Merge pull request #56 from ansible-lockdown/issue_54_fix

Issue 54 and 55 fixes
ansible-lockdown · May 4, 2022 · 79891b0 · 79891b0
2 parents d2b3275 + 52738ae
commit 79891b0
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 4 deletions.
diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml
@@ -132,6 +132,7 @@
         modprobe:
             name: squashfs
             state: absent
+        ignore_errors: yes
         when: ansible_connection != 'docker'
   when:
       - ubtu20cis_rule_1_1_1_6
@@ -416,6 +417,8 @@
       fstype: "{{ item.fstype }}"
       opts: "nodev"
   with_items: "{{ ansible_mounts }}"
+  loop_control:
+      label: "{{ item.device }}"
   when:
       - ubtu20cis_rule_1_1_18
       - item.mount == "/home"

diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml
@@ -137,11 +137,11 @@
             - { regexp: '^OPTIONS', line: 'OPTIONS="-u ntp:ntp"'}
             - { regexp: '^NTPD_OPTIONS', line: 'NTPD_OPTIONS="-u ntp:ntp"' }
 
-      - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Modify /etc/init.d/npt"
+      - name: "AUTOMATED | 2.1.1.4 | PATCH | Ensure ntp is configured | Modify /etc/init.d/ntp"
         lineinfile:
             path: /etc/init.d/ntp
             regexp: '^RUNAUSER'
-            line: 'RUNAUSER=npt'
+            line: 'RUNAUSER=ntp'
   when:
       - ubtu20cis_rule_2_1_1_4
       - ubtu20cis_time_sync_tool == "ntp"

diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml
@@ -74,6 +74,8 @@
             - { regexp: '^local2,local3.\*|^#local2,local3.\*', line: 'local2,local3.*                 -/var/log/localmessages', insertafter: '^# First some standard log files' }
             - { regexp: '^local4,local5.\*|^#local4,local5.\*', line: 'local4,local5.*                 -/var/log/localmessages', insertafter: '^# First some standard log files' }
             - { regexp: '^local6,local7.\*|^#local6,local7.\*', line: 'local6,local7.*                 -/var/log/localmessages', insertafter: '^# First some standard log files' }
+        loop_control:
+            label: "{{ item.line }}"
         notify: restart rsyslog
         when: ubtu20cis_rsyslog_ansible_managed
   when:

diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml
@@ -15,6 +15,8 @@
         with_items:
             - "{{ ubtu20cis_4_3_logrotate_files.files }}"
             - { path: "/etc/logrotate.conf" }
+        loop_control:
+            label: "{{ item.path }}"
   when:
       - ubtu20cis_rule_4_3
   tags:

diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml
@@ -31,6 +31,8 @@
             mode: 0600
         with_items:
             - "{{ ubtu20cis_5_3_2_ssh_host_priv_keys.files }}"
+        loop_control:
+            label: "{{ item.path }}"
   when:
       - ubtu20cis_rule_5_3_2
   tags:
@@ -57,6 +59,8 @@
             mode: 0644
         with_items:
             - "{{ ubtu20cis_5_3_3_ssh_host_pub_keys.files }}"
+        loop_control:
+            label: "{{ item.path }}"
   when:
       - ubtu20cis_rule_5_3_3
   tags:

diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
@@ -171,6 +171,8 @@
         register: ubtu20cis_6_1_10_wwf
         with_items:
             - "{{ ansible_mounts }}"
+        loop_control:
+            label: "{{ item.mount }}"
 
       - name: "AUTOMATED | 6.1.10 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist"
         file:
@@ -199,6 +201,8 @@
         register: ubtu20cis_6_1_11_no_user_items
         with_items:
             - "{{ ansible_mounts }}"
+        loop_control:
+            label: "{{ item.mount }}"
 
       - name: "AUTOMATED | 6.1.11 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use"
         set_fact:
@@ -243,6 +247,8 @@
         register: ubtu20cis_6_1_12_ungrouped_items
         with_items:
             - "{{ ansible_mounts }}"
+        loop_control:
+            label: "{{ item.mount }}"
 
       - name: "AUTOMATED | 6.1.12 | AUDIT | Ensure no ungrouped files or directories exist | Flatten ungrouped_items results for easier use"
         set_fact:
@@ -288,6 +294,8 @@
         register: ubtu20cis_6_1_13_suid_executables
         with_items:
             - "{{ ansible_mounts }}"
+        loop_control:
+            label: "{{ item.mount }}"
 
       - name: "MANUAL | 6.1.13 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use"
         set_fact:
@@ -332,6 +340,8 @@
         register: ubtu20cis_6_1_14_sgid_executables
         with_items:
             - "{{ ansible_mounts }}"
+        loop_control:
+            label: "{{ item.mount }}"
 
       - name: "MANUAL | 6.1.14 | AUDIT | Audit SGID executables | Flatten sgid_executables results for easier use"
         set_fact:

diff --git a/templates/audit/ubtu20cis_4_1_15_actions.rules.j2 b/templates/audit/ubtu20cis_4_1_15_actions.rules.j2
@@ -1,4 +1,4 @@
--a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
+-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
 {% if ansible_architecture == 'x86_64' -%}
--a always,exit -F arch=b64 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
+-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
 {% endif %}