Merge pull request #134 from ansible-lockdown/Jan26_updates

Jan26 updates

Author: frederickw082922

.ansible-lint

@@ -1,6 +1,5 @@
 ---
 
-parseable: true
 quiet: true
 skip_list:
   - 'package-latest'

Changelog.md

@@ -3,6 +3,16 @@
 ## Based on CIS v1.0.0
 
 ## based on benchmark CIS 1.0.0
+
+### Jan26 updates
+pre-commit
+#92 readdressed thanks to @bizrad and @jbruno
+#127 addressed thanks to @rronneburger incl #84
+#129 addressed thanks to @stelucz
+#131 thanks to @Jurka007
+
+### Dec26_updates
+
 precommit update Public issues address
 
 4.2.5 ufw port variables and improvements to include ntp and protocol options

tasks/section_5/cis_5.4.1.x.yml

@@ -33,21 +33,21 @@
     - name: "5.4.1.1 | AUDIT | Ensure password expiration is configured | Add warning if ansible user found as break connection"
       when:
         - ubtu24cis_disruption_high
-        - ansible_user in discovered_passwd_max_days.stdout
+        - (ansible_user | default(ansible_env.USER)) in discovered_passwd_max_days.stdout
       ansible.builtin.debug:
         msg: "Warning!! Your ansible user found to be not compliant with maxdays - Manual intervention required"
 
     - name: 5.4.1.1 | AUDIT | Ensure password expiration is configured | Warn count"
       when:
         - ubtu24cis_disruption_high
-        - ansible_user in discovered_passwd_max_days.stdout
+        - (ansible_user | default(ansible_env.USER)) in discovered_passwd_max_days.stdout
       ansible.builtin.import_tasks:
         file: warning_facts.yml
 
     - name: "5.4.1.1 | PATCH | Ensure password expiration is configured | Set existing users PASS_MAX_DAYS"
       when:
         - ubtu24cis_disruption_high
-        - item != (ansible_user)
+        - item != (ansible_user | default(ansible_env.USER))
       ansible.builtin.command: "chage --maxdays {{ ubtu24cis_pass_max_days }} {{ item }}"
       failed_when: false
       changed_when: discovered_passwd_max_days.stdout | length > 0
@@ -81,21 +81,21 @@
     - name: "5.4.1.2 | AUDIT | Ensure minimum password age is configured | Add warning if ansible user found as break connection"
       when:
         - ubtu24cis_disruption_high
-        - ansible_user in discovered_passwd_min_days.stdout
+        - (ansible_user | default(ansible_env.USER)) in discovered_passwd_min_days.stdout
       ansible.builtin.debug:
         msg: "Warning!! Your ansible user found to be not compliant with mindays - Manual intervention required"
 
     - name: "5.4.1.2 | AUDIT | Ensure minimum password age is configured | Warn count"
       when:
         - ubtu24cis_disruption_high
-        - ansible_user in discovered_passwd_min_days.stdout
+        - (ansible_user | default(ansible_env.USER)) in discovered_passwd_min_days.stdout
       ansible.builtin.import_tasks:
         file: warning_facts.yml
 
     - name: "5.4.1.2 | PATCH | Ensure minimum password age is configured | Set existing users PASS_MIN_DAYS"
       when:
         - ubtu24cis_disruption_high
-        - item != (ansible_user)
+        - item != (ansible_user | default(ansible_env.USER))
       ansible.builtin.command: chage --mindays {{ ubtu24cis_pass_min_days }} {{ item }}
       failed_when: false
       changed_when: discovered_passwd_min_days.stdout | length > 0
@@ -128,7 +128,7 @@
     - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users PASS_WARN_AGE"
       when:
         - ubtu24cis_disruption_high
-        - item != (ansible_user)
+        - item != (ansible_user | default(ansible_env.USER))
       ansible.builtin.command: chage --warndays {{ ubtu24cis_pass_warn_age }} {{ item }}
       failed_when: false
       changed_when: discovered_passwd_warn_days.stdout | length > 0

tasks/section_5/cis_5.4.3.x.yml

@@ -27,19 +27,33 @@
     - shell
     - rule_5.4.3.2
     - NIST800-53R5_NA
-  ansible.builtin.blockinfile:
-    path: "{{ item.path }}"
-    state: "{{ item.state }}"
-    marker: "# {mark} - CIS benchmark - Ansible-lockdown"
-    create: true
-    mode: 'go-wx'
-    block: |
-      TMOUT={{ ubtu24cis_shell_session_timeout }}
-      readonly TMOUT
-      export TMOUT
-  loop:
-    - { path: "{{ ubtu24cis_shell_session_file }}", state: present }
-    - { path: /etc/profile, state: "{{ (ubtu24cis_shell_session_file == '/etc/profile') | ternary('present', 'absent') }}" }
+  block:
+    - name: "5.4.3.2 | AUDIT | Ensure default user shell timeout is configured | Get shell timeout files"
+      ansible.builtin.stat:
+        path: "{{ ubtu24cis_shell_session_file }}"
+      register: discovered_shell_session_file
+
+    - name: "5.4.3.2 | AUDIT | Ensure default user shell timeout is configured | Remove shell timeout files"
+      when: discovered_shell_session_file.stat.exists
+      ansible.builtin.replace:
+        path: "{{ ubtu24cis_shell_session_file }}"
+        regexp: '# Logout Timeout\nexport TMOUT=0\nreadonly TMOUT\n'
+        replace: '# Logout Timeout\n'
+
+    - name: "5.4.3.2 | PATCH | Ensure default user shell timeout is configured | Set shell timeout"
+      ansible.builtin.blockinfile:
+        path: "{{ item.path }}"
+        state: "{{ item.state }}"
+        marker: "# {mark} - CIS benchmark - Ansible-lockdown"
+        create: true
+        mode: 'u-x,go-wx'
+        block: |
+          TMOUT={{ ubtu24cis_shell_session_timeout }}
+          readonly TMOUT
+          export TMOUT
+      loop:
+        - { path: "{{ ubtu24cis_shell_session_file }}", state: present }
+        - { path: /etc/profile, state: "{{ (ubtu24cis_shell_session_file == '/etc/profile') | ternary('present', 'absent') }}" }
 
 - name: "5.4.3.3 | PATCH | Ensure default user umask is configured"
   when: ubtu24cis_rule_5_4_3_3

templates/ansible_vars_goss.yml.j2

@@ -470,7 +470,7 @@ ubtu24cis_desktop_required: {{ ubtu24cis_desktop_required }}
 ## Section 1
 
 # If system uses squashfs e.gf. snap package manager set true
-ubtu24cis_squashfs_skip:{% if prelim_squashfs_builtin.rc == 0 or prelim_snap_pkg_mgr.rc == 0 %} true{% else %} false{% endif %}
+ubtu24cis_squashfs_skip:{% if (prelim_squashfs_builtin.rc | default(1)) == 0  or (prelim_snap_pkg_mgr.rc | default(1)) == 0 %} true{% else %} false{% endif %}
 
 ## Controls 1.3.1.3 and 1.3.1.4 Ensure all AppArmor Profiles are in enforce (1.3.1.3/4) or complain (1.3.1.3) mode