From a5fe2190449556da2cf57349960a2cd09731ab3e Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Fri, 21 Apr 2023 11:18:25 -0400 Subject: [PATCH 01/10] Yamllint Check, Ansible-lint Chek, Module Updates, Bug #73&80 Fixed, Included FIX PR #81 Signed-off-by: Stephen Williams --- .yamllint | 46 ++++++++++++------------- Changelog.md | 9 +++++ Vagrantfile | 63 +++++++++++++++++++++++++++++++++++ defaults/main.yml | 6 ++-- tasks/main.yml | 5 +-- tasks/prelim.yml | 1 + tasks/section_1/cis_1.5.x.yml | 4 +-- tasks/section_3/cis_3.2.x.yml | 6 ++-- tasks/section_3/cis_3.3.x.yml | 22 ++++++------ tasks/section_5/cis_5.4.x.yml | 4 +-- 10 files changed, 120 insertions(+), 46 deletions(-) create mode 100644 Vagrantfile diff --git a/.yamllint b/.yamllint index 72ac645b..7dc754f0 100755 --- a/.yamllint +++ b/.yamllint 
@@ -3,26 +3,26 @@ extends: default rules: - braces: {max-spaces-inside: 1, level: error} - brackets: {max-spaces-inside: 1, level: error} - colons: {max-spaces-after: -1, level: error} - commas: {max-spaces-after: -1, level: error} - comments: disable - comments-indentation: disable - document-start: disable - empty-lines: {max: 3, level: error} - hyphens: {level: error} - indentation: - # Requiring 4 space indentation - spaces: 4 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent - key-duplicates: enable - line-length: disable - new-line-at-end-of-file: enable - new-lines: - type: unix - trailing-spaces: enable - truthy: - allowed-values: ['true', 'false'] - check-keys: true + braces: {max-spaces-inside: 1, level: error} + brackets: {max-spaces-inside: 1, level: error} + colons: {max-spaces-after: -1, level: error} + commas: {max-spaces-after: -1, level: error} + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: {max: 3, level: error} + hyphens: {level: error} + indentation: + # Requiring 4 space indentation + spaces: 4 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: true diff --git a/Changelog.md b/Changelog.md index 5723029b..3f50d85f 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -6,6 +6,15 @@ - license file - ansible version +## April 2023 Updates +- Addressed Bugs + - [#73](https://github.com/ansible-lockdown/UBUNTU20-CIS/issues/73) - Thanks @fnschroeder (Fix Taken From @uk-bolly issue_73 branch) + - [#80](https://github.com/ansible-lockdown/UBUNTU20-CIS/issues/80) - Thanks @kdebisschop +- Added Fixes For Outstanding PR's + - [#81](https://github.com/ansible-lockdown/UBUNTU20-CIS/pull/81) - Thanks @kdebisschop + - Fixed Linting Errors For Yamllint & Ansbile-Lint + - Adjusted Builtin to Posix For sysctl module. + ## Feb 23 updates - Initial ### based upon CIS 1.1.0 diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 00000000..3cd3d7a8 --- /dev/null +++ b/Vagrantfile 
@@ -0,0 +1,63 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : +# All Vagrant configuration is done below. The "2" in Vagrant.configure +# configures the configuration version (we support older styles for +# backwards compatibility). Please don't change it unless you know what +# you're doing. +Vagrant.configure("2") do |config| + # The most common configuration options are documented and commented below. + # For a complete reference, please see the online documentation at + # https://docs.vagrantup.com. + # Every Vagrant development environment requires a box. You can search for + # boxes at https://vagrantcloud.com/search. + # config.vm.box = "nogala/tomcat9" + # config.vm.box = "generic/centos8" + # config.vm.box = "generic/rocky8" + # config.vm.box = "rockylinux/9" + # config.vm.box = "centos/stream8" + # config.vm.box = "generic/rhel8" + # config.vm.box = "generic/rhel7" + # config.vm.box = "bento/ubuntu-18.04" + config.vm.box = "generic/ubuntu2004" + # config.vm.box = “pega-squid/ubuntu-18.04.1-desktop” + # config.vm.box = "/Users/georgen/Documents/Work/TestDelete/BollyImages/virtualbox-centos8-efi.box" + # config.vm.box = "/Users/georgen/Documents/Work/TestDelete/BollyImages/virtualbox-rocky8-efi.box" + # config.vm.box = "generic/centos7" + # config.vm.box = "mindpointgroup/centos8_apache_base" + # config.vm.box = "mindpointgroup/cent8_tomcat9_base" + # config.vm.box = "trueability/esxi-6.7" + # config.vm.network "private_network", ip: "10.42.0.50" + # Windows 10 Below + # config.vm.network "private_network", ip: "192.168.56.2" + # config.vm.synced_folder ".", "/vagrant", type: "virtualbox" + # config.vm.synced_folder "/Users/georgen/Documents/Work/ControlWork/STIG", "/var/tmp", type: "virtualbox" + # config.ssh.username = 'vagrant' + # config.ssh.password = 'vagrant' + # config.vm.provider "virtualbox" do |hw| + # hw.memory = 4096 + # hw.cpus = 2 + # end + config.vm.provision "ansible" do |ansible| + # ansible.playbook = 
"/Users/georgen/Documents/Work/ControlWork/STIG/tomcat-stig/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/POSTGRES-9-STIG/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/Oracle-7/RHEL7-STIG/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/TOMCAT-9-STIG/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/CIS/rhel-8/site.yaml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/rhel-8-stig/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/CIS/apache-cis/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/CIS/APACHE-2.4-CIS/site.yml" + # ansible.playbook = "playbook_rhel8_stig.yml" + # ansible.playbook = "playbook_rhel8_stig.yml" + # ansible.playbook = "./test_playbook/site.yml" + # ansible.playbook = "update_upgrade.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ClientWork/CBS/1045/RHEL7-CIS/site.yaml" + # ansible.playbook = "/Users/stephenw/Documents/Development/RHEL7-STIG/site.yml" + # ansible.playbook = "/Users/stephenw/Documents/Development/Testing (Ok If Deleted)/RHEL9-CIS/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/temp/RHEL8-STIG-TEST/site.yml" + # ansible.playbook = "/Users/stephenw/Documents/Development/Testing (Ok If Deleted)/UBUNTU18-STIG/site.yml" + # ansible.playbook = "/Users/stephenw/Documents/Development/Testing (Complete)/UBUNTU20-STIG/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/TempDelete/pr_233_staging/RHEL7-CIS/site.yml" + ansible.playbook = "/Users/stephenw/Documents/Development/UBUNTU20-CIS/site.yml" + ansible.verbose = "vvvvv" + end +end diff --git a/defaults/main.yml b/defaults/main.yml index cb83c0dc..6b86b9ca 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
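Review bot: The new Vagrantfile hard-codes a user-local absolute playbook path, `ansible.playbook = "/Users/stephenw/Documents/Development/UBUNTU20-CIS/site.yml"`, alongside some twenty commented-out paths from other machines and projects, so it cannot run for anyone else who checks the repository out; a committed Vagrantfile should point at the repo-relative `ansible.playbook = "site.yml"`. `ansible.verbose = "vvvvv"` also makes every run print full module arguments, which in this role would include the grub and root password-hash values unless those tasks set `no_log`, so a lower default is preferable in a shared file. Since PATCH 02/10 deletes the file again, the two commits could simply be squashed so the file never enters history.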
@@ -431,14 +431,14 @@ ubtu20cis_aide_cron: ubtu20cis_set_grub_password: true ubtu20cis_grub_user_file: /etc/grub.d/40_custom ubtu20cis_grub_users: root -ubtu20cis_grub_pw: "grub.pbkdf2.sha512.10000.ChangeMe" +ubtu20cis_grub_pw: "grub.pbkdf2.sha512.10000" # Change the following value to true if you wish to be prompted to get past grub bootloader ubtu20cis_ask_passwd_to_boot: false # 1.4.4 # note this needs to be in the encrypted format ubtu20cis_set_root_password: true -ubtu20cis_root_pw: $6$this_is_needs_to_be_changed +ubtu20cis_root_pw: $6$ # 1.7.1 # disable dynamic motd to stop extra sshd message from appearing @@ -454,7 +454,7 @@ ubtu20cis_warning_banner: | # Control 2.1.1.1 # ubtu20cis_time_sync_tool is the tool in which to synchronize time # The two options are chrony, ntp, or systemd-timesyncd -ubtu20cis_time_sync_tool: "ntp" +ubtu20cis_time_sync_tool: "chrony" # Control 2.1.1.2 # ubtu20cis_ntp_server_list is the list ntp servers diff --git a/tasks/main.yml b/tasks/main.yml index 6b05d568..062d3c55 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -48,7 +48,8 @@ tags: - run_audit -- ansible.builtin.import_tasks: parse_etc_password.yml +- name: Run parse /etc/passwd + ansible.builtin.import_tasks: parse_etc_password.yml when: - ubtu20cis_section5_patch or ubtu20cis_section6_patch @@ -119,7 +120,7 @@ - skip_reboot - name: run post remediation tasks - import_tasks: post.yml + ansible.builtin.import_tasks: post.yml tags: - post_tasks - always diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 461fc4c1..44672b91 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -58,6 +58,7 @@ name: network-manager state: present when: + - wireless_interfaces.stdout is defined - wireless_interfaces.stdout | length > 0 - ubtu20cis_install_network_manager - ubtu20cis_rule_3_1_2 diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 881d941e..b124a6cb 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml 
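Review bot: The new placeholders `grub.pbkdf2.sha512.10000` and `$6$` are bare algorithm prefixes with no salt or digest, and nothing in the role asserts they were overridden before `ubtu20cis_set_grub_password` / `ubtu20cis_set_root_password` (both `true` in these defaults) write them out, whereas the old `ChangeMe` / `this_is_needs_to_be_changed` text at least made the placeholder status obvious in a diff or a variable dump. A shadow field of `$6$` is not a valid SHA-512 crypt string; what crypt(3) makes of it on the target is not something this diff shows, but it is a silent misconfiguration either way when the role was supposed to set a known password. Either keep a self-describing placeholder or add a prelim guard such as `ansible.builtin.assert: { that: ["ubtu20cis_root_pw != '$6$'", "ubtu20cis_grub_pw != 'grub.pbkdf2.sha512.10000'"], fail_msg: 'set ubtu20cis_root_pw and ubtu20cis_grub_pw to real hashes' }` so a run with the shipped defaults fails fast, and record the default change in the Changelog hunk of this commit.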
@@ -37,7 +37,7 @@ line: 'kernel.randomize_va_space = 2' - name: "1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: kernel.randomize_va_space value: '2' when: @@ -75,7 +75,7 @@ - name: "1.5.4 | PATCH | Ensure core dumps are restricted" block: - name: "1.5.4 | PATCH | Ensure core dumps are restricted | kernel sysctl" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: fs.suid_dumpable value: '0' state: present diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 9b94d821..3b0131be 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -1,6 +1,6 @@ --- - name: "3.2.1 | PATCH | Ensure packet redirect sending is disabled" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '0' sysctl_set: true @@ -26,7 +26,7 @@ - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled" block: - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv4 settings" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: net.ipv4.ip_forward value: '0' sysctl_set: true @@ -37,7 +37,7 @@ - sysctl flush ipv4 route table - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv6 settings" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: net.ipv6.conf.all.forwarding value: '0' sysctl_set: true diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 078e82be..52f7b16b 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -2,7 +2,7 @@ - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" block: - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 settings" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '0' sysctl_set: true 
@@ -15,7 +15,7 @@ notify: sysctl flush ipv4 route table - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 settings" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '0' sysctl_set: true @@ -42,7 +42,7 @@ - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" block: - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 settings" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '0' sysctl_set: true @@ -55,7 +55,7 @@ notify: sysctl flush ipv4 route table - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 settings" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '0' sysctl_set: true @@ -79,7 +79,7 @@ - sysctl - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '0' sysctl_set: true @@ -102,7 +102,7 @@ - sysctl - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '1' sysctl_set: true @@ -125,7 +125,7 @@ - sysctl - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts value: '1' sysctl_set: true @@ -145,7 +145,7 @@ - sysctl - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: net.ipv4.icmp_ignore_bogus_error_responses value: '1' sysctl_set: true @@ -165,7 +165,7 @@ - sysctl - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '1' sysctl_set: true @@ -188,7 +188,7 @@ - sysctl - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: net.ipv4.tcp_syncookies value: '1' sysctl_set: true 
@@ -208,7 +208,7 @@ - sysctl - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '0' sysctl_set: true diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index b10d3dfa..d285f41d 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -86,9 +86,9 @@ - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | common-auth pam_tally2 opts" ansible.builtin.lineinfile: path: /etc/pam.d/common-auth - regexp: '^auth\s+required pam_tally2 .*onerr=fail.*' + regexp: '^auth\s+required pam_tally2.so .*onerr=fail.*' line: 'auth required pam_tally2.so {{ ubtu20cis_pamtally2_login_opts }}' - insertafter: '^# here are the per-package modules (the "Primary" block)' + insertafter: '^# here are the per-package modules' when: - ubtu20cis_rule_5_4_2 tags: From 89e2c76dfd008e054a19ff99f59540c31fff3305 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Fri, 21 Apr 2023 11:18:49 -0400 Subject: [PATCH 02/10] Remove Vagrant Signed-off-by: Stephen Williams --- Vagrantfile | 63 ----------------------------------------------------- 1 file changed, 63 deletions(-) delete mode 100644 Vagrantfile diff --git a/Vagrantfile b/Vagrantfile deleted file mode 100644 index 3cd3d7a8..00000000 --- a/Vagrantfile +++ /dev/null 
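Review bot: The new `regexp` in the 5.4.2 lineinfile task still matches only when `required` and `pam_tally2.so` are separated by exactly one space and the existing line already contains `onerr=fail`; a pre-existing entry with tab or multi-space separation, or one rendered from a `ubtu20cis_pamtally2_login_opts` value that lacks `onerr=fail`, is not matched, and lineinfile then inserts a second `auth required pam_tally2.so` line after the `insertafter` anchor on every run. Anchoring on the module alone keeps the task idempotent regardless of the options string: `regexp: '^auth\s+required\s+pam_tally2\.so'`. The unescaped `.` in `pam_tally2.so` is harmless here but `\.` states the intent.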
@@ -1,63 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : -# All Vagrant configuration is done below. The "2" in Vagrant.configure -# configures the configuration version (we support older styles for -# backwards compatibility). Please don't change it unless you know what -# you're doing. -Vagrant.configure("2") do |config| - # The most common configuration options are documented and commented below. - # For a complete reference, please see the online documentation at - # https://docs.vagrantup.com. - # Every Vagrant development environment requires a box. You can search for - # boxes at https://vagrantcloud.com/search. - # config.vm.box = "nogala/tomcat9" - # config.vm.box = "generic/centos8" - # config.vm.box = "generic/rocky8" - # config.vm.box = "rockylinux/9" - # config.vm.box = "centos/stream8" - # config.vm.box = "generic/rhel8" - # config.vm.box = "generic/rhel7" - # config.vm.box = "bento/ubuntu-18.04" - config.vm.box = "generic/ubuntu2004" - # config.vm.box = “pega-squid/ubuntu-18.04.1-desktop” - # config.vm.box = "/Users/georgen/Documents/Work/TestDelete/BollyImages/virtualbox-centos8-efi.box" - # config.vm.box = "/Users/georgen/Documents/Work/TestDelete/BollyImages/virtualbox-rocky8-efi.box" - # config.vm.box = "generic/centos7" - # config.vm.box = "mindpointgroup/centos8_apache_base" - # config.vm.box = "mindpointgroup/cent8_tomcat9_base" - # config.vm.box = "trueability/esxi-6.7" - # config.vm.network "private_network", ip: "10.42.0.50" - # Windows 10 Below - # config.vm.network "private_network", ip: "192.168.56.2" - # config.vm.synced_folder ".", "/vagrant", type: "virtualbox" - # config.vm.synced_folder "/Users/georgen/Documents/Work/ControlWork/STIG", "/var/tmp", type: "virtualbox" - # config.ssh.username = 'vagrant' - # config.ssh.password = 'vagrant' - # config.vm.provider "virtualbox" do |hw| - # hw.memory = 4096 - # hw.cpus = 2 - # end - config.vm.provision "ansible" do |ansible| - # ansible.playbook = 
"/Users/georgen/Documents/Work/ControlWork/STIG/tomcat-stig/site.yml" - # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/POSTGRES-9-STIG/site.yml" - # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/Oracle-7/RHEL7-STIG/site.yml" - # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/TOMCAT-9-STIG/site.yml" - # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/CIS/rhel-8/site.yaml" - # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/rhel-8-stig/site.yml" - # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/CIS/apache-cis/site.yml" - # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/CIS/APACHE-2.4-CIS/site.yml" - # ansible.playbook = "playbook_rhel8_stig.yml" - # ansible.playbook = "playbook_rhel8_stig.yml" - # ansible.playbook = "./test_playbook/site.yml" - # ansible.playbook = "update_upgrade.yml" - # ansible.playbook = "/Users/georgen/Documents/Work/ClientWork/CBS/1045/RHEL7-CIS/site.yaml" - # ansible.playbook = "/Users/stephenw/Documents/Development/RHEL7-STIG/site.yml" - # ansible.playbook = "/Users/stephenw/Documents/Development/Testing (Ok If Deleted)/RHEL9-CIS/site.yml" - # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/temp/RHEL8-STIG-TEST/site.yml" - # ansible.playbook = "/Users/stephenw/Documents/Development/Testing (Ok If Deleted)/UBUNTU18-STIG/site.yml" - # ansible.playbook = "/Users/stephenw/Documents/Development/Testing (Complete)/UBUNTU20-STIG/site.yml" - # ansible.playbook = "/Users/georgen/Documents/Work/TempDelete/pr_233_staging/RHEL7-CIS/site.yml" - ansible.playbook = "/Users/stephenw/Documents/Development/UBUNTU20-CIS/site.yml" - ansible.verbose = "vvvvv" - end -end From 976cc8ccd8717e778153d50612136d3468fdb974 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Fri, 21 Apr 2023 12:11:32 -0400 Subject: [PATCH 03/10] Update Collections Yaml 
Signed-off-by: Stephen Williams --- collections/requirements.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/collections/requirements.yml b/collections/requirements.yml index d71d774b..23596ec0 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,6 +1,8 @@ --- collections: -- name: community.general -- name: community.crypto -- name: ansible.posix + - name: community.general + + - name: community.crypto + + - name: ansible.posix From 919d71abe2d04a08089daf33115621e08f7b197e Mon Sep 17 00:00:00 2001 From: Karl DeBisschop Date: Fri, 21 Apr 2023 21:56:02 -0400 Subject: [PATCH 04/10] only stop and mask systemd-timesyncd if package is installed Signed-off-by: Karl DeBisschop --- tasks/section_2/cis_2.1.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index f3c89633..465a2280 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -75,6 +75,7 @@ state: stopped enabled: false masked: true + when: "'systemd-timesyncd' in ansible_facts.packages" - name: "2.1.1.3 | AUDIT | Ensure chrony is configured | Check for chrony user" ansible.builtin.shell: grep {{ ubtu20cis_chrony_user }} /etc/passwd From 3467f7634da60cae99cd136a128bdce13d3bc9d0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 May 2023 11:32:21 +0100 Subject: [PATCH 05/10] removed src for remount as not required Signed-off-by: Mark Bolwell --- handlers/main.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index a853c554..a4ac7add 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -3,19 +3,16 @@ - name: remount tmp ansible.posix.mount: name: /tmp - src: /tmp state: remounted - name: remount dev_shm ansible.posix.mount: name: /dev/shm - src: /dev/shm state: remounted - name: remount var_tmp ansible.posix.mount: name: /var/tmp - src: "{{ ubtu20cis_vartmp['source'] }}" state: remounted - name: grub update 
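Review bot: The added `when: "'systemd-timesyncd' in ansible_facts.packages"` only evaluates if an `ansible.builtin.package_facts` task has run earlier in the play; `ansible_facts.packages` is not populated by default fact gathering, so if prelim does not collect it the task now fails with an undefined-variable error instead of being skipped (the enclosing `systemd` task starts above the hunk). If package facts are gathered in prelim this is fine; otherwise either add `package_facts` before section 2 or make the condition tolerant, `when: "'systemd-timesyncd' in (ansible_facts.packages | default({}))"`. Checking `ansible_facts.services` for the unit would be an alternative if the role already gathers `service_facts`.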
From a07ce8809cbf5299e203008165b1264647bf9db3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 May 2023 11:32:38 +0100 Subject: [PATCH 06/10] tidy up control 1.1.12-14 Signed-off-by: Mark Bolwell --- defaults/main.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index cb83c0dc..ebe1bb8f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -396,17 +396,6 @@ ubtu20cis_tmp_fstab_options: "defaults,rw,nosuid,nodev,noexec,relatime" # To conform to CIS control 1.1.9 noexec needs to be present ubtu20cis_dev_shm_fstab_options: "defaults,noexec,nodev,nosuid" -# Control 1.1.12/1.1.13/1.1.14 -# These are the settings for the /var/tmp mount -# To conform to CIS control 1.1.12 nodev needs to be present in opts -# To conform to CIS control 1.1.13 nosuid needs to be present in opts -# To conform to CIS control 1.1.14 noexec needs to be present in opts -ubtu20cis_vartmp: - source: /tmp - fstype: none - opts: "defaults,nodev,nosuid,noexec,bind" - enabled: false - # Control 1.3.1 - allow aide to be configured ubtu20cis_config_aide: true From 422a69578795497ccfae5f98e3aeb620054d5a93 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 May 2023 11:33:05 +0100 Subject: [PATCH 07/10] fix tags and 1.1.12-14 control Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.x.yml | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 62560760..71fd2375 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -127,7 +127,7 @@ - automated - audit - rule_1.1.11 - - var/tmp + - var_tmp - name: | "1.1.12 | PATCH | Ensure /var/tmp partition includes the nodev option" 
@@ -135,16 +135,19 @@ "1.1.14 | PATCH | Ensure /var/tmp partition includes the noexec option" ansible.posix.mount: name: /var/tmp - src: "{{ ubtu20cis_vartmp['source'] }}" + src: "{{ item.device }}" state: present - fstype: "{{ ubtu20cis_vartmp['fstype'] }}" - opts: "{{ ubtu20cis_vartmp['opts'] }}" + fstype: "{{ item.fstype }}" + opts: "defaults,{% if ubtu20cis_rule_1_1_12 %}nodev,{% endif %}{% if ubtu20cis_rule_1_1_13 %}nosuid,{% endif %}{% if ubtu20cis_rule_1_1_14 %}noexec{% endif %}" + loop: "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" notify: remount var_tmp when: - ubtu20cis_rule_1_1_12 or ubtu20cis_rule_1_1_13 or ubtu20cis_rule_1_1_14 - - ubtu20cis_vartmp['enabled'] + - item.mount == '/var/tmp' tags: - level1-server - level1-workstation @@ -153,7 +156,7 @@ - rule_1.1.12 - rule_1.1.13 - rule_1.1.14 - - var/tmp + - var_tmp - name: "1.1.15 | AUDIT | Ensure separate partition exists for /var/log" block: @@ -175,7 +178,7 @@ - automated - audit - rule_1.1.15 - - var/log + - var_log - name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit" block: @@ -196,7 +199,7 @@ - level2-workstation - automated - audit - - var/log/audit + - var_log_audit - name: "1.1.17 | AUDIT | Ensure separate partition exists for /home" block: @@ -217,7 +220,7 @@ - level2-workstation - automated - audit - - /home + - home - name: "1.1.18 | PATCH | Ensure /home partition includes the nodev option" ansible.posix.mount: @@ -226,7 +229,7 @@ state: mounted fstype: "{{ item.fstype }}" opts: "nodev" - with_items: "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" when: @@ -238,7 +241,7 @@ - automated - patch - rule_1.1.18 - - /home + - home - name: "1.1.19 | AUDIT | Ensure nodev option set on removable media partitions" ansible.builtin.debug: From 2b4d5471192039841e28c04bd6dfe999bf64037d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 17 May 2023 11:37:33 +0100 Subject: [PATCH 08/10] updated 
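Review bot: The Jinja expression building `opts` leaves a trailing comma when `ubtu20cis_rule_1_1_14` is false but 1.1.12 or 1.1.13 is true (`defaults,nodev,nosuid,`), and that string is written into fstab as-is and then picked up by the `remount var_tmp` handler; building a list and joining avoids the problem: `opts: "{{ (['defaults'] + (['nodev'] if ubtu20cis_rule_1_1_12 else []) + (['nosuid'] if ubtu20cis_rule_1_1_13 else []) + (['noexec'] if ubtu20cis_rule_1_1_14 else [])) | join(',') }}"`. Separately, with the `ubtu20cis_vartmp` bind-mount defaults removed in PATCH 06/10, a host where /var/tmp is not its own mount point has no `ansible_mounts` entry with `item.mount == '/var/tmp'`, so the loop matches nothing and controls 1.1.12–1.1.14 are silently not applied; a `debug` warning when no such entry exists, or a Changelog note that a separate /var/tmp mount is now a prerequisite, would make that visible. The enclosing task's `name` starts above the hunk.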
Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index 5723029b..d14c4b9e 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,10 @@ # Change log for Ubuntu 2004 +## V1.0.1 - based upon CIS 1.1.0 + +thanks to ikthomas +[#84](https://github.com/ansible-lockdown/UBUNTU20-CIS/issues/84) + ## v1.0.0 - update galaxy lint requirements @@ -8,8 +13,6 @@ ## Feb 23 updates - Initial -### based upon CIS 1.1.0 - - lint files updated - ansible version updated - Lots of lint and standardisation changes From bf78a734711f6c3c7690706450b938bfecb3ef03 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 19 Jul 2023 13:44:40 +0100 Subject: [PATCH 09/10] changed list label Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index ca2b7124..c4a1a9e3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -493,7 +493,7 @@ ubtu20cis_ufw_allow_out_ports: ufw_add_incoming: false ubtu20cis_ufw_allow_in: - - ports: 22 + - port: 22 from: any proto: tcp From cb9ea8c126c3a435f9c469e9e7eb1c955d0b90e9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 19 Jul 2023 13:44:52 +0100 Subject: [PATCH 10/10] fixed ufw in port optional logic Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.5.1.x.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tasks/section_3/cis_3.5.1.x.yml b/tasks/section_3/cis_3.5.1.x.yml index ba65de4b..028941fd 100644 --- a/tasks/section_3/cis_3.5.1.x.yml +++ b/tasks/section_3/cis_3.5.1.x.yml @@ -164,10 +164,11 @@ rule: allow direction: in from_ip: '{{ item.from }}' - to_port: '{{ item.ports }}' + to_port: '{{ item.port }}' proto: '{{ item.proto }}' - loop: - - "{{ ubtu20cis_ufw_allow_in }}" + loop: "{{ ubtu20cis_ufw_allow_in }}" + loop_control: + label: "{{ item.port }}" notify: reload ufw when: ufw_add_incoming tags:
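Review bot: Renaming the list key from `ports` to `port` (here in `to_port` and in the defaults hunk of PATCH 09/10) silently breaks any inventory that overrides `ubtu20cis_ufw_allow_in` with the old key: `item.port` raises an undefined-attribute error rather than falling back. If compatibility matters, `to_port: '{{ item.port | default(item.ports) }}'` accepts both spellings during a transition, and the new `loop_control` label needs the same fallback; otherwise this should be recorded as a breaking change in the Changelog. Replacing the nested one-element `loop` list with `loop: "{{ ubtu20cis_ufw_allow_in }}"` is the actual fix for the per-item lookups and looks correct.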