Skip to content

Commit

Permalink
Merge pull request #141 from ansible-lockdown/devel
Browse files Browse the repository at this point in the history
cis2.0.1 release March 24
  • Loading branch information
uk-bolly authored Mar 20, 2024
2 parents 5f03547 + 38b4140 commit 09b76de
Show file tree
Hide file tree
Showing 11 changed files with 24 additions and 17 deletions.
6 changes: 3 additions & 3 deletions .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -37,14 +37,14 @@ repos:
exclude: .config/.gitleaks-report.json tasks/parse_etc_password

- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.1
rev: v8.18.2
hooks:
- id: gitleaks
args: ['--baseline-path', '.config/.gitleaks-report.json']
exclude: .config/.secrets.baseline

- repo: https://github.com/ansible-community/ansible-lint
rev: v6.22.1
rev: v24.2.1
hooks:
- id: ansible-lint
name: Ansible-lint
Expand All @@ -63,6 +63,6 @@ repos:
- ansible-core>=2.10.1

- repo: https://github.com/adrienverge/yamllint.git
rev: v1.33.0 # or higher tag
rev: v1.35.1 # or higher tag
hooks:
- id: yamllint
8 changes: 7 additions & 1 deletion defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,12 @@ ubtu20cis_system_is_container: false
# skip events for ec2 instance testing pipeline
system_is_ec2: false

## Root user used
# Root by default is not used unless setup by user
# The role will only run certain commands if set to true
# This allows the ability to skip tasks that may cause an issue
ubtu20cis_uses_root: false

# Section 1 Fixes
# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings,
# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager)
Expand Down Expand Up @@ -535,7 +541,7 @@ ubtu20cis_warning_banner: |
# The two options are chrony, ntp, or systemd-timesyncd
ubtu20cis_time_sync_tool: "systemd-timesyncd"

# This setting allow to use 'pool' or 'server' options using values below.
# This setting allow to use 'pool' or 'servers' options using values below.
# only one wil be applied
ubtu20cis_chrony_timesource: pool

Expand Down
2 changes: 1 addition & 1 deletion tasks/LE_audit_setup.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
- name: Pre Audit Setup | Set audit package name | ARM64
ansible.builtin.set_fact:
audit_pkg_arch_name: ARM64
when: ansible_facts.machine == "arm64"
when: ansible_facts.machine == "aarch64"

- name: Pre Audit Setup | Download audit binary
ansible.builtin.get_url:
Expand Down
2 changes: 1 addition & 1 deletion tasks/post_remediation_audit.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---

- name: Post Audit | Run post_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
Expand Down
2 changes: 1 addition & 1 deletion tasks/pre_remediation_audit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@
mode: '0600'

- name: Pre Audit | Run pre_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
Expand Down
6 changes: 3 additions & 3 deletions tasks/prelim.yml
Original file line number Diff line number Diff line change
Expand Up @@ -51,11 +51,11 @@
ansible.builtin.package:
update_cache: true
when:
- ubtu20cis_rule_1_3_1 or
ubtu20cis_rule_1_9
- ubtu20cis_rule_1_2_1 or
ubtu20cis_rule_1_3_1
tags:
- rule_1.3.1
- rule_1.9
- rule_1.2.1
- always

- name: "PRELIM | Check for autofs service"
Expand Down
4 changes: 2 additions & 2 deletions tasks/section_1/cis_1.6.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,8 +39,8 @@
regexp: "{{ item.regexp }}"
replace: "{{ item.replace }}"
with_items:
- { regexp: 'apparmor=\S+', replace: 'apparmor=1' }
- { regexp: 'security=\S+', replace: 'security=apparmor' }
- { regexp: 'apparmor=[^\s"]+', replace: 'apparmor=1' }
- { regexp: 'security=[^\s"]+', replace: 'security=apparmor' }
when:
- "'apparmor' in ubtu20cis_1_6_1_2_cmdline_settings.stdout"
- "'security' in ubtu20cis_1_6_1_2_cmdline_settings.stdout"
Expand Down
5 changes: 3 additions & 2 deletions tasks/section_4/cis_4.3.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@
path: /etc/sudoers
regexp: '^\s*Defaults\s+use_pty\s*$'
line: 'Defaults use_pty'
insertafter: 'EOF'
insertafter: '^\s*Defaults'
when:
- ubtu20cis_rule_4_3_2
tags:
Expand All @@ -35,7 +35,7 @@
path: /etc/sudoers
regexp: '^\s*Defaults\s+logfile\s*='
line: 'Defaults logfile="{{ ubtu20cis_sudo_logfile }}"'
insertafter: 'EOF'
insertafter: '^\s*Defaults'
when:
- ubtu20cis_rule_4_3_3
tags:
Expand Down Expand Up @@ -92,6 +92,7 @@
regexp: '^\s*Defaults\s+timestamp_timeout\s*='
line: "Defaults timestamp_timeout={{ ubtu20cis_sudo_timestamp_timeout }}"
validate: '/usr/sbin/visudo -cf %s'
insertafter: '^\s*Defaults'
when: ubtu20cis_4_3_6_timeout_files.stdout | length == 0

- name: "4.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
Expand Down
2 changes: 1 addition & 1 deletion tasks/section_5/cis_5.1.2.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@
- { regexp: '^mail.info|^#mail.info', line: 'mail.info -/var/log/mail.info', insertafter: '^# Logging for the mail system' }
- { regexp: '^mail.warn|^#mail.warn', line: 'mail.warn -/var/log/mail.warn', insertafter: '^# Logging for the mail system.' }
- { regexp: '^mail.err|^#mail.err', line: 'mail.err /var/log/mail.err', insertafter: '^# Logging for the mail system.' }
- { regexp: '^cron.\*|^#cron.\*', line: 'cron.\* /var/log/cron', insertafter: '^# First some standard log files' }
- { regexp: '^cron.\*|^#cron.\*', line: 'cron.* /var/log/cron', insertafter: '^# First some standard log files' }
- { regexp: '^\*.=warning;\*.=err|^#\*.=warning;\*.=err', line: '*.=warning;*.=err -/var/log/warn', insertafter: '^# First some standard log files' }
- { regexp: '^\*.crit|^#\*.crit', line: '*.crit /var/log/warn', insertafter: '^# First some standard log files' }
- { regexp: '^\*.\*;mail.none;news.none|^#\*.\*;mail.none;news.none', line: '*.*;mail.none;news.none -/var/log/messages', insertafter: '^# First some standard log files' }
Expand Down
2 changes: 1 addition & 1 deletion tasks/section_5/cis_5.2.3.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -93,7 +93,7 @@
- name: "5.2.3.6 | PATCH | Ensure use of privileged commands is collected"
block:
- name: "5.2.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs"
ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
register: priv_procs
changed_when: false
check_mode: false
Expand Down
2 changes: 1 addition & 1 deletion tasks/section_5/cis_5.2.4.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -65,7 +65,7 @@
ansible.builtin.file:
path: "{{ item.path }}"
mode: '0640'
loop: "{{ auditd_conf_files.files }}"
loop: "{{ auditd_conf_files.files|default([])}}"
loop_control:
label: "{{ item.path }}"
when:
Expand Down

0 comments on commit 09b76de

Please sign in to comment.