From 3467f7634da60cae99cd136a128bdce13d3bc9d0 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 17 May 2023 11:32:21 +0100
Subject: [PATCH 1/4] removed src for remount as not required
Signed-off-by: Mark Bolwell
---
handlers/main.yml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index a853c554..a4ac7add 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -3,19 +3,16 @@ - name: remount tmp ansible.posix.mount: name: /tmp - src: /tmp state: remounted - name: remount dev_shm ansible.posix.mount: name: /dev/shm - src: /dev/shm state: remounted - name: remount var_tmp ansible.posix.mount: name: /var/tmp - src: "{{ ubtu20cis_vartmp['source'] }}" state: remounted - name: grub update
From a07ce8809cbf5299e203008165b1264647bf9db3 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 17 May 2023 11:32:38 +0100
Subject: [PATCH 2/4] tidy up control 1.1.12-14
Signed-off-by: Mark Bolwell
---
defaults/main.yml | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index cb83c0dc..ebe1bb8f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -396,17 +396,6 @@ ubtu20cis_tmp_fstab_options: "defaults,rw,nosuid,nodev,noexec,relatime" # To conform to CIS control 1.1.9 noexec needs to be present ubtu20cis_dev_shm_fstab_options: "defaults,noexec,nodev,nosuid" -# Control 1.1.12/1.1.13/1.1.14 -# These are the settings for the /var/tmp mount -# To conform to CIS control 1.1.12 nodev needs to be present in opts -# To conform to CIS control 1.1.13 nosuid needs to be present in opts -# To conform to CIS control 1.1.14 noexec needs to be present in opts -ubtu20cis_vartmp: - source: /tmp - fstype: none - opts: "defaults,nodev,nosuid,noexec,bind" - enabled: false - # Control 1.3.1 - allow aide to be configured ubtu20cis_config_aide: true
From 422a69578795497ccfae5f98e3aeb620054d5a93 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 17 May 2023 11:33:05 +0100
Subject: [PATCH 3/4] fix tags and 1.1.12-14 control
Signed-off-by: Mark Bolwell
---
tasks/section_1/cis_1.1.x.yml | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml
index 62560760..71fd2375 100644
--- a/tasks/section_1/cis_1.1.x.yml
+++ b/tasks/section_1/cis_1.1.x.yml
@@ -127,7 +127,7 @@ - automated - audit - rule_1.1.11 - - var/tmp + - var_tmp - name: | "1.1.12 | PATCH | Ensure /var/tmp partition includes the nodev option"
@@ -135,16 +135,19 @@ "1.1.14 | PATCH | Ensure /var/tmp partition includes the noexec option" ansible.posix.mount: name: /var/tmp - src: "{{ ubtu20cis_vartmp['source'] }}" + src: "{{ item.device }}" state: present - fstype: "{{ ubtu20cis_vartmp['fstype'] }}" - opts: "{{ ubtu20cis_vartmp['opts'] }}" + fstype: "{{ item.fstype }}" + opts: "defaults,{% if ubtu20cis_rule_1_1_12 %}nodev,{% endif %}{% if ubtu20cis_rule_1_1_13 %}nosuid,{% endif %}{% if ubtu20cis_rule_1_1_14 %}noexec{% endif %}" + loop: "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" notify: remount var_tmp when: - ubtu20cis_rule_1_1_12 or ubtu20cis_rule_1_1_13 or ubtu20cis_rule_1_1_14 - - ubtu20cis_vartmp['enabled'] + - item.mount == '/var/tmp' tags: - level1-server - level1-workstation
@@ -153,7 +156,7 @@ - rule_1.1.12 - rule_1.1.13 - rule_1.1.14 - - var/tmp + - var_tmp - name: "1.1.15 | AUDIT | Ensure separate partition exists for /var/log" block:
@@ -175,7 +178,7 @@ - automated - audit - rule_1.1.15 - - var/log + - var_log - name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit" block:
@@ -196,7 +199,7 @@ - level2-workstation - automated - audit - - var/log/audit + - var_log_audit - name: "1.1.17 | AUDIT | Ensure separate partition exists for /home" block:
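Review bot: The `+ opts:` line in the `@@ -135,16 +135,19 @@` hunk yields a trailing comma whenever rule 1.1.14 is disabled but 1.1.12 or 1.1.13 is enabled (`defaults,nodev,nosuid,`), and it discards any options the existing /var/tmp entry already carries, since `item.options` from `ansible_mounts` is never read; building a list and joining it avoids the dangling comma, e.g. `opts: "{{ (['defaults'] + (['nodev'] if ubtu20cis_rule_1_1_12 else []) + (['nosuid'] if ubtu20cis_rule_1_1_13 else []) + (['noexec'] if ubtu20cis_rule_1_1_14 else [])) | join(',') }}"`. A larger concern is that `src: "{{ item.device }}"` and `fstype: "{{ item.fstype }}"` are taken from the live mount table: when /var/tmp is a bind mount of /tmp (the layout the removed `ubtu20cis_vartmp` default supported via `bind` in its opts), I believe `ansible_mounts` reports the backing block device and its real filesystem type, so the fstab entry written with `state: present` would mount that whole device at /var/tmp on the next boot instead of preserving the bind — this needs verifying on a bind-mounted host before merging. With `item.mount == '/var/tmp'` as the only selector, hosts where /var/tmp is not a separate mount now skip the task silently, so controls 1.1.12–1.1.14 are neither enforced nor reported there; a preceding check that warns or fails when no /var/tmp mount is present would keep that gap visible. The task's `- name:` begins in the previous hunk and its `tags:` list continues in the next one.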
@@ -217,7 +220,7 @@ - level2-workstation - automated - audit - - /home + - home - name: "1.1.18 | PATCH | Ensure /home partition includes the nodev option" ansible.posix.mount:
@@ -226,7 +229,7 @@ state: mounted fstype: "{{ item.fstype }}" opts: "nodev" - with_items: "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" when:
@@ -238,7 +241,7 @@ - automated - patch - rule_1.1.18 - - /home + - home - name: "1.1.19 | AUDIT | Ensure nodev option set on removable media partitions" ansible.builtin.debug:
From 2b4d5471192039841e28c04bd6dfe999bf64037d Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 17 May 2023 11:37:33 +0100
Subject: [PATCH 4/4] updated
Signed-off-by: Mark Bolwell
---
Changelog.md | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 5723029b..d14c4b9e 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,10 @@ # Change log for Ubuntu 2004 +## V1.0.1 - based upon CIS 1.1.0 + +thanks to ikthomas +[#84](https://github.com/ansible-lockdown/UBUNTU20-CIS/issues/84) + ## v1.0.0 - update galaxy lint requirements
@@ -8,8 +13,6 @@ ## Feb 23 updates - Initial -### based upon CIS 1.1.0 - - lint files updated - ansible version updated - Lots of lint and standardisation changes