From 683177e46fd0cfc8a3e4a4a98adbc3a4948d6b7f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Mar 2025 12:33:56 +0100 Subject: [PATCH 01/66] issue #305 addressed Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.1.x.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tasks/section_6/cis_6.2.1.x.yml b/tasks/section_6/cis_6.2.1.x.yml index 3afa31c..2d861e8 100644 --- a/tasks/section_6/cis_6.2.1.x.yml +++ b/tasks/section_6/cis_6.2.1.x.yml @@ -96,15 +96,21 @@ - rule_6.2.1.4 block: - name: "6.2.1.4 | PATCH | Ensure only one logging system is in use | when rsyslog" - when: rhel9cis_syslog == "rsyslog" + when: + - rhel9cis_syslog == "rsyslog" + - "'systemd-journald' in ansible_facts.packages" ansible.builtin.systemd: name: systemd-journald state: stopped enabled: false - name: "6.2.1.4 | PATCH | Ensure only one logging system is in use | when journald" - when: rhel9cis_syslog == "journald" + when: + - rhel9cis_syslog == "journald" + - "'rsyslog' in ansible_facts.packages" ansible.builtin.systemd: name: rsyslog state: stopped enabled: false + register: discovered_rsyslog_service + From b616f70d862527715ffd6d0092a87efe3b3a1512 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Mar 2025 12:35:07 +0100 Subject: [PATCH 02/66] addressed #306 Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index e49e733..98ede95 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -657,7 +657,7 @@ - postfix - NIST800-53R5_CM-7 - rule_2.1.21 - notify: Restart_postfix + notify: Restart postfix ansible.builtin.lineinfile: path: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" From cedf510b94abb6220981d87b29cb349f5418f5c8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Mar 2025 12:36:27 +0100 Subject: [PATCH 03/66] addressed #309 Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 40 +++++++++++++++++------------------ 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 98ede95..28e372d 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -25,7 +25,7 @@ when: - not rhel9cis_autofs_services - rhel9cis_autofs_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: autofs enabled: false @@ -57,7 +57,7 @@ when: - not rhel9cis_avahi_server - rhel9cis_avahi_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -90,7 +90,7 @@ when: - not rhel9cis_dhcp_server - rhel9cis_dhcp_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -123,7 +123,7 @@ when: - not rhel9cis_dns_server - rhel9cis_dns_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: named.service enabled: false @@ -153,7 +153,7 @@ when: - not rhel9cis_dnsmasq_server - rhel9cis_dnsmasq_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: dnsmasq.service enabled: false @@ -184,7 +184,7 @@ when: - not rhel9cis_samba_server - rhel9cis_samba_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: smb.service enabled: false @@ -215,7 +215,7 @@ when: - not rhel9cis_ftp_server - rhel9cis_ftp_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: vsftpd.service enabled: false @@ -249,7 +249,7 @@ when: - not rhel9cis_message_server - rhel9cis_message_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -285,7 +285,7 @@ when: - not rhel9cis_nfs_server - rhel9cis_nfs_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: nfs-server.service enabled: false @@ -302,7 +302,7 @@ - nis - NIST800-53R5_CM-7 - rule_2.1.10 - notify: Systemd_daemon_reload + notify: Systemd daemon reload block: - name: "2.1.10 | PATCH | Ensure nis server services are not in use | Remove package" when: @@ -344,7 +344,7 @@ when: - not rhel9cis_print_server - rhel9cis_print_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -378,7 +378,7 @@ when: - not rhel9cis_rpc_server - rhel9cis_rpc_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -412,7 +412,7 @@ when: - not rhel9cis_rsync_server - rhel9cis_rsync_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -445,7 +445,7 @@ when: - not rhel9cis_snmp_server - rhel9cis_snmp_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: snmpd.service enabled: false @@ -476,7 +476,7 @@ when: - not rhel9cis_telnet_server - rhel9cis_telnet_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: telnet.socket enabled: false @@ -506,7 +506,7 @@ when: - not rhel9cis_tftp_server - rhel9cis_tftp_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: "{{ item }}" enabled: false @@ -540,7 +540,7 @@ when: - not rhel9cis_squid_server - rhel9cis_squid_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: squid.service enabled: false @@ -580,7 +580,7 @@ when: - not rhel9cis_httpd_server - rhel9cis_httpd_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: httpd.service enabled: false @@ -591,7 +591,7 @@ when: - not rhel9cis_nginx_server - rhel9cis_nginx_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: ngnix.service enabled: false @@ -621,7 +621,7 @@ when: - not rhel9cis_xinetd_server - rhel9cis_xinetd_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: xinetd.service enabled: false From 7b1c8e9ef0f3654ef65e86606508ceca9d0e4b24 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Mar 2025 12:37:58 +0100 Subject: [PATCH 04/66] additional fix for #309 Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index e8934d4..68a66de 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -86,7 +86,7 @@ when: - not rhel9cis_bluetooth_service - rhel9cis_bluetooth_mask - notify: Systemd_daemon_reload + notify: Systemd daemon reload ansible.builtin.systemd: name: bluetooth.service enabled: false From 82904557c7443a584988c5badf9bfa9f1550befd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Mar 2025 12:38:51 +0100 Subject: [PATCH 05/66] updated workflows Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 1 + .github/workflows/main_pipeline_validation.yml | 2 ++ 2 files changed, 3 insertions(+) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index c9328cb..10750a2 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -7,6 +7,7 @@ types: [opened, reopened, synchronize] branches: - devel + - benchmark* paths: - '**.yml' - '**.sh' diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index ab11c37..6792a00 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -7,6 +7,7 @@ types: [opened, reopened, synchronize] branches: - main + - latest paths: - '**.yml' - '**.sh' @@ -23,6 +24,7 @@ # A workflow run is made up of one or more jobs # that can run sequentially or in parallel jobs: + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on From 576531e9862c596da454e1283cdd549cf6806827 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Mar 2025 14:50:40 +0100 Subject: [PATCH 06/66] fetch audit and compliance facts added Signed-off-by: Mark Bolwell --- defaults/main.yml | 17 +++++++++ tasks/fetch_audit_output.yml | 46 +++++++++++++++++++++++ tasks/main.yml | 32 ++++++++++++++++ templates/etc/ansible/compliance_facts.j2 | 39 +++++++++++++++++++ 4 files changed, 134 insertions(+) create mode 100644 tasks/fetch_audit_output.yml create mode 100644 templates/etc/ansible/compliance_facts.j2 diff --git a/defaults/main.yml b/defaults/main.yml index da5ca20..f2bd882 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -33,6 +33,9 @@ rhel9cis_section7: true rhel9cis_level_1: true rhel9cis_level_2: true +# Create managed not custom local_facts files +Create_benchmark_facts: true +ansible_facts_path: /etc/ansible/facts.d ## Section 1.6 - Mandatory Access Control # This variable governs whether SELinux is disabled or not. If SELinux is NOT DISABLED by setting # 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed. @@ -107,6 +110,20 @@ audit_conf_dest: "/opt" # Where the audit logs are stored audit_log_dir: '/opt' +## Ability to collect and take audit files moving to a centralised location +# This enables the collection of the files from the host +fetch_audit_output: false + +# Method of getting,uploading the summary files +## Ensure access and permissions are avaiable for these to occur. +## options are +# fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller) +# copy - copies file to a location available to the managed node +audit_output_collection_method: fetch + +# Location to put the audit files +audit_output_destination: /opt/audit_summaries/ + ### Goss Settings ## ####### END ######## diff --git a/tasks/fetch_audit_output.yml b/tasks/fetch_audit_output.yml new file mode 100644 index 0000000..c6f7b5e --- /dev/null +++ b/tasks/fetch_audit_output.yml @@ -0,0 +1,46 @@ +--- + +# Stage to copy audit output to a centralised location + +- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller" + when: audit_output_collection_method == "fetch" + ansible.builtin.fetch: + src: "{{ item }}" + dest: "{{ audit_output_destination }}" + flat: true + failed_when: false + register: discovered_audit_fetch_state + loop: + - "{{ pre_audit_outfile }}" + - "{{ post_audit_outfile }}" + become: false + +# Added this option for continuity but could be changed by adjusting the variable audit_conf_dest +# Allowing backup to one location +- name: "FETCH_AUDIT_FILES | Copy files to location available to managed node" + when: audit_output_collection_method == "copy" + ansible.builtin.copy: + src: "{{ item }}" + dest: "{{ audit_output_destination }}" + mode: 'u-x,go-wx' + flat: true + failed_when: false + register: discovered_audit_fetch_copy_state + loop: + - pre_audit_outfile + - post_audit_outfile + +- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files" + when: + - (discovered_audit_fetch_state is defined and not discovered_audit_fetch_state.changed) or + (discovered_audit_copy_state is defined and not discovered_audit_copy_state.changed) + block: + - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files" + ansible.builtin.debug: + msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy" + + - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files" + vars: + warn_control_id: "FETCH_AUDIT_FILES" + ansible.builtin.import_tasks: + file: warning_facts.yml diff --git a/tasks/main.yml b/tasks/main.yml index a0a58f8..ccd6c1d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -209,11 +209,43 @@ - name: "Run post_remediation audit" when: run_audit + tags: always ansible.builtin.import_tasks: file: post_remediation_audit.yml +- name: Add ansible file showing Benchmark and levels applied + when: Create_benchmark_facts + tags: + - always + - benchmark + block: + - name: Create ansible facts directory + ansible.builtin.file: + path: "{{ ansible_facts_path }}" + state: directory + owner: root + group: root + mode: 'u=rwx,go=rx' + + - name: Create ansible facts file + ansible.builtin.template: + src: etc/ansible/compliance_facts.j2 + dest: "{{ ansible_facts_path }}/compliance_facts.fact" + owner: root + group: root + mode: "u-x,go-wx" + +- name: Fetch audit files + when: + - fetch_audit_output + - run_audit + tags: always + ansible.builtin.import_tasks: + file: fetch_audit_output.yml + - name: "Show Audit Summary" when: run_audit + tags: always ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" diff --git a/templates/etc/ansible/compliance_facts.j2 b/templates/etc/ansible/compliance_facts.j2 new file mode 100644 index 0000000..1e7d896 --- /dev/null +++ b/templates/etc/ansible/compliance_facts.j2 @@ -0,0 +1,39 @@ +# CIS Hardening Carried out +# Added as part of ansible-lockdown CIS baseline +# provided by Mindpoint Group - A Tyto Athene Company + +[Benchmark_Details] +# Benchmark release +Benchmark_release = CIS-{{ benchmark_version }} +Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }} +# If options set (doesn't mean it ran all controls) +level_1_hardening_enabled = {{ rhel9cis_level_1 }} +level_2_hardening_enabled = {{ rhel9cis_level_2 }} + +{% if ansible_run_tags | length > 0 %} +# If tags used to stipulate run level +{% if 'level1-server' in ansible_run_tags %} +Level_1_Server_tag_run = true +{% endif %} +{% if 'level2-server' in ansible_run_tags %} +Level_2_Server_tag_run = true +{% endif %} +{% if 'level1-workstation' in ansible_run_tags %} +Level_1_workstation_tag_run = true +{% endif %} +{% if 'level2-workstation' in ansible_run_tags %} +Level_2_workstation_tag_run = true +{% endif %} +{% endif %} + +[Benchmark_Audit_Details] +{% if run_audit %} +# Audit run +audit_file_location_local = {{ audit_log_dir }} +{% if not audit_only %} +audit_summary = {{ post_audit_results }} +{% endif %} +{% if fetch_audit_output %} +audit_files_location_central = {{ audit_output_destination }} +{% endif %} +{% endif %} From 04666c219c9a1eb751419852ba752c355b3040c1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Mar 2025 15:13:46 +0100 Subject: [PATCH 07/66] Added for #288 ansible_facts Signed-off-by: Mark Bolwell --- templates/etc/ansible/compliance_facts.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/templates/etc/ansible/compliance_facts.j2 b/templates/etc/ansible/compliance_facts.j2 index 1e7d896..ffa366c 100644 --- a/templates/etc/ansible/compliance_facts.j2 +++ b/templates/etc/ansible/compliance_facts.j2 @@ -2,7 +2,7 @@ # Added as part of ansible-lockdown CIS baseline # provided by Mindpoint Group - A Tyto Athene Company -[Benchmark_Details] +[benchmark_details] # Benchmark release Benchmark_release = CIS-{{ benchmark_version }} Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }} @@ -26,14 +26,14 @@ Level_2_workstation_tag_run = true {% endif %} {% endif %} -[Benchmark_Audit_Details] +[benchmark_audit_details] {% if run_audit %} # Audit run -audit_file_location_local = {{ audit_log_dir }} +audit_file_local_location = {{ audit_log_dir }} {% if not audit_only %} audit_summary = {{ post_audit_results }} {% endif %} {% if fetch_audit_output %} -audit_files_location_central = {{ audit_output_destination }} +audit_files_centralized_location = {{ audit_output_destination }} {% endif %} {% endif %} From fc2e153ce90350576e8ae83b91893edca0bc9ddf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 1 Apr 2025 07:55:08 +0100 Subject: [PATCH 08/66] updated section naming Signed-off-by: Mark Bolwell --- templates/etc/ansible/compliance_facts.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/etc/ansible/compliance_facts.j2 b/templates/etc/ansible/compliance_facts.j2 index ffa366c..f313bec 100644 --- a/templates/etc/ansible/compliance_facts.j2 +++ b/templates/etc/ansible/compliance_facts.j2 @@ -2,7 +2,7 @@ # Added as part of ansible-lockdown CIS baseline # provided by Mindpoint Group - A Tyto Athene Company -[benchmark_details] +[lockdown_details] # Benchmark release Benchmark_release = CIS-{{ benchmark_version }} Benchmark_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }} @@ -26,7 +26,7 @@ Level_2_workstation_tag_run = true {% endif %} {% endif %} -[benchmark_audit_details] +[lockdown_audit_details] {% if run_audit %} # Audit run audit_file_local_location = {{ audit_log_dir }} From 9bbf5b7a81d8a4db1048cc055318363df4c3c9cb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 1 Apr 2025 08:08:28 +0100 Subject: [PATCH 09/66] updated var name to remove capital Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f2bd882..32c4679 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -34,7 +34,7 @@ rhel9cis_level_1: true rhel9cis_level_2: true # Create managed not custom local_facts files -Create_benchmark_facts: true +create_benchmark_facts: true ansible_facts_path: /etc/ansible/facts.d ## Section 1.6 - Mandatory Access Control # This variable governs whether SELinux is disabled or not. If SELinux is NOT DISABLED by setting diff --git a/tasks/main.yml b/tasks/main.yml index ccd6c1d..57fd8fd 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -214,7 +214,7 @@ file: post_remediation_audit.yml - name: Add ansible file showing Benchmark and levels applied - when: Create_benchmark_facts + when: create_benchmark_facts tags: - always - benchmark From bd425a068d4b23e16d8793a1fb94a205323bd33c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 1 Apr 2025 08:14:02 +0100 Subject: [PATCH 10/66] lint updates Signed-off-by: Mark Bolwell --- tasks/main.yml | 6 +++--- tasks/section_1/cis_1.4.x.yml | 2 +- tasks/section_6/cis_6.2.1.x.yml | 1 - 3 files changed, 4 insertions(+), 5 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 57fd8fd..00281da 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -116,7 +116,7 @@ fail_msg: "You still have the default name for your authselect profile" - name: "Check authselect profile is selected | Check current profile" - ansible.builtin.shell: authselect list + ansible.builtin.command: authselect list changed_when: false failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ] register: prelim_authselect_current_profile @@ -216,8 +216,8 @@ - name: Add ansible file showing Benchmark and levels applied when: create_benchmark_facts tags: - - always - - benchmark + - always + - benchmark block: - name: Create ansible facts directory ansible.builtin.file: diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index d3534cd..c6c3aac 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -57,7 +57,7 @@ - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options" when: item not in discovered_efi_fstab.stdout ansible.builtin.set_fact: - efi_mount_opts_addition: "{{ efi_mount_opts_addition + ',' + item }}" + efi_mount_opts_addition: "{{ efi_mount_opts_addition + ',' + item }}" loop: "{{ efi_mount_options }}" - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Add mount options" diff --git a/tasks/section_6/cis_6.2.1.x.yml b/tasks/section_6/cis_6.2.1.x.yml index 2d861e8..fa75880 100644 --- a/tasks/section_6/cis_6.2.1.x.yml +++ b/tasks/section_6/cis_6.2.1.x.yml @@ -113,4 +113,3 @@ state: stopped enabled: false register: discovered_rsyslog_service - From 97baa4afe04097d319d36233e85732255a90f419 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 7 Apr 2025 17:34:10 +0000 Subject: [PATCH 11/66] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.24.0 → v8.24.2](https://github.com/gitleaks/gitleaks/compare/v8.24.0...v8.24.2) - [github.com/ansible-community/ansible-lint: v25.1.3 → v25.2.1](https://github.com/ansible-community/ansible-lint/compare/v25.1.3...v25.2.1) - [github.com/adrienverge/yamllint.git: v1.35.1 → v1.37.0](https://github.com/adrienverge/yamllint.git/compare/v1.35.1...v1.37.0) --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4791982..c12360b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,12 +41,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.24.0 + rev: v8.24.2 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.1.3 + rev: v25.2.1 hooks: - id: ansible-lint name: Ansible-lint @@ -65,7 +65,7 @@ repos: # - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.35.1 # or higher tag + rev: v1.37.0 # or higher tag hooks: - id: yamllint name: Check YAML Lint From ba57380a72a12f49342ac9e84e87e6600142b45a Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 14 Apr 2025 17:21:59 +0000 Subject: [PATCH 12/66] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.24.2 → v8.24.3](https://github.com/gitleaks/gitleaks/compare/v8.24.2...v8.24.3) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index c12360b..99408de 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,7 +41,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.24.2 + rev: v8.24.3 hooks: - id: gitleaks From 52f5f23b00b06d795e55bd94e10b2bd2723cd1e8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 15 Apr 2025 11:04:33 +0100 Subject: [PATCH 13/66] improve ansible facts conditionals Signed-off-by: Mark Bolwell --- tasks/main.yml | 13 ++++++++----- templates/etc/ansible/compliance_facts.j2 | 1 + 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 00281da..e285e8d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -213,13 +213,16 @@ ansible.builtin.import_tasks: file: post_remediation_audit.yml -- name: Add ansible file showing Benchmark and levels applied - when: create_benchmark_facts +- name: Add ansible file showing Benchmark and levels applied if audit details not present + when: + - create_benchmark_facts + - (post_audit_summary is defined) or + (ansible_local['compliance_facts']['lockdown_audit_details']['audit_summary'] is undefined and post_audit_summary is undefined) tags: - always - benchmark block: - - name: Create ansible facts directory + - name: Create ansible facts directory if audit facts not present ansible.builtin.file: path: "{{ ansible_facts_path }}" state: directory @@ -227,13 +230,13 @@ group: root mode: 'u=rwx,go=rx' - - name: Create ansible facts file + - name: Create ansible facts file and levels applied if audit facts not present ansible.builtin.template: src: etc/ansible/compliance_facts.j2 dest: "{{ ansible_facts_path }}/compliance_facts.fact" owner: root group: root - mode: "u-x,go-wx" + mode: 'u-x,go=r' - name: Fetch audit files when: diff --git a/templates/etc/ansible/compliance_facts.j2 b/templates/etc/ansible/compliance_facts.j2 index f313bec..f8725e1 100644 --- a/templates/etc/ansible/compliance_facts.j2 +++ b/templates/etc/ansible/compliance_facts.j2 @@ -29,6 +29,7 @@ Level_2_workstation_tag_run = true [lockdown_audit_details] {% if run_audit %} # Audit run +audit_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }} audit_file_local_location = {{ audit_log_dir }} {% if not audit_only %} audit_summary = {{ post_audit_results }} From 3d4bc2ab3d35bb1f58a56c1d42cf364f30010987 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 15 Apr 2025 11:07:15 +0100 Subject: [PATCH 14/66] Update name and conditionals Signed-off-by: Mark Bolwell --- tasks/fetch_audit_output.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/tasks/fetch_audit_output.yml b/tasks/fetch_audit_output.yml index c6f7b5e..563b699 100644 --- a/tasks/fetch_audit_output.yml +++ b/tasks/fetch_audit_output.yml @@ -2,7 +2,7 @@ # Stage to copy audit output to a centralised location -- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller" +- name: "POST | FETCH | Fetch files and copy to controller" when: audit_output_collection_method == "fetch" ansible.builtin.fetch: src: "{{ item }}" @@ -17,7 +17,7 @@ # Added this option for continuity but could be changed by adjusting the variable audit_conf_dest # Allowing backup to one location -- name: "FETCH_AUDIT_FILES | Copy files to location available to managed node" +- name: "POST | FETCH | Copy files to location available to managed node" when: audit_output_collection_method == "copy" ansible.builtin.copy: src: "{{ item }}" @@ -25,21 +25,21 @@ mode: 'u-x,go-wx' flat: true failed_when: false - register: discovered_audit_fetch_copy_state + register: discovered_audit_copy_state loop: - - pre_audit_outfile - - post_audit_outfile + - "{{ pre_audit_outfile }}" + - "{{ post_audit_outfile }}" -- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files" +- name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files" when: - - (discovered_audit_fetch_state is defined and not discovered_audit_fetch_state.changed) or - (discovered_audit_copy_state is defined and not discovered_audit_copy_state.changed) + - (audit_output_collection_method == "fetch" and not discovered_audit_fetch_state.changed) or + (audit_output_collection_method == "copy" and not discovered_audit_copy_state.changed) block: - - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files" + - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files" ansible.builtin.debug: msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy" - - name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files" + - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files" vars: warn_control_id: "FETCH_AUDIT_FILES" ansible.builtin.import_tasks: From ec57b85fdf5de6054fd7b42fe59975d6547241d6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 15 Apr 2025 11:11:19 +0100 Subject: [PATCH 15/66] Updated 5.3.3.1.1 regex issue #315 thanks to @jrdbarnes Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.3.3.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml index 1730521..0aadbe3 100644 --- a/tasks/section_5/cis_5.3.3.1.x.yml +++ b/tasks/section_5/cis_5.3.3.1.x.yml @@ -23,7 +23,7 @@ - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/pam.d/{{ item }}-auth" - regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$) + regexp: ^(\s*auth\s+(?:requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$) replace: \1 \2\3 loop: - password From b04570dfe4086b7063632c48b433d6198ac5baf5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 15 Apr 2025 11:40:49 +0100 Subject: [PATCH 16/66] removed legacy option Signed-off-by: Mark Bolwell --- tasks/audit_only.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index 1377f9f..39c9f7d 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml @@ -9,14 +9,6 @@ delegate_to: localhost become: false -- name: Audit_only | Get audits from systems and put in group dir - when: fetch_audit_files - ansible.builtin.fetch: - dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" - flat: true - mode: 'go-wx' - src: "{{ pre_audit_outfile }}" - - name: Audit_only | Show Audit Summary when: audit_only ansible.builtin.debug: From 4aeac7e6625133b4bac1aaed68a32a11c2752ab0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 15 Apr 2025 11:41:46 +0100 Subject: [PATCH 17/66] typos and tidy up Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 32c4679..eaf33a1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,8 @@ --- + # defaults file for rhel9-cis # WARNING: -# These values may be overriden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here: +# These values may be overridden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here: # https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable # Run the OS validation check @@ -36,6 +37,7 @@ rhel9cis_level_2: true # Create managed not custom local_facts files create_benchmark_facts: true ansible_facts_path: /etc/ansible/facts.d + ## Section 1.6 - Mandatory Access Control # This variable governs whether SELinux is disabled or not. If SELinux is NOT DISABLED by setting # 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed. @@ -85,7 +87,7 @@ audit_capture_files_dir: /some/location to copy to on control node # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file -# you will need to access to either github or the file already dowmloaded +# you will need to access to either github or the file already downloaded get_audit_binary_method: download ## if get_audit_binary_method - copy the following needs to be updated for your environment From ce43c573ee5435653a32119926bd94e47359da21 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 15 Apr 2025 12:51:42 +0100 Subject: [PATCH 18/66] update tags and issue #311 thanks to @rilatu Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 46 ++++++++++++++++++++--------------- 1 file changed, 27 insertions(+), 19 deletions(-) diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 296ebf9..99176fd 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -6,7 +6,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - permissions - rule_5.1.1 - NIST800-53R5_AC-3 @@ -23,7 +23,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - permissions - rule_5.1.2 - NIST800-53R5_AC-3 @@ -53,7 +53,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 @@ -166,7 +166,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.7 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 @@ -195,6 +195,8 @@ path: "{{ rhel9cis_sshd_config_file }}" regexp: "^DenyUsers" line: "DenyUsers {{ rhel9cis_sshd_denyusers }}" + insertbefore: "^Match" + firstmatch: true validate: sshd -t -f %s notify: Restart sshd @@ -213,7 +215,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.8 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -231,7 +233,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.9 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -261,7 +263,7 @@ - level2-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.10 - NIST800-53R5_CM-7 block: @@ -287,7 +289,7 @@ - level1-server - level1-workstation - patch - - sshs + - sshd - rule_5.1.11 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -317,7 +319,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.12 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -337,7 +339,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.13 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -348,6 +350,8 @@ path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*IgnoreRhosts line: 'IgnoreRhosts yes' + insertbefore: "^Match" + firstmatch: true validate: sshd -t -f %s notify: Restart sshd @@ -357,13 +361,15 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.14 - NIST800-53R5_CM-6 ansible.builtin.lineinfile: path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*LoginGraceTime line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}" + insertbefore: "^Match" + firstmatch: true validate: sshd -t -f %s notify: Restart sshd @@ -373,7 +379,7 @@ - level1-server - level1-workstation - patch - - sshs + - sshd - rule_5.1.15 - NIST800-53R5_AU-3 - NIST800-53R5_AU-12 @@ -382,6 +388,8 @@ path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*LogLevel line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' + insertbefore: "^Match" + firstmatch: true validate: sshd -t -f %s notify: Restart sshd @@ -391,7 +399,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.16 - NIST800-53R5_AU-3 ansible.builtin.lineinfile: @@ -407,7 +415,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.17 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -427,7 +435,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.18 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -447,7 +455,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.19 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -467,7 +475,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.20 - NIST800-53R5_AC-6 block: @@ -491,7 +499,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.21 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 @@ -511,7 +519,7 @@ - level1-server - level1-workstation - patch - - ssh + - sshd - rule_5.1.22 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 From de63984cd8ef4bd83163ab99dd7453862f943471 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 22 Apr 2025 16:10:53 -0400 Subject: [PATCH 19/66] Typo fixes Signed-off-by: Frederick Witty --- README.md | 2 +- defaults/main.yml | 4 ++-- templates/ansible_vars_goss.yml.j2 | 10 +++++----- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index d3bf75a..098c50a 100644 --- a/README.md +++ b/README.md @@ -69,7 +69,7 @@ This is managed using tags: - level2-server - level2-workstation -The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. +The control found in defaults main also need to reflect this as this control the testing that takes place if you are using the audit component. ## Coming from a previous release diff --git a/defaults/main.yml b/defaults/main.yml index eaf33a1..071e55b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1046,14 +1046,14 @@ rhel9cis_bash_umask: '0027' # 0027 or more restrictive # These are discovered via logins.def if set true rhel9cis_discover_int_uid: true # This variable sets the minimum number from which to search for UID -# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# Note that the value will be dynamically overwritten if variable `discover_int_uid` has # been set to `true`. min_int_uid: 1000 ### Controls: # - Ensure local interactive user home directories exist # - Ensure local interactive users own their home directories # This variable sets the maximum number at which the search stops for UID -# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# Note that the value will be dynamically overwritten if variable `discover_int_uid` has # been set to `true`. max_int_uid: 65533 diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ad44fb3..7cb906b 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -34,7 +34,7 @@ rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }} # UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg'). rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }} -## Benchmark name used by audting control role +## Benchmark name used by auditing control role # The audit variable found at the base ## metadata for Audit benchmark benchmark_version: 'v2.0.0' @@ -151,7 +151,7 @@ rhel9cis_rule_1_8_8: {{ rhel9cis_rule_1_8_8 }} rhel9cis_rule_1_8_9: {{ rhel9cis_rule_1_8_9 }} rhel9cis_rule_1_8_10: {{ rhel9cis_rule_1_8_10 }} -# Section 2 rules are controling Services (Special Purpose Services, and service clients) +# Section 2 rules are controlling Services (Special Purpose Services, and service clients) ## Configure Server Services rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }} rhel9cis_rule_2_1_2: {{ rhel9cis_rule_2_1_2 }} @@ -625,21 +625,21 @@ rhel9cis_authselect_custom_profile_name: {{ rhel9cis_authselect_custom_profile_n # These are discovered via logins.def if set true rhel9cis_discover_int_uid: {{ rhel9cis_discover_int_uid }} # This variable sets the minimum number from which to search for UID -# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# Note that the value will be dynamically overwritten if variable `discover_int_uid` has # been set to `true`. min_int_uid: 1000 ### Controls: # - Ensure local interactive user home directories exist # - Ensure local interactive users own their home directories # This variable sets the maximum number at which the search stops for UID -# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# Note that the value will be dynamically overwritten if variable `discover_int_uid` has # been set to `true`. max_int_uid: 65533 ## Section6 vars ## Control 6.1.2 AIDE schedule -# how aide sceduler runs can be one of cron or timer +# how aide scheduler runs can be one of cron or timer rhel9cis_aide_scan: {{ rhel9cis_aide_scan }} # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. From 7173eba3f68faf6e7e8b72f6d417798491a3cc36 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 22 Apr 2025 16:29:43 -0400 Subject: [PATCH 20/66] Typo fixes v2 Signed-off-by: Frederick Witty --- defaults/main.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 071e55b..9358939 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -12,7 +12,7 @@ os_check: true # Disruption is high ## Run tests that are considered higher risk and could have a system impact if not properly tested ## Default false -## Will be fine if clean new unconfigured build +## Will be fine if clean new un-configured build rhel9cis_disruption_high: false ## Switching on/off specific baseline sections @@ -46,7 +46,7 @@ rhel9cis_selinux_disable: false # UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg'). rhel9cis_legacy_boot: false -## Benchmark name used by audting control role +## Benchmark name used by auditing control role # The audit variable found at the base ## metadata for Audit benchmark benchmark_version: 'v2.0.0' @@ -112,12 +112,12 @@ audit_conf_dest: "/opt" # Where the audit logs are stored audit_log_dir: '/opt' -## Ability to collect and take audit files moving to a centralised location +## Ability to collect and take audit files moving to a centralized location # This enables the collection of the files from the host fetch_audit_output: false # Method of getting,uploading the summary files -## Ensure access and permissions are avaiable for these to occur. +## Ensure access and permissions are available for these to occur. ## options are # fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller) # copy - copies file to a location available to the managed node @@ -514,7 +514,7 @@ rhel9cis_rule_7_2_9: true ## Section 1 vars -## Ability to enabe debug on mounts to assist in troubleshooting +## Ability to enable debug on mounts to assist in troubleshooting # Mount point changes are set based upon facts created in Prelim # these then build the variable and options that is passed to the handler to set the mount point for the controls in section1. rhel9cis_debug_mount_data: false @@ -722,7 +722,7 @@ rhel9cis_bluetooth_mask: false rhel9cis_ipv6_required: true ## 3.1.2 wireless network requirements -# if wireless adapetr found allow network manager to be installed +# if wireless adapter found allow network manager to be installed rhel9cis_install_network_manager: false # 3.3 System network parameters (host only OR host and router) # This variable governs whether specific CIS rules @@ -730,15 +730,15 @@ rhel9cis_install_network_manager: false rhel9cis_is_router: false # This variable governs if the task which updates sysctl(including sysctl reload) is executed. -# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). +# NOTE: The current default value is likely to be overridden by other further tasks(via 'set_fact'). rhel9cis_sysctl_update: false # This variable governs if the task which flushes the IPv4 routing table is executed(forcing subsequent connections to # use the new configuration). -# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). +# NOTE: The current default value is likely to be overridden by other further tasks(via 'set_fact'). rhel9cis_flush_ipv4_route: false # This variable governs if the task which flushes the IPv6 routing table is executed(forcing subsequent connections to # use the new configuration). -# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). +# NOTE: The current default value is likely to be overridden by other further tasks(via 'set_fact'). rhel9cis_flush_ipv6_route: false # Section 4 vars @@ -890,13 +890,13 @@ rhel9cis_authselect_pkg_update: false # NOTE the risks if system is using SSSD # To create a new profile (best for greenfield fresh sites not configured) # This allows creation of a custom profile using an existing one to build from -# will only create if profiel does not already exist +# will only create if profile does not already exist ## options true or false rhel9cis_authselect_custom_profile_create: true ## Controls: # - 5.3.2.1 - Ensure custom authselect profile is used # Settings in place now will fail, they are placeholders from the control example. Due to the way many multiple -# options and ways to configure this control needs to be enabled and settings adjusted to minimise risk. +# options and ways to configure this control needs to be enabled and settings adjusted to minimize risk. # This variable configures the name of the custom profile to be created and selected. # To be changed from default - cis_example_profile @@ -1046,14 +1046,14 @@ rhel9cis_bash_umask: '0027' # 0027 or more restrictive # These are discovered via logins.def if set true rhel9cis_discover_int_uid: true # This variable sets the minimum number from which to search for UID -# Note that the value will be dynamically overwritten if variable `discover_int_uid` has +# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has # been set to `true`. min_int_uid: 1000 ### Controls: # - Ensure local interactive user home directories exist # - Ensure local interactive users own their home directories # This variable sets the maximum number at which the search stops for UID -# Note that the value will be dynamically overwritten if variable `discover_int_uid` has +# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has # been set to `true`. max_int_uid: 65533 From 350b30dfe4d117395dcf25ae21cab713c0440c59 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 22 Apr 2025 16:32:47 -0400 Subject: [PATCH 21/66] prelim_ prefix added to max_int_uid and min_int_uid Signed-off-by: Frederick Witty --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9358939..385d160 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1048,14 +1048,14 @@ rhel9cis_discover_int_uid: true # This variable sets the minimum number from which to search for UID # Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has # been set to `true`. -min_int_uid: 1000 +prelim_min_int_uid: 1000 ### Controls: # - Ensure local interactive user home directories exist # - Ensure local interactive users own their home directories # This variable sets the maximum number at which the search stops for UID # Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has # been set to `true`. -max_int_uid: 65533 +prelim_max_int_uid: 65533 ## Section6 vars ## Control 6.1.x - allow aide to be configured From 42024903e3eb83901f44dc4bf8596e785ad77d46 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 23 Apr 2025 12:47:22 -0400 Subject: [PATCH 22/66] revamp set facts premlim_ max_int_uid and prelim_min_int_uid Signed-off-by: Frederick Witty --- defaults/main.yml | 4 ++-- tasks/prelim.yml | 21 ++++++++++++--------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 385d160..9358939 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1048,14 +1048,14 @@ rhel9cis_discover_int_uid: true # This variable sets the minimum number from which to search for UID # Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has # been set to `true`. -prelim_min_int_uid: 1000 +min_int_uid: 1000 ### Controls: # - Ensure local interactive user home directories exist # - Ensure local interactive users own their home directories # This variable sets the maximum number at which the search stops for UID # Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has # been set to `true`. -prelim_max_int_uid: 65533 +max_int_uid: 65533 ## Section6 vars ## Control 6.1.x - allow aide to be configured diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1ec355b..dbd1493 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -320,24 +320,27 @@ patterns: '*.conf,*.rules' register: prelim_auditd_conf_files -- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" +- name: "PRELIM | AUDIT | Discover Interactive UID_MIN and UID_MAX from /etc/login.defs" when: rhel9cis_discover_int_uid tags: always block: - - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" - ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' + - name: "PRELIM | AUDIT | Capture UID_MIN from /etc/login.defs" + ansible.builtin.command: awk '/^UID_MIN/ {print $2}' /etc/login.defs changed_when: false + failed_when: false register: prelim_uid_min_id - - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" - ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' + - name: "PRELIM | AUDIT | Capture UID_MAX from /etc/login.defs" + ansible.builtin.command: awk '/^UID_MAX/ {print $2}' /etc/login.defs changed_when: false + failed_when: false register: prelim_uid_max_id - - name: "PRELIM | AUDIT | Set Fact for interactive uid/gid" - ansible.builtin.set_fact: - prelim_min_int_uid: "{{ prelim_uid_min_id.stdout }}" - prelim_max_int_uid: "{{ prelim_uid_max_id.stdout }}" +- name: "PRELIM | AUDIT | Set facts for interactive UID/GID ranges" + tags: always + ansible.builtin.set_fact: + prelim_min_int_uid: "{{ prelim_uid_min_id.stdout | default(min_int_uid) }}" + prelim_max_int_uid: "{{ prelim_uid_max_id.stdout | default(max_int_uid) }}" - name: "PRELIM | AUDIT | Gather the package facts after prelim" tags: From e27e413f943d00253c3c4d702cbc6bb6d0efaf9b Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 23 Apr 2025 16:04:16 -0400 Subject: [PATCH 23/66] Update URL in defaults/main Signed-off-by: Frederick Witty --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9358939..91261b7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -102,7 +102,7 @@ audit_content: git # If using either archive, copy, get_url: ## Note will work with .tar files - zip will require extra configuration ### If using get_url this is expecting github url in tar.gz format e.g. -### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz +### https://github.com/ansible-lockdown/RHEL9-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz audit_conf_source: "some path or url to copy from" # Destination for the audit content to be placed on managed node From dd909b48c8aff1f5fb63560eb611ccd8084e0b62 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 25 Apr 2025 11:47:17 -0400 Subject: [PATCH 24/66] Fix for #320 thank you @kodebach Signed-off-by: Frederick Witty --- Changelog.md | 4 ++++ .../policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 4bd1c86..34b9c2c 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,9 @@ # Changes to rhel9CIS +## 2.0.0 - Based on CIS v2.0.0 + +- #320 - thanks to @kodebach + ## 1.1.6 - Based on CIS v1.0.0 - #190 - thanks to @ipruteanu-sie diff --git a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 index d325a11..393cf88 100644 --- a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 +++ b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 @@ -1,4 +1,4 @@ # This is a subpolicy to disable weak ciphers # for the SSH protocol (libssh and OpenSSH) # Carried out as part of CIS Benchmark rules combined 1.6.6 and 5.1.4 -cipher@SSH ={% if rhel9cis_rule_1_6_6 %} -CHACHA20-POLY1305{% endif %}{% if rhel9cis_rule_5_1_5 %} -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC{% endif %} +cipher@SSH ={% if rhel9cis_rule_1_6_6 %} -CHACHA20-POLY1305{% endif %}{% if rhel9cis_rule_5_1_4 %} -3DES-CBC -AES-128-CBC -AES-192-CBC -AES-256-CBC{% endif %} From 48c05f038f24e660a94a1c8db9f53f23eabb5158 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 25 Apr 2025 14:36:58 -0400 Subject: [PATCH 25/66] Fix for #322 thank @mindrb Signed-off-by: Frederick Witty --- Changelog.md | 3 ++- defaults/main.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index 34b9c2c..4accf38 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,7 +2,8 @@ ## 2.0.0 - Based on CIS v2.0.0 -- #320 - thanks to @kodebach +- #322 - thanks to @mindrb +- #320 - thanks to @anup-ad ## 1.1.6 - Based on CIS v1.0.0 diff --git a/defaults/main.yml b/defaults/main.yml index 91261b7..6a360fa 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -588,7 +588,7 @@ rhel9cis_crypto_policy_module: '' # - 1.7.2 - Ensure local login warning banner is configured properly # - 1.7.3 - Ensure remote login warning banner is configured properly # This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd). -rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and reported. +rhel9cis_warning_banner: Authorized users only. All activity may be monitored and reported. # End Banner ## Control 1.8.x - Settings for GDM From 5e2e4db20e955f90a024b17d92626a82bff461c8 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 19 May 2025 17:24:24 +0000 Subject: [PATCH 26/66] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.24.3 → v8.26.0](https://github.com/gitleaks/gitleaks/compare/v8.24.3...v8.26.0) - [github.com/ansible-community/ansible-lint: v25.2.1 → v25.4.0](https://github.com/ansible-community/ansible-lint/compare/v25.2.1...v25.4.0) - [github.com/adrienverge/yamllint.git: v1.37.0 → v1.37.1](https://github.com/adrienverge/yamllint.git/compare/v1.37.0...v1.37.1) --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 99408de..ebc85d7 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,12 +41,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.24.3 + rev: v8.26.0 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.2.1 + rev: v25.4.0 hooks: - id: ansible-lint name: Ansible-lint @@ -65,7 +65,7 @@ repos: # - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.37.0 # or higher tag + rev: v1.37.1 # or higher tag hooks: - id: yamllint name: Check YAML Lint From 4948d3cb095955447032292831c907733b355151 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 23 May 2025 14:22:30 +0100 Subject: [PATCH 27/66] added ignore comments in file Signed-off-by: Mark Bolwell --- tasks/parse_etc_password.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 86c1cac..70f79c6 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -4,7 +4,7 @@ tags: always block: - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - ansible.builtin.command: cat /etc/passwd + ansible.builtin.command: cat /etc/passwd | grep -v '^#' changed_when: false check_mode: false register: prelim_passwd_file_audit From 8d5a32bc392ce53c9d94f0e6aeff7c07a572de29 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 23 May 2025 14:25:42 +0100 Subject: [PATCH 28/66] added rhel9cis_rsyslog_ansiblemanage conditional Signed-off-by: Mark Bolwell --- tasks/section_6/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index dda7ee5..dbff078 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -20,7 +20,9 @@ file: cis_6.2.2.x.yml - name: "SECTION | 6.2.3 | Configure rsyslog" - when: rhel9cis_syslog == 'rsyslog' + when: + - rhel9cis_syslog == 'rsyslog' + - rhel9cis_rsyslog_ansiblemanaged ansible.builtin.import_tasks: file: cis_6.2.3.x.yml From 2b37d0d7321dec9511f61a0064764ac779b8cb4e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 23 May 2025 14:30:17 +0100 Subject: [PATCH 29/66] added check_mode logic Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index c000fe1..1db531b 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -58,6 +58,10 @@ dest: /var/lib/aide/aide.db.gz remote_src: true mode: 'ug-wx,o-rwx' + register: aide_db_cp + failed_when: + - not ansible_check_mode + - aide_db_cp.failed - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked" when: @@ -119,4 +123,7 @@ /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - validate: aide -D --config %s + register: aide_file_integrity_check + failed_when: + - not ansible_check_mode + - aide_file_integrity_check.failed From 15bf03c75490746568ef21a610236fc714f0630c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 23 May 2025 14:34:30 +0100 Subject: [PATCH 30/66] added check mode logic Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index dbd1493..a0fc2fe 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -25,6 +25,7 @@ ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' changed_when: false + check_mode: false register: prelim_interactive_usernames - name: "PRELIM | AUDIT | Interactive User accounts home directories" @@ -32,6 +33,7 @@ ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }' changed_when: false + check_mode: false register: prelim_interactive_users_home - name: "PRELIM | AUDIT | Interactive UIDs" @@ -39,6 +41,7 @@ ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' changed_when: false + check_mode: false register: prelim_interactive_uids - name: "PRELIM | AUDIT | Capture /etc/password variables" @@ -64,6 +67,7 @@ ansible.builtin.shell: | mount | awk '{print $1, $3, $5, $6}' changed_when: false + check_mode: false register: prelim_mount_output - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact # This is inherited and used in mountpoints tasks @@ -100,6 +104,7 @@ ansible.builtin.command: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' # noqa command-instead-of-module changed_when: false failed_when: false + check_mode: false register: prelim_check_gpg_imported - name: "PRELIM | AUDIT | Import gpg keys | Check Package" # noqa command-instead-of-module @@ -328,12 +333,14 @@ ansible.builtin.command: awk '/^UID_MIN/ {print $2}' /etc/login.defs changed_when: false failed_when: false + check_mode: false register: prelim_uid_min_id - name: "PRELIM | AUDIT | Capture UID_MAX from /etc/login.defs" ansible.builtin.command: awk '/^UID_MAX/ {print $2}' /etc/login.defs changed_when: false failed_when: false + check_mode: false register: prelim_uid_max_id - name: "PRELIM | AUDIT | Set facts for interactive UID/GID ranges" From daf5a3f4621adf7e357f2422aedecef7ccfc14f9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 23 May 2025 15:01:16 +0100 Subject: [PATCH 31/66] changed command to shell for grep Signed-off-by: Mark Bolwell --- tasks/parse_etc_password.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 70f79c6..9190421 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -4,7 +4,7 @@ tags: always block: - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - ansible.builtin.command: cat /etc/passwd | grep -v '^#' + ansible.builtin.shell: cat /etc/passwd | grep -v '^#' changed_when: false check_mode: false register: prelim_passwd_file_audit From 0e61e796c6633c127fa7bdf10e6c2535ec7dd98e Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 23 May 2025 11:00:13 -0400 Subject: [PATCH 32/66] Fix for #325 thank you @mindrb Signed-off-by: Frederick Witty --- Changelog.md | 2 +- tasks/section_6/cis_6.2.2.1.x.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index 4accf38..edcb223 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,7 +2,7 @@ ## 2.0.0 - Based on CIS v2.0.0 -- #322 - thanks to @mindrb +- #322, #325 - thanks to @mindrb - #320 - thanks to @anup-ad ## 1.1.6 - Based on CIS v1.0.0 diff --git a/tasks/section_6/cis_6.2.2.1.x.yml b/tasks/section_6/cis_6.2.2.1.x.yml index 945c2e4..aa2415d 100644 --- a/tasks/section_6/cis_6.2.2.1.x.yml +++ b/tasks/section_6/cis_6.2.2.1.x.yml @@ -35,7 +35,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" loop: - - { regexp: 'URL=', line: 'URL={{ rhel9cis_remote_log_server }}'} + - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'} - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'} - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'} - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'} From f83e5a69a2399c47e139b356c4c8714a9005257b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 23 May 2025 16:05:01 +0100 Subject: [PATCH 33/66] interactive users ilogic improvements thanks to @polski-g Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 16 +++++++--------- tasks/section_5/cis_5.4.1.x.yml | 8 ++++---- tasks/section_5/cis_5.4.2.x.yml | 4 ++-- tasks/section_7/cis_7.2.x.yml | 8 ++++---- vars/main.yml | 3 +++ 5 files changed, 20 insertions(+), 19 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index a0fc2fe..c1edb39 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -23,18 +23,16 @@ - name: "PRELIM | AUDIT | Interactive Users" tags: always ansible.builtin.shell: > - grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1":"$3":"$6 }' changed_when: false check_mode: false - register: prelim_interactive_usernames + register: prelim_interactive_users_raw -- name: "PRELIM | AUDIT | Interactive User accounts home directories" +- name: "PRELIM | AUDIT | Interactive Users (reformat)" tags: always - ansible.builtin.shell: > - grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }' - changed_when: false - check_mode: false - register: prelim_interactive_users_home + ansible.builtin.set_fact: + prelim_interactive_usernames: "{{ prelim_interactive_users | default([]) + [dict([('username', item.split(':')[0]), ('uid', item.split(':')[1]), ('home', item.split(':')[2])])] }}" + loop: "{{ prelim_interactive_users_raw.stdout_lines }}" - name: "PRELIM | AUDIT | Interactive UIDs" tags: always @@ -205,7 +203,7 @@ tags: - always block: - - name: "PRELIM | AUDIT | Discover is wirelss adapter on system" + - name: "PRELIM | AUDIT | Discover is wireless adapter on system" ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless register: discover_wireless_adapters changed_when: false diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 6a492e5..1962101 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -29,7 +29,7 @@ - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" when: - discovered_max_days.stdout_lines | length > 0 - - item in prelim_interactive_usernames.stdout + - item in prelim_interactive_usernames | map(attribute='username') | list - rhel9cis_force_user_maxdays ansible.builtin.user: name: "{{ item }}" @@ -60,7 +60,7 @@ - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured | Set existing users PASS_MIN_DAYS" when: - discovered_min_days.stdout_lines | length > 0 - - item in prelim_interactive_usernames.stdout + - item in prelim_interactive_usernames | map(attribute='username') | list - rhel9cis_force_user_mindays ansible.builtin.user: name: "{{ item }}" @@ -91,7 +91,7 @@ - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users WARN_DAYS" when: - discovered_warn_days.stdout_lines | length > 0 - - item in prelim_interactive_usernames.stdout + - item in prelim_interactive_usernames | map(attribute='username') | list - rhel9cis_force_user_warnage ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}" changed_when: true @@ -140,7 +140,7 @@ register: discovered_passwdlck_user_list - name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - when: item in prelim_interactive_usernames.stdout + when: item in prelim_interactive_usernames | map(attribute='username') | list ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" changed_when: true loop: "{{ discovered_passwdlck_user_list.stdout_lines }}" diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index 12390b3..a8eb4d0 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -195,7 +195,7 @@ - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" when: - rhel9cis_rule_5_4_2_7 - - "item.id not in prelim_interactive_usernames.stdout" + - "item.id not in prelim_interactive_usernames | map(attribute='username')" - item.id not in rhel9cis_system_users_shell - "'root' not in item.id" - rhel9cis_disruption_high @@ -220,7 +220,7 @@ when: - rhel9cis_rule_5_4_2_8 - rhel9cis_disruption_high - - "item.id not in prelim_interactive_usernames.stdout" + - "item.id not in prelim_interactive_usernames | map(attribute='username')" - "'root' not in item.id" tags: - level1-server diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index cc1825c..8706877 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -256,7 +256,7 @@ etype: group permissions: rx state: present - loop: "{{ prelim_interactive_users_home.stdout_lines }}" + loop: "{{ prelim_interactive_users | map(attribute='home') | list }}" - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Set other ACL" when: not system_is_container @@ -266,7 +266,7 @@ etype: other permissions: 0 state: present - loop: "{{ prelim_interactive_users_home.stdout_lines }}" + loop: "{{ prelim_interactive_users | map(attribute='home') | list }}" - name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured" when: @@ -315,6 +315,6 @@ ansible.builtin.file: path: '{{ item }}' mode: 'go-w' - owner: "{{ rhel9cis_passwd | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}" - group: "{{ rhel9cis_passwd | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}" + owner: "{{ rhel9cis_passwd | selectattr('dir', 'in', prelim_interactive_users_raw.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}" + group: "{{ rhel9cis_passwd | selectattr('dir', 'in', prelim_interactive_users_raw.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}" with_items: "{{ discovered_homedir_hidden_files.stdout_lines }}" diff --git a/vars/main.yml b/vars/main.yml index cdca90d..5eed07c 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -22,6 +22,9 @@ rhel9cis_allowed_crypto_policies_modules: warn_control_list: "" warn_count: 0 +# list of dicts of interactive users, filled in during prelim.yml +prelim_interactive_users: [] + # Default empty values for 1.4.2 efi_mount_opts_addition: '' From f564135e72384a79f2f99f0ac9d0bf7d90bddfdc Mon Sep 17 00:00:00 2001 From: polski_g Date: Thu, 8 May 2025 11:17:29 -0400 Subject: [PATCH 34/66] Check for existence of sshd_config.d/50-redhat.conf before trying to modify it Signed-off-by: polski-g --- tasks/prelim.yml | 8 ++++++++ tasks/section_5/cis_5.1.x.yml | 2 ++ 2 files changed, 10 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c1edb39..b8f39d6 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -246,6 +246,14 @@ mode: 'go-rwx' state: touch +- name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists" + when: + - rhel9cis_rule_5_1_10 or + rhel9cis_rule_5_1_11 + ansible.builtin.stat: + path: /etc/ssh/sshd_config.d/50-redhat.conf + register: discovered_sshd_50_redhat_file + - name: "PRELIM | AUDIT | Capture pam security related files" tags: always ansible.builtin.find: diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 99176fd..eaee7de 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -276,6 +276,7 @@ notify: Restart sshd - name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | override" + when: discovered_sshd_50_redhat_file.stat.exists ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/50-redhat.conf regexp: ^(?i)(#|)\s*X11Forwarding @@ -298,6 +299,7 @@ - NIST800-53R5_IA-5 block: - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | redhat file" + when: discovered_sshd_50_redhat_file.stat.exists ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/50-redhat.conf regexp: ^(?i)(#|)\s*GSSAPIAuthentication From 4e49532e2030320148fcb272dca5a2950b4e2575 Mon Sep 17 00:00:00 2001 From: polski_g Date: Thu, 8 May 2025 10:52:21 -0400 Subject: [PATCH 35/66] Variablize network-manager package name Signed-off-by: polski-g --- defaults/main.yml | 1 + tasks/section_3/cis_3.1.x.yml | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6a360fa..c55f93a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -724,6 +724,7 @@ rhel9cis_ipv6_required: true ## 3.1.2 wireless network requirements # if wireless adapter found allow network manager to be installed rhel9cis_install_network_manager: false +rhel9cis_network_manager_package_name: NetworkManager # 3.3 System network parameters (host only OR host and router) # This variable governs whether specific CIS rules # concerned with acceptance and routing of packages are skipped. diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 68a66de..a20c0e9 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -39,7 +39,7 @@ warn_control_id: '3.1.2' block: - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" - when: "'network-manager' in ansible_facts.packages" + when: "rhel9cis_network_manager_package_name in ansible_facts.packages" ansible.builtin.command: nmcli radio wifi changed_when: false failed_when: false @@ -48,19 +48,19 @@ - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" when: - - "'network-manager' in ansible_facts.packages" + - "rhel9cis_network_manager_package_name in ansible_facts.packages" - "'enabled' in discovered_wifi_status.stdout" ansible.builtin.command: nmcli radio all off changed_when: discovered_nmcli_radio_off.rc == 0 register: discovered_nmcli_radio_off - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" - when: "'network-manager' not in ansible_facts.packages" + when: "rhel9cis_network_manager_package_name not in ansible_facts.packages" ansible.builtin.debug: msg: "Warning!! You need to disable wireless interfaces manually since network-manager is not installed" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Set warning count" - when: "'network-manager' not in ansible_facts.packages" + when: "rhel9cis_network_manager_package_name not in ansible_facts.packages" ansible.builtin.import_tasks: file: warning_facts.yml From fb9577f7d9c5f4f41efce4454ab626f1a579f367 Mon Sep 17 00:00:00 2001 From: polski_g Date: Thu, 8 May 2025 10:53:27 -0400 Subject: [PATCH 36/66] Fix typo in variable name discovered_group_check Signed-off-by: polski-g --- tasks/section_7/cis_7.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index 8706877..cb01c21 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -220,7 +220,7 @@ - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" when: discovered_group_check.stdout | length > 0 ansible.builtin.debug: - msg: "Warning!! The following group names are duplicates: {{ discovered_group_group_check.stdout_lines }}" + msg: "Warning!! The following group names are duplicates: {{ discovered_group_check.stdout_lines }}" - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Set warning count" when: discovered_group_check.stdout | length > 0 From 68579ae85e7ff7613bd9ae89f66fd96cd57374f8 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 26 May 2025 17:23:15 +0000 Subject: [PATCH 37/66] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v25.4.0 → v25.5.0](https://github.com/ansible-community/ansible-lint/compare/v25.4.0...v25.5.0) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ebc85d7..ddcc701 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.4.0 + rev: v25.5.0 hooks: - id: ansible-lint name: Ansible-lint From d136bfa381f6b2766782fbca28b60b1c1def55e6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 28 May 2025 10:22:30 +0100 Subject: [PATCH 38/66] Updated variable naming for interactive_users Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- tasks/section_5/cis_5.4.1.x.yml | 8 ++++---- tasks/section_5/cis_5.4.2.x.yml | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c1edb39..7d3b295 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -31,7 +31,7 @@ - name: "PRELIM | AUDIT | Interactive Users (reformat)" tags: always ansible.builtin.set_fact: - prelim_interactive_usernames: "{{ prelim_interactive_users | default([]) + [dict([('username', item.split(':')[0]), ('uid', item.split(':')[1]), ('home', item.split(':')[2])])] }}" + prelim_interactive_users: "{{ prelim_interactive_users | default([]) + [dict([('username', item.split(':')[0]), ('uid', item.split(':')[1]), ('home', item.split(':')[2])])] }}" loop: "{{ prelim_interactive_users_raw.stdout_lines }}" - name: "PRELIM | AUDIT | Interactive UIDs" diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 1962101..7fcfb0b 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -29,7 +29,7 @@ - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" when: - discovered_max_days.stdout_lines | length > 0 - - item in prelim_interactive_usernames | map(attribute='username') | list + - item in prelim_interactive_users | map(attribute='username') | list - rhel9cis_force_user_maxdays ansible.builtin.user: name: "{{ item }}" @@ -60,7 +60,7 @@ - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured | Set existing users PASS_MIN_DAYS" when: - discovered_min_days.stdout_lines | length > 0 - - item in prelim_interactive_usernames | map(attribute='username') | list + - item in prelim_interactive_users | map(attribute='username') | list - rhel9cis_force_user_mindays ansible.builtin.user: name: "{{ item }}" @@ -91,7 +91,7 @@ - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users WARN_DAYS" when: - discovered_warn_days.stdout_lines | length > 0 - - item in prelim_interactive_usernames | map(attribute='username') | list + - item in prelim_interactive_users | map(attribute='username') | list - rhel9cis_force_user_warnage ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}" changed_when: true @@ -140,7 +140,7 @@ register: discovered_passwdlck_user_list - name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - when: item in prelim_interactive_usernames | map(attribute='username') | list + when: item in prelim_interactive_users | map(attribute='username') | list ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" changed_when: true loop: "{{ discovered_passwdlck_user_list.stdout_lines }}" diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index a8eb4d0..26985a3 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -195,7 +195,7 @@ - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" when: - rhel9cis_rule_5_4_2_7 - - "item.id not in prelim_interactive_usernames | map(attribute='username')" + - "item.id not in prelim_interactive_users | map(attribute='username')" - item.id not in rhel9cis_system_users_shell - "'root' not in item.id" - rhel9cis_disruption_high @@ -220,7 +220,7 @@ when: - rhel9cis_rule_5_4_2_8 - rhel9cis_disruption_high - - "item.id not in prelim_interactive_usernames | map(attribute='username')" + - "item.id not in prelim_interactive_users | map(attribute='username')" - "'root' not in item.id" tags: - level1-server From 5dc2541731f3e544939f44d112a94bc6af015974 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 28 May 2025 14:57:29 +0100 Subject: [PATCH 39/66] Updated passwd variable name Signed-off-by: Mark Bolwell --- tasks/parse_etc_password.yml | 6 +++--- tasks/section_5/cis_5.4.2.x.yml | 4 ++-- tasks/section_7/cis_7.2.x.yml | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 9190421..9f137cb 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -7,11 +7,11 @@ ansible.builtin.shell: cat /etc/passwd | grep -v '^#' changed_when: false check_mode: false - register: prelim_passwd_file_audit + register: prelim_capture_passwd_file - - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries" + - name: "PRELIM | 5.4.2 | 7.2.8 | Split passwd entries" ansible.builtin.set_fact: - rhel9cis_passwd: "{{ prelim_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" + prelim_captured_passwd_data: "{{ prelim_capture_passwd_file.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" loop: "{{ prelim_passwd_file_audit.stdout_lines }}" vars: ld_passwd_regex: >- diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index 26985a3..37a4e11 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -212,7 +212,7 @@ ansible.builtin.user: name: "{{ item.id }}" shell: /usr/sbin/nologin - loop: "{{ rhel9cis_passwd }}" + loop: "{{ prelim_captured_passwd_data }}" loop_control: label: "{{ item.id }}" @@ -235,6 +235,6 @@ ansible.builtin.user: name: "{{ item.id }}" password_lock: true - loop: "{{ rhel9cis_passwd }}" + loop: "{{ prelim_captured_passwd_data }}" loop_control: label: "{{ item.id }}" diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index 8706877..c63ee2f 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -243,7 +243,7 @@ state: directory owner: "{{ item.id }}" group: "{{ item.gid }}" - loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', prelim_max_int_uid | int) | list }}" + loop: "{{ prelim_captured_passwd_data | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', prelim_max_int_uid | int) | list }}" loop_control: label: "{{ item.id }}" @@ -315,6 +315,6 @@ ansible.builtin.file: path: '{{ item }}' mode: 'go-w' - owner: "{{ rhel9cis_passwd | selectattr('dir', 'in', prelim_interactive_users_raw.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}" - group: "{{ rhel9cis_passwd | selectattr('dir', 'in', prelim_interactive_users_raw.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}" + owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}" + group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}" with_items: "{{ discovered_homedir_hidden_files.stdout_lines }}" From c4070c341b99a7ca2a76de22bc41e545d0fbf88f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 28 May 2025 15:35:34 +0100 Subject: [PATCH 40/66] Updated logic on 7.2.9 tasks Signed-off-by: Mark Bolwell --- tasks/section_7/cis_7.2.x.yml | 64 ++++++++++++++++++++++++++++------- 1 file changed, 51 insertions(+), 13 deletions(-) diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index c63ee2f..90da743 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -286,8 +286,8 @@ vars: warn_control_id: '7.2.9' block: - - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Check for files" - ansible.builtin.shell: find /home/ -name "\.*" + - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured" + ansible.builtin.shell: find {{ prelim_interactive_users_home.stdout_lines | list | join(' ') }} -name "\.*" -type f changed_when: false failed_when: discovered_homedir_hidden_files.rc not in [ 0, 1 ] check_mode: false @@ -296,25 +296,63 @@ - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found" when: - discovered_homedir_hidden_files.stdout | length > 0 - - rhel9cis_dotperm_ansiblemanaged + - not rhel9cis_dotperm_ansiblemanaged ansible.builtin.debug: msg: - - "Warning!! We have discovered group or world-writable dot files on your system and this host is configured for manual intervention. Please investigate these files further." + - "Warning!! Please investigate that hidden files found in users home directories match control requirements." - - name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Set warning count" + - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Set warning count" when: - discovered_homedir_hidden_files.stdout | length > 0 - - rhel9cis_dotperm_ansiblemanaged + - not rhel9cis_dotperm_ansiblemanaged ansible.builtin.import_tasks: file: warning_facts.yml - - name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured" + - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured" when: - discovered_homedir_hidden_files.stdout | length > 0 - rhel9cis_dotperm_ansiblemanaged - ansible.builtin.file: - path: '{{ item }}' - mode: 'go-w' - owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}" - group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}" - with_items: "{{ discovered_homedir_hidden_files.stdout_lines }}" + block: + - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Changes files if configured .bash_history & .netrc" + when: + - discovered_homedir_hidden_files.stdout | length > 0 + - item | basename in ['.bash_history','.netrc'] + ansible.builtin.file: + path: "{{ item }}" + mode: 'u-x,go-rwx' + failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]' + register: discovered_dot_bash_history_to_change + loop: "{{ discovered_homedir_hidden_files.stdout_lines }}" + + - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Changes files if configured file mode" + ansible.builtin.file: + path: '{{ item }}' + mode: 'u-x,go-wx' + failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]' + register: discovered_dot_bash_history_to_change + loop: "{{ discovered_homedir_hidden_files.stdout_lines }}" + + - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Changes files ownerships" + ansible.builtin.file: + path: "{{ item }}" + owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}" + group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}" + failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]' + register: discovered_dot_bash_history_to_change + loop: "{{ discovered_homedir_hidden_files.stdout_lines }}" + + - name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured" + ansible.builtin.file: + path: '{{ item }}' + mode: 'go-w' + owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}" + group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}" + with_items: "{{ discovered_homedir_hidden_files.stdout_lines }}" + + - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | rename .forward or .rhosts files" + when: + - item | basename in ['.forward','.rhosts'] + - item is not search ("CIS") + ansible.builtin.command: "mv {{ item }} {{ item }}_CIS_TOBEREVIEWED" + changed_when: true + loop: "{{ discovered_homedir_hidden_files.stdout_lines }}" From 210535bf4f14b00b5f9de8c7dab8c291e646f7bf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 28 May 2025 15:36:04 +0100 Subject: [PATCH 41/66] updated loop var name Signed-off-by: Mark Bolwell --- tasks/parse_etc_password.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 9f137cb..c7ed865 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -12,7 +12,7 @@ - name: "PRELIM | 5.4.2 | 7.2.8 | Split passwd entries" ansible.builtin.set_fact: prelim_captured_passwd_data: "{{ prelim_capture_passwd_file.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" - loop: "{{ prelim_passwd_file_audit.stdout_lines }}" + loop: "{{ prelim_capture_passwd_file.stdout_lines }}" vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) From f740d89b54c77aca6056571fad56124f6907f018 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 28 May 2025 15:36:39 +0100 Subject: [PATCH 42/66] Added user home discovery Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 7d3b295..4c170a1 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -34,6 +34,14 @@ prelim_interactive_users: "{{ prelim_interactive_users | default([]) + [dict([('username', item.split(':')[0]), ('uid', item.split(':')[1]), ('home', item.split(':')[2])])] }}" loop: "{{ prelim_interactive_users_raw.stdout_lines }}" +- name: "PRELIM | AUDIT | Interactive User accounts home directories" + tags: always + ansible.builtin.shell: > + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $6 }' + changed_when: false + check_mode: false + register: prelim_interactive_users_home + - name: "PRELIM | AUDIT | Interactive UIDs" tags: always ansible.builtin.shell: > From cb475d336892def111d1817363afa48aa1ff6ed4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 28 May 2025 16:10:28 +0100 Subject: [PATCH 43/66] fixed typo on post audit file name Signed-off-by: Mark Bolwell --- tasks/post_remediation_audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 54d5785..68e7035 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -33,7 +33,7 @@ when: audit_format == "documentation" block: - name: Post Audit | Capture audit data if documentation format - ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' + ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' ' changed_when: false register: post_audit_summary From 30d7e3a7616e9d938c8c208cfe6003c053f84255 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 2 Jun 2025 17:25:10 +0000 Subject: [PATCH 44/66] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.26.0 → v8.27.0](https://github.com/gitleaks/gitleaks/compare/v8.26.0...v8.27.0) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ddcc701..79d19fb 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,7 +41,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.26.0 + rev: v8.27.0 hooks: - id: gitleaks From 1bff329a058de7a7148108f3423cf5a636287edf Mon Sep 17 00:00:00 2001 From: polski-g Date: Tue, 3 Jun 2025 11:35:05 -0400 Subject: [PATCH 45/66] auditd: ensure check mode runs non-destructive call to ausyscall --dump Signed-off-by: polski-g --- tasks/auditd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 7b86b94..0fa0b32 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -7,6 +7,7 @@ - name: "POST | AUDITD | Set supported_syscalls variable" ansible.builtin.shell: ausyscall --dump | awk '{print $2}' changed_when: false + check_mode: false failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ] register: discovered_auditd_syscalls From 5226f14b3e61eb23e740aac886520ddd309e7242 Mon Sep 17 00:00:00 2001 From: polski-g Date: Fri, 6 Jun 2025 10:03:47 -0400 Subject: [PATCH 46/66] fetch of auditd logfile should run in check_mode Signed-off-by: polski-g --- tasks/prelim.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index ced76ce..0081cc6 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -317,6 +317,7 @@ tags: always ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' changed_when: false + check_mode: false register: prelim_auditd_logfile - name: "PRELIM | AUDIT | Audit conf and rules files | list files" From 2ce05a345ddb7ddc3c4c00d121ef3b05c91dbb4c Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 9 Jun 2025 17:24:11 +0000 Subject: [PATCH 47/66] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.27.0 → v8.27.2](https://github.com/gitleaks/gitleaks/compare/v8.27.0...v8.27.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 79d19fb..cbcb7a4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,7 +41,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.27.0 + rev: v8.27.2 hooks: - id: gitleaks From 30bb04b1d487b19b8663bda48283a9c457340b8b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jun 2025 12:10:44 +0100 Subject: [PATCH 48/66] updates root password check Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index e285e8d..fe50b10 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -132,7 +132,7 @@ - rule_5.4.2.4 block: - name: "Ensure root password is set" - ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)" + ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)" changed_when: false register: prelim_root_passwd_set From 9f50effd30052ff24c0a02c8e47c6b7e437238cd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Jun 2025 10:01:10 +0100 Subject: [PATCH 49/66] updated logic Signed-off-by: Mark Bolwell --- tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/main.yml b/tasks/main.yml index fe50b10..43ec09c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -134,6 +134,7 @@ - name: "Ensure root password is set" ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)" changed_when: false + failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ] register: prelim_root_passwd_set - name: "Ensure root password is set" From 51b20d383d98965bf44290388edbc9322bcb7a28 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Jun 2025 10:07:27 +0100 Subject: [PATCH 50/66] Renamed variable to prelim Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index ced76ce..0a3c42a 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -260,7 +260,7 @@ rhel9cis_rule_5_1_11 ansible.builtin.stat: path: /etc/ssh/sshd_config.d/50-redhat.conf - register: discovered_sshd_50_redhat_file + register: prelim_sshd_50_redhat_file - name: "PRELIM | AUDIT | Capture pam security related files" tags: always From b2308ac31097f1e44bffb0e0c2a9b7978c47f891 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Jun 2025 10:07:55 +0100 Subject: [PATCH 51/66] fixed typos in logic Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.3.x.yml | 4 ++-- tasks/section_1/cis_1.1.2.4.x.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index 998d1ba..635648d 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -21,12 +21,12 @@ register: discovered_home_mount - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Absent" - when: discovered_dev_shm_mount is undefined + when: discovered_home_mount is undefined ansible.builtin.debug: msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Present" - when: discovered_dev_shm_mount is undefined + when: discovered_home_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index e0afd4e..f89fe3f 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -22,12 +22,12 @@ register: discovered_var_mount - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent" - when: discovered_dev_shm_mount is undefined + when: discovered_var_mount is undefined ansible.builtin.debug: msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present" - when: discovered_dev_shm_mount is undefined + when: discovered_var_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml From 18fc4ea585f7f3812e391ebc0ca75cf2528f741e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Jun 2025 10:08:56 +0100 Subject: [PATCH 52/66] updated conditional var name and regex best practices Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index eaee7de..3fd366c 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -276,10 +276,10 @@ notify: Restart sshd - name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | override" - when: discovered_sshd_50_redhat_file.stat.exists + when: prelim_sshd_50_redhat_file.stat.exists ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/50-redhat.conf - regexp: ^(?i)(#|)\s*X11Forwarding + regexp: (?i)^(#|)\s*X11Forwarding line: 'X11Forwarding {{ rhel9cis_sshd_x11forwarding }}' validate: sshd -t -f %s notify: Restart sshd @@ -299,10 +299,10 @@ - NIST800-53R5_IA-5 block: - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | redhat file" - when: discovered_sshd_50_redhat_file.stat.exists + when: prelim_sshd_50_redhat_file.stat.exists ansible.builtin.lineinfile: path: /etc/ssh/sshd_config.d/50-redhat.conf - regexp: ^(?i)(#|)\s*GSSAPIAuthentication + regexp: (?i)^(#|)\s*GSSAPIAuthentication line: GSSAPIAuthentication no validate: sshd -t -f %s notify: Restart sshd @@ -310,7 +310,7 @@ - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | ssh config" ansible.builtin.lineinfile: path: "{{ rhel9cis_sshd_config_file }}" - regexp: ^(?i)(#|)\s*GSSAPIAuthentication + regexp: (?i)^(#|)\s*GSSAPIAuthentication line: GSSAPIAuthentication no validate: sshd -t -f %s notify: Restart sshd @@ -330,7 +330,7 @@ - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: "{{ rhel9cis_sshd_config_file }}" - regexp: ^(?i)(#|)\s*HostbasedAuthentication + regexp: (?i)^(#|)\s*HostbasedAuthentication line: 'HostbasedAuthentication no' validate: sshd -t -f %s notify: Restart sshd @@ -350,7 +350,7 @@ - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: "{{ rhel9cis_sshd_config_file }}" - regexp: ^(?i)(#|)\s*IgnoreRhosts + regexp: (?i)^(#|)\s*IgnoreRhosts line: 'IgnoreRhosts yes' insertbefore: "^Match" firstmatch: true @@ -368,7 +368,7 @@ - NIST800-53R5_CM-6 ansible.builtin.lineinfile: path: "{{ rhel9cis_sshd_config_file }}" - regexp: ^(?i)(#|)\s*LoginGraceTime + regexp: (?i)^(#|)\s*LoginGraceTime line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}" insertbefore: "^Match" firstmatch: true @@ -388,7 +388,7 @@ - NIST800-53R5_SI-5 ansible.builtin.lineinfile: path: "{{ rhel9cis_sshd_config_file }}" - regexp: ^(?i)(#|)\s*LogLevel + regexp: (?i)^(#|)\s*LogLevel line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' insertbefore: "^Match" firstmatch: true @@ -426,7 +426,7 @@ - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: "{{ rhel9cis_sshd_config_file }}" - regexp: ^(?i)(#|)\s*MaxStartups + regexp: (?i)^(#|)\s*MaxStartups line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}' validate: sshd -t -f %s notify: Restart sshd @@ -446,7 +446,7 @@ - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: "{{ rhel9cis_sshd_config_file }}" - regexp: ^(?i)(#|)\s*MaxSessions + regexp: (?i)^(#|)\s*MaxSessions line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' validate: sshd -t -f %s notify: Restart sshd @@ -466,7 +466,7 @@ - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: "{{ rhel9cis_sshd_config_file }}" - regexp: ^(?i)(#|)\s*PermitEmptyPasswords + regexp: (?i)^(#|)\s*PermitEmptyPasswords line: 'PermitEmptyPasswords no' validate: sshd -t -f %s notify: Restart sshd @@ -484,7 +484,7 @@ - name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled | config file" ansible.builtin.lineinfile: path: "{{ rhel9cis_sshd_config_file }}" - regexp: ^(?i)(#|)\s*PermitRootLogin + regexp: (?i)^(#|)\s*PermitRootLogin line: 'PermitRootLogin no' validate: sshd -t -f %s notify: Restart sshd @@ -510,7 +510,7 @@ - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: "{{ rhel9cis_sshd_config_file }}" - regexp: ^(?i)(#|)\s*PermitUserEnvironment + regexp: (?i)^(#|)\s*PermitUserEnvironment line: 'PermitUserEnvironment no' validate: sshd -t -f %s notify: Restart sshd @@ -530,7 +530,7 @@ - NIST800-53R5_IA-5 ansible.builtin.lineinfile: path: "{{ rhel9cis_sshd_config_file }}" - regexp: ^(?i)(#|)\s*UsePAM + regexp: (?i)^(#|)\s*UsePAM line: 'UsePAM yes' validate: sshd -t -f %s notify: Restart sshd From 7bef2eda62c06b670893f13111f45a5d87a04650 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Jun 2025 10:12:27 +0100 Subject: [PATCH 53/66] added check_mode false Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 7b86b94..0fa0b32 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -7,6 +7,7 @@ - name: "POST | AUDITD | Set supported_syscalls variable" ansible.builtin.shell: ausyscall --dump | awk '{print $2}' changed_when: false + check_mode: false failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ] register: discovered_auditd_syscalls From ca14eeb1476ef4594de5ecc1ac658300663ee971 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Jun 2025 10:18:26 +0100 Subject: [PATCH 54/66] updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog.md b/Changelog.md index edcb223..83157e9 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,12 @@ # Changes to rhel9CIS +## 2.0.1 - Based on CIS v2.0.0 + +- Thanks to @polski-g several issues and improvements added +- Improved testing for 50-redhat.conf for ssh +- 5.1.x regexp improvements +- Improved root password check + ## 2.0.0 - Based on CIS v2.0.0 - #322, #325 - thanks to @mindrb From 35d0bf9c4be05139e540edad74873690e57d576f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Jun 2025 13:19:14 +0100 Subject: [PATCH 55/66] updated auditing conditionals Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 0a3c42a..1eed552 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -4,9 +4,7 @@ # List users in order to look files inside each home directory - name: "PRELIM | Include audit specific variables" - when: - - run_audit or audit_only - - setup_audit + when: run_audit or audit_only or setup_audit tags: - setup_audit - run_audit @@ -14,9 +12,7 @@ file: audit.yml - name: "PRELIM | Include pre-remediation audit tasks" - when: - - run_audit or audit_only - - setup_audit + when: run_audit or audit_only or setup_audit tags: run_audit ansible.builtin.import_tasks: pre_remediation_audit.yml From 3173b74481ebcab6448bc37ed0c863313a8d77a8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Jun 2025 17:21:45 +0100 Subject: [PATCH 56/66] updated grep command 1.3.1.6 Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.3.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml index 198ae7b..ad7d844 100644 --- a/tasks/section_1/cis_1.3.1.x.yml +++ b/tasks/section_1/cis_1.3.1.x.yml @@ -106,7 +106,7 @@ warn_control_id: '1.3.1.6' block: - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" - ansible.builtin.shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' + ansible.builtin.shell: ps -eZ | grep unconfined_service_t | grep -Evw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' register: discovered_unconf_services failed_when: false changed_when: false From 3ea5b92259d5998129b0274043571c66ab44dac3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 16 Jun 2025 17:22:31 +0100 Subject: [PATCH 57/66] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 83157e9..ede8f72 100644 --- a/Changelog.md +++ b/Changelog.md @@ -6,6 +6,7 @@ - Improved testing for 50-redhat.conf for ssh - 5.1.x regexp improvements - Improved root password check +- egrep command changed to grep -E ## 2.0.0 - Based on CIS v2.0.0 From 908ac57db767d6952c057db34d55faaa87a998e6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jun 2025 16:26:01 +0100 Subject: [PATCH 58/66] enabled fetch report and updated title Signed-off-by: Mark Bolwell --- tasks/audit_only.yml | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index 39c9f7d..a33cb94 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml @@ -1,19 +1,17 @@ --- -- name: Audit_Only | Create local Directories for hosts - when: fetch_audit_files - ansible.builtin.file: - mode: 'u+x,go-w' - path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" - recurse: true - state: directory - delegate_to: localhost - become: false + +- name: Audit_only | Fetch audit files + when: + - fetch_audit_output + - audit_only + ansible.builtin.import_tasks: + file: fetch_audit_output.yml - name: Audit_only | Show Audit Summary when: audit_only ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" -- name: Audit_only | Stop Playbook Audit Only selected +- name: Audit_only | Stop task for host as audit_only selected when: audit_only - ansible.builtin.meta: end_play + ansible.builtin.meta: end_host From 515d5c3bf77a87385aea862e496e8502a5a50141 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jun 2025 16:26:48 +0100 Subject: [PATCH 59/66] added changed_when to resolve false warning message Signed-off-by: Mark Bolwell --- tasks/fetch_audit_output.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/fetch_audit_output.yml b/tasks/fetch_audit_output.yml index 563b699..e440185 100644 --- a/tasks/fetch_audit_output.yml +++ b/tasks/fetch_audit_output.yml @@ -8,6 +8,7 @@ src: "{{ item }}" dest: "{{ audit_output_destination }}" flat: true + changed_when: true failed_when: false register: discovered_audit_fetch_state loop: From 72dfe581e970267fe500ee84365439a0f16c6fe6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jun 2025 16:27:53 +0100 Subject: [PATCH 60/66] updated Signed-off-by: Mark Bolwell --- Changelog.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Changelog.md b/Changelog.md index edcb223..57ac1bc 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,11 @@ # Changes to rhel9CIS +## Based on CIS v2.0.0 + +Update to audit_only to allow fetching results +resolved false warning for fetch audit +fix root user check + ## 2.0.0 - Based on CIS v2.0.0 - #322, #325 - thanks to @mindrb From bd1547313a69a7750ad1a312796b35e081346646 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jun 2025 11:28:19 +0100 Subject: [PATCH 61/66] Fix logic and notes for in crypto policy building Signed-off-by: Mark Bolwell --- Changelog.md | 1 + defaults/main.yml | 4 ++-- handlers/main.yml | 2 +- tasks/main.yml | 2 +- vars/main.yml | 6 ++++++ 5 files changed, 11 insertions(+), 4 deletions(-) diff --git a/Changelog.md b/Changelog.md index 3cb8dad..331a17e 100644 --- a/Changelog.md +++ b/Changelog.md @@ -5,6 +5,7 @@ Update to audit_only to allow fetching results resolved false warning for fetch audit fix root user check +Improved documentation and variable compilation for crypto policies ## 2.0.1 - Based on CIS v2.0.0 diff --git a/defaults/main.yml b/defaults/main.yml index c55f93a..23312e5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -580,8 +580,8 @@ rhel9cis_crypto_policy: 'DEFAULT' ## Control 1.6 # This variable contains the value of the crypto policy module(combinations of policies and # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, -# using 'rhel9cis_allowed_crypto_policies_modules' variable. -rhel9cis_crypto_policy_module: '' +# using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable. +rhel9cis_additional_crypto_policy_module: '' ## Controls: # - 1.7.1 - Ensure message of the day is configured properly diff --git a/handlers/main.yml b/handlers/main.yml index 1a3b66e..4bc5a08 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -186,7 +186,7 @@ - name: Update Crypto Policy ansible.builtin.set_fact: - rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}{{ rhel9cis_crypto_policy_module }}{% endif %}" + rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{{ rhel9cis_crypto_policy_module }}:{{ rhel9cis_additional_crypto_policy_module }}" notify: Set Crypto Policy - name: Set Crypto Policy diff --git a/tasks/main.yml b/tasks/main.yml index 43ec09c..25bb7bc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -61,7 +61,7 @@ - crypto - NIST800-53R5_SC-6 ansible.builtin.assert: - that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules + that: rhel9cis_additional_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules fail_msg: "Crypto policy module is not a permitted version" success_msg: "Crypto policy module is a permitted version" diff --git a/vars/main.yml b/vars/main.yml index 5eed07c..9337d58 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -7,10 +7,16 @@ rhel9cis_allowed_crypto_policies: - 'FUTURE' - 'FIPS' +# Following is left blank for ability to build string +rhel9cis_crypto_policy_module: '' + +# Do not adjust these are recognized as part of the CIS benchmark and used during testing rhel9cis_allowed_crypto_policies_modules: + # Recognized by CIS as possible extra options - 'OSPP' - 'AD-SUPPORT' - 'AD-SUPPORT-LEGACY' + # The following are already included in 1.6.x controls - 'NO-SHA1' - 'NO-SSHCBC' - 'NO-SSHETM' From 37f4d0c9f09c34410c9b8893de37f5046d9db347 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jun 2025 12:15:13 +0100 Subject: [PATCH 62/66] fixed crypto logic Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/handlers/main.yml b/handlers/main.yml index 4bc5a08..1894300 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -186,7 +186,7 @@ - name: Update Crypto Policy ansible.builtin.set_fact: - rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{{ rhel9cis_crypto_policy_module }}:{{ rhel9cis_additional_crypto_policy_module }}" + rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{{ rhel9cis_crypto_policy_module }}{% if rhel9cis_additional_crypto_policy_module | length > 0 %}:{{ rhel9cis_additional_crypto_policy_module }}{% endif %}" notify: Set Crypto Policy - name: Set Crypto Policy From fc2f5895ced1fbee59d117f05d86b925b8b7912a Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 23 Jun 2025 17:27:59 +0000 Subject: [PATCH 63/66] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v25.5.0 → v25.6.1](https://github.com/ansible-community/ansible-lint/compare/v25.5.0...v25.6.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cbcb7a4..a4d0a42 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.5.0 + rev: v25.6.1 hooks: - id: ansible-lint name: Ansible-lint From 23338ccd314d433049606b36114d6d32c004d5e3 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 27 Jun 2025 11:12:07 -0400 Subject: [PATCH 64/66] Addresses #318 - Thank you @kodebach & @bgro Signed-off-by: Frederick Witty --- Changelog.md | 12 +++++++----- tasks/main.yml | 5 ++--- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/Changelog.md b/Changelog.md index 331a17e..53cf91d 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,11 +1,13 @@ # Changes to rhel9CIS -## Based on CIS v2.0.0 +## 2.0.1 - Based on CIS v2.0.0 -Update to audit_only to allow fetching results -resolved false warning for fetch audit -fix root user check -Improved documentation and variable compilation for crypto policies +- Update to audit_only to allow fetching results +- resolved false warning for fetch audit +- fix root user check +- Improved documentation and variable compilation for crypto policies +- Addresses #318 - Thank you @kodebach & @bgro + - Improved logic for 5.2.4 to exclude rhel9cis_sudoers_exclude_nopasswd_list in pre-check task/main.yml ## 2.0.1 - Based on CIS v2.0.0 diff --git a/tasks/main.yml b/tasks/main.yml index 25bb7bc..460acc8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -101,10 +101,9 @@ - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template] ansible.builtin.assert: - that: - - not prelim_ansible_user_password_set.stdout.startswith("!") + that: (not prelim_ansible_user_password_set.stdout.startswith("!")) or (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list) fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" - success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" + success_msg: "The local account {{ ansible_env.SUDO_USER }} is not locked or included in the exception list for rule 5.2.4" - name: "Check authselect profile is selected" when: rhel9cis_allow_authselect_updates From ac276f34fc8e5773e232fc51b90446df796b9fb5 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 27 Jun 2025 11:15:19 -0400 Subject: [PATCH 65/66] ChangeLog versioning fix Signed-off-by: Frederick Witty --- Changelog.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index 53cf91d..b6db646 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,13 +1,13 @@ # Changes to rhel9CIS -## 2.0.1 - Based on CIS v2.0.0 +## 2.0.2 - Based on CIS v2.0.0 - Update to audit_only to allow fetching results - resolved false warning for fetch audit - fix root user check - Improved documentation and variable compilation for crypto policies - Addresses #318 - Thank you @kodebach & @bgro - - Improved logic for 5.2.4 to exclude rhel9cis_sudoers_exclude_nopasswd_list in pre-check task/main.yml + - Improved logic for 5.2.4 to exclude rhel9cis_sudoers_exclude_nopasswd_list in pre-check tasks/main.yml ## 2.0.1 - Based on CIS v2.0.0 From 7ec2c9bf5efa92a2b90697d7d9f4d239dc08f4e7 Mon Sep 17 00:00:00 2001 From: davidalexander83 Date: Wed, 2 Jul 2025 12:32:20 +1000 Subject: [PATCH 66/66] Fix re.error due to (?i) not at start of re 6.2.2.3 and 6.2.2.4 cause issues due to current re syntax: ^(?i)(\s*compress=) re.error: global flags not at the start of the expression at position 1 Fix removes ^ which resolves issue without affecting functionality. Signed-off-by: davidalexander83 --- tasks/section_6/cis_6.2.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_6/cis_6.2.2.x.yml b/tasks/section_6/cis_6.2.2.x.yml index a57efe2..fe0f8c4 100644 --- a/tasks/section_6/cis_6.2.2.x.yml +++ b/tasks/section_6/cis_6.2.2.x.yml @@ -50,7 +50,7 @@ - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf - regexp: ^(?i)(\s*compress=) + regexp: (?i)(\s*compress=) replace: '#\1' - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured" @@ -76,5 +76,5 @@ - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf - regexp: ^(?i)(\s*storage=) + regexp: (?i)(\s*storage=) replace: '#\1'