Merge pull request #71 from ansible-lockdown/goss_update
updates and improvements
uk-bolly authored Sep 13, 2023
2 parents e2afe3f + a0d3fe8 commit 50713b6
Showing 11 changed files with 130 additions and 47 deletions.
6 changes: 3 additions & 3 deletions .config/.secrets.baseline
Expand Up @@ -124,15 +124,15 @@
"filename": "defaults/main.yml",
"hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
"is_verified": false,
"line_number": 454,
"line_number": 458,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": "defaults/main.yml",
"hashed_secret": "62d080aa835d5cde69e3162f928472a204769a63",
"is_verified": false,
"line_number": 641,
"line_number": 645,
"is_secret": false
}
],
Expand Down Expand Up @@ -164,5 +164,5 @@
}
]
},
"generated_at": "2023-08-09T10:22:53Z"
"generated_at": "2023-09-11T16:16:48Z"
}
14 changes: 14 additions & 0 deletions Changelog.md
Expand Up @@ -2,6 +2,20 @@

## Based on CIS V1.0.0

### v1.0.4

Several issues addressed
Version of goss updated along with associated audit content
linting update
pre-commit added

- #59
- #61
- #62
- #64
- #67
- #69

### v1.0.3

Issues:
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -68,8 +68,9 @@ This role was developed against a clean install of the Operating System. If you

**Technical Dependencies:**

- Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer)
- Running Ansible/Tower setup (this role is tested against Ansible version 2.10.1 and newer)
- Python3 Ansible run environment
- goss >= 0.4.0 (If using for audit)

## Auditing (new)

6 changes: 3 additions & 3 deletions defaults/main.yml
Expand Up @@ -510,7 +510,7 @@ ubtu22cis_is_mail_server: false
# Section 3 Control Variables
# Control 3.1.1
# How to disable ipv6 either via grub or sysctl settings options: grub or sysctl
ubuntu22cis_ipv6_disable: grub
ubtu22cis_ipv6_disable: grub

# Control 3.1.2
# ubtu22cis_install_network_manager determines if this role can install network manager
Expand Down Expand Up @@ -716,8 +716,8 @@ ubtu22cis_dotperm_ansiblemanaged: true

### Audit binary settings ###
audit_bin_version:
release: v0.3.21
checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3'
release: v0.4.0
checksum: 'sha256:9cb37863d3d25e2af80cb5cf55198c0c115b2477724153ba9afd0a2e544cb46e'
audit_bin_path: /usr/local/bin/
audit_bin: "{{ audit_bin_path }}goss"
audit_format: json
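Review bot: Renaming `ubuntu22cis_ipv6_disable` to `ubtu22cis_ipv6_disable` silently breaks any inventory or group_vars that still sets the old name: the old value is ignored and the role falls back to the default `grub`, and the Changelog entry in this commit does not call the rename out. A one-release transition keeps existing overrides working, e.g. `ubtu22cis_ipv6_disable: "{{ ubuntu22cis_ipv6_disable | default('grub') }}"` with a comment marking the old name deprecated, plus a line in the v1.0.4 changelog. The goss bump keeps a pinned sha256 for the downloaded binary, which is the right thing for a supply-chain-sensitive download; the value itself cannot be verified from here, so whoever merges should confirm it against the upstream v0.4.0 release artifact.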
24 changes: 24 additions & 0 deletions tasks/section_1/cis_1.1.1.x.yml
Expand Up @@ -9,6 +9,14 @@
line: install cramfs /bin/true
create: true

- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist cramfs(\\s|$)"
line: "blacklist cramfs"
create: true
mode: '0600'

- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs"
community.general.modprobe:
name: cramfs
Expand All @@ -33,6 +41,14 @@
line: install squashfs /bin/true
create: true

- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist squashfs(\\s|$)"
line: "blacklist squashfs"
create: true
mode: '0600'

- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
community.general.modprobe:
name: squashfs
Expand All @@ -58,6 +74,14 @@
line: install udf /bin/true
create: true

- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist udf(\\s|$)"
line: "blacklist udf"
create: true
mode: '0600'

- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled | Disable udf"
community.general.modprobe:
name: udf
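Review bot: The three new blacklist tasks append to the shared `/etc/modprobe.d/blacklist.conf` and force `mode: '0600'` on it, while the sibling `install <module> /bin/true` tasks create their per-module files with no explicit mode, so the role's modprobe drop-ins end up with inconsistent permissions. On Ubuntu that path is, as far as I recall, a conffile shipped by the kmod package, so editing it invites dpkg conffile prompts on upgrade and tightening it to 0600 changes a package-owned file for no security gain (modprobe reads it as root either way). A role-owned drop-in keeps the distro file untouched: either add `blacklist cramfs` to the existing cramfs.conf task's lines, or write all three to one file such as `path: /etc/modprobe.d/cis-blacklist.conf` with `mode: '0644'`, ideally as a single task looping over `[cramfs, squashfs, udf]` so the three copies cannot drift. Each of these tasks sits inside a `block:` whose `when:`/`tags:` are outside the hunk.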
4 changes: 2 additions & 2 deletions tasks/section_1/cis_1.4.x.yml
Expand Up @@ -8,7 +8,7 @@
dest: "{{ ubtu22cis_grub_user_file }}"
owner: root
group: root
mode: 0755
mode: '0755'
notify: Grub update

- name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot"
Expand Down Expand Up @@ -43,7 +43,7 @@
path: "{{ ubtu22cis_grub_file }}"
owner: root
group: root
mode: 0400
mode: '0400'
when:
- ubtu22cis_1_4_2_grub_cfg_status.stat.exists
when:
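Review bot: `mode: '0755'` on the file written to `ubtu22cis_grub_user_file` leaves it world-readable; if that file carries the `password_pbkdf2` superuser entry (the surrounding 1.4.1 task names suggest it is the bootloader-password drop-in), the PBKDF2 hash is exposed to every local user, while grub-mkconfig runs as root and only needs the owner execute bit. Consider `mode: '0700'` unless something else in the role depends on other users reading it. The task that owns this `dest:` starts before the hunk, so the source template and its contents are not visible here.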
1 change: 1 addition & 0 deletions tasks/section_2/cis_2.1.1.x.yml
Expand Up @@ -22,6 +22,7 @@
state: stopped
enabled: false
masked: true
daemon_reload: true
when: ubtu22cis_time_sync_tool != "systemd-timesyncd"
when:
- ubtu22cis_rule_2_1_1_1
4 changes: 2 additions & 2 deletions tasks/section_3/cis_3.1.x.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
regexp: '^(GRUB_CMDLINE_LINUX=.*)ipv6.disable=(0|1)(.*$)'
line: '\g<1>\g<3> ipv6.disable=1'
backrefs: true
when: ubuntu22cis_ipv6_disable == 'grub'
when: ubtu22cis_ipv6_disable == 'grub'
notify: Grub update

- name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Remove net.ipv6.conf.all.disable_ipv6"
Expand All @@ -21,7 +21,7 @@
notify: Flush ipv6 route table
loop:
- etc/sysctl.d/60-disable_ipv6.conf
when: ubuntu22cis_ipv6_disable == 'sysctl'
when: ubtu22cis_ipv6_disable == 'sysctl'
when:
- ubtu22cis_rule_3_1_1
- not ubtu22cis_ipv6_required
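Review bot: Both 3.1.1 tasks are gated on `ubtu22cis_ipv6_disable == 'grub'` and `== 'sysctl'` with no third branch, so a typo, or an inventory that still sets the pre-rename `ubuntu22cis_ipv6_disable`, skips both tasks and leaves IPv6 enabled while the play reports rule 3.1.1 as handled. Add a fail-fast check ahead of these tasks, e.g. `ansible.builtin.assert:` with `that: ubtu22cis_ipv6_disable in ['grub', 'sysctl']` and `fail_msg: "ubtu22cis_ipv6_disable must be 'grub' or 'sysctl'"`, guarded by the same `ubtu22cis_rule_3_1_1` / `not ubtu22cis_ipv6_required` conditions. The enclosing block starts and ends outside this hunk.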
107 changes: 75 additions & 32 deletions tasks/section_3/cis_3.4.x.yml
@@ -1,14 +1,25 @@
---

- name: "3.4.1 | PATCH | Ensure DCCP is disabled"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/dccp.conf
regexp: '^(#)?install dccp(\\s|$)'
line: "{{ item }}"
create: true
loop:
- install dccp /bin/true
- blacklist dccp
block:
- name: "3.4.1 | PATCH | Ensure DCCP is disabled | modprobe"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/dccp.conf
regexp: '^(#)?install dccp(\\s|$)'
line: "{{ item }}"
create: true
loop:
- install dccp /bin/true
- blacklist dccp

- name: "3.4.1 | PATCH | Ensure DCCP is disabled | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist cramfs(\\s|$)"
line: "blacklist cramfs"
create: true
mode: '0600'

when:
- ubtu22cis_rule_3_4_1
tags:
Expand All @@ -20,14 +31,25 @@
- dccp

- name: "3.4.2 | PATCH | Ensure SCTP is disabled"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/sctp.conf
regexp: '^(#)?install sctp(\\s|$)'
line: "{{ item }}"
create: true
loop:
- install sctp /bin/true
- blacklist sctp
block:
- name: "3.4.2 | PATCH | Ensure SCTP is disabled modprobe"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/sctp.conf
regexp: '^(#)?install sctp(\\s|$)'
line: "{{ item }}"
create: true
loop:
- install sctp /bin/true
- blacklist sctp

- name: "3.4.2 | PATCH | Ensure SCTP is disabled | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist sctp(\\s|$)"
line: "blacklist sctp"
create: true
mode: '0600'

when:
- ubtu22cis_rule_3_4_2
tags:
Expand All @@ -39,14 +61,24 @@
- sctp

- name: "3.4.3 | PATCH | Ensure RDS is disabled"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/rds.conf
regexp: '^(#)?install rds(\\s|$)'
line: "{{ item }}"
create: true
loop:
- install rds /bin/true
- blacklist rds
block:
- name: "3.4.3 | PATCH | Ensure RDS is disabled | modprobe"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/rds.conf
regexp: '^(#)?install rds(\\s|$)'
line: "{{ item }}"
create: true
loop:
- install rds /bin/true
- blacklist rds

- name: "3.4.3 | PATCH | Ensure RDS is disabled | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist rds(\\s|$)"
line: "blacklist rds"
create: true
mode: '0600'
when:
- ubtu22cis_rule_3_4_3
tags:
Expand All @@ -58,14 +90,25 @@
- rds

- name: "3.4.4 | PATCH | Ensure TIPC is disabled"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/tipc.conf
regexp: '^(#)?install tipc(\\s|$)'
line: "{{ item }}"
create: true
loop:
- install tipc /bin/true
- blacklist tipc
block:
- name: "3.4.4 | PATCH | Ensure TIPC is disabled | modprobe"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/tipc.conf
regexp: '^(#)?install tipc(\\s|$)'
line: "{{ item }}"
create: true
loop:
- install tipc /bin/true
- blacklist tipc

- name: "3.4.4 | PATCH | Ensure TIPC is disabled | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist tipc(\\s|$)"
line: "blacklist tipc"
create: true
mode: '0600'

when:
- ubtu22cis_rule_3_4_4
tags:
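Review bot: The new `3.4.1 | PATCH | Ensure DCCP is disabled | blacklist` task writes `blacklist cramfs` instead of `blacklist dccp` (`regexp: "^(#)?blacklist cramfs(\\s|$)"` and `line: "blacklist cramfs"`), so DCCP never gets a blacklist.conf entry and the task merely repeats what 1.1.1.1 already does; both values should be `dccp`. The `blacklist <module>` line is in any case still written into the per-module file by the existing `loop`, so the four new tasks are redundant unless the intent is specifically to populate blacklist.conf, in which case one task looping over `[dccp, sctp, rds, tipc]` would have prevented exactly this copy-paste slip. Note also that the loop regexps are single-quoted, so `(\\s|$)` reaches Python as a literal backslash-plus-`s` and never matches `install dccp /bin/true`; the loop only works because lineinfile falls back to an exact-line match, and the same regexp is reused for the `blacklist` item. The 3.4.2 task name `Ensure SCTP is disabled modprobe` is missing the ` | ` separator the other tasks use.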
4 changes: 2 additions & 2 deletions tasks/section_5/cis_5.4.x.yml
Expand Up @@ -113,8 +113,8 @@
- name: "5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_unix does exist"
ansible.builtin.lineinfile:
path: /etc/pam.d/common-password
regexp: '^(password\s*\[success=1 default=ignore\] pam_unix.*)(remember=([0-9]{1,})|)(.*$)'
line: '\g<1>\g<2> remember={{ ubtu22cis_pamd_pwhistory_remember }}'
regexp: '^(password\s*\[success=1 default=ignore\] pam_unix.so)(.*)(remember=([0-9]{1,})|)(.*$)'
line: '\g<1>\g<2>\g<3> remember={{ ubtu22cis_pamd_pwhistory_remember }}'
backrefs: true
when:
- ubtu22cis_5_4_3_pam_unix_state.stdout | length > 0
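Review bot: The new regexp still cannot preserve or replace an existing `remember=` value: group 2 `(.*)` is greedy and swallows everything after `pam_unix.so`, so group 3 `(remember=([0-9]{1,})|)` always takes the empty alternative and the rebuilt line appends a second ` remember=N` after the one already present (and the `\g<3>` in `line:` would re-insert the old value if it ever did match). Unless the `ubtu22cis_5_4_3_pam_unix_state` guard, produced by a task outside this hunk, already excludes lines that carry `remember=`, the task is also not idempotent, since every run appends another token. A pattern that captures the tokens before and after any existing entry and drops the entry itself fixes both: `regexp: '^(password\s*\[success=1 default=ignore\]\s+pam_unix\.so)((?:\s+(?!remember=)\S+)*)(?:\s+remember=[0-9]+)?((?:\s+\S+)*)\s*$'` with `line: '\g<1>\g<2>\g<3> remember={{ ubtu22cis_pamd_pwhistory_remember }}'`. Worth confirming with a second run on a host where pam_unix already has `remember=` set.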
4 changes: 2 additions & 2 deletions templates/ansible_vars_goss.yml.j2
Expand Up @@ -3,7 +3,7 @@
benchmark_version: '1.1.0'


# Some audit tests may need to scan every filesystem or have an impact on a system
# Some audit tests may need to scan every filesystem or have an impact on a system
# these may need be scheduled to minimise impact also ability to set a timeout if taking too long
timeout_ms: {{ audit_cmd_timeout }}

Expand Down Expand Up @@ -460,7 +460,7 @@ ubtu22cis_rpc_required: {{ ubtu22cis_rpc_required }}
# IPv6 required
ubtu22cis_ipv6_required: {{ ubtu22cis_ipv6_required }}
# How to disable ipv6 either via grub or sysctl settings options: grub or sysctl
ubtu22cis_ipv6_disable: {{ ubuntu22cis_ipv6_disable }}
ubtu22cis_ipv6_disable: {{ ubtu22cis_ipv6_disable }}


# System network parameters (host only OR host and router)
