From 5da13aa9b4c197e33a6f82eadff4f25ce66bd3b0 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 21 Jan 2025 16:54:48 +0000
Subject: [PATCH 1/3] updated logic on 5.2.3 inline with #4

Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.2.x.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index aa70032..1452172 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -41,9 +41,8 @@
 - NIST800-53R5_AU-12
 ansible.builtin.lineinfile:
 path: /etc/sudoers
- regexp: ^(Defaults\s*)logfile=
- line: \1logfile="{{ deb12cis_sudolog_location }}"
- backrefs: true
+ regexp: ^Defaults\s*logfile=
+ line: Defaults logfile="{{ deb12cis_sudolog_location }}"
 validate: '/usr/sbin/visudo -cf %s'

 - name: "5.2.4 | PATCH | Ensure users must provide password for escalation"

From 23a81886a3c4387a688ff17e0310222bbc434c99 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 21 Jan 2025 17:37:30 +0000
Subject: [PATCH 2/3] Fixed errors in variable for search_path

Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 29da1c4..353bf87 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
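Review bot: The new `regexp: ^Defaults\s*logfile=` only matches a Defaults line whose first option is logfile, so an existing `Defaults use_pty,logfile=...` style entry (valid sudoers syntax, and the form the CIS audit regex accepts) is left in place and a second logfile line is appended at end of file; sudo appears to apply the later definition, so the setting still lands, but the duplicate survives every run, and `\s*` also admits `Defaultslogfile=` with no separator, so `\s+` is the safer quantifier. Drop-ins under `/etc/sudoers.d/` are not touched by this task at all, and because `@includedir` is normally the last line of `/etc/sudoers`, a drop-in that sets its own logfile is processed after the line added here and would override it. Suggest the comment `# Only /etc/sudoers is rewritten; a logfile= in /etc/sudoers.d/* (read after @includedir) still wins and must be audited separately.` above the task. The enclosing task starts outside the hunk.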
@@ -1305,17 +1305,17 @@ deb12cis_auditd_extra_conf:
 # Section 7 Vars
 # 7.1.12 Ensure no files or directories without an owner and a group exist
-deb12cis_exclude_unowned_search_path: '! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/fs/cgroup/memory/*" -a ! -path "/var/*/private/*"'
+deb12cis_exclude_unowned_search_path: '\( ! -path "/run/user/*" -a ! -path "/proc/*" -a ! -path "*/containerd/*" -a ! -path "*/kubelet/pods/*" -a ! -path "*/kubelet/plugins/*" -a ! -path "/sys/fs/cgroup/memory/*" -a ! -path "/var/*/private/*" \)'
 # Control 7.1.12
 # The value of this variable specifies the owner that will be set for unowned files and directories.
 deb12cis_unowned_owner: root
 deb12cis_ungrouped_group: root
 # This variable is a toggle for enabling/disabling the automated
-# setting of an owner (specified in variable `deb12cis_unowned_owner`)
-# for all unowned files and directories.
+# setting of an owner or group (specified in variable `deb12cis_unowned_owner`)
+# for all unowned or ungrouped files and directories.
 # Possible values are `true` and `false`.
-deb12cis_ownership_adjust: true
+deb12cis_ownership_adjust: false
 ## Control 7.1.13
 # This variable is a toggle for enabling/disabling the automated removal

From 87ee7aa9ff5381f843da83bdd5079b8cf34173dc Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 21 Jan 2025 17:37:58 +0000
Subject: [PATCH 3/3] updated 7.1.2 based on issue#5

Signed-off-by: Mark Bolwell
---
 tasks/section_7/cis_7.1.x.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml
index 93e4ed9..4d1a490 100644
--- a/tasks/section_7/cis_7.1.x.yml
+++ b/tasks/section_7/cis_7.1.x.yml
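Review bot: The rewritten comment on `deb12cis_ownership_adjust` says the owner or group is "specified in variable `deb12cis_unowned_owner`", but the group value comes from `deb12cis_ungrouped_group`, defined a few lines above in the same hunk; the comment should name both, e.g. `# setting of an owner or group (specified in variables `deb12cis_unowned_owner` and `deb12cis_ungrouped_group`)`. Flipping the default to `false` appears to make a fresh run report unowned and ungrouped paths without changing them, which is a sensible default for a change that rewrites ownership across a mount, but it deserves one sentence in the comment so operators know the remediation is now opt-in. The new `deb12cis_exclude_unowned_search_path` value only works if the consumer splits it shlex-style so that `\(` and the quoted globs reach find unexpanded; a note that it is spliced verbatim into a find invocation and must stay a well-formed, parenthesised find expression would help the next person who edits it.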
@@ -209,7 +209,7 @@
 warn_control_id: '7.1.12'
 block:
 - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
- ansible.builtin.command: find ({{ deb12cis_exclude_unowned_search_path }}) {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
+ ansible.builtin.command: find {{ item.mount }} -xdev -type f {{ deb12cis_exclude_unowned_search_path }} \( -nouser -o -nogroup \) -not -fstype nfs
 changed_when: false
 failed_when: false
 check_mode: false
@@ -240,7 +240,7 @@
 ansible.builtin.file:
 path: "{{ item }}"
 owner: "{{ deb12cis_unowned_owner }}"
- group: "{{ deb12cis_unowned_group }}"
+ group: "{{ deb12cis_ungrouped_group }}"
 with_items:
 - "{{ discovered_unowned_files_flatten }}"
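Review bot: The new find line adds `-type f`, which narrows 7.1.12 to regular files although the control (and the task name on the line above) covers files and directories; unowned directories and symlinks are now neither discovered nor remediated, and an orphaned directory is exactly what a later account created with the recycled UID or GID silently inherits. Unless issue #5 deliberately asked for this, drop the predicate: `ansible.builtin.command: find {{ item.mount }} -xdev {{ deb12cis_exclude_unowned_search_path }} \( -nouser -o -nogroup \) -not -fstype nfs`; if it is intentional, record the reason in a comment above the task so the gap from the CIS audit is visible. It is also worth a short comment that `deb12cis_exclude_unowned_search_path` is spliced into the argument vector unparsed and therefore has to remain a well-formed parenthesised find expression. The rest of this task continues outside the hunk.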