/cis_1.3.1.x.yml | 8 +--
tasks/section_1/cis_1.4.x.yml | 4 +-
tasks/section_1/cis_1.5.x.yml | 10 ++--
tasks/section_1/cis_1.6.x.yml | 9 ++++
tasks/section_1/cis_1.7.x.yml | 69 +++++++++++++-----------
tasks/section_2/cis_2.1.x.yml | 38 ++++++-------
tasks/section_2/cis_2.3.2.x.yml | 4 +-
tasks/section_2/cis_2.3.3.x.yml | 2 +-
tasks/section_2/cis_2.4.1.x.yml | 28 +++-------
tasks/section_2/cis_2.4.2.x.yml | 16 +-----
tasks/section_3/cis_3.1.x.yml | 6 +--
tasks/section_3/cis_3.2.x.yml | 22 ++++++--
tasks/section_4/cis_4.1.x.yml | 4 +-
tasks/section_4/cis_4.2.x.yml | 4 +-
tasks/section_4/cis_4.3.2.x.yml | 10 ++--
tasks/section_4/cis_4.3.3.x.yml | 10 ++--
tasks/section_5/cis_5.1.x.yml | 4 +-
tasks/section_5/cis_5.3.2.x.yml | 8 +--
tasks/section_5/cis_5.3.3.1.x.yml | 9 ++++
tasks/section_5/cis_5.3.3.2.x.yml | 16 +++---
tasks/section_5/cis_5.4.1.x.yml | 19 ++++---
tasks/section_5/cis_5.4.2.x.yml | 16 +++---
tasks/section_5/cis_5.4.3.x.yml | 2 +-
tasks/section_6/cis_6.1.x.yml | 4 +-
tasks/section_6/cis_6.2.1.1.x.yml | 10 ++--
tasks/section_6/cis_6.3.3.x.yml | 2 +-
tasks/section_7/cis_7.1.x.yml | 6 +--
tasks/section_7/cis_7.2.x.yml | 34 ++++++------
tasks/warning_facts.yml | 3 +-
46 files changed, 354 insertions(+), 347 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 6fddd630..1be361ba 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -613,13 +611,11 @@ ubtu22cis_purge_apt: false
## Section 1 Control Variables ##
-## tmp mount type
-# This variable determines, to which mount type
-# the tmp mount type will be set, if it cannot be
-# correctly discovered. will force the tmp_mnt type
-# if not correctly discovered.
-# Possible values are `tmp_systemd` or `fstab`-
-expected_tmp_mnt: fstab
+## Control 1.1.2
+# If set to `true`, rule will be implemented using the `tmp.mount` systemd-service,
+# otherwise fstab configuration will be used.
+# These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards.
+ubtu22cis_tmp_svc: false
## Controls 1.3.1.x - apparmor
# AppArmor security policies define what system resources applications can access and their privileges.
@@ -674,7 +672,7 @@ ubtu22cis_disable_dynamic_motd: true
# This variable specifies the GNOME configuration database file to which configurations are written.
# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en)
# The default database is `local`.
-ubtu22cis_dconf_db_name: "{{ prelim_dconf_db_user|default('local') }}"
+ubtu22cis_dconf_db_name: "{{ prelim_dconf_db_user | default('local') }}"
# This variable governs the number of seconds of inactivity before the screen goes blank.
ubtu22cis_screensaver_idle_delay: 900
# This variable governs the number of seconds the screen remains blank before it is locked.
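Review bot: Hunk `@@ -613,13 +611,11 @@` replaces the user-facing default `expected_tmp_mnt` (a string, `tmp_systemd`/`fstab`) with `ubtu22cis_tmp_svc` (a boolean), an interface change that a commit described as "Updated to latest lint layout config" does not signal. An inventory that still sets `expected_tmp_mnt: tmp_systemd` is silently ignored and, with the new default of `false`, the fstab path is taken. Call the rename out in the commit message and changelog, and consider a prelim assertion that fails when `expected_tmp_mnt is defined` and points at the new variable. The new comment also wants an article: `# If set to \`true\`, the rule will be implemented using the \`tmp.mount\` systemd-service,`.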
@@ -815,32 +813,32 @@ ubtu22cis_sshd_default_kex_algorithms:
# - `INFO`: logs informational messages in addition to errors;
# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
# - `DEBUG`: generates very detailed debugging information including sensitive information.
-ubtu22cis_sshd_log_level: "{{ubtu22cis_sshd_default_log_level}}"
+ubtu22cis_sshd_log_level: "{{ ubtu22cis_sshd_default_log_level }}"
# This variable specifies the maximum number of authentication attempts that are
# allowed for a single SSH session.
-ubtu22cis_sshd_max_auth_tries: "{{ubtu22cis_sshd_default_max_auth_tries}}"
+ubtu22cis_sshd_max_auth_tries: "{{ ubtu22cis_sshd_default_max_auth_tries }}"
# This variable specifies the encryption algorithms that can be used for securing
# data transmission.
-ubtu22cis_sshd_ciphers: "{{ubtu22cis_sshd_default_ciphers}}"
+ubtu22cis_sshd_ciphers: "{{ ubtu22cis_sshd_default_ciphers }}"
# This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying
# the integrity of data exchanged.
-ubtu22cis_sshd_macs: "{{ubtu22cis_sshd_default_macs}}"
+ubtu22cis_sshd_macs: "{{ ubtu22cis_sshd_default_macs }}"
# This variable is used to state the key exchange algorithms used to establish secure encryption
# keys during the initial connection setup.
-ubtu22cis_sshd_kex_algorithms: "{{ubtu22cis_sshd_default_kex_algorithms}}"
+ubtu22cis_sshd_kex_algorithms: "{{ ubtu22cis_sshd_default_kex_algorithms }}"
# This variable sets the time interval in seconds between sending "keep-alive"
# messages from the server to the client. These types of messages are intended to
# keep the connection alive and prevent it being terminated due to inactivity.
-ubtu22cis_sshd_client_alive_interval: "{{ubtu22cis_sshd_default_client_alive_interval}}"
+ubtu22cis_sshd_client_alive_interval: "{{ ubtu22cis_sshd_default_client_alive_interval }}"
# This variable sets the maximum number of unresponsive "keep-alive" messages
# that can be sent from the server to the client before the connection is considered
# inactive and thus, closed.
-ubtu22cis_sshd_client_alive_count_max: "{{ubtu22cis_sshd_default_client_alive_count_max}}"
+ubtu22cis_sshd_client_alive_count_max: "{{ ubtu22cis_sshd_default_client_alive_count_max }}"
# This variable specifies the amount of seconds allowed for successful authentication to
# the SSH server.
-ubtu22cis_sshd_login_grace_time: "{{ubtu22cis_sshd_default_login_grace_time}}"
+ubtu22cis_sshd_login_grace_time: "{{ ubtu22cis_sshd_default_login_grace_time }}"
# This variables is used to set the maximum number of open sessions per connection.
-ubtu22cis_sshd_max_sessions: "{{ubtu22cis_sshd_default_max_sessions}}"
+ubtu22c
is_sshd_max_sessions: "{{ ubtu22cis_sshd_default_max_sessions }}"
# This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
# access for users whose user name matches one of the patterns. This is done
# by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.
diff --git a/handlers/main.yml b/handlers/main.yml
index 0c0aa23b..f6a77e2d 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -10,7 +10,7 @@
dest: /etc/systemd/system/tmp.mount
owner: root
group: root
- mode: '0644'
+ mode: 'go-wx'
with_items:
- "{{ ansible_facts.mounts }}"
loop_control:
@@ -35,7 +35,8 @@
listen: Writing and remounting tmp
- name: Update_Initramfs
- ansible.builtin.shell: update-initramfs -u
+ ansible.builtin.command: update-initramfs -u
+ changed_when: true
notify: Set_reboot_required
- name: Remount tmp
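Review bot: `mode: 'go-wx'` for the rendered /etc/systemd/system/tmp.mount (hunk `@@ -10,7 +10,7 @@` of handlers/main.yml) is a relative mode, so it only strips bits and leaves an existing owner-execute bit in place, where the previous `'0644'` set the mode absolutely; it is also a behaviour change in a commit presented as lint layout. The role's other file-permission tasks (e.g. 1.6.4–1.6.6 earlier in this series) use `mode: 'u-x,go-wx'`; use the same here for consistency, or keep `'0644'`. The handler's name and module line are outside the hunk.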
@@ -78,7 +79,8 @@
state: remounted
- name: Grub update
- ansible.builtin.shell: update-grub
+ ansible.builtin.command: update-grub
+ changed_when: true
failed_when: false
notify: Set_reboot_required
@@ -92,7 +94,8 @@
daemon_reload: true
- name: Update dconf
- ansible.builtin.shell: dconf update
+ ansible.builtin.command: dconf update
+ changed_when: true
failed_when: false
- name: Restart postfix
@@ -136,52 +139,56 @@ state: reloaded - name: Iptables persistent - ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" - changed_when: ubtu22cis_iptables_save.rc == 0 - failed_when: ubtu22cis_iptables_save.rc > 0 - register: ubtu22cis_iptables_save + ansible.builtin.command: bash -c "iptables-save > /etc/iptables/rules.v4" + changed_when: discovered_ip4tables_save.rc == 0 + failed_when: discovered_ip4tables_save.rc > 0 + register: discovered_ip4tables_save - name: Ip6tables persistent - ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" - changed_when: ubtu22cis_ip6tables_save.rc == 0 - failed_when: ubtu22cis_ip6tables_save.rc > 0 - register: ubtu22cis_ip6tables_save + ansible.builtin.command: bash -c "ip6tables-save > /etc/iptables/rules.v6" + changed_when: discovered_ip6tables_save.rc == 0 + failed_when: discovered_ip6tables_save.rc > 0 + register: discovered_ip6tables_save - name: Pam_auth_update_pwunix - ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_pwunix_file }} + ansible.builtin.command: pam-auth-update --enable {{ ubtu22cis_pam_pwunix_file }} + changed_when: true - name: Pam_auth_update_pwfaillock - ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_faillock_file }} + ansible.builtin.command: pam-auth-update --enable {{ ubtu22cis_pam_faillock_file }} + changed_when: true - name: Pam_auth_update_pwfaillock_notify - ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_faillock_notify_file }} + ansible.builtin.command: pam-auth-update --enable {{ ubtu22cis_pam_faillock_notify_file }} + changed_when: true - name: Pam_auth_update_pwquality - ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_pwquality_file }} + ansible.builtin.command: pam-auth-update --enable {{ ubtu22cis_pam_pwquality_file }} + changed_when: true - name: Pam_auth_update_pwhistory - ansible.builtin.shell: pam-auth-update --enable {{ ubtu22cis_pam_pwhistory_file }} + ansible.builtin.command: 
pam-auth-update --enable {{ ubtu22cis_pam_pwhistory_file }} + changed_when: true - name: Auditd rules reload when: - not prelim_auditd_immutable_check or '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout' - ansible.builtin.shell: augenrules --load + ansible.builtin.command: augenrules --load + changed_when: true - name: Audit_immutable_fact when: - - audit_rules_updated.changed + - discovered_audit_rules_updated.changed - auditd_immutable_check is defined ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" notify: Set_reboot_required - name: Restart auditd - when: - - audit_rules_updated is defined - tags: - - skip_ansible_lint - ansible.builtin.shell: service auditd restart + when: discovered_audit_rules_updated is defined + ansible.builtin.command: service auditd restart # noqa command-instead-of-module + changed_when: true - name: Restart sshd ansible.builtin.systemd: diff --git a/tasks/auditd.yml b/tasks/auditd.yml index c7b78411..fca7a096 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -8,7 +8,7 @@ owner: root group: root mode: '0640' - register: audit_rules_updated + register: discovered_audit_rules_updated notify: - Auditd rules reload - Audit_immutable_fact diff --git a/tasks/main.yml b/tasks/main.yml index c67abf25..065dd87e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -29,7 +29,7 @@ check_mode: false register: prelim_ansible_user_password_set - - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" + - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" # noqa name[template] ansible.builtin.assert: that: prelim_ansible_user_password_set.stdout != "!!" and prelim_ansible_user_password_set.stdout | length > 10 fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" 
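Review bot: The `Auditd rules reload` condition `not prelim_auditd_immutable_check or '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout'` is always true, because the second operand is a single-quoted Jinja string literal rather than a membership test, so `augenrules --load` runs unconditionally; drop the inner quotes: `- not prelim_auditd_immutable_check or "No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout`. The neighbouring `Audit_immutable_fact` handler gates on `auditd_immutable_check is defined` while this one reads `prelim_auditd_immutable_check`; if the fact was renamed with the `prelim_` prefix elsewhere in the role, the reboot-required notice for immutable rules can never fire. Separately, `bash -c "iptables-save > /etc/iptables/rules.v4"` under `ansible.builtin.command` is still a shell with a redirect, so the lint motivation for the module switch is not met and a newly created rules file takes whatever the ambient umask allows; `ansible.builtin.shell: umask 077; iptables-save > /etc/iptables/rules.v4` (or a follow-up `ansible.builtin.file` with `mode: '0600'`) keeps the firewall policy from being world-readable. The redundant `changed_when`/`failed_when` on rc could then go as well.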
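Review bot: The lockout guard in `that:` only recognises `!!` as a locked account, but `passwd -l` / `usermod -L` lock by prefixing the existing hash with `!` (and `*` is the other conventional lock marker), so a value like `!$6$…` is longer than 10 characters and passes the assertion even though the sudo user cannot authenticate. What `stdout` holds is not visible in this hunk (presumably the shadow password field); if so, test the prefix instead: `that: prelim_ansible_user_password_set.stdout is not match('^[!*]') and prelim_ansible_user_password_set.stdout | length > 10`. The `# noqa name[template]` addition itself is fine.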
diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 2c9c9ee7..5da43e2d 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -5,16 +5,16 @@ - always block: - name: "PRELIM | Parse /etc/passwd | Get /etc/password contents" - ansible.builtin.shell: cat /etc/passwd + ansible.builtin.command: cat /etc/passwd changed_when: false check_mode: false - register: ubtu22cis_passwd_file_audit + register: prelim_passwd_file_audit - name: "PRELIM | Parse /etc/passwd | Split passwd entries" ansible.builtin.set_fact: - ubtu22cis_passwd: "{{ ubtu22cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" + ubtu22cis_passwd: "{{ prelim_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" - with_items: "{{ ubtu22cis_passwd_file_audit.stdout_lines }}" + with_items: "{{ prelim_passwd_file_audit.stdout_lines }}" vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index cac34ed1..54d57852 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,7 +1,7 @@ --- -- name: Post Audit | Run post_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" +- name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template] + ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 555eae6c..3db36fd8 100644 --- a/tasks/pre_remediation_audit.yml 
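Review bot: The `with_items` on the `Split passwd entries` `set_fact` iterates once per line of `/etc/passwd` but the fact expression never references `item`, so the whole `map … | from_yaml` pipeline is re-evaluated N times to produce the same value; drop the `with_items:` line. Building YAML text from passwd fields and parsing it with `from_yaml` is also fragile: a GECOS field containing YAML-significant characters (`: `, ` #`, quotes) can alter the parsed structure or abort the play, and `ld_passwd_yaml` is outside this hunk so I cannot tell whether the fields are quoted there — worth confirming. `ansible.builtin.command: cat /etc/passwd` could be `ansible.builtin.slurp` (or `getent passwd` if non-file NSS sources matter) instead of spawning `cat`.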
+++ b/tasks/pre_remediation_audit.yml @@ -6,7 +6,7 @@ ansible.builtin.include_tasks: file: LE_audit_setup.yml -- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists +- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists # noqa name[template] ansible.builtin.file: path: "{{ audit_conf_dir }}" mode: '0755' @@ -44,8 +44,8 @@ ansible.builtin.unarchive: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" - remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" - extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" + remote_src: "{{ (audit_conf_source is contains ('http'))| ternary(true, false) }}" + extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', []) }}" - name: Pre Audit Setup | Check Goss is available when: run_audit @@ -53,10 +53,10 @@ - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: path: "{{ audit_bin }}" - register: goss_available + register: prelim_goss_available - name: Pre Audit Setup | If audit ensure goss is available - when: not goss_available.stat.exists + when: not prelim_goss_available.stat.exists ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" @@ -70,8 +70,8 @@ dest: "{{ audit_vars_path }}" mode: '0600' -- name: Pre Audit | Run pre_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" +- name: Pre Audit | Run pre_remediation {{ benchmark }} audit # noqa name[template] + ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 06b5271b..475b3312 100644 
--- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -29,47 +29,6 @@ ansible.builtin.set_fact: mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" -- name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type - when: - - "'/tmp' in mount_names" - - ubtu22cis_rule_1_1_2_1_1 or - ubtu22cis_rule_1_1_2_1_2 or - ubtu22cis_rule_1_1_2_1_3 or - ubtu22cis_rule_1_1_2_1_4 - tags: always - block: - - name: PRELIM | AUDIT | Capture tmp mount type | discover mount tmp type - ansible.builtin.shell: systemctl is-enabled tmp.mount - register: prelim_tmp_mnt_type - changed_when: false - failed_when: prelim_tmp_mnt_type.rc not in [ 0, 1 ] - - - name: PRELIM | AUDIT | Capture tmp mount type | Set to expected_tmp_mnt variable - when: "'generated' in prelim_tmp_mnt_type.stdout" - ansible.builtin.set_fact: - tmp_mnt_type: "{{ expected_tmp_mnt }}" - - - name: PRELIM | AUDIT | Capture tmp mount type | Set systemd service - when: "'generated' not in prelim_tmp_mnt_type.stdout" - ansible.builtin.set_fact: - tmp_mnt_type: tmp_systemd - -- name: PRELIM | Initialize the mount options variable - tags: always - block: - - name: PRELIM | Initializing the var if there is no /tmp mount | set_fact - when: "'/tmp' not in mount_names" - ansible.builtin.set_fact: - tmp_partition_mount_options: [] - - - name: PRELIM | Initializing the var if there is a /tmp mount | set_fact - when: - - item.mount == "/tmp" - - "'/tmp' in mount_names" - ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ item.options.split(',') }}" - loop: "{{ ansible_facts.mounts }}" - - name: Include audit specific variables when: - run_audit or audit_only 
@@ -96,19 +55,26 @@ ansible.builtin.package: update_cache: true -- name: PRELIM | Discover Gnome Desktop Environment +- name: PRELIM | AUDIT | Discover Gnome Desktop Environment tags: always ansible.builtin.stat: path: /usr/share/gnome/gnome-version.xml register: prelim_gnome_present -- name: PRELIM | Discover dconf systemdb +- name: PRELIM | AUDIT | Discover dconf systemdb when: ubtu22cis_gui ansible.builtin.shell: grep system-db /etc/dconf/profile/user | cut -d ':' -f2 changed_when: false failed_when: ubtu22cis_dconf_db.rc not in [ 0, 1 ] register: prelim_dconf_system_db +- name: PRELIM | PATCH | Install cron if required + when: ubtu22cis_rule_2_4_1_1 + tags: always + ansible.builtin.package: + name: cron + state: present + - name: PRELIM | AUDIT | Wireless adapter pre-requisites when: - ubtu22cis_rule_3_1_2 @@ -130,7 +96,7 @@ name: network-manager state: present -- name: PRELIM | 4.1.1 | PATCH | Ensure ufw is installed +- name: PRELIM | PATCH | Ensure ufw is installed when: - ubtu22cis_rule_4_1_1 - ubtu22cis_ufw_use_sysctl @@ -146,7 +112,7 @@ name: ufw state: present -- name: PRELIM | PATCH | 5.3.4/5 | Find all sudoers files. +- name: PRELIM | PATCH | Find all sudoers files. when: - ubtu22cis_rule_5_2_4 or ubtu22cis_rule_5_2_5 @@ -171,7 +137,7 @@ state: directory owner: root group: root - mode: '0750' + mode: 'g-w,o-rwx' - name: PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def when: not discover_int_uid @@ -243,7 +209,7 @@ state: directory owner: root group: root - mode: '0755' + mode: 'go-w' - name: PRELIM | PATCH | Ensure auditd is installed when: diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 0a4146a6..a6319458 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml 
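Review bot: In `PRELIM | AUDIT | Discover dconf systemdb` the task registers `prelim_dconf_system_db` but its `failed_when` tests `ubtu22cis_dconf_db.rc`, a name that is never registered, so on a GUI host (`ubtu22cis_gui`) the conditional evaluation itself errors out rather than tolerating a missing profile. Fix: `failed_when: prelim_dconf_system_db.rc not in [ 0, 1 ]`. Note the registered value is a result mapping; the section 1.7 tasks in this patch interpolate `prelim_dconf_system_db` directly into `/etc/dconf/db/…` paths, which would need `.stdout` (or a `set_fact` that is not in this diff) — worth confirming.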
@@ -16,7 +16,7 @@ regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -24,7 +24,7 @@ regexp: "^(#)?blacklist cramfs(\\s|$)" line: "blacklist cramfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" when: not system_is_container @@ -48,7 +48,7 @@ regexp: "^(#)?install freevxfs(\\s|$)" line: "install freevxfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -56,7 +56,7 @@ regexp: "^(#)?blacklist freevxfs(\\s|$)" line: "blacklist freevxfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs" when: not system_is_container @@ -80,7 +80,7 @@ regexp: "^(#)?install hfs(\\s|$)" line: "install hfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -88,7 +88,7 @@ regexp: "^(#)?blacklist hfs(\\s|$)" line: "blacklist hfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs" when: not system_is_container @@ -112,7 +112,7 @@ regexp: "^(#)?install hfsplus(\\s|$)" line: "install hfsplus /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -120,7 +120,7 @@ regexp: "^(#)?blacklist hfsplus(\\s|$)" line: "blacklist hfsplus" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus" when: not system_is_container 
@@ -144,7 +144,7 @@ regexp: "^(#)?install jffs2(\\s|$)" line: "install jffs2 /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -152,7 +152,7 @@ regexp: "^(#)?blacklist jffs2(\\s|$)" line: "blacklist jffs2" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2" when: not system_is_container @@ -179,7 +179,7 @@ regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -187,7 +187,7 @@ regexp: "^(#)?blacklist squashfs(\\s|$)" line: "blacklist squashfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs" when: not system_is_container @@ -211,7 +211,7 @@ regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -219,7 +219,7 @@ regexp: "^(#)?blacklist udf(\\s|$)" line: "blacklist udf" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Disable udf" when: not system_is_container @@ -243,7 +243,7 @@ regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | blacklist" ansible.builtin.lineinfile: 
@@ -251,7 +251,7 @@ regexp: "^(#)?blacklist usb-storage(\\s|$)" line: "blacklist usb-storage" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Disable usb" when: not system_is_container diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index d667dcfc..05ae9f42 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -1,6 +1,6 @@ --- -- name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition" +- name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition" when: - required_mount not in mount_names - ubtu22cis_rule_1_1_2_1_1 
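Review bot: These hunks only change the literal mode to `go-rwx` while keeping `install usb-storage /bin/true` (and the same `/bin/true` for the other 1.1.1.x modules); my recollection is that the v2.0 benchmark remediation and its audit expect `/bin/false`, so the remediated files may be flagged by the role's own goss audit — worth checking against the benchmark text before this lands as the "v2.0 update". On the mode itself, a symbolic `go-rwx` only strips bits relative to what the file already has, which gives the intended 0600 for a `create: true` lineinfile, but none of these tasks pin `owner`/`group`, so a file created by a non-root become user keeps that ownership.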
@@ -10,70 +10,79 @@ - audit - mounts - rule_1.1.2.1.1 - - tmp - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.1.1' required_mount: '/tmp' block: - - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent" + - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - - name: "1.1.2.1.1 | WARN | Ensure /tmp is a separate partition | warn_count" + - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Present" ansible.builtin.import_tasks: file: warning_facts.yml -- name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" +# via fstab +- name: | + "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" + "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" + "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" + ansible.posix.mount: + name: /tmp + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_1_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_1_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and ubtu22cis_rule_1_1_2_1_4) %},noexec{% endif %}" + notify: Remount tmp + loop: "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" when: - - required_mount in mount_names - - ubtu22cis_rule_1_1_2_1_2 + - item.mount == "/tmp" + - not ubtu22cis_tmp_svc + - ubtu22cis_rule_1_1_2_1_2 or + ubtu22cis_rule_1_1_2_1_3 or + ubtu22cis_rule_1_1_2_1_4 tags: - level1-server - level1-workstation - patch + - mounts - rule_1.1.2.1.2 - - tmp + - rule_1.1.2.1.3 + - rule_1.1.2.1.4 - NIST800-53R5_CM-7 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - vars: - required_mount: '/tmp' - ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}" - changed_when: true - notify: Writing and 
remounting tmp -- name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" +# via systemd +- name: | + "1.1.2.1.1 | PATCH | Ensure /tmp is configured" + "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" + "1.1.2.1.3 | PATCH | Ensure noexec option set on /tmp partition" + "1.1.2.1.4 | PATCH | Ensure nosuid option set on /tmp partition" when: - - required_mount in mount_names - - ubtu22cis_rule_1_1_2_1_3 + - ubtu22cis_tmp_svc + - ubtu22cis_rule_1_1_2_1_1 or + ubtu22cis_rule_1_1_2_1_2 or + ubtu22cis_rule_1_1_2_1_3 or + ubtu22cis_rule_1_1_2_1_4 tags: - level1-server - level1-workstation - patch + - mounts + - rule_1.1.2.1.1 + - rule_1.1.2.1.2 - rule_1.1.2.1.3 - - tmp - vars: - required_mount: '/tmp' - ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}" - changed_when: true - notify: Writing and remounting tmp - -- name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" - when: - - required_mount in mount_names - - ubtu22cis_rule_1_1_2_1_4 - tags: - - level1-server - - level1-workstation - - patch - rule_1.1.2.1.4 - - tmp - vars: - required_mount: '/tmp' - ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}" - changed_when: true - notify: Writing and remounting tmp + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.template: + src: etc/systemd/system/tmp.mount.j2 + dest: /etc/systemd/system/tmp.mount + owner: root + group: root + mode: 'go-wx' + notify: Systemd restart tmp.mount diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index b17ef55e..280e3d70 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml 
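Review bot: The two combined task names disagree on which control is which: the fstab task labels `1.1.2.1.3` as nosuid and `1.1.2.1.4` as noexec (matching the `ubtu22cis_rule_1_1_2_1_3`/`_4` flags in its `opts` template), while the systemd task lists `"1.1.2.1.3 | PATCH | Ensure noexec option set on /tmp partition"` and `"1.1.2.1.4 | PATCH | Ensure nosuid option set on /tmp partition"`; swap those two lines so tags, names and warning output line up. The first task was renamed from AUDIT to PATCH but still only emits a `debug` warning and imports `warning_facts.yml`, and its sub-task now called `| Present` runs precisely when `/tmp` is absent, so the old `AUDIT`/`WARN` labels described it better. Whether `tmp.mount.j2` honours the individual `ubtu22cis_rule_1_1_2_1_2..4` flags is outside this diff — worth confirming, since the systemd task's `when` fires for any one of them.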
@@ -16,7 +16,7 @@ required_mount: '/dev/shm' block: - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check for mount" - ansible.builtin.shell: findmnt -kn "{{ required_mount }}" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" changed_when: false failed_when: discovered_shm_mount.rc not in [ 0, 1 ] register: discovered_shm_mount diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index bfb0040e..1554c645 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -41,7 +41,9 @@ - rule_1.1.2.3.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: Set_reboot_required + notify: + - Remount home + - Set_reboot_required ansible.posix.mount: name: /home src: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index d8c0520d..19929d1b 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -41,7 +41,9 @@ - rule_1.1.2.4.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: Set_reboot_required + notify: + - Remount var + - Set_reboot_required ansible.posix.mount: name: /var src: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index de6bfe7c..f5555672 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -45,7 +45,9 @@ - rule_1.1.2.5.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: Set_reboot_required + notify: + - Remount var_tmp + - Set_reboot_required ansible.posix.mount: name: /var/tmp src: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index c5638bbc..7c1435b8 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml 
@@ -44,7 +44,9 @@ - rule_1.1.2.6.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: Set_reboot_required + notify: + - Remount var_log + - Set_reboot_required ansible.posix.mount: name: /var/log src: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index 89169236..7bde0d24 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml @@ -45,7 +45,9 @@ - NIST800-53R5_CM-7 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: Set_reboot_required + notify: + - Remount var_log_audit + - Set_reboot_required ansible.posix.mount: name: /var/log/audit src: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index d31afed5..d4d2f40a 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml @@ -14,7 +14,7 @@ warn_control_id: '1.2.1.1' block: - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Get apt gpg keys" - ansible.builtin.shell: apt-key list + ansible.builtin.command: apt-key list changed_when: false failed_when: false check_mode: false @@ -45,7 +45,7 @@ warn_control_id: '1.2.1.2' block: - name: "1.2.1.2 | AUDIT | Ensure package manager repositories are configured | Get repositories" - ansible.builtin.shell: apt-cache policy + ansible.builtin.command: apt-cache policy changed_when: false failed_when: false check_mode: false diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml index 5ca544cc..d7257667 100644 --- a/tasks/section_1/cis_1.3.1.x.yml +++ b/tasks/section_1/cis_1.3.1.x.yml 
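Review bot: `apt-key list` only reports keys in the legacy `trusted.gpg`/`trusted.gpg.d` stores and is deprecated on Ubuntu 22.04; repositories that use `Signed-By:` keyrings under `/etc/apt/keyrings` or `/usr/share/keyrings` are invisible to this audit, so the 1.2.1.1 warning output can be misleadingly short. Consider enumerating those keyrings as well, e.g. an `ansible.builtin.find` over `/etc/apt/keyrings` and `/usr/share/keyrings` (or `gpg --no-default-keyring --keyring <file> --list-keys` per file) alongside `apt-key list`. With `failed_when: false` the task also hides a missing `apt-key` binary instead of reporting that the check could not run.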
@@ -147,18 +147,18 @@ changed_when: false - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get pre apply enforce count" - ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu22cis_apparmor_mode}} mode" | tr -d -c 0-9 + ansible.builtin.shell: apparmor_status | grep "profiles are in {{ ubtu22cis_apparmor_mode }} mode" | tr -d -c 0-9 changed_when: false failed_when: false register: discovered_apparmor_pre_count - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Apply complaining/enforcing to /etc/apparmor.d profiles" - ansible.builtin.shell: aa-{{ubtu22cis_apparmor_mode}} /etc/apparmor.d/* + ansible.builtin.shell: aa-{{ ubtu22cis_apparmor_mode }} /etc/apparmor.d/* changed_when: false failed_when: false - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get post apply enforce count" - ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu22cis_apparmor_mode}} mode" | tr -d -c 0-9 + ansible.builtin.shell: apparmor_status | grep "profiles are in {{ ubtu22cis_apparmor_mode }} mode" | tr -d -c 0-9 changed_when: false failed_when: false register: discovered_apparmor_post_count @@ -166,5 +166,5 @@ - name: "1.3.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | This flags for idempotency" when: discovered_apparmor_pre_count.stdout != discovered_apparmor_post_count.stdout ansible.builtin.debug: - msg: Changed! The profiles in /etc/apparmor.d were set to {{ubtu22cis_apparmor_mode}} mode + msg: Changed! The profiles in /etc/apparmor.d were set to {{ ubtu22cis_apparmor_mode }} mode changed_when: true diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 1730b875..e5a451f1 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml 
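Review bot: `ubtu22cis_apparmor_mode` is interpolated unvalidated into an `ansible.builtin.shell` command (`aa-{{ ubtu22cis_apparmor_mode }} /etc/apparmor.d/*`) that runs with `failed_when: false`, so an unexpected value silently does nothing, and a value containing shell metacharacters from a less-trusted inventory source would be executed as shell. Add a guard before the block: `ansible.builtin.assert: { that: "ubtu22cis_apparmor_mode in ['enforce', 'complain']" }`. Because the apply step has both `changed_when: false` and `failed_when: false`, the only success signal is the before/after count comparison, which stays equal when `aa-enforce` fails on every profile; registering the result and checking its rc/stderr would surface that. The enclosing block and its tags start above this hunk.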
@@ -18,7 +18,7 @@ dest: "{{ ubtu22cis_grub_user_file }}" owner: root group: root - mode: '0755' + mode: 'go-w' notify: Grub update - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot" @@ -52,4 +52,4 @@ path: "{{ ubtu22cis_grub_file }}" owner: root group: root - mode: '0400' + mode: 'go-rwx' diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 8893265c..1e53aacd 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -64,7 +64,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "1.5.3 | PATCH | Ensure core dumps are restricted | sysctl.conf" ansible.builtin.lineinfile: @@ -73,7 +73,7 @@ line: fs.suid_dumpable=0 owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload systemctl - name: "1.5.3 | PATCH | Ensure core dumps are restricted | coredump.conf" @@ -84,7 +84,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'go-wx' loop: - { regexp: '^Storage', line: 'Storage=none' } - { regexp: '^ProcessSizeMax', line: 'ProcessSizeMax=0' } @@ -104,7 +104,7 @@ - NIST800-53R5_CM-6 block: - name: "1.5.4 | PATCH | Ensure prelink is not installed | Restore binaries to normal" - ansible.builtin.shell: prelink -ua + ansible.builtin.command: prelink -ua changed_when: false failed_when: false @@ -132,7 +132,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "1.5.5 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package" when: "'apport' in ansible_facts.packages" diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 6ea392db..6b715e87 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -16,6 +16,9 @@ ansible.builtin.template: src: etc/motd.j2 dest: /etc/motd + owner: root + group: root + mode: 'u-x,go-wx' - name: "1.6.1 | PATCH | Ensure message of the day is configured properly | disable dynamic_motd" when: ubtu22cis_disable_dynamic_motd 
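Review bot: Changing the `1.4.1` template's `mode` from `'0755'` to `'go-w'` never sets the execute bit, so when `{{ ubtu22cis_grub_user_file }}` is created fresh by `ansible.builtin.template` it keeps the umask-derived mode (typically 0644); if that file lives under `/etc/grub.d/` (as the variable name suggests), `grub-mkconfig` skips non-executable scripts and the notified `Grub update` regenerates `grub.cfg` without the password entries while the play reports success. Use a symbolic mode that asserts the bits rather than only stripping them: `mode: 'u=rwx,go=rx'`. The `@@ -52` hunk's `go-rwx` on `{{ ubtu22cis_grub_file }}` still satisfies the 0600-or-stricter requirement, though unlike the old `'0400'` it leaves the owner write bit in place.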
@@ -45,6 +48,9 @@ ansible.builtin.template: src: etc/issue.j2 dest: /etc/issue + owner: root + group: root + mode: 'u-x,go-wx' - name: "1.6.2 | PATCH | Ensure local login warning banner is kept on package upgrade | issue" community.general.dpkg_divert: @@ -66,6 +72,9 @@ ansible.builtin.template: src: etc/issue.net.j2 dest: /etc/issue.net + owner: root + group: root + mode: 'u-x,go-wx' - name: "1.6.3 | PATCH | Ensure remote login warning banner is kept on package upgrade | issue.net" community.general.dpkg_divert: diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 7c78788f..d4f6367a 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -1,5 +1,4 @@ --- - - name: "1.7.1 | PATCH | Ensure GDM is removed" when: - ubtu22cis_rule_1_7_1 @@ -37,11 +36,11 @@ path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | banner settings" - ansible.builtin.lineinfile: + ansible.builtin.lineinfile: # noqa: args[module] path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-login-screen" regexp: "{{ item.regexp }}" line: "{{ item.line }}" 
@@ -49,12 +48,12 @@ create: true owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' loop: - - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } - - { regexp: 'banner-message-enable', line: 'banner-message-enable=true', insertafter: '\[org\/gnome\/login-screen\]'} - - { regexp: 'banner-message-text', line: "banner-message-text='{{ ubtu22cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: 'banner-message-enable' } - notify: Update dconf + - { regexp: "\\[org\\/gnome\\/login-screen\\]", line: "[org/gnome/login-screen]", insertafter: EOF } + - { regexp: "banner-message-enable", line: "banner-message-enable=true", insertafter: "\\[org\\/gnome\\/login-screen\\]" } + - { regexp: "banner-message-text", line: "banner-message-text='{{ ubtu22cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: "banner-message-enable" } + notify: Update dconf - name: "1.7.3 | PATCH | Ensure GDM disable-user-list option is enabled" when: @@ -77,7 +76,7 @@ path: "{{ item }}" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory loop: - /etc/dconf/db/{{ prelim_dconf_system_db }}.d @@ -92,10 +91,11 @@ create: true owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' loop: - - { regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]', insertafter: EOF } - - { regexp: 'disable-user-list', line: 'disable-user-list=true', insertafter: '\[org\/gnome\/login-screen\]'} + - { regexp: "\\[org\\/gnome\\/login-screen\\]", line: "[org/gnome/login-screen]", insertafter: EOF } + - { regexp: "disable-user-list", line: "disable-user-list=true", insertafter: "\\[org\\/gnome\\/login-screen\\]" } + notify: Update dconf - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | disable-user-list setting profile" ansible.builtin.lineinfile: 
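Review bot: `banner-message-text='{{ ubtu22cis_warning_banner | regex_replace('\n', ' ') | trim }}'` embeds the banner in a single-quoted GVariant string with no escaping, so any apostrophe in `ubtu22cis_warning_banner` ("don't", "system's") yields a malformed keyfile, and because the `Update dconf` handler runs with `failed_when: false` the failed compile goes unnoticed and no login banner is shown. Escape the quote in the filter chain (for example `regex_replace("'", "\\'")` before `trim`, which I believe the GVariant text format accepts — worth verifying) or assert the variable contains none. The unanchored `regexp: "banner-message-enable"` / `"banner-message-text"` also match commented-out lines; anchoring with `^` keeps the edit on the intended key.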
@@ -106,12 +106,14 @@ create: true owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' loop: - - { regexp: '^user-db:user', line: 'user-db:user', insertafter: EOF } - - { regexp: '^system-db:{{ prelim_dconf_system_db }}', line: 'system-db:{{ prelim_dconf_system_db }}', insertafter: 'user-db:user'} - - { regexp: '^file-db:/usr/share/gdm/greeter-dconf-defaults', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults', insertafter: 'system-db:{{ prelim_dconf_system_db }}'} - notify: Update dconf + - { regexp: "^user-db:user", line: "user-db:user", insertafter: EOF } + - { regexp: "^system-db:{{ prelim_dconf_system_db }}", line: "system-db:{{ prelim_dconf_system_db }}", insertafter: "user-db:user" } + - regexp: "^file-db:/usr/share/gdm/greeter-dconf-defaults" + line: "file-db:/usr/share/gdm/greeter-dconf-defaults" + insertafter: "system-db:{{ prelim_dconf_system_db }}" + notify: Update dconf - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle" when: @@ -132,16 +134,19 @@ line: "{{ item.line }}" insertafter: "{{ item.after | default(omit) }}" create: true + owner: root + group: root + mode: 'u-x,go-wx' loop: - - { regexp: 'user-db:user', line: 'user-db:user' } - - { regexp: 'system-db:{{ prelim_dconf_system_db }}', line: 'system-db:{{ prelim_dconf_system_db }}', after: '^user-db.*' } + - { regexp: "user-db:user", line: "user-db:user" } + - { regexp: "system-db:{{ prelim_dconf_system_db }}", line: "system-db:{{ prelim_dconf_system_db }}", after: "^user-db.*" } - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | make directory" ansible.builtin.file: path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory notify: Update dconf @@ -151,7 +156,7 @@ dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-screensaver" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden" 
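Review bot: The third loop item under the `disable-user-list setting profile` task is rewritten as a block mapping while the first two stay inline mappings, so one `loop` now mixes flow and block styles; either write all three as block mappings or keep the inline form and break the long line inside the braces. The regexps `"^system-db:{{ prelim_dconf_system_db }}"` interpolate the discovered db name unescaped into a regex; `{{ prelim_dconf_system_db | regex_escape }}` stops a name with metacharacters from matching the wrong line (and if `prelim_dconf_system_db` is still the registered result mapping rather than a string, both the regex and the file path are wrong — see the prelim task). The `1.7.4` profile task in the next hunk uses unanchored `regexp: "user-db:user"` while this one anchors with `^`; consistent anchoring would help.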
@@ -171,7 +176,7 @@ path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory notify: Update dconf @@ -181,7 +186,7 @@ dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks/00-screensaver" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" @@ -205,7 +210,7 @@ path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory notify: Update dconf @@ -215,7 +220,7 @@ dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-media-automount" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" @@ -239,7 +244,7 @@ path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory notify: Update dconf @@ -249,7 +254,7 @@ dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks/00-automount_lock" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled" @@ -273,7 +278,7 @@ path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory notify: Update dconf @@ -283,7 +288,7 @@ dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-media-autorun" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden" @@ -307,7 +312,7 @@ path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory notify: Update dconf 
@@ -317,7 +322,7 @@ dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks/00-autorun_lock" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Update dconf - name: "1.7.10 | PATCH | Ensure XDCMP is not enabled" @@ -334,5 +339,5 @@ - NIST800-53R5_SI-4 ansible.builtin.lineinfile: path: /etc/gdm3/custom.conf - regexp: '^Enable.*=.*true' + regexp: "^Enable.*=.*true" state: absent diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 739e3fb3..8e037db8 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml 
@@ -676,35 +676,35 @@ - rule_2.1.21 - NIST800-53R5_CM-7 vars: - warn_control_id: '2.2.21' + warn_control_id: "2.2.21" block: - name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed" when: "'exim4' in ansible_facts.packages" - ansible.builtin.lineinfile: + ansible.builtin.lineinfile: # noqa: args[module] path: /etc/exim4/update-exim4.conf.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - with_items: - - { regexp: '^dc_eximconfig_configtype', line: "dc_eximconfig_configtype='local'" } - - { regexp: '^dc_local_interfaces', line: "dc_local_interfaces='127.0.0.1 ; ::1'" } - - { regexp: '^dc_readhost', line: "dc_readhost=''" } - - { regexp: '^dc_relay_domains', line: "dc_relay_domains=''" } - - { regexp: '^dc_minimaldns', line: "dc_minimaldns='false'" } - - { regexp: '^dc_relay_nets', line: "dc_relay_nets=''" } - - { regexp: '^dc_smarthost', line: "dc_smarthost=''" } - - { regexp: '^dc_use_split_config', line: "dc_use_split_config='false'" } - - { regexp: '^dc_hide_mailname', line: "dc_hide_mailname=''" } - - { regexp: '^dc_mailname_in_oh', line: "dc_mailname_in_oh='true'" } - - { regexp: '^dc_localdelivery', line: "dc_localdelivery='mail_spool'" } - notify: Restart exim4 + loop: + - { regexp: "^dc_eximconfig_configtype", line: "dc_eximconfig_configtype='local'" } + - { regexp: "^dc_local_interfaces", line: "dc_local_interfaces='127.0.0.1 ; ::1'" } + - { regexp: "^dc_readhost", line: "dc_readhost=''" } + - { regexp: "^dc_relay_domains", line: "dc_relay_domains=''" } + - { regexp: "^dc_minimaldns", line: "dc_minimaldns='false'" } + - { regexp: "^dc_relay_nets", line: "dc_relay_nets=''" } + - { regexp: "^dc_smarthost", line: "dc_smarthost=''" } + - { regexp: "^dc_use_split_config", line: "dc_use_split_config='false'" } + - { regexp: "^dc_hide_mailname", line: "dc_hide_mailname=''" } + - { regexp: "^dc_mailname_in_oh", line: "dc_mailname_in_oh='true'" } + - { regexp: "^dc_localdelivery", line: 
"dc_localdelivery='mail_spool'" } + notify: Restart exim4 - name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if postfix is installed" when: "'postfix' in ansible_facts.packages" notify: Restart postfix ansible.builtin.lineinfile: path: /etc/postfix/main.cf - regexp: '^(#)?inet_interfaces' - line: 'inet_interfaces = loopback-only' + regexp: ^(?#)inet_interfaces + line: "inet_interfaces = loopback-only" - name: "2.1.21 | WARN | Ensure mail transfer agent is configured for local-only mode | Message out other main agents" when: @@ -732,10 +732,10 @@ - rule_2.1.22 - NIST800-53R5_CM-7 vars: - warn_control_id: '2.1.22' + warn_control_id: "2.1.22" block: - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" - ansible.builtin.shell: systemctl list-units --type=service + ansible.builtin.command: systemctl list-units --type=service # noqa command-instead-of-module changed_when: false failed_when: discovered_list_of_services.rc not in [ 0, 1 ] check_mode: false diff --git a/tasks/section_2/cis_2.3.2.x.yml b/tasks/section_2/cis_2.3.2.x.yml index f431e6b1..977290ba 100644 --- a/tasks/section_2/cis_2.3.2.x.yml +++ b/tasks/section_2/cis_2.3.2.x.yml @@ -16,14 +16,14 @@ path: /etc/systemd/timesyncd.conf.d owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "2.3.2.1 | PATCH | Ensure systemd-timesyncd configured with authorized timeserver | sources" ansible.builtin.template: src: "{{ item }}.j2" dest: "/{{ item }}" - mode: '0644' + mode: 'go-wx' owner: root group: root loop: diff --git a/tasks/section_2/cis_2.3.3.x.yml b/tasks/section_2/cis_2.3.3.x.yml index 277e62f5..2c1cfa8f 100644 --- a/tasks/section_2/cis_2.3.3.x.yml +++ b/tasks/section_2/cis_2.3.3.x.yml @@ -15,7 +15,7 @@ ansible.builtin.template: src: "{{ item }}.j2" dest: "/{{ item }}" - mode: '0644' + mode: 'go-wx' owner: root group: root loop: 
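Review bot: `regexp: ^(?#)inet_interfaces` in the postfix task is almost certainly a typo for `(#)?`: in Python regular expressions `(?#...)` is an inline comment, so `(?#)` matches nothing and the pattern degrades to `^inet_interfaces`. A commented-out `#inet_interfaces = all` line, which the old pattern replaced in place, no longer matches, so lineinfile leaves it and appends a second setting at EOF instead. Restore the optional hash and keep the value quoted: `regexp: '^(#)?inet_interfaces'`. The enclosing 2.1.21 block starts outside the hunk.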
diff --git a/tasks/section_2/cis_2.4.1.x.yml b/tasks/section_2/cis_2.4.1.x.yml index 17d594bf..aee59b39 100644 --- a/tasks/section_2/cis_2.4.1.x.yml +++ b/tasks/section_2/cis_2.4.1.x.yml @@ -32,7 +32,7 @@ path: /etc/crontab owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" when: ubtu22cis_rule_2_4_1_3 @@ -48,7 +48,7 @@ path: /etc/cron.hourly owner: root group: root - mode: '0700' + mode: 'u+rwx,go-rwx' state: directory - name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" @@ -65,7 +65,7 @@ path: /etc/cron.daily owner: root group: root - mode: '0700' + mode: 'u+rwx,go-rwx' state: directory - name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" @@ -82,7 +82,7 @@ path: /etc/cron.weekly owner: root group: root - mode: '0700' + mode: 'u+rwx,go-rwx' state: directory - name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" @@ -99,7 +99,7 @@ path: /etc/cron.monthly owner: root group: root - mode: '0700' + mode: 'u+rwx,go-rwx' state: directory - name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" @@ -116,7 +116,7 @@ path: /etc/cron.d owner: root group: root - mode: '0700' + mode: 'u+rwx,go-rwx' state: directory - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users" 
@@ -135,24 +135,12 @@ path: /etc/cron.deny state: absent - - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Check for cron.allow" - ansible.builtin.stat: - path: /etc/cron.allow - register: ubtu22cis_2_4_1_8_status - - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Create cron.allow if doesn't exist" - when: not ubtu22cis_2_4_1_8_status.stat.exists ansible.builtin.file: path: /etc/cron.allow owner: root group: root mode: 'u-x,g-wx,o-rwx' + access_time: preserve + modification_time: preserve state: touch - - - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Update cron.allow if exists" - when: ubtu22cis_2_4_1_8_status.stat.exists - ansible.builtin.file: - path: /etc/cron.allow - owner: root - group: root - mode: 'u-x,g-wx,o-rwx' diff --git a/tasks/section_2/cis_2.4.2.x.yml b/tasks/section_2/cis_2.4.2.x.yml index d1177d03..4f5b3e58 100644 --- a/tasks/section_2/cis_2.4.2.x.yml +++ b/tasks/section_2/cis_2.4.2.x.yml @@ -16,24 +16,12 @@ path: /etc/at.deny state: absent - - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Check for at.allow" - ansible.builtin.stat: - path: /etc/at.allow - register: ubtu22cis_2_4_2_1_status - - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Create at.allow if doesn't exist" - when: not ubtu22cis_2_4_2_1_status.stat.exists ansible.builtin.file: path: /etc/at.allow owner: root group: root mode: 'u-x,g-wx,o-rwx' + access_time: preserve + modification_time: preserve state: touch - - - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | update at.allow if exists" - when: ubtu22cis_2_4_2_1_status.stat.exists - ansible.builtin.file: - path: /etc/at.allow - owner: root - group: root - mode: 'u-x,g-wx,o-rwx' diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 543dc8af..16bce82f 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -47,7 +47,7 @@ dest: "/{{ item }}" owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' notify: Flush ipv6 route table loop: - etc/sysctl.d/60-disable_ipv6.conf @@ -67,7 +67,7 @@ block: - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" when: "'network-manager' in ansible_facts.packages" - ansible.builtin.shell: nmcli radio wifi + ansible.builtin.command: nmcli radio wifi changed_when: false failed_when: false check_mode: false @@ -77,7 +77,7 @@ when: - "'network-manager' in ansible_facts.packages" - "'enabled' in discovered_wifi_status.stdout" - ansible.builtin.shell: nmcli radio all off + ansible.builtin.command: nmcli radio all off changed_when: discovered_nmcli_radio_off.rc == 0 register: discovered_nmcli_radio_off diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 62840cbd..7199f683 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -17,6 +17,9 @@ regexp: '^(#)?install dccp(\\s|$)' line: "{{ item }}" create: true + owner: root + group: root + mode: 'go-wx' loop: - install dccp /bin/true - blacklist dccp @@ -27,7 +30,7 @@ regexp: "^(#)?blacklist cramfs(\\s|$)" line: "blacklist cramfs" create: true - mode: '0600' + mode: 'go-wx' - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available" when: ubtu22cis_rule_3_2_2 @@ -46,6 +49,9 @@ regexp: '^(#)?install tipc(\\s|$)' line: "{{ item }}" create: true + owner: root + group: root + mode: 'go-wx' loop: - install tipc /bin/true - blacklist tipc @@ -56,7 +62,7 @@ regexp: "^(#)?blacklist tipc(\\s|$)" line: "blacklist tipc" create: true - mode: '0600' + mode: 'go-wx' - name: "3.2.3 | PATCH | Ensure rds kernel module is not available" when: ubtu22cis_rule_3_2_3 @@ -75,6 +81,9 @@ regexp: '^(#)?install rds(\\s|$)' line: "{{ item }}" create: true + owner: root + group: root + mode: 'go-wx' loop: - install rds /bin/true - blacklist rds 
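Review bot: The `@@ -27,7 +30,7 @@` hunk changes only `mode` on the blacklist lineinfile under the 3.2.1 dccp task, whereas the matching sctp hunk (`@@ -114,4 +126,6 @@`) also adds `owner: root` and `group: root`; the tipc (`@@ -56,7 +62,7 @@`) and rds (`@@ -85,7 +94,7 @@`) hunks have the same gap, so all four blacklist tasks should carry the same three keys. Separately, that dccp subtask writes `line: "blacklist cramfs"` — judging from the surrounding lines this looks like a copy-paste leftover that was presumably meant to be `blacklist dccp`; the task's `path:` is outside the hunk, so please confirm which file it targets. Note also that `mode: 'go-wx'` on a `create: true` file yields `0644` for a freshly created file while a file this role previously set to `0600` keeps `0600`, so hosts will differ in the resulting mode.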
@@ -85,7 +94,7 @@ regexp: "^(#)?blacklist rds(\\s|$)" line: "blacklist rds" create: true - mode: '0600' + mode: 'go-wx' - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available" when: ubtu22cis_rule_3_2_4 @@ -104,6 +113,9 @@ regexp: '^(#)?install sctp(\\s|$)' line: "{{ item }}" create: true + owner: root + group: root + mode: 'go-wx' loop: - install sctp /bin/true - blacklist sctp @@ -114,4 +126,6 @@ regexp: "^(#)?blacklist sctp(\\s|$)" line: "blacklist sctp" create: true - mode: '0600' + owner: root + group: root + mode: 'go-wx' diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index 09d19aad..36da60fe 100644 --- a/tasks/section_4/cis_4.1.x.yml +++ b/tasks/section_4/cis_4.1.x.yml @@ -135,14 +135,14 @@ warn_control_id: '4.1.6' block: - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -4tuln + ansible.builtin.command: ss -4tuln changed_when: false failed_when: false check_mode: false register: discovered_list_open_listen_ports - name: "4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Get list of firewall rules" - ansible.builtin.shell: ufw status + ansible.builtin.command: ufw status changed_when: false failed_when: false check_mode: false diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml index c4372987..c5258c80 100644 --- a/tasks/section_4/cis_4.2.x.yml +++ b/tasks/section_4/cis_4.2.x.yml 
@@ -96,10 +96,10 @@ ansible.builtin.debug: msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables | Message out warning" # ansible.builtin.shell: "nft create table {{ ubtu22cis_nftables_table_name }}" - # changed_when: ubtu22cis_4_2_4_new_table.rc == 0 + # changed_when: discovered_new_nftables_table.rc == 0 # failed_when: false # check_mode: false - # register: ubtu22cis_4_2_4_new_table + # register: discovered_new_nftables_table - name: "4.2.4 | AUDIT | Ensure a nftables table exists | Set warning count" ansible.builtin.import_tasks: diff --git a/tasks/section_4/cis_4.3.2.x.yml b/tasks/section_4/cis_4.3.2.x.yml index 1b7364eb..589968ad 100644 --- a/tasks/section_4/cis_4.3.2.x.yml +++ b/tasks/section_4/cis_4.3.2.x.yml @@ -133,14 +133,14 @@ warn_control_id: '4.3.2.4' block: - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -4tuln + ansible.builtin.command: ss -4tuln changed_when: false failed_when: false check_mode: false register: discovered_list_open_ports - name: "4.3.2.4 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.shell: iptables -L INPUT -v -n + ansible.builtin.command: iptables -L INPUT -v -n changed_when: false failed_when: false check_mode: false @@ -176,9 +176,9 @@ # - name: "Make IPTables persistent | Save to persistent files" # ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4" -# changed_when: ubtu22cis_iptables_save.rc == 0 -# failed_when: ubtu22cis_iptables_save.rc > 0 -# register: ubtu22cis_iptables_save +# changed_when: discovered_ip4tables_save.rc == 0 +# failed_when: discovered_ip4tables_save.rc > 0 +# register: discovered_ip4tables_save # when: # - ubtu22cis_firewall_package == "iptables" # - ubtu22cis_save_iptables_cis_rules 
diff --git a/tasks/section_4/cis_4.3.3.x.yml b/tasks/section_4/cis_4.3.3.x.yml index 130033e5..2470855f 100644 --- a/tasks/section_4/cis_4.3.3.x.yml +++ b/tasks/section_4/cis_4.3.3.x.yml @@ -125,14 +125,14 @@ warn_control_id: '4.3.3.4' block: - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of open ports" - ansible.builtin.shell: ss -6tuln + ansible.builtin.command: ss -6tuln changed_when: false failed_when: false check_mode: false register: discovered_list_ip6tables_open_ports - name: "4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of rules" - ansible.builtin.shell: ip6tables -L INPUT -v -n + ansible.builtin.command: ip6tables -L INPUT -v -n changed_when: false failed_when: false check_mode: false @@ -170,9 +170,9 @@ # - name: "Make IP6Tables persistent | Save to persistent files" # ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6" -# changed_when: ubtu22cis_ip6tables_save.rc == 0 -# failed_when: ubtu22cis_ip6tables_save.rc > 0 -# register: ubtu22cis_ip6tables_save +# changed_when: discovered_ip6tables_save.rc == 0 +# failed_when: discovered_ip6tables_save.rc > 0 +# register: discovered_ip6tables_save # when: # - ubtu22cis_firewall_package == "iptables" # - ubtu22cis_ipv6_required diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 8660e4e1..51cee835 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -14,7 +14,7 @@ path: /etc/ssh/sshd_config owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured" when: ubtu22cis_rule_5_1_2 @@ -66,7 +66,7 @@ path: "{{ item.path }}" owner: root group: root - mode: '0644' + mode: 'go-wx' with_items: - "{{ discovered_ssh_host_pub_keys.files }}" loop_control: diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index b11d6812..642368e9 100644 
--- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -19,7 +19,7 @@ dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwunix_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' notify: Pam_auth_update_pwunix - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled" @@ -41,7 +41,7 @@ dest: "/{{ ubtu22cis_pam_confd_dir }}{{ item }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' loop: - "{{ ubtu22cis_pam_faillock_file }}" - "{{ ubtu22cis_pam_faillock_notify_file }}" @@ -67,7 +67,7 @@ dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwquality_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' notify: Pam_auth_update_pwquality - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled" @@ -88,5 +88,5 @@ dest: "/{{ ubtu22cis_pam_confd_dir }}{{ ubtu22cis_pam_pwhistory_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' notify: Pam_auth_update_pwhistory diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml index 052bb9a9..dc0782c0 100644 --- a/tasks/section_5/cis_5.3.3.1.x.yml +++ b/tasks/section_5/cis_5.3.3.1.x.yml @@ -18,6 +18,9 @@ line: "deny = {{ ubtu22cis_faillock_deny }}" insertafter: '^# end of pam-auth-update config' create: true + owner: root + group: root + mode: 'go-wx' - name: "5.3.3.1.1 | AUDIT | Ensure password failed attempts lockout is configured | discover pam config with deny" ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?deny\b' /usr/share/pam-configs/* @@ -53,6 +56,9 @@ line: "unlock_time = {{ ubtu22cis_faillock_unlock_time }}" insertafter: '^# end of pam-auth-update config' create: true + owner: root + group: root + mode: 'go-wx' - name: "5.3.3.1.2 | AUDIT | Ensure password unlock time is configured | discover pam config with unlock_time" ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?unlock_time\b' /usr/share/pam-configs/* 
@@ -88,6 +94,9 @@ line: "{{ ubtu22cis_pamroot_lock_string }}" insertafter: '^# end of pam-auth-update config' create: true + owner: root + group: root + mode: 'go-wx' - name: "5.3.3.1.3 | AUDIT | Ensure password failed attempts lockout includes root account | discover pam config with unlock_time" ansible.builtin.shell: grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?(even_deny_root\b|root_unlock_time\s*=\s*\d+\b)' /usr/share/pam-configs/* diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml index f972c75f..37d4df57 100644 --- a/tasks/section_5/cis_5.3.3.2.x.yml +++ b/tasks/section_5/cis_5.3.3.2.x.yml @@ -29,7 +29,7 @@ dest: "/{{ ubtu22cis_passwd_difok_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured" when: @@ -60,7 +60,7 @@ dest: "/{{ ubtu22cis_passwd_minlen_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured" when: @@ -91,7 +91,7 @@ dest: "/{{ ubtu22cis_passwd_complex_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured" when: @@ -122,7 +122,7 @@ dest: "/{{ ubtu22cis_passwd_maxrepeat_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured" when: @@ -153,7 +153,7 @@ dest: "/{{ ubtu22cis_passwd_maxsequence_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled" when: @@ -184,7 +184,7 @@ dest: "/{{ ubtu22cis_passwd_dictcheck_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced" when: 
@@ -215,7 +215,7 @@ dest: "/{{ ubtu22cis_passwd_quality_enforce_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.8 | PATCH | Ensure password quality is enforced for the root user" when: @@ -232,4 +232,4 @@ dest: "/{{ ubtu22cis_passwd_quality_enforce_root_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 20712f06..f1c5cd6a 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -33,7 +33,7 @@ when: - ubtu22cis_disruption_high - (item != 'root') or (not ubtu22cis_uses_root) - ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass_max_days }} {{ item }} + ansible.builtin.command: chage --maxdays {{ ubtu22cis_pass_max_days }} {{ item }} failed_when: false changed_when: discovered_max_days.stdout | length > 0 loop: "{{ discovered_max_days.stdout_lines }}" @@ -57,7 +57,7 @@ line: 'PASS_MIN_DAYS {{ ubtu22cis_pass_min_days }}' - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Get existing users PASS_MIN_DAYS" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu22cis_pass_min_days }})) {print $1}' /etc/shadow" + ansible.builtin.command: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu22cis_pass_min_days }})) {print $1}' /etc/shadow" changed_when: false failed_when: false register: discovered_passwd_min_days @@ -66,7 +66,7 @@ when: - ubtu22cis_disruption_high - (item != 'root') or (not ubtu22cis_uses_root) - ansible.builtin.shell: chage --mindays {{ ubtu22cis_pass_min_days }} {{ item }} + ansible.builtin.command: chage --mindays {{ ubtu22cis_pass_min_days }} {{ item }} failed_when: false changed_when: discovered_passwd_min_days.stdout |length > 0 loop: "{{ discovered_passwd_min_days.stdout_lines }}" 
@@ -99,7 +99,7 @@ when: - ubtu22cis_disruption_high - (item != 'root') or (not ubtu22cis_uses_root) - ansible.builtin.shell: chage --maxdays {{ ubtu22cis_pass_warn_age }} {{ item }} + ansible.builtin.command: chage --maxdays {{ ubtu22cis_pass_warn_age }} {{ item }} failed_when: false changed_when: discovered_passwd_warn_days.stdout | length > 0 loop: "{{ discovered_passwd_warn_days.stdout_lines }}" @@ -139,11 +139,12 @@ - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured| Set inactive period for new users" when: discovered_passwd_inactive_setting.stdout != ubtu22cis_pass_inactive | string - ansible.builtin.shell: useradd -D -f {{ ubtu22cis_pass_inactive }} + ansible.builtin.command: useradd -D -f {{ ubtu22cis_pass_inactive }} failed_when: false + changed_when: true - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | Get Individual users" - ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<{{ ubtu22cis_pass_inactive }}))) {print $1}' /etc/shadow" + ansible.builtin.shell: awk -F':' '(/^[^:]+:[^!*]/ && ($7~/(\\s*|-1)/ || ( $7>1 && $7<"{{ ubtu22cis_pass_inactive }}"))) {print $1}' /etc/shadow changed_when: false failed_when: false register: discovered_passwd_inactive_users @@ -153,8 +154,9 @@ - ubtu22cis_disruption_high - discovered_passwd_inactive_users.stdout | length > 0 - (item != 'root') and (not ubtu22cis_uses_root) - ansible.builtin.shell: chage --inactive {{ ubtu22cis_pass_inactive }} {{ item }} + ansible.builtin.command: chage --inactive {{ ubtu22cis_pass_inactive }} {{ item }} failed_when: false + changed_when: true with_items: - "{{ ubtu22cis_passwd | map(attribute='id') | list | intersect(discovered_passwd_inactive_users.stdout_lines) | list }}" 
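Review bot: `chage --maxdays {{ ubtu22cis_pass_warn_age }} {{ item }}` sets the maximum password age to the warning-age value; judging from the variable names and the `discovered_passwd_warn_days` loop this task is meant to set the warning period, which is `chage --warndays {{ ubtu22cis_pass_warn_age }} {{ item }}`. As written, with a typical warn age of 7, every looped account would get a 7-day maximum password age, and `failed_when: false` would hide nothing because the command succeeds. The task name and the rest of its `when:` list start outside the hunk, so please confirm against the full task.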
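Review bot: Wrapping the templated value in double quotes, `$7<"{{ ubtu22cis_pass_inactive }}"`, turns the awk comparison into a string comparison (a string-constant operand forces string semantics), so with an inactive value of `30` an account whose `$7` is `100` is reported and one whose `$7` is `5` is not. The surrounding single quotes already isolate the awk program from the shell, so the numeric form of the old line, `$7<{{ ubtu22cis_pass_inactive }}`, is what is wanted. Dropping the YAML double quotes also changes `\\s*` from the `\s*` escape (which matched the empty string, i.e. every account) into a literal backslash in the awk regex, so the `($7~/(\\s*|-1)/` branch now effectively matches only `-1`; worth re-checking what that branch is meant to catch, e.g. `$7 == "" || $7 == -1`.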
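Review bot: The condition `(item != 'root') and (not ubtu22cis_uses_root)` in this task differs from the `or` form used by the `--maxdays` and `--mindays` tasks above; with `and`, root is never processed and nothing at all is processed once `ubtu22cis_uses_root` is true, which looks unintended. Unless the stricter gating is deliberate, align it with the others as `- (item != 'root') or (not ubtu22cis_uses_root)`. The task header is outside the hunk.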
@@ -202,7 +204,8 @@ when: - ubtu22cis_disruption_high - discovered_passwd_future_user_list.stdout | length > 0 - ansible.builtin.shell: passwd --expire {{ item }} + ansible.builtin.command: passwd --expire {{ item }} failed_when: false + changed_when: true with_items: - "{{ discovered_passwd_future_user_list.stdout_lines }}" diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index adaa8ea3..b7f5987d 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -17,7 +17,7 @@ - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - ansible.builtin.shell: passwd -l {{ item }} + ansible.builtin.command: passwd -l {{ item }} changed_when: false failed_when: false loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}" @@ -41,9 +41,9 @@ block: - name: "5.4.2.2 | AUDIT | Ensure root is the only GID 0 account | Get members of gid 0" ansible.builtin.shell: "awk -F: '($1 !~ /^(sync|shutdown|halt|operator)/ && $4==\"0\") {print $1}' /etc/passwd | grep -wv 'root'" - register: discovered_gid0_members changed_when: false failed_when: discovered_gid0_members.rc not in [ 0, 1 ] + register: discovered_gid0_members - name: "5.4.2.2 | PATCH | Ensure root is the only GID 0 account | Remove users not root from gid 0" when: @@ -51,10 +51,9 @@ - discovered_gid0_members.stdout | length > 0 ansible.builtin.user: name: "{{ item }}" - gid: 0 + group: root state: absent - loop: - - discovered_gid0_members.stdout_lines + loop: "{{ discovered_gid0_members.stdout_lines }}" - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group" when: 
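Review bot: `state: absent` on the `ansible.builtin.user` task in the `@@ -51,10 +51,9 @@` hunk deletes each looped account outright; the new `group: root` key is ignored for an absent user, and the corrected `loop:` expression means this now really runs against every non-root GID-0 member, where the old literal-string loop was a no-op. If the intent is the benchmark's "assign a new GID" option, the task needs `state: present` with `group:` set to a non-zero group; if deletion is the intent, drop `group: root` and say so in the task name, because "Remove users not root from gid 0" reads as a group change. The task's `when:` list starts outside the hunk.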
@@ -74,9 +73,9 @@ block: - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group | Get groups with gid 0" ansible.builtin.shell: "awk -F: '$3==\"0\"{print $1}' /etc/group | grep -vw 'root'" - register: discovered_gid0_groups changed_when: false failed_when: discovered_gid0_groups.rc not in [ 0, 1 ] + register: discovered_gid0_groups - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group | Warning if others gid 0 groups" when: @@ -174,7 +173,7 @@ state: directory owner: root group: root - mode: '0755' + mode: 'go-w' follow: false loop: "{{ discovered_root_path_perms.results }}" loop_control: @@ -196,6 +195,9 @@ regexp: \s*umask line: "umask {{ ubtu22cis_root_umask }}" create: true + owner: root + group: root + mode: 'g-wx,o-rwx' - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" when: diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml index b2b1f73d..97e6d7d7 100644 --- a/tasks/section_5/cis_5.4.3.x.yml +++ b/tasks/section_5/cis_5.4.3.x.yml @@ -34,7 +34,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: '0644' + mode: 'u-x,go-wx' block: | TMOUT={{ ubtu22cis_shell_session_timeout }} readonly TMOUT diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 4ae89909..267f0b78 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -54,7 +54,7 @@ - name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE" when: not ansible_check_mode - ansible.builtin.shell: aideinit -y -f + ansible.builtin.command: aideinit -y -f args: creates: "{{ ubtu22cis_aide_db_file }}" async: "{{ ubtu22cis_aide_init_async }}" @@ -93,7 +93,7 @@ dest: "/{{ item }}" owner: root group: root - mode: '0644' + mode: 'go-wx' loop: - etc/systemd/system/aidecheck.service - etc/systemd/system/aidecheck.timer 
diff --git a/tasks/section_6/cis_6.2.1.1.x.yml b/tasks/section_6/cis_6.2.1.1.x.yml index d78a0ba8..88c9d25f 100644 --- a/tasks/section_6/cis_6.2.1.1.x.yml +++ b/tasks/section_6/cis_6.2.1.1.x.yml @@ -33,7 +33,7 @@ - name: "6.2.1.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions" ansible.builtin.file: path: /usr/lib/tmpfiles.d/systemd.conf - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.1.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file" ansible.builtin.stat: @@ -81,7 +81,7 @@ dest: /etc/systemd/journald.conf.d/rotation.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' notify: Restart journald - name: "6.2.1.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries" @@ -116,7 +116,7 @@ dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' notify: Restart journald - name: "6.2.1.1.4 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" @@ -143,7 +143,7 @@ dest: /etc/systemd/journald.conf.d/storage.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' notify: Restart journald - name: "6.2.1.1.5 | PATCH | Ensure journald Storage is configured | comment out current entries" @@ -169,7 +169,7 @@ dest: /etc/systemd/journald.conf.d/storage.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' notify: Restart journald - name: "6.2.1.1.6 | PATCH | Ensure journald Compress is configured | comment out current entries" diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml index a4937b3d..6d756300 100644 --- a/tasks/section_6/cis_6.3.3.x.yml +++ b/tasks/section_6/cis_6.3.3.x.yml @@ -275,5 +275,5 @@ - rule_6.3.3.21 - auditd - NIST800-53R5_AU-3 - ansible.builtin.shell: augenrules --check + ansible.builtin.command: augenrules --check changed_when: false 
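Review bot: The `@@ -33,7 +33,7 @@` hunk applies `mode: 'g-wx,o-rwx'` to `/usr/lib/tmpfiles.d/systemd.conf` itself, i.e. it restricts who can read the tmpfiles configuration rather than the journal files that configuration declares; as I read control 6.2.1.1.2 the target is the mode in the `z`/`Z` entries for `/var/log/journal`, which a chmod of the config file does not change. Please confirm the intent; if the `0640` is meant for the journal entries, an override under `/etc/tmpfiles.d/` written with `ansible.builtin.copy` or `lineinfile` would be the fix, and a file under `/usr/lib/` is package-owned and will be reset on the next systemd upgrade anyway. This task also lacks the `owner`/`group` keys that every sibling hunk sets.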
diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 083aad30..9c72472e 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -197,7 +197,7 @@ - ubtu22cis_no_world_write_adjust ansible.builtin.file: path: '{{ item }}' - mode: o-w + mode: 'o-w' state: touch loop: "{{ discovered_worldwriteable_files.stdout_lines }}" @@ -220,7 +220,7 @@ warn_control_id: '7.1.12' block: - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories" - ansible.builtin.shell: 'find {{ ubtu22cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs' + ansible.builtin.command: 'find {{ ubtu22cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs' changed_when: false failed_when: false check_mode: false @@ -280,7 +280,7 @@ warn_control_id: '7.1.13' block: - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID" - ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs + ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs changed_when: false failed_when: false check_mode: false diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index e22f07f5..9bbe850a 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -1,5 +1,4 @@ --- - - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" when: ubtu22cis_rule_7_2_1 tags: @@ -10,7 +9,7 @@ - user_accounts - NIST800-53R5_IA-5 vars: - warn_control_id: '7.2.1' + warn_control_id: "7.2.1" block: - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords" ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd 
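Review bot: `state: touch` on the world-writable-file remediation in the `@@ -197,7 +197,7 @@` hunk rewrites atime/mtime of every file in `discovered_worldwriteable_files.stdout_lines` on each run, so the task is never idempotent and it overwrites filesystem timestamps that incident responders rely on, when only the `mode: 'o-w'` change is wanted. Use `state: file` (the loop holds paths `find` just returned) or, as this same patch does for `cron.allow`, add `access_time: preserve` and `modification_time: preserve`. The task's `when:` starts outside the hunk.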
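Review bot: The SUID/SGID audit command `find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs` in the `@@ -280,7 +280,7 @@` hunk is not valid `find` syntax — `-perm` takes a single mode, the grouping belongs around two `-perm` tests, and the operator is `-o`, not `or` — so `find` exits with a usage error that `failed_when: false` swallows and the review list is always empty. The working form is `find {{ item.mount }} -xdev -type f \( -perm -2000 -o -perm -4000 \) -not -fstype nfs`, which the `command` module's argument splitting passes through intact. The 7.1.13 block starts outside the hunk.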
@@ -69,7 +68,7 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 vars: - warn_control_id: '7.2.3' + warn_control_id: "7.2.3" block: - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' @@ -81,7 +80,7 @@ - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" when: discovered_passwd_gid_check.stdout | length > 0 ansible.builtin.debug: - msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join (', ') }}" + msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join(', ') }}" - name: "7.2.3 | WARNING | Ensure all groups in /etc/passwd exist in /etc/group | warn_count" when: discovered_passwd_gid_check.stdout | length > 0 @@ -98,12 +97,12 @@ - user - NIST800-53R5_IA-5 vars: - warn_control_id: '7.2.4' + warn_control_id: "7.2.4" block: - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group" ansible.builtin.getent: database: group - split: ':' + split: ":" key: shadow - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group" @@ -130,7 +129,7 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 vars: - warn_control_id: '7.2.5' + warn_control_id: "7.2.5" block: - name: "7.2.5 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" @@ -163,7 +162,7 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 vars: - warn_control_id: '7.2.6' + warn_control_id: "7.2.6" block: - name: "7.2.6 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" 
@@ -196,7 +195,7 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 vars: - warn_control_id: '7.2.7' + warn_control_id: "7.2.7" block: - name: "7.2.7 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" @@ -229,10 +228,10 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 vars: - warn_control_id: '7.2.8' + warn_control_id: "7.2.8" block: - name: "7.2.8 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" - ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' + ansible.builtin.shell: "getent passwd | cut -d: -f1 | sort -n | uniq -d" changed_when: false failed_when: false check_mode: false @@ -259,12 +258,12 @@ - NIST800-53R5_NA block: - name: "7.2.9 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent" - ansible.builtin.file: + ansible.builtin.file: # noqa risky-file-permissions path: "{{ item.dir }}" state: directory owner: "{{ item.id }}" group: "{{ item.gid }}" - loop: "{{ ubtu22cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" + loop: "{{ ubtu22cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | list }}" loop_control: label: "{{ item.id }}" @@ -305,7 +304,7 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 vars: - warn_control_id: '7.2.10' + warn_control_id: "7.2.10" block: - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Check for files" ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w 
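Review bot: The 7.2.8 duplicate-group-name check in the `@@ -229,10 +228,10 @@` hunk runs `getent passwd | cut -d: -f1 | sort -n | uniq -d`, i.e. it lists duplicate user names, not group names, so duplicate groups are never reported (and 7.2.7 already covers users via `pwck`). It should read the group database: `ansible.builtin.shell: "getent group | cut -d: -f1 | sort | uniq -d"` — `-n` on names adds nothing, duplicates are adjacent after a plain sort. The block starts outside the hunk.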
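Review bot: The home-directory creation task in the `@@ -259,12 +258,12 @@` hunk sets owner and group but no `mode`, and the new `# noqa risky-file-permissions` silences the lint that flags exactly this; a directory created here gets the umask default (commonly `0755`) while control 7.2.9 expects home directories to be `0750` or more restrictive. Unless a later subtask of 7.2.9, outside the hunk, fixes the mode, add `mode: 'g-w,o-rwx'` — relative, so tighter existing directories are left alone — instead of suppressing the rule.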
@@ -320,7 +319,8 @@ - ubtu22cis_dotperm_ansiblemanaged ansible.builtin.debug: msg: - - "Warning!! We have discovered group or world-writable dot files on your system and this host is configured for manual intervention. Please investigate these files further." + - "Warning!! We have discovered group or world-writable dot files on your system and this host is configured for manual intervention. Please investigate + these files further." - name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured | Set warning count" when: @@ -334,6 +334,6 @@ - discovered_homedir_dot_files.stdout | length > 0 - ubtu22cis_dotperm_ansiblemanaged ansible.builtin.file: - path: '{{ item }}' - mode: go-w + path: "{{ item }}" + mode: 'go-w' with_items: "{{ discovered_homedir_dot_files.stdout_lines }}" diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml index 45497267..e43e31f9 100644 --- a/tasks/warning_facts.yml +++ b/tasks/warning_facts.yml @@ -1,5 +1,4 @@ --- - # This task is used to create variables used in giving a warning summary for manual tasks # that need attention # @@ -14,7 +13,7 @@ # # warn_count is the main variable for the number of warnings and each time a warn_control_id is added # the count increases by a value of 1 -- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." +- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." # noqa name[template] ansible.builtin.set_fact: warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" warn_count: "{{ warn_count | int + 1 }}" From 8d52dde245d4c16da4b54459744479b02abd3eb7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 3 Dec 2024 11:50:56 +0000 Subject: [PATCH 112/135] updated for time_sync Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index fda3bf33..e67a077f 100644 
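Review bot: The `ansible.builtin.file: path: "{{ item }}" mode: 'go-w'` remediation runs privileged over paths harvested from user-writable home directories, and `ansible.builtin.file` follows symlinks by default (`follow` defaults to true), so a user who plants `~/.x -> /some/root-owned/file` gets the role to strip group/other write from that target (the link itself satisfies the feeding find's `-perm /g+w,o+w` since symlinks are 0777). Add `follow: false` to this task so only the listed path itself is modified, and pair it with `-type f` in the discovery find. The 7.2.10 block starts outside this hunk.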
--- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -563,7 +563,7 @@ ubtu22cis_ftp_client: {{ ubtu22cis_ftp_client }} ## Control 2.3.1.1 # This variable choses the tool used for time synchronization # The two options are `chrony`and `systemd-timesyncd`. -ubtu22cis_time_sync_tool: "systemd-timesyncd" +ubtu22cis_time_sync_tool: {{ ubtu22cis_time_sync_tool }} ## Controls 2.3.x - Configure time pools & servers for chrony and timesyncd # The following variable represents a list of of time server pools used @@ -571,7 +571,7 @@ ubtu22cis_time_sync_tool: "systemd-timesyncd" # Each list item contains two settings, `name` (the domain name of the pool) and synchronization `options`. # The default setting for the `options` is `iburst maxsources 4` -- please refer to the documentation # of the time synchronization mechanism you are using. -ubtu22cis_time_pool_name: +ubtu22cis_time_pool: {% for pool in ubtu22cis_time_pool %} - name: {{ pool.name }} options: {{ pool.options }} From 3b12acc119b670ea24f18c0f1f1628a815d31c47 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 3 Dec 2024 11:51:45 +0000 Subject: [PATCH 113/135] updated dev_shm vars and handler Signed-off-by: Mark Bolwell --- handlers/main.yml | 5 +++++ tasks/section_1/cis_1.1.2.2.x.yml | 14 ++++++++------ 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index f6a77e2d..41ff924d 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -47,6 +47,11 @@ - "'/tmp' in mount_names" listen: Writing and remounting tmp +- name: Remount dev_shm + ansible.posix.mount: + path: /dev/shm + state: remounted + - name: Remount var ansible.posix.mount: path: /var diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index 280e3d70..b249d29f 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml 
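Review bot: `ubtu22cis_time_sync_tool: {{ ubtu22cis_time_sync_tool }}` and `options: {{ pool.options }}` are rendered unquoted into a YAML file the audit tool parses; an empty value, or one containing ` #` or `: `, changes the parsed type or breaks the document. Quote both, `ubtu22cis_time_sync_tool: "{{ ubtu22cis_time_sync_tool }}"` and `options: "{{ pool.options }}"`. The rename from `ubtu22cis_time_pool_name` to `ubtu22cis_time_pool` presumably has a matching change on the goss side; that consumer is not visible here.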
@@ -18,16 +18,16 @@ - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check for mount" ansible.builtin.command: findmnt -kn "{{ required_mount }}" changed_when: false - failed_when: discovered_shm_mount.rc not in [ 0, 1 ] - register: discovered_shm_mount + failed_when: discovered_dev_shm_mount.rc not in [ 0, 1 ] + register: discovered_dev_shm_mount - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" - when: discovered_shm_mount is undefined + when: discovered_dev_shm_mount is undefined ansible.builtin.debug: msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Present" - when: discovered_shm_mount is undefined + when: discovered_dev_shm_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml @@ -36,7 +36,7 @@ 1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition 1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" when: - - ubtu22cis_dev_shm_present is defined + - discovered_dev_shm_mount is defined - ubtu22cis_rule_1_1_2_2_2 or ubtu22cis_rule_1_1_2_2_3 or ubtu22cis_rule_1_1_2_2_4 @@ -50,7 +50,9 @@ - rule_1.1.2.2.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: Set_reboot_required + notify: + - Set_reboot_required + - Remount dev_shm ansible.posix.mount: name: /dev/shm src: tmpfs From 588d602e5dc72bdc94990f2fd2de3a67f91f5645 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 3 Dec 2024 11:52:26 +0000 Subject: [PATCH 114/135] updated details Signed-off-by: Mark Bolwell --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index f3a31e71..78f1f010 100644 --- a/Changelog.md +++ b/Changelog.md 
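Review bot: `when: discovered_dev_shm_mount is undefined` can never be true: the `findmnt` task has no `when`, so `register` always defines the variable (rc 0 when mounted, rc 1 when not, as the `failed_when` acknowledges), leaving the "Absent" warning and the `warning_facts.yml` import dead, while the 1.1.2.2.2-4 block's `when: discovered_dev_shm_mount is defined` is always true. Test the return code instead: `when: discovered_dev_shm_mount.rc != 0` on the two Absent tasks, and `discovered_dev_shm_mount.rc == 0` on the options block if adding options should only happen to an existing separate mount (confirm against the intended 1.1.2.2.1 remediation). The options block's `ansible.posix.mount` task continues past the hunk.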
@@ -14,7 +14,7 @@ This is a rewrite off approx 75% of controls - New variables - improved audit related checks - greater options on some controls -- linting improvements +- linting improvements and updated to latest ## Based on CIS V1.0.0 From fee3c71ab0b2f5383dd9a2ac0569adba043bd7b4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 4 Dec 2024 10:17:03 +0000 Subject: [PATCH 115/135] updated Signed-off-by: Mark Bolwell --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index e9cb70f0..7e51eb7d 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 MindPoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal From e5ef95d6908f8af3a42acd0e8405ba6eec8018a1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 4 Dec 2024 11:55:01 +0000 Subject: [PATCH 116/135] updated company name reference Signed-off-by: Mark Bolwell --- templates/audit/98_auditd_exception.rules.j2 | 5 ++++- templates/audit/99_auditd.rules.j2 | 3 ++- templates/etc/chrony/sources.d/pool.sources.j2 | 2 +- templates/etc/chrony/sources.d/server.sources.j2 | 2 +- templates/etc/dconf/db/00-automount_lock.j2 | 2 +- templates/etc/dconf/db/00-autorun_lock.j2 | 2 +- templates/etc/dconf/db/00-media-automount.j2 | 2 +- templates/etc/dconf/db/00-media-autorun.j2 | 2 +- templates/etc/dconf/db/00-screensaver.j2 | 2 +- templates/etc/dconf/db/00-screensaver_lock.j2 | 2 +- templates/etc/grub.d/00_user.j2 | 3 ++- templates/etc/sysctl.d/60-disable_ipv6.conf.j2 | 2 +- templates/etc/systemd/timesyncd.conf.d/50-timesyncd.conf.j2 | 2 +- 13 files changed, 18 insertions(+), 13 deletions(-) 
diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index 54c500b0..f0a0bc3e 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -1,4 +1,7 @@ -## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! +## Ansible controlled file +# Added as part of ansible-lockdown CIS baseline +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown +## YOUR CHANGED WILL BE LOST! # This file contains users whose actions are not logged by auditd {% if allow_auditd_uid_user_exclusions %} diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 87512d76..952a62b6 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,7 +1,8 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC YOUR CHANGED WILL BE LOST! +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown +## YOUR CHANGED WILL BE LOST! # This template will set all of the auditd configurations via a handler in the role in one task instead of individually diff --git a/templates/etc/chrony/sources.d/pool.sources.j2 b/templates/etc/chrony/sources.d/pool.sources.j2 index 3579658c..6d8cca72 100644 --- a/templates/etc/chrony/sources.d/pool.sources.j2 +++ b/templates/etc/chrony/sources.d/pool.sources.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown {% for pool in ubtu22cis_time_pool %} pool {{ pool.name }} {{ pool.options }} diff --git a/templates/etc/chrony/sources.d/server.sources.j2 b/templates/etc/chrony/sources.d/server.sources.j2 index 8c3abe68..91a2a5d5 100644 --- a/templates/etc/chrony/sources.d/server.sources.j2 +++ b/templates/etc/chrony/sources.d/server.sources.j2 
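Review bot: The new header line `## YOUR CHANGED WILL BE LOST!` carries a typo, and since this is a template it is rendered into /etc/audit rules on every managed host (the same text appears in 99_auditd.rules.j2 and 00_user.j2 in this commit). Suggest `## YOUR CHANGES WILL BE LOST!`.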
@@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown {% for server in ubtu22cis_time_servers %} server {{ server.name }} {{ server.options }} diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 index 3534474f..67a080ca 100644 --- a/templates/etc/dconf/db/00-automount_lock.j2 +++ b/templates/etc/dconf/db/00-automount_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown # Lock desktop media-handling automount setting /org/gnome/desktop/media-handling/automount diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 index 392af742..98313302 100644 --- a/templates/etc/dconf/db/00-autorun_lock.j2 +++ b/templates/etc/dconf/db/00-autorun_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown # Lock desktop media-handling settings /org/gnome/desktop/media-handling/autorun-never diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 index 227498e7..f6ebb4c5 100644 --- a/templates/etc/dconf/db/00-media-automount.j2 +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown [org/gnome/desktop/media-handling] automount=false diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 index a8c297f7..2637869a 100644 --- a/templates/etc/dconf/db/00-media-autorun.j2 +++ b/templates/etc/dconf/db/00-media-autorun.j2 
@@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown [org/gnome/desktop/media-handling] autorun-never=true diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index 139c429c..c73d685c 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown # Specify the dconf path diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 index 5d5869f7..c1f7e052 100644 --- a/templates/etc/dconf/db/00-screensaver_lock.j2 +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of CIS -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown # Lock desktop screensaver idle-delay setting /org/gnome/desktop/session/idle-delay diff --git a/templates/etc/grub.d/00_user.j2 b/templates/etc/grub.d/00_user.j2 index 132ac33b..dcb5316e 100644 --- a/templates/etc/grub.d/00_user.j2 +++ b/templates/etc/grub.d/00_user.j2 @@ -1,6 +1,7 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown +## YOUR CHANGED WILL BE LOST! cat < Date: Wed, 4 Dec 2024 12:28:22 +0000 Subject: [PATCH 117/135] addressed #259 thanks to @kbknapp Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 475b3312..8cf8d007 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -65,7 +65,7 @@ when: ubtu22cis_gui ansible.builtin.shell: grep system-db /etc/dconf/profile/user | cut -d ':' -f2 changed_when: false - failed_when: ubtu22cis_dconf_db.rc not in [ 0, 1 ] + failed_when: prelim_dconf_system_db.rc not in [ 0, 1 ] register: prelim_dconf_system_db - name: PRELIM | PATCH | Install cron if required From 34dd800a1f3cbfda1ccdde03baa4d1c66872e534 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 4 Dec 2024 12:29:13 +0000 Subject: [PATCH 118/135] addressed #260 thanks to @kbknapp Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.7.x.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index d4f6367a..0d42d180 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -49,10 +49,10 @@ owner: root group: root mode: 'u-x,go-wx' - loop: - - { regexp: "\\[org\\/gnome\\/login-screen\\]", line: "[org/gnome/login-screen]", insertafter: EOF } - - { regexp: "banner-message-enable", line: "banner-message-enable=true", insertafter: "\\[org\\/gnome\\/login-screen\\]" } - - { regexp: "banner-message-text", line: "banner-message-text='{{ ubtu22cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: "banner-message-enable" } + loop: + - { regexp: "\\[org\\/gnome\\/login-screen\\]", line: "[org/gnome/login-screen]", insertafter: EOF } + - { regexp: "banner-message-enable", line: "banner-message-enable=true", insertafter: "\\[org\\/gnome\\/login-screen\\]" } + - { regexp: "banner-message-text", line: "banner-message-text='{{ ubtu22cis_warning_banner | regex_replace('\n', ' ') | trim }}'", insertafter: "banner-message-enable" } notify: Update dconf - name: "1.7.3 | PATCH | Ensure GDM disable-user-list option is enabled" From 57ca82678a2b272d1e989ff7559bca385ddd6323 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 4 Dec 2024 12:31:21 +0000 Subject: [PATCH 119/135] addressed #261 thanks to kbknapp 
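Review bot: Correcting the variable name makes the `failed_when` reference the right register, but it still checks a value that cannot be non-zero: in `grep system-db /etc/dconf/profile/user | cut -d ':' -f2` the task's rc is `cut`'s, which exits 0 on empty input, so grep's 1 (no match) and 2 (profile file missing) are never seen. Downstream, cis_1.7.x uses `prelim_dconf_system_db.stdout` as a path component, so an absent or unmatched profile yields `/etc/dconf/db/.d`. Run under bash with pipefail (`args: executable: /bin/bash`, command `set -o pipefail; grep system-db /etc/dconf/profile/user | cut -d ':' -f2`), keep rc 1 and 2 non-fatal, and give consumers a defined fallback name (the db name the rest of the role expects is not visible here). The task definition starts outside the hunk.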
Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.7.x.yml | 42 +++++++++++++++++------------------ 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 0d42d180..441c7ea0 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -33,7 +33,7 @@ block: - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | make directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d" owner: root group: root mode: 'go-w' @@ -41,7 +41,7 @@ - name: "1.7.2 | PATCH | Ensure GDM login banner is configured | banner settings" ansible.builtin.lineinfile: # noqa: args[module] - path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-login-screen" + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/00-login-screen" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" @@ -79,12 +79,12 @@ mode: 'go-w' state: directory loop: - - /etc/dconf/db/{{ prelim_dconf_system_db }}.d + - /etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d - /etc/dconf/profile - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | disable-user-list setting login-screen" ansible.builtin.lineinfile: - path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-login-screen" + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/00-login-screen" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" @@ -99,7 +99,7 @@ - name: "1.7.3 | PATCH | Ensure disable-user-list option is enabled | disable-user-list setting profile" ansible.builtin.lineinfile: - path: "/etc/dconf/profile/{{ prelim_dconf_system_db }}" + path: "/etc/dconf/profile/{{ prelim_dconf_system_db.stdout }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.insertafter }}" 
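Review bot: `prelim_dconf_system_db.stdout` is now interpolated straight into paths with no guard: if the prelim grep matched nothing the 1.7.2 tasks create `/etc/dconf/db/.d` and `/etc/dconf/db/.d/00-login-screen`, and a profile with several `system-db:` lines produces a multi-line value embedded in the path. Guard the block, `when: prelim_dconf_system_db.stdout_lines | length == 1`, or pin the name once in prelim with `set_fact` from `prelim_dconf_system_db.stdout_lines | first` and a fallback the role agrees on (the expected db name is not visible here). The same expression is used throughout 1.7.3-1.7.9 in the following hunks; the 1.7.2 block starts outside this hunk.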
@@ -109,10 +109,10 @@ mode: 'u-x,go-wx' loop: - { regexp: "^user-db:user", line: "user-db:user", insertafter: EOF } - - { regexp: "^system-db:{{ prelim_dconf_system_db }}", line: "system-db:{{ prelim_dconf_system_db }}", insertafter: "user-db:user" } + - { regexp: "^system-db:{{ prelim_dconf_system_db.stdout }}", line: "system-db:{{ prelim_dconf_system_db.stdout }}", insertafter: "user-db:user" } - regexp: "^file-db:/usr/share/gdm/greeter-dconf-defaults" line: "file-db:/usr/share/gdm/greeter-dconf-defaults" - insertafter: "system-db:{{ prelim_dconf_system_db }}" + insertafter: "system-db:{{ prelim_dconf_system_db.stdout }}" notify: Update dconf - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle" @@ -129,7 +129,7 @@ block: - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | session profile" ansible.builtin.lineinfile: - path: "/etc/dconf/profile/{{ prelim_dconf_system_db }}" + path: "/etc/dconf/profile/{{ prelim_dconf_system_db.stdout }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" insertafter: "{{ item.after | default(omit) }}" @@ -139,11 +139,11 @@ mode: 'u-x,go-wx' loop: - { regexp: "user-db:user", line: "user-db:user" } - - { regexp: "system-db:{{ prelim_dconf_system_db }}", line: "system-db:{{ prelim_dconf_system_db }}", after: "^user-db.*" } + - { regexp: "system-db:{{ prelim_dconf_system_db.stdout }}", line: "system-db:{{ prelim_dconf_system_db.stdout }}", after: "^user-db.*" } - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | make directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d" owner: root group: root mode: 'go-w' 
@@ -153,7 +153,7 @@ - name: "1.7.4 | PATCH | Ensure GDM screen locks when the user is idle | session script" ansible.builtin.template: src: etc/dconf/db/00-screensaver.j2 - dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-screensaver" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/00-screensaver" owner: root group: root mode: 'u-x,go-wx' @@ -173,7 +173,7 @@ block: - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks" + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/locks" owner: root group: root mode: 'go-w' @@ -183,7 +183,7 @@ - name: "1.7.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lockfile" ansible.builtin.template: src: etc/dconf/db/00-screensaver_lock.j2 - dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks/00-screensaver" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/locks/00-screensaver" owner: root group: root mode: 'u-x,go-wx' @@ -207,7 +207,7 @@ block: - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | make directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d" owner: root group: root mode: 'go-w' @@ -217,7 +217,7 @@ - name: "1.7.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | session script" ansible.builtin.template: src: etc/dconf/db/00-media-automount.j2 - dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-media-automount" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/00-media-automount" owner: root group: root mode: 'u-x,go-wx' 
@@ -241,7 +241,7 @@ block: - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lock directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks" + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/locks" owner: root group: root mode: 'go-w' @@ -251,7 +251,7 @@ - name: "1.7.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | make lockfile" ansible.builtin.template: src: etc/dconf/db/00-automount_lock.j2 - dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks/00-automount_lock" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/locks/00-automount_lock" owner: root group: root mode: 'u-x,go-wx' @@ -275,7 +275,7 @@ block: - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled | make directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d" + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d" owner: root group: root mode: 'go-w' @@ -285,7 +285,7 @@ - name: "1.7.8 | PATCH | Ensure GDM autorun-never is enabled | session script" ansible.builtin.template: src: etc/dconf/db/00-media-autorun.j2 - dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/00-media-autorun" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/00-media-autorun" owner: root group: root mode: 'u-x,go-wx' @@ -309,7 +309,7 @@ block: - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden | make lock directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks" + path: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/locks" owner: root group: root mode: 'go-w' 
@@ -319,7 +319,7 @@ - name: "1.7.9 | PATCH | Ensure GDM autorun-never is not overridden | make lockfile" ansible.builtin.template: src: etc/dconf/db/00-autorun_lock.j2 - dest: "/etc/dconf/db/{{ prelim_dconf_system_db }}.d/locks/00-autorun_lock" + dest: "/etc/dconf/db/{{ prelim_dconf_system_db.stdout }}.d/locks/00-autorun_lock" owner: root group: root mode: 'u-x,go-wx' From d28adb5af7a3e01da9ebc29c390dad59e0605c00 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Dec 2024 11:27:07 +0000 Subject: [PATCH 120/135] fix typo in variable Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 8e037db8..0f50ca5c 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -676,7 +676,7 @@ - rule_2.1.21 - NIST800-53R5_CM-7 vars: - warn_control_id: "2.2.21" + warn_control_id: "2.1.21" block: - name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode | Make changes if exim4 installed" when: "'exim4' in ansible_facts.packages" From 6632b77a3ecab66a4c1b9eb32e216e038d239ad1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Dec 2024 11:53:32 +0000 Subject: [PATCH 121/135] Addressed #262 mount refactor thanks to @bgro Signed-off-by: Mark Bolwell --- .yamllint | 2 +- handlers/main.yml | 179 +++++++++++++++------- tasks/pre_remediation_audit.yml | 4 +- tasks/prelim.yml | 21 ++- tasks/section_1/cis_1.1.2.1.x.yml | 109 +++++++++---- tasks/section_1/cis_1.1.2.2.x.yml | 72 ++++++--- tasks/section_1/cis_1.1.2.3.x.yml | 77 ++++++---- tasks/section_1/cis_1.1.2.4.x.yml | 76 +++++---- tasks/section_1/cis_1.1.2.5.x.yml | 94 ++++++++---- tasks/section_1/cis_1.1.2.6.x.yml | 93 +++++++---- tasks/section_1/cis_1.1.2.7.x.yml | 94 ++++++++---- templates/etc/systemd/system/tmp.mount.j2 | 2 +- 12 files changed, 565 insertions(+), 258 deletions(-) 
diff --git a/.yamllint b/.yamllint index 4cf70478..78eb3e2b 100755 --- a/.yamllint +++ b/.yamllint @@ -17,7 +17,7 @@ rules: comments: ignore-shebangs: true min-spaces-from-content: 1 # prettier compatibility - comments-indentation: enable + comments-indentation: false empty-lines: max: 1 indentation: diff --git a/handlers/main.yml b/handlers/main.yml index 41ff924d..edd42124 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -1,87 +1,152 @@ --- -- name: Writing the tmp file | tmp_systemd - when: - - "'/tmp' in mount_names" - - item.mount == "/tmp" - - tmp_mnt_type == 'tmp_systemd' - ansible.builtin.template: - src: etc/systemd/system/tmp.mount.j2 - dest: /etc/systemd/system/tmp.mount - owner: root - group: root - mode: 'go-wx' - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - listen: Writing and remounting tmp - -- name: Writing the tmp file | fstab - when: - - "'/tmp' in mount_names" - - tmp_mnt_type == 'fstab' - - item.mount == "/tmp" +- name: "Adding options for /tmp" + when: not ubtu22cis_tmp_svc + vars: + mount_point: '/tmp' ansible.posix.mount: - path: /tmp - src: "{{ item.device }}" + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ item.fstype }}" - opts: defaults,{{ tmp_partition_mount_options | unique | join(',') }} - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - listen: Writing and remounting tmp + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /tmp" -- name: Update_Initramfs - ansible.builtin.command: update-initramfs -u - changed_when: true - notify: Set_reboot_required - -- name: Remount tmp +- name: "Remounting /tmp" + vars: + mount_point: '/tmp' ansible.posix.mount: - path: /tmp + path: "{{ mount_point }}" state: remounted - when: - - "'/tmp' in mount_names" - listen: Writing and remounting tmp + listen: "Remount /tmp" -- name: Remount dev_shm +- name: "Remounting /tmp systemd" + vars: + mount_point: '/tmp' + ansible.builtin.systemd: + name: tmp.mount + state: restarted + daemon_reload: true + listen: "Remount /tmp" + +- name: "Adding options for /dev/shm" + vars: + mount_point: '/dev/shm' ansible.posix.mount: - path: /dev/shm - state: remounted + path: "{{ mount_point }}" + src: "{{ 
mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /dev/shm" -- name: Remount var +- name: "Remounting /dev/shm" + vars: + mount_point: '/dev/shm' ansible.posix.mount: - path: /var + path: "{{ mount_point }}" state: remounted + listen: "Remount /dev/shm" + +- name: "Adding options for /home" + vars: + mount_point: '/home' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /home" -- name: Remount var_tmp +- name: "Remounting /home" + vars: + mount_point: '/home' ansible.posix.mount: - path: /var/tmp + path: "{{ mount_point }}" state: remounted + listen: "Remount /home" -- name: Remount var_log +- name: "Adding options for /var" + vars: + mount_point: '/var' ansible.posix.mount: - path: /var/log + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var" + +- name: "Remounting /var" + vars: + mount_point: '/var' + ansible.posix.mount: + path: "{{ mount_point }}" state: remounted + listen: "Remount /var" -- name: Remount var_log_audit +- name: "Adding options for /var/tmp" + vars: + mount_point: '/var/tmp' ansible.posix.mount: - path: /var/log/audit + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') 
}}" + listen: "Remount /var/tmp" + +- name: "Remounting /var/tmp" + vars: + mount_point: '/var/tmp' + ansible.posix.mount: + path: "{{ mount_point }}" state: remounted + listen: "Remount /var/tmp" + +- name: "Adding options for /var/log" + vars: + mount_point: '/var/log' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var/log" -- name: Remount home +- name: "Remounting /var/log" + vars: + mount_point: '/var/log' ansible.posix.mount: - path: /home + path: "{{ mount_point }}" state: remounted + listen: "Remount /var/log" -- name: Remount dev_shm +- name: "Adding options for /var/log/audit" + vars: + mount_point: '/var/log/audit' ansible.posix.mount: - path: /dev/shm - src: /dev/shm + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var/log/audit" + +- name: "Remounting /var/log/audit" + vars: + mount_point: '/var/log/audit' + ansible.posix.mount: + path: "{{ mount_point }}" state: remounted + listen: "Remount /var/log/audit" + +- name: Update_Initramfs + ansible.builtin.command: update-initramfs -u + changed_when: true + notify: Set_reboot_required - name: Grub update ansible.builtin.command: update-grub diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 3db36fd8..3b4990cb 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
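Review bot: `"Remounting /tmp systemd"` (a restart of `tmp.mount`) has no `when`, while `"Adding options for /tmp"` is gated on `not ubtu22cis_tmp_svc`; since all three /tmp handlers listen on `Remount /tmp`, an fstab-managed /tmp triggers a restart of a unit that may not exist and a systemd-managed /tmp also runs the fstab `remounted` handler. Add `when: ubtu22cis_tmp_svc` to the systemd handler and `when: not ubtu22cis_tmp_svc` to `"Remounting /tmp"`. Note also that `state: restarted` on a mount unit unmounts /tmp (discarding tmpfs contents and failing if busy) rather than remounting; if only the options are meant to be applied, a `daemon_reload` followed by a remount (`systemctl reload tmp.mount` if the unit supports it on this release - confirm) is the safer shape. Every `"Adding options"` handler also indexes `mount_point_fs_and_options[mount_point]` unguarded, which errors for a mount point the prelim fact did not record.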
@@ -44,8 +44,8 @@
 ansible.builtin.unarchive:
 src: "{{ audit_conf_source }}"
 dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
- remote_src: "{{ (audit_conf_source is contains ('http'))| ternary(true, false) }}"
- extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', []) }}"
+ remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}"
+ extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}"
 - name: Pre Audit Setup | Check Goss is available
 when: run_audit
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 8cf8d007..deb618db 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -29,6 +29,25 @@
 ansible.builtin.set_fact:
 mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}"
+- name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options
+ tags: always
+ block:
+ - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - call mount # noqa command-instead-of-module
+ ansible.builtin.shell: |
+ mount | awk '{print $1, $3, $5, $6}'
+ changed_when: false
+ register: mount_output
+
+ - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact
+ ansible.builtin.set_fact:
+ mount_point_fs_and_options: >-
+ {%- set mount_point_fs_and_options = {} -%}
+ {%- for line in mount_output.stdout_lines -%}
+ {%- set fields = line.split() -%}
+ {%- set _ = mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%}
+ {%- endfor -%}
+ {{ mount_point_fs_and_options }}
+
 - name: Include audit specific variables
 when:
 - run_audit or audit_only
@@ -198,7 +217,7 @@
 check_mode: false
 register: prelim_uid_zero_accounts_except_root
-- name: PRELIM | PATCH | create journald conf.d directory
+- name: PRELIM | PATCH | Create journald conf.d directory
 when:
 - ubtu22cis_rule_6_2_1_1_3 or
 ubtu22cis_rule_6_2_1_1_5 or
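Review bot: The `build fact` task stores column 1 of `mount` output as `src`, which is the resolved device node (e.g. a `/dev/…` path) rather than the `UUID=`/`LABEL=` source that may be in /etc/fstab, and the `Adding options for …` handlers earlier in this patch write that `src` back with `state: present`; on hosts that mount by UUID this silently rewrites fstab entries to device names that can change between boots. Splitting `mount` output on whitespace also breaks for mount points containing spaces and assumes the options field is parenthesised (`fields[3][1:-1]`). `findmnt -rn -o SOURCE,TARGET,FSTYPE,OPTIONS` gives raw, escaped, fixed columns and `findmnt --fstab` would give the fstab source, so I would replace the `mount | awk '{print $1, $3, $5, $6}'` line with `findmnt -rn -o SOURCE,TARGET,FSTYPE,OPTIONS` and take the fstab `src` from there. A comment that the dict keeps only the last entry for a target that is mounted more than once would also help the next reader.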
diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml
index 05ae9f42..adbfb8f6 100644
--- a/tasks/section_1/cis_1.1.2.1.x.yml
+++ b/tasks/section_1/cis_1.1.2.1.x.yml
@@ -12,62 +12,101 @@ - rule_1.1.2.1.1 - NIST800-53R5_CM-7 vars: - warn_control_id: '1.1.2.1.1' - required_mount: '/tmp' + warn_control_id: "1.1.2.1.1" + required_mount: "/tmp" block: - - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Absent" + - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_tmp_mount.rc not in [ 0, 1 ] + register: discovered_tmp_mount + + - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent" + when: discovered_tmp_mount is undefined ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Present" + - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Present" + when: discovered_tmp_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml # via fstab -- name: | - "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" - "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" - "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" - ansible.posix.mount: - name: /tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_1_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_1_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and ubtu22cis_rule_1_1_2_1_4) %},noexec{% endif %}" - notify: Remount tmp - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" +- name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" when: - - item.mount == "/tmp" + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_1_2 - not 
ubtu22cis_tmp_svc - - ubtu22cis_rule_1_1_2_1_2 or - ubtu22cis_rule_1_1_2_1_3 or - ubtu22cis_rule_1_1_2_1_4 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.1.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/tmp" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_1_3 + - not ubtu22cis_tmp_svc + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.1.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/tmp" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_1_4 + - not ubtu22cis_tmp_svc + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.1.4 - - NIST800-53R5_CM-7 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 + vars: + mount_point: "/tmp" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when # via systemd - name: | - "1.1.2.1.1 | PATCH | Ensure /tmp is configured" - "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" - "1.1.2.1.3 | PATCH | Ensure noexec option set on /tmp partition" - "1.1.2.1.4 | PATCH | 
Ensure nosuid option set on /tmp partition" + "1.1.2.1.1 | PATCH | Ensure /tmp is configured + 1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition + 1.1.2.1.3 | PATCH | Ensure noexec option set on /tmp partition + 1.1.2.1.4 | PATCH | Ensure nosuid option set on /tmp partition" when: - ubtu22cis_tmp_svc - - ubtu22cis_rule_1_1_2_1_1 or - ubtu22cis_rule_1_1_2_1_2 or - ubtu22cis_rule_1_1_2_1_3 or - ubtu22cis_rule_1_1_2_1_4 + - ubtu22cis_rule_1_1_2_1_1 or ubtu22cis_rule_1_1_2_1_2 or ubtu22cis_rule_1_1_2_1_3 or ubtu22cis_rule_1_1_2_1_4 tags: - level1-server - level1-workstation @@ -79,10 +118,12 @@ - rule_1.1.2.1.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 + vars: + mount_point: "/tmp" ansible.builtin.template: src: etc/systemd/system/tmp.mount.j2 dest: /etc/systemd/system/tmp.mount owner: root group: root - mode: 'go-wx' - notify: Systemd restart tmp.mount + mode: "go-wx" + notify: *mount_option_notify diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index b249d29f..26b703c2 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -12,8 +12,8 @@ - rule_1.1.2.2.1 - NIST800-53R5_CM-7 vars: - warn_control_id: '1.1.2.2.1' - required_mount: '/dev/shm' + warn_control_id: "1.1.2.2.1" + required_mount: "/dev/shm" block: - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check for mount" ansible.builtin.command: findmnt -kn "{{ required_mount }}" 
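Review bot: In the `1.1.2.1.1 | AUDIT … | Absent` and `| Present` tasks, `when: discovered_tmp_mount is undefined` can never be true, because `register: discovered_tmp_mount` defines the variable whenever the preceding `findmnt` task runs, so the warning and `warning_facts.yml` are unreachable. findmnt exits 1 when the target is not found and the `failed_when` already tolerates that, so gate on the exit code instead: `when: discovered_tmp_mount.rc != 0`. The same `is undefined` test appears in the hunks for cis_1.1.2.3.x, cis_1.1.2.4.x, cis_1.1.2.5.x, cis_1.1.2.6.x and cis_1.1.2.7.x in this patch. The enclosing block's own `when` starts outside the hunk.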
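Review bot: The tmp.mount template task now notifies `*mount_option_notify` (`Remount /tmp`) instead of `Systemd restart tmp.mount`, so after the unit file is written nothing visible in this patch runs a daemon-reload or restarts `tmp.mount`; a `state: remounted` handler remounts with the options systemd already has loaded, which I would not expect to pick up the new unit file. Either keep a handler that reloads systemd and restarts `tmp.mount` for the systemd path, or add a comment explaining why the remount is sufficient. What the `Remount /tmp` handler does beyond remounting is not visible in this hunk.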
@@ -31,31 +31,65 @@ ansible.builtin.import_tasks: file: warning_facts.yml -- name: | - "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition - 1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition - 1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" +- name: "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition" when: - - discovered_dev_shm_mount is defined - - ubtu22cis_rule_1_1_2_2_2 or - ubtu22cis_rule_1_1_2_2_3 or - ubtu22cis_rule_1_1_2_2_4 + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_2_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.2.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/dev/shm" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_2_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.2.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/dev/shm" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_2_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.2.4 - NIST800-53R5_AC-3 - 
NIST800-53R5_MP-2 - notify: - - Set_reboot_required - - Remount dev_shm - ansible.posix.mount: - name: /dev/shm - src: tmpfs - fstype: tmpfs - state: mounted - opts: defaults,{% if ubtu22cis_rule_1_1_2_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_2_3 %}nosuid,{% endif %}{% if ubtu22cis_rule_1_1_2_2_4 %}noexec{% endif %} + vars: + mount_point: "/dev/shm" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index 1554c645..b45b4650 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml 
@@ -1,55 +1,74 @@ --- - -- name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home" +- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition" when: - ubtu22cis_rule_1_1_2_3_1 - required_mount not in mount_names tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation - audit - mounts - rule_1.1.2.3.1 - NIST800-53R5_CM-7 vars: - warn_control_id: '1.1.2.3.1' - required_mount: '/home' + warn_control_id: "1.1.2.3.1" + required_mount: "/home" block: - - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Warn if partition is absent" + - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_home_mount.rc not in [ 0, 1 ] + register: discovered_home_mount + + - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Absent" + when: discovered_dev_shm_mount is undefined ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" + msg: "Warning!! 
{{ required_mount }} is not mounted on a separate partition" - - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Present" + - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Present" + when: discovered_dev_shm_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition - 1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition +- name: "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition" when: - - "'/home' in mount_names" - - item.mount == "/home" - - ubtu22cis_rule_1_1_2_3_2 or - ubtu22cis_rule_1_1_2_3_3 + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_3_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.3.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/home" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_3_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.3.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: - - Remount home - - Set_reboot_required - ansible.posix.mount: - name: /home - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and 
ubtu22cis_rule_1_1_2_3_3) %},nosuid{% endif %}" - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" + vars: + mount_point: "/home" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index 19929d1b..58ae6f4f 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -1,13 +1,13 @@ --- -- name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var" +- name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition" when: - - required_mount not in mount_names - ubtu22cis_rule_1_1_2_4_1 + - required_mount not in mount_names tags: - - level2-server - - level2-workstation - - patch + - level1-server + - level1-workstation + - audit - mounts - rule_1.1.2.4.1 - NIST800-53R5_CM-7 
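Review bot: The `Absent` and `Present` tasks for /home test `discovered_dev_shm_mount is undefined`, but this block registers `discovered_home_mount`; the name is carried over from cis_1.1.2.2.x, and cis_1.1.2.4.x has the same mismatch against its `discovered_var_mount`. Even with the right name the test is never true once the findmnt task has run, so the condition should be `when: discovered_home_mount.rc != 0`. Separately, the task name now says `PATCH` while the tags in the same hunk say `audit` and the block only warns, and the tags move from level2 to level1; if I remember the benchmark correctly a separate /home partition is a Level 2 control, so please check that against the v2 benchmark.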
@@ -15,41 +15,61 @@ warn_control_id: '1.1.2.4.1' required_mount: '/var' block: - - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Warn if partition is absent" + - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_mount.rc not in [ 0, 1 ] + register: discovered_var_mount + + - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent" + when: discovered_dev_shm_mount is undefined ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Present" + - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present" + when: discovered_dev_shm_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition" - "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" +- name: "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition" when: - - "'/var' in mount_names" - - item.mount == "/var" - - ubtu22cis_rule_1_1_2_4_2 or - ubtu22cis_rule_1_1_2_4_3 + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_4_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.4.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - 
required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_4_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.4.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: - - Remount var - - Set_reboot_required - ansible.posix.mount: - name: /var - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_4_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_4_3) %},nosuid{% endif %}" - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" + vars: + mount_point: "/var" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index f5555672..a830b4b0 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -1,13 +1,12 @@ --- -# Skips if mount is absent -- name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp" +- name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition" when: - ubtu22cis_rule_1_1_2_5_1 - required_mount not in mount_names tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation - audit - mounts - rule_1.1.2.5.1 
@@ -16,44 +15,81 @@ warn_control_id: '1.1.2.5.1' required_mount: '/var/tmp' block: - - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn if partition is absent" + - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_tmp_mount.rc not in [ 0, 1 ] + register: discovered_var_tmp_mount + + - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Absent" + when: discovered_var_tmp_mount is undefined ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" + - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Present" + when: discovered_var_tmp_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition" - "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition" - "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" +- name: "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition" when: - - "'/var/tmp' in mount_names" - - item.mount == "/var/tmp" - - ubtu22cis_rule_1_1_2_5_2 or - ubtu22cis_rule_1_1_2_5_3 or - ubtu22cis_rule_1_1_2_5_4 + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_5_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.5.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/tmp" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | 
combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_5_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.5.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/tmp" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_5_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.5.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: - - Remount var_tmp - - Set_reboot_required - ansible.posix.mount: - name: /var/tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_5_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_5_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and ubtu22cis_rule_1_1_2_5_4) %},noexec{% endif %}" - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" + vars: + mount_point: "/var/tmp" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index 7c1435b8..780a8e9c 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml 
@@ -1,12 +1,12 @@
 ---
-- name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log"
+- name: "1/.1 | PATCH | Ensure /var/log is a separate partition"
 when:
 - ubtu22cis_rule_1_1_2_6_1
 - required_mount not in mount_names
 tags:
- - level2-server
- - level2-workstation
+ - level1-server
+ - level1-workstation
 - audit
 - mounts
 - rule_1.1.2.6.1
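Review bot: The new task name `1/.1 | PATCH | Ensure /var/log is a separate partition` has lost its control id, and `PATCH` contradicts the `audit` tag in the same hunk for a block that only warns; it should read `- name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition"`. The first hunk of cis_1.1.2.7.x has the same `1/.1` typo for 1.1.2.7.1. The move from level2 to level1 tags in both files also deserves a check against the benchmark, since separate /var/log and /var/log/audit partitions are Level 2 controls as far as I remember.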
@@ -15,44 +15,81 @@ warn_control_id: '1.1.2.6.1' required_mount: '/var/log' block: - - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Warn if partition is absent" + - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_log_mount.rc not in [ 0, 1 ] + register: discovered_var_log_mount + + - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Absent" + when: discovered_var_log_mount is undefined ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Present" + - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Present" + when: discovered_var_log_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition" - "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition" - "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" +- name: "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition" when: - - "'/var/log' in mount_names" - - item.mount == "/var/log" - - ubtu22cis_rule_1_1_2_6_2 or - ubtu22cis_rule_1_1_2_6_3 or - ubtu22cis_rule_1_1_2_6_4 + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_6_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.6.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | 
combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_6_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.6.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_6_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.6.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: - - Remount var_log - - Set_reboot_required - ansible.posix.mount: - name: /var/log - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_6_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_6_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and ubtu22cis_rule_1_1_2_6_4) %},noexec{% endif %}" - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" + vars: + mount_point: "/var/log" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index 7bde0d24..c7ed992c 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml 
@@ -1,12 +1,12 @@
 ---
-- name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit"
+- name: "1/.1 | PATCH | Ensure /var/log/audit is a separate partition"
 when:
 - ubtu22cis_rule_1_1_2_7_1
 - required_mount not in mount_names
 tags:
- - level2-server
- - level2-workstation
+ - level1-server
+ - level1-workstation
 - audit
 - mounts
 - rule_1.1.2.7.1
@@ -15,45 +15,81 @@ warn_control_id: '1.1.2.7.1' required_mount: '/var/log/audit' block: - - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn if partition is absent" + - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_log_audit_mount.rc not in [ 0, 1 ] + register: discovered_var_log_audit_mount + + - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Absent" + when: discovered_var_log_audit_mount is undefined ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" + - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Present" + when: discovered_var_log_audit_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition" - "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition" - "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" +- name: "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition" when: - - "'/var/log/audit' in mount_names" - - item.mount == "/var/log/audit" - - ubtu22cis_rule_1_1_2_7_2 or - ubtu22cis_rule_1_1_2_7_3 or - ubtu22cis_rule_1_1_2_7_4 + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_7_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.7.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log/audit" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: 
&mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_7_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.7.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log/audit" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - ubtu22cis_rule_1_1_2_7_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.7.4 - - NIST800-53R5_CM-7 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - notify: - - Remount var_log_audit - - Set_reboot_required - ansible.posix.mount: - name: /var/log/audit - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and ubtu22cis_rule_1_1_2_7_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and ubtu22cis_rule_1_1_2_7_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and ubtu22cis_rule_1_1_2_7_4) %},noexec{% endif %}" - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" + vars: + mount_point: "/var/log/audit" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when 
diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2
index 72490e3d..057a465d 100644
--- a/templates/etc/systemd/system/tmp.mount.j2
+++ b/templates/etc/systemd/system/tmp.mount.j2
@@ -11,7 +11,7 @@
 What=tmpfs
 Where=/tmp
 Type=tmpfs
-Options: {{ tmp_partition_mount_options | unique | join(',') }}
+Options: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
 [Install]
 WantedBy=local-fs.target
From b1068de72666b2b60801551baa7d92145852ba64 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 9 Dec 2024 12:08:36 +0000
Subject: [PATCH 122/135] Updated tmpfs options in conditional
Signed-off-by: Mark Bolwell
---
 tasks/section_1/cis_1.1.2.1.x.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml
index adbfb8f6..baf0f495 100644
--- a/tasks/section_1/cis_1.1.2.1.x.yml
+++ b/tasks/section_1/cis_1.1.2.1.x.yml
@@ -35,6 +35,7 @@
 - name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition"
 when:
 - mount_point_fs_and_options[mount_point] is defined
+ - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs"
 - ubtu22cis_rule_1_1_2_1_2
 - not ubtu22cis_tmp_svc
 tags:
@@ -59,6 +60,7 @@
 - name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition"
 when:
 - mount_point_fs_and_options[mount_point] is defined
+ - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs"
 - ubtu22cis_rule_1_1_2_1_3
 - not ubtu22cis_tmp_svc
 tags:
@@ -80,6 +82,7 @@
 - name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition"
 when:
 - mount_point_fs_and_options[mount_point] is defined
+ - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs"
 - ubtu22cis_rule_1_1_2_1_4
 - not ubtu22cis_tmp_svc
 tags:
From f7121144d0139f4cda6de4dcf4d931e5814d23d4 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 9 Dec 2024 12:13:20 +0000
Subject: [PATCH 123/135] Updated with name titles
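Review bot: `Options: "…"` in the tmp.mount template is not a systemd unit directive: the neighbouring context lines use `What=`, `Where=` and `Type=`, the mount-unit key is `Options=`, and as far as I know systemd does not strip the double quotes this commit adds, so they would become part of the mount options. The line should be `Options={{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}`. Note also that when `ubtu22cis_tmp_svc` is true the 1.1.2.1.2–1.1.2.1.4 set_fact tasks in cis_1.1.2.1.x are skipped by their `not ubtu22cis_tmp_svc` condition, so `['options']` here is only what is currently mounted and nodev/nosuid/noexec reach the unit file only if they were already live.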
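Review bot: The new `not mount_point_fs_and_options[mount_point]['src'] == "tmpfs"` condition (repeated in the -59 and -80 hunks) skips nodev/nosuid/noexec entirely for a /tmp that is a tmpfs managed through fstab: these tasks already require `not ubtu22cis_tmp_svc`, so such a host now gets no option added and no warning. If the intent is only to avoid writing an fstab line for the systemd-managed mount, `not ubtu22cis_tmp_svc` already covers it; otherwise a debug or warning for the skipped case would make the gap visible. As a matter of style, `mount_point_fs_and_options[mount_point]['src'] != "tmpfs"` reads more directly than `not … == …`.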
Signed-off-by: Mark Bolwell
---
 .pre-commit-config.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 10deb27d..acdd8963 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -11,12 +11,17 @@ repos:
 hooks:
 # Safety
 - id: detect-aws-credentials
+ name: Detect AWS Credentials
 - id: detect-private-key
+ name: Detect Private Keys
 # git checks
 - id: check-merge-conflict
+ name: Check for merge conflicts
 - id: check-added-large-files
+ name: Check for Large files
 - id: check-case-conflict
+ name: Check case conflict
 # General checks
 - id: trailing-whitespace
@@ -27,6 +32,7 @@ repos:
 types: [text]
 args: [--markdown-linebreak-ext=md]
 - id: end-of-file-fixer
+ name: Ensure line at end of file
 # Scan for passwords
 - repo: https://github.com/Yelp/detect-secrets
@@ -62,3 +68,4 @@ repos:
 rev: v1.35.1 # or higher tag
 hooks:
 - id: yamllint
+ name: Check YAML Lint
From 180d19a69edd8b41bfc107712069ccce3aadad9f Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 9 Dec 2024 15:38:37 +0000
Subject: [PATCH 124/135] Enable debug options for mounts
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 3 +++
 tasks/prelim.yml | 5 +++++
 2 files changed, 8 insertions(+)
diff --git a/defaults/main.yml b/defaults/main.yml
index 1be361ba..23f9d566 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -613,6 +613,9 @@ ubtu22cis_purge_apt: false
 ## Section 1 Control Variables
 ##
+## Ability to enabe debug on mounts to assist in troubleshooting
+ubtu22cis_debug_mount_data: false
+
 ## Control 1.1.2
 # If set to `true`, rule will be implemented using the `tmp.mount` systemd-service,
 # otherwise fstab configuration will be used.
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index deb618db..1f36df0f 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
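Review bot: The new comment `## Ability to enabe debug on mounts to assist in troubleshooting` misspells `enable`; the follow-up commit 125 re-touches this comment block and keeps the typo, so it can be fixed there if that is simpler. A pointer to what the flag actually prints would also help: `## When true, prelim prints the mount_point_fs_and_options fact built from mount(8) output`.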
@@ -48,6 +48,11 @@ {%- endfor -%} {{ mount_point_fs_and_options }} + - name: "PRELIM | AUDIT | Debug of mount variables to assist in troubleshooting" + when: ubtu22cis_debug_mount_data + ansible.builtin.debug: + msg: "{{ mount_point_fs_and_options }}" + - name: Include audit specific variables when: - run_audit or audit_only From db17068cb334c7327c3257eaa5e5ea003785a9ea Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Dec 2024 15:57:11 +0000 Subject: [PATCH 125/135] expanded mountpoint explaination Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 23f9d566..7c9ee8bd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -614,6 +614,8 @@ ubtu22cis_purge_apt: false ## ## Ability to enabe debug on mounts to assist in troubleshooting +# Mount point changes are set based upon facts created in Prelim +# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1. ubtu22cis_debug_mount_data: false ## Control 1.1.2 From 6e6161cb9b9863621f2f3587afdf7bc2a3f4a539 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 08:33:05 +0000 Subject: [PATCH 126/135] layout update for pipeline Signed-off-by: Mark Bolwell --- .yamllint | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/.yamllint b/.yamllint index 78eb3e2b..c271c2aa 100755 --- a/.yamllint +++ b/.yamllint @@ -1,12 +1,13 @@ --- + extends: default locale: en_US.UTF-8 ignore: | - tests/ - molecule/ - .github/ - .gitlab-ci.yml - *molecule.yml + tests/ + molecule/ + .github/ + .gitlab-ci.yml + *molecule.yml rules: braces: max-spaces-inside: 1 @@ -16,8 +17,8 @@ rules: level: error comments: ignore-shebangs: true - min-spaces-from-content: 1 # prettier compatibility - comments-indentation: false + min-spaces-from-content: 1 # prettier compatibility + comments-indentation: enable empty-lines: max: 1 indentation: 
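Review bot: The two new comment lines land between `## Ability to enabe debug on mounts …` and `ubtu22cis_debug_mount_data: false`, so the variable's own description is now separated from it by an unrelated explanation of how mount-point data is built; move the explanation above the `## Ability …` line (or under the `## Control 1.1.2` heading), and fix `enabe` → `enable` while touching it. Proposed order: `# Mount point changes are set based upon facts created in Prelim`, `# these then build the variable and options that are passed to the handler to set the mount point for the controls in section1.`, `## Ability to enable debug on mounts to assist in troubleshooting`, then the variable.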
From 7056dd0c70659695796a7f26f622b62dea69c58b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 09:35:01 +0000 Subject: [PATCH 127/135] convert file characterset Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/section_4/cis_4.3.3.x.yml | 2 +- tasks/warning_facts.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7c9ee8bd..69871962 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -986,7 +986,7 @@ ubtu22cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwqualit ubtu22cis_passwd_quality_enforce_value: 1 # 5.3.3.2.8 - password quality enforce for root included with 5.3.3.2.7 -# enforce_for_root: This ensures that the password policies are adhered to even if it’s the root user configuring the passwords. +# enforce_for_root: This ensures that the password policies are adhered to even if its the root user configuring the passwords. ubtu22cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf # pragma: allowlist secret ubtu22cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowlist secret diff --git a/tasks/section_4/cis_4.3.3.x.yml b/tasks/section_4/cis_4.3.3.x.yml index 2470855f..181c09ab 100644 --- a/tasks/section_4/cis_4.3.3.x.yml +++ b/tasks/section_4/cis_4.3.3.x.yml @@ -4,7 +4,7 @@ when: ubtu22cis_rule_4_3_3_1 tags: - level1-server - - level1-workstationå + - level1-workstation - patch - rule_4.3.3.1 - ip6tables diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml index e43e31f9..66594eb8 100644 --- a/tasks/warning_facts.yml +++ b/tasks/warning_facts.yml 
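Review bot: Dropping the curly apostrophe from `it’s` leaves `its`, which changes the meaning; the ASCII form is `it's`: `# enforce_for_root: This ensures that the password policies are adhered to even if it's the root user configuring the passwords.` The same applies to `warn_control_id’s` in the tasks/warning_facts.yml hunk, where `warn_control_id values` reads more clearly than `warn_control_ids`. The `å` removal in cis_4.3.3.x.yml is the substantive fix here — the stray character made the tag `level1-workstationå`, which a `--tags level1-workstation` run would never match.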
@@ -9,7 +9,7 @@ # # warn_control_id is set within the task itself and has the control ID as the value # -# warn_control_list is the main variable to be used and is a list made up of the warn_control_id’s +# warn_control_list is the main variable to be used and is a list made up of the warn_control_ids # # warn_count is the main variable for the number of warnings and each time a warn_control_id is added # the count increases by a value of 1 From a9cb02747b31cd65ffbaecc9a242c92b3719887c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 09:40:43 +0000 Subject: [PATCH 128/135] removed locale Signed-off-by: Mark Bolwell --- .yamllint | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/.yamllint b/.yamllint index c271c2aa..fa7b6971 100755 --- a/.yamllint +++ b/.yamllint @@ -1,13 +1,11 @@ --- - extends: default -locale: en_US.UTF-8 ignore: | - tests/ - molecule/ - .github/ - .gitlab-ci.yml - *molecule.yml + tests/ + molecule/ + .github/ + .gitlab-ci.yml + *molecule.yml rules: braces: max-spaces-inside: 1 @@ -17,7 +15,7 @@ rules: level: error comments: ignore-shebangs: true - min-spaces-from-content: 1 # prettier compatibility + min-spaces-from-content: 1 # prettier compatibility comments-indentation: enable empty-lines: max: 1 From 0666e00458e97288265e400747e963503c891c80 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 14:47:50 +0000 Subject: [PATCH 129/135] Align mountpoint variable naming Signed-off-by: Mark Bolwell --- handlers/main.yml | 42 +++++++++++++++---------------- tasks/prelim.yml | 14 +++++------ tasks/section_1/cis_1.1.2.1.x.yml | 18 ++++++------- tasks/section_1/cis_1.1.2.2.x.yml | 12 ++++----- tasks/section_1/cis_1.1.2.3.x.yml | 10 ++++---- tasks/section_1/cis_1.1.2.4.x.yml | 10 ++++---- tasks/section_1/cis_1.1.2.5.x.yml | 12 ++++----- tasks/section_1/cis_1.1.2.6.x.yml | 12 ++++----- tasks/section_1/cis_1.1.2.7.x.yml | 12 ++++----- 9 files changed, 71 insertions(+), 71 deletions(-) 
diff --git a/handlers/main.yml b/handlers/main.yml index edd42124..dc6bf653 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -6,10 +6,10 @@ mount_point: '/tmp' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /tmp" - name: "Remounting /tmp" @@ -34,10 +34,10 @@ mount_point: '/dev/shm' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /dev/shm" - name: "Remounting /dev/shm" @@ -53,10 +53,10 @@ mount_point: '/home' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /home" - name: "Remounting /home" 
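Review bot: The rename to `prelim_mount_point_fs_and_options` is applied to the handlers, tasks/prelim.yml and the section_1 task files listed in this commit's diffstat, but not to templates/etc/systemd/system/tmp.mount.j2, which (per the PATCH 121 hunk earlier on this page) still reads `mount_point_fs_and_options[mount_point]['options']`; unless a commit outside this page renames it, rendering tmp.mount will fail on an undefined variable (with the default undefined-variable handling) once the fact only exists under the new name. The template reference needs the same rename: `prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',')`. The identical substitution is repeated in the other handler hunks of this file (/dev/shm, /home, /var, /var/tmp, /var/log, /var/log/audit) and needs no separate comment.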
@@ -72,10 +72,10 @@ mount_point: '/var' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /var" - name: "Remounting /var" @@ -91,10 +91,10 @@ mount_point: '/var/tmp' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /var/tmp" - name: "Remounting /var/tmp" @@ -110,10 +110,10 @@ mount_point: '/var/log' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /var/log" - name: "Remounting /var/log" 
@@ -129,10 +129,10 @@ mount_point: '/var/log/audit' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /var/log/audit" - name: "Remounting /var/log/audit" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1f36df0f..2bd30871 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -36,22 +36,22 @@ ansible.builtin.shell: | mount | awk '{print $1, $3, $5, $6}' changed_when: false - register: mount_output + register: prelim_mount_output - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact ansible.builtin.set_fact: - mount_point_fs_and_options: >- - {%- set mount_point_fs_and_options = {} -%} - {%- for line in mount_output.stdout_lines -%} + prelim_mount_point_fs_and_options: >- + {%- set prelim_mount_point_fs_and_options = {} -%} + {%- for line in prelim_mount_output.stdout_lines -%} {%- set fields = line.split() -%} - {%- set _ = mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%} + {%- set _ = prelim_mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%} {%- endfor -%} - {{ mount_point_fs_and_options }} + {{ prelim_mount_point_fs_and_options }} - name: "PRELIM | AUDIT | Debug of mount variables to assist in troubleshooting" when: ubtu22cis_debug_mount_data ansible.builtin.debug: - msg: "{{ mount_point_fs_and_options }}" + msg: "{{ prelim_mount_point_fs_and_options }}" - name: Include audit specific variables when: diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index baf0f495..d33ea877 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -34,8 +34,8 @@ # via fstab - name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined - - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" + - prelim_mount_point_fs_and_options[mount_point] is defined + - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - ubtu22cis_rule_1_1_2_1_2 - not ubtu22cis_tmp_svc tags: 
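Review bot: The renamed fact is still built by parsing the text output of `mount` through awk and `line.split()`, so a mount point or source containing whitespace (how `mount` prints such paths should be checked) shifts the fields and yields a wrong `fs_type`/`options` for that entry, and `fields[3][1:-1]` then silently produces garbage rather than failing — the hardening decisions in section 1.1.2 are driven by this data. `ansible_facts.mounts` from the setup module already exposes `device`, `fstype` and `options` per `mount` as structured data and would remove the shell pipeline, though it omits some pseudo filesystems, so confirm /dev/shm and the other controlled paths appear before switching. If the shell form is kept, a `failed_when` on an unexpected field count (`fields | length != 4`) would at least make a malformed line visible instead of mis-recording it.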
@@ -52,15 +52,15 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined - - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" + - prelim_mount_point_fs_and_options[mount_point] is defined + - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - ubtu22cis_rule_1_1_2_1_3 - not ubtu22cis_tmp_svc tags: @@ -81,8 +81,8 @@ - name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined - - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" + - prelim_mount_point_fs_and_options[mount_point] is defined + - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - ubtu22cis_rule_1_1_2_1_4 - not ubtu22cis_tmp_svc tags: diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index 26b703c2..81aa836d 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml 
@@ -33,7 +33,7 @@ - name: "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_2_2 tags: - level1-server @@ -49,14 +49,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_2_3 tags: - level1-server @@ -76,7 +76,7 @@ - name: "1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_2_4 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index b45b4650..d41d339b 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml 
@@ -32,7 +32,7 @@ - name: "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_3_2 tags: - level1-server @@ -48,14 +48,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_3_3 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index 58ae6f4f..d934a51c 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -33,7 +33,7 @@ - name: "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_4_2 tags: - level1-server 
@@ -49,14 +49,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_4_3 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index a830b4b0..ea1140dd 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -33,7 +33,7 @@ - name: "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_5_2 tags: - level1-server 
@@ -49,14 +49,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_5_3 tags: - level1-server @@ -76,7 +76,7 @@ - name: "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_5_4 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index 780a8e9c..9d6eaae5 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml @@ -33,7 +33,7 @@ - name: "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_6_2 tags: - level1-server 
@@ -49,14 +49,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_6_3 tags: - level1-server @@ -76,7 +76,7 @@ - name: "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_6_4 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index c7ed992c..b310e086 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml @@ -33,7 +33,7 @@ - name: "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_7_2 tags: - level1-server 
@@ -49,14 +49,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_7_3 tags: - level1-server @@ -76,7 +76,7 @@ - name: "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - ubtu22cis_rule_1_1_2_7_4 tags: - level1-server From 7f934388b977dea5abfa62806db4d51ef872945f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 14:48:22 +0000 Subject: [PATCH 130/135] change case in title Signed-off-by: Mark Bolwell --- tasks/audit_only.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index 56e933de..a8e81e20 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml @@ -1,6 +1,6 @@ --- -- name: Audit_Only | Create local Directories for hosts +- name: Audit_only | Create local Directories for hosts when: fetch_audit_files delegate_to: localhost become: false From c175e7a6a8270063d309c52f3ab96c97b335c748 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Tue, 24 Dec 2024 09:26:39 +0000 Subject: [PATCH 131/135] updated 5.4.2.5 title to patch Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index b7f5987d..6bbe8487 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -162,7 +162,7 @@ register: discovered_root_path_perms loop: "{{ discovered_root_paths_split.stdout_lines }}" - - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Set permissions" + - name: "5.4.2.5 | PATCH | Ensure root PATH Integrity | Set permissions" when: - item.stat.exists - item.stat.isdir From 43ebf5379e37f0d49a5ae4c6abb3e7fed9f6950b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Dec 2024 09:27:21 +0000 Subject: [PATCH 132/135] updated title 6.1.1 to audit Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 267f0b78..92199269 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -22,7 +22,7 @@ update_cache: true register: discovered_aide_pkg_added - - name: "6.1.1 | PATCH | Ensure AIDE is installed | Recapture packages" + - name: "6.1.1 | AUDIT | Ensure AIDE is installed | Recapture packages" when: discovered_aide_pkg_added.skipped is not defined ansible.builtin.package_facts: manager: auto From 3d93309276feff9bd047f86b7a22a13eb72e5e27 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Dec 2024 09:28:00 +0000 Subject: [PATCH 133/135] 6.3.2.1 moved to path from dest in module Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.3.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.3.2.x.yml b/tasks/section_6/cis_6.3.2.x.yml index e3afc759..48270e21 100644 --- a/tasks/section_6/cis_6.3.2.x.yml 
+++ b/tasks/section_6/cis_6.3.2.x.yml @@ -10,7 +10,7 @@ - auditd - NIST800-53R5_NA ansible.builtin.lineinfile: - dest: /etc/audit/auditd.conf + path: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" line: "max_log_file = {{ ubtu22cis_max_log_file_size }}" state: present From e39ab0176c7a367c3d30f77f878e87ba658308d6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Dec 2024 09:32:36 +0000 Subject: [PATCH 134/135] renamed register to isolate for task Signed-off-by: Mark Bolwell --- tasks/section_7/cis_7.1.x.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 9c72472e..1a107ea6 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -31,8 +31,8 @@ owner: root group: root mode: 'u-x,go-wx' - failed_when: discovered_file_exists.state not in '[ file, absent ]' - register: discovered_file_exists + failed_when: discovered_password_hyphen_file_exists.state not in '[ file, absent ]' + register: discovered_password_hyphen_file_exists - name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured" when: ubtu22cis_rule_7_1_3 @@ -65,8 +65,8 @@ owner: root group: root mode: 'u-x,go-wx' - failed_when: discovered_file_exists.state not in '[ file, absent ]' - register: discovered_file_exists + failed_when: discovered_group_hyphen_file_exists.state not in '[ file, absent ]' + register: discovered_group_hyphen_file_exists - name: "7.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" when: ubtu22cis_rule_7_1_5 @@ -99,8 +99,8 @@ owner: root group: root mode: 'u-x,g-wx,o-rwx' - failed_when: discovered_file_exists.state not in '[ file, absent ]' - register: discovered_file_exists + failed_when: discovered_shadows_hyphen_file_exists.state not in '[ file, absent ]' + register: discovered_shadows_hyphen_file_exists - name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" when: ubtu22cis_rule_7_1_7 
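Review bot: The renamed `failed_when` expressions keep the right-hand side as a quoted string, `'[ file, absent ]'`, so `state not in …` is a substring test rather than list membership; it happens to work for `file` and `absent` but accepts any substring of that text and reads as a list it is not. Write a real list: `failed_when: discovered_password_hyphen_file_exists.state not in ['file', 'absent']`. The same form is carried into the other four hunks of this file, and `discovered_shadows_hyphen_file_exists` in the /etc/shadow- hunk looks like a typo for `discovered_shadow_hyphen_file_exists`.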
@@ -133,8 +133,8 @@ owner: root group: root mode: 'u-x,g-wx,o-rwx' - failed_when: discovered_file_exists.state not in '[ file, absent ]' - register: discovered_file_exists + failed_when: discovered_gshadow_hyphen_file_exists.state not in '[ file, absent ]' + register: discovered_gshadow_hyphen_file_exists - name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured" when: ubtu22cis_rule_7_1_9 @@ -167,8 +167,8 @@ owner: root group: root mode: 'u-x,go-rwx' - failed_when: discovered_file_exists.state not in '[ file, absent ]' - register: discovered_file_exists + failed_when: discovered_opasswd_file_exists.state not in '[ file, absent ]' + register: discovered_opasswd_file_exists loop: - /etc/security/opasswd - /etc/security/opasswd.old From cc3398fce52fcf43ffee0fbd0f8a1f5fd5938368 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Dec 2024 09:45:30 +0000 Subject: [PATCH 135/135] Updated location for notify entry Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.1.x.yml | 8 ++++---- tasks/section_1/cis_1.1.2.2.x.yml | 8 ++++---- tasks/section_1/cis_1.1.2.3.x.yml | 6 +++--- tasks/section_1/cis_1.1.2.4.x.yml | 6 +++--- tasks/section_1/cis_1.1.2.5.x.yml | 8 ++++---- tasks/section_1/cis_1.1.2.6.x.yml | 8 ++++---- tasks/section_1/cis_1.1.2.7.x.yml | 8 ++++---- 7 files changed, 26 insertions(+), 26 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index d33ea877..505cd464 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml 
@@ -49,13 +49,13 @@ vars: mount_point: "/tmp" required_option: nodev - notify: &mount_option_notify - - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact prelim_mount_point_fs_and_options: | {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] + notify: &mount_option_notify + - "Remount {{ mount_point }}" - name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" when: @@ -74,10 +74,10 @@ vars: mount_point: "/tmp" required_option: nosuid - notify: *mount_option_notify ansible.builtin.set_fact: <<: *mount_option_set_fact changed_when: *mount_option_changed_when + notify: *mount_option_notify - name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" when: @@ -96,10 +96,10 @@ vars: mount_point: "/tmp" required_option: noexec - notify: *mount_option_notify ansible.builtin.set_fact: <<: *mount_option_set_fact changed_when: *mount_option_changed_when + notify: *mount_option_notify # via systemd - name: | diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index 81aa836d..44cfc2e5 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml 
@@ -46,13 +46,13 @@ vars: mount_point: "/dev/shm" required_option: nodev - notify: &mount_option_notify - - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact prelim_mount_point_fs_and_options: | {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] + notify: &mount_option_notify + - "Remount {{ mount_point }}" - name: "1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition" when: @@ -69,10 +69,10 @@ vars: mount_point: "/dev/shm" required_option: nosuid - notify: *mount_option_notify ansible.builtin.set_fact: <<: *mount_option_set_fact changed_when: *mount_option_changed_when + notify: *mount_option_notify - name: "1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" when: @@ -89,7 +89,7 @@ vars: mount_point: "/dev/shm" required_option: noexec - notify: *mount_option_notify ansible.builtin.set_fact: <<: *mount_option_set_fact changed_when: *mount_option_changed_when + notify: *mount_option_notify diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index d41d339b..fa511ef6 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml 
@@ -45,13 +45,13 @@ vars: mount_point: "/home" required_option: nodev - notify: &mount_option_notify - - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact prelim_mount_point_fs_and_options: | {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] + notify: &mount_option_notify + - "Remount {{ mount_point }}" - name: "1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition" when: @@ -68,7 +68,7 @@ vars: mount_point: "/home" required_option: nosuid - notify: *mount_option_notify ansible.builtin.set_fact: <<: *mount_option_set_fact changed_when: *mount_option_changed_when + notify: *mount_option_notify diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index d934a51c..919865a9 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -46,13 +46,13 @@ vars: mount_point: "/var" required_option: nodev - notify: &mount_option_notify - - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact prelim_mount_point_fs_and_options: | {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] + notify: &mount_option_notify + - "Remount {{ mount_point }}" - name: "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" when: @@ -69,7 +69,7 @@ vars: mount_point: "/var" required_option: nosuid - notify: *mount_option_notify ansible.builtin.set_fact: <<: *mount_option_set_fact changed_when: *mount_option_changed_when + notify: *mount_option_notify 
diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index ea1140dd..e03599cd 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -46,13 +46,13 @@ vars: mount_point: "/var/tmp" required_option: nodev - notify: &mount_option_notify - - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact prelim_mount_point_fs_and_options: | {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] + notify: &mount_option_notify + - "Remount {{ mount_point }}" - name: "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition" when: @@ -69,10 +69,10 @@ vars: mount_point: "/var/tmp" required_option: nosuid - notify: *mount_option_notify ansible.builtin.set_fact: <<: *mount_option_set_fact changed_when: *mount_option_changed_when + notify: *mount_option_notify - name: "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" when: @@ -89,7 +89,7 @@ vars: mount_point: "/var/tmp" required_option: noexec - notify: *mount_option_notify ansible.builtin.set_fact: <<: *mount_option_set_fact changed_when: *mount_option_changed_when + notify: *mount_option_notify diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index 9d6eaae5..08e00c8b 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml 
@@ -46,13 +46,13 @@ vars: mount_point: "/var/log" required_option: nodev - notify: &mount_option_notify - - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact prelim_mount_point_fs_and_options: | {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] + notify: &mount_option_notify + - "Remount {{ mount_point }}" - name: "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition" when: @@ -69,10 +69,10 @@ vars: mount_point: "/var/log" required_option: nosuid - notify: *mount_option_notify ansible.builtin.set_fact: <<: *mount_option_set_fact changed_when: *mount_option_changed_when + notify: *mount_option_notify - name: "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" when: @@ -89,7 +89,7 @@ vars: mount_point: "/var/log" required_option: noexec - notify: *mount_option_notify ansible.builtin.set_fact: <<: *mount_option_set_fact changed_when: *mount_option_changed_when + notify: *mount_option_notify diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index b310e086..56fced12 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml 
@@ -46,13 +46,13 @@ vars: mount_point: "/var/log/audit" required_option: nodev - notify: &mount_option_notify - - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact prelim_mount_point_fs_and_options: | {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] + notify: &mount_option_notify + - "Remount {{ mount_point }}" - name: "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition" when: @@ -69,10 +69,10 @@ vars: mount_point: "/var/log/audit" required_option: nosuid - notify: *mount_option_notify ansible.builtin.set_fact: <<: *mount_option_set_fact changed_when: *mount_option_changed_when + notify: *mount_option_notify - name: "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" when: @@ -89,7 +89,7 @@ vars: mount_point: "/var/log/audit" required_option: noexec - notify: *mount_option_notify ansible.builtin.set_fact: <<: *mount_option_set_fact changed_when: *mount_option_changed_when + notify: *mount_option_notify