improved tests and updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-08-09 13:13:17 +01:00
parent 485a85db76
commit 265423eb0a
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
11 changed files with 171 additions and 152 deletions


@ -124,14 +124,14 @@
fail_msg: "You still have the default name for your authselect profile" fail_msg: "You still have the default name for your authselect profile"
- name: "PRELIM | AUDIT | Check authselect profile is selected" - name: "PRELIM | AUDIT | Check authselect profile is selected"
ansible.builtin.shell: authselect current ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}'
changed_when: false changed_when: false
failed_when: prelim_authselect_current_config.rc not in [ 0, 1 ] failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
register: prelim_authselect_current_config register: prelim_authselect_current_profile
- name: "PRELIM | AUDIT | Check authselect profile is selected" - name: "PRELIM | AUDIT | Check authselect profile is selected"
ansible.builtin.assert: ansible.builtin.assert:
that: prelim_authselect_current_config is defined that: prelim_authselect_current_profile is defined
success_msg: "Authselect is running and profile is selected" success_msg: "Authselect is running and profile is selected"
fail_msg: Authselect updates have been selected there are issues with profile selection" fail_msg: Authselect updates have been selected there are issues with profile selection"
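Review bot: The assert in the second `Check authselect profile is selected` task is vacuous on the new side: `prelim_authselect_current_profile` is always defined once `register:` has run, even when `authselect current` exited 1, so the fail_msg can never fire. Asserting on the result makes the check meaningful, e.g. `that: prelim_authselect_current_profile.rc == 0` (optionally also `prelim_authselect_current_profile.stdout | length > 0`, since the new pipeline reduces stdout to a single profile token). The fail_msg on the last line also carries a stray trailing `"` with no opening quote, which will be printed as part of the message.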


@ -14,7 +14,9 @@
- rule_5.3.2.1 - rule_5.3.2.1
block: block:
- name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles" - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles"
when: prelim_authselect_current_config.stdout is not defined when:
- rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or
prelim_authselect_current_profile.stdout is not defined
ansible.builtin.shell: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}" ansible.builtin.shell: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
args: args:
creates: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}" creates: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}"
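Review bot: The `when` on the create-profile task tests `prelim_authselect_current_profile.stdout is not defined`, which cannot be true for a registered `shell` result, and it sits after the `not in` test so it gives no short-circuit protection either. If the intent is "no profile currently selected", the meaningful test is an empty stdout, e.g. `- prelim_authselect_current_profile.stdout | length == 0 or rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout`. The `creates:` argument already makes the task idempotent once the custom profile directory exists, so the condition mainly affects whether the task is reported as skipped or run.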


@ -51,7 +51,7 @@
- rule_5.3.3.4.2 - rule_5.3.3.4.2
block: block:
- name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state" - name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state"
ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/{password,system}-auth | grep -P -- '\bremember\b' ansible.builtin.shell: grep -E "password.*pam_unix.so.*remember" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq
changed_when: false changed_when: false
failed_when: rhel9cis_pam_remember.rc not in [ 0, 1 ] failed_when: rhel9cis_pam_remember.rc not in [ 0, 1 ]
register: rhel9cis_pam_remember register: rhel9cis_pam_remember
@ -61,9 +61,10 @@
- not rhel9cis_allow_authselect_updates - not rhel9cis_allow_authselect_updates
- rhel9cis_pam_remember.stdout | length > 0 - rhel9cis_pam_remember.stdout | length > 0
ansible.builtin.replace: ansible.builtin.replace:
path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwunix_file }}" path: "{{ item }}"
regexp: remember=\d+ regexp: remember
replace: '' replace: ''
loop: "{{ rhel9cis_pam_remember.stdout_lines }}"
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect" - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
when: when:
@ -90,7 +91,7 @@
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state" - name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state"
ansible.builtin.shell: grep -PH -- '^\h*password\h+([^#\n\r]+)\h+pam_unix\.so\h+([^#\n\r]+\h+)?("{{ rhel9cis_passwd_hash_algo }}")\b' /etc/pam.d/*-auth ansible.builtin.shell: grep -E "password.*pam_unix.so.*(sha512|yescrypt)" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq
changed_when: false changed_when: false
failed_when: rhel9cis_pam_pwhash.rc not in [ 0, 1 ] failed_when: rhel9cis_pam_pwhash.rc not in [ 0, 1 ]
register: rhel9cis_pam_pwhash register: rhel9cis_pam_pwhash
@ -100,17 +101,18 @@
- not rhel9cis_allow_authselect_updates - not rhel9cis_allow_authselect_updates
- rhel9cis_pam_remember.stdout | length > 0 - rhel9cis_pam_remember.stdout | length > 0
ansible.builtin.replace: ansible.builtin.replace:
path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwunix_file }}" path: "{{ item }}"
regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)" regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)"
replace: '{{ rhel9cis_passwd_hash_algo }}' replace: '{{ rhel9cis_passwd_hash_algo }}'
loop: "{{ rhel9cis_pam_remember.stdout_lines }}"
- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Remove remember from pam files AuthSelect" - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect"
when: when:
- rhel9cis_allow_authselect_updates - rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)(sha512|yescrypt)(.*$) regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)(sha512|yescrypt)(.*$)
line: \1\2 {{ rhel9cis_passwd_hash_algo }}\4 line: \1\2\3\4{{ rhel9cis_passwd_hash_algo }}\6
backrefs: true backrefs: true
loop: loop:
- password - password
@ -130,7 +132,7 @@
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
block: block:
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state" - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state"
ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix\.so\b' /etc/pam.d/{password,system}-auth | grep -Pv -- '\buse_authtok\b' ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix.so\b' /etc/pam.d/{password,system}-auth | grep -Pv -- '\buse_authtok\b'
changed_when: false changed_when: false
failed_when: rhel9cis_pam_authtok.rc not in [ 0, 1 ] failed_when: rhel9cis_pam_authtok.rc not in [ 0, 1 ]
register: rhel9cis_pam_authtok register: rhel9cis_pam_authtok
@ -142,8 +144,8 @@
- rhel9cis_pam_authtok.stdout | length > 0 - rhel9cis_pam_authtok.stdout | length > 0
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ item }}" path: "{{ item }}"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)use_authtok(.*$) regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$)
line: \1\2 use_authtok\3 line: \1\2\3\4use_authtok \5
backrefs: true backrefs: true
loop: "{{ rhel9cis_pam_authtok.stdout_lines }}" loop: "{{ rhel9cis_pam_authtok.stdout_lines }}"
@ -152,8 +154,8 @@
- rhel9cis_allow_authselect_updates - rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)use_authtok(.*$) regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$)
line: \1\2 use_authtok\3 line: \1\2\3\4use_authtok\5
backrefs: true backrefs: true
loop: loop:
- password - password
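Review bot: In the 5.3.3.4.3 replace task the `when` and `loop` still reference the remember capture (`- rhel9cis_pam_remember.stdout | length > 0` and `loop: "{{ rhel9cis_pam_remember.stdout_lines }}"`) rather than the `rhel9cis_pam_pwhash` result registered just above, so the hash-algorithm rewrite only runs on files that happen to contain `remember` and the pwhash capture is never used; both should read `rhel9cis_pam_pwhash`. Note also that the new capture grep selects files that already carry `sha512|yescrypt`, so a pam_unix line using only `md5` or `sha256` is never remediated by this path; capturing on `grep -E "password.*pam_unix.so" /etc/pam.d/*-auth` and letting the replace regexp do the algorithm matching would cover that. The same copy-paste pattern is in the 5.3.3.4.2 hunk above, where `regexp: remember` strips only the word and leaves a dangling `=N` token on the pam_unix line; `regexp: '\s*remember=\d+'` (as before, plus the leading whitespace) keeps the line well-formed.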


@ -19,10 +19,10 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/login.defs path: /etc/login.defs
regexp: '^PASS_MAX_DAYS' regexp: '^PASS_MAX_DAYS'
line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" line: "PASS_MAX_DAYS {{ rhel9cis_pass_max_days }}"
- name: "5.4.1.1 | AUDIT | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS" - name: "5.4.1.1 | AUDIT | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS"
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass['max_days'] }} || $5< {{ rhel9cis_pass['max_days'] }} || $5 == -1)){print $1}' /etc/shadow" ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass_max_days }} || $5< {{ rhel9cis_pass_max_days }} || $5 == -1)){print $1}' /etc/shadow"
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_max_days register: discovered_max_days
@ -34,7 +34,7 @@
- rhel9cis_force_user_maxdays - rhel9cis_force_user_maxdays
ansible.builtin.user: ansible.builtin.user:
name: "{{ item }}" name: "{{ item }}"
password_expire_max: "{{ rhel9cis_pass['max_days'] }}" password_expire_max: "{{ rhel9cis_pass_max_days }}"
loop: "{{ discovered_max_days.stdout_lines }}" loop: "{{ discovered_max_days.stdout_lines }}"
- name: "5.4.1.2 | PATCH | Ensure minimum password days is configured" - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
@ -51,10 +51,10 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/login.defs path: /etc/login.defs
regexp: '^PASS_MIN_DAYS' regexp: '^PASS_MIN_DAYS'
line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" line: "PASS_MIN_DAYS {{ rhel9cis_pass_min_days }}"
- name: "5.4.1.2 | AUDIT | Ensure minimum password days is configured | Get existing users PASS_MIN_DAYS" - name: "5.4.1.2 | AUDIT | Ensure minimum password days is configured | Get existing users PASS_MIN_DAYS"
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass['min_days'] }} {print $1}' /etc/shadow" ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass_min_days }} {print $1}' /etc/shadow"
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_min_days register: discovered_min_days
@ -66,7 +66,7 @@
- rhel9cis_force_user_mindays - rhel9cis_force_user_mindays
ansible.builtin.user: ansible.builtin.user:
name: "{{ item }}" name: "{{ item }}"
password_expire_max: "{{ rhel9cis_pass['min_days'] }}" password_expire_max: "{{ rhel9cis_pass_min_days }}"
loop: "{{ discovered_min_days.stdout_lines }}" loop: "{{ discovered_min_days.stdout_lines }}"
- name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured" - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"
@ -83,10 +83,10 @@
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/login.defs path: /etc/login.defs
regexp: '^PASS_WARN_AGE' regexp: '^PASS_WARN_AGE'
line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" line: "PASS_WARN_AGE {{ rhel9cis_pass_warn_age }}"
- name: "5.4.1.3 | AUDIT | Ensure password expiration warning days is configured | Get existing users WARN_DAYS" - name: "5.4.1.3 | AUDIT | Ensure password expiration warning days is configured | Get existing users WARN_DAYS"
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass['warn_age'] }} {print $1}' /etc/shadow" ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass_warn_age }} {print $1}' /etc/shadow"
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_warn_days register: discovered_warn_days
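Review bot: The 5.4.1.2 per-user task still sets `password_expire_max: "{{ rhel9cis_pass_min_days }}"` on the new side, so any user found with a too-small minimum age gets their maximum password age overwritten with the min-days value while PASS_MIN_DAYS is left untouched. It should be `password_expire_min: "{{ rhel9cis_pass_min_days }}"`. Only the variable rename changed on that line in this commit, so the defect predates it, but it is worth fixing in the same pass as the `max_days` counterpart is correct.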


@ -46,16 +46,32 @@
- patch - patch
- rule_6.1.2 - rule_6.1.2
- NIST800-53R5_AU-2 - NIST800-53R5_AU-2
ansible.builtin.cron: block:
name: Run AIDE integrity check - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked"
cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}" when: rhel9cis_aide_scan == "cron"
user: "{{ rhel9cis_aide_cron['cron_user'] }}" ansible.builtin.cron:
minute: "{{ rhel9cis_aide_cron['aide_minute'] | default('0') }}" name: Run AIDE integrity check
hour: "{{ rhel9cis_aide_cron['aide_hour'] | default('5') }}" cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}"
day: "{{ rhel9cis_aide_cron['aide_day'] | default('*') }}" user: "{{ rhel9cis_aide_cron['cron_user'] }}"
month: "{{ rhel9cis_aide_cron['aide_month'] | default('*') }}" minute: "{{ rhel9cis_aide_cron['aide_minute'] | default('0') }}"
weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}" hour: "{{ rhel9cis_aide_cron['aide_hour'] | default('5') }}"
job: "{{ rhel9cis_aide_cron['aide_job'] }}" day: "{{ rhel9cis_aide_cron['aide_day'] | default('*') }}"
month: "{{ rhel9cis_aide_cron['aide_month'] | default('*') }}"
weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}"
job: "{{ rhel9cis_aide_cron['aide_job'] }}"
- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
when: rhel9cis_aide_scan == "timer"
ansible.builtin.systemd:
name: aidecheck.service
enabled: true
- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
when: rhel9cis_aide_scan == "timer"
ansible.builtin.systemd:
name: aidecheck.timer
state: running
enabled: true
- name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" - name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
when: when:
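Review bot: `state: running` on the `aidecheck.timer` task is not a value `ansible.builtin.systemd` accepts (its `state` choices are `started`, `stopped`, `restarted`, `reloaded`), so the timer branch will fail at runtime; use `state: started`. Both systemd tasks also carry the same name suffix `| aide service`; naming the second `| aide timer` keeps the play output readable. Nothing in this hunk installs `aidecheck.service` or `aidecheck.timer`, so the timer branch presumably relies on those units being created elsewhere in the role — worth confirming, since enabling a missing unit also fails the play.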


@ -78,85 +78,3 @@
loop: loop:
- systemd-journal-remote.socket - systemd-journal-remote.socket
- systemd-journal-remote.service - systemd-journal-remote.service
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled"
when:
- rhel9cis_rule_6_2_2_2
tags:
- level1-server
- level2-workstation
- patch
- journald
- rule_6.2.2.2
- NIST800-53R5_AU-2
- NIST800-53R5_AU-6
- NIST800-53R5_AU-7
- NIST800-53R5_AU-12
notify: Restart journald
block:
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | Add file"
ansible.builtin.template:
src: etc/systemd/journald.conf.d/forwardtosyslog.conf.j2
dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf
owner: root
group: root
mode: '0640'
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
ansible.builtin.replace:
path: /etc/systemd/journald.conf
regexp: ^(\s*ForwardToSyslog)
replace: '#\1'
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
when:
- rhel9cis_rule_6_2_2_3
tags:
- level1-server
- level1-workstation
- patch
- journald
- rule_6.2.2.3
- NIST800-53R5_AU-4
notify: Restart journald
block:
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | Add file"
ansible.builtin.template:
src: etc/systemd/journald.conf.d/storage.conf.j2 # Added to the same file as 6.2.1.1.4
dest: /etc/systemd/journald.conf.d/storage.conf
owner: root
group: root
mode: '0640'
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
ansible.builtin.replace:
path: /etc/systemd/journald.conf
regexp: ^(?i)(\s*compress=)
replace: '#\1'
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
when:
- rhel9cis_rule_6_2_2_4
tags:
- level1-server
- level1-workstation
- patch
- journald
- rule_6.2.2.4
- NIST800-53R5_AU-3
- NIST800-53R5_AU-12
notify: Restart journald
block:
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | Add file"
ansible.builtin.template:
src: etc/systemd/journald.conf.d/storage.conf.j2
dest: /etc/systemd/journald.conf.d/storage.conf
owner: root
group: root
mode: '0640'
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
ansible.builtin.replace:
path: /etc/systemd/journald.conf
regexp: ^(?i)(\s*storage=)
replace: '#\1'


@ -0,0 +1,83 @@
---
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled"
when:
- rhel9cis_rule_6_2_2_2
tags:
- level1-server
- level2-workstation
- patch
- journald
- rule_6.2.2.2
- NIST800-53R5_AU-2
- NIST800-53R5_AU-6
- NIST800-53R5_AU-7
- NIST800-53R5_AU-12
notify: Restart journald
block:
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | Add file"
ansible.builtin.template:
src: etc/systemd/journald.conf.d/forwardtosyslog.conf.j2
dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf
owner: root
group: root
mode: '0640'
- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
ansible.builtin.replace:
path: /etc/systemd/journald.conf
regexp: ^(\s*ForwardToSyslog)
replace: '#\1'
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
when:
- rhel9cis_rule_6_2_2_3
tags:
- level1-server
- level1-workstation
- patch
- journald
- rule_6.2.2.3
- NIST800-53R5_AU-4
notify: Restart journald
block:
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | Add file"
ansible.builtin.template:
src: etc/systemd/journald.conf.d/storage.conf.j2 # Added to the same file as 6.2.1.1.4
dest: /etc/systemd/journald.conf.d/storage.conf
owner: root
group: root
mode: '0640'
- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
ansible.builtin.replace:
path: /etc/systemd/journald.conf
regexp: ^(?i)(\s*compress=)
replace: '#\1'
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
when:
- rhel9cis_rule_6_2_2_4
tags:
- level1-server
- level1-workstation
- patch
- journald
- rule_6.2.2.4
- NIST800-53R5_AU-3
- NIST800-53R5_AU-12
notify: Restart journald
block:
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | Add file"
ansible.builtin.template:
src: etc/systemd/journald.conf.d/storage.conf.j2
dest: /etc/systemd/journald.conf.d/storage.conf
owner: root
group: root
mode: '0640'
- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
ansible.builtin.replace:
path: /etc/systemd/journald.conf
regexp: ^(?i)(\s*storage=)
replace: '#\1'
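Review bot: The `comment out current entries` tasks only neutralise `ForwardToSyslog`, `Compress` and `Storage` in `/etc/systemd/journald.conf`, but any other drop-in under `/etc/systemd/journald.conf.d/` that sets the same key is presumably applied after the main file in lexical order and can override the two files written here; running the same `replace` over `/etc/systemd/journald.conf.d/*.conf` (excluding `forwardtosyslog.conf` and `storage.conf`) or at least auditing for such overrides would close that gap. Also, 6.2.2.3 and 6.2.2.4 both render `storage.conf.j2` to the same `storage.conf`; a short comment on the 6.2.2.4 task, e.g. `# Compress and Storage share storage.conf; rendered again so this rule stands alone when 6.2.2.3 is disabled`, would make that intent explicit rather than looking like a duplicate.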


@ -16,47 +16,37 @@
failed_when: false failed_when: false
register: discovered_logfiles register: discovered_logfiles
- name: "6.2.4.1 | AUDIT | Ensure access to all logfiles has been configured | set_fact" - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
when: when:
- discovered_logfiles.stdout_lines | length > 0 - discovered_logfiles.stdout_lines | length > 0
- discovered_logfiles is defined - ('audit.log' in item or 'journal' in item) or
ansible.builtin.set_fact: item == '/var/log/secure' or
discovered_logfiles_flattened: "{{ discovered_logfiles.stdout_lines | flatten }}" item == '/var/log/syslog' or
item == '/var/log/messages' or
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" item == '/var/log/auth.log'
when:
- discovered_logfiles_flattened is defined
- item == "/var/log/secure"
- item == "/var/log/auth.log"
- item == "/var/log/syslog"
- "'journal' in item"
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
mode: 'u-x,g-wx,o-rwx' mode: 'u-x,g-wx,o-rwx'
loop: "{{ discovered_logfiles_flattened }}" loop: "{{ discovered_logfiles.stdout_lines }}"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
when: when:
- discovered_logfiles_flattened is defined - discovered_logfiles.stdout_lines | length > 0
- item == "/var/log/btmp" - ('anaconda' in item or 'dnf' in item or 'secure' in item or 'messages' in item or 'hawkey' in item)
- item == "/var/log/utmp"
- item == "/var/log/wtmp"
- item == "/var/log/lastlog"
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
mode: 'u-x,g-wx,o-rwx' mode: 'u-x,g-x,o-rwx'
owner: root loop: "{{ discovered_logfiles.stdout_lines }}"
group: root
loop: "{{ discovered_logfiles_flattened }}"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
when: when:
- discovered_logfiles_flattened is defined - discovered_logfiles.stdout_lines | length > 0
- "'sssd' in item" - ('sssd' in item or 'lastlog' in item) or
- item == "/var/log/utmp" item == "/var/log/btmp" or
- item == "/var/log/wtmp" item == "/var/log/utmp" or
- item == "/var/log/lastlog" item == "/var/log/wtmp" or
item == "/var/log/lastlog"
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
mode: 'u-x,g-wx,o-rwx' mode: 'ug-x,o-wx'
loop: "{{ discovered_logfiles_flattened }}" loop: "{{ discovered_logfiles.stdout_lines }}"
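Review bot: The rewritten permission tasks no longer set any ownership, whereas the old version at least intended `owner: root`/`group: root` for btmp/utmp/wtmp/lastlog; if 6.2.4.1 also covers ownership (the rule is titled "access", so presumably), the fix should keep `owner`/`group` here rather than drop it. The substring tests (`'secure' in item`, `'messages' in item`, `'journal' in item`) also match rotated files and any unrelated path containing those words, and `/var/log/secure` and `/var/log/messages` are matched by both the first and second task, so the final mode depends on task order; matching on `item | basename` with an anchored regex would be more predictable. The task that registers `discovered_logfiles` starts before this hunk and is not visible here.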


@ -8,11 +8,16 @@
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: cis_6.2.1.x.yml file: cis_6.2.1.x.yml
- name: "SECTION | 6.2.2 | Configure journald" - name: "SECTION | 6.2.2.1.x | Configure journald-remote"
when: rhel9cis_syslog == 'journald' when: rhel9cis_syslog == 'journald'
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: cis_6.2.2.1.x.yml file: cis_6.2.2.1.x.yml
- name: "SECTION | 6.2.2.x | Configure journald"
when: rhel9cis_syslog == 'journald'
ansible.builtin.import_tasks:
file: cis_6.2.2.x.yml
- name: "SECTION | 6.2.3 | Configure rsyslog" - name: "SECTION | 6.2.3 | Configure rsyslog"
when: rhel9cis_syslog == 'rsyslog' when: rhel9cis_syslog == 'rsyslog'
ansible.builtin.import_tasks: ansible.builtin.import_tasks:


@ -46,6 +46,9 @@
-w /etc/gshadow -p wa -k identity -w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity -w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity -w /etc/security/opasswd -p wa -k identity
-w /etc/nsswitch.conf -p wa -k identity
-w /etc/pam.conf -p wa -k identity
-w /etc/pam.d -p wa -k identity
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_9 %} {% if rhel9cis_rule_6_3_3_9 %}
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
@ -83,7 +86,7 @@
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_17 %} {% if rhel9cis_rule_6_3_3_17 %}
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k priv_cmd -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k priv_chng
{% endif %} {% endif %}
{% if rhel9cis_rule_6_3_3_18 %} {% if rhel9cis_rule_6_3_3_18 %}
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod


@ -1,9 +1,9 @@
# CIS Configurations # CIS Configurations
# 5.3.3.2.3 Ensure password complexity is configured # 5.3.3.2.3 Ensure password complexity is configured
{% if rhel9cis_passwd_complex_option == minclass %} {% if rhel9cis_passwd_complex_option == 'minclass' %}
minclass = {{ rhel9cis_passwd_minclass }} minclass = {{ rhel9cis_passwd_minclass }}
{ %endif %} {% endif %}
{% if rhel9cis_passwd_complex_option == credits %} {% if rhel9cis_passwd_complex_option == 'credits' %}
dcredit = {{rhel9cis_passwd_dcredit }} dcredit = {{rhel9cis_passwd_dcredit }}
ucredit = {{ rhel9cis_passwd_ucredit }} ucredit = {{ rhel9cis_passwd_ucredit }}
ocredit = {{ rhel9cis_passwd_ocredit }} ocredit = {{ rhel9cis_passwd_ocredit }}
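Review bot: If `rhel9cis_passwd_complex_option` is set to anything other than `'minclass'` or `'credits'` (or is undefined), this template now renders no complexity settings at all, so pwquality silently falls back to its defaults while the rule is reported as applied. A cheap guard is either an `{% else %}` branch rendering `minclass = {{ rhel9cis_passwd_minclass }}` as the safe default, or an assert on the variable in the prelim tasks. `{{rhel9cis_passwd_dcredit }}` is also missing the space after the opening braces — harmless to Jinja, but inconsistent with the neighbouring lines.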