
fix: 🐛 handle 'all' in outbound ports loop in rule rule_4.1.5 and apt/dpkg lock#137

Closed
tmeckel wants to merge 5 commits into ansible-lockdown:devel from tmeckel:fix/apt-lock

Conversation


@tmeckel tmeckel commented Feb 12, 2026

Overall Review of Changes:

UBUNTU24-CIS suffers from the same issues that UBUNTU22-CIS currently have:

Issue Fixes:

This PR contains the same fixes as submitted with PR ansible-lockdown/UBUNTU22-CIS#329 in UBUNTU22-CIS

Enhancements:
N/A

How has this been tested?:
Local image building pipeline

Additional Information

This is the list of tasks that use apt, implicitly or explicitly, and suffer from not waiting on a locked apt/dpkg. All those tasks should be updated with a lock_timeout: "{{ ubtu24cis_apt_lock_timeout }}" or in another way, e.g. when using ansible.builtin.command.

| File | Line | Module/Command | Task Name |
|---|---|---|---|
| tasks/pre_remediation_audit.yml | 19 | ansible.builtin.package | Pre Audit Setup \| Install git |
| tasks/prelim.yml | 56 | ansible.builtin.package | PRELIM \| PATCH \| Run apt update |
| tasks/prelim.yml | 218 | ansible.builtin.package | PRELIM \| PATCH \| Ensure auditd is installed |
| tasks/prelim.yml | 256 | ansible.builtin.package | PRELIM \| PATCH \| Install ACL |
| tasks/prelim.yml | 263 | ansible.builtin.package | PRELIM \| PATCH \| Install cron |
| tasks/prelim.yml | 273 | ansible.builtin.package | PRELIM \| PATCH \| Install UFW |
| tasks/prelim.yml | 294 | ansible.builtin.package | OPTIONAL \| PATCH \| Install Logrotate if missing |
| tasks/section_1/cis_1.2.1.x.yml | 17 | ansible.builtin.command | 1.2.1.1 \| AUDIT \| Ensure GPG keys are configured \| Get apt gpg keys |
| tasks/section_1/cis_1.2.1.x.yml | 48 | ansible.builtin.command | 1.2.1.2 \| AUDIT \| Ensure package manager repositories are configured \| Get repositories |
| tasks/section_1/cis_1.2.2.x.yml | 14 | ansible.builtin.package | 1.2.2.1 \| PATCH \| Ensure updates, patches, and additional security software are installed \| Update |
| tasks/section_1/cis_1.3.1.x.yml | 14 | ansible.builtin.package | 1.3.1.1 \| PATCH \| Ensure AppArmor is installed |
| tasks/section_1/cis_1.5.x.yml | 112 | ansible.builtin.package | 1.5.4 \| PATCH \| Ensure prelink is not installed \| Remove prelink package |
| tasks/section_1/cis_1.5.x.yml | 140 | ansible.builtin.package | 1.5.5 \| PATCH \| Ensure Automatic Error Reporting is not enabled \| remove package |
| tasks/section_1/cis_1.7.x.yml | 15 | ansible.builtin.package | 1.7.1 \| PATCH \| Ensure GNOME Display Manager is removed |
| tasks/section_2/cis_2.1.x.yml | 19 | ansible.builtin.package | 2.1.1 \| PATCH \| Ensure autofs services are not in use \| Remove Package |
| tasks/section_2/cis_2.1.x.yml | 50 | ansible.builtin.package | 2.1.2 \| PATCH \| Ensure avahi daemon services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 86 | ansible.builtin.package | 2.1.3 \| PATCH \| Ensure dhcp server services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 120 | ansible.builtin.package | 2.1.4 \| PATCH \| Ensure dns server services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 151 | ansible.builtin.package | 2.1.5 \| PATCH \| Ensure dnsmasq server services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 183 | ansible.builtin.package | 2.1.6 \| PATCH \| Ensure ftp server services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 214 | ansible.builtin.package | 2.1.7 \| PATCH \| Ensure ldap server services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 247 | ansible.builtin.package | 2.1.8 \| PATCH \| Ensure message access server services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 285 | ansible.builtin.package | 2.1.9 \| PATCH \| Ensure network file system services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 317 | ansible.builtin.package | 2.1.10 \| PATCH \| Ensure nis server services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 346 | ansible.builtin.package | 2.1.11 \| PATCH \| Ensure print server services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 381 | ansible.builtin.package | 2.1.12 \| PATCH \| Ensure rpcbind services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 415 | ansible.builtin.package | 2.1.13 \| PATCH \| Ensure rsync services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 447 | ansible.builtin.package | 2.1.14 \| PATCH \| Ensure samba file server services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 479 | ansible.builtin.package | 2.1.15 \| PATCH \| Ensure snmp services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 510 | ansible.builtin.package | 2.1.16 \| PATCH \| Ensure tftp server services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 541 | ansible.builtin.package | 2.1.17 \| PATCH \| Ensure web proxy server services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 574 | ansible.builtin.package | 2.1.18 \| PATCH \| Ensure web server services are not in use \| Remove httpd server |
| tasks/section_2/cis_2.1.x.yml | 584 | ansible.builtin.package | 2.1.18 \| PATCH \| Ensure web server services are not in use \| Remove nginx server |
| tasks/section_2/cis_2.1.x.yml | 631 | ansible.builtin.package | 2.1.19 \| PATCH \| Ensure xinetd services are not in use \| Remove package |
| tasks/section_2/cis_2.1.x.yml | 658 | ansible.builtin.package | 2.1.20 \| PATCH \| Ensure X window server services are not in use |
| tasks/section_2/cis_2.2.x.yml | 14 | ansible.builtin.package | 2.2.1 \| PATCH \| Ensure NIS Client is not installed |
| tasks/section_2/cis_2.2.x.yml | 30 | ansible.builtin.package | 2.2.2 \| PATCH \| Ensure rsh client is not installed |
| tasks/section_2/cis_2.2.x.yml | 46 | ansible.builtin.package | 2.2.3 \| PATCH \| Ensure talk client is not installed |
| tasks/section_2/cis_2.2.x.yml | 63 | ansible.builtin.package | 2.2.4 \| PATCH \| Ensure telnet client is not installed |
| tasks/section_2/cis_2.2.x.yml | 81 | ansible.builtin.package | 2.2.5 \| PATCH \| Ensure ldap client is not installed |
| tasks/section_2/cis_2.2.x.yml | 98 | ansible.builtin.package | 2.2.6 \| PATCH \| Ensure ftp is not installed |
| tasks/section_2/cis_2.3.1.x.yml | 17 | ansible.builtin.package | 2.3.1.1 \| PATCH \| Ensure a single time synchronization daemon is in use \| Pkg installed |
| tasks/section_2/cis_2.3.1.x.yml | 23 | ansible.builtin.package | 2.3.1.1 \| PATCH \| Ensure a single time synchronization daemon is in use \| other pkgs removed |
| tasks/section_3/cis_3.1.x.yml | 100 | ansible.builtin.package | 3.1.3 \| PATCH \| Ensure bluetooth services are not in use \| pkg |
| tasks/section_4/cis_4.1.1.yml | 15 | ansible.builtin.shell | 4.1.1 \| AUDIT \| Ensure a single firewall configuration utility is in use \| Check packages |
| tasks/section_4/cis_4.2.x.yml | 15 | ansible.builtin.package | 4.2.1 \| PATCH \| Ensure ufw is installed |
| tasks/section_4/cis_4.2.x.yml | 30 | ansible.builtin.package | 4.2.2 \| PATCH \| Ensure iptables-persistent is not installed with ufw |
| tasks/section_4/cis_4.4.1.x.yml | 15 | ansible.builtin.package | 4.4.1.1 \| PATCH \| Ensure iptables packages are installed |
| tasks/section_4/cis_4.4.1.x.yml | 31 | ansible.builtin.package | 4.4.1.2 \| PATCH \| Ensure nftables is not installed with iptables |
| tasks/section_4/cis_4.4.1.x.yml | 48 | ansible.builtin.package | 4.4.1.3 \| PATCH \| Ensure ufw is uninstalled or disabled with iptables |
| tasks/section_5/cis_5.2.x.yml | 12 | ansible.builtin.package | 5.2.1 \| PATCH \| Ensure sudo is installed |
| tasks/section_5/cis_5.3.1.x.yml | 12 | ansible.builtin.package | 5.3.1.1 \| PATCH \| Ensure latest version of pam is installed |
| tasks/section_5/cis_5.3.1.x.yml | 25 | ansible.builtin.package | 5.3.1.2 \| PATCH \| Ensure libpam-modules is installed |
| tasks/section_5/cis_5.3.1.x.yml | 38 | ansible.builtin.package | 5.3.1.3 \| PATCH \| Ensure libpam-pwquality is installed |
| tasks/section_6/cis_6.1.2.x.yml | 16 | ansible.builtin.package | 6.1.2.1.1 \| PATCH \| Ensure systemd-journal-remote is installed |
| tasks/section_6/cis_6.1.3.x.yml | 18 | ansible.builtin.package | 6.1.3.1 \| PATCH \| Ensure rsyslog is installed |
| tasks/section_6/cis_6.2.1.x.yml | 17 | ansible.builtin.package | 6.2.1.1 \| PATCH \| Ensure auditd packages are installed |
| tasks/section_6/cis_6.3.x.yml | 16 | ansible.builtin.package | 6.3.1 \| PATCH \| Ensure AIDE is installed |

@github-actions

Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the Discord Server as well.

@tmeckel tmeckel changed the title from "Fix/apt lock" to "fix: 🐛 handle 'all' in outbound ports loop in rule rule_4.1.5 and apt/dpkg lock" on Feb 12, 2026
Add ubtu24cis_apt_lock_timeout variable to configure wait time for dpkg/apt locks during package operations. Default set to 180 seconds.

Signed-off-by: Thomas Meckel <tmeckel@users.noreply.github.com>
…tallation

Signed-off-by: Thomas Meckel <tmeckel@users.noreply.github.com>
…iguration

Update the loop condition to handle 'all' value properly in ufw outbound port configuration. Replace string containment check with exact equality comparison to prevent unintended behavior when 'all' is specified.

Signed-off-by: Thomas Meckel <tmeckel@users.noreply.github.com>
The ansible.builtin.package module does not support the lock_timeout parameter which is specific to apt. Switch to ansible.builtin.apt to properly utilize the apt lock timeout configuration.
…odules

Use apt module instead of package module to support lock_timeout parameter for libpam-runtime and libpam-modules installation tasks.
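The pattern the task list above and the last two commit messages describe, as an added illustration (not code from the UBUNTU24-CIS repository): the weak form using ansible.builtin.package, the corrected form using ansible.builtin.apt with lock_timeout, and the equivalent for a task that shells out to apt-get via ansible.builtin.command. The defaults file location, the package name acl and the apt-get task name are assumptions; DPkg::Lock::Timeout is apt's own option and is a swapped-in alternative the PR does not itself show.

```yaml
# defaults/main.yml (assumed location). Variable added by the PR; 180 s is its default.
ubtu24cis_apt_lock_timeout: 180

# Weak form (as listed in tasks/prelim.yml): ansible.builtin.package is distro-agnostic
# and has no lock_timeout, so when unattended-upgrades or another apt process holds
# the dpkg lock the task fails immediately instead of waiting.
- name: "PRELIM | PATCH | Install ACL"
  ansible.builtin.package:
    name: acl          # assumed package name
    state: present

# Corrected form: ansible.builtin.apt waits up to lock_timeout seconds for the lock
# before giving up, which is what the PR switches the affected tasks to.
- name: "PRELIM | PATCH | Install ACL"
  ansible.builtin.apt:
    name: acl          # assumed package name
    state: present
    lock_timeout: "{{ ubtu24cis_apt_lock_timeout }}"

# Tasks that run apt-get directly cannot use lock_timeout. apt's DPkg::Lock::Timeout
# option (seconds) gives the same wait behaviour from the command line.
- name: "Constructed example | Refresh package index with apt-get"
  ansible.builtin.command:
    cmd: "apt-get -o DPkg::Lock::Timeout={{ ubtu24cis_apt_lock_timeout }} update"
  changed_when: true
```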
@uk-bolly
Member

hi @tmeckel

Thank you again for this PR; there have been a large number of PRs raised since then that addressed a few of these issues.
You should find that all the suggestions you have added are part of PR #154. Other PRs have also introduced a conflict now in this PR due to all the fixes that have since been applied.
We have also addressed the apt list you have provided across all affected tasks.

In this case we would like to close this PR against the new PR.

Kindest regards

uk-bolly

@frederickw082922
Contributor

Thank you for your PR @tmeckel. We added your updates to #154. Closing PR.
