From 2de8a39cdcfc44d770b169c642cbfcb8fbbdd287 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 4 Dec 2024 11:45:13 +0000 Subject: [PATCH] updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell --- .yamllint | 2 +- LICENSE | 2 +- handlers/main.yml | 26 +++--- tasks/LE_audit_setup.yml | 5 +- tasks/audit_only.yml | 11 +-- tasks/check_prereqs.yml | 3 +- tasks/main.yml | 50 ++++------- tasks/parse_etc_password.yml | 10 +-- tasks/post.yml | 26 ++---- tasks/post_remediation_audit.yml | 10 +-- tasks/pre_remediation_audit.yml | 55 +++++------- tasks/prelim.yml | 40 ++++----- tasks/section_1/cis_1.1.1.x.yml | 38 ++++----- tasks/section_1/cis_1.1.2.1.x.yml | 2 +- tasks/section_1/cis_1.1.2.2.x.yml | 5 +- tasks/section_1/cis_1.2.1.x.yml | 16 ++-- tasks/section_1/cis_1.3.1.x.yml | 9 +- tasks/section_1/cis_1.4.x.yml | 9 +- tasks/section_1/cis_1.5.x.yml | 9 +- tasks/section_1/cis_1.6.x.yml | 16 ++-- tasks/section_1/cis_1.7.x.yml | 30 +++---- tasks/section_1/cis_1.8.x.yml | 30 +++---- tasks/section_2/cis_2.1.x.yml | 84 +++++-------------- tasks/section_2/cis_2.2.x.yml | 5 -- tasks/section_2/cis_2.3.x.yml | 4 +- tasks/section_2/cis_2.4.x.yml | 45 ++++------ tasks/section_3/cis_3.1.x.yml | 7 +- tasks/section_3/cis_3.2.x.yml | 24 +++--- tasks/section_3/cis_3.3.x.yml | 24 ++---- tasks/section_4/cis_4.1.x.yml | 5 +- tasks/section_4/cis_4.2.x.yml | 6 +- tasks/section_4/cis_4.3.x.yml | 33 +++++--- tasks/section_5/cis_5.1.x.yml | 65 +++++--------- tasks/section_5/cis_5.2.x.yml | 21 ++--- tasks/section_5/cis_5.3.2.x.yml | 35 ++++---- tasks/section_5/cis_5.3.3.1.x.yml | 10 +-- tasks/section_5/cis_5.3.3.2.x.yml | 38 ++++----- tasks/section_5/cis_5.3.3.3.x.yml | 9 +- tasks/section_5/cis_5.3.3.4.x.yml | 12 +-- tasks/section_5/cis_5.4.1.x.yml | 42 +++++----- tasks/section_5/cis_5.4.2.x.yml | 19 ++--- tasks/section_5/cis_5.4.3.x.yml | 11 +-- tasks/section_6/cis_6.1.x.yml | 12 +-- tasks/section_6/cis_6.2.1.x.yml | 16 ++-- tasks/section_6/cis_6.2.2.x.yml | 15 ++-- tasks/section_6/cis_6.2.3.x.yml | 20 ++--- tasks/section_6/cis_6.2.4.1.yml | 3 +- tasks/section_6/cis_6.3.1.x.yml | 22 ++--- tasks/section_6/cis_6.3.2.x.yml | 12 +-- tasks/section_6/cis_6.3.3.x.yml | 66 +++++---------- tasks/section_6/cis_6.3.4.x.yml | 21 ++--- tasks/section_7/cis_7.1.x.yml | 14 ++-- tasks/section_7/cis_7.2.x.yml | 2 +- tasks/warning_facts.yml | 3 +- templates/audit/98_auditd_exception.rules.j2 | 2 +- templates/audit/99_auditd.rules.j2 | 2 +- templates/etc/cron.d/aide.cron.j2 | 2 +- templates/etc/dconf/db/00-automount_lock.j2 | 2 +- templates/etc/dconf/db/00-autorun_lock.j2 | 2 +- templates/etc/dconf/db/00-media-automount.j2 | 2 +- templates/etc/dconf/db/00-media-autorun.j2 | 2 +- templates/etc/dconf/db/00-screensaver.j2 | 2 +- templates/etc/dconf/db/00-screensaver_lock.j2 | 2 +- .../etc/dconf/db/gdm.d/01-banner-message.j2 | 2 +- templates/fs_with_cves.sh | 5 +- vars/audit.yml | 2 +- 66 files changed, 461 insertions(+), 675 deletions(-) diff --git a/.yamllint b/.yamllint index 9c0a13b..4cf7047 100644 --- a/.yamllint +++ b/.yamllint @@ -17,7 +17,7 @@ rules: comments: ignore-shebangs: true min-spaces-from-content: 1 # prettier compatibility - comments-indentation: enabled + comments-indentation: enable empty-lines: max: 1 indentation: diff --git a/LICENSE b/LICENSE index f6d2b57..7e51eb7 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/handlers/main.yml b/handlers/main.yml index 27e4a56..f6a2806 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -2,7 +2,8 @@ # handlers file for RHEL9-CIS - name: Reload sysctl - ansible.builtin.shell: sysctl --system + ansible.builtin.command: sysctl --system + changed_when: true - name: Sysctl flush ipv4 route table when: @@ -43,8 +44,8 @@ - name: Set Crypto Policy when: prelim_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy - ansible.builtin.shell: | - update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" + ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" + changed_when: true notify: - Change_requires_reboot - Restart sshd @@ -65,11 +66,13 @@ state: restarted - name: Reload dconf - ansible.builtin.shell: dconf update + ansible.builtin.command: dconf update + changed_when: true - name: Grub2cfg - ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" + ansible.builtin.command: "grub2-mkconfig -o /boot/grub2/grub.cfg" ignore_errors: true # noqa ignore-errors + changed_when: true - name: Restart rsyslog ansible.builtin.systemd: @@ -91,24 +94,25 @@ daemon-reload: true - name: Authselect update - ansible.builtin.shell: authselect apply-changes + ansible.builtin.command: authselect apply-changes + changed_when: true ## Auditd tasks note order for handlers to run - name: Auditd immutable check - ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules + ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules changed_when: false register: discovered_auditd_immutable_check - name: Audit immutable fact - when: - - discovered_auditd_immutable_check.stdout == '1' + when: discovered_auditd_immutable_check.stdout == '1' ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" notify: Change_requires_reboot -- name: Restart auditd - ansible.builtin.shell: service auditd restart +- name: Restart auditd # noqa command-instead-of-module + ansible.builtin.command: service auditd restart + changed_when: true - name: Change_requires_reboot ansible.builtin.set_fact: diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 4b407eb..7c2243f 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,5 +1,4 @@ --- - - name: Pre Audit Setup | Set audit package name block: - name: Pre Audit Setup | Set audit package name | 64bit @@ -20,13 +19,13 @@ owner: root group: root checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" - mode: '0555' + mode: "0555" - name: Pre Audit Setup | Copy audit binary when: get_audit_binary_method == 'copy' ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" - mode: '0555' + mode: "0555" owner: root group: root diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index b7dad08..c3d9596 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml @@ -1,9 +1,8 @@ --- - - name: Audit_Only | Create local Directories for hosts when: fetch_audit_files ansible.builtin.file: - mode: '0755' + mode: "0755" path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" recurse: true state: directory @@ -15,16 +14,14 @@ ansible.builtin.fetch: dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" flat: true - mode: '0644' + mode: "0644" src: "{{ pre_audit_outfile }}" - name: Audit_only | Show Audit Summary - when: - - audit_only + when: audit_only ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" - name: Audit_only | Stop Playbook Audit Only selected - when: - - audit_only + when: audit_only ansible.builtin.meta: end_play diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml index 159b72f..b9bf2af 100644 --- a/tasks/check_prereqs.yml +++ b/tasks/check_prereqs.yml @@ -1,8 +1,7 @@ --- - name: "PREREQ | If required install libselinux package to manage file changes." - when: - - '"libselinux-python3" not in ansible_facts.packages' + when: '"libselinux-python3" not in ansible_facts.packages' ansible.builtin.package: name: libselinux-python3 state: present diff --git a/tasks/main.yml b/tasks/main.yml index 4598f85..2ea223c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,22 +2,19 @@ # tasks file for RHEL9-CIS - name: "Check OS version and family" + when: os_check + tags: always ansible.builtin.assert: that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}" - when: - - os_check - tags: - - always - name: "Check ansible version" + tags: always ansible.builtin.assert: that: ansible_version.full is version_compare(min_ansible_version, '>=') fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" - tags: - - always - name: "Setup rules if container" when: @@ -36,8 +33,7 @@ file: "{{ container_vars_file }}" - name: "Output if discovered is a container" - when: - - system_is_container + when: system_is_container ansible.builtin.debug: msg: system has been discovered as a container @@ -51,8 +47,7 @@ when: - rhel9cis_set_boot_pass - rhel9cis_rule_1_4_1 - tags: - - always + tags: always ansible.builtin.assert: that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" @@ -81,23 +76,22 @@ vars: sudo_password_rule: rhel9cis_rule_5_2_4 # pragma: allowlist secret block: - - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" + - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" # noqa name[template] ansible.builtin.shell: "(grep {{ ansible_env.SUDO_USER }} /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false register: prelim_ansible_user_password_set - - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account" + - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account" # noqa name[template] when: prelim_ansible_user_password_set.stdout == "not found" ansible.builtin.debug: msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks." - name: "Check local account" - when: - - prelim_ansible_user_password_set.stdout != "not found" + when: prelim_ansible_user_password_set.stdout != "not found" block: - - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" + - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template] ansible.builtin.assert: that: - prelim_ansible_user_password_set.stdout | length != 0 @@ -105,7 +99,7 @@ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" - - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" + - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template] ansible.builtin.assert: that: - not prelim_ansible_user_password_set.stdout.startswith("!") @@ -113,10 +107,8 @@ success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" - name: "PRELIM | AUDIT | Check authselect profile is selected" - when: - - rhel9cis_allow_authselect_updates - tags: - - always + when: rhel9cis_allow_authselect_updates + tags: always block: - name: "PRELIM | AUDIT | Check authselect profile name has been updated" ansible.builtin.assert: @@ -136,8 +128,7 @@ fail_msg: Authselect updates have been selected there are issues with profile selection" - name: "Ensure root password is set" - when: - - rhel9cis_rule_5_4_2_4 + when: rhel9cis_rule_5_4_2_4 tags: - level1-server - level1-workstation @@ -158,14 +149,12 @@ success_msg: "You have a root password set" - name: "Gather the package facts" - tags: - - always + tags: always ansible.builtin.package_facts: manager: auto - name: "Include OS specific variables" - tags: - - always + tags: always ansible.builtin.include_vars: file: "{{ ansible_facts.distribution }}.yml" @@ -213,8 +202,7 @@ - name: "Run auditd logic" when: update_audit_template - tags: - - always + tags: always ansible.builtin.import_tasks: file: auditd.yml @@ -226,8 +214,7 @@ file: post.yml - name: "Run post_remediation audit" - when: - - run_audit + when: run_audit ansible.builtin.import_tasks: file: post_remediation_audit.yml @@ -238,7 +225,6 @@ - name: "If Warnings found Output count and control IDs affected" when: warn_count != 0 - tags: - - always + tags: always ansible.builtin.debug: msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 8270b5a..102acef 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -1,19 +1,17 @@ --- - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - tags: - - always + tags: always block: - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - ansible.builtin.shell: cat /etc/passwd + ansible.builtin.command: cat /etc/passwd changed_when: false check_mode: false - register: rhel9cis_passwd_file_audit + register: prelim_passwd_file_audit - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries" ansible.builtin.set_fact: - rhel9cis_passwd: "{{ rhel9cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" - loop: "{{ rhel9cis_passwd_file_audit.stdout_lines }}" + rhel9cis_passwd: "{{ prelim_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) diff --git a/tasks/post.yml b/tasks/post.yml index 198d9c0..b6efdfe 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -1,9 +1,7 @@ --- -# Post tasks - name: POST | Gather the package facts after remediation - tags: - - always + tags: always ansible.builtin.package_facts: manager: auto @@ -17,7 +15,7 @@ dest: "/etc/sysctl.d/{{ item }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' notify: Reload sysctl loop: - 60-kernel_sysctl.conf @@ -29,28 +27,22 @@ ansible.builtin.meta: flush_handlers - name: POST | reboot system if changes require it and not skipped - tags: - - always + when: change_requires_reboot + tags: always + vars: + warn_control_id: Reboot_required block: - name: POST | Reboot system if changes require it and not skipped + when: not skip_reboot ansible.builtin.reboot: - when: - - change_requires_reboot - - not skip_reboot - name: POST | Warning a reboot required but skip option set + when: skip_reboot ansible.builtin.debug: msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true - when: - - change_requires_reboot - - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" + when: skip_reboot ansible.builtin.import_tasks: file: warning_facts.yml - when: - - change_requires_reboot - - skip_reboot - vars: - warn_control_id: Reboot_required diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 8004ed3..294d45a 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,7 +1,7 @@ --- -- name: Post Audit | Run post_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" +- name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template] + ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" @@ -18,8 +18,7 @@ - "{{ pre_audit_outfile }}" - name: Post Audit | Capture audit data if json format - when: - - audit_format == "json" + when: audit_format == "json" block: - name: Post Audit | Capture audit data if json format ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 @@ -31,8 +30,7 @@ post_audit_results: "{{ post_audit_summary.stdout }}" - name: Post Audit | Capture audit data if documentation format - when: - - audit_format == "documentation" + when: audit_format == "documentation" block: - name: Post Audit | Capture audit data if documentation format ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' ' diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 3a3304c..c6a531a 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,22 +1,18 @@ --- - - name: Pre Audit Setup | Setup the LE audit - when: - - setup_audit - tags: - - setup_audit + when: setup_audit + tags: setup_audit ansible.builtin.include_tasks: file: LE_audit_setup.yml -- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists +- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists # noqa name[template] ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory - mode: '0755' + mode: "0755" - name: Pre Audit Setup | If using git for content set up - when: - - audit_content == 'git' + when: audit_content == 'git' block: - name: Pre Audit Setup | Install git ansible.builtin.package: @@ -30,32 +26,28 @@ version: "{{ audit_git_version }}" - name: Pre Audit Setup | Copy to audit content files to server - when: - - audit_content == 'copy' + when: audit_content == 'copy' ansible.builtin.copy: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server - when: - - audit_content == 'archive' + when: audit_content == 'archive' ansible.builtin.unarchive: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url - when: - - audit_content == 'get_url' + when: audit_content == 'get_url' ansible.builtin.unarchive: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" - remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" - extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" + remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}" + extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}" - name: Pre Audit Setup | Check Goss is available - when: - - run_audit + when: run_audit block: - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: @@ -63,24 +55,22 @@ register: discovered_goss_available - name: Pre Audit Setup | If audit ensure goss is available - when: - - not discovered_goss_available.stat.exists + when: not discovered_goss_available.stat.exists ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit - when: - - run_audit + when: run_audit tags: - goss_template - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" - mode: '0600' + mode: "0600" -- name: Pre Audit | Run pre_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" +- name: Pre Audit | Run pre_remediation {{ benchmark }} audit # noqa name[template] + ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" @@ -88,33 +78,30 @@ AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format - when: - - audit_format == "json" + when: audit_format == "json" block: - name: Pre Audit | Capture audit data if json format ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 - register: pre_audit_summary changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Pre Audit | Capture audit data if documentation format - when: - - audit_format == "documentation" + when: audit_format == "documentation" block: - name: Pre Audit | Capture audit data if documentation format ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' - register: pre_audit_summary changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Audit_Only | Run Audit Only - when: - - audit_only + when: audit_only ansible.builtin.import_tasks: file: audit_only.yml diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 28292fb..1e67bb3 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -17,50 +17,43 @@ when: - run_audit or audit_only - setup_audit - tags: - - run_audit + tags: run_audit ansible.builtin.import_tasks: pre_remediation_audit.yml - name: "PRELIM | AUDIT | Interactive Users" - tags: - - always + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' changed_when: false register: prelim_interactive_usernames - name: "PRELIM | AUDIT | Interactive User accounts home directories" - tags: - - always + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }' changed_when: false register: prelim_interactive_users_home - name: "PRELIM | AUDIT | Interactive UIDs" - tags: - - always + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' changed_when: false register: prelim_interactive_uids - name: "PRELIM | AUDIT | Capture /etc/password variables" + tags: always ansible.builtin.include_tasks: file: parse_etc_password.yml - tags: - - always - name: "PRELIM | PATCH | Ensure python3-libselinux is installed" - when: - - '"python3-libselinux" not in ansible_facts.packages' + when: '"python3-libselinux" not in ansible_facts.packages' ansible.builtin.package: name: python3-libselinux state: present - name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points" - tags: - - Always + tags: always ansible.builtin.set_fact: mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" @@ -80,27 +73,27 @@ - ansible_facts.distribution == 'RedHat' block: - name: "PRELIM | AUDIT | Import gpg keys | get data" - ansible.builtin.shell: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' + ansible.builtin.command: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' # noqa command-instead-of-module changed_when: false failed_when: false register: prelim_check_gpg_imported - - name: "PRELIM | AUDIT | Import gpg keys | Check Package" + - name: "PRELIM | AUDIT | Import gpg keys | Check Package" # noqa command-instead-of-module when: "'not installed' in prelim_check_gpg_imported.stdout" ansible.builtin.shell: rpm -qi redhat-release | grep Signature changed_when: false failed_when: false register: prelim_os_gpg_package_valid - - name: "PRELIM | PATCH | Force keys to be imported" + - name: "PRELIM | PATCH | Force keys to be imported" # noqa command-instead-of-module when: - "'not installed' in prelim_check_gpg_imported.stdout" - "'Key ID 199e2f91fd431d51' in prelim_os_gpg_package_valid.stdout" - ansible.builtin.shell: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + ansible.builtin.command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + changed_when: false - name: "PRELIM | AUDIT | Check systemd coredump" - when: - - rhel9cis_rule_1_5_4 + when: rhel9cis_rule_1_5_4 tags: - level1-server - level1-workstation @@ -127,7 +120,7 @@ state: present - name: "PRELIM | AUDIT | Gather system-wide crypto-policy" - ansible.builtin.shell: 'update-crypto-policies --show' + ansible.builtin.command: 'update-crypto-policies --show' changed_when: false check_mode: false register: prelim_system_wide_crypto_policy @@ -183,7 +176,7 @@ - always block: - name: "PRELIM | AUDIT | Discover is wirelss adapter on system" - ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless + ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless register: discover_wireless_adapters changed_when: false failed_when: discover_wireless_adapters.rc not in [ 0, 1 ] @@ -222,7 +215,7 @@ path: "{{ rhel9cis_sshd_config_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' state: touch - name: "PRELIM | AUDIT | Gather UID 0 accounts other than root" @@ -246,6 +239,7 @@ ansible.builtin.file: path: /etc/systemd/journald.conf.d state: directory + mode: 'go-w' - name: "PRELIM | PATCH | Configure System Accounting (auditd)" when: diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index e67edd9..579fb1b 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -16,7 +16,7 @@ regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -24,7 +24,7 @@ regexp: "^(#)?blacklist cramfs(\\s|$)" line: "blacklist cramfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" when: @@ -49,7 +49,7 @@ regexp: "^(#)?install freevxfs(\\s|$)" line: "install freevxfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -57,7 +57,7 @@ regexp: "^(#)?blacklist freevxfs(\\s|$)" line: "blacklist freevxfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs" when: not system_is_container @@ -81,7 +81,7 @@ regexp: "^(#)?install hfs(\\s|$)" line: "install hfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -89,7 +89,7 @@ regexp: "^(#)?blacklist hfs(\\s|$)" line: "blacklist hfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs" when: not system_is_container @@ -113,7 +113,7 @@ regexp: "^(#)?install hfsplus(\\s|$)" line: "install hfsplus /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -121,7 +121,7 @@ regexp: "^(#)?blacklist hfsplus(\\s|$)" line: "blacklist hfsplus" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus" when: not system_is_container @@ -145,7 +145,7 @@ regexp: "^(#)?install jffs2(\\s|$)" line: "install jffs2 /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -153,7 +153,7 @@ regexp: "^(#)?blacklist jffs2(\\s|$)" line: "blacklist jffs2" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2" when: not system_is_container @@ -177,7 +177,7 @@ regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -185,7 +185,7 @@ regexp: "^(#)?blacklist squashfs(\\s|$)" line: "blacklist squashfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs" when: not system_is_container @@ -209,7 +209,7 @@ regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -217,7 +217,7 @@ regexp: "^(#)?blacklist udf(\\s|$)" line: "blacklist udf" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Disable udf" when: not system_is_container @@ -241,7 +241,7 @@ regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -249,7 +249,7 @@ regexp: "^(#)?blacklist usb-storage(\\s|$)" line: "blacklist usb-storage" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Disable usb" when: not system_is_container @@ -273,10 +273,10 @@ dest: /var/fs_with_cves.sh owner: root group: root - mode: '0744' + mode: 'u+x,go-wx' - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Run discovery script" - ansible.builtin.shell: /var/fs_with_cves.sh + ansible.builtin.command: /var/fs_with_cves.sh changed_when: false failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ] register: discovered_fs_modules_loaded @@ -286,7 +286,7 @@ ansible.builtin.debug: msg: | "Warning!! Discovered loaded Filesystem modules that need attention. This is a manual task - {{ discovered_fs_modules_loaded.stdout_lines}}" + {{ discovered_fs_modules_loaded.stdout_lines }}" - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning" when: discovered_fs_modules_loaded.stdout | length > 0 diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index 04402ab..4457624 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -84,5 +84,5 @@ dest: /etc/systemd/system/tmp.mount owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Systemd restart tmp.mount diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index f360a21..6f0df56 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -2,8 +2,7 @@ # Skips if mount is absent - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition" - when: - - rhel9cis_rule_1_1_2_2_1 + when: rhel9cis_rule_1_1_2_2_1 tags: - level1-server - level1-workstation @@ -14,7 +13,7 @@ vars: warn_control_id: '1.1.2.2.1' block: - - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists" + - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists" # noqa command-instead-of-module ansible.builtin.shell: mount -l | grep -w /dev/shm changed_when: false register: discovered_dev_shm_mount_check diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index dca12b0..28cd7cd 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml @@ -14,18 +14,18 @@ - rule_1.2.1.1 - NIST800-53R5_SI-2 block: - - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" + - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" # noqa command-instead-of-module ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" changed_when: false failed_when: false register: discovered_os_installed_pub_keys - - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys" + - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys" # noqa command-instead-of-module + when: discovered_os_installed_pub_keys.rc == 0 ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"' changed_when: false failed_when: false register: discovered_os_gpg_key_check - when: discovered_os_installed_pub_keys.rc == 0 - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | expected keys fail" when: @@ -35,8 +35,7 @@ msg: Installed GPG Keys do not meet expected values or expected keys are not installed - name: "1.2.1.2 | PATCH | Ensure gpgcheck is globally activated" - when: - - rhel9cis_rule_1_2_1_2 + when: rhel9cis_rule_1_2_1_2 tags: - level1-server - level1-workstation @@ -94,8 +93,7 @@ label: "{{ item.path }}" - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured" - when: - - rhel9cis_rule_1_2_1_4 + when: rhel9cis_rule_1_2_1_4 tags: - level1-server - level1-workstation @@ -107,11 +105,11 @@ warn_control_id: '1.2.1.4' block: - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Get repo list" - ansible.builtin.shell: dnf repolist + ansible.builtin.command: dnf repolist changed_when: false failed_when: false - register: discovered_dnf_configured check_mode: false + register: discovered_dnf_configured - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" ansible.builtin.debug: diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml index f3f67f8..198ae7b 100644 --- a/tasks/section_1/cis_1.3.1.x.yml +++ b/tasks/section_1/cis_1.3.1.x.yml @@ -122,8 +122,7 @@ file: warning_facts.yml - name: "1.3.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" - when: - - rhel9cis_rule_1_3_1_7 + when: rhel9cis_rule_1_3_1_7 tags: - level1-server - level1-workstation @@ -136,9 +135,6 @@ state: absent - name: "1.3.1.8 | PATCH | Ensure SETroubleshoot is not installed" - ansible.builtin.package: - name: setroubleshoot - state: absent when: - rhel9cis_rule_1_3_1_8 - "'setroubleshoot' in ansible_facts.packages" @@ -149,3 +145,6 @@ - rule_1.3.1.8 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 + ansible.builtin.package: + name: setroubleshoot + state: absent diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 747faa8..d422f14 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -16,12 +16,11 @@ content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy owner: root group: root - mode: '0600' + mode: 'go-rwx' notify: Grub2cfg - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" - when: - - rhel9cis_rule_1_4_2 + when: rhel9cis_rule_1_4_2 tags: - level1-server - level1-workstation @@ -41,5 +40,5 @@ access_time: preserve loop: - { path: 'grub.cfg', mode: '0700' } - - { path: 'grubenv', mode: '0600' } - - { path: 'user.cfg', mode: '0600' } + - { path: 'grubenv', mode: 'go-rwx' } + - { path: 'user.cfg', mode: 'go-rwx' } diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 3767a58..992785b 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -1,8 +1,7 @@ --- - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - when: - - rhel9cis_rule_1_5_1 + when: rhel9cis_rule_1_5_1 tags: - level1-server - level1-workstation @@ -21,8 +20,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" - name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted" - when: - - rhel9cis_rule_1_5_2 + when: rhel9cis_rule_1_5_2 tags: - level1-server - level1-workstation @@ -39,8 +37,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" - name: "1.5.3 | PATCH | Ensure core dump backtraces are disabled" - when: - - rhel9cis_rule_1_5_3 + when: rhel9cis_rule_1_5_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 5d9441e..c418324 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -1,8 +1,7 @@ --- - name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy" - when: - - rhel9cis_rule_1_6_1 + when: rhel9cis_rule_1_6_1 tags: - level1-server - level1-workstation @@ -18,8 +17,7 @@ - Set Crypto Policy - name: "1.6.2 | PATCH | Ensure system wide crypto policy is not set in sshd configuration" - when: - - rhel9cis_rule_1_6_2 + when: rhel9cis_rule_1_6_2 tags: - level1-server - level1-workstation @@ -54,7 +52,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' register: discovered_no_sha1_template - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules" @@ -85,7 +83,7 @@ dest: /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' register: discovered_no_weakmac_template - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules" @@ -115,7 +113,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' register: discovered_no_sshcbc_template - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules" @@ -145,7 +143,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' register: discovered_no_sshweakciphers_template - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules" @@ -175,7 +173,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SSHETM.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' register: discovered_no_sshetm_template - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules" diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index c7484cd..7f45476 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -1,8 +1,7 @@ --- - name: "1.7.1 | PATCH | Ensure message of the day is configured properly" - when: - - rhel9cis_rule_1_7_1 + when: rhel9cis_rule_1_7_1 tags: - level1-server - level1-workstation @@ -17,11 +16,10 @@ dest: /etc/motd owner: root group: root - mode: u-x,go-wx + mode: 'u-x,go-wx' - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" - when: - - rhel9cis_rule_1_7_2 + when: rhel9cis_rule_1_7_2 tags: - level1-server - level1-workstation @@ -35,11 +33,10 @@ dest: /etc/issue owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" - when: - - rhel9cis_rule_1_7_3 + when: rhel9cis_rule_1_7_3 tags: - level1-server - level1-workstation @@ -54,11 +51,10 @@ dest: /etc/issue.net owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" - when: - - rhel9cis_rule_1_7_4 + when: rhel9cis_rule_1_7_4 tags: - level1-server - level1-workstation @@ -71,11 +67,10 @@ path: /etc/motd owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" - when: - - rhel9cis_rule_1_7_5 + when: rhel9cis_rule_1_7_5 tags: - level1-server - level1-workstation @@ -88,11 +83,10 @@ path: /etc/issue owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - when: - - rhel9cis_rule_1_7_6 + when: rhel9cis_rule_1_7_6 tags: - level1-server - level1-workstation @@ -105,4 +99,4 @@ path: /etc/issue.net owner: root group: root - mode: '0644' + mode: 'go-wx' diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 427eb79..c38b75c 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -35,7 +35,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf loop: - { regexp: 'user-db', line: 'user-db:user' } @@ -48,7 +48,7 @@ dest: /etc/dconf/db/gdm.d/01-banner-message owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.3 | PATCH | Ensure GDM disable-user-list option is enabled" @@ -68,7 +68,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf loop: - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } @@ -96,7 +96,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'go-wx' loop: - { regexp: '^user-db', line: 'user-db:user' } - { regexp: '^system-db', line: 'system-db:local' } @@ -106,7 +106,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make conf file" @@ -115,7 +115,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-screensaver" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden" @@ -134,7 +134,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file" @@ -143,7 +143,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" @@ -161,7 +161,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-automount" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" @@ -180,7 +180,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file" @@ -189,7 +189,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-automount_lock" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled" @@ -208,7 +208,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file" @@ -217,7 +217,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-autorun" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden" @@ -236,7 +236,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lockfile" @@ -245,7 +245,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.10 | PATCH | Ensure XDMCP is not enabled" diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 73e7986..fb0351f 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -33,9 +33,8 @@ masked: true - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use" - when: - - rhel9cis_rule_2_1_2 - - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" + when: rhel9cis_rule_2_1_2 + tags: - level1-server - level2-workstation @@ -70,9 +69,7 @@ - avahi-daemon.service - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use" - when: - - "'dhcp-server' in ansible_facts.packages" - - rhel9cis_rule_2_1_3 + when: rhel9cis_rule_2_1_3 tags: - level1-server - level1-workstation @@ -105,9 +102,7 @@ - dhcpd6.service - name: "2.1.4 | PATCH | Ensure dns server services are not in use" - when: - - "'bind' in ansible_facts.packages" - - rhel9cis_rule_2_1_4 + when: rhel9cis_rule_2_1_4 tags: - level1-server - level1-workstation @@ -137,9 +132,7 @@ masked: true - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use" - when: - - "'dnsmasq' in ansible_facts.packages" - - rhel9cis_rule_2_1_5 + when: rhel9cis_rule_2_1_5 tags: - level1-server - level1-workstation @@ -169,9 +162,7 @@ masked: true - name: "2.1.6 | PATCH | Ensure samba file server services are not in use" - when: - - "'samba' in ansible_facts.packages" - - rhel9cis_rule_2_1_6 + when: rhel9cis_rule_2_1_6 tags: - level1-server - level1-workstation @@ -202,9 +193,7 @@ masked: true - name: "2.1.7 | PATCH | Ensure ftp server services are not in use" - when: - - "'ftp' in ansible_facts.packages" - - rhel9cis_rule_2_1_7 + when: rhel9cis_rule_2_1_7 tags: - level1-server - level1-workstation @@ -235,9 +224,7 @@ masked: true - name: "2.1.8 | PATCH | Ensure message access server services are not in use" - when: - - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages" - - rhel9cis_rule_2_1_8 + when: rhel9cis_rule_2_1_8 tags: - level1-server - level1-workstation @@ -275,9 +262,7 @@ - "cyrus-imapd.service" - name: "2.1.9 | PATCH | Ensure network file system services are not in use" - when: - - "'nfs-utils' in ansible_facts.packages" - - rhel9cis_rule_2_1_9 + when: rhel9cis_rule_2_1_9 tags: - level1-server - level1-workstation @@ -309,9 +294,7 @@ masked: true - name: "2.1.10 | PATCH | Ensure nis server services are not in use" - when: - - "'ypserv' in ansible_facts.packages" - - rhel9cis_rule_2_1_10 + when: rhel9cis_rule_2_1_10 tags: - level1-server - level1-workstation @@ -341,9 +324,7 @@ masked: true - name: "2.1.11 | PATCH | Ensure print server services are not in use" - when: - - "'cups' in ansible_facts.packages" - - rhel9cis_rule_2_1_11 + when: rhel9cis_rule_2_1_11 tags: - level1-server - automated @@ -375,9 +356,7 @@ - "cups.service" - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use" - when: - - "'rpcbind' in ansible_facts.packages" - - rhel9cis_rule_2_1_12 + when: rhel9cis_rule_2_1_12 tags: - level1-server - level1-workstation @@ -411,9 +390,7 @@ - rpcbind.socket - name: "2.1.13 | PATCH | Ensure rsync services are not in use" - when: - - "'rsync-daemon' in ansible_facts.packages" - - rhel9cis_rule_2_1_13 + when: rhel9cis_rule_2_1_13 tags: - level1-server - level1-workstation @@ -447,9 +424,7 @@ - 'rsyncd.service' - name: "2.1.14 | PATCH | Ensure snmp services are not in use" - when: - - "'net-snmp' in ansible_facts.packages" - - rhel9cis_rule_2_1_14 + when: rhel9cis_rule_2_1_14 tags: - level1-server - level1-workstation @@ -479,9 +454,7 @@ masked: true - name: "2.1.15 | PATCH | Ensure telnet server services are not in use" - when: - - "'telnet-server' in ansible_facts.packages" - - rhel9cis_rule_2_1_15 + when: rhel9cis_rule_2_1_15 tags: - level1-server - level1-workstation @@ -512,9 +485,7 @@ masked: true - name: "2.1.16 | PATCH | Ensure tftp server services are not in use" - when: - - "'tftp-server' in ansible_facts.packages" - - rhel9cis_rule_2_1_16 + when: rhel9cis_rule_2_1_16 tags: - level1-server - level1-workstation @@ -547,9 +518,7 @@ - 'tftp.service' - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use" - when: - - "'squid' in ansible_facts.packages" - - rhel9cis_rule_2_117 + when: rhel9cis_rule_2_1_17 tags: - level1-server - level1-workstation @@ -580,8 +549,7 @@ masked: true - name: "2.1.18 | PATCH | Ensure web server services are not in use" - when: - - rhel9cis_rule_2_1_18 + when: rhel9cis_rule_2_1_18 tags: - level1-server - level1-workstation @@ -597,7 +565,6 @@ when: - not rhel9cis_httpd_server - not rhel9cis_httpd_mask - - "'httpd' in ansible_facts.packages" ansible.builtin.package: name: httpd state: absent @@ -606,7 +573,6 @@ when: - not rhel9cis_nginx_server - not rhel9cis_nginx_mask - - "'nginx' in ansible_facts.packages" ansible.builtin.package: name: nginx state: absent @@ -615,7 +581,6 @@ when: - not rhel9cis_httpd_server - rhel9cis_httpd_mask - - "'httpd' in ansible_facts.packages" notify: Systemd_daemon_reload ansible.builtin.systemd: name: httpd.service @@ -627,7 +592,6 @@ when: - not rhel9cis_nginx_server - rhel9cis_nginx_mask - - "'nginx' in ansible_facts.packages" notify: Systemd_daemon_reload ansible.builtin.systemd: name: ngnix.service @@ -636,9 +600,7 @@ masked: true - name: "2.1.19 | PATCH | Ensure xinetd services are not in use" - when: - - "'xinetd' in ansible_facts.packages" - - rhel9cis_rule_2_1_19 + when: rhel9cis_rule_2_1_19 tags: - level1-server - level1-workstation @@ -670,7 +632,6 @@ - name: "2.1.20 | PATCH | Ensure X window server services are not in use" when: - not rhel9cis_xwindow_server - - "'xorg-x11-server-common' in ansible_facts.packages" - rhel9cis_rule_2_1_20 tags: - level1-server @@ -704,8 +665,7 @@ line: "inet_interfaces = loopback-only" - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface" - when: - - rhel9cis_rule_2_1_22 + when: rhel9cis_rule_2_1_22 tags: - level1-server - level1-workstation @@ -717,8 +677,8 @@ vars: warn_control_id: '2.1.22' block: - - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" - ansible.builtin.shell: systemctl list-units --type=service + - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" # noqa command-instead-of-module + ansible.builtin.command: systemctl list-units --type=service changed_when: false failed_when: discovered_running_services.rc not in [ 0, 1 ] check_mode: false diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index cdd03b8..0e019e7 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -3,7 +3,6 @@ - name: "2.2.1 | PATCH | Ensure ftp client is not installed" when: - not rhel9cis_ftp_client - - "'ftp' in ansible_facts.packages" - rhel9cis_rule_2_2_1 tags: - level1-server @@ -20,7 +19,6 @@ - name: "2.2.2 | PATCH | Ensure ldap client is not installed" when: - not rhel9cis_openldap_clients_required - - "'openldap-clients' in ansible_facts.packages" - rhel9cis_rule_2_2_2 tags: - level2-server @@ -37,7 +35,6 @@ - name: "2.2.3 | PATCH | Ensure nis client is not installed" when: - not rhel9cis_ypbind_required - - "'ypbind' in ansible_facts.packages" - rhel9cis_rule_2_2_3 tags: - level1-server @@ -54,7 +51,6 @@ - name: "2.2.4 | PATCH | Ensure telnet client is not installed" when: - not rhel9cis_telnet_required - - "'telnet' in ansible_facts.packages" - rhel9cis_rule_2_2_4 tags: - level1-server @@ -71,7 +67,6 @@ - name: "2.2.5 | PATCH | Ensure TFTP client is not installed" when: - not rhel9cis_tftp_client - - "'tftp' in ansible_facts.packages" - rhel9cis_rule_2_2_5 tags: - level1-server diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index dacd624..b84a84b 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -31,7 +31,7 @@ dest: /etc/chrony.conf owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "2.3.3 | PATCH | Ensure chrony is not run as the root user" when: @@ -48,4 +48,4 @@ line: OPTIONS="\1 -u chrony" create: true backrefs: true - mode: '0644' + mode: 'go-wx' diff --git a/tasks/section_2/cis_2.4.x.yml b/tasks/section_2/cis_2.4.x.yml index 16ed0e9..c4b6b8b 100644 --- a/tasks/section_2/cis_2.4.x.yml +++ b/tasks/section_2/cis_2.4.x.yml @@ -1,8 +1,7 @@ --- - name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled" - when: - - rhel9cis_rule_2_4_1_1 + when: rhel9cis_rule_2_4_1_1 tags: - level1-server - level1-workstation @@ -19,8 +18,7 @@ enabled: true - name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" - when: - - rhel9cis_rule_2_4_1_2 + when: rhel9cis_rule_2_4_1_2 tags: - level1-server - level1-workstation @@ -33,11 +31,10 @@ path: /etc/crontab owner: root group: root - mode: og-rwx + mode: 'og-rwx' - name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" - when: - - rhel9cis_rule_2_4_1_3 + when: rhel9cis_rule_2_4_1_3 tags: - level1-server - level1-workstation @@ -51,11 +48,10 @@ state: directory owner: root group: root - mode: og-rwx + mode: 'og-rwx' - name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" - when: - - rhel9cis_rule_2_4_1_4 + when: rhel9cis_rule_2_4_1_4 tags: - level1-server - level1-workstation @@ -67,11 +63,10 @@ state: directory owner: root group: root - mode: og-rwx + mode: 'og-rwx' - name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" - when: - - rhel9cis_rule_2_4_1_5 + when: rhel9cis_rule_2_4_1_5 tags: - level1-server - level1-workstation @@ -84,11 +79,10 @@ state: directory owner: root group: root - mode: og-rwx + mode: 'og-rwx' - name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" - when: - - rhel9cis_rule_2_4_1_6 + when: rhel9cis_rule_2_4_1_6 tags: - level1-server - level1-workstation @@ -101,11 +95,10 @@ state: directory owner: root group: root - mode: og-rwx + mode: 'og-rwx' - name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" - when: - - rhel9cis_rule_2_4_1_7 + when: rhel9cis_rule_2_4_1_7 tags: - level1-server - level1-workstation @@ -119,11 +112,10 @@ state: directory owner: root group: root - mode: '0700' + mode: 'og-rwx' - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users" - when: - - rhel9cis_rule_2_4_1_8 + when: rhel9cis_rule_2_4_1_8 tags: - level1-server - level1-workstation @@ -146,14 +138,13 @@ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users" ansible.builtin.file: path: /etc/cron.allow - state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}' + state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: u-x,g-wx,o-rwx + mode: 'u-x,g-wx,o-rwx' - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users" - when: - - rhel9cis_rule_2_4_2_1 + when: rhel9cis_rule_2_4_2_1 tags: - level1-server - level1-workstation @@ -179,4 +170,4 @@ state: '{{ "file" if discovered_at_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: u-x,g-wx,o-rwx + mode: 'u-x,g-wx,o-rwx' diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 98e3a93..e8934d4 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -40,7 +40,7 @@ block: - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" when: "'network-manager' in ansible_facts.packages" - ansible.builtin.shell: nmcli radio wifi + ansible.builtin.command: nmcli radio wifi changed_when: false failed_when: false check_mode: false @@ -50,7 +50,7 @@ when: - "'network-manager' in ansible_facts.packages" - "'enabled' in discovered_wifi_status.stdout" - ansible.builtin.shell: nmcli radio all off + ansible.builtin.command: nmcli radio all off changed_when: discovered_nmcli_radio_off.rc == 0 register: discovered_nmcli_radio_off @@ -65,8 +65,7 @@ file: warning_facts.yml - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use" - when: - - rhel9cis_rule_3_1_3 + when: rhel9cis_rule_3_1_3 tags: - level1-server - level2-workstation diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index bc210ae..4903070 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -1,8 +1,7 @@ --- - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available" - when: - - rhel9cis_rule_3_2_1 + when: rhel9cis_rule_3_2_1 tags: - level2-server - level2-workstation @@ -18,6 +17,7 @@ regexp: '^(#)?install dccp(\\s|$)' line: "{{ item }}" create: true + mode: 'go-wx' loop: - install dccp /bin/true - blacklist dccp @@ -28,11 +28,10 @@ regexp: "^(#)?blacklist cramfs(\\s|$)" line: "blacklist cramfs" create: true - mode: '0600' + mode: 'go-wx' - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available" - when: - - rhel9cis_rule_3_2_2 + when: rhel9cis_rule_3_2_2 tags: - level2-server - level2-workstation @@ -48,6 +47,7 @@ regexp: '^(#)?install tipc(\\s|$)' line: "{{ item }}" create: true + mode: 'go-wx' loop: - install tipc /bin/true - blacklist tipc @@ -58,11 +58,10 @@ regexp: "^(#)?blacklist tipc(\\s|$)" line: "blacklist tipc" create: true - mode: '0600' + mode: 'go-wx' - name: "3.2.3 | PATCH | Ensure rds kernel module is not available" - when: - - rhel9cis_rule_3_2_3 + when: rhel9cis_rule_3_2_3 tags: - level2-server - level2-workstation @@ -78,6 +77,7 @@ regexp: '^(#)?install rds(\\s|$)' line: "{{ item }}" create: true + mode: 'go-wx' loop: - install rds /bin/true - blacklist rds @@ -88,11 +88,10 @@ regexp: "^(#)?blacklist rds(\\s|$)" line: "blacklist rds" create: true - mode: '0600' + mode: 'go-wx' - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available" - when: - - rhel9cis_rule_3_2_4 + when: rhel9cis_rule_3_2_4 tags: - level2-server - level2-workstation @@ -108,6 +107,7 @@ regexp: '^(#)?install sctp(\\s|$)' line: "{{ item }}" create: true + mode: 'go-wx' loop: - install sctp /bin/true - blacklist sctp @@ -118,4 +118,4 @@ regexp: "^(#)?blacklist sctp(\\s|$)" line: "blacklist sctp" create: true - mode: '0600' + mode: 'go-wx' diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 2f73979..123928e 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -61,8 +61,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored" - when: - - rhel9cis_rule_3_3_3 + when: rhel9cis_rule_3_3_3 tags: - level1-server - level1-workstation @@ -85,8 +84,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored" - when: - - rhel9cis_rule_3_3_4 + when: rhel9cis_rule_3_3_4 tags: - level1-server - level1-workstation @@ -109,8 +107,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted" - when: - - rhel9cis_rule_3_3_5 + when: rhel9cis_rule_3_3_5 tags: - level1-server - level1-workstation @@ -144,8 +141,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted" - when: - - rhel9cis_rule_3_3_6 + when: rhel9cis_rule_3_3_6 tags: - level1-server - level1-workstation @@ -179,8 +175,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - when: - - rhel9cis_rule_3_3_7 + when: rhel9cis_rule_3_3_7 tags: - level1-server - level1-workstation @@ -203,8 +198,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.8 | PATCH | Ensure source routed packets are not accepted" - when: - - rhel9cis_rule_3_3_8 + when: rhel9cis_rule_3_3_8 tags: - level1-server - level1-workstation @@ -237,8 +231,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - name: "3.3.9 | PATCH | Ensure suspicious packets are logged" - when: - - rhel9cis_rule_3_3_9 + when: rhel9cis_rule_3_3_9 tags: - level1-server - level1-workstation @@ -257,8 +250,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled" - when: - - rhel9cis_rule_3_3_10 + when: rhel9cis_rule_3_3_10 tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index f0a6636..ab61c81 100644 --- a/tasks/section_4/cis_4.1.x.yml +++ b/tasks/section_4/cis_4.1.x.yml @@ -17,8 +17,7 @@ state: present - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use" - when: - - rhel9cis_rule_4_1_2 + when: rhel9cis_rule_4_1_2 tags: - level1-server - level1-workstation @@ -52,7 +51,7 @@ name: "{{ rhel9cis_firewall }}" state: installed - - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" + - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" # noqa name[template] ansible.builtin.systemd: name: "{{ rhel9cis_firewall }}" enabled: true diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml index 0fca4cc..6e8eb3c 100644 --- a/tasks/section_4/cis_4.2.x.yml +++ b/tasks/section_4/cis_4.2.x.yml @@ -1,8 +1,7 @@ --- - name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports" - when: - - rhel9cis_rule_4_2_1 + when: rhel9cis_rule_4_2_1 tags: - level1-server - level1-workstation @@ -25,8 +24,7 @@ - "{{ discovered_services_and_ports.stdout_lines }}" - name: "4.2.2 | PATCH | Ensure firewalld loopback traffic is configured | firewalld" - when: - - rhel9cis_rule_4_2_2 + when: rhel9cis_rule_4_2_2 tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml index 4e85deb..450ef3b 100644 --- a/tasks/section_4/cis_4.3.x.yml +++ b/tasks/section_4/cis_4.3.x.yml @@ -8,11 +8,11 @@ - rhel9cis_rule_4_3_3 - rhel9cis_rule_4_3_4 tags: always - ansible.builtin.shell: "nft add table inet {{ rhel9cis_nft_tables_tablename }}" + ansible.builtin.command: "nft add table inet {{ rhel9cis_nft_tables_tablename }}" + changed_when: true - name: "4.3.1 | PATCH | Ensure nftables base chains exist" - when: - - rhel9cis_rule_4_3_1 + when: rhel9cis_rule_4_3_1 tags: - level1-server - level1-workstation @@ -52,7 +52,8 @@ - name: "4.3.1 | PATCH | Ensure nftables base chains exist | Create chains if needed" when: rhel9cis_nft_tables_autochaincreate - ansible.builtin.shell: "{{ item }}" + ansible.builtin.command: "{{ item }}" + changed_when: true failed_when: false loop: - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } @@ -60,8 +61,7 @@ - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } - name: "4.3.2 | PATCH | Ensure nftables established connections are configured" - when: - - rhel9cis_rule_4_3_2 + when: rhel9cis_rule_4_3_2 tags: - level1-server - level1-workstation @@ -84,31 +84,36 @@ - name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy" when: '"ip protocol tcp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' - ansible.builtin.shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + changed_when: true - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy" when: '"ip protocol udp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept + changed_when: true - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy" when: '"ip protocol icmp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept + changed_when: true - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy" when: '"ip protocol tcp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept + changed_when: true - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy" when: '"ip protocol udp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept + changed_when: true - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy" when: '"ip protocol icmp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept + changed_when: true - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy" - when: - - rhel9cis_rule_4_3_3 + when: rhel9cis_rule_4_3_3 tags: - level1-server - level1-workstation @@ -144,22 +149,25 @@ - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" when: '"tcp dport ssh accept" not in discovered_nftables_sshallowcheck.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept + changed_when: true - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" when: '"type filter hook input priority 0; policy drop;" not in discovered_nftables_inputpolicy.stdout' ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } + changed_when: true - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" when: '"type filter hook forward priority 0; policy drop;" not in discovered_nftables_forwardpolicy.stdout' ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } + changed_when: true - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" when: '"type filter hook output priority 0; policy drop;" not in discovered_nftables_outputpolicy.stdout' ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } + changed_when: true - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured" - when: - - rhel9cis_rule_4_3_4 + when: rhel9cis_rule_4_3_4 tags: - level1-server - level1-workstation @@ -189,11 +197,14 @@ - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule | nftables" when: '"iif \"lo\" accept" not in discovered_nftables_iiflo.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept + changed_when: true - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables" when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in discovered_nftables_ipsaddr.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + changed_when: true - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule | nftables" when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in discovered_nftables_ip6saddr.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop + changed_when: true diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 31ba7e2..296ebf9 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -1,8 +1,7 @@ --- - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" - when: - - rhel9cis_rule_5_1_1 + when: rhel9cis_rule_5_1_1 tags: - level1-server - level1-workstation @@ -16,11 +15,10 @@ path: "/etc/ssh/sshd_config" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured" - when: - - rhel9cis_rule_5_1_2 + when: rhel9cis_rule_5_1_2 tags: - level1-server - level1-workstation @@ -50,8 +48,7 @@ label: "{{ item.path }}" - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured" - when: - - rhel9cis_rule_5_1_3 + when: rhel9cis_rule_5_1_3 tags: - level1-server - level1-workstation @@ -98,7 +95,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' notify: - Update Crypto Policy - Set Crypto Policy @@ -126,7 +123,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' notify: - Update Crypto Policy - Set Crypto Policy @@ -154,7 +151,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' notify: - Update Crypto Policy - Set Crypto Policy @@ -164,8 +161,7 @@ rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}" - name: "5.1.7 | PATCH | Ensure sshd access is configured" - when: - - rhel9cis_rule_5_1_7 + when: rhel9cis_rule_5_1_7 tags: - level1-server - level1-workstation @@ -212,8 +208,7 @@ notify: Restart sshd - name: "5.1.8 | PATCH | Ensure sshd Banner is configured" - when: - - rhel9cis_rule_5_1_8 + when: rhel9cis_rule_5_1_8 tags: - level1-server - level1-workstation @@ -231,8 +226,7 @@ line: 'Banner /etc/issue.net' - name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured" - when: - - rhel9cis_rule_5_1_9 + when: rhel9cis_rule_5_1_9 tags: - level1-server - level1-workstation @@ -262,8 +256,7 @@ notify: Restart sshd - name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled" - when: - - rhel9cis_rule_5_1_10 + when: rhel9cis_rule_5_1_10 tags: - level2-server - level1-workstation @@ -289,8 +282,7 @@ notify: Restart sshd - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled" - when: - - rhel9cis_rule_5_1_11 + when: rhel9cis_rule_5_1_11 tags: - level1-server - level1-workstation @@ -320,8 +312,7 @@ notify: Restart sshd - name: "5.1.12 | PATCH | Ensure sshd HostbasedAuthentication is disabled" - when: - - rhel9cis_rule_5_1_12 + when: rhel9cis_rule_5_1_12 tags: - level1-server - level1-workstation @@ -341,8 +332,7 @@ notify: Restart sshd - name: "5.1.13 | PATCH | Ensure sshd IgnoreRhosts is enabled" - when: - - rhel9cis_rule_5_1_13 + when: rhel9cis_rule_5_1_13 tags: - level1-server - level1-workstation @@ -362,8 +352,7 @@ notify: Restart sshd - name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less" - when: - - rhel9cis_rule_5_1_14 + when: rhel9cis_rule_5_1_14 tags: - level1-server - level1-workstation @@ -379,8 +368,7 @@ notify: Restart sshd - name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate" - when: - - rhel9cis_rule_5_1_15 + when: rhel9cis_rule_5_1_15 tags: - level1-server - level1-workstation @@ -398,8 +386,7 @@ notify: Restart sshd - name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less" - when: - - rhel9cis_rule_5_1_16 + when: rhel9cis_rule_5_1_16 tags: - level1-server - level1-workstation @@ -415,8 +402,7 @@ notify: Restart sshd - name: "5.1.17 | PATCH | Ensure sshd MaxStartups is configured" - when: - - rhel9cis_rule_5_1_17 + when: rhel9cis_rule_5_1_17 tags: - level1-server - level1-workstation @@ -436,8 +422,7 @@ notify: Restart sshd - name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" - when: - - rhel9cis_rule_5_1_18 + when: rhel9cis_rule_5_1_18 tags: - level1-server - level1-workstation @@ -457,8 +442,7 @@ notify: Restart sshd - name: "5.1.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled" - when: - - rhel9cis_rule_5_1_19 + when: rhel9cis_rule_5_1_19 tags: - level1-server - level1-workstation @@ -478,8 +462,7 @@ notify: Restart sshd - name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled" - when: - - rhel9cis_rule_5_1_20 + when: rhel9cis_rule_5_1_20 tags: - level1-server - level1-workstation @@ -503,8 +486,7 @@ notify: Restart sshd - name: "5.1.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled" - when: - - rhel9cis_rule_5_1_21 + when: rhel9cis_rule_5_1_21 tags: - level1-server - level1-workstation @@ -524,8 +506,7 @@ notify: Restart sshd - name: "5.1.22 | PATCH | Ensure SSH PAM is enabled" - when: - - rhel9cis_rule_5_1_22 + when: rhel9cis_rule_5_1_22 tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 87fe46e..3d57dbf 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -1,8 +1,7 @@ --- - name: "5.2.1 | PATCH | Ensure sudo is installed" - when: - - rhel9cis_rule_5_2_1 + when: rhel9cis_rule_5_2_1 tags: - level1-server - level1-workstation @@ -15,8 +14,7 @@ state: present - name: "5.2.2 | PATCH | Ensure sudo commands use pty" - when: - - rhel9cis_rule_5_2_2 + when: rhel9cis_rule_5_2_2 tags: - level1-server - level1-workstation @@ -30,8 +28,7 @@ validate: '/usr/sbin/visudo -cf %s' - name: "5.2.3 | PATCH | Ensure sudo log file exists" - when: - - rhel9cis_rule_5_2_3 + when: rhel9cis_rule_5_2_3 tags: - level1-server - level1-workstation @@ -47,8 +44,7 @@ validate: '/usr/sbin/visudo -cf %s' - name: "5.2.4 | PATCH | Ensure users must provide password for escalation" - when: - - rhel9cis_rule_5_2_4 + when: rhel9cis_rule_5_2_4 tags: - level2-server - level2-workstation @@ -74,8 +70,7 @@ loop: "{{ discovered_nopasswd_sudoers.stdout_lines }}" - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" - when: - - rhel9cis_rule_5_2_5 + when: rhel9cis_rule_5_2_5 tags: - level1-server - level1-workstation @@ -101,8 +96,7 @@ loop: "{{ discovered_priv_reauth.stdout_lines }}" - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly" - when: - - rhel9cis_rule_5_2_6 + when: rhel9cis_rule_5_2_6 tags: - level1-server - level1-workstation @@ -134,8 +128,7 @@ loop: "{{ discovered_sudo_timeout_files.stdout_lines }}" - name: "5.2.7 | PATCH | Ensure access to the su command is restricted" - when: - - rhel9cis_rule_5_2_7 + when: rhel9cis_rule_5_2_7 tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 18e9cfd..7923d50 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -17,12 +17,13 @@ when: - rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or prelim_authselect_current_profile.stdout is not defined - ansible.builtin.shell: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}" + ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}" + changed_when: true args: creates: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}" - name: "5.3.2.1 | AUDIT | Ensure active authselect profile includes pam modules | get profile features" - ansible.builtin.shell: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}" + ansible.builtin.command: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}" changed_when: false register: discovered_authselect_profile_features @@ -37,7 +38,8 @@ - password - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Backup and Add pam modules" - ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}" + ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}" + changed_when: true - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled" when: @@ -64,9 +66,11 @@ failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ] register: discovered_authselect_current_faillock - - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" + - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" # noqa syntax-check[specific]" when: discovered_authselect_current_faillock.rc != 0 - ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + changed_when: true + notify: Authselect update - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled" when: @@ -90,7 +94,8 @@ - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Add feature if missing" when: discovered_authselect_current_quality.rc != 0 - ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + changed_when: true notify: Authselect update - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled" @@ -115,7 +120,8 @@ - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled | enable feature" when: discovered_authselect_current_history.rc != 0 - ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + changed_when: true notify: Authselect update - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled" @@ -133,8 +139,7 @@ - rule_5.3.2.5 block: - name: "5.3.2.5 | AUDIT | Ensure pam_unix module is enabled" - ansible.builtin.shell: | - grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth + ansible.builtin.command: grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth changed_when: false failed_when: discovered_discovered_authselect_pam_unix.rc not in [ 0, 1 ] register: discovered_discovered_authselect_pam_unix @@ -142,12 +147,12 @@ - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth" when: "'system-auth:password' not in discovered_authselect_pam_unix.stdout" ansible.builtin.lineinfile: - path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth + path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/system-auth regexp: "{{ item.regexp }}" line: "{{ item.line }}" backrefs: true - insertafter: "{{ item.after | default (omit) }}" - insertbefore: "{{ item.before | default (omit) }}" + insertafter: "{{ item.after | default(omit) }}" + insertbefore: "{{ item.before | default(omit) }}" loop: - { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', after: '^auth.*pam_faillock.*preauth' } - { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' } @@ -156,12 +161,12 @@ - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | password-auth" when: "'password-auth:password' not in discovered_authselect_pam_unix.stdout" ansible.builtin.lineinfile: - path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth + path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/password-auth line: "{{ item.line }}" regexp: "{{ item.regexp }}" backrefs: true - insertafter: "{{ item.after | default (omit) }}" - insertbefore: "{{ item.before | default (omit) }}" + insertafter: "{{ item.after | default(omit) }}" + insertbefore: "{{ item.before | default(omit) }}" loop: - { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\2', after: '^auth.*pam_faillock.*preauth' } - { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' } diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml index 8206074..f7bfb64 100644 --- a/tasks/section_5/cis_5.3.3.1.x.yml +++ b/tasks/section_5/cis_5.3.3.1.x.yml @@ -1,8 +1,7 @@ --- - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured" - when: - - rhel9cis_rule_5_3_3_1_1 + when: rhel9cis_rule_5_3_3_1_1 tags: - level1-server - level1-workstation @@ -44,8 +43,7 @@ notify: Authselect update - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured" - when: - - rhel9cis_rule_5_3_3_1_2 + when: rhel9cis_rule_5_3_3_1_2 tags: - level1-server - level1-workstation @@ -87,8 +85,7 @@ notify: Authselect update - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account" - when: - - rhel9cis_rule_5_3_3_1_3 + when: rhel9cis_rule_5_3_3_1_3 tags: - level1-server - level1-workstation @@ -104,6 +101,7 @@ line: "{{ rhel9cis_pamroot_lock_option }}" insertafter: '^# end of pam-auth-update config' create: true + mode: 'go-rwx' - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | remove lockout from pam files NOT AuthSelect" when: diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml index 9317326..920ed88 100644 --- a/tasks/section_5/cis_5.3.3.2.x.yml +++ b/tasks/section_5/cis_5.3.3.2.x.yml @@ -1,8 +1,7 @@ --- - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured" - when: - - rhel9cis_rule_5_3_3_2_1 + when: rhel9cis_rule_5_3_3_2_1 tags: - level1-server - level1-workstation @@ -30,7 +29,7 @@ dest: "/{{ rhel9cis_passwd_difok_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from pam files Not AuthSelect" when: @@ -58,8 +57,7 @@ notify: Authselect update - name: "5.3.3.2.2 | PATCH | Ensure password length is configured" - when: - - rhel9cis_rule_5_3_3_2_2 + when: rhel9cis_rule_5_3_3_2_2 tags: - level1-server - level1-workstation @@ -87,7 +85,7 @@ dest: "/{{ rhel9cis_passwd_minlen_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect" when: @@ -115,8 +113,7 @@ notify: Authselect update - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured" - when: - - rhel9cis_rule_5_3_3_2_3 + when: rhel9cis_rule_5_3_3_2_3 tags: - level1-server - level1-workstation @@ -144,7 +141,7 @@ dest: "/{{ rhel9cis_passwd_complex_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove complexity from pam files NOT AuthSelect" when: @@ -172,8 +169,7 @@ notify: Authselect update - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured" - when: - - rhel9cis_rule_5_3_3_2_4 + when: rhel9cis_rule_5_3_3_2_4 tags: - level1-server - level1-workstation @@ -183,8 +179,7 @@ - pam block: - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file" - when: - - item != rhel9cis_passwd_maxrepeat_file + when: item != rhel9cis_passwd_maxrepeat_file ansible.builtin.replace: path: "{{ item }}" regexp: 'maxrepeat\s*=\s*\d+\b' @@ -200,7 +195,7 @@ dest: "/{{ rhel9cis_passwd_maxrepeat_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat from pam files NOT AuthSelect" when: @@ -228,8 +223,7 @@ notify: Authselect update - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured" - when: - - rhel9cis_rule_5_3_3_2_5 + when: rhel9cis_rule_5_3_3_2_5 tags: - level1-server - level1-workstation @@ -257,7 +251,7 @@ dest: "/{{ rhel9cis_passwd_maxsequence_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence from pam files NOT AuthSelect" when: @@ -285,8 +279,7 @@ notify: Authselect update - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled" - when: - - rhel9cis_rule_5_3_3_2_6 + when: rhel9cis_rule_5_3_3_2_6 tags: - level1-server - level1-workstation @@ -313,7 +306,7 @@ dest: "/{{ rhel9cis_passwd_dictcheck_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck from pam files NOT AuthSelect" when: @@ -342,8 +335,7 @@ notify: Authselect update - name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user" - when: - - rhel9cis_rule_5_3_3_2_7 + when: rhel9cis_rule_5_3_3_2_7 tags: - level1-server - level1-workstation @@ -356,4 +348,4 @@ dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}" owner: root group: root - mode: '0600' + mode: 'o-rwx' diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml index 21a03ee..ca5a5dc 100644 --- a/tasks/section_5/cis_5.3.3.3.x.yml +++ b/tasks/section_5/cis_5.3.3.3.x.yml @@ -1,8 +1,7 @@ --- - name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured" - when: - - rhel9cis_rule_5_3_3_3_1 + when: rhel9cis_rule_5_3_3_3_1 tags: - level1-server - level1-workstation @@ -48,8 +47,7 @@ notify: Authselect update - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user" - when: - - rhel9cis_rule_5_3_3_3_2 + when: rhel9cis_rule_5_3_3_3_2 tags: - level1-server - level1-workstation @@ -95,8 +93,7 @@ notify: Authselect update - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok" - when: - - rhel9cis_rule_5_3_3_3_3 + when: rhel9cis_rule_5_3_3_3_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml index a1e5768..ddca97a 100644 --- a/tasks/section_5/cis_5.3.3.4.x.yml +++ b/tasks/section_5/cis_5.3.3.4.x.yml @@ -28,8 +28,7 @@ loop: "{{ discovered_pam_nullok.stdout_lines }}" - name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect" - when: - - rhel9cis_allow_authselect_updates + when: rhel9cis_allow_authselect_updates ansible.builtin.replace: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\snullok(.*$) @@ -67,8 +66,7 @@ loop: "{{ discovered_pam_remember.stdout_lines }}" - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect" - when: - - rhel9cis_allow_authselect_updates + when: rhel9cis_allow_authselect_updates ansible.builtin.replace: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\sremember\s*=\s*=\d*(.*$) @@ -107,8 +105,7 @@ loop: "{{ discovered_pam_remember.stdout_lines }}" - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect" - when: - - rhel9cis_allow_authselect_updates + when: rhel9cis_allow_authselect_updates ansible.builtin.lineinfile: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)(sha512|yescrypt)(.*$) @@ -150,8 +147,7 @@ loop: "{{ discovered_pam_authtok.stdout_lines }}" - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | Add use_authtok pam files AuthSelect" - when: - - rhel9cis_allow_authselect_updates + when: rhel9cis_allow_authselect_updates ansible.builtin.lineinfile: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$) diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 9e92e86..2363590 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -1,8 +1,7 @@ --- - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less" - when: - - rhel9cis_rule_5_4_1_1 + when: rhel9cis_rule_5_4_1_1 tags: - level1-server - level1-workstation @@ -38,8 +37,7 @@ loop: "{{ discovered_max_days.stdout_lines }}" - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured" - when: - - rhel9cis_rule_5_4_1_2 + when: rhel9cis_rule_5_4_1_2 tags: - level1-server - level1-workstation @@ -70,8 +68,7 @@ loop: "{{ discovered_min_days.stdout_lines }}" - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured" - when: - - rhel9cis_rule_5_4_1_3 + when: rhel9cis_rule_5_4_1_3 tags: - level1-server - level1-workstation @@ -96,12 +93,12 @@ - discovered_warn_days.stdout_lines | length > 0 - item in prelim_interactive_usernames.stdout - rhel9cis_force_user_warnage - ansible.builtin.shell: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}" + ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}" + changed_when: true loop: "{{ discovered_warn_days.stdout_lines }}" - name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured" - when: - - rhel9cis_rule_5_4_1_4 + when: rhel9cis_rule_5_4_1_4 tags: - level1-server - level1-workstation @@ -115,8 +112,7 @@ line: 'ENCRYPT_METHOD {{ rhel9cis_passwd_hash_algo | upper }}' - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured" - when: - - rhel9cis_rule_5_4_1_5 + when: rhel9cis_rule_5_4_1_5 tags: - level1-server - level1-workstation @@ -132,23 +128,24 @@ register: discovered_passwdlck_inactive_settings - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set default inactive setting" - ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + changed_when: true when: discovered_passwdlck_inactive_settings.stdout | length == 0 - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" + ansible.builtin.command: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false check_mode: false register: discovered_passwdlck_user_list - name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" when: item in prelim_interactive_usernames.stdout - ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + changed_when: true loop: "{{ discovered_passwdlck_user_list.stdout_lines }}" - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past" - when: - - rhel9cis_rule_5_4_1_6 + when: rhel9cis_rule_5_4_1_6 tags: - level1-server - level1-workstation @@ -172,22 +169,23 @@ register: discovered_passwdlck_user_future - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" + when: + - discovered_passwdlck_user_future.stdout | length > 0 + - not rhel9cis_futurepwchgdate_autofix ansible.builtin.debug: msg: "Warning!! The following accounts have the last PW change date in the future: {{ discovered_passwdlck_user_future.stdout_lines }}" - when: - - discovered_passwdlck_user_future.stdout | length > 0 - - not rhel9cis_futurepwchgdate_autofix - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml when: - discovered_passwdlck_user_future.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix + ansible.builtin.import_tasks: + file: warning_facts.yml - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - ansible.builtin.shell: passwd --expire {{ item }} when: - discovered_passwdlck_user_future.stdout | length > 0 - rhel9cis_futurepwchgdate_autofix + ansible.builtin.command: passwd --expire {{ item }} + changed_when: true loop: "{{ discovered_passwdlck_user_future.stdout_lines }}" diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index 2cf378c..0153820 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -17,7 +17,7 @@ - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - ansible.builtin.shell: passwd -l {{ item }} + ansible.builtin.command: passwd -l {{ item }} changed_when: false failed_when: false loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}" @@ -56,8 +56,7 @@ loop: "{{ discovered_gid0_members.stdout_lines }}" - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group" - when: - - rhel9cis_rule_5_4_2_3 + when: rhel9cis_rule_5_4_2_3 tags: - level1-server - level1-workstation @@ -96,8 +95,7 @@ warn_control_id: '5.4.2.3' - name: "5.4.2.4 | PATCH | Ensure root account access is controlled " - when: - - rhel9cis_rule_5_4_2_4 + when: rhel9cis_rule_5_4_2_4 tags: - level1-server - level1-workstation @@ -108,8 +106,7 @@ msg: "This is set as an assert in tasks/main" - name: "5.4.2.5 | PATCH | Ensure root PATH Integrity" - when: - - rhel9cis_rule_5_4_2_5 + when: rhel9cis_rule_5_4_2_5 tags: - level1-server - level1-workstation @@ -172,15 +169,14 @@ state: directory owner: root group: root - mode: '0755' + mode: 'go-w' follow: false loop: "{{ discovered_root_path_perms.results }}" loop_control: label: "{{ item }}" - name: "5.4.2.6 | PATCH | Ensure root user umask is configured" - when: - - rhel9cis_rule_5_4_2_6 + when: rhel9cis_rule_5_4_2_6 tags: - level1-server - level1-workstation @@ -194,6 +190,9 @@ regexp: \s*umask line: "umask {{ rhel9cis_root_umask }}" create: true + owner: root + group: root + mode: 'go-rwx' - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" when: diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml index 7816938..109b6a5 100644 --- a/tasks/section_5/cis_5.4.3.x.yml +++ b/tasks/section_5/cis_5.4.3.x.yml @@ -1,8 +1,7 @@ --- - name: "5.4.3.1 | PATCH | Ensure nologin is not listed in /etc/shells" - when: - - rhel9cis_rule_5_4_3_1 + when: rhel9cis_rule_5_4_3_1 tags: - level2-server - level2-workstation @@ -20,8 +19,7 @@ replace: "" - name: "5.4.3.2 | PATCH | Ensure default user shell timeout is configured" - when: - - rhel9cis_rule_5_4_3_2 + when: rhel9cis_rule_5_4_3_2 tags: - level1-server - level1-workstation @@ -33,7 +31,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: '0644' + mode: 'go-wx' block: | TMOUT={{ rhel9cis_shell_session_timeout }} readonly TMOUT @@ -43,8 +41,7 @@ - { path: /etc/profile, state: "{{ (rhel9cis_shell_session_file == '/etc/profile') | ternary('present', 'absent') }}" } - name: "5.4.3.3 | PATCH | Ensure default user umask is configured" - when: - - rhel9cis_rule_5_4_3_3 + when: rhel9cis_rule_5_4_3_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 898444f..5896695 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -19,10 +19,11 @@ register: discovered_aide_installed - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB" - when: discovered_aide_installed.changed # noqa: no-handler + when: discovered_aide_installed.changed # noqa no-handler block: - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB" - ansible.builtin.shell: /usr/sbin/aide --init + ansible.builtin.command: /usr/sbin/aide --init + changed_when: true - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB | Wait for file before continuing" ansible.builtin.wait_for: @@ -33,6 +34,7 @@ src: /var/lib/aide/aide.db.new.gz dest: /var/lib/aide/aide.db.gz remote_src: true + mode: 'go-wx' - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked" when: @@ -62,15 +64,15 @@ - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service" when: rhel9cis_aide_scan == "timer" - ansible.builtin.systemd: + ansible.builtin.systemd_service: name: aidecheck.service enabled: true - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service" when: rhel9cis_aide_scan == "timer" - ansible.builtin.systemd: + ansible.builtin.systemd_service: name: aidecheck.timer - state: running + state: started enabled: true - name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" diff --git a/tasks/section_6/cis_6.2.1.x.yml b/tasks/section_6/cis_6.2.1.x.yml index 1a2a8aa..3afa31c 100644 --- a/tasks/section_6/cis_6.2.1.x.yml +++ b/tasks/section_6/cis_6.2.1.x.yml @@ -1,8 +1,7 @@ --- - name: "6.2.1.1 | PATCH | Ensure journald service is enabled and active" - when: - - rhel9cis_rule_6_2_1_1 + when: rhel9cis_rule_6_2_1_1 tags: - level1-server - level1-workstation @@ -15,8 +14,7 @@ state: started - name: "6.2.1.2 | PATCH | Ensure journald log file access is configured" - when: - - rhel9cis_rule_6_2_1_2 + when: rhel9cis_rule_6_2_1_2 tags: - level1-server - level1-workstation @@ -27,7 +25,7 @@ - name: "6.2.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions" ansible.builtin.file: path: /usr/lib/tmpfiles.d/systemd.conf - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file" ansible.builtin.stat: @@ -58,8 +56,7 @@ warn_control_id: '6.2.1.2' - name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured" - when: - - rhel9cis_rule_6_2_1_3 + when: rhel9cis_rule_6_2_1_3 tags: - level1-server - level1-workstation @@ -74,7 +71,7 @@ dest: /etc/systemd/journald.conf.d/rotation.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries" ansible.builtin.replace: @@ -89,8 +86,7 @@ - '^(\s*MaxFileSec\s*=.*)' - name: "6.2.1.4 | PATCH | Ensure only one logging system is in use" - when: - - rhel9cis_rule_6_2_1_4 + when: rhel9cis_rule_6_2_1_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_6/cis_6.2.2.x.yml b/tasks/section_6/cis_6.2.2.x.yml index 3dd8dab..a57efe2 100644 --- a/tasks/section_6/cis_6.2.2.x.yml +++ b/tasks/section_6/cis_6.2.2.x.yml @@ -1,8 +1,7 @@ --- - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled" - when: - - rhel9cis_rule_6_2_2_2 + when: rhel9cis_rule_6_2_2_2 tags: - level1-server - level2-workstation @@ -21,7 +20,7 @@ dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" ansible.builtin.replace: @@ -30,8 +29,7 @@ replace: '#\1' - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured" - when: - - rhel9cis_rule_6_2_2_3 + when: rhel9cis_rule_6_2_2_3 tags: - level1-server - level1-workstation @@ -47,7 +45,7 @@ dest: /etc/systemd/journald.conf.d/storage.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries" ansible.builtin.replace: @@ -56,8 +54,7 @@ replace: '#\1' - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured" - when: - - rhel9cis_rule_6_2_2_4 + when: rhel9cis_rule_6_2_2_4 tags: - level1-server - level1-workstation @@ -74,7 +71,7 @@ dest: /etc/systemd/journald.conf.d/storage.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries" ansible.builtin.replace: diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml index 5af5fcd..9333697 100644 --- a/tasks/section_6/cis_6.2.3.x.yml +++ b/tasks/section_6/cis_6.2.3.x.yml @@ -18,8 +18,7 @@ state: present - name: "6.2.3.2 | PATCH | Ensure rsyslog Service is enabled and active" - when: - - rhel9cis_rule_6_2_3_2 + when: rhel9cis_rule_6_2_3_2 tags: - level1-server - level1-workstation @@ -35,8 +34,7 @@ state: started - name: "6.2.3.3 | PATCH | Ensure journald is configured to send logs to rsyslog" - when: - - rhel9cis_rule_6_2_3_3 + when: rhel9cis_rule_6_2_3_3 tags: - level1-server - level1-workstation @@ -54,8 +52,7 @@ notify: Restart rsyslog - name: "6.2.3.4 | PATCH | Ensure rsyslog log file creation mode is configured" - when: - - rhel9cis_rule_6_2_3_4 + when: rhel9cis_rule_6_2_3_4 tags: - level1-server - level1-workstation @@ -72,8 +69,7 @@ notify: Restart rsyslog - name: "6.2.3.5 | PATCH | Ensure logging is configured" - when: - - rhel9cis_rule_6_2_3_5 + when: rhel9cis_rule_6_2_3_5 tags: - level1-server - level1-workstation @@ -200,8 +196,7 @@ notify: Restart rsyslog - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" - when: - - rhel9cis_rule_6_2_3_7 + when: rhel9cis_rule_6_2_3_7 tags: - level1-server - level1-workstation @@ -238,8 +233,7 @@ - 'InputTCPServerRun' - name: "6.2.3.8 | PATCH | Ensure rsyslog logrotate is configured" - when: - - rhel9cis_rule_6_2_3_8 + when: rhel9cis_rule_6_2_3_8 tags: - level1-server - level1-workstation @@ -266,4 +260,4 @@ dest: /etc/logrotate.d/rsyslog.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' diff --git a/tasks/section_6/cis_6.2.4.1.yml b/tasks/section_6/cis_6.2.4.1.yml index 8111ef4..814c46c 100644 --- a/tasks/section_6/cis_6.2.4.1.yml +++ b/tasks/section_6/cis_6.2.4.1.yml @@ -1,8 +1,7 @@ --- - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured" - when: - - rhel9cis_rule_6_2_4_1 + when: rhel9cis_rule_6_2_4_1 tags: - level1-server - level1-workstation diff --git a/tasks/section_6/cis_6.3.1.x.yml b/tasks/section_6/cis_6.3.1.x.yml index 3039f2c..b27ba99 100644 --- a/tasks/section_6/cis_6.3.1.x.yml +++ b/tasks/section_6/cis_6.3.1.x.yml @@ -27,8 +27,7 @@ state: present - name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" - when: - - rhel9cis_rule_6_3_1_2 + when: rhel9cis_rule_6_3_1_2 tags: - level2-server - level2-workstation @@ -49,11 +48,11 @@ - discovered_grubby_curr_value_audit_linux.stdout == '' or '0' in discovered_grubby_curr_value_audit_linux.stdout or 'off' in discovered_grubby_curr_value_audit_linux.stdout|lower - ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" + ansible.builtin.command: grubby --update-kernel=ALL --args="audit=1" + changed_when: true - name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" - when: - - rhel9cis_rule_6_3_1_3 + when: rhel9cis_rule_6_3_1_3 tags: - level2-server - level2-workstation @@ -81,21 +80,18 @@ discovered_reset_backlog_limits: true - name: "6.3.1.3 | AUDIT | Check to see if any limits are too low" - when: - - (item | int < rhel9cis_audit_back_log_limit) + when: (item | int < rhel9cis_audit_back_log_limit) ansible.builtin.set_fact: discovered_reset_backlog_limits: true loop: "{{ discovered_grubby_curr_value_backlog_linux.stdout_lines }}" - name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied" - when: - - discovered_reset_backlog_limits is defined - ansible.builtin.shell: - cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' + when: discovered_reset_backlog_limits is defined + ansible.builtin.command: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' + changed_when: true - name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active" - when: - - rhel9cis_rule_6_3_1_4 + when: rhel9cis_rule_6_3_1_4 tags: - level2-server - level2-workstation diff --git a/tasks/section_6/cis_6.3.2.x.yml b/tasks/section_6/cis_6.3.2.x.yml index 08a5365..dc0804f 100644 --- a/tasks/section_6/cis_6.3.2.x.yml +++ b/tasks/section_6/cis_6.3.2.x.yml @@ -1,8 +1,7 @@ --- - name: "6.3.2.1 | PATCH | Ensure audit log storage size is configured" - when: - - rhel9cis_rule_6_3_2_1 + when: rhel9cis_rule_6_3_2_1 tags: - level2-server - level2-workstation @@ -17,8 +16,7 @@ notify: Restart auditd - name: "6.3.2.2 | PATCH | Ensure audit logs are not automatically deleted" - when: - - rhel9cis_rule_6_3_2_2 + when: rhel9cis_rule_6_3_2_2 tags: - level2-server - level2-workstation @@ -33,8 +31,7 @@ notify: Restart auditd - name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full" - when: - - rhel9cis_rule_6_3_2_3 + when: rhel9cis_rule_6_3_2_3 tags: - level2-server - level2-workstation @@ -55,8 +52,7 @@ - { regexp: '^disk_error_action', line: 'disk_error_action = {{ rhel9cis_auditd_disk_error_action }}' } - name: "6.3.2.4 | PATCH | Ensure system warns when audit logs are low on space" - when: - - rhel9cis_rule_6_3_2_4 + when: rhel9cis_rule_6_3_2_4 tags: - level2-server - level2-workstation diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml index d279259..5ff73f9 100644 --- a/tasks/section_6/cis_6.3.3.x.yml +++ b/tasks/section_6/cis_6.3.3.x.yml @@ -2,8 +2,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - when: - - rhel9cis_rule_6_3_3_1 + when: rhel9cis_rule_6_3_3_1 tags: - level2-server - level2-workstation @@ -16,8 +15,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.2 | PATCH | Ensure actions as another user are always logged" - when: - - rhel9cis_rule_6_3_3_2 + when: rhel9cis_rule_6_3_3_2 tags: - level2-server - level2-workstation @@ -30,8 +28,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - when: - - rhel9cis_rule_6_3_3_3 + when: rhel9cis_rule_6_3_3_3 tags: - level2-server - level2-workstation @@ -43,8 +40,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.4 | PATCH | Ensure events that modify date and time information are collected" - when: - - rhel9cis_rule_6_3_3_4 + when: rhel9cis_rule_6_3_3_4 tags: - level2-server - level2-workstation @@ -58,8 +54,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - when: - - rhel9cis_rule_6_3_3_5 + when: rhel9cis_rule_6_3_3_5 tags: - level2-server - level2-workstation @@ -73,8 +68,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" - when: - - rhel9cis_rule_6_3_3_6 + when: rhel9cis_rule_6_3_3_6 tags: - level2-server - level2-workstation @@ -97,8 +91,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.7 | PATCH | Ensure unsuccessful file access attempts are collected" - when: - - rhel9cis_rule_6_3_3_7 + when: rhel9cis_rule_6_3_3_7 tags: - level2-server - level2-workstation @@ -111,8 +104,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.8 | PATCH | Ensure events that modify user/group information are collected" - when: - - rhel9cis_rule_6_3_3_8 + when: rhel9cis_rule_6_3_3_8 tags: - level2-server - level2-workstation @@ -125,8 +117,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - when: - - rhel9cis_rule_6_3_3_9 + when: rhel9cis_rule_6_3_3_9 tags: - level2-server - level2-workstation @@ -140,8 +131,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.10 | PATCH | Ensure successful file system mounts are collected" - when: - - rhel9cis_rule_6_3_3_10 + when: rhel9cis_rule_6_3_3_10 tags: - level2-server - level2-workstation @@ -154,8 +144,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.11 | PATCH | Ensure session initiation information is collected" - when: - - rhel9cis_rule_6_3_3_11 + when: rhel9cis_rule_6_3_3_11 tags: - level2-server - level2-workstation @@ -168,8 +157,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.12 | PATCH | Ensure login and logout events are collected" - when: - - rhel9cis_rule_6_3_3_12 + when: rhel9cis_rule_6_3_3_12 tags: - level2-server - level2-workstation @@ -182,8 +170,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.13 | PATCH | Ensure file deletion events by users are collected" - when: - - rhel9cis_rule_6_3_3_13 + when: rhel9cis_rule_6_3_3_13 tags: - level2-server - level2-workstation @@ -197,8 +184,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - when: - - rhel9cis_rule_6_3_3_14 + when: rhel9cis_rule_6_3_3_14 tags: - level2-server - level2-workstation @@ -212,8 +198,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - when: - - rhel9cis_rule_6_3_3_15 + when: rhel9cis_rule_6_3_3_15 tags: - level2-server - level2- workstation @@ -228,8 +213,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - when: - - rhel9cis_rule_6_3_3_16 + when: rhel9cis_rule_6_3_3_16 tags: - level2-server - level2-workstation @@ -244,8 +228,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - when: - - rhel9cis_rule_6_3_3_17 + when: rhel9cis_rule_6_3_3_17 tags: - level2-server - level2-workstation @@ -260,8 +243,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - when: - - rhel9cis_rule_6_3_3_18 + when: rhel9cis_rule_6_3_3_18 tags: - level2-server - level2-workstation @@ -276,8 +258,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected" - when: - - rhel9cis_rule_6_3_3_19 + when: rhel9cis_rule_6_3_3_19 tags: - level2-server - level2-workstation @@ -291,8 +272,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.20 | PATCH | Ensure the audit configuration is immutable" - when: - - rhel9cis_rule_6_3_3_20 + when: rhel9cis_rule_6_3_3_20 tags: - level2-server - level2-workstation @@ -306,8 +286,7 @@ update_audit_template: true - name: "6.3.3.21 | AUDIT | Ensure the running and on disk configuration is the same" - when: - - rhel9cis_rule_6_3_3_21 + when: rhel9cis_rule_6_3_3_21 tags: - level2-server - level2-workstation @@ -321,8 +300,7 @@ - "Please run augenrules --load if you suspect there is a configuration that is not active" - name: Auditd | 6.3.3.x | Auditd controls updated - when: - - update_audit_template + when: update_audit_template ansible.builtin.debug: msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules" changed_when: false diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml index c89af87..806a1ec 100644 --- a/tasks/section_6/cis_6.3.4.x.yml +++ b/tasks/section_6/cis_6.3.4.x.yml @@ -1,8 +1,7 @@ --- - name: "6.3.4.1 | PATCH | Ensure the audit log file directory mode is configured" - when: - - rhel9cis_rule_6_3_4_1 + when: rhel9cis_rule_6_3_4_1 tags: - level2-server - level2-workstation @@ -39,8 +38,7 @@ group: root - name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured" - when: - - rhel9cis_rule_6_3_4_5 + when: rhel9cis_rule_6_3_4_5 tags: - level2-server - level2-workstation @@ -57,8 +55,7 @@ label: "{{ item.path }}" - name: "6.3.4.6 | PATCH | Ensure audit configuration files owner is configured" - when: - - rhel9cis_rule_6_3_4_6 + when: rhel9cis_rule_6_3_4_6 tags: - level2-server - level2-workstation @@ -75,8 +72,7 @@ label: "{{ item.path }}" - name: "6.3.4.7 | PATCH | Ensure audit configuration files group owner is configured" - when: - - rhel9cis_rule_6_3_4_7 + when: rhel9cis_rule_6_3_4_7 tags: - level2-server - level2-workstation @@ -93,8 +89,7 @@ label: "{{ item.path }}" - name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured" - when: - - rhel9cis_rule_6_3_4_8 + when: rhel9cis_rule_6_3_4_8 tags: - level2-server - level2-workstation @@ -114,8 +109,7 @@ - /sbin/augenrules - name: "6.3.4.9 | PATCH | Ensure audit tools owner is configured" - when: - - rhel9cis_rule_6_3_4_9 + when: rhel9cis_rule_6_3_4_9 tags: - level2-server - level2-workstation @@ -135,8 +129,7 @@ - /sbin/augenrules - name: "6.3.4.10 | PATCH | Ensure audit tools group owner is configured" - when: - - rhel9cis_rule_6_3_4_10 + when: rhel9cis_rule_6_3_4_10 tags: - level2-server - level2-workstation diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 232b224..83c83a0 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -83,7 +83,7 @@ path: /etc/shadow owner: root group: root - mode: '0000' + mode: 'ugo-rwx' - name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" when: @@ -100,7 +100,7 @@ path: /etc/shadow- owner: root group: root - mode: '0000' + mode: 'ugo-rwx' - name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" when: @@ -117,7 +117,7 @@ path: /etc/gshadow owner: root group: root - mode: '0000' + mode: 'ugo-rwx' - name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" when: @@ -134,7 +134,7 @@ path: /etc/gshadow- owner: root group: root - mode: '0000' + mode: 'ugo-rwx' - name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured" when: @@ -196,7 +196,7 @@ - rhel9cis_no_world_write_adjust ansible.builtin.file: path: '{{ item }}' - mode: o-w + mode: 'o-w' state: touch loop: "{{ discovered_world_writable.stdout_lines }}" @@ -221,7 +221,7 @@ warn_control_id: '7.1.12' block: - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories" - ansible.builtin.shell: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs + ansible.builtin.command: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs changed_when: false failed_when: false check_mode: false @@ -283,7 +283,7 @@ warn_control_id: '7.1.13' block: - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID" - ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs + ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs changed_when: false failed_when: false check_mode: false diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index 47d48f6..28c7fc6 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -237,7 +237,7 @@ - users - rule_7.2.8 block: - - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent" + - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent" # noqa risky-file-permissions ansible.builtin.file: path: "{{ item.dir }}" state: directory diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml index 98cd4b6..b70a836 100644 --- a/tasks/warning_facts.yml +++ b/tasks/warning_facts.yml @@ -1,5 +1,4 @@ --- - # This task is used to create variables used in giving a warning summary for manual tasks # that need attention # @@ -14,7 +13,7 @@ # # warn_count the main variable for the number of warnings and each time a warn_control_id is added # the count increases by a value of 1 -- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." +- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." # noqa name[template] ansible.builtin.set_fact: warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" warn_count: "{{ warn_count | int + 1 }}" diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index 0f4a4f9..70ebd03 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index bf2d191..e977e4e 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # This template will set all of the auditd configurations via a handler in the role in one task instead of individually diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 index db93323..4c1af92 100644 --- a/templates/etc/cron.d/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 @@ -1,7 +1,7 @@ # Run AIDE integrity check ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # CIS 1.3.2 diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 index efebeac..0e55b5a 100644 --- a/templates/etc/dconf/db/00-automount_lock.j2 +++ b/templates/etc/dconf/db/00-automount_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop media-handling automount setting /org/gnome/desktop/media-handling/automount diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 index 4506f4f..cf9ed5d 100644 --- a/templates/etc/dconf/db/00-autorun_lock.j2 +++ b/templates/etc/dconf/db/00-autorun_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop media-handling settings /org/gnome/desktop/media-handling/autorun-never diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 index 78ad883..640538c 100644 --- a/templates/etc/dconf/db/00-media-automount.j2 +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/desktop/media-handling] automount=false diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 index 81bdfea..382469c 100644 --- a/templates/etc/dconf/db/00-media-autorun.j2 +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/desktop/media-handling] autorun-never=true diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index acfeaee..a747336 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Specify the dconf path [org/gnome/desktop/session] diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 index d6c5d70..5988316 100644 --- a/templates/etc/dconf/db/00-screensaver_lock.j2 +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop screensaver idle-delay setting /org/gnome/desktop/session/idle-delay diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 index c7ae76e..901e9e0 100644 --- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 +++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/login-screen] banner-message-enable=true diff --git a/templates/fs_with_cves.sh b/templates/fs_with_cves.sh index 89ba49b..a6d937c 100644 --- a/templates/fs_with_cves.sh +++ b/templates/fs_with_cves.sh @@ -1,11 +1,8 @@ -{% raw %} -#! /usr/bin/env bash +{% raw %}#! /usr/bin/env bash # Based on original Script provided by CIS # CVEs correct at time of creation - April2024 -#! /usr/bin/env bash - { a_output=(); a_output2=(); a_modprope_config=(); a_excluded=(); a_available_modules=() a_ignore=("xfs" "vfat" "ext2" "ext3" "ext4") diff --git a/vars/audit.yml b/vars/audit.yml index e54deb8..1dc1cf1 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -35,7 +35,7 @@ audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results}} + The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }} {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %} Full breakdown can be found in {{ audit_log_dir }}