devel to main release (ansible-lockdown#27)

* ansible-lockdown#18 corrected

Signed-off-by: Mark Bolwell <[email protected]>

* updated due to ansible-lockdown#19 great catch

Signed-off-by: Mark Bolwell <[email protected]>

* V2.0.0 final release (ansible-lockdown#24)

* removed warn: false

Signed-off-by: Mark Bolwell <[email protected]>

* fix typos

Signed-off-by: Mark Bolwell <[email protected]>

* addressed ansible-lockdown#21

Signed-off-by: Mark Bolwell <[email protected]>

* updated 1.1.2 logic

Signed-off-by: Mark Bolwell <[email protected]>

* updated handler

Signed-off-by: Mark Bolwell <[email protected]>

---------

Signed-off-by: Mark Bolwell <[email protected]>

* Correct 4.1.15 sudo audit syntax (ansible-lockdown#26)

Signed-off-by: Andrew Davison <[email protected]>

---------

Signed-off-by: Mark Bolwell <[email protected]>
Signed-off-by: Andrew Davison <[email protected]>
Co-authored-by: Andrew Davison <[email protected]>
Signed-off-by: fortinm <[email protected]>

handlers/main.yml

@@ -8,20 +8,18 @@
       masked: false
       state: reloaded
 
+- name: remount tmp
+  command: mount -o remount /tmp
+
 - name: remount dev_shm
   command: mount -o remount /dev/shm
-  args:
-      warn: false
 
 - name: remount var_tmp
   command: mount -o remount /var/tmp
-  args:
-      warn: false
 
 - name: remount home
   command: mount -o remount /home
-  args:
-      warn: false
+
 - name: systemd daemon reload
   systemd:
       daemon_reload: true
@@ -61,8 +59,6 @@
   command: /sbin/service auditd restart
   check_mode: false
   failed_when: false
-  args:
-      warn: false
   when:
       - not amazon2cis_skip_for_travis
   tags:

tasks/post_remediation_audit.yml

@@ -3,8 +3,6 @@
 - name: "Post Audit | Run post_remediation {{ benchmark }} audit"
   shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
   changed_when: true
-  vars:
-      warn: false
 
 - name: Post Audit | ensure audit files readable by users
   file:

tasks/pre_remediation_audit.yml

@@ -79,8 +79,6 @@
 - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit"
   shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
   changed_when: true
-  vars:
-      warn: false
 
 - name: Pre Audit | Capture audit data if json format
   block:

tasks/section_1/cis_1.1.x.yml

@@ -1,51 +1,84 @@
 ---
 
-- name: "1.1.2 | PATCH | Ensure /tmp is configured"
-  systemd:
-      name: tmp.mount
-      daemon_reload: true
-      enabled: true
-      masked: false
-      state: started
+- name: "1.1.2 | AUDIT | Ensure /tmp is configured"
+  block:
+      - name: "1.1.2 | AUDIT | Ensure /tmp is configured"
+        ansible.builtin.shell: findmnt -n /tmp
+        changed_when: false
+        failed_when: false
+        register: amazon2_tmp_exists
+
+      - name: "1.1.2 | WARN | Ensure /tmp is configured | Absent"
+        ansible.builtin.debug:
+            msg: "Warning!! /tmp is configured to use fstab but does not exist"
+        changed_when: true
+        when: amazon2_tmp_exists.stdout | length == 0
   when:
-      - amazon2cis_tmp_svc
       - amazon2cis_rule_1_1_2
+      - not amazon2cis_tmp_svc
   tags:
-      - level1
+      - level1-server
+      - level1-workstation
       - automated
-      - patch
-      - rule_1.1.2
+      - audit
       - mounts
+      - rule_1.1.2
 
 - name: |
-         "1.1.3 | PATCH | Ensure noexec option set on /tmp partition
-          1.1.4 | PATCH | Ensure nodev option set on /tmp partition
-          1.1.5 | PATCH | Ensure nosuid option set on /tmp partition"
-  mount:
+        "1.1.3 | PATCH | Ensure noexec option set on /tmp partition"
+        "1.1.4 | PATCH | Ensure nodev option set on /tmp partition"
+        "1.1.5 | PATCH | Ensure nosuid option set on /tmp partition"
+  ansible.posix.mount:
       name: /tmp
       src: "{{ item.device }}"
       fstype: "{{ item.fstype }}"
       state: present
-      opts: defaults,{% if amazon2cis_rule_1_1_4 %}nodev,{% endif %}{% if amazon2cis_rule_1_1_3 %}noexec,{% endif %}{% if amazon2cis_rule_1_1_5 %}nosuid{% endif %}
-  notify: systemd restart tmp.mount
-  with_items:
-      - "{{ ansible_mounts }}"
+      opts: defaults,{% if amazon2cis_rule_1_1_3 %}noexec,{% endif %}{% if amazon2cis_rule_1_1_4 %}nodev,{% endif %}{% if amazon2cis_rule_1_1_5 %}nosuid{% endif %}
+  notify: remount tmp
+  loop: "{{ ansible_facts.mounts }}"
   loop_control:
       label: "{{ item.device }}"
   when:
       - item.mount == "/tmp"
-      - amazon2cis_tmp_svc
+      - not amazon2cis_tmp_svc
+      - amazon2_tmp_exists.stdout | length > 0
       - amazon2cis_rule_1_1_3 or
         amazon2cis_rule_1_1_4 or
         amazon2cis_rule_1_1_5
   tags:
-      - level1
+      - level1-server
+      - level1-workstation
       - automated
       - patch
+      - mounts
+
+- name: |
+        "1.1.2 | PATCH | Ensure /tmp is configured"
+        "1.1.3 | PATCH | Ensure noexec option set on /tmp partition"
+        "1.1.4 | PATCH | Ensure nodev option set on /tmp partition"
+        "1.1.5 | PATCH | Ensure nosuid option set on /tmp partition"
+  notify: systemd restart tmp.mount
+  ansible.builtin.template:
+      src: etc/systemd/system/tmp.mount.j2
+      dest: /etc/systemd/system/tmp.mount
+      owner: root
+      group: root
+      mode: '0644'
+  when:
+      - amazon2cis_tmp_svc
+      - amazon2cis_rule_1_1_2 or
+        amazon2cis_rule_1_1_3 or
+        amazon2cis_rule_1_1_4 or
+        amazon2cis_rule_1_1_5
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - mounts
+      - rule_1.1.2
       - rule_1.1.3
       - rule_1.1.4
       - rule_1.1.5
-      - mounts
 
 - name: |
     "1.1.6 | PATCH | Ensure /dev/shm is configured
@@ -82,7 +115,7 @@
 
       - name: "1.1.10 | AUDIT | Ensure separate partition exists for /var | Message if present"
         debug:
-            msg: "Congradulations: /var is on a seperate partition"
+            msg: "Congratulations: /var is on a seperate partition"
         when: "'/var' in mount_names"
   when:
       - amazon2cis_rule_1_1_10
@@ -102,7 +135,7 @@
 
       - name: "1.1.11 | AUDIT | Ensure separate partition exists for /var/tmp | Message if present"
         debug:
-            msg: "Congradulations: /var/tmp is on a seperate partition"
+            msg: "Congratulations: /var/tmp is on a seperate partition"
         when: "'/var/tmp' in mount_names"
   when:
       - amazon2cis_rule_1_1_11
@@ -153,7 +186,7 @@
 
       - name: "1.1.15 | PATCH | Ensure separate partition exists for /var/log | Message if present"
         debug:
-            msg: "Congradulations: /var/log is on a seperate partition"
+            msg: "Congratulations: /var/log is on a seperate partition"
         when: "'/var/log' in mount_names"
   when:
       - amazon2cis_rule_1_1_15
@@ -173,7 +206,7 @@
 
       - name: "1.1.16 | AUDIT | Ensure separate partition exists for /var/log/audit | Message if present"
         debug:
-            msg: "Congradulations: /var/log/audit is on a seperate partition"
+            msg: "Congratulations: /var/log/audit is on a seperate partition"
         when: "'/var/log/audit' in mount_names"
   when:
       - amazon2cis_rule_1_1_16
@@ -193,7 +226,7 @@
 
       - name: "1.1.17 | AUDIT | Ensure separate partition exists for /home | Message if present"
         debug:
-            msg: "Congradulations: /home is on a seperate partition"
+            msg: "Congratulations: /home is on a seperate partition"
         when: "'/home' in mount_names"
   when:
       - amazon2cis_rule_1_1_17
@@ -250,8 +283,6 @@
   shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
   changed_when: false
   failed_when: false
-  args:
-      warn: false
   when:
       - amazon2cis_rule_1_1_22
   tags:

tasks/section_1/cis_1.2.x.yml

@@ -19,8 +19,6 @@
         command: yum repolist
         changed_when: false
         register: amazon2cis_1_2_2_repolist
-        args:
-            warn: false
 
       - name: "AUDIT| 1.2.2 | AUDIT | Ensure package manager repositories are configured | Show repo list"
         debug:

tasks/section_3/cis_3.1.x.yml

@@ -28,8 +28,6 @@
         failed_when: false
         check_mode: false
         register: amazon2_3_1_2_nmcli_available
-        args:
-            warn: false
 
       - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
         command: nmcli radio wifi

tasks/section_6/cis_6.2.x.yml

@@ -7,8 +7,6 @@
         changed_when: false
         failed_when: false
         register: amazon2_6_2_1_shadow
-        args:
-            warn: false
 
       - name: "6.2.1 | PATCH | Ensure accounts in /etc/passwd use shadow passwords | Good News"
         debug:

templates/audit/99_auditd.rules.j2

@@ -66,8 +66,8 @@
 -w /etc/sudoers.d/ -p wa -k scope
 {% endif %}
 {% if amazon2cis_rule_4_1_15 %}
--a exit,always -F arch=b64 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
--a exit,always -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
+-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
+-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
 {% endif %}
 {% if amazon2cis_rule_4_1_16 %}
 -w /sbin/insmod -p x -k modules

templates/etc/systemd/system/tmp.mount.j2

@@ -0,0 +1,22 @@
+## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!
+
+
+[Unit]
+Description=Temporary Directory (/tmp)
+Documentation=man:hier(7)
+Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+ConditionPathIsSymbolicLink=!/tmp
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=swap.target
+
+[Mount]
+What=tmpfs
+Where=/tmp
+Type=tmpfs
+Options=mode=1777,strictatime,{% if amazon2cis_rule_1_1_3 %}noexec,{% endif %}{% if amazon2cis_rule_1_1_4 %}nodev,{% endif %}{% if amazon2cis_rule_1_1_5 %}nosuid{% endif %}
+
+# Make 'systemctl enable tmp.mount' work:
+[Install]
+WantedBy=local-fs.target