ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

section 7 v2 initial

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-07-24 14:01:10 +01:00
parent 9755b0fb62
commit 06a1f2997c
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
3 changed files with 676 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

321
tasks/section_7/cis_7.1.x.yml Normal file
View file

@ -0,0 +1,321 @@
---
- name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured"
when:
- rhel9cis_rule_7_1_1
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_7.1.1
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/passwd
owner: root
group: root
mode: 'u-x,go-wx'
- name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured"
when:
- rhel9cis_rule_7_1_2
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_7.1.2
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/passwd-
owner: root
group: root
mode: 'u-x,go-wx'
- name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured"
when:
- rhel9cis_rule_7_1_3
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_7.1.3
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/group
owner: root
group: root
mode: 'u-x,go-wx'
- name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured"
when:
- rhel9cis_rule_7_1_4
tags:
- level1-server
- level1-workstation
- patch
- permissionss
- rule_7.1.4
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/group-
owner: root
group: root
mode: 'u-x,go-wx'
- name: "7.1.5 | PATCH | Ensure permissions on /etc/shadow are configured"
when:
- rhel9cis_rule_7_1_5
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_7.1.5
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/shadow
owner: root
group: root
mode: '0000'
- name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
when:
- rhel9cis_rule_7_1_6
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_7.1.6
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/shadow-
owner: root
group: root
mode: '0000'
- name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured"
when:
- rhel9cis_rule_7_1_7
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_7.1.7
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/gshadow
owner: root
group: root
mode: '0000'
- name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured"
when:
- rhel9cis_rule_7_1_8
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_7.1.8
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/gshadow-
owner: root
group: root
mode: '0000'
- name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured"
when:
- rhel9cis_rule_7_1_9
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_7.1.9
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/shells
owner: root
group: root
mode: 'u-x,go-wx'
- name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured"
when:
- rhel9cis_rule_7_1_10
tags:
- level1-server
- level1-workstation
- patch
- permissions
- rule_7.1.10
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
ansible.builtin.file:
path: /etc/security/opasswd
owner: root
group: root
mode: 'u-x,go-wx'
- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured"
when:
- rhel9cis_rule_7_1_11
tags:
- level1-server
- level1-workstation
- patch
- files
- permissions
- rule_7.1.11
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
block:
- name: "7.1.11 | AUDIT | Ensure world writable files and directories are secured | Get list of world-writable files"
ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
failed_when: false
changed_when: false
register: rhel_09_7_1_11_perms_results
- name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)"
when:
- rhel_09_7_1_11_perms_results.stdout_lines is defined
- rhel9cis_no_world_write_adjust
ansible.builtin.file:
path: '{{ item }}'
mode: o-w
state: touch
loop: "{{ rhel_09_7_1_11_perms_results.stdout_lines }}"
- name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit"
ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
- name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist"
when:
- rhel9cis_rule_7_1_12
tags:
- level1-server
- level1-workstation
- patch
- rule_7.1.12
- permissions
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
warn_control_id: '7.1.12'
block:
- name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
ansible.builtin.shell: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
changed_when: false
failed_when: false
check_mode: false
register: discovered_unowned_files
with_items:
- "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.mount }}"
- name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Flatten no_user_items results for easier use"
ansible.builtin.set_fact:
discovered_unowned_files_flatten: "{{ discovered_unowned_files.results | map(attribute='stdout_lines') | flatten }}"
- name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Alert on unowned files and directories"
when:
- not rhel9cis_ownership_adjust
- discovered_unowned_files_flatten | length > 0
ansible.builtin.debug:
msg:
- "Warning!! You have unowned files and are configured to not auto-remediate for this task"
- "Please review the files/directories below and assign an owner"
- "{{ discovered_unowned_files_flatten }}"
- name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist | Set files/directories to configured owner and group"
when:
- rhel9cis_ownership_adjust
- discovered_unowned_files_flatten | length > 0
ansible.builtin.file:
path: "{{ item }}"
owner: "{{ rhel9cis_unowned_owner }}"
group: "{{ rhel9cis_unowned_group }}"
with_items:
- "{{ udiscovered_unowned_files_flatten }}"
- name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Warn Count"
when:
- not rhel9cis_ownership_adjust
- discovered_unowned_files_flatten | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed"
when:
- rhel9cis_rule_7_1_13
tags:
- level1-server
- level1-workstation
- audit
- rule_7.1.13
- permissions
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
vars:
warn_control_id: '7.1.13'
block:
- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID"
ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
changed_when: false
failed_when: false
check_mode: false
register: discovered_suid_sgid_files
with_items:
- "{{ ansible_facts.mounts }}"
loop_control:
label: "{{ item.mount }}"
- name: "7.1.13 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use"
ansible.builtin.set_fact:
discovered_suid_sgid_files_flatten: "{{ discovered_suid_sgid_files.results | map(attribute='stdout_lines') | flatten }}"
- name: "7.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist"
when:
- discovered_suid_sgid_files_flatten | length > 0
- not rhel9cis_suid_sgid_adjust
ansible.builtin.debug:
msg:
- "Warning!! You have SUID executables"
- "The files are listed below, please confirm the integrity of these binaries"
- "{{ discovered_suid_sgid_files_flatten }}"
- name: "7.1.13 | PATCH | Audit SUID executables | Remove SUID bit"
when:
- rhel9cis_suid_sgid_adjust
- discovered_suid_sgid_files_flatten | length > 0
ansible.builtin.file:
path: "{{ item }}"
mode: 'u-s'
with_items:
- "{{ discovered_suid_sgid_files_flatten }}"
- name: "7.1.13 | AUDIT | Audit SUID executables | Warn Count"
ansible.builtin.import_tasks:
file: warning_facts.yml
when:
- discovered_suid_sgid_files_flatten | length > 0
- not rhel9cis_suid_sgid_adjust

346
tasks/section_7/cis_7.2.x.yml Normal file
View file

@ -0,0 +1,346 @@
---
- name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords"
when:
- rhel9cis_rule_7_2_1
tags:
- level1-server
- level1-workstation
- audit
- rule_7.2.1
- user_accounts
- NIST800-53R5_IA-5
vars:
warn_control_id: '7.2.1'
block:
- name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords"
ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd
changed_when: false
failed_when: false
register: discovered_nonshadowed_users
- name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Warn on findings"
when: discovered_nonshadowed_users.stdout | length > 0
ansible.builtin.debug:
msg:
- "Warning!! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password"
- "{{ discovered_nonshadowed_users.stdout_lines }}"
- name: "7.2.1 | WARNING | Ensure accounts in /etc/passwd use shadowed passwords | warn_count"
when: discovered_nonshadowed_users.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty"
when:
- rhel9cis_rule_7_2_2
tags:
- level1-server
- level1-workstation
- patch
- rule_7.2.2
- user
- permissions
- NIST800-53R5_IA-5
block:
- name: "7.2.2 | AUDIT | Ensure /etc/shadow password fields are not empty | Find users with no password"
ansible.builtin.shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow
changed_when: false
check_mode: false
register: discovered_empty_password_acct
- name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty | Lock users with empty password"
when: discovered_empty_password_acct.stdout | length > 0
ansible.builtin.user:
name: "{{ item }}"
password_lock: true
loop:
- "{{ discovered_empty_password_acct.stdout_lines }}"
- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
when:
- rhel9cis_rule_7_2_3
tags:
- level1-server
- level1-workstation
- audit
- rule_7.2.3
- groups
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
vars:
warn_control_id: '7.2.3'
block:
- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
changed_when: false
failed_when: false
check_mode: false
register: discovered_passwd_gid_check
- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
when: discovered_passwd_gid_check.stdout | length > 0
ansible.builtin.debug:
msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join (', ') }}"
- name: "7.2.3 | WARNING | Ensure all groups in /etc/passwd exist in /etc/group | warn_count"
when: discovered_passwd_gid_check.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist"
when:
- rhel9cis_rule_7_2_4
tags:
- level1-server
- level1-workstation
- audit
- rule_7.2.4
- user
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
vars:
warn_control_id: '7.2.4'
block:
- name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
changed_when: false
failed_when: false
check_mode: false
register: discovered_user_uid_check
- name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
when: discovered_user_uid_check.stdout | length > 0
ansible.builtin.debug:
msg: "Warning!! The following users have UIDs that are duplicates: {{ discovered_user_uid_check.stdout_lines }}"
- name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist | Set warning count"
when: discovered_user_uid_check.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist"
when:
- rhel9cis_rule_7_2_5
tags:
- level1-server
- level1-workstation
- audit
- rule_7.2.5
- groups
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
vars:
warn_control_id: '7.2.5'
block:
- name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
changed_when: false
failed_when: false
check_mode: false
register: discovered_user_gid_check
- name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
when: discovered_user_gid_check.stdout | length > 0
ansible.builtin.debug:
msg: "Warning!! The following groups have duplicate GIDs: {{ discovered_user_gid_check.stdout_lines }}"
- name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist | Set warning count"
when: discovered_user_gid_check.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.6 | AUDIT | Ensure no duplicate user names exist"
vars:
warn_control_id: '7.2.6'
when:
- rhel9cis_rule_7_2_6
tags:
- level1-server
- level1-workstation
- audit
- rule_7.2.6
- user
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
block:
- name: "7.2.6 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
changed_when: false
failed_when: false
check_mode: false
register: discovered_username_check
- name: "7.2.6 | WARNING | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
when: discovered_username_check.stdout | length > 0
ansible.builtin.debug:
msg: "Warning!! The following user names are duplicates: {{ discovered_user_username_check.stdout_lines }}"
- name: "7.2.6 | WARNING | Ensure no duplicate user names exist | Set warning count"
when: discovered_username_check.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.7 | AUDIT | Ensure no duplicate group names exist"
when:
- rhel9cis_rule_7_2_7
tags:
- level1-server
- level1-workstation
- audit
- rule_7.2.7
- groups
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
vars:
warn_control_id: '7.2.7'
block:
- name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
changed_when: false
failed_when: false
check_mode: false
register: discovered_group_check
- name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
when: discovered_group_check.stdout | length > 0
ansible.builtin.debug:
msg: "Warning!! The following group names are duplicates: {{ discovered_group_group_check.stdout_lines }}"
- name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Set warning count"
when: discovered_group_check.stdout | length > 0
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured"
when:
- rhel9cis_rule_7_2_8
tags:
- level1-server
- level1-workstation
- patch
- users
- rule_7.2.8
block:
- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent"
ansible.builtin.file:
path: "{{ item.dir }}"
state: directory
owner: "{{ item.id }}"
group: "{{ item.gid }}"
loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}"
loop_control:
label: "{{ item.id }}"
# set default ACLs so the homedir has an effective umask of 0027
- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Set group ACL"
when: not system_is_container
ansible.posix.acl:
path: "{{ item }}"
default: true
etype: group
permissions: rx
state: present
loop: "{{ prelim_interactive_users_home.stdout_lines }}"
- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Set other ACL"
when: not system_is_container
ansible.posix.acl:
path: "{{ item }}"
default: true
etype: other
permissions: 0
state: present
loop: "{{ prelim_interactive_users_home.stdout_lines }}"
- name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured"
when:
- rhel9cis_rule_7_2_9
- rhel9cis_disruption_high
tags:
- level1-server
- level1-workstation
- patch
- rule_7.2.9
- user
- NIST800-53R5_CM-1
- NIST800-53R5_CM-2
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
vars:
warn_control_id: '7.2.9'
block:
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Check for files"
ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w
changed_when: false
failed_when: discovered_homedir_dot_files.rc not in [ 0, 1 ]
check_mode: false
register: discovered_homedir_dot_files
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found"
when:
- discovered_homedir_dot_files.stdout | length > 0
- rhel9cis_dotperm_ansiblemanaged
ansible.builtin.debug:
msg:
- "Warning!! We have discovered group or world-writable dot files on your system and this host is configured for manual intervention. Please investigate these files further."
- name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Set warning count"
when:
- discovered_homedir_dot_files.stdout | length > 0
- rhel9cis_dotperm_ansiblemanaged
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured"
when:
- discovered_homedir_dot_files.stdout | length > 0
- rhel9cis_dotperm_ansiblemanaged
ansible.builtin.file:
path: '{{ item }}'
mode: 'go-w'
with_items: "{{ discovered_homedir_dot_files.stdout_lines }}"
- name: "7.2.4 | PATCH | Ensure shadow group is empty"
when:
- rhel9cis_rule_7_2_4
tags:
- level1-server
- level1-workstation
- patch
- rule_6.2.4
- user
vars:
warn_control_id: '7.2.4'
block:
- name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
ansible.builtin.getent:
database: group
split: ':'
key: shadow
- name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
ansible.builtin.debug:
msg: "Warning!! - You have users in the shadow group"
when: ansible_facts.getent_group.shadow[2] | length > 0
- name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
ansible.builtin.import_tasks:
file: warning_facts.yml
when: ansible_facts.getent_group.shadow[2] | length > 0

9
tasks/section_7/main.yml Normal file
View file

@ -0,0 +1,9 @@
---
- name: "SECTION | 7.1 | System File Permissions"
ansible.builtin.import_tasks:
file: cis_7.1.x.yml
- name: "SECTION | 7.2 | Local User and Group Settings"
ansible.builtin.import_tasks:
file: cis_7.2.x.yml