From e325b8a5c5a51d913a8f2e16cb62f4c730ba901b Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 17:48:53 +0000 Subject: [PATCH 01/20] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.9.0 → v24.9.2](https://github.com/ansible-community/ansible-lint/compare/v24.9.0...v24.9.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 32ed016..bcbce98 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,7 +40,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.9.0 + rev: v24.9.2 hooks: - id: ansible-lint name: Ansible-lint From 90be06305a66cab05ceb3092775d3008c6bf4991 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 18:26:41 +0000 Subject: [PATCH 02/20] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v4.6.0 → v5.0.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.6.0...v5.0.0) - [github.com/gitleaks/gitleaks: v8.19.2 → v8.20.1](https://github.com/gitleaks/gitleaks/compare/v8.19.2...v8.20.1) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index bcbce98..e890b35 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v5.0.0 hooks: # Safety - id: detect-aws-credentials 
@@ -35,7 +35,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.19.2 + rev: v8.20.1 hooks: - id: gitleaks From 6269ab9be82b15bd33b866be0370406f5bda4eb1 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 17:54:45 +0000 Subject: [PATCH 03/20] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.20.1 → v8.21.1](https://github.com/gitleaks/gitleaks/compare/v8.20.1...v8.21.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e890b35..8f80796 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,7 +35,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.20.1 + rev: v8.21.1 hooks: - id: gitleaks From 16bfab9ab42c3e8fd21633bb860a412c255cb525 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 18:01:13 +0000 Subject: [PATCH 04/20] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.21.1 → v8.21.2](https://github.com/gitleaks/gitleaks/compare/v8.21.1...v8.21.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8f80796..cf55dc7 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,7 +35,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.21.1 + rev: v8.21.2 hooks: - id: gitleaks From 6065dd6b1f3c373639766f870bb38c29f3386f26 Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 17:54:55 +0000 Subject: [PATCH 05/20] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.9.2 → v24.10.0](https://github.com/ansible-community/ansible-lint/compare/v24.9.2...v24.10.0) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cf55dc7..99cc0a6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,7 +40,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.9.2 + rev: v24.10.0 hooks: - id: ansible-lint name: Ansible-lint From 40eddc756fd3ecdd68097e884206e2ef84e5f7d2 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 16 Dec 2024 17:53:30 +0000 Subject: [PATCH 06/20] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.10.0 → v24.12.2](https://github.com/ansible-community/ansible-lint/compare/v24.10.0...v24.12.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 99cc0a6..6ef5501 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,7 +40,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.10.0 + rev: v24.12.2 hooks: - id: ansible-lint name: Ansible-lint From 810d157afd23dd45c45dc2d4501f81752f31b556 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 17 Dec 2024 12:31:30 +0000 Subject: [PATCH 07/20] License file updated file mode aligned 
Signed-off-by: Mark Bolwell --- LICENSE | 2 +- tasks/post.yml | 2 +- tasks/prelim.yml | 2 +- tasks/section_1/cis_1.1.1.x.yml | 28 ++++++++++++++-------------- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.1.9.yml | 4 ++-- tasks/section_1/cis_1.7.x.yml | 12 ++++++------ tasks/section_2/cis_2.1.x.yml | 4 ++-- tasks/section_3/cis_3.1.x.yml | 16 ++++++++-------- tasks/section_4/cis_4.1.x.yml | 16 ++++++++-------- tasks/section_4/cis_4.2.x.yml | 6 +++--- tasks/section_4/cis_4.6.x.yml | 2 +- tasks/section_5/cis_5.1.3.yml | 2 +- tasks/section_5/cis_5.2.4.x.yml | 6 +++--- tasks/section_6/cis_6.1.x.yml | 20 ++++++++++---------- tasks/section_6/cis_6.2.x.yml | 4 ++-- 16 files changed, 64 insertions(+), 64 deletions(-) diff --git a/LICENSE b/LICENSE index f6d2b57..7e51eb7 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/tasks/post.yml b/tasks/post.yml index b681f02..c08ffd2 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -13,7 +13,7 @@ dest: "/etc/sysctl.d/{{ item }}" owner: root group: root - mode: 0600 + mode: 'u-x,go-rwx' register: sysctl_updated notify: Reload sysctl loop: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index ed47db2..018bfc3 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -173,7 +173,7 @@ path: "{{ amzn2023cis_sshd_config_file }}" owner: root group: root - mode: '0600' + mode: 'u-x,o-rwx' state: touch when: - amzn2023cis_sshd_config_file != '/etc/ssh/sshd_config' diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 177d846..f46d2f0 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml 
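Review bot: In the tasks/prelim.yml hunk the replacement for `'0600'` is `'u-x,o-rwx'`, which leaves the group class untouched, whereas every other `'0600'` in this commit becomes `'u-x,go-rwx'` (tasks/post.yml just above and the section_1/3/4 hunks that follow). On `{{ amzn2023cis_sshd_config_file }}` that keeps any existing group read/write bits, so a non-default sshd config that was group-writable stays so after the run, and the 4.2.1 task later in this commit only hardens the literal `/etc/ssh/sshd_config`, which is exactly the case this prelim task excludes with its `when:`. The line should read `mode: 'u-x,go-rwx'`. Worth stating in a comment somewhere in the role: these symbolic forms only remove bits, so they enforce "or more restrictive" rather than the exact mode the old octal values set (a file that is already tighter than intended is left as is). The `when:` list of this task continues outside the hunk.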
@@ -8,7 +8,7 @@ regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -16,7 +16,7 @@ regexp: "^(#)?blacklist squashfs(\\s|$)" line: "blacklist squashfs" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" community.general.modprobe: @@ -41,7 +41,7 @@ regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -49,7 +49,7 @@ regexp: "^(#)?blacklist udf(\\s|$)" line: "blacklist udf" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" community.general.modprobe: @@ -72,7 +72,7 @@ regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.3 | PATCH | Ensure mounting of cramfs filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -80,7 +80,7 @@ regexp: "^(#)?blacklist cramfs(\\s|$)" line: "blacklist cramfs" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.3 | PATCH | Ensure mounting of cramfs filesystems is disable | Disable cramfs" community.general.modprobe: @@ -104,7 +104,7 @@ regexp: "^(#)?install freevxfs(\\s|$)" line: "install freevxfs /bin/true" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.4 | PATCH | Ensure mounting of freevxfs filesystems is disabled | blacklist" ansible.builtin.lineinfile: 
@@ -112,7 +112,7 @@ regexp: "^(#)?blacklist freevxfs(\\s|$)" line: "blacklist freevxfs" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.4 | PATCH | Ensure mounting of freevxfs filesystems is disable | Disable freevxfs" community.general.modprobe: @@ -136,7 +136,7 @@ regexp: "^(#)?install jffs2(\\s|$)" line: "install jffs2 /bin/true" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.5 | PATCH | Ensure mounting of jffs2 filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -144,7 +144,7 @@ regexp: "^(#)?blacklist jffs2(\\s|$)" line: "blacklist jffs2" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.5 | PATCH | Ensure mounting of jffs2 filesystems is disable | Disable jffs2" community.general.modprobe: @@ -168,7 +168,7 @@ regexp: "^(#)?install hfs(\\s|$)" line: "install hfs /bin/true" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.6 | PATCH | Ensure mounting of hfs filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -176,7 +176,7 @@ regexp: "^(#)?blacklist hfs(\\s|$)" line: "blacklist hfs" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.6 | PATCH | Ensure mounting of hfs filesystems is disable | Disable hfs" community.general.modprobe: @@ -200,7 +200,7 @@ regexp: "^(#)?install hfsplus(\\s|$)" line: "install hfsplus /bin/true" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.7 | PATCH | Ensure mounting of hfsplus filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -208,7 +208,7 @@ regexp: "^(#)?blacklist hfsplus(\\s|$)" line: "blacklist hfsplus" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.1.7 | PATCH | Ensure mounting of hfsplus filesystems is disable | Disable hfsplus" community.general.modprobe: diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 58bc13b..999a231 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml 
@@ -62,7 +62,7 @@ dest: /etc/systemd/system/tmp.mount owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' notify: Systemd restart tmp.mount when: - amzn2023cis_tmp_svc diff --git a/tasks/section_1/cis_1.1.9.yml b/tasks/section_1/cis_1.1.9.yml index aec3502..b8c7a57 100644 --- a/tasks/section_1/cis_1.1.9.yml +++ b/tasks/section_1/cis_1.1.9.yml @@ -10,7 +10,7 @@ create: true owner: root group: root - mode: '0600' + mode: 'u-x,go-rwx' - name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config" community.general.modprobe: @@ -24,7 +24,7 @@ regexp: "^(#)?blacklist usb-storage(\\s|$)" line: "blacklist usb-storage" create: true - mode: '0600' + mode: 'u-x,go-rwx' when: - amzn2023cis_rule_1_1_9 tags: diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index eb9f88a..6850ec4 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -6,7 +6,7 @@ dest: /etc/motd owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_1_7_1 tags: @@ -22,7 +22,7 @@ dest: /etc/issue owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_1_7_2 tags: @@ -39,7 +39,7 @@ dest: /etc/issue.net owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_1_7_3 tags: @@ -56,7 +56,7 @@ path: /etc/motd owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_1_7_4 tags: @@ -72,7 +72,7 @@ path: /etc/issue owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_1_7_5 tags: @@ -88,7 +88,7 @@ path: /etc/issue.net owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_1_7_6 tags: diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 8311441..df312f7 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml 
@@ -22,7 +22,7 @@ dest: /etc/chrony.d/chrony.conf owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" ansible.builtin.lineinfile: @@ -30,7 +30,7 @@ regexp: "^(#)?OPTIONS" line: "OPTIONS=\"-u chrony\"" create: true - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_2_1_2 - not system_is_container diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 2fda66c..bbecfb9 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -30,7 +30,7 @@ ansible.builtin.template: src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" - mode: '0600' + mode: 'u-x,go-rwx' owner: root group: root loop: @@ -42,7 +42,7 @@ regexp: "^(#)?blacklist {{ protocol }}(\\s|$)" line: "blacklist {{ protocol }}" create: true - mode: '0600' + mode: 'u-x,go-rwx' vars: protocol: dccp when: @@ -60,7 +60,7 @@ ansible.builtin.template: src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" - mode: '0600' + mode: 'u-x,go-rwx' owner: root group: root loop: @@ -72,7 +72,7 @@ regexp: "^(#)?blacklist {{ protocol }}(\\s|$)" line: "blacklist {{ protocol }}" create: true - mode: '0600' + mode: 'u-x,go-rwx' vars: protocol: sctp when: @@ -91,7 +91,7 @@ ansible.builtin.template: src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" - mode: '0600' + mode: 'u-x,go-rwx' owner: root group: root loop: @@ -103,7 +103,7 @@ regexp: "^(#)?blacklist {{ protocol }}(\\s|$)" line: "blacklist {{ protocol }}" create: true - mode: '0600' + mode: 'u-x,go-rwx' vars: protocol: rds when: @@ -121,7 +121,7 @@ ansible.builtin.template: src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" - mode: '0600' + mode: 'u-x,go-rwx' owner: root group: root loop: 
@@ -133,7 +133,7 @@ regexp: "^(#)?blacklist {{ protocol }}(\\s|$)" line: "blacklist {{ protocol }}" create: true - mode: '0600' + mode: 'u-x,go-rwx' vars: protocol: tipc when: diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index 5592247..27b20c7 100644 --- a/tasks/section_4/cis_4.1.x.yml +++ b/tasks/section_4/cis_4.1.x.yml @@ -22,7 +22,7 @@ path: /etc/crontab owner: root group: root - mode: '0600' + mode: 'u-x,go-rwx' when: - amzn2023cis_rule_4_1_2 tags: @@ -39,7 +39,7 @@ state: directory owner: root group: root - mode: '0700' + mode: 'u+x,go-rwx' when: - amzn2023cis_rule_4_1_3 tags: @@ -56,7 +56,7 @@ state: directory owner: root group: root - mode: '0700' + mode: 'u+x,go-rwx' when: - amzn2023cis_rule_4_1_4 tags: @@ -73,7 +73,7 @@ state: directory owner: root group: root - mode: '0700' + mode: 'u+x,go-rwx' when: - amzn2023cis_rule_4_1_5 tags: @@ -89,7 +89,7 @@ state: directory owner: root group: root - mode: '0700' + mode: 'u+x,go-rwx' when: - amzn2023cis_rule_4_1_6 tags: @@ -105,7 +105,7 @@ state: directory owner: root group: root - mode: '0700' + mode: 'u+x,go-rwx' when: - amzn2023cis_rule_4_1_7 tags: @@ -134,7 +134,7 @@ state: '{{ "file" if amzn2023cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: '0600' + mode: 'u-x,go-rwx' when: - amzn2023cis_rule_4_1_8 tags: @@ -163,7 +163,7 @@ state: '{{ "file" if amzn2023cis_5_1_9_at_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: '0600' + mode: 'u-x,go-rwx' when: - amzn2023cis_rule_4_1_9 tags: diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml index 06a542a..656c3bb 100644 --- a/tasks/section_4/cis_4.2.x.yml +++ b/tasks/section_4/cis_4.2.x.yml @@ -5,7 +5,7 @@ path: "/etc/ssh/sshd_config" owner: root group: root - mode: '0600' + mode: 'u-x,go-rwx' when: - amzn2023cis_rule_4_2_1 tags: 
@@ -32,7 +32,7 @@ path: "{{ item.path }}" owner: root group: root - mode: '0600' + mode: 'u-x,go-rwx' loop: "{{ amzn2023cis_4_2_2_ssh_private_host_key.files }}" loop_control: label: "{{ item.path }}" @@ -62,7 +62,7 @@ path: "{{ item.path }}" owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' loop: "{{ amzn2023cis_4_2_3_ssh_public_host_key.files }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_4/cis_4.6.x.yml b/tasks/section_4/cis_4.6.x.yml index 67a4046..5195966 100644 --- a/tasks/section_4/cis_4.6.x.yml +++ b/tasks/section_4/cis_4.6.x.yml @@ -53,7 +53,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: '0644' + mode: 'u-x,go-wx' block: | TMOUT={{ amzn2023cis_shell_session_timeout.timeout }} export TMOUT diff --git a/tasks/section_5/cis_5.1.3.yml b/tasks/section_5/cis_5.1.3.yml index 6259555..c050a10 100644 --- a/tasks/section_5/cis_5.1.3.yml +++ b/tasks/section_5/cis_5.1.3.yml @@ -12,7 +12,7 @@ - name: "5.1.3 | PATCH | Ensure all logfiles have appropriate permissions and ownership | change permissions" ansible.builtin.file: path: "{{ item.path }}" - mode: '0640' + mode: 'u-x,g-wx,o-rwx' loop: "{{ logfiles.files }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_5/cis_5.2.4.x.yml b/tasks/section_5/cis_5.2.4.x.yml index d6aedf1..f4cf7ac 100644 --- a/tasks/section_5/cis_5.2.4.x.yml +++ b/tasks/section_5/cis_5.2.4.x.yml @@ -50,7 +50,7 @@ ansible.builtin.file: path: "{{ audit_discovered_logfile.stdout | dirname }}" state: directory - mode: '0750' + mode: 'u+x,g-w,o-rwx' when: not auditlog_dir.stat.mode is match('07(0|5)0') when: - amzn2023cis_rule_5_2_4_4 @@ -63,7 +63,7 @@ - name: "5.2.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" ansible.builtin.file: path: "{{ item.path }}" - mode: g-wx,o-rwx + mode: 'g-wx,o-rwx' loop: "{{ auditd_conf_files.files | default([]) }}" loop_control: label: "{{ item.path }}" 
@@ -125,7 +125,7 @@ - name: "5.2.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" ansible.builtin.file: path: "{{ item.item }}" - mode: '0750' + mode: 'u+x,g-w,o-rwx' loop: "{{ audit_bins.results }}" loop_control: diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 503ea46..55b209f 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -5,7 +5,7 @@ path: /etc/passwd owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_6_1_1 tags: @@ -21,7 +21,7 @@ path: /etc/passwd- owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_6_1_2 tags: @@ -37,7 +37,7 @@ path: /etc/group- owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_6_1_3 tags: @@ -53,7 +53,7 @@ path: /etc/group- owner: root group: root - mode: '0644' + mode: 'u-x,go-wx' when: - amzn2023cis_rule_6_1_4 tags: @@ -69,7 +69,7 @@ path: /etc/shadow owner: root group: root - mode: '0000' + mode: 'ugo-rwx' when: - amzn2023cis_rule_6_1_5 tags: @@ -85,7 +85,7 @@ path: /etc/shadow- owner: root group: root - mode: '0000' + mode: 'ugo-rwx' when: - amzn2023cis_rule_6_1_6 tags: @@ -101,7 +101,7 @@ path: /etc/gshadow owner: root group: root - mode: '0000' + mode: 'ugo-rwx' when: - amzn2023cis_rule_6_1_7 tags: @@ -117,7 +117,7 @@ path: /etc/gshadow- owner: root group: root - mode: '0000' + mode: 'ugo-rwx' when: - amzn2023cis_rule_6_1_8 tags: @@ -144,7 +144,7 @@ content: "{{ amzn2023cis_6_1_9_packages_rpm.stdout }}" owner: root group: root - mode: '0640' + mode: 'u-x,g-wx,o-rwx' - name: "6.1.9 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" ansible.builtin.debug: 
@@ -185,7 +185,7 @@ - name: "6.1.10 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable files if they exist (Configurable)" ansible.builtin.file: path: '{{ item }}' - mode: o-w + mode: 'o-w' state: touch loop: "{{ amzn2023cis_6_1_10_perms_results.stdout_lines }}" when: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index ef25e44..f2a3538 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -254,7 +254,7 @@ state: directory owner: root group: root - mode: "0755" + mode: 'u+x,go-w' follow: false loop: "{{ root_path_perms.results }}" loop_control: @@ -357,7 +357,7 @@ - name: "6.2.11 | AUDIT | Ensure local interactive user dot files access is configured | update permissions" ansible.builtin.file: path: "{{ item.path }}" - mode: go-w + mode: 'go-w' follow: "{{ amzn2023cis_6_2_11_home_follow_symlinks }}" loop: "{{ user_dot_files.files }}" loop_control: From e6113359138bd3aa5d44a540fb028952afbd7c99 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 17 Dec 2024 12:35:39 +0000 Subject: [PATCH 08/20] Updated company name Signed-off-by: Mark Bolwell --- templates/audit/98_auditd_exception.rules.j2 | 2 +- templates/audit/99_auditd.rules.j2 | 2 +- templates/etc/cron.d/aide.cron.j2 | 2 +- templates/etc/dconf/db/00-automount_lock.j2 | 2 +- templates/etc/dconf/db/00-autorun_lock.j2 | 2 +- templates/etc/dconf/db/00-media-automount.j2 | 2 +- templates/etc/dconf/db/00-media-autorun.j2 | 2 +- templates/etc/dconf/db/00-screensaver.j2 | 2 +- templates/etc/dconf/db/00-screensaver_lock.j2 | 2 +- templates/etc/dconf/db/gdm.d/01-banner-message.j2 | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index d5dbc97..e5fe23b 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 
@@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index a908b6f..8a2dfb4 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,6 +1,6 @@ ## Ansible controlled filescope # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # This template will set all of the auditd configurations via a handler in the role in one task instead of individually diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 index 5526357..cdf1900 100644 --- a/templates/etc/cron.d/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 @@ -1,7 +1,7 @@ # Run AIDE integrity check ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # CIS 1.3.2 diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 index efebeac..0e55b5a 100644 --- a/templates/etc/dconf/db/00-automount_lock.j2 +++ b/templates/etc/dconf/db/00-automount_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop media-handling automount setting /org/gnome/desktop/media-handling/automount diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 index 4506f4f..cf9ed5d 100644 --- a/templates/etc/dconf/db/00-autorun_lock.j2 +++ b/templates/etc/dconf/db/00-autorun_lock.j2 
@@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop media-handling settings /org/gnome/desktop/media-handling/autorun-never diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 index 78ad883..640538c 100644 --- a/templates/etc/dconf/db/00-media-automount.j2 +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/desktop/media-handling] automount=false diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 index 81bdfea..382469c 100644 --- a/templates/etc/dconf/db/00-media-autorun.j2 +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/desktop/media-handling] autorun-never=true diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index bcc0736..9eaf988 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Specify the dconf path [org/gnome/desktop/session] diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 index d6c5d70..5988316 100644 --- a/templates/etc/dconf/db/00-screensaver_lock.j2 +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 
@@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop screensaver idle-delay setting /org/gnome/desktop/session/idle-delay diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 index d2f45a2..38f4253 100644 --- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 +++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/login-screen] banner-message-enable=true From 4f6102ca8d2e513cfb6d57c85e412e95686f1aea Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 23 Dec 2024 17:54:56 +0000 Subject: [PATCH 09/20] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.21.2 → v8.22.0](https://github.com/gitleaks/gitleaks/compare/v8.21.2...v8.22.0) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6ef5501..c7d4602 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,7 +35,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.21.2 + rev: v8.22.0 hooks: - id: gitleaks From 8c9afeb4f5a6a3cb2e49b8b5109ca7d0e528f4b5 Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 30 Dec 2024 17:34:35 +0000 Subject: [PATCH 10/20] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.22.0 → v8.22.1](https://github.com/gitleaks/gitleaks/compare/v8.22.0...v8.22.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c7d4602..2c49c90 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,7 +35,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.22.0 + rev: v8.22.1 hooks: - id: gitleaks From 121379399e84e4f72414ed2d7d869102d1f3d516 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 13 Jan 2025 17:49:51 +0000 Subject: [PATCH 11/20] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.22.1 → v8.23.0](https://github.com/gitleaks/gitleaks/compare/v8.22.1...v8.23.0) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2c49c90..39d733d 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,7 +35,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.22.1 + rev: v8.23.0 hooks: - id: gitleaks From 9a0cb0bf1048adbca6e7219b5eb88cfe9aca671a Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 20 Jan 2025 17:44:56 +0000 Subject: [PATCH 12/20] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.23.0 → v8.23.1](https://github.com/gitleaks/gitleaks/compare/v8.23.0...v8.23.1) - [github.com/ansible-community/ansible-lint: v24.12.2 → v25.1.0](https://github.com/ansible-community/ansible-lint/compare/v24.12.2...v25.1.0) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 39d733d..5fcf486 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,12 +35,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.23.0 + rev: v8.23.1 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.12.2 + rev: v25.1.0 hooks: - id: ansible-lint name: Ansible-lint From b2d916a19606e7bcc1425c3b5f700ac69b844d4e Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 27 Jan 2025 17:52:51 +0000 Subject: [PATCH 13/20] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.23.1 → v8.23.2](https://github.com/gitleaks/gitleaks/compare/v8.23.1...v8.23.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 5fcf486..e37797f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,7 +35,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.23.1 + rev: v8.23.2 hooks: - id: gitleaks From 5369c0b7f63c25ba0dccda01ba2e6013b6848079 Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 3 Feb 2025 18:04:32 +0000 Subject: [PATCH 14/20] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.23.2 → v8.23.3](https://github.com/gitleaks/gitleaks/compare/v8.23.2...v8.23.3) - [github.com/ansible-community/ansible-lint: v25.1.0 → v25.1.1](https://github.com/ansible-community/ansible-lint/compare/v25.1.0...v25.1.1) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e37797f..2233dbd 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -35,12 +35,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.23.2 + rev: v8.23.3 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.1.0 + rev: v25.1.1 hooks: - id: ansible-lint name: Ansible-lint From 071c94b0fff5dcb0a8f84cdec995213d978e0c4e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 10 Feb 2025 09:28:41 +0000 Subject: [PATCH 15/20] addressed #98 thanks to @exZACHly Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.6.1.x.yml b/tasks/section_4/cis_4.6.1.x.yml index 9a4e526..8590ae7 100644 --- a/tasks/section_4/cis_4.6.1.x.yml +++ b/tasks/section_4/cis_4.6.1.x.yml @@ -54,7 +54,7 @@ - name: "4.6.1.2 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS" ansible.builtin.user: name: "{{ item }}" - password_expire_max: "{{ amzn2023cis_pass['min_days'] }}" + password_expire_min: "{{ amzn2023cis_pass['min_days'] }}" loop: "{{ discovered_min_days.stdout_lines }}" when: - discovered_min_days.stdout_lines | length > 0 
From f436de288b1b29cf4b8748131326a7fabdec942a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 10 Feb 2025 09:41:48 +0000 Subject: [PATCH 16/20] Updated logic for symlinks Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.7.x.yml | 44 ++++++++++++++++++++++++----------- 1 file changed, 30 insertions(+), 14 deletions(-) diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 6850ec4..3066933 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -17,12 +17,20 @@ - nist_sp800-53r5_CM-3 - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" - ansible.builtin.template: - src: etc/issue.j2 - dest: /etc/issue - owner: root - group: root - mode: 'u-x,go-wx' + block: + - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly | Create file" + ansible.builtin.template: + src: etc/issue.j2 + dest: /usr/lib/issue + owner: root + group: root + mode: 'u-x,go-wx' + + - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly | Ensure symlink" + ansible.builtin.template: + src: /usr/lib/issue + dest: /etc/issue + state: link when: - amzn2023cis_rule_1_7_2 tags: @@ -34,12 +42,20 @@ - nist_sp800-53r5_CM-6 - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" - ansible.builtin.template: - src: etc/issue.net.j2 - dest: /etc/issue.net - owner: root - group: root - mode: 'u-x,go-wx' + block: + - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly | Create file" + ansible.builtin.template: + src: etc/issue.net.j2 + dest: /usr/lib/issue.net + owner: root + group: root + mode: 'u-x,go-wx' + + - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly | Ensure symlink" + ansible.builtin.template: + src: /usr/lib/issue.net + dest: /etc/issue.net + state: link when: - amzn2023cis_rule_1_7_3 tags: 
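Review bot: The new "Ensure symlink" tasks in both hunks (1.7.2 and 1.7.3) call `ansible.builtin.template` with `state: link`; `template` has no `state` parameter and treats `src` as a controller-side template path, so `src: /usr/lib/issue` would be resolved on the controller rather than linked on the managed host. The link belongs to `ansible.builtin.file`: replace `ansible.builtin.template:` with `ansible.builtin.file:` and keep `src`, `dest` and `state: link`; because `/etc/issue` normally already exists as a regular file (the removed lines of this very hunk used to write it there), add `force: true` so the regular file is replaced by the link instead of the task failing. The same two-line change applies to the `/usr/lib/issue.net` → `/etc/issue.net` task in the second hunk. The `when:` and `tags:` lists of both blocks continue outside the hunks.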
@@ -69,7 +85,7 @@
- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured"
ansible.builtin.file:
- path: /etc/issue
+ path: /usr/lib/issue
owner: root
group: root
mode: 'u-x,go-wx'
@@ -85,7 +101,7 @@
- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
ansible.builtin.file:
- path: /etc/issue.net
+ path: /usr/lib/issue.net
owner: root
group: root
mode: 'u-x,go-wx'
From a16c03594fb0353be2a48b7a0437e5cec64a4229 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 10 Feb 2025 09:43:28 +0000
Subject: [PATCH 17/20] Updated NIST naming to standard
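Review bot: Tasks 1.7.5 and 1.7.6 now set owner/group/mode on /usr/lib/issue and /usr/lib/issue.net while their names still say /etc/issue and /etc/issue.net, and a host where /etc/issue remains a regular file (for example with rule 1.7.2 disabled) is no longer covered. Because `ansible.builtin.file` follows symlinks by default (`follow: true`), keeping `path: /etc/issue` would reach the same target once the link from 1.7.2 exists and would still enforce the permissions when it does not; the same applies to the 1.7.6 hunk. If the /usr/lib path is intentional, a comment such as `# /etc/issue is a symlink to /usr/lib/issue (rule 1.7.2); permissions are managed on the target` above the task would make the dependency explicit. Each task's `when`/`tags` lie outside the hunk.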
Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 12 +-- tasks/section_1/cis_1.1.2.x.yml | 10 +-- tasks/section_1/cis_1.1.3.x.yml | 4 +- tasks/section_1/cis_1.1.4.x.yml | 4 +- tasks/section_1/cis_1.1.5.x.yml | 6 +- tasks/section_1/cis_1.1.6.x.yml | 6 +- tasks/section_1/cis_1.1.7.x.yml | 6 +- tasks/section_1/cis_1.1.8.x.yml | 6 +- tasks/section_1/cis_1.1.9.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 8 +- tasks/section_1/cis_1.3.x.yml | 6 +- tasks/section_1/cis_1.5.x.yml | 8 +- tasks/section_1/cis_1.6.1.x.yml | 28 +++---- tasks/section_1/cis_1.7.x.yml | 26 +++--- tasks/section_1/cis_1.8.yml | 2 +- tasks/section_1/cis_1.9.yml | 2 +- tasks/section_2/cis_2.1.x.yml | 8 +- tasks/section_2/cis_2.2.x.yml | 40 +++++----- tasks/section_2/cis_2.3.x.yml | 6 +- tasks/section_2/cis_2.4.yml | 2 +- tasks/section_3/cis_3.1.x.yml | 14 ++-- tasks/section_3/cis_3.2.x.yml | 20 ++--- tasks/section_3/cis_3.3.x.yml | 82 +++++++++---------- tasks/section_3/cis_3.4.1.x.yml | 4 +- tasks/section_3/cis_3.4.2.x.yml | 20 ++--- tasks/section_4/cis_4.1.x.yml | 42 +++++----- tasks/section_4/cis_4.2.x.yml | 136 ++++++++++++++++---------------- tasks/section_4/cis_4.3.x.yml | 10 +-- tasks/section_4/cis_4.4.x.yml | 12 +-- tasks/section_4/cis_4.5.x.yml | 10 +-- tasks/section_4/cis_4.6.1.x.yml | 50 ++++++------ tasks/section_4/cis_4.6.x.yml | 32 ++++---- tasks/section_5/cis_5.1.1.x.yml | 44 +++++------ tasks/section_5/cis_5.1.2.x.yml | 64 +++++++-------- tasks/section_5/cis_5.1.3.yml | 4 +- tasks/section_5/cis_5.2.1.x.yml | 26 +++--- tasks/section_5/cis_5.2.2.x.yml | 12 +-- tasks/section_5/cis_5.2.3.x.yml | 76 +++++++++--------- tasks/section_5/cis_5.2.4.x.yml | 14 ++-- tasks/section_5/cis_5.3.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 68 ++++++++-------- tasks/section_6/cis_6.2.x.yml | 94 +++++++++++----------- 42 files changed, 514 insertions(+), 514 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index f46d2f0..4a382b3 100644 
--- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -31,7 +31,7 @@ - patch - rule_1.1.1.1 - squashfs - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled" block: @@ -94,7 +94,7 @@ - patch - rule_1.1.1.3 - cramfs - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "1.1.1.4 | PATCH | Ensure mounting of freevxfs filesystems is disabled" block: @@ -126,7 +126,7 @@ - patch - rule_1.1.1.4 - freevxfs - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "1.1.1.5 | PATCH | Ensure mounting of jffs2 filesystems is disabled" block: @@ -158,7 +158,7 @@ - patch - rule_1.1.1.5 - jffs2 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "1.1.1.6 | PATCH | Ensure mounting of hfs filesystems is disabled" block: @@ -190,7 +190,7 @@ - patch - rule_1.1.1.6 - hfs - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "1.1.1.7 | PATCH | Ensure mounting of hfsplus filesystems is disabled" block: @@ -222,4 +222,4 @@ - patch - rule_1.1.1.7 - hfsplus - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 999a231..718b399 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -20,7 +20,7 @@ - audit - mounts - rule_1.1.2.1 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 # via fstab - name: | @@ -50,7 +50,7 @@ - rule_1.1.2.2 - rule_1.1.2.3 - rule_1.1.2.4 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 # via systemd - name: | @@ -76,6 +76,6 @@ - rule_1.1.2.2 - rule_1.1.2.3 - rule_1.1.2.4 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_CM-7 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 3630ae9..e5a1bf6 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml 
@@ -46,5 +46,5 @@ - skip_ansible_lint - rule_1.1.3.2 - rule_1.1.3.3 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 7034969..136e26c 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -50,5 +50,5 @@ - rule_1.1.4.2 - rule_1.1.4.3 - rule_1.1.4.4 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index f1643d3..5e0376f 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -21,7 +21,7 @@ - audit - mounts - rule_1.1.5.1 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_CM-6 - name: | "1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition" @@ -50,5 +50,5 @@ - rule_1.1.5.2 - rule_1.1.5.3 - rule_1.1.5.4 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index da21d73..631a0ad 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -21,7 +21,7 @@ - audit - mounts - rule_1.1.6.1 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_CM-6 - name: | "1.1.6.2 | PATCH | Ensure noexec option set on /var/log/audit partition" @@ -49,5 +49,5 @@ - rule_1.1.6.2 - rule_1.1.6.3 - rule_1.1.6.4 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 6c04091..d2e583c 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -21,7 +21,7 @@ - audit - mounts - rule_1.1.7.1 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_CM-6 - name: | "1.1.7.2 | PATCH | Ensure nodev option set on /home partition 
@@ -46,5 +46,5 @@ - mounts - rule_1.1.7.2 - rule_1.1.7.3 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index d9577ec..70f9be1 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -22,7 +22,7 @@ - audit - mounts - rule_1.1.8.1 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: | "1.1.8.2 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option @@ -46,5 +46,5 @@ - rule_1.1.8.2 - rule_1.1.8.3 - rule_1.1.8.4 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 diff --git a/tasks/section_1/cis_1.1.9.yml b/tasks/section_1/cis_1.1.9.yml index b8c7a57..1e468f6 100644 --- a/tasks/section_1/cis_1.1.9.yml +++ b/tasks/section_1/cis_1.1.9.yml @@ -33,4 +33,4 @@ - mounts - removable_storage - rule_1.1.9 - - nist_sp800-53r5_SI-3 + - NIST800-53R5_SI-3 diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 6be3734..3eddc8b 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -29,7 +29,7 @@ - manual - patch - rule_1.2.1 - - nist_sp800-53r5_SI-2 + - NIST800-53R5_SI-2 - name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated" block: @@ -53,7 +53,7 @@ - level1-server - patch - rule_1.2.2 - - nist_sp800-53r5_SI-3 + - NIST800-53R5_SI-3 - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured" block: @@ -82,7 +82,7 @@ - manual - audit - rule_1.2.3 - - nist_sp800-53r5_SI-3 + - NIST800-53R5_SI-3 - name: "1.2.4 | AUDIT | Ensure repo_gpgcheck is globally activated" block: @@ -114,4 +114,4 @@ - manual - audit - rule_1.2.4 - - nist_sp800-53r5_SI-3 + - NIST800-53R5_SI-3 diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index ba181ee..7e45766 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml 
@@ -30,7 +30,7 @@ - aide - patch - rule_1.3.1 - - nist_sp800-53r5_AU-2 + - NIST800-53R5_AU-2 - name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" ansible.builtin.cron: @@ -51,7 +51,7 @@ - file_integrity - patch - rule_1.3.2 - - nist_sp800-53r5_AU-2 + - NIST800-53R5_AU-2 - name: "1.3.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" ansible.builtin.blockinfile: @@ -73,4 +73,4 @@ - file_integrity - patch - rule_1.3.3 - - nist_sp800-53r5_AU-2 + - NIST800-53R5_AU-2 diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index b3911cc..083fb75 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -16,7 +16,7 @@ - patch - sysctl - rule_1.5.1 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_CM-6 - name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted" block: @@ -34,7 +34,7 @@ - patch - sysctl - rule_1.5.2 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_CM-6 - name: "1.5.3 | PATCH | Ensure core dump storage is disabled" ansible.builtin.lineinfile: @@ -49,7 +49,7 @@ - level1-server - patch - rule_1.5.3 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "1.5.4 | PATCH | Ensure core dump backtraces are disabled" ansible.builtin.lineinfile: @@ -63,4 +63,4 @@ - patch - sysctl - rule_1.5.4 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_CM-6 diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 33ef1c7..39b82cc 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -10,8 +10,8 @@ - level1-server - patch - rule_1.6.1.1 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" ansible.builtin.replace: 
@@ -31,7 +31,7 @@ - scored - patch - rule_1.6.1.2 - - nist_sp800-53r5_SI-7 + - NIST800-53R5_SI-7 # State set to enforcing because control 1.6.1.5 requires enforcing to be set - name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured" @@ -47,8 +47,8 @@ - selinux - patch - rule_1.6.1.3 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "1.6.1.4 | PATCH | Ensure the SELinux state is not disabled" ansible.posix.selinux: @@ -63,8 +63,8 @@ - selinux - patch - rule_1.6.1.4 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" ansible.posix.selinux: @@ -80,8 +80,8 @@ - selinux - patch - rule_1.6.1.5 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_SI-6 + - NIST800-53R5_AC-3 + - NIST800-53R5_SI-6 - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist" block: @@ -109,8 +109,8 @@ - audit - services - rule_1.6.1.6 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "1.6.1.7 | PATCH | Ensure SETroubleshoot is not installed" ansible.builtin.package: @@ -124,8 +124,8 @@ - selinux - patch - rule_1.6.1.7 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "1.6.1.8 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" ansible.builtin.package: @@ -137,4 +137,4 @@ - level1-server - patch - rule_1.6.1.8 - - nist_sp800-53r5_SI-4 + - NIST800-53R5_SI-4 diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 3066933..f8694f8 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -14,7 +14,7 @@ - banner - patch - rule_1.7.1 - - nist_sp800-53r5_CM-3 + - NIST800-53R5_CM-3 - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" block: 
@@ -37,9 +37,9 @@ - level1-server - patch - rule_1.7.2 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-3 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" block: @@ -63,9 +63,9 @@ - banner - patch - rule_1.7.3 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-3 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 - name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" ansible.builtin.file: @@ -80,8 +80,8 @@ - perms - patch - rule_1.7.4 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" ansible.builtin.file: @@ -96,8 +96,8 @@ - perms - patch - rule_1.7.5 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" ansible.builtin.file: @@ -112,5 +112,5 @@ - perms - patch - rule_1.7.6 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 diff --git a/tasks/section_1/cis_1.8.yml b/tasks/section_1/cis_1.8.yml index 032be6f..1321a2a 100644 --- a/tasks/section_1/cis_1.8.yml +++ b/tasks/section_1/cis_1.8.yml @@ -11,4 +11,4 @@ - level1-server - patch - rule_1.8 - - nist_sp800-53r5_SI-2 + - NIST800-53R5_SI-2 diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index 1080df3..b9466ad 100644 --- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -21,4 +21,4 @@ - automated - patch - rule_1.9 - - nist_sp800-53r5_SC-8 + - NIST800-53R5_SC-8 diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index df312f7..f3cfa73 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml 
@@ -11,8 +11,8 @@ - level1-server - patch - rule_2.1.1 - - nist_sp800-53r5_AU-3 - - nist_sp800-53r5_AU-12 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 - name: "2.1.2 | PATCH | Ensure chrony is configured" block: @@ -38,5 +38,5 @@ - level1-server - patch - rule_2.1.2 - - nist_sp800-53r5_AU-3 - - nist_sp800-53r5_AU-12 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 98677df..120109d 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -12,7 +12,7 @@ - patch - x11 - rule_2.2.1 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "2.2.2 | PATCH | Ensure Avahi Server is not installed" ansible.builtin.package: @@ -43,7 +43,7 @@ - patch - cups - rule_2.2.3 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "2.2.4 | PATCH | Ensure DHCP Server is not installed" ansible.builtin.package: @@ -58,7 +58,7 @@ - patch - dhcp - rule_2.2.4 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "2.2.5 | PATCH | Ensure DNS Server is not installed" ansible.builtin.package: @@ -73,7 +73,7 @@ - patch - dns - rule_2.2.5 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "2.2.6 | PATCH | Ensure an FTP Server is not installed" ansible.builtin.package: @@ -88,7 +88,7 @@ - patch - vsftpd - rule_2.2.6 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "2.2.7 | PACH | Ensure TFTP Server is not installed" ansible.builtin.package: @@ -103,7 +103,7 @@ - patch - tftp - rule_2.2.7 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "2.2.8 | PATCH | Ensure a web server is not installed" block: @@ -131,7 +131,7 @@ - nginx - webserver - rule_2.2.8 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed" block: @@ -162,7 +162,7 @@ - imap - pop3 - rule_2.2.9 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "2.2.10 | PATCH | Ensure Samba is not installed" ansible.builtin.package: 
@@ -177,7 +177,7 @@ - patch - samba - rule_2.2.10 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "2.2.11 | PATCH | Ensure HTTP Proxy Server is not installed" ansible.builtin.package: @@ -192,7 +192,7 @@ - patch - squid - rule_2.2.11 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "2.2.12 | PATCH | Ensure net-snmp is not installed or smpd service is not enabled" block: @@ -217,7 +217,7 @@ - patch - snmp - rule_2.2.12 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "2.2.13 | PATCH | Ensure telnet-server is not installed" ansible.builtin.package: @@ -232,7 +232,7 @@ - patch - telnet - rule_2.2.13 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "2.2.14 | PATCH | Ensure dnsmasq is not installed" ansible.builtin.package: @@ -247,7 +247,7 @@ - patch - dnsmasq - rule_2.2.14 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" ansible.builtin.lineinfile: @@ -264,7 +264,7 @@ - patch - postfix - rule_2.2.15 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 # The name title of the service says mask the service, but the fix allows for both options # Options available in default/main if to remove the package default is false just mask the server service @@ -294,8 +294,8 @@ - nfs - services - rule_2.2.16 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 # The name title of the service says mask the service, but the fix allows for both options # Options available in default/main if to remove the package default is false just mask the server service @@ -333,8 +333,8 @@ - patch - rpc - rule_2.2.17 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 # The name title of the service says mask the service, but the fix allows for both options # Options available in default/main if to remove the package default is false just mask the server service 
@@ -364,5 +364,5 @@ - patch - rsync - rule_2.2.18 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index 1b15931..412c5ab 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -13,7 +13,7 @@ - patch - telnet - rule_2.3.1 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "2.3.2 | PATCH | Ensure LDAP client is not installed" ansible.builtin.package: @@ -28,7 +28,7 @@ - patch - ldap - rule_2.3.2 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "2.3.3 | PATCH | Ensure FTP client is not installed" ansible.builtin.package: @@ -43,4 +43,4 @@ - patch - ftp - rule_2.3.3 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 393d4aa..6617e0a 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -37,4 +37,4 @@ - audit - services - rule_2.4 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index bbecfb9..e2f99d6 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -22,7 +22,7 @@ - ipv6 - networking - rule_3.1.1 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "3.1.2 | PATCH | Ensure DCCP is disabled" block: @@ -52,7 +52,7 @@ - patch - tipc - rule_3.1.2 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "3.1.3 | PATCH | Ensure SCTP is disabled" block: @@ -82,8 +82,8 @@ - patch - tipc - rule_3.1.3 - - nist_sp800-53r5_SI-4 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_SI-4 + - NIST800-53R5_CM-7 - name: "3.1.4 | PATCH | Ensure RDS is disabled" block: @@ -113,7 +113,7 @@ - patch - tipc - rule_3.1.4 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "3.1.5 | PATCH | Ensure TIPC is disabled" block: 
@@ -143,5 +143,5 @@ - patch - tipc - rule_3.1.5 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_SI-4 + - NIST800-53R5_CM-7 + - NIST800-53R5_SI-4 diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 4cc3eab..08a0dd9 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -30,11 +30,11 @@ - sysctl - patch - rule_3.2.1 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" block: @@ -53,8 +53,8 @@ - patch - sysctl - rule_3.2.2 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 92a464b..644c50a 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -27,11 +27,11 @@ - sysctl - patch - rule_3.3.1 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" block: @@ -61,11 +61,11 @@ - sysctl - patch - rule_3.3.2 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" block: 
@@ -84,11 +84,11 @@ - sysctl - patch - rule_3.3.3 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" block: @@ -107,7 +107,7 @@ - sysctl - patch - rule_3.3.4 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" block: @@ -126,11 +126,11 @@ - sysctl - patch - rule_3.3.5 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" block: @@ -149,11 +149,11 @@ - sysctl - patch - rule_3.3.6 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" block: @@ -172,11 +172,11 @@ - sysctl - patch - rule_3.3.7 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" block: @@ -195,11 +195,11 @@ - sysctl - patch - rule_3.3.8 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" block: 
@@ -219,8 +219,8 @@ - sysctl - patch - rule_3.3.9 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index b579fcf..851b721 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -13,8 +13,8 @@ - patch - nftables - rule_3.4.1.1 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_CA-9 + - NIST800-53R5_CM-7 + - NIST800-53R5_CA-9 - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use" block: diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 54a1ef0..8a92123 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -19,8 +19,8 @@ - patch - firewalld - rule_3.4.2.1 - - nist_sp800-53r5_CA-9 - - nist_sp800-53r5_SC-7 + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 - name: "3.4.2.2 | AUDIT | Ensure at least one nftables table exists" block: @@ -67,7 +67,7 @@ - patch - nftables - rule_3.4.2.2 - - nist_sp800-53r5_CA-9 + - NIST800-53R5_CA-9 - name: "3.4.2.3 | PATCH | Ensure nftables base chains exist" block: @@ -116,8 +116,8 @@ - patch - nftables - rule_3.4.2.3 - - nist_sp800-53r5_CA-9 - - nist_sp800-53r5_SC-7 + - NIST800-53R5_CA-9 + - NIST800-53R5_SC-7 - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured" block: @@ -158,7 +158,7 @@ - patch - nftables - rule_3.4.2.4 - - nist_sp800-53r5_CA-9 + - NIST800-53R5_CA-9 - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | firewalld" ansible.posix.firewalld: @@ -178,7 +178,7 @@ - patch - firewalld - rule_3.4.2.4 - - nist_sp800-53r5_CA-9 + - NIST800-53R5_CA-9 - name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports" block: 
@@ -202,7 +202,7 @@ - audit - firewalld - rule_3.4.2.5 - - nist_sp800-53r5_CA-9 + - NIST800-53R5_CA-9 - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured" block: @@ -249,7 +249,7 @@ - patch - nftables - rule_3.4.2.6 - - nist_sp800-53r5_CA-9 + - NIST800-53R5_CA-9 - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy" block: @@ -300,4 +300,4 @@ - patch - nftables - rule_3.4.2.7 - - nist_sp800-53r5_CA-9 + - NIST800-53R5_CA-9 diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index 27b20c7..8b109fe 100644 --- a/tasks/section_4/cis_4.1.x.yml +++ b/tasks/section_4/cis_4.1.x.yml @@ -11,11 +11,11 @@ - patch - cron - rule_4.1.1 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" ansible.builtin.file: @@ -30,8 +30,8 @@ - patch - cron - rule_4.1.2 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" ansible.builtin.file: @@ -47,8 +47,8 @@ - patch - cron - rule_4.1.3 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" ansible.builtin.file: @@ -64,8 +64,8 @@ - patch - cron - rule_4.1.4 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" ansible.builtin.file: 
@@ -80,8 +80,8 @@ - level1-server - patch - rule_4.1.5 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" ansible.builtin.file: @@ -96,8 +96,8 @@ - level1-server - patch - rule_4.1.6 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" ansible.builtin.file: @@ -113,8 +113,8 @@ - patch - cron - rule_4.1.7 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "4.1.8 | PATCH | Ensure cron is restricted to authorized users" block: @@ -142,8 +142,8 @@ - patch - cron - rule_4.1.8 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "4.1.9 | PATCH | Ensure at is restricted to authorized users" block: @@ -171,5 +171,5 @@ - patch - cron - rule_4.1.9 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml index 656c3bb..fc21582 100644 --- a/tasks/section_4/cis_4.2.x.yml +++ b/tasks/section_4/cis_4.2.x.yml @@ -14,8 +14,8 @@ - ssh - permissions - rule_4.2.1 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "4.2.2 | PATCH | Ensure permissions on SSH private host key files are configured" block: @@ -44,8 +44,8 @@ - ssh - permissions - rule_4.2.2 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "4.2.3 | PATCH | Ensure permissions on SSH public host key files are configured" block: @@ -73,8 +73,8 @@ - patch - ssh - rule_4.2.3 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "4.2.4 | PATCH | Ensure SSH access is limited" block: 
@@ -120,8 +120,8 @@ - patch - ssh - rule_4.2.4 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "4.2.5 | PATCH | Ensure SSH LogLevel is appropriate" ansible.builtin.lineinfile: @@ -139,9 +139,9 @@ - patch - sshs - rule_4.2.5 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_SI-5 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 - name: "4.2.6 | PATCH | Ensure SSH PAM is enabled" ansible.builtin.lineinfile: @@ -159,11 +159,11 @@ - patch - ssh - rule_4.2.6 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "4.2.7 | PATCH | Ensure SSH root login is disabled" ansible.builtin.lineinfile: @@ -181,7 +181,7 @@ - patch - ssh - rule_4.2.7 - - nist_sp800-53r5_AC-6 + - NIST800-53R5_AC-6 - name: "4.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" ansible.builtin.lineinfile: @@ -199,11 +199,11 @@ - patch - ssh - rule_4.2.8 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "4.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" ansible.builtin.lineinfile: @@ -221,11 +221,11 @@ - patch - ssh - rule_4.2.9 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "4.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" ansible.builtin.lineinfile: 
@@ -243,11 +243,11 @@ - patch - ssh - rule_4.2.10 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "4.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" ansible.builtin.lineinfile: @@ -262,11 +262,11 @@ - patch - ssh - rule_4.2.11 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "4.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" ansible.builtin.lineinfile: @@ -284,7 +284,7 @@ - patch - ssh - rule_4.2.12 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_CM-7 - name: "4.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled" ansible.builtin.lineinfile: @@ -302,11 +302,11 @@ - patch - ssh - rule_4.2.13 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "4.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" block: @@ -327,9 +327,9 @@ - patch - ssh - rule_4.2.14 - - nist_sp800-53r5_SC-8 - - nist_sp800-53r5_AC-17 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_SC-8 + - NIST800-53R5_AC-17 + - NIST800-53R5_IA-5 - name: "4.2.15 | PATCH | Ensure SSH warning banner is configured" ansible.builtin.lineinfile: @@ -343,11 +343,11 @@ - patch - ssh - rule_4.2.15 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "4.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" ansible.builtin.lineinfile: 
@@ -365,7 +365,7 @@ - patch - ssh - rule_4.2.16 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 - name: "4.2.17 | PATCH | Ensure SSH MaxStartups is configured" ansible.builtin.lineinfile: @@ -383,11 +383,11 @@ - patch - ssh - rule_4.2.17 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "4.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" ansible.builtin.lineinfile: @@ -405,11 +405,11 @@ - patch - ssh - rule_4.2.18 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "4.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" ansible.builtin.lineinfile: @@ -427,7 +427,7 @@ - patch - ssh - rule_4.2.19 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_CM-6 - name: "4.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured" block: @@ -457,8 +457,8 @@ - patch - ssh - rule_4.2.20 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml index d3cbb29..620a472 100644 --- a/tasks/section_4/cis_4.3.x.yml +++ b/tasks/section_4/cis_4.3.x.yml @@ -11,7 +11,7 @@ - patch - sudo - rule_4.3.1 - - nist_sp800-53r5_AC-6 + - NIST800-53R5_AC-6 - name: "4.3.2 | PATCH | Ensure sudo commands use pty" ansible.builtin.lineinfile: @@ -54,7 +54,7 @@ - patch - sudo - rule_4.3.4 - - nist_sp800-53r5_AC-6 + - NIST800-53R5_AC-6 - name: "4.3.5 | PATCH | Ensure sudo authentication timeout is configured correctly" block: 
@@ -87,7 +87,7 @@ - patch - sudo - rule_4.3.5 - - nist_sp800-53r5_AC-6 + - NIST800-53R5_AC-6 - name: "4.3.6 | PATCH | Ensure access to the su command is restricted" block: @@ -116,5 +116,5 @@ - patch - sudo - rule_4.3.6 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 diff --git a/tasks/section_4/cis_4.4.x.yml b/tasks/section_4/cis_4.4.x.yml index 8cdd4a9..14df157 100644 --- a/tasks/section_4/cis_4.4.x.yml +++ b/tasks/section_4/cis_4.4.x.yml @@ -26,7 +26,7 @@ - patch - authselect - rule_4.4.1 - - nist_sp800-53r5_CA-5 + - NIST800-53R5_CA-5 - name: "4.4.2 | PATCH | Ensure authselect includes with-faillock | with auth select profile" block: @@ -82,8 +82,8 @@ - patch - authselect - rule_4.4.2 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 diff --git a/tasks/section_4/cis_4.5.x.yml b/tasks/section_4/cis_4.5.x.yml index 0513a5c..a1b6741 100644 --- a/tasks/section_4/cis_4.5.x.yml +++ b/tasks/section_4/cis_4.5.x.yml @@ -30,7 +30,7 @@ - level1-server - patch - rule_4.5.1 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_IA-5 - name: "4.5.2 | PATCH | Ensure lockout for failed password attempts is configured" block: @@ -75,8 +75,8 @@ - level1-server - patch - rule_4.5.2 - - nist_sp800-53r5_AC-1 - - nist_sp800-53r5_AC-2 + - NIST800-53R5_AC-1 + - NIST800-53R5_AC-2 - name: "4.5.3 | PATCH | Ensure password reuse is limited | pwquality" ansible.builtin.lineinfile: @@ -89,7 +89,7 @@ - level1-server - patch - rule_4.5.3 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_IA-5 - name: "4.5.4 | PATCH | Ensure password hashing algorithm is SHA-512" block: @@ -122,4 +122,4 @@ - level1-server - patch - rule_4.5.4 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_IA-5 diff --git a/tasks/section_4/cis_4.6.1.x.yml b/tasks/section_4/cis_4.6.1.x.yml index 8590ae7..5921c37 100644 
--- a/tasks/section_4/cis_4.6.1.x.yml +++ b/tasks/section_4/cis_4.6.1.x.yml @@ -31,11 +31,11 @@ - patch - password - rule_4.6.1.1 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "4.6.1.2 | PATCH | Ensure minimum days between password changes is configured" block: @@ -68,11 +68,11 @@ - patch - password - rule_4.6.1.2 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "4.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more" block: @@ -102,11 +102,11 @@ - patch - password - rule_4.6.1.3 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "4.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less" block: @@ -137,11 +137,11 @@ - patch - password - rule_4.6.1.4 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "4.6.1.5 | PATCH | Ensure all users last password change date is in the past" block: @@ -187,8 +187,8 @@ - level1-server - patch - rule_4.6.1.5 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 diff --git a/tasks/section_4/cis_4.6.x.yml b/tasks/section_4/cis_4.6.x.yml index 5195966..bc8b302 100644 
--- a/tasks/section_4/cis_4.6.x.yml +++ b/tasks/section_4/cis_4.6.x.yml @@ -42,10 +42,10 @@ - patch - accounts - rule_4.6.2 - - nist_sp800-53r5_AC-2 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_AC-5 - - nist_sp800-53r5_MP-5 + - NIST800-53R5_AC-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_AC-5 + - NIST800-53R5_MP-5 - name: "4.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" ansible.builtin.blockinfile: @@ -68,7 +68,7 @@ - patch - accounts - rule_4.6.3 - - nist_sp800-53r5_AC-11 + - NIST800-53R5_AC-11 - name: "4.6.4 | PATCH | Ensure default group for the root account is GID 0" ansible.builtin.user: @@ -81,11 +81,11 @@ - patch - accounts - rule_4.6.4 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: @@ -112,8 +112,8 @@ - patch - accounts - rule_4.6.5 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "4.6.6 | PATCH | Ensure root password is set" ansible.builtin.debug: @@ -126,7 +126,7 @@ - accounts - root - rule_4.6.6 - - nist_sp800-53r5_AC-2 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_AC-5 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_AC-5 + - NIST800-53R5_MP-2 diff --git a/tasks/section_5/cis_5.1.1.x.yml b/tasks/section_5/cis_5.1.1.x.yml index b382c83..764a844 100644 --- a/tasks/section_5/cis_5.1.1.x.yml +++ b/tasks/section_5/cis_5.1.1.x.yml @@ -12,9 +12,9 @@ - patch - rsyslog - rule_5.1.1.1 - - nist_sp800-53r5_AU-3 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_SI-5 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 - name: "5.1.1.2 | PATCH | Ensure rsyslog Service is enabled" ansible.builtin.systemd: 
@@ -27,8 +27,8 @@ - patch - rsyslog - rule_5.1.1.2 - - nist_sp800-53r5_AU-3 - - nist_sp800-53r5_AU-12 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 - name: "5.1.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog" ansible.builtin.lineinfile: @@ -44,12 +44,12 @@ - patch - rsyslog - rule_5.1.1.3 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-4 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_MP-2 - - nist_sp800-53r5_SI-5 + - NIST800-53R5_AC-3 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-4 + - NIST800-53R5_AU-12 + - NIST800-53R5_MP-2 + - NIST800-53R5_SI-5 - name: "5.1.1.4 | PATCH | Ensure rsyslog default file permissions configured" ansible.builtin.lineinfile: @@ -64,9 +64,9 @@ - patch - rsyslog - rule_5.1.1.4 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_AC-6 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_AC-6 + - NIST800-53R5_MP-2 - name: "5.1.1.5 | PATCH | Ensure logging is configured" block: @@ -167,9 +167,9 @@ - patch - rsyslog - rule_5.1.1.5 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-7 - - nist_sp800-53r5_AU-12 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 - name: "5.1.1.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" ansible.builtin.blockinfile: @@ -192,7 +192,7 @@ - patch - rsyslog - rule_5.1.1.6 - - nist_sp800-53r5_AU-6 + - NIST800-53R5_AU-6 - name: "5.1.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" block: @@ -226,7 +226,7 @@ - patch - rsyslog - rule_5.1.1.7 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-7 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 + - NIST800-53R5_CM-6 diff --git a/tasks/section_5/cis_5.1.2.x.yml b/tasks/section_5/cis_5.1.2.x.yml index 70d04e7..e08cc9c 100644 --- a/tasks/section_5/cis_5.1.2.x.yml +++ b/tasks/section_5/cis_5.1.2.x.yml 
@@ -12,9 +12,9 @@ - patch - journald - rule_5.1.2.1.1 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_SI-5 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 - name: "5.1.2.1.2 | PATCH | Ensure systemd-journal-remote is configured" ansible.builtin.lineinfile: @@ -35,9 +35,9 @@ - patch - journald - rule_5.1.2.1.2 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-7 - - nist_sp800-53r5_AU-12 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 - name: "5.1.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled" ansible.builtin.systemd: @@ -53,10 +53,10 @@ - patch - journald - rule_5.1.2.1.3 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_SI-5 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + - NIST800-53R5_CM-7 - name: "5.1.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" ansible.builtin.systemd: @@ -72,10 +72,10 @@ - patch - journald - rule_5.1.2.1.4 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_SI-5 - - nist_sp800-53r5_CM-7 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + - NIST800-53R5_CM-7 - name: "5.1.2.2 | PATCH | Ensure journald service is enabled" block: @@ -110,9 +110,9 @@ - audit - journald - rule_5.1.2.2 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-7 - - nist_sp800-53r5_AU-12 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 - name: "5.1.2.3 | PATCH | Ensure journald is configured to compress large log files" ansible.builtin.lineinfile: @@ -127,7 +127,7 @@ - patch - journald - rule_5.1.2.3 - - nist_sp800-53r5_AU-4 + - NIST800-53R5_AU-4 - name: "5.1.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk" ansible.builtin.lineinfile: 
@@ -142,8 +142,8 @@ - patch - journald - rule_5.1.2.4 - - nist_sp800-53r5_AU-3 - - nist_sp800-53r5_AU-12 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 # This is counter to control 5.1.1.3?? - name: "5.1.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog" @@ -160,10 +160,10 @@ - patch - journald - rule_5.1.2.5 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-6 - - nist_sp800-53r5_AU-7 - - nist_sp800-53r5_AU-12 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-6 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 - name: "5.1.2.6 | PATCH | Ensure journald log rotation is configured per site policy" ansible.builtin.lineinfile: @@ -185,9 +185,9 @@ - patch - journald - rule_5.1.2.6 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-7 - - nist_sp800-53r5_AU-12 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 - name: "5.1.2.7 | AUDIT | Ensure journald default file permissions configured" block: @@ -215,8 +215,8 @@ - patch - journald - rule_5.1.2.7 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_MP-2 - - nist_sp800-53r5_SI-5 + - NIST800-53R5_AC-3 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_MP-2 + - NIST800-53R5_SI-5 diff --git a/tasks/section_5/cis_5.1.3.yml b/tasks/section_5/cis_5.1.3.yml index c050a10..189386e 100644 --- a/tasks/section_5/cis_5.1.3.yml +++ b/tasks/section_5/cis_5.1.3.yml @@ -27,5 +27,5 @@ - patch - logfiles - rule_5.1.3 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-5 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-5 diff --git a/tasks/section_5/cis_5.2.1.x.yml b/tasks/section_5/cis_5.2.1.x.yml index 30c1b0b..26582bb 100644 --- a/tasks/section_5/cis_5.2.1.x.yml +++ b/tasks/section_5/cis_5.2.1.x.yml 
@@ -20,10 +20,10 @@ - patch - auditd - rule_5.2.1.1 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-3 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_SI-5 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 - name: "5.2.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" block: @@ -57,9 +57,9 @@ - auditd - grub - rule_5.2.1.2 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-3 - - nist_sp800-53r5_AU-12 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 - name: "5.2.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" block: @@ -93,9 +93,9 @@ - auditd - grub - rule_5.2.1.3 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-3 - - nist_sp800-53r5_AU-12 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 - name: "5.2.1.4 | PATCH | Ensure auditd service is enabled" ansible.builtin.systemd: @@ -109,6 +109,6 @@ - patch - auditd - rule_5.2.1.4 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-3 - - nist_sp800-53r5_AU-12 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 diff --git a/tasks/section_5/cis_5.2.2.x.yml b/tasks/section_5/cis_5.2.2.x.yml index c9efcb6..10171fd 100644 --- a/tasks/section_5/cis_5.2.2.x.yml +++ b/tasks/section_5/cis_5.2.2.x.yml @@ -13,7 +13,7 @@ - patch - auditd - rule_5.2.2.1 - - nist_sp800-53r5_AU-8 + - NIST800-53R5_AU-8 - name: "5.2.2.2 | PATCH | Ensure audit logs are not automatically deleted" ansible.builtin.lineinfile: @@ -28,7 +28,7 @@ - patch - auditd - rule_5.2.2.2 - - nist_sp800-53r5_AU-8 + - NIST800-53R5_AU-8 - name: "5.2.2.3 | PATCH | Ensure system is disabled when audit logs are full" ansible.builtin.lineinfile: @@ -47,10 +47,10 @@ - patch - auditd - rule_5.2.2.3 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-8 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_SI-5 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-8 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 - name: PATCH | Configure other keys for auditd.conf ansible.builtin.lineinfile: 
diff --git a/tasks/section_5/cis_5.2.3.x.yml b/tasks/section_5/cis_5.2.3.x.yml index 67514c7..c85f9ce 100644 --- a/tasks/section_5/cis_5.2.3.x.yml +++ b/tasks/section_5/cis_5.2.3.x.yml @@ -11,7 +11,7 @@ - patch - auditd - rule_5.2.3.1 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.2 | PATCH | Ensure actions as another user are always logged" @@ -24,7 +24,7 @@ - patch - auditd - rule_5.2.3.2 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.3 | PATCH | Ensure events that modify the sudo log file are collected" @@ -37,7 +37,7 @@ - patch - auditd - rule_5.2.3.3 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.4 | PATCH | Ensure events that modify date and time information are collected" @@ -50,8 +50,8 @@ - patch - auditd - rule_5.2.3.4 - - nist_sp800-53r5_AU-3 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_AU-3 + - NIST800-53R5_CM-6 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.5 | PATCH | Ensure events that modify the system's network environment are collected" @@ -64,8 +64,8 @@ - patch - auditd - rule_5.2.3.5 - - nist_sp800-53r5_AU-3 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_AU-3 + - NIST800-53R5_CM-6 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.6 | PATCH | Ensure use of privileged commands is collected" @@ -88,7 +88,7 @@ - patch - auditd - rule_5.2.3.6 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" 
@@ -101,7 +101,7 @@ - patch - auditd - rule_5.2.3.7 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.8 | PATCH | Ensure events that modify user/group information are collected" @@ -114,7 +114,7 @@ - patch - auditd - rule_5.2.3.8 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" @@ -127,8 +127,8 @@ - patch - auditd - rule_5.2.3.9 - - nist_sp800-53r5_AU-3 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_AU-3 + - NIST800-53R5_CM-6 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.10 | PATCH | Ensure successful file system mounts are collected" @@ -141,7 +141,7 @@ - patch - auditd - rule_5.2.3.10 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_CM-6 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.11 | PATCH | Ensure session initiation information is collected" @@ -154,7 +154,7 @@ - patch - auditd - rule_5.2.3.11 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.12 | PATCH | Ensure login and logout events are collected" @@ -167,7 +167,7 @@ - patch - auditd - rule_5.2.3.12 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.13 | PATCH | Ensure file deletion events by users are collected" @@ -180,8 +180,8 @@ - auditd - patch - rule_5.2.3.13 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_SC-7 + - NIST800-53R5_AU-12 + - NIST800-53R5_SC-7 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" 
@@ -194,8 +194,8 @@ - patch - auditd - rule_5.2.3.14 - - nist_sp800-53r5_AU-3 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_AU-3 + - NIST800-53R5_CM-6 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" @@ -208,9 +208,9 @@ - patch - auditd - rule_5.2.3.15 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_SI-5 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" @@ -223,9 +223,9 @@ - patch - auditd - rule_5.2.3.16 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_SI-5 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" @@ -238,9 +238,9 @@ - patch - auditd - rule_5.2.3.17 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_SI-5 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" @@ -253,9 +253,9 @@ - patch - auditd - rule_5.2.3.18 - - nist_sp800-53r5_AU-2 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_SI-5 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.19 | PATCH | Ensure kernel module loading and unloading is collected" 
@@ -268,8 +268,8 @@ - patch - auditd - rule_5.2.3.19 - - nist_sp800-53r5_AU-3 - - nist_sp800-53r5_CM-6 + - NIST800-53R5_AU-3 + - NIST800-53R5_CM-6 # All changes selected are managed by the POST audit and handlers to update - name: "5.2.3.20 | PATCH | Ensure the audit configuration is immutable" @@ -282,10 +282,10 @@ - patch - auditd - rule_5.2.3.20 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_AU-3 - - nist_sp800-53r5_AU-12 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + - NIST800-53R5_MP-2 - name: "5.2.3.21 | AUDIT | Ensure the running and on disk configuration is the same" ansible.builtin.debug: @@ -299,7 +299,7 @@ - patch - auditd - rule_5.2.3.21 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 - name: Auditd | 5.2.3 | Auditd controls updated ansible.builtin.debug: diff --git a/tasks/section_5/cis_5.2.4.x.yml b/tasks/section_5/cis_5.2.4.x.yml index f4cf7ac..3392853 100644 --- a/tasks/section_5/cis_5.2.4.x.yml +++ b/tasks/section_5/cis_5.2.4.x.yml @@ -37,7 +37,7 @@ - rule_5.2.4.1 - rule_5.2.4.2 - rule_5.2.4.3 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 - name: "5.2.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive" block: @@ -74,7 +74,7 @@ - patch - auditd - rule_5.2.4.5 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 - name: "5.2.4.6 | PATCH | Ensure audit configuration files are owned by root" ansible.builtin.file: @@ -90,7 +90,7 @@ - patch - auditd - rule_5.2.4.6 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 - name: "5.2.4.7 | PATCH | Ensure audit configuration files belong to group root" ansible.builtin.file: @@ -106,7 +106,7 @@ - patch - auditd - rule_5.2.4.7 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 - name: "5.2.4.8 | PATCH | Ensure audit tools are 755 or more restrictive" block: @@ -138,7 +138,7 @@ - patch - auditd - rule_5.2.4.8 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 - name: "5.2.4.9 | PATCH | Ensure audit tools are owned by root" ansible.builtin.file: 
@@ -159,7 +159,7 @@ - patch - auditd - rule_5.2.4.9 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 - name: "5.2.4.10 | PATCH | Ensure audit tools belong to group root" ansible.builtin.file: @@ -179,4 +179,4 @@ - patch - auditd - rule_5.2.4.10 - - nist_sp800-53r5_AU-3 + - NIST800-53R5_AU-3 diff --git a/tasks/section_5/cis_5.3.yml b/tasks/section_5/cis_5.3.yml index e4b4fd9..eaa35ae 100644 --- a/tasks/section_5/cis_5.3.yml +++ b/tasks/section_5/cis_5.3.yml @@ -53,4 +53,4 @@ - patch - logrotate - rule_5.3 - - nist_sp800-53r5_AU-8 + - NIST800-53R5_AU-8 diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 55b209f..008ecc1 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -13,8 +13,8 @@ - patch - permissions - rule_6.1.1 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "6.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" ansible.builtin.file: @@ -29,8 +29,8 @@ - patch - permissions - rule_6.1.2 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "6.1.3 | PATCH | Ensure permissions on /etc/group are configured" ansible.builtin.file: @@ -45,8 +45,8 @@ - patch - permissions - rule_6.1.3 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "6.1.4 | PATCH | Ensure permissions on /etc/group- are configured" ansible.builtin.file: @@ -61,8 +61,8 @@ - patch - permissionss - rule_6.1.4 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "6.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" ansible.builtin.file: @@ -77,8 +77,8 @@ - patch - permissions - rule_6.1.5 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" ansible.builtin.file: 
@@ -93,8 +93,8 @@ - patch - permissions - rule_6.1.6 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "6.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" ansible.builtin.file: @@ -109,8 +109,8 @@ - patch - permissions - rule_6.1.7 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "6.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" ansible.builtin.file: @@ -125,8 +125,8 @@ - patch - permissions - rule_6.1.8 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "6.1.9 | AUDIT | Audit system file permissions" block: @@ -166,13 +166,13 @@ - audit - permissions - rule_6.1.9 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "6.1.10 | PATCH | Ensure world writable files and directories are secured" block: @@ -205,8 +205,8 @@ - permissions - stickybits - rule_6.1.10 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "6.1.11 | AUDIT | Ensure no unowned or ungrouped files or directories exist" block: @@ -281,8 +281,8 @@ - files - permissions - rule_6.1.11 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 - name: "6.1.12 | AUDIT | Ensure SUID and SGID files are reviewed" block: 
@@ -349,10 +349,10 @@ - audit - files - rule_6.1.12 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 - - nist_sp800-53r5_AC-3 - - nist_sp800-53r5_MP-2 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index f2a3538..07022f4 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -27,7 +27,7 @@ - patch - accounts - rule_6.2.1 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_IA-5 - name: "6.2.2 | PATCH | Ensure password fields are not empty" ansible.builtin.shell: passwd -l {{ item }} @@ -42,7 +42,7 @@ - patch - accounts - rule_6.2.2 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_IA-5 - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" block: @@ -72,11 +72,11 @@ - accounts - groups - rule_6.2.3 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist" block: @@ -105,11 +105,11 @@ - accounts - users - rule_6.2.4 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist" block: 
@@ -139,11 +139,11 @@ - accounts - groups - rule_6.2.5 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist" block: @@ -172,11 +172,11 @@ - accounts - users - rule_6.2.6 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist" block: @@ -206,11 +206,11 @@ - accounts - groups - rule_6.2.7 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "6.2.8 | PATCH | Ensure root PATH Integrity" block: @@ -270,11 +270,11 @@ - patch - paths - rule_6.2.8 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "6.2.9 | PATCH | Ensure root is the only UID 0 account" ansible.builtin.shell: passwd -l {{ item }} @@ -290,11 +290,11 @@ - accounts - users - rule_6.2.9 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" block: 
@@ -336,11 +336,11 @@ - patch - users - rule_6.2.10 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 - name: "6.2.11 | PATCH | Ensure local interactive user dot files access is configured" block: @@ -381,8 +381,8 @@ - users - permissions - rule_6.2.11 - - nist_sp800-53r5_CM-1 - - nist_sp800-53r5_CM-2 - - nist_sp800-53r5_CM-6 - - nist_sp800-53r5_CM-7 - - nist_sp800-53r5_IA-5 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 From 9d7c5c4fb7913f1346eb57b739a0dd03fee7888b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 10 Feb 2025 09:55:38 +0000 Subject: [PATCH 18/20] updated as per #101 Signed-off-by: Mark Bolwell --- site.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site.yml b/site.yml index 4d6c051..448a462 100644 --- a/site.yml +++ b/site.yml @@ -1,6 +1,6 @@ --- -- name: Amazon 2023 cis benchmark +- name: Apply Amazon Linux 2023 CIS hardening hosts: all become: true From 0188dee73ef7d24b51fc6b643ee7046951e05adb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 10 Feb 2025 10:57:39 +0000 Subject: [PATCH 19/20] corrected module used Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.7.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index f8694f8..4f451f4 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -27,7 +27,7 @@ mode: 'u-x,go-wx' - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly | Ensure symlink" - ansible.builtin.template: + ansible.builtin.file: src: /usr/lib/issue dest: /etc/issue state: link 
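Review bot: `ansible.builtin.file` with `state: link` refuses to replace an existing regular file at `dest` unless `force: true` is set, and `/etc/issue` is typically present as a regular file on a fresh Amazon Linux 2023 install, so the corrected 1.7.2 task in the tasks/section_1/cis_1.7.x.yml hunk is likely to fail on first run rather than create the symlink; add `force: true` alongside `state: link`. The same applies to the 1.7.3 task for `/etc/issue.net` in the following hunk. With `force` set the module unlinks the existing file before linking, which appears to be the intended outcome since the banner content and its `u-x,go-wx` mode seem to be applied to `/usr/lib/issue` by the preceding task; the task's remaining keys continue past the end of the hunk.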
@@ -52,7 +52,7 @@ mode: 'u-x,go-wx' - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly | Ensure symlink" - ansible.builtin.template: + ansible.builtin.file: src: /usr/lib/issue.net dest: /etc/issue.net state: link From 982c2e099d852707b38c75cdcaf72f235230ea75 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 10 Feb 2025 17:53:27 +0000 Subject: [PATCH 20/20] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v25.1.1 → v25.1.2](https://github.com/ansible-community/ansible-lint/compare/v25.1.1...v25.1.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 2233dbd..84cb4f9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,7 +40,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.1.1 + rev: v25.1.2 hooks: - id: ansible-lint name: Ansible-lint