From 2ea22512def1efc161622a84db1e1201cdf36692 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 25 Sep 2023 14:07:56 +0100
Subject: [PATCH 1/3] Added file to import_tasks
Signed-off-by: Mark Bolwell
---
tasks/main.yml | 33 ++++++++++++++-------
tasks/post.yml | 3 +-
tasks/pre_remediation_audit.yml | 3 +-
tasks/section_1/cis_1.1.2.x.yml | 3 +-
tasks/section_1/cis_1.1.3.x.yml | 3 +-
tasks/section_1/cis_1.1.4.x.yml | 3 +-
tasks/section_1/cis_1.1.5.x.yml | 3 +-
tasks/section_1/cis_1.1.6.x.yml | 3 +-
tasks/section_1/cis_1.1.7.x.yml | 3 +-
tasks/section_1/cis_1.3.x.yml | 6 ++--
tasks/section_1/cis_1.6.x.yml | 6 ++--
tasks/section_1/main.yml | 51 ++++++++++++++++++++++-----------
tasks/section_2/cis_2.2.x.yml | 3 +-
tasks/section_2/cis_2.4.yml | 3 +-
tasks/section_2/main.yml | 21 +++++++++-----
tasks/section_3/cis_3.4.1.x.yml | 3 +-
tasks/section_3/cis_3.4.2.x.yml | 24 ++++++++++------
tasks/section_3/cis_3.4.3.x.yml | 3 +-
tasks/section_3/main.yml | 18 ++++++++----
tasks/section_4/cis_4.4.x.yml | 3 +-
tasks/section_4/cis_4.5.1.x.yml | 3 +-
tasks/section_4/main.yml | 18 ++++++++----
tasks/section_5/cis_5.1.1.x.yml | 3 +-
tasks/section_5/cis_5.1.2.x.yml | 3 +-
tasks/section_5/main.yml | 24 ++++++++++------
tasks/section_6/cis_6.1.x.yml | 12 +++++---
tasks/section_6/cis_6.2.x.yml | 27 +++++++++++------
tasks/section_6/main.yml | 6 ++--
28 files changed, 196 insertions(+), 98 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 2083b7e0..84f0f93c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -81,20 +81,23 @@ - always - name: Import preliminary tasks - ansible.builtin.import_tasks: prelim.yml + ansible.builtin.import_tasks: + file: prelim.yml tags: - prelim_tasks - run_audit - name: Run pre remediation audit tasks - ansible.builtin.import_tasks: pre_remediation_audit.yml + ansible.builtin.import_tasks: + file: pre_remediation_audit.yml when: - run_audit tags: - run_audit - name: Run parse /etc/passwd - ansible.builtin.import_tasks: parse_etc_password.yml + ansible.builtin.import_tasks: + file: parse_etc_password.yml when: - ubtu20cis_section5_patch or ubtu20cis_section6_patch @@ -106,42 +109,48 @@ - always - name: Include section 1 patches - ansible.builtin.import_tasks: section_1/main.yml + ansible.builtin.import_tasks: + file: section_1/main.yml when: - ubtu20cis_section1_patch tags: - section1 - name: Include section 2 patches - ansible.builtin.import_tasks: section_2/main.yml + ansible.builtin.import_tasks: + file: section_2/main.yml when: - ubtu20cis_section2_patch tags: - section2 - name: Include section 3 patches - ansible.builtin.import_tasks: section_3/main.yml + ansible.builtin.import_tasks: + file: section_3/main.yml when: - ubtu20cis_section3_patch tags: - section3 - name: Include section 4 patches - ansible.builtin.import_tasks: section_4/main.yml + ansible.builtin.import_tasks: + file: section_4/main.yml when: - ubtu20cis_section4_patch tags: - section4 - name: Include section 5 patches - ansible.builtin.import_tasks: section_5/main.yml + ansible.builtin.import_tasks: + file: section_5/main.yml when: - ubtu20cis_section5_patch tags: - section5 - name: Include section 6 patches - ansible.builtin.import_tasks: section_6/main.yml + ansible.builtin.import_tasks: + file: section_6/main.yml when: - ubtu20cis_section6_patch tags: 
@@ -151,13 +160,15 @@ ansible.builtin.meta: flush_handlers - name: run post remediation tasks - ansible.builtin.import_tasks: post.yml + ansible.builtin.import_tasks: + file: post.yml tags: - post_tasks - always - name: Run post audit - ansible.builtin.import_tasks: post_remediation_audit.yml + ansible.builtin.import_tasks: + file: post_remediation_audit.yml when: - run_audit diff --git a/tasks/post.yml b/tasks/post.yml index 53ff7315..61b0abde 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -21,7 +21,8 @@ - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: - change_requires_reboot - skip_reboot diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 9ea9e58a..d0882f33 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,7 +1,8 @@ --- - name: Audit Binary Setup | Setup the LE audit - ansible.builtin.import_tasks: LE_audit_setup.yml + ansible.builtin.import_tasks: + file: LE_audit_setup.yml when: - setup_audit tags: diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index d3b03846..bc250e4b 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.2.1 | WARN | Ensure /tmp is a separate partition | warn_count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.2.1' required_mount: '/tmp' diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index c959abea..1cf0e63c 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml 
@@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.3.1 | WARN | Ensure separate partition exists for /var | warn_count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.3.1' required_mount: '/var' diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index f5ac21a1..0cf2afde 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.4.1 | WARN | Ensure separate partition exists for /var/tmp | warn_count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.4.1' required_mount: '/var/tmp' diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index e6abba62..0a609b6c 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.5.1 | WARN | Ensure separate partition exists for /var/log | warn_count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.5.1' required_mount: '/var/log' diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 567368cc..2fc1fa3d 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.6.1 | WARN | Ensure separate partition exists for /var/log/audit | warn_count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.6.1' required_mount: '/var/log/audit' 
diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 6decf9fd..6faf7152 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.7.1 | WARN | Ensure separate partition exists for /home | warn_count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.7.1' required_mount: '/home' diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index db90a218..aaea44bd 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -31,7 +31,8 @@ - "{{ ubtu20cis_1_3_2_apt_policy.stdout_lines }}" - name: "1.3.2 | AUDIT | Ensure package manager repositories are configured | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.3.2' when: @@ -62,7 +63,8 @@ - "{{ ubtu20cis_1_3_3_apt_gpgkeys.stdout_lines }}" - name: "1.3.3 | AUDIT | Ensure GPG keys are configured | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.3.3' when: diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index ca897d0d..53fa9d3a 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -70,7 +70,8 @@ when: ubtu20cis_rule_1_6_1_3_apparmor_unconfined.stdout != '0' - name: "1.6.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain mode | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: ubtu20cis_rule_1_6_1_3_apparmor_unconfined.stdout != '0' vars: warn_control_id: '1.6.1.3' 
@@ -99,7 +100,8 @@ when: ubtu20cis_rule_1_6_1_4_apparmor_enforced.stdout != '0' - name: "1.6.1.4 | AUDIT | Ensure all AppArmor Profiles are enforcing | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: ubtu20cis_rule_1_6_1_4_apparmor_enforced.stdout != '0' vars: diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index f7d9203c..b089bb23 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
@@ -1,51 +1,68 @@ --- - name: "SECTION | 1.1.1 | Disable Unused Filesystems" - ansible.builtin.import_tasks: cis_1.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.1.x.yml - name: "SECTION | 1.1.2 | Configure /tmp" - ansible.builtin.import_tasks: cis_1.1.2.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.2.x.yml - name: "SECTION | 1.1.3 | Configure /var" - ansible.builtin.import_tasks: cis_1.1.3.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.3.x.yml - name: "SECTION | 1.1.4 | Configure /var/tmp" - ansible.builtin.import_tasks: cis_1.1.4.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.4.x.yml - name: "SECTION | 1.1.5 | Configure /var/log" - ansible.builtin.import_tasks: cis_1.1.5.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.5.x.yml - name: "SECTION | 1.1.6 | Configure /var/log/audit" - ansible.builtin.import_tasks: cis_1.1.6.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.6.x.yml - name: "SECTION | 1.1.7 | Configure /home" - ansible.builtin.import_tasks: cis_1.1.7.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.7.x.yml - name: "SECTION | 1.1.8 | Configure /dev/shm" - ansible.builtin.import_tasks: cis_1.1.8.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.8.x.yml - name: "SECTION | 1.1.9 | Configure autofs" - ansible.builtin.import_tasks: cis_1.1.9.yml + ansible.builtin.import_tasks: + file: cis_1.1.9.yml - name: "SECTION | 1.1.10 | Configure usb-storage" - ansible.builtin.import_tasks: cis_1.1.10.yml + ansible.builtin.import_tasks: + file: cis_1.1.10.yml - name: "SECTION | 1.2 | Filesystem Integrity Checking" - ansible.builtin.import_tasks: cis_1.2.x.yml + ansible.builtin.import_tasks: + file: cis_1.2.x.yml - name: "SECTION | 1.3. 
| gpg and repository configuration" - ansible.builtin.import_tasks: cis_1.3.x.yml + ansible.builtin.import_tasks: + file: cis_1.3.x.yml - name: "SECTION | 1.4 | Secure Boot Settings" - ansible.builtin.import_tasks: cis_1.4.x.yml + ansible.builtin.import_tasks: + file: cis_1.4.x.yml - name: "SECTION | 1.5 | Additional Process Hardening" - ansible.builtin.import_tasks: cis_1.5.x.yml + ansible.builtin.import_tasks: + file: cis_1.5.x.yml - name: "SECTION | 1.6 | Mandatory Access Control" - ansible.builtin.import_tasks: cis_1.6.x.yml + ansible.builtin.import_tasks: + file: cis_1.6.x.yml - name: "SECTION | 1.7 | Command Line Warning Banners" - ansible.builtin.import_tasks: cis_1.7.x.yml + ansible.builtin.import_tasks: + file: cis_1.7.x.yml - name: "SECTION | 1.8 | GNOME Display Manager" - ansible.builtin.import_tasks: cis_1.8.x.yml + ansible.builtin.import_tasks: + file: cis_1.8.x.yml diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 5b0be52a..26301f5c 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -309,7 +309,8 @@ - "'postfix' not in ansible_facts.packages" - name: "2.2.16 | WARN | Ensure mail transfer agent is configured for local-only mode | warn_count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: - "'exim4' not in ansible_facts.packages" - "'postfix' not in ansible_facts.packages" diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 42b1e6b5..cef9445f 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -17,7 +17,8 @@ when: ubtu20cis_2_3_services.stdout | length > 0 - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Set warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: ubtu20cis_2_3_services.stdout | length > 0 vars: warn_control_id: '2.4' 
diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 95021fef..741d0e53 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,24 +1,31 @@ --- - name: "SECTION | 2.1.1 | Configure Time Synchronization" - ansible.builtin.import_tasks: cis_2.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_2.1.1.x.yml - name: "SECTION | 2.1.2 | Configure chrony" - ansible.builtin.import_tasks: cis_2.1.2.x.yml + ansible.builtin.import_tasks: + file: cis_2.1.2.x.yml when: ubtu20cis_time_sync_tool == "chrony" - name: "SECTION | 2.1.3 | Configure systemd-timesyncd" - ansible.builtin.import_tasks: cis_2.1.3.x.yml + ansible.builtin.import_tasks: + file: cis_2.1.3.x.yml when: ubtu20cis_time_sync_tool == "systemd-timesyncd" - name: "SECTION | 2.1.4 | Configure NTP" - ansible.builtin.import_tasks: cis_2.1.4.x.yml + ansible.builtin.import_tasks: + file: cis_2.1.4.x.yml when: ubtu20cis_time_sync_tool == "ntp" - name: "SECTION | 2.2 | Special Purpose Services" - ansible.builtin.import_tasks: cis_2.2.x.yml + ansible.builtin.import_tasks: + file: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" - ansible.builtin.import_tasks: cis_2.3.x.yml + ansible.builtin.import_tasks: + file: cis_2.3.x.yml - name: "SECTION | 2.4 | Ensure nonessential services are removed or masked" - ansible.builtin.import_tasks: cis_2.4.yml + ansible.builtin.import_tasks: + file: cis_2.4.yml diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 76f598f5..eaaf5138 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -144,7 +144,8 @@ - "{{ ubtu20cis_3_4_1_6_firewall_rules.stdout_lines }}" - name: "3.4.1.6 | AUDIT | Ensure ufw firewall rules exist for all open ports | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.4.1.6' 
diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index f03538f0..de1d6f26 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -43,7 +43,8 @@ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - name: "3.4.2.3 | AUDIT | Ensure iptables are flushed with nftables | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.4.2.3 NFTables changes not supported' when: @@ -64,7 +65,8 @@ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - name: "3.4.2.4 | AUDIT | Ensure a nftables table exists | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.4.2.4 NFTables changes not supported' when: @@ -85,7 +87,8 @@ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - name: "3.4.2.5 | AUDIT | Ensure nftables base chains exist | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.4.2.5 NFTables changes not supported' when: @@ -106,7 +109,8 @@ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - name: "3.4.2.6 | AUDIT | Ensure nftables loopback traffic is configured | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.4.2.6 NFTables changes not supported' when: 
@@ -127,7 +131,8 @@ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - name: "3.4.2.7 | AUDIT | Ensure nftables outbound and established connections are configured | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.4.2.7 NFTables changes not supported' when: @@ -148,7 +153,8 @@ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - name: "3.4.2.8 | AUDIT | Ensure nftables default deny firewall policy | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.4.2.8 NFTables changes not supported' when: @@ -169,7 +175,8 @@ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - name: "3.4.2.9 | AUDIT | Ensure nftables service is enabled | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.4.2.9 NFTables changes not supported' when: @@ -190,7 +197,8 @@ msg: "Warning!! NFTables is not supported in this role. Please use UFW, iptables, or manually manage nftables" - name: "3.4.2.10 | AUDIT | Ensure nftables rules are permanent | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.4.2.10 NFTables changes not supported' when: diff --git a/tasks/section_3/cis_3.4.3.x.yml b/tasks/section_3/cis_3.4.3.x.yml index 077346fa..ec37545e 100644 --- a/tasks/section_3/cis_3.4.3.x.yml +++ b/tasks/section_3/cis_3.4.3.x.yml 
@@ -337,7 +337,8 @@ - "{{ ubtu20cis_3_4_3_3_4_current_rules.stdout_lines }}" - name: "3.4.3.3.4 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '3.4.3.3.4' when: diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 97a37743..d3436ec1 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml @@ -1,24 +1,30 @@ --- - name: "SECTION | 3.1 | Disable unused network protocols and devices" - ansible.builtin.import_tasks: cis_3.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.1.x.yml - name: "SECTION | 3.2 | Network Parameters Host Only" - ansible.builtin.import_tasks: cis_3.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.2.x.yml - name: "SECTION | 3.3 | Network Parameters Host and Router" - ansible.builtin.import_tasks: cis_3.3.x.yml + ansible.builtin.import_tasks: + file: cis_3.3.x.yml - name: "SECTION | 3.4.1 | Firewall Configuration UFW" - ansible.builtin.import_tasks: cis_3.4.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.4.1.x.yml when: - ubtu20cis_firewall_package == "ufw" - name: "SECTION | 3.4.2 | Firewall Configuration nftables" - ansible.builtin.import_tasks: cis_3.4.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.4.2.x.yml when: - ubtu20cis_firewall_package == "nftables" - name: "SECTION | 3.4.3 | Firewall Configuration iptables" - ansible.builtin.import_tasks: cis_3.4.3.x.yml + ansible.builtin.import_tasks: + file: cis_3.4.3.x.yml when: - ubtu20cis_firewall_package == "iptables" diff --git a/tasks/section_4/cis_4.4.x.yml b/tasks/section_4/cis_4.4.x.yml index 260587b1..1b0b30ce 100644 --- a/tasks/section_4/cis_4.4.x.yml +++ b/tasks/section_4/cis_4.4.x.yml 
@@ -187,7 +187,8 @@ when: "' $6$' not in ubtu20cis_4_4_5_passwd_hash_used.stdout" - name: "4.4.5 | WARN | Ensure all current passwords uses the configured hashing algorithm | warn_count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: "' $6$' not in ubtu20cis_4_4_5_passwd_hash_used.stdout" vars: warn_control_id: '4.4.5' diff --git a/tasks/section_4/cis_4.5.1.x.yml b/tasks/section_4/cis_4.5.1.x.yml index ab877fef..151b0ebd 100644 --- a/tasks/section_4/cis_4.5.1.x.yml +++ b/tasks/section_4/cis_4.5.1.x.yml @@ -145,7 +145,8 @@ when: ubtu20cis_4_5_1_5_user_list.stdout | length > 0 - name: "4.5.1.5 | PATCH | Ensure all users last password change date is in the past | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: ubtu20cis_4_5_1_5_user_list.stdout | length > 0 - name: "4.5.1.5 | PATCH | Ensure all users last password change date is in the past | Lock accounts with future PW changed dates" diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 08afefa9..8557973c 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml 
@@ -1,18 +1,24 @@ --- - name: "SECTION | 4.1 | Configure job based time schedulers" - ansible.builtin.import_tasks: cis_4.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.x.yml - name: "SECTION | 4.2 | Configure SSH Server" - ansible.builtin.import_tasks: cis_4.2.x.yml + ansible.builtin.import_tasks: + file: cis_4.2.x.yml - name: "SECTION | 4.3 | Configure Privilege escalations" - ansible.builtin.import_tasks: cis_4.3.x.yml + ansible.builtin.import_tasks: + file: cis_4.3.x.yml - name: "SECTION | 4.4 | Configure PAM" - ansible.builtin.import_tasks: cis_4.4.x.yml + ansible.builtin.import_tasks: + file: cis_4.4.x.yml - name: "SECTION | 4.5.1.x | User Accounts and Environment | Shadow Suite" - ansible.builtin.import_tasks: cis_4.5.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.5.1.x.yml - name: "SECTION | 4.5.x | User Accounts and Environment | password params" - ansible.builtin.import_tasks: cis_4.5.x.yml + ansible.builtin.import_tasks: + file: cis_4.5.x.yml diff --git a/tasks/section_5/cis_5.1.1.x.yml b/tasks/section_5/cis_5.1.1.x.yml index f39787c3..37fdba79 100644 --- a/tasks/section_5/cis_5.1.1.x.yml +++ b/tasks/section_5/cis_5.1.1.x.yml @@ -9,7 +9,8 @@ failed_when: ubtu20cis_5_1_1_2_journald_enabled.rc not in [ 0, 1, 2 ] - name: "5.1.1.2 | Ensure journald service is enabled | warn count if not as expected" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: "'static' not in ubtu20cis_5_1_1_2_journald_enabled.stdout" vars: warn_control_id: '5.1.1.2' diff --git a/tasks/section_5/cis_5.1.2.x.yml b/tasks/section_5/cis_5.1.2.x.yml index ca62a624..4db266f2 100644 --- a/tasks/section_5/cis_5.1.2.x.yml +++ b/tasks/section_5/cis_5.1.2.x.yml 
@@ -111,7 +111,8 @@ when: ubtu20cis_rsyslog_ansible_managed - name: "5.1.2.5 | AUDIT | Ensure logging is configured | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: not ubtu20cis_rsyslog_ansible_managed vars: warn_control_id: '5.1.2.5' diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index e9815ad3..44392380 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -1,30 +1,38 @@ --- - name: "SECTION | 5.1.1.1 | Configure journald remote" - ansible.builtin.import_tasks: cis_5.1.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.1.1.1.x.yml when: - ubtu20cis_syslog_service == 'journald' - name: "SECTION | 5.1.1 | Configure journald remote" - ansible.builtin.import_tasks: cis_5.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.1.1.x.yml when: - ubtu20cis_syslog_service == 'journald' - name: "SECTION | 5.1.2 | Configure rsyslog" - ansible.builtin.import_tasks: cis_5.1.2.x.yml + ansible.builtin.import_tasks: + file: cis_5.1.2.x.yml when: - ubtu20cis_syslog_service == 'rsyslog' - name: "SECTION | 5.1.3 | Configure logfiles" - ansible.builtin.import_tasks: cis_5.1.3.yml + ansible.builtin.import_tasks: + file: cis_5.1.3.yml - name: "SECTION | 5.2.1.x | Configure auditd" - ansible.builtin.import_tasks: cis_5.2.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.1.x.yml - name: "SECTION | 5.2.2.x | Configure auditd data retention" - ansible.builtin.import_tasks: cis_5.2.2.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.2.x.yml - name: "SECTION | 5.2.3.x | Configure auditd rules" - ansible.builtin.import_tasks: cis_5.2.3.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.3.x.yml - name: "SECTION | 5.2.4.x | Configure auditd file access" - ansible.builtin.import_tasks: cis_5.2.4.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.4.x.yml diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index ebfee008..25ca4c06 100644 
--- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -250,7 +250,8 @@ - ubtu20cis_6_1_12_no_user_items_flatten | length > 0 - name: "6.1.12 | AUDIT | Ensure no unowned or ungrouped files or directories exist | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: - not ubtu20cis_no_owner_adjust - ubtu20cis_6_1_12_no_user_items_flatten | length > 0 @@ -293,7 +294,8 @@ - ubtu20cis_6_1_12_ungrouped_items_flatten | length > 0 - name: "6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: - not ubtu20cis_no_group_adjust - ubtu20cis_6_1_12_ungrouped_items_flatten | length > 0 @@ -347,7 +349,8 @@ - ubtu20cis_6_1_13_suid_executables_flatten | length > 0 - name: "6.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | SUID Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: - ubtu20cis_6_1_13_suid_executables_flatten | length > 0 - not ubtu20cis_suid_adjust @@ -380,7 +383,8 @@ - not ubtu20cis_sgid_adjust - name: "6.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | SGID Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: - ubtu20cis_6_1_13_sgid_executables_flatten | length > 0 - not ubtu20cis_sgid_adjust diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 1a757c79..672791a7 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
@@ -14,7 +14,8 @@ - "{{ ubtu20cis_6_2_1_nonshadowed_users.stdout_lines }}" - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: - ubtu20cis_6_2_1_nonshadowed_users.stdout | length > 0 vars: @@ -70,7 +71,8 @@ when: ubtu20cis_6_2_3_passwd_gid_check.stdout | length > 0 - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: ubtu20cis_6_2_3_passwd_gid_check.stdout | length > 0 vars: warn_control_id: '6.2.3' @@ -98,7 +100,8 @@ when: getent_group.shadow[2] | length > 0 - name: "6.2.4 | AUDIT | Ensure shadow group is empty | check users in group" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: getent_group.shadow[2] | length > 0 vars: warn_control_id: '6.2.4' @@ -122,7 +125,8 @@ register: ubtu20cis_6_2_5_user_uid_check - name: "6.2.5 | AUDIT | Ensure no duplicate UIDs exist | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: ubtu20cis_6_2_5_user_uid_check.stdout | length > 0 - name: "6.2.5 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" @@ -156,7 +160,8 @@ when: ubtu20cis_6_2_6_user_username_check.stdout | length > 0 - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: ubtu20cis_6_2_6_user_username_check.stdout | length > 0 vars: warn_control_id: '6.2.6' 
@@ -185,7 +190,8 @@ when: ubtu20cis_6_2_7_user_username_check.stdout | length > 0 - name: "6.2.7 | AUDIT | Ensure no duplicate user names exist | Set warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: ubtu20cis_6_2_7_user_username_check.stdout | length > 0 vars: warn_control_id: '6.2.7' @@ -214,7 +220,8 @@ when: ubtu20cis_6_2_8_group_group_check.stdout | length > 0 - name: "6.2.8 | AUDIT | Ensure no duplicate group names exist | Set warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: ubtu20cis_6_2_8_group_group_check.stdout | length > 0 vars: warn_control_id: '6.2.8' @@ -268,7 +275,8 @@ with_items: "{{ ubtu20cis_rule_6_2_9_dot_in_path.stdout_lines }}" - name: "6.2.9 | AUDIT | Ensure root PATH Integrity | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: ubtu20cis_rule_6_2_9_dot_in_path.stdout | length > 0 vars: warn_control_id: '6.2.9' @@ -314,7 +322,8 @@ - ubtu20cis_6_2_10_uid_0_notroot.stdout | length > 0 - name: "6.2.10 | AUDIT | Ensure root is the only UID 0 account | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml when: - ubtu20cis_disruption_high - ubtu20cis_6_2_10_uid_0_notroot.stdout | length > 0 diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index 61c4cb21..9a01d99b 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -1,6 +1,8 @@ --- - name: "SECTION | 6.1 | System File Permissions" - ansible.builtin.import_tasks: cis_6.1.x.yml + ansible.builtin.import_tasks: + file: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - ansible.builtin.import_tasks: cis_6.2.x.yml + ansible.builtin.import_tasks: + file: cis_6.2.x.yml From a10cea0eb4bf7c9e3480dfd5f6e0285f9c127976 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell
Date: Mon, 25 Sep 2023 14:10:09 +0100
Subject: [PATCH 2/3] addressed issue #88
Signed-off-by: Mark Bolwell
---
tasks/section_1/cis_1.4.x.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
index 41774164..2b9dc503 100644
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@@ -9,6 +9,7 @@
line: '\1 {{ ubtu20cis_bootloader_password_hash }}' insertafter: set superusers="{{ ubtu20cis_grub_user }}" state: present
+ create: true
notify: Grub update - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot"
From 0d89c976690f3f3b4fe32d9370a3f502dc6b6890 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 25 Sep 2023 14:30:57 +0100
Subject: [PATCH 3/3] removed exccess comment on warnvar
Signed-off-by: Mark Bolwell
---
tasks/section_3/cis_3.4.2.x.yml | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml
index de1d6f26..71f55d83 100644
--- a/tasks/section_3/cis_3.4.2.x.yml
+++ b/tasks/section_3/cis_3.4.2.x.yml
@@ -46,7 +46,7 @@
ansible.builtin.import_tasks: file: warning_facts.yml vars:
- warn_control_id: '3.4.2.3 NFTables changes not supported'
+ warn_control_id: '3.4.2.3'
when: - ubtu20cis_rule_3_4_2_3 - ubtu20cis_firewall_package == "nftables"
@@ -68,7 +68,7 @@
ansible.builtin.import_tasks: file: warning_facts.yml vars:
- warn_control_id: '3.4.2.4 NFTables changes not supported'
+ warn_control_id: '3.4.2.4'
when: - ubtu20cis_rule_3_4_2_4 - ubtu20cis_firewall_package == "nftables"
@@ -90,7 +90,7 @@
ansible.builtin.import_tasks: file: warning_facts.yml vars:
- warn_control_id: '3.4.2.5 NFTables changes not supported'
+ warn_control_id: '3.4.2.5'
when: - ubtu20cis_rule_3_4_2_5 - ubtu20cis_firewall_package == "nftables"
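Review bot: `create: true` will not insert the password line on a missing file if this 1.4.1 lineinfile task also sets `backrefs: true`, which the `\1` backreference in `line:` suggests; with backrefs, lineinfile only rewrites lines that already match `regexp` and ignores `insertafter`, so the file is created empty and the bootloader password silently stays unset with no task failure. The task's head (`path`, `regexp`, `backrefs`) is outside the hunk, so this needs confirming against the full task; if it holds, the missing-file case needs a separate task that writes the complete superuser and password lines rather than a backreference rewrite. A file created by this task also gets the module's default permissions, and it carries the bootloader password hash, so `mode:` (and `owner:`/`group:`) should be set explicitly alongside `create: true` instead of relying on a later permissions control to tighten it.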
@@ -112,7 +112,7 @@ ansible.builtin.import_tasks: file: warning_facts.yml vars: - warn_control_id: '3.4.2.6 NFTables changes not supported' + warn_control_id: '3.4.2.6' when: - ubtu20cis_rule_3_4_2_6 - ubtu20cis_firewall_package == "nftables" @@ -134,7 +134,7 @@ ansible.builtin.import_tasks: file: warning_facts.yml vars: - warn_control_id: '3.4.2.7 NFTables changes not supported' + warn_control_id: '3.4.2.7' when: - ubtu20cis_rule_3_4_2_7 - ubtu20cis_firewall_package == "nftables" @@ -156,7 +156,7 @@ ansible.builtin.import_tasks: file: warning_facts.yml vars: - warn_control_id: '3.4.2.8 NFTables changes not supported' + warn_control_id: '3.4.2.8' when: - ubtu20cis_rule_3_4_2_8 - ubtu20cis_firewall_package == "nftables" @@ -178,7 +178,7 @@ ansible.builtin.import_tasks: file: warning_facts.yml vars: - warn_control_id: '3.4.2.9 NFTables changes not supported' + warn_control_id: '3.4.2.9' when: - ubtu20cis_rule_3_4_2_9 - ubtu20cis_firewall_package == "nftables" @@ -200,7 +200,7 @@ ansible.builtin.import_tasks: file: warning_facts.yml vars: - warn_control_id: '3.4.2.10 NFTables changes not supported' + warn_control_id: '3.4.2.10' when: - ubtu20cis_rule_3_4_2_10 - ubtu20cis_firewall_package == "nftables"