From fc446f59e3d9806b7e1a5c6c4f59247336f6b88b Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 9 Nov 2023 09:14:20 +0000
Subject: [PATCH 1/4] typo fix

Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 8d6d18f1..ea0943dd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -893,7 +893,7 @@ ubtu22cis_sshd:
 # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
 # For more info, see https://linux.die.net/man/5/sshd_config
 allow_users: ""
- # (String) This variable, if spcieifed, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
+ # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
 # for users whose primary group or supplementary group list matches one of the patterns. This is done
 # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
 # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.

From daabd256e7a5c4e5a8eaa0e37b9ceceb5a71f3cb Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 9 Nov 2023 09:23:32 +0000
Subject: [PATCH 2/4] issue #165 addressed thanks to @r0bc94

Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.2.x.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index 1661fdc6..d0f297b5 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -80,7 +80,7 @@
 regexp: '^AllowUsers|^#AllowUsers'
 line: 'AllowUsers {{ ubtu22cis_sshd.allow_users }}'
 notify: restart sshd
- when: "ubtu22cis_sshd['allow_users']|default('') != ''"
+ when: "ubtu22cis_sshd['allow_users']| default('') | length > 0 "
 
 - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add allowed groups"
 ansible.builtin.lineinfile:
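Review bot: The new `when` guard on the `AllowUsers` task still fails if the variable is defined but null, because `default('')` only substitutes an undefined value; a bare `allow_users:` in a vars file yields None and `| length` then raises instead of skipping the task. Passing the filter's boolean flag covers that case as well: `when: "ubtu22cis_sshd['allow_users'] | default('', true) | length > 0"`. The same applies to the `allow_groups`, `deny_users` and `deny_groups` hunks that follow. This hunk's expression also carries a trailing space inside the quotes (`> 0 "`) that the other three do not; harmless to Jinja, but worth trimming for consistency. The lineinfile task this condition belongs to begins outside the hunk.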
@@ -88,7 +88,7 @@
 regexp: '^AllowGroups|^#AllowGroups'
 line: 'AllowGroups {{ ubtu22cis_sshd.allow_groups }}'
 notify: restart sshd
- when: "ubtu22cis_sshd['allow_groups']|default('') != ''"
+ when: "ubtu22cis_sshd['allow_groups']| default('') | length > 0"
 
 - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add deny users"
 ansible.builtin.lineinfile:
@@ -96,7 +96,7 @@
 regexp: '^DenyUsers|^#DenyUsers'
 line: 'DenyUsers {{ ubtu22cis_sshd.deny_users }} '
 notify: restart sshd
- when: "ubtu22cis_sshd['deny_users']| length > 0"
+ when: "ubtu22cis_sshd['deny_users']| default('') | length > 0"
 
 - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add deny groups"
 ansible.builtin.lineinfile:
@@ -104,7 +104,7 @@
 regexp: '^DenyGroups|^#DenyGroups'
 line: 'DenyGroups {{ ubtu22cis_sshd.deny_groups }}'
 notify: restart sshd
- when: "ubtu22cis_sshd['deny_groups']| length > 0"
+ when: "ubtu22cis_sshd['deny_groups']| default('') | length > 0"
 when:
 - ubtu22cis_rule_5_2_4
 tags:

From 055dd8c89508da8a6207fff8bcb069d5bdb0f0d2 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 9 Nov 2023 09:26:56 +0000
Subject: [PATCH 3/4] updated

Signed-off-by: Mark Bolwell
---
 Changelog.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/Changelog.md b/Changelog.md
index 95a1bd81..dd64ef53 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -60,6 +60,18 @@ thanks to @lozzolloz
 - #153
 - #154
 
+thanks to @brisky
+
+- #158
+
+thanks to Jeroen0494
+
+- #161
+
+thanks to @r0bc94
+
+- #164
+
 ### v1.0.6
 
 collections links updates since galaxy-ng changes and older ansible versions not supported

From 7b80d39b44f746659c96b02ba77a541fd98ad3b1 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 9 Nov 2023 17:17:17 +0000
Subject: [PATCH 4/4] added line

Signed-off-by: Mark Bolwell
---
 tasks/section_1/cis_1.6.x.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml
index 734dad54..22cc7616 100644
--- a/tasks/section_1/cis_1.6.x.yml
+++ b/tasks/section_1/cis_1.6.x.yml
@@ -130,6 +130,7 @@
 changed_when: false
 when:
 - ubtu22cis_apparmor_mode == "enforce"
+
 - name: "1.6.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only false for GOSS"
 ansible.builtin.set_fact:
 ubtu22cis_apparmor_enforce_only: false