From 694e291f0b4ef059d7a8d5cb15e78132615de18e Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Mon, 16 Sep 2024 11:55:53 -0400 Subject: [PATCH 1/6] Prelim UAS Check Addition Signed-off-by: Stephen Williams --- tasks/prelim.yml | 51 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 978cb7f..9682347 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -75,6 +75,57 @@ - section1 - always +- name: "PRELIM | Check for UAS running for usb-storage" + block: + - name: "PRELIM | AUDIT | Check if UAS kernel module is running" + ansible.builtin.shell: "lsmod | grep uas" + register: discovered_uas_status + changed_when: false + failed_when: false + ignore_errors: true + + - name: "PRELIM | AUDIT | Find mounted devices" + ansible.builtin.command: lsblk -o NAME,MOUNTPOINT | grep -v '^$' + register: discovered_mounted_devices + changed_when: false + failed_when: false + ignore_errors: true + when: discovered_uas_status.rc == 0 + + - name: "PRELIM | PATCH | Unmount devices" + ansible.builtin.command: + cmd: "umount /dev/{{ item }}" + loop: "{{ discovered_mounted_devices.stdout_lines | map('split', ' ') | map('first') | list }}" + changed_when: false + failed_when: false + ignore_errors: true + when: discovered_uas_status.rc == 0 + + - name: "PRELIM | PATCH | Unload UAS kernel module" + community.general.modprobe: + name: uas + state: absent + when: discovered_uas_status.rc == 0 + + - name: "PRELIM | AUDIT | Verify UAS module is unloaded" + ansible.builtin.shell: "lsmod | grep uas" + changed_when: false + failed_when: false + ignore_errors: true + register: discovered_uas_check + + - name: "PRELIM | AUDIT | Output UAS unload status" + ansible.builtin.debug: + msg: "The UAS module has been successfully unloaded." + when: discovered_uas_check.rc != 0 + when: + - debian11cis_rule_1_1_10 + tags: + - level1-server + - level2-workstation + - patch + - always + - name: "PRELIM | Check for avahi-daemon service" ansible.builtin.shell: "systemctl show avahi-daemon | grep LoadState | cut -d = -f 2" register: avahi_service_status From 10787528d918c09b06a3434792115c6123c0db82 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Tue, 17 Sep 2024 11:01:35 -0400 Subject: [PATCH 2/6] Fixed indentation Signed-off-by: Stephen Williams --- tasks/prelim.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
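Review bot: The `PRELIM | PATCH | Unmount devices` task in this hunk is indiscriminate: it loops over every row lsblk prints (including the `NAME` header and the root disk) and runs `umount /dev/{{ item }}`, so on a host where the pipeline actually executed it would detach data volumes that have nothing to do with UAS, and `failed_when: false` hides every error. As written it probably never gets that far, because `ansible.builtin.command` does not run a shell, so `| grep -v '^$'` is handed to lsblk as arguments and the audit task silently fails. A later patch in this series removes the whole block, which is the right outcome; if an unmount step is ever reinstated it should select devices by transport, e.g. `ansible.builtin.shell: "lsblk -S -o NAME,TRAN | awk '$2==\"usb\"{print $1}'"`, and fail loudly instead of ignoring errors. The `lsmod | grep uas` check is a substring match; `grep -w uas` would avoid false positives.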
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 9682347..d273340 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -103,8 +103,8 @@ - name: "PRELIM | PATCH | Unload UAS kernel module" community.general.modprobe: - name: uas - state: absent + name: uas + state: absent when: discovered_uas_status.rc == 0 - name: "PRELIM | AUDIT | Verify UAS module is unloaded" @@ -116,7 +116,7 @@ - name: "PRELIM | AUDIT | Output UAS unload status" ansible.builtin.debug: - msg: "The UAS module has been successfully unloaded." + msg: "The UAS module has been successfully unloaded." when: discovered_uas_check.rc != 0 when: - debian11cis_rule_1_1_10 From da0b1c938c1230f8070bb50b91d4bbfef7fba3bb Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Fri, 20 Sep 2024 11:40:50 -0400 Subject: [PATCH 3/6] Updated 1.1.10 Logic And Prelim Signed-off-by: Stephen Williams --- defaults/main.yml | 7 +++ tasks/prelim.yml | 92 +++++++++++++++------------------- tasks/section_1/cis_1.1.10.yml | 64 ++++++++++++++++------- 3 files changed, 94 insertions(+), 69 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 700c969..da56799 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -441,6 +441,13 @@ expected_tmp_mnt: fstab # Options are "remove" or "mask" debian11cis_autofs: mask debian11cis_allow_usb_storage: false +# We have found that some systems may have UAS kernel running and if it is +# usb-storage will fail to be removed which is control 1.1.10. By default This +# is set to false. By having this set to false control 1.1.10 will run but if UAS +# Is loaded you will receive a warning message instead of usb-storage being removed +# and the playbook will have to be re-run with this switch set to true. +# Default: false +debian11cis_uas_remove: false # Control 1.3.1 - allow aide to be configured debian11cis_config_aide: true diff --git a/tasks/prelim.yml b/tasks/prelim.yml index d273340..4347f71 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
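Review bot: The comment documenting `debian11cis_uas_remove` in the defaults/main.yml hunk does not say why a loaded `uas` module blocks control 1.1.10, nor what state the host is left in under the default. As far as I can tell the uas driver lists usb-storage as a module dependency, so `modprobe -r usb-storage` fails while uas is loaded; I would state that in one line, e.g. `# uas depends on usb-storage, so usb-storage cannot be unloaded while uas is loaded (often by an attached USB disk).`, and then spell out the consequence of `false`: `# With false, hosts running uas receive only a warning and a warn-count entry for 1.1.10 and remain non-compliant until re-run with true.` Whether the modprobe config for usb-storage is also skipped on such hosts depends on the cis_1.1.10.yml change in this same patch, so the comment should match that behaviour exactly.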
@@ -75,57 +75,6 @@ - section1 - always -- name: "PRELIM | Check for UAS running for usb-storage" - block: - - name: "PRELIM | AUDIT | Check if UAS kernel module is running" - ansible.builtin.shell: "lsmod | grep uas" - register: discovered_uas_status - changed_when: false - failed_when: false - ignore_errors: true - - - name: "PRELIM | AUDIT | Find mounted devices" - ansible.builtin.command: lsblk -o NAME,MOUNTPOINT | grep -v '^$' - register: discovered_mounted_devices - changed_when: false - failed_when: false - ignore_errors: true - when: discovered_uas_status.rc == 0 - - - name: "PRELIM | PATCH | Unmount devices" - ansible.builtin.command: - cmd: "umount /dev/{{ item }}" - loop: "{{ discovered_mounted_devices.stdout_lines | map('split', ' ') | map('first') | list }}" - changed_when: false - failed_when: false - ignore_errors: true - when: discovered_uas_status.rc == 0 - - - name: "PRELIM | PATCH | Unload UAS kernel module" - community.general.modprobe: - name: uas - state: absent - when: discovered_uas_status.rc == 0 - - - name: "PRELIM | AUDIT | Verify UAS module is unloaded" - ansible.builtin.shell: "lsmod | grep uas" - changed_when: false - failed_when: false - ignore_errors: true - register: discovered_uas_check - - - name: "PRELIM | AUDIT | Output UAS unload status" - ansible.builtin.debug: - msg: "The UAS module has been successfully unloaded." - when: discovered_uas_check.rc != 0 - when: - - debian11cis_rule_1_1_10 - tags: - - level1-server - - level2-workstation - - patch - - always - - name: "PRELIM | Check for avahi-daemon service" ansible.builtin.shell: "systemctl show avahi-daemon | grep LoadState | cut -d = -f 2" register: avahi_service_status 
@@ -287,3 +236,44 @@ - debian11cis_ufw_use_sysctl tags: - always + +- name: "Optional | PATCH | Check for UAS running for usb-storage" + block: + - name: "PRELIM | AUDIT | Check if UAS kernel module is running" + ansible.builtin.shell: "lsmod | grep uas" + register: discovered_uas_status + changed_when: false + failed_when: false + ignore_errors: true + block: + - name: "1.1.10 | PATCH | Disable UAS Storage | Set UAS config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/uas.conf + regexp: '^install uas' + line: 'install uas /bin/true' + create: true + + - name: "1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + line: 'blacklist uas' + insertafter: EOF + + - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module" + community.general.modprobe: + name: uas + state: absent + when: + - ansible_connection != 'docker' + notify: Update_Initramfs + when: + - discovered_uas_status.rc == 0 + - not debian11cis_allow_usb_storage + - debian11cis_uas_remove + when: + - debian11cis_rule_1_1_10 + tags: + - level1-server + - level2-workstation + - patch + - always diff --git a/tasks/section_1/cis_1.1.10.yml b/tasks/section_1/cis_1.1.10.yml index b6405c4..661fde9 100644 --- a/tasks/section_1/cis_1.1.10.yml +++ b/tasks/section_1/cis_1.1.10.yml 
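Review bot: `discovered_uas_status` is registered before the `modprobe` task in this hunk unloads `uas`, so every later task in the play that tests `discovered_uas_status.rc` still sees the pre-removal state on the same run, and the 1.1.10 tasks in this patch key off that value — usb-storage is therefore not handled until a second run even with `debian11cis_uas_remove: true`. Add a re-check after the unload, inside the same inner block, e.g. `ansible.builtin.shell: "lsmod | grep -w uas"` with `register: discovered_uas_status`, `changed_when: false`, `failed_when: false`, so downstream conditions see the post-unload state. The first audit's `ignore_errors: true` is redundant with `failed_when: false`, and `grep uas` is a substring match where `grep -w uas` is intended. The `modprobe` task will presumably fail with "module in use" when a UAS disk is currently attached, which aborts the play mid-prelim; consider reporting that case explicitly rather than relying on the generic task failure.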
@@ -2,28 +2,56 @@ - name: "1.1.10 | PATCH | Disable USB Storage" block: - - name: "1.1.10 | PATCH | Disable USB Storage | Set modprobe config" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/usb_storage.conf - regexp: '^install usb-storage' - line: 'install usb-storage /bin/true' - create: true + - block: + - name: "1.1.10 | PATCH | Disable USB Storage | Set modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/usb_storage.conf + regexp: '^install usb-storage' + line: 'install usb-storage /bin/true' + create: true - - name: "1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - line: 'blacklist usb-storage' - insertafter: EOF + - name: "1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + line: 'blacklist usb-storage' + insertafter: EOF - - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module" - community.general.modprobe: - name: usb-storage - state: absent - when: ansible_connection != 'docker' - notify: Update_Initramfs + - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module" + community.general.modprobe: + name: usb-storage + state: absent + when: ansible_connection != 'docker' + when: + - debian11cis_rule_1_1_10 + - not debian11cis_allow_usb_storage + - discovered_uas_status.rc != 0 + notify: Update_Initramfs + + - name: "1.1.10 | AUDIT | Disable USB Storage | Warning Message" + ansible.builtin.debug: + msg: + - "Warning!! USB Attached SCSI (UAS) support is still detected." + - "Removing UAS may cause performance issues or prevent certain USB devices from functioning correctly." + - "UAS provides higher speeds and better I/O performance compared to traditional USB mass storage" + - "Ensure that this action is intentional and consider testing on non-critical systems before applying in production." 
+ - "Please review your setting for variable debian11cis_uas_remove and make sure it is set to true" + - "And rerun the Ansible playbook to properly remove usb_storage." + when: + - debian11cis_rule_1_1_10 + - not debian11cis_allow_usb_storage + - discovered_uas_status.rc == 0 + + - name: "1.1.10 | WARN | Disable USB Storage | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '1.1.10' + when: + - debian11cis_rule_1_1_10 + - not debian11cis_allow_usb_storage + - discovered_uas_status.rc == 0 when: - debian11cis_rule_1_1_10 - - not debian11cis_allow_usb_storage tags: - level1-server - level2-workstation From 5684a7f486572ef143ecebba38fed68d563cab44 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Fri, 20 Sep 2024 12:43:24 -0400 Subject: [PATCH 4/6] Fix Name Lines In Prelim Signed-off-by: Stephen Williams --- tasks/prelim.yml | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 4347f71..37c9a1f 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
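Review bot: The warning in this hunk tells the operator to set `debian11cis_uas_remove` to true and re-run, but its `when` list never checks that variable, so it fires verbatim on the very run where the switch is already true and the prelim has just unloaded uas; the removal block is skipped on that run too, because `discovered_uas_status.rc` was registered before the unload. Add `- not debian11cis_uas_remove` to the conditions of both the warning and the `Warn Count` task (or refresh the registered fact after the unload in prelim), and merge the split sentence into one item: `- "Set debian11cis_uas_remove to true and rerun the playbook to remove usb-storage."` The outer block's `when` dropped `not debian11cis_allow_usb_storage`, so each inner task now repeats it; that is correct but easy to miss on the next edit. The enclosing block's `tags` continue past this hunk.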
@@ -239,32 +239,32 @@ - name: "Optional | PATCH | Check for UAS running for usb-storage" block: - - name: "PRELIM | AUDIT | Check if UAS kernel module is running" + - name: "Optional | AUDIT | Check if UAS kernel module is running" ansible.builtin.shell: "lsmod | grep uas" register: discovered_uas_status changed_when: false failed_when: false ignore_errors: true - block: - - name: "1.1.10 | PATCH | Disable UAS Storage | Set UAS config" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/uas.conf - regexp: '^install uas' - line: 'install uas /bin/true' - create: true + - block: + - name: "Optional | PATCH | Set UAS config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/uas.conf + regexp: '^install uas' + line: 'install uas /bin/true' + create: true - - name: "1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - line: 'blacklist uas' - insertafter: EOF + - name: "Optional | PATCH | Blacklist usb-storage" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + line: 'blacklist uas' + insertafter: EOF - - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module" - community.general.modprobe: - name: uas - state: absent - when: - - ansible_connection != 'docker' + - name: "Optional | PATCH | Remove usb-storage module" + community.general.modprobe: + name: uas + state: absent + when: + - ansible_connection != 'docker' notify: Update_Initramfs when: - discovered_uas_status.rc == 0 From 47a41ad22ed4074a940515233abc22edc0a093f3 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Mon, 23 Sep 2024 08:48:22 -0400 Subject: [PATCH 5/6] Fix Linting Signed-off-by: Stephen Williams --- tasks/prelim.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 37c9a1f..9114575 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
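Review bot: After this rename the second and third tasks are still titled `Blacklist usb-storage` and `Remove usb-storage module` while their bodies act on `uas` (`line: 'blacklist uas'`, `name: uas`), so play output and callbacks will report usb-storage as handled when only UAS was touched; anyone auditing 1.1.10 from logs would be misled. Rename them `Optional | PATCH | Blacklist uas` and `Optional | PATCH | Unload uas module`. The first task's `ignore_errors: true` remains redundant alongside `failed_when: false`.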
@@ -246,25 +246,25 @@ failed_when: false ignore_errors: true - block: - - name: "Optional | PATCH | Set UAS config" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/uas.conf - regexp: '^install uas' - line: 'install uas /bin/true' - create: true + - name: "Optional | PATCH | Set UAS config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/uas.conf + regexp: '^install uas' + line: 'install uas /bin/true' + create: true - - name: "Optional | PATCH | Blacklist usb-storage" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - line: 'blacklist uas' - insertafter: EOF + - name: "Optional | PATCH | Blacklist usb-storage" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + line: 'blacklist uas' + insertafter: EOF - - name: "Optional | PATCH | Remove usb-storage module" - community.general.modprobe: - name: uas - state: absent - when: - - ansible_connection != 'docker' + - name: "Optional | PATCH | Remove usb-storage module" + community.general.modprobe: + name: uas + state: absent + when: + - ansible_connection != 'docker' notify: Update_Initramfs when: - discovered_uas_status.rc == 0 From ae4fa91548601d4f790da60ff884d426339bedac Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Thu, 26 Sep 2024 15:49:54 -0400 Subject: [PATCH 6/6] Fixed Mode Per CIS v1.0.0 Signed-off-by: Stephen Williams --- tasks/section_6/cis_6.1.x.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 60bdde7..64c8377 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -65,7 +65,7 @@ path: /etc/shadow owner: root group: root - mode: 0000 + mode: 0640 when: - debian11cis_rule_6_1_5 tags: @@ -80,7 +80,7 @@ path: /etc/shadow- owner: root group: root - mode: 0000 + mode: 0640 when: - debian11cis_rule_6_1_6 tags: @@ -95,7 +95,7 @@ path: /etc/gshadow owner: root group: root - mode: 0000 + mode: 0640 when: - debian11cis_rule_6_1_7 tags: 
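Review bot: The `mode: 0640` values added in the three cis_6.1.x.yml hunks here are unquoted octal literals; PyYAML reads `0640` as integer 416 because of the leading zero, which Ansible's file module happens to apply as 0o640, but ansible-lint flags this (risky-octal) and the same pattern silently breaks for values without a leading zero, so write them as strings: `mode: "0640"`. The context lines also keep `group: root` on /etc/shadow, /etc/shadow- and /etc/gshadow; on Debian these files are installed with group `shadow`, and setgid-shadow helpers such as unix_chkpwd depend on group read access, so 0640 with group root grants those helpers nothing that 0000 did not. If restoring that access is the reason for moving off 0000, the group likely needs to be `shadow` — my recollection is that the benchmark accepts root or shadow, but verify against the v1.0.0 text before changing. The tasks/prelim.yml lint hunk is whitespace only.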
@@ -110,7 +110,7 @@ path: /etc/gshadow- owner: root group: root - mode: 0000 + mode: 0640 when: - debian11cis_rule_6_1_8 tags:
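Review bot: `mode: 0640` for /etc/gshadow- in this hunk is an unquoted octal that only works because PyYAML parses the leading zero as base-8; quote it, `mode: "0640"`, to match Ansible's documented convention and keep ansible-lint clean. As with the other three files in this patch, the context line keeps `group: root`, so the relaxed mode changes nothing for the `shadow` group that Debian installs these files with — if that is unintended, `group: shadow` is the line to revisit, after confirming what the benchmark permits. The task's `when` and `tags` continue past this hunk.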