Merge pull request #228 from ansible-lockdown/august_issues

August issues
uk-bolly 2024-08-13 13:38:52 +01:00 committed by GitHub
commit 0bcb867ef4
8 changed files with 29 additions and 36 deletions


@ -1,5 +1,4 @@
passlib
lxml
xmltodict
jmespath
yamllint


@ -10,7 +10,7 @@
- name: Pre Audit Setup | Set audit package name | ARM64
ansible.builtin.set_fact:
audit_pkg_arch_name: ARM64
when: ansible_facts.machine == "arm64"
when: ansible_facts.machine == "aarch64"
- name: Pre Audit Setup | Download audit binary
ansible.builtin.get_url:


@ -22,7 +22,7 @@
when:
- audit_only
ansible.builtin.debug:
msg: "The Audit results are: {{ pre_audit_summary }}."
msg: "{{ audit_results.split('\n') }}"
- name: Audit_only | Stop Playbook Audit Only selected
when:
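Review bot: The new message at `msg: "{{ audit_results.split('\n') }}"` only works because YAML double-quote processing turns `\n` into a literal newline inside the Jinja string literal; a later switch to single quotes or a plain scalar would silently change what is split on. `msg: "{{ audit_results.splitlines() }}"` expresses the intent without depending on the quoting style. Where `audit_results` is set is not visible in this hunk, so it is worth confirming it is always defined when `audit_only` is true, or guarding with `| default('')`, since the previous message used a different variable.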


@ -35,7 +35,7 @@
- audit_format == "documentation"
block:
- name: Post Audit | Capture audit data if documentation format
ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation"
ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '
register: post_audit_summary
changed_when: false
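Review bot: `post_audit_outfile` is interpolated unescaped into a shell command at `ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '`; the double quotes protect against spaces but not against `$` or backtick sequences, and the defaults hunk at the end of this commit shows the path is built from `ansible_facts.hostname`, i.e. partly from data reported by the managed host. `tail -2 {{ post_audit_outfile | quote }} | tac | tr '\n' ' '` makes the interpolation shell-safe whatever the value contains. The `block` with the `audit_format == "documentation"` condition starts before this hunk.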


@ -23,7 +23,7 @@
"4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
ansible.builtin.file:
path: "{{ audit_discovered_logfile.stdout }}"
mode: "{% if auditd_logfile.stat.mode != '0600' %}0640{% endif %}"
mode: 'u-x,g-rw,o-rwx'
owner: root
group: root
when:
@ -50,7 +50,7 @@
ansible.builtin.file:
path: "{{ audit_discovered_logfile.stdout | dirname }}"
state: directory
mode: '0750'
mode: 'g-w,o-rwx'
when: not auditlog_dir.stat.mode is match('07(0|5)0')
when:
- rhel9cis_rule_4_1_4_4
@ -64,7 +64,9 @@
- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
ansible.builtin.file:
path: "{{ item.path }}"
mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
mode: 'u-x,g-wx,o-rwx'
failed_when: rhel9cis_4_1_4_5_file_list.state not in '[ file, absent ]'
register: rhel9cis_4_1_4_5_file_list
loop: "{{ auditd_conf_files.files }}"
loop_control:
label: "{{ item.path }}"
@ -81,6 +83,8 @@
ansible.builtin.file:
path: "{{ item.path }}"
owner: root
failed_when: rhel9cis_4_1_4_6_file_list.state not in '[ file, absent ]'
register: rhel9cis_4_1_4_6_file_list
loop: "{{ auditd_conf_files.files | default([]) }}"
loop_control:
label: "{{ item.path }}"
@ -97,6 +101,8 @@
ansible.builtin.file:
path: "{{ item.path }}"
group: root
failed_when: rhel9cis_4_1_4_7_file_list.state not in '[ file, absent ]'
register: rhel9cis_4_1_4_7_file_list
loop: "{{ auditd_conf_files.files | default([]) }}"
loop_control:
label: "{{ item.path }}"
@ -126,8 +132,7 @@
- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required"
ansible.builtin.file:
path: "{{ item.item }}"
mode: '0750'
mode: 'go-w'
loop: "{{ audit_bins.results }}"
loop_control:
label: "{{ item.item }}"
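Review bot: The check added at `failed_when: rhel9cis_4_1_4_5_file_list.state not in '[ file, absent ]'` compares against a string, not a list, so it tests substring containment rather than membership: any `state` value that is a substring of `'[ file, absent ]'` (an empty string included) passes, and a value such as `directory` fails the task even though it is presumably not an error for the `file` module. The intent reads as `failed_when: rhel9cis_4_1_4_5_file_list.state not in ['file', 'absent']`; the same form is added for 4.1.4.6 and 4.1.4.7 in this file and for 4.2.3 in the next file. It is also worth confirming that the per-item registered result of `ansible.builtin.file` actually exposes a `state` key, since otherwise the expression errors on an undefined attribute instead of evaluating. The switch to subtractive symbolic modes such as `'u-x,g-rw,o-rwx'` can only clear permission bits, which matches the "or more restrictive" wording of these controls and deserves a one-line comment saying so.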


@ -14,6 +14,8 @@
ansible.builtin.file:
path: "{{ item.path }}"
mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
failed_when: rhel9cis_4_2_3_file_list.state not in '[ file, absent ]'
register: rhel9cis_4_2_3_file_list
loop: "{{ logfiles.files }}"
loop_control:
label: "{{ item.path }}"


@ -150,7 +150,7 @@
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist"
block:
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories"
ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser
ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser -not -fstype nfs
changed_when: false
failed_when: false
check_mode: false
@ -162,28 +162,21 @@
- item['device'].startswith('/dev')
- not 'bind' in item['options']
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | set fact"
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use"
ansible.builtin.set_fact:
rhel_09_6_1_10_unowned_files_found: true
loop: "{{ rhel_09_6_1_10_audit.results }}"
when:
- item | length > 0
- item.stdout is defined # skipped items are part of results list, but don't have the registered module properties
- item.stdout | length > 0
discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | map(attribute='stdout_lines') | flatten }}"
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
ansible.builtin.debug:
msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit.stdout_lines }}"
when: rhel_09_6_1_10_unowned_files_found
msg: "Warning!! Missing owner on items in {{ discovered_unowned_files_flatten }}"
when: discovered_unowned_files_flatten | length > 0
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '6.1.10'
when: rhel_09_6_1_10_unowned_files_found
vars:
rhel_09_6_1_10_unowned_files_found: false
when: discovered_unowned_files_flatten | length > 0
when:
- rhel9cis_rule_6_1_10
tags:
@ -209,28 +202,21 @@
- item['device'].startswith('/dev')
- not 'bind' in item['options']
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | set fact"
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Flatten no_user_items results for easier use"
ansible.builtin.set_fact:
rhel_09_6_1_11_ungrouped_files_found: true
loop: "{{ rhel_09_6_1_11_audit.results }}"
when:
- item | length > 0
- item.stdout is defined # skipped items are part of results list, but don't have the registered module properties
- item.stdout | length > 0
discovered_ungrouped_files_flatten: "{{ rhel_09_6_1_11_audit.results | map(attribute='stdout_lines') | flatten }}"
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
ansible.builtin.debug:
msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit.stdout_lines }}"
when: rhel_09_6_1_11_ungrouped_files_found
msg: "Warning!! Missing group on items in {{ discovered_ungrouped_files_flatten }}"
when: discovered_ungrouped_files_flatten | length > 0
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '6.1.11'
when: rhel_09_6_1_11_ungrouped_files_found
vars:
rhel_09_6_1_11_ungrouped_files_found: false
when: discovered_ungrouped_files_flatten | length > 0
when:
- rhel9cis_rule_6_1_11
tags:
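Review bot: The new set_fact `discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | map(attribute='stdout_lines') | flatten }}"` drops the handling the removed code had for skipped loop items (its comment noted that skipped items are in `results` but lack the module's return keys), and the per-item `when` on the find task visible at the top of the hunk means such items will exist; `map(attribute=...)` then yields an undefined value that `flatten` is likely to reject. Inserting `selectattr('stdout_lines', 'defined')` before the `map` restores that guard, e.g. `"{{ rhel_09_6_1_10_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}"`, and the same applies to `discovered_ungrouped_files_flatten` in the 6.1.11 hunk. The 6.1.11 task name still says "Flatten no_user_items results", which looks copied from 6.1.10. Both task blocks begin before their hunks.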


@ -26,8 +26,9 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma
### Audit binary settings ###
audit_bin_version:
release: v0.4.4
AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5'
release: v0.4.8
AMD64_checksum: 'sha256:85d00b7bba5f175bec95de7dfe1f71f8f25204914aad4c6f03c8457868eb6e2f'
ARM64_checksum: 'sha256:bca8c898bfd35b94c51455ece6193c95e2cd7b2b183ac2047b2d76291e73e47d'
audit_bin_path: /usr/local/bin/
audit_bin: "{{ audit_bin_path }}goss"
audit_format: json