Merge pull request #34 from ansible-lockdown/devel
Updates for final release v2.0
uk-bolly authored Jun 10, 2024
2 parents 15511b3 + 9d10836 commit 11b8afe
Showing 5 changed files with 25 additions and 25 deletions.
2 changes: 1 addition & 1 deletion defaults/main.yml
Expand Up @@ -411,7 +411,7 @@ amazon2cis_ssh_loglevel: INFO
# To conform to CIS standards this value nees to be 10 or less
amazon2cis_ssh_maxsessions: 10
amazon2cis_sshd:
# clientalivecountmax: 0
clientalivecountmax: 0
# clientaliveinterval shoudl be between 1 and 900
clientaliveinterval: 300
ciphers: "[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr"
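Review bot: The newly active `clientalivecountmax: 0` has no explanatory comment, unlike `clientaliveinterval` directly below it, and its effect depends on the sshd version: OpenSSH 8.2 changed a ClientAliveCountMax of 0 from disconnecting on the first missed keepalive to never disconnecting, so on a newer sshd this default switches off the idle disconnect that rule 5.3.16 is meant to enforce. A comment above the key such as `# 0 disconnects on the first missed keepalive on OpenSSH < 8.2 but disables disconnection on 8.2+; check the installed sshd version` would record the assumption for whoever changes the value.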
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.4.x.yml
Expand Up @@ -28,7 +28,7 @@
lineinfile:
dest: /usr/lib/systemd/system/rescue.service
regexp: '/sbin/sulogin'
line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default'
line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
when:
- amazon2cis_rule_1_4_2
- ansible_facts['distribution_major_version'] is version('2', '>=')
20 changes: 10 additions & 10 deletions tasks/section_4/cis_4.1.1.x.yml
Expand Up @@ -34,26 +34,26 @@
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
block:
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Get Grub CMDLINE Settings"
shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -d'"' -f2
shell: grep -c -E '^GRUB_CMDLINE_LINUX(_DEFAULT)?=' /etc/default/grub
changed_when: false
failed_when: false
register: amazon2cis_4_1_1_3_grub_cmdline_linux

- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if audit setting already set"
replace:
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if Grub CMDLINE exists"
lineinfile:
path: /etc/default/grub
regexp: 'audit=([^\D]+)'
replace: 'audit=1'
regexp: '^(GRUB_CMDLINE_LINUX(?:_DEFAULT)?)="(.*)( audit=\d)?(.*)"'
line: '\1="\2 audit=1\3"'
backrefs: true
notify: grub2cfg
when: "'audit=' in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout"
when: "'1' in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout"

- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if audit setting not already set"
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Set if Grub CMDLINE does not exist"
lineinfile:
path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX='
line: 'GRUB_CMDLINE_LINUX="{{ amazon2cis_4_1_1_3_grub_cmdline_linux.stdout }} audit=1"'
line: 'GRUB_CMDLINE_LINUX="audit=1"'
notify: grub2cfg
when: "'audit=' not in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout"
when: "'0' in amazon2cis_4_1_1_3_grub_cmdline_linux.stdout"
when:
- amazon2cis_rule_4_1_1_3
tags:
24 changes: 12 additions & 12 deletions tasks/section_4/cis_4.1.2.x.yml
Expand Up @@ -55,26 +55,26 @@
- name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient"
block:
- name: "4.1.2.4 | AUDIT | Ensure audit_backlog_limit is sufficient | Grep GRUB_CMDLINE_LINUX parameter"
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | cut -f2 -d'"'
shell: grep -c -E 'GRUB_CMDLINE_LINUX(_DEFAULT)?=' /etc/default/grub
changed_when: false
failed_when: false
register: amazon2cis_4_1_2_4_grub_cmdline_linux_settings

- name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Set audit_backlog_limit if not configured"
- name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Set audit_backlog_limit if GRUB_CMDLINE_LINUX exists"
lineinfile:
dest: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX='
line: 'GRUB_CMDLINE_LINUX="{{ amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout }} audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}"'
path: /etc/default/grub
regexp: '^(GRUB_CMDLINE_LINUX(?:_DEFAULT)?)="(.*)( audit_backlog_limit={{ amazon2cis_audit_backlog_limit }})?(.*)"'
line: '\1="\2 audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}\3"'
backrefs: true
notify: grub2cfg
when: '"audit_backlog_limit" not in amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout'
when: "'1' in amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout"

- name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Adjust audit_backlog_limit if exists"
replace:
dest: /etc/default/grub
regexp: 'audit_backlog_limit=([^\D]+)'
replace: 'audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}'
- name: "4.1.2.4 | PATCH | Ensure audit_backlog_limit is sufficient | Set audit_backlog_limit if GRUB_CMDLINE_LINUX does not exists"
lineinfile:
path: /etc/default/grub
replace: 'GRUB_CMDLINE_LINUX="audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}"'
notify: grub2cfg
when: '"audit_backlog_limit" in amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout'
when: "'0' in amazon2cis_4_1_2_4_grub_cmdline_linux_settings.stdout"
when:
- amazon2cis_rule_4_1_2_4
tags:
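Review bot: `replace:` on the 'does not exists' task is not a `lineinfile` parameter, so the task fails with an unsupported-parameter error on exactly the hosts where `GRUB_CMDLINE_LINUX` is missing; the key should be `line: 'GRUB_CMDLINE_LINUX="audit_backlog_limit={{ amazon2cis_audit_backlog_limit }}"'`. The `grep -c` pattern here, unlike its counterpart in cis_4.1.1.x.yml, has no `^` anchor, so a commented-out `#GRUB_CMDLINE_LINUX=` line is counted, the 'exists' branch is selected and, with no uncommented line for the backrefs regex to match, nothing is written; `'^GRUB_CMDLINE_LINUX(_DEFAULT)?='` counts the live setting only. The task name should also read `does not exist`.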
2 changes: 1 addition & 1 deletion tasks/section_5/cis_5.3.x.yml
Expand Up @@ -297,7 +297,7 @@
lineinfile:
path: /etc/ssh/sshd_config
regexp: '^ClientAliveCountMax'
line: "ClientAliveCountMax 0"
line: "ClientAliveCountMax {{ amazon2cis_sshd['clientalivecountmax'] }}"
notify: restart sshd
when:
- amazon2cis_rule_5_3_16