Merge pull request #340 from ansible-lockdown/2026_Community_Updates

2026 Community Updates: fix global issues and community bugs

Author: frederickw082922

Changelog.md

@@ -1,5 +1,23 @@
 # Changelog — UBUNTU22-CIS
 
+## Based on CIS v3.0.0 - Branch [2026_Community_Updates]
+
+### Fixed
+
+- **prelim.yml:** Fixed mount UUID/LABEL loss — added fstab source parsing so handlers preserve UUID/LABEL entries instead of replacing them with `/dev/sdX` device names
+- **cis_2.1.x.yml:** Added ternary masking to 2.1.1 autofs service mask task — prevents failure when autofs package is not installed
+- **templates/tmp.mount.j2:** Fixed `Options:` (colon) to `Options=` (equals) in systemd mount unit — colon syntax is invalid and silently ignored by systemd
+- **defaults/main.yml:** Added `ubtu22cis_tmp_partition_mount_options` variable for tmp.mount template
+- **vars/is_container.yml:** Added missing `ubtu22cis_rule_6_2_1_1` to container skip list — auditd package install requires kernel audit subsystem unavailable in containers
+- **18 files:** Added `lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"` to all remaining `ansible.builtin.package` tasks across the role — prevents apt/dpkg frontend lock failures when unattended-upgrades or other apt processes are running (extends fix for [#330](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/330))
+
+### Already Fixed (verified in this pass)
+
+- **pwck/getent SIGPIPE rc=141:** All pwck and getent tasks already use `failed_when: false` — no changes needed
+- **UFW "all" loop error** ([#328](https://github.com/ansible-lockdown/UBUNTU22-CIS/issues/328)): Rule 4.1.4 already has separate `when` conditions for string `"all"` vs list of port dicts — no changes needed
+
+---
+
 ## Based on CIS v3.0.0 - Branch [2026_April_QA]
 
 ### Molecule Testing

defaults/main.yml

@@ -673,6 +673,11 @@ ubtu22cis_debug_mount_data: false
 # These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards.
 ubtu22cis_tmp_svc: false
 
+# Mount options applied to the tmp.mount systemd unit when ubtu22cis_tmp_svc is true
+ubtu22cis_tmp_partition_mount_options:
+  - mode=1777
+  - strictatime
+
 ## Controls 1.3.1.x - apparmor
 # AppArmor security policies define what system resources applications can access and their privileges.
 # This automatically limits the damage that the software can do to files accessible by the calling user.

tasks/pre_remediation_audit.yml

@@ -19,6 +19,7 @@
       ansible.builtin.package:
         name: git
         state: present
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: Pre Audit Setup | Retrieve audit content files from git
       ansible.builtin.git:

tasks/prelim.yml

@@ -43,13 +43,31 @@
       check_mode: false
       register: prelim_mount_output
 
+    - name: PRELIM | AUDIT | Section 1.1 | Retrieve fstab sources to preserve UUID/LABEL entries
+      ansible.builtin.shell: |
+        set -o pipefail
+        awk '$0 !~ /^[[:space:]]*#/ && NF >= 2 {print $1, $2}' /etc/fstab
+      args:
+        executable: /bin/bash
+      changed_when: false
+      check_mode: false
+      register: prelim_fstab_sources
+
     - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact
       ansible.builtin.set_fact:
         prelim_mount_point_fs_and_options: >-
+          {%- set fstab_src = {} -%}
+          {%- for line in prelim_fstab_sources.stdout_lines -%}
+          {%- set parts = line.split() -%}
+          {%- if parts | length >= 2 -%}
+          {%- set _ = fstab_src.update({parts[1]: parts[0]}) -%}
+          {%- endif -%}
+          {%- endfor -%}
           {%- set prelim_mount_point_fs_and_options = {} -%}
           {%- for line in prelim_mount_output.stdout_lines -%}
           {%- set fields = line.split() -%}
-          {%- set _ = prelim_mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%}
+          {%- set mount_src = fstab_src.get(fields[1], fields[0]) -%}
+          {%- set _ = prelim_mount_point_fs_and_options.update({fields[1]: {'src': mount_src, 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%}
           {%- endfor -%}
           {{ prelim_mount_point_fs_and_options }}
 

tasks/section_1/cis_1.3.1.x.yml

@@ -15,6 +15,7 @@
   ansible.builtin.package:
     name: ['apparmor', 'apparmor-utils']
     state: present
+    lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
 - name: "1.3.1.2 | PATCH | Ensure AppArmor is enabled"
   when: ubtu22cis_rule_1_3_1_2

tasks/section_1/cis_1.5.x.yml

@@ -95,6 +95,7 @@
         name: prelink
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
 - name: "1.5.6 | PATCH | Ensure Automatic Error Reporting is not enabled"
   when: ubtu22cis_rule_1_5_6
@@ -121,3 +122,4 @@
         name: apport
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"

tasks/section_1/cis_1.7.x.yml

@@ -14,6 +14,7 @@
   ansible.builtin.package:
     name: gdm3
     state: absent
+    lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
 - name: "1.7.2 | PATCH | Ensure GDM login banner is configured"
   when:

tasks/section_2/cis_2.1.x.yml

@@ -21,13 +21,16 @@
         name: autofs
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.1 | PATCH | Ensure autofs services are not in use | Mask service"
       when:
         - not ubtu22cis_autofs_services
         - ubtu22cis_autofs_mask
       ansible.builtin.systemd:
         name: autofs
+        enabled: "{{ ('autofs' in ansible_facts.packages) | ternary(false, omit) }}"
+        state: "{{ ('autofs' in ansible_facts.packages) | ternary('stopped', omit) }}"
         masked: true
       notify: Systemd daemon reload
 
@@ -51,6 +54,7 @@
           - avahi
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use | Mask service"
       when:
@@ -86,6 +90,7 @@
         name: isc-dhcp-server
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use | Mask service"
       when:
@@ -121,6 +126,7 @@
         name: bind9
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.4 | PATCH | Ensure dns server services are not in use | Mask service"
       when:
@@ -151,6 +157,7 @@
         name: dnsmasq
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.5 | PATCH | Ensure dnsmasq services are not in use | Mask service"
       when:
@@ -182,6 +189,7 @@
         name: vsftpd
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.6 | PATCH | Ensure ftp server services are not in use | Mask service"
       when:
@@ -212,6 +220,7 @@
         name: slapd
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.7 | PATCH | Ensure ldap server services are not in use | Mask service"
       when:
@@ -246,6 +255,7 @@
           - dovecot-imapd
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.8 | PATCH | Ensure message access server services are not in use | Mask service"
       when:
@@ -283,6 +293,7 @@
         name: nfs-kernel-server
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.9 | PATCH | Ensure network file system services are not in use | Mask service"
       when:
@@ -314,6 +325,7 @@
         name: ypserv
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Mask service"
       when:
@@ -343,6 +355,7 @@
         name: cups
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.11 | PATCH | Ensure print server services are not in use | Mask service"
       when:
@@ -379,6 +392,7 @@
         name: rpcbind
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use | Mask service"
       when:
@@ -414,6 +428,7 @@
         name: rsync
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.13 | PATCH | Ensure rsync services are not in use | Mask service"
       when:
@@ -445,6 +460,7 @@
         name: samba
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.14 | PATCH | Ensure samba file server services are not in use | Mask service"
       when:
@@ -476,6 +492,7 @@
         name: snmpd
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.15 | PATCH | Ensure snmp services are not in use | Mask service"
       when:
@@ -506,6 +523,7 @@
         name: tftpd-hpa
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.16 | PATCH | Ensure tftp server services are not in use | Mask service"
       when:
@@ -536,6 +554,7 @@
         name: squid
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use | Mask service"
       when:
@@ -568,6 +587,7 @@
         name: apache2
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.18 | PATCH | Ensure web server services are not in use | Remove nginx server"
       when:
@@ -577,6 +597,7 @@
         name: nginx
         state: absent
         purge: "{{ ubtu22cis_purge_apt }}"
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.18 | PATCH | Ensure web server services are not in use | Mask httpd service"
       when:
@@ -623,6 +644,7 @@
         name: xinetd
         purge: "{{ ubtu22cis_purge_apt }}"
         state: absent
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.1.19 | PATCH | Ensure xinetd services are not in use | Mask service"
       when:
@@ -649,6 +671,7 @@
     name: xorg-x11-server-common
     state: absent
     purge: "{{ ubtu22cis_purge_apt }}"
+    lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
 - name: "2.1.21 | PATCH | Ensure mail transfer agent is configured for local-only mode"
   when:

tasks/section_2/cis_2.2.x.yml

@@ -15,6 +15,7 @@
     name: nis
     state: absent
     purge: "{{ ubtu22cis_purge_apt }}"
+    lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
 - name: "2.2.2 | PATCH | Ensure rsh client is not installed"
   when:
@@ -31,6 +32,7 @@
     name: rsh-client
     state: absent
     purge: "{{ ubtu22cis_purge_apt }}"
+    lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
 - name: "2.2.3 | PATCH | Ensure talk client is not installed"
   when:
@@ -47,6 +49,7 @@
     name: talk
     state: absent
     purge: "{{ ubtu22cis_purge_apt }}"
+    lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
 - name: "2.2.4 | PATCH | Ensure telnet client is not installed"
   when:
@@ -64,6 +67,7 @@
     name: telnet
     state: absent
     purge: "{{ ubtu22cis_purge_apt }}"
+    lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
 - name: "2.2.5 | PATCH | Ensure ldap client is not installed"
   when:
@@ -80,6 +84,7 @@
     name: ldap-utils
     state: absent
     purge: "{{ ubtu22cis_purge_apt }}"
+    lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
 - name: "2.2.6 | PATCH | Ensure ftp client is not installed"
   when:
@@ -97,3 +102,4 @@
     name: ftp
     state: absent
     purge: "{{ ubtu22cis_purge_apt }}"
+    lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"

tasks/section_2/cis_2.3.1.x.yml

@@ -17,12 +17,14 @@
       ansible.builtin.package:
         name: "{{ ubtu22cis_time_sync_tool }}"
         state: present
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
 
     - name: "2.3.1.1 | PATCH | Ensure a single time synchronization daemon is in use | other pkgs removed"
       when: item != ubtu22cis_time_sync_tool
       ansible.builtin.package:
         name: "{{ item }}"
         state: absent
+        lock_timeout: "{{ ubtu22cis_apt_lock_timeout }}"
       loop:
         - chrony
         - ntp