Alignment #100

Merged
merged 2 commits into from
Dec 17, 2024
Merged
2 changes: 1 addition & 1 deletion LICENSE
@@ -1,6 +1,6 @@
MIT License

Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
2 changes: 1 addition & 1 deletion tasks/post.yml
Expand Up @@ -13,7 +13,7 @@
dest: "/etc/sysctl.d/{{ item }}"
owner: root
group: root
mode: 0600
mode: 'u-x,go-rwx'
register: sysctl_updated
notify: Reload sysctl
loop:
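Review bot: `mode: 'u-x,go-rwx'` on the new side is a relative mode that only clears bits, so the resulting permissions depend on what the file had before the task ran (a freshly created file under a 022 umask ends up 0600, an existing 0400 file stays 0400, a 0640 file becomes 0600), whereas the removed `0600` was absolute. The result is never more permissive than 0600, which is what a hardening role wants, but the role no longer normalises the mode to a single value, so any check that compares for exactly 0600 rather than "0600 or more restrictive" will see drift. The same pattern is used throughout this PR (tasks/section_1/cis_1.1.1.x.yml, tasks/section_1/cis_1.1.9.yml, tasks/section_3/cis_3.1.x.yml, tasks/section_4/cis_4.1.x.yml, and the `'u-x,go-wx'` / `'u+x,go-rwx'` variants in tasks/section_1/cis_1.1.2.x.yml, tasks/section_1/cis_1.7.x.yml, tasks/section_2/cis_2.1.x.yml). A one-line comment at the first occurrence, `# symbolic modes only remove bits: never more permissive than 0600, but not forced to exactly 0600`, would make the intent explicit. The enclosing task starts above this hunk.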
2 changes: 1 addition & 1 deletion tasks/prelim.yml
Expand Up @@ -173,7 +173,7 @@
path: "{{ amzn2023cis_sshd_config_file }}"
owner: root
group: root
mode: '0600'
mode: 'u-x,o-rwx'
state: touch
when:
- amzn2023cis_sshd_config_file != '/etc/ssh/sshd_config'
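Review bot: The new mode `'u-x,o-rwx'` at this line leaves the group bits untouched, unlike the removed `'0600'` and unlike every other 0600 replacement in this PR, which use `'u-x,go-rwx'`. For the alternate sshd config file touched here (`state: touch`), a pre-existing or umask-default group-read bit survives (e.g. 0644 becomes 0640 rather than 0600), so the file can end up group-readable where it previously was root-only. Unless group read access is intentional for this path, this should be `mode: 'u-x,go-rwx'` for consistency with the rest of the change. The enclosing task begins above the hunk.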
28 changes: 14 additions & 14 deletions tasks/section_1/cis_1.1.1.x.yml
Expand Up @@ -8,15 +8,15 @@
regexp: "^(#)?install squashfs(\\s|$)"
line: "install squashfs /bin/true"
create: true
mode: '0600'
mode: 'u-x,go-rwx'

- name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist squashfs(\\s|$)"
line: "blacklist squashfs"
create: true
mode: '0600'
mode: 'u-x,go-rwx'

- name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs"
community.general.modprobe:
Expand All @@ -41,15 +41,15 @@
regexp: "^(#)?install udf(\\s|$)"
line: "install udf /bin/true"
create: true
mode: '0600'
mode: 'u-x,go-rwx'

- name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist udf(\\s|$)"
line: "blacklist udf"
create: true
mode: '0600'
mode: 'u-x,go-rwx'

- name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf"
community.general.modprobe:
Expand All @@ -72,15 +72,15 @@
regexp: "^(#)?install cramfs(\\s|$)"
line: "install cramfs /bin/true"
create: true
mode: '0600'
mode: 'u-x,go-rwx'

- name: "1.1.1.3 | PATCH | Ensure mounting of cramfs filesystems is disabled | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist cramfs(\\s|$)"
line: "blacklist cramfs"
create: true
mode: '0600'
mode: 'u-x,go-rwx'

- name: "1.1.1.3 | PATCH | Ensure mounting of cramfs filesystems is disable | Disable cramfs"
community.general.modprobe:
Expand All @@ -104,15 +104,15 @@
regexp: "^(#)?install freevxfs(\\s|$)"
line: "install freevxfs /bin/true"
create: true
mode: '0600'
mode: 'u-x,go-rwx'

- name: "1.1.1.4 | PATCH | Ensure mounting of freevxfs filesystems is disabled | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist freevxfs(\\s|$)"
line: "blacklist freevxfs"
create: true
mode: '0600'
mode: 'u-x,go-rwx'

- name: "1.1.1.4 | PATCH | Ensure mounting of freevxfs filesystems is disable | Disable freevxfs"
community.general.modprobe:
Expand All @@ -136,15 +136,15 @@
regexp: "^(#)?install jffs2(\\s|$)"
line: "install jffs2 /bin/true"
create: true
mode: '0600'
mode: 'u-x,go-rwx'

- name: "1.1.1.5 | PATCH | Ensure mounting of jffs2 filesystems is disabled | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist jffs2(\\s|$)"
line: "blacklist jffs2"
create: true
mode: '0600'
mode: 'u-x,go-rwx'

- name: "1.1.1.5 | PATCH | Ensure mounting of jffs2 filesystems is disable | Disable jffs2"
community.general.modprobe:
Expand All @@ -168,15 +168,15 @@
regexp: "^(#)?install hfs(\\s|$)"
line: "install hfs /bin/true"
create: true
mode: '0600'
mode: 'u-x,go-rwx'

- name: "1.1.1.6 | PATCH | Ensure mounting of hfs filesystems is disabled | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist hfs(\\s|$)"
line: "blacklist hfs"
create: true
mode: '0600'
mode: 'u-x,go-rwx'

- name: "1.1.1.6 | PATCH | Ensure mounting of hfs filesystems is disable | Disable hfs"
community.general.modprobe:
Expand All @@ -200,15 +200,15 @@
regexp: "^(#)?install hfsplus(\\s|$)"
line: "install hfsplus /bin/true"
create: true
mode: '0600'
mode: 'u-x,go-rwx'

- name: "1.1.1.7 | PATCH | Ensure mounting of hfsplus filesystems is disabled | blacklist"
ansible.builtin.lineinfile:
path: /etc/modprobe.d/blacklist.conf
regexp: "^(#)?blacklist hfsplus(\\s|$)"
line: "blacklist hfsplus"
create: true
mode: '0600'
mode: 'u-x,go-rwx'

- name: "1.1.1.7 | PATCH | Ensure mounting of hfsplus filesystems is disable | Disable hfsplus"
community.general.modprobe:
2 changes: 1 addition & 1 deletion tasks/section_1/cis_1.1.2.x.yml
Expand Up @@ -62,7 +62,7 @@
dest: /etc/systemd/system/tmp.mount
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
notify: Systemd restart tmp.mount
when:
- amzn2023cis_tmp_svc
4 changes: 2 additions & 2 deletions tasks/section_1/cis_1.1.9.yml
Expand Up @@ -10,7 +10,7 @@
create: true
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'

- name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config"
community.general.modprobe:
Expand All @@ -24,7 +24,7 @@
regexp: "^(#)?blacklist usb-storage(\\s|$)"
line: "blacklist usb-storage"
create: true
mode: '0600'
mode: 'u-x,go-rwx'
when:
- amzn2023cis_rule_1_1_9
tags:
12 changes: 6 additions & 6 deletions tasks/section_1/cis_1.7.x.yml
Expand Up @@ -6,7 +6,7 @@
dest: /etc/motd
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
when:
- amzn2023cis_rule_1_7_1
tags:
Expand All @@ -22,7 +22,7 @@
dest: /etc/issue
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
when:
- amzn2023cis_rule_1_7_2
tags:
Expand All @@ -39,7 +39,7 @@
dest: /etc/issue.net
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
when:
- amzn2023cis_rule_1_7_3
tags:
Expand All @@ -56,7 +56,7 @@
path: /etc/motd
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
when:
- amzn2023cis_rule_1_7_4
tags:
Expand All @@ -72,7 +72,7 @@
path: /etc/issue
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
when:
- amzn2023cis_rule_1_7_5
tags:
Expand All @@ -88,7 +88,7 @@
path: /etc/issue.net
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'
when:
- amzn2023cis_rule_1_7_6
tags:
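Review bot: `'u-x,go-wx'` for /etc/motd, /etc/issue and /etc/issue.net (all six hunks in this file) removes write and execute bits but does not grant read to group/other the way the removed `'0644'` did, so a banner file created under a restrictive umask, or one that already lacked the read bits, stays readable only by root. The programs that display these banners normally run as root, so this is unlikely to break login banners, but it is a behavioural difference from the previous absolute mode that the PR does not mention. If world-readable banners are the intent, `mode: '0644'` or an explicit symbolic form such as `mode: 'u=rw,go=r'` guarantees it. Each enclosing task begins above its hunk.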
4 changes: 2 additions & 2 deletions tasks/section_2/cis_2.1.x.yml
Expand Up @@ -22,15 +22,15 @@
dest: /etc/chrony.d/chrony.conf
owner: root
group: root
mode: '0644'
mode: 'u-x,go-wx'

- name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1"
ansible.builtin.lineinfile:
path: /etc/sysconfig/chronyd
regexp: "^(#)?OPTIONS"
line: "OPTIONS=\"-u chrony\""
create: true
mode: '0644'
mode: 'u-x,go-wx'
when:
- amzn2023cis_rule_2_1_2
- not system_is_container
16 changes: 8 additions & 8 deletions tasks/section_3/cis_3.1.x.yml
Expand Up @@ -30,7 +30,7 @@
ansible.builtin.template:
src: "etc/modprobe.d/modprobe.conf.j2"
dest: "/etc/modprobe.d/{{ item }}.conf"
mode: '0600'
mode: 'u-x,go-rwx'
owner: root
group: root
loop:
Expand All @@ -42,7 +42,7 @@
regexp: "^(#)?blacklist {{ protocol }}(\\s|$)"
line: "blacklist {{ protocol }}"
create: true
mode: '0600'
mode: 'u-x,go-rwx'
vars:
protocol: dccp
when:
Expand All @@ -60,7 +60,7 @@
ansible.builtin.template:
src: "etc/modprobe.d/modprobe.conf.j2"
dest: "/etc/modprobe.d/{{ item }}.conf"
mode: '0600'
mode: 'u-x,go-rwx'
owner: root
group: root
loop:
Expand All @@ -72,7 +72,7 @@
regexp: "^(#)?blacklist {{ protocol }}(\\s|$)"
line: "blacklist {{ protocol }}"
create: true
mode: '0600'
mode: 'u-x,go-rwx'
vars:
protocol: sctp
when:
Expand All @@ -91,7 +91,7 @@
ansible.builtin.template:
src: "etc/modprobe.d/modprobe.conf.j2"
dest: "/etc/modprobe.d/{{ item }}.conf"
mode: '0600'
mode: 'u-x,go-rwx'
owner: root
group: root
loop:
Expand All @@ -103,7 +103,7 @@
regexp: "^(#)?blacklist {{ protocol }}(\\s|$)"
line: "blacklist {{ protocol }}"
create: true
mode: '0600'
mode: 'u-x,go-rwx'
vars:
protocol: rds
when:
Expand All @@ -121,7 +121,7 @@
ansible.builtin.template:
src: "etc/modprobe.d/modprobe.conf.j2"
dest: "/etc/modprobe.d/{{ item }}.conf"
mode: '0600'
mode: 'u-x,go-rwx'
owner: root
group: root
loop:
Expand All @@ -133,7 +133,7 @@
regexp: "^(#)?blacklist {{ protocol }}(\\s|$)"
line: "blacklist {{ protocol }}"
create: true
mode: '0600'
mode: 'u-x,go-rwx'
vars:
protocol: tipc
when:
16 changes: 8 additions & 8 deletions tasks/section_4/cis_4.1.x.yml
Expand Up @@ -22,7 +22,7 @@
path: /etc/crontab
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
when:
- amzn2023cis_rule_4_1_2
tags:
Expand All @@ -39,7 +39,7 @@
state: directory
owner: root
group: root
mode: '0700'
mode: 'u+x,go-rwx'
when:
- amzn2023cis_rule_4_1_3
tags:
Expand All @@ -56,7 +56,7 @@
state: directory
owner: root
group: root
mode: '0700'
mode: 'u+x,go-rwx'
when:
- amzn2023cis_rule_4_1_4
tags:
Expand All @@ -73,7 +73,7 @@
state: directory
owner: root
group: root
mode: '0700'
mode: 'u+x,go-rwx'
when:
- amzn2023cis_rule_4_1_5
tags:
Expand All @@ -89,7 +89,7 @@
state: directory
owner: root
group: root
mode: '0700'
mode: 'u+x,go-rwx'
when:
- amzn2023cis_rule_4_1_6
tags:
Expand All @@ -105,7 +105,7 @@
state: directory
owner: root
group: root
mode: '0700'
mode: 'u+x,go-rwx'
when:
- amzn2023cis_rule_4_1_7
tags:
Expand Down Expand Up @@ -134,7 +134,7 @@
state: '{{ "file" if amzn2023cis_5_1_8_cron_allow_state.stat.exists else "touch" }}'
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
when:
- amzn2023cis_rule_4_1_8
tags:
Expand Down Expand Up @@ -163,7 +163,7 @@
state: '{{ "file" if amzn2023cis_5_1_9_at_allow_state.stat.exists else "touch" }}'
owner: root
group: root
mode: '0600'
mode: 'u-x,go-rwx'
when:
- amzn2023cis_rule_4_1_9
tags: