Merge pull request #326 from ansible-lockdown/pub_Jan26

frederickw082922 · web-flow · commit 1adc7bdc5dc1 · 2026-01-22T08:47:39.000-05:00
Jan26 updates
diff --git a/.ansible-lint b/.ansible-lint
@@ -1,6 +1,5 @@
 ---
 
-parseable: true
 quiet: true
 skip_list:
   - 'package-latest'
diff --git a/Changelog.md b/Changelog.md
@@ -4,6 +4,11 @@
 
 ### Do not migrate
 
+# Jan26
+pre-commits
+#325 nopasswd for sudoers options added
+chrony template tidied up
+
 # Dec 25 update
 pre-commits
 
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -909,6 +909,12 @@ ubtu22cis_sshd_deny_groups: ""
 # CIS recommends `sudo` or, if LDAP functionality is required, `sudo-ldap`.
 ubtu22cis_sudo_package: "sudo"
 
+## control 5.2.4 sudoers NOPASSWD
+# This will leave NOPASSWD intact for these users
+ubtu22cis_sudoers_exclude_nopasswd_list:
+  - ec2-user
+  - vagrant
+
 ## Control 5.2.3
 # This variable defines the path and file name of the sudo log file.
 ubtu22cis_sudo_logfile: "/var/log/sudo.log"
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
@@ -53,12 +53,22 @@
     - sudo
     - rule_5.2.4
     - NIST800-53R5_AC-6
-  ansible.builtin.replace:
-    path: "{{ item }}"
-    regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'
-    replace: '\1PASSWD\2'
-    validate: '/usr/sbin/visudo -cf %s'
-  loop: "{{ prelim_sudoers_files.stdout_lines }}"
+  block:
+    - name: "5.2.4 | AUDIT | Ensure users must provide password for escalation | discover accts with NOPASSWD"
+      ansible.builtin.shell: grep -Ei '(nopasswd)' /etc/sudoers /etc/sudoers.d/* | cut -d':' -f1
+      become: true
+      changed_when: false
+      failed_when: false
+      register: discovered_sudoers_nopasswd
+
+    - name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
+      when: discovered_sudoers_nopasswd.stdout | length > 0
+      ansible.builtin.replace:
+        path: "{{ item }}"
+        regexp: '^((?!#|{% for name in ubtu22cis_sudoers_exclude_nopasswd_list %}{{ name }}{% if not loop.last -%}|{%- endif -%}{% endfor %}).*)NOPASSWD(.*)'
+        replace: '\1PASSWD\2'
+        validate: '/usr/sbin/visudo -cf %s'
+      loop: "{{ discovered_sudoers_nopasswd.stdout_lines }}"
 
 - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
   when: ubtu22cis_rule_5_2_5
diff --git a/templates/chrony.conf.j2 b/templates/chrony.conf.j2
@@ -1,5 +1,5 @@
 # Welcome to the chrony configuration file. See chrony.conf(5) for more
-# information about usuable directives.
+# information about useable directives.
 
 # This will use (up to):
 # - 4 sources from ntp.ubuntu.com which some are ipv6 enabled
@@ -89,5 +89,3 @@ logchange 0.5
 # chrony postinst based on what it found in /etc/default/rcS.  You may
 # change it if necessary.
 rtconutc
-
-user {{ ubtu22cis_chrony_user }}
