Oct23 improvements

defaults/main.yml

@@ -467,15 +467,17 @@ ubtu20cis_aide_cron:
     aide_weekday: '*'
 
 # Control 1.4.1
-# THIS VARIABLE SHOULD BE CHANGED
+# THESE VARIABLES SHOULD BE CHANGED
 # This will fail assertion if not changed and rule 1.4.2 is enabled
 # insert password as per output of running grub-mkpasswd-pbkdf2
 # refers to https://help.ubuntu.com/community/Grub2/Passwords
 
+# You maybe changing the root password if grub user root - Ensure you understand the risks
+ubtu20cis_set_grub_user_pass: false
+ubtu20cis_grub_user: root
+ubtu20cis_grub_user_passwd: '$y$j9T$MBA5l/tQyWifM869nQjsi.$cTy0ConcNjIYOn6Cppo5NAky20osrkRxz4fEWA8xac6'  # Set to changeme
 ubtu20cis_set_boot_pass: false
-ubtu20cis_set_grub_password: true
 ubtu20cis_grub_user_file: /etc/grub.d/40_custom
-ubtu20cis_grub_user: root
 ubtu20cis_grub_file: /boot/grub/grub.cfg
 
 # This is used to set the password in grub the full string is required.

tasks/main.yml

@@ -22,7 +22,7 @@
           - '"grub.pbkdf2.sha512.1000" in ubtu20cis_bootloader_password_hash'
       fail_msg: "The default grub password has not been changed"
   when:
-      - ubtu20cis_set_grub_password
+      - ubtu20cis_set_grub_user_password
       - ubtu20cis_rule_1_4_2
 
 - name: Ensure root password has been changed

tasks/section_1/cis_1.4.x.yml

@@ -63,10 +63,10 @@
 - name: "1.4.3 | PATCH | Ensure authentication required for single user mode"
   ansible.builtin.user:
       name: "{{ ubtu20cis_grub_user }}"
-      password: "{{ ubtu20cis_bootloader_password_hash }}"
+      password: "{{ ubtu20cis_grub_user_passwd }}"
   when:
       - ubtu20cis_rule_1_4_3
-      - ubtu20cis_set_boot_pass
+      - ubtu20cis_set_grub_user_pass
   tags:
       - level1-server
       - level1-workstation

tasks/section_2/cis_2.2.x.yml

@@ -330,23 +330,23 @@
 
 - name: "2.2.17 | PATCH | Ensure rsync service is either not installed or masked"
   block:
-    - name: "2.2.17 | PATCH | Ensure rsync service is either not installed or masked | remove pkg"
-      ansible.builtin.package:
-          name: rsync
-          state: absent
-      when:
-          - ubtu20cis_rule_2_2_17
-          - ubtu20cis_rsync_server == 'remove'
+      - name: "2.2.17 | PATCH | Ensure rsync service is either not installed or masked | remove pkg"
+        ansible.builtin.package:
+            name: rsync
+            state: absent
+        when:
+            - ubtu20cis_rule_2_2_17
+            - ubtu20cis_rsync_server == 'remove'
 
-    - name: "2.2.17 | PATCH | Ensure rsync service is either not installed or masked | mask service"
-      ansible.builtin.service:
-          name: rsync.service
-          state: stopped
-          enabled: false
-          masked: true
-      when:
-          - ubtu20cis_rule_2_2_17
-          - ubtu20cis_rsync_server == 'mask'
+      - name: "2.2.17 | PATCH | Ensure rsync service is either not installed or masked | mask service"
+        ansible.builtin.service:
+            name: rsync.service
+            state: stopped
+            enabled: false
+            masked: true
+        when:
+            - ubtu20cis_rule_2_2_17
+            - ubtu20cis_rsync_server == 'mask'
   when:
       - "'rsync' in ansible_facts.packages"
   tags:

tasks/section_3/cis_3.1.x.yml

@@ -2,19 +2,22 @@
 
 - name: "3.1.1 | PATCH | Disable IPv6"
   block:
-      - name: "3.1.1 | AUDIT | Disable IPv6 | Get current GRUB_CMDLINE_LINUX settings"
-        ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"'
-        changed_when: false
-        failed_when: false
-        check_mode: false
-        register: ubtu20cis_3_1_1_grub_cmdline_linux_settings
+      - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Replace ipv6.disable if it exists"
+        ansible.builtin.replace:
+            path: /etc/default/grub
+            regexp: '^(GRUB_CMDLINE_LINUX=.*)\bipv6\.disable=\d\b(.*$)'
+            replace: '\1ipv6.disable=1\2'
+        when: ubtu20cis_ipv6_disable == 'grub'
+        register: ipv6disable_replaced
+        notify: Grub update
 
-      - name: "3.1.1 | PATCH | Disable IPv6 | Add ipv6.disable if does not exist"
+      - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Insert ipv6.disable if it doesn't exist"
         ansible.builtin.lineinfile:
             path: /etc/default/grub
-            regexp: '^GRUB_CMDLINE_LINUX'
-            line: 'GRUB_CMDLINE_LINUX="{{ ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout }} ipv6.disable=1"'
-        when: "'ipv6.disable' not in ubtu20cis_3_1_1_grub_cmdline_linux_settings.stdout"
+            regexp: '^(GRUB_CMDLINE_LINUX=".*)"$'
+            line: '\1 ipv6.disable=1"'
+            backrefs: true
+        when: ipv6disable_replaced is not changed
         notify: Grub update
 
       - name: "3.1.1 | PATCH | Disable IPv6 | Set ipv6.disable to 1 if exists"

tasks/section_4/cis_4.5.1.x.yml

@@ -8,14 +8,20 @@
             regexp: '^PASS_MIN_DAYS|^#PASS_MIN_DAYS'
             line: 'PASS_MIN_DAYS {{ ubtu20cis_pass.min_days }}'
 
+      - name: "4.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Get existing users PASS_MIN_DAYS"
+        ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($4<{{ ubtu20cis_pass.min_days }})) {print $1}' /etc/shadow"
+        changed_when: false
+        failed_when: false
+        register: ubtu20cis_4_5_1_1_min_days
+
       - name: "4.5.1.1 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS"
         ansible.builtin.shell: chage --mindays {{ ubtu20cis_pass.min_days }} {{ item }}
         failed_when: false
-        with_items:
-            - "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | map(attribute='id') | list }}"
+        changed_when: ubtu20cis_4_5_1_1_min_days.stdout |length > 0
+        loop: "{{ ubtu20cis_4_5_1_1_min_days.stdout_lines }}"
         when:
             - ubtu20cis_disruption_high
-            - item != 'nobody'
+            - (item != 'root') or (not ubtu20cis_uses_root)
   when:
       - ubtu20cis_rule_4_5_1_1
   tags:
@@ -36,14 +42,20 @@
             line: 'PASS_MAX_DAYS {{ ubtu20cis_pass.max_days }}'
             insertafter: '# Password aging controls'
 
+      - name: "4.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS"
+        ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5>{{ ubtu20cis_pass.max_days }} || $5<{{ ubtu20cis_pass.min_days }} || $5 == -1)){print $1}' /etc/shadow"
+        changed_when: false
+        failed_when: false
+        register: ubtu20cis_4_5_1_2_max_days
+
       - name: "4.5.1.2 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
         ansible.builtin.shell: chage --maxdays {{ ubtu20cis_pass.max_days }} {{ item }}
         failed_when: false
-        with_items:
-            - "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | map(attribute='id') | list }}"
+        changed_when: ubtu20cis_4_5_1_2_max_days.stdout | length > 0
+        loop: "{{ ubtu20cis_4_5_1_2_max_days.stdout_lines }}"
         when:
             - ubtu20cis_disruption_high
-            - item != 'nobody'
+            - (item != 'root') or (not ubtu20cis_uses_root)
   when:
       - ubtu20cis_rule_4_5_1_2
   tags:
@@ -63,14 +75,20 @@
             regexp: '^PASS_WARN_AGE|^#PASS_WARN_AGE'
             line: 'PASS_WARN_AGE {{ ubtu20cis_pass.warn_age }}'
 
+      - name: "4.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Get existing users PASS_WARN_AGE"
+        ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && $6<{{ ubtu20cis_pass.warn_age }}){print $1}' /etc/shadow"
+        changed_when: false
+        failed_when: false
+        register: ubtu20cis_4_5_1_3_warn_days
+
       - name: "4.5.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users PASS_WARN_AGE"
-        ansible.builtin.shell: chage --warndays {{ ubtu20cis_pass.warn_age }} {{ item }}
+        ansible.builtin.shell: chage --maxdays {{ ubtu20cis_pass.warn_age }} {{ item }}
         failed_when: false
-        with_items:
-            - "{{ ubtu20cis_passwd | selectattr('uid', '>=', 1000) | map(attribute='id') | list }}"
+        changed_when: ubtu20cis_4_5_1_3_warn_days.stdout | length > 0
+        loop: "{{ ubtu20cis_4_5_1_3_warn_days.stdout_lines }}"
         when:
             - ubtu20cis_disruption_high
-            - item != 'nobody'
+            - (item != 'root') or (not ubtu20cis_uses_root)
   when:
       - ubtu20cis_rule_4_5_1_3
   tags:

tasks/section_6/cis_6.1.x.yml

@@ -5,7 +5,7 @@
       path: /etc/passwd
       owner: root
       group: root
-      mode: 0644
+      mode: '0644'
   when:
       - ubtu20cis_rule_6_1_1
   tags:
@@ -21,7 +21,7 @@
       path: /etc/passwd-
       owner: root
       group: root
-      mode: 0600
+      mode: '0600'
   when:
       - ubtu20cis_rule_6_1_2
   tags:
@@ -37,7 +37,7 @@
       path: /etc/group
       owner: root
       group: root
-      mode: 0644
+      mode: '0644'
   when:
       - ubtu20cis_rule_6_1_3
   tags:
@@ -53,7 +53,7 @@
       path: /etc/group-
       owner: root
       group: root
-      mode: 0644
+      mode: '0644'
   when:
       - ubtu20cis_rule_6_1_4
   tags:
@@ -69,7 +69,7 @@
       path: /etc/shadow
       owner: root
       group: shadow
-      mode: 0640
+      mode: '0640'
   when:
       - ubtu20cis_rule_6_1_5
   tags:
@@ -85,7 +85,7 @@
       path: /etc/shadow-
       owner: root
       group: shadow
-      mode: 0640
+      mode: '0640'
   when:
       - ubtu20cis_rule_6_1_6
   tags:
@@ -101,7 +101,7 @@
       path: /etc/gshadow
       owner: root
       group: shadow
-      mode: 0640
+      mode: '0640'
   when:
       - ubtu20cis_rule_6_1_7
   tags:
@@ -117,7 +117,7 @@
       path: /etc/gshadow-
       owner: root
       group: shadow
-      mode: 0640
+      mode: '0640'
   when:
       - ubtu20cis_rule_6_1_8
   tags:
@@ -133,7 +133,7 @@
       path: /etc/shells
       owner: root
       group: root
-      mode: 0644
+      mode: '0644'
   when:
       - ubtu20cis_rule_6_1_9
   tags:
@@ -156,7 +156,7 @@
             path: /etc/opasswd
             owner: root
             group: root
-            mode: 0600
+            mode: '0600'
             state: touch
         when: opasswd.stat.exists
 
@@ -170,7 +170,7 @@
             path: /etc/opasswd.old
             owner: root
             group: root
-            mode: 0600
+            mode: '0600'
         when: opasswd_old.stat.exists
   when:
       - ubtu20cis_rule_6_1_10