From 963aaf41faeef32efa9f51066e235a0579c29aca Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 23 Oct 2023 09:08:58 +0100
Subject: [PATCH 1/6] lint update
Signed-off-by: Mark Bolwell
---
 tasks/section_2/cis_2.2.x.yml | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml
index 83e6f7cf..93ff80e5 100644
--- a/tasks/section_2/cis_2.2.x.yml
+++ b/tasks/section_2/cis_2.2.x.yml
@@ -330,23 +330,23 @@
 - name: "2.2.17 | PATCH | Ensure rsync service is either not installed or masked"
 block:
- - name: "2.2.17 | PATCH | Ensure rsync service is either not installed or masked | remove pkg"
- ansible.builtin.package:
- name: rsync
- state: absent
- when:
- - ubtu20cis_rule_2_2_17
- - ubtu20cis_rsync_server == 'remove'
+ - name: "2.2.17 | PATCH | Ensure rsync service is either not installed or masked | remove pkg"
+ ansible.builtin.package:
+ name: rsync
+ state: absent
+ when:
+ - ubtu20cis_rule_2_2_17
+ - ubtu20cis_rsync_server == 'remove'
- - name: "2.2.17 | PATCH | Ensure rsync service is either not installed or masked | mask service"
- ansible.builtin.service:
- name: rsync.service
- state: stopped
- enabled: false
- masked: true
- when:
- - ubtu20cis_rule_2_2_17
- - ubtu20cis_rsync_server == 'mask'
+ - name: "2.2.17 | PATCH | Ensure rsync service is either not installed or masked | mask service"
+ ansible.builtin.service:
+ name: rsync.service
+ state: stopped
+ enabled: false
+ masked: true
+ when:
+ - ubtu20cis_rule_2_2_17
+ - ubtu20cis_rsync_server == 'mask'
 when:
 - "'rsync' in ansible_facts.packages"
 tags:
From c39816e5b1421cc8fb9f1f963d471c1dbb6163cd Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 23 Oct 2023 09:09:27 +0100
Subject: [PATCH 2/6] Updated grub user usage and warning based on #106
Signed-off-by: Mark Bolwell --- defaults/main.yml | 8 +++++--- tasks/main.yml | 2 +- tasks/section_1/cis_1.4.x.yml | 4 ++-- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 94112ddb..aafbeb0c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -467,15 +467,17 @@ ubtu20cis_aide_cron: aide_weekday: '*' # Control 1.4.1 -# THIS VARIABLE SHOULD BE CHANGED +# THESE VARIABLES SHOULD BE CHANGED # This will fail assertion if not changed and rule 1.4.2 is enabled # insert password as per output of running grub-mkpasswd-pbkdf2 # refers to https://help.ubuntu.com/community/Grub2/Passwords +# You maybe changing the root password if grub user root - Ensure you understand the risks +ubtu20cis_set_grub_user_pass: false +ubtu20cis_grub_user: root +ubtu20cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6' # Set to changeme ubtu20cis_set_boot_pass: false -ubtu20cis_set_grub_password: true ubtu20cis_grub_user_file: /etc/grub.d/40_custom -ubtu20cis_grub_user: root ubtu20cis_grub_file: /boot/grub/grub.cfg # This is used to set the password in grub the full string is required. diff --git a/tasks/main.yml b/tasks/main.yml index 84f0f93c..2d638d11 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -22,7 +22,7 @@ - '"grub.pbkdf2.sha512.1000" in ubtu20cis_bootloader_password_hash' fail_msg: "The default grub password has not been changed" when: - - ubtu20cis_set_grub_password + - ubtu20cis_set_grub_user_password - ubtu20cis_rule_1_4_2 - name: Ensure root password has been changed diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 6d99e624..a9f899c9 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml 
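Review bot: The new `ubtu20cis_grub_user_passwd` default is a real, published hash, and once `ubtu20cis_set_grub_user_pass` is true rule 1.4.3 in tasks/section_1/cis_1.4.x.yml writes it verbatim as the login password of the account named by `ubtu20cis_grub_user`, which defaults to root; nothing in the series asserts that the value was changed, since the existing check in tasks/main.yml only inspects `ubtu20cis_bootloader_password_hash`. The warning comment added here says "You maybe changing the root password" but not which variable does it or when, so a reader can miss that the shipped hash is what gets applied. I would replace it with `# ubtu20cis_grub_user_passwd becomes the OS login password of ubtu20cis_grub_user (root by default) when ubtu20cis_set_grub_user_pass is true - replace the shipped hash before enabling`. The "Set to changeme" hint is also at odds with the value next to it, which is a usable hash rather than a placeholder.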
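Review bot: `ubtu20cis_set_grub_user_password` is not defined anywhere in this series: defaults/main.yml introduces `ubtu20cis_set_grub_user_pass` and cis_1.4.x.yml uses that shorter name, so unless it is set elsewhere this `when` fails on an undefined variable before the assertion is evaluated. Even with the name corrected, the assertion checks `ubtu20cis_bootloader_password_hash` (the GRUB pbkdf2 hash) while the flag now gates the OS-account password of rule 1.4.3, so the two are about different credentials; either keep this gated on rule 1.4.2 and a bootloader-specific flag, or document why the user-password switch should also enable the bootloader check. What is missing is a second assertion that `ubtu20cis_grub_user_passwd` no longer equals the shipped default, gated on `ubtu20cis_set_grub_user_pass` and `ubtu20cis_rule_1_4_3`, so the role cannot set root's password to a known hash; the task below mirrors the existing assert's shape.
```yaml
- name: Ensure grub user password has been changed
  ansible.builtin.assert:
    that:
      - ubtu20cis_grub_user_passwd != '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'
    fail_msg: "The default grub user password has not been changed"
  when:
    - ubtu20cis_set_grub_user_pass
    - ubtu20cis_rule_1_4_3
```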
@@ -63,10 +63,10 @@
 - name: "1.4.3 | PATCH | Ensure authentication required for single user mode"
 ansible.builtin.user:
 name: "{{ ubtu20cis_grub_user }}"
- password: "{{ ubtu20cis_bootloader_password_hash }}"
+ password: "{{ ubtu20cis_grub_user_passwd }}"
 when:
 - ubtu20cis_rule_1_4_3
- - ubtu20cis_set_boot_pass
+ - ubtu20cis_set_grub_user_pass
 tags:
 - level1-server
 - level1-workstation
From 15bafe264ea19ce10036b52698a3ee640d2a16cc Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 23 Oct 2023 10:38:28 +0100
Subject: [PATCH 3/6] updated 3.1.1 thanks to @LoZZoL U22
Signed-off-by: Mark Bolwell
---
 tasks/section_3/cis_3.1.x.yml | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
index 68fa65d8..b5c39fee 100644
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
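Review bot: The task sets the login password of whichever account `ubtu20cis_grub_user` names, but control 1.4.3 (authentication for single-user mode) is about the root account: if an operator sets `ubtu20cis_grub_user` to a dedicated GRUB superuser, this task changes that user's password and leaves root untouched, and if it stays `root` the value of `ubtu20cis_grub_user_passwd` from defaults/main.yml is applied as-is. Consider decoupling the two (`name: root` here, with the GRUB superuser name used only for the bootloader entry), or at least a comment above the task: `# Sets the OS password of ubtu20cis_grub_user (root by default); the hash must be replaced before ubtu20cis_set_grub_user_pass is enabled`. The task's tags continue past the end of the hunk.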
@@ -2,19 +2,22 @@
 - name: "3.1.1 | PATCH | Disable IPv6"
 block:
- - name: "3.1.1 | AUDIT | Disable IPv6 | Get current GRUB_CMDLINE_LINUX settings"
- ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"'
- changed_when: false
- failed_when: false
- check_mode: false
- register: ubtu20cis_3_1_1_grub_cmdline_linux_settings
+ - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Replace ipv6.disable if it exists"
+ ansible.builtin.replace:
+ path: /etc/default/grub
+ regexp: '^(GRUB_CMDLINE_LINUX=.*)\bipv6\.disable=\d\b(.*$)'
+ replace: '\1ipv6.disable=1\2'
+ when: ubtu22cis_ipv6_disable == 'grub'
+ register: ipv6disable_replaced
+ notify: Grub update
- - name: "3.1.1 | PATCH | Disable IPv6 | Add ipv6.disable if does not exist"
+ - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist"
 ansible.builtin.lineinfile:
 path: /etc/default/grub
- regexp: '^GRUB_CMDLINE_LINUX'
- line: 'GRUB_CMDLINE_LINUX="{{ ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout }} ipv6.disable=1"'
- when: "'ipv6.disable' not in ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout"
+ regexp: '^(GRUB_CMDLINE_LINUX=".*)"$'
+ line: '\1 ipv6.disable=1"'
+ backrefs: true
+ when: ipv6disable_replaced is not changed
 notify: Grub update
 - name: "3.1.1 | PATCH | Disable IPv6 | Set ipv6.disable to 1 if exists"
From b93c00e4327d45917ca4152c60586983ba06fa4d Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 23 Oct 2023 10:39:26 +0100
Subject: [PATCH 4/6] typo fix
Signed-off-by: Mark Bolwell
---
 tasks/section_3/cis_3.1.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
index b5c39fee..f458233f 100644
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
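Review bot: The lineinfile task runs whenever `ipv6disable_replaced is not changed`, and a skipped result also satisfies that test, so when `ubtu22cis_ipv6_disable` (renamed `ubtu20cis_ipv6_disable` in the next patch) is not `'grub'` the replace task is skipped and `ipv6.disable=1` is still written to /etc/default/grub — unless the enclosing block, whose `when` is outside the hunk, already carries that condition, the lineinfile needs it too: `when: - ubtu20cis_ipv6_disable == 'grub' - ipv6disable_replaced is not changed`. The replace task is likewise unchanged when the line already reads `ipv6.disable=1`, and the lineinfile regexp `^(GRUB_CMDLINE_LINUX=".*)"$` still matches that line, so every run appends a further ` ipv6.disable=1`; a regexp that skips lines already carrying the option, `regexp: '^(GRUB_CMDLINE_LINUX="(?!.*ipv6\.disable).*)"$'`, keeps the task idempotent. With the replace task in place, the following "Set ipv6.disable to 1 if exists" task (its body lies beyond the hunk) looks redundant.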
@@ -7,7 +7,7 @@
 path: /etc/default/grub
 regexp: '^(GRUB_CMDLINE_LINUX=.*)\bipv6\.disable=\d\b(.*$)'
 replace: '\1ipv6.disable=1\2'
- when: ubtu22cis_ipv6_disable == 'grub'
+ when: ubtu20cis_ipv6_disable == 'grub'
 register: ipv6disable_replaced
 notify: Grub update
From 8435085503a749062e797d555e40a9139398107c Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 23 Oct 2023 10:41:48 +0100
Subject: [PATCH 5/6] updated thanks to @LoZZoL u22
Signed-off-by: Mark Bolwell
---
 tasks/section_4/cis_4.5.1.x.yml | 38 ++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 10 deletions(-)
diff --git a/tasks/section_4/cis_4.5.1.x.yml b/tasks/section_4/cis_4.5.1.x.yml
index 151b0ebd..8603a63c 100644
--- a/tasks/section_4/cis_4.5.1.x.yml
+++ b/tasks/section_4/cis_4.5.1.x.yml
@@ -8,14 +8,20 @@
 regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS'
 line: 'PASS_MIN_DAYS {{ ubtu20cis_pass.min_days }}'
+ - name: "4.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Get existing users PASS_MIN_DAYS"
+ ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu20cis_pass.min_days }})) {print $1}' /etc/shadow"
+ changed_when: false
+ failed_when: false
+ register: ubtu20cis_4_5_1_1_min_days
 - name: "4.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS"
 ansible.builtin.shell: chage --mindays {{ ubtu20cis_pass.min_days }} {{ item }}
 failed_when: false
- with_items:
- - "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | map(attribute='id') | list }}"
+ changed_when: ubtu20cis_4_5_1_1_min_days.stdout |length > 0
+ loop: "{{ ubtu20cis_4_5_1_1_min_days.stdout_lines }}"
 when:
 - ubtu20cis_disruption_high
- - item != 'nobody'
+ - (item != 'root') or (not ubtu20cis_uses_root)
 when:
 - ubtu20cis_rule_4_5_1_1
 tags:
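Review bot: `failed_when: false` on the new awk task turns any failure to read /etc/shadow into an empty user list, so the chage loop silently does nothing and the run looks compliant; the role runs as root, so the read should not fail, and removing `failed_when: false` (keeping only `changed_when: false`) lets a real error surface. The `chage` line uses no shell features, so `ansible.builtin.command: chage --mindays {{ ubtu20cis_pass.min_days }} {{ item }}` avoids passing the /etc/shadow-derived `item` through a shell, and `changed_when: ubtu20cis_4_5_1_1_min_days.stdout |length > 0` is always true once the loop has an item, which is just `changed_when: true`. `ubtu20cis_uses_root` is not defined in this series; presumably it already exists in defaults. The same three points apply to the 4.5.1.2 and 4.5.1.3 hunks below.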
@@ -36,14 +42,20 @@
 line: 'PASS_MAX_DAYS {{ ubtu20cis_pass.max_days }}'
 insertafter: '# Password aging controls'
+ - name: "4.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS"
+ ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu20cis_pass.max_days }} || $5<{{ ubtu20cis_pass.min_days }} || $5 == -1)){print $1}' /etc/shadow"
+ changed_when: false
+ failed_when: false
+ register: ubtu20cis_4_5_1_2_max_days
 - name: "4.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
 ansible.builtin.shell: chage --maxdays {{ ubtu20cis_pass.max_days }} {{ item }}
 failed_when: false
- with_items:
- - "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | map(attribute='id') | list }}"
+ changed_when: ubtu20cis_4_5_1_2_max_days.stdout | length > 0
+ loop: "{{ ubtu20cis_4_5_1_2_max_days.stdout_lines }}"
 when:
 - ubtu20cis_disruption_high
- - item != 'nobody'
+ - (item != 'root') or (not ubtu20cis_uses_root)
 when:
 - ubtu20cis_rule_4_5_1_2
 tags:
@@ -63,14 +75,20 @@
 regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE'
 line: 'PASS_WARN_AGE {{ ubtu20cis_pass.warn_age }}'
+ - name: "4.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Get existing users PASS_WARN_AGE"
+ ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu20cis_pass.warn_age }}){print $1}' /etc/shadow"
+ changed_when: false
+ failed_when: false
+ register: ubtu20cis_4_5_1_3_warn_days
 - name: "4.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users PASS_WARN_AGE"
- ansible.builtin.shell: chage --warndays {{ ubtu20cis_pass.warn_age }} {{ item }}
+ ansible.builtin.shell: chage --maxdays {{ ubtu20cis_pass.warn_age }} {{ item }}
 failed_when: false
- with_items:
- - "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | map(attribute='id') | list }}"
+ changed_when: ubtu20cis_4_5_1_3_warn_days.stdout | length > 0
+ loop: "{{ ubtu20cis_4_5_1_3_warn_days.stdout_lines }}"
 when:
 - ubtu20cis_disruption_high
- - item != 'nobody'
+ - (item != 'root') or (not ubtu20cis_uses_root)
 when:
 - ubtu20cis_rule_4_5_1_3
 tags:
From c0efed35acab12e918f013719d392f787918dc24 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 23 Oct 2023 12:18:38 +0100
Subject: [PATCH 6/6] updated quotes around mode
Signed-off-by: Mark Bolwell
---
 tasks/section_6/cis_6.1.x.yml | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
index 25ca4c06..f4ccc305 100644
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@@ -5,7 +5,7 @@
 path: /etc/passwd
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 when:
 - ubtu20cis_rule_6_1_1
 tags:
@@ -21,7 +21,7 @@
 path: /etc/passwd-
 owner: root
 group: root
- mode: 0600
+ mode: '0600'
 when:
 - ubtu20cis_rule_6_1_2
 tags:
@@ -37,7 +37,7 @@
 path: /etc/group
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 when:
 - ubtu20cis_rule_6_1_3
 tags:
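Review bot: The changed `chage` call now passes `--maxdays {{ ubtu20cis_pass.warn_age }}` in the task whose job is to set PASS_WARN_AGE, so every user the awk filter selects (field 6 below `ubtu20cis_pass.warn_age`) gets their maximum password age set to the warning value — with the 7-day target the task name implies, that is a forced expiry every week — while their warning period is never fixed. The removed line was correct and should come back: `ansible.builtin.shell: chage --warndays {{ ubtu20cis_pass.warn_age }} {{ item }}`. Note that the 4.5.1.2 awk filter only flags a max age above `ubtu20cis_pass.max_days`, below `ubtu20cis_pass.min_days` or equal to -1, so with typical values a max age of 7 would not be corrected on later runs either.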
@@ -53,7 +53,7 @@
 path: /etc/group-
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 when:
 - ubtu20cis_rule_6_1_4
 tags:
@@ -69,7 +69,7 @@
 path: /etc/shadow
 owner: root
 group: shadow
- mode: 0640
+ mode: '0640'
 when:
 - ubtu20cis_rule_6_1_5
 tags:
@@ -85,7 +85,7 @@
 path: /etc/shadow-
 owner: root
 group: shadow
- mode: 0640
+ mode: '0640'
 when:
 - ubtu20cis_rule_6_1_6
 tags:
@@ -101,7 +101,7 @@
 path: /etc/gshadow
 owner: root
 group: shadow
- mode: 0640
+ mode: '0640'
 when:
 - ubtu20cis_rule_6_1_7
 tags:
@@ -117,7 +117,7 @@
 path: /etc/gshadow-
 owner: root
 group: shadow
- mode: 0640
+ mode: '0640'
 when:
 - ubtu20cis_rule_6_1_8
 tags:
@@ -133,7 +133,7 @@
 path: /etc/shells
 owner: root
 group: root
- mode: 0644
+ mode: '0644'
 when:
 - ubtu20cis_rule_6_1_9
 tags:
@@ -156,7 +156,7 @@
 path: /etc/opasswd
 owner: root
 group: root
- mode: 0600
+ mode: '0600'
 state: touch
 when: opasswd.stat.exists
@@ -170,7 +170,7 @@
 path: /etc/opasswd.old
 owner: root
 group: root
- mode: 0600
+ mode: '0600'
 when: opasswd_old.stat.exists
 when:
 - ubtu20cis_rule_6_1_10