diff --git a/defaults/main.yml b/defaults/main.yml index 700c969..da56799 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -441,6 +441,13 @@ expected_tmp_mnt: fstab # Options are "remove" or "mask" debian11cis_autofs: mask debian11cis_allow_usb_storage: false +# We have found that some systems may have UAS kernel running and if it is +# usb-storage will fail to be removed which is control 1.1.10. By default This +# is set to false. By having this set to false control 1.1.10 will run but if UAS +# Is loaded you will receive a warning message instead of usb-storage being removed +# and the playbook will have to be re-run with this switch set to true. +# Default: false +debian11cis_uas_remove: false # Control 1.3.1 - allow aide to be configured debian11cis_config_aide: true diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 978cb7f..9114575 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
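Review bot: The comment above `debian11cis_uas_remove` should say plainly what the default means for the control: with uas loaded and this left `false`, control 1.1.10 is not remediated on that host, usb-storage stays loaded, and the only signal is a warning counted in the run summary. I would replace the five-line comment with `# If the uas (USB Attached SCSI) module is loaded, usb-storage cannot be unloaded and control 1.1.10 only warns.` followed by `# Set to true to have the prelim tasks unload and blacklist uas so 1.1.10 can be fully remediated. Default: false`. The current text ("usb-storage will fail to be removed which is control 1.1.10", "By default This", "Is loaded") reads awkwardly and mixes capitalisation mid-sentence. It would also help to note why this is opt-in: unloading uas on a host with a UAS disk in use will most likely fail with the module busy, so the operator has to choose the moment.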
@@ -236,3 +236,44 @@ - debian11cis_ufw_use_sysctl tags: - always + +- name: "Optional | PATCH | Check for UAS running for usb-storage" + block: + - name: "Optional | AUDIT | Check if UAS kernel module is running" + ansible.builtin.shell: "lsmod | grep uas" + register: discovered_uas_status + changed_when: false + failed_when: false + ignore_errors: true + - block: + - name: "Optional | PATCH | Set UAS config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/uas.conf + regexp: '^install uas' + line: 'install uas /bin/true' + create: true + + - name: "Optional | PATCH | Blacklist usb-storage" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + line: 'blacklist uas' + insertafter: EOF + + - name: "Optional | PATCH | Remove usb-storage module" + community.general.modprobe: + name: uas + state: absent + when: + - ansible_connection != 'docker' + notify: Update_Initramfs + when: + - discovered_uas_status.rc == 0 + - not debian11cis_allow_usb_storage + - debian11cis_uas_remove + when: + - debian11cis_rule_1_1_10 + tags: + - level1-server + - level2-workstation + - patch + - always diff --git a/tasks/section_1/cis_1.1.10.yml b/tasks/section_1/cis_1.1.10.yml index b6405c4..661fde9 100644 --- a/tasks/section_1/cis_1.1.10.yml +++ b/tasks/section_1/cis_1.1.10.yml 
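Review bot: With `debian11cis_uas_remove: true` the first run still cannot remediate 1.1.10, because `discovered_uas_status` is registered before the `Remove usb-storage module` task unloads uas, and cis_1.1.10.yml later tests the stale `rc == 0` and emits the warning instead of removing usb-storage; re-registering the fact after the modprobe task (below) lets the same run proceed, which the defaults comment currently works around by asking for a re-run. The probe itself should be anchored, `lsmod | grep -qw '^uas'`, since a bare `grep uas` also matches the "Used by" column (e.g. `usb_storage ... uas`) and any module whose name contains that substring. The inner task names `Blacklist usb-storage` and `Remove usb-storage module` act on `uas`, not usb-storage, so they should say so; `ignore_errors: true` is redundant once `failed_when: false` is set. If a UAS device is actually in use, `modprobe -r uas` will presumably fail and abort the play, so a `failed_when`/warning path for that case is worth considering.

```yaml
      # … unchanged: uas.conf and blacklist.conf lineinfile tasks …
      - name: "Optional | PATCH | Remove uas module"
        # … unchanged: community.general.modprobe uas absent, docker guard …

      # Re-check so cis_1.1.10.yml sees the post-removal state in this run
      - name: "Optional | AUDIT | Re-check if UAS kernel module is running"
        ansible.builtin.shell: "lsmod | grep -qw '^uas'"
        register: discovered_uas_status
        changed_when: false
        failed_when: false
```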
@@ -2,28 +2,56 @@ - name: "1.1.10 | PATCH | Disable USB Storage" block: - - name: "1.1.10 | PATCH | Disable USB Storage | Set modprobe config" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/usb_storage.conf - regexp: '^install usb-storage' - line: 'install usb-storage /bin/true' - create: true + - block: + - name: "1.1.10 | PATCH | Disable USB Storage | Set modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/usb_storage.conf + regexp: '^install usb-storage' + line: 'install usb-storage /bin/true' + create: true - - name: "1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage" - ansible.builtin.lineinfile: - path: /etc/modprobe.d/blacklist.conf - line: 'blacklist usb-storage' - insertafter: EOF + - name: "1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + line: 'blacklist usb-storage' + insertafter: EOF - - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module" - community.general.modprobe: - name: usb-storage - state: absent - when: ansible_connection != 'docker' - notify: Update_Initramfs + - name: "1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module" + community.general.modprobe: + name: usb-storage + state: absent + when: ansible_connection != 'docker' + when: + - debian11cis_rule_1_1_10 + - not debian11cis_allow_usb_storage + - discovered_uas_status.rc != 0 + notify: Update_Initramfs + + - name: "1.1.10 | AUDIT | Disable USB Storage | Warning Message" + ansible.builtin.debug: + msg: + - "Warning!! USB Attached SCSI (UAS) support is still detected." + - "Removing UAS may cause performance issues or prevent certain USB devices from functioning correctly." + - "UAS provides higher speeds and better I/O performance compared to traditional USB mass storage" + - "Ensure that this action is intentional and consider testing on non-critical systems before applying in production." 
+ - "Please review your setting for variable debian11cis_uas_remove and make sure it is set to true" + - "And rerun the Ansible playbook to properly remove usb_storage." + when: + - debian11cis_rule_1_1_10 + - not debian11cis_allow_usb_storage + - discovered_uas_status.rc == 0 + + - name: "1.1.10 | WARN | Disable USB Storage | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '1.1.10' + when: + - debian11cis_rule_1_1_10 + - not debian11cis_allow_usb_storage + - discovered_uas_status.rc == 0 when: - debian11cis_rule_1_1_10 - - not debian11cis_allow_usb_storage tags: - level1-server - level2-workstation diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 60bdde7..64c8377 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -65,7 +65,7 @@ path: /etc/shadow owner: root group: root - mode: 0000 + mode: 0640 when: - debian11cis_rule_6_1_5 tags: @@ -80,7 +80,7 @@ path: /etc/shadow- owner: root group: root - mode: 0000 + mode: 0640 when: - debian11cis_rule_6_1_6 tags: @@ -95,7 +95,7 @@ path: /etc/gshadow owner: root group: root - mode: 0000 + mode: 0640 when: - debian11cis_rule_6_1_7 tags: @@ -110,7 +110,7 @@ path: /etc/gshadow- owner: root group: root - mode: 0000 + mode: 0640 when: - debian11cis_rule_6_1_8 tags:
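Review bot: When uas is loaded and `debian11cis_uas_remove` is left at its default, the inner block's `when` skips the whole remediation, so neither `/etc/modprobe.d/usb_storage.conf` nor the `blacklist usb-storage` line is written and the host ends up with no persistent disable at all, even though only the live `modprobe -r usb-storage` step actually depends on uas being gone. Drop `- discovered_uas_status.rc != 0` from the inner block's `when` and move it onto the `Remove usb-storage module` task, `when: [ansible_connection != 'docker', discovered_uas_status.rc != 0]`, so the modprobe config, blacklist entry and `Update_Initramfs` handler still land and take effect on the next boot while the warning still tells the operator the running module remains. The inner `when` also repeats `debian11cis_rule_1_1_10`, which the enclosing block already checks. Both branches dereference `discovered_uas_status.rc` unconditionally; since that fact is only set by the prelim task, a `discovered_uas_status is defined` guard (or `| default({'rc': 1})`) would avoid an undefined-variable failure if prelim is ever skipped.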
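Review bot: The mode change for `/etc/shadow` leaves `group: root` in place, and on Debian the shipped ownership is `root:shadow 0640`; setgid-`shadow` helpers such as `unix_chkpwd` (used by PAM and screen lockers to verify a non-root user's own password) read the file through that group, so `root:root 0640` can break them while `root:shadow 0640` already satisfies the CIS 6.1.5 requirement (owner root, group root or shadow, 0640 or more restrictive) — consider `group: shadow`, and the same applies to the 6.1.6–6.1.8 hunks below. Quote the mode, `mode: '0640'`, so the YAML loader does not turn the octal literal into the integer 416 and ansible-lint's risky-octal rule is not triggered. Since 0000 was stricter than 0640 and the new value is the benchmark's ceiling rather than its floor, the relaxation deserves one line of justification in the commit message.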