Merge pull request #141 from ansible-lockdown/devel

cis2.0.1 release March 24

Author: uk-bolly

.pre-commit-config.yaml

@@ -37,14 +37,14 @@ repos:
     exclude: .config/.gitleaks-report.json tasks/parse_etc_password
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.18.1
+  rev: v8.18.2
   hooks:
   - id: gitleaks
     args: ['--baseline-path', '.config/.gitleaks-report.json']
     exclude: .config/.secrets.baseline
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.22.1
+  rev: v24.2.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -63,6 +63,6 @@ repos:
     - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.33.0  # or higher tag
+  rev: v1.35.1  # or higher tag
   hooks:
   - id: yamllint

defaults/main.yml

@@ -100,6 +100,12 @@ ubtu20cis_system_is_container: false
 # skip events for ec2 instance testing pipeline
 system_is_ec2: false
 
+## Root user used
+# Root by default is not used unless setup by user
+# The role will only run certain commands if set to true
+# This allows the ability to skip tasks that may cause an issue
+ubtu20cis_uses_root: false
+
 # Section 1 Fixes
 # Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings,
 # Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager)
@@ -535,7 +541,7 @@ ubtu20cis_warning_banner: |
 # The two options are chrony, ntp, or systemd-timesyncd
 ubtu20cis_time_sync_tool: "systemd-timesyncd"
 
-# This setting allow to use 'pool' or 'server' options using values below.
+# This setting allow to use 'pool' or 'servers' options using values below.
 # only one wil be applied
 ubtu20cis_chrony_timesource: pool
 

tasks/LE_audit_setup.yml

@@ -10,7 +10,7 @@
       - name: Pre Audit Setup | Set audit package name | ARM64
         ansible.builtin.set_fact:
             audit_pkg_arch_name: ARM64
-        when: ansible_facts.machine == "arm64"
+        when: ansible_facts.machine == "aarch64"
 
 - name: Pre Audit Setup | Download audit binary
   ansible.builtin.get_url:

tasks/post_remediation_audit.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Post Audit | Run post_remediation {{ benchmark }} audit
-  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
+  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
   changed_when: true
   environment:
       AUDIT_BIN: "{{ audit_bin }}"

tasks/pre_remediation_audit.yml

@@ -77,7 +77,7 @@
       mode: '0600'
 
 - name: Pre Audit | Run pre_remediation {{ benchmark }} audit
-  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
+  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
   changed_when: true
   environment:
       AUDIT_BIN: "{{ audit_bin }}"

tasks/prelim.yml

@@ -51,11 +51,11 @@
   ansible.builtin.package:
       update_cache: true
   when:
-      - ubtu20cis_rule_1_3_1 or
-        ubtu20cis_rule_1_9
+      - ubtu20cis_rule_1_2_1 or
+        ubtu20cis_rule_1_3_1
   tags:
       - rule_1.3.1
-      - rule_1.9
+      - rule_1.2.1
       - always
 
 - name: "PRELIM | Check for autofs service"

tasks/section_1/cis_1.6.x.yml

@@ -39,8 +39,8 @@
             regexp: "{{ item.regexp }}"
             replace: "{{ item.replace }}"
         with_items:
-            - { regexp: 'apparmor=\S+', replace: 'apparmor=1' }
-            - { regexp: 'security=\S+', replace: 'security=apparmor' }
+            - { regexp: 'apparmor=[^\s"]+', replace: 'apparmor=1' }
+            - { regexp: 'security=[^\s"]+', replace: 'security=apparmor' }
         when:
             - "'apparmor' in ubtu20cis_1_6_1_2_cmdline_settings.stdout"
             - "'security' in ubtu20cis_1_6_1_2_cmdline_settings.stdout"

tasks/section_4/cis_4.3.x.yml

@@ -19,7 +19,7 @@
       path: /etc/sudoers
       regexp: '^\s*Defaults\s+use_pty\s*$'
       line: 'Defaults use_pty'
-      insertafter: 'EOF'
+      insertafter: '^\s*Defaults'
   when:
       - ubtu20cis_rule_4_3_2
   tags:
@@ -35,7 +35,7 @@
       path: /etc/sudoers
       regexp: '^\s*Defaults\s+logfile\s*='
       line: 'Defaults logfile="{{ ubtu20cis_sudo_logfile }}"'
-      insertafter: 'EOF'
+      insertafter: '^\s*Defaults'
   when:
       - ubtu20cis_rule_4_3_3
   tags:
@@ -92,6 +92,7 @@
             regexp: '^\s*Defaults\s+timestamp_timeout\s*='
             line: "Defaults timestamp_timeout={{ ubtu20cis_sudo_timestamp_timeout }}"
             validate: '/usr/sbin/visudo -cf %s'
+            insertafter: '^\s*Defaults'
         when: ubtu20cis_4_3_6_timeout_files.stdout | length == 0
 
       - name: "4.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"

tasks/section_5/cis_5.1.2.x.yml

@@ -97,7 +97,7 @@
             - { regexp: '^mail.info|^#mail.info', line: 'mail.info                      -/var/log/mail.info', insertafter: '^# Logging for the mail system' }
             - { regexp: '^mail.warn|^#mail.warn', line: 'mail.warn                      -/var/log/mail.warn', insertafter: '^# Logging for the mail system.' }
             - { regexp: '^mail.err|^#mail.err', line: 'mail.err                        /var/log/mail.err', insertafter: '^# Logging for the mail system.' }
-            - { regexp: '^cron.\*|^#cron.\*', line: 'cron.\*                     /var/log/cron', insertafter: '^# First some standard log files' }
+            - { regexp: '^cron.\*|^#cron.\*', line: 'cron.*                     /var/log/cron', insertafter: '^# First some standard log files' }
             - { regexp: '^\*.=warning;\*.=err|^#\*.=warning;\*.=err', line: '*.=warning;*.=err               -/var/log/warn', insertafter: '^# First some standard log files' }
             - { regexp: '^\*.crit|^#\*.crit', line: '*.crit                           /var/log/warn', insertafter: '^# First some standard log files' }
             - { regexp: '^\*.\*;mail.none;news.none|^#\*.\*;mail.none;news.none', line: '*.*;mail.none;news.none         -/var/log/messages', insertafter: '^# First some standard log files' }

tasks/section_5/cis_5.2.3.x.yml

@@ -93,7 +93,7 @@
 - name: "5.2.3.6 | PATCH | Ensure use of privileged commands is collected"
   block:
       - name: "5.2.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs"
-        ansible.builtin.shell: for i in  $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
+        ansible.builtin.shell: for i in  $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
         register: priv_procs
         changed_when: false
         check_mode: false