ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

improved tests and updated

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-08-09 13:13:17 +01:00
parent 485a85db76
commit 265423eb0a
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
11 changed files with 171 additions and 152 deletions
Download patch file Download diff file Expand all files Collapse all files

4
tasks/section_5/cis_5.3.2.x.yml
View file

@ -14,7 +14,9 @@
- rule_5.3.2.1
block:
- name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles"
when: prelim_authselect_current_config.stdout is not defined
when:
- rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or
prelim_authselect_current_profile.stdout is not defined
ansible.builtin.shell: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
args:
creates: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}"

28
tasks/section_5/cis_5.3.3.4.x.yml
View file

@ -51,7 +51,7 @@
- rule_5.3.3.4.2
block:
- name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state"
ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/{password,system}-auth | grep -P -- '\bremember\b'
ansible.builtin.shell: grep -E "password.*pam_unix.so.*remember" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq
changed_when: false
failed_when: rhel9cis_pam_remember.rc not in [ 0, 1 ]
register: rhel9cis_pam_remember
@ -61,9 +61,10 @@
- not rhel9cis_allow_authselect_updates
- rhel9cis_pam_remember.stdout | length > 0
ansible.builtin.replace:
path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwunix_file }}"
regexp: remember=\d+
path: "{{ item }}"
regexp: remember
replace: ''
loop: "{{ rhel9cis_pam_remember.stdout_lines }}"
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
when:
@ -90,7 +91,7 @@
- NIST800-53R5_IA-5
block:
- name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state"
ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?("{{ rhel9cis_passwd_hash_algo }}")\b' /etc/pam.d/*-auth
ansible.builtin.shell: grep -E "password.*pam_unix.so.*(sha512|yescrypt)" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq
changed_when: false
failed_when: rhel9cis_pam_pwhash.rc not in [ 0, 1 ]
register: rhel9cis_pam_pwhash
@ -100,17 +101,18 @@
- not rhel9cis_allow_authselect_updates
- rhel9cis_pam_remember.stdout | length > 0
ansible.builtin.replace:
path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwunix_file }}"
path: "{{ item }}"
regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)"
replace: '{{ rhel9cis_passwd_hash_algo }}'
loop: "{{ rhel9cis_pam_remember.stdout_lines }}"
- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Remove remember from pam files AuthSelect"
- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect"
when:
- rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)(sha512|yescrypt)(.*$)
line: \1\2 {{ rhel9cis_passwd_hash_algo }}\4
regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)(sha512|yescrypt)(.*$)
line: \1\2\3\4{{ rhel9cis_passwd_hash_algo }}\6
backrefs: true
loop:
- password
@ -130,7 +132,7 @@
- NIST800-53R5_IA-5
block:
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state"
ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/{password,system}-auth | grep -Pv -- '\buse_authtok\b'
ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix.so\b' /etc/pam.d/{password,system}-auth | grep -Pv -- '\buse_authtok\b'
changed_when: false
failed_when: rhel9cis_pam_authtok.rc not in [ 0, 1 ]
register: rhel9cis_pam_authtok
@ -142,8 +144,8 @@
- rhel9cis_pam_authtok.stdout | length > 0
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)use_authtok(.*$)
line: \1\2 use_authtok\3
regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$)
line: \1\2\3\4use_authtok \5
backrefs: true
loop: "{{ rhel9cis_pam_authtok.stdout_lines }}"
@ -152,8 +154,8 @@
- rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)use_authtok(.*$)
line: \1\2 use_authtok\3
regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$)
line: \1\2\3\4use_authtok\5
backrefs: true
loop:
- password

16
tasks/section_5/cis_5.4.1.x.yml
View file

@ -19,10 +19,10 @@
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MAX_DAYS'
line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
line: "PASS_MAX_DAYS {{ rhel9cis_pass_max_days }}"
- name: "5.4.1.1 | AUDIT | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS"
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass['max_days'] }} || $5< {{ rhel9cis_pass['max_days'] }} || $5 == -1)){print $1}' /etc/shadow"
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass_max_days }} || $5< {{ rhel9cis_pass_max_days }} || $5 == -1)){print $1}' /etc/shadow"
changed_when: false
failed_when: false
register: discovered_max_days
@ -34,7 +34,7 @@
- rhel9cis_force_user_maxdays
ansible.builtin.user:
name: "{{ item }}"
password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
password_expire_max: "{{ rhel9cis_pass_max_days }}"
loop: "{{ discovered_max_days.stdout_lines }}"
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
@ -51,10 +51,10 @@
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MIN_DAYS'
line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
line: "PASS_MIN_DAYS {{ rhel9cis_pass_min_days }}"
- name: "5.4.1.2 | AUDIT | Ensure minimum password days is configured | Get existing users PASS_MIN_DAYS"
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass['min_days'] }} {print $1}' /etc/shadow"
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass_min_days }} {print $1}' /etc/shadow"
changed_when: false
failed_when: false
register: discovered_min_days
@ -66,7 +66,7 @@
- rhel9cis_force_user_mindays
ansible.builtin.user:
name: "{{ item }}"
password_expire_max: "{{ rhel9cis_pass['min_days'] }}"
password_expire_max: "{{ rhel9cis_pass_min_days }}"
loop: "{{ discovered_min_days.stdout_lines }}"
- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"
@ -83,10 +83,10 @@
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_WARN_AGE'
line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
line: "PASS_WARN_AGE {{ rhel9cis_pass_warn_age }}"
- name: "5.4.1.3 | AUDIT | Ensure password expiration warning days is configured | Get existing users WARN_DAYS"
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass['warn_age'] }} {print $1}' /etc/shadow"
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass_warn_age }} {print $1}' /etc/shadow"
changed_when: false
failed_when: false
register: discovered_warn_days