From 113d422dd41f0858ece61552d86802342b31c2eb Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 31 Jan 2022 17:03:51 +0000
Subject: [PATCH] added uid discovery and usage
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 8 ++++++--
 tasks/prelim.yml | 23 +++++++++++++++++++++++
 tasks/section_5/cis_5.5.x.yml | 4 ++--
 tasks/section_6/cis_6.2.x.yml | 6 +++---
 templates/audit/99_auditd.rules.j2 | 30 +++++++++++++++---------------
 5 files changed, 49 insertions(+), 22 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index cb2ac8e..9f3df3e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -546,8 +546,12 @@ rhel9cis_pam_password:
 minlen: "14"
 minclass: "4"
-# Starting GID for interactive users
-rhel9cis_int_gid: 1000
+# UID settings for interactive users
+# These are discovered via logins.def is set true
+discover_int_uid: false
+min_int_uid: 1000
+max_int_uid: 65533
+
 # RHEL-09-5.4.5
 # Session timeout setting file (TMOUT setting can be set in multiple files)
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index c61356c..eadfb56 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -190,3 +190,26 @@
 tags:
 - rule_1.2.2
 - skip_ansible_lint
+
+- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def"
+ block:
+ - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def"
+ shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
+ register: uid_min_id
+
+ - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def"
+ shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
+ register: uid_max_id
+
+ - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def"
+ shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}'
+ register: gid_min_id
+
+ - name: "PRELIM | AUDIT | set_facts for interactive uid/gid"
+ set_fact:
+ min_int_uid: uid_min_id.stdout
+ max_int_uid: uid_max_id.stdout
+
+ when:
+ - not discover_int_uid
+
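Review bot: The comment added above the new variables, `# These are discovered via logins.def is set true`, names the wrong file and does not say which flag triggers discovery; suggest `# Interactive-user UID bounds; when discover_int_uid is true they are read from UID_MIN/UID_MAX in /etc/login.defs, otherwise these defaults apply.` The three new names drop the `rhel9cis_` prefix that the removed `rhel9cis_int_gid` carried, so `min_int_uid`/`max_int_uid` can be overridden by, or clobber, same-named variables from other roles in the same play. The default `max_int_uid: 65533` also replaces the literal `65534` removed in tasks/section_6/cis_6.2.x.yml, so the default no longer excludes that UID (conventionally `nobody`) from the home-directory checks; if that exclusion is intended the default should be `65534`.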
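Review bot: The `set_fact` task assigns the literal strings `uid_min_id.stdout` and `uid_max_id.stdout` because the values are not wrapped in `{{ }}`, so with discovery active every consumer (`item.gid < min_int_uid`, `-F auid>={{ min_int_uid }}`) receives that text instead of a number. Even once templated, `stdout` is a string, so cast with `| int` when setting the fact so the integer comparisons in sections 5 and 6 work. The block's `when: - not discover_int_uid` runs discovery when the flag is false, the opposite of what the new comment in defaults/main.yml describes, and `gid_min_id` is registered but never used. The grep/awk tasks only read /etc/login.defs and should carry `changed_when: false`, and because the pipeline's exit status is awk's, a missing UID_MIN/UID_MAX line yields rc 0 with empty stdout rather than a failure, which would later render an unloadable `-F auid>=` audit rule; a `failed_when` on empty stdout closes that gap.
```yaml
- name: "PRELIM | AUDIT | Discover Interactive UID_MIN and UID_MAX from login.defs"
  block:
    - name: "PRELIM | AUDIT | Capture UID_MIN information from login.defs"
      shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
      changed_when: false
      failed_when: uid_min_id.rc != 0 or uid_min_id.stdout | length == 0
      register: uid_min_id

    - name: "PRELIM | AUDIT | Capture UID_MAX information from login.defs"
      shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
      changed_when: false
      failed_when: uid_max_id.rc != 0 or uid_max_id.stdout | length == 0
      register: uid_max_id

    # … unchanged: GID_MIN capture (remove it or set a gid fact from it) …

    - name: "PRELIM | AUDIT | set_facts for interactive uid"
      set_fact:
        min_int_uid: "{{ uid_min_id.stdout | int }}"
        max_int_uid: "{{ uid_max_id.stdout | int }}"
  when:
    - discover_int_uid
```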
diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml
index 0d8cfa0..83f8d7e 100644
--- a/tasks/section_5/cis_5.5.x.yml
+++ b/tasks/section_5/cis_5.5.x.yml
@@ -13,7 +13,7 @@
 - item.id != "sync"
 - item.id != "shutdown"
 - item.id != "halt"
- - item.gid < rhel9cis_int_gid
+ - item.gid < min_int_uid
 - item.shell != " /bin/false"
 - item.shell != " /usr/sbin/nologin"
@@ -28,7 +28,7 @@
 - item.id != "shutdown"
 - item.id != "sync"
 - item.id != "root"
- - item.gid < rhel9cis_int_gid
+ - item.gid < min_int_uid
 - item.shell != " /bin/false"
 - item.shell != " /usr/sbin/nologin"
 when:
diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
index ad51121..7242132 100644
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@@ -134,7 +134,7 @@
 - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
 stat:
 path: "{{ item }}"
- with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
+ with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid) | selectattr('uid', '!=', max_int_uid) | map(attribute='dir') | list }}"
 register: rhel_09_6_2_7_audit
 - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
@@ -204,7 +204,7 @@
 loop_control:
 label: "{{ rhel9cis_passwd_label }}"
 when:
- - item.uid >= rhel9cis_int_gid
+ - item.uid >= min_int_uid
 - rhel9cis_rule_6_2_8
 tags:
 - skip_ansible_lint # settings found on 6_2_7
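Review bot: Both hunks now test `item.gid < min_int_uid`, comparing a group id against the interactive UID floor, while the line they replace used a GID variable; tasks/prelim.yml captures `GID_MIN` into `gid_min_id` but never turns it into a fact, so either set a GID-derived fact and compare against that, or compare `item.uid` against `min_int_uid` if the intent is to select system accounts by UID. If `min_int_uid` comes from discovery it is whatever `set_fact` stored from `stdout`, i.e. a string, and, assuming `item.gid` is an integer as the `<` implies, `int < str` raises a TypeError during templating under Python 3, so cast: `- item.gid | int < min_int_uid | int`. Both hunks are cut from the middle of their task definitions; the task names and `when:` keys are outside the hunk.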
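Review bot: `selectattr('uid', '!=', max_int_uid)` changes what the filter excludes: the removed line dropped exactly UID 65534 (conventionally `nobody`), whereas the new line drops whatever `max_int_uid` holds — 65533 by default, or the discovered `UID_MAX` — so `nobody`'s entry is now included in the home-directory permission audit and one arbitrary UID is skipped instead. If `max_int_uid` is meant as an upper bound, use it as one, `selectattr('uid', '<=', max_int_uid | int)`, and keep the default at a value that excludes `nobody`; the same applies to the identical `with_items` in the @@ -500 hunk of this file. Both `selectattr('uid', '>=', min_int_uid)` here and `item.uid >= min_int_uid` in the @@ -204 hunk compare what looks like an integer field with a fact that tasks/prelim.yml stores as a string from `stdout`, which Jinja2 rejects with a TypeError on Python 3; apply `| int` to the fact or cast it when it is set. The 6.2.7 and 6.2.8 task bodies extend beyond the hunks.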
@@ -500,7 +500,7 @@
 stat:
 path: "{{ item }}"
 register: rhel_09_6_2_20_audit
- with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
+ with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid) | selectattr('uid', '!=', max_int_uid) | map(attribute='dir') | list }}"
 - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist"
 shell: find -H {{ item.0 | quote }} -not -type l -perm /027
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
index da5664b..43897d7 100644
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@@ -32,18 +32,18 @@
 -w /etc/sysconfig/network -p wa -k system-locale
 {% endif %}
 {% if rhel9cis_rule_4_1_9 %}
--a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
 {% endif %}
 {% if rhel9cis_rule_4_1_10 %}
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F 
auid!=4294967295 -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
 {% endif %}
 {% if rhel9cis_rule_4_1_11 %}
 -w /etc/group -p wa -k identity
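Review bot: Every `-F auid>={{ min_int_uid }}` in this hunk and in the @@ -53 hunk below renders a fact that tasks/prelim.yml sets untemplated (`min_int_uid: uid_min_id.stdout`), so on a host where discovery runs the rule becomes `-F auid>=uid_min_id.stdout`, which auditctl rejects. Because `auditctl -R`, as run by augenrules, stops at the first rule that fails to parse unless invoked with `-c`, the perm_mod, access, mounts, privileged and delete rules would then all fail to load, silently removing the coverage these CIS items require while the play still reports success. Add an `assert` before the template task, e.g. `that: min_int_uid | string is match('^[0-9]+$')`, so a bad fact fails the play instead of producing an unloadable rule set; `| int` in the template is not enough on its own, since it coerces unparsable text to `0` and would make the rules match every auid. Moving the threshold from a GID variable to UID_MIN is the right direction here, as `auid` is a user id.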
@@ -53,17 +53,17 @@
 -w /etc/security/opasswd -p wa -k identity
 {% endif %}
 {% if rhel9cis_rule_4_1_12 %}
--a always,exit -F arch=b32 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
--a always,exit -F arch=b64 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts
 {% endif %}
 {% if rhel9cis_rule_4_1_13 %}
 {% for proc in priv_procs.stdout_lines -%}
--a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k privileged
+-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=4294967295 -k privileged
 {% endfor %}
 {% endif %}
 {% if rhel9cis_rule_4_1_14 %}
--a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
--a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete
 {% endif %}
 {% if rhel9cis_rule_4_1_15 %}
 -w /usr/sbin/insmod -p x -k modules