From 65ad8e79a908f031356de9731af77ca7e631b75f Mon Sep 17 00:00:00 2001 From: Florian Utz Date: Fri, 25 Mar 2022 22:33:49 +0100 Subject: [PATCH] remove fqcn for 2.9 compatibility (#47) --- handlers/main.yml | 26 +++++----- meta/main.yml | 2 +- tasks/main.yml | 4 +- tasks/post.yml | 4 +- tasks/prelim.yml | 86 +++++++++++++++---------------- tasks/section1.yml | 110 ++++++++++++++++++++-------------------- tasks/section2.yml | 124 ++++++++++++++++++++++----------------------- tasks/section3.yml | 78 ++++++++++++++-------------- tasks/section4.yml | 78 ++++++++++++++-------------- tasks/section5.yml | 124 ++++++++++++++++++++++----------------------- tasks/section6.yml | 66 ++++++++++++------------ 11 files changed, 351 insertions(+), 351 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 78422cd..76842d1 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -19,7 +19,7 @@ - name: systemd restart tmp.mount become: true - ansible.builtin.systemd: + systemd: name: tmp.mount daemon_reload: true enabled: true @@ -30,7 +30,7 @@ - name: systemd restart var-tmp.mount become: true - ansible.builtin.systemd: + systemd: name: var-tmp.mount daemon_reload: true enabled: true @@ -40,12 +40,12 @@ - name: generate new grub config become: true - ansible.builtin.command: grub-mkconfig -o "{{ grub_cfg.stat.path }}" + command: grub-mkconfig -o "{{ grub_cfg.stat.path }}" notify: fix permissions after generate new grub config handler - name: fix permissions after generate new grub config handler become: true - ansible.builtin.file: + file: path: "/boot/grub/grub.cfg" owner: root group: root 
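Review bot: With the `ansible.builtin.` prefix gone, `systemd:` on the added line (and every other module call in this patch) is resolved through the consuming play's collection search path instead of being pinned to the builtin module, and ansible-lint's fqcn rule will now flag each of them. That is the price of the 2.9 target the commit chooses, but nothing in the files records why, so a later contributor is likely to "fix" it back. Suggest a header comment at the top of handlers/main.yml and tasks/main.yml: `# Unqualified module names are intentional: FQCN (ansible.builtin.*) needs Ansible >= 2.10 and this role supports 2.9.`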
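Review bot: The `generate new grub config` handler renders `{{ grub_cfg.stat.path }}` with no `when`, but the stat module only returns `path` when the file exists, so a host where /boot/grub/grub.cfg is absent (the prelim tasks also stat grub.conf and menu.lst for exactly that case) fails the handler with an undefined variable instead of skipping it. Add `when: grub_cfg.stat.exists` to that handler. The following `fix permissions ...` handler is cut off at the end of the hunk, but it hard-codes `/boot/grub/grub.cfg` and would want the same guard.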
@@ -56,35 +56,35 @@ - name: restart firewalld become: true - ansible.builtin.service: + service: name: firewalld state: restarted - name: reload nftables become: true - ansible.builtin.service: + service: name: nftables state: reloaded - name: restart xinetd become: true - ansible.builtin.service: + service: name: xinetd state: restarted - name: restart sshd become: true - ansible.builtin.service: + service: name: sshd state: restarted - name: reload dconf become: true - ansible.builtin.command: dconf update + command: dconf update - name: restart auditd become: true - ansible.builtin.service: + service: name: auditd state: restarted when: @@ -94,7 +94,7 @@ - name: load audit rules become: true - ansible.builtin.command: /sbin/augenrules --load + command: /sbin/augenrules --load when: - not ubuntu2004cis_skip_for_travis tags: @@ -102,7 +102,7 @@ - name: restart systemd-coredump become: true - ansible.builtin.service: + service: name: systemd-coredump.socket daemon_reload: true enabled: true @@ -110,6 +110,6 @@ - name: restart journald become: true - ansible.builtin.service: + service: name: systemd-journald state: restarted diff --git a/meta/main.yml b/meta/main.yml index 79cb0f0..80f79d8 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: "Ansible role to apply Ubuntu 20.04 CIS Baseline" company: "none" license: MIT - min_ansible_version: 2.10 + min_ansible_version: 2.9 role_name: ubuntu2004_cis namespace: florianutz diff --git a/tasks/main.yml b/tasks/main.yml index 8d072b3..ba5c27f 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,7 +1,7 @@ --- # tasks file for Ubuntu2004-CIS - name: Check OS version and family - ansible.builtin.fail: + fail: msg: "This role can only be run agaist Ubuntu 20.04. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." when: - not ansible_distribution == "Ubuntu" 
@@ -10,7 +10,7 @@ - always - name: Check ansible version - ansible.builtin.fail: + fail: msg: You must use ansible 2.3 or greater! when: not ansible_version.full is version_compare('2.3', '>=') tags: diff --git a/tasks/post.yml b/tasks/post.yml index 7167739..b4b6083 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -2,7 +2,7 @@ # Post tasks - name: "POST | Find removed but configured apt packages" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; dpkg --list | (grep ^rc || true) | tr -s ' ' | cut -d ' ' -f 2" args: executable: /bin/bash @@ -10,7 +10,7 @@ changed_when: false - name: "POST | Perform apt package cleanup" - ansible.builtin.apt: + apt: name: "{{ apt_rc_packages.stdout_lines }}" state: absent purge: true diff --git a/tasks/prelim.yml b/tasks/prelim.yml index a851b68..599d790 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -2,13 +2,13 @@ # Preliminary tasks that should always be run # List users in order to look files inside each home directory - name: "PRELIM | List users accounts" - ansible.builtin.command: "awk -F: '{print $1}' /etc/passwd" + command: "awk -F: '{print $1}' /etc/passwd" register: users changed_when: false check_mode: false - name: "PRELIM | Gather homes with wrong permissions on /home" - ansible.builtin.shell: 'set -o pipefail; + shell: 'set -o pipefail; for dir in $(getent passwd | cut -d '':'' -f 6 | awk ''$1 ~ /^\/home\//''); do perm=$(stat -L -c "%A" "$dir" ); @@ -24,7 +24,7 @@ check_mode: false - name: "PRELIM | Gather accounts with empty password fields" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" args: executable: /bin/bash @@ -33,7 +33,7 @@ check_mode: false - name: "PRELIM | Check if root has password" - ansible.builtin.shell: 'set -o pipefail; + shell: 'set -o pipefail; getent shadow | grep root | awk -F: ''($2 == "*" || $2 == "!" ) { printf $2; }''' args: executable: /bin/bash 
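Review bot: The `Check ansible version` guard still tests for 2.3 while this same commit sets `min_ansible_version: 2.9` in meta/main.yml, so a controller running 2.3–2.8 passes the check and then fails on whatever 2.9-only behaviour it hits first. Align the two: `msg: You must use ansible 2.9 or greater!` and `when: not ansible_version.full is version('2.9', '>=')` — `version` is the current name of the test, `version_compare` its legacy alias.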
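Review bot: In `PRELIM | Check if root has password`, `getent shadow | grep root` is unanchored, so any account whose shadow entry contains the substring `root` is fed to awk, and the awk test only recognises a second field that is exactly `*` or `!`, not the `!<hash>` form that `passwd -l` leaves behind, so a root account locked that way is reported as having a usable password. Let getent select the entry and match on the prefix: `getent shadow root | awk -F: ''($2 ~ /^[*!]/) { printf $2; }'''`. The `register` and whatever consumes it lie outside the hunk; confirm the consumer keys on a non-empty stdout before widening the match.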
@@ -42,7 +42,7 @@ check_mode: false - name: "PRELIM | Gather UID 0 accounts other than root" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" args: executable: /bin/bash @@ -51,12 +51,12 @@ check_mode: false - name: "PRELIM | Run apt cache update" - ansible.builtin.apt: + apt: update_cache: true changed_when: false - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" - ansible.builtin.apt: + apt: name: "{{ auditd_package[ansible_os_family] }}" state: present install_recommends: false @@ -64,13 +64,13 @@ - not ubuntu2004cis_auditd_disable - name: "PRELIM | Section 5.1 | Configure cron" - ansible.builtin.apt: + apt: name: "{{ cron_package[ansible_os_family] }}" state: present install_recommends: false - name: "PRELIM | Check if prelink package is installed" - ansible.builtin.command: "{{ prelim_check_package_command[ansible_os_family] }} prelink" + command: "{{ prelim_check_package_command[ansible_os_family] }} prelink" register: prelink_installed changed_when: false failed_when: false @@ -79,7 +79,7 @@ - skip_ansible_lint - name: "PRELIM | Check if postfix package is installed" - ansible.builtin.command: "{{ prelim_check_package_command[ansible_os_family] }} postfix" + command: "{{ prelim_check_package_command[ansible_os_family] }} postfix" register: postfix_installed changed_when: false failed_when: false @@ -89,7 +89,7 @@ # Individual service checks - name: "PRELIM | Check for xinetd service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show xinetd | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -98,7 +98,7 @@ check_mode: false - name: "PRELIM | Check for openbsd-inetd service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; dpkg -s openbsd-inetd | grep -o 'ok installed'; true" args: executable: /bin/bash 
@@ -107,7 +107,7 @@ check_mode: false - name: "PRELIM | Check for ntpd service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show {{ ntp_service[ansible_os_family] }} | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -116,7 +116,7 @@ check_mode: false - name: "PRELIM | Check for chronyd service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show {{ chrony_service[ansible_os_family] }} | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -125,7 +125,7 @@ check_mode: false - name: "PRELIM | Check for systemd-timesyncd service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show systemd-timesyncd | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -134,7 +134,7 @@ check_mode: false - name: "PRELIM | Check for avahi-daemon service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show avahi-daemon | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -143,7 +143,7 @@ check_mode: false - name: "PRELIM | Check for cups service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show cups | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -152,7 +152,7 @@ check_mode: false - name: "PRELIM | Check for dhcpd service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show dhcpd | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -161,7 +161,7 @@ check_mode: false - name: "PRELIM | Check for slapd service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show slapd | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -170,7 +170,7 @@ check_mode: false - name: "PRELIM | Check for nfs service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show nfs | grep LoadState | cut -d = -f 2" args: executable: /bin/bash 
@@ -179,7 +179,7 @@ check_mode: false - name: "PRELIM | Check for rpcbind service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show rpcbind | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -188,7 +188,7 @@ check_mode: false - name: "PRELIM | Check for named service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show named | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -197,7 +197,7 @@ check_mode: false - name: "PRELIM | Check for vsftpd service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show vsftpd | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -206,7 +206,7 @@ check_mode: false - name: "PRELIM | Check for httpd service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show apache2 | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -215,7 +215,7 @@ check_mode: false - name: "PRELIM | Check for dovecot service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show dovecot | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -224,7 +224,7 @@ check_mode: false - name: "PRELIM | Check for smb service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show smbd | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -233,7 +233,7 @@ check_mode: false - name: "PRELIM | Check for squid service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show squid | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -242,7 +242,7 @@ check_mode: false - name: "PRELIM | Check for snmpd service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show snmpd | grep LoadState | cut -d = -f 2" args: executable: /bin/bash 
@@ -251,7 +251,7 @@ check_mode: false - name: "PRELIM | Check for ypserv service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show nis | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -260,7 +260,7 @@ check_mode: false - name: "PRELIM | Check for rsh.socket service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show rsh.socket | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -269,7 +269,7 @@ check_mode: false - name: "PRELIM | Check for rlogin.socket service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show rlogin.socket | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -278,7 +278,7 @@ check_mode: false - name: "PRELIM | Check for rexec.socket service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show rexec.socket | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -287,7 +287,7 @@ check_mode: false - name: "PRELIM | Check for telnet service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show telnetd | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -296,7 +296,7 @@ check_mode: false - name: "PRELIM | Check for tftp service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show tftpd-hpa | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -305,7 +305,7 @@ check_mode: false - name: "PRELIM | Check for rsyncd service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show rsync | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -314,7 +314,7 @@ check_mode: false - name: "PRELIM | Check for ntalk service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show ntalk | grep LoadState | cut -d = -f 2" args: executable: /bin/bash 
@@ -323,7 +323,7 @@ check_mode: false - name: "PRELIM | Check for autofs service" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; systemctl show autofs | grep LoadState | cut -d = -f 2" args: executable: /bin/bash @@ -332,22 +332,22 @@ check_mode: false - name: "PRELIM | Check the grub.cfg configuration" - ansible.builtin.stat: + stat: path: /boot/grub/grub.cfg register: grub_cfg - name: "PRELIM | Check the grub.conf configuration" - ansible.builtin.stat: + stat: path: /boot/grub/grub.conf register: grub_conf - name: "PRELIM | Check the menu.lst configuration" - ansible.builtin.stat: + stat: path: "/boot/grub/menu.lst" register: menu_lst - name: "PRELIM | Check that system accounts are non-login #1" - ansible.builtin.shell: > + shell: > set -o pipefail && egrep -v "^\+" /etc/passwd | awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<1000 && $7!="/usr/sbin/nologin" && @@ -360,7 +360,7 @@ - name: "PRELIM | Check that system accounts are non-login #2" - ansible.builtin.shell: > + shell: > set -o pipefail && for user in `awk -F: '($1!="root" && $3 < 1000) {print $1 }' /etc/passwd`; do passwd -S $user | awk -F ' ' '($2!="L") {print $1}'; done @@ -371,7 +371,7 @@ check_mode: false - name: "PRELIM | Check that users last password change date are in the future" - ansible.builtin.shell: | + shell: | set -o pipefail; awk -F: '{print $1}' /etc/shadow | while read -r usr do diff --git a/tasks/section1.yml b/tasks/section1.yml index 8955674..8cbcf36 100644 --- a/tasks/section1.yml +++ b/tasks/section1.yml @@ -1,6 +1,6 @@ --- - name: "SCORED | 1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" - ansible.builtin.lineinfile: + lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" 
@@ -35,7 +35,7 @@ - rule_1.1.1.1 - name: "SCORED | 1.1.1.2 | PATCH | Ensure mounting of freevxfs filesystems is disabled" - ansible.builtin.lineinfile: + lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install freevxfs" line: "install freevxfs /bin/true" @@ -67,7 +67,7 @@ - rule_1.1.1.2 - name: "SCORED | 1.1.1.3 | PATCH | Ensure mounting of jffs2 filesystems is disabled" - ansible.builtin.lineinfile: + lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install jffs2(\\s|$)" line: "install jffs2 /bin/true" @@ -99,7 +99,7 @@ - rule_1.1.1.3 - name: "SCORED | 1.1.1.4 | PATCH | Ensure mounting of hfs filesystems is disabled" - ansible.builtin.lineinfile: + lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install hfs(\\s|$)" line: "install hfs /bin/true" @@ -131,7 +131,7 @@ - rule_1.1.1.4 - name: "SCORED | 1.1.1.5 | PATCH | Ensure mounting of hfsplus filesystems is disabled" - ansible.builtin.lineinfile: + lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install hfsplus(\\s|$)" line: "install hfsplus /bin/true" @@ -163,7 +163,7 @@ - rule_1.1.1.5 - name: "SCORED | 1.1.1.6 | PATCH | Ensure mounting of udf filesystems is disabled" - ansible.builtin.lineinfile: + lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" @@ -195,7 +195,7 @@ - rule_1.1.1.6 - name: "NOTSCORED | 1.1.1.7 | PATCH | Ensure mounting of FAT filesystems is limited" - ansible.builtin.lineinfile: + lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install vfat(\\s|$)" line: "install vfat /bin/true" @@ -227,7 +227,7 @@ - rule_1.1.1.7 - name: "SCORED | 1.1.2 | PATCH | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount" - ansible.builtin.copy: + copy: src: "{{ tmp_mount_file[ansible_os_family] }}" dest: /etc/systemd/system/tmp.mount owner: root 
@@ -247,7 +247,7 @@ - rule_1.1.2 - name: "SCORED | 1.1.2 | PATCH | Ensure separate partition exists for /tmp | enable and start/restart tmp.mount" - ansible.builtin.systemd: + systemd: name: tmp.mount daemon_reload: yes enabled: yes @@ -314,7 +314,7 @@ - rule_1.1.9 - name: "SCORED | 1.1.10 | PATCH | Ensure separate partition exists for /var" - ansible.builtin.shell: mount | grep "on /var " + shell: mount | grep "on /var " register: var_mounted changed_when: false failed_when: false @@ -330,7 +330,7 @@ - skip_ansible_lint - name: "SCORED | 1.1.11 | PATCH | Ensure separate partition exists for /var/tmp" - ansible.builtin.shell: mount | grep "on /var/tmp " + shell: mount | grep "on /var/tmp " register: var_tmp_mounted changed_when: false failed_when: false @@ -368,7 +368,7 @@ - rule_1.1.14 - name: "SCORED | 1.1.15 | PATCH | Ensure separate partition exists for /var/log" - ansible.builtin.shell: mount | grep "on /var/log " + shell: mount | grep "on /var/log " register: var_log_mounted changed_when: false failed_when: false @@ -384,7 +384,7 @@ - skip_ansible_lint - name: "SCORED | 1.1.16 | PATCH | Ensure separate partition exists for /var/log/audit" - ansible.builtin.shell: mount | grep "on /var/log/audit " + shell: mount | grep "on /var/log/audit " register: var_log_audit_mounted changed_when: false failed_when: false @@ -400,7 +400,7 @@ - skip_ansible_lint - name: "SCORED | 1.1.17 | PATCH | Ensure separate partition exists for /home" - ansible.builtin.shell: mount | grep "on /home " + shell: mount | grep "on /home " register: home_mounted changed_when: false failed_when: false @@ -434,7 +434,7 @@ - rule_1.1.18 - name: "NOTSCORED | 1.1.19 | PATCH | Ensure nodev option set on removable media partitions" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_1_1_19 
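Review bot: `daemon_reload: yes` and `enabled: yes` in the 1.1.2 systemd task use YAML 1.1 truthy words, while the handlers file writes the same options as `daemon_reload: true` / `enabled: true`, and yamllint's truthy rule flags the former. Write `daemon_reload: true` and `enabled: true` here; the same applies to `enabled: no` in the section2 2.1.x and 2.1.9 service tasks and to `enabled: no` / `masked: yes` in the 2.2.1.1 systemd-timesyncd task.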
@@ -446,7 +446,7 @@ - notimplemented - name: "NOTSCORED | 1.1.20 | PATCH | Ensure nosuid option set on removable media partitions" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_1_1_20 @@ -458,7 +458,7 @@ - notimplemented - name: "NOTSCORED | 1.1.21 | PATCH | Ensure noexec option set on removable media partitions" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_1_1_21 @@ -470,7 +470,7 @@ - notimplemented - name: "SCORED | 1.1.22 | PATCH | Ensure sticky bit is set on all world-writable directories" - ansible.builtin.shell: | + shell: | set -o pipefail; df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t args: @@ -487,7 +487,7 @@ - rule_1.1.22 - name: "SCORED | 1.1.23 | PATCH | Disable Automounting" - ansible.builtin.service: + service: name: autofs enabled: false when: @@ -501,7 +501,7 @@ - rule_1.1.23 - name: "SCORED | 1.1.24 | PATCH | Disable USB Storage" - ansible.builtin.lineinfile: + lineinfile: dest: /etc/modprobe.d/CIS.conf regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" @@ -533,7 +533,7 @@ - rule_1.1.24 - name: "NOTSCORED | 1.2.1 | PATCH | Ensure package manager repositories are configured" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_1_2_1 @@ -545,7 +545,7 @@ - notimplemented - name: "NOTSCORED | 1.2.2 | PATCH | Ensure GPG keys are configured" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_1_2_2 @@ -557,7 +557,7 @@ - notimplemented - name: "SCORED | 1.3.1 | PATCH | Ensure sudo is installed" - ansible.builtin.apt: + apt: name: - sudo state: present 
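Review bot: The 1.1.22 pipeline `... find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t` has two defects the renaming does not touch: it does not exclude directories that already carry the sticky bit, so every world-writable directory is chmod-ed on every run, and it hands paths to xargs over a whitespace-delimited pipe without `-r`, so a path containing whitespace is split and, when find matches nothing, `chmod a+t` runs with no operand and fails under `set -o pipefail` (unless a `failed_when` outside the hunk masks it). Suggest `df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print0 2>/dev/null | xargs -0 -r chmod a+t`, which also makes the task a no-op on an already compliant host. The task's `args:` block and anything after it fall outside the hunk.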
@@ -572,7 +572,7 @@ - rule_1.3.1 - name: "SCORED | 1.3.2 | PATCH | Ensure sudo commands use pty" - ansible.builtin.lineinfile: + lineinfile: dest: /etc/sudoers state: present regexp: '^Defaults use_pty' @@ -588,7 +588,7 @@ - rule_1.3.2 - name: "SCORED | 1.3.3 | PATCH | Ensure sudo log file exists" - ansible.builtin.lineinfile: + lineinfile: dest: /etc/sudoers state: present regexp: '^Defaults logfile.*' @@ -604,7 +604,7 @@ - rule_1.3.3 - name: "SCORED | 1.4.1 | PATCH | Ensure AIDE is installed (install nullmailer instead of postfix)" - ansible.builtin.apt: + apt: name: - nullmailer state: present @@ -620,7 +620,7 @@ - rule_1.4.1 - name: "SCORED | 1.4.1 | PATCH | Ensure AIDE is installed" - ansible.builtin.apt: + apt: name: - aide - aide-common @@ -636,7 +636,7 @@ - rule_1.4.1 - name: "SCORED | 1.4.1 | PATCH | Stat AIDE DB" - ansible.builtin.stat: path=/var/lib/aide/aide.db + stat: path=/var/lib/aide/aide.db register: aide_db tags: - level1 @@ -646,7 +646,7 @@ - rule_1.4.1 - name: "SCORED | 1.4.1 | PATCH | Init AIDE | This may take a LONG time" - ansible.builtin.command: /usr/sbin/aideinit + command: /usr/sbin/aideinit args: creates: /var/lib/aide/aide.db when: @@ -662,7 +662,7 @@ - rule_1.4.1 - name: "SCORED | 1.4.2 | PATCH | Ensure filesystem integrity is regularly checked" - ansible.builtin.cron: + cron: name: Run AIDE integrity check weekly cron_file: "{{ ubuntu2004cis_aide_cron['cron_file'] }}" user: "{{ ubuntu2004cis_aide_cron['cron_user'] }}" @@ -683,7 +683,7 @@ - rule_1.4.2 - name: "SCORED | 1.5.1 | PATCH | Ensure bootloader password is set - generate password" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; if [ '{{ ubuntu2004cis_bootloader_password }}' == 'random' ]; then PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c12); else PASSWORD='{{ ubuntu2004cis_bootloader_password }}'; fi; 
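Review bot: The 1.5.1 task templates `ubuntu2004cis_bootloader_password` straight into the shell string, so when it is not `random` the clear-text password becomes part of the task's recorded `cmd` and of any verbose or callback output unless the task sets `no_log: true`, which the hunk does not show (the task continues past `fi;`); a value containing a single quote also breaks the `PASSWORD='...'` quoting. Pass it through the environment and silence the task: `no_log: true` plus `environment: { CIS_BOOTLOADER_PASSWORD: "{{ ubuntu2004cis_bootloader_password }}" }` (variable name constructed) with the script reading `"$CIS_BOOTLOADER_PASSWORD"` instead of the templated literal. The 1.5.3 single-user-mode task (`ubuntu2004cis_root_password`, hunk at -787) has the same shape and needs the same treatment.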
@@ -702,7 +702,7 @@ - rule_1.5.1 - name: "SCORED | 1.5.1 | PATCH | Ensure bootloader password is set - generate config" - ansible.builtin.copy: + copy: dest: /etc/grub.d/00_password content: "cat << EOF\nset superusers=\"root\"\npassword_pbkdf2 root {{ grub_pass.stdout }}\nEOF" owner: root @@ -720,7 +720,7 @@ - rule_1.5.1 - name: "SCORED | 1.5.1 | PATCH | Ensure bootloader password is set - disable password for system boot" - ansible.builtin.replace: + replace: path: /etc/grub.d/10_linux regexp: '--class os"' replace: '--class os --unrestricted"' @@ -737,7 +737,7 @@ - rule_1.5.1 - name: "SCORED | 1.5.2 | PATCH | Ensure permissions on bootloader config are configured for grub.cfg" - ansible.builtin.file: + file: path: "/boot/grub/grub.cfg" owner: root group: root @@ -753,7 +753,7 @@ - rule_1.5.2 - name: "SCORED | 1.5.2 | PATCH | Ensure permissions on bootloader config are configured for grub.conf" - ansible.builtin.file: + file: path: "/boot/grub/grub.conf" owner: root group: root @@ -770,7 +770,7 @@ - rule_1.5.2 - name: "SCORED | 1.5.2 | PATCH | Ensure permissions on bootloader config are configured for menu.lst" - ansible.builtin.file: + file: path: "/boot/grub/menu.lst" owner: root group: root @@ -787,7 +787,7 @@ - rule_1.5.2 - name: "SCORED | 1.5.3 | PATCH | Ensure authentication required for single user mode" - ansible.builtin.shell: "set -o pipefail; + shell: "set -o pipefail; if [ '{{ ubuntu2004cis_root_password }}' == 'random' ]; then PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c24); else PASSWORD='{{ ubuntu2004cis_root_password }}'; fi; @@ -804,7 +804,7 @@ - rule_1.5.3 - name: "SCORED | 1.6.1 | PATCH | Ensure XD/NX support is enabled" - ansible.builtin.shell: | + shell: | set -o pipefail; dmesg | grep -E "NX|XD" | grep " active" args: 
@@ -837,7 +837,7 @@ - rule_1.6.2 - name: "SCORED | 1.6.3 | PATCH | Ensure prelink is disabled" - ansible.builtin.command: prelink -ua + command: prelink -ua when: - prelink_installed.rc == 0 - ubuntu2004cis_rule_1_6_3 @@ -848,7 +848,7 @@ - rule_1.6.3 - name: "SCORED | 1.6.3 | PATCH | Ensure prelink is disabled" - ansible.builtin.apt: + apt: name: prelink state: absent when: @@ -877,7 +877,7 @@ - rule_1.6.4 - name: "SCORED | 1.6.4 | PATCH | Ensure systemd-coredump is installed" - ansible.builtin.apt: + apt: name: systemd-coredump state: present notify: restart systemd-coredump @@ -890,7 +890,7 @@ - rule_1.6.4 - name: "SCORED | 1.6.4 | PATCH | Ensure hard core 0 is set" - ansible.builtin.lineinfile: + lineinfile: dest: /etc/security/limits.conf line: '* hard core 0' regexp: '(^#)?\*\s+hard\s+core\s+[0-9]+' @@ -907,7 +907,7 @@ - rule_1.6.4 - name: "SCORED | 1.7.1.1 | PATCH | Ensure AppArmor is installed" - ansible.builtin.apt: + apt: name: - apparmor - apparmor-utils @@ -923,7 +923,7 @@ - name: "SCORED | 1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" block: - name: "SCORED | 1.7.1.2 | PATCH | Ensure AppArmor is enabled in the bootloader configuration" - ansible.builtin.replace: + replace: dest: /etc/default/grub regexp: '^(GRUB_CMDLINE_LINUX=(?!.*apparmor)\"[^\"]*)(\".*)' replace: '\1 apparmor=1 security=apparmor\2' @@ -931,7 +931,7 @@ - generate new grub config - name: "SCORED | 1.7.1.2 | PATCH | Ensure AppArmor Security is enabled in the bootloader configuration" - ansible.builtin.replace: + replace: dest: /etc/default/grub regexp: '^(GRUB_CMDLINE_LINUX=(?!.*security)\"[^\"]*)(\".*)' replace: '\1 security=apparmor\2' @@ -946,7 +946,7 @@ - rule_1.7.1.2 - name: "SCORED | 1.7.1.3 | PATCH | Ensure all AppArmor Profiles are in enforce or complain mode" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_1_7_1_3 
@@ -958,7 +958,7 @@ - notimplemented - name: "SCORED | 1.7.1.4 | PATCH | Ensure all AppArmor Profiles are enforcing" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_1_7_1_4 @@ -970,7 +970,7 @@ - notimplemented - name: "SCORED | 1.8.1.1 | PATCH | Ensure message of the day is configured properly" - ansible.builtin.template: + template: src: etc/motd.j2 dest: /etc/motd when: @@ -983,7 +983,7 @@ - rule_1.8.1.1 - name: "SCORED | 1.8.1.2 | PATCH | Ensure local login warning banner is configured properly" - ansible.builtin.template: + template: src: etc/issue.j2 dest: /etc/issue when: @@ -996,7 +996,7 @@ - rule_1.8.1.2 - name: "SCORED | 1.8.1.3 | PATCH | Ensure remote login warning banner is configured properly" - ansible.builtin.template: + template: src: etc/issue.net.j2 dest: /etc/issue.net when: @@ -1009,7 +1009,7 @@ - rule_1.8.1.3 - name: "SCORED | 1.8.1.4 | PATCH | Ensure permissions on /etc/motd are configured" - ansible.builtin.file: + file: dest: /etc/motd state: file owner: root @@ -1025,7 +1025,7 @@ - rule_1.8.1.4 - name: "SCORED | 1.8.1.5 | PATCH | Ensure permissions on /etc/issue are configured" - ansible.builtin.file: + file: dest: /etc/issue state: file owner: root @@ -1041,7 +1041,7 @@ - rule_1.8.1.5 - name: "SCORED | 1.8.1.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - ansible.builtin.file: + file: dest: /etc/issue.net state: file owner: root @@ -1057,7 +1057,7 @@ - rule_1.8.1.6 - name: "NOTSCORED | 1.9 | PATCH | Ensure updates, patches, and additional security software are installed" - ansible.builtin.apt: + apt: upgrade: dist when: - ubuntu2004cis_apply_upgrades @@ -1069,7 +1069,7 @@ - skip_ansible_lint - name: "SCORED | 1.10 | PATCH | Ensure GDM login banner is configured" - ansible.builtin.lineinfile: + lineinfile: dest: "{{ item.file }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" diff --git a/tasks/section2.yml b/tasks/section2.yml index 606886f..ed2b87d 100644 
--- a/tasks/section2.yml +++ b/tasks/section2.yml @@ -2,12 +2,12 @@ - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram,chargen-stream" block: - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram" - ansible.builtin.stat: + stat: path: /etc/xinetd.d/chargen-dgram register: chargen_dgram_service - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-dgram" - ansible.builtin.service: + service: name: chargen-dgram enabled: no notify: restart xinetd @@ -15,12 +15,12 @@ - chargen_dgram_service.stat.exists - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-stream" - ansible.builtin.stat: + stat: path: /etc/xinetd.d/chargen-stream register: chargen_stream_service - name: "SCORED | 2.1.1 | PATCH | Ensure chargen services are not enabled | chargen-stream" - ansible.builtin.service: + service: name: chargen-stream enabled: no notify: restart xinetd @@ -39,12 +39,12 @@ - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram,daytime-stream" block: - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram" - ansible.builtin.stat: + stat: path: /etc/xinetd.d/daytime-dgram register: daytime_dgram_service - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-dgram" - ansible.builtin.service: + service: name: daytime-dgram enabled: no notify: restart xinetd @@ -52,12 +52,12 @@ - daytime_dgram_service.stat.exists - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-stream" - ansible.builtin.stat: + stat: path: /etc/xinetd.d/daytime-stream register: daytime_stream_service - name: "SCORED | 2.1.2 | PATCH | Ensure daytime services are not enabled | daytime-stream" - ansible.builtin.service: + service: name: daytime-stream enabled: no notify: restart xinetd 
@@ -75,12 +75,12 @@ - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram,discard-stream" block: - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram" - ansible.builtin.stat: + stat: path: /etc/xinetd.d/discard-dgram register: discard_dgram_service - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-dgram" - ansible.builtin.service: + service: name: discard-dgram enabled: no notify: restart xinetd @@ -88,12 +88,12 @@ - discard_dgram_service.stat.exists - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-stream" - ansible.builtin.stat: + stat: path: /etc/xinetd.d/discard-stream register: discard_stream_service - name: "SCORED | 2.1.3 | PATCH | Ensure discard services are not enabled | discard-stream" - ansible.builtin.service: + service: name: discard-stream enabled: no notify: restart xinetd @@ -111,12 +111,12 @@ - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram,echo-stream" block: - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram" - ansible.builtin.stat: + stat: path: /etc/xinetd.d/echo-dgram register: echo_dgram_service - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-dgram" - ansible.builtin.service: + service: name: echo-dgram enabled: no notify: restart xinetd @@ -124,12 +124,12 @@ - echo_dgram_service.stat.exists - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-stream" - ansible.builtin.stat: + stat: path: /etc/xinetd.d/echo-stream register: echo_stream_service - name: "SCORED | 2.1.4 | PATCH | Ensure echo services are not enabled | echo-stream" - ansible.builtin.service: + service: name: echo-stream enabled: no notify: restart xinetd 
@@ -147,12 +147,12 @@ - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram,time-stream" block: - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram" - ansible.builtin.stat: + stat: path: /etc/xinetd.d/time-dgram register: time_dgram_service - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-dgram" - ansible.builtin.service: + service: name: time-dgram enabled: no notify: restart xinetd @@ -160,12 +160,12 @@ - time_dgram_service.stat.exists - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-stream" - ansible.builtin.stat: + stat: path: /etc/xinetd.d/time-stream register: time_stream_service - name: "SCORED | 2.1.5 | PATCH | Ensure time services are not enabled | time-stream" - ansible.builtin.service: + service: name: time-stream enabled: no notify: restart xinetd @@ -183,7 +183,7 @@ - name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rsh, rlogin, rexec" block: - name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rsh" - ansible.builtin.service: + service: name: rsh.socket state: stopped enabled: false @@ -193,7 +193,7 @@ - ubuntu2004cis_rule_2_1_6 - name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rlogin" - ansible.builtin.service: + service: name: rlogin.socket state: stopped enabled: false @@ -203,7 +203,7 @@ - ubuntu2004cis_rule_2_1_6 - name: "SCORED | 2.1.6 | PATCH | Ensure rsh server is not enabled | rexec" - ansible.builtin.service: + service: name: rexec.socket state: stopped enabled: false @@ -218,7 +218,7 @@ - rule_2.1.6 - name: "SCORED | 2.1.7 | PATCH | Ensure talk server is not enabled" - ansible.builtin.service: + service: name: ntalk state: stopped enabled: false @@ -233,7 +233,7 @@ - rule_2.1.7 - name: "SCORED | 2.1.8 | PATCH | Ensure telnet server is not enabled" - ansible.builtin.service: + service: name: telnetd state: stopped enabled: false 
@@ -248,7 +248,7 @@
- rule_2.1.8
- name: "SCORED | 2.1.9 | PATCH | Ensure tftp server is not enabled"
- ansible.builtin.service:
+ service:
name: tftpd-hpa
state: stopped
enabled: no
@@ -263,7 +263,7 @@
- rule_2.1.9
- name: "SCORED | 2.1.10 | PATCH | Ensure xinetd is not enabled"
- ansible.builtin.service:
+ service:
name: xinetd
state: stopped
enabled: false
@@ -278,7 +278,7 @@
- rule_2.1.10
- name: "SCORED | 2.1.11 | PATCH | Ensure openbsd-inetd is not installed"
- ansible.builtin.apt:
+ apt:
name: openbsd-inetd
state: absent
when:
@@ -293,19 +293,19 @@
- name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use"
block:
- name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service install"
- ansible.builtin.apt:
+ apt:
name: "{{ ubuntu2004cis_time_synchronization }}"
state: present
install_recommends: false
- name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service start"
- ansible.builtin.service:
+ service:
name: "{{ ubuntu2004cis_time_synchronization }}"
state: started
enabled: true
- name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop ntp"
- ansible.builtin.service:
+ service:
name: "{{ ntp_service[ansible_os_family] }}"
state: stopped
enabled: false
@@ -314,7 +314,7 @@
- ntpd_service_status.stdout == "loaded"
- name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - service stop chrony"
- ansible.builtin.service:
+ service:
name: chronyd
state: stopped
enabled: false
@@ -324,7 +324,7 @@
- chronyd_service_status.stdout == "loaded"
- name: "SCORED | 2.2.1.1 | PATCH | Ensure time synchronization is in use - mask systemd-timesyncd"
- ansible.builtin.systemd:
+ systemd:
name: systemd-timesyncd
enabled: no
masked: yes
@@ -343,7 +343,7 @@
- rule_2.2.1.1
- name: "NOTSCORED | 2.2.1.2 | PATCH | Ensure systemd-timesyncd is configured"
- ansible.builtin.command: /bin/true
+ command: /bin/true
changed_when: false
when:
- ubuntu2004cis_rule_2_2_1_2
@@ -357,7 +357,7 @@
- name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured"
block:
- name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | create chrony.conf"
- ansible.builtin.template:
+ template:
src: chrony.conf.j2
dest: "{{ chrony_config_file[ansible_os_family] }}"
owner: root
@@ -365,7 +365,7 @@
mode: 0644
- name: "SCORED | 2.2.1.3 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/sysconfig/chronyd
regexp: "^(#)?OPTIONS"
line: "OPTIONS=\"-u {{ chrony_system_user[ansible_os_family] }}\""
@@ -384,7 +384,7 @@
- name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured"
block:
- name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | modify /etc/ntp.conf"
- ansible.builtin.template:
+ template:
src: ntp.conf.j2
dest: /etc/ntp.conf
owner: root
@@ -392,7 +392,7 @@
mode: 0644
- name: "SCORED | 2.2.1.4 | PATCH | Ensure ntp is configured | modify /etc/init.d/ntp"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/init.d/ntp
regexp: "^RUNASUSER"
line: "RUNASUSER=ntp"
@@ -407,7 +407,7 @@
- rule_2.2.1.4
- name: "SCORED | 2.2.2 | PATCH | Ensure X Window System is not installed"
- ansible.builtin.apt:
+ apt:
name:
- "xorg"
- "x11*"
@@ -423,7 +423,7 @@
- rule_2.2.2
- name: "SCORED | 2.2.3 | PATCH | Ensure Avahi Server is not enabled"
- ansible.builtin.service:
+ service:
name: avahi-daemon
state: stopped
enabled: false
@@ -440,7 +440,7 @@
- rule_2.2.3
- name: "SCORED | 2.2.4 | PATCH | Ensure CUPS is not enabled"
- ansible.builtin.service:
+ service:
name: cups
state: stopped
enabled: false
@@ -457,7 +457,7 @@
- rule_2.2.4
- name: "SCORED | 2.2.5 | PATCH | Ensure DHCP Server is not enabled"
- ansible.builtin.service:
+ service:
name: dhcpd
state: stopped
enabled: false
@@ -474,7 +474,7 @@
- rule_2.2.5
- name: "SCORED | 2.2.6 | PATCH | Ensure LDAP server is not enabled"
- ansible.builtin.service:
+ service:
name: slapd
state: stopped
enabled: false
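Review bot: `dest: /etc/sysconfig/chronyd` in the lineinfile is a RHEL path; on Ubuntu 20.04, which the `ubuntu2004cis_*` variables target, chrony's daemon options live in `/etc/default/chrony` as `DAEMON_OPTS`, so this task either fails on a missing file or, if a `create:` option outside the hunk makes it, writes an `OPTIONS=` line that chronyd never reads. Suggest `dest: /etc/default/chrony`, `regexp: '^(#)?DAEMON_OPTS'` and `line: 'DAEMON_OPTS="-u {{ chrony_system_user[ansible_os_family] }}"'`. The per-OS lookup tables keyed by `ansible_os_family` are vestigial in a single-distribution role and could be flattened. The block's `when:` and any restart notify lie outside the hunk.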
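Review bot: `name: dhcpd` in the 2.2.5 service task is the RHEL unit name; Ubuntu 20.04's `isc-dhcp-server` package installs `isc-dhcp-server.service` and `isc-dhcp-server6.service`, so on Ubuntu this stop/disable either errors on an unknown unit or, if the error is suppressed by handling outside the hunk, silently leaves a running DHCP server enabled. Loop the task over both units with `name: "{{ item }}"` and `loop: [isc-dhcp-server, isc-dhcp-server6]`. The task's `when:` and tags continue outside the hunk.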
@@ -491,7 +491,7 @@
- rule_2.2.6
- name: "SCORED | 2.2.7 | PATCH | Ensure NFS and RPC are not enabled"
- ansible.builtin.service:
+ service:
name: nfs
state: stopped
enabled: false
@@ -509,7 +509,7 @@
- rule_2.2.7
- name: "SCORED | 2.2.7 | PATCH | Ensure RPC is not enabled"
- ansible.builtin.service:
+ service:
name: rpcbind
state: stopped
enabled: false
@@ -527,7 +527,7 @@
- rule_2.2.7
- name: "SCORED | 2.2.8 | PATCH | Ensure DNS Server is not enabled"
- ansible.builtin.service:
+ service:
name: named
state: stopped
enabled: false
@@ -544,7 +544,7 @@
- rule_2.2.8
- name: "SCORED | 2.2.9 | PATCH | Ensure FTP Server is not enabled"
- ansible.builtin.service:
+ service:
name: vsftpd
state: stopped
enabled: false
@@ -561,7 +561,7 @@
- rule_2.2.9
- name: "SCORED | 2.2.10 | PATCH | Ensure HTTP server is not enabled"
- ansible.builtin.service:
+ service:
name: apache2
state: stopped
enabled: false
@@ -578,7 +578,7 @@
- rule_2.2.10
- name: "SCORED | 2.2.11 | PATCH | Ensure IMAP and POP3 server is not enabled"
- ansible.builtin.service:
+ service:
name: dovecot
state: stopped
enabled: false
@@ -596,7 +596,7 @@
- rule_2.2.11
- name: "SCORED | 2.2.12 | PATCH | Ensure Samba is not enabled"
- ansible.builtin.service:
+ service:
name: smbd
state: stopped
enabled: false
@@ -613,7 +613,7 @@
- rule_2.2.12
- name: "SCORED | 2.2.13 | PATCH | Ensure HTTP Proxy Server is not enabled"
- ansible.builtin.service:
+ service:
name: squid
state: stopped
enabled: false
@@ -630,7 +630,7 @@
- rule_2.2.13
- name: "SCORED | 2.2.14 | PATCH | Ensure SNMP Server is not enabled"
- ansible.builtin.service:
+ service:
name: snmpd
state: stopped
enabled: false
@@ -647,7 +647,7 @@
- rule_2.2.14
- name: "SCORED | 2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/postfix/main.cf
regexp: "^(#)?inet_interfaces"
line: "inet_interfaces = localhost"
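Review bot: `name: nfs` does not correspond to an Ubuntu 20.04 unit; the `nfs-kernel-server` package provides `nfs-server.service` (with `nfs-kernel-server.service` as an alias), so this stop/disable either fails or is masked by error handling below the hunk while the NFS server stays up. Change it to `name: nfs-server`; the `rpcbind` task in the following hunk is correct as written. The task's `when:` and tags continue past the hunk.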
@@ -662,7 +662,7 @@
- rule_2.2.15
- name: "SCORED | 2.2.16 | PATCH | Ensure rsync service is not enabled "
- ansible.builtin.service:
+ service:
name: rsync
state: stopped
enabled: false
@@ -679,7 +679,7 @@
- rule_2.2.16
- name: "SCORED | 2.2.17 | PATCH | Ensure NIS Server is not enabled"
- ansible.builtin.service:
+ service:
name: nis
state: stopped
enabled: false
@@ -696,7 +696,7 @@
- rule_2.2.17
- name: "SCORED | 2.3.1 | PATCH | Ensure NIS Client is not installed"
- ansible.builtin.apt:
+ apt:
name: yp-tools
state: absent
when:
@@ -709,7 +709,7 @@
- rule_2.3.1
- name: "SCORED | 2.3.2 | PATCH | Ensure rsh client is not installed"
- ansible.builtin.apt:
+ apt:
name: rsh
state: absent
when:
@@ -722,7 +722,7 @@
- rule_2.3.2
- name: "SCORED | 2.3.3 | PATCH | Ensure talk client is not installed"
- ansible.builtin.apt:
+ apt:
name: talk
state: absent
when:
@@ -735,7 +735,7 @@
- rule_2.3.3
- name: "SCORED | 2.3.4 | PATCH | Ensure telnet client is not installed"
- ansible.builtin.apt:
+ apt:
name: telnet
state: absent
when:
@@ -748,7 +748,7 @@
- rule_2.3.4
- name: "SCORED | 2.3.5 | PATCH | Ensure LDAP client is not installed"
- ansible.builtin.apt:
+ apt:
name: ldap-utils
state: absent
when:
@@ -761,7 +761,7 @@
- rule_2.3.5
- name: "SCORED | 2.3.6 | PATCH | Ensure RPC is not installed"
- ansible.builtin.apt:
+ apt:
name: rpcbind
state: absent
when:
@@ -775,7 +775,7 @@
- name: "NOTSCORED | 2.4 | PATCH | Ensure nonessential services are removed or masked"
changed_when: false
- ansible.builtin.debug:
+ debug:
msg: >
Run the following command: # lsof -i -P -n | grep -v "(ESTABLISHED)"
diff --git a/tasks/section3.yml b/tasks/section3.yml
index 3bd768e..3a3dc94 100644
--- a/tasks/section3.yml
+++ b/tasks/section3.yml
@@ -21,7 +21,7 @@
- rule_3.1.1
- name: "NOTSCORED | 3.1.1 | PATCH | Disable IPv6"
- ansible.builtin.replace:
+ replace:
dest: /etc/default/grub
regexp: '^(GRUB_CMDLINE_LINUX=(?!.*ipv6.disable)\"[^\"]*)(\".*)'
replace: '\1 ipv6.disable=1\2'
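Review bot: `name: rsh` in the 2.3.2 apt task is not a binary package on Ubuntu 20.04; the clients the benchmark asks to purge are `rsh-client` and `rsh-redone-client`, so this task cannot remove an installed rsh client and may fail outright on the unknown name. Use `name: [rsh-client, rsh-redone-client]` with `state: absent`. The task's `when:` list continues outside the hunk.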
@@ -338,7 +338,7 @@
- rule_3.3.9
- name: "SCORED | 3.4.1 | PATCH | Ensure DCCP is disabled"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install dccp(\\s|$)"
line: "install dccp /bin/true"
@@ -352,7 +352,7 @@
- rule_3.4.1
- name: "SCORED | 3.4.2 | PATCH | Ensure SCTP is disabled"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install sctp(\\s|$)"
line: "install sctp /bin/true"
@@ -366,7 +366,7 @@
- rule_3.4.2
- name: "SCORED | 3.4.3 | PATCH | Ensure RDS is disabled"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install rds(\\s|$)"
line: "install rds /bin/true"
@@ -380,7 +380,7 @@
- rule_3.4.3
- name: "SCORED | 3.4.4 | PATCH | Ensure TIPC is disabled"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/modprobe.d/CIS.conf
regexp: "^(#)?install tipc(\\s|$)"
line: "install tipc /bin/true"
@@ -394,7 +394,7 @@
- rule_3.4.4
- name: "SCORED | 3.5.1.1 | PATCH | Ensure Uncomplicated Firewall is installed"
- ansible.builtin.apt:
+ apt:
name: ufw
state: present
install_recommends: false
@@ -409,7 +409,7 @@
- rule_3.5.1.1
- name: "SCORED | 3.5.1.2 | PATCH | Ensure iptables-persistent is not installed"
- ansible.builtin.apt:
+ apt:
name: iptables-persistent
state: absent
when:
@@ -423,7 +423,7 @@
- rule_3.5.1.2
- name: "SCORED | 3.5.1.3 | PATCH | Ensure ufw service is enabled"
- ansible.builtin.service:
+ service:
name: ufw
state: started
enabled: true
@@ -527,7 +527,7 @@
- rule_3.5.1.7
- name: "SCORED | 3.5.2.1 | PATCH | Ensure nftables is installed"
- ansible.builtin.apt:
+ apt:
name: nftables
state: present
install_recommends: false
@@ -542,7 +542,7 @@
- rule_3.5.2.1
- name: "SCORED | 3.5.2.2 | PATCH | Ensure Uncomplicated Firewall is not installed or disabled"
- ansible.builtin.apt:
+ apt:
name: ufw
state: absent
when:
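Review bot: `service:` with `name: ufw`, `state: started`, `enabled: true` only starts the systemd unit; `ufw.service` loads rules solely when `ENABLED=yes` is set in `/etc/ufw/ufw.conf`, which is what `ufw enable` writes, so on a host that has never been enabled the firewall stays off while the task reports success and 3.5.1.3 is not actually met. Use the ufw module (`ufw:` on 2.9, `community.general.ufw` on later releases) with `state: enabled`, which sets the flag and reloads, and keep this service task only for boot-time enablement. The task's `when:` and tags are below the hunk.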
@@ -558,11 +558,11 @@
- name: "NOTSCORED | 3.5.2.3 | PATCH | Ensure iptables are flushed | ipv4, ipv6"
block:
- name: "NOTSCORED | 3.5.2.3 | PATCH | Ensure iptables are flushed | ipv4"
- ansible.builtin.iptables:
+ iptables:
flush: yes
- name: "NOTSCORED | 3.5.2.3 | PATCH | Ensure iptables are flushed | ipv6"
- ansible.builtin.iptables:
+ iptables:
flush: yes
ip_version: ipv6
when: ubuntu2004cis_ipv6_required
@@ -577,7 +577,7 @@
- rule_3.5.2.3
- name: "SCORED | 3.5.2.4 | PATCH | Ensure a table exists"
- ansible.builtin.shell: |
+ shell: |
nft create table inet {{ ubuntu2004cis_nftables_table }}
args:
executable: /bin/bash
@@ -597,7 +597,7 @@
- rule_3.5.2.4
- name: "SCORED | 3.5.2.5 | PATCH | Ensure base chains exist"
- ansible.builtin.shell: |
+ shell: |
nft chain inet {{ ubuntu2004cis_nftables_table }} {{ item }} { type filter hook {{ item }} priority 0\; }
args:
executable: /bin/bash
@@ -620,7 +620,7 @@
- name: "SCORED | 3.5.2.6 | PATCH | Ensure loopback traffic is configured"
block:
- name: "SCORED | 3.5.2.6 | PATCH | Ensure loopback traffic is configured | ingress lo allow nay"
- ansible.builtin.shell: |
+ shell: |
nft add rule inet {{ ubuntu2004cis_nftables_table }} input iif lo accept
args:
executable: /bin/bash
@@ -628,7 +628,7 @@
check_mode: false
- name: "SCORED | 3.5.2.6 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv4"
- ansible.builtin.shell: |
+ shell: |
nft add rule inet {{ ubuntu2004cis_nftables_table }} input ip saddr 127.0.0.0/8 counter drop
args:
executable: /bin/bash
@@ -636,7 +636,7 @@
check_mode: false
- name: "SCORED | 3.5.2.6 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network ipv6"
- ansible.builtin.shell: |
+ shell: |
nft add rule inet {{ ubuntu2004cis_nftables_table }} input ip6 saddr ::1 counter drop
args:
executable: /bin/bash
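Review bot: `nft create table inet {{ ubuntu2004cis_nftables_table }}` returns an error (`File exists`) when the table is already present, so every run after the first fails this task unless the `failed_when`/`changed_when` lines below the hunk swallow the error, in which case a genuine failure can no longer be reported either. `nft add table inet {{ ubuntu2004cis_nftables_table }}` is a no-op on an existing table and makes the task idempotent without special-casing. The task's `register`, `when:` and error handling lie outside the hunk.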
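Review bot: `nft add rule inet {{ ubuntu2004cis_nftables_table }} input iif lo accept` runs unconditionally, and nft appends a fresh copy on every invocation, so each play run grows the chain with duplicate loopback rules (the two drop rules in the following hunks behave the same) unless a check outside the hunk guards it. Guard each rule with a registered `nft -a list chain inet {{ ubuntu2004cis_nftables_table }} input` and a `when:` that tests for the rule text, or render the whole ruleset from a template and load it with `nft -f` in one idempotent step. The task name also reads `ingress lo allow nay`, which should be `any`. The task's `changed_when`/`check_mode` settings are outside the hunk.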
@@ -654,7 +654,7 @@
- rule_3.5.2.6
- name: "NOTSCORED | 3.5.2.7 | PATCH | Ensure outbound and established connections are configured"
- ansible.builtin.shell: |
+ shell: |
nft add rule inet {{ ubuntu2004cis_nftables_table }} input ip protocol {{ item }} ct state established accept
nft add rule inet {{ ubuntu2004cis_nftables_table }} output ip protocol {{ item }} ct state new,related,established accept
args:
@@ -676,7 +676,7 @@
- rule_3.5.2.7
- name: "SCORED | 3.5.2.8 | PATCH | Ensure default deny policy"
- ansible.builtin.shell: |
+ shell: |
nft chain inet {{ ubuntu2004cis_nftables_table }} {{ item }} { policy drop \; }
args:
executable: /bin/bash
@@ -697,7 +697,7 @@
- rule_3.5.2.8
- name: "SCORED | 3.5.2.9 | PATCH | Ensure nftables service is enabled"
- ansible.builtin.service:
+ service:
name: nftables
state: started
enabled: true
@@ -712,7 +712,7 @@
- rule_3.5.2.9
- name: "SCORED | 3.5.2.10 | PATCH | Ensure nftables rules are permanent"
- ansible.builtin.shell:
+ shell:
nft list table inet {{ ubuntu2004cis_nftables_table }} > /etc/nftables.conf
when:
- ubuntu2004cis_rule_3_5_2_10
@@ -725,7 +725,7 @@
- rule_3.5.2.10
- name: "SCORED | 3.5.3.1.1 | PATCH | Ensure a Firewall package is installed | iptables"
- ansible.builtin.apt:
+ apt:
name: iptables
state: present
install_recommends: false
@@ -739,7 +739,7 @@
- name: "SCORED | 3.5.3.1.2 | PATCH | Ensure nftables is not installed or disabled SCORED | 3.5.3.1.3 | PATCH | Ensure Uncomplicated Firewall is not installed or disabled"
- ansible.builtin.apt:
+ apt:
name:
- nftables
- ufw
@@ -757,7 +757,7 @@
- rule_3.5.3.1.3
- name: "SCORED | 3.5.3.2.1 | PATCH | Ensure default deny firewall policy"
- ansible.builtin.iptables:
+ iptables:
chain: "{{ item }}"
policy: DROP
loop:
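Review bot: Applying `policy drop` to the chains here happens with no rule anywhere in the 3.5.2.x tasks that accepts new SSH connections: 3.5.2.7 accepts only `ct state established`, so the running Ansible session survives but every later SSH login, and the host after the reboot that loads the persisted set, is locked out unless an accept rule exists somewhere outside this section. Add `nft add rule inet {{ ubuntu2004cis_nftables_table }} input tcp dport 22 ct state new accept` before this task, mirroring the iptables-path rule in 3.5.3.2.4. Note too that 3.5.2.7 matches `ip protocol` only, so once the policy is applied IPv6 return traffic is dropped as well; `meta l4proto {{ item }}` covers both families. The chain loop for this task continues past the hunk.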
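Review bot: `state: started` on `nftables` here loads `/etc/nftables.conf`, and the file Ubuntu 20.04 ships at that path begins with `flush ruleset`, so if the unit was not already active this task discards the table, chains and rules just built in 3.5.2.4–3.5.2.8, after which 3.5.2.10 persists the stock empty chains. Persist before starting: keep `enabled: true` here, drop `state: started`, and start the service (or `nft -f` the written file) only after 3.5.2.10 has run. On hosts where the unit was already running this is a no-op, which would hide the problem in testing. The task's `when:` and tags continue below the hunk.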
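Review bot: `nft list table inet {{ ubuntu2004cis_nftables_table }} > /etc/nftables.conf` has the shell truncate the file before nft runs, so a failing `nft list` (table not present, binary missing) leaves an empty `/etc/nftables.conf` and the next boot comes up with no ruleset at all. Write to a temporary file and rename: `nft list table inet {{ ubuntu2004cis_nftables_table }} > /etc/nftables.conf.tmp && mv /etc/nftables.conf.tmp /etc/nftables.conf`. The dump also carries no `flush ruleset` line, so a later `nft -f /etc/nftables.conf` (a service reload) appends every rule a second time on top of the live set. Any `changed_when` for this shell task lies outside the hunk, so it presumably reports changed on each run.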
@@ -777,19 +777,19 @@
- name: "SCORED | 3.5.3.2.2 | PATCH | Ensure loopback traffic is configured"
block:
- name: "SCORED | 3.5.3.2.2 | PATCH | Ensure loopback traffic is configured | ingress lo allow any"
- ansible.builtin.iptables:
+ iptables:
chain: INPUT
jump: ACCEPT
in_interface: lo
- name: "SCORED | 3.5.3.2.2 | PATCH | Ensure loopback traffic is configured | egress lo allow any"
- ansible.builtin.iptables:
+ iptables:
chain: INPUT
jump: ACCEPT
in_interface: lo
- name: "SCORED | 3.5.3.2.2 | PATCH | Ensure loopback traffic is configured | ingress deny from lo network"
- ansible.builtin.iptables:
+ iptables:
chain: INPUT
jump: DROP
source: 127.0.0.0/8
@@ -806,7 +806,7 @@
- name: "NOTSCORED | 3.5.3.2.3 | PATCH | Ensure outbound and established connections are configured"
block:
- name: "NOTSCORED | 3.5.3.2.3 | PATCH | Ensure outbound and established connections are configured | input "
- ansible.builtin.iptables:
+ iptables:
chain: INPUT
jump: ACCEPT
ctstate: NEW,ESTABLISHED
@@ -817,7 +817,7 @@
- icmp
- name: "NOTSCORED | 3.5.3.2.3 | PATCH | Ensure outbound and established connections are configured | output"
- ansible.builtin.iptables:
+ iptables:
chain: OUTPUT
jump: ACCEPT
ctstate: NEW,ESTABLISHED
@@ -839,7 +839,7 @@
- name: "SCORED | 3.5.3.2.4 | PATCH | Ensure firewall rules exist for all open ports"
block:
- name: "SCORED | 3.5.3.2.4 | PATCH | Ensure firewall rules exist for all open ports| ssh"
- ansible.builtin.iptables:
+ iptables:
chain: INPUT
jump: ACCEPT
ctstate: NEW
@@ -847,7 +847,7 @@
destination_port: 22
- name: "SCORED | 3.5.3.2.4 | PATCH | Ensure firewall rules exist for all open ports| dns"
- ansible.builtin.iptables:
+ iptables:
chain: INPUT
jump: ACCEPT
ctstate: NEW
@@ -867,7 +867,7 @@
- rule_3.5.3.2.4
- name: "SCORED | 3.5.3.3.1 | PATCH | Ensure IPv6 default deny firewall policy"
- ansible.builtin.iptables:
+ iptables:
chain: "{{ item }}"
policy: DROP
ip_version: ipv6
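Review bot: The `egress lo allow any` task is a verbatim copy of the ingress one — `chain: INPUT` with `in_interface: lo` — so the rule the benchmark expects on OUTPUT (`iptables -A OUTPUT -o lo -j ACCEPT`) is never added and the iptables module simply reports the existing INPUT rule as present. Change the second task to `chain: OUTPUT` and `out_interface: lo`. The same copy error appears in the IPv6 task of 3.5.3.3.2. The block's `when:` and tags continue past the hunk.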
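Review bot: `ctstate: NEW,ESTABLISHED` on the INPUT accept rule admits every new inbound connection for each protocol the task loops over (the following hunk's context shows `icmp` as a loop item), which cancels the DROP policy set in 3.5.3.2.1 and makes the per-port rules of 3.5.3.2.4 redundant. The benchmark's inbound rule is established traffic only: `ctstate: ESTABLISHED`; only the OUTPUT rule in the next hunk should carry `NEW,ESTABLISHED`. The loop list and `when:` for this task are outside the hunk.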
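Review bot: The `dns` task accepts new inbound connections on the DNS port (the port and protocol lines are below the hunk, but the task name leaves little doubt) on every host this role runs on, while 2.2.8 stops the DNS server on those same hosts, so it opens an inbound port 53 that nothing should be listening on. Gate it behind a variable such as `when: ubuntu2004cis_dns_server | default(false)` or remove it. The preceding ssh task's fixed `destination_port: 22` deserves the same treatment via a variable, since a non-default sshd port would lock out the next login. The block's `when:` and tags continue past the hunk.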
@@ -889,21 +889,21 @@
- name: "SCORED | 3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured"
block:
- name: "SCORED | 3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured| ingress lo allow any"
- ansible.builtin.iptables:
+ iptables:
chain: INPUT
jump: ACCEPT
in_interface: lo
ip_version: ipv6
- name: "SCORED | 3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured| egress lo allow any"
- ansible.builtin.iptables:
+ iptables:
chain: INPUT
jump: ACCEPT
in_interface: lo
ip_version: ipv6
- name: "SCORED | 3.5.3.3.2 | PATCH | Ensure IPv6 loopback traffic is configured| ingress deny from lo network"
- ansible.builtin.iptables:
+ iptables:
chain: INPUT
jump: DROP
source: "::1"
@@ -922,7 +922,7 @@
- name: "NOTSCORED | 3.5.3.3.3 | PATCH | Ensure IPv6 outbound and established connections are configured"
block:
- name: "NOTSCORED | 3.5.3.3.3 | PATCH | Ensure IPv6 outbound and established connections are configured | input "
- ansible.builtin.iptables:
+ iptables:
chain: INPUT
jump: ACCEPT
ctstate: NEW,ESTABLISHED
@@ -934,7 +934,7 @@
- icmp
- name: "NOTSCORED | 3.5.3.3.3 | PATCH | Ensure IPv6 outbound and established connections are configured | output"
- ansible.builtin.iptables:
+ iptables:
chain: OUTPUT
jump: ACCEPT
ctstate: NEW,ESTABLISHED
@@ -958,7 +958,7 @@
- name: "NOTSCORED | 3.5.3.3.4 | PATCH | Ensure IPv6 firewall rules exist for all open ports"
block:
- name: "NOTSCORED | 3.5.3.3.4 | PATCH | Ensure IPv6 firewall rules exist for all open ports| ssh"
- ansible.builtin.iptables:
+ iptables:
chain: INPUT
jump: ACCEPT
ctstate: NEW
@@ -967,7 +967,7 @@
ip_version: ipv6
- name: "NOTSCORED | 3.5.3.3.4 | PATCH | Ensure IPv6 firewall rules exist for all open ports| dns"
- ansible.builtin.iptables:
+ iptables:
chain: INPUT
jump: ACCEPT
ctstate: NEW
diff --git a/tasks/section4.yml b/tasks/section4.yml
index 2fd4c07..9e1803e 100644
--- a/tasks/section4.yml
+++ b/tasks/section4.yml
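Review bot: As in the IPv4 block, the `egress lo allow any` task here repeats the ingress rule — `chain: INPUT`, `in_interface: lo`, `ip_version: ipv6` — so no OUTPUT loopback rule is added to ip6tables and the benchmark's `ip6tables -A OUTPUT -o lo -j ACCEPT` is missing. Change the second task to `chain: OUTPUT` and `out_interface: lo`, keeping `ip_version: ipv6`. The block's `when:` and tags continue past the hunk.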
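Review bot: `ctstate: NEW,ESTABLISHED` on the ip6tables INPUT rule accepts all new inbound IPv6 connections for the looped protocols, defeating the DROP policy from 3.5.3.3.1 and making the 3.5.3.3.4 port rules pointless. Inbound should be `ctstate: ESTABLISHED` only; the OUTPUT rule in the next hunk keeps `NEW,ESTABLISHED`. If the loop below the hunk lists `icmp` as the next hunk's context suggests, note that the IPv6 control protocol is `ipv6-icmp`, so an `icmp` entry under `ip_version: ipv6` matches nothing useful. The loop and `when:` are outside the hunk.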
@@ -1,6 +1,6 @@
---
- name: "SCORED | 4.1.1.1 | PATCH | Ensure auditd is installed"
- ansible.builtin.apt:
+ apt:
name: audispd-plugins
state: present
install_recommends: false
@@ -15,7 +15,7 @@
- rule_4.1.1.1
- name: "SCORED | 4.1.1.2 | PATCH | Ensure auditd service is enabled"
- ansible.builtin.service:
+ service:
name: auditd
state: started
enabled: true
@@ -30,7 +30,7 @@
- rule_4.1.1.2
- name: "SCORED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
- ansible.builtin.replace:
+ replace:
dest: /etc/default/grub
regexp: '^(GRUB_CMDLINE_LINUX=(?!.*audit)\"[^\"]*)(\".*)'
replace: '\1 audit=1\2'
@@ -46,7 +46,7 @@
- rule_4.1.1.3
- name: "SCORED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient"
- ansible.builtin.replace:
+ replace:
dest: /etc/default/grub
regexp: '^(GRUB_CMDLINE_LINUX=(?!.*audit_backlog_limit)\"[^\"]*)(\".*)'
replace: '\1 audit_backlog_limit={{ ubuntu2004cis_auditd.backlog_limit }}\2'
@@ -63,7 +63,7 @@
- rule_4.1.1.4
- name: "SCORED | 4.1.2.1 | PATCH | Ensure audit log storage size is configured"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^max_log_file( |=)"
line: "max_log_file = {{ ubuntu2004cis_auditd.max_audit_log_file_size }}"
@@ -81,7 +81,7 @@
- rule_4.1.2.1
- name: "SCORED | 4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^max_log_file_action"
line: "max_log_file_action = {{ ubuntu2004cis_auditd['max_log_file_action'] }}"
@@ -101,7 +101,7 @@
- name: "SCORED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full"
block:
- name: "SCORED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full | admin_space_left_action"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^admin_space_left_action"
line: "admin_space_left_action = {{ ubuntu2004cis_auditd['admin_space_left_action'] }}"
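Review bot: The lookahead `(?!.*audit)` in the grub `regexp` blocks the replace whenever the string `audit` occurs anywhere in `GRUB_CMDLINE_LINUX`, including `audit_backlog_limit=` written by 4.1.1.4 on an earlier run or a pre-existing `audit=0`, so a host that already carries the backlog parameter never receives `audit=1` and the task reports ok. Anchor on the parameter itself: `regexp: '^(GRUB_CMDLINE_LINUX=(?!.*\baudit=)\"[^\"]*)(\".*)'`. An existing `audit=0` still needs its own replace to flip it to `audit=1`. Whatever regenerates grub.cfg after this edit, and the task's `when:`, sit outside the hunk.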
@@ -111,7 +111,7 @@
- restart auditd
- name: "SCORED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full | space_left_action"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^space_left_action"
line: "space_left_action = email"
@@ -121,7 +121,7 @@
- restart auditd
- name: "SCORED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full | action_mail_acct"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^action_mail_acct"
line: "action_mail_acct = root"
@@ -139,7 +139,7 @@
- rule_4.1.2.3
- name: "SCORED | 4.1.3 | PATCH | Ensure events that modify date and time information are collected"
- ansible.builtin.template:
+ template:
src: audit/ubuntu2004cis_rule_4_1_3.rules.j2
dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_3.rules
owner: root
@@ -158,7 +158,7 @@
- rule_4.1.3
- name: "SCORED | 4.1.4 | PATCH | Ensure events that modify user/group information are collected"
- ansible.builtin.template:
+ template:
src: audit/ubuntu2004cis_rule_4_1_4.rules.j2
dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_4.rules
owner: root
@@ -177,7 +177,7 @@
- rule_4.1.4
- name: "SCORED | 4.1.5 | PATCH | Ensure events that modify the system's network environment are collected"
- ansible.builtin.template:
+ template:
src: audit/ubuntu2004cis_rule_4_1_5.rules.j2
dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_5.rules
owner: root
@@ -196,7 +196,7 @@
- rule_4.1.5
- name: "SCORED | 4.1.6 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
- ansible.builtin.template:
+ template:
src: audit/ubuntu2004cis_rule_4_1_6.rules.j2
dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_6.rules
owner: root
@@ -215,7 +215,7 @@
- rule_4.1.6
- name: "SCORED | 4.1.7 | PATCH | Ensure login and logout events are collected"
- ansible.builtin.template:
+ template:
src: audit/ubuntu2004cis_rule_4_1_7.rules.j2
dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_7.rules
owner: root
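Review bot: `space_left_action = email` here and `action_mail_acct = root` in the next hunk are hard-coded while `admin_space_left_action` one hunk up is read from `ubuntu2004cis_auditd`, so an operator who tunes one cannot tune the others; `line: "space_left_action = {{ ubuntu2004cis_auditd['space_left_action'] | default('email') }}"` keeps the default and makes the block consistent. Separately, the `restart auditd` handler these tasks notify will only take effect if it avoids the service/systemd modules: if Ubuntu's `auditd.service` carries `RefuseManualStop=yes` as upstream's unit does, `systemctl restart auditd` is refused and the edited auditd.conf is not reread until reboot, whereas `command: systemctl kill -s HUP auditd` triggers the reconfigure auditd documents for SIGHUP. The rest of the block continues past the hunk.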
@@ -234,7 +234,7 @@
- rule_4.1.7
- name: "SCORED | 4.1.8 | PATCH | Ensure session initiation information is collected"
- ansible.builtin.template:
+ template:
src: audit/ubuntu2004cis_rule_4_1_8.rules.j2
dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_8.rules
owner: root
@@ -253,7 +253,7 @@
- rule_4.1.8
- name: "SCORED | 4.1.9 | PATCH | Ensure discretionary access control permission modification events are collected"
- ansible.builtin.template:
+ template:
src: audit/ubuntu2004cis_rule_4_1_9.rules.j2
dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_9.rules
owner: root
@@ -272,7 +272,7 @@
- rule_4.1.9
- name: "SCORED | 4.1.10 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected"
- ansible.builtin.template:
+ template:
src: audit/ubuntu2004cis_rule_4_1_10.rules.j2
dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_10.rules
owner: root
@@ -294,13 +294,13 @@
block:
- name: "SCORED | 4.1.11 | PATCH | Get list of setuid/setguid binaries"
- ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
+ shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
register: priv_procs
changed_when: false
check_mode: false
- name: "SCORED | 4.1.11 | PATCH | Ensure use of privileged commands is collected"
- ansible.builtin.template:
+ template:
src: audit/ubuntu2004cis_rule_4_1_11.rules.j2
dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_11.rules
owner: root
@@ -319,7 +319,7 @@
- rule_4.1.11
- name: "SCORED | 4.1.12 | PATCH | Ensure successful file system mounts are collected"
- ansible.builtin.template:
+ template:
src: audit/ubuntu2004cis_rule_4_1_12.rules.j2
dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_12.rules
owner: root
@@ -338,7 +338,7 @@
- rule_4.1.12
- name: "SCORED | 4.1.13 | PATCH | Ensure file deletion events by users are collected"
- ansible.builtin.template:
+ template:
src: audit/ubuntu2004cis_rule_4_1_13.rules.j2
dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_13.rules
owner: root
@@ -357,7 +357,7 @@
- rule_4.1.13
- name: "SCORED | 4.1.14 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
- ansible.builtin.template:
+ template:
src: audit/ubuntu2004cis_rule_4_1_14.rules.j2
dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_14.rules
owner: root
@@ -376,7 +376,7 @@
- rule_4.1.14
- name: "SCORED | 4.1.15 | PATCH | Ensure system administrator actions (sudolog) are collected"
- ansible.builtin.template:
+ template:
src: audit/ubuntu2004cis_rule_4_1_15.rules.j2
dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_15.rules
owner: root
@@ -395,7 +395,7 @@
- rule_4.1.15
- name: "SCORED | 4.1.16 | PATCH | Ensure kernel module loading and unloading is collected"
- ansible.builtin.template:
+ template:
src: audit/ubuntu2004cis_rule_4_1_16.rules.j2
dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_16.rules
owner: root
@@ -414,7 +414,7 @@
- rule_4.1.16
- name: "SCORED | 4.1.17 | PATCH | Ensure the audit configuration is immutable"
- ansible.builtin.template:
+ template:
src: audit/ubuntu2004cis_rule_4_1_17.rules.j2
dest: /etc/audit/rules.d/ubuntu2004cis_rule_4_1_17.rules
owner: root
@@ -433,7 +433,7 @@
- rule_4.1.17
- name: "SCORED | 4.2.1.1 | PATCH | Ensure rsyslog or is installed"
- ansible.builtin.apt:
+ apt:
name: rsyslog
state: present
install_recommends: false
@@ -448,7 +448,7 @@
- rule_4.2.1.1
- name: "SCORED | 4.2.1.2 | PATCH | Ensure rsyslog Service is enabled"
- ansible.builtin.service:
+ service:
name: rsyslog
enabled: yes
changed_when: false
@@ -463,7 +463,7 @@
- rule_4.2.1.2
- name: "NOTSCORED | 4.2.1.3 | PATCH | Ensure logging is configured"
- ansible.builtin.command: /bin/true
+ command: /bin/true
changed_when: false
when:
- ubuntu2004cis_rule_4_2_1_3
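Review bot: `changed_when: false` on the task that sets `enabled: yes` for rsyslog masks a real state change, so check-mode and idempotency reporting can never show that the role enabled the service; drop it. The task also never ensures the daemon is running; add `state: started`, as the other service tasks in this role do. The task's `when:` continues past the hunk.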
@@ -476,7 +476,7 @@
- notimplemented
- name: "SCORED | 4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/rsyslog.conf
regexp: '^\$FileCreateMode'
line: '$FileCreateMode 0640'
@@ -490,7 +490,7 @@
- rule_4.2.1.4
- name: "SCORED | 4.2.1.5 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
- ansible.builtin.command: /bin/true
+ command: /bin/true
changed_when: false
when:
- ubuntu2004cis_rule_4_2_1_5
@@ -503,7 +503,7 @@
- notimplemented
- name: "NOTSCORED | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts."
- ansible.builtin.command: /bin/true
+ command: /bin/true
changed_when: false
when:
- ubuntu2004cis_rule_4_2_1_6
@@ -516,7 +516,7 @@
- notimplemented
- name: "SCORED | 4.2.2.1 | PATCH | Ensure journald is configured to send logs to rsyslog"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/systemd/journald.conf
regexp: "(#)?ForwardToSyslog=(yes|no)"
line: ForwardToSyslog=yes
@@ -533,7 +533,7 @@
- rule_4.2.2.1
- name: "SCORED | 4.2.2.2 | PATCH | Ensure journald is configured to compress large log files"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/systemd/journald.conf
regexp: "(#)?Compress=(yes|no)"
line: Compress=yes
@@ -549,7 +549,7 @@
- rule_4.2.2.2
- name: "SCORED | 4.2.2.3 | PATCH | Ensure journald is configured to write logfiles to persistent disk"
- ansible.builtin.lineinfile:
+ lineinfile:
dest: /etc/systemd/journald.conf
regexp: "(#)?Storage=(auto|persistent)"
line: Storage=persistent
@@ -565,7 +565,7 @@
- rule_4.2.2.3
- name: "SCORED | 4.2.3 | PATCH | Ensure permissions on all logfiles are configured"
- ansible.builtin.command: find /var/log -type f -exec chmod g-wx,o-rwx {} +
+ command: find /var/log -type f -exec chmod g-wx,o-rwx {} +
changed_when: false
failed_when: false
when:
@@ -580,18 +580,18 @@
- name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured"
block:
- name: "NOTSCORED | 4.3 | PATCH | Register logrotate.d files"
- ansible.builtin.find:
+ find:
paths: /etc/logrotate.d/
register: log_rotates
- name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate.conf exists"
- ansible.builtin.file:
+ file:
path: /etc/logrotate.conf
state: touch
changed_when: false
- name: "NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured"
- ansible.builtin.replace:
+ replace:
path: "{{ item.path }}"
regexp: '^(\s*)(daily|weekly|monthly|yearly)$'
replace: "\\1{{ ubuntu2004cis_logrotate }}"
@@ -608,7 +608,7 @@
- rule_4.3
- name: "SCORED | 4.4 | PATCH | Ensure logrotate assigns appropriate permissions"
- ansible.builtin.lineinfile:
+ lineinfile:
state: present
dest: /etc/logrotate.conf
regexp: '^create'
diff --git a/tasks/section5.yml b/tasks/section5.yml
index 1b9a20c..717cc60 100644
--- a/tasks/section5.yml
+++ b/tasks/section5.yml
@@ -1,6 +1,6 @@
---
- name: "SCORED | 5.1.1 | PATCH | Ensure cron daemon is enabled"
- ansible.builtin.service:
+ service:
name: "{{ cron_service[ansible_os_family] }}"
enabled: true
when:
@@ -13,7 +13,7 @@
- rule_5.1.1
- name: "SCORED | 5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
- ansible.builtin.file:
+ file:
dest: /etc/crontab
owner: root
group: root
@@ -28,7 +28,7 @@
- rule_5.1.2
- name: "SCORED | 5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
- ansible.builtin.file:
+ file:
dest: /etc/cron.hourly
state: directory
owner: root
@@ -44,7 +44,7 @@
- rule_5.1.3
- name: "SCORED | 5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
- ansible.builtin.file:
+ file:
dest: /etc/cron.daily
state: directory
owner: root
@@ -60,7 +60,7 @@
- rule_5.1.4
- name: "SCORED | 5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
- ansible.builtin.file:
+ file:
dest: /etc/cron.weekly
state: directory
owner: root
@@ -76,7 +76,7 @@
- rule_5.1.5
- name: "SCORED | 5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
- ansible.builtin.file:
+ file:
dest: /etc/cron.monthly
state: directory
owner: root
@@ -92,7 +92,7 @@
- rule_5.1.6
- name: "SCORED | 5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
- ansible.builtin.file:
+ file:
dest: /etc/cron.d
state: directory
owner: root
@@ -110,12 +110,12 @@
- name: "SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users"
block:
- name: "SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users"
- ansible.builtin.file:
+ file:
dest: /etc/cron.deny
state: absent
- name: "SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users"
- ansible.builtin.template:
+ template:
src: cron.allow.j2
dest: /etc/cron.allow
owner: root
@@ -133,12 +133,12 @@
- name: "SCORED | 5.1.9 | PATCH | Ensure at is restricted to authorized users"
block:
- name: "SCORED | 5.1.9 | PATCH | Ensure at is restricted to authorized users"
- ansible.builtin.file:
+ file:
dest: /etc/at.deny
state: absent
- name: "SCORED | 5.1.8 | PATCH | Ensure at is restricted to authorized users"
- ansible.builtin.template:
+ template:
src: at.allow.j2
dest: /etc/at.allow
owner: root
@@ -154,7 +154,7 @@
- rule_5.1.9
- name: "SCORED | 5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
- ansible.builtin.file:
+ file:
dest: /etc/ssh/sshd_config
state: file
owner: root
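Review bot: The second task inside the 5.1.9 block is still named `SCORED | 5.1.8 | PATCH | Ensure at is restricted to authorized users`, a copy-paste from the cron block, so task output and `--list-tasks` attribute the at.allow write to the wrong control. Rename it `SCORED | 5.1.9 | PATCH | Ensure at is restricted to authorized users | at.allow` and give the cron counterpart a `| cron.allow` suffix for symmetry. The template's ownership, mode and the block's `when:` continue outside the hunk.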
@@ -172,13 +172,13 @@
- name: "SCORED | 5.2.2 | PATCH | 5.2.2 Ensure permissions on SSH private host key files are configured"
block:
- name: "SCORED | 5.2.2 | PATCH | 5.2.2 Ensure permissions on SSH private host key files are configured | find keys"
- ansible.builtin.find:
+ find:
paths: /etc/ssh
patterns: "ssh_host_*_key"
register: ssh_private_host_keys
- name: "SCORED | 5.2.2 | PATCH | 5.2.2 Ensure permissions on SSH private host key files are configured | change permissions"
- ansible.builtin.file:
+ file:
dest: "{{ item.path }}"
state: file
owner: root
@@ -197,13 +197,13 @@
- name: "SCORED | 5.2.3 | PATCH | 5.2.3 Ensure permissions on SSH public host key files are configured"
block:
- name: "SCORED | 5.2.3 | PATCH | 5.2.3 Ensure permissions on SSH public host key files are configured | find keys"
- ansible.builtin.find:
+ find:
paths: /etc/ssh
patterns: "ssh_host_*_key.pub"
register: ssh_public_host_keys
- name: "SCORED | 5.2.3 | PATCH | 5.2.3 Ensure permissions on SSH public host key files are configured | change permissions"
- ansible.builtin.file:
+ file:
dest: "{{ item.path }}"
state: file
owner: root
@@ -220,7 +220,7 @@
- rule_5.2.3
- name: "SCORED | 5.2.4 | PATCH | Ensure SSH LogLevel is set to INFO"
- ansible.builtin.lineinfile:
+ lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^LogLevel'
@@ -235,7 +235,7 @@
- rule_5.2.4
- name: "SCORED | 5.2.5 | PATCH | Ensure SSH X11 forwarding is disabled"
- ansible.builtin.lineinfile:
+ lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^X11Forwarding'
@@ -250,7 +250,7 @@
- rule_5.2.5
- name: "SCORED | 5.2.6 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
- ansible.builtin.lineinfile:
+ lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^(#)?MaxAuthTries \d'
@@ -265,7 +265,7 @@
- rule_5.2.6
- name: "SCORED | 5.2.7 | PATCH | Ensure SSH IgnoreRhosts is enabled"
- ansible.builtin.lineinfile:
+ lineinfile:
state: present
dest: /etc/ssh/sshd_config
regexp: '^IgnoreRhosts'
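Review bot: `regexp: '^LogLevel'` matches only an active directive, so on a stock `sshd_config` where the line is `#LogLevel INFO` lineinfile appends at end of file; if that file ends with a `Match` block (Ubuntu's default ends with a commented-out one, but real deployments often have live ones) the appended directive lands inside that block and either applies only to matched sessions or makes sshd refuse to start for directives Match does not allow. Use `regexp: '^(#)?LogLevel'` with `insertbefore: '^Match'` and `firstmatch: true`, or, since 20.04's sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, write the hardened settings to a file in that directory from a template and leave the main file alone. The same concern applies to every sshd lineinfile task in this section. The `line:` and `notify` for this task are outside the hunk.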
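Review bot: `regexp: '^(#)?MaxAuthTries \d'` is the only sshd pattern in this section that also matches the commented default, which is the right behaviour (the setting is replaced in place instead of appended); the neighbouring tasks anchor on the bare directive (`'^LogLevel'`, `'^IgnoreRhosts'`, `'^X11Forwarding'`) and should be aligned with this form rather than the reverse. The trailing ` \d` is unnecessary and skips a bare `#MaxAuthTries`; `regexp: '^(#)?MaxAuthTries'` is sufficient. The `line:`, `when:` and notify for this task are below the hunk.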
@@ -280,7 +280,7 @@ - rule_5.2.7 - name: "SCORED | 5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^HostbasedAuthentication'
@@ -295,7 +295,7 @@ - rule_5.2.8 - name: "SCORED | 5.2.9 | PATCH | Ensure SSH root login is disabled" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^PermitRootLogin'
@@ -310,7 +310,7 @@ - rule_5.2.9 - name: "SCORED | 5.2.10 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^PermitEmptyPasswords'
@@ -325,7 +325,7 @@ - rule_5.2.10 - name: "SCORED | 5.2.11 | PATCH | Ensure SSH PermitUserEnvironment is disabled" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^PermitUserEnvironment'
@@ -340,7 +340,7 @@ - rule_5.2.11 - name: "SCORED | 5.2.12 | PATCH | Ensure only strong Ciphers are used" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^Ciphers'
@@ -355,7 +355,7 @@ - rule_5.2.12 - name: "SCORED | 5.2.13 | PATCH | Ensure only approved MAC algorithms are used" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^MACs'
@@ -370,7 +370,7 @@ - rule_5.2.13 - name: "SCORED | 5.2.14 | PATCH | Ensure only strong Key Exchange algorithms are used" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^KexAlgorithms'
@@ -387,14 +387,14 @@ - name: "SCORED | 5.2.15 | PATCH | Ensure SSH Idle Timeout Interval is configured" block: - name: "SCORED | 5.2.15 | PATCH | Ensure SSH Idle Timeout Interval is configured" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ ubuntu2004cis_sshd['clientaliveinterval'] }}" - name: "SCORED | 5.2.15 | PATCH | Ensure SSH ClientAliveCountMax set to <= 3" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^ClientAliveCountMax'
@@ -409,7 +409,7 @@ - rule_5.2.15 - name: "SCORED | 5.2.16 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^LoginGraceTime'
@@ -426,7 +426,7 @@ - name: "SCORED | 5.2.17 | PATCH | Ensure SSH access is limited" block: - name: "SCORED | 5.2.17 | PATCH | Ensure SSH access is limited | allowusers" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^AllowUsers'
@@ -435,7 +435,7 @@ - "ubuntu2004cis_sshd['allowusers']|default('')" - name: "SCORED | 5.2.17 | PATCH | Ensure SSH access is limited | allowgroups" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^AllowGroups'
@@ -444,7 +444,7 @@ - "ubuntu2004cis_sshd['allowgroups']|default('')" - name: "SCORED | 5.2.17 | PATCH | Ensure SSH access is limited | denyusers" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^DenyUsers'
@@ -453,7 +453,7 @@ - "ubuntu2004cis_sshd['denyusers']|default('')" - name: "SCORED | 5.2.17 | PATCH | Ensure SSH access is limited | denygroups" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^DenyGroups'
@@ -470,7 +470,7 @@ - rule_5.2.17 - name: "SCORED | 5.2.18 | PATCH | Ensure SSH warning banner is configured" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^Banner'
@@ -485,7 +485,7 @@ - rule_5.2.18 - name: "SCORED | 5.2.19 | PATCH | Ensure SSH PAM is enabled" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^UsePAM'
@@ -500,7 +500,7 @@ - rule_5.2.19 - name: "SCORED | 5.2.20 | PATCH | Ensure SSH AllowTcpForwarding is disabled" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^AllowTcpForwarding'
@@ -515,7 +515,7 @@ - rule_5.2.20 - name: "SCORED | 5.2.21 | PATCH | Ensure SSH MaxStartups is configured" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^MaxStartups'
@@ -530,7 +530,7 @@ - rule_5.2.21 - name: "SCORED | 5.2.22 | PATCH | Ensure SSH MaxSessions is set to 4 or less " - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/ssh/sshd_config regexp: '^MaxSessions'
@@ -549,13 +549,13 @@ - name: "SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured" block: - name: "SCORED | 5.3.1 | PATCH | Ensure lipam-pwquality is installed" - ansible.builtin.apt: + apt: name: libpam-pwquality state: present install_recommends: false - name: "SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured" - ansible.builtin.lineinfile: + lineinfile: state: present create: yes dest: /etc/security/pwquality.conf
@@ -574,12 +574,12 @@ - name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured" block: - name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured - /etc/pam.d/common-account" - ansible.builtin.lineinfile: + lineinfile: dest: /etc/pam.d/common-account line: 'account required pam_tally2.so' - name: "SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured - /etc/pam.d/common-auth" - ansible.builtin.lineinfile: + lineinfile: dest: /etc/pam.d/common-auth line: 'auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' when:
@@ -591,7 +591,7 @@ - rule_5.3.2 - name: "SCORED | 5.3.3 | PATCH | Ensure password reuse is limited" - ansible.builtin.lineinfile: + lineinfile: dest: /etc/pam.d/common-password line: "password required pam_pwhistory.so remember={{ ubuntu2004cis_pass['history'] }}" when:
@@ -603,7 +603,7 @@ - rule_5.3.3 - name: "SCORED | 5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512" - ansible.builtin.command: authconfig --passalgo=sha512 --update + command: authconfig --passalgo=sha512 --update changed_when: false failed_when: false when:
@@ -615,7 +615,7 @@ - rule_5.3.4 - name: "SCORED | 5.4.1.1 | PATCH | Ensure password expiration is 365 days or less" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/login.defs regexp: '^PASS_MAX_DAYS'
@@ -629,7 +629,7 @@ - rule_5.4.1.1 - name: "SCORED | 5.4.1.2 | PATCH | Ensure minimum days between password changes is configured" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/login.defs regexp: '^PASS_MIN_DAYS'
@@ -643,7 +643,7 @@ - rule_5.4.1.2 - name: "SCORED | 5.4.1.3 | PATCH | Ensure password expiration warning days is 7 or more" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/login.defs regexp: '^PASS_WARN_AGE'
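Review bot: `command: authconfig --passalgo=sha512 --update` together with `failed_when: false` in the 5.3.4 hunk makes the task a silent no-op on Ubuntu, where `authconfig` is not shipped, so the SHA-512 hashing control reports success without being enforced. On Ubuntu 20.04 this setting lives in the `sha512` option of the `pam_unix.so` line in `/etc/pam.d/common-password` (and `ENCRYPT_METHOD SHA512` in `/etc/login.defs`), which the `lineinfile` pattern already used by 5.3.3 in the previous hunk could manage; at minimum drop `failed_when: false` so the missing tool becomes visible in the play. The task's `when:` list continues outside the hunk.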
@@ -657,7 +657,7 @@ - rule_5.4.1.3 - name: "SCORED | 5.4.1.4 | PATCH | Ensure inactive password lock is 30 days or less" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/default/useradd regexp: '^INACTIVE'
@@ -673,7 +673,7 @@ - name: "SCORED | 5.4.1.5 | PATCH | Ensure all users last password change date is in the past" block: - name: "SCORED | 5.4.1.5 | PATCH | Ensure all users last password change date is in the past| lock users" - ansible.builtin.user: + user: name: "{{ item }}" password_lock: yes" loop: "{{ users_password_change_date_in_future.stdout_lines }}"
@@ -681,7 +681,7 @@ - ubuntu2004cis_password_change_date_in_future_action == 'lock' - name: "SCORED | 5.4.1.5 | PATCH | Ensure all users last password change date is in the past| expire users" - ansible.builtin.user: + user: name: "{{ item }}" expires: 1422403387 loop: "{{ users_password_change_date_in_future.stdout_lines }}"
@@ -697,7 +697,7 @@ - rule_5.4.1.5 - name: "SCORED | 5.4.2 | PATCH | Ensure system accounts are secured" - ansible.builtin.command: > + command: > for user in `awk -F: '($3 < 1000) {print $1 }' /etc/passwd`; do if [ $user != "root" ]; then usermod -L $user
@@ -719,7 +719,7 @@ - scored - name: "SCORED | 5.4.3 | PATCH | Ensure default group for the root account is GID 0" - ansible.builtin.command: usermod -g 0 root + command: usermod -g 0 root changed_when: false failed_when: false when:
@@ -733,7 +733,7 @@ - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive" block: - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/bash.bashrc" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/bash.bashrc create: true
@@ -741,7 +741,7 @@ line: 'umask 027' - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/profile" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/profile create: true
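Review bot: `password_lock: yes"` in the 5.4.1.5 "lock users" hunk carries a stray trailing double quote, so the value is the string `yes"` rather than a boolean and the user module rejects it as an invalid bool the first time the loop is non-empty, which is exactly when there is an account to lock. Change it to `password_lock: true`. If the quote is an artefact of how this page was extracted, disregard; the block's `when:` continues outside the hunk.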
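Review bot: `command: >` in the 5.4.2 hunk runs the folded text without a shell, so the `for ... do ... done` loop with backtick substitution cannot execute as written — the command module treats `for` as the executable. Whether the task then fails or is silently ignored depends on the `changed_when`/`failed_when` keys that lie outside the hunk, but either way the system-account locking is not applied. This needs `shell: >` with the rest of the task unchanged, and while touching it `[ $user != "root" ]` and `usermod -L $user` should quote the variable as `"$user"`. The loop body continues past the end of the hunk.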
@@ -749,7 +749,7 @@ line: 'umask 027' - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/profile.d/99-umask.sh" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/profile.d/99-umask.sh create: true
@@ -766,7 +766,7 @@ - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less" block: - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less - /etc/bash.bashrc" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/bash.bashrc create: true
@@ -774,7 +774,7 @@ line: "TMOUT={{ ubuntu2004cis_shell_timeout }}" - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less - /etc/profile" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/profile create: true
@@ -782,7 +782,7 @@ line: "TMOUT={{ ubuntu2004cis_shell_timeout }}" - name: "SCORED | 5.4.5 | PATCH | Ensure default user shell timeout is 900 seconds or less - /etc/profile.d/99-tmout.sh" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/profile.d/99-tmout.sh create: true
@@ -797,7 +797,7 @@ - scored - name: "NOTSCORED | 5.5 | PATCH | Ensure root login is restricted to system console" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_5_5
@@ -809,7 +809,7 @@ - notimplemented - name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted" - ansible.builtin.lineinfile: + lineinfile: state: present dest: /etc/pam.d/su regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
@@ -823,7 +823,7 @@ - scored - name: "SCORED | 5.6 | PATCH | Ensure access to the su command is restricted - sudo group contains root" - ansible.builtin.user: + user: name: root groups: sudo when:
diff --git a/tasks/section6.yml b/tasks/section6.yml
index 19c9412..e873f7a 100644
--- a/tasks/section6.yml
+++ b/tasks/section6.yml
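Review bot: `user:` with `name: root` and `groups: sudo` in the last 5.6 hunk has no `append: true` (the module arguments end at `groups: sudo` before `when:`), so the task replaces root's entire supplementary group list with `sudo`. On a stock Ubuntu host root has no extra groups and this is invisible, but on hosts where root was deliberately added to other groups the task strips them. Since the intent is only membership in sudo, add `append: true` under `groups: sudo`. The `when:` condition continues outside the hunk.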
@@ -1,6 +1,6 @@ --- - name: "NOTSCORED | 6.1.1 | PATCH | Audit system file permissions" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_1_1
@@ -12,7 +12,7 @@ - notimplemented - name: "SCORED | 6.1.2 | PATCH | Ensure permissions on /etc/passwd are configured" - ansible.builtin.file: + file: dest: /etc/passwd owner: root group: root
@@ -26,7 +26,7 @@ - rule_6.1.2 - name: "SCORED | 6.1.3 | PATCH | Ensure permissions on /etc/gshadow- are configured" - ansible.builtin.file: + file: dest: /etc/gshadow- owner: root group: shadow
@@ -40,7 +40,7 @@ - rule_6.1.3 - name: "SCORED | 6.1.4 | PATCH | Ensure permissions on /etc/shadow are configured" - ansible.builtin.file: + file: dest: /etc/shadow owner: root group: shadow
@@ -54,7 +54,7 @@ - rule_6.1.4 - name: "SCORED | 6.1.5 | PATCH | Ensure permissions on /etc/group are configured" - ansible.builtin.file: + file: dest: /etc/group owner: root group: root
@@ -68,7 +68,7 @@ - rule_6.1.5 - name: "SCORED | 6.1.6 | PATCH | Ensure permissions on /etc/passwd- are configured" - ansible.builtin.file: + file: dest: /etc/passwd- owner: root group: root
@@ -82,7 +82,7 @@ - rule_6.1.6 - name: "SCORED | 6.1.7 | PATCH | Ensure permissions on /etc/shadow- are configured" - ansible.builtin.file: + file: dest: /etc/shadow- owner: root group: shadow
@@ -96,7 +96,7 @@ - rule_6.1.7 - name: "SCORED | 6.1.8 | PATCH | Ensure permissions on /etc/group- are configured" - ansible.builtin.file: + file: dest: /etc/group- owner: root group: root
@@ -110,7 +110,7 @@ - rule_6.1.8 - name: "SCORED | 6.1.9 | PATCH | Ensure permissions on /etc/gshadow are configured" - ansible.builtin.file: + file: dest: /etc/gshadow owner: root group: shadow
@@ -124,7 +124,7 @@ - rule_6.1.9 - name: "SCORED | 6.1.10 | PATCH | Ensure no world writable files exist" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_1_10
@@ -136,7 +136,7 @@ - notimplemented - name: "SCORED | 6.1.11 | PATCH | Ensure no unowned files or directories exist" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_1_11
@@ -148,7 +148,7 @@ - notimplemented - name: "SCORED | 6.1.12 | PATCH | Ensure no ungrouped files or directories exist" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_1_12
@@ -160,7 +160,7 @@ - notimplemented - name: "NOTSCORED | 6.1.13 | PATCH | Audit SUID executables" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_1_13
@@ -172,7 +172,7 @@ - notimplemented - name: "NOTSCORED | 6.1.14 | PATCH | Audit SGID executables" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_1_14
@@ -184,7 +184,7 @@ - notimplemented - name: "SCORED | 6.2.1 | PATCH | Ensure password fields are not empty" - ansible.builtin.command: passwd -l {{ item }} + command: passwd -l {{ item }} changed_when: false failed_when: false with_items: "{{ empty_password_accounts.stdout_lines }}"
@@ -198,7 +198,7 @@ - rule_6.2.1 - name: "SCORED | 6.2.2 | PATCH | Ensure root is the only UID 0 account" - ansible.builtin.command: passwd -l {{ item }} + command: passwd -l {{ item }} changed_when: false failed_when: false with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}"
@@ -214,7 +214,7 @@ - name: "SCORED | 6.2.3 | PATCH | Ensure root PATH Integrity" block: - name: "SCORED | 6.2.3 | PATCH | Ensure root PATH Integrity (unimplemented)" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false tags: - level1
@@ -224,7 +224,7 @@ - notimplemented - name: "SCORED | 6.2.3 | PATCH | Ensure root PATH Integrity (collect paths)" - ansible.builtin.shell: | + shell: | set -o pipefail; sudopath=($(grep secure_path /etc/sudoers | cut -f2 -d= |cut -f2 -d\")) IFS=:
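Review bot: `command: passwd -l {{ item }}` in the 6.2.1 hunk interpolates an account name from `empty_password_accounts.stdout_lines` unquoted into the argument string, and `changed_when: false` together with `failed_when: false` hides the outcome, so a malformed or empty line produces either a wrong `passwd` invocation or a swallowed error and the control can silently leave an empty-password account unlocked. Use `command: passwd -l {{ item | quote }}`, drop `failed_when: false` (or narrow it to a specific rc), and let the task report changed so the lock is visible in play output; 6.2.2 in the next hunk has the same shape. Both tasks continue outside their hunks.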
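Review bot: the `shell: |` script in the 6.2.3 "collect paths" hunk uses `set -o pipefail` and a bash array assignment `sudopath=($(...))`, neither of which works under Ubuntu's default `/bin/sh` (dash), so unless the lines below the hunk set `args:` with `executable: /bin/bash` the task fails before `fixsudo` is registered and the follow-up sudoers fix never runs. Adding `args:` / `executable: /bin/bash` to the task makes the script run under the interpreter it was written for. The script body continues past the end of the hunk.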
@@ -247,7 +247,7 @@ - rule_6.2.3 - name: "SCORED | 6.2.3 | PATCH | Ensure root PATH Integrity (fix paths)" - ansible.builtin.lineinfile: + lineinfile: dest: /etc/sudoers regexp: "(.*secure_path=).*" line: '\1"{{ fixsudo.stdout_lines[0] }}"'
@@ -263,7 +263,7 @@ - ubuntu2004cis_rule_6_2_3 - name: "SCORED | 6.2.4 | PATCH | Ensure all users' home directories exist" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_2_4
@@ -275,7 +275,7 @@ - notimplemented - name: "SCORED | 6.2.5 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" - ansible.builtin.shell: | + shell: | for dir in {{ homes_with_perms.stdout }}; do chmod g-w,o-rwx $dir;
@@ -290,7 +290,7 @@ - rule_6.2.5 - name: "SCORED | 6.2.6 | PATCH | Ensure users own their home directories" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_2_6
@@ -302,7 +302,7 @@ - notimplemented - name: "SCORED | 6.2.7 | PATCH | Ensure users' dot files are not group or world writable" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_2_7
@@ -314,7 +314,7 @@ - notimplemented - name: "SCORED | 6.2.8 | PATCH | Ensure no users have .forward files" - ansible.builtin.file: + file: state: absent dest: "~{{ item }}/.forward" with_items: "{{ users.stdout_lines }}"
@@ -327,7 +327,7 @@ - rule_6.2.8 - name: "SCORED | 6.2.9 | PATCH | Ensure no users have .netrc files" - ansible.builtin.file: + file: state: absent dest: "~{{ item }}/.netrc" with_items: "{{ users.stdout_lines }}"
@@ -340,7 +340,7 @@ - rule_6.2.9 - name: "SCORED | 6.2.10 | PATCH | Ensure users' .netrc Files are not group or world accessible" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_2_10
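Review bot: the `lineinfile` in the 6.2.3 "fix paths" hunk rewrites `/etc/sudoers` in place from `fixsudo.stdout_lines[0]` with no `validate:` guard visible, so a malformed `secure_path` line (or an empty `stdout_lines`, which raises on `[0]`) can leave sudoers unparseable and lock a `become`-based run out of the host. In addition, `line: '\1"..."'` only substitutes the capture group when `backrefs: true` is set; if that key is not among the lines below the hunk, the literal text `\1` is written into sudoers. Add `validate: '/usr/sbin/visudo -cf %s'` and `backrefs: true` (where missing), and guard the task with `when: fixsudo.stdout_lines | length > 0`. The task continues outside the hunk.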
@@ -352,7 +352,7 @@ - notimplemented - name: "SCORED | 6.2.11 | PATCH | Ensure no users have .rhosts files" - ansible.builtin.file: + file: state: absent dest: "~{{ item }}/.rhosts" with_items: "{{ users.stdout_lines }}"
@@ -365,7 +365,7 @@ - rule_6.2.11 - name: "SCORED | 6.2.12 | PATCH | Ensure all groups in /etc/passwd exist in /etc/group" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_2_12
@@ -377,7 +377,7 @@ - notimplemented - name: "SCORED | 6.2.13 | PATCH | Ensure no duplicate UIDs exist" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_2_13
@@ -389,7 +389,7 @@ - notimplemented - name: "SCORED | 6.2.14 | PATCH | Ensure no duplicate GIDs exist" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_2_14
@@ -401,7 +401,7 @@ - notimplemented - name: "SCORED | 6.2.15 | PATCH | Ensure no duplicate user names exist" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_2_15
@@ -413,7 +413,7 @@ - notimplemented - name: "SCORED | 6.2.16 | PATCH | Ensure no duplicate group names exist" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_2_16
@@ -425,7 +425,7 @@ - notimplemented - name: "SCORED | 6.2.17 | PATCH | Ensure shadow group is empty" - ansible.builtin.command: /bin/true + command: /bin/true changed_when: false when: - ubuntu2004cis_rule_6_2_17