ansible-lockdown · uk-bolly · Sep 18, 2023 · Sep 18, 2023 · Sep 18, 2023
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
@@ -27,7 +27,7 @@
                   repo-token: ${{ secrets.GITHUB_TOKEN }}
                   pr-message: |-
                       Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-                      Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+                      Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
         # This workflow contains a single job which tests the playbook
         playbook-test:

diff --git a/README.md b/README.md
@@ -26,7 +26,7 @@ NOTE AUDIT NOT YET AVAILABLE
 [![Main Pipeline Status](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/main_pipeline_validation.yml)
 
 [![Devel Pipeline Status](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/AMAZON2023-CIS/actions/workflows/devel_pipeline_validation.yml)
-![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/AMAZON2023-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits)
+![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/AMAZON2023-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits)
 
 ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/AMAZON2023-CIS?label=Open%20Issues)
 ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/AMAZON2023-CIS?label=Closed%20Issues&&color=success)
@@ -44,7 +44,7 @@ NOTE AUDIT NOT YET AVAILABLE
 
 ### Community
 
-Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
+Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
 
 ### Contributing
 

diff --git a/tasks/auditd.yml b/tasks/auditd.yml
@@ -21,7 +21,7 @@
 
 - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count  # noqa no-handler
   ansible.builtin.import_tasks:
-    file: warning_facts.yml
+      file: warning_facts.yml
   vars:
       warn_control_id: 'Auditd template updated, see diff output for details'
   when:

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -87,7 +87,7 @@
 
 - name: Include preliminary steps
   ansible.builtin.import_tasks:
-    file: prelim.yml
+      file: prelim.yml
   tags:
       - prelim_tasks
       - always
@@ -96,69 +96,69 @@
   when:
       - run_audit
   ansible.builtin.include_tasks:
-    file: pre_remediation_audit.yml
+      file: pre_remediation_audit.yml
   tags:
       - run_audit
 
 - name: Run Section 1 tasks
   when:
       - amzn2023cis_section1
   ansible.builtin.import_tasks:
-    file: section_1/main.yml
+      file: section_1/main.yml
   tags:
       - amzn2023cis_section1
 
 - name: Run Section 2 tasks
   when:
       - amzn2023cis_section2
   ansible.builtin.import_tasks:
-    file: section_2/main.yml
+      file: section_2/main.yml
   tags:
       - amzn2023cis_section2
 
 - name: Run Section 3 tasks
   when:
       - amzn2023cis_section3
   ansible.builtin.import_tasks:
-    file: section_3/main.yml
+      file: section_3/main.yml
   tags:
       - amzn2023cis_section3
 
 - name: Run Section 4 tasks
   when:
       - amzn2023cis_section4
   ansible.builtin.import_tasks:
-    file: section_4/main.yml
+      file: section_4/main.yml
   tags:
       - amzn2023cis_section4
 
 - name: Run Section 5 tasks
   when:
       - amzn2023cis_section5
   ansible.builtin.import_tasks:
-    file: section_5/main.yml
+      file: section_5/main.yml
   tags:
       - amzn2023cis_section5
 
 - name: Run Section 6 tasks
   when:
       - amzn2023cis_section6
   ansible.builtin.import_tasks:
-    file: section_6/main.yml
+      file: section_6/main.yml
   tags:
       - amzn2023cis_section6
 
 - name: run auditd logic
   when:
       - update_audit_template
   ansible.builtin.import_tasks:
-    file: auditd.yml
+      file: auditd.yml
   tags:
       - always
 
 - name: run post remediation tasks
   ansible.builtin.import_tasks:
-    file: post.yml
+      file: post.yml
   tags:
       - post_tasks
       - always
@@ -167,7 +167,7 @@
   when:
       - run_audit
   ansible.builtin.import_tasks:
-    file: post_remediation_audit.yml
+      file: post_remediation_audit.yml
 
 - name: Show Audit Summary
   when:

diff --git a/tasks/post.yml b/tasks/post.yml
@@ -47,7 +47,7 @@
 
       - name: "POST | Warning a reboot required but skip option set | warning count"
         ansible.builtin.import_tasks:
-          file: warning_facts.yml
+            file: warning_facts.yml
         when:
             - change_requires_reboot
             - skip_reboot

diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
@@ -2,7 +2,7 @@
 
 - name: Pre Audit Binary Setup | Setup the LE audit
   ansible.builtin.include_tasks:
-    file: LE_audit_setup.yml
+      file: LE_audit_setup.yml
   when:
       - setup_audit
   tags:

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -13,7 +13,7 @@
 
 - name: "PRELIM | capture /etc/password variables"
   ansible.builtin.include_tasks:
-    file: parse_etc_password.yml
+      file: parse_etc_password.yml
   tags:
       - rule_5.5.2
       - rule_5.6.2

diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml
@@ -8,7 +8,7 @@
 
       - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present"
         ansible.builtin.import_tasks:
-          file: warning_facts.yml
+            file: warning_facts.yml
   vars:
       warn_control_id: '1.1.2.1'
       required_mount: '/tmp'

diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml
@@ -8,7 +8,7 @@
 
       - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
         ansible.builtin.import_tasks:
-          file: warning_facts.yml
+            file: warning_facts.yml
   vars:
       warn_control_id: '1.1.3.1'
       required_mount: '/var'

diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml
@@ -9,7 +9,7 @@
 
       - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
         ansible.builtin.import_tasks:
-          file: warning_facts.yml
+            file: warning_facts.yml
   vars:
       warn_control_id: '1.1.4.1'
       required_mount: '/var/tmp'

diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml
@@ -8,7 +8,7 @@
 
       - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present"
         ansible.builtin.import_tasks:
-          file: warning_facts.yml
+            file: warning_facts.yml
 
   vars:
       warn_control_id: '1.1.5.1'

diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml
@@ -8,7 +8,7 @@
 
       - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
         ansible.builtin.import_tasks:
-          file: warning_facts.yml
+            file: warning_facts.yml
 
   vars:
       warn_control_id: '1.1.6.1'

diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml
@@ -8,7 +8,7 @@
 
       - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present"
         ansible.builtin.import_tasks:
-          file: warning_facts.yml
+            file: warning_facts.yml
 
   vars:
       warn_control_id: '1.1.7.1'

diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml
@@ -9,7 +9,7 @@
 
       - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present"
         ansible.builtin.import_tasks:
-          file: warning_facts.yml
+            file: warning_facts.yml
 
   vars:
       warn_control_id: '1.1.8.1'

diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml
@@ -72,7 +72,7 @@
 
       - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count"
         ansible.builtin.import_tasks:
-          file: warning_facts.yml
+            file: warning_facts.yml
   vars:
       warn_control_id: '1.2.3'
   when:

diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml
@@ -98,7 +98,7 @@
 
       - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count"
         ansible.builtin.import_tasks:
-          file: warning_facts.yml
+            file: warning_facts.yml
         when: amzn2023cis_1_6_1_6_unconf_services.stdout | length > 0
   vars:
       warn_control_id: '1.6.1.6'

diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml
@@ -2,70 +2,70 @@
 
 - name: "SECTION | 1.1.1.x | Disable unused filesystems"
   ansible.builtin.import_tasks:
-    file: cis_1.1.1.x.yml
+      file: cis_1.1.1.x.yml
 
 - name: "SECTION | 1.1.2.x | Configure /tmp"
   ansible.builtin.import_tasks:
-    file: cis_1.1.2.x.yml
+      file: cis_1.1.2.x.yml
 
 - name: "SECTION | 1.1.3.x | Configure /var"
   ansible.builtin.import_tasks:
-    file: cis_1.1.3.x.yml
+      file: cis_1.1.3.x.yml
 
 - name: "SECTION | 1.1.4.x | Configure /var/tmp"
   ansible.builtin.import_tasks:
-    file: cis_1.1.4.x.yml
+      file: cis_1.1.4.x.yml
 
 - name: "SECTION | 1.1.5.x | Configure /var/log"
   ansible.builtin.import_tasks:
-    file: cis_1.1.5.x.yml
+      file: cis_1.1.5.x.yml
 
 - name: "SECTION | 1.1.6.x | Configure /var/log/audit"
   ansible.builtin.import_tasks:
-    file: cis_1.1.6.x.yml
+      file: cis_1.1.6.x.yml
 
 - name: "SECTION | 1.1.7.x | Configure /home"
   ansible.builtin.import_tasks:
-    file: cis_1.1.7.x.yml
+      file: cis_1.1.7.x.yml
 
 - name: "SECTION | 1.1.8.x | Configure /dev/shm"
   ansible.builtin.import_tasks:
-    file: cis_1.1.8.x.yml
+      file: cis_1.1.8.x.yml
 
 - name: "SECTION | 1.1.9 | Disable various mounting"
   ansible.builtin.import_tasks:
-    file: cis_1.1.9.yml
+      file: cis_1.1.9.yml
 
 - name: "SECTION | 1.2 | Configure Software Updates"
   ansible.builtin.import_tasks:
-    file: cis_1.2.x.yml
+      file: cis_1.2.x.yml
 
 - name: "SECTION | 1.3 | Filesystem Integrity Checking"
   ansible.builtin.import_tasks:
-    file: cis_1.3.x.yml
+      file: cis_1.3.x.yml
   when: amzn2023cis_config_aide
 
 - name: "SECTION | 1.4 | Secure Boot Settings"
   ansible.builtin.import_tasks:
-    file: cis_1.4.x.yml
+      file: cis_1.4.x.yml
 
 - name: "SECTION | 1.5 | Additional Process Hardening"
   ansible.builtin.import_tasks:
-    file: cis_1.5.x.yml
+      file: cis_1.5.x.yml
 
 - name: "SECTION | 1.6 | Mandatory Access Control"
   ansible.builtin.include_tasks:
-    file: cis_1.6.1.x.yml
+      file: cis_1.6.1.x.yml
   when: not amzn2023cis_selinux_disable
 
 - name: "SECTION | 1.7 | Command Line Warning Banners"
   ansible.builtin.import_tasks:
-    file: cis_1.7.x.yml
+      file: cis_1.7.x.yml
 
 - name: "SECTION | 1.8 | Updates and Patches"
   ansible.builtin.import_tasks:
-    file: cis_1.8.yml
+      file: cis_1.8.yml
 
 - name: "SECTION | 1.9 | Crypto policies"
   ansible.builtin.include_tasks:
-    file: cis_1.9.yml
+      file: cis_1.9.yml
diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml
@@ -26,7 +26,7 @@
 
       - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count"
         ansible.builtin.import_tasks:
-          file: warning_facts.yml
+            file: warning_facts.yml
   vars:
       warn_control_id: '2.4'
   when:

diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml
@@ -2,16 +2,16 @@
 
 - name: "SECTION | 2.1 | Time Synchronization"
   ansible.builtin.import_tasks:
-    file: cis_2.1.x.yml
+      file: cis_2.1.x.yml
 
 - name: "SECTION | 2.2 | Special Purpose Services"
   ansible.builtin.import_tasks:
-    file: cis_2.2.x.yml
+      file: cis_2.2.x.yml
 
 - name: "SECTION | 2.3 | Service Clients"
   ansible.builtin.import_tasks:
-    file: cis_2.3.x.yml
+      file: cis_2.3.x.yml
 
 - name: "SECTION | 2.4 | Nonessential services removed"
   ansible.builtin.import_tasks:
-    file: cis_2.4.yml
+      file: cis_2.4.yml
diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml
@@ -48,7 +48,7 @@
 
       - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count"
         ansible.builtin.import_tasks:
-          file: warning_facts.yml
+            file: warning_facts.yml
         when:
             - amzn2023cis_3_4_2_2_nft_tables.stdout | length == 0
             - not amzn2023cis_nft_tables_autonewtable

diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml
@@ -2,20 +2,20 @@
 
 - name: "SECTION | 3.1.x | Disable unused network protocols and devices"
   ansible.builtin.import_tasks:
-    file: cis_3.1.x.yml
+      file: cis_3.1.x.yml
 
 - name: "SECTION | 3.2.x | Network Parameters (Host Only)"
   ansible.builtin.import_tasks:
-    file: cis_3.2.x.yml
+      file: cis_3.2.x.yml
 
 - name: "SECTION | 3.3.x | Network Parameters (host and Router)"
   ansible.builtin.import_tasks:
-    file: cis_3.3.x.yml
+      file: cis_3.3.x.yml
 
 - name: "SECTION | 3.4.1.x | Firewall configuration"
   ansible.builtin.import_tasks:
-    file: cis_3.4.1.x.yml
+      file: cis_3.4.1.x.yml
 
 - name: "SECTION | 3.4.2.x | Configure firewall"
   ansible.builtin.import_tasks:
-    file: cis_3.4.2.x.yml
+      file: cis_3.4.2.x.yml