Merge pull request #77 from ansible-lockdown/may23_updates

May23 updates

ChangeLog.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 1.3.1
+
+- issue 84 from ubuntu20 fixed vartmp
+- fixed other mount points in 1.1.x.yml and options
+- updated the audit process list check
+
 ## 1.3
 
 - Audit integration

defaults/main.yml

@@ -374,34 +374,6 @@ ubtu18cis_desktop_required: false
 # The gdm related handlers won't run if you have this set to true but gdm3 is not installed.
 ubtu18cis_install_gdm3: true
 
-# Section 1 Control Variables
-# Control 1.1.2/1.1.3/1.1.4/1.1.5
-# ubtu18cis_tmp_fstab_options are the file system options for the fstabs configuration for /tmp
-# To conform to CIS control 1.1.2 could use any settings
-# To conform to CIS control 1.1.3 nodev needs to be present
-# To conform to CIS control 1.1.4 nosuid needs to be present
-# To conform to CIS control 1.1.5 noexec needs to present
-ubtu18cis_tmp_fstab_options: "defaults,rw,nosuid,nodev,noexec,relatime"
-
-# Control 1.1.6/1.1.7/1.1.8/1.1.9
-# ubtu18cis_shm_fstab_options are the file system options for the fstabs configuration for /dev/shm
-# To conform to CIS control 1.1.6 could use any settings
-# To conform to CIS control 1.1.7 nodev needs to be present
-# To conform to CIS control 1.1.8 nosuid needs to be present
-# To conform to CIS control 1.1.9 no exec needs to be present
-ubtu18cis_shm_fstab_options: "defaults,noexec,nodev,nosuid,seclabel"
-
-# Control 1.1.12/1.1.13/1.1.14
-# These are the settings for the /var/tmp mount
-# To conform to CIS control 1.1.12 nodev needs to be present in opts
-# To conform to CIS control 1.1.13 nosuid needs to be present in opts
-# To conform to CIS control 1.1.14 noexec needs to be present in opts
-ubtu18cis_vartmp:
-    source: /tmp
-    fstype: none
-    opts: "defaults,nodev,nosuid,noexec,bind"
-    enabled: false
-
 # Control 1.3.2
 # These are the crontab settings for file system integrity enforcement
 ubtu18cis_aide_cron:

tasks/section_1/cis_1.1.x.yml

@@ -150,7 +150,6 @@
       src: /tmp
       state: mounted
       fstype: tmpfs
-      opts: "{{ ubtu18cis_tmp_fstab_options }}"
   when:
       - ubtu18cis_rule_1_1_2
   tags:
@@ -167,15 +166,18 @@
     "1.1.5 | PATCH | Ensure noexec option set on /tmp partition"
   ansible.posix.mount:
       name: /tmp
-      src: /tmp
-      state: remounted
-      fstype: tmpfs
-      opts: "{{ ubtu18cis_tmp_fstab_options }}"
+      src: "{{ item.device }}"
+      state: mounted
+      fstype: "{{ item.fstype }}"
+      opts: "defaults,{% if ubtu18cis_rule_1_1_3 %}nodev,{% endif %}{% if ubtu18cis_rule_1_1_4 %}nosuid,{% endif %}{% if ubtu18cis_rule_1_1_5 %}noexec{% endif %}"
+  loop: "{{ ansible_mounts }}"
+  loop_control:
+      label: "{{ item.device }}"
   when:
       - ubtu18cis_rule_1_1_3 or
         ubtu18cis_rule_1_1_4 or
         ubtu18cis_rule_1_1_5
-      - ubtu18cis_vartmp['enabled']
+      - item.mount == '/tmp'
   tags:
       - level1-server
       - level1-workstation
@@ -192,7 +194,6 @@
       src: /dev/shm
       state: mounted
       fstype: tmpfs
-      opts: "{{ ubtu18cis_shm_fstab_options }}"
   when:
       - ubtu18cis_rule_1_1_6
   tags:
@@ -209,15 +210,19 @@
     "1.1.9 | PATCH | Ensure noexec option set on /dev/shm partition"
   ansible.posix.mount:
       name: /dev/shm
-      src: tmpfs
+      src: "{{ item.device }}"
       state: mounted
-      fstype: tmpfs
-      opts: "{{ ubtu18cis_shm_fstab_options }}"
+      fstype: "{{ item.fstype }}"
+      opts: "defaults,{% if ubtu18cis_rule_1_1_7 %}nodev,{% endif %}{% if ubtu18cis_rule_1_1_8 %}nosuid,{% endif %}{% if ubtu18cis_rule_1_1_9 %}noexec{% endif %}"
+  loop: "{{ ansible_mounts }}"
+  loop_control:
+      label: "{{ item.device }}"
   notify: Remount shm
   when:
       - ubtu18cis_rule_1_1_7 or
         ubtu18cis_rule_1_1_8 or
         ubtu18cis_rule_1_1_9
+      - item.mount == '/dev/shm'
   tags:
       - level1-server
       - level1-workstation
@@ -306,16 +311,19 @@
     "1.1.14 | PATCH | Ensure noexec option set on /var/tmp partition"
   ansible.posix.mount:
       name: /var/tmp
-      src: "{{ ubtu18cis_vartmp['source'] }}"
+      src: "{{ item.device }}"
       state: present
-      fstype: "{{ ubtu18cis_vartmp['fstype'] }}"
-      opts: "{{ ubtu18cis_vartmp['opts'] }}"
+      fstype: "{{ item.fstype }}"
+      opts: "defaults,{% if ubtu18cis_rule_1_1_12 %}nodev,{% endif %}{% if ubtu18cis_rule_1_1_13 %}nosuid,{% endif %}{% if ubtu18cis_rule_1_1_14 %}noexec{% endif %}"
+  loop: "{{ ansible_mounts }}"
+  loop_control:
+      label: "{{ item.device }}"
   notify: Remount var_tmp
   when:
       - ubtu18cis_rule_1_1_12 or
         ubtu18cis_rule_1_1_13 or
         ubtu18cis_rule_1_1_14
-      - ubtu18cis_vartmp['enabled']
+      - item.mount == '/var/tmp'
   tags:
       - level1-server
       - level1-workstation
@@ -324,7 +332,7 @@
       - rule_1.1.12
       - rule_1.1.13
       - rule_1.1.14
-      - var/tmp
+      - var_tmp
 
 - name: "1.1.15 | AUDIT | Ensure separate partition exists for /var/log"
   block:
@@ -358,7 +366,7 @@
       - automated
       - audit
       - rule_1.1.15
-      - var/log
+      - var_log
 
 - name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit"
   block:
@@ -392,7 +400,7 @@
       - automated
       - audit
       - rule_1.1.16
-      - var/log/audit
+      - var_log_audit
 
 - name: "1.1.17 | AUDIT | Ensure separate partition exists for /home."
   block:

tasks/section_4/cis_4.1.x.yml

@@ -146,7 +146,7 @@
 - name: "4.1.11 | PATCH | Ensure use of privileged commands is collected"
   block:
       - name: "4.1.11 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs"
-        ansible.builtin.shell: for i in  $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
+        ansible.builtin.shell: for i in  $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
         register: priv_procs
         changed_when: false
         check_mode: false