Enabling the user to choose between complain and enforce mode in 1.6.1.3. #94

Closed
17 changes: 10 additions & 7 deletions defaults/main.yml
@@ -580,14 +580,17 @@ ubtu22cis_grub_file: /etc/default/grub.cfg
# This automatically limits the damage that the software can do to files accessible by the calling user.
# The following variables are related to the set of rules from section 1.6.1.x

# This variable disables the rule regarding enforcing profiles or putting them in complain mode
## Controls 1.6.1.3 and 1.6.1.4 Ensure all AppArmor Profiles are in enforce (1.6.1.3/4) or complain (1.6.1.3) mode

# This variable disables the implementation of rules 1.6.1.3 and 1.6.1.4
# regarding enforcing profiles or putting them in complain mode
ubtu22cis_apparmor_disable: false
# This variable chooses how the profiles will comply to rule 1.6.1.3.
# If it is set to true the profiles will be in enforce mode
# If it is set to false the profiles will be in complain mode
# *? The role has two tasks that do the same thing no matter what boolean
# value is set to this variable *?
ubtu22cis_apparmor_enforce_only: false

# This variable specifies whether enforce mode or complain mode is set in Control 1.6.1.3.
# Possible values are `enforce` and `complain`.
# ATTENTION: if Control 1.6.1.4 is run (e.g., when running level 2 rules), it OVERRIDES control 1.6.1.3
# and sets `enforce` mode, no matter what this variable's value is.
ubtu22cis_apparmor_mode: complain

## Controls 1.7.x - Warning banners
# The controls 1.7.x set various warning banners and protect the respective files
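Review bot: The new comment says the only valid values are `enforce` and `complain`, but nothing in the role checks that, and the value is later interpolated into a shell command (`aa-{{ubtu22cis_apparmor_mode}} /etc/apparmor.d/*` in tasks/section_1/cis_1.6.x.yml); add an `ansible.builtin.assert` with `that: ubtu22cis_apparmor_mode in ['enforce', 'complain']` early in the run so a typo fails loudly instead of being swallowed by `failed_when: false`. The documentation should also state that `complain` is not a passive setting: with that value the role runs `aa-complain` over every profile under /etc/apparmor.d, so profiles an administrator had previously put into enforce mode are moved back to complain, and a reader of defaults/main.yml currently cannot tell that from this comment.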
5 changes: 5 additions & 0 deletions tasks/prelim.yml
@@ -1,4 +1,9 @@
---
- name: "PRELIM | Set default values for facts"
ansible.builtin.set_fact:
control_1_6_1_4_was_run: false
ubtu22cis_apparmor_enforce_only: false
changed_when: false

- name: "PRELIM | Register if snap being used"
ansible.builtin.shell: df -h | grep -wc "/snap"
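Review bot: `ubtu22cis_apparmor_enforce_only` was a user-settable default until this PR and is now forced to `false` by `set_fact` here, which takes precedence over inventory and play vars, so an operator who still sets the old variable has it silently ignored; consider an `ansible.builtin.assert` (or at least a `debug` warning) placed before this `set_fact` that fires when the caller defined `ubtu22cis_apparmor_enforce_only`, pointing at `ubtu22cis_apparmor_mode` as the replacement. Minor: `changed_when: false` on `set_fact` is redundant, since `set_fact` never reports a change.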
84 changes: 52 additions & 32 deletions tasks/section_1/cis_1.6.x.yml
@@ -58,76 +58,96 @@
- rule_1.6.1.2
- apparmor

# This is handled via this block to allow for proper flagging of idempotency for the control
- name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode"
# Controls 1.6.1.4 and 1.6.1.3 target the same setting and thus should not be run together.
# Because control 1.6.1.4 is stricter than 1.6.1.3, we need to change the order --
# control 1.6.1.4 then registers the fact that is has run and thus keeps 1.6.1.3 from running.

- name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing"
block:
- name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get pre apply enforce count"
- name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Make sure that 1.6.1.3 is not run"
ansible.builtin.set_fact:
control_1_6_1_4_was_run: true
ubtu22cis_apparmor_enforce_only: true
changed_when: false

- name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get pre apply enforce count"
ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9
changed_when: false
failed_when: false
register: ubtu22cis_1_6_1_3_pre_count
register: ubtu22cis_1_6_1_4_pre_count

- name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Apply enforcing to /etc/apparmor.d profiles"
- name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Apply enforcing to /etc/apparmor.d profiles"
ansible.builtin.shell: aa-enforce /etc/apparmor.d/*
changed_when: false
failed_when: false

- name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get post apply enforce count"
- name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get post apply enforce count"
ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9
changed_when: false
failed_when: false
register: ubtu22cis_1_6_1_3_post_count
register: ubtu22cis_1_6_1_4_post_count

- name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | This flags for idempotency"
- name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | This flags for idempotency"
ansible.builtin.debug:
msg: Changed! The profiles in /etc/apparmor.d were set to enforcing
changed_when: true
when: ubtu22cis_1_6_1_3_pre_count.stdout != ubtu22cis_1_6_1_3_post_count.stdout
when: ubtu22cis_1_6_1_4_pre_count.stdout != ubtu22cis_1_6_1_4_post_count.stdout
when:
- ubtu22cis_rule_1_6_1_3
- ubtu22cis_rule_1_6_1_4
- not ubtu22cis_apparmor_disable
- not ubtu22cis_apparmor_enforce_only
tags:
- level1-server
- level1-workstation
- level2-server
- level2-workstation
- automated
- scored
- patch
- rule_1.6.1.3
- rule_1.6.1.4
- apparmor

- name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing"
- name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode"
block:
- name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get pre apply enforce count"
ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9
- name: "1.6.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only true for GOSS"
ansible.builtin.set_fact:
ubtu22cis_apparmor_enforce_only: true
changed_when: false
when:
- ubtu22cis_apparmor_mode == "enforce"
- name: "1.6.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only false for GOSS"
ansible.builtin.set_fact:
ubtu22cis_apparmor_enforce_only: false
changed_when: false
when:
- ubtu22cis_apparmor_mode == "complain"
- name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get pre apply enforce count"
ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu22cis_apparmor_mode}} mode" | tr -d -c 0-9
changed_when: false
failed_when: false
register: ubtu22cis_1_6_1_4_pre_count
register: ubtu22cis_1_6_1_3_pre_count

- name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Apply enforcing to /etc/apparmor.d profiles"
ansible.builtin.shell: aa-enforce /etc/apparmor.d/*
- name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Apply complaining/enforcing to /etc/apparmor.d profiles"
ansible.builtin.shell: aa-{{ubtu22cis_apparmor_mode}} /etc/apparmor.d/*
changed_when: false
failed_when: false

- name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Get post apply enforce count"
ansible.builtin.shell: apparmor_status | grep "profiles are in enforce mode" | tr -d -c 0-9
- name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Get post apply enforce count"
ansible.builtin.shell: apparmor_status | grep "profiles are in {{ubtu22cis_apparmor_mode}} mode" | tr -d -c 0-9
changed_when: false
failed_when: false
register: ubtu22cis_1_6_1_4_post_count
register: ubtu22cis_1_6_1_3_post_count

- name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | This flags for idempotency"
- name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | This flags for idempotency"
ansible.builtin.debug:
msg: Changed! The profiles in /etc/apparmor.d were set to enforcing
msg: Changed! The profiles in /etc/apparmor.d were set to {{ubtu22cis_apparmor_mode}} mode
changed_when: true
when: ubtu22cis_1_6_1_4_pre_count.stdout != ubtu22cis_1_6_1_4_post_count.stdout
when: ubtu22cis_1_6_1_3_pre_count.stdout != ubtu22cis_1_6_1_3_post_count.stdout
when:
- ubtu22cis_rule_1_6_1_4
- ubtu22cis_rule_1_6_1_3
- not ubtu22cis_apparmor_disable
- ubtu22cis_apparmor_enforce_only
- not control_1_6_1_4_was_run
tags:
- level2-server
- level2-workstation
- level1-server
- level1-workstation
- automated
- scored
- patch
- rule_1.6.1.4
- rule_1.6.1.3
- apparmor
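Review bot: A mistyped `ubtu22cis_apparmor_mode` becomes a silent no-op in the 1.6.1.3 block: `aa-{{ubtu22cis_apparmor_mode}} /etc/apparmor.d/*` runs with `failed_when: false`, and both `grep "profiles are in {{ubtu22cis_apparmor_mode}} mode"` counts come back empty, so the pre/post comparison in the idempotency task never fires and the play reports nothing; either validate the variable before this block or drop `failed_when: false` from the `aa-` call so the error surfaces. Two smaller points: the two `AUDIT | ... Set ubtu22cis_apparmor_enforce_only true/false for GOSS` tasks can be a single `set_fact` with `ubtu22cis_apparmor_enforce_only: "{{ ubtu22cis_apparmor_mode == 'enforce' }}"`, which also removes the case where neither `when` matches and the fact keeps its prelim value; and the block comment has a typo, `registers the fact that is has run` should read `that it has run`.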
3 changes: 2 additions & 1 deletion templates/ansible_vars_goss.yml.j2
@@ -383,7 +383,8 @@ ubtu22cis_bootloader_password: {{ ubtu22cis_bootloader_password_hash }}

# 1.6 - Only have apparmor enforcing
ubtu22cis_apparmor_disable: {{ ubtu22cis_apparmor_disable }}
ubtu22cis_apparmor_enforce_only: {{ ubtu22cis_apparmor_enforce_only }}
ubtu22cis_apparmor_mode: {{ ubtu22cis_apparmor_mode }}
ubtu22cis_apparmor_enforce_only: {{ubtu22cis_apparmor_enforce_only}}

# Warning Banner Content (issue, issue.net, motd)
ubtu22_warning_banner: {{ ubtu22cis_warning_banner }}
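Review bot: The added line uses `{{ubtu22cis_apparmor_enforce_only}}` without the spaces inside the braces that the surrounding lines use (`{{ ubtu22cis_apparmor_disable }}`, `{{ ubtu22cis_apparmor_mode }}` just above); match the existing style. The section comment `# 1.6 - Only have apparmor enforcing` is also now inaccurate, since the role leaves profiles in complain mode when `ubtu22cis_apparmor_mode` is `complain`; reword it to describe the mode variable.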