Merge pull request #6 from florianutz/dev

Updates for 5.2.12, 6.2.6 and 1.3.1
activehours · Feb 23, 2018 · f211f3d · f211f3d
2 parents 5a491d7 + e5866e6
commit f211f3d
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 12 deletions.
diff --git a/files/fixsudo.sh b/files/fixsudo.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+sudopath=($(grep secure_path /etc/sudoers | cut -f2 -d= |cut -f2 -d\"|tr ":" " "))
+for i in ${sudopath[@]}
+do
+  if [ -d "$i" ]
+   then newsudopath+=($i)
+  fi
+done
+echo $(IFS=:; echo "${newsudopath[*]}")
diff --git a/tasks/section1.yml b/tasks/section1.yml
@@ -424,7 +424,7 @@
       - rule_1.3.1
 
 - name: "SCORED | 1.3.1 | PATCH | Ensure AIDE is installed"
-  command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
+  command: /usr/bin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
   args:
       creates: /var/lib/aide/aide.db.gz
   changed_when: no

diff --git a/tasks/section5.yml b/tasks/section5.yml
@@ -306,17 +306,17 @@
       - patch
       - rule_5.2.12
 
-#- name: "SCORED | 5.2.13 | PATCH | Ensure SSH ClientAliveCountMax set to <= 3"
-#  lineinfile:
-#      state: present
-#      dest: /etc/ssh/sshd_config
-#      regexp: '^ClientAliveCountMax'
-#      line: "ClientAliveCountMax {{ ubuntu1604cis_sshd['clientalivecountmax'] }}"
-#  tags:
-#      - level1
-#      - level2
-#      - patch
-#      - rule_5.2.13
+- name: "SCORED | 5.2.12 | PATCH | Ensure SSH ClientAliveCountMax set to <= 3"
+  lineinfile:
+      state: present
+      dest: /etc/ssh/sshd_config
+      regexp: '^ClientAliveCountMax'
+      line: "ClientAliveCountMax {{ ubuntu1604cis_sshd['clientalivecountmax'] }}"
+  tags:
+      - level1
+      - level2
+      - patch
+      - rule_5.2.12
 
 - name: "SCORED | 5.2.13 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
   lineinfile:

diff --git a/tasks/section6.yml b/tasks/section6.yml
@@ -217,6 +217,23 @@
       - rule_6.2.6
       - notimplemented
 
+- name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity"
+  script: files/fixsudo.sh
+  register: fixsudo
+  changed_when: no
+
+- name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity"
+  lineinfile:
+    dest: /etc/sudoers
+    regexp: "(.*secure_path=).*"
+    line: '\1"{{ fixsudo.stdout_lines[0] }}"'
+    backrefs: yes
+  tags:
+      - level1
+      - level2
+      - patch
+      - rule_6.2.6
+
 - name: "SCORED | 6.2.7 | PATCH | Ensure all users' home directories exist"
   command: /bin/true
   changed_when: no