From cf4f10aa3e3ba07584378da0c870675eea859626 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 19 Mar 2024 16:55:08 +0000
Subject: [PATCH 1/5] removed warn: false
Signed-off-by: Mark Bolwell
---
 handlers/main.yml | 9 +--------
 tasks/post_remediation_audit.yml | 2 --
 tasks/pre_remediation_audit.yml | 2 --
 tasks/section_1/cis_1.1.x.yml | 6 ++----
 tasks/section_1/cis_1.2.x.yml | 2 --
 tasks/section_3/cis_3.1.x.yml | 2 --
 tasks/section_6/cis_6.2.x.yml | 2 --
 7 files changed, 3 insertions(+), 22 deletions(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index bfc6e4a..ae1291a 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -10,18 +10,13 @@
 - name: remount dev_shm
 command: mount -o remount /dev/shm
- args:
- warn: false
 - name: remount var_tmp
 command: mount -o remount /var/tmp
- args:
- warn: false
 - name: remount home
 command: mount -o remount /home
- args:
- warn: false
+
 - name: systemd daemon reload
 systemd:
 daemon_reload: true
@@ -61,8 +56,6 @@
 command: /sbin/service auditd restart
 check_mode: false
 failed_when: false
- args:
- warn: false
 when:
 - not amazon2cis_skip_for_travis
 tags:
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
index cff4432..fd1e9ec 100644
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@@ -3,8 +3,6 @@
 - name: "Post Audit | Run post_remediation {{ benchmark }} audit"
 shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
 changed_when: true
- vars:
- warn: false
 - name: Post Audit | ensure audit files readable by users
 file:
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index 3e0c4a6..53e66f8 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
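Review bot: `failed_when: false` on the `/sbin/service auditd restart` command leaves a failed auditd restart silent, and since this handler is presumably notified after audit rules are changed, a restart that did not happen means the updated rules may not be loaded; registering the result and adding `failed_when: auditd_restart.rc != 0` (or at least a debug warning on a non-zero rc) keeps that gap visible. `check_mode: false` runs the restart even in a check-mode play, which is presumably deliberate for this handler, but a one-line comment above it stating why would help the next reader. The handler's `name:` line is outside the hunk.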
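Review bot: The `shell:` line interpolates `audit_conf_dir`, `audit_vars_path` and `post_audit_outfile` into the command unquoted, so a value containing whitespace or a shell metacharacter breaks the command or is interpreted by the shell; passing each through the `quote` filter, e.g. `{{ audit_conf_dir | quote }}/run_audit.sh -v {{ audit_vars_path | quote }} -o {{ post_audit_outfile | quote }}`, keeps each value a single argument. `group_names` is a list, and rendered inside a string it appears in its list form rather than as separate words, so whether run_audit.sh parses `-g` as intended is worth checking; if it expects a comma-separated value, `{{ group_names | join(',') | quote }}` is the shape to use. The same applies to the pre_remediation_audit.yml hunk.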
@@ -79,8 +79,6 @@
 - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit"
 shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
 changed_when: true
- vars:
- warn: false
 - name: Pre Audit | Capture audit data if json format
 block:
diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml
index 1f5bb8b..ac70338 100644
--- a/tasks/section_1/cis_1.1.x.yml
+++ b/tasks/section_1/cis_1.1.x.yml
@@ -153,7 +153,7 @@
 - name: "1.1.15 | PATCH | Ensure separate partition exists for /var/log | Message if present"
 debug:
- msg: "Congradulations: /var/log is on a seperate partition"
+ msg: "Congratulations: /var/log is on a seperate partition"
 when: "'/var/log' in mount_names"
 when:
 - amazon2cis_rule_1_1_15
@@ -173,7 +173,7 @@
 - name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Message if present"
 debug:
- msg: "Congradulations: /var/log/audit is on a seperate partition"
+ msg: "Congratulations: /var/log/audit is on a seperate partition"
 when: "'/var/log/audit' in mount_names"
 when:
 - amazon2cis_rule_1_1_16
@@ -250,8 +250,6 @@
 shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
 changed_when: false
 failed_when: false
- args:
- warn: false
 when:
 - amazon2cis_rule_1_1_22
 tags:
diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml
index ef6c99a..f555f4a 100644
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@@ -19,8 +19,6 @@
 command: yum repolist
 changed_when: false
 register: amazon2cis_1_2_2_repolist
- args:
- warn: false
 - name: "AUDIT| 1.2.2 | AUDIT | Ensure package manager repositories are configured | Show repo list"
 debug:
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
index 3c17f66..7bafafe 100644
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
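Review bot: The replacement message still misspells `seperate`; `msg: "Congratulations: /var/log is on a separate partition"` fixes both words at once. The same applies to the 1.1.16 message in the next hunk of this file and to the 1.1.10, 1.1.11 and 1.1.17 messages changed in patch 2/5. On the context line the debug-only task is labelled `1.1.15 | PATCH` while its 1.1.16 twin says `AUDIT`; aligning the label keeps the naming convention consistent.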
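Review bot: The 1.1.22 task applies `chmod a+t` through a shell pipeline but declares `changed_when: false` and `failed_when: false`, so a run that does set sticky bits is reported as unchanged and a failure anywhere in the pipeline (with `2>/dev/null` also discarding the error text) is invisible in the play output. Registering the result, e.g. `register: amazon2cis_1_1_22_sticky` with `failed_when: amazon2cis_1_1_22_sticky.rc != 0`, would surface failures, and dropping `changed_when: false` or deriving it from a prior `find` would report the change honestly. The task's `name:` and `tags:` lie outside the hunk.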
@@ -28,8 +28,6 @@
 failed_when: false
 check_mode: false
 register: amazon2_3_1_2_nmcli_available
- args:
- warn: false
 - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
 command: nmcli radio wifi
diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
index 1a8b844..0bbb680 100644
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@@ -7,8 +7,6 @@
 changed_when: false
 failed_when: false
 register: amazon2_6_2_1_shadow
- args:
- warn: false
 - name: "6.2.1 | PATCH | Ensure accounts in /etc/passwd use shadow passwords | Good News"
 debug:
From 3961233fdb7cc81029f5a5d08e538751e610122e Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 19 Mar 2024 16:58:31 +0000
Subject: [PATCH 2/5] fix typos
Signed-off-by: Mark Bolwell
---
 tasks/section_1/cis_1.1.x.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml
index ac70338..2f1df07 100644
--- a/tasks/section_1/cis_1.1.x.yml
+++ b/tasks/section_1/cis_1.1.x.yml
@@ -82,7 +82,7 @@
 - name: "1.1.10 | AUDIT | Ensure separate partition exists for /var | Message if present"
 debug:
- msg: "Congradulations: /var is on a seperate partition"
+ msg: "Congratulations: /var is on a seperate partition"
 when: "'/var' in mount_names"
 when:
 - amazon2cis_rule_1_1_10
@@ -102,7 +102,7 @@
 - name: "1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Message if present"
 debug:
- msg: "Congradulations: /var/tmp is on a seperate partition"
+ msg: "Congratulations: /var/tmp is on a seperate partition"
 when: "'/var/tmp' in mount_names"
 when:
 - amazon2cis_rule_1_1_11
@@ -193,7 +193,7 @@
 - name: "1.1.17 | AUDIT | Ensure separate partition exists for /home | Message if present"
 debug:
- msg: "Congradulations: /home is on a seperate partition"
+ msg: "Congratulations: /home is on a seperate partition"
 when: "'/home' in mount_names"
 when:
 - amazon2cis_rule_1_1_17
From 7af0b011c418535d89bd6e11f02e7db5b068224c Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 20 Mar 2024 09:31:39 +0000
Subject: [PATCH 3/5] addressed #21
Signed-off-by: Mark Bolwell
---
 tasks/section_1/cis_1.1.x.yml | 76 ++++++++++++++++-------
 templates/etc/systemd/system/tmp.mount.j2 | 22 +++++++
 2 files changed, 76 insertions(+), 22 deletions(-)
 create mode 100644 templates/etc/systemd/system/tmp.mount.j2
diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml
index 2f1df07..c19074e 100644
--- a/tasks/section_1/cis_1.1.x.yml
+++ b/tasks/section_1/cis_1.1.x.yml
@@ -1,51 +1,83 @@
 ---
-- name: "1.1.2 | PATCH | Ensure /tmp is configured"
- systemd:
- name: tmp.mount
- daemon_reload: true
- enabled: true
- masked: false
- state: started
+- name: "1.1.2 | AUDIT | Ensure /tmp is configured"
+ block:
+ - name: "1.1.2 | AUDIT | Ensure /tmp is configured"
+ ansible.builtin.shell: findmnt -n /tmp
+ changed_when: false
+ failed_when: false
+ register: amazon2_tmp_exists
+
+ - name: "1.1.2 | WARN | Ensure /tmp is configured | Absent"
+ ansible.builtin.debug:
+ msg: "Warning!! /tmp is configured to use fstab but does not exist"
+ when: amazon2_tmp_exists.stdout | length > 0
 when:
- - amazon2cis_tmp_svc
 - amazon2cis_rule_1_1_2
+ - not amazon2cis_tmp_svc
 tags:
- - level1
+ - level1-server
+ - level1-workstation
 - automated
- - patch
- - rule_1.1.2
+ - audit
 - mounts
+ - rule_1.1.2
 - name: |
- "1.1.3 | PATCH | Ensure noexec option set on /tmp partition
- 1.1.4 | PATCH | Ensure nodev option set on /tmp partition
- 1.1.5 | PATCH | Ensure nosuid option set on /tmp partition"
- mount:
+ "1.1.3 | PATCH | Ensure noexec option set on /tmp partition"
+ "1.1.4 | PATCH | Ensure nodev option set on /tmp partition"
+ "1.1.5 | PATCH | Ensure nosuid option set on /tmp partition"
+ ansible.posix.mount:
 name: /tmp
 src: "{{ item.device }}"
 fstype: "{{ item.fstype }}"
 state: present
- opts: defaults,{% if amazon2cis_rule_1_1_4 %}nodev,{% endif %}{% if amazon2cis_rule_1_1_3 %}noexec,{% endif %}{% if amazon2cis_rule_1_1_5 %}nosuid{% endif %}
- notify: systemd restart tmp.mount
- with_items:
- - "{{ ansible_mounts }}"
+ opts: defaults,{% if amazon2cis_rule_1_1_3 %}noexec,{% endif %}{% if amazon2cis_rule_1_1_4 %}nodev,{% endif %}{% if amazon2cis_rule_1_1_5 %}nosuid{% endif %}
+ notify: Remount_tmp
+ loop: "{{ ansible_facts.mounts }}"
 loop_control:
 label: "{{ item.device }}"
 when:
 - item.mount == "/tmp"
- - amazon2cis_tmp_svc
+ - not amazon2cis_tmp_svc
+ - amazon2_tmp_exists.stdout | length > 0
 - amazon2cis_rule_1_1_3 or
 amazon2cis_rule_1_1_4 or
amazon2cis_rule_1_1_5
 tags:
- - level1
+ - level1-server
+ - level1-workstation
 - automated
 - patch
+ - mounts
+
+- name: |
+ "1.1.2 | PATCH | Ensure /tmp is configured"
+ "1.1.3 | PATCH | Ensure noexec option set on /tmp partition"
+ "1.1.4 | PATCH | Ensure nodev option set on /tmp partition"
+ "1.1.5 | PATCH | Ensure nosuid option set on /tmp partition"
+ notify: systemd restart tmp.mount
+ ansible.builtin.template:
+ src: etc/systemd/system/tmp.mount.j2
+ dest: /etc/systemd/system/tmp.mount
+ owner: root
+ group: root
+ mode: '0644'
+ when:
+ - amazon2cis_tmp_svc
+ - amazon2cis_rule_1_1_2 or
+ amazon2cis_rule_1_1_3 or
+ amazon2cis_rule_1_1_4 or
+ amazon2cis_rule_1_1_5
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - mounts
+ - rule_1.1.2
 - rule_1.1.3
 - rule_1.1.4
 - rule_1.1.5
- - mounts
 - name: |
 "1.1.6 | PATCH | Ensure /dev/shm is configured
diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2
new file mode 100644
index 0000000..1200d47
--- /dev/null
+++ b/templates/etc/systemd/system/tmp.mount.j2
@@ -0,0 +1,22 @@
+## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
+
+
+[Unit]
+Description=Temporary Directory (/tmp)
+Documentation=man:hier(7)
+Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+ConditionPathIsSymbolicLink=!/tmp
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=swap.target
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=mode=1777,strictatime,{% if amazon2cis_rule_1_1_3 %}noexec,{% endif %}{% if amazon2cis_rule_1_1_4 %}nodev,{% endif %}{% if amazon2cis_rule_1_1_5 %}nosuid{% endif %}
+
+# Make 'systemctl enable tmp.mount' work:
+[Install]
+WantedBy=local-fs.target
From 6e3449fcf6ed178df15b86ea80a09ba3cd400f88 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 20 Mar 2024 09:57:41 +0000
Subject: [PATCH 4/5] updated 1.1.2 logic
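Review bot: The `ansible.posix.mount` task's new condition `- amazon2_tmp_exists.stdout | length > 0` references a variable that is only registered inside the 1.1.2 block, so a run with `amazon2cis_rule_1_1_2` disabled, `amazon2cis_tmp_svc` false and /tmp mounted fails on an undefined variable as soon as one of 1.1.3–1.1.5 is enabled; `- amazon2_tmp_exists.stdout | default('') | length > 0` (or a preceding `- amazon2_tmp_exists is defined`) avoids that. Because the findmnt task sets `failed_when: false`, an empty stdout also results when findmnt itself is missing or errors, which then silently skips the mount-option hardening rather than reporting it, so checking `amazon2_tmp_exists.rc` as well would be safer. `findmnt -n /tmp` uses no shell features, so `ansible.builtin.command` gives the same result without a shell. The removed 1.1.2 task also enabled and unmasked tmp.mount; whether the `systemd restart tmp.mount` handler that the new template task notifies (not in this diff) does that too is worth confirming, since otherwise the unit would not come up at boot.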
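Review bot: `Options=` in tmp.mount.j2 ends in a comma whenever the last enabled rule is not 1.1.5 (e.g. `strictatime,noexec,` with only 1.1.3 on, or `strictatime,` with all three off); moving the comma inside each conditional, `Options=mode=1777,strictatime{% if amazon2cis_rule_1_1_3 %},noexec{% endif %}{% if amazon2cis_rule_1_1_4 %},nodev{% endif %}{% if amazon2cis_rule_1_1_5 %},nosuid{% endif %}`, renders cleanly for every combination, and the `opts:` line of the ansible.posix.mount task uses the same pattern. Whether systemd tolerates the empty trailing option is not established here, so it is better not to rely on it. No `size=` is set, so the tmpfs takes the kernel default of half of physical RAM; a role variable for the cap would let operators bound how much memory writes to /tmp can consume. The header comment should read `YOUR CHANGES WILL BE LOST`.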
Signed-off-by: Mark Bolwell
---
 tasks/section_1/cis_1.1.x.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml
index c19074e..978e413 100644
--- a/tasks/section_1/cis_1.1.x.yml
+++ b/tasks/section_1/cis_1.1.x.yml
@@ -11,7 +11,8 @@
 - name: "1.1.2 | WARN | Ensure /tmp is configured | Absent"
 ansible.builtin.debug:
 msg: "Warning!! /tmp is configured to use fstab but does not exist"
- when: amazon2_tmp_exists.stdout | length > 0
+ changed_when: true
+ when: amazon2_tmp_exists.stdout | length == 0
 when:
 - amazon2cis_rule_1_1_2
 - not amazon2cis_tmp_svc
From 8f5088f5a20f28b912cdd1c34663540822efec72 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 20 Mar 2024 13:10:53 +0000
Subject: [PATCH 5/5] updated handler
Signed-off-by: Mark Bolwell
---
 handlers/main.yml | 3 +++
 tasks/section_1/cis_1.1.x.yml | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index ae1291a..f8c71c6 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -8,6 +8,9 @@
 masked: false
 state: reloaded
+- name: remount tmp
+ command: mount -o remount /tmp
+
 - name: remount dev_shm
 command: mount -o remount /dev/shm
diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml
index 978e413..f269d46 100644
--- a/tasks/section_1/cis_1.1.x.yml
+++ b/tasks/section_1/cis_1.1.x.yml
@@ -34,7 +34,7 @@
 fstype: "{{ item.fstype }}"
 state: present
 opts: defaults,{% if amazon2cis_rule_1_1_3 %}noexec,{% endif %}{% if amazon2cis_rule_1_1_4 %}nodev,{% endif %}{% if amazon2cis_rule_1_1_5 %}nosuid{% endif %}
- notify: Remount_tmp
+ notify: remount tmp
 loop: "{{ ansible_facts.mounts }}"
 loop_control:
 label: "{{ item.device }}"
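Review bot: The message `"Warning!! /tmp is configured to use fstab but does not exist"` does not describe what the corrected condition detects: an empty `findmnt -n /tmp` result means /tmp is not a separate mount point (the directory itself exists), and that is exactly the case in which the 1.1.3–1.1.5 `ansible.posix.mount` task is skipped. Something like `msg: "Warning!! /tmp is not a separate mount point; mount options for 1.1.3-1.1.5 will not be applied"` tells the operator what to remediate. The `changed_when: true` on a debug task makes the warning count as a change in the recap, which is presumably intended to make it visible. The enclosing 1.1.2 block starts outside the hunk.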