ansible-lockdown · uk-bolly · Jan 30, 2024 · Nov 22, 2023 · Nov 30, 2023 · Dec 4, 2023
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -42,7 +42,7 @@ repos:
     args: ['--baseline-path', '.config/.gitleaks-report.json']
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v6.22.0
+  rev: v6.22.2
   hooks:
   - id: ansible-lint
     name: Ansible-lint

diff --git a/tasks/section_2/cis_2.1.2.x.yml b/tasks/section_2/cis_2.1.2.x.yml
@@ -10,8 +10,8 @@
             owner: root
             group: root
         loop:
-            - etc/chrony/sources.d/pool.source
-            - etc/chrony/sources.d/server.source
+            - etc/chrony/sources.d/pool.sources
+            - etc/chrony/sources.d/server.sources
         notify: Restart timeservice
 
       - name: "2.1.2.1 | PATCH | Ensure chrony is configured with authorized timeserver | load sources"

diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml
@@ -26,6 +26,7 @@
             line: '\1 ipv6.disable=1"'
             backrefs: true
         when:
+            - ubtu22cis_ipv6_disable == 'grub'
             - ipv6disable_replaced is not changed
             - "'ipv6.disable' not in ubtu22cis_3_1_1_cmdline_settings.stdout"
         notify: Grub update

diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml
@@ -48,6 +48,7 @@
             state: present
             reload: true
             ignoreerrors: true
+        when: ubtu22cis_ipv6_disable == 'sysctl'
         notify:
             - Flush ipv6 route table
 

diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml
@@ -25,6 +25,7 @@
             state: present
             reload: true
             ignoreerrors: true
+        when: ubtu22cis_ipv6_disable == 'sysctl'
         with_items:
             - net.ipv6.conf.all.accept_source_route
             - net.ipv6.conf.default.accept_source_route
@@ -66,6 +67,7 @@
             state: present
             reload: true
             ignoreerrors: true
+        when: ubtu22cis_ipv6_disable == 'sysctl'
         with_items:
             - net.ipv6.conf.all.accept_redirects
             - net.ipv6.conf.default.accept_redirects

diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml
@@ -70,7 +70,7 @@
 - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
   block:
       - name: "4.1.3.6 | AUDIT | Ensure use of privileged commands is collected | Get list of privileged programs"
-        ansible.builtin.shell: for i in  $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
+        ansible.builtin.shell: for i in  $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
         register: priv_procs
         changed_when: false
         check_mode: false

diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml
@@ -17,9 +17,9 @@
 - name: "5.3.2 | PATCH | Ensure sudo commands use pty"
   ansible.builtin.lineinfile:
       path: /etc/sudoers
-      regexp: '^Defaults        use_'
+      regexp: '^Defaults\s+use_'
       line: 'Defaults        use_pty'
-      insertafter: '^Defaults'
+      insertafter: '^\s*Defaults'
   when:
       - ubtu22cis_rule_5_3_2
   tags:
@@ -33,9 +33,9 @@
 - name: "5.3.3 | PATCH | Ensure sudo log file exists"
   ansible.builtin.lineinfile:
       path: /etc/sudoers
-      regexp: '^Defaults        logfile'
+      regexp: '^Defaults\s+logfile'
       line: 'Defaults        logfile="{{ ubtu22cis_sudo_logfile }}"'
-      insertafter: '^Defaults'
+      insertafter: '^\s*Defaults'
   when:
       - ubtu22cis_rule_5_3_3
   tags:
@@ -89,8 +89,9 @@
       - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
         ansible.builtin.lineinfile:
             path: /etc/sudoers
-            regexp: 'Defaults timestamp_timeout='
-            line: "Defaults timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}"
+            regexp: '^\s*Defaults/s+timestamp_timeout='
+            line: "Defaults        timestamp_timeout={{ ubtu22cis_sudo_timestamp_timeout }}"
+            insertafter: '^\s*Defaults'
             validate: '/usr/sbin/visudo -cf %s'
         when: ubtu22cis_5_3_6_timeout_files.stdout | length == 0
 

diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml
@@ -106,14 +106,30 @@
       - pam
       - notimplemented
 
-- name: 5.4.3 | PATCH | Ensure password reuse is limited"
-  community.general.pamd:
-      name: common-password
-      type: password
-      control: '[success=1 default=ignore]'
-      module_path: pam_unix.so
-      module_arguments: "remember={{ ubtu22cis_pamd_pwhistory_remember }}"
-      state: args_present
+- name: "5.4.3 | PATCH | Ensure password reuse is limited"
+  block:
+      - name: "5.4.3 | PATCH | Ensure password reuse is limited | Add pam_unix or edit it accordingly"
+        community.general.pamd:
+            name: common-password
+            type: password
+            control: '[success=1 default=ignore]'
+            module_path: pam_unix.so
+            module_arguments: 'obscure
+                yescrypt'
+            state: args_present
+
+      - name: "5.4.3 | PATCH | Ensure password reuse is limited| Set remember value after adding pam unix"
+        community.general.pamd:
+            name: common-password
+            type: password
+            control: '[success=1 default=ignore]'
+            module_path: pam_unix.so
+            new_type: password
+            new_module_path: pam_pwhistory.so
+            new_control: required
+            module_arguments: 'use_authtok
+                remember={{ ubtu22cis_pamd_pwhistory_remember }}'
+            state: before
   when:
       - ubtu22cis_rule_5_4_3
   tags:

diff --git a/...lates/etc/chrony/sources.d/pool.source.j2 → ...ates/etc/chrony/sources.d/pool.sources.j2 b/...lates/etc/chrony/sources.d/pool.source.j2 → ...ates/etc/chrony/sources.d/pool.sources.j2
diff --git a/...tes/etc/chrony/sources.d/server.source.j2 → ...es/etc/chrony/sources.d/server.sources.j2 b/...tes/etc/chrony/sources.d/server.source.j2 → ...es/etc/chrony/sources.d/server.sources.j2