Merge pull request #20 from ansible-lockdown/standards

Alignment

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
+Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

defaults/main.yml

@@ -750,11 +750,10 @@ debian11cis_passwd_setpam_hash_algo: false
 # warn_age is how many days before pw expiry the user will be warned. Set to 7 or more to conform to CIS standards
 # Control 5.5.1.4
 # inactive the number of days of inactivity before the account will lock. Set to 30 day sor less to conform to CIS standards
-debian11cis_pass:
-    max_days: 365
-    min_days: 1
-    warn_age: 7
-    inactive: 30
+debian11cis_pass_max_days: 365
+debian11cis_pass_min_days: 1
+debian11cis_pass_warn_age: 7
+debian11cis_pass_inactive: 30
 
 # Control 5.5.4
 # debian11cis_bash_umask is the umask to set in the /etc/bash.bashrc and /etc/profile.

handlers/main.yml

@@ -100,33 +100,33 @@
 
 - name: Iptables persistent
   ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4"
-  changed_when: debian11cis_iptables_save.rc == 0
-  failed_when: debian11cis_iptables_save.rc > 0
-  register: debian11cis_iptables_save
+  changed_when: discovered_ip4tables_save.rc == 0
+  failed_when: discovered_ip4tables_save.rc > 0
+  register: discovered_ip4tables_save
 
 - name: Ip6tables persistent
   ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
-  changed_when: debian11cis_ip6tables_save.rc == 0
-  failed_when: debian11cis_ip6tables_save.rc > 0
-  register: debian11cis_ip6tables_save
+  changed_when: discovered_ip6tables_save.rc == 0
+  failed_when: discovered_ip6tables_save.rc > 0
+  register: discovered_ip6tables_save
 
 - name: Auditd rules reload
   ansible.builtin.shell: augenrules --load
   when:
-      - debian11cis_rule_4_1_3_21_augen_check is not defined
+      - discovered_auditd_diff_check is not defined
 
 - name: Audit_immutable_fact
   ansible.builtin.debug:
       msg: "Reboot required for auditd to apply new rules as immutable set"
   notify: change_requires_reboot
   when:
-      - audit_rules_updated.changed
+      - discovered_audit_rules_updated.changed
       - auditd_immutable_check is defined
 
 - name: Restart auditd
   ansible.builtin.shell: service auditd restart
   when:
-      - audit_rules_updated is defined
+      - discovered_audit_rules_updated is defined
   tags:
       - skip_ansible_lint
 

tasks/auditd.yml

@@ -7,7 +7,7 @@
       owner: root
       group: root
       mode: '0640'
-  register: audit_rules_updated
+  register: discovered_audit_rules_updated
   notify:
       - Auditd rules reload
       - Audit_immutable_fact
@@ -25,19 +25,3 @@
   when:
       - allow_auditd_uid_user_exclusions
       - debian11ciscis_auditd_uid_exclude | length > 0
-
-# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable"
-#   block:
-#       - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Get status"
-#         ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
-#         changed_when: false
-#         failed_when: false
-#         register: debian11ciscis_auditd_immutable_check
-
-#       - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Set reboot required"
-#         ansible.builtin.debug:
-#             msg: "Reboot required for auditd to apply new rules as immutable set"
-#         notify: change_requires_reboot
-#         when: debian11ciscis_auditd_immutable_check.stdout == '1'
-#   when:
-#       - debian11ciscis_audit_rules_update.changed

tasks/main.yml

@@ -25,11 +25,11 @@
         changed_when: false
         failed_when: false
         check_mode: false
-        register: ansible_user_password_set
+        register: discovered_ansible_user_password_set
 
       - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked"
         ansible.builtin.assert:
-            that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
+            that: discovered_ansible_user_password_set.stdout | length != 0 and discovered_ansible_user_password_set.stdout != "!!"
             fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
             success_msg: "You have a password set for sudo user {{ ansible_env.SUDO_USER }}"
         vars:

tasks/parse_etc_password.yml

@@ -6,13 +6,13 @@
         ansible.builtin.shell: cat /etc/passwd
         changed_when: false
         check_mode: false
-        register: debian11cis_passwd_file_audit
+        register: discovered_passwd_file_audit
 
       - name: "PRELIM | Parse /etc/passwd | Split passwd entries"
         ansible.builtin.set_fact:
-            debian11cis_passwd: "{{ debian11cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
+            debian11cis_passwd: "{{ discovered_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
 
-        with_items: "{{ debian11cis_passwd_file_audit.stdout_lines }}"
+        with_items: "{{ discovered_passwd_file_audit.stdout_lines }}"
         vars:
             ld_passwd_regex: >-
                 ^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*)

tasks/pre_remediation_audit.yml

@@ -60,11 +60,11 @@
       - name: Pre Audit Setup | Check for goss file
         ansible.builtin.stat:
             path: "{{ audit_bin }}"
-        register: goss_available
+        register: discovered_goss_available
 
       - name: Pre Audit Setup | If audit ensure goss is available
         when:
-            - not goss_available.stat.exists
+            - not discovered_goss_available.stat.exists
         ansible.builtin.assert:
             msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
 

tasks/prelim.yml

@@ -228,7 +228,7 @@
       regexp: ^IPT_SYSCTL=.*
       line: IPT_SYSCTL=/etc/sysctl.conf
       create: true
-      mode: '0640'
+      mode: 'u-x,g-wx,o-rwx'
       owner: root
       group: root
   when:

tasks/section_1/cis_1.1.2.x.yml

@@ -32,7 +32,7 @@
       dest: /etc/systemd/system/tmp.mount
       owner: root
       group: root
-      mode: 0644
+      mode: 'u-x,go-wx'
   notify: Remount tmp
   with_items:
       - "{{ ansible_facts.mounts }}"

tasks/section_1/cis_1.2.x.yml

@@ -7,14 +7,14 @@
         changed_when: false
         failed_when: false
         check_mode: false
-        register: debian11cis_1_2_1_apt_policy
+        register: discovered_apt_policy
 
       - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Message out repository configs"
         ansible.builtin.debug:
             msg:
                 - "Warning!! Below are the apt package repositories"
                 - "Please review to make sure they conform to your sites policies"
-                - "{{ debian11cis_1_2_1_apt_policy.stdout_lines }}"
+                - "{{ discovered_apt_policy.stdout_lines }}"
 
       - name: "1.2.1 | WARN | Ensure package manager repositories are configured | warn_count"
         ansible.builtin.import_tasks:
@@ -38,15 +38,15 @@
         changed_when: false
         failed_when: false
         check_mode: false
-        register: debian11cis_1_2_2_apt_gpgkeys
+        register: discovered_apt_gpgkeys
 
       - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Message out apt gpg keys"
         ansible.builtin.debug:
             msg:
                 - "Warning!! Below are the apt gpg keys configured"
                 - "Please review to make sure they are configured"
                 - "in accordance with site policy"
-                - "{{ debian11cis_1_2_2_apt_gpgkeys.stdout_lines }}"
+                - "{{ discovered_apt_gpgkeys.stdout_lines }}"
 
       - name: "1.2.2 | WARN | Ensure GPG keys are configured | warn_count"
         ansible.builtin.import_tasks:

tasks/section_1/cis_1.3.x.yml

@@ -7,15 +7,15 @@
             name: ['aide', 'aide-common']
             state: present
             update_cache: true
-        register: debian11cis_rule_1_3_1_aide_added
+        register: discovered_aide_installed
         when:
             - "'aide' not in ansible_facts.packages or
               'aide-common' not in ansible_facts.packages"
 
       - name: "1.3.1 | PATCH | Ensure AIDE is installed | Recapture packages"
         ansible.builtin.package_facts:
             manager: auto
-        when: debian11cis_rule_1_3_1_aide_added.skipped is not defined
+        when: discovered_aide_installed.skipped is not defined
 
       - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
         ansible.builtin.shell: aideinit && mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

tasks/section_1/cis_1.4.x.yml

@@ -8,7 +8,7 @@
             dest: "{{ debian11cis_grub_user_file }}"
             owner: root
             group: root
-            mode: 0755
+            mode: 'u+x,go-w'
         notify: Grub update
 
       - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot"
@@ -36,16 +36,16 @@
         ansible.builtin.stat:
             path: "{{ debian11cis_grub_file }}"
         check_mode: false
-        register: debian11cis_1_4_2_grub_cfg_status
+        register: discovered_grub_cfg_status
 
       - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | Set permissions"
         ansible.builtin.file:
             path: "{{ debian11cis_grub_file }}"
             owner: root
             group: root
-            mode: '0400'
+            mode: 'go-wx'
         when:
-            - debian11cis_1_4_2_grub_cfg_status.stat.exists
+            - discovered_grub_cfg_status.stat.exists
   when:
       - debian11cis_rule_1_4_2
   tags:

tasks/section_1/cis_1.5.x.yml

@@ -52,7 +52,7 @@
             create: true
             owner: root
             group: root
-            mode: '0644'
+            mode: 'u-x,go-wx'
 
       - name: "1.5.3 | PATCH | Ensure Automatic Error Reporting is not enabled | remove package"
         ansible.builtin.package:
@@ -91,7 +91,7 @@
             create: true
             owner: root
             group: root
-            mode: '0644'
+            mode: 'u-x,go-wx'
 
       - name: "1.5.4 | PATCH | Ensure core dumps are restricted | sysctl.conf"
         ansible.builtin.lineinfile:
@@ -100,7 +100,7 @@
             line: fs.suid_dumpable=0
             owner: root
             group: root
-            mode: '0644'
+            mode: 'u-x,go-wx'
         notify: Reload systemctl
 
       - name: "1.5.4 | PATCH | Ensure core dumps are restricted | coredump.conf"
@@ -111,7 +111,7 @@
             create: true
             owner: root
             group: root
-            mode: '0644'
+            mode: 'u-x,go-wx'
         loop:
             - { regexp: '^Storage', line: 'Storage=none' }
             - { regexp: '^ProcessSizeMax', line: 'ProcessSizeMax=0' }

tasks/section_1/cis_1.6.x.yml

@@ -23,7 +23,7 @@
         changed_when: false
         failed_when: false
         check_mode: false
-        register: debian11cis_1_6_1_2_cmdline_settings
+        register: discovered_grub_cmdline_settings
 
       - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist"
         ansible.builtin.lineinfile:
@@ -32,7 +32,7 @@
             line: \1apparmor=1 \3
             backrefs: true
         notify: Grub update
-        when: debian11cis_1_6_1_2_cmdline_settings.stdout is not search('apparmor=')
+        when: discovered_grub_cmdline_settings.stdout is not search('apparmor=')
 
       - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set security settings if none exist"
         ansible.builtin.lineinfile:
@@ -41,17 +41,17 @@
             line: \1security=apparmor \3
             backrefs: true
         notify: Grub update
-        when: debian11cis_1_6_1_2_cmdline_settings.stdout is not search('security=')
+        when: discovered_grub_cmdline_settings.stdout is not search('security=')
 
       - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Set apparmor settings if none exist"
         ansible.builtin.lineinfile:
             path: /etc/default/grub
             regexp: '^GRUB_CMDLINE_LINUX='
-            line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ debian11cis_1_6_1_2_cmdline_settings.stdout }}"'
+            line: 'GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor {{ discovered_grub_cmdline_settings.stdout }}"'
             insertafter: '^GRUB_'
         when:
-            - "'apparmor' not in debian11cis_1_6_1_2_cmdline_settings.stdout"
-            - "'security' not in debian11cis_1_6_1_2_cmdline_settings.stdout"
+            - "'apparmor' not in discovered_grub_cmdline_settings.stdout"
+            - "'security' not in discovered_grub_cmdline_settings.stdout"
         notify: Grub update
 
       - name: "1.6.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration | Replace apparmor settings when exists"
@@ -63,8 +63,8 @@
             - { regexp: 'apparmor=\w+', replace: 'apparmor=1' }
             - { regexp: 'security=\w+', replace: 'security=apparmor' }
         when:
-            - "'apparmor' in debian11cis_1_6_1_2_cmdline_settings.stdout or
-              'security' in debian11cis_1_6_1_2_cmdline_settings.stdout"
+            - "'apparmor' in discovered_grub_cmdline_settings.stdout or
+              'security' in discovered_grub_cmdline_settings.stdout"
         notify: Grub update
   when:
       - debian11cis_rule_1_6_1_2
@@ -83,7 +83,7 @@
         ansible.builtin.shell: apparmor_status |  grep "profiles are in enforce mode" | tr -d -c 0-9
         changed_when: false
         failed_when: false
-        register: debian11cis_1_6_1_3_pre_count
+        register: discovered_apparmor_pre_count
 
       - name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | Apply enforcing to /etc/apparmor.d profiles"
         ansible.builtin.shell: aa-enforce /etc/apparmor.d/*
@@ -94,13 +94,13 @@
         ansible.builtin.shell: apparmor_status |  grep "profiles are in enforce mode" | tr -d -c 0-9
         changed_when: false
         failed_when: false
-        register: debian11cis_1_6_1_3_post_count
+        register: discovered_apparmor_pre_count
 
       - name: "1.6.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode | This flags for idempotency"
         ansible.builtin.debug:
             msg: Changed! The profiles in /etc/apparmor.d were set to enforcing
         changed_when: true
-        when: debian11cis_1_6_1_3_pre_count.stdout != debian11cis_1_6_1_3_post_count.stdout
+        when: discovered_apparmor_pre_count.stdout != discovered_apparmor_pre_count.stdout
   when:
       - debian11cis_rule_1_6_1_3
       - not debian11cis_apparmor_disable
@@ -119,7 +119,7 @@
         ansible.builtin.shell: apparmor_status |  grep "profiles are in enforce mode" | tr -d -c 0-9
         changed_when: false
         failed_when: false
-        register: debian11cis_1_6_1_4_pre_count
+        register: discovered_apparmor_pre_count
 
       - name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | Apply enforcing to /etc/apparmor.d profiles"
         ansible.builtin.shell: aa-enforce /etc/apparmor.d/*
@@ -130,13 +130,13 @@
         ansible.builtin.shell: apparmor_status |  grep "profiles are in enforce mode" | tr -d -c 0-9
         changed_when: false
         failed_when: false
-        register: debian11cis_1_6_1_4_post_count
+        register: discovered_apparmor_pre_count
 
       - name: "1.6.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing | This flags for idempotency"
         ansible.builtin.debug:
             msg: Changed! The profiles in /etc/apparmor.d were set to enforcing
         changed_when: true
-        when: debian11cis_1_6_1_4_pre_count.stdout != debian11cis_1_6_1_4_post_count.stdout
+        when: discovered_apparmor_pre_count.stdout != discovered_apparmor_pre_count.stdout
   when:
       - debian11cis_rule_1_6_1_4
       - not debian11cis_apparmor_disable