update readme and fix lint

README.md

@@ -1,4 +1,9 @@
-Ansible CIS Ubuntu Linux 20.04 LTS [![Build Status](https://travis-ci.com/alivx/CIS-Ubuntu-20.04-Ansible.svg?branch=master)](https://travis-ci.com/alivx/CIS-Ubuntu-20.04-Ansible)
+<div align="center">
+  <img src="https://raw.githubusercontent.com/alivx/CIS-Ubuntu-20.04-Ansible/master/files/header.png">
+</div>
+
+
+Ansible CIS Ubuntu 20.04 LTS [![Build Status](https://travis-ci.com/alivx/CIS-Ubuntu-20.04-Ansible.svg?branch=master)](https://travis-ci.com/alivx/CIS-Ubuntu-20.04-Ansible)
 =========
 
 CIS hardened Ubuntu: cyber attack and malware prevention for mission-critical systems

files/1_1_22.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}'

files/3_2_2.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+grep -Els "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv4\.ip_forward\s*)(=)(\s*\S+\b).*$/#*REMOVED* \1/" $filename; done
+sysctl -w net.ipv4.ip_forward=0
+sysctl -w net.ipv4.route.flush=1

files/3_2_2_2.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+grep -Els "^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv6\.conf\.all\.forwarding\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done
+sysctl -w net.ipv6.conf.all.forwarding=0
+sysctl -w net.ipv6.route.flush=1

files/4_1_11.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>='"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' -F auid!=4294967295 -k privileged" }'

tasks/section_1_Initial_Setup.yaml

@@ -370,8 +370,7 @@
       register: worldWriteableList
 
     - name: 1.1.22 Ensure sticky bit is set on all world-writable directories | fix
-      shell: |
-        df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null | xargs -I '{}' chmod a+t '{}'
+      script: 1_1_22.sh
       when: worldWriteableList.stdout_lines |length > 0
 
   tags:

tasks/section_3_Network_Configuration.yaml

@@ -82,14 +82,12 @@
         value: "0"
         state: present
         reload: true
-      when: IPv6_is_enabled
+      # when: IPv6_is_enabled
     - name: 3.2.2 Ensure IP forwarding is disabled | IPV4 load"
-      shell: |
-        grep -Els "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv4\.ip_forward\s*)(=)(\s*\S+\b).*$/#*REMOVED* \1/" $filename; done; sysctl -w net.ipv4.ip_forward=0; sysctl -w net.ipv4.route.flush=1
+      script: 3_2_2.sh
     - name: 3.2.2 Ensure IP forwarding is disabled | IPV6 load"
-      shell: |
-        grep -Els "^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf | while read filename; do sed -ri "s/^\s*(net\.ipv6\.conf\.all\.forwarding\s*)(=)(\s*\S+\b).*$/# *REMOVED* \1/" $filename; done; sysctl -w net.ipv6.conf.all.forwarding=0; sysctl -w net.ipv6.route.flush=1
-      when: IPv6_is_enabled
+      script: 3_2_2_2.sh
+      # when: IPv6_is_enabled
   tags:
     - section3
     - level_1_server

tasks/section_4_Logging_and_Auditing.yaml

@@ -231,10 +231,8 @@
 - name: 4.1.11 Ensure use of privileged commands is collected
   block:
     - name: 4.1.11 Ensure use of privileged commands is collected | get data
-      shell: |
-        find / -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>='"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' -F auid!=4294967295 -k privileged" }'
+      script: 4_1_11.sh
       register: output_4_1_11
-
     - name: 4.1.11 Ensure use of privileged commands is collected | apply
       template:
         src: files/templates/auditd/privileged.rules.j2

tasks/section_6_System_Maintenance.yaml

@@ -344,14 +344,14 @@
 # 6.2.5 Ensure users' home directories permissions are 750 or more restrictive
 - name: 6.2.5 Ensure users' home directories permissions are 750 or more restrictive
   block:
-    - name: 6.2.5 Ensure users' home directories permissions are 750 or more restrictive | list
+    - name: 6.2.5 Ensure users home directories permissions are 750 or more restrictive - list
       script: 6_2_5.sh
       register: output_6_2_5
-    - name: 6.2.5 Ensure users' home directories permissions are 750 or more restrictive | save
+    - name: 6.2.5 Ensure users' home directories permissions are 750 or more restrictive - save
       copy:
         dest: "{{ outputfiles }}/6.2.5"
         content: "{{ output_6_2_5.stdout_lines }}"
-    - name: 6.2.5 Ensure users' home directories permissions are 750 or more restrictive | fix
+    - name: 6.2.5 Ensure users home directories permissions are 750 or more restrictive - fix
       file:
         name: "{{ item }}"
         mode: "g-w,o-rwx"