Merge pull request #322 from ansible-lockdown/dec25_pub

Dec25 pub

Author: frederickw082922

Changelog.md

@@ -4,6 +4,13 @@
 
 ### Do not migrate
 
+# Dec 25 update
+pre-commits
+
+4.1.5 updated variables, loop and added ntp
+6.3.4.1/2/3 separated the tasks
+prelim check for pwquality changed_when logic update thanks to @FrsECM #318
+
 # Sept 25 updates
 
 - 5.4.2.5 improved thanks to @numericillustration

defaults/main.yml

@@ -791,9 +791,16 @@ ubtu22cis_ufw_use_sysctl: true
 # If you want to allow outbound traffic on all ports, set the variable to  `all`, e.g.,
 # `ubtu22cis_ufw_allow_out_ports: "all"`.
 ubtu22cis_ufw_allow_out_ports:
-  - 53
-  - 80
-  - 443
+  - port: 53
+    proto: tcp
+  - port: 53
+    proto: udp
+  - port: 80
+    proto: tcp
+  - port: 123
+    proto: udp
+  - port: 443
+    proto: tcp
 
 ## Controls 4.2.x - nftables
 # Nftables is not supported in this role. Some tasks have parts of them commented out, this is one example

tasks/prelim.yml

@@ -168,7 +168,7 @@
     modification_time: preserve
     access_time: preserve
   register: prelim_pwquality_dummy
-  changed_when: prelim_pwquality_dummy.diff == "absent"
+  changed_when: prelim_pwquality_dummy.changed
   loop:
     - { path: '/etc/security/pwquality.conf.d', state: 'directory' }
     - { path: '/etc/security/pwquality.conf.d/cis_dummy.conf', state: 'touch' }

tasks/section_4/cis_4.1.x.yml

@@ -110,9 +110,11 @@
       community.general.ufw:
         rule: allow
         direction: out
-        to_port: '{{ item }}'
-      with_items:
-        - "{{ ubtu22cis_ufw_allow_out_ports }}"
+        proto: "{{ item.proto }}"
+        to_port: '{{ item.port }}'
+      loop: "{{ ubtu22cis_ufw_allow_out_ports }}"
+      loop_control:
+        label: "{{ item.port }}"
       notify: Reload ufw
 
     - name: "4.1.5 | PATCH | Ensure ufw outbound connections are configured | Allow all"

tasks/section_6/cis_6.3.4.x.yml

@@ -1,27 +1,57 @@
 ---
 
-- name: |
-      "6.3.4.1 | PATCH | Ensure audit log files mode is configured"
-      "6.3.4.2 | PATCH | Ensure audit log files owner is configured"
-      "6.3.4.3 | PATCH | Ensure audit log files group owner is configured"
-  when:
-    - ubtu22cis_rule_6_3_4_1 or
-      ubtu22cis_rule_6_3_4_2 or
-      ubtu22cis_rule_6_3_4_3
+- name: "6.3.4.1 | PATCH | Ensure audit log files mode is configured"
+  when: ubtu22cis_rule_6_3_4_1
   tags:
     - level1-server
     - level1-workstation
     - patch
     - auditd
     - rule_6.3.4.1
+    - NIST800-53R5_AU-3
+  ansible.builtin.file:
+    path: "{{ prelim_auditd_logfile.stdout | dirname }}"
+    recurse: true
+    mode: 'u-x,g-wx,o-rwx'
+
+- name: "6.3.4.2 | PATCH | Ensure audit log files owner is configured"
+  when: ubtu22cis_rule_6_3_4_2
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - auditd
     - rule_6.3.4.2
-    - rule_6.3.4.3
     - NIST800-53R5_AU-3
   ansible.builtin.file:
-    path: "{{ prelim_auditd_logfile.stdout }}"
+    path: "{{ prelim_auditd_logfile.stdout | dirname }}"
+    recurse: true
     owner: root
-    group: root
-    mode: 'u-x,g-wx,o-rwx'
+
+- name: "6.3.4.3 | PATCH | Ensure audit log files group owner is configured"
+  when: ubtu22cis_rule_6_3_4_3
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - auditd
+    - rule_6.3.4.3
+    - NIST800-53R5_AU-3
+  block:
+    - name: "6.3.4.3 | AUDIT | Ensure audit log files group owner is configured | stat logfile"
+      ansible.builtin.find:
+        path: "{{ prelim_auditd_logfile.stdout | dirname }}"
+        file_type: file
+      register: discovered_auditd_logs
+
+    - name: "6.3.4.3 | PATCH | Ensure audit log files group owner is configured"
+      when: item.gr_name not in [ 'root', 'adm' ]
+      ansible.builtin.file:
+        path: "{{ item.path }}"
+        group: root
+      loop: "{{ discovered_auditd_logs.files }}"
+      loop_control:
+        label: "{{ item.path }}"
 
 - name: "6.3.4.4 | PATCH | Ensure the audit log file directory mode is configured"
   when: ubtu22cis_rule_6_3_4_4