updates and improvements

.config/.secrets.baseline

@@ -124,15 +124,15 @@
         "filename": "defaults/main.yml",
         "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
         "is_verified": false,
-        "line_number": 454,
+        "line_number": 458,
         "is_secret": false
       },
       {
         "type": "Secret Keyword",
         "filename": "defaults/main.yml",
         "hashed_secret": "62d080aa835d5cde69e3162f928472a204769a63",
         "is_verified": false,
-        "line_number": 641,
+        "line_number": 645,
         "is_secret": false
       }
     ],
@@ -164,5 +164,5 @@
       }
     ]
   },
-  "generated_at": "2023-08-09T10:22:53Z"
+  "generated_at": "2023-09-11T16:16:48Z"
 }

Changelog.md

@@ -2,6 +2,20 @@
 
 ## Based on CIS V1.0.0
 
+### v1.0.4
+
+Several issues addressed
+Version of goss updated along with associated audit content
+linting update
+pre-commit added
+
+- #59
+- #61
+- #62
+- #64
+- #67
+- #69
+
 ### v1.0.3
 
 Issues:

README.md

@@ -68,8 +68,9 @@ This role was developed against a clean install of the Operating System. If you
 
 **Technical Dependencies:**
 
-- Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer)
+- Running Ansible/Tower setup (this role is tested against Ansible version 2.10.1 and newer)
 - Python3 Ansible run environment
+- goss >= 0.4.0 (If using for audit)
 
 ## Auditing (new)
 

defaults/main.yml

@@ -510,7 +510,7 @@ ubtu22cis_is_mail_server: false
 # Section 3 Control Variables
 # Control 3.1.1
 # How to disable ipv6 either via grub or sysctl settings options: grub or sysctl
-ubuntu22cis_ipv6_disable: grub
+ubtu22cis_ipv6_disable: grub
 
 # Control 3.1.2
 # ubtu22cis_install_network_manager determines if this role can install network manager
@@ -716,8 +716,8 @@ ubtu22cis_dotperm_ansiblemanaged: true
 
 ### Audit binary settings ###
 audit_bin_version:
-    release: v0.3.21
-    checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3'
+    release: v0.4.0
+    checksum: 'sha256:9cb37863d3d25e2af80cb5cf55198c0c115b2477724153ba9afd0a2e544cb46e'
 audit_bin_path: /usr/local/bin/
 audit_bin: "{{ audit_bin_path }}goss"
 audit_format: json

tasks/section_1/cis_1.1.1.x.yml

@@ -9,6 +9,14 @@
             line: install cramfs /bin/true
             create: true
 
+      - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | blacklist"
+        ansible.builtin.lineinfile:
+            path: /etc/modprobe.d/blacklist.conf
+            regexp: "^(#)?blacklist cramfs(\\s|$)"
+            line: "blacklist cramfs"
+            create: true
+            mode: '0600'
+
       - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs"
         community.general.modprobe:
             name: cramfs
@@ -33,6 +41,14 @@
             line: install squashfs /bin/true
             create: true
 
+      - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist"
+        ansible.builtin.lineinfile:
+            path: /etc/modprobe.d/blacklist.conf
+            regexp: "^(#)?blacklist squashfs(\\s|$)"
+            line: "blacklist squashfs"
+            create: true
+            mode: '0600'
+
       - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
         community.general.modprobe:
             name: squashfs
@@ -58,6 +74,14 @@
             line: install udf /bin/true
             create: true
 
+      - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist"
+        ansible.builtin.lineinfile:
+            path: /etc/modprobe.d/blacklist.conf
+            regexp: "^(#)?blacklist udf(\\s|$)"
+            line: "blacklist udf"
+            create: true
+            mode: '0600'
+
       - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled | Disable udf"
         community.general.modprobe:
             name: udf

tasks/section_1/cis_1.4.x.yml

@@ -8,7 +8,7 @@
             dest: "{{ ubtu22cis_grub_user_file }}"
             owner: root
             group: root
-            mode: 0755
+            mode: '0755'
         notify: Grub update
 
       - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot"
@@ -43,7 +43,7 @@
             path: "{{ ubtu22cis_grub_file }}"
             owner: root
             group: root
-            mode: 0400
+            mode: '0400'
         when:
             - ubtu22cis_1_4_2_grub_cfg_status.stat.exists
   when:

tasks/section_2/cis_2.1.1.x.yml

@@ -22,6 +22,7 @@
             state: stopped
             enabled: false
             masked: true
+            daemon_reload: true
         when: ubtu22cis_time_sync_tool != "systemd-timesyncd"
   when:
       - ubtu22cis_rule_2_1_1_1

tasks/section_3/cis_3.1.x.yml

@@ -8,7 +8,7 @@
             regexp: '^(GRUB_CMDLINE_LINUX=.*)ipv6.disable=(0|1)(.*$)'
             line: '\g<1>\g<3> ipv6.disable=1'
             backrefs: true
-        when: ubuntu22cis_ipv6_disable == 'grub'
+        when: ubtu22cis_ipv6_disable == 'grub'
         notify: Grub update
 
       - name: "3.1.1 | PATCH | Ensure system is checked to determine if IPv6 is enabled | Remove net.ipv6.conf.all.disable_ipv6"
@@ -21,7 +21,7 @@
         notify: Flush ipv6 route table
         loop:
             - etc/sysctl.d/60-disable_ipv6.conf
-        when: ubuntu22cis_ipv6_disable == 'sysctl'
+        when: ubtu22cis_ipv6_disable == 'sysctl'
   when:
       - ubtu22cis_rule_3_1_1
       - not ubtu22cis_ipv6_required

tasks/section_3/cis_3.4.x.yml

@@ -1,14 +1,25 @@
 ---
 
 - name: "3.4.1 | PATCH | Ensure DCCP is disabled"
-  ansible.builtin.lineinfile:
-      path: /etc/modprobe.d/dccp.conf
-      regexp: '^(#)?install dccp(\\s|$)'
-      line: "{{ item }}"
-      create: true
-  loop:
-      - install dccp /bin/true
-      - blacklist dccp
+  block:
+      - name: "3.4.1 | PATCH | Ensure DCCP is disabled | modprobe"
+        ansible.builtin.lineinfile:
+            path: /etc/modprobe.d/dccp.conf
+            regexp: '^(#)?install dccp(\\s|$)'
+            line: "{{ item }}"
+            create: true
+        loop:
+            - install dccp /bin/true
+            - blacklist dccp
+
+      - name: "3.4.1 | PATCH | Ensure DCCP is disabled | blacklist"
+        ansible.builtin.lineinfile:
+            path: /etc/modprobe.d/blacklist.conf
+            regexp: "^(#)?blacklist cramfs(\\s|$)"
+            line: "blacklist cramfs"
+            create: true
+            mode: '0600'
+
   when:
       - ubtu22cis_rule_3_4_1
   tags:
@@ -20,14 +31,25 @@
       - dccp
 
 - name: "3.4.2 | PATCH | Ensure SCTP is disabled"
-  ansible.builtin.lineinfile:
-      path: /etc/modprobe.d/sctp.conf
-      regexp: '^(#)?install sctp(\\s|$)'
-      line: "{{ item }}"
-      create: true
-  loop:
-      - install sctp /bin/true
-      - blacklist sctp
+  block:
+      - name: "3.4.2 | PATCH | Ensure SCTP is disabled modprobe"
+        ansible.builtin.lineinfile:
+            path: /etc/modprobe.d/sctp.conf
+            regexp: '^(#)?install sctp(\\s|$)'
+            line: "{{ item }}"
+            create: true
+        loop:
+            - install sctp /bin/true
+            - blacklist sctp
+
+      - name: "3.4.2 | PATCH | Ensure SCTP is disabled | blacklist"
+        ansible.builtin.lineinfile:
+            path: /etc/modprobe.d/blacklist.conf
+            regexp: "^(#)?blacklist sctp(\\s|$)"
+            line: "blacklist sctp"
+            create: true
+            mode: '0600'
+
   when:
       - ubtu22cis_rule_3_4_2
   tags:
@@ -39,14 +61,24 @@
       - sctp
 
 - name: "3.4.3 | PATCH | Ensure RDS is disabled"
-  ansible.builtin.lineinfile:
-      path: /etc/modprobe.d/rds.conf
-      regexp: '^(#)?install rds(\\s|$)'
-      line: "{{ item }}"
-      create: true
-  loop:
-      - install rds /bin/true
-      - blacklist rds
+  block:
+      - name: "3.4.3 | PATCH | Ensure RDS is disabled | modprobe"
+        ansible.builtin.lineinfile:
+            path: /etc/modprobe.d/rds.conf
+            regexp: '^(#)?install rds(\\s|$)'
+            line: "{{ item }}"
+            create: true
+        loop:
+            - install rds /bin/true
+            - blacklist rds
+
+      - name: "3.4.3 | PATCH | Ensure RDS is disabled | blacklist"
+        ansible.builtin.lineinfile:
+            path: /etc/modprobe.d/blacklist.conf
+            regexp: "^(#)?blacklist rds(\\s|$)"
+            line: "blacklist rds"
+            create: true
+            mode: '0600'
   when:
       - ubtu22cis_rule_3_4_3
   tags:
@@ -58,14 +90,25 @@
       - rds
 
 - name: "3.4.4 | PATCH | Ensure TIPC is disabled"
-  ansible.builtin.lineinfile:
-      path: /etc/modprobe.d/tipc.conf
-      regexp: '^(#)?install tipc(\\s|$)'
-      line: "{{ item }}"
-      create: true
-  loop:
-      - install tipc /bin/true
-      - blacklist tipc
+  block:
+      - name: "3.4.4 | PATCH | Ensure TIPC is disabled | modprobe"
+        ansible.builtin.lineinfile:
+            path: /etc/modprobe.d/tipc.conf
+            regexp: '^(#)?install tipc(\\s|$)'
+            line: "{{ item }}"
+            create: true
+        loop:
+            - install tipc /bin/true
+            - blacklist tipc
+
+      - name: "3.4.4 | PATCH | Ensure TIPC is disabled | blacklist"
+        ansible.builtin.lineinfile:
+            path: /etc/modprobe.d/blacklist.conf
+            regexp: "^(#)?blacklist tipc(\\s|$)"
+            line: "blacklist tipc"
+            create: true
+            mode: '0600'
+
   when:
       - ubtu22cis_rule_3_4_4
   tags:

tasks/section_5/cis_5.4.x.yml

@@ -113,8 +113,8 @@
       - name: "5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_unix does exist"
         ansible.builtin.lineinfile:
             path: /etc/pam.d/common-password
-            regexp: '^(password\s*\[success=1 default=ignore\] pam_unix.*)(remember=([0-9]{1,})|)(.*$)'
-            line: '\g<1>\g<2> remember={{ ubtu22cis_pamd_pwhistory_remember }}'
+            regexp: '^(password\s*\[success=1 default=ignore\] pam_unix.so)(.*)(remember=([0-9]{1,})|)(.*$)'
+            line: '\g<1>\g<2>\g<3> remember={{ ubtu22cis_pamd_pwhistory_remember }}'
             backrefs: true
         when:
             - ubtu22cis_5_4_3_pam_unix_state.stdout | length > 0

templates/ansible_vars_goss.yml.j2

@@ -3,7 +3,7 @@
 benchmark_version: '1.1.0'
 
 
-# Some audit tests may need to scan every filesystem or have an impact on a system 
+# Some audit tests may need to scan every filesystem or have an impact on a system
 # these may need be scheduled to minimise impact also ability to set a timeout if taking too long
 timeout_ms: {{ audit_cmd_timeout }}
 
@@ -460,7 +460,7 @@ ubtu22cis_rpc_required: {{ ubtu22cis_rpc_required }}
 # IPv6 required
 ubtu22cis_ipv6_required: {{ ubtu22cis_ipv6_required }}
 # How to disable ipv6 either via grub or sysctl settings options: grub or sysctl
-ubtu22cis_ipv6_disable: {{ ubuntu22cis_ipv6_disable }}
+ubtu22cis_ipv6_disable: {{ ubtu22cis_ipv6_disable }}
 
 
 # System network parameters (host only OR host and router)