Merge pull request #87 from ansible-lockdown/devel

Release to main branch

.yamllint

@@ -3,26 +3,26 @@
 extends: default
 
 rules:
-  braces: {max-spaces-inside: 1, level: error}
-  brackets: {max-spaces-inside: 1, level: error}
-  colons: {max-spaces-after: -1, level: error}
-  commas: {max-spaces-after: -1, level: error}
-  comments: disable
-  comments-indentation: disable
-  document-start: disable
-  empty-lines: {max: 3, level: error}
-  hyphens: {level: error}
-  indentation:
-     # Requiring 4 space indentation
-     spaces: 4
-     # Requiring consistent indentation within a file, either indented or not
-     indent-sequences: consistent
-  key-duplicates: enable
-  line-length: disable
-  new-line-at-end-of-file: enable
-  new-lines: 
-    type: unix
-  trailing-spaces: enable
-  truthy:
-    allowed-values: ['true', 'false']
-    check-keys: true
+    braces: {max-spaces-inside: 1, level: error}
+    brackets: {max-spaces-inside: 1, level: error}
+    colons: {max-spaces-after: -1, level: error}
+    commas: {max-spaces-after: -1, level: error}
+    comments: disable
+    comments-indentation: disable
+    document-start: disable
+    empty-lines: {max: 3, level: error}
+    hyphens: {level: error}
+    indentation:
+      # Requiring 4 space indentation
+        spaces: 4
+      # Requiring consistent indentation within a file, either indented or not
+        indent-sequences: consistent
+    key-duplicates: enable
+    line-length: disable
+    new-line-at-end-of-file: enable
+    new-lines:
+        type: unix
+    trailing-spaces: enable
+    truthy:
+        allowed-values: ['true', 'false']
+        check-keys: true

Changelog.md

@@ -1,14 +1,26 @@
 # Change log for Ubuntu 2004
 
+## V1.0.1 - based upon CIS 1.1.0
+
+thanks to ikthomas
+[#84](https://github.com/ansible-lockdown/UBUNTU20-CIS/issues/84) 
+
 ## v1.0.0
 
 - update galaxy lint requirements
 - license file
 - ansible version
 
-## Feb 23 updates - Initial
+## April 2023 Updates
+- Addressed Bugs 
+  - [#73](https://github.com/ansible-lockdown/UBUNTU20-CIS/issues/73) - Thanks @fnschroeder (Fix Taken From @uk-bolly issue_73 branch)
+  - [#80](https://github.com/ansible-lockdown/UBUNTU20-CIS/issues/80) - Thanks @kdebisschop
+- Added Fixes For Outstanding PR's
+  - [#81](https://github.com/ansible-lockdown/UBUNTU20-CIS/pull/81) - Thanks @kdebisschop
+  - Fixed Linting Errors For Yamllint & Ansbile-Lint
+  - Adjusted Builtin to Posix For sysctl module. 
 
-### based upon CIS 1.1.0
+## Feb 23 updates - Initial
 
 - lint files updated
 - ansible version updated

collections/requirements.yml

@@ -1,6 +1,8 @@
 ---
 
 collections:
-- name: community.general
-- name: community.crypto
-- name: ansible.posix
+    - name: community.general
+
+    - name: community.crypto
+
+    - name: ansible.posix

defaults/main.yml

@@ -396,17 +396,6 @@ ubtu20cis_tmp_fstab_options: "defaults,rw,nosuid,nodev,noexec,relatime"
 # To conform to CIS control 1.1.9 noexec needs to be present
 ubtu20cis_dev_shm_fstab_options: "defaults,noexec,nodev,nosuid"
 
-# Control 1.1.12/1.1.13/1.1.14
-# These are the settings for the /var/tmp mount
-# To conform to CIS control 1.1.12 nodev needs to be present in opts
-# To conform to CIS control 1.1.13 nosuid needs to be present in opts
-# To conform to CIS control 1.1.14 noexec needs to be present in opts
-ubtu20cis_vartmp:
-    source: /tmp
-    fstype: none
-    opts: "defaults,nodev,nosuid,noexec,bind"
-    enabled: false
-
 # Control 1.3.1 - allow aide to be configured
 ubtu20cis_config_aide: true
 
@@ -431,14 +420,14 @@ ubtu20cis_aide_cron:
 ubtu20cis_set_grub_password: true
 ubtu20cis_grub_user_file: /etc/grub.d/40_custom
 ubtu20cis_grub_users: root
-ubtu20cis_grub_pw: "grub.pbkdf2.sha512.10000.ChangeMe"
+ubtu20cis_grub_pw: "grub.pbkdf2.sha512.10000"
 # Change the following value to true if you wish to be prompted to get past grub bootloader
 ubtu20cis_ask_passwd_to_boot: false
 
 # 1.4.4
 # note this needs to be in the encrypted format
 ubtu20cis_set_root_password: true
-ubtu20cis_root_pw: $6$this_is_needs_to_be_changed
+ubtu20cis_root_pw: $6$
 
 # 1.7.1
 # disable dynamic motd to stop extra sshd message from appearing
@@ -454,7 +443,7 @@ ubtu20cis_warning_banner: |
 # Control 2.1.1.1
 # ubtu20cis_time_sync_tool is the tool in which to synchronize time
 # The two options are chrony, ntp, or systemd-timesyncd
-ubtu20cis_time_sync_tool: "ntp"
+ubtu20cis_time_sync_tool: "chrony"
 
 # Control 2.1.1.2
 # ubtu20cis_ntp_server_list is the list ntp servers
@@ -504,7 +493,7 @@ ubtu20cis_ufw_allow_out_ports:
 
 ufw_add_incoming: false
 ubtu20cis_ufw_allow_in:
-    - ports: 22
+    - port: 22
       from: any
       proto: tcp
 

handlers/main.yml

@@ -3,19 +3,16 @@
 - name: remount tmp
   ansible.posix.mount:
       name: /tmp
-      src: /tmp
       state: remounted
 
 - name: remount dev_shm
   ansible.posix.mount:
       name: /dev/shm
-      src: /dev/shm
       state: remounted
 
 - name: remount var_tmp
   ansible.posix.mount:
       name: /var/tmp
-      src: "{{ ubtu20cis_vartmp['source'] }}"
       state: remounted
 
 - name: grub update

tasks/main.yml

@@ -48,7 +48,8 @@
   tags:
       - run_audit
 
-- ansible.builtin.import_tasks: parse_etc_password.yml
+- name: Run parse /etc/passwd
+  ansible.builtin.import_tasks: parse_etc_password.yml
   when:
       - ubtu20cis_section5_patch or
         ubtu20cis_section6_patch
@@ -119,7 +120,7 @@
             - skip_reboot
 
 - name: run post remediation tasks
-  import_tasks: post.yml
+  ansible.builtin.import_tasks: post.yml
   tags:
       - post_tasks
       - always

tasks/prelim.yml

@@ -58,6 +58,7 @@
       name: network-manager
       state: present
   when:
+      - wireless_interfaces.stdout is defined
       - wireless_interfaces.stdout | length > 0
       - ubtu20cis_install_network_manager
       - ubtu20cis_rule_3_1_2

tasks/section_1/cis_1.1.x.yml

@@ -127,24 +127,27 @@
       - automated
       - audit
       - rule_1.1.11
-      - var/tmp
+      - var_tmp
 
 - name: |
     "1.1.12 | PATCH | Ensure /var/tmp partition includes the nodev option"
     "1.1.13 | PATCH | Ensure /var/tmp partition includes the nosuid option"
     "1.1.14 | PATCH | Ensure /var/tmp partition includes the noexec option"
   ansible.posix.mount:
       name: /var/tmp
-      src: "{{ ubtu20cis_vartmp['source'] }}"
+      src: "{{ item.device }}"
       state: present
-      fstype: "{{ ubtu20cis_vartmp['fstype'] }}"
-      opts: "{{ ubtu20cis_vartmp['opts'] }}"
+      fstype: "{{ item.fstype }}"
+      opts: "defaults,{% if ubtu20cis_rule_1_1_12 %}nodev,{% endif %}{% if ubtu20cis_rule_1_1_13 %}nosuid,{% endif %}{% if ubtu20cis_rule_1_1_14 %}noexec{% endif %}"
+  loop: "{{ ansible_mounts }}"
+  loop_control:
+      label: "{{ item.device }}"
   notify: remount var_tmp
   when:
       - ubtu20cis_rule_1_1_12 or
         ubtu20cis_rule_1_1_13 or
         ubtu20cis_rule_1_1_14
-      - ubtu20cis_vartmp['enabled']
+      - item.mount == '/var/tmp'
   tags:
       - level1-server
       - level1-workstation
@@ -153,7 +156,7 @@
       - rule_1.1.12
       - rule_1.1.13
       - rule_1.1.14
-      - var/tmp
+      - var_tmp
 
 - name: "1.1.15 | AUDIT | Ensure separate partition exists for /var/log"
   block:
@@ -175,7 +178,7 @@
       - automated
       - audit
       - rule_1.1.15
-      - var/log
+      - var_log
 
 - name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit"
   block:
@@ -196,7 +199,7 @@
       - level2-workstation
       - automated
       - audit
-      - var/log/audit
+      - var_log_audit
 
 - name: "1.1.17 | AUDIT | Ensure separate partition exists for /home"
   block:
@@ -217,7 +220,7 @@
       - level2-workstation
       - automated
       - audit
-      - /home
+      - home
 
 - name: "1.1.18 | PATCH | Ensure /home partition includes the nodev option"
   ansible.posix.mount:
@@ -226,7 +229,7 @@
       state: mounted
       fstype: "{{ item.fstype }}"
       opts: "nodev"
-  with_items: "{{ ansible_mounts }}"
+  loop: "{{ ansible_mounts }}"
   loop_control:
       label: "{{ item.device }}"
   when:
@@ -238,7 +241,7 @@
       - automated
       - patch
       - rule_1.1.18
-      - /home
+      - home
 
 - name: "1.1.19 | AUDIT | Ensure nodev option set on removable media partitions"
   ansible.builtin.debug:

tasks/section_1/cis_1.5.x.yml

@@ -37,7 +37,7 @@
             line: 'kernel.randomize_va_space = 2'
 
       - name: "1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter"
-        ansible.builtin.sysctl:
+        ansible.posix.sysctl:
             name: kernel.randomize_va_space
             value: '2'
   when:
@@ -75,7 +75,7 @@
 - name: "1.5.4 | PATCH | Ensure core dumps are restricted"
   block:
       - name: "1.5.4 | PATCH | Ensure core dumps are restricted | kernel sysctl"
-        ansible.builtin.sysctl:
+        ansible.posix.sysctl:
             name: fs.suid_dumpable
             value: '0'
             state: present

tasks/section_2/cis_2.1.x.yml

@@ -75,6 +75,7 @@
             state: stopped
             enabled: false
             masked: true
+        when: "'systemd-timesyncd' in ansible_facts.packages"
 
       - name: "2.1.1.3 | AUDIT | Ensure chrony is configured | Check for chrony user"
         ansible.builtin.shell: grep {{ ubtu20cis_chrony_user }} /etc/passwd

tasks/section_3/cis_3.2.x.yml

@@ -1,6 +1,6 @@
 ---
 - name: "3.2.1 | PATCH | Ensure packet redirect sending is disabled"
-  ansible.builtin.sysctl:
+  ansible.posix.sysctl:
       name: "{{ item }}"
       value: '0'
       sysctl_set: true
@@ -26,7 +26,7 @@
 - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled"
   block:
       - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv4 settings"
-        ansible.builtin.sysctl:
+        ansible.posix.sysctl:
             name: net.ipv4.ip_forward
             value: '0'
             sysctl_set: true
@@ -37,7 +37,7 @@
             - sysctl flush ipv4 route table
 
       - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv6 settings"
-        ansible.builtin.sysctl:
+        ansible.posix.sysctl:
             name: net.ipv6.conf.all.forwarding
             value: '0'
             sysctl_set: true