
Comments (3)

uk-bolly commented on June 2, 2024

Hi @paulquevedojdrf

Thanks for raising this question. This should indeed work, and appears to work for me, if it runs all the 1.1.10 controls. Can I ask how you are testing it, to be able to load it again?

Many thanks

uk-bolly

from ubuntu22-cis.

paulquevedojdrf commented on June 2, 2024

1. Fresh install of 22.04.3 onto a physical machine
2. Upgrade, reboot.
3. ansible-playbook site.yml --tags rule_1.1.10
4. Plug in a USB storage device
5. Reboot
6. After logging in, the device is automounted in GNOME.

7. Run sudo update-initramfs -u
8. Reboot
9. Device is no longer automounted in GNOME on subsequent reboots

stdout

PLAY [all] ************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Gather distribution info] **************************************************************************************************************************
skipping: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Check OS version and family] ***********************************************************************************************************************
skipping: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Check ansible version] *****************************************************************************************************************************
ok: [pquevedo-ideapad] => {
    "changed": false,
    "msg": "This role is running a supported version of ansible 2.13.13 >= 2.10.1"
}

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Capture current password state of connecting user"] ************************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Assert that password set for pquevedo and account not locked] **************************************************************************************
ok: [pquevedo-ideapad] => {
    "changed": false,
    "msg": "You have a password set for sudo user pquevedo"
}

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Check ubtu22cis_bootloader_password_hash variable has been changed] ********************************************************************************
ok: [pquevedo-ideapad] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Check ubtu22cis_grub_user password variable has been changed | check password is set] **************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Check ubtu22cis_grub_user password variable has been changed | check password is set] **************************************************************
skipping: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Check ubtu22cis_grub_user password variable has been changed | if password blank or incorrect type and not being set] ******************************
ok: [pquevedo-ideapad] => {
    "changed": false,
    "msg": "Grub User pquevedo has a valid password set to be used in single user mode"
}

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Discover and set container variable if required] ***************************************************************************************************
skipping: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Load variable for container] ***********************************************************************************************************************
skipping: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Output if discovered is a container] ***************************************************************************************************************
skipping: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Gather the package facts before prelim] ************************************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Register if snap being used] **************************************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Register if squashfs is built into the kernel] ********************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Section 1.1 | Create list of mount points] ************************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Capture tmp mount type | discover mount tmp type] *****************************************************************************************
skipping: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Capture tmp mount type | Set to expected_tmp_mnt variable] ********************************************************************************
skipping: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Capture tmp mount type | Set systemd service] *********************************************************************************************
skipping: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Run apt update] ***************************************************************************************************************************
changed: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Check for autofs service] *****************************************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Check for avahi-daemon service] ***********************************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Install Network-Manager] ******************************************************************************************************************
skipping: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | PATCH | Ensure auditd is installed] *******************************************************************************************************
changed: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | 4.1.4.5 | Audit conf and rules files | list files] ****************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | 5.3.4 | Find all sudoers files.] **********************************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Capture UID_MIN information from logins.def] **********************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Capture UID_MAX information from logins.def] **********************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Capture GID_MIN information from logins.def] **********************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | set_facts for interactive uid/gid] ********************************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Interactive User accounts] ****************************************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Install ACL] ******************************************************************************************************************************
skipping: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Gather UID 0 accounts other than root] ****************************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | List users accounts] **********************************************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Recapture packages] ***********************************************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Optional | Patch | UFW firewall force to use /etc/sysctl.conf settings] ****************************************************************************
changed: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Gather the package facts after prelim] *************************************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Parse /etc/passwd | Get /etc/password contents] *******************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : PRELIM | Parse /etc/passwd | Split passwd entries] *************************************************************************************************
ok: [pquevedo-ideapad] => (item=root:x:0:0:root:/root:/bin/bash)
ok: [pquevedo-ideapad] => (item=daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=bin:x:2:2:bin:/bin:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=sys:x:3:3:sys:/dev:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=sync:x:4:65534:sync:/bin:/bin/sync)
ok: [pquevedo-ideapad] => (item=games:x:5:60:games:/usr/games:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=man:x:6:12:man:/var/cache/man:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=mail:x:8:8:mail:/var/mail:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=news:x:9:9:news:/var/spool/news:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=proxy:x:13:13:proxy:/bin:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=backup:x:34:34:backup:/var/backups:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=messagebus:x:102:105::/nonexistent:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=syslog:x:104:111::/home/syslog:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=_apt:x:105:65534::/nonexistent:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=tss:x:106:113:TPM software stack,,,:/var/lib/tpm:/bin/false)
ok: [pquevedo-ideapad] => (item=uuidd:x:107:116::/run/uuidd:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=systemd-oom:x:108:117:systemd Userspace OOM Killer,,,:/run/systemd:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=tcpdump:x:109:118::/nonexistent:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=avahi:x:114:121:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=rtkit:x:116:123:RealtimeKit,,,:/proc:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=whoopsie:x:117:124::/nonexistent:/bin/false)
ok: [pquevedo-ideapad] => (item=sssd:x:118:125:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false)
ok: [pquevedo-ideapad] => (item=fwupd-refresh:x:120:126:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=nm-openvpn:x:121:127:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=saned:x:122:129::/var/lib/saned:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=colord:x:123:130:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=geoclue:x:124:131::/var/lib/geoclue:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=pulse:x:125:132:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin)
ok: [pquevedo-ideapad] => (item=gnome-initial-setup:x:126:65534::/run/gnome-initial-setup/:/bin/false)
ok: [pquevedo-ideapad] => (item=hplip:x:127:7:HPLIP system user,,,:/run/hplip:/bin/false)
ok: [pquevedo-ideapad] => (item=gdm:x:128:134:Gnome Display Manager:/var/lib/gdm3:/bin/false)
ok: [pquevedo-ideapad] => (item=pquevedo:x:1000:1000:pquevedo,,,:/home/pquevedo:/bin/bash)
ok: [pquevedo-ideapad] => (item=sshd:x:129:65534::/run/sshd:/usr/sbin/nologin)

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : Gather the package facts] **************************************************************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : 1.1.10 | PATCH | Disable USB Storage | Set modprobe config] ****************************************************************************************
changed: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : 1.1.10 | PATCH | Disable USB Storage | Blacklist usb-storage] **************************************************************************************
changed: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : 1.1.10 | PATCH | Disable USB Storage | Remove usb-storage module] **********************************************************************************
ok: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : POST | AUDITD | Apply auditd template for section 4.1.3.x] *****************************************************************************************
skipping: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : POST | Set up auditd user logging exceptions] ******************************************************************************************************
skipping: [pquevedo-ideapad]

TASK [/home/pquevedo/dev/fw-deploy-snuc/UBUNTU22-CIS : If Warnings found Output count and control IDs affected] *******************************************************************************************
skipping: [pquevedo-ideapad]

PLAY RECAP ************************************************************************************************************************************************************************************************
pquevedo-ideapad           : ok=33   changed=5    unreachable=0    failed=0    skipped=14   rescued=0    ignored=0   
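
A check for the situation reported in this thread, written as an added example (it is not part of the issue or of the UBUNTU22-CIS role). It assumes the Ubuntu initramfs carries its own copy of the modprobe.d configuration, so a config file newer than the initramfs image means `update-initramfs -u` has not yet been run; the function names, verdict strings and sample inputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: decide whether a usb-storage modprobe restriction is in effect.
# Inputs are plain text and timestamps so the logic runs on constructed samples.

# Constructed sample inputs (assumed config lines, not copied from the role).
SAMPLE_CONF='install usb-storage /bin/true
blacklist usb-storage'
SAMPLE_LSMOD='Module                  Size  Used by
usb_storage            81920  1 uas
uas                    32768  0'

# 0 if the config text contains "install usb-storage <command>".
has_install_override() {
  printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*install[[:space:]]+usb[-_]storage[[:space:]]+[^[:space:]]'
}

# 0 if the config text contains "blacklist usb-storage".
has_blacklist() {
  printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*blacklist[[:space:]]+usb[-_]storage([[:space:]]|$)'
}

# 0 if the lsmod listing shows usb_storage loaded.
module_loaded() {
  printf '%s\n' "$1" | grep -Eq '^usb_storage[[:space:]]'
}

# usb_storage_verdict CONF_TEXT LSMOD_TEXT CONF_MTIME INITRAMFS_MTIME
usb_storage_verdict() {
  if ! has_install_override "$1" || ! has_blacklist "$1"; then
    echo "not-configured"      # the modprobe settings are missing
  elif [ "$3" -gt "$4" ]; then
    echo "initramfs-stale"     # config changed after the image was built
  elif module_loaded "$2"; then
    echo "loaded"              # image is current, yet the module is present
  else
    echo "ok"
  fi
}

# Feed the verdict from the running system (Ubuntu paths, GNU stat).
collect_and_check() {
  local conf_mtime initrd_mtime
  conf_mtime=$(stat -c %Y /etc/modprobe.d/*.conf | sort -n | tail -n 1)
  initrd_mtime=$(stat -c %Y "/boot/initrd.img-$(uname -r)")
  usb_storage_verdict "$(cat /etc/modprobe.d/*.conf)" "$(lsmod)" \
    "$conf_mtime" "$initrd_mtime"
}
```

Calling `collect_and_check` after the playbook run and again after `sudo update-initramfs -u` shows whether the verdict moves from `initramfs-stale` to `ok`. The timestamp comparison is a heuristic, so a `loaded` verdict still warrants a manual look at what pulled the module in.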
