Merge pull request #83 from ansible-lockdown/mrsteve_april_2023_fixes
Yamllint Check, Ansible-lint Chek, Module Updates, Bug #73&80 Fixed, Included FIX PR #81
MrSteve81 authored Apr 27, 2023
2 parents 92aadf6 + 976cc8c commit d56428b
Showing 10 changed files with 62 additions and 49 deletions.
46 changes: 23 additions & 23 deletions .yamllint
Expand Up @@ -3,26 +3,26 @@
extends: default

rules:
braces: {max-spaces-inside: 1, level: error}
brackets: {max-spaces-inside: 1, level: error}
colons: {max-spaces-after: -1, level: error}
commas: {max-spaces-after: -1, level: error}
comments: disable
comments-indentation: disable
document-start: disable
empty-lines: {max: 3, level: error}
hyphens: {level: error}
indentation:
# Requiring 4 space indentation
spaces: 4
# Requiring consistent indentation within a file, either indented or not
indent-sequences: consistent
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: enable
new-lines:
type: unix
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
check-keys: true
braces: {max-spaces-inside: 1, level: error}
brackets: {max-spaces-inside: 1, level: error}
colons: {max-spaces-after: -1, level: error}
commas: {max-spaces-after: -1, level: error}
comments: disable
comments-indentation: disable
document-start: disable
empty-lines: {max: 3, level: error}
hyphens: {level: error}
indentation:
# Requiring 4 space indentation
spaces: 4
# Requiring consistent indentation within a file, either indented or not
indent-sequences: consistent
key-duplicates: enable
line-length: disable
new-line-at-end-of-file: enable
new-lines:
type: unix
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
check-keys: true
9 changes: 9 additions & 0 deletions Changelog.md
Expand Up @@ -6,6 +6,15 @@
- license file
- ansible version

## April 2023 Updates
- Addressed Bugs
- [#73](https://github.com/ansible-lockdown/UBUNTU20-CIS/issues/73) - Thanks @fnschroeder (Fix Taken From @uk-bolly issue_73 branch)
- [#80](https://github.com/ansible-lockdown/UBUNTU20-CIS/issues/80) - Thanks @kdebisschop
- Added Fixes For Outstanding PR's
- [#81](https://github.com/ansible-lockdown/UBUNTU20-CIS/pull/81) - Thanks @kdebisschop
- Fixed Linting Errors For Yamllint & Ansbile-Lint
- Adjusted Builtin to Posix For sysctl module.

## Feb 23 updates - Initial

### based upon CIS 1.1.0
8 changes: 5 additions & 3 deletions collections/requirements.yml
@@ -1,6 +1,8 @@
---

collections:
- name: community.general
- name: community.crypto
- name: ansible.posix
- name: community.general

- name: community.crypto

- name: ansible.posix
6 changes: 3 additions & 3 deletions defaults/main.yml
Expand Up @@ -431,14 +431,14 @@ ubtu20cis_aide_cron:
ubtu20cis_set_grub_password: true
ubtu20cis_grub_user_file: /etc/grub.d/40_custom
ubtu20cis_grub_users: root
ubtu20cis_grub_pw: "grub.pbkdf2.sha512.10000.ChangeMe"
ubtu20cis_grub_pw: "grub.pbkdf2.sha512.10000"
# Change the following value to true if you wish to be prompted to get past grub bootloader
ubtu20cis_ask_passwd_to_boot: false

# 1.4.4
# note this needs to be in the encrypted format
ubtu20cis_set_root_password: true
ubtu20cis_root_pw: $6$this_is_needs_to_be_changed
ubtu20cis_root_pw: $6$

# 1.7.1
# disable dynamic motd to stop extra sshd message from appearing
Expand All @@ -454,7 +454,7 @@ ubtu20cis_warning_banner: |
# Control 2.1.1.1
# ubtu20cis_time_sync_tool is the tool in which to synchronize time
# The two options are chrony, ntp, or systemd-timesyncd
ubtu20cis_time_sync_tool: "ntp"
ubtu20cis_time_sync_tool: "chrony"

# Control 2.1.1.2
# ubtu20cis_ntp_server_list is the list ntp servers
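Review bot: The new placeholder values `ubtu20cis_grub_pw: "grub.pbkdf2.sha512.10000"` and `ubtu20cis_root_pw: $6$` are not valid hashes, yet nothing in the hunk prevents them from being applied when a user leaves the defaults in place, since `ubtu20cis_set_grub_password` and `ubtu20cis_set_root_password` both default to true on the visible lines; the previous strings at least carried a visible change-me marker, and the truncated ones are easier to overlook. A precondition assert run before section 1, comparing the variables against the shipped placeholders, would fail early with a clear message instead of pushing a malformed hash into the grub config or /etc/shadow; one possible form is below. Separately, the comment above the changed `ubtu20cis_time_sync_tool` default still says "The two options" while listing three, and could read `# The options are chrony, ntp, or systemd-timesyncd`.
```yaml
- name: "PRELIM | Fail if the shipped placeholder credential hashes were not overridden"
  ansible.builtin.assert:
    that:
      - not ubtu20cis_set_grub_password or ubtu20cis_grub_pw != 'grub.pbkdf2.sha512.10000'
      - not ubtu20cis_set_root_password or ubtu20cis_root_pw != '$6$'
    fail_msg: "ubtu20cis_grub_pw and ubtu20cis_root_pw must be set to real hashes before running this role"
```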
5 changes: 3 additions & 2 deletions tasks/main.yml
Expand Up @@ -48,7 +48,8 @@
tags:
- run_audit

- ansible.builtin.import_tasks: parse_etc_password.yml
- name: Run parse /etc/passwd
ansible.builtin.import_tasks: parse_etc_password.yml
when:
- ubtu20cis_section5_patch or
ubtu20cis_section6_patch
Expand Down Expand Up @@ -119,7 +120,7 @@
- skip_reboot

- name: run post remediation tasks
import_tasks: post.yml
ansible.builtin.import_tasks: post.yml
tags:
- post_tasks
- always
1 change: 1 addition & 0 deletions tasks/prelim.yml
Expand Up @@ -58,6 +58,7 @@
name: network-manager
state: present
when:
- wireless_interfaces.stdout is defined
- wireless_interfaces.stdout | length > 0
- ubtu20cis_install_network_manager
- ubtu20cis_rule_3_1_2
4 changes: 2 additions & 2 deletions tasks/section_1/cis_1.5.x.yml
Expand Up @@ -37,7 +37,7 @@
line: 'kernel.randomize_va_space = 2'

- name: "1.5.2 | PATCH | Ensure address space layout randomization (ASLR) is enabled | Set active kernel parameter"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: kernel.randomize_va_space
value: '2'
when:
Expand Down Expand Up @@ -75,7 +75,7 @@
- name: "1.5.4 | PATCH | Ensure core dumps are restricted"
block:
- name: "1.5.4 | PATCH | Ensure core dumps are restricted | kernel sysctl"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: fs.suid_dumpable
value: '0'
state: present
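Review bot: The 1.5.2 task at the top of the hunk passes only `name` and `value` to the newly referenced `ansible.posix.sysctl`, so as I read the module's defaults the live value is only applied through the reload that follows a change to the sysctl file; the task title says "Set active kernel parameter", and the sysctl tasks touched by the same commit in cis_3.2.x.yml and cis_3.3.x.yml already carry `sysctl_set: true` for exactly that purpose. Adding `sysctl_set: true` under `value: '2'` makes 1.5.2 behave like its siblings and corrects a drifted runtime value even when the file already holds the right line. The module swap itself is sound, since sysctl lives in ansible.posix and collections/requirements.yml lists that collection. The 1.5.4 block task continues outside the hunk.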
6 changes: 3 additions & 3 deletions tasks/section_3/cis_3.2.x.yml
@@ -1,6 +1,6 @@
---
- name: "3.2.1 | PATCH | Ensure packet redirect sending is disabled"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
Expand All @@ -26,7 +26,7 @@
- name: "3.2.2 | PATCH | Ensure IP forwarding is disabled"
block:
- name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv4 settings"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: net.ipv4.ip_forward
value: '0'
sysctl_set: true
Expand All @@ -37,7 +37,7 @@
- sysctl flush ipv4 route table

- name: "3.2.2 | PATCH | Ensure IP forwarding is disabled | IPv6 settings"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: net.ipv6.conf.all.forwarding
value: '0'
sysctl_set: true
22 changes: 11 additions & 11 deletions tasks/section_3/cis_3.3.x.yml
Expand Up @@ -2,7 +2,7 @@
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted"
block:
- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 settings"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
Expand All @@ -15,7 +15,7 @@
notify: sysctl flush ipv4 route table

- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 settings"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
Expand All @@ -42,7 +42,7 @@
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted"
block:
- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 settings"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
Expand All @@ -55,7 +55,7 @@
notify: sysctl flush ipv4 route table

- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 settings"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
Expand All @@ -79,7 +79,7 @@
- sysctl

- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
Expand All @@ -102,7 +102,7 @@
- sysctl

- name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '1'
sysctl_set: true
Expand All @@ -125,7 +125,7 @@
- sysctl

- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: net.ipv4.icmp_echo_ignore_broadcasts
value: '1'
sysctl_set: true
Expand All @@ -145,7 +145,7 @@
- sysctl

- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: net.ipv4.icmp_ignore_bogus_error_responses
value: '1'
sysctl_set: true
Expand All @@ -165,7 +165,7 @@
- sysctl

- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '1'
sysctl_set: true
Expand All @@ -188,7 +188,7 @@
- sysctl

- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: net.ipv4.tcp_syncookies
value: '1'
sysctl_set: true
Expand All @@ -208,7 +208,7 @@
- sysctl

- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted"
ansible.builtin.sysctl:
ansible.posix.sysctl:
name: "{{ item }}"
value: '0'
sysctl_set: true
4 changes: 2 additions & 2 deletions tasks/section_5/cis_5.4.x.yml
Expand Up @@ -86,9 +86,9 @@
- name: "5.4.2 | PATCH | Ensure lockout for failed password attempts is configured | common-auth pam_tally2 opts"
ansible.builtin.lineinfile:
path: /etc/pam.d/common-auth
regexp: '^auth\s+required pam_tally2 .*onerr=fail.*'
regexp: '^auth\s+required pam_tally2.so .*onerr=fail.*'
line: 'auth required pam_tally2.so {{ ubtu20cis_pamtally2_login_opts }}'
insertafter: '^# here are the per-package modules (the "Primary" block)'
insertafter: '^# here are the per-package modules'
when:
- ubtu20cis_rule_5_4_2
tags:
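Review bot: The updated `regexp` still requires `onerr=fail` to appear in the existing line, so a common-auth that already has an `auth required pam_tally2.so` entry with different options will not match, and lineinfile will insert a second pam_tally2 line after the per-package-modules comment, which would likely count each failed login twice. Matching on the module name alone, `regexp: '^auth\s+required\s+pam_tally2\.so'`, makes the task idempotent against any prior variant and also escapes the `.` that currently matches any character. The shortened `insertafter` pattern is an improvement, since the parentheses in the old one formed a regex group rather than matching the literal text. The task's `tags` continue outside the hunk.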
