Merge pull request #113 from ansible-lockdown/devel

Release to Main
ansible-lockdown · Feb 21, 2025 · 6554423 · 6554423
2 parents d55e0d3 + fd6ee1f
commit 6554423
Show file tree

Hide file tree

Showing 57 changed files with 621 additions and 605 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.6.0
+  rev: v5.0.0
   hooks:
   # Safety
   - id: detect-aws-credentials
@@ -35,12 +35,12 @@ repos:
   - id: detect-secrets
 
 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.19.2
+  rev: v8.23.3
   hooks:
   - id: gitleaks
 
 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.9.0
+  rev: v25.1.2
   hooks:
   - id: ansible-lint
     name: Ansible-lint

diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
+Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/site.yml b/site.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: Amazon 2023 cis benchmark
+- name: Apply Amazon Linux 2023 CIS hardening
   hosts: all
   become: true
 

diff --git a/tasks/post.yml b/tasks/post.yml
@@ -13,7 +13,7 @@
       dest: "/etc/sysctl.d/{{ item }}"
       owner: root
       group: root
-      mode: 0600
+      mode: 'u-x,go-rwx'
   register: sysctl_updated
   notify: Reload sysctl
   loop:

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -173,7 +173,7 @@
       path: "{{ amzn2023cis_sshd_config_file }}"
       owner: root
       group: root
-      mode: '0600'
+      mode: 'u-x,o-rwx'
       state: touch
   when:
       - amzn2023cis_sshd_config_file != '/etc/ssh/sshd_config'

diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml
@@ -8,15 +8,15 @@
             regexp: "^(#)?install squashfs(\\s|$)"
             line: "install squashfs /bin/true"
             create: true
-            mode: '0600'
+            mode: 'u-x,go-rwx'
 
       - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist"
         ansible.builtin.lineinfile:
             path: /etc/modprobe.d/blacklist.conf
             regexp: "^(#)?blacklist squashfs(\\s|$)"
             line: "blacklist squashfs"
             create: true
-            mode: '0600'
+            mode: 'u-x,go-rwx'
 
       - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
         community.general.modprobe:
@@ -31,7 +31,7 @@
       - patch
       - rule_1.1.1.1
       - squashfs
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled"
   block:
@@ -41,15 +41,15 @@
             regexp: "^(#)?install udf(\\s|$)"
             line: "install udf /bin/true"
             create: true
-            mode: '0600'
+            mode: 'u-x,go-rwx'
 
       - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist"
         ansible.builtin.lineinfile:
             path: /etc/modprobe.d/blacklist.conf
             regexp: "^(#)?blacklist udf(\\s|$)"
             line: "blacklist udf"
             create: true
-            mode: '0600'
+            mode: 'u-x,go-rwx'
 
       - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf"
         community.general.modprobe:
@@ -72,15 +72,15 @@
             regexp: "^(#)?install cramfs(\\s|$)"
             line: "install cramfs /bin/true"
             create: true
-            mode: '0600'
+            mode: 'u-x,go-rwx'
 
       - name: "1.1.1.3 | PATCH | Ensure mounting of cramfs filesystems is disabled | blacklist"
         ansible.builtin.lineinfile:
             path: /etc/modprobe.d/blacklist.conf
             regexp: "^(#)?blacklist cramfs(\\s|$)"
             line: "blacklist cramfs"
             create: true
-            mode: '0600'
+            mode: 'u-x,go-rwx'
 
       - name: "1.1.1.3 | PATCH | Ensure mounting of cramfs filesystems is disable | Disable cramfs"
         community.general.modprobe:
@@ -94,7 +94,7 @@
       - patch
       - rule_1.1.1.3
       - cramfs
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 - name: "1.1.1.4 | PATCH | Ensure mounting of freevxfs filesystems is disabled"
   block:
@@ -104,15 +104,15 @@
             regexp: "^(#)?install freevxfs(\\s|$)"
             line: "install freevxfs /bin/true"
             create: true
-            mode: '0600'
+            mode: 'u-x,go-rwx'
 
       - name: "1.1.1.4 | PATCH | Ensure mounting of freevxfs filesystems is disabled | blacklist"
         ansible.builtin.lineinfile:
             path: /etc/modprobe.d/blacklist.conf
             regexp: "^(#)?blacklist freevxfs(\\s|$)"
             line: "blacklist freevxfs"
             create: true
-            mode: '0600'
+            mode: 'u-x,go-rwx'
 
       - name: "1.1.1.4 | PATCH | Ensure mounting of freevxfs filesystems is disable | Disable freevxfs"
         community.general.modprobe:
@@ -126,7 +126,7 @@
       - patch
       - rule_1.1.1.4
       - freevxfs
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 - name: "1.1.1.5 | PATCH | Ensure mounting of jffs2 filesystems is disabled"
   block:
@@ -136,15 +136,15 @@
             regexp: "^(#)?install jffs2(\\s|$)"
             line: "install jffs2 /bin/true"
             create: true
-            mode: '0600'
+            mode: 'u-x,go-rwx'
 
       - name: "1.1.1.5 | PATCH | Ensure mounting of jffs2 filesystems is disabled | blacklist"
         ansible.builtin.lineinfile:
             path: /etc/modprobe.d/blacklist.conf
             regexp: "^(#)?blacklist jffs2(\\s|$)"
             line: "blacklist jffs2"
             create: true
-            mode: '0600'
+            mode: 'u-x,go-rwx'
 
       - name: "1.1.1.5 | PATCH | Ensure mounting of jffs2 filesystems is disable | Disable jffs2"
         community.general.modprobe:
@@ -158,7 +158,7 @@
       - patch
       - rule_1.1.1.5
       - jffs2
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 - name: "1.1.1.6 | PATCH | Ensure mounting of hfs filesystems is disabled"
   block:
@@ -168,15 +168,15 @@
             regexp: "^(#)?install hfs(\\s|$)"
             line: "install hfs /bin/true"
             create: true
-            mode: '0600'
+            mode: 'u-x,go-rwx'
 
       - name: "1.1.1.6 | PATCH | Ensure mounting of hfs filesystems is disabled | blacklist"
         ansible.builtin.lineinfile:
             path: /etc/modprobe.d/blacklist.conf
             regexp: "^(#)?blacklist hfs(\\s|$)"
             line: "blacklist hfs"
             create: true
-            mode: '0600'
+            mode: 'u-x,go-rwx'
 
       - name: "1.1.1.6 | PATCH | Ensure mounting of hfs filesystems is disable | Disable hfs"
         community.general.modprobe:
@@ -190,7 +190,7 @@
       - patch
       - rule_1.1.1.6
       - hfs
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 - name: "1.1.1.7 | PATCH | Ensure mounting of hfsplus filesystems is disabled"
   block:
@@ -200,15 +200,15 @@
             regexp: "^(#)?install hfsplus(\\s|$)"
             line: "install hfsplus /bin/true"
             create: true
-            mode: '0600'
+            mode: 'u-x,go-rwx'
 
       - name: "1.1.1.7 | PATCH | Ensure mounting of hfsplus filesystems is disabled | blacklist"
         ansible.builtin.lineinfile:
             path: /etc/modprobe.d/blacklist.conf
             regexp: "^(#)?blacklist hfsplus(\\s|$)"
             line: "blacklist hfsplus"
             create: true
-            mode: '0600'
+            mode: 'u-x,go-rwx'
 
       - name: "1.1.1.7 | PATCH | Ensure mounting of hfsplus filesystems is disable | Disable hfsplus"
         community.general.modprobe:
@@ -222,4 +222,4 @@
       - patch
       - rule_1.1.1.7
       - hfsplus
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml
@@ -20,7 +20,7 @@
       - audit
       - mounts
       - rule_1.1.2.1
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 # via fstab
 - name: |
@@ -50,7 +50,7 @@
       - rule_1.1.2.2
       - rule_1.1.2.3
       - rule_1.1.2.4
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 # via systemd
 - name: |
@@ -62,7 +62,7 @@
       dest: /etc/systemd/system/tmp.mount
       owner: root
       group: root
-      mode: '0644'
+      mode: 'u-x,go-wx'
   notify: Systemd restart tmp.mount
   when:
       - amzn2023cis_tmp_svc
@@ -76,6 +76,6 @@
       - rule_1.1.2.2
       - rule_1.1.2.3
       - rule_1.1.2.4
-      - nist_sp800-53r5_CM-7
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_CM-7
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml
@@ -46,5 +46,5 @@
       - skip_ansible_lint
       - rule_1.1.3.2
       - rule_1.1.3.3
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml
@@ -50,5 +50,5 @@
       - rule_1.1.4.2
       - rule_1.1.4.3
       - rule_1.1.4.4
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml
@@ -21,7 +21,7 @@
       - audit
       - mounts
       - rule_1.1.5.1
-      - nist_sp800-53r5_CM-6
+      - NIST800-53R5_CM-6
 
 - name: |
           "1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition"
@@ -50,5 +50,5 @@
       - rule_1.1.5.2
       - rule_1.1.5.3
       - rule_1.1.5.4
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml
@@ -21,7 +21,7 @@
       - audit
       - mounts
       - rule_1.1.6.1
-      - nist_sp800-53r5_CM-6
+      - NIST800-53R5_CM-6
 
 - name: |
           "1.1.6.2 | PATCH | Ensure noexec option set on /var/log/audit partition"
@@ -49,5 +49,5 @@
       - rule_1.1.6.2
       - rule_1.1.6.3
       - rule_1.1.6.4
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml
@@ -21,7 +21,7 @@
       - audit
       - mounts
       - rule_1.1.7.1
-      - nist_sp800-53r5_CM-6
+      - NIST800-53R5_CM-6
 
 - name: |
     "1.1.7.2 | PATCH | Ensure nodev option set on /home partition
@@ -46,5 +46,5 @@
       - mounts
       - rule_1.1.7.2
       - rule_1.1.7.3
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml
@@ -22,7 +22,7 @@
       - audit
       - mounts
       - rule_1.1.8.1
-      - nist_sp800-53r5_CM-7
+      - NIST800-53R5_CM-7
 
 - name: |
        "1.1.8.2 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option
@@ -46,5 +46,5 @@
       - rule_1.1.8.2
       - rule_1.1.8.3
       - rule_1.1.8.4
-      - nist_sp800-53r5_AC-3
-      - nist_sp800-53r5_MP-2
+      - NIST800-53R5_AC-3
+      - NIST800-53R5_MP-2
diff --git a/tasks/section_1/cis_1.1.9.yml b/tasks/section_1/cis_1.1.9.yml
@@ -10,7 +10,7 @@
             create: true
             owner: root
             group: root
-            mode: '0600'
+            mode: 'u-x,go-rwx'
 
       - name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config"
         community.general.modprobe:
@@ -24,7 +24,7 @@
             regexp: "^(#)?blacklist usb-storage(\\s|$)"
             line: "blacklist usb-storage"
             create: true
-            mode: '0600'
+            mode: 'u-x,go-rwx'
   when:
       - amzn2023cis_rule_1_1_9
   tags:
@@ -33,4 +33,4 @@
       - mounts
       - removable_storage
       - rule_1.1.9
-      - nist_sp800-53r5_SI-3
+      - NIST800-53R5_SI-3