From f40d17df92588a7e97655fa9691805fd17b93c59 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 12 Jun 2025 12:42:44 -0400 Subject: [PATCH 1/6] Update eprep based tasks to grep/awk Signed-off-by: Frederick Witty --- tasks/main.yml | 2 +- tasks/section_1/cis_1.3.1.x.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index e285e8d..fe50b10 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -132,7 +132,7 @@ - rule_5.4.2.4 block: - name: "Ensure root password is set" - ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)" + ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)" changed_when: false register: prelim_root_passwd_set diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml index 198ae7b..17e138e 100644 --- a/tasks/section_1/cis_1.3.1.x.yml +++ b/tasks/section_1/cis_1.3.1.x.yml @@ -106,7 +106,7 @@ warn_control_id: '1.3.1.6' block: - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" - ansible.builtin.shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' + ansible.builtin.shell: ps -eZ | awk -F':'' '/unconfined_service_t/ && $NF !~ /tr|ps|egrep|bash|awk/ {print $NF}' register: discovered_unconf_services failed_when: false changed_when: false From 3a0ee6e9f8ccea92c22bf5838e0a514ae63c76b7 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 12 Jun 2025 15:44:03 -0400 Subject: [PATCH 2/6] update 1.3.1.6 log to grep -E Signed-off-by: Frederick Witty --- tasks/section_1/cis_1.3.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml index 17e138e..ad7d844 100644 --- a/tasks/section_1/cis_1.3.1.x.yml +++ b/tasks/section_1/cis_1.3.1.x.yml @@ -106,7 +106,7 @@ warn_control_id: '1.3.1.6' block: - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" - ansible.builtin.shell: ps -eZ | awk -F':'' '/unconfined_service_t/ && $NF !~ /tr|ps|egrep|bash|awk/ {print $NF}' + ansible.builtin.shell: ps -eZ | grep unconfined_service_t | grep -Evw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' register: discovered_unconf_services failed_when: false changed_when: false From 6ced990430e326cb9151046bb690c981fd49eb20 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 16 Jun 2025 14:58:21 -0400 Subject: [PATCH 3/6] Update handler naming change_requires_reboot to set reboot required Signed-off-by: Frederick Witty --- handlers/main.yml | 8 ++++---- tasks/prelim.yml | 8 ++------ tasks/section_1/cis_1.2.2.x.yml | 2 +- 3 files changed, 7 insertions(+), 11 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 1a3b66e..8ac3b22 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -150,7 +150,7 @@ ansible.posix.mount: path: "{{ mount_point }}" state: remounted - notify: Change_requires_reboot + notify: Set reboot required listen: "Remount /boot/efi" - name: Reload sysctl @@ -194,7 +194,7 @@ ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" changed_when: true notify: - - Change_requires_reboot + - Set reboot required - Restart sshd - name: Restart firewalld @@ -255,7 +255,7 @@ when: discovered_auditd_immutable_check.stdout == '1' ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" - notify: Change_requires_reboot + notify: Set reboot required - name: Stop auditd process ansible.builtin.command: systemctl kill auditd @@ -268,6 +268,6 @@ state: started listen: Restart auditd -- name: Change_requires_reboot +- name: Set reboot required ansible.builtin.set_fact: change_requires_reboot: true diff --git a/tasks/prelim.yml b/tasks/prelim.yml index ced76ce..2e0dd95 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -4,9 +4,7 @@ # List users in order to look files inside each home directory - name: "PRELIM | Include audit specific variables" - when: - - run_audit or audit_only - - setup_audit + when: run_audit or audit_only or setup_audit tags: - setup_audit - run_audit @@ -14,9 +12,7 @@ file: audit.yml - name: "PRELIM | Include pre-remediation audit tasks" - when: - - run_audit or audit_only - - setup_audit + when: run_audit or audit_only or setup_audit tags: run_audit ansible.builtin.import_tasks: pre_remediation_audit.yml diff --git a/tasks/section_1/cis_1.2.2.x.yml b/tasks/section_1/cis_1.2.2.x.yml index 2ccb59f..379b92d 100644 --- a/tasks/section_1/cis_1.2.2.x.yml +++ b/tasks/section_1/cis_1.2.2.x.yml @@ -13,4 +13,4 @@ ansible.builtin.package: name: "*" state: latest - notify: Change_requires_reboot + notify: Set reboot required From b38e7d06eb757c2af71f5fd8482afb48a97162fb Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 16 Jun 2025 15:14:08 -0400 Subject: [PATCH 4/6] var fixes for 1.1.2.3.x and 1.1.2.4.x Signed-off-by: Frederick Witty --- tasks/pre_remediation_audit.yml | 2 +- tasks/prelim.yml | 16 +++++----------- tasks/section_1/cis_1.1.2.3.x.yml | 4 ++-- tasks/section_1/cis_1.1.2.4.x.yml | 4 ++-- 4 files changed, 10 insertions(+), 16 deletions(-) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 61959fa..a2a37f1 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -46,7 +46,7 @@ remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}" extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}" -- name: Pre Audit Setup | Check Goss is available +- name: Pre Audit Setup | Check goss is available when: run_audit block: - name: Pre Audit Setup | Check for goss file diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 2e0dd95..0e2b155 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -136,8 +136,7 @@ register: prelim_systemd_coredump - name: "PRELIM | PATCH | Setup crypto-policy" - when: - - rhel9cis_rule_1_6_1 + when: rhel9cis_rule_1_6_1 tags: - level1-server - level1-workstation @@ -185,15 +184,13 @@ grub2_path: /etc/grub2-efi.cfg - name: "PRELIM | AUDIT | Discover Gnome Desktop Environment" - tags: - - always + tags: always ansible.builtin.stat: path: /usr/share/gnome/gnome-version.xml register: prelim_gnome_present - name: "PRELIM | PATCH | Install dconf if gui installed" - when: - - rhel9cis_gui + when: rhel9cis_gui tags: - always ansible.builtin.package: @@ -251,9 +248,7 @@ state: touch - name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists" - when: - - rhel9cis_rule_5_1_10 or - rhel9cis_rule_5_1_11 + when: rhel9cis_rule_5_1_10 or rhel9cis_rule_5_1_11 ansible.builtin.stat: path: /etc/ssh/sshd_config.d/50-redhat.conf register: discovered_sshd_50_redhat_file @@ -281,8 +276,7 @@ - name: "PRELIM | PATCH | Create journald config directory" when: - rhel9cis_syslog == 'journald' - - rhel9cis_rule_6_2_1_3 or - rhel9cis_rule_6_2_1_4 + - rhel9cis_rule_6_2_1_3 or rhel9cis_rule_6_2_1_4 tags: always ansible.builtin.file: path: /etc/systemd/journald.conf.d diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index 998d1ba..635648d 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -21,12 +21,12 @@ register: discovered_home_mount - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Absent" - when: discovered_dev_shm_mount is undefined + when: discovered_home_mount is undefined ansible.builtin.debug: msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Present" - when: discovered_dev_shm_mount is undefined + when: discovered_home_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index e0afd4e..f89fe3f 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -22,12 +22,12 @@ register: discovered_var_mount - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent" - when: discovered_dev_shm_mount is undefined + when: discovered_var_mount is undefined ansible.builtin.debug: msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present" - when: discovered_dev_shm_mount is undefined + when: discovered_var_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml From 38a173546cce29a2eb779a40ff5f805c706eb74d Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 16 Jun 2025 16:49:36 -0400 Subject: [PATCH 5/6] Update auditd with check_mode Signed-off-by: Frederick Witty --- tasks/auditd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 7b86b94..0fa0b32 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -7,6 +7,7 @@ - name: "POST | AUDITD | Set supported_syscalls variable" ansible.builtin.shell: ausyscall --dump | awk '{print $2}' changed_when: false + check_mode: false failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ] register: discovered_auditd_syscalls From acacb7a6bc6582a5b1e706a9002fa6d74d054fae Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 16 Jun 2025 17:18:08 -0400 Subject: [PATCH 6/6] QA Fixes Signed-off-by: Frederick Witty --- tasks/main.yml | 7 ++----- tasks/pre_remediation_audit.yml | 1 + tasks/prelim.yml | 6 ++---- tasks/section_1/cis_1.1.1.x.yml | 3 +-- 4 files changed, 6 insertions(+), 11 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index fe50b10..e106120 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -17,9 +17,7 @@ success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" - name: "Setup rules if container" - when: - - ansible_connection == 'docker' or - ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] tags: - container_discovery - always @@ -101,8 +99,7 @@ - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template] ansible.builtin.assert: - that: - - not prelim_ansible_user_password_set.stdout.startswith("!") + that: not prelim_ansible_user_password_set.stdout.startswith("!") fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index a2a37f1..80df209 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,4 +1,5 @@ --- + - name: Pre Audit Setup | Setup the LE audit when: setup_audit tags: setup_audit diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 0e2b155..3970db8 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -191,8 +191,7 @@ - name: "PRELIM | PATCH | Install dconf if gui installed" when: rhel9cis_gui - tags: - - always + tags: always ansible.builtin.package: name: dconf state: present @@ -201,8 +200,7 @@ when: - rhel9cis_rule_3_1_2 - not system_is_container - tags: - - always + tags: always block: - name: "PRELIM | AUDIT | Discover is wireless adapter on system" ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index adc094d..e67bb39 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -27,8 +27,7 @@ mode: 'go-rwx' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: cramfs state: absent