diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml
index b67a6e7..b2021a4 100644
--- a/tasks/section_1/cis_1.1.1.x.yml
+++ b/tasks/section_1/cis_1.1.1.x.yml
@@ -14,7 +14,7 @@
 block:
 - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/CIS.conf
+ path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install cramfs(\\s|$)"
 line: "install cramfs /bin/true"
 create: true
@@ -22,7 +22,7 @@
 - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/blacklist.conf
+ path: /etc/modprobe.d/blacklist.conf
 regexp: "^(#)?blacklist cramfs(\\s|$)"
 line: "blacklist cramfs"
 create: true
@@ -47,7 +47,7 @@
 block:
 - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/CIS.conf
+ path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install freevxfs(\\s|$)"
 line: "install freevxfs /bin/true"
 create: true
@@ -55,7 +55,7 @@
 - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/blacklist.conf
+ path: /etc/modprobe.d/blacklist.conf
 regexp: "^(#)?blacklist freevxfs(\\s|$)"
 line: "blacklist freevxfs"
 create: true
@@ -80,7 +80,7 @@
 block:
 - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/CIS.conf
+ path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install hfs(\\s|$)"
 line: "install hfs /bin/true"
 create: true
@@ -88,7 +88,7 @@
 - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/blacklist.conf
+ path: /etc/modprobe.d/blacklist.conf
 regexp: "^(#)?blacklist hfs(\\s|$)"
 line: "blacklist hfs"
 create: true
@@ -113,7 +113,7 @@
 block:
 - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/CIS.conf
+ path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install hfsplus(\\s|$)"
 line: "install hfsplus /bin/true"
 create: true
@@ -121,7 +121,7 @@
 - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/blacklist.conf
+ path: /etc/modprobe.d/blacklist.conf
 regexp: "^(#)?blacklist hfsplus(\\s|$)"
 line: "blacklist hfsplus"
 create: true
@@ -146,7 +146,7 @@
 block:
 - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/CIS.conf
+ path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install jffs2(\\s|$)"
 line: "install jffs2 /bin/true"
 create: true
@@ -154,7 +154,7 @@
 - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/blacklist.conf
+ path: /etc/modprobe.d/blacklist.conf
 regexp: "^(#)?blacklist jffs2(\\s|$)"
 line: "blacklist jffs2"
 create: true
@@ -179,7 +179,7 @@
 block:
 - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/CIS.conf
+ path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install squashfs(\\s|$)"
 line: "install squashfs /bin/true"
 create: true
@@ -187,7 +187,7 @@
 - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/blacklist.conf
+ path: /etc/modprobe.d/blacklist.conf
 regexp: "^(#)?blacklist squashfs(\\s|$)"
 line: "blacklist squashfs"
 create: true
@@ -212,7 +212,7 @@
 block:
 - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/CIS.conf
+ path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install udf(\\s|$)"
 line: "install udf /bin/true"
 create: true
@@ -220,7 +220,7 @@
 - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/blacklist.conf
+ path: /etc/modprobe.d/blacklist.conf
 regexp: "^(#)?blacklist udf(\\s|$)"
 line: "blacklist udf"
 create: true
@@ -245,7 +245,7 @@
 block:
 - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/CIS.conf
+ path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install usb-storage(\\s|$)"
 line: "install usb-storage /bin/true"
 create: true
@@ -253,7 +253,7 @@
 - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Edit modprobe config"
 ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/blacklist.conf
+ path: /etc/modprobe.d/blacklist.conf
 regexp: "^(#)?blacklist usb-storage(\\s|$)"
 line: "blacklist usb-storage"
 create: true
diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml
index 8f94a3e..4d8f5fb 100644
--- a/tasks/section_1/cis_1.3.x.yml
+++ b/tasks/section_1/cis_1.3.x.yml
@@ -12,12 +12,12 @@
 block:
 - name: "1.3.1 | PATCH | Ensure authentication required for single user mode | Emergency service"
 ansible.builtin.lineinfile:
- dest: /usr/lib/systemd/system/emergency.service
+ path: /usr/lib/systemd/system/emergency.service
 regexp: '/sbin/sulogin'
 line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default'
 - name: "1.3.1 | PATCH | Ensure authentication required for single user mode | Rescue service"
 ansible.builtin.lineinfile:
- dest: /usr/lib/systemd/system/rescue.service
+ path: /usr/lib/systemd/system/rescue.service
 regexp: '/sbin/sulogin'
 line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default'
diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
index cec5ac4..f72b247 100644
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@@ -47,7 +47,7 @@
 - NIST800-53R5_CM-6b
 notify: Systemd_daemon_reload
 ansible.builtin.lineinfile:
- dest: /etc/systemd/coredump.conf
+ path: /etc/systemd/coredump.conf
 regexp: ^ProcessSizeMax
 line: ProcessSizeMax=0
 create: true
@@ -64,7 +64,7 @@
 - coredump
 notify: Systemd_daemon_reload
 ansible.builtin.lineinfile:
- dest: /etc/systemd/coredump.conf
+ path: /etc/systemd/coredump.conf
 regexp: ^Storage
 line: Storage=none
 create: true
diff --git a/tasks/section_4/cis_4.5.2.x.yml b/tasks/section_4/cis_4.5.2.x.yml
index fce795f..c1c47e6 100644
--- a/tasks/section_4/cis_4.5.2.x.yml
+++ b/tasks/section_4/cis_4.5.2.x.yml
@@ -68,7 +68,7 @@
 loop_control:
 label: "{{ item.id }}"
- - name: "4.5.2.3 | PATCH | | Ensure system accounts are secured | Lock accounts"
+ - name: "4.5.2.3 | PATCH | Ensure system accounts are secured | Lock accounts"
 when:
 - item.id != "root"
 - item.id != "sync"
diff --git a/tasks/section_5/cis_5.2.3.x.yml b/tasks/section_5/cis_5.2.3.x.yml
index ff14ad1..ef6c914 100644
--- a/tasks/section_5/cis_5.2.3.x.yml
+++ b/tasks/section_5/cis_5.2.3.x.yml
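Review bot: The `line:` value written to both emergency.service and rescue.service opens a double quote after `-c` and never closes it (`... --no-block default'`), so the ExecStart= directive that lands in the unit is syntactically incomplete; systemd is likely to reject it when loading the unit, which would leave emergency and rescue mode without the intended sulogin prompt, so this should be verified with `systemd-analyze verify` after a run. The balanced form is `line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'` for both tasks. Separately, `regexp: '/sbin/sulogin'` only rewrites a line that already contains that path; on a unit whose stock ExecStart does not mention it, lineinfile appends the new line at end of file, which may not fall inside the [Service] section. Editing the vendor unit under `/usr/lib/systemd/system/` is also undone by the next package update; a drop-in under `/etc/systemd/system/` is the durable place for this override. The enclosing task (its `when`/`tags`) starts before the hunk.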
@@ -77,14 +77,14 @@
 - auditd
 - rule_5.2.3.6
 block:
- - name: "5.2.3.6 | PATCH | Ensure use of privileged commands is collected"
+ - name: "5.2.3.6 | AUDIT | Ensure use of privileged commands is collected"
 ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
 changed_when: false
 failed_when: false
 check_mode: false
 register: priv_procs
- - name: "5.2.3.6 | PATCH | Ensure use of privileged commands is collected"
+ - name: "5.2.3.6 | AUDIT | Ensure use of privileged commands is collected | set_fact for auditd rules"
 ansible.builtin.set_fact:
 update_audit_template: true
 notify: Update_auditd_rules
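Review bot: `notify: Update_auditd_rules` on the renamed second task sits on an `ansible.builtin.set_fact`, which normally reports `ok` rather than `changed`, so the handler will not be triggered from this task; if the audit rules are meant to be regenerated whenever `priv_procs` is collected, the notify belongs on a task that reports a change (presumably the template task that consumes `update_audit_template`, which is outside this hunk). In the first task, `failed_when: false` together with `2>/dev/null` means a failing `df`/`find` pipeline leaves `priv_procs.stdout_lines` empty with no visible error, and the generated rules would then silently omit every setuid/setgid binary; a follow-up `ansible.builtin.assert` that `priv_procs.rc == 0` would make that failure visible. The unquoted `$i` in the loop also word-splits mount points containing spaces; `find "$i" -xdev -type f -perm /6000` is the safe form. The enclosing task (its `when` and the rest of the `tags` list) starts before the hunk.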