ansible-lockdown · uk-bolly · Sep 25, 2023 · Sep 25, 2023 · Sep 25, 2023 · Sep 25, 2023
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -81,20 +81,23 @@
       - always
 
 - name: Import preliminary tasks
-  ansible.builtin.import_tasks: prelim.yml
+  ansible.builtin.import_tasks:
+      file: prelim.yml
   tags:
       - prelim_tasks
       - run_audit
 
 - name: Run pre remediation audit tasks
-  ansible.builtin.import_tasks: pre_remediation_audit.yml
+  ansible.builtin.import_tasks:
+      file: pre_remediation_audit.yml
   when:
       - run_audit
   tags:
       - run_audit
 
 - name: Run parse /etc/passwd
-  ansible.builtin.import_tasks: parse_etc_password.yml
+  ansible.builtin.import_tasks:
+      file: parse_etc_password.yml
   when:
       - ubtu20cis_section5_patch or
         ubtu20cis_section6_patch
@@ -106,42 +109,48 @@
       - always
 
 - name: Include section 1 patches
-  ansible.builtin.import_tasks: section_1/main.yml
+  ansible.builtin.import_tasks:
+      file: section_1/main.yml
   when:
       - ubtu20cis_section1_patch
   tags:
       - section1
 
 - name: Include section 2 patches
-  ansible.builtin.import_tasks: section_2/main.yml
+  ansible.builtin.import_tasks:
+      file: section_2/main.yml
   when:
       - ubtu20cis_section2_patch
   tags:
       - section2
 
 - name: Include section 3 patches
-  ansible.builtin.import_tasks: section_3/main.yml
+  ansible.builtin.import_tasks:
+      file: section_3/main.yml
   when:
       - ubtu20cis_section3_patch
   tags:
       - section3
 
 - name: Include section 4 patches
-  ansible.builtin.import_tasks: section_4/main.yml
+  ansible.builtin.import_tasks:
+      file: section_4/main.yml
   when:
       - ubtu20cis_section4_patch
   tags:
       - section4
 
 - name: Include section 5 patches
-  ansible.builtin.import_tasks: section_5/main.yml
+  ansible.builtin.import_tasks:
+      file: section_5/main.yml
   when:
       - ubtu20cis_section5_patch
   tags:
       - section5
 
 - name: Include section 6 patches
-  ansible.builtin.import_tasks: section_6/main.yml
+  ansible.builtin.import_tasks:
+      file: section_6/main.yml
   when:
       - ubtu20cis_section6_patch
   tags:
@@ -151,13 +160,15 @@
   ansible.builtin.meta: flush_handlers
 
 - name: run post remediation tasks
-  ansible.builtin.import_tasks: post.yml
+  ansible.builtin.import_tasks:
+      file: post.yml
   tags:
       - post_tasks
       - always
 
 - name: Run post audit
-  ansible.builtin.import_tasks: post_remediation_audit.yml
+  ansible.builtin.import_tasks:
+      file: post_remediation_audit.yml
   when:
       - run_audit
 

diff --git a/tasks/post.yml b/tasks/post.yml
@@ -21,7 +21,8 @@
             - skip_reboot
 
       - name: "POST | Warning a reboot required but skip option set | warning count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         when:
             - change_requires_reboot
             - skip_reboot

diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
@@ -1,7 +1,8 @@
 ---
 
 - name: Audit Binary Setup | Setup the LE audit
-  ansible.builtin.import_tasks: LE_audit_setup.yml
+  ansible.builtin.import_tasks:
+      file: LE_audit_setup.yml
   when:
       - setup_audit
   tags:

diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml
@@ -7,7 +7,8 @@
             msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
 
       - name: "1.1.2.1 | WARN | Ensure /tmp is a separate partition | warn_count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
   vars:
       warn_control_id: '1.1.2.1'
       required_mount: '/tmp'

diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml
@@ -7,7 +7,8 @@
             msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
 
       - name: "1.1.3.1 | WARN | Ensure separate partition exists for /var | warn_count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
   vars:
       warn_control_id: '1.1.3.1'
       required_mount: '/var'

diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml
@@ -7,7 +7,8 @@
             msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
 
       - name: "1.1.4.1 | WARN | Ensure separate partition exists for /var/tmp  | warn_count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
   vars:
       warn_control_id: '1.1.4.1'
       required_mount: '/var/tmp'

diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml
@@ -7,7 +7,8 @@
             msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
 
       - name: "1.1.5.1 | WARN | Ensure separate partition exists for /var/log | warn_count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
   vars:
       warn_control_id: '1.1.5.1'
       required_mount: '/var/log'

diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml
@@ -7,7 +7,8 @@
             msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
 
       - name: "1.1.6.1 | WARN | Ensure separate partition exists for /var/log/audit | warn_count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
   vars:
       warn_control_id: '1.1.6.1'
       required_mount: '/var/log/audit'

diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml
@@ -7,7 +7,8 @@
             msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
 
       - name: "1.1.7.1 | WARN | Ensure separate partition exists for /home | warn_count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
   vars:
       warn_control_id: '1.1.7.1'
       required_mount: '/home'

diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml
@@ -31,7 +31,8 @@
                 - "{{ ubtu20cis_1_3_2_apt_policy.stdout_lines }}"
 
       - name: "1.3.2 | AUDIT | Ensure package manager repositories are configured | Warn Count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
   vars:
       warn_control_id: '1.3.2'
   when:
@@ -62,7 +63,8 @@
                 - "{{ ubtu20cis_1_3_3_apt_gpgkeys.stdout_lines }}"
 
       - name: "1.3.3 | AUDIT | Ensure GPG keys are configured | Warn Count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
   vars:
       warn_control_id: '1.3.3'
   when:

diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
@@ -9,6 +9,7 @@
             line: '\1 {{ ubtu20cis_bootloader_password_hash }}'
             insertafter: set superusers="{{ ubtu20cis_grub_user }}"
             state: present
+            create: true
         notify: Grub update
 
       - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot"

diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml
@@ -70,7 +70,8 @@
         when: ubtu20cis_rule_1_6_1_3_apparmor_unconfined.stdout != '0'
 
       - name: "1.6.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain mode | Warn Count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         when: ubtu20cis_rule_1_6_1_3_apparmor_unconfined.stdout != '0'
   vars:
       warn_control_id: '1.6.1.3'
@@ -99,7 +100,8 @@
         when: ubtu20cis_rule_1_6_1_4_apparmor_enforced.stdout != '0'
 
       - name: "1.6.1.4 | AUDIT | Ensure all AppArmor Profiles are enforcing | Warn Count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         when: ubtu20cis_rule_1_6_1_4_apparmor_enforced.stdout != '0'
 
   vars:

diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml
@@ -1,51 +1,68 @@
 ---
 - name: "SECTION | 1.1.1 | Disable Unused Filesystems"
-  ansible.builtin.import_tasks: cis_1.1.1.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.1.1.x.yml
 
 - name: "SECTION | 1.1.2 | Configure /tmp"
-  ansible.builtin.import_tasks: cis_1.1.2.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.1.2.x.yml
 
 - name: "SECTION | 1.1.3 | Configure /var"
-  ansible.builtin.import_tasks: cis_1.1.3.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.1.3.x.yml
 
 - name: "SECTION | 1.1.4 | Configure /var/tmp"
-  ansible.builtin.import_tasks: cis_1.1.4.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.1.4.x.yml
 
 - name: "SECTION | 1.1.5 | Configure /var/log"
-  ansible.builtin.import_tasks: cis_1.1.5.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.1.5.x.yml
 
 - name: "SECTION | 1.1.6 | Configure /var/log/audit"
-  ansible.builtin.import_tasks: cis_1.1.6.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.1.6.x.yml
 
 - name: "SECTION | 1.1.7 | Configure /home"
-  ansible.builtin.import_tasks: cis_1.1.7.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.1.7.x.yml
 
 - name: "SECTION | 1.1.8 | Configure /dev/shm"
-  ansible.builtin.import_tasks: cis_1.1.8.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.1.8.x.yml
 
 - name: "SECTION | 1.1.9 | Configure autofs"
-  ansible.builtin.import_tasks: cis_1.1.9.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.1.9.yml
 
 - name: "SECTION | 1.1.10 | Configure usb-storage"
-  ansible.builtin.import_tasks: cis_1.1.10.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.1.10.yml
 
 - name: "SECTION | 1.2 | Filesystem Integrity Checking"
-  ansible.builtin.import_tasks: cis_1.2.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.2.x.yml
 
 - name: "SECTION | 1.3. | gpg and repository configuration"
-  ansible.builtin.import_tasks: cis_1.3.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.3.x.yml
 
 - name: "SECTION | 1.4 | Secure Boot Settings"
-  ansible.builtin.import_tasks: cis_1.4.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.4.x.yml
 
 - name: "SECTION | 1.5 | Additional Process Hardening"
-  ansible.builtin.import_tasks: cis_1.5.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.5.x.yml
 
 - name: "SECTION | 1.6 | Mandatory Access Control"
-  ansible.builtin.import_tasks: cis_1.6.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.6.x.yml
 
 - name: "SECTION | 1.7 | Command Line Warning Banners"
-  ansible.builtin.import_tasks: cis_1.7.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.7.x.yml
 
 - name: "SECTION | 1.8 | GNOME Display Manager"
-  ansible.builtin.import_tasks: cis_1.8.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_1.8.x.yml
diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml
@@ -309,7 +309,8 @@
             - "'postfix' not in ansible_facts.packages"
 
       - name: "2.2.16 | WARN | Ensure mail transfer agent is configured for local-only mode | warn_count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         when:
             - "'exim4' not in ansible_facts.packages"
             - "'postfix' not in ansible_facts.packages"

diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml
@@ -17,7 +17,8 @@
         when: ubtu20cis_2_3_services.stdout | length > 0
 
       - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Set warning count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
         when: ubtu20cis_2_3_services.stdout | length > 0
   vars:
       warn_control_id: '2.4'

diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml
@@ -1,24 +1,31 @@
 ---
 - name: "SECTION | 2.1.1 | Configure Time Synchronization"
-  ansible.builtin.import_tasks: cis_2.1.1.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_2.1.1.x.yml
 
 - name: "SECTION | 2.1.2 | Configure chrony"
-  ansible.builtin.import_tasks: cis_2.1.2.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_2.1.2.x.yml
   when: ubtu20cis_time_sync_tool == "chrony"
 
 - name: "SECTION | 2.1.3 | Configure systemd-timesyncd"
-  ansible.builtin.import_tasks: cis_2.1.3.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_2.1.3.x.yml
   when: ubtu20cis_time_sync_tool == "systemd-timesyncd"
 
 - name: "SECTION | 2.1.4 | Configure NTP"
-  ansible.builtin.import_tasks: cis_2.1.4.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_2.1.4.x.yml
   when: ubtu20cis_time_sync_tool == "ntp"
 
 - name: "SECTION | 2.2 | Special Purpose Services"
-  ansible.builtin.import_tasks: cis_2.2.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_2.2.x.yml
 
 - name: "SECTION | 2.3 | Service Clients"
-  ansible.builtin.import_tasks: cis_2.3.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_2.3.x.yml
 
 - name: "SECTION | 2.4 | Ensure nonessential services are removed or masked"
-  ansible.builtin.import_tasks: cis_2.4.yml
+  ansible.builtin.import_tasks:
+      file: cis_2.4.yml
diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml
@@ -144,7 +144,8 @@
                 - "{{ ubtu20cis_3_4_1_6_firewall_rules.stdout_lines }}"
 
       - name: "3.4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Warn Count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
   vars:
       warn_control_id: '3.4.1.6'