From 6333ebbfa83cdb92715b0a1b3a454bf018d8e744 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Mon, 22 Jan 2024 15:35:51 +0200 Subject: [PATCH 1/4] Rewriting tasks for rule 1.1.2.x according to this issue: https://code.siemens.com/cybersecurity/automated_hardening_tech/scapolite/python-libscapolite/libscapolite-automation-unix/-/issues/107 Signed-off-by: Diana-Maria Dumitru --- handlers/main.yml | 34 ++++++++++ tasks/prelim.yml | 17 +++++ tasks/section_1/cis_1.1.2.x.yml | 75 ++++++++--------------- templates/etc/systemd/system/tmp.mount.j2 | 2 +- 4 files changed, 76 insertions(+), 52 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 207593b8..06683632 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,9 +1,43 @@ --- +- name: Writing the tmp file | tmp_systemd + ansible.builtin.template: + src: etc/systemd/system/tmp.mount.j2 + dest: /etc/systemd/system/tmp.mount + owner: root + group: root + mode: '0644' + with_items: + - "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" + when: + - "'/tmp' in mount_names" + - item.mount == "/tmp" + - tmp_mnt_type == 'tmp_systemd' + listen: Writing and remounting tmp + +- name: Writing the tmp file | fstab + ansible.posix.mount: + path: /tmp + src: "{{ item.device }}" + state: present + fstype: "{{ item.fstype }}" + opts: defaults,{{ tmp_partition_mount_options | unique | join(',') }} + with_items: + - "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" + when: + - "'/tmp' in mount_names" + - tmp_mnt_type == 'fstab' + - item.mount == "/tmp" + listen: Writing and remounting tmp - name: Remount tmp ansible.posix.mount: path: /tmp state: remounted + listen: Writing and remounting tmp - name: Remount var ansible.posix.mount: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 61108164..924af10e 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
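Review bot: The new `Writing the tmp file | tmp_systemd` handler rewrites /etc/systemd/system/tmp.mount, but the only follow-up on the `Writing and remounting tmp` event is `Remount tmp`, which calls the mount module with `state: remounted`; as far as I can tell a plain remount does not make systemd re-read the unit, so the rewritten options would not take effect until a daemon-reload and a restart of tmp.mount. A reload handler on the same `listen` event, defined between the two writers and `Remount tmp` so that handler definition order keeps it in sequence, would close that gap (sketch below). That ordering is load-bearing and not obvious from the file, so a comment such as `# Handlers run in definition order: write unit/fstab, reload systemd, then remount` above the first handler would help the next reader. Patch 2/4 (05c2a5a9) repeats this whole patch byte-for-byte, so the notes on this series apply to its hunks as well.
```yaml
# … unchanged: "Writing the tmp file | tmp_systemd" and "| fstab" handlers …

- name: Reload systemd after writing tmp.mount
  ansible.builtin.systemd:
    daemon_reload: true
  when:
    - "'/tmp' in mount_names"
    - tmp_mnt_type == 'tmp_systemd'
  listen: Writing and remounting tmp

# … unchanged: Remount tmp handler …
```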
@@ -59,6 +59,23 @@ tags: - always +- name: Initialize the mount options variable + block: + - name: Initializing the var if there is no /tmp mount + ansible.builtin.set_fact: + tmp_partition_mount_options: [] + when: "'/tmp' not in mount_names" + + - name: Initializing the var if there is a /tmp mount + ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ item.options }}" + loop: "{{ ansible_facts.mounts }}" + when: + - item.mount == "/tmp" + - "'/tmp' in mount_names" + tags: + -always + - name: "PRELIM | Run apt update" ansible.builtin.package: update_cache: true diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 5f1e75fc..44a18820 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml 
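Review bot: `tags: -always` at the end of the new block is missing the space after the dash, so YAML reads it as the scalar `-always` rather than a list holding `always`; a run restricted with `--tags` would then skip this block and the first `set_fact` in cis_1.1.2.x.yml would fail on an undefined `tmp_partition_mount_options`. It should read `- always` (patch 4/4 re-indents the block but leaves this line as it is). Separately, `tmp_partition_mount_options: "{{ item.options }}"` seeds the variable with the `options` value of the mount fact, which as far as I know is a comma-separated string, whereas the later tasks append with `+ [ 'nodev' ]` and the handlers apply `unique | join(',')`, both of which expect a list; seeding it as `"{{ item.options | split(',') }}"` keeps the type consistent end to end. A comment on the block stating that this variable must always be a list of mount options would document that contract for the tasks that extend it.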
@@ -23,68 +23,41 @@ - rule_1.1.2.1 - tmp -- name: | - "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition | tmp_systemd" - "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition | tmp_systemd" - "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition | tmp_systemd" - ansible.builtin.template: - src: etc/systemd/system/tmp.mount.j2 - dest: /etc/systemd/system/tmp.mount - owner: root - group: root - mode: '0644' - notify: Remount tmp - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - when: - - "'/tmp' in mount_names" - - item.mount == "/tmp" - - tmp_mnt_type == 'tmp_systemd' - - ubtu22cis_rule_1_1_2_2 or - ubtu22cis_rule_1_1_2_3 or - ubtu22cis_rule_1_1_2_4 - tags: +- name: "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" + ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}" + notify: Writing and remounting tmp + when: ubtu22cis_rule_1_1_2_2 + tags: - level1-server - level1-workstation - automated - patch - rule_1.1.2.2 - - rule_1.1.2.3 - - rule_1.1.2.4 - tmp -- name: | - "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition | fstab" - "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition | fstab" - "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition | fstab" - ansible.posix.mount: - path: /tmp - src: "{{ item.device }}" - state: present - fstype: "{{ item.fstype }}" - opts: defaults,{% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %} - notify: remount tmp - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - when: - - "'/tmp' in mount_names" - - tmp_mnt_type == 'fstab' - - item.mount == "/tmp" - - ubtu22cis_rule_1_1_2_1 or - ubtu22cis_rule_1_1_2_2 or - ubtu22cis_rule_1_1_2_3 or - ubtu22cis_rule_1_1_2_4 - tags: +- name: "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" 
+ ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}" + notify: Writing and remounting tmp + when: ubtu22cis_rule_1_1_2_3 + tags: - level1-server - level1-workstation - automated - patch - - rule_1.1.2.2 - - rule_1.1.2.2 - rule_1.1.2.3 + - tmp + +- name: "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" + ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}" + notify: Writing and remounting tmp + when: ubtu22cis_rule_1_1_2_4 + tags: + - level1-server + - level1-workstation + - automated + - patch - rule_1.1.2.4 - tmp diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2 index fb5df693..5ab24e7b 100644 --- a/templates/etc/systemd/system/tmp.mount.j2 +++ b/templates/etc/systemd/system/tmp.mount.j2 @@ -10,7 +10,7 @@ After=swap.target What=tmpfs Where=/tmp Type=tmpfs -Options: {% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %} +Options: {{ tmp_partition_mount_options | unique | join(',') }} [Install] WantedBy=local-fs.target From 05c2a5a90c6a31a44d2b9667855eeaf2cbfb8fbf Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Mon, 22 Jan 2024 15:35:51 +0200 Subject: [PATCH 2/4] Rewriting tasks for rule 1.1.2.x according to this issue: https://code.siemens.com/cybersecurity/automated_hardening_tech/scapolite/python-libscapolite/libscapolite-automation-unix/-/issues/107 Signed-off-by: Diana-Maria Dumitru --- handlers/main.yml | 34 ++++++++++ tasks/prelim.yml | 17 +++++ tasks/section_1/cis_1.1.2.x.yml | 75 ++++++++--------------- templates/etc/systemd/system/tmp.mount.j2 | 2 +- 4 files changed, 76 insertions(+), 52 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 207593b8..06683632 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
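Review bot: `notify: Writing and remounting tmp` on the three `ansible.builtin.set_fact` tasks (1.1.2.2, 1.1.2.3 and 1.1.2.4) will never fire, because set_fact reports `changed: false` and handlers are only triggered by tasks that report a change; after this rewrite the unit file or fstab entry is no longer written at all. Each task needs a `changed_when`, ideally one that is true only when the option is actually new, e.g. `changed_when: "'nodev' not in tmp_partition_mount_options"` for 1.1.2.2 — confirm that the expression is evaluated against the value from before the task ran; otherwise `changed_when: true` is the safe fallback, at the cost of a remount on every run. The same one-line fix applies to the 1.1.2.3 and 1.1.2.4 tasks in this hunk.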
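Review bot: The rewritten `Options:` line still uses a colon, while every other key in the unit (`What=`, `Where=`, `Type=`) uses `=`; systemd unit files are `Key=Value`, and as far as I can tell a line without `=` is ignored with a warning, so the hardening options would not be applied to the tmpfs mount. Since the whole purpose of the change is to feed `tmp_partition_mount_options` into the unit, the line should be `Options={{ tmp_partition_mount_options | unique | join(',') }}`. The colon predates this commit (the removed line has it too), but the rewrite is the natural place to fix it.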
@@ -1,9 +1,43 @@ --- +- name: Writing the tmp file | tmp_systemd + ansible.builtin.template: + src: etc/systemd/system/tmp.mount.j2 + dest: /etc/systemd/system/tmp.mount + owner: root + group: root + mode: '0644' + with_items: + - "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" + when: + - "'/tmp' in mount_names" + - item.mount == "/tmp" + - tmp_mnt_type == 'tmp_systemd' + listen: Writing and remounting tmp + +- name: Writing the tmp file | fstab + ansible.posix.mount: + path: /tmp + src: "{{ item.device }}" + state: present + fstype: "{{ item.fstype }}" + opts: defaults,{{ tmp_partition_mount_options | unique | join(',') }} + with_items: + - "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.device }}" + when: + - "'/tmp' in mount_names" + - tmp_mnt_type == 'fstab' + - item.mount == "/tmp" + listen: Writing and remounting tmp - name: Remount tmp ansible.posix.mount: path: /tmp state: remounted + listen: Writing and remounting tmp - name: Remount var ansible.posix.mount: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 61108164..924af10e 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -59,6 +59,23 @@ tags: - always +- name: Initialize the mount options variable + block: + - name: Initializing the var if there is no /tmp mount + ansible.builtin.set_fact: + tmp_partition_mount_options: [] + when: "'/tmp' not in mount_names" + + - name: Initializing the var if there is a /tmp mount + ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ item.options }}" + loop: "{{ ansible_facts.mounts }}" + when: + - item.mount == "/tmp" + - "'/tmp' in mount_names" + tags: + -always + - name: "PRELIM | Run apt update" ansible.builtin.package: update_cache: true diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 5f1e75fc..44a18820 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml 
@@ -23,68 +23,41 @@ - rule_1.1.2.1 - tmp -- name: | - "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition | tmp_systemd" - "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition | tmp_systemd" - "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition | tmp_systemd" - ansible.builtin.template: - src: etc/systemd/system/tmp.mount.j2 - dest: /etc/systemd/system/tmp.mount - owner: root - group: root - mode: '0644' - notify: Remount tmp - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - when: - - "'/tmp' in mount_names" - - item.mount == "/tmp" - - tmp_mnt_type == 'tmp_systemd' - - ubtu22cis_rule_1_1_2_2 or - ubtu22cis_rule_1_1_2_3 or - ubtu22cis_rule_1_1_2_4 - tags: +- name: "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" + ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}" + notify: Writing and remounting tmp + when: ubtu22cis_rule_1_1_2_2 + tags: - level1-server - level1-workstation - automated - patch - rule_1.1.2.2 - - rule_1.1.2.3 - - rule_1.1.2.4 - tmp -- name: | - "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition | fstab" - "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition | fstab" - "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition | fstab" - ansible.posix.mount: - path: /tmp - src: "{{ item.device }}" - state: present - fstype: "{{ item.fstype }}" - opts: defaults,{% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %} - notify: remount tmp - with_items: - - "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - when: - - "'/tmp' in mount_names" - - tmp_mnt_type == 'fstab' - - item.mount == "/tmp" - - ubtu22cis_rule_1_1_2_1 or - ubtu22cis_rule_1_1_2_2 or - ubtu22cis_rule_1_1_2_3 or - ubtu22cis_rule_1_1_2_4 - tags: +- name: "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" 
+ ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}" + notify: Writing and remounting tmp + when: ubtu22cis_rule_1_1_2_3 + tags: - level1-server - level1-workstation - automated - patch - - rule_1.1.2.2 - - rule_1.1.2.2 - rule_1.1.2.3 + - tmp + +- name: "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" + ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}" + notify: Writing and remounting tmp + when: ubtu22cis_rule_1_1_2_4 + tags: + - level1-server + - level1-workstation + - automated + - patch - rule_1.1.2.4 - tmp diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2 index fb5df693..5ab24e7b 100644 --- a/templates/etc/systemd/system/tmp.mount.j2 +++ b/templates/etc/systemd/system/tmp.mount.j2 @@ -10,7 +10,7 @@ After=swap.target What=tmpfs Where=/tmp Type=tmpfs -Options: {% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %} +Options: {{ tmp_partition_mount_options | unique | join(',') }} [Install] WantedBy=local-fs.target From 4343e34c3144eb88dccdb78244c0db70386f179b Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Mon, 29 Jan 2024 14:07:38 +0200 Subject: [PATCH 3/4] Removing some trailing whitespaces Signed-off-by: Diana-Maria Dumitru --- handlers/main.yml | 4 ++-- tasks/prelim.yml | 6 +++--- tasks/section_1/cis_1.1.2.x.yml | 12 ++++++------ 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 06683632..b1c23b18 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -30,8 +30,8 @@ when: - "'/tmp' in mount_names" - tmp_mnt_type == 'fstab' - - item.mount == "/tmp" - listen: Writing and remounting tmp + - item.mount == "/tmp" + listen: Writing and remounting tmp - name: Remount tmp ansible.posix.mount: 
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 924af10e..c365f974 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -65,12 +65,12 @@ ansible.builtin.set_fact: tmp_partition_mount_options: [] when: "'/tmp' not in mount_names" - - - name: Initializing the var if there is a /tmp mount + + - name: Initializing the var if there is a /tmp mount ansible.builtin.set_fact: tmp_partition_mount_options: "{{ item.options }}" loop: "{{ ansible_facts.mounts }}" - when: + when: - item.mount == "/tmp" - "'/tmp' in mount_names" tags: diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 44a18820..9ed201fd 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -27,8 +27,8 @@ ansible.builtin.set_fact: tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}" notify: Writing and remounting tmp - when: ubtu22cis_rule_1_1_2_2 - tags: + when: ubtu22cis_rule_1_1_2_2 + tags: - level1-server - level1-workstation - automated @@ -40,8 +40,8 @@ ansible.builtin.set_fact: tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}" notify: Writing and remounting tmp - when: ubtu22cis_rule_1_1_2_3 - tags: + when: ubtu22cis_rule_1_1_2_3 + tags: - level1-server - level1-workstation - automated @@ -53,8 +53,8 @@ ansible.builtin.set_fact: tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}" notify: Writing and remounting tmp - when: ubtu22cis_rule_1_1_2_4 - tags: + when: ubtu22cis_rule_1_1_2_4 + tags: - level1-server - level1-workstation - automated From ae0e66dd87ff053be829aee990f527322f8cf3c3 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Mon, 29 Jan 2024 14:18:59 +0200 Subject: [PATCH 4/4] Fixing indentation Signed-off-by: Diana-Maria Dumitru --- tasks/prelim.yml | 24 ++++++++++++------------ tasks/section_1/cis_1.1.2.x.yml | 6 +++--- 2 files changed, 15 insertions(+), 15 deletions(-) 
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c365f974..44510854 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -61,18 +61,18 @@ - name: Initialize the mount options variable block: - - name: Initializing the var if there is no /tmp mount - ansible.builtin.set_fact: - tmp_partition_mount_options: [] - when: "'/tmp' not in mount_names" - - - name: Initializing the var if there is a /tmp mount - ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ item.options }}" - loop: "{{ ansible_facts.mounts }}" - when: - - item.mount == "/tmp" - - "'/tmp' in mount_names" + - name: Initializing the var if there is no /tmp mount + ansible.builtin.set_fact: + tmp_partition_mount_options: [] + when: "'/tmp' not in mount_names" + + - name: Initializing the var if there is a /tmp mount + ansible.builtin.set_fact: + tmp_partition_mount_options: "{{ item.options }}" + loop: "{{ ansible_facts.mounts }}" + when: + - item.mount == "/tmp" + - "'/tmp' in mount_names" tags: -always diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 9ed201fd..8b335b6a 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -25,7 +25,7 @@ - name: "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}" + tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}" notify: Writing and remounting tmp when: ubtu22cis_rule_1_1_2_2 tags: @@ -38,7 +38,7 @@ - name: "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}" + tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}" notify: Writing and remounting tmp when: ubtu22cis_rule_1_1_2_3 tags: 
@@ -51,7 +51,7 @@ - name: "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" ansible.builtin.set_fact: - tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}" + tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}" notify: Writing and remounting tmp when: ubtu22cis_rule_1_1_2_4 tags: