Adds Ubuntu Jammy & Rocky 9 CIS benchmark hardening playbooks

[jovial]

No description provided.

[jovial]

@technowhizz pointed out that we might need: https://github.com/ansible-lockdown/RHEL9-CIS/blob/9fa57a2b41bfefb0f46eb0795333e71480367642/defaults/main.yml#L499-L503

[MoteHue]

Just to note that setting rhelcis_rule_5_5_6: false should be done, as we have root passwords locked. This is as secure as (if not more than) setting a root password, but the check will fail as a password isn't technically set.

New changes

[markgoddard]

Did you test it with check/diff mode?

[jovial]

Did you test it with check/diff mode?

No, that could be pretty useful though. Will see if my test environment is still on SMS.

[jovial]

Did you test it with check/diff mode?

No, that could be pretty useful though. Will see if my test environment is still on SMS.

There seems to be a few issues in check mode:

TASK [ansible-lockdown.ubuntu22_cis : "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive"
"4.1.4.2 | PATCH | Ensure only authorized users own audit log files"
"4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"] ***
Wednesday 15 November 2023  10:46:52 +0000 (0:00:00.469)       0:01:43.464 ****
fatal: [controller0]: FAILED! => 
  msg: |-
    The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'mode'
  
    The error appears to be in '/home/cloud-user/kayobe-env-yoga-2/src/kayobe-config/etc/kayobe/ansible/roles/ansible-lockdown.ubuntu22_cis/tasks/section_4/cis_4.1.4.x.yml': line 20, column 9, but may                              
    be elsewhere in the file depending on the exact syntax problem.
  
    The offending line appears to be:
  
  
          - name: |
            ^ here

Seems like we need check_mode: true on a few stat tasks.

[markgoddard]

Did you test it with check/diff mode?

No, that could be pretty useful though. Will see if my test environment is still on SMS.

There seems to be a few issues in check mode:

TASK [ansible-lockdown.ubuntu22_cis : "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive"
"4.1.4.2 | PATCH | Ensure only authorized users own audit log files"
"4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"] ***
Wednesday 15 November 2023  10:46:52 +0000 (0:00:00.469)       0:01:43.464 ****
fatal: [controller0]: FAILED! => 
  msg: |-
    The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'mode'
  
    The error appears to be in '/home/cloud-user/kayobe-env-yoga-2/src/kayobe-config/etc/kayobe/ansible/roles/ansible-lockdown.ubuntu22_cis/tasks/section_4/cis_4.1.4.x.yml': line 20, column 9, but may                              
    be elsewhere in the file depending on the exact syntax problem.
  
    The offending line appears to be:
  
  
          - name: |
            ^ here

Seems like we need check_mode: true on a few stat tasks.

Not too surprising. Never mind.