ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-26 06:37:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #30 from ansible-lockdown/interactive_user_update

Browse source 
Interactive user update
This commit is contained in:
Fred W. 2025-05-28 12:15:41 -04:00 committed by GitHub
commit 1416780797
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 54 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

10
.pre-commit-config.yaml
View file

@ -39,16 +39,16 @@ repos:
rev: v1.5.0 rev: v1.5.0
hooks: hooks:
- id: detect-secrets - id: detect-secrets
name: Detect Secrets name: Detect Secrets test
- repo: https://github.com/gitleaks/gitleaks - repo: https://github.com/gitleaks/gitleaks
rev: v8.24.3 rev: v8.26.0
hooks: hooks:
- id: gitleaks - id: gitleaks
name: GitLeaks name: Run Gitleaks test
- repo: https://github.com/ansible-community/ansible-lint - repo: https://github.com/ansible-community/ansible-lint
rev: v25.2.1 rev: v25.5.0
hooks: hooks:
- id: ansible-lint - id: ansible-lint
name: Ansible-lint name: Ansible-lint
@ -67,7 +67,7 @@ repos:
# - ansible-core>=2.10.1 # - ansible-core>=2.10.1
- repo: https://github.com/adrienverge/yamllint.git - repo: https://github.com/adrienverge/yamllint.git
rev: v1.37.0 # or higher tag rev: v1.37.1 # or higher tag
hooks: hooks:
- id: yamllint - id: yamllint
name: Check YAML Lint name: Check YAML Lint

11
defaults/main.yml
View file

@ -12,7 +12,7 @@ os_check: true
# Disruption is high # Disruption is high
## Run tests that are considered higher risk and could have a system impact if not properly tested ## Run tests that are considered higher risk and could have a system impact if not properly tested
## Default false ## Default false
## Will be fine if clean new unconfigured build ## Will be fine if clean new un configured build
rhel9cis_disruption_high: false rhel9cis_disruption_high: false
## Switching on/off specific baseline sections ## Switching on/off specific baseline sections
@ -513,7 +513,7 @@ rhel9cis_rule_7_2_9: true
## Section 1 vars ## Section 1 vars
## Ability to enabe debug on mounts to assist in troubleshooting ## Ability to enable debug on mounts to assist in troubleshooting
# Mount point changes are set based upon facts created in Prelim # Mount point changes are set based upon facts created in Prelim
# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1. # these then build the variable and options that is passed to the handler to set the mount point for the controls in section1.
rhel9cis_debug_mount_data: false rhel9cis_debug_mount_data: false
@ -723,6 +723,7 @@ rhel9cis_ipv6_required: true
## 3.1.2 wireless network requirements ## 3.1.2 wireless network requirements
# if wireless adapter found allow network manager to be installed # if wireless adapter found allow network manager to be installed
rhel9cis_install_network_manager: false rhel9cis_install_network_manager: false
rhel9cis_network_manager_package_name: NetworkManager
# 3.3 System network parameters (host only OR host and router) # 3.3 System network parameters (host only OR host and router)
# This variable governs whether specific CIS rules # This variable governs whether specific CIS rules
# concerned with acceptance and routing of packages are skipped. # concerned with acceptance and routing of packages are skipped.
@ -815,7 +816,7 @@ rhel9cis_sshd_clientalivecountmax: 3
rhel9cis_sshd_clientaliveinterval: 15 rhel9cis_sshd_clientaliveinterval: 15
## Control 5.1.12 - disable forwarding ## Control 5.1.12 - disable forwarding
# By Default this will also disablex11 forwarding # By Default this will also disable x11 forwarding
# set 'yes' if x11 is required this can be changed to run in /etc/ssh/ssh_config.d/50-redhat.conf # set 'yes' if x11 is required this can be changed to run in /etc/ssh/ssh_config.d/50-redhat.conf
rhel9cis_sshd_x11forwarding: 'no' rhel9cis_sshd_x11forwarding: 'no'
@ -1045,14 +1046,14 @@ rhel9cis_bash_umask: '0027' # 0027 or more restrictive
# These are discovered via logins.def if set true # These are discovered via logins.def if set true
rhel9cis_discover_int_uid: true rhel9cis_discover_int_uid: true
# This variable sets the minimum number from which to search for UID # This variable sets the minimum number from which to search for UID
# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has # Note that the value will be dynamically overwritten if variable `discover_int_uid` has
# been set to `true`. # been set to `true`.
min_int_uid: 1000 min_int_uid: 1000
### Controls: ### Controls:
# - Ensure local interactive user home directories exist # - Ensure local interactive user home directories exist
# - Ensure local interactive users own their home directories # - Ensure local interactive users own their home directories
# This variable sets the maximum number at which the search stops for UID # This variable sets the maximum number at which the search stops for UID
# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has # Note that the value will be dynamically overwritten if variable `discover_int_uid` has
# been set to `true`. # been set to `true`.
max_int_uid: 65533 max_int_uid: 65533

10
tasks/audit_only.yml
View file

@ -1,15 +1,5 @@
--- ---
- name: Audit_Only | Create local Directories for hosts
when: fetch_audit_files
ansible.builtin.file:
mode: 'u+x,go-w'
path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
recurse: true
state: directory
delegate_to: localhost
become: false
- name: Audit_only | Show Audit Summary - name: Audit_only | Show Audit Summary
when: audit_only when: audit_only
ansible.builtin.debug: ansible.builtin.debug:

4
tasks/main.yml
View file

@ -17,7 +17,9 @@
success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
- name: "Setup rules if container" - name: "Setup rules if container"
when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] when:
- ansible_connection == 'docker' or
ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
tags: tags:
- container_discovery - container_discovery
- always - always

8
tasks/parse_etc_password.yml
View file

@ -7,12 +7,12 @@
ansible.builtin.shell: cat /etc/passwd | grep -v '^#' ansible.builtin.shell: cat /etc/passwd | grep -v '^#'
changed_when: false changed_when: false
check_mode: false check_mode: false
register: prelim_passwd_file_audit register: prelim_capture_passwd_file
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries" - name: "PRELIM | 5.4.2 | 7.2.8 | Split passwd entries"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_passwd: "{{ prelim_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" prelim_captured_passwd_data: "{{ prelim_capture_passwd_file.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
loop: "{{ prelim_passwd_file_audit.stdout_lines }}" loop: "{{ prelim_capture_passwd_file.stdout_lines }}"
vars: vars:
ld_passwd_regex: >- ld_passwd_regex: >-
^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*) ^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*)

20
tasks/prelim.yml
View file

@ -31,9 +31,17 @@
- name: "PRELIM | AUDIT | Interactive Users (reformat)" - name: "PRELIM | AUDIT | Interactive Users (reformat)"
tags: always tags: always
ansible.builtin.set_fact: ansible.builtin.set_fact:
prelim_interactive_usernames: "{{ prelim_interactive_users | default([]) + [dict([('username', item.split(':')[0]), ('uid', item.split(':')[1]), ('home', item.split(':')[2])])] }}" prelim_interactive_users: "{{ prelim_interactive_users | default([]) + [dict([('username', item.split(':')[0]), ('uid', item.split(':')[1]), ('home', item.split(':')[2])])] }}"
loop: "{{ prelim_interactive_users_raw.stdout_lines }}" loop: "{{ prelim_interactive_users_raw.stdout_lines }}"
- name: "PRELIM | AUDIT | Interactive User accounts home directories"
tags: always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $6 }'
changed_when: false
check_mode: false
register: prelim_interactive_users_home
- name: "PRELIM | AUDIT | Interactive UIDs" - name: "PRELIM | AUDIT | Interactive UIDs"
tags: always tags: always
ansible.builtin.shell: > ansible.builtin.shell: >
@ -203,7 +211,7 @@
tags: tags:
- always - always
block: block:
- name: "PRELIM | AUDIT | Discover is wirelss adapter on system" - name: "PRELIM | AUDIT | Discover is wireless adapter on system"
ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
register: discover_wireless_adapters register: discover_wireless_adapters
changed_when: false changed_when: false
@ -246,6 +254,14 @@
mode: 'go-rwx' mode: 'go-rwx'
state: touch state: touch
- name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists"
when:
- rhel9cis_rule_5_1_10 or
rhel9cis_rule_5_1_11
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d/50-redhat.conf
register: discovered_sshd_50_redhat_file
- name: "PRELIM | AUDIT | Capture pam security related files" - name: "PRELIM | AUDIT | Capture pam security related files"
tags: always tags: always
ansible.builtin.find: ansible.builtin.find:

8
tasks/section_3/cis_3.1.x.yml
View file

@ -39,7 +39,7 @@
warn_control_id: '3.1.2' warn_control_id: '3.1.2'
block: block:
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool"
when: "'network-manager' in ansible_facts.packages" when: "rhel9cis_network_manager_package_name in ansible_facts.packages"
ansible.builtin.command: nmcli radio wifi ansible.builtin.command: nmcli radio wifi
changed_when: false changed_when: false
failed_when: false failed_when: false
@ -48,19 +48,19 @@
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed"
when: when:
- "'network-manager' in ansible_facts.packages" - "rhel9cis_network_manager_package_name in ansible_facts.packages"
- "'enabled' in discovered_wifi_status.stdout" - "'enabled' in discovered_wifi_status.stdout"
ansible.builtin.command: nmcli radio all off ansible.builtin.command: nmcli radio all off
changed_when: discovered_nmcli_radio_off.rc == 0 changed_when: discovered_nmcli_radio_off.rc == 0
register: discovered_nmcli_radio_off register: discovered_nmcli_radio_off
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed"
when: "'network-manager' not in ansible_facts.packages" when: "rhel9cis_network_manager_package_name not in ansible_facts.packages"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! You need to disable wireless interfaces manually since network-manager is not installed" msg: "Warning!! You need to disable wireless interfaces manually since network-manager is not installed"
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Set warning count" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Set warning count"
when: "'network-manager' not in ansible_facts.packages" when: "rhel9cis_network_manager_package_name not in ansible_facts.packages"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml

2
tasks/section_5/cis_5.1.x.yml
View file

@ -276,6 +276,7 @@
notify: Restart sshd notify: Restart sshd
- name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | override" - name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | override"
when: discovered_sshd_50_redhat_file.stat.exists
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/50-redhat.conf path: /etc/ssh/sshd_config.d/50-redhat.conf
regexp: ^(?i)(#|)\s*X11Forwarding regexp: ^(?i)(#|)\s*X11Forwarding
@ -298,6 +299,7 @@
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | redhat file" - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | redhat file"
when: discovered_sshd_50_redhat_file.stat.exists
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/50-redhat.conf path: /etc/ssh/sshd_config.d/50-redhat.conf
regexp: ^(?i)(#|)\s*GSSAPIAuthentication regexp: ^(?i)(#|)\s*GSSAPIAuthentication

8
tasks/section_5/cis_5.4.1.x.yml
View file

@ -29,7 +29,7 @@
- name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
when: when:
- discovered_max_days.stdout_lines | length > 0 - discovered_max_days.stdout_lines | length > 0
- item in prelim_interactive_usernames | map(attribute='username') | list - item in prelim_interactive_users | map(attribute='username') | list
- rhel9cis_force_user_maxdays - rhel9cis_force_user_maxdays
ansible.builtin.user: ansible.builtin.user:
name: "{{ item }}" name: "{{ item }}"
@ -60,7 +60,7 @@
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured | Set existing users PASS_MIN_DAYS" - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured | Set existing users PASS_MIN_DAYS"
when: when:
- discovered_min_days.stdout_lines | length > 0 - discovered_min_days.stdout_lines | length > 0
- item in prelim_interactive_usernames | map(attribute='username') | list - item in prelim_interactive_users | map(attribute='username') | list
- rhel9cis_force_user_mindays - rhel9cis_force_user_mindays
ansible.builtin.user: ansible.builtin.user:
name: "{{ item }}" name: "{{ item }}"
@ -91,7 +91,7 @@
- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users WARN_DAYS" - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users WARN_DAYS"
when: when:
- discovered_warn_days.stdout_lines | length > 0 - discovered_warn_days.stdout_lines | length > 0
- item in prelim_interactive_usernames | map(attribute='username') | list - item in prelim_interactive_users | map(attribute='username') | list
- rhel9cis_force_user_warnage - rhel9cis_force_user_warnage
ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}" ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
changed_when: true changed_when: true
@ -140,7 +140,7 @@
register: discovered_passwdlck_user_list register: discovered_passwdlck_user_list
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
when: item in prelim_interactive_usernames | map(attribute='username') | list when: item in prelim_interactive_users | map(attribute='username') | list
ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
changed_when: true changed_when: true
loop: "{{ discovered_passwdlck_user_list.stdout_lines }}" loop: "{{ discovered_passwdlck_user_list.stdout_lines }}"

8
tasks/section_5/cis_5.4.2.x.yml
View file

@ -195,7 +195,7 @@
- name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell"
when: when:
- rhel9cis_rule_5_4_2_7 - rhel9cis_rule_5_4_2_7
- "item.id not in prelim_interactive_usernames | map(attribute='username')" - "item.id not in prelim_interactive_users | map(attribute='username')"
- item.id not in rhel9cis_system_users_shell - item.id not in rhel9cis_system_users_shell
- "'root' not in item.id" - "'root' not in item.id"
- rhel9cis_disruption_high - rhel9cis_disruption_high
@ -212,7 +212,7 @@
ansible.builtin.user: ansible.builtin.user:
name: "{{ item.id }}" name: "{{ item.id }}"
shell: /usr/sbin/nologin shell: /usr/sbin/nologin
loop: "{{ rhel9cis_passwd }}" loop: "{{ prelim_captured_passwd_data }}"
loop_control: loop_control:
label: "{{ item.id }}" label: "{{ item.id }}"
@ -220,7 +220,7 @@
when: when:
- rhel9cis_rule_5_4_2_8 - rhel9cis_rule_5_4_2_8
- rhel9cis_disruption_high - rhel9cis_disruption_high
- "item.id not in prelim_interactive_usernames | map(attribute='username')" - "item.id not in prelim_interactive_users | map(attribute='username')"
- "'root' not in item.id" - "'root' not in item.id"
tags: tags:
- level1-server - level1-server
@ -235,6 +235,6 @@
ansible.builtin.user: ansible.builtin.user:
name: "{{ item.id }}" name: "{{ item.id }}"
password_lock: true password_lock: true
loop: "{{ rhel9cis_passwd }}" loop: "{{ prelim_captured_passwd_data }}"
loop_control: loop_control:
label: "{{ item.id }}" label: "{{ item.id }}"

8
tasks/section_7/cis_7.2.x.yml
View file

@ -220,7 +220,7 @@
- name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
when: discovered_group_check.stdout | length > 0 when: discovered_group_check.stdout | length > 0
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! The following group names are duplicates: {{ discovered_group_group_check.stdout_lines }}" msg: "Warning!! The following group names are duplicates: {{ discovered_group_check.stdout_lines }}"
- name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Set warning count" - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Set warning count"
when: discovered_group_check.stdout | length > 0 when: discovered_group_check.stdout | length > 0
@ -243,7 +243,7 @@
state: directory state: directory
owner: "{{ item.id }}" owner: "{{ item.id }}"
group: "{{ item.gid }}" group: "{{ item.gid }}"
loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', prelim_max_int_uid | int) | list }}" loop: "{{ prelim_captured_passwd_data | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', prelim_max_int_uid | int) | list }}"
loop_control: loop_control:
label: "{{ item.id }}" label: "{{ item.id }}"
@ -315,6 +315,6 @@
ansible.builtin.file: ansible.builtin.file:
path: '{{ item }}' path: '{{ item }}'
mode: 'go-w' mode: 'go-w'
owner: "{{ rhel9cis_passwd | selectattr('dir', 'in', prelim_interactive_users_raw.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}" owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_raw.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}"
group: "{{ rhel9cis_passwd | selectattr('dir', 'in', prelim_interactive_users_raw.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}" group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_raw.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}"
with_items: "{{ discovered_homedir_hidden_files.stdout_lines }}" with_items: "{{ discovered_homedir_hidden_files.stdout_lines }}"