renamed variables

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-09-05 17:36:07 +01:00
parent c58c4eb4e8
commit 14d038e8eb
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
14 changed files with 113 additions and 113 deletions


@ -37,7 +37,7 @@
patterns: 'ssh_host_*_key'
recurse: true
file_type: any
register: rhel9cis_5_1_2_ssh_private_host_key
register: discovered_ssh_private_host_key
- name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys"
ansible.builtin.file:
@ -45,7 +45,7 @@
owner: root
group: root
mode: 'u-x,go-rwx'
loop: "{{ rhel9cis_5_1_2_ssh_private_host_key.files }}"
loop: "{{ discovered_ssh_private_host_key.files }}"
loop_control:
label: "{{ item.path }}"
@ -67,7 +67,7 @@
patterns: 'ssh_host_*_key.pub'
recurse: true
file_type: any
register: rhel9cis_5_1_3_ssh_public_host_key
register: discovered_ssh_public_host_key
- name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys"
ansible.builtin.file:
@ -75,7 +75,7 @@
owner: root
group: root
mode: 'u-x,go-wx'
loop: "{{ rhel9cis_5_1_3_ssh_public_host_key.files }}"
loop: "{{ discovered_ssh_public_host_key.files }}"
loop_control:
label: "{{ item.path }}"


@ -114,24 +114,24 @@
ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
changed_when: false
failed_when: false
register: rhel9cis_5_2_6_timeout_files
register: discovered_sudo_timeout_files
- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
when: discovered_sudo_timeout_files.stdout | length == 0
ansible.builtin.lineinfile:
path: /etc/sudoers
regexp: 'Defaults timestamp_timeout='
line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
validate: '/usr/sbin/visudo -cf %s'
when: rhel9cis_5_2_6_timeout_files.stdout | length == 0
- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
when: discovered_sudo_timeout_files.stdout | length > 0
ansible.builtin.replace:
path: "{{ item }}"
regexp: 'timestamp_timeout=(\d+)'
replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
validate: '/usr/sbin/visudo -cf %s'
loop: "{{ rhel9cis_5_2_6_timeout_files.stdout_lines }}"
when: rhel9cis_5_2_6_timeout_files.stdout | length > 0
loop: "{{ discovered_sudo_timeout_files.stdout_lines }}"
- name: "5.2.7 | PATCH | Ensure access to the su command is restricted"
when:
@ -149,7 +149,7 @@
ansible.builtin.group:
name: "{{ rhel9cis_sugroup }}"
state: present
register: rhel9cis_5_2_7_sugroup
register: discovered_sugroup
- name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
ansible.builtin.lineinfile:


@ -61,11 +61,11 @@
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config"
ansible.builtin.shell: authselect current | grep faillock
changed_when: false
failed_when: rhel9cis_authselect_current_faillock.rc not in [ 0, 1 ]
register: rhel9cis_authselect_current_faillock
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing"
when: rhel9cis_authselect_current_faillock.rc != 0
when: discovered_authselect_current_faillock.rc != 0
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
- name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
@ -85,11 +85,11 @@
- name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Get current config"
ansible.builtin.shell: authselect current | grep quality
changed_when: false
failed_when: rhel9cis_authselect_current_quality.rc not in [ 0, 1 ]
register: rhel9cis_authselect_current_quality
failed_when: discovered_authselect_current_quality.rc not in [ 0, 1 ]
register: discovered_authselect_current_quality
- name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Add feature if missing"
when: rhel9cis_authselect_current_quality.rc != 0
when: discovered_authselect_current_quality.rc != 0
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
notify: Authselect update
@ -110,11 +110,11 @@
- name: "5.3.2.4 | AUDIT | Ensure pam_pwhistory module is enabled | Get current config"
ansible.builtin.shell: authselect current | grep pwhistory
changed_when: false
failed_when: rhel9cis_authselect_current_history.rc not in [ 0, 1 ]
register: rhel9cis_authselect_current_history
failed_when: discovered_authselect_current_history.rc not in [ 0, 1 ]
register: discovered_authselect_current_history
- name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled | enable feature"
when: rhel9cis_authselect_current_history.rc != 0
when: discovered_authselect_current_history.rc != 0
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
notify: Authselect update


@ -14,18 +14,18 @@
- name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | capture state"
ansible.builtin.shell: grep -E "pam_unix.so.*nullok" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq
changed_when: false
failed_when: rhel9cis_pam_nullok.rc not in [ 0, 1 ]
register: rhel9cis_pam_nullok
failed_when: discovered_pam_nullok.rc not in [ 0, 1 ]
register: discovered_pam_nullok
- name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Ensure nullok removed"
when:
- rhel9cis_pam_nullok.stdout | length > 0
- discovered_pam_nullok.stdout | length > 0
- not rhel9cis_allow_authselect_updates
ansible.builtin.replace:
path: "{{ item }}"
regexp: nullok
replace: ''
loop: "{{ rhel9cis_pam_nullok.stdout_lines }}"
loop: "{{ discovered_pam_nullok.stdout_lines }}"
- name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect"
when:
@ -53,18 +53,18 @@
- name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state"
ansible.builtin.shell: grep -E "password.*pam_unix.so.*remember" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq
changed_when: false
failed_when: rhel9cis_pam_remember.rc not in [ 0, 1 ]
register: rhel9cis_pam_remember
failed_when: discovered_pam_remember.rc not in [ 0, 1 ]
register: discovered_pam_remember
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Ensure remember removed"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_pam_remember.stdout | length > 0
- discovered_pam_remember.stdout | length > 0
ansible.builtin.replace:
path: "{{ item }}"
regexp: remember
replace: ''
loop: "{{ rhel9cis_pam_remember.stdout_lines }}"
loop: "{{ discovered_pam_remember.stdout_lines }}"
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
when:
@ -93,18 +93,18 @@
- name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state"
ansible.builtin.shell: grep -E "password.*pam_unix.so.*(sha512|yescrypt)" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq
changed_when: false
failed_when: rhel9cis_pam_pwhash.rc not in [ 0, 1 ]
register: rhel9cis_pam_pwhash
failed_when: discovered_pam_pwhash.rc not in [ 0, 1 ]
register: discovered_pam_pwhash
- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Ensure hash algorithm set"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_pam_remember.stdout | length > 0
- discovered_pam_remember.stdout | length > 0
ansible.builtin.replace:
path: "{{ item }}"
regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)"
replace: '{{ rhel9cis_passwd_hash_algo }}'
loop: "{{ rhel9cis_pam_remember.stdout_lines }}"
loop: "{{ discovered_pam_remember.stdout_lines }}"
- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect"
when:
@ -134,20 +134,20 @@
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state"
ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix.so\b' /etc/pam.d/{password,system}-auth | grep -Pv -- '\buse_authtok\b'
changed_when: false
failed_when: rhel9cis_pam_authtok.rc not in [ 0, 1 ]
register: rhel9cis_pam_authtok
failed_when: discovered_pam_authtok.rc not in [ 0, 1 ]
register: discovered_pam_authtok
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | pam_files"
when:
- not rhel9cis_allow_authselect_updates
- rhel9cis_pam_authtok is defined
- rhel9cis_pam_authtok.stdout | length > 0
- discovered_pam_authtok is defined
- discovered_pam_authtok.stdout | length > 0
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$)
line: \1\2\3\4use_authtok \5
backrefs: true
loop: "{{ rhel9cis_pam_authtok.stdout_lines }}"
loop: "{{ discovered_pam_authtok.stdout_lines }}"
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | Add use_authtok pam files AuthSelect"
when:
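Review bot: In the 5.3.3.4.3 "Ensure hash algorithm set" task the `when` and `loop` still read `discovered_pam_remember`, while the capture task just above registers `discovered_pam_pwhash`; the rename carried the old copy-paste over, so the pwhash capture is never consumed and the hash replace runs against whatever files the `remember` grep found. The two lines should be `- discovered_pam_pwhash.stdout | length > 0` and `loop: "{{ discovered_pam_pwhash.stdout_lines }}"`. Separately, the capture grep for that control only matches `password ... pam_unix.so` lines already containing `sha512` or `yescrypt`, so a line carrying `md5` or no algorithm at all is never selected for the replace — that looks like a pre-existing gap worth a follow-up rather than something this rename introduced. The "Add hash algorithm to pam files AuthSelect" task that follows has its body outside this hunk.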


@ -129,22 +129,22 @@
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_5_4_1_5_inactive_settings
register: discovered_passwdlck_inactive_settings
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set default inactive setting"
ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
when: rhel9cis_5_4_1_5_inactive_settings.stdout | length == 0
when: discovered_passwdlck_inactive_settings.stdout | length == 0
- name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
changed_when: false
check_mode: false
register: rhel9cis_5_4_1_5_user_list
register: discovered_passwdlck_user_list
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
when: item in prelim_interactive_usernames.stdout
ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
loop: "{{ rhel9cis_5_4_1_5_user_list.stdout_lines }}"
loop: "{{ discovered_passwdlck_user_list.stdout_lines }}"
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past"
when:
@ -162,32 +162,32 @@
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_5_4_1_6_currentut
register: discovered_passwdlck_currentunixtime
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_4_1_6_currentut.stdout }})print$1}'"
ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ discovered_passwdlck_currentunixtime.stdout }})print$1}'"
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_5_4_1_6_user_list
register: discovered_passwdlck_user_future
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
ansible.builtin.debug:
msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_4_1_6_user_list.stdout_lines }}"
msg: "Warning!! The following accounts have the last PW change date in the future: {{ discovered_passwdlck_user_future.stdout_lines }}"
when:
- rhel9cis_5_4_1_6_user_list.stdout | length > 0
- discovered_passwdlck_user_future.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
when:
- rhel9cis_5_4_1_6_user_list.stdout | length > 0
- discovered_passwdlck_user_future.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
ansible.builtin.shell: passwd --expire {{ item }}
when:
- rhel9cis_5_4_1_5_user_list.stdout | length > 0
- discovered_passwdlck_user_future.stdout | length > 0
- rhel9cis_futurepwchgdate_autofix
loop: "{{ rhel9cis_5_4_1_6_user_list.stdout_lines }}"
loop: "{{ discovered_passwdlck_user_future.stdout_lines }}"
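Review bot: The new name `discovered_passwdlck_currentunixtime` is used in the 5.4.1.6 awk to compare against `$3` of /etc/shadow, which is a day count since 1970-01-01 rather than a Unix timestamp in seconds; the command that registers it is outside this hunk, so if it already divides by 86400 the name is misleading, and if it is a raw `date +%s` the `$3>` comparison can never be true and no account would ever be flagged. Consider `discovered_passwdlck_currentdays` (or confirming the producing command) so the name matches the unit being compared. Because that capture sets `failed_when: false`, an empty stdout would also render `$3>)` into the awk program and silently select nobody, so a `when: discovered_passwdlck_currentunixtime.stdout | length > 0` guard on the "Get list of users with last changed pw date in the future" task would be prudent.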