Yamllint Check, Ansible-lint Chek, Module Updates, Bug #73&80 Fixed, …
…Included FIX PR #81

Signed-off-by: Stephen Williams <[email protected]>
MrSteve81 committed Apr 21, 2023
1 parent 92aadf6 commit a5fe219
Showing 10 changed files with 120 additions and 46 deletions.
46 changes: 23 additions & 23 deletions .yamllint
Expand Up @@ -3,26 +3,26 @@
extends: default

rules:
braces: {max-spaces-inside: 1, level: error}
brackets: {max-spaces-inside: 1, level: error}
colons: {max-spaces-after: -1, level: error}
commas: {max-spaces-after: -1, level: error}
comments: disable
comments-indentation: disable
document-start: disable
empty-lines: {max: 3, level: error}
hyphens: {level: error}
indentation:
# Requiring 4 space indentation
spaces: 4
# Requiring consistent indentation within a file, either indented or not
indent-sequences: consistent
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: enable
new-lines:
type: unix
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
check-keys: true
braces: {max-spaces-inside: 1, level: error}
brackets: {max-spaces-inside: 1, level: error}
colons: {max-spaces-after: -1, level: error}
commas: {max-spaces-after: -1, level: error}
comments: disable
comments-indentation: disable
document-start: disable
empty-lines: {max: 3, level: error}
hyphens: {level: error}
indentation:
# Requiring 4 space indentation
spaces: 4
# Requiring consistent indentation within a file, either indented or not
indent-sequences: consistent
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: enable
new-lines:
type: unix
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
check-keys: true
9 changes: 9 additions & 0 deletions Changelog.md
Expand Up @@ -6,6 +6,15 @@
- license file
- ansible version

## April 2023 Updates
- Addressed Bugs
- [#73](https://github.com/ansible-lockdown/UBUNTU20-CIS/issues/73) - Thanks @fnschroeder (Fix Taken From @uk-bolly issue_73 branch)
- [#80](https://github.com/ansible-lockdown/UBUNTU20-CIS/issues/80) - Thanks @kdebisschop
- Added Fixes For Outstanding PR's
- [#81](https://github.com/ansible-lockdown/UBUNTU20-CIS/pull/81) - Thanks @kdebisschop
- Fixed Linting Errors For Yamllint & Ansbile-Lint
- Adjusted Builtin to Posix For sysctl module.

## Feb 23 updates - Initial

### based upon CIS 1.1.0
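--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,63 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+# The most common configuration options are documented and commented below.
+# For a complete reference, please see the online documentation at
+# https://docs.vagrantup.com.
+# Every Vagrant development environment requires a box. You can search for
+# boxes at https://vagrantcloud.com/search.
+# config.vm.box = "nogala/tomcat9"
+# config.vm.box = "generic/centos8"
+# config.vm.box = "generic/rocky8"
+# config.vm.box = "rockylinux/9"
+# config.vm.box = "centos/stream8"
+# config.vm.box = "generic/rhel8"
+# config.vm.box = "generic/rhel7"
+# config.vm.box = "bento/ubuntu-18.04"
+config.vm.box = "generic/ubuntu2004"
+# config.vm.box = “pega-squid/ubuntu-18.04.1-desktop”
+# config.vm.box = "/Users/georgen/Documents/Work/TestDelete/BollyImages/virtualbox-centos8-efi.box"
+# config.vm.box = "/Users/georgen/Documents/Work/TestDelete/BollyImages/virtualbox-rocky8-efi.box"
+# config.vm.box = "generic/centos7"
+# config.vm.box = "mindpointgroup/centos8_apache_base"
+# config.vm.box = "mindpointgroup/cent8_tomcat9_base"
+# config.vm.box = "trueability/esxi-6.7"
+# config.vm.network "private_network", ip: "10.42.0.50"
+# Windows 10 Below
+# config.vm.network "private_network", ip: "192.168.56.2"
+# config.vm.synced_folder ".", "/vagrant", type: "virtualbox"
+# config.vm.synced_folder "/Users/georgen/Documents/Work/ControlWork/STIG", "/var/tmp", type: "virtualbox"
+# config.ssh.username = 'vagrant'
+# config.ssh.password = 'vagrant'
+# config.vm.provider "virtualbox" do |hw|
+# hw.memory = 4096
+# hw.cpus = 2
+# end
+config.vm.provision "ansible" do |ansible|
+# ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/tomcat-stig/site.yml"
+# ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/POSTGRES-9-STIG/site.yml"
+# ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/Oracle-7/RHEL7-STIG/site.yml"
+# ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/TOMCAT-9-STIG/site.yml"
+# ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/CIS/rhel-8/site.yaml"
+# ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/rhel-8-stig/site.yml"
+# ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/CIS/apache-cis/site.yml"
+# ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/CIS/APACHE-2.4-CIS/site.yml"
+# ansible.playbook = "playbook_rhel8_stig.yml"
+# ansible.playbook = "playbook_rhel8_stig.yml"
+# ansible.playbook = "./test_playbook/site.yml"
+# ansible.playbook = "update_upgrade.yml"
+# ansible.playbook = "/Users/georgen/Documents/Work/ClientWork/CBS/1045/RHEL7-CIS/site.yaml"
+# ansible.playbook = "/Users/stephenw/Documents/Development/RHEL7-STIG/site.yml"
+# ansible.playbook = "/Users/stephenw/Documents/Development/Testing (Ok If Deleted)/RHEL9-CIS/site.yml"
+# ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/temp/RHEL8-STIG-TEST/site.yml"
+# ansible.playbook = "/Users/stephenw/Documents/Development/Testing (Ok If Deleted)/UBUNTU18-STIG/site.yml"
+# ansible.playbook = "/Users/stephenw/Documents/Development/Testing (Complete)/UBUNTU20-STIG/site.yml"
+# ansible.playbook = "/Users/georgen/Documents/Work/TempDelete/pr_233_staging/RHEL7-CIS/site.yml"
+ansible.playbook = "/Users/stephenw/Documents/Development/UBUNTU20-CIS/site.yml"
+ansible.verbose = "vvvvv"
+end
+end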
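Review bot: `ansible.verbose = "vvvvv"` in the provisioner block runs every `vagrant provision` at maximum verbosity, and at that level Ansible echoes module invocations with their arguments, so the `ubtu20cis_root_pw` and `ubtu20cis_grub_pw` hash values this role consumes (see defaults/main.yml in the same commit) may land in the console log of anyone who uses this file unless the consuming tasks set `no_log`; `ansible.verbose = "v"` (or omitting the line) is the safer committed default. `ansible.playbook = "/Users/stephenw/Documents/Development/UBUNTU20-CIS/site.yml"` is an absolute path on one developer's machine, so the file does not work for anyone else — the Vagrantfile sits at the repository root next to site.yml, so `ansible.playbook = "site.yml"` resolves the same playbook portably. The roughly forty commented-out `config.vm.box` and `ansible.playbook` lines pointing at other users' home directories and unrelated STIG/CIS projects are dead configuration and belong out of a committed file. Pinning the box with `config.vm.box_version` would also make test runs reproducible.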
6 changes: 3 additions & 3 deletions defaults/main.yml
Expand Up @@ -431,14 +431,14 @@ ubtu20cis_aide_cron:
ubtu20cis_set_grub_password: true
ubtu20cis_grub_user_file: /etc/grub.d/40_custom
ubtu20cis_grub_users: root
ubtu20cis_grub_pw: "grub.pbkdf2.sha512.10000.ChangeMe"
ubtu20cis_grub_pw: "grub.pbkdf2.sha512.10000"
# Change the following value to true if you wish to be prompted to get past grub bootloader
ubtu20cis_ask_passwd_to_boot: false

# 1.4.4
# note this needs to be in the encrypted format
ubtu20cis_set_root_password: true
ubtu20cis_root_pw: $6$this_is_needs_to_be_changed
ubtu20cis_root_pw: $6$

# 1.7.1
# disable dynamic motd to stop extra sshd message from appearing
Expand All @@ -454,7 +454,7 @@ ubtu20cis_warning_banner: |
# Control 2.1.1.1
# ubtu20cis_time_sync_tool is the tool in which to synchronize time
# The two options are chrony, ntp, or systemd-timesyncd
ubtu20cis_time_sync_tool: "ntp"
ubtu20cis_time_sync_tool: "chrony"

# Control 2.1.1.2
# ubtu20cis_ntp_server_list is the list ntp servers
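Review bot: If, as the print order suggests (the page shows no +/- markers), `ubtu20cis_grub_pw: "grub.pbkdf2.sha512.10000"` and `ubtu20cis_root_pw: $6$` are the new values, the placeholders have lost the `ChangeMe` / `this_is_needs_to_be_changed` markers that made it obvious they must be replaced, while `ubtu20cis_set_grub_password: true` and `ubtu20cis_set_root_password: true` still apply them by default; a bare `$6$` is not a valid SHA-512 crypt hash, so a run on unchanged defaults would write a malformed field into /etc/shadow (presumably locking root rather than setting a known password — verify on a test box). Either keep an unmistakable placeholder or, better, add a prelim check such as `ansible.builtin.assert: { that: [ubtu20cis_root_pw != '$6$', ubtu20cis_grub_pw != 'grub.pbkdf2.sha512.10000'], fail_msg: 'set the root and grub password hashes before running' }` gated on the two `_set_` flags. The comment `# note this needs to be in the encrypted format` could also name the expected form, e.g. `# a full SHA-512 crypt hash ($6$<salt>$<hash>), e.g. from mkpasswd -m sha-512`. The tasks that consume these variables should carry `no_log: true` so the hashes do not appear in verbose output.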
5 changes: 3 additions & 2 deletions tasks/main.yml
Expand Up @@ -48,7 +48,8 @@
tags:
- run_audit

- ansible.builtin.import_tasks: parse_etc_password.yml
- name: Run parse /etc/passwd
ansible.builtin.import_tasks: parse_etc_password.yml
when:
- ubtu20cis_section5_patch or
ubtu20cis_section6_patch
Expand Down Expand Up @@ -119,7 +120,7 @@
- skip_reboot

- name: run post remediation tasks
import_tasks: post.yml
ansible.builtin.import_tasks: post.yml
tags:
- post_tasks
- always
1 change: 1 addition & 0 deletions tasks/prelim.yml
Expand Up @@ -58,6 +58,7 @@
name: network-manager
state: present
when:
- wireless_interfaces.stdout is defined
- wireless_interfaces.stdout | length > 0
- ubtu20cis_install_network_manager
- ubtu20cis_rule_3_1_2
4 changes: 2 additions & 2 deletions tasks/section_1/cis_1.5.x.yml
Expand Up @@ -37,7 +37,7 @@
line: 'kernel.randomize_va_space = 2'

- name: "1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: kernel.randomize_va_space
value: '2'
when:
Expand Down Expand Up @@ -75,7 +75,7 @@
- name: "1.5.4 | PATCH | Ensure core dumps are restricted"
block:
- name: "1.5.4 | PATCH | Ensure core dumps are restricted | kernel sysctl"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: fs.suid_dumpable
value: '0'
state: present
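Review bot: Replacing `ansible.builtin.sysctl` with `ansible.posix.sysctl` here, and in the matching hunks of tasks/section_3/cis_3.2.x.yml and tasks/section_3/cis_3.3.x.yml, makes the role depend on the `ansible.posix` collection, which is not shipped with ansible-core; none of the ten files in this commit is a `requirements.yml` or `meta/runtime.yml`, so unless the collection is already declared elsewhere in the repository a fresh checkout will fail at module resolution. Declare it with `collections: - name: ansible.posix` in a `requirements.yml` (and mention `ansible-galaxy collection install -r requirements.yml` in the README) so the fix is reproducible. The 1.5.2 and 1.5.4 tasks continue past the hunk edges, so their `when`/`tags` were not reviewed.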
6 changes: 3 additions & 3 deletions tasks/section_3/cis_3.2.x.yml
@@ -1,6 +1,6 @@
---
- name: "3.2.1 | PATCH | Ensure packet redirect sending is disabled"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
Expand All @@ -26,7 +26,7 @@
- name: "3.2.2 | PATCH | Ensure IP forwarding is disabled"
block:
- name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv4 settings"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '0'
sysctl_set: true
Expand All @@ -37,7 +37,7 @@
- sysctl flush ipv4 route table

- name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv6 settings"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: net.ipv6.conf.all.forwarding
value: '0'
sysctl_set: true
22 changes: 11 additions & 11 deletions tasks/section_3/cis_3.3.x.yml
Expand Up @@ -2,7 +2,7 @@
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted"
block:
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 settings"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
Expand All @@ -15,7 +15,7 @@
notify: sysctl flush ipv4 route table

- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 settings"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
Expand All @@ -42,7 +42,7 @@
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted"
block:
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 settings"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
Expand All @@ -55,7 +55,7 @@
notify: sysctl flush ipv4 route table

- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 settings"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
Expand All @@ -79,7 +79,7 @@
- sysctl

- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
Expand All @@ -102,7 +102,7 @@
- sysctl

- name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '1'
sysctl_set: true
Expand All @@ -125,7 +125,7 @@
- sysctl

- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: net.ipv4.icmp_echo_ignore_broadcasts
value: '1'
sysctl_set: true
Expand All @@ -145,7 +145,7 @@
- sysctl

- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: net.ipv4.icmp_ignore_bogus_error_responses
value: '1'
sysctl_set: true
Expand All @@ -165,7 +165,7 @@
- sysctl

- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '1'
sysctl_set: true
Expand All @@ -188,7 +188,7 @@
- sysctl

- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: net.ipv4.tcp_syncookies
value: '1'
sysctl_set: true
Expand All @@ -208,7 +208,7 @@
- sysctl

- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
4 changes: 2 additions & 2 deletions tasks/section_5/cis_5.4.x.yml
Expand Up @@ -86,9 +86,9 @@
- name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | common-auth pam_tally2 opts"
ansible.builtin.lineinfile:
path: /etc/pam.d/common-auth
regexp: '^auth\s+required pam_tally2 .*onerr=fail.*'
regexp: '^auth\s+required pam_tally2.so .*onerr=fail.*'
line: 'auth required pam_tally2.so {{ ubtu20cis_pamtally2_login_opts }}'
insertafter: '^# here are the per-package modules (the "Primary" block)'
insertafter: '^# here are the per-package modules'
when:
- ubtu20cis_rule_5_4_2
tags:
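Review bot: The regexp `'^auth\s+required pam_tally2.so .*onerr=fail.*'` (taking the second of each pair as the new line, since the page shows no +/- markers) still has two weak spots: the `.` in `pam_tally2.so` is unescaped, and only a single literal space is accepted after `required`, so a line aligned with tabs or several spaces is not matched. More importantly the pattern only matches lines that already contain `onerr=fail`; an existing `auth required pam_tally2.so` entry with other options is left in place and lineinfile then inserts a second pam_tally2 line after the `# here are the per-package modules` comment, which is likely to count each failed attempt twice. `regexp: '^auth\s+required\s+pam_tally2\.so\b.*'` matches any existing pam_tally2 auth line regardless of its options and keeps the task idempotent. The task's `when`/`tags` continue past the hunk edge.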
