ansible-lockdown / ubuntu20-cis


Ansible role for the Ubuntu 20.04 CIS Baseline

Home Page: https://ansible-lockdown.readthedocs.io/en/latest/

License: MIT License

Jinja 10.85% YAML 89.15%
security ansible-role ubuntu2004 security-hardening cis ansible security-automation compliance-as-code ubuntu-server benchmark

ubuntu20-cis's Introduction

Ubuntu 20 CIS

Configure an Ubuntu 20.04 machine to be CIS compliant

Based on CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.1 Release



Looking for support?

Lockdown Enterprise

Ansible support

Community

Join our Discord server to ask questions, discuss features, or just chat with other Ansible-Lockdown users

Caution(s)

This role will make changes to the system that could break things. This is not an auditing tool but rather a remediation tool, to be used after an audit has been conducted.

This role was developed against a clean install of the operating system. If you are implementing it on an existing system, please review this role for any site-specific changes that are needed.

Documentation

Requirements

General:

  • Basic knowledge of Ansible; below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible

  • Functioning Ansible and/or Tower installed, configured, and running. This includes all of the base Ansible/Tower configuration, needed packages installed, and infrastructure set up.

  • Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file.

Technical Dependencies:

  • Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer)

  • Python3 Ansible run environment

Auditing (new)

This can be turned on or off within the defaults/main.yml file with the variable run_audit. The value is false by default; please refer to the wiki for more details.

This is a much quicker, very lightweight check of config compliance and, where possible, of the live/running settings.

A new form of auditing has been developed using a small (12MB) Go binary called goss along with the relevant configurations to check, without the need for infrastructure or other tooling. This audit not only checks that the config has the correct setting but also aims to capture whether the system is actually running with that configuration, removing false positives in the process.

Refer to UBUNTU20-CIS-Audit.

Further audit documentation can be found at Read The Docs

Role Variables

This role is designed so that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc.

Branches

  • devel - This is the default branch and the working development branch. Community pull requests will pull into this branch
  • main - This is the release branch
  • reports - This is a protected branch for our scoring reports, no code should ever go here
  • gh-pages - This is the github pages branch
  • all other branches - Individual community member branches

Community Contribution

We encourage you (the community) to contribute to this role. Please read the rules below.

  • Your work is done in your own individual branch. Make sure to sign off (Signed-off-by) and GPG-sign all commits you intend to merge.
  • All community Pull Requests are pulled into the devel branch
  • Pull Requests into devel will confirm that your commits carry a GPG signature and a Signed-off-by line and that a functional test passes before being approved
  • Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release

Pipeline Testing

uses:

  • ansible-core 2.12
  • ansible collections - pulls in the latest version based on requirements file
  • runs the audit using the devel branch
  • This is an automated test that occurs on pull requests into devel

Added Extras

  • pre-commit checks can be run from within the repository directory:
pre-commit run

ubuntu20-cis's People

Contributors

arousseau-coveo, bad, carnells, dalehenries, dderemiah, diepes, georgenalen, kdebisschop, mrsteve81, pre-commit-ci[bot], tekchansin, uk-bolly


ubuntu20-cis's Issues

Ensure Root Path Integrity

Control 6.2.3 - Ensure root PATH Integrity

We need to figure out the jinja2 filter to use. I pull the paths from $PATH. The control wants all of those paths to exist so I do a stat on them. Which creates a multi dictionary. I can have it do what I need but I want to message out the list of paths that don't exist. I can get it to list the "exists" value or the "item" value with the map(attribute) however I can't list the "item" value if "exists" is false. This is the gist of what I'm trying to do: {{ ubtu18cis_6_2_7_path_stat.results | selectattr('stat.exists','equalto','false') | map(attribute='item') | list }}. Item is the path even if the file doesn't exist and is in ubtu18cis_6_2_7_path_stat.results.item in the tree and the exists is in ubtu18cis_6_2_7_path_stat.results.stat.exists of the tree. With that I'm trying to just get the dictionary items where exists is false and list the item value. Hopefully that makes sense, I've done that before with single dictionary things but I can't figure out with the multiple dict stuff.
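The check the issue above is building, as an added example that is not code from the ansible-lockdown role or from the issue author. It builds the same shape of data a registered Ansible `stat` loop produces (`item` plus `stat.exists`), shows the boolean selection the reporter is after (in Jinja that is `rejectattr('stat.exists') | map(attribute='item') | list`; `equalto 'false'` compares against the string 'false', which a boolean never equals), and then applies the remaining conditions CIS 6.2.3 flags for root's PATH. Function names and the constructed PATH value are assumptions.

```python
"""Root PATH integrity check in the spirit of CIS Ubuntu 20.04 control 6.2.3."""
import os
import stat
import tempfile


def stat_path_entries(path_value):
    """One record per PATH entry, shaped like an Ansible ``stat`` loop result."""
    results = []
    for entry in path_value.split(":"):
        rec = {"item": entry, "stat": {"exists": False}}
        if entry and os.path.isdir(entry):
            st = os.stat(entry)
            rec["stat"] = {"exists": True, "mode": st.st_mode, "uid": st.st_uid}
        results.append(rec)
    return results


def missing_entries(stat_results):
    """Items whose stat.exists is the boolean False (the issue's selection)."""
    return [r["item"] for r in stat_results if r["stat"]["exists"] is False]


def path_integrity_findings(path_value, stat_results=None):
    """(entry, reason) pairs for every condition the control objects to."""
    if stat_results is None:
        stat_results = stat_path_entries(path_value)
    findings = []
    if "::" in path_value:
        findings.append(("", "empty directory (::) in PATH"))
    if path_value.endswith(":"):
        findings.append(("", "trailing colon in PATH"))
    for rec in stat_results:
        entry, st = rec["item"], rec["stat"]
        if entry == "":
            continue  # already reported by the raw-string checks above
        if entry == ".":
            findings.append((entry, "current directory in PATH"))
        elif not st["exists"]:
            findings.append((entry, "directory does not exist"))
        else:
            if st["uid"] != 0:
                findings.append((entry, "not owned by root"))
            if st["mode"] & stat.S_IWGRP:
                findings.append((entry, "group-writable"))
            if st["mode"] & stat.S_IWOTH:
                findings.append((entry, "world-writable"))
    return findings


def demo():
    """Constructed PATH: a world-writable temp dir, a missing dir, '.', trailing colon."""
    loose = tempfile.mkdtemp(prefix="cis623-")
    os.chmod(loose, 0o777)
    path_value = f"{loose}:/nonexistent/cis-6-2-3:.:"
    results = stat_path_entries(path_value)
    return missing_entries(results), path_integrity_findings(path_value, results)


if __name__ == "__main__":
    missing, findings = demo()
    print("missing:", missing)
    for entry, reason in findings:
        print(f"{entry or '<empty>'}: {reason}")
```

Run it as root against `/root`'s actual PATH by swapping the constructed value for `os.environ["PATH"]`; the "not owned by root" finding only makes sense in that context.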

The functionality of tasks/parse_etc_password.yml is redundant.

Feature Request or Enhancement
Remove redundant code.

Summary of Request
The loop is not necessary because each iteration does the same. In other words, the iteration variable item isn't used at all.

        set_fact:
            ubtu20cis_passwd: "{{ ubtu20cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
        with_items: "{{ ubtu20cis_passwd_file_audit.stdout_lines }}"

Describe alternatives you've considered

Alternatively use module ansible.builtin.getent

Suggested Code

        set_fact:
            ubtu20cis_passwd: "{{ ubtu20cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"

Typo in default/main.yml file

I feel this is minor as people should be going through the list to see what each control is, but I figured I would mention it anyway in case people are pulling this via git in something like AWX/Tower. It appears as though both devel and main branches have the typo.

Line 325:

ubtu20cis_squid_server: fase

should be

ubtu20cis_squid_server: false

TMOUT set twice, giving readonly warning

Describe the Issue
TMOUT is set twice in /etc/profile.d/tmout.sh, causing a warning when starting shells.

Expected Behavior
TMOUT should be set once

Actual Behavior
At login, this warning is given:

bash: TMOUT: readonly variable

Control(s) Affected
Session timeout - CIS ID 5.5.5

Environment (please complete the following information):

  • Any

Additional Notes
A fix for this was taken in #44, but it appears to have been merged incorrectly, giving both the unconditional line and the conditional one:

        TMOUT={{ ubtu20cis_shell_session_timeout.timeout }}
        # only set TMOUT if it isn't set yet to avoid a shell error
        : ${TMOUT={{ ubtu20cis_shell_session_timeout.timeout }}}

Possible Solution
Remove first TMOUT line.

CIS 5.5.4 uses replace instead of lineinfile for some tasks and misses applying umask in some files

Describe the Issue
The tasks for CIS 5.5.4 are inconsistent (some use lineinfile and some use replace), which results in some files not having the proper umask added if a line is not already present in the file.

Expected Behavior
CIS 5.5.4 tasks should be consistent and ensure the necessary umask settings are added/updated to all files noted in the CIS criteria, including:

  • /etc/bashrc
  • /etc/profile
  • /etc/profile.d/*.sh files

Actual Behavior
For example I'm working with the Ubuntu 20.04 public cloud AMIs and /etc/profile does not have a umask line by default. When the UBUNTU20-CIS Ansible role is run it fails to add the necessary umask setting in /etc/profile because the task uses a replace instead of lineinfile

Control(s) Affected

  • AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive

Environment (please complete the following information):

  • Ansible Version: 5.3.0
  • Host Python Version: 3.8
  • Ansible Server Python Version: 3.10.2
  • Additional Details:

Additional Notes
Anything additional goes here

Possible Solution
CIS 5.5.4 tasks should be updated to use lineinfile to handle cases where a file may not already have a umask setting in place. It appears that is how https://github.com/ansible-lockdown/UBUNTU18-CIS handles this criteria

Task 4.1.12 overwrites Ubuntu original audit.rules

Task 4.1.12 creates the file /etc/audit/rules.d/audit.rules and that way overwrites the Ubuntu original default audit.rules, removing the rules below, which might not be necessary, but at least introducing them back fixes concatenation problems with the rest of the rules.

If this is intentional then this issue is unnecessary.

Ubuntu 20.04 original /etc/audit/rules.d/audit.rules:

## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 0

## Set failure mode to syslog
-f 1

We have tested this on a freshly installed Ubuntu 20.04 but I think the same happens with the Ubuntu 18.04 lockdown too.

Thank you for helping make my job easier and keep going.

Kind Regards,
Timo Snellman

Network devices prelim task failure (devel branch)

Describe the Issue
When attempting to run the role from the devel branch, I am getting this bit executed:

- name: "PRELIM | Find wireless network devices"
  ansible.builtin.shell: find /sys/class/net/*/wireless | awk -F'/' awk '{print $5}'
  failed_when: wireless_interfaces.rc not in [ 0, 2 ]
  changed_when: false
  register: wireless_interfaces
  when:
    - ubtu20cis_rule_3_1_2
  tags:
    - rule_3.1.2
    - section3

Then it should have registered a value in wireless_interfaces for it to be used with the next task:

- name: "PRELIM | Install Network-Manager"
  ansible.builtin.package:
    name: network-manager
    state: present
  when:
    - wireless_interfaces.stdout | length > 0
    - ubtu20cis_install_network_manager
    - ubtu20cis_rule_3_1_2
    - not ubtu20cis_system_is_container
  tags:
    - rule_3.1.2
    - section3

But it throws me an error, see details below.

Expected Behavior
The prelim task to not fail when there are not network adapters or perhaps just run this not as prelim but as a regular role task.

Actual Behavior
fatal: [default]: FAILED! => {"msg": "The conditional check 'wireless_interfaces.stdout | length > 0' failed. The error was: error while evaluating conditional (wireless_interfaces.stdout | length > 0): 'dict object' has no attribute 'stdout'
The error appears to be in '/root/.ansible/roles/ubuntu-20-lockdown/tasks/prelim.yml': line 56, column 3, but may be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:

- name: "PRELIM | Install Network-Manager"\n ^ here\n"}

Control(s) Affected
Rule 3_1_2

Possible Solution
main branch already doesn't have that added to prelim, perhaps doing it that way would be great.

**My role vars**

    - role: ubuntu-20-lockdown
      vars:
        ubtu20cis_warning_banner: "{{ banner_text }}"
        ansible_python_interpreter: /usr/bin/python3
        ubtu20cis_grub_pw: "grub.pbkdf2.sha512.10000.{{ ansible_ops_cred }}"
        ubtu20cis_set_root_password: false

        # Disable LVL 2 CIS tasks:
        ubtu20cis_rule_1_1_10: false
        ubtu20cis_rule_1_1_11: false
        ubtu20cis_rule_1_1_15: false
        ubtu20cis_rule_1_1_16: false
        ubtu20cis_rule_1_1_1_6: false
        ubtu20cis_rule_1_1_17: false
        ubtu20cis_rule_1_6_1_4: false
        ubtu20cis_rule_1_8_1: false
        ubtu20cis_rule_3_1_1: false
        ubtu20cis_rule_3_4_1: false
        ubtu20cis_rule_3_4_2: false
        ubtu20cis_rule_3_4_3: false
        ubtu20cis_rule_3_4_4: false
        ubtu20cis_rule_4_1_1_4: false
        ubtu20cis_rule_5_3_20: false
        ubtu20cis_rule_5_3_6: false
        ubtu20cis_rule_6_1_1: false

**Additional Notes**
I would love to use the main branch but that one has the known bug which was fixed on devel:
2023-03-06T15:55:38Z: ubuntu20-ami-build.amazon-ebs.ubuntu_20_ami: TASK [ubuntu-20-lockdown : AUTOMATED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked] ***
2023-03-06T15:55:39Z: ubuntu20-ami-build.amazon-ebs.ubuntu_20_ami: fatal: [default]: FAILED! => {"changed": false, "msg": "Will not manage /etc/crontab via cron_file, see documentation."}

Open Firewall Ports (incoming)

  • Feature [x]

Summary of Request
Right now the ansible scripts allow you to open outgoing firewall ports; however, most of the time the configuration of incoming ports is more relevant. For this the ansible role could have a variable ubtu20cis_ufw_allow_in_ports which is used to programmatically configure incoming ports in a similar fashion.

Describe alternatives you've considered
To implement this feature we currently perform the firewall opening as extra steps after the ansible-lockdown role is run.

Suggested Code

- name: "add incoming ports"
  ufw:
    rule: allow
    direction: in
    to_port: '{{ item }}'
  with_items:
    - "{{ ubtu20cis_ufw_allow_in_ports }}"
  notify: reload ufw

Rule 5.4.2 makes changes that cannot pass the test for the rule itself

Describe the Issue
Rule 5.4.2 looks for a pattern in /etc/pam.d/common-auth and changes a line to meet a regular expression. But the line it is changed to is not consistent with the line it searches for, so it will result in multiple lines addressing the same concern.

The test looks for regexp

^auth\s+required pam_tally2 .*onerr=fail.*

But it inserts:

auth required pam_tally2.so {{ ubtu20cis_pamtally2_login_opts }}

Since the insert "pam_tally2.so[:space:]" can never match the search "pam_tally2[:space:]", the PATCH will apply every time the rule is run.

Expected Behavior
If a matching line is found, it is updated to the specified content rather than inserting a new line

Actual Behavior
A new line gets inserted which does not match the test expression (in worst case, this new line will get inserted on every test run).

Control(s) Affected
5.4.2

Environment (please complete the following information):

  • Ansible Version: 2.14.4
  • Host Python Version: 3.8.10
  • Ansible Server Python Version: 3.11.2
  • Additional Details:

Additional Notes
Anything additional goes here

Possible Solution
Make regex match the inserted line.

PR coming.

Set Bootloader PW

Control 1.5.1 - Ensure bootloader password is set

You need to set the boot loader pw for grub. There is a custom module for RHEL that is used for this task. I was not able to get it working with Ubuntu, I am not sure why. We can use shell/command with the grub-mkpasswd-pbkdf2 command. However that command requires a password to be entered twice and I haven't found a good way to work that on the ansible side. The custom module creates a randomized pw to use and hides that random pw, which is great and what I hope to get for this.
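A way around the two-prompt problem the issue describes, as an added example that is not code from the role and not the RHEL custom module mentioned above. It produces the same string format `grub-mkpasswd-pbkdf2` prints (`grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>`, with the tool's defaults of 10000 iterations, a 64-byte salt and 64-byte PBKDF2-HMAC-SHA512 output) without any interactive input, and can verify a password against such a string. A random password can therefore be generated, hashed and discarded in one step. Function names are assumptions.

```python
"""Non-interactive GRUB2 PBKDF2 password hash generation and verification."""
import hashlib
import hmac
import secrets

GRUB_PREFIX = "grub.pbkdf2.sha512"
DEFAULT_ITERATIONS = 10000  # grub-mkpasswd-pbkdf2 default for -c
SALT_LEN = 64               # grub-mkpasswd-pbkdf2 default for -s, in bytes


def random_password(nbytes=24):
    """A throwaway bootloader password; only its hash is kept."""
    return secrets.token_urlsafe(nbytes)


def grub_pbkdf2_hash(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return the string GRUB expects after 'password_pbkdf2 <user>'."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"{GRUB_PREFIX}.{iterations}.{salt.hex().upper()}.{dk.hex().upper()}"


def grub_pbkdf2_verify(password, hash_string):
    """Constant-time check of a password against a grub.pbkdf2.sha512 string."""
    parts = hash_string.split(".")
    if len(parts) != 6 or ".".join(parts[:3]) != GRUB_PREFIX:
        return False
    try:
        iterations = int(parts[3])
        salt = bytes.fromhex(parts[4])
        expected = bytes.fromhex(parts[5])
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    pw = random_password()
    h = grub_pbkdf2_hash(pw)
    # The hash is what goes into the grub configuration; the plaintext only needs
    # to live long enough to be stored wherever the site keeps such secrets.
    print(h)
    print("verify:", grub_pbkdf2_verify(pw, h))
```

The output string is what a `password_pbkdf2 root <hash>` line in the grub configuration consumes, which is the same shape the `ubtu20cis_grub_pw` variable shown elsewhere on this page carries.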

Rule 1.3.2 remediation doesn't allow you to edit /etc/crontab file

- name: "AUTOMATED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked"
  cron:
      name: Run AIDE integrity check
      cron_file: "{{ ubtu20cis_aide_cron['cron_file'] }}"
      user: "{{ ubtu20cis_aide_cron['cron_user'] }}"
      minute: "{{ ubtu20cis_aide_cron['aide_minute'] | default('0') }}"
      hour: "{{ ubtu20cis_aide_cron['aide_hour'] | default('5') }}"
      day: "{{ ubtu20cis_aide_cron['aide_day'] | default('*') }}"
      month: "{{ ubtu20cis_aide_cron['aide_month'] | default('*') }}"
      weekday: "{{ ubtu20cis_aide_cron['aide_weekday'] | default('*') }}"
      job: "{{ ubtu20cis_aide_cron['aide_job'] }}"
  when:
      - ubtu20cis_rule_1_3_2
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - rule_1.3.2
      - cron

Error:

TASK [UBUNTU20-CIS : AUTOMATED | 1.3.2 | PATCH | Ensure filesystem integrity is regularly checked] ********************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Will not manage /etc/crontab via cron_file, see documentation."}

cron_file parameter refers to /etc/crontab but according to the ansible docs, it does not allow editing of /etc/crontab

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/cron_module.html#parameter-cron_file

Current ansible version is 2.12.1

Rule 1.4.1 typo and doesn't work unless lines already exist (cis_2.0.1 branch)

Describe the Issue
Fails to create a bootloader line on fresh installs where the line doesn't already exist

Expected Behavior
Should create the bootloader line even if the entries are not there yet

Actual Behavior

Control(s) Affected
1.4.1 Ensure bootloader password

Environment (please complete the following information):

  • Ansible Version: ansible [core 2.15.2]
  • Host Python Version: Python 3.8.10
  • Ansible Server Python Version: Python 3.10.12
  • Additional Details: branch is cis_2.0.1

Additional Notes
Anything additional goes here

Possible Solution
Enter a suggested fix here

1.5.4 "Ensure core dumps are restricted": partially implemented

Describe the Issue
CIS v1.1.0 lists 3 remediation steps, but ansible-lockdown/UBUNTU20-CIS implements only one of them ("fs.suid_dumpable = 0")

Expected Behavior
should do all the remediation steps

Actual Behavior
does only 1/3 of the remediation steps in CIS Benchmark

Control(s) Affected

  • dunno

Environment (please complete the following information):

  • not applicable

Additional Notes

  • N/A

Possible Solution

  • N/A

Rule 6.2.12 has a unknown conditional

Describe the Issue
On line 412 there is a reference to ubtu20cis_dotperm_ansibleManaged but it doesn't exist in defaults/main.yaml and I'm not sure what its purpose is.

Expected Behavior
All variables should be in defaults/main.yml

Actual Behavior
rule 6.2.12 fails

Control(s) Affected
6.2.12

Environment (please complete the following information):

  • branch being used: [devel]
  • Ansible Version: [any]
  • Host Python Version: [any]
  • Ansible Server Python Version: [any]
  • Additional Details:

Additional Notes
Anything additional goes here

Possible Solution
Enter a suggested fix here

Add Rollback Functionality

Question
we've identified the need for a rollback mechanism. This is crucial for addressing emergency situations or issues that may arise post-hardening. Can I safely perform a rollback after hardening? If not, I would like to request the addition of a rollback feature.

Expected Steps

  1. Identify the specific changes made during the hardening process that need to be reverted during a rollback.
  2. Implement a playbook or playbook steps that will undo the hardening changes safely.
  3. Test the rollback functionality in various scenarios to ensure reliability.

Environment (please complete the following information):

  • Operating System: Ubuntu 20.04
  • Ansible 2.9+
  • Python 3.6+

Rule 4.4: create line is in the wrong place if there is none already

In the following rule

line: ' create {{ ubtu20cis_logrotate_create_settings }}'

the create statement will be placed on the wrong line if there is no create statement at the beginning of a line.
This doesn't work as it is ignored by logrotate.
Put the following rule instead:

    lineinfile:
      path: "{{ item.path }}"
      regexp: '^\s*create\s\s*[0-9]'
      line: 'create {{ ubtu20cis_logrotate_create_settings }}'
      insertbefore: '^}'
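The behaviour behind both the 5.5.4 umask report (replace vs lineinfile) and the 4.4 logrotate report (insertbefore), as an added example that is not code from the role or from either reporter. It models the two Ansible modules in a few lines of Python: `replace` rewrites only text that already matches, so it cannot add `umask 027` to a profile file that has no umask line; `lineinfile` replaces the last line its `regexp` matches or, failing that, inserts `line` (before the first `insertbefore` match, after the last `insertafter` match, else at end of file) and does nothing when `line` is already present. The sample file bodies, the umask regexp and the logrotate `create` value are constructed assumptions.

```python
"""Minimal models of ansible.builtin.replace and ansible.builtin.lineinfile."""
import re

PROFILE_NO_UMASK = (
    "# /etc/profile (constructed sample, modelled on a cloud image)\n"
    "if [ -d /etc/profile.d ]; then\n"
    "  for i in /etc/profile.d/*.sh; do . \"$i\"; done\n"
    "fi\n"
)
PROFILE_LOOSE_UMASK = PROFILE_NO_UMASK + "umask 022\n"
LOGROTATE_RSYSLOG = "/var/log/syslog\n{\n\trotate 7\n\tdaily\n\tmissingok\n}\n"

UMASK_REGEXP = r"^\s*umask\s"            # assumed task regexp
UMASK_LINE = "umask 027"
CREATE_REGEXP = r"^\s*create\s\s*[0-9]"  # the 4.4 report's regexp
CREATE_LINE = "create 0640 root utmp"    # assumed ubtu20cis_logrotate_create_settings


def replace_module(text, regexp, replacement):
    """ansible.builtin.replace: re.sub over the whole file, multiline."""
    return re.sub(regexp, replacement, text, flags=re.MULTILINE)


def lineinfile(text, line, regexp=None, insertbefore=None, insertafter=None):
    """ansible.builtin.lineinfile with state=present, for the options used here."""
    lines = text.splitlines()
    if regexp is not None:
        hits = [i for i, l in enumerate(lines) if re.search(regexp, l)]
        if hits:
            lines[hits[-1]] = line           # replace the last match
            return "\n".join(lines) + "\n"
    if line in lines:
        return text                           # already present, no change
    if insertbefore is not None:
        hits = [i for i, l in enumerate(lines) if re.search(insertbefore, l)]
        index = hits[0] if hits else len(lines)
    elif insertafter is not None:
        hits = [i for i, l in enumerate(lines) if re.search(insertafter, l)]
        index = hits[-1] + 1 if hits else len(lines)
    else:
        index = len(lines)
    lines.insert(index, line)
    return "\n".join(lines) + "\n"


def demo_umask(text):
    """Returns (result via replace, via lineinfile, via lineinfile run twice)."""
    via_replace = replace_module(text, r"^(\s*umask\s+)\d+", r"\g<1>027")
    once = lineinfile(text, UMASK_LINE, regexp=UMASK_REGEXP)
    twice = lineinfile(once, UMASK_LINE, regexp=UMASK_REGEXP)
    return via_replace, once, twice


def demo_logrotate(text=LOGROTATE_RSYSLOG):
    """The 4.4 suggestion: add 'create ...' inside the block, before the closing brace."""
    return lineinfile(text, CREATE_LINE, regexp=CREATE_REGEXP, insertbefore=r"^}")


if __name__ == "__main__":
    for label, text in (("no umask", PROFILE_NO_UMASK), ("umask 022", PROFILE_LOOSE_UMASK)):
        via_replace, once, _ = demo_umask(text)
        print(label, "| replace changed:", via_replace != text, "| lineinfile:", repr(once))
    print(demo_logrotate())
```

The second `demo_umask` value shows the property the 5.5.4 duplicate report below is really about: a regexp that matches the line it writes makes the task converge on the first run and stay put on the second.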

Task 5.5.4 created duplicates for pam_umask rule

Describe the Issue
Duplicate entries of the pam_umask.so line show up in the file after running the hardening on the hosts.

Expected Behavior
Line should only be added if the conditional is not met and the entry is not present in the configuration file already.

Actual Behavior
The line gets added anyways at the end of the file, causing duplicates. With that said, this is not an issue nor causes the system to fail.

Control(s) Affected
5.5.4: Ensure default user umask is 027 or more restrictive.

Environment (please complete the following information)

  • Ansible Version: ansible core 2.11.7
  • Host Python Version: Python 3.8.10
  • Ansible Server Python Version: Python 3.8.10
  • Additional Details: n/a

Additional Notes

Pre

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_umask.so
session required        pam_unix.so
session optional                        pam_sss.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional        pam_systemd.so

Post

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_umask.so
session required        pam_unix.so
session optional                        pam_sss.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional        pam_systemd.so
session optional                        pam_umask.so

Possible Solution
Simply changing the when condition to when: not ubtu20cis_5_5_4_umask_pam_status.stdout | length > 0 seems to solve the problem.

Additionally, this could be achieved by using the pamd module instead of lineinfile but this is purely personal.

      - name: AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive
        community.general.pamd:
          name: common-session
          type: session
          control: required
          module_path: pam_unix.so
          state: before
          new_type: session
          new_control: optional
          new_module_path: pam_umask.so
        when: not ubtu20cis_5_5_4_umask_pam_status.stdout | length > 0

Update to Version Tagging

Hello,
I wanted to give an update on a tagging change that will take place on the next release, scheduled at some point in May. Without realizing that Ansible Galaxy needs version numbers in the Semantic format that excludes the preceding โ€œvโ€, for example 1.2.1 vs v1.2., we have been using tags with the preceding v. This has caused our galaxy space to not update with our latest releases.

The plan going forward we plan to adjust the version number formatting on the first release for each repo in May. Please make note that if you are relying on release tags to keep up with latest versions, the numbering format will change. The cadence of the version numbers will continue and progress through as they have been, however the preceding โ€œvโ€ will be dropped from the tag.

George

The audit-related .rules-files miss a new line at EOF

Describe the Issue
The audit-related .rules files miss a newline at EOF. This produces a faulty configuration. It seems this has been fixed in the RHEL8 version, but the fix is missing in other versions of lockdown: ansible-lockdown/RHEL8-CIS@59fd82a

Expected Behavior
the audit .rules should have a new line at EOF

Actual Behavior
The audit-related .rules files generated by lockdown miss a newline at EOF. auditd generates a concatenated file using augenrules, and because of the missing newlines some rules are concatenated on the same line, which effectively causes syntax errors in the generated audit.rules file.

Control(s) Affected
What controls are being affected by the issue

Environment (please complete the following information):

  • not relevant

Additional Notes

  • not relevant

Possible Solution
add the missing new lines in the auditd rule-templates
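Why the missing newline corrupts the merged rules, as an added example that is not code from the role or the reporter. `augenrules --load` assembles /etc/audit/audit.rules by concatenating the /etc/audit/rules.d/*.rules files in name order (it also hoists a few control options such as -D and -b to the front; that detail is left out here). A file whose last line has no trailing newline therefore gets the next file's first rule glued onto it, which is the concatenation problem the 4.1.12 report above also ran into. The file contents and names below are constructed; the first one is modelled on the stock Ubuntu audit.rules quoted in that report.

```python
"""Simulate augenrules concatenation to show the effect of a missing EOF newline."""

RULES_D = {
    # written without a trailing newline on purpose
    "10-base.rules": "## First rule - delete all\n-D\n## Increase the buffers\n-b 8192\n"
                     "## Set failure mode to syslog\n-f 1",
    "50-time_change.rules": (
        "-a always,exit -F arch=b64 -S adjtimex,settimeofday -k time-change\n"
        "-w /etc/localtime -p wa -k time-change\n"
    ),
    "99-finalize.rules": "-e 2\n",
}


def augenrules_merge(rules_files):
    """Plain concatenation of {name: content} in sorted name order."""
    return "".join(rules_files[name] for name in sorted(rules_files))


def active_rules(merged):
    """The lines auditctl would actually parse: blanks and comments dropped."""
    return [l for l in merged.splitlines() if l.strip() and not l.lstrip().startswith("#")]


def files_missing_eof_newline(rules_files):
    """The check the report asks for: which .rules files end without '\\n'."""
    return sorted(name for name, content in rules_files.items()
                  if content and not content.endswith("\n"))


def fix_eof_newlines(rules_files):
    """The fix: append the newline where it is missing (idempotent)."""
    return {name: (content if content.endswith("\n") else content + "\n")
            for name, content in rules_files.items()}


def demo(rules_files=RULES_D):
    """Active rules before and after fixing the EOF newlines."""
    before = active_rules(augenrules_merge(rules_files))
    after = active_rules(augenrules_merge(fix_eof_newlines(rules_files)))
    return before, after


if __name__ == "__main__":
    print("files without EOF newline:", files_missing_eof_newline(RULES_D))
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

In the "before" list the `-f 1` control option and the first `-a always,exit` rule arrive as one line, which auditctl rejects; after the fix they are separate entries again.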

1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration strips ending quote

Describe the Issue

When ensuring that AppArmor is enabled in the bootloader configuration, the line-ending quote is removed, causing the grub configuration to become invalid

Expected Behavior
Compliant configurations should not be altered. Non-compliant configurations should be fixed with a valid replacement

Actual Behavior

The ending quote is removed from GRUB_CMDLINE_LINUX

--- before: /etc/default/grub
+++ after: /etc/default/grub
@@ -30,5 +30,5 @@
 
 # Uncomment to get a beep at grub start
 #GRUB_INIT_TUNE="480 440 1"
-GRUB_CMDLINE_LINUX="audit=1 audit_backlog_limit=8192 apparmor=1 security=apparmor"
+GRUB_CMDLINE_LINUX="audit=1 audit_backlog_limit=8192 apparmor=1 security=apparmor
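Review bot: the `+` line drops the closing double quote, leaving `GRUB_CMDLINE_LINUX="audit=1 audit_backlog_limit=8192 apparmor=1 security=apparmor` unterminated, so /etc/default/grub no longer parses even though the `-` line was already compliant. The `security=\S+` regexp in the replace loop is what consumes the trailing `"` (a quote is not whitespace, so `\S+` runs to the end of the line); restricting the class to `[^\s"]+` stops at the quote and leaves a compliant line untouched.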

Control(s) Affected
1.6.1.2 | Ensure AppArmor is enabled in the bootloader configuration

Environment (please complete the following information):

  • branch being used: main, devel
  • Ansible Version: 2.16.1
  • Host Python Version: 3.12.1
  • Ansible Server Python Version: 3.12.1
  • Additional Details:

Additional Notes
I will upload a PR later today

Possible Solution
Replace

            path: /etc/default/grub
            regexp: "{{ item.regexp }}"
            replace: "{{ item.replace }}"
        with_items:
            - { regexp: 'apparmor=\S+', replace: 'apparmor=1' }
            - { regexp: 'security=\S+', replace: 'security=apparmor' }

with

            path: /etc/default/grub
            regexp: "{{ item.regexp }}"
            replace: "{{ item.replace }}"
        with_items:
            - { regexp: 'apparmor=[^\s"]+', replace: 'apparmor=1' }
            - { regexp: 'security=[^\s"]+', replace: 'security=apparmor' }
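The two regexp variants from the fix above run through Python's `re`, as an added example that is not code from the role or the reporter. `ansible.builtin.replace` passes its regexp to Python's `re.sub`, so the effect is reproducible directly: `\S+` keeps consuming through the closing double quote of GRUB_CMDLINE_LINUX whenever the option is last on the line, while `[^\s"]+` stops at it. The before line is the one from the issue's diff; the non-compliant sample and the function names are constructed.

```python
"""Greedy \\S+ versus quote-safe [^\\s"]+ in a replace loop over /etc/default/grub."""
import re

ISSUE_LINE = 'GRUB_CMDLINE_LINUX="audit=1 audit_backlog_limit=8192 apparmor=1 security=apparmor"'
NONCOMPLIANT = 'GRUB_CMDLINE_LINUX="quiet apparmor=0 security=selinux"'  # constructed

GREEDY_PAIRS = [(r"apparmor=\S+", "apparmor=1"), (r"security=\S+", "security=apparmor")]
QUOTE_SAFE_PAIRS = [(r'apparmor=[^\s"]+', "apparmor=1"), (r'security=[^\s"]+', "security=apparmor")]


def apply_replace_tasks(text, pairs):
    """The with_items loop over ansible.builtin.replace, as successive re.sub calls."""
    for regexp, replacement in pairs:
        text = re.sub(regexp, replacement, text, flags=re.MULTILINE)
    return text


def grub_assignment_is_well_formed(line):
    """True when the value is double-quoted at both ends, as /etc/default/grub needs."""
    return re.fullmatch(r'\w+="[^"]*"', line) is not None


def cmdline_options(line):
    """Kernel options inside the quotes, or None if the line is malformed."""
    m = re.fullmatch(r'\w+="([^"]*)"', line)
    return m.group(1).split() if m else None


if __name__ == "__main__":
    for label, pairs in (("greedy", GREEDY_PAIRS), ("quote-safe", QUOTE_SAFE_PAIRS)):
        out = apply_replace_tasks(ISSUE_LINE, pairs)
        print(f"{label:10} {out}  well-formed={grub_assignment_is_well_formed(out)}")
    print("fixed    ", apply_replace_tasks(NONCOMPLIANT, QUOTE_SAFE_PAIRS))
```

A `grub_assignment_is_well_formed` check after the edit (or an `update-grub` dry run) is the assertion a role task should make before a handler regenerates grub.cfg.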

Ensure Lockout for Failed PW Attempts

Control 5.3.2 - Ensure lockout for failed password attempts is configured

When I add the account requisite pam_deny.so module this kills all users. I can't login with root or vagrant locally on my vagrant image, or with ssh. I have added the allow users/groups items for pam but that doesn't seem to help. There is a note about a bug in the tally2.so module however I don't think that is related. I have the workaround for that setup on the control

Ubuntu 22.04

Do you have plans to create playbook for ubuntu 22?

Rule 1.3.1 Remediation doesn't contain aideinit command and mv

1.3.1 requires you to run aideinit to initialize the database and rename the .db.new file to .db.

1.3.1 in cis_1.3.x.yml only installs aide.

- name: "AUTOMATED | 1.3.1 | PATCH | Ensure AIDE is installed"
  apt:
      name: ['aide', 'aide-common']
      state: present
  when:
      - ubtu20cis_rule_1_3_1
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - rule_1.3.1
      - aide

4.1.2.3 adds admin_space_left_action twice in /etc/audit/auditd.conf

Describe the Issue
4.1.2.3 adds admin_space_left_action twice in /etc/audit/auditd.conf

The problem is in this line, which has " = halt" also in the regexp:

- { regexp: '^admin_space_left_action = halt', line: 'admin_space_left_action = halt' }

Expected Behavior
replace the current admin_space_left_action-entry in /etc/audit/auditd.conf

Actual Behavior
adds a new admin_space_left_action-entry in /etc/audit/auditd.conf

Control(s) Affected

  • dunno

Environment (please complete the following information):

  • not relevant

Additional Notes

  • none

Possible Solution
fix the regexp
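A lint for `(regexp, line)` pairs of the kind used in this task and in the 5.4.2 pam_tally2 report above, as an added example that is not code from the role or the reporters. Both reports are the same class of bug: a lineinfile regexp that does not match the line the task writes (so the PATCH re-fires on every run) or does not match the value already in the file (so a second copy is appended instead of the existing one being replaced). The "as reported" pairs come from the two issues; the pam_tally2 options string, the shipped auditd.conf value and the "corrected" regexps are this example's assumptions.

```python
"""Check that a lineinfile regexp matches its own line and the lines it should replace."""
import re

# (label, regexp, line to write, lines that may already exist in the target file)
PAIRS = [
    ("4.1.2.3 as reported",
     r"^admin_space_left_action = halt",
     "admin_space_left_action = halt",
     ["admin_space_left_action = SUSPEND"]),
    ("4.1.2.3 corrected",
     r"^admin_space_left_action\s*=",
     "admin_space_left_action = halt",
     ["admin_space_left_action = SUSPEND"]),
    ("5.4.2 as reported",
     r"^auth\s+required pam_tally2 .*onerr=fail.*",
     "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900",
     ["auth\trequired\tpam_tally2.so onerr=fail deny=3"]),
    ("5.4.2 corrected",
     r"^auth\s+required\s+pam_tally2\.so\b",
     "auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900",
     ["auth\trequired\tpam_tally2.so onerr=fail deny=3"]),
]


def check_pair(regexp, line, existing=()):
    """Return the problems found; an empty list means the task converges in one run."""
    problems = []
    pattern = re.compile(regexp)
    if not pattern.search(line):
        problems.append(f"regexp never matches the line it writes: {line!r}")
    for old in existing:
        if not pattern.search(old):
            problems.append(f"regexp misses an existing line, a duplicate would be appended: {old!r}")
    return problems


def lint(pairs=PAIRS):
    """Map each label to its list of problems."""
    return {label: check_pair(regexp, line, existing) for label, regexp, line, existing in pairs}


if __name__ == "__main__":
    for label, problems in lint().items():
        print(label, "OK" if not problems else "")
        for p in problems:
            print("   ", p)
```

Feeding the role's own `with_items` lists through `check_pair` in a pre-commit hook would catch both reports before they reach a host.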

Misspelling

NTP (Network Time Protocol) is misspelled "NPT" in section 2.1 - lines 140 and 144.

3.1.1 | PATCH | Disable IPv6 - ubtu20cis_rule_3_1_1

Describe the Issue
I have ubtu20cis_ipv6_required: false; after the Ansible deployment and reboot, I still have IPv6 active.

    - name: Include UBUNTU20-CIS tasks
      vars:
        setup_audit: true
        run_audit: false
        ubtu20cis_set_grub_password: false
       ...
       ...
        ubtu20cis_section1_patch: true
        ubtu20cis_section2_patch: true
        ubtu20cis_section3_patch: true
        ubtu20cis_section4_patch: true
        ubtu20cis_section5_patch: true
        ubtu20cis_section6_patch: true
        #
        ubtu20cis_ipv6_required: false
        #
      include_role:
        name: ansible-lockdown.UBUNTU20-CIS
        tasks_from: main.yml

requirements.yml

  - name: ansible-lockdown.UBUNTU20-CIS
    src: https://github.com/ansible-lockdown/UBUNTU20-CIS.git
    version: 5f03547a83f1439c7c0e6d70c6e860c247c06ac6


Expected Behavior
ipv6 disabled.

Actual Behavior
apply, reboot, ipv6 still active.

$ ip a | grep inet6 
    inet6 ::1/128 scope host 
    inet6 fe80::20d:3aff:fed2:dec/64 scope link

Control(s) Affected
3.1.1

Environment (please complete the following information):

  • branch being used: devel
  • Ansible Version: ansible [core 2.16.2]
  • Host Python Version: Python 3.11.2
  • Ansible Server Python Version: Python 3.8.10
  • Additional Details:
    1. Grub config looks ok.
$ cat /etc/default/grub | grep ipv6
GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor  ipv6.disable=1 audit=1 audit_backlog_limit=8192"
    2. Azure ubuntu vm

Additional Notes
Anything additional goes here
Q: in

regexp: '^net.ipv6.conf.all.disable_ipv6.*'

why do we remove "'^net.ipv6.conf.all.disable_ipv6.*'" from "/etc/sysctl.conf" ?

Possible Solution
Enter a suggested fix here
Also add the ipv6 disable to /etc/sysctl.conf
e.g.

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Errors [UBUNTU20-CIS : 4.2.1.3 | PATCH | Ensure logging is configured | Automated rsyslog configuration]

Describe the Issue
The following errors when my ansible tries to run my playbook

TASK [UBUNTU20-CIS : 4.2.1.3 | PATCH | Ensure logging is configured | Automated rsyslog configuration] *****************
failed: [localhost] (item=*.emerg                         :omusrmsg:*) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# Emergencies are sent to everybody logged in", "line": "*.emerg                         :omusrmsg:*", "regexp": "^\\*.emerg"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}
failed: [localhost] (item=auth,authpriv.*                  /var/log/auth.log) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# First some standard log files.  Log by facility", "line": "auth,authpriv.*
        /var/log/auth.log", "regexp": "^auth,authpriv.\\*"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}
failed: [localhost] (item=mail.*                          -/var/log/mail) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# First some standard log files", "line": "mail.*                          -/var/log/mail", "regexp": "^mail.\\*|^#mail.\\*"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}
failed: [localhost] (item=mail.info                      -/var/log/mail.info) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# Logging for the mail system", "line": "mail.info                      -/var/log/mail.info", "regexp": "^mail.info|^#mail.info"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}
failed: [localhost] (item=mail.warn                      -/var/log/mail.warn) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# Logging for the mail system.", "line": "mail.warn                      -/var/log/mail.warn", "regexp": "^mail.warn|^#mail.warn"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}
failed: [localhost] (item=mail.err                        /var/log/mail.err) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# Logging for the mail system.", "line": "mail.err                        /var/log/mail.err", "regexp": "^mail.err|^#mail.err"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}
failed: [localhost] (item=news.crit                       -/var/log/news/news.crit) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# First some standard log files", "line": "news.crit                       -/var/log/news/news.crit", "regexp": "^news.crit|^#news.crit"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}
failed: [localhost] (item=news.err                        -/var/log/news/news.err) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# First some standard log files", "line": "news.err                        -/var/log/news/news.err", "regexp": "^news.err|^#news.err"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}
failed: [localhost] (item=news.notice                     -/var/log/news/news.notice) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# First some standard log files", "line": "news.notice                     -/var/log/news/news.notice", "regexp": "^news.notice|^#news.notice"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}
failed: [localhost] (item=*.=warning;*.=err               -/var/log/warn) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# First some standard log files", "line": "*.=warning;*.=err               -/var/log/warn", "regexp": "^\\*.=warning;\\*.=err|^#\\*.=warning;\\*.=err"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}
failed: [localhost] (item=*.crit                           /var/log/warn) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# First some standard log files", "line": "*.crit                           /var/log/warn", "regexp": "^\\*.crit|^#\\*.crit"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}
failed: [localhost] (item=*.*;mail.none;news.none         -/var/log/messages) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# First some standard log files", "line": "*.*;mail.none;news.none         -/var/log/messages", "regexp": "^\\*.\\*;mail.none;news.none|^#\\*.\\*;mail.none;news.none"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}
failed: [localhost] (item=local0,local1.*                 -/var/log/localmessages) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# First some standard log files", "line": "local0,local1.*                 -/var/log/localmessages", "regexp": "^local0,local1.\\*|^#local0,local1.\\*"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}
failed: [localhost] (item=local2,local3.*                 -/var/log/localmessages) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# First some standard log files", "line": "local2,local3.*                 -/var/log/localmessages", "regexp": "^local2,local3.\\*|^#local2,local3.\\*"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}
failed: [localhost] (item=local4,local5.*                 -/var/log/localmessages) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# First some standard log files", "line": "local4,local5.*                 -/var/log/localmessages", "regexp": "^local4,local5.\\*|^#local4,local5.\\*"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}
failed: [localhost] (item=local6,local7.*                 -/var/log/localmessages) => {"ansible_loop_var": "item", "changed": false, "item": {"insertafter": "^# First some standard log files", "line": "local6,local7.*                 -/var/log/localmessages", "regexp": "^local6,local7.\\*|^#local6,local7.\\*"}, "msg": "Destination /etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/ansible/roles/UBUNTU20-CIS/tasks/section_4/cis_4.2.1.x.yml\n/etc/rsyslog.d/50-default.conf does not exist !", "rc": 257}

Expected Behavior
Run without errors

Actual Behavior
A clear and concise description of what's happening.

Control(s) Affected
4.2.1.3

Environment (please complete the following information):

ansible --version
ansible [core 2.13.11]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /root/.local/pipx/venvs/ansible/lib/python3.8/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /root/.local/bin/ansible
  python version = 3.8.10 (default, May 26 2023, 14:05:08) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True

Additional Notes
Playbook:

- hosts: localhost
  any_errors_fatal: true
  tasks:
    - name: Install git
      become: true
      ansible.builtin.package:
        name: git
        state: present

    - name: UBUNTU20-CIS
      become: true
      ansible.builtin.git:
        repo: 'https://github.com/ansible-lockdown/UBUNTU20-CIS'
        dest: /etc/ansible/roles/UBUNTU20-CIS
        version: devel

    - name: Include the hardening role
      ansible.builtin.include_role:
        name: UBUNTU20-CIS

auditd 5.2.3.12 logins should refer to /var/run/faillock

Describe the Issue
In templates/audit/ubtu20cis_5_2_3_12_logins.rules.j2, auditd 5.2.3.12 logins should refer to /var/run/faillock and not /var/log/faillock.

From CIS:

Verify the output matches:

-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins

From man pam_faillock:

FILES
/var/run/faillock/*
the files logging the authentication failures for users

Expected Behavior
The audit rules should match the specification of the CIS controls and should pass scans by other software (e.g., Wazuh SIEM)

Actual Behavior
The current rule does not reflect the CIS control or the behavior of pam_faillock

Control(s) Affected

5.2.3.12

Environment (please complete the following information):

  • branch being used: devel
  • Ansible Version: 2.5.16
  • Host Python Version: 3.12.0
  • Ansible Server Python Version: [e.g. Python 3.7.6]
  • Additional Details:

Additional Notes
Anything additional goes here

Possible Solution
See #114

Typo in template for 4.1.15

Describe the Issue
There appears to be a typo in the template for 4.1.15.
The file is written as follows:

-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
{% if ansible_architecture == 'x86_64' -%}
-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
{% endif %}

Expected Behavior
There should be a space between -F and auid>=1000.

Actual Behavior
This configuration is not valid according to the auditctl man page. This control also fails in the audit as the stdout search is correct there.

Control(s) Affected
4.1.15

Environment (please complete the following information):

  • Ansible Version: 2.12.4
  • Host Python Version: 3.9.1
  • Ansible Server Python Version: 3.8.10

Possible Solution

-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
{% if ansible_architecture == 'x86_64' -%}
-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
{% endif %}
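
Checking rendered audit rules for exactly this class of mistake can be automated. The following is an added example (my own code, not part of the ubuntu20-cis role) that tokenises each rule the way auditctl reads it and flags a flag glued to its argument such as `-Fauid>=1000`; it also lists the `-w` watch paths so the faillock path from the 5.2.3.12 issue above can be confirmed. The sample rules are constructed from the two issues, and the option table it knows is a subset of auditctl(8).

```python
import re
import shlex

# Subset of auditctl(8) options: those that take one argument and those that
# take none. Anything else beginning with '-' is reported as malformed.
_OPTS_WITH_ARG = {"-a", "-A", "-w", "-W", "-p", "-k", "-S", "-F", "-C",
                  "-b", "-e", "-f", "-r"}
_OPTS_NO_ARG = {"-D", "-c", "-i"}

# Field comparison accepted by -F / -C: name, operator, value, no spaces.
_FIELD_RE = re.compile(r"^[A-Za-z0-9_]+(!=|>=|<=|&=|=|>|<|&)\S+$")
_PERMS_RE = re.compile(r"^[rwxa]{1,4}$")


def validate_audit_rule(line):
    """Problems found in one rules-file line (empty list when it is clean)."""
    try:
        tokens = shlex.split(line, comments=True)
    except ValueError as exc:
        return [f"unparseable line: {exc}"]
    problems = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in _OPTS_NO_ARG:
            i += 1
        elif tok in _OPTS_WITH_ARG:
            if i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
                problems.append(f"option {tok} is missing its argument")
                i += 1
                continue
            arg = tokens[i + 1]
            if tok in ("-F", "-C") and not _FIELD_RE.match(arg):
                problems.append(f"bad field expression for {tok}: {arg!r}")
            elif tok in ("-w", "-W") and not arg.startswith("/"):
                problems.append(f"watch path must be absolute: {arg!r}")
            elif tok == "-p" and not _PERMS_RE.match(arg):
                problems.append(f"bad permission set for -p: {arg!r}")
            i += 2
        else:
            # '-Fauid>=1000' lands here: the flag and its argument were glued together.
            what = "unknown or malformed option" if tok.startswith("-") else "unexpected token"
            problems.append(f"{what} {tok!r}")
            i += 1
    return problems


def lint_rules(text):
    """Lint a whole rules file; returns {1-based line number: [problems]}."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        problems = validate_audit_rule(line)
        if problems:
            report[n] = problems
    return report


def watched_paths(text):
    """Paths named by -w/-W rules, to confirm the expected files are watched."""
    paths = set()
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        paths.update(tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t in ("-w", "-W"))
    return paths


# Constructed sample: line 2 is the rendered 4.1.15 template with the missing
# space, line 3 the corrected form, lines 5-6 the 5.2.3.12 logins rules as the
# CIS text prints them.
SAMPLE_RULES = """\
# constructed rules file
-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
# 5.2.3.12
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
"""


if __name__ == "__main__":
    for n, problems in lint_rules(SAMPLE_RULES).items():
        print(f"line {n}: {'; '.join(problems)}")
    print("watched:", sorted(watched_paths(SAMPLE_RULES)))
```

Run it against the rendered output of the template (not the .j2 source, since the Jinja tags are not valid auditctl syntax); only the line with `-Fauid>=1000` is reported, and the watched-path set shows whether /var/run/faillock rather than /var/log/faillock is covered.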

logrotate permission hardening breaks system logging

Describe the Issue
The steps implemented for "4.4 Ensure logrotate assigns appropriate permissions" in lockdown break system logging. The CIS benchmark gives an example "create 0640 root utmp" and it seems that this has been taken too literally in the lockdown implementation. The bug is that only the permissions were supposed to be changed, not the ownership of the log files. Now the files get created with ownership "root:utmp", and rsyslog by default is configured to drop privileges to "syslog:syslog". On such a system, rsyslog can no longer write logs after the first log rotation.

Also, the intention in the CIS Benchmark is to also scan the files in /etc/logrotate.d, which is currently skipped by lockdown.

Expected Behavior
logs produced after lockdown

Actual Behavior
log files empty after lockdown, after the first logrotate round

Control(s) Affected
Version 7:
6.2 Activate audit logging
6.3 Enable Detailed Logging

Environment (please complete the following information):

  • not relevant

Additional Notes

  • N/A

Possible Solution
Should only set the permission mode in the "create"-line of logrotate-configuration files, and leave the ownership as it is.
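
To see why the literal `create 0640 root utmp` breaks rsyslog, a parser for logrotate `create` directives can compare a configuration before and after hardening and rewrite only the mode. This is an added example, not the role's code; the stanzas are constructed, modelled on an /etc/logrotate.d entry that creates logs as syslog:adm, plus a bare global `create` from /etc/logrotate.conf.

```python
import re

_MODE_RE = re.compile(r"[0-7]{3,4}")


def parse_create_directives(text):
    """Return every logrotate `create` directive as a dict with its scope
    ("global" or the log path(s) of the enclosing stanza), mode, owner and group."""
    results = []
    scope = "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            scope = line[:-1].strip()
            continue
        if line == "}":
            scope = "global"
            continue
        parts = line.split()
        if parts[0] != "create":
            continue
        args = parts[1:]
        mode = owner = group = None
        if args and _MODE_RE.fullmatch(args[0]):
            mode = args.pop(0)
        if args:
            owner = args.pop(0)
        if args:
            group = args.pop(0)
        results.append({"scope": scope, "mode": mode, "owner": owner, "group": group})
    return results


def ownership_changes(before, after):
    """Compare create directives scope by scope and report changed owner/group:
    a rotated log created as root:utmp is unwritable by an rsyslog that has
    dropped privileges to syslog:syslog, which is the failure described above."""
    old = {d["scope"]: d for d in parse_create_directives(before)}
    changes = []
    for d in parse_create_directives(after):
        prev = old.get(d["scope"])
        if prev and (prev["owner"], prev["group"]) != (d["owner"], d["group"]):
            changes.append(f"{d['scope']}: {prev['owner']}:{prev['group']} "
                           f"-> {d['owner']}:{d['group']}")
    return changes


def set_create_mode(text, mode="0640"):
    """Rewrite every `create` directive to the given mode and keep whatever
    owner/group it already names: the remediation proposed in the issue."""
    out = []
    for raw in text.splitlines():
        head, sep, comment = raw.partition("#")
        parts = head.split()
        if parts and parts[0] == "create":
            args = parts[1:]
            if args and _MODE_RE.fullmatch(args[0]):
                args = args[1:]
            indent = raw[:len(raw) - len(raw.lstrip())]
            new = indent + " ".join(["create", mode] + args)
            out.append(new + (" #" + comment if sep else ""))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample modelled on /etc/logrotate.d/rsyslog, preceded by the
# global defaults of /etc/logrotate.conf.
BEFORE = """\
# see "man logrotate" for details
weekly
rotate 4
create

/var/log/syslog /var/log/auth.log {
    rotate 7
    daily
    missingok
    notifempty
    compress
    create 0644 syslog adm
}
"""

# The CIS example "create 0640 root utmp" applied literally to the stanza.
AFTER_LITERAL = BEFORE.replace("create 0644 syslog adm", "create 0640 root utmp")


if __name__ == "__main__":
    print("literal:", ownership_changes(BEFORE, AFTER_LITERAL))
    print("mode only:", ownership_changes(BEFORE, set_create_mode(BEFORE, "0640")))
```

The same parser, pointed at every file under /etc/logrotate.d as well as /etc/logrotate.conf, also covers the second point of the issue, that the hardening must not skip the per-service stanzas.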

Problems with CIS 4.5.4 (umask)

Describe the Issue
Necessary umask settings for CIS 4.5.4 are not being applied due to issues with the lineinfile task, i.e.:

  • some files are not updated (i.e. /etc/bash.bashrc and /etc/profile)
  • some files are updated incorrectly (i.e. /etc/login.defs ends up with duplicate and conflicting umask and UMASK values)

Expected Behavior
The required <umask|UMASK> 027 should be applied to the required files:

  • /etc/bash.bashrc
  • /etc/profile
  • /etc/login.defs

Actual Behavior
Not sure if this is an issue with the regex, or the subsequent CIS 4.5.5 control overwriting the umask, but the files are not updated, or updated incorrectly, i.e.:

    TASK [UBUNTU20-CIS : 4.5.4 | PATCH | Ensure default user umask is 027 or more restrictive] ***
    ok: [default] => (item=/etc/bash.bashrc)
    ok: [default] => (item=/etc/profile)
    changed: [default] => (item=/etc/login.defs)

And here are the contents of /etc/profile (missing umask) and a snippet from /etc/login.defs (duplicate umask) as an example after applying the UBUNTU20-CIS role:

$ cat /etc/profile
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

if [ "${PS1-}" ]; then
  if [ "${BASH-}" ] && [ "$BASH" != "/bin/sh" ]; then
    # The file bash.bashrc already sets the default PS1.
    # PS1='\h:\w\$ '
    if [ -f /etc/bash.bashrc ]; then
      . /etc/bash.bashrc
    fi
  else
    if [ "`id -u`" -eq 0 ]; then
      PS1='# '
    else
      PS1='$ '
    fi
  fi
fi

if [ -d /etc/profile.d ]; then
  for i in /etc/profile.d/*.sh; do
    if [ -r $i ]; then
      . $i
    fi
  done
  unset i
fi
# BEGIN ANSIBLE MANAGED
# Set session timeout - CIS ID 4.5.5
# only set TMOUT if it isn't set yet to avoid a shell error
: ${TMOUT=1800}
readonly TMOUT
export TMOUT
# END ANSIBLE MANAGED
$ grep -i umask /etc/login.defs
#	UMASK		Default "umask" value.
# UMASK is the default umask value for pam_umask and is used by
# 022 is the "historical" value in Debian for UMASK
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
UMASK		022
umask 027

Control(s) Affected
CIS 4.5.4

Environment (please complete the following information):

  • branch being used: devel
  • Ansible Version: 8.2.0
  • Host Python Version: 3.8.10
  • Ansible Server Python Version: 3.9.13
  • Additional Details:

Additional Notes
Anything additional goes here

Possible Solution
Looks like this may have been partially fixed in the UBUNTU22-CIS role as it checks for upper vs lower case umask settings, i.e.:

      - name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive"
        ansible.builtin.lineinfile:
            path: "{{ item.path }}"
            regexp: '(?i)(umask\s*\d\d\d)'
            line: '{{ item.line }} {{ ubtu22cis_bash_umask }}'
        with_items:
            - { path: '/etc/bash.bashrc', line: 'umask' }
            - { path: '/etc/profile', line: 'umask' }
            - { path: '/etc/login.defs', line: 'UMASK' }

The regex should probably also check to make sure it's a line starting with umask (i.e. ^umask\s) to ensure it doesn't match a comment with the word umask in it.
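
The duplicate and conflicting umask lines can be reproduced without Ansible by emulating lineinfile's regexp semantics: the last line matching the regexp is replaced, and if nothing matches the line is appended. This is an added example, not the role's code. The login.defs excerpt is constructed from the grep output above plus one extra comment line, and the three regexps compared are assumptions: a lowercase-only `^umask\s`, the UBUNTU22 `(?i)(umask\s*\d\d\d)` quoted above, and the anchored `(?i)^\s*umask\s+\d{3}` this issue suggests.

```python
import re

# Active (uncommented) umask/UMASK assignments, e.g. "umask 027" or "UMASK\t022".
_UMASK_RE = re.compile(r"^\s*umask\s+(0?[0-7]{3})\b", re.IGNORECASE)


def lineinfile(text, regexp, line):
    """Emulate ansible.builtin.lineinfile with regexp + line (state=present):
    the LAST line matching regexp is replaced; if nothing matches, line is appended."""
    pattern = re.compile(regexp)
    lines = text.splitlines()
    last = None
    for i, current in enumerate(lines):
        if pattern.search(current):
            last = i
    if last is None:
        lines.append(line)
    else:
        lines[last] = line
    return "\n".join(lines) + "\n"


def umask_settings(text):
    """(line number, keyword, value) for every active umask line, comments ignored."""
    found = []
    for n, current in enumerate(text.splitlines(), 1):
        m = _UMASK_RE.match(current)
        if m:
            found.append((n, current.split()[0], m.group(1)))
    return found


def audit_umask(text, required="027"):
    """Report a missing, duplicated or too-permissive umask in one file.
    "More restrictive" means every bit masked by `required` is also masked."""
    settings = umask_settings(text)
    issues = []
    if not settings:
        issues.append("no umask set")
    if len(settings) > 1:
        issues.append("multiple umask lines: " +
                      ", ".join(f"{k} {v}@{n}" for n, k, v in settings))
    for n, k, v in settings:
        if int(v, 8) & int(required, 8) != int(required, 8):
            issues.append(f"line {n}: {k} {v} is more permissive than {required}")
    return issues


# Constructed /etc/login.defs excerpt: the lines from the grep output above plus
# one trailing comment that happens to contain "umask 022".
LOGIN_DEFS = (
    '#\tUMASK\t\tDefault "umask" value.\n'
    "# UMASK is the default umask value for pam_umask and is used by\n"
    '# 022 is the "historical" value in Debian for UMASK\n'
    '# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value\n'
    "UMASK\t\t022\n"
    "# NOTE: umask 022 is too permissive for CIS\n"
)

# Three candidate regexps for the login.defs item of the 4.5.4 task (assumptions).
LOWERCASE_ONLY = r"^umask\s"                 # never matches "UMASK", so the line is appended
UBUNTU22_STYLE = r"(?i)(umask\s*\d\d\d)"     # unanchored: may match a comment instead
ANCHORED = r"(?i)^\s*umask\s+\d{3}"          # only an actual assignment at line start


def apply_task(regexp, line="UMASK 027", text=LOGIN_DEFS):
    """Run one lineinfile item against the sample and return (result, audit findings)."""
    result = lineinfile(text, regexp, line)
    return result, audit_umask(result)


if __name__ == "__main__":
    for name, rx in [("lowercase-only", LOWERCASE_ONLY),
                     ("UBUNTU22 style", UBUNTU22_STYLE),
                     ("anchored", ANCHORED)]:
        _, issues = apply_task(rx)
        print(f"{name:15s} -> {issues or 'compliant'}")
```

With the lowercase-only regexp the file ends up with `UMASK 022` and an appended `umask 027`, exactly the state shown in the grep above. The unanchored UBUNTU22 regexp replaces the trailing comment instead of the real setting, so `UMASK 022` survives; only the anchored form rewrites the assignment itself. The audit function is also what a post-run check of /etc/profile and /etc/bash.bashrc would use, where it reports "no umask set".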

Rule 2.1.1.3 chrony fails

Describe the Issue
"2.1.1.3 | PATCH | Ensure chrony is configured | Disable/Mask systemd-timesyncd" checks to ensure systemd-timesyncd is disabled. But the chrony package and the systemd-timesyncd are mutually exclusive. The check runs a systemd check to ensure systemd-timesyncd is stopped -- but that test cannot run because the systemd-timesyncd service cannot be installed.

Expected Behavior
The check should run.

Actual Behavior
Ansible experiences a fatal error when trying to check the systemd-timesyncd service.

Control(s) Affected
This affects control 2.1.1.3

Environment (please complete the following information):

  • Ansible Version: 2.14.4
  • Host Python Version: 3.8.10
  • Ansible Server Python Version: 3.11.2
  • Additional Details:

Additional Notes
None

Possible Solution

Change:

  - name: "2.1.1.3 | PATCH | Ensure chrony is configured | Disable/Mask systemd-timesyncd"
     ...

To:

  - name: "2.1.1.3 | PATCH | Ensure chrony is configured | Remove systemd-timesyncd"
    ansible.builtin.package:
        name: systemd-timesyncd
        state: absent

Or delete the action entirely since the package exclusion makes the step unnecessary.

1.1.6-1.1.9 /dev/shm sets non-CIS option "size=2G" by default

Describe the Issue
1.1.6-1.1.9 /dev/shm sets non-CIS option "size=2G" by default. Setting the size is not actually recommended by the CIS Benchmark and not really a hardening step - though, it's included in an example in the benchmark document.

Fortunately, the implementation makes it possible to modify the default options using the variable - but still, the default should not include a non-hardening related size-option.

Expected Behavior
Should not set size by default for /dev/shm.

Actual Behavior
Sets size by default for /dev/shm.

Control(s) Affected

  • dunno

Environment (please complete the following information):

  • not applicable

Additional Notes

  • N/A

Possible Solution

  • N/A

Rule 3.3.4: if ufw is used, then the rule is overwritten

See

- name: "AUTOMATED | 3.3.4 | PATCH | Ensure suspicious packets are logged"

Use the additional rule (maybe an additional when for ufw check is missing...)

- name: "AUTOMATED | 3.3.4 | PATCH | Ensure suspicious packets are logged, ufw part"
  sysctl:
    name: "{{ item }}"
    value: '1'
    sysctl_set: yes
    state: present
    reload: yes
    ignoreerrors: yes
    sysctl_file: /etc/ufw/sysctl.conf
  with_items:
    - net.ipv4.conf.all.log_martians
    - net.ipv4.conf.default.log_martians
  notify: sysctl flush ipv4 route table
  when:
    - ubtu20cis_rule_3_3_4
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - rule_3.3.4
    - suspicious_packets
    - sysctl
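
Both the IPv6 question in the first issue above and this 3.3.4 report come down to which file sets a sysctl last. The following added example (my own code, not the role's) parses sysctl.conf-style files, including the slash-separated form ufw uses, applies them in boot order and reports which file is responsible for a non-compliant value. The file contents and the apply order are constructed; the order assumes Ubuntu's /etc/sysctl.d/99-sysctl.conf symlink to /etc/sysctl.conf and ufw-init applying /etc/ufw/sysctl.conf when the firewall starts.

```python
import re
from collections import OrderedDict

# Accepts "key = value", "key=value" and ufw's slash form "net/ipv4/...=0".
# Keys are normalised to the dotted form so both spellings compare equal.
_LINE_RE = re.compile(r"^([A-Za-z0-9_./-]+)\s*=\s*(.*?)$")


def parse_sysctl_conf(text):
    """Parse one sysctl.conf-style file into an ordered key -> value mapping."""
    settings = OrderedDict()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("-"):          # sysctl(8): leading '-' means ignore errors
            line = line[1:].lstrip()
        m = _LINE_RE.match(line)
        if m:
            settings[m.group(1).replace("/", ".")] = m.group(2).strip()
    return settings


def effective_values(sources):
    """Apply (file name, content) pairs in the order given; a later file wins.
    Returns key -> (value, name of the file that set it last)."""
    state = {}
    for name, content in sources:
        for key, value in parse_sysctl_conf(content).items():
            state[key] = (value, name)
    return state


def check_required(state, required):
    """Keys whose effective value differs from the required one, with the file
    responsible, so the overriding file can be identified."""
    bad = {}
    for key, want in required.items():
        value, origin = state.get(key, (None, None))
        if value != want:
            bad[key] = (value, origin)
    return bad


# Constructed apply order on an Ubuntu host: systemd-sysctl walks
# /etc/sysctl.d/*.conf lexicographically (99-sysctl.conf is the symlink to
# /etc/sysctl.conf), then ufw-init runs `sysctl -p /etc/ufw/sysctl.conf`.
BOOT_ORDER = [
    ("/etc/sysctl.d/60-cis.conf", "net.ipv4.conf.all.log_martians = 1\n"
                                  "net.ipv4.conf.default.log_martians = 1\n"
                                  "net.ipv6.conf.all.disable_ipv6 = 1\n"
                                  "net.ipv6.conf.default.disable_ipv6 = 1\n"),
    ("/etc/sysctl.d/99-sysctl.conf", "# site file; disable_ipv6 line removed by the role\n"
                                     "net.ipv4.ip_forward = 0\n"),
    ("/etc/ufw/sysctl.conf", "net/ipv4/conf/all/log_martians=0\n"
                             "net/ipv4/conf/default/log_martians=0\n"),
]

# Values rule 3.3.4 and the IPv6 rules expect.
CIS_REQUIRED = {
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.default.log_martians": "1",
    "net.ipv6.conf.all.disable_ipv6": "1",
    "net.ipv6.conf.default.disable_ipv6": "1",
}

# /etc/ufw/sysctl.conf after the "ufw part" task above has written its lines.
UFW_FIX = ("/etc/ufw/sysctl.conf", "net/ipv4/conf/all/log_martians=0\n"
                                   "net/ipv4/conf/default/log_martians=0\n"
                                   "net.ipv4.conf.all.log_martians = 1\n"
                                   "net.ipv4.conf.default.log_martians = 1\n")


def audit(sources, required=CIS_REQUIRED):
    """Resolve the sources and report the non-compliant keys with their origin."""
    return check_required(effective_values(sources), required)


if __name__ == "__main__":
    for key, (value, origin) in audit(BOOT_ORDER).items():
        print(f"{key} = {value} (set last by {origin})")
    print("after ufw task:", audit(BOOT_ORDER[:-1] + [UFW_FIX]) or "compliant")
```

The report names /etc/ufw/sysctl.conf as the file that zeroes log_martians, which is why the extra task writing to that file is needed rather than another entry in sysctl.d. For the IPv6 keys the disable_ipv6 line is resolved from whichever sysctl.d file still carries it; note that with `ipv6.disable=1` on the kernel command line, as in the grub output of the first issue, the net.ipv6.* keys do not exist at all and sysctl reports an error for them, which is what `ignoreerrors` absorbs.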
