From de7555aa1045fb30caeb292f34d74a9ad8e69920 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 2 Sep 2025 17:14:30 -0400 Subject: [PATCH 1/7] Update Changelog with fixes Signed-off-by: Frederick Witty --- Changelog.md | 2 +- tasks/prelim.yml | 20 +++++++------------- tasks/section_1/cis_1.6.x.yml | 5 +++-- tasks/section_4/cis_4.3.x.yml | 2 +- 4 files changed, 12 insertions(+), 17 deletions(-) diff --git a/Changelog.md b/Changelog.md index 68ba2d4..af7476e 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,7 +1,7 @@ # Changes to rhel9CIS ## 2.0.3 - Based on CIS v2.0.0 - +- update command to shell module on tasks - addressed issue 371 thanks to @bgro and kodebach - addressed issue 350 thanks to @chrispipo - addressed issue 364 thanks to @polski-g diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 715b0cb..bd69172 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -167,6 +167,7 @@ current_crypto_module: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[1] }}" - name: "PRELIM | AUDIT | Set facts based on boot type" + tags: always block: - name: "PRELIM | AUDIT | Check whether machine is UEFI-based" ansible.builtin.stat: @@ -185,17 +186,14 @@ grub2_path: /etc/grub2-efi.cfg - name: "PRELIM | AUDIT | Discover Gnome Desktop Environment" - tags: - - always + tags: always ansible.builtin.stat: path: /usr/share/gnome/gnome-version.xml register: prelim_gnome_present - name: "PRELIM | PATCH | Install dconf if gui installed" - when: - - rhel9cis_gui - tags: - - always + when: rhel9cis_gui + tags: always ansible.builtin.package: name: dconf state: present @@ -204,8 +202,7 @@ when: - rhel9cis_rule_3_1_2 - not system_is_container - tags: - - always + tags: always block: - name: "PRELIM | AUDIT | Discover is wireless adapter on system" ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless 
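Review bot: The last line of the `@@ -204,8 +202,7 @@` hunk, `ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless`, runs under the command module, which performs no shell globbing, so `find` receives the literal path `/sys/class/net/*/` and exits with "No such file or directory" instead of walking the interfaces; unless that argument is expanded somewhere I cannot see, the wireless discovery this block feeds would come back empty on every host. The commit's own theme is moving piped commands to the shell module, but a shell is not needed here: `ansible.builtin.command: find -L /sys/class/net -mindepth 2 -maxdepth 2 -type d -name wireless` follows the per-interface symlinks the glob used to resolve and keeps the task free of shell expansion — please confirm on a host with a wireless interface before relying on it. The `PRELIM | AUDIT | Discover is wireless adapter on system` task continues outside the hunk, so I cannot see how its result or a non-zero exit is handled.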
@@ -251,9 +248,7 @@ state: touch - name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists" - when: - - rhel9cis_rule_5_1_10 or - rhel9cis_rule_5_1_11 + when: rhel9cis_rule_5_1_10 or rhel9cis_rule_5_1_11 ansible.builtin.stat: path: /etc/ssh/sshd_config.d/50-redhat.conf register: prelim_sshd_50_redhat_file @@ -361,7 +356,6 @@ prelim_max_int_uid: "{{ prelim_uid_max_id.stdout | default(max_int_uid) }}" - name: "PRELIM | AUDIT | Gather the package facts after prelim" - tags: - - always + tags: always ansible.builtin.package_facts: manager: auto diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index c418324..0530645 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -21,12 +21,14 @@ tags: - level1-server - level1-workstation + - sshd - automated - patch - rule_1.6.2 - NIST800-53R5_SC-8 - NIST800-53R5_IA-5 - - NIST800-53R5_AC-17- NIST800-53R5_SC-6 + - NIST800-53R5_AC-17 + - NIST800-53R5_SC-6 ansible.builtin.lineinfile: path: /etc/sysconfig/sshd regexp: ^CRYPTO_POLICY\s*= @@ -76,7 +78,6 @@ - rule_1.6.4 - NIST800-53R5_SC-6 block: - - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion" ansible.builtin.template: src: etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml index 4e23998..4398df2 100644 --- a/tasks/section_4/cis_4.3.x.yml +++ b/tasks/section_4/cis_4.3.x.yml @@ -81,7 +81,7 @@ register: discovered_nftables_inconnectionrule - name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules" - ansible.builtin.command: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' changed_when: false failed_when: false register: discovered_nftables_outconnectionrule 
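Review bot: Switching the outbound rule gatherer to `ansible.builtin.shell` makes the `|` pipeline actually run, but the inbound counterpart registered as `discovered_nftables_inconnectionrule` just above the hunk is not touched by this commit; if it runs the same `nft list ruleset | awk | grep -E` pipeline under `ansible.builtin.command`, it has the defect this line fixes and should move to the shell module as well. With a shell pipeline the task's return code is grep's, so `failed_when: false` is what keeps an empty rule set from failing the play, and a missing or failing `nft` binary is silenced the same way and looks like "no rules"; a comment such as `# failed_when: false — grep exits 1 when no matching rule exists; nft errors are also swallowed here` would make that trade-off explicit. The rest of the 4.3.2 block is outside the hunk.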
From b0ec6c48208d026e59939c6b9750e033a6bc00d0 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 5 Sep 2025 16:24:11 -0400 Subject: [PATCH 2/7] Fix for #384, thank you @polski-g Signed-off-by: Frederick Witty --- Changelog.md | 1 + defaults/main.yml | 2 +- tasks/main.yml | 2 +- tasks/section_1/main.yml | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Changelog.md b/Changelog.md index af7476e..fb4a9f4 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changes to rhel9CIS ## 2.0.3 - Based on CIS v2.0.0 +- addressed issue #384 thank you @polski-g - update command to shell module on tasks - addressed issue 371 thanks to @bgro and kodebach - addressed issue 350 thanks to @chrispipo diff --git a/defaults/main.yml b/defaults/main.yml index 98efbba..344e195 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -618,7 +618,7 @@ rhel9cis_warning_banner: Authorized users only. All activity may be monitored an ## Control 1.8.x - Settings for GDM # do not run Control 1.8.x if using a display manager different than gdm -rhel10cis_display_manager: "gdm" +rhel9cis_display_manager: "gdm" # This variable governs whether rules dealing with GUI specific packages(and/or their settings) should # be executed either to: # - secure GDM, if GUI is needed('rhel9cis_gui: true') diff --git a/tasks/main.yml b/tasks/main.yml index 83aff0c..968debd 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -97,7 +97,7 @@ ( ((prelim_ansible_user_password_set.stdout | length != 0) and (prelim_ansible_user_password_set.stdout != "!!" )) or - (ansible_env.SUDO_USER in rhel10cis_sudoers_exclude_nopasswd_list) + (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list) ) fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4" diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 29687b3..fff557b 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -61,6 +61,6 @@ file: cis_1.7.x.yml - name: "SECTION | 1.8 | Gnome Display Manager" - when: rhel10cis_display_manager == 'gdm' + when: rhel9cis_display_manager == 'gdm' ansible.builtin.import_tasks: file: cis_1.8.x.yml From 413ccb96b7131dcc7c3427cf806758b7223b8038 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 5 Sep 2025 16:39:55 -0400 Subject: [PATCH 3/7] Update cryto policy based controls with improved logic Signed-off-by: Frederick Witty --- Changelog.md | 1 + defaults/main.yml | 1 + tasks/prelim.yml | 3 +-- tasks/section_1/cis_1.6.x.yml | 9 ++++++++- tasks/section_5/cis_5.1.x.yml | 3 +++ 5 files changed, 14 insertions(+), 3 deletions(-) diff --git a/Changelog.md b/Changelog.md index fb4a9f4..252418c 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changes to rhel9CIS ## 2.0.3 - Based on CIS v2.0.0 +- improvment on crypto policy managed controls with var logic - addressed issue #384 thank you @polski-g - update command to shell module on tasks - addressed issue 371 thanks to @bgro and kodebach diff --git a/defaults/main.yml b/defaults/main.yml index 344e195..b829873 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
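Review bot: The `fail_msg` context line in this hunk reads `has no password set or or the user is not included`, a doubled "or" that ends up in the operator-facing failure text; since the commit already edits this assertion, `has no password set or the user is not included in the exception list for rule 5.2.4` could be fixed in the same change. The variable-prefix correction itself is right, and a repository-wide search for the `rhel10cis_` prefix would confirm that no copy-paste leftovers remain beyond the three corrected in this series. The assertion begins before the hunk and its block continues after it.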
@@ -595,6 +595,7 @@ rhel9cis_set_boot_pass: true # -'FIPS': A level that conforms to the FIPS140-2 requirements rhel9cis_crypto_policy: 'DEFAULT' ## Controls 1.6.x and Controls 5.1.x +rhel9cis_crypto_policy_ansible_managed: true # This variable contains the value of the crypto policy module(combinations of policies and # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, # using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index bd69172..1368993 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -136,8 +136,7 @@ register: prelim_systemd_coredump - name: "PRELIM | PATCH | Setup crypto-policy" - when: - - rhel9cis_rule_1_6_1 + when: rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 0530645..6f3d6af 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -1,7 +1,9 @@ --- - name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy" - when: rhel9cis_rule_1_6_1 + when: + - rhel9cis_rule_1_6_1 + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation @@ -39,6 +41,7 @@ when: - rhel9cis_rule_1_6_3 - "'NO-SHA1' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation @@ -69,6 +72,7 @@ when: - rhel9cis_rule_1_6_4 - "'NO-WEAKMAC' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation @@ -99,6 +103,7 @@ when: - rhel9cis_rule_1_6_5 - "'NO-SSHCBC' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation 
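Review bot: The `PRELIM | PATCH | Setup crypto-policy` task replaces its `rhel9cis_rule_1_6_1` condition with `rhel9cis_crypto_policy_ansible_managed`, so disabling rule 1.6.1 no longer skips the system-wide policy rewrite; with the new default of `true` from `defaults/main.yml` the policy is applied regardless of that rule switch. If the intent is that this prelim serves both 1.6.x and 5.1.x and should not depend on any single rule, a comment above the `when`, e.g. `# Runs independently of rule 1.6.1: both 1.6.x and 5.1.x rely on the resulting policy`, would stop operators from expecting the previous behaviour when they turn 1.6.1 off. The task body continues outside the hunk.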
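Review bot: Gating `1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy` on `rhel9cis_crypto_policy_ansible_managed` means a site that opts out of Ansible-managed policy (`false`) also loses the check that the active policy is not `LEGACY`, so a weak policy goes unreported rather than merely unmanaged. If that task is audit-only, leaving its `when` as the rule switch alone — or splitting it so the audit always runs and only the remediation is gated — keeps the control observable; the same gate is added to 1.6.3–1.6.7 in this file and to 5.1.4–5.1.6 in `tasks/section_5/cis_5.1.x.yml`, where the tasks apply policy sub-modules and gating is reasonable. The 1.6.1 task body is outside the hunk, so I cannot confirm whether it only audits.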
@@ -129,6 +134,7 @@ when: - rhel9cis_rule_1_6_6 - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation @@ -159,6 +165,7 @@ when: - rhel9cis_rule_1_6_7 - "'NO-SSHETM' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 3fd366c..ee384d3 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -80,6 +80,7 @@ when: - rhel9cis_rule_5_1_4 - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation @@ -108,6 +109,7 @@ when: - rhel9cis_rule_5_1_5 - "'NO-SHA1' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation @@ -136,6 +138,7 @@ when: - rhel9cis_rule_5_1_6 - "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation From 2dfa9266a8ce9f0d08b210302c523e8b8058e0f8 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 8 Sep 2025 11:54:57 -0400 Subject: [PATCH 4/7] Update cryto policy var to standard Signed-off-by: Frederick Witty --- defaults/main.yml | 6 +++--- tasks/prelim.yml | 2 +- tasks/section_1/cis_1.6.x.yml | 12 ++++++------ tasks/section_5/cis_5.1.x.yml | 6 +++--- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index b829873..c46ece3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -586,7 +586,9 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pr # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file. rhel9cis_set_boot_pass: true -## Controls 1.6.x +## Controls 1.6.x and Controls 5.1.x +# This variable governs if current Ansible role should manage system-wide crypto policy. +rhel9cis_crypto_policy_ansiblemanaged: true # This variable contains the value to be set as the system-wide crypto policy. Current rule enforces NOT USING # 'LEGACY' value(as it is less secure, it just ensures compatibility with legacy systems), therefore # possible values for this variable are, as explained by RedHat docs: @@ -594,8 +596,6 @@ rhel9cis_set_boot_pass: true # -'FUTURE': conservative security level that is believed to withstand any near-term future attacks # -'FIPS': A level that conforms to the FIPS140-2 requirements rhel9cis_crypto_policy: 'DEFAULT' -## Controls 1.6.x and Controls 5.1.x -rhel9cis_crypto_policy_ansible_managed: true # This variable contains the value of the crypto policy module(combinations of policies and # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, # using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1368993..7321267 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -136,7 +136,7 @@ register: prelim_systemd_coredump - name: "PRELIM | PATCH | Setup crypto-policy" - when: rhel9cis_crypto_policy_ansible_managed + when: rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 6f3d6af..8aace04 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml 
@@ -3,7 +3,7 @@ - name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy" when: - rhel9cis_rule_1_6_1 - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -41,7 +41,7 @@ when: - rhel9cis_rule_1_6_3 - "'NO-SHA1' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -72,7 +72,7 @@ when: - rhel9cis_rule_1_6_4 - "'NO-WEAKMAC' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -103,7 +103,7 @@ when: - rhel9cis_rule_1_6_5 - "'NO-SSHCBC' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -134,7 +134,7 @@ when: - rhel9cis_rule_1_6_6 - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -165,7 +165,7 @@ when: - rhel9cis_rule_1_6_7 - "'NO-SSHETM' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index ee384d3..42ca036 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -80,7 +80,7 @@ when: - rhel9cis_rule_5_1_4 - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation 
@@ -109,7 +109,7 @@ when: - rhel9cis_rule_5_1_5 - "'NO-SHA1' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -138,7 +138,7 @@ when: - rhel9cis_rule_5_1_6 - "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation From 5794114b3e2207655b173a098c0b01bdc9a2474a Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 9 Sep 2025 15:12:01 -0400 Subject: [PATCH 5/7] Update prelim logic to address #382 Signed-off-by: Frederick Witty --- Changelog.md | 1 + tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 252418c..9e27290 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changes to rhel9CIS ## 2.0.3 - Based on CIS v2.0.0 +- addressed issue #382 to improve regex logic on 5.4.2.4 - improvment on crypto policy managed controls with var logic - addressed issue #384 thank you @polski-g - update command to shell module on tasks diff --git a/tasks/main.yml b/tasks/main.yml index 968debd..760ee1b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -134,7 +134,7 @@ - rule_5.4.2.4 block: - name: "Ensure root password is set" - ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)" + ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)" changed_when: false failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ] register: prelim_root_passwd_set From e61cafb59be8b9c447fab098d9e3acb77de723dd Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 9 Sep 2025 15:59:30 -0400 Subject: [PATCH 6/7] addressed issue #387, thank you @fragglexarmy Signed-off-by: Frederick Witty --- Changelog.md | 1 + tasks/section_5/cis_5.4.1.x.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
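Review bot: The widened pattern `(Password set|Password locked)` accepts any hash algorithm reported by `passwd -S root`, which fits the rule's purpose of confirming a root password exists, but the return code inspected by `failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]` is grep's, not `passwd`'s, so a failing `passwd -S` still exits 1 and reads as "no match". Prefixing the pipeline with `set -o pipefail &&` together with `args: executable: /bin/bash` would let a non-zero exit from `passwd` propagate instead of being masked; otherwise a comment such as `# rc 1 == root password neither set nor locked; passwd errors are not distinguished` documents the limitation. The block containing this task starts before the hunk and continues after it.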
diff --git a/Changelog.md b/Changelog.md index 9e27290..099c93d 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changes to rhel9CIS ## 2.0.3 - Based on CIS v2.0.0 +- addressed issue #387, thank you @fragglexarmy - addressed issue #382 to improve regex logic on 5.4.2.4 - improvment on crypto policy managed controls with var logic - addressed issue #384 thank you @polski-g diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 7fcfb0b..3ea1c99 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -64,7 +64,7 @@ - rhel9cis_force_user_mindays ansible.builtin.user: name: "{{ item }}" - password_expire_max: "{{ rhel9cis_pass_min_days }}" + password_expire_min: "{{ rhel9cis_pass_min_days }}" loop: "{{ discovered_min_days.stdout_lines }}" - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured" From d92ec8c5640319995ea3f33e3409f8c9d0230d75 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 9 Sep 2025 16:31:14 -0400 Subject: [PATCH 7/7] typo fix Signed-off-by: Frederick Witty --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 099c93d..ec3d9aa 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,7 +3,7 @@ ## 2.0.3 - Based on CIS v2.0.0 - addressed issue #387, thank you @fragglexarmy - addressed issue #382 to improve regex logic on 5.4.2.4 -- improvment on crypto policy managed controls with var logic +- improvement on crypto policy managed controls with var logic - addressed issue #384 thank you @polski-g - update command to shell module on tasks - addressed issue 371 thanks to @bgro and kodebach
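Review bot: Changing `password_expire_max` to `password_expire_min` is the right fix for a minimum-days remediation, but hosts already converged with the previous release had each looped user's maximum password age set to `rhel9cis_pass_min_days`, and this change does not undo that; if the 5.4.1.1 maximum-days task only touches users above the maximum, those accounts keep an unintentionally short expiry. A line in `Changelog.md` telling operators to re-check `chage -l` on users from `discovered_min_days`, or confirmation that 5.4.1.1 re-applies `password_expire_max` unconditionally, would close that gap. The minimum-days task begins before the hunk.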