From ed4e8489e899ff6d6f0fac2db60d12e5f7b29fa7 Mon Sep 17 00:00:00 2001
From: MVladislav
Date: Sat, 7 Sep 2024 19:39:18 +0200
Subject: [PATCH] fix(#0): cis_ubuntu2404_rule_1_1_1_10 block not loopable
---
 tasks/section1-1_1_1_10.yml | 76 +++++++++++++++++++++++++++++++++++++
 tasks/section1.yml | 52 +++----------------------
 2 files changed, 81 insertions(+), 47 deletions(-)
 create mode 100644 tasks/section1-1_1_1_10.yml
diff --git a/tasks/section1-1_1_1_10.yml b/tasks/section1-1_1_1_10.yml
new file mode 100644
index 0000000..f684d13
--- /dev/null
+++ b/tasks/section1-1_1_1_10.yml
@@ -0,0 +1,76 @@
+---
+# tasks file for ansible-cis-ubuntu-2404
+
+# ------------------------------------------------------------------------------
+
+- name: >
+ SECTION1 | 1.1.1.10 | Ensure unused filesystems kernel modules are not available | check if filesystem is mounted for {{ cis_ubuntu2404_fs_module_file }}
+ ansible.builtin.set_fact:
+ cis_ubuntu2404_is_fs_mounted: "{{ cis_ubuntu2404_fs_module_file in cis_ubuntu2404_mounted_filesystems.stdout_lines }}"
+ tags:
+ - rule_1_1_1
+ - server_l2
+ - workstation_l2
+
+- name: >
+ SECTION1 | 1.1.1.10 | Ensure unused filesystems kernel modules are not available | check if kernel module is loaded for {{ cis_ubuntu2404_fs_module_file }}
+ ansible.builtin.shell: "set -o pipefail && lsmod | grep {{ cis_ubuntu2404_fs_module_file }}"
+ args:
+ executable: "{{ cis_ubuntu2404_shell_executable }}"
+ register: cis_ubuntu2404_lsmod_output
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ tags:
+ - rule_1_1_1
+ - server_l2
+ - workstation_l2
+
+- name: >
+ SECTION1 | 1.1.1.10 | Ensure unused filesystems kernel modules are not available | log vulnerable filesystem
+ ansible.builtin.debug:
+ msg: "** WARNING: Filesystem {{ cis_ubuntu2404_fs_module_file }} is loaded and vulnerable to CVE!"
+ when:
+ - cis_ubuntu2404_lsmod_output.rc == 0
+ - not cis_ubuntu2404_is_fs_mounted | bool
+ tags:
+ - rule_1_1_1
+ - server_l2
+ - workstation_l2
+
+- name: >
+ SECTION1 | 1.1.1.10 | Ensure unused filesystems kernel modules are not available | unload kernel module if loaded for {{ cis_ubuntu2404_fs_module_file }}
+ community.general.modprobe:
+ name: "{{ cis_ubuntu2404_fs_module_file }}"
+ state: absent
+ when:
+ - cis_ubuntu2404_lsmod_output.rc == 0
+ - not cis_ubuntu2404_is_fs_mounted | bool
+ tags:
+ - rule_1_1_1
+ - server_l2
+ - workstation_l2
+
+- name: >
+ SECTION1 | 1.1.1.10 | Ensure unused filesystems kernel modules are not available | setting module and deny listing for {{ item }}
+ ansible.builtin.lineinfile:
+ dest: /etc/modprobe.d/cis.conf
+ regexp: "{{ item.reg }}"
+ line: "{{ item.line }}"
+ state: present
+ create: true
+ owner: "{{ cis_ubuntu2404_section1_owner_default }}"
+ group: "{{ cis_ubuntu2404_section1_group_default }}"
+ mode: "{{ cis_ubuntu2404_section1_mode_default }}"
+ with_items:
+ - reg: '{{ cis_ubuntu2404_regex_base_search }}install {{ item }}(\s|$)'
+ line: "install {{ item }} /bin/false"
+ - reg: "{{ cis_ubuntu2404_regex_base_search }}blacklist {{ item }}$"
+ line: "blacklist {{ item }}"
+ when:
+ - cis_ubuntu2404_lsmod_output.rc == 0
+ - not cis_ubuntu2404_is_fs_mounted | bool
+ tags:
+ - rule_1_1_1
+ - server_l2
+ - workstation_l2
diff --git a/tasks/section1.yml b/tasks/section1.yml
index 521e37c..dca8efd 100644
--- a/tasks/section1.yml
+++ b/tasks/section1.yml
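Review bot: The last task in this new file still templates `{{ item }}` — in its name and in all four `reg`/`line` values under `with_items` — but after the switch to `loop_var: cis_ubuntu2404_fs_module_file` the module name no longer lives in `item`; as far as I can tell the `with_items` list is templated before its own iteration starts, so `item` there is undefined (or a stale value from elsewhere), and the `install … /bin/false` and `blacklist` entries never carry the real module name. The fix is to reference `cis_ubuntu2404_fs_module_file` in those five places, as below. Separately, `lsmod | grep {{ cis_ubuntu2404_fs_module_file }}` is an unanchored substring match (`hfs` also matches a loaded `hfsplus`), so anchoring it, e.g. `lsmod | grep -qE '^{{ cis_ubuntu2404_fs_module_file }}\s'`, avoids unloading or deny-listing the wrong module. The debug message `vulnerable to CVE!` names no CVE; wording such as `is loaded but not mounted; unloading and deny-listing per CIS 1.1.1.10` states only what the task actually knows.
```yaml
- name: >
    SECTION1 | 1.1.1.10 | Ensure unused filesystems kernel modules are not available | setting module and deny listing for {{ cis_ubuntu2404_fs_module_file }}
  ansible.builtin.lineinfile:
    # … unchanged: dest/regexp/line/state/create/owner/group/mode …
  with_items:
    - reg: '{{ cis_ubuntu2404_regex_base_search }}install {{ cis_ubuntu2404_fs_module_file }}(\s|$)'
      line: "install {{ cis_ubuntu2404_fs_module_file }} /bin/false"
    - reg: "{{ cis_ubuntu2404_regex_base_search }}blacklist {{ cis_ubuntu2404_fs_module_file }}$"
      line: "blacklist {{ cis_ubuntu2404_fs_module_file }}"
  # … unchanged: when/tags …
```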
@@ -294,55 +294,13 @@
 - name: >
 SECTION1 | 1.1.1.10 | Ensure unused filesystems kernel modules are not available | check and unload loaded vulnerable filesystems
+ ansible.builtin.include_tasks: section1-1_1_1_10.yml
 loop: "{{ cis_ubuntu2404_available_fs_modules.files | map(attribute='path') | map('basename') }}"
+ loop_control:
+ loop_var: cis_ubuntu2404_fs_module_file
 when:
- - item in cis_ubuntu2404_fs_known_vulnerable
- - item not in cis_ubuntu2404_fs_ignored
- block:
- - name: >
- SECTION1 | 1.1.1.10 | Ensure unused filesystems kernel modules are not available | check if filesystem is mounted for {{ item }}
- ansible.builtin.set_fact:
- cis_ubuntu2404_is_fs_mounted: "{{ item in cis_ubuntu2404_mounted_filesystems.stdout_lines }}"
-
- - name: >
- SECTION1 | 1.1.1.10 | Ensure unused filesystems kernel modules are not available | check if kernel module is loaded for {{ item }}
- ansible.builtin.shell: "set -o pipefail && lsmod | grep {{ item }}"
- args:
- executable: "{{ cis_ubuntu2404_shell_executable }}"
- register: cis_ubuntu2404_lsmod_output
- changed_when: false
- failed_when: false
- check_mode: false
-
- - name: >
- SECTION1 | 1.1.1.10 | Ensure unused filesystems kernel modules are not available | log vulnerable filesystem
- ansible.builtin.debug:
- msg: "** WARNING: Filesystem {{ item }} is loaded and vulnerable to CVE!"
- when: cis_ubuntu2404_lsmod_output.rc == 0 and not cis_ubuntu2404_is_fs_mounted | bool
-
- - name: >
- SECTION1 | 1.1.1.10 | Ensure unused filesystems kernel modules are not available | unload kernel module if loaded for {{ item }}
- community.general.modprobe:
- name: "{{ item }}"
- state: absent
- when: cis_ubuntu2404_lsmod_output.rc == 0 and not cis_ubuntu2404_is_fs_mounted | bool
-
- - name: >
- SECTION1 | 1.1.1.10 | Ensure unused filesystems kernel modules are not available | setting module and deny listing for {{ item }}
- ansible.builtin.lineinfile:
- dest: /etc/modprobe.d/cis.conf
- regexp: "{{ item.reg }}"
- line: "{{ item.line }}"
- state: present
- create: true
- owner: "{{ cis_ubuntu2404_section1_owner_default }}"
- group: "{{ cis_ubuntu2404_section1_group_default }}"
- mode: "{{ cis_ubuntu2404_section1_mode_default }}"
- with_items:
- - reg: '{{ cis_ubuntu2404_regex_base_search }}install {{ item }}(\s|$)'
- line: "install {{ item }} /bin/false"
- - reg: "{{ cis_ubuntu2404_regex_base_search }}blacklist {{ item }}$"
- line: "blacklist {{ item }}"
+ - cis_ubuntu2404_fs_module_file in cis_ubuntu2404_fs_known_vulnerable
+ - cis_ubuntu2404_fs_module_file not in cis_ubuntu2404_fs_ignored
 # ------------------------------------------------------------------------------
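Review bot: The `ansible.builtin.include_tasks` task in this hunk carries no `tags:` of its own, while every task in the included file is tagged `rule_1_1_1`, `server_l2` and `workstation_l2`; because `include_tasks` is dynamic, a run filtered with `--tags rule_1_1_1` skips the include itself and none of the included tasks ever execute, unless tags are already applied where section1.yml is pulled in, which is not visible here. Adding the same three-entry `tags:` list (`rule_1_1_1`, `server_l2`, `workstation_l2`) to the include task keeps the whole rule selectable. The loop also skips each module in `cis_ubuntu2404_fs_ignored` without a trace, so a short comment such as `# per-module skip list; each entry should be justified in the inventory` above `when:` would help the next reviewer. The task definition is fully inside the hunk.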