From a5fe2190449556da2cf57349960a2cd09731ab3e Mon Sep 17 00:00:00 2001
From: Stephen Williams
Date: Fri, 21 Apr 2023 11:18:25 -0400
Subject: [PATCH] Yamllint Check, Ansible-lint Chek, Module Updates, Bug #73&80 Fixed, Included FIX PR #81
Signed-off-by: Stephen Williams
---
 .yamllint | 46 ++++++++++++-------------
 Changelog.md | 9 +++++
 Vagrantfile | 63 +++++++++++++++++++++++++++++++++++
 defaults/main.yml | 6 ++--
 tasks/main.yml | 5 +--
 tasks/prelim.yml | 1 +
 tasks/section_1/cis_1.5.x.yml | 4 +--
 tasks/section_3/cis_3.2.x.yml | 6 ++--
 tasks/section_3/cis_3.3.x.yml | 22 ++++++------
 tasks/section_5/cis_5.4.x.yml | 4 +--
 10 files changed, 120 insertions(+), 46 deletions(-)
 create mode 100644 Vagrantfile
diff --git a/.yamllint b/.yamllint
index 72ac645b..7dc754f0 100755
--- a/.yamllint
+++ b/.yamllint
@@ -3,26 +3,26 @@ extends: default rules: - braces: {max-spaces-inside: 1, level: error} - brackets: {max-spaces-inside: 1, level: error} - colons: {max-spaces-after: -1, level: error} - commas: {max-spaces-after: -1, level: error} - comments: disable - comments-indentation: disable - document-start: disable - empty-lines: {max: 3, level: error} - hyphens: {level: error} - indentation: - # Requiring 4 space indentation - spaces: 4 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent - key-duplicates: enable - line-length: disable - new-line-at-end-of-file: enable - new-lines: - type: unix - trailing-spaces: enable - truthy: - allowed-values: ['true', 'false'] - check-keys: true + braces: {max-spaces-inside: 1, level: error} + brackets: {max-spaces-inside: 1, level: error} + colons: {max-spaces-after: -1, level: error} + commas: {max-spaces-after: -1, level: error} + comments: disable + comments-indentation: disable + document-start: disable + empty-lines: {max: 3, level: error} + hyphens: {level: error} + indentation: + # Requiring 4 space indentation + spaces: 4 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + key-duplicates: enable + line-length: disable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: true diff --git a/Changelog.md b/Changelog.md index 5723029b..3f50d85f 100644 --- a/Changelog.md +++ b/Changelog.md 
@@ -6,6 +6,15 @@ - license file - ansible version +## April 2023 Updates +- Addressed Bugs + - [#73](https://github.com/ansible-lockdown/UBUNTU20-CIS/issues/73) - Thanks @fnschroeder (Fix Taken From @uk-bolly issue_73 branch) + - [#80](https://github.com/ansible-lockdown/UBUNTU20-CIS/issues/80) - Thanks @kdebisschop +- Added Fixes For Outstanding PR's + - [#81](https://github.com/ansible-lockdown/UBUNTU20-CIS/pull/81) - Thanks @kdebisschop + - Fixed Linting Errors For Yamllint & Ansbile-Lint + - Adjusted Builtin to Posix For sysctl module. + ## Feb 23 updates - Initial ### based upon CIS 1.1.0 diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 00000000..3cd3d7a8 --- /dev/null +++ b/Vagrantfile 
@@ -0,0 +1,63 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : +# All Vagrant configuration is done below. The "2" in Vagrant.configure +# configures the configuration version (we support older styles for +# backwards compatibility). Please don't change it unless you know what +# you're doing. +Vagrant.configure("2") do |config| + # The most common configuration options are documented and commented below. + # For a complete reference, please see the online documentation at + # https://docs.vagrantup.com. + # Every Vagrant development environment requires a box. You can search for + # boxes at https://vagrantcloud.com/search. + # config.vm.box = "nogala/tomcat9" + # config.vm.box = "generic/centos8" + # config.vm.box = "generic/rocky8" + # config.vm.box = "rockylinux/9" + # config.vm.box = "centos/stream8" + # config.vm.box = "generic/rhel8" + # config.vm.box = "generic/rhel7" + # config.vm.box = "bento/ubuntu-18.04" + config.vm.box = "generic/ubuntu2004" + # config.vm.box = “pega-squid/ubuntu-18.04.1-desktop” + # config.vm.box = "/Users/georgen/Documents/Work/TestDelete/BollyImages/virtualbox-centos8-efi.box" + # config.vm.box = "/Users/georgen/Documents/Work/TestDelete/BollyImages/virtualbox-rocky8-efi.box" + # config.vm.box = "generic/centos7" + # config.vm.box = "mindpointgroup/centos8_apache_base" + # config.vm.box = "mindpointgroup/cent8_tomcat9_base" + # config.vm.box = "trueability/esxi-6.7" + # config.vm.network "private_network", ip: "10.42.0.50" + # Windows 10 Below + # config.vm.network "private_network", ip: "192.168.56.2" + # config.vm.synced_folder ".", "/vagrant", type: "virtualbox" + # config.vm.synced_folder "/Users/georgen/Documents/Work/ControlWork/STIG", "/var/tmp", type: "virtualbox" + # config.ssh.username = 'vagrant' + # config.ssh.password = 'vagrant' + # config.vm.provider "virtualbox" do |hw| + # hw.memory = 4096 + # hw.cpus = 2 + # end + config.vm.provision "ansible" do |ansible| + # ansible.playbook = 
"/Users/georgen/Documents/Work/ControlWork/STIG/tomcat-stig/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/POSTGRES-9-STIG/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/Oracle-7/RHEL7-STIG/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/TOMCAT-9-STIG/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/CIS/rhel-8/site.yaml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/STIG/rhel-8-stig/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/CIS/apache-cis/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/CIS/APACHE-2.4-CIS/site.yml" + # ansible.playbook = "playbook_rhel8_stig.yml" + # ansible.playbook = "playbook_rhel8_stig.yml" + # ansible.playbook = "./test_playbook/site.yml" + # ansible.playbook = "update_upgrade.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ClientWork/CBS/1045/RHEL7-CIS/site.yaml" + # ansible.playbook = "/Users/stephenw/Documents/Development/RHEL7-STIG/site.yml" + # ansible.playbook = "/Users/stephenw/Documents/Development/Testing (Ok If Deleted)/RHEL9-CIS/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/ControlWork/temp/RHEL8-STIG-TEST/site.yml" + # ansible.playbook = "/Users/stephenw/Documents/Development/Testing (Ok If Deleted)/UBUNTU18-STIG/site.yml" + # ansible.playbook = "/Users/stephenw/Documents/Development/Testing (Complete)/UBUNTU20-STIG/site.yml" + # ansible.playbook = "/Users/georgen/Documents/Work/TempDelete/pr_233_staging/RHEL7-CIS/site.yml" + ansible.playbook = "/Users/stephenw/Documents/Development/UBUNTU20-CIS/site.yml" + ansible.verbose = "vvvvv" + end +end diff --git a/defaults/main.yml b/defaults/main.yml index cb83c0dc..6b86b9ca 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
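Review bot: The only live `ansible.playbook` value is an absolute path under one developer's home directory (`/Users/stephenw/Documents/Development/UBUNTU20-CIS/site.yml`), so `vagrant up` fails for anyone else who clones this repository; the ansible provisioner resolves relative playbook paths against the Vagrantfile's directory (confirm against the Vagrant docs), so `ansible.playbook = "site.yml"` would work for every checkout. `ansible.verbose = "vvvvv"` is also a risky default for a committed file: at that level Ansible echoes module arguments and variables, which for this role can include the grub and root password hashes carried in defaults/main.yml, so a lower default such as `ansible.verbose = "v"` with extra verbosity left to the command line or ANSIBLE_VERBOSITY is safer. The roughly forty commented-out `config.vm.box` and `ansible.playbook` lines pointing at other people's local paths are dead configuration and could be dropped before the file lands.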
@@ -431,14 +431,14 @@ ubtu20cis_aide_cron: ubtu20cis_set_grub_password: true ubtu20cis_grub_user_file: /etc/grub.d/40_custom ubtu20cis_grub_users: root -ubtu20cis_grub_pw: "grub.pbkdf2.sha512.10000.ChangeMe" +ubtu20cis_grub_pw: "grub.pbkdf2.sha512.10000" # Change the following value to true if you wish to be prompted to get past grub bootloader ubtu20cis_ask_passwd_to_boot: false # 1.4.4 # note this needs to be in the encrypted format ubtu20cis_set_root_password: true -ubtu20cis_root_pw: $6$this_is_needs_to_be_changed +ubtu20cis_root_pw: $6$ # 1.7.1 # disable dynamic motd to stop extra sshd message from appearing @@ -454,7 +454,7 @@ ubtu20cis_warning_banner: | # Control 2.1.1.1 # ubtu20cis_time_sync_tool is the tool in which to synchronize time # The two options are chrony, ntp, or systemd-timesyncd -ubtu20cis_time_sync_tool: "ntp" +ubtu20cis_time_sync_tool: "chrony" # Control 2.1.1.2 # ubtu20cis_ntp_server_list is the list ntp servers diff --git a/tasks/main.yml b/tasks/main.yml index 6b05d568..062d3c55 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -48,7 +48,8 @@ tags: - run_audit -- ansible.builtin.import_tasks: parse_etc_password.yml +- name: Run parse /etc/passwd + ansible.builtin.import_tasks: parse_etc_password.yml when: - ubtu20cis_section5_patch or ubtu20cis_section6_patch @@ -119,7 +120,7 @@ - skip_reboot - name: run post remediation tasks - import_tasks: post.yml + ansible.builtin.import_tasks: post.yml tags: - post_tasks - always diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 461fc4c1..44672b91 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -58,6 +58,7 @@ name: network-manager state: present when: + - wireless_interfaces.stdout is defined - wireless_interfaces.stdout | length > 0 - ubtu20cis_install_network_manager - ubtu20cis_rule_3_1_2 diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 881d941e..b124a6cb 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml 
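Review bot: The replacement defaults `ubtu20cis_grub_pw: "grub.pbkdf2.sha512.10000"` and `ubtu20cis_root_pw: $6$` are truncated hash prefixes rather than placeholders a reader can recognise, and both are applied on a default run because `ubtu20cis_set_grub_password: true` and `ubtu20cis_set_root_password: true` remain a few lines above in this hunk; the old values at least carried a visible "ChangeMe" signal. A grub password field missing its salt and hash components is unlikely to be accepted when the bootloader config is regenerated, and a root hash of `$6$` cannot match any password, so an untouched-defaults run either breaks the grub password step or locks root without the operator noticing (inferred, not verified here). Consider keeping an obviously invalid placeholder and guarding it in prelim, e.g. `ansible.builtin.assert` with `that: ["ubtu20cis_root_pw != '$6$'", "ubtu20cis_grub_pw != 'grub.pbkdf2.sha512.10000'"]` and a fail_msg telling the operator to supply real hashes, conditioned on the two set_* flags.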
@@ -37,7 +37,7 @@ line: 'kernel.randomize_va_space = 2' - name: "1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: kernel.randomize_va_space value: '2' when: @@ -75,7 +75,7 @@ - name: "1.5.4 | PATCH | Ensure core dumps are restricted" block: - name: "1.5.4 | PATCH | Ensure core dumps are restricted | kernel sysctl" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: fs.suid_dumpable value: '0' state: present diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 9b94d821..3b0131be 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -1,6 +1,6 @@ --- - name: "3.2.1 | PATCH | Ensure packet redirect sending is disabled" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '0' sysctl_set: true @@ -26,7 +26,7 @@ - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled" block: - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv4 settings" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: net.ipv4.ip_forward value: '0' sysctl_set: true @@ -37,7 +37,7 @@ - sysctl flush ipv4 route table - name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv6 settings" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: net.ipv6.conf.all.forwarding value: '0' sysctl_set: true diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 078e82be..52f7b16b 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -2,7 +2,7 @@ - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" block: - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 settings" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '0' sysctl_set: true 
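Review bot: Pointing every sysctl task at `ansible.posix.sysctl` makes the role depend on the ansible.posix collection, but the diffstat shows no change to a collections requirements file or to meta/runtime.yml, so a controller with only ansible-core installed will fail at task load with an unresolved module name (unless the collection is already declared somewhere this commit does not touch). The dependency should be declared alongside this change, e.g. a requirements entry `- name: ansible.posix` and a README line, since the Changelog entry only says "Adjusted Builtin to Posix". The same substitution is repeated in the two hunks of cis_1.5.x.yml and the three hunks of cis_3.2.x.yml on this line, in the first hunk of cis_3.3.x.yml here, and in the remaining cis_3.3.x.yml hunks (-15 through -208) on the following lines; this note covers all of them.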
@@ -15,7 +15,7 @@ notify: sysctl flush ipv4 route table - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 settings" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '0' sysctl_set: true @@ -42,7 +42,7 @@ - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" block: - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 settings" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '0' sysctl_set: true @@ -55,7 +55,7 @@ notify: sysctl flush ipv4 route table - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 settings" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '0' sysctl_set: true @@ -79,7 +79,7 @@ - sysctl - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '0' sysctl_set: true @@ -102,7 +102,7 @@ - sysctl - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '1' sysctl_set: true @@ -125,7 +125,7 @@ - sysctl - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: net.ipv4.icmp_echo_ignore_broadcasts value: '1' sysctl_set: true @@ -145,7 +145,7 @@ - sysctl - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: net.ipv4.icmp_ignore_bogus_error_responses value: '1' sysctl_set: true @@ -165,7 +165,7 @@ - sysctl - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '1' sysctl_set: true @@ -188,7 +188,7 @@ - sysctl - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: net.ipv4.tcp_syncookies value: '1' sysctl_set: true 
@@ -208,7 +208,7 @@ - sysctl - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" - ansible.builtin.sysctl: + ansible.posix.sysctl: name: "{{ item }}" value: '0' sysctl_set: true diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index b10d3dfa..d285f41d 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -86,9 +86,9 @@ - name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | common-auth pam_tally2 opts" ansible.builtin.lineinfile: path: /etc/pam.d/common-auth - regexp: '^auth\s+required pam_tally2 .*onerr=fail.*' + regexp: '^auth\s+required pam_tally2.so .*onerr=fail.*' line: 'auth required pam_tally2.so {{ ubtu20cis_pamtally2_login_opts }}' - insertafter: '^# here are the per-package modules (the "Primary" block)' + insertafter: '^# here are the per-package modules' when: - ubtu20cis_rule_5_4_2 tags:
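Review bot: The updated regexp `'^auth\s+required pam_tally2.so .*onerr=fail.*'` still requires exactly one space on each side of `pam_tally2.so` while allowing any whitespace after `auth`, and the `.` in `pam_tally2.so` is unescaped; a common-auth line written with tabs or multiple spaces would not match, and lineinfile would then insert a second `auth required pam_tally2.so` line, so failed-attempt counting would run twice per login (inferred from lineinfile's insert-when-no-match behaviour). `regexp: '^auth\s+required\s+pam_tally2\.so\s+.*onerr=fail.*'` matches the same lines plus the whitespace variants. The relaxed `insertafter: '^# here are the per-package modules'` is fine as long as that comment occurs once in /etc/pam.d/common-auth, as it does in the pam-auth-update generated file. The task's tags list continues outside the hunk.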