2022-01-07 09:06:18 +00:00
---
2022-03-30 16:18:11 +01:00
- name : "6.2.1 | PATCH | Ensure password fields are not empty"
command : passwd -l {{ item }}
2022-01-07 09:06:18 +00:00
changed_when : false
failed_when : false
with_items : "{{ empty_password_accounts.stdout_lines }}"
when :
- empty_password_accounts.rc
- rhel9cis_rule_6_2_1
tags :
- level1-server
- level1-workstation
2022-03-30 16:18:11 +01:00
- automated
2022-01-07 09:06:18 +00:00
- patch
2022-03-30 16:18:11 +01:00
- accounts
2022-01-07 09:06:18 +00:00
- rule_6.2.1
2022-03-30 16:18:11 +01:00
- name : "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
block :
- name : "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
shell : pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
changed_when : false
failed_when : false
check_mode : false
register : rhel9cis_6_2_2_passwd_gid_check
- name : "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files"
debug :
msg : "Good News! There are no users that have non-existent GUIDs (Groups)"
2022-05-11 11:20:12 +01:00
when : rhel9cis_6_2_2_passwd_gid_check.stdout | length == 0
2022-03-30 16:18:11 +01:00
- name : "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
debug :
2022-05-11 11:20:12 +01:00
msg : "Warning! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}"
when : rhel9cis_6_2_2_passwd_gid_check.stdout | length > 0
2022-01-07 09:06:18 +00:00
when :
- rhel9cis_rule_6_2_2
tags :
- level1-server
- level1-workstation
2022-03-30 16:18:11 +01:00
- automated
- audit
- accounts
- groups
2022-01-07 09:06:18 +00:00
- rule_6.2.2
2022-03-30 16:18:11 +01:00
- name : "6.2.3 | AUDIT Ensure no duplicate UIDs exist"
2022-01-07 09:06:18 +00:00
block :
2022-03-30 16:18:11 +01:00
- name : "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
shell : "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
changed_when : false
failed_when : false
register : rhel9cis_6_2_3_user_uid_check
2022-01-07 09:06:18 +00:00
2022-03-30 16:18:11 +01:00
- name : "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist"
2022-01-07 09:06:18 +00:00
debug :
2022-03-30 16:18:11 +01:00
msg : "Good News! There are no duplicate UID's in the system"
2022-05-11 11:20:12 +01:00
when : rhel9cis_6_2_3_user_uid_check.stdout | length == 0
2022-01-07 09:06:18 +00:00
2022-03-30 16:18:11 +01:00
- name : "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
debug :
2022-05-11 11:20:12 +01:00
msg : "Warning! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}"
when : rhel9cis_6_2_3_user_uid_check.stdout | length > 0
2022-01-07 09:06:18 +00:00
when :
- rhel9cis_rule_6_2_3
tags :
- level1-server
- level1-workstation
2022-03-30 16:18:11 +01:00
- automated
- audit
- accounts
- users
2022-01-07 09:06:18 +00:00
- rule_6.2.3
2022-03-30 16:18:11 +01:00
- name : "6.2.4 | AUDIT | Ensure no duplicate GIDs exist"
block :
- name : "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
shell : "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
changed_when : false
failed_when : false
register : rhel9cis_6_2_4_user_user_check
- name : "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist"
debug :
msg : "Good News! There are no duplicate GIDs in the system"
2022-05-11 11:20:12 +01:00
when : rhel9cis_6_2_4_user_user_check.stdout | length == 0
2022-03-30 16:18:11 +01:00
- name : "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
debug :
2022-05-11 11:20:12 +01:00
msg : "Warning! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}"
when : rhel9cis_6_2_4_user_user_check.stdout | length > 0
2022-01-07 09:06:18 +00:00
when :
- rhel9cis_rule_6_2_4
tags :
- level1-server
- level1-workstation
2022-03-30 16:18:11 +01:00
- automated
- audit
- accounts
- groups
2022-01-07 09:06:18 +00:00
- rule_6.2.4
2022-03-30 16:18:11 +01:00
- name : "6.2.5 | AUDIT | Ensure no duplicate user names exist"
block :
- name : "6.2.5 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
shell : "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
changed_when : false
failed_when : false
register : rhel9cis_6_2_5_user_username_check
- name : "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist"
debug :
msg : "Good News! There are no duplicate user names in the system"
2022-05-11 11:20:12 +01:00
when : rhel9cis_6_2_5_user_username_check.stdout | length == 0
2022-03-30 16:18:11 +01:00
- name : "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
debug :
2022-05-11 11:20:12 +01:00
msg : "Warning! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}"
when : rhel9cis_6_2_5_user_username_check.stdout | length > 0
2022-01-07 09:06:18 +00:00
when :
- rhel9cis_rule_6_2_5
tags :
- level1-server
- level1-workstation
2022-03-30 16:18:11 +01:00
- automated
- audit
- accounts
- users
2022-01-07 09:06:18 +00:00
- rule_6.2.5
2022-03-30 16:18:11 +01:00
- name : "6.2.6 | AUDIT |Ensure no duplicate group names exist"
block :
- name : "6.2.6 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
shell: 'getent passwd | cut -d : -f1 | sort -n | uniq -d'
changed_when : false
failed_when : false
check_mode : no
register : rhel9cis_6_2_6_group_group_check
- name : "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist"
debug :
msg : "Good News! There are no duplicate group names in the system"
2022-05-11 11:20:12 +01:00
when : rhel9cis_6_2_6_group_group_check.stdout | length == 0
2022-03-30 16:18:11 +01:00
- name : "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
debug :
2022-05-11 11:20:12 +01:00
msg : "Warning! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}"
when : rhel9cis_6_2_6_group_group_check.stdout | length > 0
2022-03-30 16:18:11 +01:00
when :
- rhel9cis_rule_6_2_6
tags :
- level1-server
- level1-workstation
- automated
- audit
- accounts
- groups
- rule_6.2.6
- name : "6.2.7 | PATCH | Ensure root PATH Integrity"
block :
- name : "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine empty value"
shell : 'echo $PATH | grep ::'
changed_when : False
failed_when : rhel9cis_6_2_7_path_colon.rc == 0
check_mode : no
register : rhel9cis_6_2_7_path_colon
- name : "6.2.7 | AUDIT | Ensure root PATH Integrity | Determin colon end"
shell : 'echo $PATH | grep :$'
changed_when : False
failed_when : rhel9cis_6_2_7_path_colon_end.rc == 0
check_mode : no
register : rhel9cis_6_2_7_path_colon_end
- name : "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine dot in path"
shell : "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'"
changed_when : False
failed_when : '"." in rhel9cis_6_2_7_dot_in_path.stdout_lines'
check_mode : no
register : rhel9cis_6_2_7_dot_in_path
- name : "6.2.7 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path"
debug :
msg :
- "The following paths have an empty value: {{ rhel9cis_6_2_7_path_colon.stdout_lines }}"
- "The following paths have colon end: {{ rhel9cis_6_2_7_path_colon_end.stdout_lines }}"
- "The following paths have a dot in the path: {{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}"
2022-06-07 10:07:19 +01:00
- name : "6.2.7 | PATCH | Ensure root PATH Integrity | Determine rights and owner"
2022-03-30 16:18:11 +01:00
file : >
path='{{ item }}'
follow=yes
state=directory
owner=root
mode='o-w,g-w'
with_items : "{{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}"
when :
- rhel9cis_rule_6_2_7
tags :
- level1-server
- level1-workstation
- automated
- patch
- paths
- rule_6.2.7
- name : "6.2.8 | PATCH | Ensure root is the only UID 0 account"
command : passwd -l {{ item }}
2022-01-07 09:06:18 +00:00
changed_when : false
failed_when : false
2022-03-30 16:18:11 +01:00
with_items : "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}"
2022-01-07 09:06:18 +00:00
when :
2022-03-30 16:18:11 +01:00
- rhel9cis_uid_zero_accounts_except_root.rc
- rhel9cis_rule_6_2_8
2022-01-07 09:06:18 +00:00
tags :
- level1-server
- level1-workstation
2022-03-30 16:18:11 +01:00
- automated
2022-01-07 09:06:18 +00:00
- patch
2022-03-30 16:18:11 +01:00
- accounts
- users
- rule_6.2.8
2022-01-07 09:06:18 +00:00
2022-03-30 16:18:11 +01:00
- name : "6.2.9 | PATCH | Ensure all users' home directories exist"
2022-01-07 09:06:18 +00:00
block :
2022-03-30 16:18:11 +01:00
- name : "6.2.9 | AUDIT | Ensure all users' home directories exist"
2022-01-07 09:06:18 +00:00
stat :
path : "{{ item }}"
2022-03-30 16:18:11 +01:00
register : rhel_08_6_2_9_audit
2022-06-07 10:07:19 +01:00
with_items : "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<', max_int_uid | int ) | map(attribute='dir') | list }}"
2022-02-02 11:34:50 +00:00
2022-03-30 16:18:11 +01:00
- name : "6.2.9 | AUDIT | Ensure all users' home directories exist"
command : find -H {{ item.0 | quote }} -not -type l -perm /027
2022-01-07 09:06:18 +00:00
check_mode : false
2022-03-30 16:18:11 +01:00
changed_when : rhel_08_6_2_9_patch_audit.stdout | length > 0
register : rhel_08_6_2_9_patch_audit
2022-01-07 09:06:18 +00:00
when :
- ansible_check_mode
- item.1.exists
with_together :
2022-03-30 16:18:11 +01:00
- "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}"
2022-01-07 09:06:18 +00:00
loop_control :
label : "{{ item.0 }}"
2022-03-30 16:18:11 +01:00
- name : "6.2.9 | PATCH | Ensure all users' home directories exist"
2022-01-07 09:06:18 +00:00
file :
path : "{{ item.0 }}"
2022-03-30 16:18:11 +01:00
recurse : yes
2022-01-07 09:06:18 +00:00
mode : a-st,g-w,o-rwx
2022-03-30 16:18:11 +01:00
register : rhel_08_6_2_9_patch
2022-01-07 09:06:18 +00:00
when :
- not ansible_check_mode
- item.1.exists
with_together :
2022-03-30 16:18:11 +01:00
- "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}"
2022-01-07 09:06:18 +00:00
loop_control :
label : "{{ item.0 }}"
# set default ACLs so the homedir has an effective umask of 0027
2022-03-30 16:18:11 +01:00
- name : "6.2.9 | PATCH | Ensure all users' home directories exist"
2022-01-07 09:06:18 +00:00
acl :
path : "{{ item.0 }}"
2022-03-30 16:18:11 +01:00
default : yes
2022-01-07 09:06:18 +00:00
state : present
2022-03-30 16:18:11 +01:00
recursive : yes
2022-01-07 09:06:18 +00:00
etype : "{{ item.1.etype }}"
permissions : "{{ item.1.mode }}"
2022-04-01 15:26:13 +01:00
when : not system_is_container
2022-01-07 09:06:18 +00:00
with_nested :
2022-03-30 16:18:11 +01:00
- "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results |
2022-01-07 09:06:18 +00:00
rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
-
- etype : group
mode : rx
- etype : other
mode : '0'
when :
2022-03-30 16:18:11 +01:00
- rhel9cis_rule_6_2_9
2022-01-07 09:06:18 +00:00
tags :
- level1-server
- level1-workstation
2022-03-30 16:18:11 +01:00
- automated
2022-01-07 09:06:18 +00:00
- patch
2022-03-30 16:18:11 +01:00
- users
- rule_6.2.9
2022-01-07 09:06:18 +00:00
2022-03-30 16:18:11 +01:00
- name : "6.2.10 | PATCH | Ensure users own their home directories"
2022-01-07 09:06:18 +00:00
file :
path : "{{ item.dir }}"
owner : "{{ item.id }}"
state : directory
with_items : "{{ rhel9cis_passwd }}"
loop_control :
label : "{{ rhel9cis_passwd_label }}"
when :
2022-04-01 15:26:13 +01:00
- min_int_uid | int <= item.uid
2022-03-30 16:18:11 +01:00
- rhel9cis_rule_6_2_10
2022-01-07 09:06:18 +00:00
tags :
- skip_ansible_lint # settings found on 6_2_7
- level1-server
- level1-workstation
2022-04-01 15:26:13 +01:00
- automated
2022-01-07 09:06:18 +00:00
- patch
2022-03-30 16:18:11 +01:00
- users
- rule_6.2.10
2022-01-07 09:06:18 +00:00
2022-03-30 16:18:11 +01:00
- name : "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
2022-01-07 09:06:18 +00:00
block :
2022-03-30 16:18:11 +01:00
- name : "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
stat :
path : "{{ item }}"
2022-06-07 10:07:19 +01:00
with_items : "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<', max_int_uid | int ) | map(attribute='dir') | list }}"
2022-03-30 16:18:11 +01:00
register : rhel_08_6_2_11_audit
2022-01-07 09:06:18 +00:00
2022-03-30 16:18:11 +01:00
- name : "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
command : find -H {{ item.0 | quote }} -not -type l -perm /027
check_mode : false
changed_when : rhel_08_6_2_11_patch_audit.stdout | length > 0
register : rhel_08_6_2_11_patch_audit
2022-01-07 09:06:18 +00:00
when :
2022-03-30 16:18:11 +01:00
- ansible_check_mode
- item.1.exists
with_together :
- "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}"
loop_control :
label : "{{ item.0 }}"
2022-01-07 09:06:18 +00:00
2022-03-30 16:18:11 +01:00
- name : "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
2022-01-07 09:06:18 +00:00
file :
2022-03-30 16:18:11 +01:00
path : "{{ item.0 }}"
recurse : yes
mode : a-st,g-w,o-rwx
register : rhel_08_6_2_11_patch
2022-01-07 09:06:18 +00:00
when :
2022-03-30 16:18:11 +01:00
- not ansible_check_mode
- item.1.exists
with_together :
- "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}"
loop_control :
label : "{{ item.0 }}"
2022-01-07 09:06:18 +00:00
2022-03-30 16:18:11 +01:00
# set default ACLs so the homedir has an effective umask of 0027
- name : "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
acl :
path : "{{ item.0 }}"
default : yes
state : present
recursive : yes
etype : "{{ item.1.etype }}"
permissions : "{{ item.1.mode }}"
2022-04-01 15:26:13 +01:00
when : not system_is_container
2022-03-30 16:18:11 +01:00
with_nested :
- "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results |
rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
-
- etype : group
mode : rx
- etype : other
mode : '0'
2022-01-07 09:06:18 +00:00
when :
- rhel9cis_rule_6_2_11
tags :
- level1-server
- level1-workstation
2022-03-30 16:18:11 +01:00
- automated
2022-01-07 09:06:18 +00:00
- patch
2022-03-30 16:18:11 +01:00
- users
- permissions
2022-01-07 09:06:18 +00:00
- rule_6.2.11
2022-03-30 16:18:11 +01:00
- name : "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable"
block :
- name : "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files"
shell : find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w
changed_when : false
failed_when : false
register : rhel9cis_6_2_12_audit
- name : "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found"
debug :
msg : "Good news! We have not found any group or world-writable dot files on your sytem"
when :
- rhel9cis_6_2_12_audit.stdout is not defined
- name : "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured"
file :
path : '{{ item }}'
mode : go-w
with_items : "{{ rhel9cis_6_2_12_audit.stdout_lines }}"
when :
- rhel9cis_6_2_12_audit.stdout is defined
- rhel9cis_dotperm_ansiblemanaged
2022-01-07 09:06:18 +00:00
when :
- rhel9cis_rule_6_2_12
tags :
- level1-server
- level1-workstation
2022-03-30 16:18:11 +01:00
- automated
2022-01-07 09:06:18 +00:00
- patch
2022-03-30 16:18:11 +01:00
- users
- permissions
2022-01-07 09:06:18 +00:00
- rule_6.2.12
2022-03-30 16:18:11 +01:00
- name : "6.2.13 | PATCH | Ensure users' .netrc Files are not group or world accessible"
command : /bin/true
changed_when : false
failed_when : false
2022-01-07 09:06:18 +00:00
when :
- rhel9cis_rule_6_2_13
tags :
- level1-server
- level1-workstation
2022-03-30 16:18:11 +01:00
- automated
2022-01-07 09:06:18 +00:00
- patch
2022-03-30 16:18:11 +01:00
- users
- permissions
- notimplemented
2022-01-07 09:06:18 +00:00
- rule_6.2.13
2022-03-30 16:18:11 +01:00
- name : "6.2.14 | PATCH | Ensure no users have .forward files"
file :
state : absent
dest : "~{{ item }}/.forward"
with_items :
- "{{ users.stdout_lines }}"
2022-01-07 09:06:18 +00:00
when :
- rhel9cis_rule_6_2_14
tags :
- level1-server
- level1-workstation
2022-03-30 16:18:11 +01:00
- automated
- patch
- users
- files
2022-01-07 09:06:18 +00:00
- rule_6.2.14
2022-03-30 16:18:11 +01:00
- name : "6.2.15 | PATCH | Ensure no users have .netrc files"
file :
state : absent
dest : "~{{ item }}/.netrc"
with_items :
- "{{ users.stdout_lines }}"
2022-01-07 09:06:18 +00:00
when :
- rhel9cis_rule_6_2_15
tags :
- level1-server
- level1-workstation
2022-03-30 16:18:11 +01:00
- automated
2022-01-07 09:06:18 +00:00
- patch
2022-03-30 16:18:11 +01:00
- users
- files
2022-01-07 09:06:18 +00:00
- rule_6.2.15
2022-03-30 16:18:11 +01:00
- name : "6.2.16 | PATCH | Ensure no users have .rhosts files"
file :
state : absent
dest : "~{{ item }}/.rhosts"
with_items : "{{ users.stdout_lines }}"
2022-01-07 09:06:18 +00:00
when :
- rhel9cis_rule_6_2_16
tags :
- level1-server
- level1-workstation
2022-03-30 16:18:11 +01:00
- automated
2022-01-07 09:06:18 +00:00
- patch
2022-03-30 16:18:11 +01:00
- users
- files
- rule_6.2.16
