Merge branch 'devel' into nov23_improvements

.pre-commit-config.yaml

@@ -44,7 +44,7 @@ repos:
     exclude: .config/.secrets.baseline
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.22.0
+  rev: v6.22.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint

tasks/section_2/cis_2.1.1.x.yml

@@ -22,7 +22,9 @@
             state: stopped
             enabled: false
             masked: true
-        when: ubtu20cis_time_sync_tool != "systemd-timesyncd"
+        when:
+            - ubtu20cis_time_sync_tool != "systemd-timesyncd"
+            - "'systemd-timesyncd' in ansible_facts.packages"
   when:
       - ubtu20cis_rule_2_1_1_1
   tags:

tasks/section_4/cis_4.3.x.yml

@@ -17,9 +17,9 @@
 - name: "4.3.2 | PATCH | Ensure sudo commands use pty"
   ansible.builtin.lineinfile:
       path: /etc/sudoers
-      regexp: '^Defaults        use_'
-      line: 'Defaults        use_pty'
-      insertafter: '^Defaults'
+      regexp: '^\s*Defaults\s+use_pty\s*$'
+      line: 'Defaults use_pty'
+      insertafter: 'EOF'
   when:
       - ubtu20cis_rule_4_3_2
   tags:
@@ -33,9 +33,9 @@
 - name: "4.3.3 | PATCH | Ensure sudo log file exists"
   ansible.builtin.lineinfile:
       path: /etc/sudoers
-      regexp: '^Defaults        logfile'
-      line: 'Defaults        logfile="{{ ubtu20cis_sudo_logfile }}"'
-      insertafter: '^Defaults'
+      regexp: '^\s*Defaults\s+logfile\s*='
+      line: 'Defaults logfile="{{ ubtu20cis_sudo_logfile }}"'
+      insertafter: 'EOF'
   when:
       - ubtu20cis_rule_4_3_3
   tags:
@@ -89,15 +89,15 @@
       - name: "4.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
         ansible.builtin.lineinfile:
             path: /etc/sudoers
-            regexp: 'Defaults timestamp_timeout='
+            regexp: '^\s*Defaults\s+timestamp_timeout\s*='
             line: "Defaults timestamp_timeout={{ ubtu20cis_sudo_timestamp_timeout }}"
             validate: '/usr/sbin/visudo -cf %s'
         when: ubtu20cis_4_3_6_timeout_files.stdout | length == 0
 
       - name: "4.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
         ansible.builtin.replace:
             path: "{{ item }}"
-            regexp: 'timestamp_timeout=(\d+)'
+            regexp: 'timestamp_timeout\s*=\s*(\d+)'
             replace: "timestamp_timeout={{ ubtu20cis_sudo_timestamp_timeout }}"
             validate: '/usr/sbin/visudo -cf %s'
         loop: "{{ ubtu20cis_4_3_6_timeout_files.stdout_lines }}"

tasks/section_4/cis_4.5.1.x.yml

@@ -191,7 +191,7 @@
 - name: "4.5.1.6 | PATCH | Ensure the number of changed characters in a new password is configured"
   ansible.builtin.lineinfile:
       path: /etc/security/pwquality.conf
-      regexp: '^(#\s+|)difok|'
+      regexp: '^(#\s+|)difok'
       line: 'difok = {{ ubtu20cis_pass.character_changed }}'
       create: true
       mode: 0640

tasks/section_4/cis_4.5.x.yml

@@ -75,14 +75,13 @@
 
       - name: "4.5.4 | PATCH | Ensure default user umask is 027 or more restrictive"
         ansible.builtin.lineinfile:
-            path: "{{ item }}"
-            regexp: '(?i)(umask\s*)'
-            line: '\g<1>{{ ubtu20cis_bash_umask }}'
-            backrefs: true
+            path: "{{ item.path }}"
+            regexp: '(?i)(umask\s*\d\d\d)'
+            line: '{{ item.line }} {{ ubtu20cis_bash_umask }}'
         with_items:
-            - /etc/bash.bashrc
-            - /etc/profile
-            - /etc/login.defs
+            - { path: '/etc/bash.bashrc', line: 'umask' }
+            - { path: '/etc/profile', line: 'umask' }
+            - { path: '/etc/login.defs', line: 'UMASK' }
 
       - name: "4.5.4 | PATCH | Ensure default user umask is 027 or more restrictive"
         ansible.builtin.lineinfile:

tasks/section_6/cis_6.2.x.yml

@@ -409,7 +409,6 @@
         with_items: "{{ ubtu20cis_6_2_12_audit.stdout_lines }}"
         when:
             - ubtu20cis_6_2_12_audit.stdout | length > 0
-            - ubtu20cis_dotperm_ansibleManaged
 
       - name: "6.2.12 | PATCH | Ensure local interactive user dot files access is configured | Ensure no users have .netrc files"
         ansible.builtin.file: