Enhancements (#228)

* issue #175 thanks to @rostskadat

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* issue #200 thanks to @DianaMariaDDM

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated name for mount options variables

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

---------

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

Changelog.md

@@ -2,6 +2,14 @@
 
 ## Based on CIS V1.0.0
 
+### 1.1.1
+
+- Huge thanks to
+  - @rostskadat
+    - #175 - Allowing changes to the ssh default variables
+  - @DianaMariaDDM
+    - #200 - new approach to tmp mount options
+
 ### 1.1.0
 
 - #223 thanks to feedback @txsastre

defaults/main.yml

@@ -837,6 +837,35 @@ ubtu22cis_rsyslog_ansible_managed: true
 ##
 
 ## Controls 5.2.4/5/13/14/15/18/20/21/22 -- various sshd settings
+ubtu22cis_sshd_default_log_level: "INFO"
+ubtu22cis_sshd_default_ciphers:
+    - chacha20-poly1305@openssh.com
+    - aes256-gcm@openssh.com
+    - aes128-gcm@openssh.com
+    - aes256-ctr
+    - aes192-ctr
+    - aes128-ctr
+ubtu22cis_sshd_default_macs:
+    - hmac-sha2-512-etm@openssh.com
+    - hmac-sha2-256-etm@openssh.com
+    - hmac-sha2-512
+    - hmac-sha2-256
+ubtu22cis_sshd_default_kex_algorithms:
+    - curve25519-sha256
+    - curve25519-sha256@libssh.org
+    - diffie-hellman-group14-sha256
+    - diffie-hellman-group16-sha512
+    - diffie-hellman-group18-sha512
+    - ecdh-sha2-nistp521
+    - ecdh-sha2-nistp384
+    - ecdh-sha2-nistp256
+    - diffie-hellman-group-exchange-sha256
+ubtu22cis_sshd_default_max_auth_tries: 4
+ubtu22cis_sshd_default_max_sessions: 8
+ubtu22cis_sshd_default_login_grace_time: 60
+ubtu22cis_sshd_default_client_alive_interval: 300
+ubtu22cis_sshd_default_client_alive_count_max: 3
+
 ubtu22cis_sshd:
     # This variable is used to control the verbosity of the logging produced by the SSH server.
     # The options for setting it are as follows:
@@ -846,51 +875,32 @@ ubtu22cis_sshd:
     # - `INFO`: logs informational messages in addition to errors;
     # - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges;
     # - `DEBUG`: generates very detailed debugging information including sensitive information.
-    log_level: "INFO"
+    log_level: "{{ubtu22cis_sshd_default_log_level}}"
     # This variable specifies the maximum number of authentication attempts that are
     # allowed for a single SSH session.
-    max_auth_tries: 4
+    max_auth_tries: "{{ubtu22cis_sshd_default_max_auth_tries}}"
     # This variable specifies the encryption algorithms that can be used for securing
     # data transmission.
-    ciphers:
-        - chacha20-poly1305@openssh.com
-        - aes256-gcm@openssh.com
-        - aes128-gcm@openssh.com
-        - aes256-ctr
-        - aes192-ctr
-        - aes128-ctr
+    ciphers: "{{ubtu22cis_sshd_default_ciphers}}"
     # This variable specifies a list of message authentication code algorithms (MACs) that are allowed for verifying
     # the integrity of data exchanged.
-    macs:
-        - hmac-sha2-512-etm@openssh.com
-        - hmac-sha2-256-etm@openssh.com
-        - hmac-sha2-512
-        - hmac-sha2-256
+    macs: "{{ubtu22cis_sshd_default_macs}}"
     # This variable is used to state the key exchange algorithms used to establish secure encryption
     # keys during the initial connection setup.
-    kex_algorithms:
-        - curve25519-sha256
-        - curve25519-sha256@libssh.org
-        - diffie-hellman-group14-sha256
-        - diffie-hellman-group16-sha512
-        - diffie-hellman-group18-sha512
-        - ecdh-sha2-nistp521
-        - ecdh-sha2-nistp384
-        - ecdh-sha2-nistp256
-        - diffie-hellman-group-exchange-sha256
+    kex_algorithms: "{{ubtu22cis_sshd_default_kex_algorithms}}"
     # This variable sets the time interval in seconds between sending "keep-alive"
     # messages from the server to the client. These types of messages are intended to
     # keep the connection alive and prevent it being terminated due to inactivity.
-    client_alive_interval: 300
+    client_alive_interval: "{{ubtu22cis_sshd_default_client_alive_interval}}"
     # This variable sets the maximum number of unresponsive "keep-alive" messages
     # that can be sent from the server to the client before the connection is considered
     # inactive and thus, closed.
-    client_alive_count_max: 3
+    client_alive_count_max: "{{ubtu22cis_sshd_default_client_alive_count_max}}"
     # This variable specifies the amount of seconds allowed for successful authentication to
     # the SSH server.
-    login_grace_time: 60
+    login_grace_time: "{{ubtu22cis_sshd_default_login_grace_time}}"
     # This variables is used to set the maximum number of open sessions per connection.
-    max_sessions: 8
+    max_sessions: "{{ubtu22cis_sshd_default_max_sessions}}"
     # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH
     # access for users whose user name matches one of the patterns. This is done
     # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file.

handlers/main.yml

@@ -1,5 +1,39 @@
 ---
 
+- name: Writing the tmp file | tmp_systemd
+  ansible.builtin.template:
+      src: etc/systemd/system/tmp.mount.j2
+      dest: /etc/systemd/system/tmp.mount
+      owner: root
+      group: root
+      mode: '0644'
+  with_items:
+      - "{{ ansible_facts.mounts }}"
+  loop_control:
+      label: "{{ item.device }}"
+  when:
+      - "'/tmp' in mount_names"
+      - item.mount == "/tmp"
+      - tmp_mnt_type == 'tmp_systemd'
+  listen: Writing and remounting tmp
+
+- name: Writing the tmp file | fstab
+  ansible.posix.mount:
+      path: /tmp
+      src: "{{ item.device }}"
+      state: present
+      fstype: "{{ item.fstype }}"
+      opts: defaults,{{ tmp_partition_mount_options | unique | join(',') }}
+  with_items:
+      - "{{ ansible_facts.mounts }}"
+  loop_control:
+      label: "{{ item.device }}"
+  when:
+      - "'/tmp' in mount_names"
+      - tmp_mnt_type == 'fstab'
+      - item.mount == "/tmp"
+  listen: Writing and remounting tmp
+
 - name: Update_Initramfs
   ansible.builtin.shell: update-initramfs -u
   notify: set_reboot_required
@@ -8,6 +42,9 @@
   ansible.posix.mount:
       path: /tmp
       state: remounted
+  when:
+      - "'/tmp' in mount_names"
+  listen: Writing and remounting tmp
 
 - name: Remount var
   ansible.posix.mount:

tasks/prelim.yml

@@ -59,6 +59,23 @@
   tags:
       - always
 
+- name: PRELIM | Initialize the mount options variable
+  block:
+      - name: PRELIM | Initializing the var if there is no /tmp mount | set_fact
+        ansible.builtin.set_fact:
+            tmp_partition_mount_options: []
+        when: "'/tmp' not in mount_names"
+
+      - name: PRELIM | Initializing the var if there is a /tmp mount | set_fact
+        ansible.builtin.set_fact:
+            tmp_partition_mount_options: "{{ item.options.split(',') }}"
+        loop: "{{ ansible_facts.mounts }}"
+        when:
+            - item.mount == "/tmp"
+            - "'/tmp' in mount_names"
+  tags:
+      - always
+
 - name: "PRELIM | AUDIT | Check for autofs service"
   ansible.builtin.shell: "systemctl show autofs | grep LoadState | cut -d = -f 2"
   register: ubtu22cis_autofs_service_status

tasks/section_1/cis_1.1.2.x.yml

@@ -23,68 +23,56 @@
       - rule_1.1.2.1
       - tmp
 
-- name: |
-    "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition | tmp_systemd"
-    "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition | tmp_systemd"
-    "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition | tmp_systemd"
-  ansible.builtin.template:
-      src: etc/systemd/system/tmp.mount.j2
-      dest: /etc/systemd/system/tmp.mount
-      owner: root
-      group: root
-      mode: '0644'
-  notify: Remount tmp
-  with_items:
-      - "{{ ansible_facts.mounts }}"
-  loop_control:
-      label: "{{ item.device }}"
+- name: "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition"
+  ansible.builtin.set_fact:
+      tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nodev' ] }}"
+  changed_when: true
+  notify: Writing and remounting tmp
+  vars:
+      required_mount: '/tmp'
   when:
-      - "'/tmp' in mount_names"
-      - item.mount == "/tmp"
-      - tmp_mnt_type == 'tmp_systemd'
-      - ubtu22cis_rule_1_1_2_2 or
-        ubtu22cis_rule_1_1_2_3 or
-        ubtu22cis_rule_1_1_2_4
+      - required_mount in mount_names
+      - ubtu22cis_rule_1_1_2_2
   tags:
       - level1-server
       - level1-workstation
       - automated
       - patch
       - rule_1.1.2.2
-      - rule_1.1.2.3
-      - rule_1.1.2.4
       - tmp
 
-- name: |
-    "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition | fstab"
-    "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition | fstab"
-    "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition | fstab"
-  ansible.posix.mount:
-      path: /tmp
-      src: "{{ item.device }}"
-      state: present
-      fstype: "{{ item.fstype }}"
-      opts: defaults,{% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %}
-  notify: Remount tmp
-  with_items:
-      - "{{ ansible_facts.mounts }}"
-  loop_control:
-      label: "{{ item.device }}"
+- name: "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition"
+  ansible.builtin.set_fact:
+      tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'noexec' ] }}"
+  changed_when: true
+  notify: Writing and remounting tmp
+  vars:
+      required_mount: '/tmp'
   when:
-      - "'/tmp' in mount_names"
-      - tmp_mnt_type == 'fstab'
-      - item.mount == "/tmp"
-      - ubtu22cis_rule_1_1_2_1 or
-        ubtu22cis_rule_1_1_2_2 or
-        ubtu22cis_rule_1_1_2_3 or
-        ubtu22cis_rule_1_1_2_4
+      - required_mount in mount_names
+      - ubtu22cis_rule_1_1_2_3
   tags:
       - level1-server
       - level1-workstation
       - automated
       - patch
-      - rule_1.1.2.2
-      - rule_1.1.2.2
       - rule_1.1.2.3
+      - tmp
+
+- name: "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition"
+  ansible.builtin.set_fact:
+      tmp_partition_mount_options: "{{ tmp_partition_mount_options + [ 'nosuid' ] }}"
+  changed_when: true
+  notify: Writing and remounting tmp
+  vars:
+      required_mount: '/tmp'
+  when:
+      - required_mount in mount_names
+      - ubtu22cis_rule_1_1_2_4
+  tags:
+      - level1-server
+      - level1-workstation
+      - automated
+      - patch
       - rule_1.1.2.4
       - tmp

tasks/section_5/cis_5.2.x.yml

@@ -123,7 +123,7 @@
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
       regexp: '^LogLevel|^#LogLevel'
-      line: "LogLevel {{ ubtu22cis_sshd.log_level }}"
+      line: 'LogLevel {{ ubtu22cis_sshd.log_level | default(ubtu22cis_sshd_default_log_level) }}'
       insertafter: '^# Logging'
       validate: 'sshd -t -f %s'
   notify: Restart sshd
@@ -263,7 +263,7 @@
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
       regexp: '^Ciphers|^#Ciphers'
-      line: "Ciphers {{ ubtu22cis_sshd.ciphers | join(',') }}"
+      line: "Ciphers {{ ubtu22cis_sshd.ciphers | default(ubtu22cis_sshd_default_ciphers) | join(',') }}"
       insertafter: '^# Ciphers and keying'
       validate: 'sshd -t -f %s'
   notify: Restart sshd
@@ -281,7 +281,7 @@
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
       regexp: '^MACs|^#MACs'
-      line: "MACs {{ ubtu22cis_sshd.macs | join(',') }}"
+      line: "MACs {{ ubtu22cis_sshd.macs | default(ubtu22cis_sshd_default_macs) | join(',') }}"
       insertafter: '^# Ciphers and keying'
       validate: 'sshd -t -f %s'
   notify: Restart sshd
@@ -299,7 +299,7 @@
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
       regexp: '^KexAlgorithms|^#KexAlgorithms'
-      line: "KexAlgorithms {{ ubtu22cis_sshd.kex_algorithms | join(',') }}"
+      line: "KexAlgorithms {{ ubtu22cis_sshd.kex_algorithms | default(ubtu22cis_sshd_default_kex_algorithms) | join(',') }}"
       insertafter: '^# Ciphers and keying'
       validate: 'sshd -t -f %s'
   notify: Restart sshd
@@ -352,7 +352,7 @@
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
       regexp: '^MaxAuthTries|^#MaxAuthTries'
-      line: 'MaxAuthTries {{ ubtu22cis_sshd.max_auth_tries }}'
+      line: 'MaxAuthTries {{ ubtu22cis_sshd.max_auth_tries | default(ubtu22cis_sshd_default_max_auth_tries) }}'
       insertafter: '^# Authentication'
       validate: 'sshd -t -f %s'
   notify: Restart sshd
@@ -387,7 +387,7 @@
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
       regexp: '^MaxSessions|^#MaxSessions'
-      line: 'MaxSessions {{ ubtu22cis_sshd.max_sessions }}'
+      line: 'MaxSessions {{ ubtu22cis_sshd.max_sessions | default(ubtu22cis_sshd_default_max_sessions) }}'
       insertafter: '^# Authentication'
       validate: 'sshd -t -f %s'
   notify: Restart sshd
@@ -405,7 +405,7 @@
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
       regexp: '^LoginGraceTime|^#LoginGraceTime'
-      line: 'LoginGraceTime {{ ubtu22cis_sshd.login_grace_time }}'
+      line: 'LoginGraceTime {{ ubtu22cis_sshd.login_grace_time | default(ubtu22cis_sshd_default_login_grace_time) }}'
       insertafter: '^# Authentication'
       validate: 'sshd -t -f %s'
   notify: Restart sshd
@@ -426,8 +426,8 @@
       line: "{{ item.line }}"
       validate: 'sshd -t -f %s'
   with_items:
-      - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu22cis_sshd.client_alive_interval }}' }
-      - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu22cis_sshd.client_alive_count_max }}' }
+      - { regexp: '^ClientAliveInterval|^#ClientAliveInterval', line: 'ClientAliveInterval {{ ubtu22cis_sshd.client_alive_interval | default(ubtu22cis_sshd_default_client_alive_interval) }}' }
+      - { regexp: '^ClientAliveCountMax|^#ClientAliveCountMax', line: 'ClientAliveCountMax {{ ubtu22cis_sshd.client_alive_count_max | default(ubtu22cis_sshd_default_client_alive_count_max) }}' }
   notify: Restart sshd
   when:
       - ubtu22cis_rule_5_2_22

templates/etc/systemd/system/tmp.mount.j2

@@ -10,7 +10,8 @@ After=swap.target
 What=tmpfs
 Where=/tmp
 Type=tmpfs
-Options: {% if ubtu22cis_rule_1_1_2_2 %}nodev,{% endif %}{% if ubtu22cis_rule_1_1_2_3 %}noexec,{% endif %}{% if ubtu22cis_rule_1_1_2_4 %}nosuid{% endif %}
+
+Options: {{ tmp_partition_mount_options | unique | join(',') }}
 
 [Install]
 WantedBy=local-fs.target