florianutz / Ubuntu1804-CIS

Ubuntu CIS Hardening Ansible Role
MIT License

Script fails with issue: "Incorrect sudo password" when using correct credentials #89

Closed GrifKies closed 3 years ago

GrifKies commented 3 years ago

Describe the bug During the script run, ssh isn't restarted and the script crashes during the PAM security section. By the way, this is a very useful script, so thank you!

To Reproduce Get a blank copy of Ubuntu 18.04 x64 server. Update and

Expected behavior Script runs and finishes with no errors.

Software (please complete the following information):

Additional context Here is a partial output of the script:

TASK [Ubuntu1804-CIS : NOTSCORED | 3.7 | Disable IPv6] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.1.1 | PATCH | Ensure auditd is installed] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.1.2 | PATCH | Ensure auditd service is enabled] ** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient] ** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.2.1 | PATCH | Ensure audit log storage size is configured] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.1.2 | PATCH | Ensure email on non-admin audit space alert] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.3 | PATCH | Ensure events that modify date and time information are collected] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.4 | PATCH | Ensure events that modify user/group information are collected] ** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.5 | PATCH | Ensure events that modify the system's network environment are collected] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.6 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected] ** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.7 | PATCH | Ensure login and logout events are collected] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.8 | PATCH | Ensure session initiation information is collected] ** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.9 | PATCH | Ensure discretionary access control permission modification events are collected] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.10 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.11 | PATCH | Get list of setuid/setguid binaries] **** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.11 | PATCH | Ensure use of privileged commands is collected] ***** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.12 | PATCH | Ensure successful file system mounts are collected] ***** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.13 | PATCH | Ensure file deletion events by users are collected] ***** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.14 | PATCH | Ensure changes to system administration scope (sudoers) is collected] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.15 | PATCH | Ensure system administrator actions (sudolog) are collected] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.16 | PATCH | Ensure kernel module loading and unloading is collected] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.1.17 | PATCH | Ensure the audit configuration is immutable] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.2.1.1 | PATCH | Ensure rsyslog or is installed] **** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.2.1.2 | PATCH | Ensure rsyslog Service is enabled] ***** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : NOTSCORED | 4.2.1.3 | PATCH | Ensure logging is configured] *** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured] **** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.2.1.5 | PATCH | Ensure rsyslog is configured to send logs to a remote log host] **** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : NOTSCORED | 4.2.1.6 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts.] ** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.2.2.1 | PATCH | Ensure journald is configured to send logs to rsyslog] ***** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.2.2.2 | PATCH | Ensure journald is configured to compress large log files] ***** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.2.2.3 | PATCH | Ensure journald is configured to write logfiles to persistent disk] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 4.2.3 | PATCH | Ensure permissions on all logfiles are configured] *** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : NOTSCORED | 4.3 | PATCH | Register logrotate.d files] ***** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : NOTSCORED | 4.3 | PATCH | Ensure logrotate.conf exists] *** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : NOTSCORED | 4.3 | PATCH | Ensure logrotate is configured] ***** changed: [192.168.1.15] => (item={'path': '/etc/logrotate.d/apt', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 173, 'inode': 2098360, 'dev': 64768, 'nlink': 1, 'atime': 1608765475.7366014, 'mtime': 1524218898.0, 'ctime': 1608765213.2947357, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False})
ok: [192.168.1.15] => (item={'path': '/etc/logrotate.d/chrony', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 160, 'inode': 2098605, 'dev': 64768, 'nlink': 1, 'atime': 1608767589.0598674, 'mtime': 1598373766.0, 'ctime': 1608767589.0598674, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False})
ok: [192.168.1.15] => (item={'path': '/etc/logrotate.d/mysql-server', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 802, 'inode': 2098624, 'dev': 64768, 'nlink': 1, 'atime': 1608767174.257933, 'mtime': 1602519884.0, 'ctime': 1608765765.3485005, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False})
ok: [192.168.1.15] => (item={'path': '/etc/logrotate.d/lxd', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 146, 'inode': 2098362, 'dev': 64768, 'nlink': 1, 'atime': 1608767174.257933, 'mtime': 1542999344.0, 'ctime': 1608765213.2947357, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False})
changed: [192.168.1.15] => (item={'path': '/etc/logrotate.d/alternatives', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 120, 'inode': 2098358, 'dev': 64768, 'nlink': 1, 'atime': 1608767174.257933, 'mtime': 1509661706.0, 'ctime': 1608765213.2947357, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False})
changed: [192.168.1.15] => (item={'path': '/etc/logrotate.d/unattended-upgrades', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 235, 'inode': 2098365, 'dev': 64768, 'nlink': 1, 'atime': 1608767174.257933, 'mtime': 1581939423.0, 'ctime': 1608765213.2947357, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False})
changed: [192.168.1.15] => (item={'path': '/etc/logrotate.d/dpkg', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 112, 'inode': 2098361, 'dev': 64768, 'nlink': 1, 'atime': 1608767174.257933, 'mtime': 1509661706.0, 'ctime': 1608765213.2947357, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False})
changed: [192.168.1.15] => (item={'path': '/etc/logrotate.d/rsyslog', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 501, 'inode': 2098363, 'dev': 64768, 'nlink': 1, 'atime': 1608767174.257933, 'mtime': 1515946775.0, 'ctime': 1608765213.2947357, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False})
ok: [192.168.1.15] => (item={'path': '/etc/logrotate.d/apport', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 126, 'inode': 2098359, 'dev': 64768, 'nlink': 1, 'atime': 1608765476.1725945, 'mtime': 1573509476.0, 'ctime': 1608765213.2947357, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False})
changed: [192.168.1.15] => (item={'path': '/etc/logrotate.d/ufw', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 178, 'inode': 2098364, 'dev': 64768, 'nlink': 1, 'atime': 1608767174.257933, 'mtime': 1502815674.0, 'ctime': 1608765213.2947357, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False})
changed: [192.168.1.15] => (item={'path': '/etc/logrotate.conf'})

TASK [Ubuntu1804-CIS : SCORED | 5.1.1 | PATCH | Ensure cron daemon is enabled] *** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured] ** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.1.8 | PATCH | Ensure at is restricted to authorized users] ***** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.1.8 | PATCH | Ensure at is restricted to authorized users] ***** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users] *** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.1.8 | PATCH | Ensure cron is restricted to authorized users] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.2 | PATCH | 5.2.2 Ensure permissions on SSH private host key files are configured | find keys] *** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.2 | PATCH | 5.2.2 Ensure permissions on SSH private host key files are configured | change permissions] ** ok: [192.168.1.15] => (item={'path': '/etc/ssh/ssh_host_ed25519_key', 'mode': '0600', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 411, 'inode': 2098579, 'dev': 64768, 'nlink': 1, 'atime': 1608765549.1430821, 'mtime': 1608765545.311082, 'ctime': 1608765545.311082, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': False, 'xgrp': False, 'woth': False, 'roth': False, 'xoth': False, 'isuid': False, 'isgid': False})
ok: [192.168.1.15] => (item={'path': '/etc/ssh/ssh_host_dsa_key', 'mode': '0600', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 668, 'inode': 2098575, 'dev': 64768, 'nlink': 1, 'atime': 1608767174.3419316, 'mtime': 1608765545.295082, 'ctime': 1608765545.295082, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': False, 'xgrp': False, 'woth': False, 'roth': False, 'xoth': False, 'isuid': False, 'isgid': False})
ok: [192.168.1.15] => (item={'path': '/etc/ssh/ssh_host_ecdsa_key', 'mode': '0600', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 227, 'inode': 2098577, 'dev': 64768, 'nlink': 1, 'atime': 1608765549.1430821, 'mtime': 1608765545.303082, 'ctime': 1608765545.303082, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': False, 'xgrp': False, 'woth': False, 'roth': False, 'xoth': False, 'isuid': False, 'isgid': False})
ok: [192.168.1.15] => (item={'path': '/etc/ssh/ssh_host_rsa_key', 'mode': '0600', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 1679, 'inode': 2097897, 'dev': 64768, 'nlink': 1, 'atime': 1608765549.1430821, 'mtime': 1608765545.223082, 'ctime': 1608765545.223082, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': False, 'xgrp': False, 'woth': False, 'roth': False, 'xoth': False, 'isuid': False, 'isgid': False})

TASK [Ubuntu1804-CIS : SCORED | 5.2.3 | PATCH | 5.2.3 Ensure permissions on SSH public host key files are configured | find keys] **** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.3 | PATCH | 5.2.3 Ensure permissions on SSH public host key files are configured | change permissions] *** ok: [192.168.1.15] => (item={'path': '/etc/ssh/ssh_host_ed25519_key.pub', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 97, 'inode': 2098599, 'dev': 64768, 'nlink': 1, 'atime': 1608765549.1430821, 'mtime': 1608765545.311082, 'ctime': 1608765545.311082, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False})
ok: [192.168.1.15] => (item={'path': '/etc/ssh/ssh_host_dsa_key.pub', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 605, 'inode': 2098576, 'dev': 64768, 'nlink': 1, 'atime': 1608765555.5270824, 'mtime': 1608765545.295082, 'ctime': 1608765545.295082, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False})
ok: [192.168.1.15] => (item={'path': '/etc/ssh/ssh_host_rsa_key.pub', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 397, 'inode': 2098574, 'dev': 64768, 'nlink': 1, 'atime': 1608765545.311082, 'mtime': 1608765545.223082, 'ctime': 1608765545.223082, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False})
ok: [192.168.1.15] => (item={'path': '/etc/ssh/ssh_host_ecdsa_key.pub', 'mode': '0644', 'isdir': False, 'ischr': False, 'isblk': False, 'isreg': True, 'isfifo': False, 'islnk': False, 'issock': False, 'uid': 0, 'gid': 0, 'size': 177, 'inode': 2098578, 'dev': 64768, 'nlink': 1, 'atime': 1608765545.311082, 'mtime': 1608765545.303082, 'ctime': 1608765545.303082, 'gr_name': 'root', 'pw_name': 'root', 'wusr': True, 'rusr': True, 'xusr': False, 'wgrp': False, 'rgrp': True, 'xgrp': False, 'woth': False, 'roth': True, 'xoth': False, 'isuid': False, 'isgid': False})

TASK [Ubuntu1804-CIS : SCORED | 5.2.4 | PATCH | Ensure SSH Protocol is not set to 1] ***** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.5 | PATCH | Ensure SSH LogLevel is set to INFO] ** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.6 | PATCH | Ensure SSH X11 forwarding is disabled] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.7 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less] ***** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.8 | PATCH | Ensure SSH IgnoreRhosts is enabled] ** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.9 | PATCH | Ensure SSH HostbasedAuthentication is disabled] ** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.10 | PATCH | Ensure SSH root login is disabled] ** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.11 | PATCH | Ensure SSH PermitEmptyPasswords is disabled] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.12 | PATCH | Ensure SSH PermitUserEnvironment is disabled] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.13 | PATCH | Ensure only strong Ciphers are used] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.14 | PATCH | Ensure only approved MAC algorithms are used] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.15 | PATCH | Ensure only strong Key Exchange algorithms are used] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.16 | PATCH | Ensure SSH Idle Timeout Interval is configured] ***** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.16 | PATCH | Ensure SSH ClientAliveCountMax set to <= 3] ***** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.17 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less] ***** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | allowusers] ** skipping: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | allowgroups] ***** skipping: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | denyusers] *** skipping: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.18 | PATCH | Ensure SSH access is limited | denygroups] ** skipping: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.19 | PATCH | Ensure SSH warning banner is configured] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.20 | PATCH | Ensure SSH PAM is enabled] ** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.21 | PATCH | Ensure SSH AllowTcpForwarding is disabled] ** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.22 | PATCH | Ensure SSH MaxStartups is configured] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.2.23 | PATCH | Ensure SSH MaxSessions is set to 4 or less] ***** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.3.1 | PATCH | Ensure lipam-pwquality is installed] ***** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.3.1 | PATCH | Ensure password creation requirements are configured] **** changed: [192.168.1.15] => (item={'key': 'minlen', 'value': '14'}) changed: [192.168.1.15] => (item={'key': 'dcredit', 'value': '-1'}) changed: [192.168.1.15] => (item={'key': 'ucredit', 'value': '-1'}) changed: [192.168.1.15] => (item={'key': 'ocredit', 'value': '-1'}) changed: [192.168.1.15] => (item={'key': 'lcredit', 'value': '-1'})

TASK [Ubuntu1804-CIS : SCORED | 5.3.2 | PATCH | Ensure lockout for failed password attempts is configured] *** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.3.3 | PATCH | Ensure password reuse is limited] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.3.4 | PATCH | Ensure password hashing algorithm is SHA-512] **** ok: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.4.1.1 | PATCH | Ensure password expiration is 365 days or less] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.4.1.2 | PATCH | Ensure minimum days between password changes is configured] **** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.4.1.3 | PATCH | Ensure password expiration warning days is 7 or more] ** changed: [192.168.1.15]

TASK [Ubuntu1804-CIS : SCORED | 5.4.1.4 | PATCH | Ensure inactive password lock is 30 days or less] ** fatal: [192.168.1.15]: FAILED! => {"msg": "Incorrect sudo password"}

RUNNING HANDLER [Ubuntu1804-CIS : sysctl flush ipv4 route table] *****

RUNNING HANDLER [Ubuntu1804-CIS : sysctl flush ipv6 route table] *****

RUNNING HANDLER [Ubuntu1804-CIS : systemd restart tmp.mount] *****

RUNNING HANDLER [Ubuntu1804-CIS : generate new grub config] **

RUNNING HANDLER [Ubuntu1804-CIS : restart sshd] **

RUNNING HANDLER [Ubuntu1804-CIS : restart auditd] ****

RUNNING HANDLER [Ubuntu1804-CIS : load audit rules] **

RUNNING HANDLER [Ubuntu1804-CIS : restart systemd-coredump] **

RUNNING HANDLER [Ubuntu1804-CIS : restart journald] ****

PLAY RECAP ***** 192.168.1.15 : ok=225 changed=118 unreachable=0 failed=1 skipped=106 rescued=0 ignored=0

Running it as: ansible-playbook -u -k -K playbook.yml

I am semi-new to Ansible, so anything that I am doing wrong here is much appreciated. Thank you and have a good day!

GrifKies commented 3 years ago

I tracked down the issue, and it seems to be caused by a small flaw in PAM's pam_tally2.so module with SSH. It counts any password attempt for sudo as invalid, and thus blocks the privilege once enabled. I am not sure how to fix it, because that is the exact code from the CIS benchmark. For now, I have set 5.3.2 to disabled.

florianutz commented 3 years ago

@GrifKies thanks for your feedback. I am also looking for the problem right now and came across the following link: https://access.redhat.com/solutions/29233. Are you able to verify whether disabling ChallengeResponseAuthentication solves the problem?
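
The 5.3.2 lockout GrifKies describes above is easiest to reason about by looking at which PAM phases pam_tally2 is wired into. Its auth phase increments the counter on every attempt and relies on pam_setcred to reset it after a successful authentication; pam_tally2(8) documents an optional account-phase entry for services where that reset does not take effect. The script below is an added example, not code from the role or from anyone in this thread: it audits a common-auth/common-account pair for a pam_tally2 auth line that has no account-phase reset, on constructed sample files whose contents are modelled on the benchmark's 5.3.2 line and the stock Ubuntu 18.04 stacks (the file names under the temp dir and the function names are the example's own).

```shell
#!/bin/sh
# Added example, not part of the Ubuntu1804-CIS role: audit a PAM auth/account
# pair for a pam_tally2 line that has no account-phase reset, on constructed
# sample files. On a real host point it at /etc/pam.d/common-auth and
# /etc/pam.d/common-account.

# Exit status: 0 = pam_tally2 is enabled in the auth stack and the account
# stack resets it; 1 = enabled but no account-phase reset; 2 = not configured.
check_tally2_pairing() {
    auth_file="$1"
    account_file="$2"
    # match active (uncommented) lines only
    if ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_tally2\.so' "$auth_file"; then
        return 2
    fi
    if grep -Eq '^[[:space:]]*account[[:space:]].*pam_tally2\.so' "$account_file"; then
        return 0
    fi
    return 1
}

# Print the deny= threshold from the first active pam_tally2 auth line (empty if none).
tally2_deny() {
    sed -n 's/^[[:space:]]*auth[[:space:]].*pam_tally2\.so.*deny=\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Constructed sample files (hypothetical contents) so the script runs offline.
SAMPLE_DIR="$(mktemp -d)"

# auth stack with the benchmark-style 5.3.2 line in front of pam_unix
cat > "$SAMPLE_DIR/common-auth" <<'EOF'
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
EOF

# account stack as shipped: nothing resets the tally here
cat > "$SAMPLE_DIR/common-account-default" <<'EOF'
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
EOF

# account stack with the account-phase reset documented in pam_tally2(8)
cat > "$SAMPLE_DIR/common-account-reset" <<'EOF'
account required pam_tally2.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
EOF

for acct in common-account-default common-account-reset; do
    rc=0
    check_tally2_pairing "$SAMPLE_DIR/common-auth" "$SAMPLE_DIR/$acct" || rc=$?
    case $rc in
        0) echo "$acct: pam_tally2 deny=$(tally2_deny "$SAMPLE_DIR/common-auth"), account-phase reset present" ;;
        1) echo "$acct: pam_tally2 deny=$(tally2_deny "$SAMPLE_DIR/common-auth"), NO account-phase reset; verify pam_setcred resets the tally for sudo, or add 'account required pam_tally2.so'" ;;
        2) echo "$acct: pam_tally2 not configured in the auth stack" ;;
    esac
done
```

On a host that is already locked out, `pam_tally2 --user <name>` prints the current count and `pam_tally2 --user <name> --reset` clears it; both need root, so run them from a console or a session that still holds root. Adding the account line is the mitigation pam_tally2(8) documents for services where the pam_setcred reset does not happen; whether that is exactly what sudo driven by Ansible hits here is not something this thread establishes, so check the count with `pam_tally2 --user` between two successful sudo prompts before relying on it.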