diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f645faf8..18743e94 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -37,14 +37,14 @@ repos:
 exclude: .config/.gitleaks-report.json tasks/parse_etc_password
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.18.1
+ rev: v8.18.2
 hooks:
 - id: gitleaks
 args: ['--baseline-path', '.config/.gitleaks-report.json']
 exclude: .config/.secrets.baseline
 - repo: https://github.com/ansible-community/ansible-lint
- rev: v6.22.1
+ rev: v24.2.1
 hooks:
 - id: ansible-lint
 name: Ansible-lint
@@ -63,6 +63,6 @@ repos:
 - ansible-core>=2.10.1
 - repo: https://github.com/adrienverge/yamllint.git
- rev: v1.33.0 # or higher tag
+ rev: v1.35.1 # or higher tag
 hooks:
 - id: yamllint
diff --git a/defaults/main.yml b/defaults/main.yml
index 9ad090d3..795587e8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -100,6 +100,12 @@ ubtu20cis_system_is_container: false
 # skip events for ec2 instance testing pipeline
 system_is_ec2: false
+## Root user used
+# Root by default is not used unless setup by user
+# The role will only run certain commands if set to true
+# This allows the ability to skip tasks that may cause an issue
+ubtu20cis_uses_root: false
+
 # Section 1 Fixes
 # Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings,
 # Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager)
@@ -535,7 +541,7 @@ ubtu20cis_warning_banner: |
 # The two options are chrony, ntp, or systemd-timesyncd
 ubtu20cis_time_sync_tool: "systemd-timesyncd"
-# This setting allow to use 'pool' or 'server' options using values below.
+# This setting allow to use 'pool' or 'servers' options using values below.
 # only one wil be applied
 ubtu20cis_chrony_timesource: pool
diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml
index 7ef94b4a..08d047d6 100644
--- a/tasks/LE_audit_setup.yml
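Review bot: The comment block above `ubtu20cis_uses_root` does not say which tasks it gates, so a reader of defaults/main.yml cannot tell what is skipped while it stays `false`; the line `# The role will only run certain commands if set to true` should name the rule numbers or task files that check this variable (they are not part of this diff, so I cannot list them). `unless setup by user` should read `unless set up by the user`, and the heading `## Root user used` reads better as `## Root account usage`.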
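Review bot: The reworded comment on the new line still has a grammar slip: `# This setting allow to use 'pool' or 'servers' options using values below.` would read `# This setting allows either the 'pool' or the 'servers' option, using the values below.`. The following context line `# only one wil be applied` has a typo (`will`) that could be fixed in the same touch.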
+++ b/tasks/LE_audit_setup.yml
@@ -10,7 +10,7 @@
 - name: Pre Audit Setup | Set audit package name | ARM64
 ansible.builtin.set_fact:
 audit_pkg_arch_name: ARM64
- when: ansible_facts.machine == "arm64"
+ when: ansible_facts.machine == "aarch64"
 - name: Pre Audit Setup | Download audit binary
 ansible.builtin.get_url:
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
index eb01bc75..2c51bbb0 100644
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@@ -1,7 +1,7 @@
 ---
 - name: Post Audit | Run post_remediation {{ benchmark }} audit
- ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
+ ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
 changed_when: true
 environment:
 AUDIT_BIN: "{{ audit_bin }}"
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index 258171a1..e3a261e7 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -77,7 +77,7 @@
 mode: '0600'
 - name: Pre Audit | Run pre_remediation {{ benchmark }} audit
- ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
+ ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
 changed_when: true
 environment:
 AUDIT_BIN: "{{ audit_bin }}"
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index e1a9eeda..64f727f5 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -51,11 +51,11 @@
 ansible.builtin.package:
 update_cache: true
 when:
- - ubtu20cis_rule_1_3_1 or
- ubtu20cis_rule_1_9
+ - ubtu20cis_rule_1_2_1 or
+ ubtu20cis_rule_1_3_1
 tags:
 - rule_1.3.1
- - rule_1.9
+ - rule_1.2.1
 - always
 - name: "PRELIM | Check for autofs service"
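Review bot: Wrapping `{{ group_names }}` in escaped double quotes keeps the rendered list together as a single `-g` argument, but the command line is still assembled by string interpolation and handed to a shell, so shell-significant characters in `audit_conf_dir`, `audit_vars_path`, the outfile path or a group name are still interpreted (double quotes do not stop `$`, backtick or `\` processing), and group names can originate from dynamic inventory. The pre_remediation_audit.yml hunk below has the same pattern. The command has no pipes or redirects, so `ansible.builtin.command` with an `argv` list passes each value as a literal argument and needs no quoting at all; `| string` keeps the list rendered as text the way the current string template does, since I cannot see what run_audit.sh expects for `-g`. If a shell really is required, applying the `| quote` filter to each interpolated value is the minimal alternative.
```yaml
- name: Post Audit | Run post_remediation {{ benchmark }} audit
  ansible.builtin.command:
    argv:
      - "{{ audit_conf_dir }}/run_audit.sh"
      - -v
      - "{{ audit_vars_path }}"
      - -o
      - "{{ post_audit_outfile }}"
      - -g
      - "{{ group_names | string }}"
  # … unchanged: changed_when, environment …
```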
diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml
index 53fa9d3a..279d6189 100644
--- a/tasks/section_1/cis_1.6.x.yml
+++ b/tasks/section_1/cis_1.6.x.yml
@@ -39,8 +39,8 @@
 regexp: "{{ item.regexp }}"
 replace: "{{ item.replace }}"
 with_items:
- - { regexp: 'apparmor=\S+', replace: 'apparmor=1' }
- - { regexp: 'security=\S+', replace: 'security=apparmor' }
+ - { regexp: 'apparmor=[^\s"]+', replace: 'apparmor=1' }
+ - { regexp: 'security=[^\s"]+', replace: 'security=apparmor' }
 when:
 - "'apparmor' in ubtu20cis_1_6_1_2_cmdline_settings.stdout"
 - "'security' in ubtu20cis_1_6_1_2_cmdline_settings.stdout"
diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml
index a4a5c0fa..a4432856 100644
--- a/tasks/section_4/cis_4.3.x.yml
+++ b/tasks/section_4/cis_4.3.x.yml
@@ -19,7 +19,7 @@
 path: /etc/sudoers
 regexp: '^\s*Defaults\s+use_pty\s*$'
 line: 'Defaults use_pty'
- insertafter: 'EOF'
+ insertafter: '^\s*Defaults'
 when:
 - ubtu20cis_rule_4_3_2
 tags:
@@ -35,7 +35,7 @@
 path: /etc/sudoers
 regexp: '^\s*Defaults\s+logfile\s*='
 line: 'Defaults logfile="{{ ubtu20cis_sudo_logfile }}"'
- insertafter: 'EOF'
+ insertafter: '^\s*Defaults'
 when:
 - ubtu20cis_rule_4_3_3
 tags:
@@ -92,6 +92,7 @@
 regexp: '^\s*Defaults\s+timestamp_timeout\s*='
 line: "Defaults timestamp_timeout={{ ubtu20cis_sudo_timestamp_timeout }}"
 validate: '/usr/sbin/visudo -cf %s'
+ insertafter: '^\s*Defaults'
 when: ubtu20cis_4_3_6_timeout_files.stdout | length == 0
 - name: "4.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
diff --git a/tasks/section_5/cis_5.1.2.x.yml b/tasks/section_5/cis_5.1.2.x.yml
index 3b4674ca..c792f67c 100644
--- a/tasks/section_5/cis_5.1.2.x.yml
+++ b/tasks/section_5/cis_5.1.2.x.yml
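Review bot: The new character class `[^\s"]+` stops at a double quote, but the file being edited is a shell fragment and a single-quoted `GRUB_CMDLINE_LINUX='...'` value would still have its closing quote swallowed into the replacement; if that case matters, `'apparmor=[^\s"'']+'` and `'security=[^\s"'']+'` (the doubled `''` is YAML's single-quote escape) cover both quoting styles. The task these `with_items` belong to starts above the hunk, so I cannot see the `path` it targets or confirm the value is always double-quoted there.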
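Review bot: The 4.3.2 and 4.3.3 hunks now insert into /etc/sudoers after the last `Defaults` match, yet only the 4.3.6 hunk shows `validate: '/usr/sbin/visudo -cf %s'` in its context; the module blocks of 4.3.2 and 4.3.3 start above their hunks, so if they do not already carry that same `validate` line it should be added, because a malformed line in /etc/sudoers disables sudo for every user. `insertafter` with a regex anchors on the last match and falls back to EOF when nothing matches, so behaviour on a file with no `Defaults` line is unchanged from the previous `'EOF'`. `^\s*Defaults` also matches the per-user and per-host forms such as `Defaults:` entries; if the intent is to group only with plain `Defaults` lines, `'^\s*Defaults\s'` is tighter.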
@@ -97,7 +97,7 @@
 - { regexp: '^mail.info|^#mail.info', line: 'mail.info -/var/log/mail.info', insertafter: '^# Logging for the mail system' }
 - { regexp: '^mail.warn|^#mail.warn', line: 'mail.warn -/var/log/mail.warn', insertafter: '^# Logging for the mail system.' }
 - { regexp: '^mail.err|^#mail.err', line: 'mail.err /var/log/mail.err', insertafter: '^# Logging for the mail system.' }
- - { regexp: '^cron.\*|^#cron.\*', line: 'cron.\* /var/log/cron', insertafter: '^# First some standard log files' }
+ - { regexp: '^cron.\*|^#cron.\*', line: 'cron.* /var/log/cron', insertafter: '^# First some standard log files' }
 - { regexp: '^\*.=warning;\*.=err|^#\*.=warning;\*.=err', line: '*.=warning;*.=err -/var/log/warn', insertafter: '^# First some standard log files' }
 - { regexp: '^\*.crit|^#\*.crit', line: '*.crit /var/log/warn', insertafter: '^# First some standard log files' }
 - { regexp: '^\*.\*;mail.none;news.none|^#\*.\*;mail.none;news.none', line: '*.*;mail.none;news.none -/var/log/messages', insertafter: '^# First some standard log files' }
diff --git a/tasks/section_5/cis_5.2.3.x.yml b/tasks/section_5/cis_5.2.3.x.yml
index 39075bb3..0291b87e 100644
--- a/tasks/section_5/cis_5.2.3.x.yml
+++ b/tasks/section_5/cis_5.2.3.x.yml
@@ -93,7 +93,7 @@
 - name: "5.2.3.6 | PATCH | Ensure use of privileged commands is collected"
 block:
 - name: "5.2.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs"
- ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
+ ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
 register: priv_procs
 changed_when: false
 check_mode: false
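Review bot: `find $i` leaves the loop variable unquoted in the rewritten shell line, so a mount point containing whitespace or glob characters is split or expanded before `find` sees it; `find "$i" -xdev ...` is the one-word fix, and the inner `$(awk ...)` passed to `-it` can be double-quoted the same way. The `for i in $(...)` already word-splits the `findmnt` output, so this only hardens the second step; if mount points with spaces are a real concern the list would need a `while read -r` loop instead. A `|` block scalar with the `for`, `find` and `done` on separate lines would make the pipeline reviewable in future diffs, and `2>/dev/null` silences every `find` error rather than only permission noise, which deserves a comment.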
diff --git a/tasks/section_5/cis_5.2.4.x.yml b/tasks/section_5/cis_5.2.4.x.yml
index a1fd1d6e..8e7d983e 100644
--- a/tasks/section_5/cis_5.2.4.x.yml
+++ b/tasks/section_5/cis_5.2.4.x.yml
@@ -65,7 +65,7 @@
 ansible.builtin.file:
 path: "{{ item.path }}"
 mode: '0640'
- loop: "{{ auditd_conf_files.files }}"
+ loop: "{{ auditd_conf_files.files|default([])}}"
 loop_control:
 label: "{{ item.path }}"
 when:
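Review bot: `"{{ auditd_conf_files.files|default([])}}"` has no spaces around `|` and none before the closing `}}`; ansible-lint's `jinja[spacing]` rule (the hook this commit bumps to v24.2.1) flags exactly this, so write it `"{{ auditd_conf_files.files | default([]) }}"`. Separately, `mode: '0640'` sets the mode exactly rather than as an upper bound, so a configuration file already at `0600` would be loosened by this task; its `when:` continues past the hunk, so this is only a concern if that condition does not already filter on `item.mode`.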