Fixing https://github.com/ansible-lockdown/AMAZON2023-CIS/issues/36 #37
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
…line-automations/ansible-lockdown/amazon2023-cis/-/issues/10#note_27614016 Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
…rafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/19 Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
…that requires the root password to be set Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
…-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/22 Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
…ing "|". Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
…d in issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/22. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
…e it was not supposed to be there! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
updates: - [github.com/pre-commit/pre-commit-hooks: v4.4.0 → v4.5.0](pre-commit/pre-commit-hooks@v4.4.0...v4.5.0) - [github.com/gitleaks/gitleaks: v8.17.0 → v8.18.2](gitleaks/gitleaks@v8.17.0...v8.18.2) - [github.com/ansible-community/ansible-lint: v6.18.0 → v24.2.0](ansible/ansible-lint@v6.18.0...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.35.1)
…s it was implementing something needed by 6.1.10. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
…it-ci-update-config [pre-commit.ci] pre-commit autoupdate
…docs Refactoring documentation
…re_root_psswd_fix Fixing ansible-lockdown#38
…ng_prelim_find_all_sudoers_files Fixing issue ansible-lockdown#42
…1.2.1 Fixing issue ansible-lockdown#44
…ng_inconsistencies Fixing issue ansible-lockdown#46
…r_syntax_fixes Fixing issue ansible-lockdown#48
…ve_6.1.12_duplicate Fixing issue ansible-lockdown#52
…ng_double_import_r_5_3 Removing double import of "cis_5.3.yml".
uk-bolly
reviewed
Feb 22, 2024
There was a problem hiding this comment.
While i understand the issue, this change means that this could be searching any shared mounted drives which on shared systems may introduce major issues for some systems and configurations.
Passing it through the df with xargs allows us to separate those filesystems not part of the same device ID thereby excluding things like /sys and /proc.
Its current state allows it to run on most systems with local disk, it doesn't always allow for systems with multiple disks, again the impact on shared environments could have a very bad adverse effect.
Trying to minimise any possible impact we could change this to add a couple of extra excludes using grep at the end of the command.
e.g.
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 | grep -Ev "/snap|/containerd|/kubelet"
This allows greater control and having tested across a few different OSs seems to be a consistent output.
We could also add a variable if we wanted to allow users to defined their own filesystems to be excluded.
There was a problem hiding this comment.
I would try to modify the command by adding the exceptions in the find part of the command like this:
df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find \( ! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "/sys/kernel/security/apparmor/*" -a ! -path "/snap/*" -a ! -path "/sys/fs/cgroup/memory*" -a ! -path "/sys/fs/selinux/*" \) -xdev -type f -perm -0002
There was a problem hiding this comment.
the -xdev means that the filesystems /sys /run and /proc wouldn't be looked at anyway, so those in the ! -path matching those filesystems wouldn't be needed.
There was a problem hiding this comment.
Sorry, about this, I overlooked it. I will push the modification asap!
…nfig Signed-off-by: DianaMariaDDM <143085010+DianaMariaDDM@users.noreply.github.com>
…ving_prelim_install_authconfig Removing prelim for installing authconfig, as it is not used.
…line-automations/ansible-lockdown/amazon2023-cis/-/issues/10#note_27614016 Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
…AZON2023-CIS into siemens/feat/r_6_1_10_updated
…allation is removed! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
…ving_unneeded_var Removing `amzn2023cis_use_authconfig` variable.
…line-automations/ansible-lockdown/amazon2023-cis/-/issues/10#note_27614016 Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com>
…AZON2023-CIS into siemens/feat/r_6_1_10_updated
uk-bolly
added a commit
that referenced
this pull request
Feb 23, 2024
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
uk-bolly
added a commit
that referenced
this pull request
Mar 6, 2024
* updated to use ansible_facts variables
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Squashed commit of the following:
commit 0cad737fe35db33ff0b867ac4439688cd2bcb009
Author: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Fri Feb 23 09:41:39 2024 +0000
updated and tidied up
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
commit 1fa72013209866be66f7f2a353b9cf6264a3681d
Author: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Fri Feb 23 09:41:10 2024 +0000
audit_only
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* Always tag for 1.2.1 gpg_key package update #14
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* tidy up prelim removal step
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated changelog
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* removed inject facts as vars
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* 4.6.5 related to #27 thanks to @DianaMariaDDM
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* 6.1.10 thanks to @DianaMariaDDM #37
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* tage change to alwasy thanks to @DianaMariaDDM #41
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated changelog
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
* updated changelog
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---------
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
|
Thank you again for you issues and PRs and all the work, i know we have seen this previously with one file being changes but having multiple commits being added. I believe this is the same issue that one of your colleagues is having. If you could please check and close if this is done. Many thanks and apologies for any confusion. uk-bolly |
uk-bolly
added a commit
that referenced
this pull request
Apr 15, 2024
* Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/3 by editing the destination path! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/4 by masking both the socket and the service! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/6 by editing the value of `clientalivecountmax` to 3! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/2 by using `import_tasks` module so as the rules will get added and executed! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/5 by adding the necessary lines to both sshd_config file and sshd_config.d/ files. The same method is used for all the rules from 4.2.x, to make them compliant with CISs checks. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing trailing whitespaces Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing trailing whitespaces and fixing an end-of-file Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Refactoring docs Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Small fixings for https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/19 Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing trailing whitespace Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing fail message so that is states the correct number of the rule that requires the root password to be set Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing inconsistencies for issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/22 Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing minor syntax issues by adding missing "PATCH" keywords or missing "|". Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Fixing PRELIM task "PRELIM | 4.3.3 | Find all sudoers files" mentioned in issue https://code.siemens.com/infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/amazon2023-cis/-/issues/22. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing 1.1.2.1 from multiline task 1.1.2.2 ,1.1.2.3, 1.1.2.4 because it was not supposed to be there! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing prelim for installing authconfig, as it is not used. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * [pre-commit.ci] pre-commit autoupdate updates: - [github.com/pre-commit/pre-commit-hooks: v4.4.0 → v4.5.0](pre-commit/pre-commit-hooks@v4.4.0...v4.5.0) - [github.com/gitleaks/gitleaks: v8.17.0 → v8.18.2](gitleaks/gitleaks@v8.17.0...v8.18.2) - [github.com/ansible-community/ansible-lint: v6.18.0 → v24.2.0](ansible/ansible-lint@v6.18.0...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.35.1) * Removing the 6.1.12 duplicate task and adding it to the 6.1.10 task as it was implementing something needed by 6.1.10. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * De-commenting allow and deny variables for sshd. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Removing double import of cis_5.3.yml. Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * As authconfig is not needed anymore, the variable related to its installation is removed! Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> * Feb 24 updates to devel (#58) * updated to use ansible_facts variables Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Squashed commit of the following: commit 0cad737fe35db33ff0b867ac4439688cd2bcb009 Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Fri Feb 23 09:41:39 2024 +0000 updated and tidied up Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> commit 1fa72013209866be66f7f2a353b9cf6264a3681d Author: Mark Bolwell <mark.bollyuk@gmail.com> Date: Fri Feb 23 09:41:10 2024 +0000 audit_only Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Always tag for 1.2.1 gpg_key package update #14 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tidy up prelim removal step Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changelog Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed inject facts as vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * 4.6.5 related to #27 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * 6.1.10 thanks to @DianaMariaDDM #37 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tage change to alwasy thanks to @DianaMariaDDM #41 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changelog Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated changelog Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated ansible fact naming and checkout action (#64) * updated ansible fact naming for ansible_facts.virtualization_type Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated checkout version Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * ansible fact update Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated ansible facts and timeout now inherited Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * [pre-commit.ci] pre-commit autoupdate (#65) updates: - [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](ansible/ansible-lint@v24.2.0...v24.2.1) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> * 4.2.16: Add variable for SSH MaxAuthTries (#66) Signed-off-by: Tom Henderson <tom.henderson@pushpay.com> * 4.2.16: Correct variable name and required max value (#67) Signed-off-by: Tom Henderson <tom.henderson@pushpay.com> * March 24 updates (#68) * addressed #59 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * issue #59 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * issue #62 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated variable name in conditional Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated container check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated authselect PR Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix conditional typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix conditional typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fix var typo Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * [pre-commit.ci] pre-commit autoupdate (#69) updates: - [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](pre-commit/pre-commit-hooks@v4.5.0...v4.6.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --------- Signed-off-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> Signed-off-by: DianaMariaDDM <143085010+DianaMariaDDM@users.noreply.github.com> Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> Signed-off-by: Tom Henderson <tom.henderson@pushpay.com> Co-authored-by: Diana-Maria Dumitru <diana.dumitru.ext@siemens.com> Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> Co-authored-by: DianaMariaDDM <143085010+DianaMariaDDM@users.noreply.github.com> Co-authored-by: Tom Henderson <tomhenderson@mac.com> Co-authored-by: Tom Henderson <tom.henderson@pushpay.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overall Review of Changes:
This PR contains the solution for this issue.
Issue Fixes:
Enhancements:
None.
How has this been tested?:
Locally.