Change log for Ubuntu 2004

v3.0.0 based on CIS v3.0.0

Major version upgrade from CIS Benchmark v2.0.1 to v3.0.0

Structural Changes

  • Restructured from 6 sections to 7 sections to align with CIS v3.0.0
  • Section 3.4 (Firewalls) moved to new Section 4 (Host Based Firewall)
  • Section 4 (Access/Auth) moved to Section 5 (Access Control)
  • Section 5 (Logging/Auditing) moved to Section 6 (Logging and Auditing)
  • Section 6 (System Maintenance) moved to Section 7 (System Maintenance)
  • AIDE controls moved from Section 1.2 to Section 6.1
  • Cron/At controls moved from Section 4.1 to Section 2.4
  • Automounting moved from Section 1.1.9 to Section 2.1.1

New Controls (30)

  • 1.1.1.6 (overlay kernel module), 1.1.1.10 (unused filesystem modules)
  • 2.1.12 (rpcbind), 2.1.16 (tftp), 2.1.19 (xinetd), 2.4.1.7 (cron.yearly)
  • 4.1.1 (single firewall utility), 4.2.2 (nftables not with ufw)
  • 5.1.9 (SSH GSSAPIAuthentication)
  • 5.3.1.1-5.3.1.3 (PAM packages), 5.3.2.1, 5.3.2.4 (PAM modules)
  • 5.3.3.1.3, 5.3.3.2.3, 5.3.3.2.5, 5.3.3.2.7, 5.3.3.2.8 (PAM quality/faillock)
  • 5.3.3.3.2, 5.3.3.3.3 (PAM pwhistory), 5.3.3.4.1, 5.3.3.4.2, 5.3.3.4.4 (PAM unix)
  • 5.4.2.2-5.4.2.4, 5.4.2.8 (root/system accounts)
  • 6.2.3.8 (logrotate), 6.3.2.4 (audit log space warning)

Removed Controls (7)

  • 1.4.3 (single user mode auth - removed from benchmark)
  • 2.1.4.1-2.1.4.4 (NTP controls - deprecated, chrony/systemd-timesyncd only)
  • 4.2.12 (SSH X11 forwarding - absorbed into DisableForwarding)
  • 4.5.3 (root default group - absorbed into 5.4.2.x)

Code Quality

  • Fixed ~85 ansible-lint issues: key-order, command-instead-of-shell, yaml comment indentation, jinja spacing, name casing, risky-file-permissions
  • Fixed yamllint 2-space indentation throughout the playbook
  • Capitalized all handler names and notify references for ansible-lint name[casing] compliance
  • Converted all single-item when: lists to inline format across 27 task files (204 occurrences)
  • Converted all single-item tags: lists to inline format across 4 task files (23 occurrences)
  • Task key order normalized: name → when → tags → block/module

Audit Template Fixes

  • Fixed duplicate keys in ansible_vars_goss.yml.j2 that caused goss "unable to determine format" error (Go YAML parser rejects duplicates)
    • Removed duplicate ubtu20cis_grub_user, ubtu20cis_nis_server, ubtu20cis_samba_server, ubtu20cis_snmp_server
  • Renamed ubtu20cis_time_service to ubtu20cis_time_sync_tool in template to match goss test variable references
  • Added missing audit variables to template and defaults/main.yml:
    • ubtu20cis_bluetooth_service, ubtu20cis_bluetooth_mask (goss test 3.1.3)
    • ubtu20cis_ftp_client (goss test 2.2.6)
    • ubtu20cis_ipv6_disable (goss test 3.1.1)
    • ubtu20cis_remote_log_server (goss tests 6.2.3.6/6.2.3.7)
  • Added --- YAML document marker to template
  • Quoted string values containing YAML special characters
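An added check, not part of the UBUNTU20-CIS role, that flags repeated top-level keys in a rendered ansible_vars_goss.yml before goss reads it. It is a plain line scanner rather than a YAML library call, because many YAML libraries silently keep the last value of a duplicate while the Go parser used by goss rejects the file; the sample file contents are constructed.

```python
import re
from collections import Counter

# Constructed sample of a rendered bridge file with one repeated key,
# mirroring the duplicate ubtu20cis_grub_user entry described above.
SAMPLE_YAML = """---
ubtu20cis_grub_user: root
ubtu20cis_nis_server: false
# audit toggles
ubtu20cis_samba_server: false
ubtu20cis_grub_user: root
"""

# A top-level key: starts in column 0, identifier characters, then a colon.
KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:")


def top_level_keys(text: str) -> list:
    """Return top-level mapping keys in file order.

    Blank lines, comments, the '---' document marker and indented
    (nested) lines are skipped, so only the keys goss sees as
    top-level variables are counted.
    """
    keys = []
    for line in text.splitlines():
        if not line or line[0].isspace() or line.startswith(("#", "---")):
            continue
        match = KEY_RE.match(line)
        if match:
            keys.append(match.group(1))
    return keys


def duplicate_keys(text: str) -> dict:
    """Map each duplicated top-level key to the number of times it appears."""
    counts = Counter(top_level_keys(text))
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    for key, n in duplicate_keys(SAMPLE_YAML).items():
        print(f"duplicate top-level key {key!r} appears {n} times")
```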

Variable Naming Standardization

  • Standardized all register: variable prefixes to follow Lockdown conventions:
    • prelim_ prefix for all preliminary/discovery variables in tasks/prelim.yml (17 variables renamed)
    • discovered_ prefix for all section task registered variables (63 variables renamed)
  • Renamed prelim set_fact variables: mount_names → prelim_mount_names, etc.
  • Removed inconsistent prefixes (ubtu20cis_, avahi_, snap_, bare names) from registered variables
  • Updated all cross-file references in defaults, templates, and section tasks

Warn Count Consistency

  • Added missing Warn Count blocks (import_tasks: warning_facts.yml + vars: warn_control_id) to 34 manual remediation tasks across 11 files
  • Fixed vars: warn_control_id placement from block-level to task-level (same indentation as ansible.builtin.import_tasks:) in 20+ tasks

Benchmark Title and Logic Alignment

  • Validated all 313 task titles against CIS v3.0.0 benchmark JSON — fixed 150+ stale v2 titles
  • Fixed 8 critical logic bugs where tasks implemented the wrong control:
    • 2.2.6: Changed from RPC removal (rpcbind) to FTP client removal (ftp) per v3.0.0
    • 7.1.10: Fixed file paths from /etc/opasswd to /etc/security/opasswd (4 references)
    • 7.2.6: Changed from duplicate username check to duplicate GID check per v3.0.0
    • 1.1.2.1.3/1.1.2.1.4: Fixed nosuid/noexec swap in both task logic and systemd template
    • 5.3.3.2.7/5.3.3.2.8: Fixed swapped PAM quality titles
    • 5.4.2.6: Fixed title to "Ensure root user umask is configured"
    • 5.4.2.8: Replaced manual stub with actual logic to find and lock accounts without valid login shells
    • 3.1.1: Changed from active IPv6 disable to audit-first approach per v3.0.0

Cross-Repo Alignment (Remediation + Audit)

  • Fixed remediation 2.4.1.7: replaced manual stub with proper file permission task for /etc/cron.yearly
  • Fixed bridge template (ansible_vars_goss.yml.j2): ubtu20cis_telnet_server and ubtu20cis_telnet_mask were both mapped from ubtu20cis_telnet_required instead of their actual defaults variables
  • Fixed bridge template: ubtu20_varlog_location renamed to ubtu20cis_varlog_location to match audit vars/CIS.yml
  • Added missing ubtu20cis_remote_log_host, ubtu20cis_remote_log_port, ubtu20cis_remote_log_protocol to defaults/main.yml and bridge template (goss test 6.2.3.6 references these)
  • Added missing ubtu20cis_ipv4_required to bridge template (was in defaults but not passed to audit)

QA Fixes (April 2026)

  • Added ubtu20cis_purge_apt variable (default false) to control apt package purging; applied to prelink (1.5.4) and apport (1.5.5) removal tasks
  • Fixed handler key ordering in Grub update: moved notify after changed_when/failed_when per Lockdown conventions
  • Removed duplicate 1.1.2.2.1 debug stub — /dev/shm partition check is already handled in the combined 1.1.2.2.x mount options task
  • Fixed 1.5.4 prelink: added when: 'prelink' in ansible_facts.packages guard on prelink -ua command; renamed task for clarity
  • Fixed 2.1.2 avahi: improved task name to specify Stop/Disable action
  • Fixed 3.1.1/3.1.2: corrected task name prefixes from PATCH to AUDIT on read-only commands
  • Fixed 4.2.x: added inline documentation comments for optional UFW incoming ports task
  • Fixed 4.4.2.4: removed notify: Persistent ip4tables from 3 audit-only tasks where changed_when: false prevented the handler from ever firing
  • Fixed 5.2.7: removed unused register: discovered_sugroup from group creation task
  • Fixed 5.4.3.2 TMOUT: replaced deprecated dest parameter with path in blockinfile module; reordered keys to match Lockdown conventions
  • Fixed 7.1.10: corrected task name prefixes from PATCH to AUDIT on stat tasks
  • Fixed 7.1.11/7.1.12: reordered changed_when/failed_when/check_mode/register to appear before with_items/loop_control per Lockdown conventions
  • Fixed 7.2.4: gave all three shadow group tasks unique names instead of duplicate "check users in group"
  • Fixed 5.4.2.6: rewrote root umask task — removed pam_umask.so/login.defs/USERGROUPS_ENAB approach, replaced with direct lineinfile to /root/.bash_profile and /root/.bashrc; added missing automated tag; fixed ubtu20cis_bash_umask default from 027 to 0027
  • Fixed 5.4.2.4: added when guard on assert so it doesn't fail when root password isn't set in containers
  • Fixed 5.4.2.8: added missing Alert on findings debug task before Warn Count
  • Fixed 2.4.1.9: changed /etc/cron.allow group from crontab to root to match CIS benchmark and goss expectation
  • Added deny_users and deny_groups to ubtu20cis_sshd defaults (5.1.4 sshd access)
  • Enabled goss audit in molecule converge (setup_audit: true, run_audit: true)
  • Standardized warn count task naming across all sections:
    • Debug/alert tasks → "Alert on findings" suffix (was inconsistent: "Absent", "Output Warning", "Message out...", "Print warning about...")
    • Warn count tasks → "Warn Count" suffix (was: "warn_count", "Set warning count", "Capture Warning")
    • Discovery tasks → "Discover status" suffix
    • Applied to 13 task files across sections 1–7
  • Fixed 4.2.7: added when condition so alert only fires when open ports exist
  • Fixed 6.2.1.1: added missing Alert on findings debug for journald service status
  • Fixed 7.2.5: reordered alert debug before warn count import (was warn count before alert)
  • Fixed 4.3.3–4.3.10: added "Alert on findings" suffix to all 8 nftables audit debug tasks
  • Migrated all mode: directives from = (absolute) to - (relative) symbolic notation to align with UBUNTU22-CIS conventions (~100 directives across 18 task files). Mapping: u=rw,g=,o= → go-rwx, u=rw,g=r,o=r → u-x,go-wx, u=rwx,g=,o= → u+rwx,go-rwx, u=rwx,g=rx,o=rx → go-w, u=rw,g=r,o= → u-x,g-wx,o-rwx, u=rwx,g=rx,o= → g-w,o-rwx. Also standardized 2 mixed-notation entries in cis_2.3.x.yml
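As an added illustration, not code from the UBUNTU20-CIS role, a small Python interpreter for chmod-style symbolic mode specs that applies the six absolute/relative pairs from the migration above to a starting mode and reports where the two forms disagree: the relative form only removes bits (or adds owner bits for u+rwx), so a file that already sits stricter or looser than the old absolute target keeps a different mode than it would have before.

```python
BITS = {"r": 4, "w": 2, "x": 1}
SHIFT = {"u": 6, "g": 3, "o": 0}

# The six absolute -> relative pairs listed in the migration note above.
MODE_MAPPING = [
    ("u=rw,g=,o=", "go-rwx"),
    ("u=rw,g=r,o=r", "u-x,go-wx"),
    ("u=rwx,g=,o=", "u+rwx,go-rwx"),
    ("u=rwx,g=rx,o=rx", "go-w"),
    ("u=rw,g=r,o=", "u-x,g-wx,o-rwx"),
    ("u=rwx,g=rx,o=", "g-w,o-rwx"),
]


def apply_symbolic(mode: int, spec: str) -> int:
    """Apply a comma-separated symbolic spec (who, one of =/+/-, rwx) to a numeric mode."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = clause[:i] or "a"
        if "a" in who:
            who = "ugo"
        op, perms = clause[i], clause[i + 1:]
        if op not in "=+-" or any(p not in BITS for p in perms):
            raise ValueError(f"unsupported clause: {clause!r}")
        for w in who:
            bits = sum(BITS[p] for p in perms) << SHIFT[w]
            if op == "=":
                mode = (mode & ~(0o7 << SHIFT[w])) | bits  # replace this class entirely
            elif op == "+":
                mode |= bits
            else:
                mode &= ~bits
    return mode


def diverging_pairs(initial: int) -> list:
    """Return (absolute, relative, abs_result, rel_result) for pairs that disagree on a file currently at `initial`."""
    out = []
    for absolute, relative in MODE_MAPPING:
        a = apply_symbolic(initial, absolute)
        r = apply_symbolic(initial, relative)
        if a != r:
            out.append((absolute, relative, a, r))
    return out


if __name__ == "__main__":
    for start in (0o644, 0o755, 0o400):
        for absolute, relative, a, r in diverging_pairs(start):
            print(f"{start:04o}: {absolute} -> {a:04o} but {relative} -> {r:04o}")
```

On a 0755 file the old `u=rw,g=,o=` produced 0600 while `go-rwx` leaves the owner execute bit and produces 0700, which is the kind of difference worth checking against the goss expectations after such a migration.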

Bug Fixes

  • Added missing "Update dconf" handler (14 task references)
  • Fixed "Restart timeservice" handler case mismatch
  • Added missing when: clause on journald file permissions rule
  • Fixed wrong task ID 5.2.3.10 → 5.2.3.20 (audit immutable config)
  • Added no_log: true to password task
  • Added changed_when to 5 shell/command tasks
  • Fixed meta description typo "benmarks" → "benchmarks"
  • Removed unused handlers (reload gdm3, reload gdm, persistent ip6tables)
  • Created 6 missing dconf templates
  • Removed 2 orphaned templates (chrony.conf.j2, ntp.conf.j2)
  • Added *.vault, *.pem, *.key to .gitignore

Defaults

  • Complete rewrite of defaults/main.yml with v3.0.0 variable names
  • All 313 control toggle variables renamed to v3.0.0 numbering
  • Added ubtu20cis_section7_patch toggle
  • benchmark_version updated to v3.0.0

Tags

  • Replaced all scored/not_scored tags with automated/manual
  • Updated all rule_X.Y.Z tags to v3.0.0 IDs
  • Updated level tags for controls that changed profile

PAM Section 5 Implementations

  • Faillock (5.3.3.1.1-5.3.3.1.3): Configure deny, unlock_time, and root lockout via lineinfile on /etc/security/faillock.conf with cleanup of pam-config files
  • PWQuality (5.3.3.2.1-5.3.3.2.8): Template-based drop-in files in /etc/security/pwquality.conf.d/ with replace to clean duplicate settings from other locations
  • PWHistory (5.3.3.3.1-5.3.3.3.3): Shell audit + lineinfile with backrefs for remember, enforce_for_root, and use_authtok on pam_pwhistory.so
  • PAM Unix (5.3.3.4.1-5.3.3.4.2, 5.3.3.4.4): Shell audit + replace to remove nullok and remember from pam_unix.so; lineinfile for use_authtok
  • Updated existing tasks 5.3.3.2.1, 5.3.3.2.2, 5.3.3.2.4, 5.3.3.2.6 from legacy ubtu20cis_pass.* variables to new ubtu20cis_passwd_* variables
  • Created 8 pwquality drop-in template files in templates/etc/security/pwquality.conf.d/
  • Added 3 prelim tasks: prelim_pam_conf_files, prelim_pam_pwquality_confs discovery, and pwquality.conf.d directory creation
  • Wired up all 25 previously-unused PAM/password defaults variables to tasks and templates
  • Fixed register: ordering in 6 tasks (prelim.yml, cis_5.3.x.yml, handlers/main.yml) — register: now appears after changed_when:/failed_when: per Lockdown conventions
  • Fixed ubtu20cis_journald_upload typo in cis_6.2.x.yml:102 — should be ubtu20cis_journal_upload (would cause undefined variable error at runtime)
  • Fixed: added prelim_tmp_mnt_type.stdout is defined guard on tmp mount type conditional to prevent attribute error when set_fact overwrites command result with string
  • Moved all inline comments in defaults/main.yml to the line above their variable (~70 occurrences) for consistency — pragma: allowlist secret directives kept inline
  • Renamed prelim_min_int_gid to min_int_gid in prelim set_facts to match min_int_uid/max_int_uid naming convention

Automated Controls (ported from UBUNTU22-CIS)

  • 1.1.1.6: Overlay kernel module — lineinfile to /etc/modprobe.d/CIS.conf + blacklist + modprobe disable (was manual)
  • 1.1.1.10: Unused filesystem modules — deploys fs_with_cves.sh discovery script, warns on loaded modules (was manual)
  • 1.1.2.2.2: /dev/shm nodev option — merged into combined 1.1.2.2.x mount options task with ansible.posix.mount (was manual)
  • 2.1.12: rpcbind — package removal or systemd mask via ubtu20cis_rpc_server/ubtu20cis_rpc_mask variables (was manual)
  • 2.1.16: tftp server — package removal or systemd mask via ubtu20cis_tftp_server/ubtu20cis_tftp_mask variables (was manual)
  • 2.1.19: xinetd — package removal or systemd mask via ubtu20cis_xinetd_server/ubtu20cis_xinetd_mask variables (was manual)
  • 4.1.1: Firewall utility — installs ufw package (was manual)
  • 5.1.9: SSH GSSAPIAuthentication — lineinfile to set GSSAPIAuthentication no in sshd_config (was manual)
  • 5.3.1.1: PAM runtime — installs latest libpam-runtime package (was manual)
  • 5.3.1.2: PAM modules — installs latest libpam-modules package (was manual)
  • 5.4.2.1: UID 0 accounts — passwd -l to lock non-root UID 0 accounts (was manual)
  • 5.4.2.2: GID 0 accounts — discovers and removes non-root accounts from GID 0 (was manual)
  • 5.4.2.5: Root PATH integrity — stat/file module to audit and fix directory ownership and permissions (was manual)
  • Added Systemd daemon reload handler for service masking tasks
  • Added prelim tasks: prelim_uid_zero_accounts_except_root, prelim_interactive_usernames
  • Added files/fs_with_cves.sh discovery script for unused filesystem modules
  • Added failed_when: false to pwquality replace tasks (5.3.3.2.1-2.7) for missing file resilience
  • 4.2.2: nftables removal — package_facts check + ansible.builtin.package to remove nftables when ufw is the chosen firewall (was manual)
  • 5.4.2.3: GID 0 group audit — shell discovers non-root groups with GID 0 and warns with group names (was manual stub with no audit logic)
  • 5.4.2.4: Root access controlled — passwd -S root check with assert to verify root password is set (was manual)
  • 6.2.3.8: Logrotate configuration — ansible.builtin.find + ansible.builtin.replace to set rotation frequency in /etc/logrotate.conf and all /etc/logrotate.d/ drop-in files using new ubtu20cis_logrotate variable (was manual)
  • 6.3.2.4: Audit log space warning — lineinfile to set space_left_action and admin_space_left_action in /etc/audit/auditd.conf using existing ubtu20cis_auditd variables, notifies Restart auditd (was manual)

Molecule Docker Testing

  • Fixed FQCN connection detection: added community.docker.docker to ansible_connection checks in tasks/main.yml (container detection block) and tasks/section_1/cis_1.1.1.x.yml (8 modprobe skip conditions). Molecule uses the FQCN community.docker.docker connection plugin, not the short name docker
  • Fixed molecule/default/molecule.yml: changed cgroup volume mount from :ro to :rw and added cgroupns_mode: host for full systemd support on cgroups v2 hosts (macOS Docker Desktop)
  • Created molecule/default/prepare.yml: installs openssh-server, libpam-pwquality, sudo, acl, kmod, cron, chrony, rsyslog, aide, aide-common, logrotate; creates /run/sshd; starts cron and rsyslog services
  • Simplified molecule/default/converge.yml: removed redundant rule overrides now handled by vars/is_container.yml auto-loading
  • Updated vars/is_container.yml:
    • Added ubtu20cis_rule_1_3_1_2: false (AppArmor bootloader config — no grub in containers)
    • Added ubtu20cis_ipv6_disable: sysctl (use sysctl instead of grub method)
    • Added ubtu20cis_rule_6_3_4_1 through 6_3_4_10: false (audit log file permissions — no auditd)
    • Re-enabled AIDE (6.1.x), cron (2.4.x), time sync (2.3.x), rsyslog (6.2.3.x), and logging (6.2.1.x) rules — now functional with prepare.yml packages and working systemd
  • Fixed cron idempotence: added changed_when: false to 7 cron access tasks (2.4.1.2–2.4.1.8) that used state: touch which always reports changed

v2.0.1 based on CIS v2.0.1

  • issue 148 thanks to @karlg100
  • workflow updates for new pipeline
  • audit
    • updated files and variables
    • updated vars/audit.yml
    • improved handling when using local copies or archives

v2.0.1 based upon CIS 2.0.1

  • ability to run the goss audit only, via the audit_only variable
    • audit vars mainly moved to var/audit.yml
  • several control updates
  • goss version update to 0.4.4

V2.0 based upon CIS 2.0.1

  • v2.0.1 - refer to the change history in the official CIS PDF.

    • Rewrite of many rules
    • Ordering and numbering of rules
    • many title updates
  • timesync options increased

    • default systemd-timesyncd
    • chrony options updated
  • idempotency improvements

  • new discoveries

    • interactive users
    • uid min value
    • is_container discovery and default var
  • pre-commit added to setup

  • README new layout

  • Added test for rule 4.3.4: checks that the user running sudo has a password set before NOPASSWD is removed from sudoers

  • grub password check update thanks to @Acenl12 on discord

V1.0.1 - based upon CIS 1.1.0

thanks to ikthomas #84

v1.0.0

  • update galaxy lint requirements
  • license file
  • ansible version

April 2023 Updates

  • Addressed Bugs
    • #73 - Thanks @fnschroeder (Fix Taken From @uk-bolly issue_73 branch)
    • #80 - Thanks @kdebisschop
  • Added Fixes For Outstanding PR's
    • #81 - Thanks @kdebisschop
    • Fixed Linting Errors For Yamllint & Ansible-Lint
    • Adjusted Builtin to Posix For sysctl module.

Feb 23 updates - Initial

  • lint files updated
  • ansible version updated
  • Lots of lint and standardisation changes
  • fqcn
  • Assertions for root and grub passwords
  • Import tasks to allow tags to be used
  • Warnings made standard
  • warn count feature added
  • workflow updates
  • wireless interface discovery
  • idempotency checks and updates

reboot variable changed from ubtu20_skip_reboot to skip_reboot (still default true)

Remediate portion

Issues and PRs addressed

  • #1 set bootloader password - allowed unrestricted by default, but new variables added

    • Added extra variable options ubtu20cis_set_grub_password and ubtu20cis_set_root_password (defaults true)
  • #2 Ensure locks for failed attempts

  • #3 root path integrity

  • thanks to @vbotka

    • #63 parse_etc_password
  • thanks to @makefu

    • #67 UFW incoming firewall ports (optional)
  • thanks to @CFoltin

    • #68 logrotate alignment
    • #69 stop rule overwrite UFW
  • thanks to @hackery

    • #70 TMOUT stops being repeated

Many improvements on multiple controls. The remediate and audit versions now match: when using remediate, it will pull in the latest version of audit for that release.

Audit

  • updated goss version used
  • aligned new variables with audit
  • audit path now defaults to /opt instead of /var/tmp

Started at devel version 1.1.0 Feb_23