alivx · peteryang · May 24, 2022 · May 24, 2022 · May 24, 2022 · May 24, 2022
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -19,16 +19,16 @@ set_bootloader_credentials: no
 bootloader_credentials: { user: "root", password: "b00tl04derPwd" }
 # 1.4.3 Ensure authentication required for single user mode
 set_root_password: yes
-root_password: r00tP4ssw0rd
+root_password: SingTel5G@SingTel5G
 ## 1.7.1 Ensure permissions on /etc/motd are configured: allow for custom motd template (if the file doesn't exist, the
 ## default template in files/templates/motd.j2 will be used)
-custom_motd_file_path: "{{ inventory_dir }}/custom_templates/motd_custom.txt"
+custom_motd_file_path: "{{ inventory_dir }}/../custom_templates/motd_custom.txt"
 ## 1.7.2 Ensure permissions on /etc/issue are configured: allow for custom issue template (if the file doesn't exist, the
 ## default template in files/templates/issue.j2 will be used)
-custom_issue_file_path: "{{ inventory_dir }}/custom_templates/issue_custom.txt"
+custom_issue_file_path: "{{ inventory_dir }}/../custom_templates/issue_custom.txt"
 ## 1.7.3 Ensure permissions on /etc/issue.net are configured: allow for custom issue.net template (if the file doesn't exist, the
 ## default template in files/templates/issue.net.j2 will be used)
-custom_issue_net_file_path: "{{ inventory_dir }}/custom_templates/issue_net_custom.txt"
+custom_issue_net_file_path: "{{ inventory_dir }}/../custom_templates/issue_net_custom.txt"
 
 # Section 2 Settings
 ##Setting for systemd-timesyncd
@@ -96,10 +96,17 @@ remove_RPC: yes
 disable_wifi: no
 IPv6_is_enabled: no
 enable_firewall: yes
-UFWEnable: yes # Running both ufw and the services included in the iptables-persistent package may lead to conflict
+UFWEnable: no # Running both ufw and the services included in the iptables-persistent package may lead to conflict
 ## 3.5.1.6 Ensure firewall rules exist for all open ports | defined ports
 firewall_list_of_ports_to_allow:
-  - { rule: "allow", port: "8080", proto: "tcp" }
+  - { rule: "allow", port: "22", proto: "tcp" }
+  - { rule: "allow", port: "80", proto: "tcp" }
+  - { rule: "allow", port: "81", proto: "tcp" }
+  - { rule: "allow", port: "443", proto: "tcp" }
+  - { rule: "allow", port: "1880", proto: "tcp" }
+  - { rule: "allow", port: "1883", proto: "tcp" }
+  - { rule: "allow", port: "8883", proto: "tcp" }
+  - { rule: "allow", port: "5432", proto: "tcp" }
 ## 3.5.1.6 Ensure firewall rules exist for all open ports | keep_alived
 firewall_allow_keep_alive: no
 
@@ -124,14 +131,14 @@ grub_backlog_limit: 8192
 
 # Section 5 settings
 ## 5.1.8 Ensure cron is restricted to authorized users
-allowd_hosts: "ALL: 0.0.0.0/0.0.0.0, 192.168.2.0/255.255.255.0"
+allowd_hosts: "ALL: 0.0.0.0/0.0.0.0, 10.2.0.0/255.255.0.0"
 ## 5.2.13 Ensure only strong MAC algorithms are used
 ssh_MACs: "[email protected],[email protected],hmac-sha2-512,hmac-sha2-256"
 ## 5.2.14 Ensure only strong Key Exchange algorithms are used
 ssh_key_algorithms: "curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
-ssh_ciphers: [email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
+ssh_ciphers: [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
 ## 5.2.17 Ensure SSH access is limited
-allowed_users: ubuntu root #Put None or list of users space between each user
+allowed_users: adminuser #Put None or list of users space between each user
 allowed_groups: None
 deny_users: None
 deny_groups: None
@@ -148,7 +155,7 @@ pass_warn_age: 7
 pass_min_days: 1
 ## 5.4.1.1 Ensure password expiration is 365 days or less
 list_of_os_users:
-  - ubuntu
+  - adminuser
 ## 5.4.1.4 Ensure inactive password lock is 30 days or less
 ##Note: A value of -1 would disable this setting
 account_inactive: 30

diff --git a/tasks/section_1_Initial_Setup.yaml b/tasks/section_1_Initial_Setup.yaml
@@ -214,7 +214,7 @@
       modprobe:
         name: vfat
         state: absent
-  ignore_errors: yes
+  ignore_errors: true
   when: disable_fat
   tags:
     - section1
@@ -420,7 +420,7 @@
       shell: |
         df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
       register: worldWriteableList
-      ignore_errors: yes
+      ignore_errors: true
     - name: 1.1.22 Ensure sticky bit is set on all world-writable directories | fix
       script: 1_1_22.sh
       when: worldWriteableList.stdout_lines |length > 0
@@ -443,7 +443,7 @@
       service:
         name: autofs
         enabled: false
-      ignore_errors: yes
+      ignore_errors: true
     - name: 1.1.23 Disable Automounting | package remove
       apt:
         name: autofs
@@ -567,7 +567,7 @@
   lineinfile:
     dest: /etc/sudoers
     state: present
-    regexp: "^Defaults logfile.*"
+    regexp: "^#?\\s*Defaults logfile.*"
     line: 'Defaults logfile="/var/log/sudo.log"'
     validate: "visudo -cf %s"
   tags:
@@ -793,7 +793,7 @@
       shell: |
         dmesg | grep -E "NX|XD" | grep " active"
       register: xdnx
-      ignore_errors: yes
+      ignore_errors: true
     - name: 1.5.1 Ensure XD/NX support is enabled
       debug:
         msg: |
@@ -802,7 +802,7 @@
           If necessary configure your bootloader to load the new kernel and reboot the system.
           You may need to enable NX or XD support in your bios.
           {{ xdnx.stdout_lines }}
-      ignore_errors: yes
+      ignore_errors: true
   tags:
     - section1
     - level_1_server
@@ -829,7 +829,7 @@
   block:
     - name: 1.5.3 Ensure prelink is not installed
       command: prelink -ua
-      ignore_errors: yes
+      ignore_errors: true
     - name: 1.5.3 Ensure prelink is not installed
       apt:
         name: prelink
@@ -1080,7 +1080,7 @@
 - name: 1.9 Ensure updates, patches, and additional security software are installed
   apt:
     upgrade: dist
-  ignore_errors: yes
+  ignore_errors: true
   tags:
     - section1
     - level_1_server

diff --git a/tasks/section_2_Services.yaml b/tasks/section_2_Services.yaml
@@ -363,7 +363,7 @@
       lineinfile:
         dest: /etc/postfix/main.cf
         regexp: "^(#)?inet_interfaces"
-        line: "inet_interfaces = localhost"
+        line: "inet_interfaces = loopback-only"
       when: postfix.stat.exists
   tags:
     - section2
@@ -376,7 +376,7 @@
   apt:
     name: rsync
     state: absent
-  ignore_errors: yes
+  ignore_errors: true
   when: remove_rsyncservice
   tags:
     - section2

diff --git a/tasks/section_4_Logging_and_Auditing.yaml b/tasks/section_4_Logging_and_Auditing.yaml
@@ -326,7 +326,7 @@
       notify:
         - audit rules load
         - auditd restart
-  ignore_errors: yes
+  ignore_errors: true
   tags:
     - section4
     - level_2_server

diff --git a/tasks/section_5_Access_Authentication_and_Authorization.yaml b/tasks/section_5_Access_Authentication_and_Authorization.yaml
@@ -96,7 +96,7 @@
       file:
         path: /etc/cron.deny
         state: absent
-      ignore_errors: yes
+      ignore_errors: true
     - stat:
         path: /etc/cron.allow
       register: cfile
@@ -119,7 +119,7 @@
       file:
         path: /etc/at.deny
         state: absent
-      ignore_errors: yes
+      ignore_errors: true
     - stat:
         path: /etc/at.allow
       register: cfile
@@ -523,14 +523,15 @@
         state: present
         create: yes
         dest: /etc/security/pwquality.conf
-        regexp: "^{{ item.key }}"
+        regexp: "^#?\\s*{{ item.key }}"
         line: "{{ item.key }} = {{ item.value }}"
       with_items:
         - { key: "minlen", value: "14" }
         - { key: "dcredit", value: "-1" }
         - { key: "ucredit", value: "-1" }
         - { key: "ocredit", value: "-1" }
         - { key: "lcredit", value: "-1" }
+        - { key: "minclass", value: "4" }
   tags:
     - section5
     - level_1_server
@@ -634,7 +635,7 @@
     - name: 5.5.1.3 Ensure password expiration warning days is 7 or more  | chage --warndays
       command: "chage --warndays {{ pass_warn_age }} {{ item }}"
       with_items: "{{ list_of_os_users }}"
-  ignore_errors: yes
+  ignore_errors: true
   tags:
     - section5
     - level_1_server
@@ -650,7 +651,7 @@
     - name: 5.5.1.4 Ensure inactive password lock is 30 days or less | useradd
       command: "chage --inactive {{ account_inactive }} {{ item }}"
       with_items: "{{ list_of_os_users }}"
-  ignore_errors: yes
+  ignore_errors: true
   tags:
     - section5
     - level_1_server
@@ -800,7 +801,7 @@
       copy:
         dest: "{{ outputfiles }}/5.6"
         content: "{{ securetty }}"
-  ignore_errors: yes
+  ignore_errors: true
   tags:
     - section5
     - level_1_server