From 973ef95e98c6c52ea6da678af5149a7117a79055 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 22 Nov 2023 14:41:26 +0200 Subject: [PATCH 01/44] Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/ubuntu22-cis/-/issues/69! Signed-off-by: Diana-Maria Dumitru --- tasks/section_5/cis_5.4.x.yml | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 1894dead..ef1e6769 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -106,14 +106,30 @@ - pam - notimplemented -- name: 5.4.3 | PATCH | Ensure password reuse is limited" - community.general.pamd: - name: common-password - type: password - control: '[success=1 default=ignore]' - module_path: pam_unix.so - module_arguments: "remember={{ ubtu22cis_pamd_pwhistory_remember }}" - state: args_present +- name: "5.4.3 | PATCH | Ensure password reuse is limited" + block: + - name: "5.4.3 | PATCH | Ensure password reuse is limited | Add pam_unix or edit it accordingly" + community.general.pamd: + name: common-password + type: password + control: '[success=1 default=ignore]' + module_path: pam_unix.so + module_arguments: 'obscure + yescrypt' + state: args_present + + - name: "5.4.3 | PATCH | Ensure password reuse is limited| Set remember value after adding pam unix" + community.general.pamd: + name: common-password + type: password + control: '[success=1 default=ignore]' + module_path: pam_unix.so + new_type: password + new_module_path: pam_pwhistory.so + new_control: required + module_arguments: 'use_authtok + remember={{ ubtu22cis_pamd_pwhistory_remember }}' + state: before when: - ubtu22cis_rule_5_4_3 tags: From 0c06607b97b6f4dd00bbae8a8b7c2f14b82dcdce Mon Sep 17 00:00:00 2001 From: Dan D Date: Wed, 29 Nov 2023 20:56:22 -0800 Subject: [PATCH 02/44] missing grub check fails when using sysctl 
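Review bot: The first task hard-codes the hash option in `module_arguments: 'obscure yescrypt'` for pam_unix, while the role exposes the algorithm as `ubtu22cis_passwd_hash_algo` (Control 5.4.4, visible later in this series), so a deployment that changes that variable ends up with two different algorithms configured; `module_arguments: "obscure {{ ubtu22cis_passwd_hash_algo }}"` keeps 5.4.3 and 5.4.4 consistent. `state: args_present` only adds arguments, so an existing `sha512` on the pam_unix line is left beside the added one, and the `remember=` argument that the removed task used to place on pam_unix is not cleaned up — a follow-up `state: args_absent` with `module_arguments: 'remember='` on pam_unix would tidy hosts remediated by the older version. Whether `state: before` re-inserts the pam_pwhistory rule on repeated runs when an identical rule already precedes pam_unix is not visible here and is worth checking for idempotence. Minor: the second task name is missing a space in `limited| Set`.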
Signed-off-by: Dan D --- tasks/section_3/cis_3.1.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 73021427..d905548f 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -26,6 +26,7 @@ line: '\1 ipv6.disable=1"' backrefs: true when: + - ubtu22cis_ipv6_disable == 'grub' - ipv6disable_replaced is not changed - "'ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout" notify: Grub update From c250141ed07d77c10bde5b783f3a98f69cfbfd7f Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:36:15 +0000 Subject: [PATCH 03/44] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v6.22.0 → v6.22.1](https://github.com/ansible-community/ansible-lint/compare/v6.22.0...v6.22.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 54e9449b..911d4714 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,7 +42,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.0 + rev: v6.22.1 hooks: - id: ansible-lint name: Ansible-lint From dbb95281b5dbf3afe10916594d54b03327ce784d Mon Sep 17 00:00:00 2001 From: Dan D Date: Wed, 20 Dec 2023 20:44:05 -0800 Subject: [PATCH 04/44] Fixes a typo that keeps Chr0ny from working 
Signed-off-by: Dan D --- tasks/section_2/cis_2.1.2.x.yml | 4 ++-- .../etc/chrony/sources.d/{pool.source.j2 => pool.sources.j2} | 0 .../chrony/sources.d/{server.source.j2 => server.sources.j2} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename templates/etc/chrony/sources.d/{pool.source.j2 => pool.sources.j2} (100%) rename templates/etc/chrony/sources.d/{server.source.j2 => server.sources.j2} (100%) diff --git a/tasks/section_2/cis_2.1.2.x.yml b/tasks/section_2/cis_2.1.2.x.yml index cf1dc323..a58e69a2 100644 --- a/tasks/section_2/cis_2.1.2.x.yml +++ b/tasks/section_2/cis_2.1.2.x.yml @@ -10,8 +10,8 @@ owner: root group: root loop: - - etc/chrony/sources.d/pool.source - - etc/chrony/sources.d/server.source + - etc/chrony/sources.d/pool.sources + - etc/chrony/sources.d/server.sources notify: Restart timeservice - name: "2.1.2.1 | PATCH | Ensure chrony is configured with authorized timeserver | load sources" diff --git a/templates/etc/chrony/sources.d/pool.source.j2 b/templates/etc/chrony/sources.d/pool.sources.j2 similarity index 100% rename from templates/etc/chrony/sources.d/pool.source.j2 rename to templates/etc/chrony/sources.d/pool.sources.j2 diff --git a/templates/etc/chrony/sources.d/server.source.j2 b/templates/etc/chrony/sources.d/server.sources.j2 similarity index 100% rename from templates/etc/chrony/sources.d/server.source.j2 rename to templates/etc/chrony/sources.d/server.sources.j2 From 7ec71abe7070ba754a86a30d96ef5ac158268071 Mon Sep 17 00:00:00 2001 From: Dan D Date: Wed, 27 Dec 2023 14:55:59 -0800 Subject: [PATCH 05/44] Changed regex to account for different whitespace and grouping all the Defaults in sudoers Signed-off-by: Dan D --- tasks/section_5/cis_5.3.x.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index 975dd5b5..334c63f4 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml 
@@ -17,9 +17,9 @@ - name: "5.3.2 | PATCH | Ensure sudo commands use pty" ansible.builtin.lineinfile: path: /etc/sudoers - regexp: '^Defaults use_' + regexp: '^Defaults\s+use_' line: 'Defaults use_pty' - insertafter: '^Defaults' + insertafter: '^\s*Defaults' when: - ubtu22cis_rule_5_3_2 tags: @@ -33,9 +33,9 @@ - name: "5.3.3 | PATCH | Ensure sudo log file exists" ansible.builtin.lineinfile: path: /etc/sudoers - regexp: '^Defaults logfile' + regexp: '^Defaults\s+logfile' line: 'Defaults logfile="{{ ubtu22cis_sudo_logfile }}"' - insertafter: '^Defaults' + insertafter: '^\s*Defaults' when: - ubtu22cis_rule_5_3_3 tags: @@ -89,8 +89,9 @@ - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" ansible.builtin.lineinfile: path: /etc/sudoers - regexp: 'Defaults timestamp_timeout=' - line: "Defaults timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" + regexp: '^\s*Defaults/s+timestamp_timeout=' + line: "Defaults timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}" + insertafter: '^\s*Defaults' validate: '/usr/sbin/visudo -cf %s' when: ubtu22cis_5_3_6_timeout_files.stdout | length == 0 From d8091a640bb2fc6e9d0318b1467f565d13569463 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jan 2024 11:46:38 +0000 Subject: [PATCH 06/44] issue_144 Signed-off-by: Mark Bolwell --- handlers/main.yml | 3 +++ tasks/section_1/cis_1.1.1.x.yml | 3 +++ tasks/section_1/cis_1.1.10.yml | 1 + 3 files changed, 7 insertions(+) diff --git a/handlers/main.yml b/handlers/main.yml index 207593b8..e5b5df95 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,5 +1,8 @@ --- +- name: Update_Initramfs + ansible.builtin.shell: update-initramfs -u + - name: Remount tmp ansible.posix.mount: path: /tmp diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 806b2800..5c3d41e7 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml 
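Review bot: The 5.3.2 and 5.3.3 lineinfile tasks (this hunk and the next) write to `/etc/sudoers` without a `validate:` step, whereas the 5.3.6 task in the third hunk carries `validate: '/usr/sbin/visudo -cf %s'`; a line that visudo rejects would leave sudo unusable on the host. Adding `validate: '/usr/sbin/visudo -cf %s'` to both tasks makes the write conditional on a syntax check, as 5.3.6 already does. Separately, `regexp: '^Defaults\s+use_'` also matches other `Defaults use_*` options (for example `use_loginclass`) and would replace them with `Defaults use_pty`; `regexp: '^\s*Defaults\s+use_pty'` is the precise form.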
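Review bot: In the third hunk, `regexp: '^\s*Defaults/s+timestamp_timeout='` contains `/s+` where `\s+` was intended, so the pattern only matches a literal slash followed by one or more `s` characters and never matches the `Defaults timestamp_timeout=` line the task itself writes. The task is only reached when the prelim search found no timeout entry (`when: ubtu22cis_5_3_6_timeout_files.stdout | length == 0`, shown as context), which limits the effect to an insert rather than a replace, but the guard and the regex should agree: `regexp: '^\s*Defaults\s+timestamp_timeout='`.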
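Review bot: The new `Update_Initramfs` handler in handlers/main.yml uses `ansible.builtin.shell: update-initramfs -u` although the command needs no shell features, so `ansible.builtin.command: update-initramfs -u` is the idiomatic form (ansible-lint's command-instead-of-shell rule flags this). `-u` refreshes only the default kernel's initramfs; if the intent of issue #144 is that the module blacklist takes effect for every installed kernel, `update-initramfs -u -k all` is the variant to consider.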
@@ -22,6 +22,7 @@ name: cramfs state: absent when: ansible_connection != 'docker' + notify: Update_Initramfs when: - ubtu22cis_rule_1_1_1_1 tags: @@ -54,6 +55,7 @@ name: squashfs state: absent when: ansible_connection != 'docker' + notify: Update_Initramfs when: - ubtu22cis_rule_1_1_1_2 - snap_pkg_mgr.stdout == "0" @@ -88,6 +90,7 @@ name: udf state: absent when: ansible_connection != 'docker' + notify: Update_Initramfs when: - ubtu22cis_rule_1_1_1_3 tags: diff --git a/tasks/section_1/cis_1.1.10.yml b/tasks/section_1/cis_1.1.10.yml index 3ea9324c..4b964b62 100644 --- a/tasks/section_1/cis_1.1.10.yml +++ b/tasks/section_1/cis_1.1.10.yml @@ -20,6 +20,7 @@ name: usb-storage state: absent when: ansible_connection != 'docker' + notify: Update_Initramfs when: - ubtu22cis_rule_1_1_10 - not ubtu22cis_allow_usb_storage From a478bd4273c34e77c2e002e305abc2c949e6c658 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jan 2024 11:59:34 +0000 Subject: [PATCH 07/44] issue #180 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.x.yml | 30 +++++++++++++++++++++++------- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 1894dead..d2656e14 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml 
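Review bot: `notify: Update_Initramfs` is attached to the `state: absent` task that unloads the module, which only reports changed when the module was currently loaded, so on a host where cramfs was never loaded no initramfs rebuild is triggered even if the modprobe.d entries changed; the same applies to the squashfs and udf hunks and to the usb-storage hunk in cis_1.1.10.yml. Since the initramfs includes modprobe.d configuration, the notify presumably belongs on the task that writes the blacklist/install entries (outside this hunk) as well — confirm against that task. The enclosing 1.1.1.1 task starts before this hunk and its `tags:` continue after it.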
@@ -107,13 +107,29 @@ - notimplemented - name: 5.4.3 | PATCH | Ensure password reuse is limited" - community.general.pamd: - name: common-password - type: password - control: '[success=1 default=ignore]' - module_path: pam_unix.so - module_arguments: "remember={{ ubtu22cis_pamd_pwhistory_remember }}" - state: args_present + block: + - name: "5.4.3 | PATCH | Ensure password reuse is limited | Add pam_unix or edit it accordingly" + community.general.pamd: + name: common-password + type: password + control: '[success=1 default=ignore]' + module_path: pam_unix.so + module_arguments: 'obscure + yescrypt' + state: args_present + + - name: "5.4.3 | PATCH | Ensure password reuse is limited| Set remember value after adding pam unix" + community.general.pamd: + name: common-password + type: password + control: '[success=1 default=ignore]' + module_path: pam_unix.so + new_type: password + new_module_path: pam_pwhistory.so + new_control: required + module_arguments: 'use_authtok + remember={{ ubtu22cis_pamd_pwhistory_remember }}' + state: before when: - ubtu22cis_rule_5_4_3 tags: From cec3f0d63c6a73a04a0e105ae64ae01609e118eb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jan 2024 12:41:11 +0000 Subject: [PATCH 08/44] issue #182 addressed pwquality enhancement thanks to @ma3s7ro Signed-off-by: Mark Bolwell --- defaults/main.yml | 20 ++++++++++++++++++++ tasks/section_5/cis_5.4.x.yml | 13 +++++++++++-- 2 files changed, 31 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 878534cb..6ccff70a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
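Review bot: This re-applies the 5.4.3 rewrite from PATCH 01 but keeps the task name as the context line `- name: 5.4.3 | PATCH | Ensure password reuse is limited"`, a plain scalar with a stray trailing `"`; PATCH 01 changed it to `- name: "5.4.3 | PATCH | Ensure password reuse is limited"` and this version should match. The points raised on PATCH 01 apply to the block body here as well (hard-coded `yescrypt` rather than `{{ ubtu22cis_passwd_hash_algo }}`, leftover `remember=` on pam_unix not removed, space missing in `limited| Set`). The enclosing task's `tags:` continue past the hunk.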
@@ -938,6 +938,26 @@ ubtu22cis_sudo_timestamp_timeout: 15 # CIS requires that such a group be created (named according to site policy) and be kept empty. ubtu22cis_sugroup: nosugroup +## Control 5.4.1 +# This variable allows us to use either +# + +ubtu22cis_pwquality_minclass: false +ubtu22cis_pwquality_minclass_value: '4' +ubtu22cis_pwquality: + - key: '#minclass' + value: "{{ ubtu22cis_pwquality_minclass_value }}" + - key: 'minlen' + value: '14' + - key: 'dcredit' + value: '-1' + - key: 'ucredit' + value: '-1' + - key: 'ocredit' + value: '-1' + - key: 'lcredit' + value: '-1' + ## Control 5.4.3 # This variable represents the number of password change cycles, after which # a user can re-use a password. diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index d2656e14..ed69a594 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -16,8 +16,17 @@ - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add minclass" ansible.builtin.lineinfile: path: /etc/security/pwquality.conf - regexp: '^minclass|^# minclass' - line: 'minclass = 4' + regexp: ^minclass + line: "minclass = {{ ubtu22cis_pwquality_minclass_value }}" + when: ubtu22cis_pwquality_minclass + + - name: "5.4.1 | PATCH | Ensure password creation requirements are configured | Add extended keys" + ansible.builtin.lineinfile: + path: /etc/security/pwquality.conf + regexp: ^{{ item.key }} + line: "{{ item.key }} = {{ item.value }}" + loop: "{{ ubtu22cis_pwquality }}" + when: not ubtu22cis_pwquality_minclass - name: "5.4.1 | AUDIT | Ensure password creation requirements are configured | Confirm pwquality module in common-password" ansible.builtin.shell: grep 'password.*requisite.*pam_pwquality.so' /etc/pam.d/common-password From 9e1393c691bd10a717ad41834757b34c66deda09 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jan 2024 16:31:18 +0000 Subject: [PATCH 09/44] issue #184 container updates 
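Review bot: The comment introduced under `## Control 5.4.1` stops mid-sentence (`# This variable allows us to use either` followed by an empty `#`), so the reader never learns what `ubtu22cis_pwquality_minclass` toggles; suggest `# When true, only minclass (ubtu22cis_pwquality_minclass_value) is written to pwquality.conf; when false, the ubtu22cis_pwquality key/value list is written instead.` The first list entry's key `'#minclass'` is not a pwquality option but the commented-out line the task writes when minclass is off; a one-line comment saying so would stop someone "fixing" it into `minclass`. Quoting the numeric values as strings (`'14'`, `'-1'`) is appropriate here since they are interpolated into lineinfile text.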
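Review bot: In the "Add extended keys" task (second hunk), `regexp: ^{{ item.key }}` becomes `^#minclass` for the first list entry, which does not match an active `minclass = 4` line left by an earlier run with `ubtu22cis_pwquality_minclass: true`; the task then appends `#minclass = 4` while the live minclass setting stays in force alongside the extended keys. A pattern that matches both forms, `regexp: "^#?{{ item.key | regex_replace('^#', '') }}"`, or a dedicated task that comments out `minclass` when the toggle is false, would make the switch effective. Also, the new `regexp: ^minclass` no longer covers the `# minclass` comment form that the removed `^minclass|^# minclass` did, so a commented default is left in place and a second line appended — harmless, but noisier than before.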
Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 +- tasks/section_1/main.yml | 15 +++++- tasks/section_5/main.yml | 3 ++ vars/is_container.yml | 104 +++++++++++++++++++++++++++++++++++++++ vars/main.yml | 5 ++ 5 files changed, 128 insertions(+), 3 deletions(-) create mode 100644 vars/is_container.yml diff --git a/defaults/main.yml b/defaults/main.yml index 6ccff70a..4d9ac266 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -40,7 +40,7 @@ ubtu22cis_ask_passwd_to_boot: false # is executed on a container image and sets the variable # system_is_container the true. Otherwise, the default value # 'false' is left unchanged. -system_is_container: false +container_vars_file: is_container.yml ## Root user used # Root by default is not used unless setup by user @@ -942,7 +942,7 @@ ubtu22cis_sugroup: nosugroup # This variable allows us to use either # -ubtu22cis_pwquality_minclass: false +ubtu22cis_pwquality_minclass: true ubtu22cis_pwquality_minclass_value: '4' ubtu22cis_pwquality: - key: '#minclass' diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index e8a6ef89..d8ac800f 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -7,10 +7,12 @@ - name: "SECTION | 1.1.2 | configure /tmp" ansible.builtin.import_tasks: file: cis_1.1.2.x.yml + when: not system_is_container - name: "SECTION | 1.1.3 | configure /var" ansible.builtin.import_tasks: file: cis_1.1.3.x.yml + when: not system_is_container - name: "SECTION | 1.1.4 | configure /var/tmp" ansible.builtin.import_tasks: 
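Review bot: In the defaults/main.yml hunk the three comment lines kept as context above the renamed key still describe `system_is_container` ("sets the variable system_is_container the true"), but the key beneath them is now `container_vars_file: is_container.yml`, and that same comment is copied into vars/main.yml in this commit. The defaults comment should describe the new key instead, e.g. `# Vars file (under vars/) loaded when the role detects it is running in a container; it overrides rule toggles for that case.` — how the file is actually loaded is not visible here (presumably include_vars in tasks/main.yml), so confirm the wording against that task.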
@@ -19,30 +21,37 @@ - name: "SECTION | 1.1.5 | configure /var/log" ansible.builtin.import_tasks: file: cis_1.1.5.x.yml + when: not system_is_container - name: "SECTION | 1.1.6 | configure /var/log/audit" ansible.builtin.import_tasks: file: cis_1.1.6.x.yml + when: not system_is_container - name: "SECTION | 1.1.7 | configure /home" ansible.builtin.import_tasks: file: cis_1.1.7.x.yml + when: not system_is_container - name: "SECTION | 1.1.8 | configure /dev/shm" ansible.builtin.import_tasks: file: cis_1.1.8.x.yml + when: not system_is_container - name: "SECTION | 1.1.9 | configure software updates" ansible.builtin.import_tasks: file: cis_1.1.9.yml + when: not system_is_container - name: "SECTION | 1.1.10 | Disable USB storage" ansible.builtin.import_tasks: file: cis_1.1.10.yml + when: not system_is_container - name: "SECTION | 1.2 | Configure Software Updates" ansible.builtin.import_tasks: file: cis_1.2.x.yml + when: not system_is_container - name: "SECTION | 1.3. | Filesystem Integrity Checking" ansible.builtin.import_tasks: @@ -55,6 +64,7 @@ - name: "SECTION | 1.5 | Additional Process Hardening" ansible.builtin.import_tasks: file: cis_1.5.x.yml + when: not system_is_container - name: "SECTION | 1.6 | Mandatory Access Control" ansible.builtin.import_tasks: @@ -67,8 +77,11 @@ - name: "SECTION | 1.8 | GNOME Display Manager" ansible.builtin.import_tasks: file: cis_1.8.x.yml - when: "'gdm3' in ansible_facts.packages" + when: + - "'gdm3' in ansible_facts.packages" + - not system_is_container - name: "SECTION | 1.9 | Ensure updates, patches, and additional security software are installed" ansible.builtin.import_tasks: file: cis_1.9.yml + when: not system_is_container diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 2dba103e..b5bc9184 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml 
@@ -7,14 +7,17 @@ - name: "SECTION | 5.2 | Configure sudo" ansible.builtin.import_tasks: file: cis_5.2.x.yml + when: not system_is_container - name: "SECTION | 5.3 | Configure SSH Server" ansible.builtin.import_tasks: file: cis_5.3.x.yml + when: not system_is_container - name: "SECTION | 5.4.x | User PAM" ansible.builtin.import_tasks: file: cis_5.4.x.yml + when: not system_is_container - name: "SECTION | 5.5.x | User Accounts and Environment" ansible.builtin.import_tasks: diff --git a/vars/is_container.yml b/vars/is_container.yml new file mode 100644 index 00000000..4c93d6be --- /dev/null +++ b/vars/is_container.yml 
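Review bot: The section labels in this hunk do not match the files they import: `SECTION | 5.2 | Configure sudo` imports cis_5.2.x.yml, which (per the lint commit later in this series) holds the sshd_config tasks, and `SECTION | 5.3 | Configure SSH Server` imports cis_5.3.x.yml, which holds the sudo/su tasks (5.3.2, 5.3.7). Now that `when: not system_is_container` is applied per section, accurate labels matter to anyone deciding which sections to skip; rename to `SECTION | 5.2 | Configure SSH Server` and `SECTION | 5.3 | Configure sudo`. Skipping all of 5.4.x (PAM) inside containers also disables password-quality and lockout controls for images that keep local accounts; that trade-off is worth stating in the is_container.yml header comment.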
@@ -0,0 +1,104 @@ +--- + +# File to skip controls if container +# Based on standard image no changes +# it expected all pkgs required for the container are alreday installed + +## controls + +# Firewall +ubtu22cis_firewall_package: None + +# Filesystems + +## Related individual rules +# Aide +ubtu22cis_rule_1_4_1: false +ubtu22cis_rule_1_4_2: false + +# AppArmor +ubtu22cis_rule_1_6_1: false +ubtu22cis_rule_1_6_2: false +ubtu22cis_rule_1_6_3: false +ubtu22cis_rule_1_6_4: false + +# time sync +ubtu22cis_rule_2_1_1_1: false +ubtu22cis_rule_2_2_1_2: false + +# Auditd +ubtu22cis_rule_4_1_1_1: true +ubtu22cis_rule_4_1_1_2: true +ubtu22cis_rule_4_1_1_3: true +ubtu22cis_rule_4_1_1_4: true +ubtu22cis_rule_4_1_2_1: true +ubtu22cis_rule_4_1_2_2: true +ubtu22cis_rule_4_1_2_3: true +# Auditd rules +ubtu22cis_rule_4_1_3_1: true +ubtu22cis_rule_4_1_3_2: true +ubtu22cis_rule_4_1_3_3: true +ubtu22cis_rule_4_1_3_4: true +ubtu22cis_rule_4_1_3_5: true +ubtu22cis_rule_4_1_3_6: true +ubtu22cis_rule_4_1_3_7: true +ubtu22cis_rule_4_1_3_8: true +ubtu22cis_rule_4_1_3_9: true +ubtu22cis_rule_4_1_3_10: true +ubtu22cis_rule_4_1_3_11: true +ubtu22cis_rule_4_1_3_12: true +ubtu22cis_rule_4_1_3_13: true +ubtu22cis_rule_4_1_3_14: true +ubtu22cis_rule_4_1_3_15: true +ubtu22cis_rule_4_1_3_16: true +ubtu22cis_rule_4_1_3_17: true +ubtu22cis_rule_4_1_3_18: true +ubtu22cis_rule_4_1_3_19: true +ubtu22cis_rule_4_1_3_20: true +ubtu22cis_rule_4_1_3_21: true +# Auditd file access +ubtu22cis_rule_4_1_4_1: true +ubtu22cis_rule_4_1_4_2: true +ubtu22cis_rule_4_1_4_3: true +ubtu22cis_rule_4_1_4_4: true +ubtu22cis_rule_4_1_4_5: true +ubtu22cis_rule_4_1_4_6: true +ubtu22cis_rule_4_1_4_7: true +ubtu22cis_rule_4_1_4_8: true +ubtu22cis_rule_4_1_4_9: true +ubtu22cis_rule_4_1_4_10: true +ubtu22cis_rule_4_1_4_11: true + +# cron +ubtu22cis_rule_5_1_1: false +ubtu22cis_rule_5_1_2: false +ubtu22cis_rule_5_1_3: false +ubtu22cis_rule_5_1_4: false +ubtu22cis_rule_5_1_5: false +ubtu22cis_rule_5_1_6: false +ubtu22cis_rule_5_1_7: 
false +ubtu22cis_rule_5_1_8: false + +# ssh +ubtu22cis_rule_5_2_1: false +ubtu22cis_rule_5_2_2: false +ubtu22cis_rule_5_2_3: false +ubtu22cis_rule_5_2_4: false +ubtu22cis_rule_5_2_5: false +ubtu22cis_rule_5_2_6: false +ubtu22cis_rule_5_2_7: false +ubtu22cis_rule_5_2_8: false +ubtu22cis_rule_5_2_9: false +ubtu22cis_rule_5_2_10: false +ubtu22cis_rule_5_2_11: false +ubtu22cis_rule_5_2_12: false +ubtu22cis_rule_5_2_13: false +ubtu22cis_rule_5_2_14: false +ubtu22cis_rule_5_2_15: false +ubtu22cis_rule_5_2_16: false +ubtu22cis_rule_5_2_17: false +ubtu22cis_rule_5_2_18: false +ubtu22cis_rule_5_2_19: false +ubtu22cis_rule_5_2_20: false +ubtu22cis_rule_5_2_21: false +ubtu22cis_rule_5_2_22: false diff --git a/vars/main.yml b/vars/main.yml index 1b9bcfc8..b54e16fd 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -2,6 +2,11 @@ min_ansible_version: 2.10.1 +# The role discovers dynamically (in tasks/main.yml) whether it +# is executed on a container image and sets the variable +# system_is_container the true. Otherwise, the default value +# 'false' is left unchanged. +system_is_container: false # Used to control warning summary warn_control_list: "" warn_count: 0 From d37c1a8a853f6c5940630be83c7d5dfa5cc763e7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jan 2024 16:52:30 +0000 Subject: [PATCH 10/44] lint updates Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.2.x.yml | 2 +- tasks/section_5/cis_5.3.x.yml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index ed219bf3..68ac2c85 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -123,7 +123,7 @@ ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^LogLevel|^#LogLevel' - line: 'LogLevel {{ ubtu22cis_sshd.log_level }}' + line: "LogLevel {{ ubtu22cis_sshd.log_level }}" insertafter: '^# Logging' validate: 'sshd -t -f %s' notify: restart sshd 
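Review bot: In vars/is_container.yml, `ubtu22cis_firewall_package: None` is parsed by YAML as the string `"None"`, not as null, so a comparison against package names or a null check in the firewall tasks (not visible here) behaves differently depending on which was meant; write the sentinel the firewall tasks actually test for and quote it, e.g. `ubtu22cis_firewall_package: 'none'`, so the intent is explicit. The header comment has typos (`alreday`, "it expected") and should say how the file is loaded (it is referenced as `container_vars_file` in defaults/main.yml in this commit). If leaving every 4.1.x auditd toggle at `true` is deliberate documentation rather than an override, a one-line comment saying so would explain the long block.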
diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index 334c63f4..bd495b19 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -114,7 +114,6 @@ - name: "5.3.7 | PATCH | Ensure access to the su command is restricted" block: - - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists" ansible.builtin.group: name: "{{ ubtu22cis_sugroup }}" From e68b073a2ce0c5bbecce4aa3c6838c89adf23d33 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 9 Jan 2024 16:53:03 +0000 Subject: [PATCH 11/44] updated Signed-off-by: Mark Bolwell --- Changelog.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Changelog.md b/Changelog.md index dbd4df7d..416e3ed9 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,14 @@ ## Based on CIS V1.0.0 +### 1.0.9 + +- #144 usb-blacklisting - thanks to @paulquevedojdrf +- #152 and #170 Added ssh validate to tasks - thanks to @dderemiah and @twadelij +- #180 and #181 password reuse 5.3.4 - thanks to @DianaMariaDDM +- #182 pwquality enhancement New variable to allow extended or minclass (default)options - thanks to @ma3s7ro +- #184 Initial container config feedback required - thansk to @ipruteanu-sie + ### 1.0.8 - updated goss binary to 0.4.4 From ab6f9dac5fbde14be89386421c1e64285aa4ea5c Mon Sep 17 00:00:00 2001 From: Dan D Date: Tue, 16 Jan 2024 18:20:16 -0800 Subject: [PATCH 12/44] improves command collection to match CIS bench Signed-off-by: Dan D --- tasks/section_4/cis_4.1.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index da145e6e..6c1018d2 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml 
@@ -70,7 +70,7 @@ - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" block: - name: "4.1.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" - ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done + ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done register: priv_procs changed_when: false check_mode: false From d37b6e6c9403b4f9e975b6fbd95c83d30622feef Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 09:34:32 +0200 Subject: [PATCH 13/44] Fixing first syntax issue from https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/ubuntu22-cis/-/issues/71 Signed-off-by: Diana-Maria Dumitru --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 154d0a8e..a44592ce 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -133,7 +133,7 @@ - auditd - always -- name: "PRELIM | 5.3.4 | Find all sudoers files." +- name: "PRELIM | 5.3.4 | 5.3.5 | Find all sudoers files." ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false From d2242dd1749c5c2bb1172aaf5850db9d85d5bbdc Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 09:57:57 +0200 Subject: [PATCH 14/44] Fixing second syntax issue from https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/ubuntu22-cis/-/issues/71 Signed-off-by: Diana-Maria Dumitru --- tasks/prelim.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 154d0a8e..c69dab5c 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -177,6 +177,12 @@ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/false") { print $6 }' changed_when: false register: interactive_users_home + when: + - ubtu22cis_rule_6_2_11 or + ubtu22cis_rule_6_2_13 or + ubtu22cis_rule_6_2_14 or + ubtu22cis_rule_6_2_15 or + ubtu22cis_rule_6_2_16 tags: - always @@ -207,10 +213,6 @@ changed_when: false check_mode: false register: ubtu22cis_users - when: - - ubtu22cis_rule_6_2_14 or - ubtu22cis_rule_6_2_15 or - ubtu22cis_rule_6_2_16 tags: - always From a8c18824e6ced887cd9f76ae2544045b56c73b10 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 10:08:35 +0200 Subject: [PATCH 15/44] Fixing third syntax issue from https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/ubuntu22-cis/-/issues/71 Signed-off-by: Diana-Maria Dumitru --- tasks/section_2/cis_2.2.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 43a08762..baa622ea 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -349,6 +349,7 @@ - ubtu22cis_rsync_server == 'mask' when: - "'rsync' in ansible_facts.packages" + - ubtu22cis_rule_2_2_16 tags: - level1-server - level1-workstation From 808b154cbdf28e2b55c1ed60f44e3e4702b6f149 Mon Sep 17 00:00:00 2001 
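Review bot: Adding the `when:` list to the `interactive_users_home` prelim task means it is skipped when none of rules 6.2.11/13/14/15/16 is enabled, and a skipped task's registered variable has no `stdout`/`stdout_lines`; any task outside this hunk that reads `interactive_users_home.stdout_lines` under a rule not in that list would then fail on an undefined attribute — worth grepping the role before merging. The second hunk drops the guard from the `ubtu22cis_users` task entirely, so that shell now runs on every play; if it is only consumed by 6.2.14–16, the guard could stay there. PATCH 18 later in this series re-applies exactly the same change on a different base, so the series carries it twice.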
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 22 Jan 2024 17:33:56 +0000 Subject: [PATCH 16/44] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v6.22.1 → v6.22.2](https://github.com/ansible-community/ansible-lint/compare/v6.22.1...v6.22.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 911d4714..43020660 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,7 +42,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.1 + rev: v6.22.2 hooks: - id: ansible-lint name: Ansible-lint From 211262334f9b8b09b86c547b82c8b1da94d51ad8 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 09:34:32 +0200 Subject: [PATCH 17/44] Fixing first syntax issue from https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/ubuntu22-cis/-/issues/71 Signed-off-by: Diana-Maria Dumitru --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 61108164..a1a5d171 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -133,7 +133,7 @@ - auditd - always -- name: "PRELIM | 5.3.4 | Find all sudoers files." +- name: "PRELIM | 5.3.4 | 5.3.5 | Find all sudoers files." ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false From c9be356ab8e107bad69105d0dd393deb802e63b6 Mon Sep 17 00:00:00 2001 
From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 09:57:57 +0200 Subject: [PATCH 18/44] Fixing second syntax issue from https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/ubuntu22-cis/-/issues/71 Signed-off-by: Diana-Maria Dumitru --- tasks/prelim.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 61108164..0388ecd6 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -177,6 +177,12 @@ grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/false") { print $6 }' changed_when: false register: interactive_users_home + when: + - ubtu22cis_rule_6_2_11 or + ubtu22cis_rule_6_2_13 or + ubtu22cis_rule_6_2_14 or + ubtu22cis_rule_6_2_15 or + ubtu22cis_rule_6_2_16 tags: - always @@ -207,10 +213,6 @@ changed_when: false check_mode: false register: ubtu22cis_users - when: - - ubtu22cis_rule_6_2_14 or - ubtu22cis_rule_6_2_15 or - ubtu22cis_rule_6_2_16 tags: - always From e3a97e3efd8159c4d76777e226a894a00889de5e Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 10:08:35 +0200 Subject: [PATCH 19/44] Fixing third syntax issue from https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/ubuntu22-cis/-/issues/71 Signed-off-by: Diana-Maria Dumitru --- tasks/section_2/cis_2.2.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 43a08762..baa622ea 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -349,6 +349,7 @@ - ubtu22cis_rsync_server == 'mask' when: - "'rsync' in ansible_facts.packages" + - ubtu22cis_rule_2_2_16 tags: - level1-server - level1-workstation From f8c1f54a669e6186b9d6140d453f6a76a09df643 Mon Sep 17 00:00:00 2001 
From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 13:02:07 +0200 Subject: [PATCH 20/44] Small documentation fix by adding the description right above each variable from the "ubtu22cis_aide_init" dictionary. Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 878534cb..09517944 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -543,8 +543,10 @@ ubtu22cis_config_aide: true ## When Initializing aide this can take longer on some systems # changing the values enables user to change to thier own requirements ubtu22cis_aide_init: - async: 45 # Maximum Time in seconds - poll: 0 # Polling Interval in seconds + # Maximum Time in seconds + async: 45 + # Polling Interval in seconds + poll: 0 ## Control 1.3.2 # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. From b30145c55505dabb141d967bcff46138c80d6ca8 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 13:09:51 +0200 Subject: [PATCH 21/44] Small documentation fix by adding in the description of some variables the "Controls" keyword. Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 09517944..f9acc40f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -599,7 +599,7 @@ ubtu22cis_set_boot_pass: false ubtu22cis_grub_file: /boot/grub/grub.cfg -## 1.5.x +## Controls 1.5.x # Ability to set file in which the kernel systcl changes are placed ubtu22cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf 
@@ -750,7 +750,7 @@ ubtu22cis_audit_back_log_limit: 8192 # This should be set based on your sites policy. CIS does not provide a specific value. ubtu22cis_max_log_file_size: 10 -## 4.1.3.x - Audit template +## Controls 4.1.3.x - Audit template # This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the # audit settings are overwritten with the role's template. In order to exclude # specific rules, you must set the variable of form `ubtu22cis_rule_4_1_3_x` above From 55f660fde3261103173c7515764b0f5ee73cc32d Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 13:13:21 +0200 Subject: [PATCH 22/44] Small documentation fix by adding double "#" before the title of some of the variables' description. Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f9acc40f..6b09d4f4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -946,7 +946,7 @@ ubtu22cis_sugroup: nosugroup # CIS requires a value of 5 or more. ubtu22cis_pamd_pwhistory_remember: 5 -# Control 5.4.2 +## Control 5.4.2 # This can seriously break access to a system ## The end state the file /etc/pam.d/common-auth need to be understood ## If using external auth providers this will be very different @@ -957,7 +957,7 @@ ubtu22cis_rule_5_4_2_faillock_config: | auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc -# Control 5.4.4 +## Control 5.4.4 # ubtu22cis_passwd_hash_algo is the hashing algorithm used ubtu22cis_passwd_hash_algo: yescrypt # pragma: allowlist secret # Set pam as well as login defs if PAM is required From e3bc5f7fb472e1b107d9d00e5118f9a7c597bda5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 25 Jan 2024 12:15:13 +0000 Subject: [PATCH 23/44] Updated to allow multiple inv groups for audit 
Signed-off-by: Mark Bolwell --- Changelog.md | 4 +++- tasks/post_remediation_audit.yml | 2 +- tasks/pre_remediation_audit.yml | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/Changelog.md b/Changelog.md index 416e3ed9..906d97e7 100644 --- a/Changelog.md +++ b/Changelog.md @@ -4,11 +4,13 @@ ### 1.0.9 +- updated audit command to allow multiple groups from inventory + - #144 usb-blacklisting - thanks to @paulquevedojdrf - #152 and #170 Added ssh validate to tasks - thanks to @dderemiah and @twadelij - #180 and #181 password reuse 5.3.4 - thanks to @DianaMariaDDM - #182 pwquality enhancement New variable to allow extended or minclass (default)options - thanks to @ma3s7ro -- #184 Initial container config feedback required - thansk to @ipruteanu-sie +- #184 Initial container config feedback required - thanks to @ipruteanu-sie ### 1.0.8 diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index eb01bc75..2c51bbb0 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,7 +1,7 @@ --- - name: Post Audit | Run post_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 258171a1..e3a261e7 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
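Review bot: Wrapping `{{ group_names }}` in escaped double quotes in post_remediation_audit.yml still hands `ansible.builtin.shell` a Jinja-rendered Python list repr (`['grp_a', 'grp_b']`), and double quotes do not stop the shell from expanding `$`, backticks or an embedded `"` inside a group name. Prefer `-g {{ group_names | join(',') | quote }}` (or `-g {{ group_names | quote }}` if run_audit.sh really expects the list literal) so the argument is shell-escaped rather than merely quoted, which also removes the `\"` escaping from the YAML string. Inventory group names are controller-side data, so this is hygiene rather than an exploitable hole; I cannot see how run_audit.sh parses `-g`, so confirm the expected separator before changing it.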
@@ -77,7 +77,7 @@ mode: '0600' - name: Pre Audit | Run pre_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" From 504eb15ecece8a1964797fba606da60060914700 Mon Sep 17 00:00:00 2001 From: joshavant <830519+joshavant@users.noreply.github.com> Date: Thu, 25 Jan 2024 19:24:34 -0600 Subject: [PATCH 24/44] Respect ipv6_disable mechanism Signed-off-by: joshavant <830519+joshavant@users.noreply.github.com> --- tasks/section_3/cis_3.2.x.yml | 1 + tasks/section_3/cis_3.3.x.yml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index f497c448..e12f9118 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -48,6 +48,7 @@ state: present reload: true ignoreerrors: true + when: ubtu22cis_ipv6_disable == 'sysctl' notify: - Flush ipv6 route table diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index c4915cca..67b13df4 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -25,6 +25,7 @@ state: present reload: true ignoreerrors: true + when: ubtu22cis_ipv6_disable == 'sysctl' with_items: - net.ipv6.conf.all.accept_source_route - net.ipv6.conf.default.accept_source_route @@ -66,6 +67,7 @@ state: present reload: true ignoreerrors: true + when: ubtu22cis_ipv6_disable == 'sysctl' with_items: - net.ipv6.conf.all.accept_redirects - net.ipv6.conf.default.accept_redirects From 6bd6371b83d641aa2983577b3bd67cee594f9db6 Mon Sep 17 00:00:00 2001 
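Review bot: The pre_remediation_audit.yml change has the same shape as the post-audit one: `\"{{ group_names }}\"` quotes a rendered list repr but does not escape it for the shell. Use `-g {{ group_names | join(',') | quote }}` (or `| quote` on the list if that is what run_audit.sh expects) so both audit invocations build the argument the same way.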
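Review bot: Gating the accept_source_route and accept_redirects sysctls in cis_3.3.x.yml on `ubtu22cis_ipv6_disable == 'sysctl'` ties IPv6 hardening to the disable mechanism rather than to whether IPv6 is enabled, so a host that keeps IPv6 on while leaving the variable at a grub-style default would skip these controls and keep accepting IPv6 redirects and source-routed packets. Even on a host meant to be disabled via grub, the Grub update handler runs with `failed_when: false` (see the handlers hunk in patch 34), so a failed update-grub leaves IPv6 live with none of these sysctls applied. If the intent is "skip when IPv6 is kernel-disabled", condition on the actual state, e.g. `when: ubtu22cis_ipv6_required or ubtu22cis_ipv6_disable == 'sysctl'`, or check `'ipv6.disable=1' not in ubtu22cis_3_1_1_cmdline_settings.stdout`; the variable semantics are not visible here, so confirm which values it admits.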
From: Diana-Maria Dumitru Date: Wed, 22 Nov 2023 14:41:26 +0200 Subject: [PATCH 25/44] Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/ubuntu22-cis/-/issues/69! Signed-off-by: Diana-Maria Dumitru --- tasks/section_5/cis_5.4.x.yml | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 1894dead..ef1e6769 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -106,14 +106,30 @@ - pam - notimplemented -- name: 5.4.3 | PATCH | Ensure password reuse is limited" - community.general.pamd: - name: common-password - type: password - control: '[success=1 default=ignore]' - module_path: pam_unix.so - module_arguments: "remember={{ ubtu22cis_pamd_pwhistory_remember }}" - state: args_present +- name: "5.4.3 | PATCH | Ensure password reuse is limited" + block: + - name: "5.4.3 | PATCH | Ensure password reuse is limited | Add pam_unix or edit it accordingly" + community.general.pamd: + name: common-password + type: password + control: '[success=1 default=ignore]' + module_path: pam_unix.so + module_arguments: 'obscure + yescrypt' + state: args_present + + - name: "5.4.3 | PATCH | Ensure password reuse is limited| Set remember value after adding pam unix" + community.general.pamd: + name: common-password + type: password + control: '[success=1 default=ignore]' + module_path: pam_unix.so + new_type: password + new_module_path: pam_pwhistory.so + new_control: required + module_arguments: 'use_authtok + remember={{ ubtu22cis_pamd_pwhistory_remember }}' + state: before when: - ubtu22cis_rule_5_4_3 tags: From e8aabeaa07e2e4928a5e41b403b756066b9d431b Mon Sep 17 00:00:00 2001 
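Review bot: The first pamd task hardcodes `module_arguments: 'obscure yescrypt'` on the pam_unix line, while defaults/main.yml exposes `ubtu22cis_passwd_hash_algo` (default yescrypt, visible in the 5.4.4 context later in this series) for exactly that setting. A site that sets `ubtu22cis_passwd_hash_algo: sha512` ends up with both `sha512` and `yescrypt` added to pam_unix by two different controls; use `module_arguments: 'obscure {{ ubtu22cis_passwd_hash_algo }}'` here, or leave the algorithm to 5.4.4 entirely, so the two cannot disagree. Moving `remember=` from pam_unix to a dedicated pam_pwhistory line is the right direction, but `state: args_present` does not remove the `remember=N` that the previous version of this task put on pam_unix, so already-remediated hosts keep a stale argument there unless a `state: args_absent` step with `module_arguments: remember` is added first.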
From: Diana-Maria Dumitru Date: Wed, 22 Nov 2023 14:41:26 +0200 Subject: [PATCH 26/44] Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/ubuntu22-cis/-/issues/69! Signed-off-by: Diana-Maria Dumitru --- tasks/section_5/cis_5.4.x.yml | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 1894dead..ef1e6769 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -106,14 +106,30 @@ - pam - notimplemented -- name: 5.4.3 | PATCH | Ensure password reuse is limited" - community.general.pamd: - name: common-password - type: password - control: '[success=1 default=ignore]' - module_path: pam_unix.so - module_arguments: "remember={{ ubtu22cis_pamd_pwhistory_remember }}" - state: args_present +- name: "5.4.3 | PATCH | Ensure password reuse is limited" + block: + - name: "5.4.3 | PATCH | Ensure password reuse is limited | Add pam_unix or edit it accordingly" + community.general.pamd: + name: common-password + type: password + control: '[success=1 default=ignore]' + module_path: pam_unix.so + module_arguments: 'obscure + yescrypt' + state: args_present + + - name: "5.4.3 | PATCH | Ensure password reuse is limited| Set remember value after adding pam unix" + community.general.pamd: + name: common-password + type: password + control: '[success=1 default=ignore]' + module_path: pam_unix.so + new_type: password + new_module_path: pam_pwhistory.so + new_control: required + module_arguments: 'use_authtok + remember={{ ubtu22cis_pamd_pwhistory_remember }}' + state: before when: - ubtu22cis_rule_5_4_3 tags: From 8fdf8408071ca0fdf86629314ee2fc7e8b142c98 Mon Sep 17 00:00:00 2001 
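Review bot: The second pamd task relies on `state: before` to both insert pam_pwhistory ahead of pam_unix and carry `remember={{ ubtu22cis_pamd_pwhistory_remember }}`, but as I understand the module it only compares type/control/module_path when deciding whether that rule already precedes pam_unix, so a later change to `ubtu22cis_pamd_pwhistory_remember` will not update the `remember=` value on hosts already remediated. A follow-up task with `module_path: pam_pwhistory.so`, `control: required`, `module_arguments: 'remember={{ ubtu22cis_pamd_pwhistory_remember }}'` and `state: args_present` would make the value converge; verify by running twice with the variable changed between runs. This also argues for a task comment explaining that the two-step shape exists because pam_unix is the anchor for the insertion, which is not obvious from the task names.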
From: Diana-Maria Dumitru Date: Wed, 22 Nov 2023 14:41:26 +0200 Subject: [PATCH 27/44] Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/ubuntu22-cis/-/issues/69! Signed-off-by: Diana-Maria Dumitru --- tasks/section_5/cis_5.4.x.yml | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 1894dead..ef1e6769 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -106,14 +106,30 @@ - pam - notimplemented -- name: 5.4.3 | PATCH | Ensure password reuse is limited" - community.general.pamd: - name: common-password - type: password - control: '[success=1 default=ignore]' - module_path: pam_unix.so - module_arguments: "remember={{ ubtu22cis_pamd_pwhistory_remember }}" - state: args_present +- name: "5.4.3 | PATCH | Ensure password reuse is limited" + block: + - name: "5.4.3 | PATCH | Ensure password reuse is limited | Add pam_unix or edit it accordingly" + community.general.pamd: + name: common-password + type: password + control: '[success=1 default=ignore]' + module_path: pam_unix.so + module_arguments: 'obscure + yescrypt' + state: args_present + + - name: "5.4.3 | PATCH | Ensure password reuse is limited| Set remember value after adding pam unix" + community.general.pamd: + name: common-password + type: password + control: '[success=1 default=ignore]' + module_path: pam_unix.so + new_type: password + new_module_path: pam_pwhistory.so + new_control: required + module_arguments: 'use_authtok + remember={{ ubtu22cis_pamd_pwhistory_remember }}' + state: before when: - ubtu22cis_rule_5_4_3 tags: From a80de3a0fc61f9e94286ee33ca07b2e73f01ca0a Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Mon, 29 Jan 2024 13:54:10 +0200 Subject: [PATCH 28/44] Removing some trailing whitespaces 
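Review bot: This is the third identical copy of the 5.4.3 hunk in this series (patches 01, 25, 26 and 27 all carry `index 1894dead..ef1e6769`), which looks like a rebase or cherry-pick artefact; the later copies will apply as no-ops or conflicts and should be dropped before merge. On the content, `use_authtok` on the inserted pam_pwhistory line makes it consume a password already collected by an earlier password-type module (pam_pwquality from 5.4.1 in the usual Ubuntu common-password stack); if 5.4.1 is disabled or libpam-pwquality is absent, pam_pwhistory becomes the first module and, to my recollection, fails the change with no token available. Either gate `use_authtok` on `ubtu22cis_rule_5_4_1` or document the dependency in a comment on the task, e.g. `# use_authtok requires pam_pwquality (5.4.1) to be stacked before this line`.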
Signed-off-by: Diana-Maria Dumitru --- tasks/section_5/cis_5.4.x.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index ef1e6769..e9c5c4db 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -108,7 +108,7 @@ - name: "5.4.3 | PATCH | Ensure password reuse is limited" block: - - name: "5.4.3 | PATCH | Ensure password reuse is limited | Add pam_unix or edit it accordingly" + - name: "5.4.3 | PATCH | Ensure password reuse is limited | Add pam_unix or edit it accordingly" community.general.pamd: name: common-password type: password @@ -118,7 +118,7 @@ yescrypt' state: args_present - - name: "5.4.3 | PATCH | Ensure password reuse is limited| Set remember value after adding pam unix" + - name: "5.4.3 | PATCH | Ensure password reuse is limited| Set remember value after adding pam unix" community.general.pamd: name: common-password type: password @@ -127,7 +127,7 @@ new_type: password new_module_path: pam_pwhistory.so new_control: required - module_arguments: 'use_authtok + module_arguments: 'use_authtok remember={{ ubtu22cis_pamd_pwhistory_remember }}' state: before when: From 54f219d469e4183074569732c954daa576455c27 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 13:02:07 +0200 Subject: [PATCH 29/44] Small documentation fix by adding the description right above each variable from the "ubtu22cis_aide_init" dictionary. Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 878534cb..09517944 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -543,8 +543,10 @@ ubtu22cis_config_aide: true ## When Initializing aide this can take longer on some systems # changing the values enables user to change to thier own requirements ubtu22cis_aide_init: - async: 45 # Maximum Time in seconds - poll: 0 # Polling Interval in seconds + # Maximum Time in seconds + async: 45 + # Polling Interval in seconds + poll: 0 ## Control 1.3.2 # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. From 1b909e60d48bc497890b733a5125be5ab6d61e6d Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 13:09:51 +0200 Subject: [PATCH 30/44] Small documentation fix by adding in the description of some variables the "Controls" keyword. Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 09517944..f9acc40f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -599,7 +599,7 @@ ubtu22cis_set_boot_pass: false ubtu22cis_grub_file: /boot/grub/grub.cfg -## 1.5.x +## Controls 1.5.x # Ability to set file in which the kernel systcl changes are placed ubtu22cis_sysctl_kernel_conf: /etc/sysctl.d/98_cis_kernel.conf @@ -750,7 +750,7 @@ ubtu22cis_audit_back_log_limit: 8192 # This should be set based on your sites policy. CIS does not provide a specific value. ubtu22cis_max_log_file_size: 10 -## 4.1.3.x - Audit template +## Controls 4.1.3.x - Audit template # This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the # audit settings are overwritten with the role's template. In order to exclude # specific rules, you must set the variable of form `ubtu22cis_rule_4_1_3_x` above From 6458a14851994dbbca46582d20c6301064b06471 Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Wed, 17 Jan 2024 13:13:21 +0200 Subject: [PATCH 31/44] Small documentation fix by adding double "#" before the title of some of the variables' description. 
Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f9acc40f..6b09d4f4 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -946,7 +946,7 @@ ubtu22cis_sugroup: nosugroup # CIS requires a value of 5 or more. ubtu22cis_pamd_pwhistory_remember: 5 -# Control 5.4.2 +## Control 5.4.2 # This can seriously break access to a system ## The end state the file /etc/pam.d/common-auth need to be understood ## If using external auth providers this will be very different @@ -957,7 +957,7 @@ ubtu22cis_rule_5_4_2_faillock_config: | auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc -# Control 5.4.4 +## Control 5.4.4 # ubtu22cis_passwd_hash_algo is the hashing algorithm used ubtu22cis_passwd_hash_algo: yescrypt # pragma: allowlist secret # Set pam as well as login defs if PAM is required From cbac7754ede76a386f355b77b224db47aa16bd6b Mon Sep 17 00:00:00 2001 From: Diana-Maria Dumitru Date: Mon, 29 Jan 2024 14:02:30 +0200 Subject: [PATCH 32/44] Removing some trailing whitespaces Signed-off-by: Diana-Maria Dumitru --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6b09d4f4..24f9197b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -544,9 +544,9 @@ ubtu22cis_config_aide: true # changing the values enables user to change to thier own requirements ubtu22cis_aide_init: # Maximum Time in seconds - async: 45 + async: 45 # Polling Interval in seconds - poll: 0 + poll: 0 ## Control 1.3.2 # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. From c49bc8ad1950695af11484fe76e1472b9be31109 Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 5 Feb 2024 17:36:37 +0000 Subject: [PATCH 33/44] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.1 → v8.18.2](https://github.com/gitleaks/gitleaks/compare/v8.18.1...v8.18.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 43020660..f5c18248 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,7 +36,7 @@ repos: args: [ '--baseline', '.config/.secrets.baseline' ] - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.1 + rev: v8.18.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From a94ac54f52f306383e81d2921db5cc48bb18b718 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 7 Feb 2024 12:21:08 +0000 Subject: [PATCH 34/44] issue #204 addressed Signed-off-by: Mark Bolwell --- handlers/main.yml | 17 ++++------------- tasks/auditd.yml | 18 +----------------- tasks/main.yml | 2 ++ tasks/prelim.yml | 9 +++++++++ vars/main.yml | 3 ++- 5 files changed, 18 insertions(+), 31 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index e5b5df95..7272a9ba 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -2,6 +2,7 @@ - name: Update_Initramfs ansible.builtin.shell: update-initramfs -u + notify: change_requires_reboot - name: Remount tmp ansible.posix.mount: @@ -42,6 +43,7 @@ - name: Grub update ansible.builtin.shell: update-grub failed_when: false + notify: change_requires_reboot - name: Restart timeservice ansible.builtin.systemd: 
@@ -113,31 +115,20 @@ when: - '"No change" not in ubtu22cis_rule_4_1_3_21_augen_check.stdout' -- name: Auditd_immutable_check - ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules - changed_when: false - register: auditd_immutable_check - - name: Audit_immutable_fact ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" notify: change_requires_reboot when: - - auditd_immutable_check.stdout == '1' + - auditd_immutable_check.stdout | length > 0 - name: Restart auditd ansible.builtin.shell: service auditd restart when: - - audit_rules_updated.changed or - rule_4_1_2_1.changed or - rule_4_1_2_2.changed or - rule_4_1_2_3.changed + - audit_rules_updated is defined tags: - skip_ansible_lint -- name: remount tmp - ansible.builtin.shell: mount -o remount /tmp - - name: restart sshd ansible.builtin.systemd: name: sshd diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 71dbf629..3752d4d9 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -10,9 +10,9 @@ register: audit_rules_updated notify: - Auditd rules reload - - Auditd_immutable_check - Audit_immutable_fact - Restart auditd + - change_requires_reboot when: update_audit_template - name: POST | Set up auditd user logging exceptions 
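Review bot: The new `when` on Audit_immutable_fact, `auditd_immutable_check.stdout | length > 0`, is true on every run in which the prelim check executed, because `grep -c` always prints a count and the string `0` has length 1, so the reboot flag is raised even when auditd is not immutable and `augenrules --load` would have sufficed. Test the value instead: `- auditd_immutable_check.stdout | default('0') | int > 0`; the `default` also covers the case where the prelim task was skipped because auditd was not installed, leaving the variable defined but without stdout. The relaxed `Restart auditd` condition `audit_rules_updated is defined` is effectively always true once tasks/auditd.yml has run, since a skipped task still registers; if it is meant to stay permissive so the uid-exclusions notify path also restarts auditd, a comment saying so would stop the next reader from tightening it to `is changed`.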
@@ -25,19 +25,3 @@ notify: Restart auditd when: - ubtu22cis_allow_auditd_uid_user_exclusions - -# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable" -# block: -# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Get status" -# ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules -# changed_when: false -# failed_when: false -# register: ubtu22cis_auditd_immutable_check - -# - name: "POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable | Set reboot required" -# ansible.builtin.debug: -# msg: "Reboot required for auditd to apply new rules as immutable set" -# notify: change_requires_reboot -# when: ubtu22cis_auditd_immutable_check.stdout == '1' -# when: -# - ubtu22cis_audit_rules_update.changed diff --git a/tasks/main.yml b/tasks/main.yml index 9124d732..11076736 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -208,6 +208,7 @@ ansible.builtin.reboot: when: - not skip_reboot + - change_requires_reboot - name: Warning a reboot required but skip option set ansible.builtin.debug: @@ -215,6 +216,7 @@ changed_when: true when: - skip_reboot + - change_requires_reboot - name: Run post remediation audit ansible.builtin.import_tasks: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 3d2cdea7..64307a19 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -133,6 +133,15 @@ - auditd - always +- name: "PRELIM | Check if auditd is immutable before changes" + ansible.builtin.shell: auditctl -l | grep -c '-e 2' + changed_when: false + failed_when: auditd_immutable_check.rc not in [ 0, 1 ] + register: auditd_immutable_check + when: "'auditd' in ansible_facts.packages" + tags: + - always + - name: "PRELIM | 5.3.4 | 5.3.5 | Find all sudoers files." ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false 
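Review bot: In the new PRELIM immutable check, `grep -c '-e 2'` hands grep an argument that begins with `-`, which is parsed as the `-e` option with pattern ` 2` (space then 2), not as a search for the literal text `-e 2`, so any loaded rule containing a space followed by a 2 is counted. Use `auditctl -l | grep -c -- '-e 2'` (or `grep -cF -- '-e 2'`). Separately, I do not believe `auditctl -l` prints the enable flag at all; the locked state is reported as `enabled 2` by `auditctl -s`, so as written the check may return 0 on a genuinely immutable host and the reboot logic downstream never fires — confirm on a locked host and, if so, switch to `auditctl -s | grep -c '^enabled 2'`. The `failed_when: auditd_immutable_check.rc not in [ 0, 1 ]` correctly tolerates grep's no-match exit code.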
diff --git a/vars/main.yml b/vars/main.yml index b54e16fd..e36495f0 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,7 +1,8 @@ --- min_ansible_version: 2.10.1 - +# Set default value for reboot value +change_requires_reboot: false # The role discovers dynamically (in tasks/main.yml) whether it # is executed on a container image and sets the variable # system_is_container the true. Otherwise, the default value From 7fda90404cdbac0db68ba985d73f76d9d0dc7690 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 7 Feb 2024 12:22:12 +0000 Subject: [PATCH 35/44] updated notify for remount Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 5f1e75fc..5e5f9d22 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -65,7 +65,7 @@ state: present fstype: "{{ item.fstype }}" opts: defaults,{% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %} - notify: remount tmp + notify: Remount tmp with_items: - "{{ ansible_facts.mounts }}" loop_control: From 9df6bf21ad63629d1cd52ce8ae4fcc0609aab4c7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 7 Feb 2024 13:09:07 +0000 Subject: [PATCH 36/44] updated Signed-off-by: Mark Bolwell --- Changelog.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index 906d97e7..3a97829e 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -5,12 +5,12 @@ ### 1.0.9 - updated audit command to allow multiple groups from inventory - - #144 usb-blacklisting - thanks to @paulquevedojdrf - #152 and #170 Added ssh validate to tasks - thanks to @dderemiah and @twadelij - #180 and #181 password reuse 5.3.4 - thanks to @DianaMariaDDM - #182 pwquality enhancement New variable to allow extended or minclass (default)options - thanks to @ma3s7ro -- #184 Initial container config feedback required - thanks to @ipruteanu-sie +- #184 Initial container config feedback required - thanks to @ipruteanu-sie +- #204 reboot not idempotent - thanks to @bhuddah ### 1.0.8 From 339e8d5a06933dec81b01141848a1b4f0dfa4430 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 7 Feb 2024 13:29:06 +0000 Subject: [PATCH 37/44] removed unnecessary pkg discovery Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 64307a19..cb3f8678 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -225,12 +225,6 @@ tags: - always -- name: "PRELIM | Recapture packages" - ansible.builtin.package_facts: - manager: auto - tags: - - always - - name: "Optional | Patch | UFW firewall force to use /etc/sysctl.conf settings" ansible.builtin.lineinfile: path: /etc/default/ufw From 2bf1653b91b0f755f590c8ea744385cf1872c16f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 7 Feb 2024 15:32:05 +0000 Subject: [PATCH 38/44] updated for auditd Signed-off-by: Mark Bolwell --- handlers/main.yml | 3 ++- tasks/auditd.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 7272a9ba..23f1ca47 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
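Review bot: Dropping the "Recapture packages" task means `ansible_facts.packages` keeps the snapshot taken before any package installs earlier in prelim, so the `when: "'auditd' in ansible_facts.packages"` guard added to prelim in patch 34, and any section task with the same test, sees stale data on a host where the role installs auditd, aide or ufw during prelim. Whether anything is installed before this point is not visible in the diff; if it is, keep a `package_facts` refresh after those installs (or have them notify one) rather than removing it outright.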
@@ -120,7 +120,8 @@ msg: "Reboot required for auditd to apply new rules as immutable set" notify: change_requires_reboot when: - - auditd_immutable_check.stdout | length > 0 + - audit_rules_updated.changed + - auditd_immutable_check is defined - name: Restart auditd ansible.builtin.shell: service auditd restart diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 3752d4d9..d753add0 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -6,7 +6,7 @@ dest: /etc/audit/rules.d/99_auditd.rules owner: root group: root - mode: '0600' + mode: '0640' register: audit_rules_updated notify: - Auditd rules reload From 74ac06657b10aa1df4c5a3ef8f6a82dad20fd767 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 7 Feb 2024 15:32:58 +0000 Subject: [PATCH 39/44] updated 4.1.3.6 for priv commands Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index 6c1018d2..a0d85703 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -70,7 +70,7 @@ - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" block: - name: "4.1.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" - ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done + ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done | grep -vw '/snap' register: priv_procs changed_when: false check_mode: false From 40d578195dfbb9682fa36491679ef201c97f52c6 Mon Sep 17 00:00:00 2001 
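Review bot: The replacement condition on Audit_immutable_fact, `audit_rules_updated.changed` and `auditd_immutable_check is defined`, no longer looks at the check's result at all, so a reboot is flagged on every audit-rule change regardless of whether auditd is immutable, and `is defined` is also true when the prelim task was skipped (a skipped task still registers). Add the value test as a third condition, `- auditd_immutable_check.stdout | default('0') | int > 0`, so non-immutable hosts stay on the `augenrules --load` path and are not rebooted needlessly. The mode change on 99_auditd.rules from 0600 to 0640 is still within the 0640-or-stricter that CIS asks for on audit configuration files, as I recall, so no concern there, though a one-line comment on why group-read is now wanted would help.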
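Review bot: Appending `| grep -vw '/snap'` to the 4.1.3.6 discovery silently drops every setuid/setgid binary under a path containing the word `snap` from the privileged-command audit rules, while the loop itself only skips mounts flagged noexec or nosuid, which the snap squashfs mounts I have seen are not, so privileged command use inside snaps becomes unaudited. If the motivation is the churn of per-revision snap paths, say so in a comment on the task, e.g. `# snap revisions are excluded: paths rotate on every refresh and would produce stale rules`, and consider covering them with a directory rule such as `-a always,exit -F dir=/snap -F perm=x -F auid>=1000 -F auid!=unset -k privileged` instead of omitting them. Note also that `-w` word matching keeps `/usr/local/bin/snapshot` but drops `/opt/snap/bin/tool`; `grep -v '^/snap/'` expresses the intent more predictably.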
From: Mark Bolwell Date: Wed, 7 Feb 2024 15:33:44 +0000 Subject: [PATCH 40/44] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 3a97829e..ff0aae1b 100644 --- a/Changelog.md +++ b/Changelog.md @@ -10,7 +10,7 @@ - #180 and #181 password reuse 5.3.4 - thanks to @DianaMariaDDM - #182 pwquality enhancement New variable to allow extended or minclass (default)options - thanks to @ma3s7ro - #184 Initial container config feedback required - thanks to @ipruteanu-sie -- #204 reboot not idempotent - thanks to @bhuddah +- #204 reboot not idempotent - changed auditd and reboot logic update to 4.1.3.6 discovery - thanks to @bhuddah ### 1.0.8 From c135fa48ce5c3832baf9eff5466e59fc7612b92a Mon Sep 17 00:00:00 2001 From: David Lesaffre Date: Mon, 19 Feb 2024 12:04:03 +0100 Subject: [PATCH 41/44] prevent /etc/issue and /etc/issue.net to be overwritten on package upgrade Signed-off-by: David Lesaffre --- tasks/section_1/cis_1.7.x.yml | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 53067b28..298563bc 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -29,9 +29,15 @@ - motd - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" - ansible.builtin.template: - src: etc/issue.j2 - dest: /etc/issue + block: + - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly | issue" + ansible.builtin.template: + src: etc/issue.j2 + dest: /etc/issue + + - name: "1.7.2 | PATCH | Ensure local login warning banner is kept on package upgrade | issue" + community.general.dpkg_divert: + path: /etc/issue when: - ubtu22cis_rule_1_7_2 tags: 
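Review bot: The 1.7.2 template task inside the new block still writes /etc/issue without `owner`, `group` or `mode`, so a freshly created banner inherits the connection's umask and an existing file keeps whatever mode it had, while CIS 1.7.5 expects 0644 root:root on /etc/issue. Add `owner: root`, `group: root` and `mode: '0644'` to the template unless a separate 1.7.5 task corrects permissions afterwards, which is not visible in this hunk. Adding the `dpkg_divert` after writing the file is correct with the module's default `rename: false`; a short comment that the diversion is what stops base-files upgrades from restoring the stock banner would make the two-task block self-explanatory.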
@@ -43,9 +49,15 @@ - banner - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" - ansible.builtin.template: - src: etc/issue.net.j2 - dest: /etc/issue.net + block: + - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly | issue.net" + ansible.builtin.template: + src: etc/issue.net.j2 + dest: /etc/issue.net + + - name: "1.7.3 | PATCH | Ensure remote login warning banner is kept on package upgrade | issue.net" + community.general.dpkg_divert: + path: /etc/issue.net when: - ubtu22cis_rule_1_7_3 tags: From 4b1f63fa2a6b82552394ab0cb54a6426428aa897 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 19 Feb 2024 17:48:44 +0000 Subject: [PATCH 42/44] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v6.22.2 → v24.2.0](https://github.com/ansible-community/ansible-lint/compare/v6.22.2...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.33.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.35.1) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f5c18248..82858b54 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,7 +42,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.2 + rev: v24.2.0 hooks: - id: ansible-lint name: Ansible-lint @@ -61,6 +61,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.33.0 # or higher tag + rev: v1.35.1 # or higher tag hooks: - id: yamllint From 46fa1824105f6aeb16351e099509ca6890728d7e Mon Sep 17 00:00:00 2001 
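Review bot: Same gap as 1.7.2: the /etc/issue.net template has no `owner`, `group` or `mode`, and CIS 1.7.6 expects 0644 root:root, so add `owner: root`, `group: root`, `mode: '0644'` unless a later 1.7.x task sets them (not visible here). The `dpkg_divert` on /etc/issue.net mirrors the 1.7.2 change and looks right.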
From: Mark Bolwell Date: Tue, 20 Feb 2024 12:25:40 +0000 Subject: [PATCH 43/44] updated logic for #207 Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index d905548f..c8fbe0cf 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -17,7 +17,6 @@ failed_when: false check_mode: false register: ubtu22cis_3_1_1_cmdline_settings - when: ubtu22cis_ipv6_disable == 'grub' - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist" ansible.builtin.lineinfile: From bde51ca7ca16e6fa644ec533d97fed647e007e11 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 8 Mar 2024 17:28:41 +0000 Subject: [PATCH 44/44] fixed test for the arm64 conditional Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 7ef94b4a..08d047d6 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -10,7 +10,7 @@ - name: Pre Audit Setup | Set audit package name | ARM64 ansible.builtin.set_fact: audit_pkg_arch_name: ARM64 - when: ansible_facts.machine == "arm64" + when: ansible_facts.machine == "aarch64" - name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: