ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 22:37:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Apply latest public fixes benchmark_v2.0.0

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2025-07-02 10:47:56 +01:00
commit 1bdef212bd
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
9 changed files with 73 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

3
tasks/main.yml
View file

@ -101,7 +101,7 @@
ansible.builtin.assert:
that: (not prelim_ansible_user_password_set.stdout.startswith("!")) or (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access"
success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} is not locked or included in the exception list for rule 5.2.4"
success_msg: "The local account {{ ansible_env.SUDO_USER }} is not locked or included in the exception list for rule 5.2.4"
- name: "Check authselect profile is selected"
when: rhel9cis_allow_authselect_updates
@ -131,6 +131,7 @@
- name: "Ensure root password is set"
ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
changed_when: false
failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
register: prelim_root_passwd_set
- name: "Ensure root password is set"

1
tasks/prelim.yml
View file

@ -305,6 +305,7 @@
tags: always
ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'
changed_when: false
check_mode: false
register: prelim_auditd_logfile
- name: "PRELIM | AUDIT | Audit conf and rules files | list files"

1
tasks/section_6/cis_6.1.x.yml
View file

@ -123,7 +123,6 @@
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
validate: aide -D --config %s
register: aide_file_integrity_check
failed_when:
- not ansible_check_mode

4
tasks/section_6/cis_6.2.2.x.yml
View file

@ -50,7 +50,7 @@
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
ansible.builtin.replace:
path: /etc/systemd/journald.conf
regexp: ^(?i)(\s*compress=)
regexp: (?i)(\s*compress=)
replace: '#\1'
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
@ -76,5 +76,5 @@
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
ansible.builtin.replace:
path: /etc/systemd/journald.conf
regexp: ^(?i)(\s*storage=)
regexp: (?i)(\s*storage=)
replace: '#\1'

64
tasks/section_7/cis_7.2.x.yml
View file

@ -286,8 +286,8 @@
vars:
warn_control_id: '7.2.9'
block:
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Check for files"
ansible.builtin.shell: find /home/ -name "\.*"
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured"
ansible.builtin.shell: find {{ prelim_interactive_users_home.stdout_lines | list | join(' ') }} -name "\.*" -type f
changed_when: false
failed_when: discovered_homedir_hidden_files.rc not in [ 0, 1 ]
check_mode: false
@ -296,25 +296,63 @@
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found"
when:
- discovered_homedir_hidden_files.stdout | length > 0
- rhel9cis_dotperm_ansiblemanaged
- not rhel9cis_dotperm_ansiblemanaged
ansible.builtin.debug:
msg:
- "Warning!! We have discovered group or world-writable dot files on your system and this host is configured for manual intervention. Please investigate these files further."
- "Warning!! Please investigate that hidden files found in users home directories match control requirements."
- name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Set warning count"
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Set warning count"
when:
- discovered_homedir_hidden_files.stdout | length > 0
- rhel9cis_dotperm_ansiblemanaged
- not rhel9cis_dotperm_ansiblemanaged
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured"
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured"
when:
- discovered_homedir_hidden_files.stdout | length > 0
- rhel9cis_dotperm_ansiblemanaged
ansible.builtin.file:
path: '{{ item }}'
mode: 'go-w'
owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_raw.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}"
group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_raw.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}"
with_items: "{{ discovered_homedir_hidden_files.stdout_lines }}"
block:
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Changes files if configured .bash_history & .netrc"
when:
- discovered_homedir_hidden_files.stdout | length > 0
- item | basename in ['.bash_history','.netrc']
ansible.builtin.file:
path: "{{ item }}"
mode: 'u-x,go-rwx'
failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]'
register: discovered_dot_bash_history_to_change
loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Changes files if configured file mode"
ansible.builtin.file:
path: '{{ item }}'
mode: 'u-x,go-wx'
failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]'
register: discovered_dot_bash_history_to_change
loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Changes files ownerships"
ansible.builtin.file:
path: "{{ item }}"
owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}"
group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}"
failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]'
register: discovered_dot_bash_history_to_change
loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"
- name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured"
ansible.builtin.file:
path: '{{ item }}'
mode: 'go-w'
owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}"
group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}"
with_items: "{{ discovered_homedir_hidden_files.stdout_lines }}"
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | rename .forward or .rhosts files"
when:
- item | basename in ['.forward','.rhosts']
- item is not search ("CIS")
ansible.builtin.command: "mv {{ item }} {{ item }}_CIS_TOBEREVIEWED"
changed_when: true
loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"