Merge pull request #85 from ansible-lockdown/issue_84
Issue 84 addressed
uk-bolly authored May 17, 2023
2 parents 767cdc8 + 2b4d547 commit a9ab947
Showing 4 changed files with 19 additions and 27 deletions.
7 changes: 5 additions & 2 deletions Changelog.md
@@ -1,5 +1,10 @@
# Change log for Ubuntu 2004

## V1.0.1 - based upon CIS 1.1.0

thanks to ikthomas
[#84](https://github.com/ansible-lockdown/UBUNTU20-CIS/issues/84)

## v1.0.0

- update galaxy lint requirements
Expand All @@ -17,8 +22,6 @@

## Feb 23 updates - Initial

### based upon CIS 1.1.0

- lint files updated
- ansible version updated
- Lots of lint and standardisation changes
11 changes: 0 additions & 11 deletions defaults/main.yml
Expand Up @@ -396,17 +396,6 @@ ubtu20cis_tmp_fstab_options: "defaults,rw,nosuid,nodev,noexec,relatime"
# To conform to CIS control 1.1.9 noexec needs to be present
ubtu20cis_dev_shm_fstab_options: "defaults,noexec,nodev,nosuid"

# Control 1.1.12/1.1.13/1.1.14
# These are the settings for the /var/tmp mount
# To conform to CIS control 1.1.12 nodev needs to be present in opts
# To conform to CIS control 1.1.13 nosuid needs to be present in opts
# To conform to CIS control 1.1.14 noexec needs to be present in opts
ubtu20cis_vartmp:
source: /tmp
fstype: none
opts: "defaults,nodev,nosuid,noexec,bind"
enabled: false

# Control 1.3.1 - allow aide to be configured
ubtu20cis_config_aide: true

3 changes: 0 additions & 3 deletions handlers/main.yml
Expand Up @@ -3,19 +3,16 @@
- name: remount tmp
ansible.posix.mount:
name: /tmp
src: /tmp
state: remounted

- name: remount dev_shm
ansible.posix.mount:
name: /dev/shm
src: /dev/shm
state: remounted

- name: remount var_tmp
ansible.posix.mount:
name: /var/tmp
src: "{{ ubtu20cis_vartmp['source'] }}"
state: remounted

- name: grub update
25 changes: 14 additions & 11 deletions tasks/section_1/cis_1.1.x.yml
Expand Up @@ -127,24 +127,27 @@
- automated
- audit
- rule_1.1.11
- var/tmp
- var_tmp

- name: |
"1.1.12 | PATCH | Ensure /var/tmp partition includes the nodev option"
"1.1.13 | PATCH | Ensure /var/tmp partition includes the nosuid option"
"1.1.14 | PATCH | Ensure /var/tmp partition includes the noexec option"
ansible.posix.mount:
name: /var/tmp
src: "{{ ubtu20cis_vartmp['source'] }}"
src: "{{ item.device }}"
state: present
fstype: "{{ ubtu20cis_vartmp['fstype'] }}"
opts: "{{ ubtu20cis_vartmp['opts'] }}"
fstype: "{{ item.fstype }}"
opts: "defaults,{% if ubtu20cis_rule_1_1_12 %}nodev,{% endif %}{% if ubtu20cis_rule_1_1_13 %}nosuid,{% endif %}{% if ubtu20cis_rule_1_1_14 %}noexec{% endif %}"
loop: "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
notify: remount var_tmp
when:
- ubtu20cis_rule_1_1_12 or
ubtu20cis_rule_1_1_13 or
ubtu20cis_rule_1_1_14
- ubtu20cis_vartmp['enabled']
- item.mount == '/var/tmp'
tags:
- level1-server
- level1-workstation
Expand All @@ -153,7 +156,7 @@
- rule_1.1.12
- rule_1.1.13
- rule_1.1.14
- var/tmp
- var_tmp

- name: "1.1.15 | AUDIT | Ensure separate partition exists for /var/log"
block:
Expand All @@ -175,7 +178,7 @@
- automated
- audit
- rule_1.1.15
- var/log
- var_log

- name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit"
block:
Expand All @@ -196,7 +199,7 @@
- level2-workstation
- automated
- audit
- var/log/audit
- var_log_audit

- name: "1.1.17 | AUDIT | Ensure separate partition exists for /home"
block:
Expand All @@ -217,7 +220,7 @@
- level2-workstation
- automated
- audit
- /home
- home

- name: "1.1.18 | PATCH | Ensure /home partition includes the nodev option"
ansible.posix.mount:
Expand All @@ -226,7 +229,7 @@
state: mounted
fstype: "{{ item.fstype }}"
opts: "nodev"
with_items: "{{ ansible_mounts }}"
loop: "{{ ansible_mounts }}"
loop_control:
label: "{{ item.device }}"
when:
Expand All @@ -238,7 +241,7 @@
- automated
- patch
- rule_1.1.18
- /home
- home

- name: "1.1.19 | AUDIT | Ensure nodev option set on removable media partitions"
ansible.builtin.debug:
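Review bot: The `opts` template in the 1.1.12–1.1.14 ansible.posix.mount task leaves a trailing comma whenever ubtu20cis_rule_1_1_14 is false but 1.1.12 or 1.1.13 is true (e.g. `defaults,nodev,nosuid,`), and `state: present` writes that string verbatim into fstab. Building the options as a list and joining them avoids the dangling separator: `opts: "{{ (['defaults'] + (['nodev'] if ubtu20cis_rule_1_1_12 else []) + (['nosuid'] if ubtu20cis_rule_1_1_13 else []) + (['noexec'] if ubtu20cis_rule_1_1_14 else [])) | join(',') }}"`. Separately, `src` and `fstype` are now taken from ansible_mounts while `opts` is rebuilt from scratch, so any other options present in the host's existing /var/tmp fstab entry are dropped, and a `UUID=`/`LABEL=` source would presumably be rewritten to the kernel device name from `item.device`, which is not stable across reboots — worth confirming on a host whose fstab uses UUIDs before the `remount var_tmp` handler and the next boot rely on that entry. The 1.1.18 task appears to use the same `item.device` pattern, but its `name`/`src` lines lie outside the shown hunk. The tags list of the 1.1.12–1.1.14 task continues past the end of the first hunk.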

0 comments on commit a9ab947

Please sign in to comment.