From bbb0d0ff82761f69a4e302b5f0641a15c90dea94 Mon Sep 17 00:00:00 2001 From: Alexandre Rousseau Date: Wed, 6 Dec 2023 22:27:26 -0500 Subject: [PATCH 01/17] Fix loop condition default Signed-off-by: Alexandre Rousseau --- tasks/section_5/cis_5.2.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.2.4.x.yml b/tasks/section_5/cis_5.2.4.x.yml index a1fd1d6e..17b2573a 100644 --- a/tasks/section_5/cis_5.2.4.x.yml +++ b/tasks/section_5/cis_5.2.4.x.yml @@ -65,7 +65,7 @@ ansible.builtin.file: path: "{{ item.path }}" mode: '0640' - loop: "{{ auditd_conf_files.files }}" + loop: "{{ auditd_conf_files.files|default({})}}" loop_control: label: "{{ item.path }}" when: From f1d8600265d6facd69414227131a878a7e9e55fb Mon Sep 17 00:00:00 2001 From: Alexandre Rousseau Date: Wed, 6 Dec 2023 23:30:40 -0500 Subject: [PATCH 02/17] Fix loop condition default Signed-off-by: Alexandre Rousseau --- tasks/section_5/cis_5.2.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.2.4.x.yml b/tasks/section_5/cis_5.2.4.x.yml index 17b2573a..8e7d983e 100644 --- a/tasks/section_5/cis_5.2.4.x.yml +++ b/tasks/section_5/cis_5.2.4.x.yml @@ -65,7 +65,7 @@ ansible.builtin.file: path: "{{ item.path }}" mode: '0640' - loop: "{{ auditd_conf_files.files|default({})}}" + loop: "{{ auditd_conf_files.files|default([])}}" loop_control: label: "{{ item.path }}" when: From a3df7a197dc56efad546034d697a297012d15c38 Mon Sep 17 00:00:00 2001 From: Alexandre Rousseau Date: Fri, 8 Dec 2023 10:54:18 -0500 Subject: [PATCH 03/17] Empty-Commit Signed-off-by: Alexandre Rousseau From 14e04df045241e2749b68e69c127b58dfd884473 Mon Sep 17 00:00:00 2001 From: Alexandre Rousseau Date: Wed, 6 Dec 2023 22:27:26 -0500 Subject: [PATCH 04/17] Fix loop condition default Signed-off-by: Alexandre Rousseau --- tasks/section_5/cis_5.2.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
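Review bot: The `default([])` on the `loop:` line of PATCH 02/17 is the right shape for a loop (PATCH 01/17's `default({})` would have iterated a mapping), but the expression should still get the spacing ansible-lint's jinja[spacing] rule expects, `loop: "{{ auditd_conf_files.files | default([]) }}"`. The `default` only covers the case where `files` is missing from the registered result; whether `auditd_conf_files` itself is always defined depends on the registering task, which is outside the hunk. PATCH 04/17 and 05/17 carry the same two hunks again with the same blob ids (a1fd1d6e..17b2573a and 17b2573a..8e7d983e), so the series appears to contain a rebased duplicate that would likely fail to apply on top of 01/02. The `when:` list of this task continues outside the hunk.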
diff --git a/tasks/section_5/cis_5.2.4.x.yml b/tasks/section_5/cis_5.2.4.x.yml index a1fd1d6e..17b2573a 100644 --- a/tasks/section_5/cis_5.2.4.x.yml +++ b/tasks/section_5/cis_5.2.4.x.yml @@ -65,7 +65,7 @@ ansible.builtin.file: path: "{{ item.path }}" mode: '0640' - loop: "{{ auditd_conf_files.files }}" + loop: "{{ auditd_conf_files.files|default({})}}" loop_control: label: "{{ item.path }}" when: From 7ed10020303c32680296a8702c4a0d0b8ee7bcbd Mon Sep 17 00:00:00 2001 From: Alexandre Rousseau Date: Wed, 6 Dec 2023 23:30:40 -0500 Subject: [PATCH 05/17] Fix loop condition default Signed-off-by: Alexandre Rousseau --- tasks/section_5/cis_5.2.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.2.4.x.yml b/tasks/section_5/cis_5.2.4.x.yml index 17b2573a..8e7d983e 100644 --- a/tasks/section_5/cis_5.2.4.x.yml +++ b/tasks/section_5/cis_5.2.4.x.yml @@ -65,7 +65,7 @@ ansible.builtin.file: path: "{{ item.path }}" mode: '0640' - loop: "{{ auditd_conf_files.files|default({})}}" + loop: "{{ auditd_conf_files.files|default([])}}" loop_control: label: "{{ item.path }}" when: From c6fbfac6f1586792c12e6f3e827a827979c3f8c5 Mon Sep 17 00:00:00 2001 From: Alexandre Rousseau Date: Wed, 20 Dec 2023 14:47:11 -0500 Subject: [PATCH 06/17] added default value for ubtu20cis_uses_root Signed-off-by: Alexandre Rousseau --- defaults/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 94112ddb..7e3c3780 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -73,6 +73,12 @@ ubtu20cis_system_is_container: false # skip events for ec2 instance testing pipeline system_is_ec2: false +## Root user used +# Root by default is not used unless setup by user +# The role will only run certain commands if set to true +# This allows the ability to skip tasks that may cause an issue +ubtu20cis_uses_root: false + # Section 1 Fixes # Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, # Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) From 70809e4bbb470020b7fc83016ebb7fe28c5d00b4 Mon Sep 17 00:00:00 2001 From: Dan D Date: Thu, 4 Jan 2024 20:35:45 -0800 Subject: [PATCH 07/17] fix prelim check to check for AIDE install rule and updates rule Signed-off-by: Dan D --- tasks/prelim.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index e1a9eeda..64f727f5 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -51,11 +51,11 @@ ansible.builtin.package: update_cache: true when: - - ubtu20cis_rule_1_3_1 or - ubtu20cis_rule_1_9 + - ubtu20cis_rule_1_2_1 or + ubtu20cis_rule_1_3_1 tags: - rule_1.3.1 - - rule_1.9 + - rule_1.2.1 - always - name: "PRELIM | Check for autofs service" From aab873f3a99b89e93dd633f84bd1b2dca6f03f99 Mon Sep 17 00:00:00 2001 From: Dan D Date: Thu, 4 Jan 2024 20:33:32 -0800 Subject: [PATCH 08/17] Groups the Defaults together Signed-off-by: Dan D --- tasks/section_4/cis_4.3.x.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml index a4a5c0fa..a4432856 100644 --- a/tasks/section_4/cis_4.3.x.yml +++ b/tasks/section_4/cis_4.3.x.yml @@ -19,7 +19,7 @@ path: /etc/sudoers regexp: '^\s*Defaults\s+use_pty\s*$' line: 'Defaults use_pty' - insertafter: 'EOF' + insertafter: '^\s*Defaults' when: - ubtu20cis_rule_4_3_2 tags: 
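Review bot: The `insertafter: '^\s*Defaults'` change in the first hunk of PATCH 08/17 edits /etc/sudoers with lineinfile, yet no `validate:` is visible in this hunk or in the second hunk of the same patch (the `logfile` task), while the third hunk's task does carry `validate: '/usr/sbin/visudo -cf %s'`. If the opening lines of these two tasks, which are outside the hunk, do not set it, add `validate: '/usr/sbin/visudo -cf %s'` so a malformed line cannot leave sudo unusable on the host. Note also that lineinfile's `insertafter` uses the last line matching the pattern unless `firstmatch: true` is set, so the new line lands after the final existing `Defaults` entry and falls back to end of file when none matches; a one-line comment stating that intent would help the next reader.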
@@ -35,7 +35,7 @@ path: /etc/sudoers regexp: '^\s*Defaults\s+logfile\s*=' line: 'Defaults logfile="{{ ubtu20cis_sudo_logfile }}"' - insertafter: 'EOF' + insertafter: '^\s*Defaults' when: - ubtu20cis_rule_4_3_3 tags: @@ -92,6 +92,7 @@ regexp: '^\s*Defaults\s+timestamp_timeout\s*=' line: "Defaults timestamp_timeout={{ ubtu20cis_sudo_timestamp_timeout }}" validate: '/usr/sbin/visudo -cf %s' + insertafter: '^\s*Defaults' when: ubtu20cis_4_3_6_timeout_files.stdout | length == 0 - name: "4.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" From 4830ea20f983a2a65d5235853a1510985ac084c6 Mon Sep 17 00:00:00 2001 From: Karl DeBisschop Date: Sun, 14 Jan 2024 08:44:36 -0500 Subject: [PATCH 09/17] Fix regex to prevent swallowing closing quote in bootloader config. Fixes #132 Signed-off-by: Karl DeBisschop --- tasks/section_1/cis_1.6.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 53fa9d3a..279d6189 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -39,8 +39,8 @@ regexp: "{{ item.regexp }}" replace: "{{ item.replace }}" with_items: - - { regexp: 'apparmor=\S+', replace: 'apparmor=1' } - - { regexp: 'security=\S+', replace: 'security=apparmor' } + - { regexp: 'apparmor=[^\s"]+', replace: 'apparmor=1' } + - { regexp: 'security=[^\s"]+', replace: 'security=apparmor' } when: - "'apparmor' in ubtu20cis_1_6_1_2_cmdline_settings.stdout" - "'security' in ubtu20cis_1_6_1_2_cmdline_settings.stdout" From 207f0f9b82c7ca21d2eb6378cb0856c058e9384d Mon Sep 17 00:00:00 2001 From: Pieter Smit Date: Tue, 16 Jan 2024 23:24:48 +1300 Subject: [PATCH 10/17] pre and post_remediation - quote group_names Signed-off-by: Pieter Smit --- tasks/post_remediation_audit.yml | 2 +- tasks/pre_remediation_audit.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index eb01bc75..2c51bbb0 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,7 +1,7 @@ --- - name: Post Audit | Run post_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 258171a1..e3a261e7 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -77,7 +77,7 @@ mode: '0600' - name: Pre Audit | Run pre_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" From 742a6955f90f024149e4a87ebfa758fc5b85a9cb Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 22 Jan 2024 17:33:54 +0000 Subject: [PATCH 11/17] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v6.22.1 → v6.22.2](https://github.com/ansible-community/ansible-lint/compare/v6.22.1...v6.22.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f645faf8..d3985f72 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
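Review bot: Wrapping `{{ group_names }}` in escaped double quotes in both hunks of PATCH 10/17 (post_remediation_audit.yml and pre_remediation_audit.yml) stops word splitting of the rendered list, but inside double quotes the shell still expands `$`, backticks and backslashes, and the other interpolated values on the same line (`audit_conf_dir`, `audit_vars_path`, `post_audit_outfile`) remain unquoted. Since these values come from inventory and variables, the usual hardening is to let Ansible shell-quote each one, e.g. `-g {{ group_names | quote }}`, and likewise for the path variables; the argument run_audit.sh receives is then the same text as today, just safely quoted. I could not confirm from this patch what format run_audit.sh parses for `-g`, so verify that before changing the rendering.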
@@ -44,7 +44,7 @@ repos: exclude: .config/.secrets.baseline - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.1 + rev: v6.22.2 hooks: - id: ansible-lint name: Ansible-lint From 7f0a4f6688e7fe4baa6bdb98a6b8e3dc0315c434 Mon Sep 17 00:00:00 2001 From: Dan D Date: Mon, 29 Jan 2024 18:57:49 -0800 Subject: [PATCH 12/17] Fixes a couple typos Signed-off-by: Dan D --- defaults/main.yml | 2 +- tasks/section_5/cis_5.1.2.x.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9ad090d3..a46b0146 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -535,7 +535,7 @@ ubtu20cis_warning_banner: | # The two options are chrony, ntp, or systemd-timesyncd ubtu20cis_time_sync_tool: "systemd-timesyncd" -# This setting allow to use 'pool' or 'server' options using values below. +# This setting allow to use 'pool' or 'servers' options using values below. # only one wil be applied ubtu20cis_chrony_timesource: pool diff --git a/tasks/section_5/cis_5.1.2.x.yml b/tasks/section_5/cis_5.1.2.x.yml index 3b4674ca..c792f67c 100644 --- a/tasks/section_5/cis_5.1.2.x.yml +++ b/tasks/section_5/cis_5.1.2.x.yml 
@@ -97,7 +97,7 @@ - { regexp: '^mail.info|^#mail.info', line: 'mail.info -/var/log/mail.info', insertafter: '^# Logging for the mail system' } - { regexp: '^mail.warn|^#mail.warn', line: 'mail.warn -/var/log/mail.warn', insertafter: '^# Logging for the mail system.' } - { regexp: '^mail.err|^#mail.err', line: 'mail.err /var/log/mail.err', insertafter: '^# Logging for the mail system.' } - - { regexp: '^cron.\*|^#cron.\*', line: 'cron.\* /var/log/cron', insertafter: '^# First some standard log files' } + - { regexp: '^cron.\*|^#cron.\*', line: 'cron.* /var/log/cron', insertafter: '^# First some standard log files' } - { regexp: '^\*.=warning;\*.=err|^#\*.=warning;\*.=err', line: '*.=warning;*.=err -/var/log/warn', insertafter: '^# First some standard log files' } - { regexp: '^\*.crit|^#\*.crit', line: '*.crit /var/log/warn', insertafter: '^# First some standard log files' } - { regexp: '^\*.\*;mail.none;news.none|^#\*.\*;mail.none;news.none', line: '*.*;mail.none;news.none -/var/log/messages', insertafter: '^# First some standard log files' } From 7104ccf0ea65faa87813775a6c5355380daabebb Mon Sep 17 00:00:00 2001 From: Dan D Date: Mon, 29 Jan 2024 19:20:25 -0800 Subject: [PATCH 13/17] Fixes list privileged cmd collection to match benchmark Signed-off-by: Dan D --- tasks/section_5/cis_5.2.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.2.3.x.yml b/tasks/section_5/cis_5.2.3.x.yml index 39075bb3..0291b87e 100644 --- a/tasks/section_5/cis_5.2.3.x.yml +++ b/tasks/section_5/cis_5.2.3.x.yml 
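Review bot: The corrected `line:` value `cron.* /var/log/cron` in PATCH 12/17 now matches rsyslog selector syntax, but the paired `regexp: '^cron.\*|^#cron.\*'` still leaves the dot unescaped, so it matches any character before the asterisk; `regexp: '^cron\.\*|^#cron\.\*'` states the intent exactly. The neighbouring `mail.info`/`mail.warn`/`mail.err` entries share the same unescaped dot, though with a single-character facility separator this is unlikely to misfire in practice. The `with_items` list this entry belongs to starts outside the hunk.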
@@ -93,7 +93,7 @@ - name: "5.2.3.6 | PATCH | Ensure use of privileged commands is collected" block: - name: "5.2.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs" - ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done + ansible.builtin.shell: for i in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done register: priv_procs changed_when: false check_mode: false From 2dd63f15dac49ce8c96a0474c5729d5fe881c100 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 5 Feb 2024 17:36:37 +0000 Subject: [PATCH 14/17] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.1 → v8.18.2](https://github.com/gitleaks/gitleaks/compare/v8.18.1...v8.18.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d3985f72..924359f6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,7 +37,7 @@ repos: exclude: .config/.gitleaks-report.json tasks/parse_etc_password - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.1 + rev: v8.18.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From fc03fdd5298c575781a776ab0dcf5dd289fba34f Mon Sep 17 00:00:00 2001 
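Review bot: In the rewritten `ansible.builtin.shell` pipeline of PATCH 13/17, `$i` is passed to `find` unquoted, so a mount point containing whitespace is split into separate arguments and either skipped or scanned as a different path; `find "$i" -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null` keeps each mount point intact. The `grep -Pv "noexec|nosuid"` filter also matches anywhere in findmnt's output line, including the target and source columns, rather than only the options column, so a mount whose path contains one of those words would be dropped from the scan — presumably accepted because it mirrors the benchmark's audit script, but worth a comment on the task. The task's `register`, `changed_when` and `check_mode` keys follow inside the hunk; the enclosing block starts before it.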
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 19 Feb 2024 17:48:39 +0000 Subject: [PATCH 15/17] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v6.22.2 → v24.2.0](https://github.com/ansible-community/ansible-lint/compare/v6.22.2...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.33.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.35.1) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 924359f6..0a8e436f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -44,7 +44,7 @@ repos: exclude: .config/.secrets.baseline - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.2 + rev: v24.2.0 hooks: - id: ansible-lint name: Ansible-lint @@ -63,6 +63,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.33.0 # or higher tag + rev: v1.35.1 # or higher tag hooks: - id: yamllint From c46d1e6ed4e81575fad1f079ea2f30a651c81969 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 8 Mar 2024 17:33:08 +0000 Subject: [PATCH 16/17] fixed test for the arm64 conditional Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 7ef94b4a..08d047d6 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -10,7 +10,7 @@ - name: Pre Audit Setup | Set audit package name | ARM64 ansible.builtin.set_fact: audit_pkg_arch_name: ARM64 - when: ansible_facts.machine == "arm64" + when: ansible_facts.machine == "aarch64" - name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: From 768be7fb3c06e520cd996e930236fe62da51bf1d Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 18 Mar 2024 17:48:25 +0000 Subject: [PATCH 17/17] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](https://github.com/ansible-community/ansible-lint/compare/v24.2.0...v24.2.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0a8e436f..18743e94 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -44,7 +44,7 @@ repos: exclude: .config/.secrets.baseline - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.0 + rev: v24.2.1 hooks: - id: ansible-lint name: Ansible-lint