Merge pull request #57 from ansible-lockdown/devel

Release to main

Author: uk-bolly

.pre-commit-config.yaml

@@ -41,12 +41,12 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.26.0
+  rev: v8.28.0
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v25.4.0
+  rev: v25.7.0
   hooks:
   - id: ansible-lint
     name: Ansible-lint

.yamllint

@@ -16,7 +16,7 @@ rules:
   comments:
     ignore-shebangs: true
     min-spaces-from-content: 1 # prettier compatibility
-  comments-indentation: enable
+  comments-indentation: disable
   empty-lines:
     max: 1
   indentation:

tasks/main.yml

@@ -44,7 +44,7 @@
   tags: always
   block:
     - name: Ensure root password is set
-      ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|root P |Password locked)"
+      ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set, SHA512 crypt|root P |root L |Password locked)"
       changed_when: false
       failed_when: false
       register: prelim_root_passwd_set

tasks/parse_etc_password.yml

@@ -12,7 +12,7 @@
 
     - name: "PRELIM | Parse /etc/passwd | Split passwd entries"
       ansible.builtin.set_fact:
-        ubtu24cis_passwd: "{{ prelim_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
+        prelim_captured_passwd_data: "{{ prelim_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
       vars:
         ld_passwd_regex: >-
             ^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*)

tasks/section_2/cis_2.4.1.x.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and running"
   when: ubtu24cis_rule_2_4_1_1
   tags:
@@ -32,7 +31,7 @@
     path: /etc/crontab
     owner: root
     group: root
-    mode: 'go-rwx'
+    mode: "go-rwx"
 
 - name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
   when: ubtu24cis_rule_2_4_1_3
@@ -48,7 +47,7 @@
     path: /etc/cron.hourly
     owner: root
     group: root
-    mode: 'u+x,go-rwx'
+    mode: "u+x,go-rwx"
     state: directory
 
 - name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
@@ -65,7 +64,7 @@
     path: /etc/cron.daily
     owner: root
     group: root
-    mode: 'u+x,go-rwx'
+    mode: "u+x,go-rwx"
     state: directory
 
 - name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
@@ -82,7 +81,7 @@
     path: /etc/cron.weekly
     owner: root
     group: root
-    mode: 'u+x,go-rwx'
+    mode: "u+x,go-rwx"
     state: directory
 
 - name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
@@ -99,7 +98,7 @@
     path: /etc/cron.monthly
     owner: root
     group: root
-    mode: 'u+x,go-rwx'
+    mode: "u+x,go-rwx"
     state: directory
 
 - name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
@@ -116,7 +115,7 @@
     path: /etc/cron.d
     owner: root
     group: root
-    mode: 'u+x,go-rwx'
+    mode: "u+x,go-rwx"
     state: directory
 
 - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users"
@@ -146,13 +145,13 @@
         path: /etc/cron.allow
         owner: root
         group: root
-        mode: 'u-x,g-wx,o-rwx'
+        mode: "u-x,g-wx,o-rwx"
         state: touch
 
     - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users |  Update cron.allow if exists"
       when: discovered_cron_allow_status.stat.exists
       ansible.builtin.file:
         path: /etc/cron.allow
         owner: root
-        group: '{{ (discovered_cron_allow_status.stat.gr_name == "crontab") | ternary(omit,"root") }}'
-        mode: 'u-x,g-wx,o-rwx'
+        group: '{{ (discovered_cron_allow_status.stat.gr_name == "crontab") | ternary(omit, "root") }}'
+        mode: "u-x,g-wx,o-rwx"

tasks/section_5/cis_5.4.1.x.yml

@@ -156,7 +156,7 @@
       changed_when: true
       failed_when: false
       with_items:
-        - "{{ ubtu24cis_passwd | map(attribute='id') | list | intersect(discovered_passwd_inactive_users.stdout_lines) | list }}"
+        - "{{ prelim_captured_passwd_data | map(attribute='id') | list | intersect(discovered_passwd_inactive_users.stdout_lines) | list }}"
 
 - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past"
   when:

tasks/section_5/cis_5.4.2.x.yml

@@ -196,7 +196,7 @@
     regexp: \s*umask
     line: "umask {{ ubtu24cis_root_umask }}"
     create: true
-    mode: 'u+x,go-rwx'
+    mode: 'go-rwx'
 
 - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell"
   when:
@@ -217,7 +217,7 @@
   ansible.builtin.user:
     name: "{{ item.id }}"
     shell: /usr/sbin/nologin
-  loop: "{{ ubtu24cis_passwd }}"
+  loop: "{{ prelim_captured_passwd_data }}"
   loop_control:
     label: "{{ item.id }}"
 
@@ -240,6 +240,6 @@
   ansible.builtin.user:
     name: "{{ item.id }}"
     password_lock: true
-  loop: "{{ ubtu24cis_passwd }}"
+  loop: "{{ prelim_captured_passwd_data }}"
   loop_control:
     label: "{{ item.id }}"

tasks/section_7/cis_7.2.x.yml

@@ -265,7 +265,7 @@
         owner: "{{ item.id }}"
         group: "{{ item.gid }}"
         mode: 'g-w,o-rwx'
-      loop: "{{ ubtu24cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | list }}"
+      loop: "{{ prelim_captured_passwd_data | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | list }}"
       loop_control:
         label: "{{ item.id }}"
 
@@ -308,33 +308,73 @@
   vars:
     warn_control_id: '7.2.10'
   block:
-    - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Check for files"
-      ansible.builtin.shell: find /home/ /root/ -name "\.*" -type f -perm /u+x,g+wx,o+wx
+    - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured"
+      ansible.builtin.shell: find {{ prelim_interactive_users_home.stdout_lines | list | join(' ') }} -name "\.*" -type f
       changed_when: false
-      failed_when: discovered_homedir_dot_files.rc not in [ 0, 1 ]
+      failed_when: discovered_homedir_hidden_files.rc not in [ 0, 1 ]
       check_mode: false
-      register: discovered_homedir_dot_files
+      register: discovered_homedir_hidden_files
 
     - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found"
       when:
-        - discovered_homedir_dot_files.stdout | length > 0
-        - ubtu24cis_dotperm_ansiblemanaged
+        - discovered_homedir_hidden_files.stdout | length > 0
+        - not ubtu24cis_dotperm_ansiblemanaged
       ansible.builtin.debug:
         msg:
-          - "Warning!! We have discovered group or world-writable dot files on your system and this host is configured for manual intervention. Please investigate these files further."
+          - "Warning!! Please investigate that hidden files found in users home directories match control requirements."
 
-    - name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured | Set warning count"
+    - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Set warning count"
       when:
-        - discovered_homedir_dot_files.stdout | length > 0
-        - ubtu24cis_dotperm_ansiblemanaged
+        - discovered_homedir_hidden_files.stdout | length > 0
+        - not ubtu24cis_dotperm_ansiblemanaged
       ansible.builtin.import_tasks:
         file: warning_facts.yml
 
-    - name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured"
+    - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured"
       when:
-        - discovered_homedir_dot_files.stdout | length > 0
+        - discovered_homedir_hidden_files.stdout | length > 0
         - ubtu24cis_dotperm_ansiblemanaged
-      ansible.builtin.file:
-        path: '{{ item }}'
-        mode: 'u-x,go-wx'
-      with_items: "{{ discovered_homedir_dot_files.stdout_lines }}"
+      block:
+        - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Changes files if configured .bash_history & .netrc"
+          when:
+            - discovered_homedir_hidden_files.stdout | length > 0
+            - item | basename in ['.bash_history','.netrc']
+          ansible.builtin.file:
+            path: "{{ item }}"
+            mode: 'u-x,go-rwx'
+          failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]'
+          register: discovered_dot_bash_history_to_change
+          loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"
+
+        - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Changes files if configured file mode"
+          ansible.builtin.file:
+            path: '{{ item }}'
+            mode: 'u-x,go-wx'
+          failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]'
+          register: discovered_dot_bash_history_to_change
+          loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"
+
+        - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | Changes files ownerships"
+          ansible.builtin.file:
+            path: "{{ item }}"
+            owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}"
+            group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}"
+          failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]'
+          register: discovered_dot_bash_history_to_change
+          loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"
+
+        - name: "7.2.10 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured"
+          ansible.builtin.file:
+            path: '{{ item }}'
+            mode: 'go-w'
+            owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}"
+            group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}"
+          with_items: "{{ discovered_homedir_hidden_files.stdout_lines }}"
+
+        - name: "7.2.10 | AUDIT | Ensure local interactive user dot files access is configured | rename .forward or .rhosts files"
+          when:
+            - item | basename in ['.forward','.rhosts']
+            - item is not search ("CIS")
+          ansible.builtin.command: "mv {{ item }} {{ item }}_CIS_TOBEREVIEWED"
+          changed_when: true
+          loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"

templates/usr/share/pam-configs/pam_unix.j2

@@ -18,6 +18,6 @@ Session-Initial:
         required pam_unix.so
 Password-Type: Primary
 Password:
-        [success=end default=ignore] pam_unix.so obscure{% if ubtu24cis_rule_5.3.3.4.4 %} use_authtok{% endif %} try_first_pass{% if ubtu24cis_rule_5.3.3.4.3 %} {{ ubtu24cis_passwd_hash_algo }}{% endif %}
+        [success=end default=ignore] pam_unix.so obscure{% if ubtu24cis_rule_5_3_3_4_4 %} use_authtok{% endif %} try_first_pass{% if ubtu24cis_rule_5_3_3_4_3 %} {{ ubtu24cis_passwd_hash_algo }}{% endif %}
 Password-Initial:
-        [success=end default=ignore] pam_unix.so obscure{% if ubtu24cis_rule_5.3.3.4.3 %} {{ ubtu24cis_passwd_hash_algo }}{% endif %}
+        [success=end default=ignore] pam_unix.so obscure{% if ubtu24cis_rule_5_3_3_4_3 %} {{ ubtu24cis_passwd_hash_algo }}{% endif %}