Merge pull request #214 from ansible-lockdown/devel

New release
ansible-lockdown · Mar 11, 2024 · 98e6419 · 98e6419
2 parents 583e16f + f80e871
commit 98e6419
Show file tree

Hide file tree

Showing 29 changed files with 275 additions and 86 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -36,13 +36,13 @@ repos:
     args: [ '--baseline', '.config/.secrets.baseline' ]
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.18.1
+  rev: v8.18.2
   hooks:
   - id: gitleaks
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.22.0
+  rev: v24.2.0
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -61,6 +61,6 @@ repos:
     - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.33.0  # or higher tag
+  rev: v1.35.1  # or higher tag
   hooks:
   - id: yamllint
diff --git a/Changelog.md b/Changelog.md
@@ -2,6 +2,16 @@
 
 ## Based on CIS V1.0.0
 
+### 1.0.9
+
+- updated audit command to allow multiple groups from inventory
+- #144 usb-blacklisting - thanks to @paulquevedojdrf
+- #152 and #170 Added ssh validate to tasks - thanks to @dderemiah and @twadelij
+- #180 and #181 password reuse 5.3.4 - thanks to @DianaMariaDDM
+- #182 pwquality enhancement New variable to allow extended or minclass (default)options - thanks to @ma3s7ro
+- #184 Initial container config feedback required - thanks to @ipruteanu-sie
+- #204 reboot not idempotent - changed auditd and reboot logic update to 4.1.3.6 discovery - thanks to @bhuddah
+
 ### 1.0.8
 
 - updated goss binary to 0.4.4

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -40,7 +40,7 @@ ubtu22cis_ask_passwd_to_boot: false
 # is executed on a container image and sets the variable
 # system_is_container the true. Otherwise, the default value
 # 'false' is left unchanged.
-system_is_container: false
+container_vars_file: is_container.yml
 
 ## Root user used
 # Root by default is not used unless setup by user
@@ -543,8 +543,10 @@ ubtu22cis_config_aide: true
 ## When Initializing aide this can take longer on some systems
 # changing the values enables user to change to thier own requirements
 ubtu22cis_aide_init:
-    async: 45  # Maximum Time in seconds
-    poll: 0  # Polling Interval in seconds
+    # Maximum Time in seconds
+    async: 45
+    # Polling Interval in seconds
+    poll: 0
 
 ## Control 1.3.2
 # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE.
@@ -597,7 +599,7 @@ ubtu22cis_set_boot_pass: false
 
 ubtu22cis_grub_file: /boot/grub/grub.cfg
 
-## 1.5.x
+## Controls 1.5.x
 # Ability to set file in which the kernel systcl changes are placed
 ubtu22cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf
 
@@ -748,7 +750,7 @@ ubtu22cis_audit_back_log_limit: 8192
 # This should be set based on your sites policy. CIS does not provide a specific value.
 ubtu22cis_max_log_file_size: 10
 
-## 4.1.3.x - Audit template
+## Controls 4.1.3.x - Audit template
 # This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the
 # audit settings are overwritten with the role's template. In order to exclude
 # specific rules, you must set the variable of form `ubtu22cis_rule_4_1_3_x` above
@@ -938,13 +940,33 @@ ubtu22cis_sudo_timestamp_timeout: 15
 # CIS requires that such a group be created (named according to site policy) and be kept empty.
 ubtu22cis_sugroup: nosugroup
 
+## Control 5.4.1
+# This variable allows us to use either
+#
+
+ubtu22cis_pwquality_minclass: true
+ubtu22cis_pwquality_minclass_value: '4'
+ubtu22cis_pwquality:
+    - key: '#minclass'
+      value: "{{ ubtu22cis_pwquality_minclass_value }}"
+    - key: 'minlen'
+      value: '14'
+    - key: 'dcredit'
+      value: '-1'
+    - key: 'ucredit'
+      value: '-1'
+    - key: 'ocredit'
+      value: '-1'
+    - key: 'lcredit'
+      value: '-1'
+
 ## Control 5.4.3
 # This variable represents the number of password change cycles, after which
 # a user can re-use a password.
 # CIS requires a value of 5 or more.
 ubtu22cis_pamd_pwhistory_remember: 5
 
-# Control 5.4.2
+## Control 5.4.2
 # This can seriously break access to a system
 ## The end state the file /etc/pam.d/common-auth need to be understood
 ## If using external auth providers this will be very different
@@ -955,7 +977,7 @@ ubtu22cis_rule_5_4_2_faillock_config: |
     auth       [default=die] pam_faillock.so authfail
     auth       sufficient pam_faillock.so authsucc
 
-# Control 5.4.4
+## Control 5.4.4
 # ubtu22cis_passwd_hash_algo is the hashing algorithm used
 ubtu22cis_passwd_hash_algo: yescrypt  # pragma: allowlist secret
 # Set pam as well as login defs if PAM is required

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,5 +1,9 @@
 ---
 
+- name: Update_Initramfs
+  ansible.builtin.shell: update-initramfs -u
+  notify: change_requires_reboot
+
 - name: Remount tmp
   ansible.posix.mount:
       path: /tmp
@@ -39,6 +43,7 @@
 - name: Grub update
   ansible.builtin.shell: update-grub
   failed_when: false
+  notify: change_requires_reboot
 
 - name: Restart timeservice
   ansible.builtin.systemd:
@@ -110,31 +115,21 @@
   when:
       - '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout'
 
-- name: Auditd_immutable_check
-  ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
-  changed_when: false
-  register: auditd_immutable_check
-
 - name: Audit_immutable_fact
   ansible.builtin.debug:
       msg: "Reboot required for auditd to apply new rules as immutable set"
   notify: change_requires_reboot
   when:
-      - auditd_immutable_check.stdout == '1'
+      - audit_rules_updated.changed
+      - auditd_immutable_check is defined
 
 - name: Restart auditd
   ansible.builtin.shell: service auditd restart
   when:
-      - audit_rules_updated.changed or
-        rule_4_1_2_1.changed or
-        rule_4_1_2_2.changed or
-        rule_4_1_2_3.changed
+      - audit_rules_updated is defined
   tags:
       - skip_ansible_lint
 
-- name: remount tmp
-  ansible.builtin.shell: mount -o remount /tmp
-
 - name: restart sshd
   ansible.builtin.systemd:
       name: sshd

diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml
@@ -10,7 +10,7 @@
       - name: Pre Audit Setup | Set audit package name | ARM64
         ansible.builtin.set_fact:
             audit_pkg_arch_name: ARM64
-        when: ansible_facts.machine == "arm64"
+        when: ansible_facts.machine == "aarch64"
 
 - name: Pre Audit Setup | Download audit binary
   ansible.builtin.get_url:

diff --git a/tasks/auditd.yml b/tasks/auditd.yml
@@ -6,13 +6,13 @@
       dest: /etc/audit/rules.d/99_auditd.rules
       owner: root
       group: root
-      mode: '0600'
+      mode: '0640'
   register: audit_rules_updated
   notify:
       - Auditd rules reload
-      - Auditd_immutable_check
       - Audit_immutable_fact
       - Restart auditd
+      - change_requires_reboot
   when: update_audit_template
 
 - name: POST | Set up auditd user logging exceptions
@@ -25,19 +25,3 @@
   notify: Restart auditd
   when:
       - ubtu22cis_allow_auditd_uid_user_exclusions
-
-# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable"
-#   block:
-#       - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Get status"
-#         ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
-#         changed_when: false
-#         failed_when: false
-#         register: ubtu22cis_auditd_immutable_check
-
-#       - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Set reboot required"
-#         ansible.builtin.debug:
-#             msg: "Reboot required for auditd to apply new rules as immutable set"
-#         notify: change_requires_reboot
-#         when: ubtu22cis_auditd_immutable_check.stdout == '1'
-#   when:
-#       - ubtu22cis_audit_rules_update.changed
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -208,13 +208,15 @@
         ansible.builtin.reboot:
         when:
             - not skip_reboot
+            - change_requires_reboot
 
       - name: Warning a reboot required but skip option set
         ansible.builtin.debug:
             msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
         changed_when: true
         when:
             - skip_reboot
+            - change_requires_reboot
 
 - name: Run post remediation audit
   ansible.builtin.import_tasks:

diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
@@ -1,7 +1,7 @@
 ---
 
 - name: Post Audit | Run post_remediation {{ benchmark }} audit
-  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
+  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
   changed_when: true
   environment:
       AUDIT_BIN: "{{ audit_bin }}"

diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
@@ -77,7 +77,7 @@
       mode: '0600'
 
 - name: Pre Audit | Run pre_remediation {{ benchmark }} audit
-  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
+  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
   changed_when: true
   environment:
       AUDIT_BIN: "{{ audit_bin }}"

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -133,7 +133,16 @@
       - auditd
       - always
 
-- name: "PRELIM | 5.3.4 | Find all sudoers files."
+- name: "PRELIM | Check if auditd is immutable before changes"
+  ansible.builtin.shell: auditctl -l | grep -c '-e 2'
+  changed_when: false
+  failed_when: auditd_immutable_check.rc not in [ 0, 1 ]
+  register: auditd_immutable_check
+  when: "'auditd' in ansible_facts.packages"
+  tags:
+      - always
+
+- name: "PRELIM | 5.3.4 | 5.3.5 | Find all sudoers files."
   ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
   changed_when: false
   failed_when: false
@@ -177,6 +186,12 @@
       grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/false") { print $6 }'
   changed_when: false
   register: interactive_users_home
+  when:
+      - ubtu22cis_rule_6_2_11 or
+        ubtu22cis_rule_6_2_13 or
+        ubtu22cis_rule_6_2_14 or
+        ubtu22cis_rule_6_2_15 or
+        ubtu22cis_rule_6_2_16
   tags:
       - always
 
@@ -207,16 +222,6 @@
   changed_when: false
   check_mode: false
   register: ubtu22cis_users
-  when:
-      - ubtu22cis_rule_6_2_14 or
-        ubtu22cis_rule_6_2_15 or
-        ubtu22cis_rule_6_2_16
-  tags:
-      - always
-
-- name: "PRELIM | Recapture packages"
-  ansible.builtin.package_facts:
-      manager: auto
   tags:
       - always
 

diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml
@@ -22,6 +22,7 @@
             name: cramfs
             state: absent
         when: ansible_connection != 'docker'
+  notify: Update_Initramfs
   when:
       - ubtu22cis_rule_1_1_1_1
   tags:
@@ -54,6 +55,7 @@
             name: squashfs
             state: absent
         when: ansible_connection != 'docker'
+  notify: Update_Initramfs
   when:
       - ubtu22cis_rule_1_1_1_2
       - snap_pkg_mgr.stdout == "0"
@@ -88,6 +90,7 @@
             name: udf
             state: absent
         when: ansible_connection != 'docker'
+  notify: Update_Initramfs
   when:
       - ubtu22cis_rule_1_1_1_3
   tags:

diff --git a/tasks/section_1/cis_1.1.10.yml b/tasks/section_1/cis_1.1.10.yml
@@ -20,6 +20,7 @@
             name: usb-storage
             state: absent
         when: ansible_connection != 'docker'
+  notify: Update_Initramfs
   when:
       - ubtu22cis_rule_1_1_10
       - not ubtu22cis_allow_usb_storage

diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml
@@ -65,7 +65,7 @@
       state: present
       fstype: "{{ item.fstype }}"
       opts: defaults,{% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %}
-  notify: remount tmp
+  notify: Remount tmp
   with_items:
       - "{{ ansible_facts.mounts }}"
   loop_control:

diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml
@@ -29,9 +29,15 @@
       - motd
 
 - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly"
-  ansible.builtin.template:
-      src: etc/issue.j2
-      dest: /etc/issue
+  block:
+      - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly | issue"
+        ansible.builtin.template:
+            src: etc/issue.j2
+            dest: /etc/issue
+
+      - name: "1.7.2 | PATCH | Ensure local login warning banner is kept on package upgrade | issue"
+        community.general.dpkg_divert:
+            path: /etc/issue
   when:
       - ubtu22cis_rule_1_7_2
   tags:
@@ -43,9 +49,15 @@
       - banner
 
 - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly"
-  ansible.builtin.template:
-      src: etc/issue.net.j2
-      dest: /etc/issue.net
+  block:
+      - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly | issue.net"
+        ansible.builtin.template:
+            src: etc/issue.net.j2
+            dest: /etc/issue.net
+
+      - name: "1.7.3 | PATCH | Ensure remote login warning banner is kept on package upgrade | issue.net"
+        community.general.dpkg_divert:
+            path: /etc/issue.net
   when:
       - ubtu22cis_rule_1_7_3
   tags: