From 97140fd6b1c2adde966365fc9621b5096fb7b3ff Mon Sep 17 00:00:00 2001
From: Karl DeBisschop
Date: Sun, 26 Nov 2023 17:16:51 -0500
Subject: [PATCH 1/6] Nultiple issues with CIS 4.3.x sudo

Signed-off-by: Karl DeBisschop
---
 tasks/section_4/cis_4.3.x.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml
index dc6b1b71..a4a5c0fa 100644
--- a/tasks/section_4/cis_4.3.x.yml
+++ b/tasks/section_4/cis_4.3.x.yml
@@ -17,9 +17,9 @@
 - name: "4.3.2 | PATCH | Ensure sudo commands use pty"
 ansible.builtin.lineinfile:
 path: /etc/sudoers
- regexp: '^Defaults use_'
- line: 'Defaults use_pty'
- insertafter: '^Defaults'
+ regexp: '^\s*Defaults\s+use_pty\s*$'
+ line: 'Defaults use_pty'
+ insertafter: 'EOF'
 when:
 - ubtu20cis_rule_4_3_2
 tags:
@@ -33,9 +33,9 @@
 - name: "4.3.3 | PATCH | Ensure sudo log file exists"
 ansible.builtin.lineinfile:
 path: /etc/sudoers
- regexp: '^Defaults logfile'
- line: 'Defaults logfile="{{ ubtu20cis_sudo_logfile }}"'
- insertafter: '^Defaults'
+ regexp: '^\s*Defaults\s+logfile\s*='
+ line: 'Defaults logfile="{{ ubtu20cis_sudo_logfile }}"'
+ insertafter: 'EOF'
 when:
 - ubtu20cis_rule_4_3_3
 tags:
@@ -89,7 +89,7 @@
 - name: "4.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
 ansible.builtin.lineinfile:
 path: /etc/sudoers
- regexp: 'Defaults timestamp_timeout='
+ regexp: '^\s*Defaults\s+timestamp_timeout\s*='
 line: "Defaults timestamp_timeout={{ ubtu20cis_sudo_timestamp_timeout }}"
 validate: '/usr/sbin/visudo -cf %s'
 when: ubtu20cis_4_3_6_timeout_files.stdout | length == 0
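Review bot: The 4.3.2 task in this hunk and the 4.3.3 task in the next still write to /etc/sudoers without a `validate`, while the 4.3.6 task further down the same file runs `validate: '/usr/sbin/visudo -cf %s'` before the edit is committed. An unexpected templated value for `ubtu20cis_sudo_logfile`, or any other malformed line, would be written unchecked, and a sudoers parse error leaves sudo unusable on the host. Adding `validate: '/usr/sbin/visudo -cf %s'` to both tasks closes that gap and matches the file's own convention. `insertafter: 'EOF'` is also lineinfile's default, so the key can be dropped rather than set.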
@@ -97,7 +97,7 @@
 - name: "4.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
 ansible.builtin.replace:
 path: "{{ item }}"
- regexp: 'timestamp_timeout=(\d+)'
+ regexp: 'timestamp_timeout\s*=\s*(\d+)'
 replace: "timestamp_timeout={{ ubtu20cis_sudo_timestamp_timeout }}"
 validate: '/usr/sbin/visudo -cf %s'
 loop: "{{ ubtu20cis_4_3_6_timeout_files.stdout_lines }}"

From 91f1f3ffd0ac2ae2042d813a8084a7516821e92b Mon Sep 17 00:00:00 2001
From: Karl DeBisschop
Date: Mon, 27 Nov 2023 08:40:13 -0500
Subject: [PATCH 2/6] CIS 2.1.1.1 should not fail if systemd-timesyncd is not installed

Signed-off-by: Karl DeBisschop
---
 tasks/section_2/cis_2.1.1.x.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tasks/section_2/cis_2.1.1.x.yml b/tasks/section_2/cis_2.1.1.x.yml
index 84e4bcbb..fe9cdd28 100644
--- a/tasks/section_2/cis_2.1.1.x.yml
+++ b/tasks/section_2/cis_2.1.1.x.yml
@@ -22,7 +22,9 @@
 state: stopped
 enabled: false
 masked: true
- when: ubtu20cis_time_sync_tool != "systemd-timesyncd"
+ when:
+ - ubtu20cis_time_sync_tool != "systemd-timesyncd"
+ - "'systemd-timesyncd' in ansible_facts.packages"
 when:
 - ubtu20cis_rule_2_1_1_1
 tags:

From ba0d9b3940a388e86217a3129595d999c16cd5ab Mon Sep 17 00:00:00 2001
From: Karl DeBisschop
Date: Mon, 27 Nov 2023 09:28:24 -0500
Subject: [PATCH 3/6] CIS 4.5.1.6 difok regex incorrectly matches any line

Signed-off-by: Karl DeBisschop
---
 tasks/section_4/cis_4.5.1.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/section_4/cis_4.5.1.x.yml b/tasks/section_4/cis_4.5.1.x.yml
index 151b0ebd..95d629af 100644
--- a/tasks/section_4/cis_4.5.1.x.yml
+++ b/tasks/section_4/cis_4.5.1.x.yml
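Review bot: The loosened `regexp: 'timestamp_timeout\s*=\s*(\d+)'` still cannot match a negative value: sudoers accepts `timestamp_timeout=-1` to make the cached credential never expire, which is precisely the setting 4.3.6 exists to correct, and `\d+` does not admit a leading minus. If the audit task that fills `ubtu20cis_4_3_6_timeout_files` (outside this hunk) lists such a file, this replace leaves the line untouched and the "no results" task is skipped because stdout is non-empty. `regexp: 'timestamp_timeout\s*=\s*(-?\d+)'` covers it; the capture group is not referenced by `replace`, so the parentheses could also simply go.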
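Review bot: The added condition `"'systemd-timesyncd' in ansible_facts.packages"` depends on `ansible.builtin.package_facts` having populated `ansible_facts.packages` earlier in the play; if that has not happened, the task fails with an undefined attribute rather than being skipped, which reintroduces the failure this commit fixes under a different message. Whether the role gathers package facts before this point is not visible in the hunk. A defensive form is `- "'systemd-timesyncd' in ansible_facts.packages | default({})"`, or an explicit `package_facts` task ahead of this block.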
@@ -173,7 +173,7 @@
 - name: "4.5.1.6 | PATCH | Ensure the number of changed characters in a new password is configured"
 ansible.builtin.lineinfile:
 path: /etc/security/pwquality.conf
- regexp: '^(#\s+|)difok|'
+ regexp: '^(#\s+|)difok'
 line: 'difok = {{ ubtu20cis_pass.character_changed }}'
 create: true
 mode: 0640

From 0e8285549f4dcd46ad8d246dde584fbca42067bb Mon Sep 17 00:00:00 2001
From: Dan D
Date: Wed, 29 Nov 2023 11:52:00 -0800
Subject: [PATCH 4/6] removes unexpected variable

Signed-off-by: Dan D
---
 tasks/section_6/cis_6.2.x.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
index 672791a7..826549d5 100644
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@@ -409,7 +409,6 @@
 with_items: "{{ ubtu20cis_6_2_12_audit.stdout_lines }}"
 when:
 - ubtu20cis_6_2_12_audit.stdout | length > 0
- - ubtu20cis_dotperm_ansibleManaged
 
 - name: "6.2.12 | PATCH | Ensure local interactive user dot files access is configured | Ensure no users have .netrc files"
 ansible.builtin.file:

From 4bab811fd2965189626d34bf510d108ee9eaf09b Mon Sep 17 00:00:00 2001
From: Dan D
Date: Wed, 29 Nov 2023 12:17:31 -0800
Subject: [PATCH 5/6] Fixes case sensitive umask setting

Signed-off-by: Dan D
---
 tasks/section_4/cis_4.5.x.yml | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/tasks/section_4/cis_4.5.x.yml b/tasks/section_4/cis_4.5.x.yml
index 9f851614..43a04129 100644
--- a/tasks/section_4/cis_4.5.x.yml
+++ b/tasks/section_4/cis_4.5.x.yml
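Review bot: The corrected `regexp: '^(#\s+|)difok'` still only recognises a commented-out entry when at least one space follows the `#`, so a line written as `#difok = 1` is not replaced and a second `difok` line is appended at EOF. The shorter `regexp: '^#?\s*difok'` covers both spellings and reads more clearly than the empty alternative. On the context line, `mode: 0640` is a bare octal that ansible-lint's risky-octal rule prefers as the quoted `'0640'`, though that is outside this change.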
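Review bot: Removing `ubtu20cis_dotperm_ansibleManaged` from the `when:` list resolves the undefined variable, but it also makes the dot-file change unconditional whenever `ubtu20cis_6_2_12_audit` finds files; the name reads like an opt-in switch for touching user-owned files, and that switch is now gone. If the opt-in is wanted, defining it in defaults (for example `ubtu20cis_dotperm_ansibleManaged: true`) keeps the behaviour selectable; if the removal is intentional, a one-line comment above the task saying so stops the next reader re-adding it. The task's module call lies above the hunk, so I could not confirm what it changes on each file.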
@@ -75,14 +75,13 @@
 
 - name: "4.5.4 | PATCH | Ensure default user umask is 027 or more restrictive"
 ansible.builtin.lineinfile:
- path: "{{ item }}"
- regexp: '(?i)(umask\s*)'
- line: '\g<1>{{ ubtu20cis_bash_umask }}'
- backrefs: true
+ path: "{{ item.path }}"
+ regexp: '(?i)(umask\s*\d\d\d)'
+ line: '{{ item.line }} {{ ubtu20cis_bash_umask }}'
 with_items:
- - /etc/bash.bashrc
- - /etc/profile
- - /etc/login.defs
+ - { path: '/etc/bash.bashrc', line: 'umask' }
+ - { path: '/etc/profile', line: 'umask' }
+ - { path: '/etc/login.defs', line: 'UMASK' }
 
 - name: "4.5.4 | PATCH | Ensure default user umask is 027 or more restrictive"
 ansible.builtin.lineinfile:

From 25245fd9455fe7d7d8c8534dd543242878d81664 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 4 Dec 2023 17:36:07 +0000
Subject: [PATCH 6/6] [pre-commit.ci] pre-commit autoupdate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

updates:
- [github.com/ansible-community/ansible-lint: v6.22.0 → v6.22.1](https://github.com/ansible-community/ansible-lint/compare/v6.22.0...v6.22.1)
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 12712f2e..f645faf8 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -44,7 +44,7 @@ repos:
 exclude: .config/.secrets.baseline
 
 - repo: https://github.com/ansible-community/ansible-lint
- rev: v6.22.0
+ rev: v6.22.1
 hooks:
 - id: ansible-lint
 name: Ansible-lint
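Review bot: The new `regexp: '(?i)(umask\s*\d\d\d)'` is unanchored, so it also matches a commented example such as `# umask 022`; lineinfile rewrites the last matching line, so that comment would become a live `umask 027` wherever it sits in the file, while a two-digit form like `umask 22` is not matched at all and a second umask line is appended instead. Anchoring on the per-file keyword, e.g. `regexp: '^\s*{{ item.line }}\s+\d{2,4}'`, handles both cases, and since the case difference is now carried by `item.line`, the `(?i)` flag and the unused capture group can go. The 4.3.6 task earlier in this series uses `loop:` where this one keeps `with_items:`; one loop style per role reads better.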