diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ceb4475..331d150 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,13 +42,13 @@ repos: name: Detect Secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.24.2 + rev: v8.24.3 hooks: - id: gitleaks name: GitLeaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.1.3 + rev: v25.2.1 hooks: - id: ansible-lint name: Ansible-lint diff --git a/defaults/main.yml b/defaults/main.yml index ffc7e0f..8609e56 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,4 +1,5 @@ --- + # defaults file for rhel9-cis # WARNING: # These values may be overridden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here: diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index 1377f9f..39c9f7d 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml @@ -9,14 +9,6 @@ delegate_to: localhost become: false -- name: Audit_only | Get audits from systems and put in group dir - when: fetch_audit_files - ansible.builtin.fetch: - dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" - flat: true - mode: 'go-wx' - src: "{{ pre_audit_outfile }}" - - name: Audit_only | Show Audit Summary when: audit_only ansible.builtin.debug: diff --git a/tasks/fetch_audit_output.yml b/tasks/fetch_audit_output.yml index c6f7b5e..563b699 100644 --- a/tasks/fetch_audit_output.yml +++ b/tasks/fetch_audit_output.yml @@ -2,7 +2,7 @@ # Stage to copy audit output to a centralised location -- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller" +- name: "POST | FETCH | Fetch files and copy to controller" when: audit_output_collection_method == "fetch" ansible.builtin.fetch: src: "{{ item }}" @@ -17,7 +17,7 @@ # Added this option for continuity but could be changed by adjusting the variable audit_conf_dest # Allowing backup to one location -- name: "FETCH_AUDIT_FILES | Copy files to location available to managed node" +- name: "POST | FETCH | Copy files to location available to managed node" when: audit_output_collection_method == "copy" ansible.builtin.copy: src: "{{ item }}" @@ -25,21 +25,21 @@ mode: 'u-x,go-wx' flat: true failed_when: false - register: discovered_audit_fetch_copy_state + register: discovered_audit_copy_state loop: - - pre_audit_outfile - - post_audit_outfile + - "{{ pre_audit_outfile }}" + - "{{ post_audit_outfile }}" -- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files" +- name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files" when: - - (discovered_audit_fetch_state is defined and not discovered_audit_fetch_state.changed) or - (discovered_audit_copy_state is defined and not discovered_audit_copy_state.changed) + - (audit_output_collection_method == "fetch" and not discovered_audit_fetch_state.changed) or + (audit_output_collection_method == "copy" and not discovered_audit_copy_state.changed) block: - - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files" + - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files" ansible.builtin.debug: msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy" - - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files" + - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files" vars: warn_control_id: "FETCH_AUDIT_FILES" ansible.builtin.import_tasks: diff --git a/tasks/main.yml b/tasks/main.yml index 3468075..e285e8d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -209,16 +209,20 @@ - name: "Run post_remediation audit" when: run_audit + tags: always ansible.builtin.import_tasks: file: post_remediation_audit.yml -- name: Add ansible file showing Benchmark and levels applied - when: create_benchmark_facts +- name: Add ansible file showing Benchmark and levels applied if audit details not present + when: + - create_benchmark_facts + - (post_audit_summary is defined) or + (ansible_local['compliance_facts']['lockdown_audit_details']['audit_summary'] is undefined and post_audit_summary is undefined) tags: - always - benchmark block: - - name: Create ansible facts directory + - name: Create ansible facts directory if audit facts not present ansible.builtin.file: path: "{{ ansible_facts_path }}" state: directory @@ -226,13 +230,13 @@ group: root mode: 'u=rwx,go=rx' - - name: Create ansible facts file + - name: Create ansible facts file and levels applied if audit facts not present ansible.builtin.template: src: etc/ansible/compliance_facts.j2 dest: "{{ ansible_facts_path }}/compliance_facts.fact" owner: root group: root - mode: "u-x,go-wx" + mode: 'u-x,go=r' - name: Fetch audit files when: @@ -244,6 +248,7 @@ - name: "Show Audit Summary" when: run_audit + tags: always ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index e49e733..28e372d 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -25,7 +25,7 @@ when: - not rhel9cis_autofs_services - rhel9cis_autofs_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: autofs enabled: false @@ -57,7 +57,7 @@ when: - not rhel9cis_avahi_server - rhel9cis_avahi_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -90,7 +90,7 @@ when: - not rhel9cis_dhcp_server - rhel9cis_dhcp_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -123,7 +123,7 @@ when: - not rhel9cis_dns_server - rhel9cis_dns_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: named.service enabled: false @@ -153,7 +153,7 @@ when: - not rhel9cis_dnsmasq_server - rhel9cis_dnsmasq_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: dnsmasq.service enabled: false @@ -184,7 +184,7 @@ when: - not rhel9cis_samba_server - rhel9cis_samba_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: smb.service enabled: false @@ -215,7 +215,7 @@ when: - not rhel9cis_ftp_server - rhel9cis_ftp_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: vsftpd.service enabled: false @@ -249,7 +249,7 @@ when: - not rhel9cis_message_server - rhel9cis_message_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -285,7 +285,7 @@ when: - not rhel9cis_nfs_server - rhel9cis_nfs_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: nfs-server.service enabled: false @@ -302,7 +302,7 @@ - nis - NIST800-53R5_CM-7 - rule_2.1.10 - notify: Systemd_daemon_reload + notify: Systemd daemon reload block: - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Remove package" when: @@ -344,7 +344,7 @@ when: - not rhel9cis_print_server - rhel9cis_print_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -378,7 +378,7 @@ when: - not rhel9cis_rpc_server - rhel9cis_rpc_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -412,7 +412,7 @@ when: - not rhel9cis_rsync_server - rhel9cis_rsync_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -445,7 +445,7 @@ when: - not rhel9cis_snmp_server - rhel9cis_snmp_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: snmpd.service enabled: false @@ -476,7 +476,7 @@ when: - not rhel9cis_telnet_server - rhel9cis_telnet_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: telnet.socket enabled: false @@ -506,7 +506,7 @@ when: - not rhel9cis_tftp_server - rhel9cis_tftp_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -540,7 +540,7 @@ when: - not rhel9cis_squid_server - rhel9cis_squid_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: squid.service enabled: false @@ -580,7 +580,7 @@ when: - not rhel9cis_httpd_server - rhel9cis_httpd_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: httpd.service enabled: false @@ -591,7 +591,7 @@ when: - not rhel9cis_nginx_server - rhel9cis_nginx_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: ngnix.service enabled: false @@ -621,7 +621,7 @@ when: - not rhel9cis_xinetd_server - rhel9cis_xinetd_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: xinetd.service enabled: false @@ -657,7 +657,7 @@ - postfix - NIST800-53R5_CM-7 - rule_2.1.21 - notify: Restart_postfix + notify: Restart postfix ansible.builtin.lineinfile: path: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index e8934d4..68a66de 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -86,7 +86,7 @@ when: - not rhel9cis_bluetooth_service - rhel9cis_bluetooth_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: bluetooth.service enabled: false diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 296ebf9..99176fd 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -6,7 +6,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - permissions - rule_5.1.1 - NIST800-53R5_AC-3 @@ -23,7 +23,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - permissions - rule_5.1.2 - NIST800-53R5_AC-3 @@ -53,7 +53,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 @@ -166,7 +166,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.7 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 @@ -195,6 +195,8 @@ path: "{{ rhel9cis_sshd_config_file }}" regexp: "^DenyUsers" line: "DenyUsers {{ rhel9cis_sshd_denyusers }}" + insertbefore: "^Match" + firstmatch: true validate: sshd -t -f %s notify: Restart sshd @@ -213,7 +215,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.8 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -231,7 +233,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.9 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -261,7 +263,7 @@ - level2-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.10 - NIST800-53R5_CM-7 block: @@ -287,7 +289,7 @@ - level1-server - level1-workstation - patch - - sshs + - sshd - rule_5.1.11 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -317,7 +319,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.12 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -337,7 +339,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.13 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -348,6 +350,8 @@ path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*IgnoreRhosts line: 'IgnoreRhosts yes' + insertbefore: "^Match" + firstmatch: true validate: sshd -t -f %s notify: Restart sshd @@ -357,13 +361,15 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.14 - NIST800-53R5_CM-6 ansible.builtin.lineinfile: path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*LoginGraceTime line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}" + insertbefore: "^Match" + firstmatch: true validate: sshd -t -f %s notify: Restart sshd @@ -373,7 +379,7 @@ - level1-server - level1-workstation - patch - - sshs + - sshd - rule_5.1.15 - NIST800-53R5_AU-3 - NIST800-53R5_AU-12 @@ -382,6 +388,8 @@ path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*LogLevel line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' + insertbefore: "^Match" + firstmatch: true validate: sshd -t -f %s notify: Restart sshd @@ -391,7 +399,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.16 - NIST800-53R5_AU-3 ansible.builtin.lineinfile: @@ -407,7 +415,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.17 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -427,7 +435,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.18 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -447,7 +455,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.19 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -467,7 +475,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.20 - NIST800-53R5_AC-6 block: @@ -491,7 +499,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.21 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -511,7 +519,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.22 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml index 1730521..0aadbe3 100644 --- a/tasks/section_5/cis_5.3.3.1.x.yml +++ b/tasks/section_5/cis_5.3.3.1.x.yml @@ -23,7 +23,7 @@ - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/pam.d/{{ item }}-auth" - regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$) + regexp: ^(\s*auth\s+(?:requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$) replace: \1 \2\3 loop: - password diff --git a/tasks/section_6/cis_6.2.1.x.yml b/tasks/section_6/cis_6.2.1.x.yml index 3afa31c..fa75880 100644 --- a/tasks/section_6/cis_6.2.1.x.yml +++ b/tasks/section_6/cis_6.2.1.x.yml @@ -96,15 +96,20 @@ - rule_6.2.1.4 block: - name: "6.2.1.4 | PATCH | Ensure only one logging system is in use | when rsyslog" - when: rhel9cis_syslog == "rsyslog" + when: + - rhel9cis_syslog == "rsyslog" + - "'systemd-journald' in ansible_facts.packages" ansible.builtin.systemd: name: systemd-journald state: stopped enabled: false - name: "6.2.1.4 | PATCH | Ensure only one logging system is in use | when journald" - when: rhel9cis_syslog == "journald" + when: + - rhel9cis_syslog == "journald" + - "'rsyslog' in ansible_facts.packages" ansible.builtin.systemd: name: rsyslog state: stopped enabled: false + register: discovered_rsyslog_service diff --git a/templates/etc/ansible/compliance_facts.j2 b/templates/etc/ansible/compliance_facts.j2 index f313bec..f8725e1 100644 --- a/templates/etc/ansible/compliance_facts.j2 +++ b/templates/etc/ansible/compliance_facts.j2 @@ -29,6 +29,7 @@ Level_2_workstation_tag_run = true [lockdown_audit_details] {% if run_audit %} # Audit run +audit_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }} audit_file_local_location = {{ audit_log_dir }} {% if not audit_only %} audit_summary = {{ post_audit_results }}