Merge pull request #96 from ansible-lockdown/pub_nov_updates

frederickw082922 · web-flow · commit 3d4babf1afac · 2025-12-01T09:55:16.000-05:00
Pub nov updates
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -39,11 +39,13 @@ repos:
   rev: v1.5.0
   hooks:
   - id: detect-secrets
+    name: Detect Secrets test
 
 - repo: https://github.com/gitleaks/gitleaks
   rev: v8.29.1
   hooks:
   - id: gitleaks
+    name: Run Gitleaks test
 
 - repo: https://github.com/ansible-community/ansible-lint
   rev: v25.11.0
diff --git a/Changelog.md b/Changelog.md
@@ -2,6 +2,13 @@
 
 ## Based on CIS v1.0.0
 
+### 1.0.5 - based on benchmark CIS 1.0.0
+#92 1.1.1.7 logic improved and updating inline with audit branches - thanks @jbruno
+#93 ufw logic improved thanks to @ToonSpinTUe
+#94 Fixed var names dailychecktimer thanks to #94 @huan086
+pre-commit updates
+typo fixes
+
 1.0.4 - based on Benchmark CIS 1.0.0
 - pre-commit updates
 - workflow updates
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -6,21 +6,21 @@
     ubtu24cis_apparmor_enforce_only: false
   changed_when: false
 
-- name: "PRELIM | AUDIT | Register if snap being used"
+- name: "PRELIM | AUDIT | squashfs logic"
   when: ubtu24cis_rule_1_1_1_7
   tags: always
-  ansible.builtin.shell: df -h | grep -wc "/snap"
-  changed_when: false
-  failed_when: prelim_snap_pkg_mgr.rc not in [ 0, 1 ]
-  register: prelim_snap_pkg_mgr
+  block:
+    - name: "PRELIM | AUDIT | Register if snap being used"
+      ansible.builtin.shell: lsblk | grep -wc "/snap"
+      changed_when: false
+      failed_when: prelim_snap_pkg_mgr.rc not in [ 0, 1 ]
+      register: prelim_snap_pkg_mgr
 
-- name: "PRELIM | AUDIT | Register if squashfs is built into the kernel"
-  when: ubtu24cis_rule_1_1_1_7
-  tags: always
-  ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep -c "squashfs"
-  changed_when: false
-  failed_when: prelim_squashfs_builtin.rc not in [ 0, 1 ]
-  register: prelim_squashfs_builtin
+    - name: "PRELIM | AUDIT | Register if squashfs is built into the kernel"
+      ansible.builtin.shell: cat /lib/modules/$(uname -r)/modules.builtin | grep "squashfs"
+      changed_when: false
+      failed_when: prelim_squashfs_builtin.rc not in [ 0, 1 ]
+      register: prelim_squashfs_builtin
 
 - name: PRELIM | AUDIT | Section 1.1 | Create list of mount points
   tags: always
@@ -67,7 +67,9 @@
     file: audit.yml
 
 - name: Include pre-remediation audit tasks
-  when: run_audit or audit_only or setup_audit
+  when:
+    - run_audit or audit_only
+    - setup_audit
   tags:
     - run_audit
     - setup_audit
@@ -264,7 +266,8 @@
 
 - name: "PRELIM | PATCH | Install UFW"
   when:
-    - ubtu24cis_rule_2_4_1_1
+    - ubtu24cis_rule_4_2_1
+    - ubtu24cis_section4
     - ubtu24cis_firewall_package == "ufw"
   tags: always
   ansible.builtin.package:
diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml
@@ -206,8 +206,8 @@
 - name: "1.1.1.7 | PATCH | Ensure squashfs kernel module is not available"
   when:
     - ubtu24cis_rule_1_1_1_7
-    - not prelim_squashfs_builtin
-    - prelim_snap_pkg_mgr.rc != 0
+    - prelim_squashfs_builtin.rc != 0
+    - prelim_snap_pkg_mgr.rc == 1
   tags:
     - level2-server
     - level2-workstation
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
@@ -469,8 +469,8 @@ ubtu24cis_desktop_required: {{ ubtu24cis_desktop_required }}
 
 ## Section 1
 
-# If system uses squahshfs e.gf. snap package manager set true
-ubtu24cis_squashfs_required:{% if prelim_snap_pkg_mgr.rc == 0 %} true {% else %} false{% endif %}
+# If system uses squashfs e.gf. snap package manager set true
+ubtu24cis_squashfs_skip:{% if prelim_squashfs_builtin.rc == 0 and prelim_snap_pkg_mgr.rc != 0 %} true{% else %} false{% endif %}
 
 ## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode
 
diff --git a/templates/etc/systemd/system/dailyaidecheck.timer.j2 b/templates/etc/systemd/system/dailyaidecheck.timer.j2
@@ -2,7 +2,7 @@
 Description=Daily AIDE check
 
 [Timer]
-OnCalendar={{ ubtu24cis_aide_cron_aide_day }}-{{ ubtu24cis_aide_cron_aide_month }}-{{ ubtu24cis_aide_cron_aide_weekday }} {{ ubtu24cis_aide_cron_aide_hour }}:{{ ubtu24cis_aide_cron_aide_minute }}:00
+OnCalendar={{ ubtu24cis_aide_cron_day }}-{{ ubtu24cis_aide_cron_month }}-{{ ubtu24cis_aide_cron_weekday }} {{ ubtu24cis_aide_cron_hour }}:{{ ubtu24cis_aide_cron_minute }}:00
 Persistent=true
 
 [Install]
