Merge pull request #327 from ansible-lockdown/devel

Update latest main branch

Author: frederickw082922

.ansible-lint

@@ -1,6 +1,5 @@
 ---
 
-parseable: true
 quiet: true
 skip_list:
   - 'package-latest'

.pre-commit-config.yaml

@@ -41,12 +41,12 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.28.0
+  rev: v8.30.0
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.9.2
+  rev: v26.1.1
   hooks:
   - id: ansible-lint
     name: Ansible-lint
@@ -65,7 +65,7 @@ repos:
     # - ansible-core>=2.10.1
 
 - repo: https://github.com/adrienverge/yamllint.git
-  rev: v1.37.1  # or higher tag
+  rev: v1.38.0  # or higher tag
   hooks:
   - id: yamllint
     name: Check YAML Lint

Changelog.md

@@ -4,6 +4,18 @@
 
 ### Do not migrate
 
+# Jan26
+pre-commits
+#325 nopasswd for sudoers options added
+chrony template tidied up
+
+# Dec 25 update
+pre-commits
+
+4.1.5 updated variables, loop and added ntp
+6.3.4.1/2/3 separated the tasks
+prelim check for pwquality changed_when logic update thanks to @FrsECM #318
+
 # Sept 25 updates
 
 - 5.4.2.5 improved thanks to @numericillustration

defaults/main.yml

@@ -791,9 +791,16 @@ ubtu22cis_ufw_use_sysctl: true
 # If you want to allow outbound traffic on all ports, set the variable to  `all`, e.g.,
 # `ubtu22cis_ufw_allow_out_ports: "all"`.
 ubtu22cis_ufw_allow_out_ports:
-  - 53
-  - 80
-  - 443
+  - port: 53
+    proto: tcp
+  - port: 53
+    proto: udp
+  - port: 80
+    proto: tcp
+  - port: 123
+    proto: udp
+  - port: 443
+    proto: tcp
 
 ## Controls 4.2.x - nftables
 # Nftables is not supported in this role. Some tasks have parts of them commented out, this is one example
@@ -902,6 +909,12 @@ ubtu22cis_sshd_deny_groups: ""
 # CIS recommends `sudo` or, if LDAP functionality is required, `sudo-ldap`.
 ubtu22cis_sudo_package: "sudo"
 
+## control 5.2.4 sudoers NOPASSWD
+# This will leave NOPASSWD intact for these users
+ubtu22cis_sudoers_exclude_nopasswd_list:
+  - ec2-user
+  - vagrant
+
 ## Control 5.2.3
 # This variable defines the path and file name of the sudo log file.
 ubtu22cis_sudo_logfile: "/var/log/sudo.log"
@@ -1135,6 +1148,37 @@ ubtu22cis_aide_cron_month: '*'
 # can be concatenated with commas.
 ubtu22cis_aide_cron_weekday: '*'
 
+# This variable represents the actual command or script that the systemd timer
+# will execute for running AIDE in update mode.
+ubtu22cis_aide_systemd_exec: '/usr/bin/aide --config /etc/aide/aide.conf --update'
+
+# These variables define the schedule for the systemd timer job
+# This variable governs the minute of the time of day when the AIDE systemd timer is run.
+# It must be in the range `0-59`.
+ubtu22cis_aide_systemd_minute: 0
+
+# This variable governs the hour of the time of day when the AIDE systemd timer is run.
+# It must be in the range `0-23`.
+ubtu22cis_aide_systemd_hour: 5
+
+# This variable governs the day of the month when the AIDE systemd timer is run.
+# `*` signifies that the job is run on all days; furthermore, specific days
+# can be given in the range `1-31`; several days can be concatenated with a comma.
+# The specified day(s) must be in the range `1-31`.
+ubtu22cis_aide_systemd_day: '*'
+
+# This variable governs months when the AIDE systemd timer is run.
+# `*` signifies that the job is run in every month; furthermore, specific months
+# can be given in the range `1-12`; several months can be concatenated with commas.
+# The specified month(s) must be in the range `1-12`.
+ubtu22cis_aide_systemd_month: '*'
+
+# This variable governs the weekdays when the AIDE systemd timer is run.
+# `*` signifies that the job is run on all weekdays; furthermore, specific weekdays
+# can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays
+# can be concatenated with commas.
+ubtu22cis_aide_systemd_weekday: '*'
+
 ## Controls 6.2.1.x journald
 
 # This variable specifies the address of the remote log host where logs are being sent.
@@ -1276,9 +1320,16 @@ ubtu22cis_dotperm_ansiblemanaged: true
 
 ## Section 7
 
-# 7.1.12 Ensure no files or directories without an owner and a group exist
-ubtu22cis_exclude_unowned_search_path: (! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/fs/cgroup/memory/*" -a ! -path "/var/*/private/*")
+# 7.1.12
+# Ensure no files or directories without an owner and a group exist
+# Extend the list as required adding the the current list e.g. "-a ! -path "/somedir/*"
+# Note Ensure to document all exclusions that do not match the benchmark
+ubtu22cis_exclude_unowned_search_path: '\( ! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/fs/cgroup/memory/*" -a ! -path "/var/*/private/*" \)'
 
+# This can be extended as seen fit
+# NFS added as starter to be extended with "-a -not -fstype CIFS"
+# Note Ensure to document all exclusions that do not match the benchmark
+ubtu22cis_exclude_unowned_filesystem_types: '\( -not -fstype nfs \)'
 # Control 7.1.12
 # The value of this variable specifies the owner that will be set for unowned files and directories.
 ubtu22cis_unowned_owner: root

tasks/prelim.yml

@@ -168,7 +168,7 @@
     modification_time: preserve
     access_time: preserve
   register: prelim_pwquality_dummy
-  changed_when: prelim_pwquality_dummy.diff == "absent"
+  changed_when: prelim_pwquality_dummy.changed
   loop:
     - { path: '/etc/security/pwquality.conf.d', state: 'directory' }
     - { path: '/etc/security/pwquality.conf.d/cis_dummy.conf', state: 'touch' }

tasks/section_4/cis_4.1.x.yml

@@ -110,9 +110,11 @@
       community.general.ufw:
         rule: allow
         direction: out
-        to_port: '{{ item }}'
-      with_items:
-        - "{{ ubtu22cis_ufw_allow_out_ports }}"
+        proto: "{{ item.proto }}"
+        to_port: '{{ item.port }}'
+      loop: "{{ ubtu22cis_ufw_allow_out_ports }}"
+      loop_control:
+        label: "{{ item.port }}"
       notify: Reload ufw
 
     - name: "4.1.5 | PATCH | Ensure ufw outbound connections are configured | Allow all"

tasks/section_5/cis_5.2.x.yml

@@ -53,12 +53,22 @@
     - sudo
     - rule_5.2.4
     - NIST800-53R5_AC-6
-  ansible.builtin.replace:
-    path: "{{ item }}"
-    regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'
-    replace: '\1PASSWD\2'
-    validate: '/usr/sbin/visudo -cf %s'
-  loop: "{{ prelim_sudoers_files.stdout_lines }}"
+  block:
+    - name: "5.2.4 | AUDIT | Ensure users must provide password for escalation | discover accts with NOPASSWD"
+      ansible.builtin.shell: grep -Ei '(nopasswd)' /etc/sudoers /etc/sudoers.d/* | cut -d':' -f1
+      become: true
+      changed_when: false
+      failed_when: false
+      register: discovered_sudoers_nopasswd
+
+    - name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
+      when: discovered_sudoers_nopasswd.stdout | length > 0
+      ansible.builtin.replace:
+        path: "{{ item }}"
+        regexp: '^((?!#|{% for name in ubtu22cis_sudoers_exclude_nopasswd_list %}{{ name }}{% if not loop.last -%}|{%- endif -%}{% endfor %}).*)NOPASSWD(.*)'
+        replace: '\1PASSWD\2'
+        validate: '/usr/sbin/visudo -cf %s'
+      loop: "{{ discovered_sudoers_nopasswd.stdout_lines }}"
 
 - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
   when: ubtu22cis_rule_5_2_5

tasks/section_6/cis_6.3.4.x.yml

@@ -1,27 +1,57 @@
 ---
 
-- name: |
-      "6.3.4.1 | PATCH | Ensure audit log files mode is configured"
-      "6.3.4.2 | PATCH | Ensure audit log files owner is configured"
-      "6.3.4.3 | PATCH | Ensure audit log files group owner is configured"
-  when:
-    - ubtu22cis_rule_6_3_4_1 or
-      ubtu22cis_rule_6_3_4_2 or
-      ubtu22cis_rule_6_3_4_3
+- name: "6.3.4.1 | PATCH | Ensure audit log files mode is configured"
+  when: ubtu22cis_rule_6_3_4_1
   tags:
     - level1-server
     - level1-workstation
     - patch
     - auditd
     - rule_6.3.4.1
+    - NIST800-53R5_AU-3
+  ansible.builtin.file:
+    path: "{{ prelim_auditd_logfile.stdout | dirname }}"
+    recurse: true
+    mode: 'u-x,g-wx,o-rwx'
+
+- name: "6.3.4.2 | PATCH | Ensure audit log files owner is configured"
+  when: ubtu22cis_rule_6_3_4_2
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - auditd
     - rule_6.3.4.2
-    - rule_6.3.4.3
     - NIST800-53R5_AU-3
   ansible.builtin.file:
-    path: "{{ prelim_auditd_logfile.stdout }}"
+    path: "{{ prelim_auditd_logfile.stdout | dirname }}"
+    recurse: true
     owner: root
-    group: root
-    mode: 'u-x,g-wx,o-rwx'
+
+- name: "6.3.4.3 | PATCH | Ensure audit log files group owner is configured"
+  when: ubtu22cis_rule_6_3_4_3
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - auditd
+    - rule_6.3.4.3
+    - NIST800-53R5_AU-3
+  block:
+    - name: "6.3.4.3 | AUDIT | Ensure audit log files group owner is configured | stat logfile"
+      ansible.builtin.find:
+        path: "{{ prelim_auditd_logfile.stdout | dirname }}"
+        file_type: file
+      register: discovered_auditd_logs
+
+    - name: "6.3.4.3 | PATCH | Ensure audit log files group owner is configured"
+      when: item.gr_name not in [ 'root', 'adm' ]
+      ansible.builtin.file:
+        path: "{{ item.path }}"
+        group: root
+      loop: "{{ discovered_auditd_logs.files }}"
+      loop_control:
+        label: "{{ item.path }}"
 
 - name: "6.3.4.4 | PATCH | Ensure the audit log file directory mode is configured"
   when: ubtu22cis_rule_6_3_4_4

tasks/section_7/cis_7.1.x.yml

@@ -220,7 +220,7 @@
     warn_control_id: '7.1.12'
   block:
     - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
-      ansible.builtin.command: 'find {{ ubtu22cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs'
+      ansible.builtin.command: find {{ ubtu22cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) {{ ubtu22cis_exclude_unowned_filesystem_types }}
       changed_when: false
       failed_when: false
       check_mode: false

templates/chrony.conf.j2

@@ -1,5 +1,5 @@
 # Welcome to the chrony configuration file. See chrony.conf(5) for more
-# information about usuable directives.
+# information about useable directives.
 
 # This will use (up to):
 # - 4 sources from ntp.ubuntu.com which some are ipv6 enabled
@@ -89,5 +89,3 @@ logchange 0.5
 # chrony postinst based on what it found in /etc/default/rcS.  You may
 # change it if necessary.
 rtconutc
-
-user {{ ubtu22cis_chrony_user }}