From fe75576dbf84e645f2d9699c2935738825199cac Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 20 Sep 2023 17:19:11 +0100
Subject: [PATCH 01/10] updated

Signed-off-by: Mark Bolwell
---
 .config/.secrets.baseline | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline
index a88642e..2209add 100644
--- a/.config/.secrets.baseline
+++ b/.config/.secrets.baseline
@@ -109,20 +109,11 @@
 {
 "path": "detect_secrets.filters.regex.should_exclude_file",
 "pattern": [
- ".config/.gitleaks-report.json"
+ ".config/.gitleaks-report.json",
+ "tasks/parse_etc_password.yml"
 ]
 }
 ],
- "results": {
- "tasks/parse_etc_password.yml": [
- {
- "type": "Secret Keyword",
- "filename": "tasks/parse_etc_password.yml",
- "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
- "is_verified": false,
- "line_number": 18
- }
- ]
- },
- "generated_at": "2023-09-15T15:29:37Z"
+ "results": {},
+ "generated_at": "2023-09-20T16:18:57Z"
 }

From ad784e8fc843dd2bb5d9514ff6e4ac0e0487afbb Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 20 Sep 2023 17:20:21 +0100
Subject: [PATCH 02/10] removed files not required

Signed-off-by: Mark Bolwell
---
 files/etc/apparmor.d/usr.bin.ssh | 10 ----------
 tests/inventory | 2 --
 tests/test.yml | 7 -------
 3 files changed, 19 deletions(-)
 delete mode 100644 files/etc/apparmor.d/usr.bin.ssh
 delete mode 100644 tests/inventory
 delete mode 100644 tests/test.yml

diff --git a/files/etc/apparmor.d/usr.bin.ssh b/files/etc/apparmor.d/usr.bin.ssh
deleted file mode 100644
index 380a218..0000000
--- a/files/etc/apparmor.d/usr.bin.ssh
+++ /dev/null
@@ -1,10 +0,0 @@
-# Last Modified: Mon Aug 24 20:03:44 2020
-#include
-
-/usr/bin/ssh {
- #include
-
- /lib/x86_64-linux-gnu/ld-*.so mr,
- /usr/bin/ssh mr,
-
-}
\ No newline at end of file
diff --git a/tests/inventory b/tests/inventory
deleted file mode 100644
index 878877b..0000000
--- a/tests/inventory
+++ /dev/null
@@ -1,2 +0,0 @@
-localhost
-
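Review bot: Adding `tasks/parse_etc_password.yml` to the `should_exclude_file` pattern list (the two `+` lines at the top of the hunk) switches detect-secrets off for that whole file, so a real credential committed there later would never be reported; the entry it replaces was a single unverified `Secret Keyword` hit on line 18 with no `is_secret` verdict recorded. The narrower fix is to keep the file scanned and mark that one hit as a false positive — run `detect-secrets audit .config/.secrets.baseline` so the result carries `"is_secret": false`, or put `# pragma: allowlist secret` on the flagged line — and reserve the exclude list for files that are themselves scan output, like the gitleaks report already there. Note too that `pattern` entries are regexes, so the unescaped dots make this match slightly more than the literal path; harmless here, but `tasks/parse_etc_password\\.yml` is the precise form. Whether the line-18 hit was a genuine false positive is not visible from this diff, so confirm before allowlisting it.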
diff --git a/tests/test.yml b/tests/test.yml deleted file mode 100644 index a397b04..0000000 --- a/tests/test.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -- hosts: localhost - - remote_user: root - roles: - - UBUNTU18-CIS From e1499b9c0fcf5ac52ebf4993c95e0ee1ff7cfa1f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 20 Sep 2023 17:20:59 +0100 Subject: [PATCH 03/10] remove file not needed Signed-off-by: Mark Bolwell --- library/goss.py | 147 ------------------------------------------------ 1 file changed, 147 deletions(-) delete mode 100644 library/goss.py diff --git a/library/goss.py b/library/goss.py deleted file mode 100644 index d4dfbc7..0000000 --- a/library/goss.py +++ /dev/null 
@@ -1,147 +0,0 @@ -#!/usr/bin/env python -# FROM: https://github.com/indusbox/goss-ansible -import os -from ansible.module_utils.basic import * - -DOCUMENTATION = ''' ---- -module: goss -author: Mathieu Corbin -short_description: Launch goss (https://github.com/aelsabbahy/goss) tests -description: - - Launch goss tests. - This module always returns `changed = false` for idempotence. -options: - path: - required: true - description: - - Test file to validate. - The test file must be on the remote machine. - goss_path: - required: false - description: - - Path location for the goss executable. - Default is "goss" (ie.`no absolute path, goss executable must be available in $PATH). - vars_path: - required: false - description: - - Path location for a variables YAML/JSON file to use as templating inputs. - format: - required: false - description: - - Output goss format. - Goss format list : goss v --format => [documentation json junit nagios nagios_verbose rspecish tap silent]. - Default is "rspecish". 
- output_file: - required: false - description: - - Save the result of the goss command in a file whose path is output_file -examples: - - name: run goss against the gossfile /path/to/file.yml - goss: - path: "/path/to/file.yml" - - name: run goss against the gossfile /path/to/file.yml with nagios output - goss: - path: "/path/to/file.yml" - format: "nagios" - - name: run /usr/local/bin/goss against the gossfile /path/to/file.yml - goss: - path: "/path/to/file.yml" - goss_path: "/usr/local/bin/goss" - - name: run /usr/local/bin/goss with a variables file - goss: - vars_path: "/path/to/file.yml" - - name: run goss against multiple gossfiles and write the result in JSON format to /my/output/ for each file - goss: - path: "{{ item }}" - format: json - output_file : /my/output/{{ item }} - with_items: "{{ goss_files }}" -''' - - -# launch goss validate command on the file -def check(module, test_file_path, output_format, goss_path, vars_path): - cmd = "{0} --gossfile {1}".format(goss_path, test_file_path) - # goss parent command flags - if vars_path is not None: - cmd += " --vars {0}".format(vars_path) - - # validate sub-command flags - cmd += " validate" - if output_format is not None: - cmd += " --format {0}".format(output_format) - - return module.run_command(cmd) - - -# write goss result to output_file_path -def output_file(output_file_path, out): - if output_file_path is not None: - with open(output_file_path, 'w') as output_file: - output_file.write(out) - - -def main(): - module = AnsibleModule( - argument_spec=dict( - path=dict(required=True, type='str'), - format=dict(required=False, type='str'), - output_file=dict(required=False, type='str'), - vars_path=dict(required=False, type='str'), - goss_path=dict(required=False, default='goss', type='str'), - ), - supports_check_mode=False - ) - - test_file_path = module.params['path'] # test file path - output_format = module.params['format'] # goss output format - output_file_path = module.params['output_file'] - 
goss_path = module.params['goss_path'] - vars_path = module.params['vars_path'] - - if test_file_path is None: - module.fail_json(msg="test file path is null") - - test_file_path = os.path.expanduser(test_file_path) - - # test if access to test file is ok - if not os.access(test_file_path, os.R_OK): - module.fail_json(msg="Test file %s not readable" % (test_file_path)) - - # test if test file is not a dir - if os.path.isdir(test_file_path): - module.fail_json(msg="Test file must be a file ! : %s" % (test_file_path)) - - (rc, out, err) = check(module, test_file_path, output_format, goss_path, vars_path) - - if output_file_path is not None: - output_file_path = os.path.expanduser(output_file_path) - # check if output_file is a file - if output_file_path.endswith(os.sep): - module.fail_json(msg="output_file must be a file. Actually : %s " - % (output_file_path)) - - output_dirname = os.path.dirname(output_file_path) - - # check if output directory exists - if not os.path.exists(output_dirname): - module.fail_json(msg="directory %s does not exists" % (output_dirname)) - - # check if writable - if not os.access(os.path.dirname(output_file_path), os.W_OK): - module.fail_json(msg="Destination %s not writable" % (os.path.dirname(output_file_path))) - # write goss result on the output file - output_file(output_file_path, out) - - if rc is not None and rc != 0: - error_msg = "err : {0} ; out : {1}".format(err, out) - module.fail_json(msg=error_msg) - - result = {} - result['stdout'] = out - result['changed'] = False - - module.exit_json(**result) - -main() \ No newline at end of file From 734fb813fd43204fcd1911b2a14d02f2885d6d2e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 20 Sep 2023 17:21:16 +0100 Subject: [PATCH 04/10] linting and spacing 
Signed-off-by: Mark Bolwell --- .gitattributes | 2 +- .github/workflows/github_vars.tfvars | 2 +- templates/ansible_vars_goss.yml.j2 | 2 +- templates/audit/ubtu18cis_4_1_10_access.rules.j2 | 1 - templates/audit/ubtu18cis_4_1_11_privileged.rules.j2 | 3 +-- templates/audit/ubtu18cis_4_1_12_audit.rules.j2 | 1 - templates/audit/ubtu18cis_4_1_13_delete.rules.j2 | 1 - templates/audit/ubtu18cis_4_1_14_scope.rules.j2 | 1 - templates/audit/ubtu18cis_4_1_15_actions.rules.j2 | 1 - templates/audit/ubtu18cis_4_1_16_modules.rules.j2 | 1 - templates/audit/ubtu18cis_4_1_17_99finalize.rules.j2 | 1 - templates/audit/ubtu18cis_4_1_3_timechange.rules.j2 | 1 - templates/audit/ubtu18cis_4_1_4_identity.rules.j2 | 1 - templates/audit/ubtu18cis_4_1_5_systemlocale.rules.j2 | 1 - templates/audit/ubtu18cis_4_1_6_macpolicy.rules.j2 | 1 - templates/audit/ubtu18cis_4_1_7_logins.rules.j2 | 1 - templates/audit/ubtu18cis_4_1_8_session.rules.j2 | 1 - templates/audit/ubtu18cis_4_1_9_permmod.rules.j2 | 1 - templates/ntp.conf.j2 | 2 +- templates/ubtu18cis_4_1_3_timechange64.rules.j2 | 2 +- 20 files changed, 6 insertions(+), 21 deletions(-) diff --git a/.gitattributes b/.gitattributes index 9a24540..b2daffb 100644 --- a/.gitattributes +++ b/.gitattributes @@ -3,4 +3,4 @@ *.yml linguist-detectable=true *.ps1 linguist-detectable=true *.j2 linguist-detectable=true -*.md linguist-documentation \ No newline at end of file +*.md linguist-documentation diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index b79af63..67d1252 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars @@ -1,7 +1,7 @@ // github_actions variables // Resourced in github_networks.tf // Declared in variables.tf -// +// namespace = "Ansible_Lockdown_GH_PR_Actions" environment = "Ansible_Lockdown_GH_PR_Pipeline" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 64f2f0b..15730ee 100644 --- a/templates/ansible_vars_goss.yml.j2 
+++ b/templates/ansible_vars_goss.yml.j2 @@ -1,7 +1,7 @@ ## metadata for Audit benchmark benchmark_version: '2.1.0' -# Some audit tests may need to scan every filesystem or have an impact on a system +# Some audit tests may need to scan every filesystem or have an impact on a system # these may need be scheduled to minimise impact also ability to set a timeout if taking too long run_heavy_tests: {{ audit_run_heavy_tests }} timeout_ms: {{ audit_cmd_timeout }} diff --git a/templates/audit/ubtu18cis_4_1_10_access.rules.j2 b/templates/audit/ubtu18cis_4_1_10_access.rules.j2 index 880c77f..17635e1 100644 --- a/templates/audit/ubtu18cis_4_1_10_access.rules.j2 +++ b/templates/audit/ubtu18cis_4_1_10_access.rules.j2 @@ -4,4 +4,3 @@ -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access {% endif %} - diff --git a/templates/audit/ubtu18cis_4_1_11_privileged.rules.j2 b/templates/audit/ubtu18cis_4_1_11_privileged.rules.j2 index 0dc5f52..47de826 100644 --- a/templates/audit/ubtu18cis_4_1_11_privileged.rules.j2 +++ b/templates/audit/ubtu18cis_4_1_11_privileged.rules.j2 @@ -1,4 +1,3 @@ -{% for proc in priv_procs.stdout_lines -%} +{% for proc in priv_procs.stdout_lines -%} -a always,exit -F path={{ proc }} -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged {% endfor %} - diff --git a/templates/audit/ubtu18cis_4_1_12_audit.rules.j2 b/templates/audit/ubtu18cis_4_1_12_audit.rules.j2 index 9db0365..fa95efb 100644 --- a/templates/audit/ubtu18cis_4_1_12_audit.rules.j2 +++ b/templates/audit/ubtu18cis_4_1_12_audit.rules.j2 @@ -2,4 +2,3 @@ {% if ansible_architecture == 'x86_64' -%} -a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts {% endif %} - 
diff --git a/templates/audit/ubtu18cis_4_1_13_delete.rules.j2 b/templates/audit/ubtu18cis_4_1_13_delete.rules.j2 index 065757a..7a97b22 100644 --- a/templates/audit/ubtu18cis_4_1_13_delete.rules.j2 +++ b/templates/audit/ubtu18cis_4_1_13_delete.rules.j2 @@ -2,4 +2,3 @@ {% if ansible_architecture == 'x86_64' -%} -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete {% endif %} - diff --git a/templates/audit/ubtu18cis_4_1_14_scope.rules.j2 b/templates/audit/ubtu18cis_4_1_14_scope.rules.j2 index f1784bd..0ae21fd 100644 --- a/templates/audit/ubtu18cis_4_1_14_scope.rules.j2 +++ b/templates/audit/ubtu18cis_4_1_14_scope.rules.j2 @@ -1,3 +1,2 @@ -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope - diff --git a/templates/audit/ubtu18cis_4_1_15_actions.rules.j2 b/templates/audit/ubtu18cis_4_1_15_actions.rules.j2 index 53824fb..ef134a9 100644 --- a/templates/audit/ubtu18cis_4_1_15_actions.rules.j2 +++ b/templates/audit/ubtu18cis_4_1_15_actions.rules.j2 @@ -2,4 +2,3 @@ {% if ansible_architecture == 'x86_64' -%} -a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions {% endif %} - diff --git a/templates/audit/ubtu18cis_4_1_16_modules.rules.j2 b/templates/audit/ubtu18cis_4_1_16_modules.rules.j2 index 58216e1..bc1813b 100644 --- a/templates/audit/ubtu18cis_4_1_16_modules.rules.j2 +++ b/templates/audit/ubtu18cis_4_1_16_modules.rules.j2 @@ -7,4 +7,3 @@ {% if ansible_architecture == 'x86_64' -%} -a always,exit -F arch=b64 -S init_module -S delete_module -k modules {% endif %} - diff --git a/templates/audit/ubtu18cis_4_1_17_99finalize.rules.j2 b/templates/audit/ubtu18cis_4_1_17_99finalize.rules.j2 index a2b3aa0..bc95eba 100644 --- a/templates/audit/ubtu18cis_4_1_17_99finalize.rules.j2 +++ b/templates/audit/ubtu18cis_4_1_17_99finalize.rules.j2 @@ -1,2 +1 @@ -e 2 - 
diff --git a/templates/audit/ubtu18cis_4_1_3_timechange.rules.j2 b/templates/audit/ubtu18cis_4_1_3_timechange.rules.j2 index f531292..fd08cfe 100644 --- a/templates/audit/ubtu18cis_4_1_3_timechange.rules.j2 +++ b/templates/audit/ubtu18cis_4_1_3_timechange.rules.j2 @@ -5,4 +5,3 @@ -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change {% endif %} - diff --git a/templates/audit/ubtu18cis_4_1_4_identity.rules.j2 b/templates/audit/ubtu18cis_4_1_4_identity.rules.j2 index c8bded4..358f999 100644 --- a/templates/audit/ubtu18cis_4_1_4_identity.rules.j2 +++ b/templates/audit/ubtu18cis_4_1_4_identity.rules.j2 @@ -3,4 +3,3 @@ -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity - diff --git a/templates/audit/ubtu18cis_4_1_5_systemlocale.rules.j2 b/templates/audit/ubtu18cis_4_1_5_systemlocale.rules.j2 index 74e4065..73c912d 100644 --- a/templates/audit/ubtu18cis_4_1_5_systemlocale.rules.j2 +++ b/templates/audit/ubtu18cis_4_1_5_systemlocale.rules.j2 @@ -6,4 +6,3 @@ -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/network -p wa -k system-locale - diff --git a/templates/audit/ubtu18cis_4_1_6_macpolicy.rules.j2 b/templates/audit/ubtu18cis_4_1_6_macpolicy.rules.j2 index bfbf2c3..10354ae 100644 --- a/templates/audit/ubtu18cis_4_1_6_macpolicy.rules.j2 +++ b/templates/audit/ubtu18cis_4_1_6_macpolicy.rules.j2 @@ -1,3 +1,2 @@ -w /etc/apparmor/ -p wa -k MAC-policy -w /etc/apparmor.d/ -p wa -k MAC-policy - diff --git a/templates/audit/ubtu18cis_4_1_7_logins.rules.j2 b/templates/audit/ubtu18cis_4_1_7_logins.rules.j2 index 3ead283..b38f823 100644 --- a/templates/audit/ubtu18cis_4_1_7_logins.rules.j2 +++ b/templates/audit/ubtu18cis_4_1_7_logins.rules.j2 @@ -1,4 +1,3 @@ -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins - 
diff --git a/templates/audit/ubtu18cis_4_1_8_session.rules.j2 b/templates/audit/ubtu18cis_4_1_8_session.rules.j2 index f9e3dbf..51d7254 100644 --- a/templates/audit/ubtu18cis_4_1_8_session.rules.j2 +++ b/templates/audit/ubtu18cis_4_1_8_session.rules.j2 @@ -1,4 +1,3 @@ -w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k logins -w /var/log/btmp -p wa -k logins - diff --git a/templates/audit/ubtu18cis_4_1_9_permmod.rules.j2 b/templates/audit/ubtu18cis_4_1_9_permmod.rules.j2 index 09dacb3..19d9884 100644 --- a/templates/audit/ubtu18cis_4_1_9_permmod.rules.j2 +++ b/templates/audit/ubtu18cis_4_1_9_permmod.rules.j2 @@ -6,4 +6,3 @@ -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod {% endif %} - diff --git a/templates/ntp.conf.j2 b/templates/ntp.conf.j2 index fd5eafe..2ec66b1 100644 --- a/templates/ntp.conf.j2 +++ b/templates/ntp.conf.j2 @@ -65,4 +65,4 @@ restrict source notrap nomodify noquery #fudge 127.127.8.1 time1 0.0042 # relative to PPS for my hardware #server 127.127.22.1 # ATOM(PPS) -#fudge 127.127.22.1 flag3 1 # enable PPS API \ No newline at end of file +#fudge 127.127.22.1 flag3 1 # enable PPS API diff --git a/templates/ubtu18cis_4_1_3_timechange64.rules.j2 b/templates/ubtu18cis_4_1_3_timechange64.rules.j2 index bd8666d..7f79962 100644 --- a/templates/ubtu18cis_4_1_3_timechange64.rules.j2 +++ b/templates/ubtu18cis_4_1_3_timechange64.rules.j2 @@ -2,4 +2,4 @@ -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change -a always,exit -F arch=b64 -S clock_settime -k time-change -a always,exit -F arch=b32 -S clock_settime -k time-change --w /etc/localtime -p wa -k time-change \ No newline at end of file +-w /etc/localtime -p wa -k time-change From c1e99044aa0304e2d69689f3c265080f3c87bc69 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Wed, 20 Sep 2023 17:23:52 +0100 Subject: [PATCH 05/10] updated Signed-off-by: Mark Bolwell --- .ansible-lint | 2 -- .yamllint | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 057c65e..b717f67 100755 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,12 +6,10 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' - - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' - 'name[template]' - - 'fqcn[action]' - 'key-order[task]' - '204' - '305' diff --git a/.yamllint b/.yamllint index ec46929..65faae6 100755 --- a/.yamllint +++ b/.yamllint @@ -30,4 +30,4 @@ rules: trailing-spaces: enable truthy: allowed-values: ['true', 'false'] - check-keys: false + check-keys: true From 7ba4675a85c48df084a908072820cebfda427d99 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 20 Sep 2023 17:23:59 +0100 Subject: [PATCH 06/10] lint Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 65b9fbf..5c1ae3a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -61,7 +61,7 @@ - section1 - name: Include section 2 patches - import_tasks: section_2/main.yml + ansible.builtin.import_tasks: section_2/main.yml when: ubtu18cis_section2_patch tags: - section2 From b4e209c130ab916077a148e9c57fb58fc216d3f9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 11:31:21 +0100 Subject: [PATCH 07/10] import_tasks file added 
Signed-off-by: Mark Bolwell --- tasks/main.yml | 30 ++++++++++++++++--------- tasks/pre_remediation_audit.yml | 3 ++- tasks/section_1/cis_1.1.x.yml | 24 +++++++++++++------- tasks/section_1/cis_1.2.x.yml | 6 +++-- tasks/section_1/cis_1.4.x.yml | 3 ++- tasks/section_1/cis_1.5.x.yml | 3 ++- tasks/section_1/cis_1.6.x.yml | 6 +++-- tasks/section_1/main.yml | 27 +++++++++++++++-------- tasks/section_2/cis_2.3.yml | 3 ++- tasks/section_2/main.yml | 9 +++++--- tasks/section_3/cis_3.5.x.yml | 39 ++++++++++++++++++++++----------- tasks/section_3/main.yml | 15 ++++++++----- tasks/section_4/cis_4.2.1.x.yml | 3 ++- tasks/section_4/main.yml | 24 +++++++++++++------- tasks/section_5/cis_5.5.1.x.yml | 3 ++- tasks/section_5/cis_5.6.yml | 3 ++- tasks/section_5/main.yml | 24 +++++++++++++------- tasks/section_6/cis_6.1.x.yml | 15 ++++++++----- tasks/section_6/cis_6.2.x.yml | 30 ++++++++++++++++--------- tasks/section_6/main.yml | 6 +++-- 20 files changed, 184 insertions(+), 92 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 5c1ae3a..44a19c9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -31,19 +31,22 @@ - always - name: Prelim Import Tasks - ansible.builtin.import_tasks: prelim.yml + ansible.builtin.import_tasks: + file: prelim.yml tags: - always - name: Pre Remediate Audit Task Import - ansible.builtin.import_tasks: pre_remediation_audit.yml + ansible.builtin.import_tasks: + file: pre_remediation_audit.yml when: - run_audit tags: - run_audit - name: Run Password Parsing - ansible.builtin.import_tasks: parse_etc_password.yml + ansible.builtin.import_tasks: + file: parse_etc_password.yml when: - ubtu18cis_section5_patch or ubtu18cis_section6_patch 
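Review bot: The switch to the `file:` keyword form of `ansible.builtin.import_tasks` (every `+` line in this hunk) is a parse-time dependency on an ansible-core release that accepts that option, which is newer than the free-form string it replaces; if `meta/main.yml` (not in view) still declares a `min_ansible_version` that predates it, the role will fail to load on that floor, so confirm the two agree. The free-form and keyword forms are otherwise equivalent, so nothing else in this hunk changes behaviour. A short comment at the top of the file would spare the next reader the same check, e.g. `# import_tasks/include_tasks use the file: keyword form; keep min_ansible_version in meta/main.yml in step`.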
@@ -55,37 +58,43 @@ - always - name: Include section 1 patches - ansible.builtin.import_tasks: section_1/main.yml + ansible.builtin.import_tasks: + file: section_1/main.yml when: ubtu18cis_section1_patch tags: - section1 - name: Include section 2 patches - ansible.builtin.import_tasks: section_2/main.yml + ansible.builtin.import_tasks: + file: section_2/main.yml when: ubtu18cis_section2_patch tags: - section2 - name: Include section 3 patches - ansible.builtin.import_tasks: section_3/main.yml + ansible.builtin.import_tasks: + file: section_3/main.yml when: ubtu18cis_section3_patch tags: - section3 - name: Include section 4 patches - ansible.builtin.import_tasks: section_4/main.yml + ansible.builtin.import_tasks: + file: section_4/main.yml when: ubtu18cis_section4_patch tags: - section4 - name: Include section 5 patches - ansible.builtin.import_tasks: section_5/main.yml + ansible.builtin.import_tasks: + file: section_5/main.yml when: ubtu18cis_section5_patch tags: - section5 - name: Include section 6 patches - ansible.builtin.import_tasks: section_6/main.yml + ansible.builtin.import_tasks: + file: section_6/main.yml when: ubtu18cis_section6_patch | bool tags: - section6 @@ -113,7 +122,8 @@ warn_control_id: 'Reboot Required' - name: Post Remediation Task - ansible.builtin.import_tasks: post_remediation_audit.yml + ansible.builtin.import_tasks: + file: post_remediation_audit.yml when: - run_audit diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 1ba132b..93e54f9 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,7 +1,8 @@ --- - name: Pre Audit | Setup the audit - ansible.builtin.include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: + file: LE_audit_setup.yml when: - setup_audit tags: diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 92a2932..12e2744 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml 
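Review bot: Sections 1–5 in this hunk gate on the bare variable (`when: ubtu18cis_section1_patch`) while section 6 gates on `ubtu18cis_section6_patch | bool`; since every one of these `import_tasks` calls was rewritten anyway, this is the moment to make them consistent. `| bool` is the safer of the two if these toggles can arrive as strings from `-e key=value` on the command line, so the change would be `when: ubtu18cis_section1_patch | bool` and likewise for sections 2–5. The `tags` on each import are unchanged and still allow a single section to be selected.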
@@ -255,7 +255,8 @@ ubtu18cis_1_1_10_var_mounted.stdout | length == 0 - name: "1.1.10 | AUDIT | Ensure separate partition exists for /var | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.10' when: @@ -289,7 +290,8 @@ ubtu18cis_1_1_11_var_tmp_mounted.stdout | length == 0 - name: "1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.11' when: @@ -352,7 +354,8 @@ ubtu18cis_1_1_15_var_log_mounted.stdout | length == 0 - name: "1.1.15 | AUDIT | Ensure separate partition exists for /var/log | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.15' when: @@ -386,7 +389,8 @@ ubtu18cis_1_1_16_var_log_audit_mounted.stdout | length == 0 - name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.16' when: @@ -420,7 +424,8 @@ ubtu18cis_1_1_17_home_mounted.stdout | length == 0 - name: "1.1.17 | AUDIT | Ensure separate partition exists for /home | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.17' when: @@ -462,7 +467,8 @@ msg: "Warning!! Ensure nodev option set on removable media partitions." - name: "1.1.19 | AUDIT | Ensure nodev option set on removable media partitions. | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.19' when: 
@@ -482,7 +488,8 @@ msg: "Warning!! Ensure nosuid option set on removable media partitions." - name: "1.1.20 | AUDIT | Ensure nosuid option set on removable media partitions. | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.20' when: @@ -502,7 +509,8 @@ msg: "Warning!! Ensure noexec option set on removable media partitions." - name: "1.1.21 | AUDIT | Ensure noexec option set on removable media partitions. | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.21' when: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 009ec11..0bd3b42 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -15,7 +15,8 @@ - "{{ ubtu18cis_1_2_1_apt_policy.stdout_lines }}" - name: "1.2.1 | AUDIT | Ensure package manager repositories are configured | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.2.1' when: @@ -45,7 +46,8 @@ - "{{ ubtu18cis_1_2_2_apt_gpgkeys.stdout_lines }}" - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.2.2' when: diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index cd38539..732561f 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -65,7 +65,8 @@ - "'password' in ubtu18cis_bootloader_hash_check.stdout" - name: "1.4.2 | AUDIT | Ensure bootloader password is set. | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.4.2' when: 
diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 0ed1735..a80a1dd 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -15,7 +15,8 @@ when: "'active' not in ubtu18cis_1_5_1_xdnx_status.stdout" - name: "1.5.1 | AUDIT | Ensure XD/NX support is enabled. | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.5.1' when: diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index fb32233..8f019fe 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -69,7 +69,8 @@ when: ubtu18cis_rule_1_6_1_3_apparmor_unconfined.stdout != '0' - name: "1.6.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain mode | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: ubtu18cis_rule_1_6_1_3_apparmor_unconfined.stdout != '0' vars: warn_control_id: '1.6.1.3' @@ -98,7 +99,8 @@ when: ubtu18cis_rule_1_6_1_4_apparmor_enforced.stdout != '0' - name: "1.6.1.4 | AUDIT | Ensure all AppArmor Profiles are enforcing | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: ubtu18cis_rule_1_6_1_4_apparmor_enforced.stdout != '0' vars: warn_control_id: '1.6.1.4' diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index d3a93e2..1842296 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
@@ -1,27 +1,36 @@ --- - name: "SECTION | 1.1 | Disable Unused Filesystems" - ansible.builtin.import_tasks: cis_1.1.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.x.yml - name: "SECTION | 1.2 | Configure Software Updates" - ansible.builtin.import_tasks: cis_1.2.x.yml + ansible.builtin.import_tasks: + file: cis_1.2.x.yml - name: "SECTION | 1.3. | Filesystem Integrity Checking" - ansible.builtin.import_tasks: cis_1.3.x.yml + ansible.builtin.import_tasks: + file: cis_1.3.x.yml - name: "SECTION | 1.4 | Secure Boot Settings" - ansible.builtin.import_tasks: cis_1.4.x.yml + ansible.builtin.import_tasks: + file: cis_1.4.x.yml - name: "SECTION | 1.5 | Additional Process Hardening" - ansible.builtin.import_tasks: cis_1.5.x.yml + ansible.builtin.import_tasks: + file: cis_1.5.x.yml - name: "SECTION | 1.6 | Mandatory Access Control" - ansible.builtin.import_tasks: cis_1.6.x.yml + ansible.builtin.import_tasks: + file: cis_1.6.x.yml - name: "SECTION | 1.7 | Command Line Warning Banners" - ansible.builtin.import_tasks: cis_1.7.x.yml + ansible.builtin.import_tasks: + file: cis_1.7.x.yml - name: "SECTION | 1.8 | GNOME Display Manager" - ansible.builtin.import_tasks: cis_1.8.x.yml + ansible.builtin.import_tasks: + file: cis_1.8.x.yml - name: "SECTION | 1.9 | Ensure updates, patches, and additional security software are installed" - ansible.builtin.import_tasks: cis_1.9.yml + ansible.builtin.import_tasks: + file: cis_1.9.yml diff --git a/tasks/section_2/cis_2.3.yml b/tasks/section_2/cis_2.3.yml index 39af2b6..f2c1d08 100644 --- a/tasks/section_2/cis_2.3.yml +++ b/tasks/section_2/cis_2.3.yml @@ -14,7 +14,8 @@ - "{{ ubtu18cis_2_3_services.stdout_lines }}" - name: "2.3 | AUDIT | Ensure nonessential services are removed or masked | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '2.3' when: diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 1a39e2b..d66b7af 100644 
--- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,9 +1,12 @@ --- - name: "SECTION | 2.1 | Special Purpose Services" - ansible.builtin.import_tasks: cis_2.1.x.yml + ansible.builtin.import_tasks: + file: cis_2.1.x.yml - name: "SECTION | 2.2 | Service Clients" - ansible.builtin.import_tasks: cis_2.2.x.yml + ansible.builtin.import_tasks: + file: cis_2.2.x.yml - name: "SECTION | 2.3 | Ensure nonessential services are removed or masked" - ansible.builtin.import_tasks: cis_2.3.yml + ansible.builtin.import_tasks: + file: cis_2.3.yml diff --git a/tasks/section_3/cis_3.5.x.yml b/tasks/section_3/cis_3.5.x.yml index f3d36f0..13a5cdf 100644 --- a/tasks/section_3/cis_3.5.x.yml +++ b/tasks/section_3/cis_3.5.x.yml @@ -145,7 +145,8 @@ - "{{ ubtu18cis_3_5_1_6_firewall_rules.stdout_lines }}" - name: "3.5.1.6 | AUDIT | Ensure firewall rules exist for all open ports | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.5.1.6' when: @@ -191,7 +192,8 @@ msg: "Warning!! NFTables is not supported in this role. Please use UFW or iptables" - name: "3.5.2.1 | AUDIT | Ensure firewall rules exist for all open ports | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.5.2.1' # ansible.builtin.package: @@ -217,7 +219,8 @@ msg: "Warning!! NFTables is not supported in this role. Please use UFW or iptables" - name: "3.5.2.2 | AUDIT | Ensure ufw is uninstalled or disabled with nftables. | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.5.2.2' # ansible.builtin.package: 
@@ -243,7 +246,8 @@ msg: "Warning!! NFTables is not supported in this role. Please use UFW or iptables" - name: "3.5.2.3 | PATCH | Ensure iptables are flushed. | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.5.2.3' # ansible.builtin.iptables: @@ -268,7 +272,8 @@ msg: "Warning!! NFTables is not supported in this role. Please us UFW or iptables" - name: "3.5.2.4 | PATCH | Ensure a nftables table exists. | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.5.2.4' # ansible.builtin.shell: "nft create table {{ ubtu18cis_nftables_table_name }}" @@ -294,7 +299,8 @@ msg: "Warning!! NFTables is not supported in this role. Please us UFW or iptables" - name: "3.5.2.5 | PATCH | Ensure nftables base chains exist | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.5.2.5' # block: @@ -334,7 +340,8 @@ msg: "Warning!! NFTables is not supported in this role. Please us UFW or iptables" - name: "3.5.2.6 | PATCH | Ensure nftables loopback traffic is configured. | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.5.2.6' # block: @@ -399,7 +406,8 @@ msg: "Warning!! NFTables is not supported in this role. Please us UFW or iptables" - name: "3.5.2.7 | PATCH | Ensure nftables outbound and established connections are configured | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.5.2.7' when: 
@@ -421,7 +429,8 @@ msg: "Warning!! NFTables is not supported in this role. Please us UFW or iptables" - name: "3.5.2.8 | PATCH | Ensure nftables default deny firewall policy | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.5.2.8' when: @@ -443,7 +452,8 @@ msg: "Warning!! NFTables is not supported in this role. Please us UFW or iptables" - name: "3.5.2.9 | PATCH | Ensure nftables service is enabled | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.5.2.9' # service: @@ -469,7 +479,8 @@ msg: "Warning!! NFTables is not supported in this role. Please us UFW or iptables" - name: "3.5.2.10 | PATCH | Ensure nftables rules are permanent. | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.5.2.10' when: @@ -665,7 +676,8 @@ - "{{ ubtu18cis_3_5_3_2_4_current_rules.stdout_lines }}" - name: "3.5.3.2.4 | AUDIT | Ensure firewall rules exist for all open ports | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.5.3.2.4' when: @@ -837,7 +849,8 @@ - "{{ ubtu18cis_3_5_3_3_4_current_rules.stdout_lines }}" - name: "3.5.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.5.3.3.4' when: diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 41fe9f0..f95dc6a 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml 
@@ -1,15 +1,20 @@ --- - name: "SECTION | 3.1 | Disable unused network protocols and devices" - ansible.builtin.import_tasks: cis_3.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.1.x.yml - name: "SECTION | 3.2 | Network Parameters Host Only" - ansible.builtin.import_tasks: cis_3.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.2.x.yml - name: "SECTION | 3.3 | Network Parameters Host and Router" - ansible.builtin.import_tasks: cis_3.3.x.yml + ansible.builtin.import_tasks: + file: cis_3.3.x.yml - name: "SECTION | 3.4 | Uncommong Network Protocols" - ansible.builtin.import_tasks: cis_3.4.x.yml + ansible.builtin.import_tasks: + file: cis_3.4.x.yml - name: "SECTION | 3.5 | Firewall Configuration" - ansible.builtin.import_tasks: cis_3.5.x.yml + ansible.builtin.import_tasks: + file: cis_3.5.x.yml diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 93569e3..1597953 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -50,7 +50,8 @@ when: not ubtu18cis_rsyslog_ansible_managed - name: "4.2.1.3 | PATCH | Ensure logging is configured | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '4.2.1.3' when: not ubtu18cis_rsyslog_ansible_managed diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 8e39682..d1032c2 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml 
@@ -1,24 +1,32 @@ --- - name: "SECTION | 4.1.1 | Configure System Accounting" - ansible.builtin.import_tasks: cis_4.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.1.x.yml - name: "SECTION | 4.1.2 | Configure Data Retention" - ansible.builtin.import_tasks: cis_4.1.2.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.2.x.yml - name: "SECTION | 4.1.x | Login Settings" - ansible.builtin.import_tasks: cis_4.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.x.yml - name: "SECTION | 4.2.1 | Configure rsyslog" - ansible.builtin.import_tasks: cis_4.2.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.2.1.x.yml - name: "SECTION | 4.2.2 | Configure journald" - ansible.builtin.import_tasks: cis_4.2.2.x.yml + ansible.builtin.import_tasks: + file: cis_4.2.2.x.yml - name: "SECTION | 4.2.3 | Ensure permissions on all logfiles are configured" - ansible.builtin.import_tasks: cis_4.2.3.x.yml + ansible.builtin.import_tasks: + file: cis_4.2.3.x.yml - name: "SECTION | 4.3 | Ensure logrotate is configured" - ansible.builtin.import_tasks: cis_4.3.yml + ansible.builtin.import_tasks: + file: cis_4.3.yml - name: "SECTION | 4.4 | Ensure assigns appropriate permissions" - ansible.builtin.import_tasks: cis_4.4.yml + ansible.builtin.import_tasks: + file: cis_4.4.yml diff --git a/tasks/section_5/cis_5.5.1.x.yml b/tasks/section_5/cis_5.5.1.x.yml index a6f354a..62bfc3f 100644 --- a/tasks/section_5/cis_5.5.1.x.yml +++ b/tasks/section_5/cis_5.5.1.x.yml @@ -120,7 +120,8 @@ when: ubtu18cis_5_5_1_5_user_list.stdout | length > 0 - name: "5.5.1.5 | PATCH | Ensure all users last password change date is in the past | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '5.5.1.5' when: ubtu18cis_5_5_1_5_user_list.stdout | length > 0 diff --git a/tasks/section_5/cis_5.6.yml b/tasks/section_5/cis_5.6.yml index c6d4257..61c5257 100644 --- a/tasks/section_5/cis_5.6.yml 
+++ b/tasks/section_5/cis_5.6.yml @@ -15,7 +15,8 @@ - "{{ ubtu18cis_5_6_terminal_list.stdout_lines }}" - name: "5.6 | AUDIT | Ensure root login is restricted to system console | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '5.6' when: diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 592919f..cdd97ba 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -1,24 +1,32 @@ --- - name: "SECTION | 5.1 | Configure time-based job schedulers" - ansible.builtin.import_tasks: cis_5.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure sudo" - ansible.builtin.import_tasks: cis_5.2.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.x.yml - name: "SECTION | 5.3 | Configure SSH Server" - ansible.builtin.import_tasks: cis_5.3.x.yml + ansible.builtin.import_tasks: + file: cis_5.3.x.yml - name: "SECTION | 5.4.x | User PAM" - ansible.builtin.import_tasks: cis_5.4.x.yml + ansible.builtin.import_tasks: + file: cis_5.4.x.yml - name: "SECTION | 5.5.1.x | User Accounts and Enironment part 1" - ansible.builtin.import_tasks: cis_5.5.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.5.1.x.yml - name: "SECTION | 5.5.x | User Accounts and Enironment part 2" - ansible.builtin.import_tasks: cis_5.5.x.yml + ansible.builtin.import_tasks: + file: cis_5.5.x.yml - name: "SECTION | 5.6 | Ensure root login is restricted to system console" - ansible.builtin.import_tasks: cis_5.6.yml + ansible.builtin.import_tasks: + file: cis_5.6.yml - name: "SECTION | 5.7 | Ensure access to the su command is restricted" - ansible.builtin.import_tasks: cis_5.7.yml + ansible.builtin.import_tasks: + file: cis_5.7.yml diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 5df8a2a..58805cd 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml 
@@ -45,7 +45,8 @@ when: ubtu18cis_manual_audit_dpkg - name: "6.1.1 | AUDIT | Audit system file permissions | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.1.1' when: @@ -240,7 +241,8 @@ when: ubtu18cis_6_1_11_unowned_files_found - name: "6.1.11 | AUDIT | Ensure no unowned files or directories exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.1.11' when: ubtu18cis_6_1_11_unowned_files_found @@ -283,7 +285,8 @@ when: ubtu18cis_6_1_12_ungrouped_files_found - name: "6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.1.12' when: ubtu18cis_6_1_12_ungrouped_files_found @@ -322,7 +325,8 @@ when: ubtu18cis_6_1_13_suid_found - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.1.13' when: ubtu18cis_6_1_13_suid_found @@ -361,7 +365,8 @@ when: ubtu18cis_6_1_14_sgid_found - name: "6.1.14 | AUDIT | Audit SGID executables| warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.1.14' when: ubtu18cis_6_1_14_sgid_found diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index e0b81f6..b5fd197 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
@@ -16,7 +16,8 @@ - ubtu18cis_6_2_1_nonshadowed_users.stdout | length > 0 - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.1' when: @@ -77,7 +78,8 @@ when: ubtu18cis_6_2_3_passwd_gid_check.stdout | length > 0 - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.3' when: ubtu18cis_6_2_3_passwd_gid_check.stdout | length > 0 @@ -261,7 +263,8 @@ - not ubtu18cis_dotperm_ansiblemanaged - name: "6.2.7 | AUDIT | Ensure users' dot files are not group or world-writable | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.7' when: @@ -358,7 +361,8 @@ - ubtu18cis_6_2_11_uid_0_notroot.stdout | length > 0 - name: "6.2.11 | AUDIT | Ensure root is the only UID 0 account | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.11' when: @@ -408,7 +412,8 @@ - "The following paths have no working directory: {{ ubtu18cis_6_2_12_path_stat.results | selectattr('stat.exists','equalto','false') | map(attribute='item') | list }}" - name: "6.2.12 | AUDIT | Ensure root PATH Integrity | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.12' 
@@ -453,7 +458,8 @@ when: ubtu18cis_6_2_13_user_uid_check.stdout | length > 0 - name: "6.2.13 | AUDIT | Ensure no duplicate UIDs exist | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.13' when: ubtu18cis_6_2_13_user_uid_check.stdout | length > 0 @@ -486,7 +492,8 @@ when: ubtu18cis_6_2_14_user_check.stdout | length > 0 - name: "6.2.14 | AUDIT | Ensure no duplicate GIDs exist | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.14' when: ubtu18cis_6_2_14_user_check.stdout | length > 0 @@ -519,7 +526,8 @@ when: ubtu18cis_6_2_15_user_username_check.stdout | length > 0 - name: "6.2.15 | AUDIT | Ensure no duplicate user names exist | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.15' when: ubtu18cis_6_2_15_user_username_check.stdout | length > 0 @@ -552,7 +560,8 @@ when: ubtu18cis_6_2_16_group_group_check.stdout | length > 0 - name: "6.2.16 | AUDIT | Ensure no duplicate group names exist | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.16' when: ubtu18cis_6_2_16_group_group_check.stdout | length > 0 @@ -595,7 +604,8 @@ when: ubtu18cis_6_2_17_users_shadow_gid.stdout | length > 0 - name: "6.2.17 | AUDIT | Ensure shadow group is empty | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '6.2.17' when: diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index 61c4cb2..9a01d99 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml 
@@ -1,6 +1,8 @@ --- - name: "SECTION | 6.1 | System File Permissions" - ansible.builtin.import_tasks: cis_6.1.x.yml + ansible.builtin.import_tasks: + file: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - ansible.builtin.import_tasks: cis_6.2.x.yml + ansible.builtin.import_tasks: + file: cis_6.2.x.yml From 40702758b6fd32ecfa71afe0f8d84122f51c161e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 11:31:27 +0100 Subject: [PATCH 08/10] updated Signed-off-by: Mark Bolwell --- ChangeLog.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ChangeLog.md b/ChangeLog.md index 8d3f5db..ca1e74f 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,5 +1,11 @@ # Changelog +## 1.4.0 + +workflow update +linting updates +impoirt_tasks spilut with file + ## 1.3.1 - issue 84 from ubuntu20 fixed vartmp From 65e7a3d7cfc45cbcd8d32f602e18222e2becbf98 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 12:20:11 +0100 Subject: [PATCH 09/10] 3.1.2 handler and control updated Signed-off-by: Mark Bolwell --- ChangeLog.md | 4 +++- handlers/main.yml | 3 +++ tasks/section_3/cis_3.1.x.yml | 33 ++++++++++++++++++++------------- 3 files changed, 26 insertions(+), 14 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index ca1e74f..5e50e9f 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -4,7 +4,9 @@ workflow update linting updates -impoirt_tasks spilut with file +import_tasks spilut with file +rule 3.1.2 logic update +tidy up tags ## 1.3.1 diff --git a/handlers/main.yml b/handlers/main.yml index 00bfc79..ad8a676 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -20,6 +20,9 @@ name: exim4 state: restarted +- name: Disable wireless adaptor + ansible.builtin.shell: nmcli radio wifi off + - name: sysctl flush ipv4 route table ansible.posix.sysctl: name: net.ipv4.route.flush diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 45c2898..6d392e1 100644 --- a/tasks/section_3/cis_3.1.x.yml 
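Review bot: The new `Disable wireless adaptor` handler runs `nmcli radio wifi off` via `ansible.builtin.shell` although the command uses no shell features, and the only task that notifies it (3.1.2 in tasks/section_3/cis_3.1.x.yml, later in this series) already runs the identical command inline, so the radio is switched off twice per run. Prefer `ansible.builtin.command: nmcli radio wifi off` for the handler, and either drop the `notify:` from the task or let the task only detect and leave the change to the handler. Because a `shell`/`command` task always reports changed, the handler fires every time that task runs, so its own change reporting should be considered (for example `changed_when: false` if it is treated as a remediation side effect).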
+++ b/tasks/section_3/cis_3.1.x.yml @@ -19,27 +19,34 @@ - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" block: - - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" - ansible.builtin.shell: dpkg -s network-manager - changed_when: false - failed_when: false - args: - warn: false - check_mode: false - register: ubtu18cis_nmcli_available - - - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" + - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled if wlan exists" ansible.builtin.shell: nmcli radio wifi register: ubtu18cis_wifi_enabled check_mode: false - changed_when: ubtu18cis_wifi_enabled.stdout != "disabled" - when: ubtu18cis_nmcli_available.rc == 0 + changed_when: ubtu18cis_wifi_enabled.stdout not in [ 'disabled', 'missing' ] + when: "'network-manager' in ansible_facts.packages" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" ansible.builtin.shell: nmcli radio wifi off - when: ubtu18cis_wifi_enabled is changed # noqa: no-handler + notify: Disable wireless adaptor + when: + - ubtu18cis_wifi_enabled.stdout is defined + - "[ 'disabled', 'missing' ] not in ubtu18cis_wifi_enabled.stdout" + + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warning" + ansible.builtin.debug: + msg: "Warning!! network-manager package is not installed please check wireless connections manually" + when: "'network-manager' not in ansible_facts.packages" + + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + when: "'network-manager' not in ansible_facts.packages" + vars: + warn_control_id: '3.1.2' when: - ubtu18cis_rule_3_1_2 + - "'wlan' in ansible_facts.interfaces" tags: - level1-server - level2-workstation From 94c9825eb7384ef96ddba0ee1517b8988d10b949 Mon Sep 17 00:00:00 2001 
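Review bot: The `when` on the "Disable wifi if enabled" task has its operands reversed: `"[ 'disabled', 'missing' ] not in ubtu18cis_wifi_enabled.stdout"` asks whether a list is contained in a string, which Python's `in` operator rejects for a string right-hand side, so the conditional errors rather than deciding; it should mirror the `changed_when` on the audit task, `- ubtu18cis_wifi_enabled.stdout not in [ 'disabled', 'missing' ]`. The block-level guard `"'wlan' in ansible_facts.interfaces"` is an exact-name membership test against a list of interface names such as `wlan0` or `wlp2s0`, so on most hosts it is false and the whole control, including the network-manager warning and warn count, is skipped; `- ansible_facts.interfaces | select('match', '^wl') | list | length > 0` would match the usual wireless naming. The switch from `dpkg -s` to `ansible_facts.packages` also presumes `package_facts` is gathered earlier in the role (not visible in this hunk); if it is not, both `'network-manager' ... ansible_facts.packages` expressions fail on an undefined attribute. The task's `tags` list continues outside the hunk.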
From: Mark Bolwell Date: Thu, 21 Sep 2023 12:22:18 +0100 Subject: [PATCH 10/10] updated Signed-off-by: Mark Bolwell --- ChangeLog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.md b/ChangeLog.md index 5e50e9f..2aa5184 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -4,7 +4,7 @@ workflow update linting updates -import_tasks spilut with file +import_tasks added file rule 3.1.2 logic update tidy up tags