From 2634fabd41e801ca8d62ebbe5decb326e747e9a1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Jan 2023 16:29:47 +0000 Subject: [PATCH 001/143] v1.0.0 updates Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 83 +++++++++---------------- tasks/section_1/cis_1.1.2.x.yml | 10 ++- tasks/section_1/cis_1.1.3.x.yml | 20 +++--- tasks/section_1/cis_1.1.4.x.yml | 12 ++-- tasks/section_1/cis_1.1.5.x.yml | 12 ++-- tasks/section_1/cis_1.1.6.x.yml | 10 ++- tasks/section_1/cis_1.1.7.x.yml | 20 +++--- tasks/section_1/cis_1.1.8.x.yml | 78 +++++++++++++++--------- tasks/section_1/cis_1.1.x.yml | 31 +++------- tasks/section_1/cis_1.10.yml | 3 +- tasks/section_1/cis_1.2.x.yml | 104 +++++++++++++++++--------------- tasks/section_1/cis_1.3.x.yml | 25 ++++++-- tasks/section_1/cis_1.4.x.yml | 43 ++----------- tasks/section_1/cis_1.5.x.yml | 12 ++-- tasks/section_1/cis_1.6.1.x.yml | 84 ++++++++++++++++---------- tasks/section_1/cis_1.7.x.yml | 18 ++---- tasks/section_1/cis_1.8.x.yml | 49 +++++++-------- tasks/section_1/cis_1.9.yml | 3 +- 18 files changed, 288 insertions(+), 329 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 1c99b62..cc2156c 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml 
@@ -1,76 +1,49 @@ --- -- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" +- name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled" block: - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" - lineinfile: - path: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install cramfs(\\s|$)" - line: "install cramfs /bin/true" - create: true - mode: 0600 - - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" - modprobe: - name: cramfs - state: absent - when: not system_is_container - when: - - rhel9cis_rule_1_1_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.1.1 - - cramfs - -- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled" - block: - - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" - lineinfile: + - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" + ansible.builtin.lineinfile: path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: true mode: 0600 - - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" + - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" modprobe: name: squashfs state: absent when: not system_is_container + when: + - rhel9cis_rule_1_1_1_1 + tags: + - level2-server + - level2-workstation + - patch + - rule_1.1.1.1 + - squashfs + +- name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled" + block: + - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install udf(\\s|$)" + line: "install udf /bin/true" + create: true + mode: 0600 + + - name: "1.1.1.2 | PATCH | 
Ensure mounting of udf filesystems is disable | Disable udf" + modprobe: + name: udf + state: absent + when: not system_is_container when: - rhel9cis_rule_1_1_1_2 tags: - level2-server - level2-workstation - - automated - patch - rule_1.1.1.2 - - squashfs - -- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled" - block: - - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config" - lineinfile: - path: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install udf(\\s|$)" - line: "install udf /bin/true" - create: true - mode: 0600 - - - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" - modprobe: - name: udf - state: absent - when: not system_is_container - when: - - rhel9cis_rule_1_1_1_3 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_1.1.1.3 - udf diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index d7db5a6..ab737cc 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -3,13 +3,13 @@ - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition" block: - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! /tmp is not mounted on a separate partition" when: - required_mount not in mount_names - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: @@ -28,7 +28,6 @@ tags: - level1-server - level1-workstation - - automated - audit - mounts - rule_1.1.2.1 @@ -38,7 +37,7 @@ "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" - mount: + ansible.builtin.mount: name: /tmp src: "{{ item.device }}" fstype: "{{ item.fstype }}" 
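Review bot: The new 1.1.1.1 and 1.1.1.2 blocks qualify `lineinfile` as `ansible.builtin.lineinfile` but leave the second subtask as a bare `modprobe:`; since the module is not in `ansible.builtin`, the consistent form is `community.general.modprobe:` for both rules. The task names for 1.1.1.2 still read "is disable" where the parent task says "is disabled", so `- name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | Edit modprobe config"` (and the same for the Disable udf subtask) would make the names match. The modprobe.d line written is `install squashfs /bin/true`; the CIS remediation text for these controls also expects a `blacklist <module>` line and uses `/bin/false`, which is worth confirming against the benchmark revision this v1.0.0 update targets.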
@@ -58,7 +57,6 @@ tags: - level1-server - level1-workstation - - automated - patch - mounts - rule_1.1.2.2 @@ -71,7 +69,7 @@ "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" - template: + ansible.builtin.template: src: etc/systemd/system/tmp.mount.j2 dest: /etc/systemd/system/tmp.mount owner: root diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 9e4feb8..3780e2f 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -3,7 +3,7 @@ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var" block: - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_mount_absent changed_when: var_mount_absent.skipped is undefined @@ -11,14 +11,14 @@ - required_mount not in mount_names - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" - debug: + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: var_mount_present when: @@ -30,7 +30,6 @@ tags: - level2-server - level2-workstation - - automated - patch - mounts - rule_1.1.3.1 
@@ -38,14 +37,13 @@ # skips if mount is absent - name: | "1.1.3.2 | PATCH | Ensure nodev option set on /var partition" - "1.1.3.3 | PATCH | Ensure noexec option set on /var partition" - "1.1.3.4 | PATCH | Ensure nosuid option set on /var partition" - mount: + "1.1.3.3 | PATCH | Ensure nosuid option set on /var partition" + ansible.builtin.mount: name: /var src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -56,15 +54,13 @@ - item.mount == "/var" - rhel9cis_rule_1_1_3_1 # This is required so the check takes place - rhel9cis_rule_1_1_3_2 or - rhel9cis_rule_1_1_3_3 or - rhel9cis_rule_1_1_3_4 + rhel9cis_rule_1_1_3_3 tags: - level1-server - level1-workstation - - automated - patch - mounts - skip_ansible_lint - rule_1.1.3.2 - rule_1.1.3.3 - - rule_1.1.3.4 + diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index d05db6a..742a5d7 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -4,7 +4,7 @@ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp" block: - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_tmp_mount_absent changed_when: var_tmp_mount_absent.skipped is undefined 
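Review bot: The rewritten `opts` line for /var ends with `nosuid,{% endif %}`, so when 1.1.3.3 is enabled the fstab option string becomes `defaults,nodev,nosuid,` with a trailing comma; the previous form left the last option without one. Whether mount and the fstab generator tolerate an empty trailing option is not shown by the hunk, so the safer form is `opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid{% endif %}`. The same trailing comma is introduced in the /home hunk of cis_1.1.7.x.yml (`nosuid,{% endif %}`). The added blank line at the end of the second hunk in this file is a stray trailing newline.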
@@ -12,14 +12,14 @@ - required_mount not in mount_names - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - debug: + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: var_tmp_mount_present when: @@ -31,7 +31,6 @@ tags: - level2-server - level2-workstation - - automated - audit - mounts - rule_1.1.4.1 @@ -41,12 +40,12 @@ "1.1.4.2 | PATCH | Ensure noexec option set on /var/tmp partition" "1.1.4.3 | PATCH | Ensure nosuid option set on /var/tmp partition" "1.1.4.4 | PATCH | Ensure nodev option set on /var/tmp partition" - mount: + ansible.builtin.mount: name: /var/tmp src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nodev{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -62,7 +61,6 @@ tags: - level1-server - level1-workstation - - automated - patch - mounts - skip_ansible_lint diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index dd4ab9f..0fa245b 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml 
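Review bot: In the rewritten `opts` for /var/tmp the nodev option is gated by `rhel9cis_rule_1_1_4_3` instead of `rhel9cis_rule_1_1_4_4`, so disabling 1.1.4.4 alone leaves nodev in place and disabling 1.1.4.3 silently drops both nosuid and nodev. The task name and the surrounding `when:` list (outside this hunk) still treat 1.1.4.4 as the nodev rule, so the last branch should read `{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %}`. Note also that nosuid is now followed by a comma, so the string ends in `nosuid,` whenever 1.1.4.4 is off.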
@@ -3,7 +3,7 @@ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log" block: - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_log_mount_absent changed_when: var_log_mount_absent.skipped is undefined @@ -11,14 +11,14 @@ - required_mount not in mount_names - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" - debug: + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: var_log_mount_present when: @@ -30,7 +30,6 @@ tags: - level2-server - level2-workstation - - automated - audit - mounts - rule_1.1.5.1 @@ -40,12 +39,12 @@ "1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition" "1.1.5.3 | PATCH | Ensure noexec option set on /var/log partition" "1.1.5.4 | PATCH | Ensure nosuid option set on /var/log partition" - mount: + ansible.builtin.mount: name: /var/log src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -61,7 +60,6 @@ tags: - level1-server - level1-workstation - - automated - patch - mounts - skip_ansible_lint diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index afbe41a..a496f43 100644 --- a/tasks/section_1/cis_1.1.6.x.yml 
+++ b/tasks/section_1/cis_1.1.6.x.yml @@ -3,7 +3,7 @@ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit" block: - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_log_audit_mount_absent changed_when: var_log_audit_mount_absent.skipped is undefined @@ -11,14 +11,14 @@ - required_mount not in mount_names - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - debug: + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: var_log_audit_mount_present when: @@ -30,7 +30,6 @@ tags: - level2-server - level2-workstation - - automated - audit - mounts - rule_1.1.6.1 @@ -39,7 +38,7 @@ "1.1.6.2 | PATCH | Ensure noexec option set on /var/log/audit partition" "1.1.6.3 | PATCH | Ensure nodev option set on /var/log/audit partition" "1.1.6.4 | PATCH | Ensure nosuid option set on /var/log/audit partition" - mount: + ansible.builtin.mount: name: /var/log/audit src: "{{ item.device }}" fstype: "{{ item.fstype }}" @@ -60,7 +59,6 @@ tags: - level1-server - level1-workstation - - automated - patch - mounts - skip_ansible_lint diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 59f28ba..dc9ea6a 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml 
@@ -3,7 +3,7 @@ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home" block: - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: home_mount_absent changed_when: home_mount_absent.skipped is undefined @@ -11,14 +11,14 @@ - required_mount not in mount_names - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" - debug: + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: home_mount_present when: @@ -30,7 +30,6 @@ tags: - level2-server - level2-workstation - - automated - audit - mounts - rule_1.1.7.1 @@ -38,15 +37,13 @@ - name: | "1.1.7.2 | PATCH | Ensure nodev option set on /home partition - 1.1.7.3 | PATCH | Ensure nosuid option set on /home partition - 1.1.7.4 | PATCH | Ensure usrquota option set on /home partition - 1.1.7.5 | PATCH | Ensure grpquota option set on /home partition" - mount: + 1.1.7.3 | PATCH | Ensure nosuid option set on /home partition" + ansible.builtin.mount: name: /home src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel9cis_rule_1_1_7_5 %}grpquota{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: 
@@ -57,13 +54,10 @@ - item.mount == "/home" - rhel9cis_rule_1_1_7_1 - rhel9cis_rule_1_1_7_2 or - rhel9cis_rule_1_1_7_3 or - rhel9cis_rule_1_1_7_4 or - rhel9cis_rule_1_1_7_5 + rhel9cis_rule_1_1_7_3 tags: - level1-server - level1-workstation - - automated - patch - mounts - rule_1.1.7.2 diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 26ae877..c9a6394 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml 
@@ -1,43 +1,61 @@ --- # Skips if mount is absent -- name: | - "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition - 1.1.8.2 | PATCH | Ensure nosuid option set on /dev/shm partition - 1.1.8.3 | PATCH | Ensure noexec option set on /dev/shm partition" +- name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a sepretae partition" block: - - name: | - "1.1.8.1 | AUDIT | Ensure nodev option set on /dev/shm partition | Check for /dev/shm existence - 1.1.8.2 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence - 1.1.8.3 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence" - shell: mount -l | grep -E '\s/dev/shm\s' - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_1_1_8_x_dev_shm_status + - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a sepretae partition | Absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + register: home_mount_absent + changed_when: home_mount_absent.skipped is undefined + when: + - required_mount not in mount_names - - name: | - "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option - 1.1.8.2 | PATCH | Ensure noexec option set on /dev/shm partition | Set nosuid option - 1.1.8.3 | PATCH | Ensure nosuid option set on /dev/shm partition | Set noexec option" - mount: - name: /dev/shm - src: tmpfs - fstype: tmpfs - state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} - when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" - notify: change_requires_reboot + - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" + ansible.builtin.set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.8.1' ]" + warn_count: "{{ warn_count | int + 1 }}" + when: + - required_mount not in mount_names + + - name: "1.1.8.1 | 
AUDIT | Ensure separate partition exists for /home | Present" + ansible.builtin.debug: + msg: "Congratulations: {{ required_mount }} exists." + register: home_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/dev/shm' when: - - rhel9cis_rule_1_1_8_1 or - rhel9cis_rule_1_1_8_2 or - rhel9cis_rule_1_1_8_3 + - rhel9cis_rule_1_1_8_1 tags: - level1-server - level1-workstation - - automated - - patch + - audit - mounts - rule_1.1.8.1 + - skip_ansible_lint + +- name: | + "1.1.8.2 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option + 1.1.8.3 | PATCH | Ensure noexec option set on /dev/shm partition | Set nosuid option + 1.1.8.4 | PATCH | Ensure nosuid option set on /dev/shm partition | Set noexec option" + ansible.builtin.mount: + name: /dev/shm + src: tmpfs + fstype: tmpfs + state: mounted + opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %} + notify: change_requires_reboot + when: + - rhel9cis_rule_1_1_8_2 or + rhel9cis_rule_1_1_8_3 or + rhel9cis_rule_1_1_8_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.8.2 - rule_1.1.8.3 + - rule_1.1.8.4 diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index ea5c862..77cbf0f 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml 
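Review bot: The new 1.1.8.1 block was copied from the /home audit without updating its labels: the parent and first subtask say "sepretae partition", and the Warn Count and Present subtasks are still named "Ensure separate partition exists for /home" although `required_mount` is `/dev/shm`. The registered results are also named `home_mount_absent` / `home_mount_present`, the same names cis_1.1.7.x.yml registers, which is harmless here because each is only read by its own `changed_when` but misleading for anyone grepping; `register: dev_shm_mount_absent` and `register: dev_shm_mount_present` would make the intent clear. In the 1.1.8.2–1.1.8.4 mount task the sub-labels are swapped relative to the rule titles ("Ensure noexec ... | Set nosuid option", "Ensure nosuid ... | Set noexec option"), which is only a naming issue since the `opts` template itself maps each rule variable to the right option.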
@@ -1,26 +1,9 @@ --- -- name: "1.1.9 | PATCH | Disable Automounting" - service: - name: autofs - enabled: false - when: - - not rhel9cis_allow_autofs - - "'autofs' in ansible_facts.packages" - - rhel9cis_rule_1_1_9 - tags: - - level1-server - - level2-workstation - - automated - - patch - - mounts - - automounting - - rule_1.1.9 - -- name: "1.1.10 | PATCH | Disable USB Storage" +- name: "1.1.9 | PATCH | Disable USB Storage" block: - - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config" - lineinfile: + - name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config" + ansible.builtin.lineinfile: path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" @@ -29,12 +12,12 @@ group: root mode: 0600 - - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config" - modprobe: + - name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config" + ansible.builtin.modprobe: name: usb-storage state: absent when: - - rhel9cis_rule_1_1_10 + - rhel9cis_rule_1_1_9 tags: - level1-server - level2-workstation @@ -42,4 +25,4 @@ - patch - mounts - removable_storage - - rule_1.1.10 + - rule_1.1.9 diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index 19ddc3f..1b0d2a2 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -1,7 +1,7 @@ --- - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy" - shell: | + ansible.builtin.shell: | update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" update-crypto-policies notify: change_requires_reboot @@ -11,7 +11,6 @@ tags: - level1-server - level1-workstation - - automated - no system_is_ec2 - patch - rule_1.10 diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 9445d15..9a1a6c2 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
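Review bot: The renumbered 1.1.9 USB-storage block now calls `ansible.builtin.modprobe:`, but there is no modprobe module in the `ansible.builtin` collection; the module lives in `community.general`, so this task will fail to resolve at runtime. The line should be `community.general.modprobe:`, and the bare `modprobe:` left in cis_1.1.1.x.yml by this same commit should use the same qualified name for consistency. The second subtask also reuses the name "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config" although it unloads the module, so `- name: "1.1.9 | PATCH | Disable USB Storage | Disable usb-storage"` would distinguish the two steps in play output.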
@@ -1,54 +1,35 @@ --- -- name: "1.2.1 | PATCH | Ensure Red Hat Subscription Manager connection is configured" - redhat_subscription: - state: present - username: "{{ rhel9cis_rh_sub_user }}" - password: "{{ rhel9cis_rh_sub_password }}" - auto_attach: true - no_log: true - when: - - ansible_distribution == "RedHat" - - rhel9cis_rhnsd_required - - rhel9cis_rule_1_2_1 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_1.2.1 - - skip_ansible_lint # Added as no_log still errors on ansuible-lint - -- name: "1.2.2 | AUDIT | Ensure GPG keys are configured" +- name: "1.2.1 | AUDIT | Ensure GPG keys are configured" block: - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" - shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" + - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" + ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" changed_when: false failed_when: false register: os_installed_pub_keys - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Query found keys" - shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\"" + - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys" + ansible.builtin.shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\"" changed_when: false failed_when: false register: os_gpg_key_check when: os_installed_pub_keys.rc == 0 - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys pass" - debug: + - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys pass" + ansible.builtin.debug: msg: "Congratulations !! 
- The installed gpg keys match expected values" when: - os_installed_pub_keys.rc == 0 - os_gpg_key_check.rc == 0 - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys fail" - fail: + - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail" + ansible.builtin.fail: msg: Installed GPG Keys do not meet expected values or keys installed that are not expected when: - os_installed_pub_keys.rc == 1 or os_gpg_key_check.rc == 1 when: - - rhel9cis_rule_1_2_2 + - rhel9cis_rule_1_2_1 - ansible_distribution == "RedHat" or ansible_distribution == "Rocky" or ansible_distribution == "AlmaLinux" @@ -57,19 +38,19 @@ - level1-workstation - manual - patch - - rule_1.2.2 + - rule_1.2.1 -- name: "1.2.3| PATCH | Ensure gpgcheck is globally activated" +- name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated" block: - - name: "1.2.3 | AUDIT | Ensure gpgcheck is globally activated | Find repos" - find: + - name: "1.2.2 | AUDIT | Ensure gpgcheck is globally activated | Find repos" + ansible.builtin.find: paths: /etc/yum.repos.d patterns: "*.repo" register: yum_repos changed_when: false - - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" - replace: + - name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" + ansible.builtin.replace: name: "{{ item.path }}" regexp: "^gpgcheck=0" replace: "gpgcheck=1" 
@@ -78,35 +59,63 @@ loop_control: label: "{{ item.path }}" when: - - rhel9cis_rule_1_2_3 + - rhel9cis_rule_1_2_2 tags: - level1-server - level1-workstation - automated - patch - - rule_1.2.3 + - rule_1.2.2 -- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured" +- name: "1.2.3 | AUDIT | Ensure package manager repositories are configured" block: - - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Get repo list" - command: dnf repolist + - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Get repo list" + ansible.builtin.command: dnf repolist changed_when: false failed_when: false register: dnf_configured check_mode: false - args: - warn: false - - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" - debug: + - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Display repo list" + ansible.builtin.debug: msg: - "Warning!! Below are the configured repos. 
Please review and make sure all align with site policy" - "{{ dnf_configured.stdout_lines }}" - - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Warn Count" - set_fact: - control_number: "{{ control_number }} + ['rule_1.2.4']" + - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count" + ansible.builtin.set_fact: + control_number: "{{ control_number }} + ['rule_1.2.3']" warn_count: "{{ warn_count | int + 1 }}" + when: + - rhel9cis_rule_1_2_3 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_1.2.3 + - skip_ansible_lint + +- name: "1.2.4 | AUDIT | Ensure repo_gpgcheck is globally activated" + block: + - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | dnf.conf" + ansible.builtin.lineinfile: + path: /etc/dnf/dnf.conf + regexp: '^repo_gpgcheck' + line: repo_gpgcheck 1 + + - name: "1.2.4 | AUDIT| Ensure repo_gpgcheck is globally activated | get repo files" + ansible.builtin.find: + path: /etc/yum.repos.d + patterns: '*.repo' + register: repo_files + + - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" + ansible.builtin.lineinfile: + path: "{{ item }}" + regexp: '^repo_gpgcheck' + line: repo_gpgcheck=1 + loop: "{{ repo_files.files }}" when: - rhel9cis_rule_1_2_4 tags: @@ -115,4 +124,3 @@ - manual - audit - rule_1.2.4 - - skip_ansible_lint diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 4dd7bcd..1fce7fa 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml 
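Review bot: The new 1.2.4 repo_gpgcheck block has two defects that together mean repository metadata signature checking is never actually turned on. The dnf.conf task writes `line: repo_gpgcheck 1`, which is not a `key=value` entry and will be ignored or rejected by dnf; it should be `line: repo_gpgcheck=1` as the repo-file task already uses. The repo-file task loops over `repo_files.files`, which `find` returns as a list of dicts, so `path: "{{ item }}"` passes a dict as the file path; it should be `path: "{{ item.path }}"` exactly as the 1.2.2 task earlier in this file does. Because `lineinfile` appends when the regexp does not match, a `.repo` file with several `[section]` stanzas will only have the last stanza amended, which is worth a comment or a switch to a per-section approach; the block is also tagged `audit`/`manual` and titled AUDIT while its subtasks are PATCH operations.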
@@ -3,12 +3,12 @@ - name: "1.3.1 | PATCH | Ensure AIDE is installed" block: - name: "1.3.1 | PATCH | Ensure AIDE is installed | Install AIDE" - package: + ansible.builtin.package: name: aide state: present - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + ansible.builtin.command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' changed_when: false failed_when: false async: 45 @@ -22,13 +22,12 @@ tags: - level1-server - level1-workstation - - automated - aide - patch - rule_1.3.1 - name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" - cron: + ansible.builtin.cron: name: Run AIDE integrity check cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}" user: "{{ rhel9cis_aide_cron['cron_user'] }}" @@ -44,8 +43,24 @@ tags: - level1-server - level1-workstation - - automated - aide - file_integrity - patch - rule_1.3.2 + +- name: "1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools" + ansible.builtin.template: + src: etc/aide.conf.d/crypt_audit_procs.conf.j2 + dest: /etc/aide.conf.d/crypt_audit_procs.conf + owner: root + group: 0640 + when: + - rhel9cis_rule_1_3_2 + - not system_is_ec2 + tags: + - level1-server + - level1-workstation + - aide + - file_integrity + - patch + - rule_1.3.3 diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index cdad67f..61174d2 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -1,7 +1,7 @@ --- - name: "1.4.1 | PATCH | Ensure bootloader password is set" - copy: + ansible.builtin.copy: dest: /boot/grub2/user.cfg content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy owner: root @@ -14,7 +14,6 @@ tags: - level1-server - level1-workstation - - automated - grub - patch - rule_1.4.1 
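Review bot: The new 1.3.3 template task sets `group: 0640`, which asks Ansible to chown the AIDE config to a group named or numbered 0640 rather than setting permissions; the intended lines are almost certainly `group: root` followed by `mode: 0640`. The task is also gated on `rhel9cis_rule_1_3_2` while it is tagged `rule_1.3.3`, so disabling 1.3.2 would silently skip 1.3.3 and vice versa; `when: - rhel9cis_rule_1_3_3` matches the tag. The task name lacks the `| PATCH |` separator every other task in the file uses.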
@@ -22,51 +21,21 @@ - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" block: - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" - file: + ansible.builtin.file: path: /boot/grub2/grub.cfg owner: root group: root mode: 0600 + loop: + - grub.cfg + - grubenv + - user.cfg - - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | UEFI" - mount: - name: /boot/efi - src: "UUID={{ item.uuid }}" - fstype: vfat - state: present - opts: defaults,umask=0027,fmask=0077,uid=0,gid=0 - passno: '0' - with_items: - - "{{ ansible_mounts }}" - loop_control: - label: "{{ item.mount }}" - when: - - not rhel9cis_legacy_boot - - item.mount == "/boot/efi" when: - rhel9cis_rule_1_4_2 tags: - level1-server - level1-workstation - - automated - grub - patch - rule_1.4.2 - -- name: "1.4.3 | PATCH | Ensure authentication is required when booting into rescue mode" - lineinfile: - path: /etc/systemd/system/rescue.service.d/00-require-auth.conf - regexp: '^ExecStart=' - line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" - create: true - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_4_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.4.3 diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 031ba5c..d025981 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -1,7 +1,7 @@ --- - name: "1.5.1 | PATCH | Ensure core dump storage is disabled" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf regexp: '^Storage\s*=\s*(?!none).*' line: 'Storage=none' @@ -12,12 +12,11 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_1.5.1 - name: "1.5.2 | PATCH | Ensure core dump backtraces are disabled" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$' line: 'ProcessSizeMax=0' 
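Review bot: The 1.4.2 file task gains `loop:` over grub.cfg, grubenv and user.cfg, but `path: /boot/grub2/grub.cfg` is unchanged, so the loop just sets grub.cfg three times and grubenv and user.cfg — the latter holding the `GRUB2_PASSWORD` hash written by 1.4.1 earlier in this file — keep their existing permissions. The path should use the loop variable, `path: "/boot/grub2/{{ item }}"`. With the UEFI mount task removed in this hunk, nothing in the file now handles permissions for /boot/efi on non-legacy-boot systems; if that is intentional for v1.0.0 a short comment above the block saying so would help.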
@@ -26,7 +25,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sysctl - rule_1.5.2 @@ -34,17 +32,17 @@ - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" block: - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - set_fact: + ansible.builtin.set_fact: sysctl_update: true + - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" when: - rhel9cis_rule_1_5_3 tags: - level1-server - level1-workstation - - automated - patch - sysctl - rule_1.5.3 diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 9a8d134..bfb9c91 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -1,7 +1,7 @@ --- - name: "1.6.1.1 | PATCH | Ensure SELinux is installed" - package: + ansible.builtin.package: name: libselinux state: present when: @@ -14,10 +14,13 @@ - rule_1.6.1.1 - name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" - replace: + ansible.builtin.replace: dest: /etc/default/grub - regexp: 'selinux=0' + regexp: '{{ item }}' replace: '' + loop: + - selinux=0 + - enforcing=0 register: selinux_grub_patch ignore_errors: true # noqa ignore-errors notify: grub2cfg @@ -32,10 +35,10 @@ # State set to enforcing because control 1.6.1.5 requires enforcing to be set - name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured" - selinux: + ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" - state: enforcing + state: "{{ rhel9cis_selinux_enforce }}" when: - not rhel9cis_selinux_disable - rhel9cis_rule_1_6_1_3 
@@ -47,78 +50,95 @@ - patch - rule_1.6.1.3 -- name: "1.6.1.4 | PATCH | Ensure the SELinux state is enforcing" - selinux: +- name: "1.6.1.4 | PATCH | Ensure the SELinux state is not disabled" + ansible.posix.selinux: + conf: /etc/selinux/config + policy: "{{ rhel9cis_selinux_pol }}" + state: "{{ rhel9cis_selinux_enforce }}" + when: + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_4 + tags: + - level1-server + - level1-workstation + - automated + - selinux + - patch + - rule_1.6.1.4 + +- name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" + ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" state: enforcing when: - not rhel9cis_selinux_disable - - rhel9cis_rule_1_6_1_4 + - rhel9cis_selinux_enforce == 'enforcing' + - rhel9cis_rule_1_6_1_5 tags: - level2-server - level2-workstation - automated - selinux - patch - - rule_1.6.1.4 + - rule_1.6.1.5 -- name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist" +- name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist" block: - - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" - shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' - register: rhelcis_1_6_1_5_unconf_services + - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" + ansible.builtin.shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' + register: rhelcis_1_6_1_6_unconf_services failed_when: false changed_when: false - - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services" - debug: + - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services" + ansible.builtin.debug: msg: "Good News! 
There are no services found on your system" - when: rhelcis_1_6_1_5_unconf_services.stdout | length == 0 + when: rhelcis_1_6_1_6_unconf_services.stdout | length == 0 - - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" - debug: + - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" + ansible.builtin.debug: msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" - when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 + when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 - - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | warning count" - set_fact: + - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.6.1.5' ]" warn_count: "{{ warn_count | int + 1 }}" - when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 + when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 when: - - rhel9cis_rule_1_6_1_5 + - rhel9cis_rule_1_6_1_6 tags: - level1-server - level1-workstation - automated - audit - services - - rule_1.6.1.5 + - rule_1.6.1.6 -- name: "1.6.1.6 | PATCH | Ensure SETroubleshoot is not installed" - package: +- name: "1.6.1.7 | PATCH | Ensure SETroubleshoot is not installed" + ansible.builtin.package: name: setroubleshoot state: absent when: - - rhel9cis_rule_1_6_1_6 + - rhel9cis_rule_1_6_1_7 - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server - automated - selinux - patch - - rule_1.6.1.6 + - rule_1.6.1.7 -- name: "1.6.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" - package: +- name: "1.6.1.8 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" + ansible.builtin.package: name: mcstrans state: absent when: - - rhel9cis_rule_1_6_1_7 + - rhel9cis_rule_1_6_1_8 tags: - level1-server - level1-workstation - automated - patch - - rule_1.6.1.7 + - 
rule_1.6.1.8 diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 1ee5579..a66cb6c 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -1,7 +1,7 @@ --- - name: "1.7.1 | PATCH | Ensure message of the day is configured properly" - template: + ansible.builtin.template: src: etc/motd.j2 dest: /etc/motd owner: root @@ -12,13 +12,12 @@ tags: - level1-server - level1-workstation - - automated - banner - patch - rule_1.7.1 - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" - template: + ansible.builtin.template: src: etc/issue.j2 dest: /etc/issue owner: root @@ -29,12 +28,11 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_1.7.2 - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" - template: + ansible.builtin.template: src: etc/issue.net.j2 dest: /etc/issue.net owner: root @@ -45,13 +43,12 @@ tags: - level1-server - level1-workstation - - automated - banner - patch - rule_1.7.3 - name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" - file: + ansible.builtin.file: dest: /etc/motd state: file owner: root @@ -62,13 +59,12 @@ tags: - level1-server - level1-workstation - - automated - perms - patch - rule_1.7.4 - name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" - file: + ansible.builtin.file: dest: /etc/issue state: file owner: root @@ -79,13 +75,12 @@ tags: - level1-server - level1-workstation - - automated - perms - patch - rule_1.7.5 - name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - file: + ansible.builtin.file: dest: /etc/issue.net state: file owner: root @@ -96,7 +91,6 @@ tags: - level1-server - level1-workstation - - automated - perms - patch - rule_1.7.6 diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index f47d2a1..fe690c5 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml 
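Review bot: The rename to `rhelcis_1_6_1_6_unconf_services` missed two references inside the 1.6.1.6 block: the warning `msg` still interpolates `rhelcis_1_6_1_5_unconf_services.stdout_lines`, which is now undefined, so the play aborts on exactly the hosts that do have unconfined services, and the warn counter still appends `'rule_1.6.1.5'`; change them to `rhelcis_1_6_1_6_unconf_services.stdout_lines` and `'rule_1.6.1.6'`. Separately, 1.6.1.5 now runs only `when: rhel9cis_selinux_enforce == 'enforcing'` while setting `state: enforcing`, which makes the level-2 control a no-op on any host where the variable is permissive; if level 2 is meant to force enforcing regardless, the rule toggle alone should gate it. The new 1.6.1.4 task is otherwise identical to 1.6.1.3, which is worth a one-line comment so the duplication is not mistaken for an error.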
@@ -1,7 +1,7 @@ --- - name: "1.8.1 | PATCH | Ensure GNOME Display Manager is removed" - package: + ansible.builtin.package: name: gdm state: absent when: @@ -16,7 +16,7 @@ - rule_1.8.1 - name: "1.8.2 | PATCH | Ensure GDM login banner is configured" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item.file }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -45,8 +45,8 @@ - gdm - rule_1.8.2 -- name: "1.8.3 | PATCH | Ensure last logged in user display is disabled" - lineinfile: +- name: "1.8.3 | PATCH | Ensure GDM disable-user-list option is enabled" + ansible.builtin.lineinfile: path: "{{ item.file }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -72,24 +72,8 @@ - gui - rule_1.8.3 -- name: "1.8.4 | PATCH | Ensure XDMCP is not enabled" - lineinfile: - path: /etc/gdm/custom.conf - regexp: 'Enable=true' - state: absent - when: - - rhel9cis_rule_1_8_4 - - rhel9cis_gui - tags: - - level1-server - - level1-workstation - - automated - - patch - - gui - - rule_1.8.4 - -- name: "1.8.5 | PATCH | Ensure automatic mounting of removable media is disabled" - lineinfile: +- name: "1.8.6 | PATCH | Ensure automatic mounting of removable media is disabled" + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/00-media-automount regexp: "{{ item.regex }}" line: "{{ item.line }}" @@ -103,7 +87,7 @@ - { regex: 'automount=', line: 'automount=false' } - { regex: 'automount-open=', line: 'automount-open=false'} when: - - rhel9cis_rule_1_8_5 + - rhel9cis_rule_1_8_6 - rhel9cis_gui tags: - level1-server @@ -111,4 +95,21 @@ - automated - patch - gui - - rule_1.8.5 + - rule_1.8.6 + + +- name: "1.8.10 | PATCH | Ensure XDMCP is not enabled" + ansible.builtin.lineinfile: + path: /etc/gdm/custom.conf + regexp: 'Enable=true' + state: absent + when: + - rhel9cis_rule_1_8_10 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - automated + - patch + - gui + - rule_1.8.4 
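Review bot: The new 1.8.10 task still carries `- rule_1.8.4` in its tags, so `--tags rule_1.8.10` skips the XDMCP control and `--tags rule_1.8.4` runs it; change it to `- rule_1.8.10`. The `regexp: 'Enable=true'` is also unanchored and section-blind: lineinfile uses a search match, so it would delete a `WaylandEnable=true` line, or an `Enable=true` under `[debug]`, from /etc/gdm/custom.conf instead of only the one under `[xdmcp]`. At minimum anchor it with `regexp: '^Enable=true'`; an ini-style edit scoped to the `[xdmcp]` section would make the intent explicit. The doubled blank line before the task will trip yamllint's `empty-lines` rule.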
diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index 42c27b1..37ede1b 100644 --- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -1,7 +1,7 @@ --- - name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" - package: + ansible.builtin.package: name: "*" state: latest notify: change_requires_reboot @@ -11,7 +11,6 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_1.9 - skip_ansible_lint From 50e24dfac11e6215fd9ea4be13c1b3e7b8a49429 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 9 Jan 2023 16:30:02 +0000 Subject: [PATCH 002/143] v1.0.0 updates Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 7 +- tasks/section_2/cis_2.2.x.yml | 243 ++++++++++++++-------------------- tasks/section_2/cis_2.3.x.yml | 92 +++++-------- tasks/section_2/cis_2.4.yml | 24 ++-- 4 files changed, 147 insertions(+), 219 deletions(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 1db8179..43cc226 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -1,7 +1,7 @@ --- - name: "2.1.1 | PATCH | Ensure time synchronization is in use" - package: + ansible.builtin.package: name: chrony state: present when: @@ -10,14 +10,13 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_2.1.1 - name: "2.1.2 | PATCH | Ensure chrony is configured" block: - name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration" - template: + ansible.builtin.template: src: etc/chrony.conf.j2 dest: /etc/chrony.conf owner: root @@ -25,7 +24,7 @@ mode: 0644 - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sysconfig/chronyd regexp: "^(#)?OPTIONS" line: "OPTIONS=\"-u chrony\"" diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 6a195ca..4f1be78 100644 --- a/tasks/section_2/cis_2.2.x.yml 
+++ b/tasks/section_2/cis_2.2.x.yml @@ -1,54 +1,38 @@ --- -- name: "2.2.1 | PATCH | Ensure xinetd is not installed" - package: - name: xinetd - state: absent - when: - - rhel9cis_rule_2_2_1 - - not rhel9cis_xinetd_server - - "'xinetd' in ansible_facts.packages" - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_2.2.1 -- name: "2.2.2 | PATCH | Ensure xorg-x11-server-common is not installed" - package: +- name: "2.2.1 | PATCH | Ensure xorg-x11-server-common is not installed" + ansible.builtin.package: name: xorg-x11-server-common state: absent when: - - rhel9cis_rule_2_2_2 + - rhel9cis_rule_2_2_1 - "'xorg-x11-server-common' in ansible_facts.packages" tags: - level1-server - - automated - patch - x11 - - rule_2.2.2 + - rule_2.2.1 -- name: "2.2.3 | PATCH | Ensure Avahi Server is not installed" - package: +- name: "2.2.2 | PATCH | Ensure Avahi Server is not installed" + ansible.builtin.package: name: - avahi-autoipd - avahi state: absent when: - - rhel9cis_rule_2_2_3 + - rhel9cis_rule_2_2_2 - not rhel9cis_avahi_server - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" tags: - level1-server - level2-workstation - - automated - patch - avahi - - rule_2.2.3 + - rule_2.2.2 -- name: "2.2.4 | PATCH | Ensure CUPS is not installed" - package: +- name: "2.2.3 | PATCH | Ensure CUPS is not installed" + ansible.builtin.package: name: cups state: absent when: 
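Review bot: The avahi guard in 2.2.2 checks `'avahi-autopd' in ansible_facts.packages`, which is not the package the task removes (`avahi-autoipd`), so a host with only avahi-autoipd installed is skipped; the line should read `- "'avahi' in ansible_facts.packages or 'avahi-autoipd' in ansible_facts.packages"`. This is pre-existing context rather than something the renumbering introduced, but a renumbering pass is the right moment to catch it. The 2.2.3 task's `when` list continues past the end of the hunk.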
@@ -57,124 +41,102 @@ - rhel9cis_rule_2_2_3 tags: - level1-server - - automated - patch - cups - rule_2.2.3 -- name: "2.2.5 | PATCH | Ensure DHCP Server is not installed" - package: +- name: "2.2.4 | PATCH | Ensure DHCP Server is not installed" + ansible.builtin.package: name: dhcp-server state: absent when: - not rhel9cis_dhcp_server - "'dhcp-server' in ansible_facts.packages" - - rhel9cis_rule_2_2_5 + - rhel9cis_rule_2_2_4 tags: - level1-server - level1-workstation - - automated - patch - dhcp - - rule_2.2.5 + - rule_2.2.4 -- name: "2.2.6 | PATCH | Ensure DNS Server is not installed" - package: +- name: "2.2.5 | PATCH | Ensure DNS Server is not installed" + ansible.builtin.package: name: bind state: absent when: - not rhel9cis_dns_server - "'bind' in ansible_facts.packages" - - rhel9cis_rule_2_2_6 + - rhel9cis_rule_2_2_5 tags: - level1-server - level1-workstation - - automated - patch - dns - - rule_2.2.6 + - rule_2.2.5 -- name: "2.2.7 | PATCH | Ensure FTP Server is not installed" - package: - name: ftp - state: absent - when: - - not rhel9cis_ftp_server - - "'ftp' in ansible_facts.packages" - - rhel9cis_rule_2_2_7 - tags: - - level1-server - - level1-workstation - - automated - - patch - - ftp - - rule_2.2.7 - -- name: "2.2.8 | PATCH | Ensure VSFTP Server is not installed" - package: +- name: "2.2.6 | PATCH | Ensure VSFTP Server is not installed" + ansible.builtin.package: name: vsftpd state: absent when: - not rhel9cis_vsftpd_server - "'vsftpd' in ansible_facts.packages" - - rhel9cis_rule_2_2_8 + - rhel9cis_rule_2_2_6 tags: - level1-server - level1-workstation - - automated - patch - vsftpd - - rule_2.2.8 + - rule_2.2.6 -- name: "2.2.9 | PACH | Ensure TFTP Server is not installed" - package: +- name: "2.2.7 | PACH | Ensure TFTP Server is not installed" + ansible.builtin.package: name: tftp-server state: absent when: - not rhel9cis_tftp_server - "'tftp-server' in ansible_facts.packages" - - rhel9cis_rule_2_2_9 + - rhel9cis_rule_2_2_7 tags: - level1-server - 
level1-workstation - - automated - patch - tftp - - rule_2.2.9 + - rule_2.2.7 -- name: "2.2.10 | PATCH | Ensure a web server is not installed" +- name: "2.2.8 | PATCH | Ensure a web server is not installed" block: - - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove httpd server" - package: + - name: "2.2.8 | PATCH | Ensure a web server is not installed | Remove httpd server" + ansible.builtin.package: name: httpd state: absent when: - not rhel9cis_httpd_server - "'httpd' in ansible_facts.packages" - - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove nginx server" - package: + - name: "2.2.8 | PATCH | Ensure a web server is not installed | Remove nginx server" + ansible.builtin.package: name: nginx state: absent when: - not rhel9cis_nginx_server - "'nginx' in ansible_facts.packages" when: - - rhel9cis_rule_2_2_10 + - rhel9cis_rule_2_2_8 tags: - level1-server - level1-workstation - - automated - patch - httpd - nginx - webserver - - rule_2.2.9 + - rule_2.2.8 -- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" +- name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed" block: - - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" - package: + - name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed" + ansible.builtin.package: name: - dovecot state: absent @@ -182,8 +144,8 @@ - not rhel9cis_dovecot_server - "'dovecot' in ansible_facts.packages" - - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" - package: + - name: "2.2.9 | PATCH | Ensure IMAP and POP3 server is not installed" + ansible.builtin.package: name: - cyrus-imapd state: absent 
@@ -192,99 +154,94 @@ - "'cyrus-imapd' in ansible_facts.packages" when: - - rhel9cis_rule_2_2_11 + - rhel9cis_rule_2_2_9 tags: - level1-server - level1-workstation - - automated - patch - dovecot - imap - pop3 - - rule_2.2.11 + - rule_2.2.9 -- name: "2.2.12 | PATCH | Ensure Samba is not enabled" - package: +- name: "2.2.10 | PATCH | Ensure Samba is not enabled" + ansible.builtin.package: name: samba state: absent when: - not rhel9cis_samba_server - "'samba' in ansible_facts.packages" - - rhel9cis_rule_2_2_12 + - rhel9cis_rule_2_2_10 tags: - level1-server - level1-workstation - - automated - patch - samba - - rule_2.2.12 + - rule_2.2.10 -- name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed" - package: +- name: "2.2.11 | PATCH | Ensure HTTP Proxy Server is not installed" + ansible.builtin.package: name: squid state: absent when: - not rhel9cis_squid_server - "'squid' in ansible_facts.packages" - - rhel9cis_rule_2_2_6 + - rhel9cis_rule_2_2_11 tags: - level1-server - level1-workstation - - automated - patch - squid - - rule_2.2.13 + - rule_2.2.11 -- name: "2.2.14 | PATCH | Ensure net-snmp is not installed" - package: +- name: "2.2.12 | PATCH | Ensure net-snmp is not installed" + ansible.builtin.package: name: net-snmp state: absent when: - not rhel9cis_snmp_server - "'net-snmp' in ansible_facts.packages" - - rhel9cis_rule_2_2_14 + - rhel9cis_rule_2_2_12 tags: - level1-server - level1-workstation - - automated - patch - snmp - - rule_2.2.14 + - rule_2.2.12 -- name: "2.2.15 | PATCH | Ensure NIS Server is not installed" - package: - name: ypserv - state: absent - when: - - not rhel9cis_nis_server - - "'ypserv' in ansible_facts.packages" - - rhel9cis_rule_2_2_17 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nis - - rule_2.2.17 - -- name: "2.2.16 | PATCH | Ensure telnet-server is not installed" - package: +- name: "2.2.13 | PATCH | Ensure telnet-server is not installed" + ansible.builtin.package: name: telnet-server state: 
absent when: - not rhel9cis_telnet_server - "'telnet-server' in ansible_facts.packages" - - rhel9cis_rule_2_2_16 + - rhel9cis_rule_2_2_13 tags: - level1-server - level1-workstation - - automated - patch - telnet - - rule_2.2.16 + - rule_2.2.13 -- name: "2.2.17 | PATCH | Ensure mail transfer agent is configured for local-only mode" - lineinfile: +- name: "2.2.14 | PATCH | Ensure dnsmasq is not installed" + ansible.builtin.package: + name: dnsmasq + state: absent + notify: restart postfix + when: + - not rhel9cis_is_mail_server + - "'dnsmasq' in ansible_facts.packages" + - rhel9cis_rule_2_2_14 + tags: + - level1-server + - level1-workstation + - patch + - dnsmasq + - rule_2.2.14 + +- name: "2.2.15 | PATCH | Ensure mail transfer agent is configured for local-only mode" + ansible.builtin.lineinfile: path: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" line: "inet_interfaces = loopback-only" 
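Review bot: The new 2.2.14 dnsmasq task looks copy-pasted from the postfix control: it is gated on `not rhel9cis_is_mail_server` and does `notify: restart postfix`, so a mail server keeps dnsmasq installed and a non-mail host restarts postfix after removing an unrelated package. Gate it on a dnsmasq-specific toggle (e.g. `- not rhel9cis_dnsmasq_required`, with a matching default) and drop the `notify`. The 2.2.15 task that follows it runs past the end of this hunk.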
@@ -292,29 +249,28 @@ when: - not rhel9cis_is_mail_server - "'postfix' in ansible_facts.packages" - - rhel9cis_rule_2_2_17 + - rhel9cis_rule_2_2_15 tags: - level1-server - level1-workstation - - automated - patch - postfix - - rule_2.2.17 + - rule_2.2.15 # The name title of the service says mask the service, but the fix allows for both options # Options available in default/main if to remove the package default is false just mask the server service -- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked" +- name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked" block: - - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | remove package" - package: + - name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | remove package" + ansible.builtin.package: name: nfs-utils state: absent when: - not rhel9cis_use_nfs_server - not rhel9cis_use_nfs_service - - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service" - systemd: + - name: "2.2.16 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service" + ansible.builtin.systemd: name: nfs-server masked: true state: stopped 
@@ -323,30 +279,29 @@ - rhel9cis_use_nfs_service when: - "'nfs-utils' in ansible_facts.packages" - - rhel9cis_rule_2_2_18 + - rhel9cis_rule_2_2_16 tags: - level1-server - level1-workstation - - automated - patch - nfs - services - - rule_2.2.18 + - rule_2.2.16 # The name title of the service says mask the service, but the fix allows for both options # Options available in default/main if to remove the package default is false just mask the server service -- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked" +- name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked" block: - - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | remove package" - package: + - name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | remove package" + ansible.builtin.package: name: rpcbind state: absent when: - not rhel9cis_use_rpc_server - not rhel9cis_use_rpc_service - - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service" - systemd: + - name: "2.2.17 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service" + ansible.builtin.systemd: name: rpcbind.socket masked: true state: stopped 
@@ -355,29 +310,28 @@ - not rhel9cis_use_rpc_service when: - "'rpcbind' in ansible_facts.packages" - - rhel9cis_rule_2_2_19 + - rhel9cis_rule_2_2_17 tags: - level1-server - level1-workstation - - automated - patch - rpc - - rule_2.2.19 + - rule_2.2.17 # The name title of the service says mask the service, but the fix allows for both options # Options available in default/main if to remove the package default is false just mask the server service -- name: "2.2.20 | PATCH | Ensure rsync service is not enabled " +- name: "2.2.18 | PATCH | Ensure rsync service is not enabled " block: - - name: "2.2.20 | PATCH | Ensure rsync service is not enabled | remove package" - package: - name: rsync + - name: "2.2.18 | PATCH | Ensure rsync-daemon is not installed or the rsync service is masked | remove package" + ansible.builtin.package: + name: rsync-daemon state: absent when: - not rhel9cis_use_rsync_server - not rhel9cis_use_rsync_service - - name: "2.2.20 | PATCH | Ensure rsync service is not enabled | mask service" - systemd: + - name: "2.2.18 | PATCH | Ensure rsync service is not enabled | mask service" + ansible.builtin.systemd: name: rsyncd masked: true state: stopped @@ -386,11 +340,10 @@ - not rhel9cis_use_rsync_service when: - "'rsync' in ansible_facts.packages" - - rhel9cis_rule_2_2_20 + - rhel9cis_rule_2_2_18 tags: - level1-server - level1-workstation - - automated - patch - rsync - - rule_2.2.20 + - rule_2.2.18 diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index a1941da..38f24c0 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml 
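Review bot: The block-level guard still reads `"'rsync' in ansible_facts.packages"` while the remove task inside it (previous hunk) now targets `rsync-daemon`, so the presence check no longer matches what is removed: with only the rsync client installed the block runs, the package task is a no-op, and the mask task then tries to stop an `rsyncd` unit that I would expect not to exist. Change the guard to `- "'rsync-daemon' in ansible_facts.packages"`, or `or`-in both names if the mask path should still run for a bare `rsync` install. The block itself starts outside this hunk.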
@@ -1,97 +1,65 @@ --- -- name: "2.3.1 | PATCH | Ensure NIS Client is not installed" - package: - name: ypbind +- name: "2.3.1 | PATCH | Ensure telnet client is not installed" + ansible.builtin.package: + name: telnet state: absent when: - - not rhel9cis_ypbind_required - - "'ypbind' in ansible_facts.packages" + - not rhel9cis_telnet_required + - "'telnet' in ansible_facts.packages" - rhel9cis_rule_2_3_1 tags: - level1-server - level1-workstation - automated - patch - - nis + - telnet - rule_2.3.1 -- name: "2.3.2 | PATCH | Ensure rsh client is not installed" - package: - name: rsh - state: absent - when: - - not rhel9cis_rsh_required - - "'rsh' in ansible_facts.packages" - - rhel9cis_rule_2_3_2 - tags: - - level1-server - - level2-server - - automated - - patch - - rsh - - rule_2.3.2 - -- name: "2.3.3 | PATCH | Ensure talk client is not installed" - package: - name: talk - state: absent - when: - - not rhel9cis_talk_required - - "'talk' in ansible_facts.packages" - - rhel9cis_rule_2_3_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - talk - - rule_2.3.3 - -- name: "2.3.4 | PATCH | Ensure telnet client is not installed" - package: - name: telnet - state: absent - when: - - not rhel9cis_telnet_required - - "'telnet' in ansible_facts.packages" - - rhel9cis_rule_2_3_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - telnet - - rule_2.3.4 - -- name: "2.3.5 | PATCH | Ensure LDAP client is not installed" - package: +- name: "2.3.2 | PATCH | Ensure LDAP client is not installed" + ansible.builtin.package: name: openldap-clients state: absent when: - not rhel9cis_openldap_clients_required - "'openldap-clients' in ansible_facts.packages" - - rhel9cis_rule_2_3_5 + - rhel9cis_rule_2_3_2 tags: - level1-server - level1-workstation - automated - patch - ldap - - rule_2.3.5 + - rule_2.3.2 -- name: "2.3.6 | PATCH | Ensure TFTP client is not installed" - package: +- name: "2.3.3 | PATCH | Ensure TFTP client is not installed" + 
ansible.builtin.package: name: tftp state: absent when: - not rhel9cis_tftp_client - "'tftp' in ansible_facts.packages" - - rhel9cis_rule_2_3_6 + - rhel9cis_rule_2_3_3 tags: - level1-server - level1-workstation - automated - patch - tftp - - rule_2.3.6 + - rule_2.3.3 + +- name: "2.3.4 | PATCH | Ensure FTP client is not installed" + ansible.builtin.package: + name: ftp + state: absent + when: + - not rhel9cis_tftp_client + - "'ftp' in ansible_facts.packages" + - rhel9cis_rule_2_3_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - ftp + - rule_2.3.4 diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 3373e54..a59184b 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml 
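Review bot: The new 2.3.4 FTP-client task is gated on `not rhel9cis_tftp_client`, the variable that belongs to the TFTP client in 2.3.3, so opting to keep tftp also leaves the `ftp` package installed, and vice versa. Give it its own toggle, e.g. `- not rhel9cis_ftp_client`, with a matching default. The `- automated` tag was dropped from the other files in this series but is kept throughout this one, which is harmless but inconsistent.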
@@ -1,23 +1,31 @@ --- -- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked" +- name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked" block: - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Get list of services" - shell: systemctl list-units --type=service + - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Get list of services" + ansible.builtin.shell: systemctl list-units --type=service changed_when: false failed_when: false check_mode: false register: rhel9cis_2_4_services - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" - debug: + - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Get list of sockets" + ansible.builtin.shell: systemctl list-units --type=sockets + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_2_4_sockets + + - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Display list of services" + ansible.builtin.debug: msg: - - "Warning!! Below are the list of services, both active and inactive" + - "Warning!! Below are the list of services and sockets, both active and inactive" - "Please review to make sure all are essential" - "{{ rhel9cis_2_4_services.stdout_lines }}" + - "{{ rhel9cis_2_4_sockets.stdout_lines }}" - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Warn Count" - set_fact: + - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count" + ansible.builtin.set_fact: control_number: "{{ control_number }} + ['rule_2.4']" warn_count: "{{ warn_count | int + 1 }}" when: From cb0dd58df54ae1804bedf56a7f039e78634de803 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Jan 2023 11:18:45 +0000 Subject: [PATCH 003/143] updated for v1.0.0 
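Review bot: `systemctl list-units --type=sockets` is not a valid unit type (the type is `socket`), so with `failed_when: false` the command errors out silently and `rhel9cis_2_4_sockets.stdout_lines` is always empty; use `ansible.builtin.shell: systemctl list-units --type=socket`. The debug message also promises "both active and inactive", but `list-units` hides inactive units unless `--all` is given, so either add `--all` to both commands or reword the message. The block's `when` and tags lie outside this hunk.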
Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 77 +++----- tasks/section_3/cis_3.2.x.yml | 2 - tasks/section_3/cis_3.3.x.yml | 44 ++--- tasks/section_3/cis_3.4.1.x.yml | 153 +++------------- tasks/section_3/cis_3.4.2.yml | 301 ++++++++++++++++++++++++++++++++ 5 files changed, 377 insertions(+), 200 deletions(-) create mode 100644 tasks/section_3/cis_3.4.2.yml diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index ebe4325..68da340 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -2,14 +2,14 @@ # The CIS Control wants IPv6 disabled if not in use. # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use -- name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" +- name: "3.1.1 | PATCH | Ensure IPv6 status is identified" block: - - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh" set_fact: sysctl_update: true flush_ipv6_route: true - - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" when: 
@@ -24,72 +24,49 @@ - networking - rule_3.1.1 -- name: "3.1.2 | PATCH | Ensure SCTP is disabled" - template: - src: "etc/modprobe.d/modprobe.conf.j2" - dest: "/etc/modprobe.d/{{ item }}.conf" - mode: "0600" - owner: root - group: root - with_items: - - sctp - when: - - rhel9cis_rule_3_1_2 - tags: - - level2-server - - level2-workstation - - automated - - patch - - sctp - - rule_3.1.2 - -- name: "3.1.3 | PATCH | Ensure DCCP is disabled" - template: - src: "etc/modprobe.d/modprobe.conf.j2" - dest: "/etc/modprobe.d/{{ item }}.conf" - mode: "0600" - owner: root - group: root - with_items: - - dccp - when: - - rhel9cis_rule_3_1_3 - tags: - - level2-server - - level2-workstation - - automated - - dccp - - patch - - rule_3.1.3 - -- name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled" +- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" block: - - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" + - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" command: rpm -q NetworkManager changed_when: false failed_when: false check_mode: false - args: - warn: false register: rhel_08_nmcli_available - - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" + - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" command: nmcli radio wifi register: rhel_08_wifi_enabled changed_when: rhel_08_wifi_enabled.stdout != "disabled" failed_when: false when: rhel_08_nmcli_available.rc == 0 - - name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" command: nmcli radio all off changed_when: false failed_when: false when: rhel_08_wifi_enabled is changed when: - - rhel9cis_rule_3_1_4 + - rhel9cis_rule_3_1_2 tags: - level1-server - - automated - patch - wireless - - 
rule_3.1.4 + - rule_3.1.2 + +- name: "3.1.3 | PATCH | Ensure TIPC is disabled" + template: + src: "etc/modprobe.d/modprobe.conf.j2" + dest: "/etc/modprobe.d/{{ item }}.conf" + mode: "0600" + owner: root + group: root + with_items: + - tipc + when: + - rhel9cis_rule_3_1_3 + tags: + - level2-server + - level2-workstation + - patch + - tipc + - rule_3.1.3 diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 6e07c55..708deb8 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -28,7 +28,6 @@ tags: - level1-server - level1-workstation - - automated - sysctl - patch - rule_3.2.1 @@ -48,7 +47,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sysctl - rule_3.2.2 diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index b78593e..84363e7 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -3,21 +3,21 @@ - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" block: - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" block: - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact" - set_fact: + ansible.builtin.set_fact: flush_ipv6_route: true - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" when: rhel9cis_ipv6_required when: 
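Review bot: The remediation step runs `nmcli radio all off` with `changed_when: false`, even though it only executes when the wifi check reported a change, so a real change is reported as unchanged and WWAN radios are switched off although only wifi was inspected; `command: nmcli radio wifi off` without `changed_when: false` matches both the check and the control's title. The `rhel_08_*` register names appear carried over from the RHEL 8 role and are confusing in a rhel9cis file. The new 3.1.3 TIPC task only writes the modprobe template and, unlike the section-1 filesystem controls, does not unload an already-loaded module, so a running kernel keeps TIPC until reboot; a follow-up `modprobe` task with `name: tipc` and `state: absent` (skipped in containers) would close that gap.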
@@ -32,22 +32,22 @@ - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" block: - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" block: - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact" - set_fact: + ansible.builtin.set_fact: flush_ipv6_route: true - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" when: rhel9cis_ipv6_required when: @@ -62,12 +62,12 @@ - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" block: - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_3 @@ -81,12 +81,12 @@ - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" block: - name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_4 
@@ -100,12 +100,12 @@ - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" block: - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_5 @@ -119,12 +119,12 @@ - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" block: - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_6 @@ -138,12 +138,12 @@ - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" block: - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_7 @@ -157,12 +157,12 @@ - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" block: - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_8 
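Review bot: The task name of the 3.3.5 debug task is missing its opening quote, `- name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"`, so YAML reads it as a plain scalar whose value ends in a stray `"`; it should be `- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"` like every other task name in the hunk. The line is unchanged context here, but the commit rewrites the module line directly beneath it, so this is the natural place to fix it. The 3.3.5 block's `when:` list continues outside the hunk.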
@@ -176,12 +176,12 @@ - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" block: - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv6_route: true - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl" when: - rhel9cis_ipv6_required diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index d43dfe6..9498c97 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml 
@@ -1,153 +1,54 @@ --- -- name: "3.4.1.1 | PATCH | Ensure firewalld is installed" +- name: "3.4.1.1 | PATCH | Ensure nftables is installed" package: name: - - firewalld - - iptables + - nftables state: present when: - rhel9cis_rule_3_4_1_1 + - rhel9cis_firewall == 'nftables' tags: - level1-server - level1-workstation - - automated - patch - - firewalld + - nftables - rule_3.4.1.1 -- name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld" +- name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use" block: - - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services" + - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | nftables" systemd: name: "{{ item }}" masked: true with_items: - - iptables - - ip6tables - when: item in ansible_facts.packages + - firewalld + when: + - item in ansible_facts.packages + - rhel9cis_firewall == 'nftables' + + - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | firewalld" + systemd: + name: "{{ item }}" + masked: true + with_items: + - nftables + when: + - item in ansible_facts.packages + - rhel9cis_firewall == 'firewalld' + + - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" + systemd: + name: "{{ rhel9cis_firewall }}" + enabled: true + state: started - - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | remove iptables-services pkg " - package: - name: iptables-services - state: absent - when: when: - rhel9cis_rule_3_4_1_2 - - "'iptables-services' in ansible_facts.packages" tags: - level1-server - level1-workstation - - automated - patch - firewalld + - nftables - rule_3.4.1.2 - -- name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld" - block: - - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with 
firewalld | mask service" - systemd: - name: nftables - state: stopped - masked: true - when: - - rhel9cis_firewalld_nftables_state == "masked" - - - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | pkg removed" - package: - name: nftables - state: absent - when: - - rhel9cis_firewalld_nftables_state == "absent" - when: - - rhel9cis_rule_3_4_1_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - firewalld - - rule_3_4_1_3 - -- name: "3.4.1.4 | PATCH | Ensure firewalld service is enabled and running" - systemd: - name: firewalld - state: started - enabled: true - when: - - rhel9cis_rule_3_4_1_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - firewalld - - rule_3_4_1_4 -- name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set" - block: - - name: "3.4.1.5 | AUDIT | Ensure firewalld default zone is set" - shell: "firewall-cmd --get-default-zone | grep {{ rhel9cis_default_zone }}" - changed_when: false - failed_when: ( firewalld_zone_set.rc not in [ 0, 1 ] ) - register: firewalld_zone_set - - - name: "3.4.1.5 | AUDIT | Ensure firewalld default zone is set" - command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" - when: - - firewalld_zone_set.rc != 0 - when: - - rhel9cis_firewall == "firewalld" - - rhel9cis_rule_3_4_1_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - firewalld - - rule_3.4.1.5 - -- name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone" - block: - - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies" - shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done" - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_3_4_1_6_interfacepolicy - - - name: "3.4.1.6 | AUDIT | Ensure network interfaces are 
assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy" - debug: - msg: - - "The items below are the policies tied to the interfaces, please correct as needed" - - "{{ rhel9cis_3_4_1_6_interfacepolicy.stdout_lines }}" - when: - - rhel9cis_rule_3_4_1_6 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_3.4.1.6 - -- name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports" - block: - - name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" - shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_3_4_1_7_servicesport - - - name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" - debug: - msg: - - "The items below are the services and ports that are accepted, please correct as needed" - - "{{ rhel9cis_3_4_1_7_servicesport.stdout_lines }}" - when: - - rhel9cis_rule_3_4_1_7 - tags: - - level1-server - - level1-workstation - - manual - - audit - - rule_3.4.1.7 diff --git a/tasks/section_3/cis_3.4.2.yml b/tasks/section_3/cis_3.4.2.yml new file mode 100644 index 0000000..7fc873e --- /dev/null +++ b/tasks/section_3/cis_3.4.2.yml 
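Review bot: The two masking tasks under 3.4.1.2 set `masked: true` without `state: stopped`, so a firewalld (or nftables) unit that is already running keeps running alongside the selected utility until the next reboot — the dual-firewall condition this control exists to remove; the removed 3.4.1.3 task paired the mask with `state: stopped`. Add `state: stopped` beneath `masked: true` in both tasks. Separately, 3.4.1.1 now only installs `nftables`, and only when `rhel9cis_firewall == 'nftables'`; with `firewalld` selected nothing in this file installs it, so the final `systemd` start task relies on firewalld already being present unless another task guarantees that. The `package:` and `systemd:` short names are also inconsistent with the `ansible.builtin.` FQCN conversion this same commit applies in cis_3.3.x.yml.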
@@ -0,0 +1,301 @@ +--- + +- name: "3.4.2.1 | PATCH | Ensure firewalld default zone is set" + block: + - name: "3.4.2.1 | AUDIT | Ensure firewalld default zone is set" + shell: "firewall-cmd --get-default-zone | grep {{ rhel9cis_default_zone }}" + changed_when: false + failed_when: ( firewalld_zone_set.rc not in [ 0, 1 ] ) + register: firewalld_zone_set + + - name: "3.4.2.1 | AUDIT | Ensure firewalld default zone is set" + command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" + when: + - firewalld_zone_set.rc != 0 + when: + - rhel9cis_firewall == "firewalld" + - rhel9cis_rule_3_4_2_1 + tags: + - level1-server + - level1-workstation + - patch + - firewalld + - rule_3.4.2.1 + +- name: "3.4.2.2 | AUDIT | Ensure at least one nftables table exists" + block: + - name: "3.4.2.2 | AUDIT | Ensure a table exists | Check for tables" + command: nft list tables + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_2_nft_tables + + - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Show existing tables" + debug: + msg: + - "Below are the current nft tables, please review" + - "{{ rhel9cis_3_4_2_2_nft_tables.stdout_lines }}" + when: rhel9cis_3_4_2_2_nft_tables.stdout | length > 0 + + - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables" + debug: + msg: + - "Warning!! 
You currently have no nft tables, please review your setup" + - 'Use the command "nft create table inet " to create a new table' + when: + - rhel9cis_3_4_2_2_nft_tables.stdout | length == 0 + - not rhel9cis_nft_tables_autonewtable + + - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_3.4.2.2' ]" + warn_count: "{{ warn_count | int + 1 }}" + when: + - rhel9cis_3_4_2_2_nft_tables.stdout | length == 0 + - not rhel9cis_nft_tables_autonewtable + + - name: "3.4.2.2 | PATCH | Ensure a table exists | Create table if needed" + command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" + failed_when: false + when: rhel9cis_nft_tables_autonewtable + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_2 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_3.4.2.2 + +- name: "3.4.2.3 | PATCH | Ensure nftables base chains exist" + block: + - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT" + shell: nft list ruleset | grep 'hook input' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_3_input_chains + + - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" + shell: nft list ruleset | grep 'hook forward' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_3_forward_chains + + - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" + shell: nft list ruleset | grep 'hook output' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_3_output_chains + + - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Display chains for review" + debug: + msg: + - "Below are the current INPUT chains" + - "{{ rhel9cis_3_4_2_3_input_chains.stdout_lines }}" + - "Below are the current FORWARD chains" + - "{{ rhel9cis_3_4_2_3_forward_chains.stdout_lines }}" + - 
"Below are teh current OUTPUT chains" + - "{{ rhel9cis_3_4_2_3_output_chains.stdout_lines }}" + when: not rhel9cis_nft_tables_autochaincreate + + - name: "3.4.2.3 | PATCH | Ensure nftables base chains exist | Create chains if needed" + shell: "{{ item }}" + failed_when: false + with_items: + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } + when: rhel9cis_nft_tables_autochaincreate + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_3 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_3.4.2.3 + +- name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured" + block: + - name: "3.4.2.4 | AUDIT | Ensure host based firewall loopback traffic is configured | Gather iif lo accept existence | nftables" + shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_4_iiflo + + - name: "3.4.2.4 | AUDIT | Ensure host based firewall loopback traffic is configured | Gather ip saddr existence | nftables" + shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_4_ipsaddr + + - name: "3.4.2.4 | AUDIT | Ensure host based firewall loopback traffic is configured | Gather ip6 saddr existence | nftables" + shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_4_ip6saddr + + - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | Set iif lo accept rule | nftables" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept + when: 
'"iif \"lo\" accept" not in rhel9cis_3_4_2_4_iiflo.stdout' + + - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | Set ip sddr rule | nftables" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_4_ipsaddr.stdout' + + - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | Set ip6 saddr rule | nftables" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop + when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_4_ip6saddr.stdout' + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_4 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_3.4.2.4 + + +- name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | firewalld" + ansible.posix.firewalld: + rich_rule: "{{ item }}" + zone: "{{ rhel9cis_firewall_zone }}" + permanent: yes + immediate: yes + state: enabled + loop: + - rule family="ipv4" source address="127.0.0.1" destination not address="127.0.0.1" drop + - rule family="ipv6" source address="::1" destination not address="::1" drop + when: + - rhel9cis_firewall == "firewalld" + - rhel9cis_rule_3_4_2_4 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_3.4.2.4 + +- name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports" + block: + - name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" + shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_3_4_2_5_servicesport + + - name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and 
ports" + debug: + msg: + - "The items below are the services and ports that are accepted, please correct as needed" + - "{{ rhel9cis_3_4_2_5_servicesport.stdout_lines }}" + when: + - rhel9cis_rule_3_4_2_5 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_3.4.2.5 + +- name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured" + block: + - name: "3.4.2.6 | AUDIT | EEnsure nftables established connections are configured | Gather incoming connection rules" + shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_6_inconnectionrule + + - name: "3.4.2.6| AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules" + shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_6_outconnectionrule + + - name: "3.4.2.6| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_2_6_inconnectionrule.stdout' + + - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept + when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_2_6_inconnectionrule.stdout' + + - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept + when: '"ip protocol icmp ct state 
established accept" not in rhel9cis_3_4_2_6_inconnectionrule.stdout' + + - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept + when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_2_6_outconnectionrule.stdout' + + - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept + when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_2_6_outconnectionrule.stdout' + + - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept + when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_6_outconnectionrule.stdout' + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_6 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_3.4.2.6 + +- name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy" + block: + - name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_7_inputpolicy + + - name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' + failed_when: false + 
changed_when: false + register: rhel9cis_3_4_2_7_forwardpolicy + + - name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_7_outputpolicy + + - name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_7_sshallowcheck + + - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept + when: '"tcp dport ssh accept" not in rhel9cis_3_4_2_7_sshallowcheck.stdout' + + - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" + command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } + when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_2_7_inputpolicy.stdout' + + - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" + command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } + when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_2_7_forwardpolicy.stdout' + + - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" + command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } + when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_7_outputpolicy.stdout' + when: + - rhel9cis_firewall == "nftables" + - rhel9cis_rule_3_4_2_7 + tags: + - level1-server + - level1-workstation + - patch + - nftables + - rule_3.4.2.7 
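Review bot: The 3.4.2.4 nftables loopback tasks are not idempotent: their guards compare against `"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop"` and `"ip6 saddr ::1 counter packets 0 bytes 0 drop"`, which only match while the rule's counter is still zero, so once any packet has hit the rule every subsequent run appends a duplicate. Match the rule without its counter values, e.g. `when: '"ip saddr 127.0.0.0/8" not in rhel9cis_3_4_2_4_ipsaddr.stdout'` and `when: '"ip6 saddr ::1" not in rhel9cis_3_4_2_4_ip6saddr.stdout'`. The firewalld variant of 3.4.2.4 is tagged `nftables` rather than `firewalld`, so a tag-filtered run selecting firewalld controls would skip it, and its `permanent: yes` / `immediate: yes` should be `true` to match the booleans used elsewhere in the file. 3.4.2.5 runs `firewall-cmd` without the `rhel9cis_firewall == "firewalld"` guard that 3.4.2.1 carries, so on an nftables host it emits an empty report instead of being skipped.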
From 77dd593e0f2caff99d90b7e75bba867db5e38148 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Jan 2023 11:19:41 +0000 Subject: [PATCH 004/143] removed arg warn Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 -- tasks/post_remediation_audit.yml | 6 ------ tasks/pre_remediation_audit.yml | 6 ------ tasks/prelim.yml | 8 -------- tasks/section_5/cis_5.2.x.yml | 4 ---- tasks/section_5/cis_5.4.x.yml | 4 ---- 6 files changed, 30 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 0d272b1..d6b026a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -84,8 +84,6 @@ block: - name: "Check su group exists if defined" shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group - args: - warn: false register: sugroup_exists changed_when: false failed_when: sugroup_exists.rc >= 2 diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 4429b7e..599e104 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -5,8 +5,6 @@ environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_post_remediation.rc == 0 register: audit_run_post_remediation - args: - warn: false - name: Post Audit | ensure audit files readable by users file: @@ -21,8 +19,6 @@ block: - name: "capture data {{ post_audit_outfile }}" shell: "cat {{ post_audit_outfile }}" - args: - warn: false register: post_audit changed_when: false @@ -38,8 +34,6 @@ block: - name: "Post Audit | capture data {{ post_audit_outfile }}" shell: "tail -2 {{ post_audit_outfile }}" - args: - warn: false register: post_audit changed_when: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 93c4985..94e9bcf 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
@@ -76,15 +76,11 @@ environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_pre_remediation.rc == 0 register: audit_run_pre_remediation - args: - warn: false - name: Pre Audit | Capture audit data if json format block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" shell: "cat {{ pre_audit_outfile }}" - args: - warn: false register: pre_audit changed_when: false @@ -100,8 +96,6 @@ block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" shell: "tail -2 {{ pre_audit_outfile }}" - args: - warn: false register: pre_audit changed_when: false diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 80a273b..f17d47c 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -4,8 +4,6 @@ # List users in order to look files inside each home directory - name: "PRELIM | List users accounts" shell: "awk -F: '{print $1}' /etc/passwd" - args: - warn: false changed_when: false check_mode: false register: users @@ -16,8 +14,6 @@ - name: "PRELIM | Gather accounts with empty password fields" shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" - args: - warn: false changed_when: false check_mode: false register: empty_password_accounts @@ -28,8 +24,6 @@ - name: "PRELIM | Gather UID 0 accounts other than root" shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" - args: - warn: false changed_when: false check_mode: false register: rhel9cis_uid_zero_accounts_except_root @@ -50,8 +44,6 @@ - name: "PRELIM | Gather system-wide crypto-policy" shell: update-crypto-policies --show - args: - warn: false changed_when: false check_mode: false register: system_wide_crypto_policy diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 14484b6..11eca29 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml 
@@ -274,16 +274,12 @@ block: - name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden" shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd - args: - warn: false changed_when: false failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] ) register: ssh_crypto_discovery - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd - args: - warn: false notify: restart sshd when: ssh_crypto_discovery.stdout | length > 0 when: diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 11ddbbd..fc0f2ad 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -17,8 +17,6 @@ - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles" shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} - args: - warn: false when: rhel9cis_authselect_custom_profile_create when: - rhel9cis_rule_5_4_1 @@ -47,8 +45,6 @@ - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" - args: - warn: false when: rhel9cis_authselect_custom_profile_select when: - rhel9cis_rule_5_4_2 From efc686a742d27b7bb891369331e6dd56749f172e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Jan 2023 11:20:05 +0000 Subject: [PATCH 005/143] rewritten Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.2.x.yml | 352 -------------------------------- 1 file changed, 352 deletions(-) delete mode 100644 tasks/section_3/cis_3.4.2.x.yml diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml deleted file mode 100644 index ebb3631..0000000 --- a/tasks/section_3/cis_3.4.2.x.yml +++ /dev/null 
@@ -1,352 +0,0 @@ ---- - -- name: "3.4.2.1 | PATCH | Ensure nftables is installed" - package: - name: nftables - state: present - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.1 - -# The control allows the service it be masked or not installed -# We have chosen not installed -- name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables" - package: - name: firewalld - state: absent - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_2 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.2 - -- name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables" - block: - - name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables | Stop services" - systemd: - name: "{{ item }}" - enabled: false - masked: true - ignore_errors: true # noqa ignore-errors - with_items: - - iptables - - ip6tables - - - name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables | Remove IPTables" - package: - name: iptables-service - state: absent - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.3 - -- name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables" - block: - - name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables | IPv4" - command: iptables -F - - - name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables | IPv6" - command: ip6tables -F - when: rhel9cis_ipv6_required - when: - - rhel9cis_rule_3_4_2_4 - - rhel9cis_firewall != "firewalld" - tags: - - level1-server - - level1-workstation - - manual - - patch - - nftables - - rule_3.4.2.4 - -- name: "3.4.2.5 | AUDIT | Ensure an nftables table exists" - block: - - name: "3.4.2.5 | AUDIT | Ensure a table exists | 
Check for tables" - command: nft list tables - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_5_nft_tables - - - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Show existing tables" - debug: - msg: - - "Below are the current nft tables, please review" - - "{{ rhel9cis_3_4_2_5_nft_tables.stdout_lines }}" - when: rhel9cis_3_4_2_5_nft_tables.stdout | length > 0 - - - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables" - debug: - msg: - - "Warning!! You currently have no nft tables, please review your setup" - - 'Use the command "nft create table inet
" to create a new table' - when: - - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0 - - not rhel9cis_nft_tables_autonewtable - - - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_3.4.2.5' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0 - - not rhel9cis_nft_tables_autonewtable - - - name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed" - command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" - failed_when: false - when: rhel9cis_nft_tables_autonewtable - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_5 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.5 - -- name: "3.4.2.6 | PATCH | Ensure nftables base chains exist" - block: - - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT" - shell: nft list ruleset | grep 'hook input' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_6_input_chains - - - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" - shell: nft list ruleset | grep 'hook forward' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_6_forward_chains - - - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" - shell: nft list ruleset | grep 'hook output' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_6_output_chains - - - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Display chains for review" - debug: - msg: - - "Below are the current INPUT chains" - - "{{ rhel9cis_3_4_2_6_input_chains.stdout_lines }}" - - "Below are the current FORWARD chains" - - "{{ rhel9cis_3_4_2_6_forward_chains.stdout_lines }}" - - "Below are teh current OUTPUT chains" - - "{{ rhel9cis_3_4_2_6_output_chains.stdout_lines 
}}" - when: not rhel9cis_nft_tables_autochaincreate - - - name: "3.4.2.6 | PATCH | Ensure nftables base chains exist | Create chains if needed" - shell: "{{ item }}" - args: - warn: false - failed_when: false - with_items: - - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } - - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } - - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } - when: rhel9cis_nft_tables_autochaincreate - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_6 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.6 - -- name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured" - block: - - name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_7_iiflo - - - name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_7_ipsaddr - - - name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_7_ip6saddr - - - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept - when: '"iif \"lo\" accept" not in rhel9cis_3_4_2_7_iiflo.stdout' - - - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr 
rule" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop - when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ipsaddr.stdout' - - - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop - when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout' - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_7 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.7 - -- name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured" - block: - - name: "3.4.2.8 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules" - shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_8_inconnectionrule - - - name: "3.4.2.8| AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules" - shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' - changed_when: false - failed_when: false - register: rhel9cis_3_4_2_8_outconnectionrule - - - name: "3.4.2.8| PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept - when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout' - - - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy" - command: nft add rule inet "{{ 
rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept - when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout' - - - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept - when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout' - - - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept - when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' - - - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept - when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' - - - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept - when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_8 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.3.5 - -- name: "3.4.2.9 | PATCH | Ensure nftables default 
deny firewall policy" - block: - - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' - failed_when: false - changed_when: false - register: rhel9cis_3_4_2_9_inputpolicy - - - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' - failed_when: false - changed_when: false - register: rhel9cis_3_4_2_9_forwardpolicy - - - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' - failed_when: false - changed_when: false - register: rhel9cis_3_4_2_9_outputpolicy - - - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' - failed_when: false - changed_when: false - register: rhel9cis_3_4_2_9_sshallowcheck - - - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept - when: '"tcp dport ssh accept" not in rhel9cis_3_4_2_9_sshallowcheck.stdout' - - - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" - command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } - when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_2_9_inputpolicy.stdout' - - - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" - command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } - when: '"type filter hook forward priority 0; policy drop;" not in 
rhel9cis_3_4_2_9_forwardpolicy.stdout' - - - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" - command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } - when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout' - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_9 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.9 - -- name: "3.4.2.10 | PATCH | Ensure nftables service is enabled" - service: - name: nftables - enabled: true - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_10 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.3.7 - -- name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent" - lineinfile: - path: /etc/sysconfig/nftables.conf - state: present - insertafter: EOF - line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_2_11 - tags: - - level1-server - - level1-workstation - - automated - - patch - - nftables - - rule_3.4.2.11 From 95ad5fac9d632ba4201b8769d32f033657e2afdd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Jan 2023 11:20:25 +0000 Subject: [PATCH 006/143] aide template added Signed-off-by: Mark Bolwell --- templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 diff --git a/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 b/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 new file mode 100644 index 0000000..fb12b29 --- /dev/null +++ b/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 
@@ -0,0 +1,7 @@
+# Audit Tools
+/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
+/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512

From e62e5630b4287ba2a12c6af1d13b19b8d9a63b95 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 12 Jan 2023 11:38:53 +0000
Subject: [PATCH 007/143] section 4 updates

Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 79 ++++++------
 tasks/section_4/cis_4.1.1.x.yml | 98 ++++++++-------
 tasks/section_4/cis_4.1.2.x.yml | 3 -
 tasks/section_4/cis_4.1.3.x.yml | 62 ++++------
 tasks/section_4/cis_4.1.4.x.yml | 188 +++++++++++++++++++++++++++++
 tasks/section_4/cis_4.2.1.x.yml | 57 ++++-----
 tasks/section_4/cis_4.2.2.x.yml | 64 ++++------
 tasks/section_4/cis_4.2.3.yml | 15 ++-
 tasks/section_4/cis_4.3.yml | 54 +++------
 templates/ansible_vars_goss.yml.j2 | 63 +++++-----
 10 files changed, 413 insertions(+), 270 deletions(-)
 create mode 100644 tasks/section_4/cis_4.1.4.x.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index 2cbbbc8..3436dea 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -71,7 +71,6 @@ audit_cmd_timeout: 60000
 # Section 1 rules
 rhel9cis_rule_1_1_1_1: true
 rhel9cis_rule_1_1_1_2: true
-rhel9cis_rule_1_1_1_3: true
 rhel9cis_rule_1_1_2_1: true
 rhel9cis_rule_1_1_2_2: true
 rhel9cis_rule_1_1_2_3: true
@@ -79,7 +78,6 @@ rhel9cis_rule_1_1_2_4: true
 rhel9cis_rule_1_1_3_1: true
 rhel9cis_rule_1_1_3_2: true
 rhel9cis_rule_1_1_3_3: true
-rhel9cis_rule_1_1_3_4: true
 rhel9cis_rule_1_1_4_1: true
 rhel9cis_rule_1_1_4_2: true
 rhel9cis_rule_1_1_4_3: true
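Review bot: These six selection lines are only evaluated if the main /etc/aide.conf includes /etc/aide.conf.d, and that include is not part of this commit, so the template may be inert on a host whose aide.conf was never pointed at the drop-in directory — worth a header comment such as `# Requires /etc/aide.conf to include /etc/aide.conf.d (CIS 4.1.4.11 audit tools)` and a check in the task that deploys it. On a merged-/usr RHEL 9 host /sbin is a symlink to /usr/sbin; AIDE does not follow symlinks during its tree walk as far as I know, so it is worth confirming with an `aide --check` run that entries keyed on /sbin/... are actually reported rather than silently skipped. The file carries a .j2 extension but contains no Jinja, so the tool list is effectively hard-coded; that is fine, but a comment saying so avoids someone looking for the variable that feeds it.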
@@ -95,26 +93,24 @@ rhel9cis_rule_1_1_6_4: true rhel9cis_rule_1_1_7_1: true rhel9cis_rule_1_1_7_2: true rhel9cis_rule_1_1_7_3: true -rhel9cis_rule_1_1_7_4: true -rhel9cis_rule_1_1_7_5: true rhel9cis_rule_1_1_8_1: true rhel9cis_rule_1_1_8_2: true rhel9cis_rule_1_1_8_3: true +rhel9cis_rule_1_1_8_4: true rhel9cis_rule_1_1_18: true rhel9cis_rule_1_1_19: true rhel9cis_rule_1_1_20: true rhel9cis_rule_1_1_21: true rhel9cis_rule_1_1_9: true -rhel9cis_rule_1_1_10: true rhel9cis_rule_1_2_1: true rhel9cis_rule_1_2_2: true rhel9cis_rule_1_2_3: true rhel9cis_rule_1_2_4: true rhel9cis_rule_1_3_1: true rhel9cis_rule_1_3_2: true +rhel9cis_rule_1_3_3: true rhel9cis_rule_1_4_1: true rhel9cis_rule_1_4_2: true -rhel9cis_rule_1_4_3: true rhel9cis_rule_1_5_1: true rhel9cis_rule_1_5_2: true rhel9cis_rule_1_5_3: true @@ -125,6 +121,7 @@ rhel9cis_rule_1_6_1_4: true rhel9cis_rule_1_6_1_5: true rhel9cis_rule_1_6_1_6: true rhel9cis_rule_1_6_1_7: true +rhel9cis_rule_1_6_1_8: true rhel9cis_rule_1_7_1: true rhel9cis_rule_1_7_2: true rhel9cis_rule_1_7_3: true @@ -136,6 +133,11 @@ rhel9cis_rule_1_8_2: true rhel9cis_rule_1_8_3: true rhel9cis_rule_1_8_4: true rhel9cis_rule_1_8_5: true +rhel9cis_rule_1_8_6: true +rhel9cis_rule_1_8_7: true +rhel9cis_rule_1_8_8: true +rhel9cis_rule_1_8_9: true +rhel9cis_rule_1_8_10: true rhel9cis_rule_1_9: true rhel9cis_rule_1_10: true @@ -160,21 +162,16 @@ rhel9cis_rule_2_2_15: true rhel9cis_rule_2_2_16: true rhel9cis_rule_2_2_17: true rhel9cis_rule_2_2_18: true -rhel9cis_rule_2_2_19: true -rhel9cis_rule_2_2_20: true rhel9cis_rule_2_3_1: true rhel9cis_rule_2_3_2: true rhel9cis_rule_2_3_3: true rhel9cis_rule_2_3_4: true -rhel9cis_rule_2_3_5: true -rhel9cis_rule_2_3_6: true rhel9cis_rule_2_4: true Section 3 rules rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_3: true -rhel9cis_rule_3_1_4: true rhel9cis_rule_3_2_1: true rhel9cis_rule_3_2_2: true rhel9cis_rule_3_3_1: true 
@@ -188,11 +185,6 @@ rhel9cis_rule_3_3_8: true rhel9cis_rule_3_3_9: true rhel9cis_rule_3_4_1_1: true rhel9cis_rule_3_4_1_2: true -rhel9cis_rule_3_4_1_3: true -rhel9cis_rule_3_4_1_4: true -rhel9cis_rule_3_4_1_5: true -rhel9cis_rule_3_4_1_6: true -rhel9cis_rule_3_4_1_7: true rhel9cis_rule_3_4_2_1: true rhel9cis_rule_3_4_2_2: true rhel9cis_rule_3_4_2_3: true @@ -200,11 +192,6 @@ rhel9cis_rule_3_4_2_4: true rhel9cis_rule_3_4_2_5: true rhel9cis_rule_3_4_2_6: true rhel9cis_rule_3_4_2_7: true -rhel9cis_rule_3_4_2_8: true -rhel9cis_rule_3_4_2_9: true -rhel9cis_rule_3_4_2_10: true -rhel9cis_rule_3_4_2_11: true - # Section 4 rules rhel9cis_rule_4_1_1_1: true @@ -235,6 +222,16 @@ rhel9cis_rule_4_1_3_18: true rhel9cis_rule_4_1_3_19: true rhel9cis_rule_4_1_3_20: true rhel9cis_rule_4_1_3_21: true +rhel9cis_rule_4_1_4_1: true +rhel9cis_rule_4_1_4_2: true +rhel9cis_rule_4_1_4_3: true +rhel9cis_rule_4_1_4_4: true +rhel9cis_rule_4_1_4_5: true +rhel9cis_rule_4_1_4_6: true +rhel9cis_rule_4_1_4_7: true +rhel9cis_rule_4_1_4_8: true +rhel9cis_rule_4_1_4_9: true +rhel9cis_rule_4_1_4_10: true rhel9cis_rule_4_2_1_1: true rhel9cis_rule_4_2_1_2: true rhel9cis_rule_4_2_1_3: true @@ -253,9 +250,7 @@ rhel9cis_rule_4_2_2_5: true rhel9cis_rule_4_2_2_6: true rhel9cis_rule_4_2_2_7: true rhel9cis_rule_4_2_3: true -rhel9cis_rule_4_3_1: true -rhel9cis_rule_4_3_2: true -rhel9cis_rule_4_3_3: true +rhel9cis_rule_4_3: true # Section 5 rules rhel9cis_rule_5_1_1: true @@ -400,6 +395,8 @@ rhel9cis_aide_cron: # SELinux policy rhel9cis_selinux_pol: targeted +# chose onf or enfocing or permissive +rhel9cis_selinux_enforce: enforcing # Whether or not to run tasks related to auditing/patching the desktop environment 
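Review bot: The comment added above the new `rhel9cis_selinux_enforce` default reads `# chose onf or enfocing or permissive` and is the only documentation of the variable; it should state the accepted values plainly, e.g. `# SELinux mode to apply: one of enforcing or permissive`. Defaulting to `enforcing` is the right call for a hardening role, and the comment should also warn that choosing `permissive` presumably leaves the SELinux-mode control (the 1.6.1.x rules, not visible here) unsatisfied rather than met.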
@@ -417,13 +414,12 @@ rhel9cis_chrony_server_options: "minpoll 8" ### 2.2 Special Purposes ##### Service configuration booleans set true to keep service -rhel9cis_xinetd_server: false rhel9cis_gui: false rhel9cis_avahi_server: false rhel9cis_cups_server: false rhel9cis_dhcp_server: false rhel9cis_dns_server: false -rhel9cis_ftp_server: false +rhel9cis_dnsmasq_server: false rhel9cis_vsftpd_server: false rhel9cis_tftp_server: false rhel9cis_httpd_server: false @@ -433,7 +429,6 @@ rhel9cis_imap_server: false rhel9cis_samba_server: false rhel9cis_squid_server: false rhel9cis_snmp_server: false -rhel9cis_nis_server: false rhel9cis_telnet_server: false rhel9cis_is_mail_server: false # Note the options @@ -450,12 +445,10 @@ rhel9cis_use_rsync_server: false rhel9cis_use_rsync_service: false #### 2.3 Service clients -rhel9cis_ypbind_required: false -rhel9cis_rsh_required: false -rhel9cis_talk_required: false rhel9cis_telnet_required: false rhel9cis_openldap_clients_required: false rhel9cis_tftp_client: false +rhel9cis_ftp_client: false ## Section3 vars @@ -473,15 +466,29 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public -rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy + +# These are the default service add accordingly +rhel9_firewalld_service: + - ssh + - dhcpv6-client +# These are added to demonstrate how this can be done +rhel9cis_firewalld_ports: + - number: 80 + protocol: tcp #### nftables -rhel9cis_nftables_firewalld_state: masked rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true - - +rhel9_nftables_ports: + - port: ssh + protocol: tcp + type: dport + rule: accept + - port: igmp + protocol: ip + type: protocol + rule: accept # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: | Authorized uses only. All activity may be monitored and reported. 
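Review bot: The new `rhel9cis_firewalld_ports` default opens 80/tcp and `rhel9_nftables_ports` accepts `igmp` on every host that does not override them, which widens inbound exposure in a role whose purpose is to restrict it; the "added to demonstrate" comment does not stop the rule being applied. Ship the defaults as empty lists (`rhel9cis_firewalld_ports: []`, `rhel9_nftables_ports: []`) and move the example entries into a comment. The two new list names also drop the `cis` from the `rhel9cis_` prefix that every other variable in this file uses; `rhel9cis_firewalld_service` / `rhel9cis_nftables_ports` would keep lookups consistent (a rename that must be mirrored wherever the section 3 tasks consume them, which is outside this hunk).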
@@ -522,6 +529,10 @@ rhel9cis_preferred_log_capture: rsyslog #### 4.2.1.6 remote and destation log server name rhel9cis_remote_log_server: logagg.example.com +rhel9cis_remote_log_port: 514 +rhel9cis_remote_log_protocol: tcp +rhel9cis_remote_log_retrycount: 100 +rhel9cis_remote_log_queuesize: 1000 #### 4.2.1.7 rhel9cis_system_is_log_server: false diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index 258b64f..d21e6c4 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml 
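Review bot: The new remote-logging defaults describe a plain `tcp` forward on port 514 to `logagg.example.com` with nothing indicating that this transport is neither encrypted nor authenticated, so a consumer overriding only the hostname gets forwarded audit/auth logs in cleartext. A comment next to `rhel9cis_remote_log_protocol` such as `# plain tcp/udp forwarding is unencrypted and unauthenticated; use TLS (omfwd StreamDriver) or RELP where log integrity matters` would make the trade-off visible. The omfwd action that consumes these values starts in a later hunk that runs past this view, so whether a TLS option is wired up there cannot be confirmed from here.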
@@ -18,92 +18,88 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.1.1 -- name: "4.1.1.2 | PATCH | Ensure auditd service is enabled" - service: - name: auditd - state: started - enabled: true +- name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" + block: + - name: "4.1.1.2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" + shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_4_1_1_2_grub_cmdline_linux + + - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" + replace: + dest: /etc/default/grub + regexp: 'audit=.' + replace: 'audit=1' + notify: grub2cfg + when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" + + - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" + lineinfile: + path: /etc/default/grub + regexp: '^GRUB_CMDLINE_LINUX=' + line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"' + notify: grub2cfg + when: "'audit=' not in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" when: - rhel9cis_rule_4_1_1_2 tags: - level2-server - level2-workstation - - automated - patch - auditd + - grub - rule_4.1.1.2 -- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" +- name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" block: - - name: "4.1.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" + - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false check_mode: false register: rhel9cis_4_1_1_3_grub_cmdline_linux - - name: "4.1.1.3 | 
PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" - replace: - dest: /etc/default/grub - regexp: 'audit=.' - replace: 'audit=1' - notify: grub2cfg - when: "'audit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" - - - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" - lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit=1"' - notify: grub2cfg - when: "'audit=' not in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" - when: - - rhel9cis_rule_4_1_1_3 - tags: - - level2-server - - level2-workstation - - automated - - patch - - auditd - - grub - - rule_4.1.1.3 - -- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient" - block: - - name: "4.1.1.4 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" - shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_4_1_1_4_grub_cmdline_linux - - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" + - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" replace: dest: /etc/default/grub regexp: 'audit_backlog_limit=\d+' replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}' notify: grub2cfg - when: "'audit_backlog_limit=' in rhel9cis_4_1_1_4_grub_cmdline_linux.stdout" + when: "'audit_backlog_limit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" - - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" + - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' - line: '{{ rhel9cis_4_1_1_4_grub_cmdline_linux.stdout }} 
audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' + line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' notify: grub2cfg - when: "'audit_backlog_limit=' not in rhel9cis_4_1_1_4_grub_cmdline_linux.stdout" + when: "'audit_backlog_limit=' not in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" + when: + - rhel9cis_rule_4_1_1_3 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - grub + - rule_4.1.1.3 + +- name: "4.1.1.4 | PATCH | Ensure auditd service is enabled" + service: + name: auditd + state: started + enabled: true when: - rhel9cis_rule_4_1_1_4 tags: - level2-server - level2-workstation - - automated - patch - auditd - - grub - rule_4.1.1.4 diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index a3ab990..62bee82 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -27,7 +27,6 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.2.2 @@ -47,7 +46,6 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.2.3 @@ -64,6 +62,5 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index 8272b7e..ec61402 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml 
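Review bot: The AUDIT tasks in 4.1.1.2 and 4.1.1.3 run `grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'` unanchored, so a commented-out `#GRUB_CMDLINE_LINUX=...` line also matches and its text is then fed verbatim into the `line:` that lineinfile writes back, corrupting the real setting; anchoring it as `grep '^GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'` in both tasks avoids that. The `sed 's/.$//'` also assumes the value ends in a closing quote — on an unquoted line it drops the last character of a real kernel argument — and the follow-on `replace` with `regexp: 'audit=.'` is applied to the whole file rather than being scoped to the GRUB_CMDLINE_LINUX line. The commit renumbers these tasks but carries the fragile extraction over unchanged.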
@@ -2,63 +2,59 @@ # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_1 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.1 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_2 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.2 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_3 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.3 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_4 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.4 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_5 @@ -81,7 +77,7 @@ register: priv_procs - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true notify: update auditd when: 
@@ -89,98 +85,91 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.6 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_7 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3_7 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_8 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.8 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_9 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.9 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_10 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.10 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.11 | PATCH | Ensure session initiation information is collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_11 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.11 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.12 | PATCH | Ensure 
login and logout events are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_12 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.12 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_13 
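Review bot: The tag on the 4.1.3.7 task is `rule_4.1.3_7`, which breaks the `rule_<id>` convention every other task in this hunk follows, so a run with `--tags rule_4.1.3.7` silently skips that control; it should be `- rule_4.1.3.7`. The commit touches this task (FQCN module name, removal of the `automated` tag) but leaves the typo in place.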
@@ -193,104 +182,97 @@ # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_14 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.14 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_15 tags: - level2-server - level2- workstation - - automated - patch - auditd - rule_4.1.3.15 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_16 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.16 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_17 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.17 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_18 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.18 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.19 
| PATCH | Ensure kernel module loading and unloading is collected" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_19 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.19 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable" - set_fact: + ansible.builtin.set_fact: update_audit_template: true when: - rhel9cis_rule_4_1_3_20 tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.20 - name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same" - debug: + ansible.builtin.debug: msg: - "Please run augenrules --load if you suspect there is a configuration that is not active" when: @@ -304,7 +286,7 @@ - rule_4.1.3.21 - name: Auditd | 4.1.3 | Auditd controls updated - debug: + ansible.builtin.debug: msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules" changed_when: false when: diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml new file mode 100644 index 0000000..b7828ae --- /dev/null +++ b/tasks/section_4/cis_4.1.4.x.yml 
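Review bot: The 4.1.3.20 task ("Ensure the audit configuration is immutable") is tagged `rule_4.1.20` instead of `rule_4.1.3.20`, so tag-scoped runs of that control miss it; change the tag line to `- rule_4.1.3.20`. This is one of the tasks the commit edits for the FQCN rename, so fixing the tag in the same change would be cheap.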
@@ -0,0 +1,188 @@
+---
+
+- name: |
+ "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive"
+ "4.1.4.2 | PATCH | Ensure only authorized users own audit log files"
+ "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
+
+ block:
+ - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file"
+ ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'
+ register: audit_logfile
+ changed_when: false
+
+ - name: |
+ "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive"
+ "4.1.4.2 | PATCH | Ensure only authorized users own audit log files"
+ "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
+ ansible.builtin.file:
+ path: "{{ audit_logfile.stdout }}"
+ state: file
+ mode: 0640
+ owner: root
+ group: root
+ when:
+ - rhel9cis_rule_4_1_4_1 or
+ rhel9cis_rule_4_1_4_2 or
+ rhel9cis_rule_4_1_4_3
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - auditd
+ - rule_4.1.4.1
+ - rule_4.1.4.2
+ - rule_4.1.4.3
+
+- name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive"
+ block:
+ - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions"
+ ansible.builtin.stat:
+ path: "{{ audit_logfile.stdout | dirname }}"
+ register: auditlog_dir
+
+ - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set"
+ ansible.builtin.file:
+ path: "{{ audit_logfile.stdout | dirname }}"
+ state: directory
+ mode: 0750
+ when: not auditlog_dir.stat.mode is match('07(0|5)0')
+ when:
+ - rhel9cis_rule_4_1_4_4
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - auditd
+ - rule_4.1.4.4
+
+- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
+ block:
+
+ - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | get permissions"
+ ansible.builtin.stat:
+ path: "{{ item.path }}"
+ register: item_file
+ loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}"
+ loop_control:
+ label: "{{ item.path }}"
+
+ - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions"
+ ansible.builtin.file:
+ path: "{{ audit_logfile.stdout | dirname }}"
+ state: file
+ mode: 0640
+ loop: "{{ audit_config_files }}"
+ when: not item_file.stat.mode is match('06(0|4)0')
+ when:
+ - rhel9cis_rule_4_1_4_5
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - auditd
+ - rule_4.1.4.5
+
+- name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root"
+ ansible.builtin.file:
+ path: "{{ audit_logfile.stdout | dirname }}"
+ state: file
+ owner: root
+ loop: "{{ audit_config_files }}"
+ when:
+ - rhel9cis_rule_4_1_4_6
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - auditd
+ - rule_4.1.4.6
+
+- name: "4.1.4.7 | PATCH | Ensure audit configuration files belong to group root"
+ ansible.builtin.file:
+ path: "{{ audit_logfile.stdout | dirname }}"
+ state: file
+ group: root
+ loop: "{{ audit_config_files }}"
+ when:
+ - rhel9cis_rule_4_1_4_7
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - auditd
+ - rule_4.1.4.7
+
+- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive"
+ block:
+ - name: "PRELIM | 4.1.4.8 | Get audit binarty file stat | get current mode"
+ ansible.builtin.stat:
+ path: "{{ item }}"
+ register: "audit_bins"
+ loop:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/augenrules
+
+ - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: file
+ mode: 0750
+ register: "audit_bins"
+ loop: "{{ audit_bins.results.stat.path }}"
+ when: not audit_bins.stat.mode is match('07(0|5)(0|5)')
+ when:
+ - rhel9cis_rule_4_1_4_8
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - auditd
+ - rule_4.1.4.8
+
+- name: "4.1.4.9 | PATCH | Ensure audit tools are owned by root"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: file
+ owner: root
+ group: root
+ loop:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/augenrules
+ when:
+ - rhel9cis_rule_4_1_4_9
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - auditd
+ - rule_4.1.4.9
+
+- name: "4.1.4.10 | PATCH | Ensure audit tools belong to group root"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: file
+ group: root
+ loop:
+ - /sbin/auditctl
+ - /sbin/aureport
+ - /sbin/ausearch
+ - /sbin/autrace
+ - /sbin/auditd
+ - /sbin/augenrules
+ when:
+ - rhel9cis_rule_4_1_4_10
+ tags:
+ - level2-server
+ - level2-workstation
+ - patch
+ - auditd
+ - rule_4.1.4.10
diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml
index 12afac1..e34f677 100644
--- a/tasks/section_4/cis_4.2.1.x.yml
+++ b/tasks/section_4/cis_4.2.1.x.yml
@@ -1,7 +1,7 @@
 ---
 
 - name: "4.2.1.1 | PATCH | Ensure rsyslog installed"
- package:
+ ansible.builtin.package:
 name: rsyslog
 state: present
 when:
@@ -10,13 +10,12 @@
 tags:
 - level1-server
 - level1-workstation
- - automated
 - patch
 - rsyslog
 - rule_4.2.1.1
 
 - name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled"
- service:
+ ansible.builtin.systemd:
 name: rsyslog
 enabled: true
 when:
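Review bot: The `path:` in the 4.1.4.5 set task and in 4.1.4.6 and 4.1.4.7 is `{{ audit_logfile.stdout | dirname }}`, so every loop iteration targets the audit log directory with `state: file` instead of the config file in `item`; as far as I recall `ansible.builtin.file` refuses `state: file` on a directory, so these tasks fail before any config file is touched, and 4.1.4.6/4.1.4.7 at minimum need `path: "{{ item }}"`. The 4.1.4.5 pair is also internally inconsistent: the stat task loops over `audit_conf_files` and registers `item_file`, while the set task loops over a differently named `audit_config_files` and tests `item_file.stat.mode`, which does not exist after a loop (the register holds `.results`). 4.1.4.8 has the same shape problem — `loop: "{{ audit_bins.results.stat.path }}"` is not a valid lookup into a list, the second `register: audit_bins` clobbers the stat output, and `when: not audit_bins.stat.mode ...` never evaluates per item — so both set tasks should iterate the stat results directly, as below. Separately, 4.1.4.1–4.1.4.3 only chmod/chown the single file currently named by `log_file`, whereas the benchmark wording (as I read it) covers every file in that directory including rotated logs, and 4.1.4.4 dereferences `audit_logfile` even when rules 4.1.4.1–3 are all disabled and it was never registered.
```yaml
# … unchanged: 4.1.4.5 stat task registering item_file …
  - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions"
    ansible.builtin.file:
      path: "{{ item.stat.path }}"
      state: file
      mode: "0640"
    loop: "{{ item_file.results }}"
    loop_control:
      label: "{{ item.stat.path }}"
    when: not item.stat.mode is match('06(0|4)0')
# … unchanged: 4.1.4.6, 4.1.4.7 (with path: "{{ item }}"), 4.1.4.8 stat task registering audit_bins …
  - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required"
    ansible.builtin.file:
      path: "{{ item.stat.path }}"
      state: file
      mode: "0750"
    loop: "{{ audit_bins.results }}"
    loop_control:
      label: "{{ item.stat.path }}"
    when:
      - item.stat.exists
      - not item.stat.mode is match('07(0|5)(0|5)')
```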
@@ -24,29 +23,27 @@ tags: - level1-server - level1-workstation - - automated - patch - rsyslog - rule_4.2.1.2 -# This is counter to control 4.2.2.5?? - name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" line: ForwardToSyslog=yes + notify: restart rsyslog when: - rhel9cis_rule_4_2_1_3 - rhel9cis_preferred_log_capture == "rsyslog" tags: - level1-server - level1-workstation - - manual - patch - rule_4.2.1.3 - name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" - lineinfile: + ansible.builtin.lineinfile: path: /etc/rsyslog.conf regexp: '^\$FileCreateMode' line: '$FileCreateMode 0640' @@ -56,7 +53,6 @@ tags: - level1-server - level1-workstation - - automated - patch - rsyslog - rule_4.2.1.4 @@ -64,20 +60,20 @@ - name: "4.2.1.5 | PATCH | Ensure logging is configured" block: - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" - command: cat /etc/rsyslog.conf + ansible.builtin.command: cat /etc/rsyslog.conf changed_when: false failed_when: false check_mode: false register: rhel_08_4_2_1_5_audit - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" - debug: + ansible.builtin.debug: msg: - "These are the current logging configurations for rsyslog, please review:" - "{{ rhel_08_4_2_1_5_audit.stdout_lines }}" - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "# {mark} MAIL LOG SETTINGS (ANSIBLE MANAGED)" @@ -92,7 +88,7 @@ when: rhel9cis_rsyslog_ansiblemanaged - name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "# {mark} NEWS LOG SETTINGS (ANSIBLE MANAGED)" 
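Review bot: The `notify: restart rsyslog` added to 4.2.1.3 does not make the new `ForwardToSyslog=yes` take effect, because /etc/systemd/journald.conf is read by systemd-journald, not by rsyslog; the handler that needs to fire is one that restarts systemd-journald (rsyslog can stay as a second notify if its side needs it). The same mismatch is in cis_4.2.2.x.yml later in this series, where 4.2.2.3 (`Compress=yes`) and 4.2.2.4 (`Storage=persistent`) edit journald.conf but notify `restart systemd_journal_upload`. Until journald is restarted the host keeps its previous forwarding/compression/storage behaviour while the task reports changed, so the control looks applied without being enforced. I'd change the line to `notify: <journald-restart-handler>` (placeholder — the role's handlers file is not on this page, so I can't quote its name).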
@@ -105,7 +101,7 @@ when: rhel9cis_rsyslog_ansiblemanaged - name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "# {mark} MISC. LOG SETTINGS (ANSIBLE MANAGED)" @@ -119,7 +115,7 @@ when: rhel9cis_rsyslog_ansiblemanaged - name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "#{mark} LOCAL LOG SETTINGS (ANSIBLE MANAGED)" @@ -134,7 +130,7 @@ notify: restart rsyslog - name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)" @@ -145,7 +141,7 @@ notify: restart rsyslog - name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present marker: "#{mark} Cron SETTINGS (ANSIBLE MANAGED)" @@ -159,18 +155,17 @@ tags: - level1-server - level1-workstation - - manual - patch - rsyslog - rule_4.2.1.5 - name: "4.2.1.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" - blockinfile: + ansible.builtin.blockinfile: path: /etc/rsyslog.conf state: present block: | - # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional - *.* @@{{ rhel9cis_remote_log_server }} + # target can be IP or FQDN + *.* action(type="omfwd" target="{{ rhel9cis_remote_log_server }}" port="{{ rhel9cis_remote_log_port }}" protocol="{{ rhel9cis_remote_log_protocol }}" action.resumeRetryCount="{{ rhel9cis_remote_log_retrycount }}" queue.type="LinkedList" queue.size="{{ rhel9cis_remote_log_queuesize }}") insertafter: EOF register: result failed_when: 
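Review bot: The rewritten omfwd line in 4.2.1.6 references four variables that the old block did not use — `rhel9cis_remote_log_port`, `rhel9cis_remote_log_protocol`, `rhel9cis_remote_log_retrycount` and `rhel9cis_remote_log_queuesize` — and if they are not added to the role defaults in the same change, blockinfile fails with an undefined variable on every host that has a remote log server configured (defaults are not on this page, so I can't confirm either way). The task's `register`/`failed_when` continue past the hunk. A short comment above the action line would help the next reader, e.g. `# LinkedList queue buffers messages while the remote host is unreachable; size and retry count come from role vars`, and rsyslog's RainerScript accepts the `action(...)` parameters across several lines, which would keep the block scalar readable instead of one very long line.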
@@ -179,11 +174,10 @@ notify: restart rsyslog when: - rhel9cis_rule_4_2_1_6 - - rhel9cis_remote_log_server is defined + - rhel9cis_remote_log_server tags: - level1-server - level1-workstation - - manual - patch - rsyslog - rule_4.2.1.6 @@ -191,20 +185,20 @@ - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" block: - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host" - replace: + ansible.builtin.replace: path: /etc/rsyslog.conf - regexp: '({{ item }})' + regexp: '{{ item }}' replace: '#\1' notify: restart rsyslog with_items: - - '^(\$ModLoad imtcp)' - - '^(\$InputTCPServerRun)' - - '^(module\(load="imtcp"\))' - - '^(input\(type="imtcp")' + - '^\$ModLoad imtcp' + - '^\$InputTCPServerRun' + - '^module\(load="imtcp"\)' + - '^input\(type="imtcp" port=.*\)' when: not rhel9cis_system_is_log_server - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host" - replace: + ansible.builtin.replace: path: /etc/rsyslog.conf regexp: '^#(.*{{ item }}.*)' replace: '\1' @@ -213,14 +207,13 @@ - 'ModLoad imtcp' - 'InputTCPServerRun' - 'module\(load="imtcp"\)' - - 'input\(type="imtcp"' + - 'input\(type="imtcp" port=".*")' when: rhel9cis_system_is_log_server when: - rhel9cis_rule_4_2_1_7 tags: - level1-server - level1-workstation - - automated - patch - rsyslog - rule_4.2.1.7 diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index f172f96..08db497 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -1,7 +1,7 @@ --- - name: "4.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed" - package: + ansible.builtin.package: name: systemd-journal-remote state: present when: 
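Review bot: Replacing `rhel9cis_remote_log_server is defined` with a bare truthiness test changes the failure mode of 4.2.1.6: when the variable is not defined at all, the conditional now raises an undefined-variable error instead of skipping the task. That is fine if the defaults file always sets it (for example to an empty string or `false`), but that file is not visible here. Keeping both conditions, `- rhel9cis_remote_log_server is defined` followed by `- rhel9cis_remote_log_server`, preserves the skip while still rejecting an empty value.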
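Review bot: `replace: '#\1'` in the "When not log host" task still back-references group 1, but the capture group was removed from the pattern (`regexp: '{{ item }}'` with items such as `'^\$ModLoad imtcp'`), so the substitution raises an invalid group reference and the task fails on any host where one of those directives is present — exactly the hosts the control is meant to fix. Either restore the wrapping parentheses, `regexp: '({{ item }})'`, or reference the whole match, `replace: '#\g<0>'`. The block's outer `when` is in the following hunk.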
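Review bot: The new item `'input\(type="imtcp" port=".*")'` in the "When log host" task escapes the opening parenthesis but not the closing one; once it is inserted into `regexp: '^#(.*{{ item }}.*)'` the pattern has unbalanced parentheses and the regex fails to compile. The item should read `'input\(type="imtcp" port=".*"\)'`, matching the escaped close already used in the sibling task's item `'^input\(type="imtcp" port=.*\)'`.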
@@ -15,7 +15,7 @@ - rule_4.2.2.1.1 - name: "4.2.2.1.2 | PATCH | Ensure systemd-journal-remote is configured" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journal-upload.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -36,7 +36,7 @@ - rule_4.2.2.1.2 - name: "4.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled" - systemd: + ansible.builtin.systemd: name: systemd-journal-upload state: started enabled: true @@ -52,7 +52,7 @@ - rule_4.2.2.1.3 - name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" - systemd: + ansible.builtin.systemd: name: systemd-journal-remote.socket state: stopped enabled: false @@ -71,25 +71,25 @@ - name: "4.2.2.2 | PATCH | Ensure journald service is enabled" block: - name: "4.2.2.2 | PATCH | Ensure journald service is enabled | Enable service" - systemd: + ansible.builtin.systemd: name: systemd-journald state: started enabled: true - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status" - shell: systemctl is-enabled systemd-journald.service + ansible.builtin.shell: systemctl is-enabled systemd-journald.service changed_when: false failed_when: false register: rhel9cis_4_2_2_2_status - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" - debug: + ansible.builtin.debug: msg: - "Warning!! The status of systemd-journald should be static and it is not. Please investigate" when: "'static' not in rhel9cis_4_2_2_2_status.stdout" - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]" warn_count: "{{ warn_count | int + 1 }}" when: "'static' not in rhel9cis_4_2_2_2_status.stdout" 
@@ -104,10 +104,11 @@ - rule_4.2.2.2 - name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "^#Compress=|^Compress=" line: Compress=yes + notify: restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_3 tags: @@ -119,10 +120,11 @@ - rule_4.2.2.3 - name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "^#Storage=|^Storage=" line: Storage=persistent + notify: restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_4 tags: @@ -135,7 +137,7 @@ # This is counter to control 4.2.1.3?? - name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "^ForwardToSyslog=" line: "#ForwardToSyslog=yes" @@ -151,7 +153,7 @@ - rule_4.2.2.5 - name: "4.2.2.6 | PATCH | Ensure journald log rotation is configured per site policy" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" 
@@ -175,35 +177,21 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured" block: - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Check for override file" - find: - paths: /etc/tmpfiles.d - patterns: systemd.conf - register: rhel9cis_4_2_2_7_override_status + ansible.builtin.stat: + path: /etc/tmpfiles.d/systemd.conf + register: rhel9cis_4_2_2_7_override - - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get override file settings" - shell: cat /etc/tmpfiles.d/systemd.conf - changed_when: false - failed_when: false - register: rhel9cis_4_2_2_7_override_settings - when: rhel9cis_4_2_2_7_override_status.matched >= 1 + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Set live file" + ansible.builtin.set_fact: + systemd_conf_file: /etc/tmpfiles.d/systemd.conf + when: rhel9cis_4_2_2_7_override_stat.exists - - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get non-override file settings" - shell: cat /usr/lib/tmpfiles.d/systemd.conf - changed_when: false - failed_when: false - register: rhel9cis_4_2_2_7_notoverride_settings - when: rhel9cis_4_2_2_7_override_status.matched == 0 + - name: "4.2.2.7 | PATCH | Ensure journald default file permissions configured | Set permission" + ansible.builtin.lineinfile: + path: "{{ /etc/tmpfiles.d/systemd.conf | default('/usr/lib/tmpfiles.d/systemd.conf') }}" + regexp: "^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root" + line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -' - - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings" - debug: - msg: - - "Warning!! 
Below are the current default settings for journald, please confirm they align with your site policies" - - "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}" - - - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Warn Count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_4.2.2.7' ]" - warn_count: "{{ warn_count | int + 1 }}" when: - rhel9cis_rule_4_2_2_7 tags: diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index a1b3bb7..e1e6bec 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -1,9 +1,18 @@ --- - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" - command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + - changed_when: false - failed_when: false + block: + - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" + ansible.builtin.find: + paths: "/var/log" + type: file + register: logfiles + + - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" + ansible.builtin.file: + paths: "{{ item.path }}" + mode: 0640 + register: logfiles when: - rhel9cis_rule_4_2_3 tags: diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 2283d6a..6709458 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml 
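Review bot: The rewritten 4.2.2.7 block cannot run as written: the stat is registered as `rhel9cis_4_2_2_7_override` but the set_fact condition reads `rhel9cis_4_2_2_7_override_stat.exists`, and the lineinfile path `"{{ /etc/tmpfiles.d/systemd.conf | default(...) }}"` places a bare path inside the Jinja expression instead of the `systemd_conf_file` fact set just above, which is a template syntax error. The regexp `(!?06(0|4)0)` also only matches entries that are already 0600/0640, so on a non-compliant host lineinfile appends a second `z` line at EOF and leaves the offending entry in place. I'd change the three lines to `when: rhel9cis_4_2_2_7_override.stat.exists`, `path: "{{ systemd_conf_file | default('/usr/lib/tmpfiles.d/systemd.conf') }}"` and `regexp: '^z /var/log/journal/%m/system\.journal \S+ root'`. Note that the fallback edits the vendor file under /usr/lib, which a package update overwrites; copying it to /etc/tmpfiles.d first would make the setting persistent, and a comment saying that the override file takes precedence would explain the stat. The block's `when`/`tags` continue past the hunk.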
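Review bot: The second task in the new 4.2.3 block never changes a file: `ansible.builtin.file` has no `paths` parameter (it is `path`), there is no `loop` over `logfiles.files` so `item` is undefined, and `register: logfiles` overwrites the find result; its name also repeats "find files". Separately, `mode: 0640` is not the `g-wx,o-rwx` the removed command applied: it forces group read on and group write off for every file under /var/log, including logs that are group-writable by design, so a symbolic mode is the faithful replacement. The rewrite below keeps the find task and fixes the file task:

```yaml
    # … unchanged: 4.2.3 find task registering logfiles …

    - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | set permissions"
      ansible.builtin.file:
        path: "{{ item.path }}"
        mode: "g-wx,o-rwx"
      loop: "{{ logfiles.files }}"
      loop_control:
        label: "{{ item.path }}"
```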
@@ -1,43 +1,25 @@ --- -- name: "4.3.1 | PATCH | Ensure logrotate is installed" - package: - name: rsyslog-logrotate - state: present - when: - - rhel9cis_rule_4_3_1 - tags: - - level1-server - - level1-workstation - - manual - - patch - - logrotate - - rule_4.3.1 - -- name: "4.3.2 | PATCH | Ensure logrotate is running and enabled" - systemd: - name: logrotate.timer - state: started - enabled: true - when: - - rhel9cis_rule_4_3_2 - tags: - - level1-server - - level1-workstation - - manual - - patch - - logrotate - - rule_4.3.2 - -- name: "4.3.3 | PATCH | Ensure logrotate is configured" +- name: "4.3 | PATCH | Ensure logrotate is configured" block: - - name: "4.3.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" - find: + - name: "4.3 | PATCH | Ensure logrotate is configured | installed" + ansible.builtin.package: + name: rsyslog-logrotate + state: present + + - name: "4.3.2 | PATCH | Ensure logrotate is configured | scheduled" + ansible.builtin.systemd: + name: logrotate.timer + state: started + enabled: true + + - name: "4.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" + ansible.builtin.find: paths: /etc/logrotate.d/ register: log_rotates - - name: "4.3.3 | PATCH | Ensure logrotate is configured" - replace: + - name: "4.3 | PATCH | Ensure logrotate is configured" + ansible.builtin.replace: path: "{{ item.path }}" regexp: '^(\s*)(daily|weekly|monthly|yearly)$' replace: "\\1{{ rhel9cis_logrotate }}" @@ -47,11 +29,11 @@ loop_control: label: "{{ item.path }}" when: - - rhel9cis_rule_4_3_3 + - rhel9cis_rule_4_3 tags: - level1-server - level1-workstation - manual - patch - logrotate - - rule_4.3.3 + - rule_4.3.1 diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 1431ed4..89f2787 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
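Review bot: The control numbering in the consolidated 4.3 block is inconsistent: the sub-task `"4.3.2 | PATCH | Ensure logrotate is configured | scheduled"` keeps the old number while its siblings use `4.3`, and the second hunk (`@@ -47,11 +29,11 @@`) gates on `rhel9cis_rule_4_3` but tags `- rule_4.3.1`, so `--tags rule_4.3` would not select it. I'd rename the sub-task to `"4.3 | PATCH | Ensure logrotate is configured | scheduled"` and the tag to `- rule_4.3`. The `- manual` tag is also kept on what is now an install-and-enable PATCH block; worth confirming that is still intended.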
@@ -3,7 +3,7 @@ ## metadata for benchmark ## metadata for Audit benchmark -benchmark_version: '2.0.0' +benchmark_version: '1.0.0' # Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS # If run via script this is discovered and set @@ -44,7 +44,6 @@ rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} # 1.1.1 Disable unused filesystems rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }} rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }} -rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }} # 1.1.2 Configure /tmp rhel9cis_rule_1_1_2_1: {{ rhel9cis_rule_1_1_2_1 }} rhel9cis_rule_1_1_2_2: {{ rhel9cis_rule_1_1_2_2 }} 
@@ -74,28 +73,25 @@ rhel9cis_rule_1_1_6_4: {{ rhel9cis_rule_1_1_6_4 }} rhel9cis_rule_1_1_7_1: {{ rhel9cis_rule_1_1_7_1 }} rhel9cis_rule_1_1_7_2: {{ rhel9cis_rule_1_1_7_2 }} rhel9cis_rule_1_1_7_3: {{ rhel9cis_rule_1_1_7_3 }} -rhel9cis_rule_1_1_7_4: {{ rhel9cis_rule_1_1_7_4 }} -rhel9cis_rule_1_1_7_5: {{ rhel9cis_rule_1_1_7_5 }} # 1.1.8 Configure /dev/shm rhel9cis_rule_1_1_8_1: {{ rhel9cis_rule_1_1_8_1 }} rhel9cis_rule_1_1_8_2: {{ rhel9cis_rule_1_1_8_2 }} rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_3 }} -# 1.9 autofs +rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_4 }} +# 1.9 usb-storage rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }} -# 1.10 usb-storage -rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }} # 1.2 Configure Software Updates -rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if Redhat and Subscribed +rhel9cis_rule_1_2_1: {{ rhel9cis_rule_1_2_1 }} rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }} rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }} rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }} # 1.3 Filesystem Integrity Checking rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }} rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }} +rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }} # 1.4 Secure Boot Settings rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }} rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }} -rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }} # 1.5 Additional Process Hardening rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }} @@ -108,6 +104,7 @@ rhel9cis_rule_1_6_1_4: {{ rhel9cis_rule_1_6_1_4 }} rhel9cis_rule_1_6_1_5: {{ rhel9cis_rule_1_6_1_5 }} rhel9cis_rule_1_6_1_6: {{ rhel9cis_rule_1_6_1_6 }} rhel9cis_rule_1_6_1_7: {{ rhel9cis_rule_1_6_1_7 }} +rhel9cis_rule_1_6_1_8: {{ rhel9cis_rule_1_6_1_8 }} # 1.7 Command Line Warning Banners rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }} rhel9cis_rule_1_7_2: {{ rhel9cis_rule_1_7_2 }} 
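Review bot: `+rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_4 }}` duplicates the key on the line above it, so after YAML parsing rule 1.1.8.3's audit flag silently takes 1.1.8.4's value and 1.1.8.4 gets no entry at all; the line should read `rhel9cis_rule_1_1_8_4: {{ rhel9cis_rule_1_1_8_4 }}`. The same copy-paste slip is in the next hunk (`@@ -121,6 +118,11 @@`), where the five added lines reuse keys `rhel9cis_rule_1_8_1` … `rhel9cis_rule_1_8_5` for values `rhel9cis_rule_1_8_6` … `rhel9cis_rule_1_8_10`, overriding the existing 1.8.1–1.8.5 entries with the wrong switches. Because most loaders keep the last duplicate, the audit would report on the wrong controls without any error; a yamllint `key-duplicates` check on the rendered template would catch both.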
@@ -121,6 +118,11 @@ rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_3 }} rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_4 }} rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_5 }} +rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_8_6 }} +rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_7 }} +rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_8 }} +rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_9 }} +rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_10 }} # 1.9 Ensure updates, patches, and additional security software are installed rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} # Ensure system-wide crypto policy is not legacy @@ -151,24 +153,19 @@ rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }} rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }} rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }} rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }} -rhel9cis_rule_2_2_19: {{ rhel9cis_rule_2_2_19 }} -rhel9cis_rule_2_2_20: {{ rhel9cis_rule_2_2_20 }} # 2.3 service clients rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }} rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }} rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }} rhel9cis_rule_2_3_4: {{ rhel9cis_rule_2_3_4 }} -rhel9cis_rule_2_3_5: {{ rhel9cis_rule_2_3_5 }} -rhel9cis_rule_2_3_6: {{ rhel9cis_rule_2_3_6 }} -rhel9cis_rule_2_4: true # todo +rhel9cis_rule_2_4: true # Section 3 rules # 3.1 Disable unused network protocols and devices rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }} -rhel9cis_rule_3_1_4: {{ rhel9cis_rule_3_1_4 }} # 3.2 Network Parameters (Host Only) rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }} 
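Review bot: `rhel9cis_rule_2_4: true` stays hard-coded after the `# todo` marker was dropped, so the goss audit always evaluates 2.4 regardless of how the role variable is set, while every neighbouring key is templated from its role variable. If the defaults define it, `rhel9cis_rule_2_4: {{ rhel9cis_rule_2_4 }}` keeps the template consistent; if they deliberately do not, a comment explaining why this one is fixed would stop the next reader from re-raising it.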
@@ -185,11 +182,7 @@ rhel9cis_rule_3_3_9: {{ rhel9cis_rule_3_3_9 }} # 3.4.1 Configure firewalld rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }} rhel9cis_rule_3_4_1_2: {{ rhel9cis_rule_3_4_1_2 }} -rhel9cis_rule_3_4_1_3: {{ rhel9cis_rule_3_4_1_3 }} -rhel9cis_rule_3_4_1_4: {{ rhel9cis_rule_3_4_1_4 }} -rhel9cis_rule_3_4_1_5: {{ rhel9cis_rule_3_4_1_5 }} -rhel9cis_rule_3_4_1_6: {{ rhel9cis_rule_3_4_1_6 }} -rhel9cis_rule_3_4_1_7: {{ rhel9cis_rule_3_4_1_7 }} + # 3.4.1 Configure nftables rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }} rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }} @@ -198,10 +191,7 @@ rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }} rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }} rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }} rhel9cis_rule_3_4_2_7: {{ rhel9cis_rule_3_4_2_7 }} -rhel9cis_rule_3_4_2_8: {{ rhel9cis_rule_3_4_2_8 }} -rhel9cis_rule_3_4_2_9: {{ rhel9cis_rule_3_4_2_9 }} -rhel9cis_rule_3_4_2_10: {{ rhel9cis_rule_3_4_2_10 }} -rhel9cis_rule_3_4_2_11: {{ rhel9cis_rule_3_4_2_11 }} + # Section 4 rules # 4.1 Configure System Accounting @@ -238,6 +228,18 @@ rhel9cis_rule_4_1_3_19: {{ rhel9cis_rule_4_1_3_19 }} rhel9cis_rule_4_1_3_20: {{ rhel9cis_rule_4_1_3_20 }} rhel9cis_rule_4_1_3_21: {{ rhel9cis_rule_4_1_3_21 }} +# 4.1.4 Configure auditd file Access +rhel9cis_rule_4_1_4_1: {{ rhel9cis_rule_4_1_4_1 }} +rhel9cis_rule_4_1_4_2: {{ rhel9cis_rule_4_1_4_2 }} +rhel9cis_rule_4_1_4_3: {{ rhel9cis_rule_4_1_4_3 }} +rhel9cis_rule_4_1_4_4: {{ rhel9cis_rule_4_1_4_4 }} +rhel9cis_rule_4_1_4_5: {{ rhel9cis_rule_4_1_4_5 }} +rhel9cis_rule_4_1_4_6: {{ rhel9cis_rule_4_1_4_6 }} +rhel9cis_rule_4_1_4_7: {{ rhel9cis_rule_4_1_4_7 }} +rhel9cis_rule_4_1_4_8: {{ rhel9cis_rule_4_1_4_8 }} +rhel9cis_rule_4_1_4_9: {{ rhel9cis_rule_4_1_4_9 }} +rhel9cis_rule_4_1_4_10: {{ rhel9cis_rule_4_1_4_10 }} + # 4.2.1 Configure rsyslog rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }} rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }} 
@@ -262,9 +264,8 @@ rhel9cis_rule_4_2_2_7: {{ rhel9cis_rule_4_2_2_7 }} rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }} # 4.3 Logrotate -rhel9cis_rule_4_3_1: {{ rhel9cis_rule_4_3_1 }} -rhel9cis_rule_4_3_2: {{ rhel9cis_rule_4_3_2 }} -rhel9cis_rule_4_3_3: {{ rhel9cis_rule_4_3_3 }} +rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }} + # Section 5 # Authentication and Authorization @@ -391,12 +392,11 @@ rhel9_aide_scan: cron # Set to 'true' if X Windows is needed in your environment rhel9cis_xwindows_required: false ### Service configuration booleans set true to keep service -rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} rhel9cis_cups_server: {{ rhel9cis_cups_server }} rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} rhel9cis_dns_server: {{ rhel9cis_dns_server }} -rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} +rhel9cis_dnsmasq_server: {{ rhel9cis_dnsmasq_server }} rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} @@ -406,7 +406,6 @@ rhel9cis_imap_server: {{ rhel9cis_imap_server }} rhel9cis_samba_server: {{ rhel9cis_samba_server }} rhel9cis_squid_server: {{ rhel9cis_squid_server }} rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} -rhel9cis_nis_server: {{ rhel9cis_nis_server }} rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} 
@@ -421,12 +420,10 @@ rhel9cis_use_rsync_server: {{ rhel9cis_use_rsync_server }} rhel9cis_use_rsync_service: {{ rhel9cis_use_rsync_service }} #### 2.3 Service clients -rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} -rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} -rhel9cis_talk_required: {{ rhel9cis_talk_required }} rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} +rhel9cis_ftp_client: {{ rhel9cis_ftp_client }} # Section 3 From 415f62faca98fb31756e7915c4f2e881464af3e1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 11:39:10 +0000 Subject: [PATCH 008/143] renamed Signed-off-by: Mark Bolwell --- tasks/section_3/{cis_3.4.2.yml => cis_3.4.2.x.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tasks/section_3/{cis_3.4.2.yml => cis_3.4.2.x.yml} (100%) diff --git a/tasks/section_3/cis_3.4.2.yml b/tasks/section_3/cis_3.4.2.x.yml similarity index 100% rename from tasks/section_3/cis_3.4.2.yml rename to tasks/section_3/cis_3.4.2.x.yml From c3f680d8fbecdccbc28dcf8b315241ad9bdda18c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 11:39:37 +0000 Subject: [PATCH 009/143] prelim added Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 27 ++++++++++++++++++--------- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f17d47c..d133108 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -114,16 +114,25 @@ - rule_4.1.1.1 - auditd -- name: "PRELIM | 4.1.12 | Ensure successful file system mounts are collected" - shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done - changed_when: false - failed_when: false - check_mode: false - register: priv_procs +- name: "PRELIM | 4.1.4.5 | Audit conf and rules files | list files" + ansible.builtin.find: + path: /etc/audit + file_type: file + recurse: true + patterns: '*.conf,*.rules' + register: auditd_conf_files + when: + - rhel9cis_rule_4_1_4_5 or + rhel9cis_rule_4_1_4_6 or + rhel9cis_rule_4_1_4_7 tags: - - level1-server - - level1-workstation - - always + - level2-server + - level2-workstation + - patch + - auditd + - rule_4.1.4.5 + - rule_4.1.4.6 + - rule_4.1.4.7 - name: "PRELIM | Section 5.1 | Configure cron" package: From 1b634f31939b5eaf2837e865a4b6dd2f80cdb90b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 11:39:50 +0000 Subject: [PATCH 010/143] updated for firewall Signed-off-by: Mark Bolwell --- tasks/section_3/main.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 6795a67..cb5c04a 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml @@ -9,12 +9,8 @@ - name: "SECTION | 3.3.x | Network Parameters (host and Router)" import_tasks: cis_3.3.x.yml -- name: "SECTION | 3.4.1.x | Configure firewalld" +- name: "SECTION | 3.4.1.x | Firewall configuration" import_tasks: cis_3.4.1.x.yml - when: - - rhel9cis_firewall == "firewalld" -- name: "SECTION | 3.4.2.x | Configure nftables" +- name: "SECTION | 3.4.2.x | Configure firewall" include_tasks: cis_3.4.2.x.yml - when: - - rhel9cis_firewall == "nftables" From dec098b5f3cb5014e9de14d0f47d09bc03a3c598 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 11:40:02 +0000 Subject: [PATCH 011/143] added new controls 
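Review bot: The find result is registered as `auditd_conf_files`, but its consumer in cis_4.1.4.x.yml earlier in this series (task 4.1.4.5) loops over `audit_conf_files.results | map(attribute='files')`; the name differs by one letter, and a single, non-looped find exposes `.files` rather than `.results`, so 4.1.4.5 will fail on an undefined variable as soon as the prelim task runs. Register it as `register: audit_conf_files` here and have the consumer loop over `audit_conf_files.files`. The `path:` key on find works as an alias, but `paths:` would match how find is called elsewhere in the role.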
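Review bot: Dropping the `rhel9cis_firewall == "firewalld"` / `"nftables"` guards means cis_3.4.1.x.yml and cis_3.4.2.x.yml are now both loaded unconditionally; the 3.4.2.1 hunk of cis_3.4.2.x.yml later in this series runs `firewall-cmd` and its outer `when` is not visible, so unless that file gates on `rhel9cis_firewall` internally it will now execute on nftables-only hosts. The two new section names are also inconsistent (`Firewall configuration` vs `Configure firewall`) and the pair mixes `import_tasks` with `include_tasks`. A comment above the pair, such as `# firewall selection (rhel9cis_firewall) is enforced inside each task file`, would tell the next reader where the check moved and stop the guards being re-added.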
Signed-off-by: Mark Bolwell --- tasks/section_4/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index a4f05d2..a7a3659 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -11,6 +11,9 @@ - name: "SECTION | 4.1.3 | Configure Auditd rules" import_tasks: cis_4.1.3.x.yml +- name: "SECTION | 4.1.4 | Configure Audit files" + import_tasks: cis_4.1.4.x.yml + - name: "SECTION | 4.2 | Configure Logging" import_tasks: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' From 256f582b66506a3a8a72b174b3f2eba194b5a8aa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 13:38:14 +0000 Subject: [PATCH 012/143] lint fqcn & typo Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.x.yml | 4 ++-- tasks/section_1/cis_1.1.8.x.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index ab737cc..aa67b5c 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -15,8 +15,8 @@ when: - required_mount not in mount_names - - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" - debug: + - name: "1.1.2.1 | AUDIT | Ensure separate partition exists for /var | Present" + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: var_mount_present when: diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index c9a6394..fdaef15 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml 
@@ -1,9 +1,9 @@ --- # Skips if mount is absent -- name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a sepretae partition" +- name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition" block: - - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a sepretae partition | Absent" + - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: home_mount_absent From b347e5dd00f207a498c4e28d12ec9daed51dd648 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 13:38:27 +0000 Subject: [PATCH 013/143] lint Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 9a1a6c2..093e900 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -9,7 +9,7 @@ register: os_installed_pub_keys - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys" - ansible.builtin.shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\"" + ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"' changed_when: false failed_when: false register: os_gpg_key_check @@ -47,15 +47,13 @@ paths: /etc/yum.repos.d patterns: "*.repo" register: yum_repos - changed_when: false - name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" ansible.builtin.replace: name: "{{ item.path }}" regexp: "^gpgcheck=0" replace: "gpgcheck=1" - with_items: - - "{{ yum_repos.files }}" + loop: "{{ yum_repos.files }}" loop_control: label: "{{ item.path }}" when: 
@@ -102,20 +100,23 @@ ansible.builtin.lineinfile: path: /etc/dnf/dnf.conf regexp: '^repo_gpgcheck' - line: repo_gpgcheck 1 + line: repo_gpgcheck=1 - name: "1.2.4 | AUDIT| Ensure repo_gpgcheck is globally activated | get repo files" ansible.builtin.find: - path: /etc/yum.repos.d - patterns: '*.repo' - register: repo_files + paths: /etc/yum.repos.d + patterns: "*.repo" + register: repo_files - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" ansible.builtin.lineinfile: - path: "{{ item }}" + path: "{{ item.path }}" regexp: '^repo_gpgcheck' line: repo_gpgcheck=1 loop: "{{ repo_files.files }}" + loop_control: + label: "{{ item.path }}" + when: - rhel9cis_rule_1_2_4 tags: From 572f14ef6bbd8b9d055bcb5f1ce25506274bf120 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 13:38:37 +0000 Subject: [PATCH 014/143] task change Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.3.x.yml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 1fce7fa..607065c 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml 
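Review bot: `ansible.builtin.lineinfile` manages a single line per file, but `.repo` files under /etc/yum.repos.d commonly hold several `[repo]` stanzas, so the amended loop rewrites only the first `^repo_gpgcheck` match per file or appends one `repo_gpgcheck=1` at EOF, where it applies to the last stanza only. Per-stanza handling (an ini-aware module such as `community.general.ini_file` keyed on each repo id, or a `replace` for existing keys plus an explicit insert per section) is needed for the control to hold on multi-repo files. The dnf.conf task at the top of the hunk has the same limitation only if that file carries sections beyond `[main]`; its task header starts before the hunk.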
@@ -48,12 +48,18 @@ - patch - rule_1.3.2 -- name: "1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools" - ansible.builtin.template: - src: etc/aide.conf.d/crypt_audit_procs.conf.j2 - dest: /etc/aide.conf.d/crypt_audit_procs.conf - owner: root - group: 0640 +- name: "1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" + ansible.builtin.blockinfile: + path: /etc/aide.conf + marker: "# {mark} Audit tools (CIS - Ansible)" + block: | + /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 + /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 + /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 + /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 + /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 + /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 + validate: aide -D --config %s when: - rhel9cis_rule_1_3_2 - not system_is_ec2 From 3321547bfa8d83e63e1771ade73f5bfc96cde5bd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 13:38:50 +0000 Subject: [PATCH 015/143] lint Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 12 ++--- tasks/section_3/cis_3.2.x.yml | 12 ++--- tasks/section_3/cis_3.4.1.x.yml | 8 ++-- tasks/section_3/cis_3.4.2.x.yml | 82 ++++++++++++++++----------------- 4 files changed, 57 insertions(+), 57 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 68da340..9e1e484 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -5,12 +5,12 @@ - name: "3.1.1 | PATCH | Ensure IPv6 status is identified" block: - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv6_route: true - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" when: - not rhel9cis_ipv6_required 
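Review bot: The new 1.3.3 task is gated by `when: - rhel9cis_rule_1_3_2` (unchanged context just below the block), so it runs or skips with control 1.3.2 rather than its own switch; the goss template in this series adds `rhel9cis_rule_1_3_3`, so the gate should be `- rhel9cis_rule_1_3_3`. The task name also lacks the `| PATCH |` segment every sibling carries. `validate: aide -D --config %s` is a good addition; a comment such as `# -D only checks that the config parses, it does not touch the AIDE database` would make clear the validation is side-effect free. The task's `tags` continue past the hunk.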
@@ -27,21 +27,21 @@ - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" block: - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" - command: rpm -q NetworkManager + ansible.builtin.command: rpm -q NetworkManager changed_when: false failed_when: false check_mode: false register: rhel_08_nmcli_available - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" - command: nmcli radio wifi + ansible.builtin.command: nmcli radio wifi register: rhel_08_wifi_enabled changed_when: rhel_08_wifi_enabled.stdout != "disabled" failed_when: false when: rhel_08_nmcli_available.rc == 0 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" - command: nmcli radio all off + ansible.builtin.command: nmcli radio all off changed_when: false failed_when: false when: rhel_08_wifi_enabled is changed @@ -54,7 +54,7 @@ - rule_3.1.2 - name: "3.1.3 | PATCH | Ensure TIPC is disabled" - template: + ansible.builtin.template: src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" mode: "0600" diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 708deb8..56e47f7 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml 
@@ -3,22 +3,22 @@ - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled" block: - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | IPv6" block: - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact" - set_fact: + ansible.builtin.set_fact: flush_ipv6_route: true - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" when: rhel9cis_ipv6_required @@ -35,11 +35,11 @@ - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" block: - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled | Set Fact" - set_fact: + ansible.builtin.set_fact: sysctl_update: true flush_ipv4_route: true - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - not rhel9cis_is_router diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 9498c97..226cd79 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml 
@@ -18,22 +18,22 @@ - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use" block: - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | nftables" - systemd: + ansible.builtin.systemd: name: "{{ item }}" masked: true with_items: - firewalld - when: + when: - item in ansible_facts.packages - rhel9cis_firewall == 'nftables' - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | firewalld" - systemd: + ansible.builtin.systemd: name: "{{ item }}" masked: true with_items: - nftables - when: + when: - item in ansible_facts.packages - rhel9cis_firewall == 'firewalld' diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 7fc873e..bbd1ad0 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -3,13 +3,13 @@ - name: "3.4.2.1 | PATCH | Ensure firewalld default zone is set" block: - name: "3.4.2.1 | AUDIT | Ensure firewalld default zone is set" - shell: "firewall-cmd --get-default-zone | grep {{ rhel9cis_default_zone }}" + ansible.builtin.shell: "firewall-cmd --get-default-zone | grep {{ rhel9cis_default_zone }}" changed_when: false failed_when: ( firewalld_zone_set.rc not in [ 0, 1 ] ) register: firewalld_zone_set - name: "3.4.2.1 | AUDIT | Ensure firewalld default zone is set" - command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" + ansible.builtin.command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" when: - firewalld_zone_set.rc != 0 when: 
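Review bot: The audit step of 3.4.2.1 pipes `firewall-cmd --get-default-zone` into `grep {{ rhel9cis_default_zone }}`, which treats the variable as a regular expression and matches substrings, so a configured zone whose name is contained in the current default zone's name is reported as already set and the `--set-default-zone` step is skipped. A plain command with an exact comparison avoids both the shell pipeline and the partial match: `ansible.builtin.command: firewall-cmd --get-default-zone` registered as `firewalld_zone_set`, then `when: firewalld_zone_set.stdout != rhel9cis_default_zone` on the second task (the `failed_when` on `rc` is then unnecessary). The second task changes state but is still labelled `AUDIT`; `"3.4.2.1 | PATCH | Ensure firewalld default zone is set | Set default zone"` would describe it. The block's trailing `when:` list continues outside the hunk.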
@@ -25,20 +25,20 @@ - name: "3.4.2.2 | AUDIT | Ensure at least one nftables table exists" block: - name: "3.4.2.2 | AUDIT | Ensure a table exists | Check for tables" - command: nft list tables + ansible.builtin.command: nft list tables changed_when: false failed_when: false register: rhel9cis_3_4_2_2_nft_tables - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Show existing tables" - debug: + ansible.builtin.debug: msg: - "Below are the current nft tables, please review" - "{{ rhel9cis_3_4_2_2_nft_tables.stdout_lines }}" when: rhel9cis_3_4_2_2_nft_tables.stdout | length > 0 - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables" - debug: + ansible.builtin.debug: msg: - "Warning!! You currently have no nft tables, please review your setup" - 'Use the command "nft create table inet
" to create a new table' @@ -47,7 +47,7 @@ - not rhel9cis_nft_tables_autonewtable - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_3.4.2.2' ]" warn_count: "{{ warn_count | int + 1 }}" when: @@ -55,7 +55,7 @@ - not rhel9cis_nft_tables_autonewtable - name: "3.4.2.2 | PATCH | Ensure a table exists | Create table if needed" - command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" + ansible.builtin.command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" failed_when: false when: rhel9cis_nft_tables_autonewtable when: @@ -71,25 +71,25 @@ - name: "3.4.2.3 | PATCH | Ensure nftables base chains exist" block: - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT" - shell: nft list ruleset | grep 'hook input' + ansible.builtin.shell: nft list ruleset | grep 'hook input' changed_when: false failed_when: false register: rhel9cis_3_4_2_3_input_chains - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" - shell: nft list ruleset | grep 'hook forward' + ansible.builtin.shell: nft list ruleset | grep 'hook forward' changed_when: false failed_when: false register: rhel9cis_3_4_2_3_forward_chains - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" - shell: nft list ruleset | grep 'hook output' + ansible.builtin.shell: nft list ruleset | grep 'hook output' changed_when: false failed_when: false register: rhel9cis_3_4_2_3_output_chains - name: "3.4.2.3 | AUDIT | Ensure nftables base chains exist | Display chains for review" - debug: + ansible.builtin.debug: msg: - "Below are the current INPUT chains" - "{{ rhel9cis_3_4_2_3_input_chains.stdout_lines }}" 
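Review bot: `control_number: "{{ control_number }} + [ 'rule_3.4.2.2' ]"` in the warning-count task (`@@ -47`) renders to a string, not a list: Jinja substitutes the current value and the literal ` + [ 'rule_3.4.2.2' ]` is kept as text, so anything that later expects a list of rule ids gets a growing string (unless the role relies on jinja2 native types, which I cannot see from here). The append belongs inside the expression: `control_number: "{{ control_number + ['rule_3.4.2.2'] }}"`. The same construction probably appears in the other warning-count tasks of the role and should be corrected together.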
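Review bot: `failed_when: false` on the `nft create table inet ...` task (`@@ -55`) masks every failure of the command, including a bad `rhel9cis_nft_tables_tablename` or a missing `nft` binary, and the chain-creation task in the next hunk (`@@ -100`, `Create chains if needed`) masks its errors the same way. The override seems to exist only because `nft create` errors when the object already exists; `nft add table inet "{{ rhel9cis_nft_tables_tablename }}"` is a no-op in that case, so the task can drop `failed_when: false` and let genuine errors fail the play. For the chains, registering the result and using `failed_when: result.rc != 0 and 'File exists' not in result.stderr` keeps the idempotent behaviour while surfacing everything else.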
@@ -100,7 +100,7 @@ when: not rhel9cis_nft_tables_autochaincreate - name: "3.4.2.3 | PATCH | Ensure nftables base chains exist | Create chains if needed" - shell: "{{ item }}" + ansible.builtin.shell: "{{ item }}" failed_when: false with_items: - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } 
@@ -120,33 +120,33 @@ - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured" block: - name: "3.4.2.4 | AUDIT | Ensure host based firewall loopback traffic is configured | Gather iif lo accept existence | nftables" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' changed_when: false failed_when: false register: rhel9cis_3_4_2_4_iiflo - name: "3.4.2.4 | AUDIT | Ensure host based firewall loopback traffic is configured | Gather ip saddr existence | nftables" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' changed_when: false failed_when: false register: rhel9cis_3_4_2_4_ipsaddr - name: "3.4.2.4 | AUDIT | Ensure host based firewall loopback traffic is configured | Gather ip6 saddr existence | nftables" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' changed_when: false failed_when: false register: rhel9cis_3_4_2_4_ip6saddr - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | Set iif lo accept rule | nftables" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept when: '"iif \"lo\" accept" not in rhel9cis_3_4_2_4_iiflo.stdout' - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | Set ip sddr rule | nftables" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in 
rhel9cis_3_4_2_4_ipsaddr.stdout' - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | Set ip6 saddr rule | nftables" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_4_ip6saddr.stdout' when: - rhel9cis_firewall == "nftables" @@ -161,11 +161,11 @@ - name: "3.4.2.4 | PATCH | Ensure host based firewall loopback traffic is configured | firewalld" ansible.posix.firewalld: - rich_rule: "{{ item }}" - zone: "{{ rhel9cis_firewall_zone }}" - permanent: yes - immediate: yes - state: enabled + rich_rule: "{{ item }}" + zone: "{{ rhel9cis_default_zone }}" + permanent: true + immediate: true + state: enabled loop: - rule family="ipv4" source address="127.0.0.1" destination not address="127.0.0.1" drop - rule family="ipv6" source address="::1" destination not address="::1" drop @@ -182,14 +182,14 @@ - name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports" block: - name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" - shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" + ansible.builtin.shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" changed_when: false failed_when: false check_mode: false register: rhel9cis_3_4_2_5_servicesport - name: "3.4.2.5 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" - debug: + ansible.builtin.debug: msg: - "The items below are the services and ports that are accepted, please correct as needed" - "{{ rhel9cis_3_4_2_5_servicesport.stdout_lines }}" 
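Review bot: The `when` conditions for the two drop rules in 3.4.2.4 compare against `"... counter packets 0 bytes 0 drop"`, but `nft list ruleset` prints the live counter values, so once the rule has matched a single packet the string no longer appears and the task appends a second identical rule on every run. Match the rule without the counter values instead, e.g. `when: not rhel9cis_3_4_2_4_ipsaddr.stdout is search('ip saddr 127.0.0.0/8 counter .* drop')` and `when: not rhel9cis_3_4_2_4_ip6saddr.stdout is search('ip6 saddr ::1 counter .* drop')`. These `nft add rule` commands change only the running ruleset; unless a later task saves it to the persistent nftables configuration the rules are lost at reboot, which is worth confirming.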
@@ -205,39 +205,39 @@ - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured" block: - name: "3.4.2.6 | AUDIT | EEnsure nftables established connections are configured | Gather incoming connection rules" - shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' changed_when: false failed_when: false register: rhel9cis_3_4_2_6_inconnectionrule - name: "3.4.2.6| AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules" - shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' changed_when: false failed_when: false register: rhel9cis_3_4_2_6_outconnectionrule - name: "3.4.2.6| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_2_6_inconnectionrule.stdout' - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_2_6_inconnectionrule.stdout' - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add input icmp 
established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_2_6_inconnectionrule.stdout' - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_2_6_outconnectionrule.stdout' - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_2_6_outconnectionrule.stdout' - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_6_outconnectionrule.stdout' when: - 
rhel9cis_firewall == "nftables" 
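Review bot: Task names in the 3.4.2.6 block break the `"<id> | <kind> | ..."` format used everywhere else: the first audit task reads `EEnsure`, and the next two omit the space before the pipe (`"3.4.2.6| AUDIT | ..."`, `"3.4.2.6| PATCH | ..."`). These strings are what `--list-tasks` and run logs show, so they should read `"3.4.2.6 | AUDIT | Ensure nftables established connections are configured | Gather incoming connection rules"` and `"3.4.2.6 | AUDIT | ..."` / `"3.4.2.6 | PATCH | ..."` respectively. The `@@ -205` hunk's closing `when:` list ends at `rhel9cis_firewall == "nftables"`, so the whole block is visible.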
@@ -252,43 +252,43 @@ - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy" block: - name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' + ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' failed_when: false changed_when: false register: rhel9cis_3_4_2_7_inputpolicy - name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' + ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' failed_when: false changed_when: false register: rhel9cis_3_4_2_7_forwardpolicy - name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' + ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' failed_when: false changed_when: false register: rhel9cis_3_4_2_7_outputpolicy - name: "3.4.2.7 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' + ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' failed_when: false changed_when: false register: rhel9cis_3_4_2_7_sshallowcheck - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" - command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept when: '"tcp dport ssh accept" not in rhel9cis_3_4_2_7_sshallowcheck.stdout' - name: "3.4.2.7 | PATCH | 
Ensure nftables default deny firewall policy | Set hook input deny policy" - command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } + ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_2_7_inputpolicy.stdout' - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" - command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } + ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_2_7_forwardpolicy.stdout' - name: "3.4.2.7 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" - command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } + ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_7_outputpolicy.stdout' when: - rhel9cis_firewall == "nftables" From dae7d03c342a16793b94872d51bc91a2c4894f42 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 13:47:13 +0000 Subject: [PATCH 016/143] lint Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.1.x.yml | 4 +-- tasks/section_4/cis_4.1.1.x.yml | 18 ++++++------ tasks/section_4/cis_4.1.2.x.yml | 10 +++---- tasks/section_4/cis_4.1.3.x.yml | 2 +- tasks/section_4/cis_4.1.4.x.yml | 52 ++++++++++++++++----------------- tasks/section_4/cis_4.2.2.x.yml | 8 ++--- tasks/section_4/cis_4.2.3.yml | 2 +- 7 files changed, 48 insertions(+), 48 deletions(-) diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 226cd79..ab15169 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml 
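Review bot: The three `policy drop` tasks in 3.4.2.7 test for the literal `"type filter hook input priority 0; policy drop;"` (and the forward/output equivalents) in the `grep 'hook ...'` output, but recent nft releases print the symbolic priority name for base chains (`priority filter;`), so on such hosts the string is never found and `nft chain ... { policy drop \; }` is re-applied and reported as changed on every run. Comparing only the policy is robust to that formatting: `when: "'policy drop;' not in rhel9cis_3_4_2_7_inputpolicy.stdout"`, and likewise for the forward and output checks. Please verify against `nft list table` output on a target host, since the exact print format depends on the nftables version installed.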
@@ -1,7 +1,7 @@ --- - name: "3.4.1.1 | PATCH | Ensure nftables is installed" - package: + ansible.builtin.package: name: - nftables state: present @@ -38,7 +38,7 @@ - rhel9cis_firewall == 'firewalld' - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" - systemd: + ansible.builtin.systemd: name: "{{ rhel9cis_firewall }}" enabled: true state: started diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index d21e6c4..167f8d2 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -3,13 +3,13 @@ - name: "4.1.1.1 | PATCH | Ensure auditd is installed" block: - name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd packages" - package: + ansible.builtin.package: name: audit state: present when: '"auditd" not in ansible_facts.packages' - name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages" - package: + ansible.builtin.package: name: audit-libs state: present when: '"auditd-lib" not in ansible_facts.packages' @@ -25,14 +25,14 @@ - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" block: - name: "4.1.1.2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" - shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false check_mode: false register: rhel9cis_4_1_1_2_grub_cmdline_linux - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" - replace: + ansible.builtin.replace: dest: /etc/default/grub regexp: 'audit=.' replace: 'audit=1' 
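Review bot: The guards on the two install tasks in 4.1.1.1 (`@@ -3,13`) test for package names that never appear in `ansible_facts.packages`: the task installs `audit` but the condition checks `"auditd"`, and the second installs `audit-libs` while checking `"auditd-lib"`. Both conditions are therefore always true and the `package` module is invoked on every run; the outcome is still correct only because `state: present` is idempotent. Either fix the names (`when: '"audit" not in ansible_facts.packages'` and `when: '"audit-libs" not in ansible_facts.packages'`) or drop the guards and let the module decide.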
@@ -40,7 +40,7 @@ when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"' @@ -59,14 +59,14 @@ - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" block: - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" - shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false check_mode: false register: rhel9cis_4_1_1_3_grub_cmdline_linux - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" - replace: + ansible.builtin.replace: dest: /etc/default/grub regexp: 'audit_backlog_limit=\d+' replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}' @@ -74,7 +74,7 @@ when: "'audit_backlog_limit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' @@ -91,7 +91,7 @@ - rule_4.1.1.3 - name: "4.1.1.4 | PATCH | Ensure auditd service is enabled" - service: + ansible.builtin.systemd: name: auditd state: started enabled: true diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index 62bee82..9850ce4 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml 
@@ -1,7 +1,7 @@ --- - name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured" - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" line: "max_log_file = {{ rhel9cis_max_log_file_size }}" @@ -17,7 +17,7 @@ - rule_4.1.2.1 - name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "^max_log_file_action" line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" @@ -32,7 +32,7 @@ - rule_4.1.2.2 - name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -51,14 +51,14 @@ - rule_4.1.2.3 - name: PATCH | Configure other keys for auditd.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "^{{ item }}( |=)" line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}" loop: "{{ rhel9cis_auditd_extra_conf.keys() }}" notify: restart auditd when: - - rhel9cis_auditd_extra_conf.keys() | length > 0 + - rhel9cis_auditd_extra_conf.keys() | length > 0 tags: - level2-server - level2-workstation diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index ec61402..e29f496 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -70,7 +70,7 @@ - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" block: - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done + ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done changed_when: false failed_when: false check_mode: false 
diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index b7828ae..d7cce3b 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -16,13 +16,13 @@ "4.1.4.2 | PATCH | Ensure only authorized users own audit log files" "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" ansible.builtin.file: - path: "{{ audit_logfile.stdout }}" - state: file - mode: 0640 - owner: root - group: root + path: "{{ audit_logfile.stdout }}" + state: file + mode: 0640 + owner: root + group: root when: - - rhel9cis_rule_4_1_4_1 or + - rhel9cis_rule_4_1_4_1 or rhel9cis_rule_4_1_4_2 or rhel9cis_rule_4_1_4_3 tags: @@ -38,14 +38,14 @@ block: - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions" ansible.builtin.stat: - path: "{{ audit_logfile.stdout | dirname }}" + path: "{{ audit_logfile.stdout | dirname }}" register: auditlog_dir - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set" ansible.builtin.file: - path: "{{ audit_logfile.stdout | dirname }}" - state: directory - mode: 0750 + path: "{{ audit_logfile.stdout | dirname }}" + state: directory + mode: 0750 when: not auditlog_dir.stat.mode is match('07(0|5)0') when: - rhel9cis_rule_4_1_4_4 
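Review bot: The re-indented `mode: 0640` (and `mode: 0750` in the following hunk) are bare octal scalars; a YAML 1.1 parser reads them as integers and the `file` module only gets the intended value because of the leading zero, which ansible-lint flags as risky. The same series already writes `mode: "0600"` as a quoted string in 3.1.3, so quoting here (`mode: "0640"`, `mode: "0750"`) keeps the role consistent and removes the dependency on parser behaviour. The `when: not auditlog_dir.stat.mode is match('07(0|5)0')` guard in the second hunk only accepts 0700 and 0750; modes such as 0500 are "more restrictive" yet would be rewritten, which may or may not be intended.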
@@ -58,22 +58,22 @@ - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" block: - - - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | get permissions" - ansible.builtin.stat: - path: "{{ item.path }}" - register: item_file - loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}" - loop_control: - label: "{{ item.path }}" - - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions" - ansible.builtin.file: - path: "{{ audit_logfile.stdout | dirname }}" - state: file - mode: 0640 - loop: "{{ audit_config_files }}" - when: not item_file.stat.mode is match('06(0|4)0') + - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | get permissions" + ansible.builtin.stat: + path: "{{ item.path }}" + register: item_file + loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}" + loop_control: + label: "{{ item.path }}" + + - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions" + ansible.builtin.file: + path: "{{ audit_logfile.stdout | dirname }}" + state: file + mode: 0640 + loop: "{{ audit_config_files }}" + when: not item_file.stat.mode is match('06(0|4)0') when: - rhel9cis_rule_4_1_4_5 tags: @@ -158,7 +158,7 @@ - /sbin/auditd - /sbin/augenrules when: - - rhel9cis_rule_4_1_4_9 + - rhel9cis_rule_4_1_4_9 tags: - level2-server - level2-workstation diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 08db497..474026c 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml 
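Review bot: The `set permissions` task in 4.1.4.5 cannot work as written: its `path` is `audit_logfile.stdout | dirname` (the log directory, not a config file), it loops over `audit_config_files` while the stat task looped over `audit_conf_files.results | map(attribute='files') | flatten`, and `item_file` was registered inside a loop, so it holds a `results` list and `item_file.stat.mode` is undefined. Iterating over the stat results and acting on each entry's own path and mode fixes all three, as below. Whether `audit_config_files` is defined anywhere in the role I cannot tell from this hunk; the `audit_conf_files` register used by the stat task looks like the intended source. The block's `when:`/`tags:` continue past the hunk.
```yaml
      # … unchanged: "get permissions" stat task registering item_file …
      - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions"
        ansible.builtin.file:
          path: "{{ item.stat.path }}"
          state: file
          mode: "0640"
        loop: "{{ item_file.results }}"
        loop_control:
          label: "{{ item.stat.path }}"
        when: not item.stat.mode is match('06(0|4)0')
```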
@@ -183,14 +183,14 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Set live file" ansible.builtin.set_fact: - systemd_conf_file: /etc/tmpfiles.d/systemd.conf + systemd_conf_file: /etc/tmpfiles.d/systemd.conf when: rhel9cis_4_2_2_7_override_stat.exists - name: "4.2.2.7 | PATCH | Ensure journald default file permissions configured | Set permission" ansible.builtin.lineinfile: - path: "{{ /etc/tmpfiles.d/systemd.conf | default('/usr/lib/tmpfiles.d/systemd.conf') }}" - regexp: "^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root" - line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -' + path: "{{ systemd_conf_file | default('/usr/lib/tmpfiles.d/systemd.conf') }}" + regexp: "^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root" + line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -' when: - rhel9cis_rule_4_2_2_7 diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index e1e6bec..3fa195c 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -3,7 +3,7 @@ - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" block: - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" - ansible.builtin.find: + ansible.builtin.find: paths: "/var/log" type: file register: logfiles From 60d01a65826bae75601970a19293addd91f8cb85 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 15:00:51 +0000 Subject: [PATCH 017/143] removed args Signed-off-by: Mark Bolwell --- handlers/main.yml | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 0fae419..6b47f85 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -3,8 +3,6 @@ - name: reload sysctl shell: sysctl --system - args: - warn: false when: - sysctl_updated.changed 
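Review bot: The corrected `path:` line of 4.2.2.7 still falls back to editing `/usr/lib/tmpfiles.d/systemd.conf` whenever the `/etc/tmpfiles.d` override is absent; that file is package-owned and is replaced on the next systemd update, silently reverting the control. Because a tmpfiles.d override replaces the vendor file of the same name in full, a fresh file holding only the `z` line is not enough either; copy the vendor file once (`ansible.builtin.copy` with `src: /usr/lib/tmpfiles.d/systemd.conf`, `dest: /etc/tmpfiles.d/systemd.conf`, `remote_src: true`, `force: false`) and then always run `lineinfile` against the `/etc` copy, dropping the `default(...)`. The guard `when: rhel9cis_4_2_2_7_override_stat.exists` also looks wrong if that variable is registered from a `stat` task, where the key is `stat.exists`; the registering task is outside the hunk, so please confirm. The `\/` escapes in the double-quoted `regexp` are unnecessary and the slashes can be written plainly.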
@@ -50,9 +48,9 @@ state: reloaded - name: remount tmp - shell: mount -o remount /tmp - args: - warn: false + ansible.posix.mount: + path: /tmp + state: remounted - name: restart firewalld service: @@ -71,13 +69,9 @@ - name: reload dconf shell: dconf update - args: - warn: false - name: grub2cfg shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" - args: - warn: false ignore_errors: true # noqa ignore-errors tags: - skip_ansible_lint @@ -118,8 +112,6 @@ - name: restart auditd shell: service auditd restart - args: - warn: false tags: - skip_ansible_lint From c18151e158ebcfacc7a39e7138a58dd921cb726e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 15:01:17 +0000 Subject: [PATCH 018/143] linting fqcn Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 26 ++++++++-------- tasks/section_5/cis_5.2.x.yml | 54 ++++++++++++++++----------------- tasks/section_5/cis_5.3.x.yml | 20 ++++++------ tasks/section_5/cis_5.4.x.yml | 12 ++++---- tasks/section_5/cis_5.5.x.yml | 20 ++++++------ tasks/section_5/cis_5.6.1.x.yml | 26 ++++++++-------- tasks/section_5/cis_5.6.x.yml | 19 ++++++------ 7 files changed, 88 insertions(+), 89 deletions(-) diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 6af5981..7cbcd7f 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -1,7 +1,7 @@ --- - name: "5.1.1 | PATCH | Ensure cron daemon is enabled" - service: + ansible.builtin.service: name: crond enabled: true when: @@ -15,7 +15,7 @@ - rule_5.1.1 - name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" - file: + ansible.builtin.file: dest: /etc/crontab owner: root group: root @@ -31,7 +31,7 @@ - rule_5.1.2 - name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" - file: + ansible.builtin.file: dest: /etc/cron.hourly state: directory owner: root 
@@ -48,7 +48,7 @@ - rule_5.1.3 - name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" - file: + ansible.builtin.file: dest: /etc/cron.daily state: directory owner: root @@ -65,7 +65,7 @@ - rule_5.1.4 - name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" - file: + ansible.builtin.file: dest: /etc/cron.weekly state: directory owner: root @@ -80,7 +80,7 @@ - rule_5.1.5 - name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" - file: + ansible.builtin.file: dest: /etc/cron.monthly state: directory owner: root @@ -96,7 +96,7 @@ - rule_5.1.6 - name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" - file: + ansible.builtin.file: dest: /etc/cron.d state: directory owner: root @@ -115,17 +115,17 @@ - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users" block: - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" - file: + ansible.builtin.file: dest: /etc/cron.deny state: absent - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists" - stat: + ansible.builtin.stat: path: "/etc/cron.allow" register: rhel9cis_5_1_8_cron_allow_state - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" - file: + ansible.builtin.file: dest: /etc/cron.allow state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root 
@@ -144,17 +144,17 @@ - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users" block: - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" - file: + ansible.builtin.file: dest: /etc/at.deny state: absent - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" - stat: + ansible.builtin.stat: path: "/etc/at.allow" register: rhel9cis_5_1_9_at_allow_state - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" - file: + ansible.builtin.file: dest: /etc/at.allow state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}' owner: root diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 11eca29..580585e 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -1,7 +1,7 @@ --- - name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" - file: + ansible.builtin.file: dest: /etc/ssh/sshd_config state: file owner: root @@ -21,7 +21,7 @@ - name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured" block: - name: "5.2.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys" - find: + ansible.builtin.find: paths: /etc/ssh patterns: 'ssh_host_*_key' recurse: true @@ -29,7 +29,7 @@ register: rhel9cis_5_2_2_ssh_private_host_key - name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys" - file: + ansible.builtin.file: path: "{{ item.path }}" owner: root group: root @@ -52,7 +52,7 @@ - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured" block: - name: "5.2.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys" - find: + ansible.builtin.find: paths: /etc/ssh patterns: 'ssh_host_*_key.pub' recurse: true 
@@ -60,7 +60,7 @@ register: rhel9cis_5_2_3_ssh_public_host_key - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys" - file: + ansible.builtin.file: path: "{{ item.path }}" owner: root group: root @@ -82,7 +82,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited" block: - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^AllowUsers" line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} @@ -91,7 +91,7 @@ when: "rhel9cis_sshd['allowusers']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^AllowGroups" line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} @@ -100,7 +100,7 @@ when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^DenyUsers" line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} @@ -109,7 +109,7 @@ when: "rhel9cis_sshd['denyusers']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^DenyGroups" line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} @@ -127,7 +127,7 @@ - rule_5.2.4 - name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#LogLevel|^LogLevel" line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' @@ -143,7 +143,7 @@ - rule_5.2.5 - name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#UsePAM|^UsePAM" line: 'UsePAM yes' 
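Review bot: `ansible.builtin.linefile` is not a module; the FQCN is `ansible.builtin.lineinfile`, and the typo is repeated on every sshd_config task in this file (5.2.4 through 5.2.20, visible here from the AllowUsers task onward). Because module resolution happens when the play is parsed, this does not just skip one task: the whole play aborts with "couldn't resolve module/action 'ansible.builtin.linefile'", so none of the SSH hardening or the later section 5 controls would run. Change each occurrence to `ansible.builtin.lineinfile:`; the other files in this commit (5.1.x, 5.3.x, 5.5.x) spell it correctly and a lint run with `ansible-lint` or `--syntax-check` would have caught this.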
@@ -159,7 +159,7 @@ - rule_5.2.6 - name: "5.2.7 | PATCH | Ensure SSH root login is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#PermitRootLogin|^PermitRootLogin" line: 'PermitRootLogin no' @@ -175,7 +175,7 @@ - rule_5.2.7 - name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" line: 'HostbasedAuthentication no' @@ -191,7 +191,7 @@ - rule_5.2.8 - name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" line: 'PermitEmptyPasswords no' @@ -207,7 +207,7 @@ - rule_5.2.9 - name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" line: 'PermitUserEnvironment no' @@ -223,7 +223,7 @@ - rule_5.2.10 - name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#IgnoreRhosts|^IgnoreRhosts" line: 'IgnoreRhosts yes' @@ -239,7 +239,7 @@ - rule_5.2.11 - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#X11Forwarding|^X11Forwarding" line: 'X11Forwarding no' @@ -255,7 +255,7 @@ - rule_5.2.12 - name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" line: 'AllowTcpForwarding no' 
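Review bot: Writing `X11Forwarding no` into /etc/ssh/sshd_config is likely ineffective on RHEL 9, because the stock sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` and the shipped `50-redhat.conf` sets `X11Forwarding yes`; sshd uses the first value obtained, so the included drop-in wins — verify on a target, but I believe this is the default. The same first-match rule affects any 5.2.x directive that a drop-in also sets (e.g. `UsePAM`), and any line `lineinfile` appends after a trailing `Match` block is scoped to that block. A robust approach is to have the role write its directives to its own early-sorted drop-in such as `/etc/ssh/sshd_config.d/00-cis.conf` (or at least `insertbefore: '^\s*Match\s'` with `firstmatch: true`), and the `validate: sshd -t -f %s` step should stay. Note `ansible.builtin.linefile` here is also a typo for `lineinfile`.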
@@ -273,13 +273,13 @@ - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" block: - name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden" - shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd + ansible.builtin.shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd changed_when: false failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] ) register: ssh_crypto_discovery - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" - shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd + ansible.builtin.shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd notify: restart sshd when: ssh_crypto_discovery.stdout | length > 0 when: @@ -293,7 +293,7 @@ - rule_5.2.14 - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: '^Banner' line: 'Banner /etc/issue.net' @@ -308,7 +308,7 @@ - rule_5.2.15 - name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries 4' @@ -324,7 +324,7 @@ - rule_5.2.16 - name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#MaxStartups|^MaxStartups" line: 'MaxStartups 10:30:60' @@ -340,7 +340,7 @@ - rule_5.2.17 - name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#MaxSessions|^MaxSessions" line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' @@ -356,7 +356,7 @@ - rule_5.2.18 - name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#LoginGraceTime|^LoginGraceTime" line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" 
@@ -374,14 +374,14 @@ - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured" block: - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" validate: sshd -t -f %s - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: '^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index f9dad14..0cdfaac 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -1,7 +1,7 @@ --- - name: "5.3.1 | PATCH | Ensure sudo is installed" - package: + ansible.builtin.package: name: sudo state: present when: @@ -15,7 +15,7 @@ - rule_5.3.1 - name: "5.3.2 | PATCH | Ensure sudo commands use pty" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers line: "Defaults use_pty" validate: '/usr/sbin/visudo -cf %s' @@ -30,7 +30,7 @@ - rule_5.3.2 - name: "5.3.3 | PATCH | Ensure sudo log file exists" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regexp: '^Defaults logfile=' line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"' @@ -46,7 +46,7 @@ - rule_5.3.3 - name: "5.3.4 | PATCH | Ensure users must provide password for escalation" - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' replace: '\1PASSWD\2' @@ -64,7 +64,7 @@ - rule_5.3.4 - name: "5.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#].*)!authenticate(.*)' replace: '\1authenticate\2' 
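Review bot: The ClientAliveInterval and ClientAliveCountMax tasks use `regexp: '^ClientAliveInterval'` / `'^ClientAliveCountMax'`, which do not match the commented defaults, so on a stock file the lines are appended at EOF; if sshd_config ends with a `Match` block (common for SFTP-only groups) the appended directives become part of that block and apply only to matched sessions, while `sshd -t` still passes. Add `insertbefore: '^\s*Match\s'` and `firstmatch: true` to both tasks (or widen the regexps to `'^#?ClientAliveInterval'` so the commented default is replaced in place). Both tasks also carry the `ansible.builtin.linefile` typo for `lineinfile`.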
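Review bot: In 5.3.4 the regexp `'^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'` is a character class, not an alternation: when `system_is_ec2` is true it excludes any line whose first character is one of `# | e c 2 - u s r`, so `root ALL=(ALL) NOPASSWD: ALL` (starts with `r`) and similar entries are never remediated, and the `|` exclusion is accidental in both branches. Use a negative lookahead for the exemption and keep the comment exclusion as a class: `regexp: "^({% if system_is_ec2 %}(?!ec2-user){% endif %}[^#].*)NOPASSWD(.*)"`. This also brings it in line with the sibling 5.3.5 pattern `'^([^#].*)!authenticate(.*)'`. The task's `loop` over sudoers files starts outside this hunk.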
@@ -84,13 +84,13 @@ - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly" block: - name: "5.3.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set" - shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false failed_when: false register: rhel9cis_5_3_6_timeout_files - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regexp: 'Defaults timestamp_timeout=' line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" @@ -98,7 +98,7 @@ when: rhel9cis_5_3_6_timeout_files.stdout | length == 0 - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: 'timestamp_timeout=(\d+)' replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" @@ -119,13 +119,13 @@ - name: "5.3.7 | PATCH | Ensure access to the su command is restricted" block: - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/su regexp: '^(#)?auth\s+required\s+pam_wheel\.so' line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}' - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root" - user: + ansible.builtin.user: name: "{{ rhel9cis_sugroup_users }}" groups: "{{ rhel9cis_sugroup | default('wheel') }}" when: diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index fc0f2ad..d78d6ce 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml 
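Review bot: The 5.3.6 "Set value if has results" replace uses `regexp: 'timestamp_timeout=(\d+)'`, which does not match `timestamp_timeout=-1` — the exact setting that disables sudo re-authentication and that this control exists to remove. The grep in the audit step does find that file, so the "no results" lineinfile branch is skipped too, and the `-1` survives while the task reports ok. Change the pattern to `regexp: 'timestamp_timeout=(-?\d+)'` (and consider `\s*=\s*` tolerance to match the grep's `-i` looseness).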
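Review bot: In 5.3.7 the `ansible.builtin.user` task sets `groups: "{{ rhel9cis_sugroup | default('wheel') }}"` without `append: true`, and the user module's documented behaviour is to remove the user from every other supplementary group in that case — the su-group users would lose memberships such as `sudo`-granting or service groups. Add `append: true` under `groups:`. The `name:` field also takes `rhel9cis_sugroup_users` as a single value; if that variable is a list it needs a `loop`, which I cannot tell from here.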
@@ -3,20 +3,20 @@ - name: "5.4.1 | PATCH | Ensure custom authselect profile is used" block: - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles" - shell: 'authselect current | grep "Profile ID: custom/"' + ansible.builtin.shell: 'authselect current | grep "Profile ID: custom/"' failed_when: false changed_when: false check_mode: false register: rhel9cis_5_4_1_profiles - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles" - debug: + ansible.builtin.debug: msg: - "Below are the current custom profiles" - "{{ rhel9cis_5_4_1_profiles.stdout_lines }}" - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles" - shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} + ansible.builtin.shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} when: rhel9cis_authselect_custom_profile_create when: - rhel9cis_rule_5_4_1 
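Review bot: The 5.4.1 "Create custom profiles" shell task runs `authselect create-profile ... -b ...` on every play run with no idempotency guard and no `changed_when`, so it always reports changed and, as far as I recall, fails on the second run because authselect refuses to create a profile directory that already exists. Since `ansible.builtin.shell` supports `creates`, add `args:` / `creates: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}"`. The preceding audit only greps the *current* profile, so it cannot stand in for this check.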
@@ -31,20 +31,20 @@ - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock" block: - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" - shell: "authselect current | grep with-faillock" + ansible.builtin.shell: "authselect current | grep with-faillock" failed_when: false changed_when: false check_mode: false register: rhel9cis_5_4_2_profiles_faillock - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles" - debug: + ansible.builtin.debug: msg: - "Below are the current custom profiles" - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}" - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" - shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" + ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" when: rhel9cis_authselect_custom_profile_select when: - rhel9cis_rule_5_4_2 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index d16d91f..8f0f4d9 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -3,7 +3,7 @@ - name: "5.5.1 | PATCH | " block: - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: ^{{ item.name }} line: "{{ item.name }} = {{ item.value }}" 
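Review bot: `authselect select custom/{{ ... }} with-faillock` sets the feature list to exactly what is given, so any feature already active on the host (`with-mkhomedir`, `with-sudo`, `with-smartcard`, `with-pwhistory`, ...) is silently dropped — on a domain-joined box that can remove home-directory creation or smart-card auth in one step. If the profile is already selected, `authselect enable-feature with-faillock` adds the feature without disturbing the others and is idempotent; otherwise pass the full intended feature list from a variable rather than a single hard-coded one. The task also needs a `changed_when`, and `ansible.builtin.command` suffices since no shell features are used.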
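Review bot: The 5.5.1 block is named `"5.5.1 | PATCH | "` with the control title missing, so the play output and any audit report built from task names shows an empty title for password-quality configuration. Complete it to match the subtasks: `- name: "5.5.1 | PATCH | Ensure password creation requirements are configured"`.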
@@ -12,14 +12,14 @@ - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" insertbefore: '^#?password ?' - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/password-auth regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" @@ -33,7 +33,7 @@ - rule_5.5.1 - name: "5.5.2 | PATCH | Ensure system accounts are secured" - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/faillock.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -46,13 +46,13 @@ - name: "5.5.3 | PATCH | Ensure password reuse is limited" block: - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" insertafter: '^password\s*requisite\s*pam_pwquality.so' - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix" - replace: + ansible.builtin.replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' 
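Review bot: The pwquality retry tasks edit `/etc/pam.d/system-auth` and `/etc/pam.d/password-auth` directly, but on RHEL 9 those files are authselect-managed (symlinks into /etc/authselect/), and the role's own 5.4.x tasks select a custom profile; any later `authselect select`/`apply-changes` regenerates them and discards these lines, and authselect will flag the files as locally modified — verify on a target, but this is how authselect is documented to behave. When `rhel9cis_authselect_custom_profile_select` is in use, the edits should go to `/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth` and `password-auth`, followed by `authselect apply-changes`. The same applies to the pwhistory and pam_unix edits in 5.5.3 and 5.5.4 below.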
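Review bot: Task 5.5.2 is titled "Ensure system accounts are secured" but it edits `/etc/security/faillock.conf`; the CIS RHEL 9 control 5.5.2 is "Ensure lockout for failed password attempts is configured", and the current title duplicates 5.6.2 below, which makes output and reports misleading. Rename to `- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured"`. The loop items for this task are outside the hunk.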
@@ -67,25 +67,25 @@ - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512" block: - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" - replace: + ansible.builtin.replace: path: /etc/libuser.conf regexp: '^crypt_style\s*=\s*.*$' replace: 'crypt_style = sha512' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" - replace: + ansible.builtin.replace: path: /etc/login.defs regexp: '^ENCRYPT_METHOD.*' replace: 'ENCRYPT_METHOD SHA512' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth" - replace: + ansible.builtin.replace: path: /etc/pam.d/password-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth" - replace: + ansible.builtin.replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 358d075..2e178cd 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -1,7 +1,7 @@ --- - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less" - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MAX_DAYS' line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" @@ -16,7 +16,7 @@ - rule_5.5.1.1 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MIN_DAYS' line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" 
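Review bot: The closing tag of the 5.6.1.1 task (the context line just before 5.6.1.2) is `- rule_5.5.1.1`, so `--tags rule_5.6.1.1` skips the PASS_MAX_DAYS control and `--tags rule_5.5.1.1` runs it alongside the pwquality task — a compliance run filtered by rule tag would miss password-expiry enforcement without any error. Correct it to `- rule_5.6.1.1`. The rest of that task's tags list is outside the hunk.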
@@ -31,7 +31,7 @@ - rule_5.6.1.2 - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more" - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_WARN_AGE' line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" @@ -48,24 +48,24 @@ - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less" block: - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings" - shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= + ansible.builtin.shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= changed_when: false failed_when: false check_mode: false register: rhel9cis_5_6_1_4_inactive_settings - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" - command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0 - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false check_mode: false register: rhel_8_5_6_1_4_user_list - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" with_items: - "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}" when: 
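Review bot: The 5.6.1.4 awk filter hard-codes the 30-day threshold in its field-7 alternation `(\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+)`, while the remediation uses the configurable `rhel9cis_inactivelock.lock_days`; if an operator sets that variable lower than 30 (e.g. 15), accounts with `inactive` between that value and 30 are never passed to `chage --inactive`. Either build the comparison in awk against the variable (`$7 == "" || $7 == -1 || $7 > {{ rhel9cis_inactivelock.lock_days }}`) or document that the filter assumes 30. The register name `rhel_8_5_6_1_4_user_list` is also a RHEL 8 leftover and should follow the `rhel9cis_` convention used everywhere else.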
@@ -81,33 +81,33 @@ - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" block: - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" - shell: echo $(($(date --utc --date "$1" +%s)/86400)) + ansible.builtin.shell: echo $(($(date --utc --date "$1" +%s)/86400)) changed_when: false failed_when: false check_mode: false register: rhel9cis_5_6_1_5_currentut - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" - shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'" + ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'" changed_when: false failed_when: false check_mode: false register: rhel9cis_5_6_1_5_user_list - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" - debug: + ansible.builtin.debug: msg: "Good News! All accounts have PW change dates that are in the past" when: rhel9cis_5_6_1_5_user_list.stdout | length == 0 - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" - debug: + ansible.builtin.debug: msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]" warn_count: "{{ warn_count | int + 1 }}" when: 
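Review bot: Both audit commands in 5.6.1.5 carry `failed_when: false`, so if the `date` step errors its stdout is empty, the awk program becomes `if($3>)`, which is a syntax error that is also suppressed, the user list is empty, and the play prints "Good News! All accounts have PW change dates that are in the past" — a silent false negative for exactly the condition being audited. Neither command has a legitimate non-zero exit path, so drop `failed_when: false` from both and let a real error surface. `$1` in `date --utc --date "$1" +%s` is never set in this context (it relies on GNU date treating the empty string as today), so `date --utc +%s` says what is meant; `cat /etc/shadow |` can be replaced by passing the file to awk.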
@@ -115,7 +115,7 @@ - not rhel9cis_futurepwchgdate_autofix - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - command: passwd --expire {{ item }} + ansible.builtin.command: passwd --expire {{ item }} when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index f1052c3..4f0ec0b 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -3,7 +3,7 @@ - name: "5.6.2 | PATCH | Ensure system accounts are secured" block: - name: "5.6.2 | Ensure system accounts are secured | Set nologin" - user: + ansible.builtin.user: name: "{{ item.id }}" shell: /usr/sbin/nologin with_items: @@ -21,11 +21,10 @@ label: "{{ item.id }}" - name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts" - user: + ansible.builtin.user: name: "{{ item.id }}" password_lock: true - with_items: - - "{{ rhel9cis_passwd }}" + loop: "{{ rhel9cis_passwd }}" when: - item.id != "halt" - item.id != "shutdown" @@ -48,7 +47,7 @@ - rule_5.6.2 - name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" - blockinfile: + ansible.builtin.blockinfile: create: true mode: 0644 dest: "{{ item.dest }}" @@ -58,7 +57,7 @@ TMOUT={{ rhel9cis_shell_session_timeout.timeout }} export TMOUT readonly TMOUT - with_items: + loop: - { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present } - { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } when: @@ -72,7 +71,7 @@ - rule_5.6.3 - name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0" - user: + ansible.builtin.user: name: root group: 0 when: 
@@ -88,7 +87,7 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings" - replace: + ansible.builtin.replace: path: /etc/login.defs regexp: "{{ item.regexp }}" replace: "{{ item.replace }}" @@ -97,13 +96,13 @@ - { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' } - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" - replace: + ansible.builtin.replace: path: /etc/bashrc regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' replace: '\1 027' - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" - replace: + ansible.builtin.replace: path: /etc/profile regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' replace: '\1 027' From a85902ef2fb4745bc7ea680a3ede61c4f2bf3114 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 15:01:31 +0000 Subject: [PATCH 019/143] loop improvememts Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.4.x.yml | 54 ++++++++++++++++----------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index d7cce3b..e79b506 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml 
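Review bot: The umask regexps for /etc/bashrc and /etc/profile place the inline flag after the anchor, `'^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]'`; Python has deprecated global flags not at the start of the pattern since 3.6 and rejects them with `re.error` from 3.11 onward, so the `replace` module fails on any target whose `ansible_python_interpreter` is 3.11+ (RHEL 9's default /usr/bin/python3 is 3.9, but the python3.11/3.12 AppStream interpreters are commonly selected). Move the flag to the front: `regexp: '(?i)^(\s+UMASK|UMASK)\s0[0-2][0-6]'`. Note the class `0[0-2][0-6]` also leaves values like `027`-weaker `037`/`017` untouched only by accident; if the intent is "anything more permissive than 027", matching `\s0[0-2][0-7]` minus 027 should be stated.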
@@ -57,25 +57,16 @@ - rule_4.1.4.4 - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" - block: - - - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | get permissions" - ansible.builtin.stat: - path: "{{ item.path }}" - register: item_file - loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}" - loop_control: - label: "{{ item.path }}" - - - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions" - ansible.builtin.file: - path: "{{ audit_logfile.stdout | dirname }}" - state: file - mode: 0640 - loop: "{{ audit_config_files }}" - when: not item_file.stat.mode is match('06(0|4)0') - when: - - rhel9cis_rule_4_1_4_5 + ansible.builtin.file: + path: "{{ item.path }}" + state: file + mode: 0640 + loop: "{{ auditd_conf_files.files }}" + loop_control: + label: "{{ item.path }}" + when: + - item.mode != '06(0|4)0' + - rhel9cis_rule_4_1_4_5 tags: - level2-server - level2-workstation @@ -85,10 +76,12 @@ - name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root" ansible.builtin.file: - path: "{{ audit_logfile.stdout | dirname }}" + path: "{{ item.path }}" state: file owner: root - loop: "{{ audit_config_files }}" + loop: "{{ auditd_conf_files.files }}" + loop_control: + label: "{{ item.path }}" when: - rhel9cis_rule_4_1_4_6 tags: @@ -100,10 +93,12 @@ - name: "4.1.4.7 | PATCH | Ensure audit configuration files belong to group root" ansible.builtin.file: - path: "{{ audit_logfile.stdout | dirname }}" + path: "{{ item.path }}" state: file group: root - loop: "{{ audit_config_files }}" + loop: "{{ auditd_conf_files.files }}" + loop_control: + label: "{{ item.path }}" when: - rhel9cis_rule_4_1_4_7 tags: 
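Review bot: In 4.1.4.5 the condition `item.mode != '06(0|4)0'` compares the mode string from `find` (e.g. `'0640'`) for literal inequality against a regex literal, so it is always true and every audit config file is set to `0640` on every run — including files that are already `0600`, which this loosens, contrary to "640 or more restrictive". Use the test form that the rest of the file uses: `- not item.mode is match('06(0|4)0')`. `loop: "{{ auditd_conf_files.files }}"` presumably comes from a prelim `find`; I cannot see it registered here.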
@@ -115,7 +110,7 @@ - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive" block: - - name: "PRELIM | 4.1.4.8 | Get audit binarty file stat | get current mode" + - name: "PRELIM | 4.1.4.8 | Get audit binary file stat | get current mode" ansible.builtin.stat: path: "{{ item }}" register: "audit_bins" @@ -127,14 +122,19 @@ - /sbin/auditd - /sbin/augenrules + - debug: + msg: "{{ audit_bins }}" + - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" ansible.builtin.file: - path: "{{ item }}" + path: "{{ item.item }}" state: file mode: 0750 register: "audit_bins" - loop: "{{ audit_bins.results.stat.path }}" - when: not audit_bins.stat.mode is match('07(0|5)(0|5)') + loop: "{{ audit_bins.results }}" + loop_control: + label: "{{ item.item }}" + when: not item.stat.mode is match('07(0|5)0') when: - rhel9cis_rule_4_1_4_8 tags: From c129d9af23f9913c9f047bddc3061dc53522f20e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 15:01:43 +0000 Subject: [PATCH 020/143] fix items Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.1.x.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index e34f677..b1a20a9 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -190,11 +190,11 @@ regexp: '{{ item }}' replace: '#\1' notify: restart rsyslog - with_items: - - '^\$ModLoad imtcp' - - '^\$InputTCPServerRun' - - '^module\(load="imtcp"\)' - - '^input\(type="imtcp" port=.*\)' + loop: + - '^(\$ModLoad imtcp)' + - '^(\$InputTCPServerRun)' + - '^(module\(load="imtcp"\))' + - '^(input\(type="imtcp")' when: not rhel9cis_system_is_log_server - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host" 
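Review bot: A bare `- debug: msg: "{{ audit_bins }}"` is left in the 4.1.4.8 block — a debugging leftover that dumps full stat results on every run and is not FQCN like the surrounding tasks; remove it. The new condition `not item.stat.mode is match('07(0|5)0')` also references `item.stat.mode` without checking `item.stat.exists`, so a missing binary makes the task fail on an undefined attribute rather than skip; and it no longer accepts `0755`, so every stock tool is chmodded to `0750` on each run and `rpm -V` will flag the change. Suggested: `when: item.stat.exists and not item.stat.mode is match('07(0|5)(0|5)')`, and drop the second `register: "audit_bins"` which overwrites the stat results.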
@@ -203,11 +203,11 @@ regexp: '^#(.*{{ item }}.*)' replace: '\1' notify: restart rsyslog - with_items: + loop: - 'ModLoad imtcp' - 'InputTCPServerRun' - 'module\(load="imtcp"\)' - - 'input\(type="imtcp" port=".*")' + - 'input\(type="imtcp"' when: rhel9cis_system_is_log_server when: - rhel9cis_rule_4_2_1_7 From 876b5d350895296dd8b876b85764eca00f847833 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 15:01:59 +0000 Subject: [PATCH 021/143] improved find Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.3.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index 3fa195c..a7a623a 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -5,14 +5,17 @@ - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" ansible.builtin.find: paths: "/var/log" - type: file + file_type: file + recurse: true register: logfiles - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" ansible.builtin.file: - paths: "{{ item.path }}" + path: "{{ item.path }}" mode: 0640 - register: logfiles + loop: "{{ logfiles.files }}" + loop_control: + label: "{{ item.path }}" when: - rhel9cis_rule_4_2_3 tags: From 793b1e16666cb8b082898c5723aed217755a707d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 15:02:10 +0000 Subject: [PATCH 022/143] title update Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.3.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 6709458..ac0078c 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml 
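Review bot: 4.2.3 now recurses /var/log and forces `mode: 0640` on every regular file, with no condition, so files that are already tighter (e.g. `0600` on `/var/log/secure`, `btmp`) are loosened and the benchmark's per-file exceptions (`lastlog`/`wtmp`/`btmp` group-readable by `utmp`, journal files owned by `systemd-journal`) are overridden on every run; the task name also still says AUDIT while it patches. At minimum guard it with `when: not item.mode is match('06[0-4]0')` and add `changed_when`/idempotent reporting, or better, implement the control's per-path rules as separate loop items. Files with the `+t`/`g+s` bits the benchmark allows are also stripped by an absolute `0640`.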
@@ -7,7 +7,7 @@ name: rsyslog-logrotate state: present - - name: "4.3.2 | PATCH | Ensure logrotate is configured | scheduled" + - name: "4.3 | PATCH | Ensure logrotate is configured | scheduled" ansible.builtin.systemd: name: logrotate.timer state: started @@ -36,4 +36,4 @@ - manual - patch - logrotate - - rule_4.3.1 + - rule_4.3 From bcc59228328d164608c6800f8cef2e7e6c238368 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Jan 2023 15:02:18 +0000 Subject: [PATCH 023/143] removed args Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 29d98b3..ae29cbb 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -4,8 +4,6 @@ block: - name: "6.1.1 | AUDIT | Audit system file permissions | Audit the packages" shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto - args: - warn: false changed_when: false failed_when: false register: rhel9cis_6_1_1_packages_rpm @@ -48,8 +46,6 @@ - name: "6.1.2 | PATCH | Ensure sticky bit is set on all world-writable directories" shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t - args: - warn: false changed_when: false failed_when: false when: From 7c6555d92ef27eff7249b3900550b63dd80c5dd9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 09:09:21 +0000 Subject: [PATCH 024/143] Lint updates & control alignment Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.1.x.yml | 8 -------- tasks/section_5/cis_5.2.x.yml | 20 -------------------- tasks/section_5/cis_5.3.x.yml | 7 ------- tasks/section_5/cis_5.4.x.yml | 1 - tasks/section_5/cis_5.5.x.yml | 12 ++++++------ tasks/section_5/cis_5.6.1.x.yml | 4 ---- tasks/section_5/cis_5.6.x.yml | 24 ++++++++++++++++++++---- 7 files changed, 26 insertions(+), 50 deletions(-) 
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 7cbcd7f..9edc7c7 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -9,7 +9,6 @@ tags: - level1-server - level1-workstation - - automated - patch - cron - rule_5.1.1 @@ -25,7 +24,6 @@ tags: - level1-server - level1-workstation - - automated - patch - cron - rule_5.1.2 @@ -42,7 +40,6 @@ tags: - level1-server - level1-workstation - - automated - patch - cron - rule_5.1.3 @@ -59,7 +56,6 @@ tags: - level1-server - level1-workstation - - automated - patch - cron - rule_5.1.4 @@ -91,7 +87,6 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_5.1.6 @@ -107,7 +102,6 @@ tags: - level1-server - level1-workstation - - automated - patch - cron - rule_5.1.7 @@ -136,7 +130,6 @@ tags: - level1-server - level1-workstation - - automated - patch - cron - rule_5.1.8 @@ -165,7 +158,6 @@ tags: - level1-server - level1-workstation - - automated - patch - cron - rule_5.1.9 diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 580585e..a599a4b 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -12,7 +12,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - permissions @@ -43,7 +42,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - permissions @@ -74,7 +72,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.3 @@ -121,7 +118,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.4 @@ -137,7 +133,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sshs - rule_5.2.5 @@ -153,7 +148,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.6 @@ -169,7 +163,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.7 
@@ -185,7 +178,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.8 @@ -201,7 +193,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.9 @@ -217,7 +208,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.10 @@ -233,7 +223,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.11 @@ -249,7 +238,6 @@ tags: - level2-server - level1-workstation - - automated - patch - ssh - rule_5.2.12 @@ -265,7 +253,6 @@ tags: - level2-server - level2-workstation - - automated - patch - ssh - rule_5.2.13 @@ -287,7 +274,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.14 @@ -302,7 +288,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.15 @@ -318,7 +303,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.16 @@ -334,7 +318,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.17 @@ -350,7 +333,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.18 @@ -366,7 +348,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.19 @@ -391,7 +372,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ssh - rule_5.2.20 diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index 0cdfaac..25d05d2 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -9,7 +9,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sudo - rule_5.3.1 @@ -24,7 +23,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sudo - rule_5.3.2 @@ -40,7 +38,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sudo - rule_5.3.3 @@ -58,7 +55,6 @@ tags: - level2-server - level2-workstation - - automated - patch - sudo - rule_5.3.4 
@@ -76,7 +72,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sudo - rule_5.3.5 @@ -111,7 +106,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sudo - rule_5.3.6 @@ -133,7 +127,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sudo - rule_5.3.7 diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index d78d6ce..ac37cf2 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -51,7 +51,6 @@ tags: - level1-server - level1-workstation - - automated - patch - authselect - rule_5.4.2 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 8f0f4d9..51c18f9 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -1,6 +1,6 @@ --- -- name: "5.5.1 | PATCH | " +- name: "5.5.1 | PATCH | Ensure password creation requirements are configured" block: - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" ansible.builtin.lineinfile: @@ -32,7 +32,7 @@ - patch - rule_5.5.1 -- name: "5.5.2 | PATCH | Ensure system accounts are secured" +- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured" ansible.builtin.lineinfile: path: /etc/security/faillock.conf regexp: "{{ item.regexp }}" @@ -45,7 +45,7 @@ - name: "5.5.3 | PATCH | Ensure password reuse is limited" block: - - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory" + - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality" ansible.builtin.lineinfile: path: /etc/pam.d/system-auth line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" 
@@ -54,8 +54,8 @@ - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix" ansible.builtin.replace: path: /etc/pam.d/system-auth - regexp: '^password\s*sufficient\s*pam_unix.so.*$' - replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' + regexp: '^password\s*(sufficient|requisite|sufficient)\s*pam_unix.so.*$' + replace: 'password requisite pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_3 tags: @@ -64,7 +64,7 @@ - patch - rule_5.5.3 -- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512" +- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt" block: - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" ansible.builtin.replace: diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 2e178cd..df3478f 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -10,7 +10,6 @@ tags: - level1-server - level1-workstation - - automated - patch - password - rule_5.5.1.1 @@ -25,7 +24,6 @@ tags: - level1-server - level1-workstation - - automated - patch - password - rule_5.6.1.2 @@ -40,7 +38,6 @@ tags: - level1-server - level1-workstation - - automated - patch - password - rule_5.5.1.3 @@ -73,7 +70,6 @@ tags: - level1-server - level1-workstation - - automated - patch - password - rule_5.6.1.4 diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 4f0ec0b..884efd8 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -41,7 +41,6 @@ tags: - level1-server - level1-workstation - - automated - patch - accounts - rule_5.6.2 @@ -65,7 +64,6 @@ tags: - level1-server - level1-workstation - - automated - patch - accounts - rule_5.6.3 @@ -79,7 +77,6 @@ tags: - level1-server - level1-workstation - - automated - patch - accounts - rule_5.6.4 
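Review bot: The rewritten regexp `'^password\s*(sufficient|requisite|sufficient)\s*pam_unix.so.*$'` repeats `sufficient` in the alternation, so an existing `required` line is not matched and the duplicate branch is dead; it should read `(sufficient|requisite|required)`. More significantly, the replacement turns pam_unix from `sufficient` into `requisite` in the password stack: if system-auth keeps the stock trailing `password sufficient pam_sss.so use_authtok` and `password required pam_deny.so` entries, a successful pam_unix no longer ends the stack and a local user's password change would presumably fall through to pam_deny and fail. Keep `sufficient` in the replacement, `replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'`, unless the rest of the stack has been verified. On RHEL 9 /etc/pam.d/system-auth is generated by authselect and direct edits are likely to be reverted by the next `authselect apply-changes`; a custom profile under /etc/authselect/custom is the durable place for this. The enclosing 5.5.3 block starts outside this hunk.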
@@ -111,7 +108,26 @@ tags: - level1-server - level1-workstation - - automated - patch - accounts - rule_5.6.5 + +- name: "5.6.6 | PATCH | Ensure root password is set" + block: + - name: "5.6.6 | PATCH | Ensure root password is set" + ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt" + register: root_passwd + + - name: "5.6.6 | PATCH | Ensure root password is set" + ansible.builtin.fail: + msg: The root password is not set + when: root_passwd.rc != 0 + when: + - rhel9cis_rule_5_6_6 + tags: + - level1-server + - level1-workstation + - patch + - accounts + - root + - rule_5.6.6 From 0c279ad97deb49981f34754e0d4dc0de2f72b024 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 09:09:49 +0000 Subject: [PATCH 025/143] new control 5.6.6 added Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + templates/ansible_vars_goss.yml.j2 | 1 + 2 files changed, 2 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 3436dea..168ce67 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -305,6 +305,7 @@ rhel9cis_rule_5_6_2: true rhel9cis_rule_5_6_3: true rhel9cis_rule_5_6_4: true rhel9cis_rule_5_6_5: true +rhel9cis_rule_5_6_6: true # Section 6 rules rhel9cis_rule_6_1_1: true diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 89f2787..c553121 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -332,6 +332,7 @@ rhel9cis_rule_5_6_2: {{ rhel9cis_rule_5_6_2 }} rhel9cis_rule_5_6_3: {{ rhel9cis_rule_5_6_3 }} rhel9cis_rule_5_6_4: {{ rhel9cis_rule_5_6_4 }} rhel9cis_rule_5_6_5: {{ rhel9cis_rule_5_6_5 }} +rhel9cis_rule_5_6_6: {{ rhel9cis_rule_5_6_6 }} # Section 6 # 6 System Maintenance From 198359cfbb6918867b7a778214d083ad080a01c0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 10:04:16 +0000 Subject: [PATCH 026/143] reorder and lint 
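Review bot: The new 5.6.6 check can never reach its `fail` task: `ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt"` has no `failed_when`, so a non-zero grep exit fails the play at the shell task and `when: root_passwd.rc != 0` is dead code; add `failed_when: false` and `changed_when: false` to the shell task. The grep string is also tied to one hash type — a root password hashed with yescrypt, which the 5.5.4 title in this same series was just widened to accept, reports `Password set, yescrypt crypt` and would be flagged as unset; match on `grep -q "Password set"` instead. Since the block only verifies state, tag it `audit` rather than `patch`. In `--check` runs the shell task is skipped and `root_passwd.rc` is undefined, so `check_mode: false` is needed as well.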
Signed-off-by: Mark Bolwell
---
 tasks/section_6/cis_6.1.x.yml | 392 ++++++++++++++++------------------
 1 file changed, 190 insertions(+), 202 deletions(-)

diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
index ae29cbb..1457f6e 100644
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@@ -1,68 +1,38 @@ --- -- name: "6.1.1 | AUDIT | Audit system file permissions" - block: - - name: "6.1.1 | AUDIT | Audit system file permissions | Audit the packages" - shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto - changed_when: false - failed_when: false - register: rhel9cis_6_1_1_packages_rpm - - - name: "6.1.1 | AUDIT | Audit system file permissions | Create list and warning" - block: - - name: "6.1.1 | AUDIT | Audit system file permissions | Add file discrepancy list to system" - copy: - dest: "{{ rhel9cis_rpm_audit_file }}" # noqa template-instead-of-copy - content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}" - owner: root - group: root - mode: 0640 - - - name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" - debug: - msg: | - "Warning!! You have some package descrepancies issues. - The file list can be found in {{ rhel9cis_rpm_audit_file }}" - - - name: "6.1.1 | AUDIT | Audit system file permissions | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.1.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0 - - - name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies" - debug: - msg: "Good News! 
There are no package descrepancies" - when: rhel9cis_6_1_1_packages_rpm.stdout|length == 0 +- name: "6.1.1 | PATCH | Ensure permissions on /etc/passwd are configured" + ansible.builtin.file: + dest: /etc/passwd + owner: root + group: root + mode: 0644 when: - rhel9cis_rule_6_1_1 tags: - - level2-server - - level2-workstation - - manual - - audit + - level1-server + - level1-workstation + - patch - permissions - rule_6.1.1 -- name: "6.1.2 | PATCH | Ensure sticky bit is set on all world-writable directories" - shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t - changed_when: false - failed_when: false +- name: "6.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" + ansible.builtin.file: + dest: /etc/passwd- + owner: root + group: root + mode: 0644 when: - rhel9cis_rule_6_1_2 tags: - - skip_ansible_lint - level1-server - level1-workstation - - automated - patch - - stickybits - - permissons - - rule_1.1.21 + - permissions + - rule_6.1.2 -- name: "6.1.3 | PATCH | Ensure permissions on /etc/passwd are configured" - file: - dest: /etc/passwd +- name: "6.1.3 | PATCH | Ensure permissions on /etc/group are configured" + ansible.builtin.file: + dest: /etc/group- owner: root group: root mode: 0644 
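Review bot: The renumbered 6.1.3 task is titled "Ensure permissions on /etc/group are configured" but its target is `dest: /etc/group-`, the same backup file the following 6.1.4 task handles, so /etc/group itself is no longer covered by the role; change it to `dest: /etc/group`. The rest of this file uses `dest:` on `ansible.builtin.file` too, which works as an alias, but `path:` is the documented parameter and would read consistently with the `path:` usages elsewhere in the series. The 6.1.3 task's `when`/`tags` continue in the next hunk.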
@@ -71,77 +41,42 @@ tags: - level1-server - level1-workstation - - automated - patch - permissions - rule_6.1.3 -- name: "6.1.4 | PATCH | Ensure permissions on /etc/shadow are configured" - file: - dest: /etc/shadow - owner: root - group: root - mode: 0000 - when: - - rhel9cis_rule_6_1_4 - tags: - - level1-server - - level1-workstation - - automated - - patch - - permissions - - rule_6.1.4 - -- name: "6.1.5 | PATCH | Ensure permissions on /etc/group are configured" - file: +- name: "6.1.4 | PATCH | Ensure permissions on /etc/group- are configured" + ansible.builtin.file: dest: /etc/group- owner: root group: root mode: 0644 when: - - rhel9cis_rule_6_1_5 + - rhel9cis_rule_6_1_4 tags: - level1-server - level1-workstation - - automated - patch - - permissions - - rule_6.1.5 + - permissionss + - rule_6.1.4 -- name: "6.1.6 | PATCH | Ensure permissions on /etc/gshadow are configured" - file: - dest: /etc/gshadow +- name: "6.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" + ansible.builtin.file: + dest: /etc/shadow owner: root group: root mode: 0000 when: - - rhel9cis_rule_6_1_6 + - rhel9cis_rule_6_1_5 tags: - level1-server - level1-workstation - - automated - patch - permissions - - rule_6.1.6 - -- name: "6.1.7 | PATCH | Ensure permissions on /etc/passwd- are configured" - file: - dest: /etc/passwd- - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_6_1_7 - tags: - - level1-server - - level1-workstation - - automated - - patch - - permissions - - rule_6.1.7 + - rule_6.1.5 - name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" - file: + ansible.builtin.file: dest: /etc/shadow- owner: root group: root 
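Review bot: The new tag list for 6.1.4 contains `- permissionss` (double s), so `--tags permissions` skips this task while every sibling uses `- permissions`; fix the typo. Because 6.1.4 targets `/etc/group-` and the preceding 6.1.3 task was also pointed at `/etc/group-`, the backup file is now handled twice and the live file not at all — one of the two should be `/etc/group`. The 6.1.6 task at the end of the hunk continues outside it.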
@@ -151,17 +86,63 @@ tags: - level1-server - level1-workstation - - automated - patch - permissions - rule_6.1.6 -- name: "6.1.9 | PATCH | Ensure permissions on /etc/group- are configured" - file: - dest: /etc/group- +- name: "6.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" + ansible.builtin.file: + dest: /etc/gshadow owner: root group: root - mode: 0644 + mode: 0000 + when: + - rhel9cis_rule_6_1_7 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_6.1.7 + +- name: "6.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" + ansible.builtin.file: + dest: /etc/gshadow- + owner: root + group: root + mode: 0000 + when: + - rhel9cis_rule_6_1_8 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_6.1.10 + +- name: "6.1.9 | PATCH | Ensure no world writable files exist" + block: + - name: "6.1.9 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" + ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + failed_when: false + changed_when: false + register: rhel_08_6_1_9_perms_results + + - name: "6.1.9 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist" + ansible.builtin.debug: + msg: "Good news! We have not found any world-writable files on your system" + when: + - rhel_08_6_1_9_perms_results.stdout is not defined + + - name: "6.1.9 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" + ansible.builtin.file: + path: '{{ item }}' + mode: o-w + state: touch + with_items: "{{ rhel_08_6_1_9_perms_results.stdout_lines }}" + when: + - rhel_08_6_1_9_perms_results.stdout_lines is defined + - rhel9cis_no_world_write_adjust when: - rhel9cis_rule_6_1_9 tags: 
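Review bot: In the new 6.1.9 remediation the `ansible.builtin.file` task uses `state: touch`, which rewrites the mtime of every world-writable file and reports changed on every run; it should be `state: file` so only the `o-w` mode change is applied. The "Good news" debug is gated on `rhel_08_6_1_9_perms_results.stdout is not defined`, but a registered shell result always has `stdout`, so that message never prints and the `stdout_lines is defined` guard on the file task is always true; use `stdout_lines | length == 0` and `> 0` respectively. The 6.1.8 block is tagged `- rule_6.1.10` where `- rule_6.1.8` is meant. The 6.1.9 `tags:` list continues in the next hunk.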
@@ -169,125 +150,123 @@ - level1-workstation - automated - patch - - permissionss + - files + - permissions - rule_6.1.9 -- name: "6.1.10 | PATCH | Ensure permissions on /etc/gshadow- are configured" - file: - dest: /etc/gshadow- - owner: root - group: root - mode: 0000 +- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist" + block: + - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" + ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser + changed_when: false + failed_when: false + check_mode: false + register: rhel_08_6_1_10_audit + with_items: "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" + when: item['device'].startswith('/dev') and not 'bind' in item['options'] + + - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" + ansible.builtin.debug: + msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + with_items: "{{ rhel_08_6_1_10_audit.results }}" + when: + - item.stdout_lines is defined + - item.stdout_lines | length > 0 when: - rhel9cis_rule_6_1_10 tags: - level1-server - level1-workstation - - automated - - patch + - audit + - files - permissions - rule_6.1.10 -- name: "6.1.11 | PATCH | Ensure no world writable files exist" +- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist" block: - - name: "6.1.11 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" - shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories" + ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup + check_mode: false failed_when: false changed_when: false - register: rhel_08_6_1_11_perms_results + register: 
rhel_08_6_1_11_audit + with_items: "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" + when: item['device'].startswith('/dev') and not 'bind' in item['options'] - - name: "6.1.11 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist" - debug: - msg: "Good news! We have not found any world-writable files on your system" + - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" + ansible.builtin.debug: + msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + with_items: "{{ rhel_08_6_1_11_audit.results }}" when: - - rhel_08_6_1_11_perms_results.stdout is not defined - - - name: "6.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" - file: - path: '{{ item }}' - mode: o-w - state: touch - with_items: "{{ rhel_08_6_1_11_perms_results.stdout_lines }}" - when: - - rhel_08_6_1_11_perms_results.stdout_lines is defined - - rhel9cis_no_world_write_adjust + - item.stdout_lines is defined + - item.stdout_lines | length > 0 when: - rhel9cis_rule_6_1_11 tags: - level1-server - level1-workstation - - automated - - patch + - audit - files - permissions - rule_6.1.11 -- name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist" - block: - - name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" - command: find "{{ item.mount }}" -xdev -nouser - changed_when: false - failed_when: false - check_mode: false - register: rhel_08_6_1_12_audit - with_items: "{{ ansible_mounts }}" - loop_control: - label: "{{ item.mount }}" - when: item['device'].startswith('/dev') and not 'bind' in item['options'] - - - name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" - debug: - msg: "Manual intervention is required -- missing 
owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_08_6_1_12_audit.results }}" - when: - - item.stdout_lines is defined - - item.stdout_lines | length > 0 +- name: "6.1.12 | PATCH | Ensure sticky bit is set on all world-writable directories" + ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t + changed_when: false + failed_when: false when: - rhel9cis_rule_6_1_12 tags: - level1-server - level1-workstation - - automated - - audit - - files - - permissions - - rule_6.1.12 + - patch + - stickybits + - permissons + - rule_1.1.21 -- name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist" +- name: "6.1.13 | AUDIT | Audit SUID executables" block: - - name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories" - command: find "{{ item.mount }}" -xdev -nogroup - check_mode: false + - name: "6.1.13 | AUDIT | Audit SUID executables | Find all SUID executables" + ansible.builtin.shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 failed_when: false changed_when: false - register: rhel_08_6_1_13_audit + register: rhel_08_6_1_13_perms_results with_items: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" - when: item['device'].startswith('/dev') and not 'bind' in item['options'] - - name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" - debug: - msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_08_6_1_13_audit.results }}" + - name: "6.1.13 | AUDIT | Audit SUID executables | Alert no SUID executables exist" + ansible.builtin.debug: + msg: "Good news! 
We have not found any SUID executable files on your system" + failed_when: false + changed_when: false when: - - item.stdout_lines is defined - - item.stdout_lines | length > 0 + - rhel_08_6_1_13_perms_results.stdout is not defined + + - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" + ansible.builtin.debug: + msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" + with_items: "{{ rhel_08_6_1_13_perms_results.stdout_lines }}" + when: + - rhel_08_6_1_13_perms_results.stdout is defined when: - rhel9cis_rule_6_1_13 tags: - level1-server - level1-workstation - - automated + - manual - audit - files - - permissions - rule_6.1.13 -- name: "6.1.14 | AUDIT | Audit SUID executables" +- name: "6.1.14 | AUDIT | Audit SGID executables" block: - - name: "6.1.14 | AUDIT | Audit SUID executables | Find all SUID executables" - shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 + - name: "6.1.14 | AUDIT | Audit SGID executables | Find all SGID executables" + ansible.builtin.shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 failed_when: false changed_when: false register: rhel_08_6_1_14_perms_results 
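Review bot: The 6.1.13 SUID alert task cannot report anything: `with_items: "{{ rhel_08_6_1_13_perms_results.stdout_lines }}"` and `when: ...stdout is defined` look for a top-level `stdout`, but the find is registered inside a loop so the variable only exposes `results`; the guard is always false, the task is always skipped, and the `item.stout_lines` typo in the message never surfaces. For the same reason the no-findings debug keyed on `stdout is not defined` fires unconditionally. Loop over `.results` and test each item's `stdout_lines`, as the 6.1.10 and 6.1.11 tasks in this hunk already do; the find loop also dropped the `item['device'].startswith('/dev') and not 'bind' in item['options']` filter those tasks keep, so it now runs against tmpfs and pseudo-filesystems too. The moved 6.1.12 sticky-bit task carries `- permissons` and `- rule_1.1.21` and should be tagged `- permissions` and `- rule_6.1.12`.
```yaml
      - name: "6.1.13 | AUDIT | Audit SUID executables | Alert no SUID executables exist"
        ansible.builtin.debug:
          msg: "Good news! We have not found any SUID executable files on your system"
        when: rhel_08_6_1_13_perms_results.results | map(attribute='stdout_lines') | flatten | length == 0

      - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist"
        ansible.builtin.debug:
          msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
        with_items: "{{ rhel_08_6_1_13_perms_results.results }}"
        loop_control:
          label: "{{ item.item.mount }}"
        when:
          - item.stdout_lines is defined
          - item.stdout_lines | length > 0
      # … unchanged: outer when/tags for 6.1.13 …
```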
@@ -295,17 +274,17 @@ loop_control: label: "{{ item.mount }}" - - name: "6.1.14 | AUDIT | Audit SUID executables | Alert no SUID executables exist" - debug: - msg: "Good news! We have not found any SUID executable files on your system" + - name: "6.1.14 | AUDIT | Audit SGID executables | Alert no SGID executables exist" + ansible.builtin.debug: + msg: "Good news! We have not found any SGID executable files on your system" failed_when: false changed_when: false when: - rhel_08_6_1_14_perms_results.stdout is not defined - - name: "6.1.14 | AUDIT | Audit SUID executables | Alert SUID executables exist" - debug: - msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" + - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" + ansible.builtin.debug: + msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}" when: - rhel_08_6_1_14_perms_results.stdout is defined 
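Review bot: The renamed SGID alert keeps `{{ item.stout_lines | join(', ') }}` (typo for `stdout_lines`) and still iterates `rhel_08_6_1_14_perms_results.stdout_lines` under `when: ...stdout is defined`; because the find is registered from a loop the variable exposes `results` rather than `stdout`, so the task is always skipped and the typo is masked. Loop over `rhel_08_6_1_14_perms_results.results` with `when: item.stdout_lines | length > 0` and print `item.stdout_lines`, mirroring the 6.1.10/6.1.11 tasks. The 6.1.14 block's find task sits outside this hunk.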
@@ -319,37 +298,46 @@ - files - rule_6.1.14 -- name: "6.1.15 | AUDIT | Audit SGID executables" +- name: "6.1.15 | AUDIT | Audit system file permissions" block: - - name: "6.1.15 | AUDIT | Audit SGID executables | Find all SGID executables" - shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 - failed_when: false + - name: "6.1.15 | AUDIT | Audit system file permissions | Audit the packages" + ansible.builtin.shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto changed_when: false - register: rhel_08_6_1_15_perms_results - with_items: "{{ ansible_mounts }}" - loop_control: - label: "{{ item.mount }}" - - - name: "6.1.15 | AUDIT | Audit SGID executables | Alert no SGID executables exist" - debug: - msg: "Good news! We have not found any SGID executable files on your system" failed_when: false - changed_when: false - when: - - rhel_08_6_1_15_perms_results.stdout is not defined + register: rhel9cis_6_1_15_packages_rpm - - name: "6.1.15 | AUDIT | Audit SGID executables | Alert SGID executables exist" - debug: - msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_08_6_1_15_perms_results.stdout_lines }}" - when: - - rhel_08_6_1_15_perms_results.stdout is defined + - name: "6.1.15 | AUDIT | Audit system file permissions | Create list and warning" + block: + - name: "6.1.15 | AUDIT | Audit system file permissions | Add file discrepancy list to system" + ansible.builtin.copy: + dest: "{{ rhel9cis_rpm_audit_file }}" # noqa template-instead-of-copy + content: "{{ rhel9cis_6_1_15_packages_rpm.stdout }}" + owner: root + group: root + mode: 0640 + + - name: "6.1.15 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" + ansible.builtin.debug: + msg: | + "Warning!! You have some package descrepancies issues. 
+ The file list can be found in {{ rhel9cis_rpm_audit_file }}" + + - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" + ansible.builtin.set_fact: + control_number: "{{ control_number }} + [ 'rule_6.1.1' ]" + warn_count: "{{ warn_count | int + 1 }}" + when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 + + - name: "6.1.15 | AUDIT | Audit system file permissions | Message out no package descrepancies" + ansible.builtin.debug: + msg: "Good News! There are no package descrepancies" + when: rhel9cis_6_1_15_packages_rpm.stdout|length == 0 when: - rhel9cis_rule_6_1_15 tags: - - level1-server - - level1-workstation + - level2-server + - level2-workstation - manual - audit - - files + - permissions - rule_6.1.15 From 440f1dfcd470dd2fa43e8d7078552917f269a837 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 10:04:33 +0000 Subject: [PATCH 027/143] reorder and lint Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 527 +++++++++++++++++----------------- 1 file changed, 257 insertions(+), 270 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 235146e..a280cab 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
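Review bot: The relocated 6.1.15 warning-count task still appends `'rule_6.1.1'` to `control_number` (`control_number: "{{ control_number }} + [ 'rule_6.1.1' ]"`), so the run summary attributes the rpm discrepancy finding to the /etc/passwd permissions control; it should be `'rule_6.1.15'`. The 6.2.1 control added in the next commit routes warnings through `ansible.builtin.import_tasks: warning_facts.yml` with `warn_control_id`, so this block could use the same mechanism instead of hand-maintaining `warn_count`. The file written to `{{ rhel9cis_rpm_audit_file }}` enumerates every modified system binary and config, which is useful reconnaissance if readable; 0640 root:root is appropriate, and a short comment saying so would stop a later change from relaxing it.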
@@ -1,300 +1,311 @@ --- -- name: "6.2.1 | PATCH | Ensure password fields are not empty" - command: passwd -l {{ item }} +- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" + block: + - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | discover" + ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd + register: shadow_passwd + + - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Output" + ansible.builtin.debug: + msg: | + - "Warning!! Below are the accounts that do not have shadowed passwords set" + - "{{ shadow_passwd.stdout_line }}" + when: shadow_passwd.stdout | length > 0 + + - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.1' + when: shadow_passwd.stdout | length >= 1 + + when: + - rhel9cis_rule_6_2_1 + tags: + - level1-server + - level1-workstation + - patch + - accounts + - rule_6.2.1 + +- name: "6.2.2 | PATCH | Ensure password fields are not empty" + ansible.builtin.shell: passwd -l {{ item }} changed_when: false failed_when: false with_items: "{{ empty_password_accounts.stdout_lines }}" when: - empty_password_accounts.rc - - rhel9cis_rule_6_2_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - accounts - - rule_6.2.1 - - -- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" - block: - - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" - shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_6_2_2_passwd_gid_check - - - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" - debug: - msg: "Good 
News! There are no users that have non-existent GUIDs (Groups)" - when: rhel9cis_6_2_2_passwd_gid_check.stdout | length == 0 - - - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" - debug: - msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" - when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1 - - - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.2.2' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1 - when: - rhel9cis_rule_6_2_2 tags: - level1-server - level1-workstation - automated + - patch + - accounts + - rule_6.2.2 + +- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" + block: + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" + ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_6_2_3_passwd_gid_check + + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" + ansible.builtin.debug: + msg: "Good News! There are no users that have non-existent GUIDs (Groups)" + when: rhel9cis_6_2_3_passwd_gid_check.stdout | length == 0 + + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" + ansible.builtin.debug: + msg: "Warning!! 
The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" + when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 + + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.3' + when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 + when: + - rhel9cis_rule_6_2_2 + tags: + - level1-server + - level1-workstation - audit - accounts - groups - rule_6.2.2 -- name: "6.2.3 | AUDIT Ensure no duplicate UIDs exist" +- name: "6.2.4 | AUDIT Ensure no duplicate UIDs exist" block: - - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" - shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" + - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" changed_when: false failed_when: false - register: rhel9cis_6_2_3_user_uid_check + register: rhel9cis_6_2_4_user_uid_check - - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" - debug: + - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" + ansible.builtin.debug: msg: "Good News! There are no duplicate UID's in the system" - when: rhel9cis_6_2_3_user_uid_check.stdout | length == 0 + when: rhel9cis_6_2_4_user_uid_check.stdout | length == 0 - - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" - debug: - msg: "Warning!! 
The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" - when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1 - - - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.2.3' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1 - when: - - rhel9cis_rule_6_2_3 - tags: - - level1-server - - level1-workstation - - automated - - audit - - accounts - - users - - rule_6.2.3 - -- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist" - block: - - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" - shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" - changed_when: false - failed_when: false - register: rhel9cis_6_2_4_user_user_check - - - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" - debug: - msg: "Good News! There are no duplicate GIDs in the system" - when: rhel9cis_6_2_4_user_user_check.stdout | length == 0 - - - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" - debug: - msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" - when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1 - - - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.2.4' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1 + - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" + ansible.builtin.debug: + msg: "Warning!! 
The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}" + when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 + - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.4' + when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_4 tags: - level1-server - level1-workstation - - automated - audit - accounts - - groups + - users - rule_6.2.4 -- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist" +- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist" block: - - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" - shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" + - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" changed_when: false failed_when: false - register: rhel9cis_6_2_5_user_username_check + register: rhel9cis_6_2_5_user_user_check - - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" - debug: - msg: "Good News! There are no duplicate user names in the system" - when: rhel9cis_6_2_5_user_username_check.stdout | length == 0 + - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" + ansible.builtin.debug: + msg: "Good News! There are no duplicate GIDs in the system" + when: rhel9cis_6_2_5_user_user_check.stdout | length == 0 - - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" - debug: - msg: "Warning!! 
The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" - when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1 + - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" + ansible.builtin.debug: + msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_5_user_user_check.stdout_lines }}" + when: rhel9cis_6_2_5_user_user_check.stdout | length >= 1 + + - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.5' + when: rhel9cis_6_2_5_user_user_check.stdout_lines | length >= 1 - - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.2.5' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_5 tags: - level1-server - level1-workstation - - automated - audit - accounts - - users + - groups - rule_6.2.5 -- name: "6.2.6 | AUDIT |Ensure no duplicate group names exist" +- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist" block: - - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" - shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' + - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" changed_when: false failed_when: false - check_mode: false - register: rhel9cis_6_2_6_group_group_check + register: rhel9cis_6_2_6_user_username_check - - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" - debug: - msg: "Good News! 
There are no duplicate group names in the system" - when: rhel9cis_6_2_6_group_group_check.stdout is defined + - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" + ansible.builtin.debug: + msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" + when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 - - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - debug: - msg: "Warning!! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" - when: rhel9cis_6_2_6_group_group_check.stdout is not defined - - - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.2.6' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_2_6_group_group_check.stdout is not defined + - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.6' + when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_6 tags: - level1-server - level1-workstation - - automated - audit - accounts - - groups + - users - rule_6.2.6 -- name: "6.2.7 | PATCH | Ensure root PATH Integrity" +- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist" block: - - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine empty value" - shell: 'echo $PATH | grep ::' + - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" + ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' changed_when: false - failed_when: rhel9cis_6_2_7_path_colon.rc == 0 + failed_when: false check_mode: false - register: rhel9cis_6_2_7_path_colon + register: rhel9cis_6_2_7_group_group_check - - name: "6.2.7 | AUDIT | 
Ensure root PATH Integrity | Determin colon end" - shell: 'echo $PATH | grep :$' - changed_when: false - failed_when: rhel9cis_6_2_7_path_colon_end.rc == 0 - check_mode: false - register: rhel9cis_6_2_7_path_colon_end + - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" + ansible.builtin.debug: + msg: "Warning!! The following group names are duplicates: {{ rhel9cis_6_2_7_group_group_check.stdout_lines }}" + when: rhel9cis_6_2_7_group_group_check.stdout is not defined - - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine dot in path" - shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" - changed_when: false - failed_when: '"." in rhel9cis_6_2_7_dot_in_path.stdout_lines' - check_mode: false - register: rhel9cis_6_2_7_dot_in_path - - - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" - debug: - msg: - - "The following paths have an empty value: {{ rhel9cis_6_2_7_path_colon.stdout_lines }}" - - "The following paths have colon end: {{ rhel9cis_6_2_7_path_colon_end.stdout_lines }}" - - "The following paths have a dot in the path: {{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}" - - - name: "6.2.7 | PATCH | Ensure root PATH Integrity | Determine rights and owner" - file: > - path='{{ item }}' - follow=yes - state=directory - owner=root - mode='o-w,g-w' - with_items: "{{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}" + - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.7' + when: rhel9cis_6_2_7_group_group_check.stdout is not defined when: - rhel9cis_rule_6_2_7 tags: - level1-server - level1-workstation - - automated - - patch - - paths + - audit + - accounts + - groups - rule_6.2.7 -- name: "6.2.8 | PATCH | Ensure root is the only UID 0 account" - command: passwd -l {{ item }} 
+- name: "6.2.8 | PATCH | Ensure root PATH Integrity" + block: + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determine empty value" + ansible.builtin.shell: 'echo $PATH | grep ::' + changed_when: false + failed_when: rhel9cis_6_2_8_path_colon.rc == 0 + check_mode: false + register: rhel9cis_6_2_8_path_colon + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determin colon end" + ansible.builtin.shell: 'echo $PATH | grep :$' + changed_when: false + failed_when: rhel9cis_6_2_8_path_colon_end.rc == 0 + check_mode: false + register: rhel9cis_6_2_8_path_colon_end + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determine dot in path" + ansible.builtin.shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" + changed_when: false + failed_when: '"." in rhel9cis_6_2_8_dot_in_path.stdout_lines' + check_mode: false + register: rhel9cis_6_2_8_dot_in_path + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" + ansible.builtin.debug: + msg: + - "Warning!!" 
+ - "The following paths have an empty value: {{ rhel9cis_6_2_8_path_colon.stdout_lines }}" + - "The following paths have colon end: {{ rhel9cis_6_2_8_path_colon_end.stdout_lines }}" + - "The following paths have a dot in the path: {{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" + + - name: "6.2.8 | PATCH | Ensure root PATH Integrity | Determine rights and owner" + ansible.builtin.file: > + path='{{ item }}' + follow=yes + state=directory + owner=root + mode='o-w,g-w' + with_items: "{{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" + when: + - rhel9cis_rule_6_2_8 + tags: + - level1-server + - level1-workstation + - patch + - paths + - rule_6.2.8 + +- name: "6.2.9 | PATCH | Ensure root is the only UID 0 account" + ansible.builtin.shell: passwd -l {{ item }} changed_when: false failed_when: false with_items: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}" when: - rhel9cis_uid_zero_accounts_except_root.rc - - rhel9cis_rule_6_2_8 + - rhel9cis_rule_6_2_9 tags: - level1-server - level1-workstation - - automated - patch - accounts - users - - rule_6.2.8 + - rule_6.2.9 -- name: "6.2.9 | PATCH | Ensure all users' home directories exist" +- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" block: - - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" - stat: + - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" + ansible.builtin.stat: path: "{{ item }}" - register: rhel_08_6_2_9_audit + register: rhel_08_6_2_10_audit with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}" - - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" - command: find -H {{ item.0 | quote }} -not -type l -perm /027 + - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" + ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false - changed_when: 
rhel_08_6_2_9_patch_audit.stdout | length > 0 - register: rhel_08_6_2_9_patch_audit + changed_when: rhel_08_6_2_10_patch_audit.stdout | length > 0 + register: rhel_08_6_2_10_patch_audit when: - ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_10_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" - - name: "6.2.9 | PATCH | Ensure all users' home directories exist" - file: + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" + ansible.builtin.file: path: "{{ item.0 }}" recurse: true mode: a-st,g-w,o-rwx - register: rhel_08_6_2_9_patch + register: rhel_08_6_2_10_patch when: - not ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_10_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.9 | PATCH | Ensure all users' home directories exist" - acl: + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" + ansible.posix.acl: path: "{{ item.0 }}" default: true state: present @@ -304,7 +315,7 @@ when: - not system_is_container with_nested: - - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | + - "{{ (ansible_check_mode | ternary(rhel_08_6_2_10_patch_audit, rhel_08_6_2_10_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - etype: group 
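Review bot: Three of the renumbered tasks still reference variables that no longer exist and will fail with an undefined-variable error as soon as a warning path fires: the 6.2.3 warning message reads `rhel9cis_6_2_2_passwd_gid_check.stdout_lines` while the check registers `rhel9cis_6_2_3_passwd_gid_check`, the 6.2.6 warning reads `rhel9cis_6_2_5_user_username_check.stdout_lines` while the check registers `rhel9cis_6_2_6_user_username_check`, and the 6.2.1 output uses `shadow_passwd.stdout_line` where the attribute is `stdout_lines`. The 6.2.3 block is also still gated on `rhel9cis_rule_6_2_2` and keeps the unchanged `- rule_6.2.2` tag, so neither `rhel9cis_rule_6_2_3` nor `--tags rule_6.2.3` can select it; both should be renumbered. In 6.2.7 the warning and warning-count tasks are conditioned on `rhel9cis_6_2_7_group_group_check.stdout is not defined`, which is never true for a registered shell result, so duplicate group names are never reported; `when: rhel9cis_6_2_7_group_group_check.stdout | length >= 1` is the intended test, and the check itself still runs `getent passwd` where `getent group` looks intended for a group-name control. The 6.2.1 discovery shell task has no `changed_when: false`, so every run reports a change for an audit-only control, and its block is tagged `patch` rather than `audit`. The 6.2.10 block continues past the end of this hunk.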
@@ -312,18 +323,16 @@ - etype: other mode: '0' when: - - rhel9cis_rule_6_2_9 + - rhel9cis_rule_6_2_10 tags: - level1-server - level1-workstation - - automated - patch - users - - rule_6.2.9 + - rule_6.2.10 - -- name: "6.2.10 | PATCH | Ensure users own their home directories" - file: +- name: "6.2.11 | PATCH | Ensure local interactive users own their home directories" + ansible.builtin.file: path: "{{ item.dir }}" owner: "{{ item.id }}" state: directory 
@@ -334,56 +343,54 @@ - item.uid >= min_int_uid | int - item.id != 'nobody' - (item.id != 'tss' and item.dir != '/dev/null') - - rhel9cis_rule_6_2_10 + - rhel9cis_rule_6_2_11 tags: - - skip_ansible_lint # settings found on 6_2_7 - level1-server - level1-workstation - - automated - patch - users - rule_6.2.10 -- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" +- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" block: - - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" - stat: + - name: "6.2.12 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive" + ansible.builtin.stat: path: "{{ item }}" with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}" - register: rhel_08_6_2_11_audit + register: rhel_08_6_2_12_audit - - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" - command: find -H {{ item.0 | quote }} -not -type l -perm /027 + - name: "6.2.12 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" + ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false - changed_when: rhel_08_6_2_11_patch_audit.stdout | length > 0 - register: rhel_08_6_2_11_patch_audit + changed_when: rhel_08_6_2_12_patch_audit.stdout | length > 0 + register: rhel_08_6_2_12_patch_audit when: - ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_12_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_12_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" - - name: "6.2.11 | PATCH | Ensure users' home 
directories permissions are 750 or more restrictive" - file: + - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" + ansible.builtin.file: path: "{{ item.0 }}" recurse: true mode: a-st,g-w,o-rwx - register: rhel_08_6_2_11_patch + register: rhel_08_6_2_12_patch when: - not ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_12_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_12_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" - acl: + - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" + ansible.posix.acl: path: "{{ item.0 }}" default: true state: present 
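Review bot: The 6.2.11 task is gated on `rhel9cis_rule_6_2_11` but its tags still carry the unchanged context line `- rule_6.2.10`, so `--tags rule_6.2.11` skips it and `--tags rule_6.2.10` runs it alongside 6.2.10; change it to `- rule_6.2.11`. The find sub-task in 6.2.12 keeps the old title "Ensure users' home directories permissions are 750 or more restrictive" while its siblings were renamed to the new control title, which makes filtering play output by name inconsistent. The 6.2.11 task starts before this hunk and the 6.2.12 block continues past its end.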
@@ -393,75 +400,41 @@ when: - not system_is_container with_nested: - - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results | + - "{{ (ansible_check_mode | ternary(rhel_08_6_2_12_patch_audit, rhel_08_6_2_12_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - etype: group mode: rx - etype: other mode: '0' - when: - - rhel9cis_rule_6_2_11 - tags: - - level1-server - - level1-workstation - - automated - - patch - - users - - permissions - - rule_6.2.11 - -- name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable" - block: - - name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" - shell: find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w - changed_when: false - failed_when: false - register: rhel9cis_6_2_12_audit - - - name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" - debug: - msg: "Good news! 
We have not found any group or world-writable dot files on your sytem" - when: - - rhel9cis_6_2_12_audit.stdout is not defined - - - name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" - file: - path: '{{ item }}' - mode: go-w - with_items: "{{ rhel9cis_6_2_12_audit.stdout_lines }}" - when: - - rhel9cis_6_2_12_audit.stdout is defined - - rhel9cis_dotperm_ansiblemanaged when: - rhel9cis_rule_6_2_12 tags: - level1-server - level1-workstation - - automated - patch - users - permissions - rule_6.2.12 -- name: "6.2.13 | PATCH | Ensure users' .netrc Files are not group or world accessible" - command: /bin/true - changed_when: false - failed_when: false +- name: "6.2.13 | PATCH | Ensure no local interactive user has .netrc files" + ansible.builtin.file: + path: "~{{ item }}/.netrc" + state: absent + with_items: + - "{{ users.stdout_lines }}" when: - rhel9cis_rule_6_2_13 tags: - level1-server - level1-workstation - - automated - patch - users - permissions - - notimplemented - rule_6.2.13 -- name: "6.2.14 | PATCH | Ensure no users have .forward files" - file: +- name: "6.2.14 | PATCH | Ensure no local interactive user has .forward files" + ansible.builtin.file: path: "~{{ item }}/.forward" state: absent with_items: @@ -471,15 +444,14 @@ tags: - level1-server - level1-workstation - - automated - patch - users - files - rule_6.2.14 -- name: "6.2.15 | PATCH | Ensure no users have .netrc files" - file: - path: "~{{ item }}/.netrc" +- name: "6.2.15 | PATCH | Ensure no users have .rhosts files" + ansible.builtin.file: + path: "~{{ item }}/.rhosts" state: absent with_items: - "{{ users.stdout_lines }}" 
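Review bot: The rewritten 6.2.13 task now deletes `~{{ item }}/.netrc` exactly as 6.2.14 and 6.2.15 delete `.forward` and `.rhosts`, but it keeps the `permissions` tag from the old "not group or world accessible" control while its siblings use `files`; `- files` would keep the three tasks selectable together. The loop source `users.stdout_lines` is registered outside this hunk, so whether it is limited to local interactive users, as the new title states, cannot be confirmed here. The 6.2.12 block starts before this hunk.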
@@ -488,24 +460,39 @@ tags: - level1-server - level1-workstation - - automated - patch - users - files - rule_6.2.15 -- name: "6.2.16 | PATCH | Ensure no users have .rhosts files" - file: - path: "~{{ item }}/.rhosts" - state: absent - with_items: "{{ users.stdout_lines }}" +- name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable" + block: + - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Check for files" + ansible.builtin.shell: find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w + changed_when: false + failed_when: false + register: rhel9cis_6_2_16_audit + + - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Alert on files found" + ansible.builtin.debug: + msg: "Good news! We have not found any group or world-writable dot files on your sytem" + when: + - rhel9cis_6_2_16_audit.stdout is not defined + + - name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable | Changes files if configured" + ansible.builtin.file: + path: '{{ item }}' + mode: go-w + with_items: "{{ rhel9cis_6_2_16_audit.stdout_lines }}" + when: + - rhel9cis_6_2_16_audit.stdout is defined + - rhel9cis_dotperm_ansiblemanaged when: - rhel9cis_rule_6_2_16 tags: - level1-server - level1-workstation - - automated - patch - users - - files + - permissions - rule_6.2.16 From 3ead0d63ac5e893429c2e5d6822b128785a5b9af Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 11:05:25 +0000 Subject: [PATCH 028/143] warn control count updates 
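Review bot: The moved 6.2.16 block keeps conditions that cannot behave as intended: a registered shell result always defines `stdout` (an empty string when nothing is found), so the "Good news" task gated on `rhel9cis_6_2_16_audit.stdout is not defined` never runs and the file task gated on `is defined` always runs, over an empty list when the system is clean. Use `when: rhel9cis_6_2_16_audit.stdout | length == 0` for the message and `- rhel9cis_6_2_16_audit.stdout | length > 0` for the remediation. Unlike the other audit blocks in this commit, nothing here imports warning_facts.yml when writable dot files are found and `rhel9cis_dotperm_ansiblemanaged` is false, so those findings never reach the warning summary. The check is also hard-coded to `find /home/`, whereas 6.2.10 and 6.2.12 derive home directories from `rhel9cis_passwd`, so users with homes elsewhere are not inspected.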
Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- tasks/post.yml | 7 ++-- tasks/section_1/cis_1.1.2.x.yml | 21 +++------- tasks/section_1/cis_1.1.3.x.yml | 21 ++-------- tasks/section_1/cis_1.1.4.x.yml | 21 ++-------- tasks/section_1/cis_1.1.5.x.yml | 20 ++------- tasks/section_1/cis_1.1.6.x.yml | 22 +++------- tasks/section_1/cis_1.1.7.x.yml | 20 ++------- tasks/section_1/cis_1.1.8.x.yml | 20 ++------- tasks/section_1/cis_1.2.x.yml | 6 +-- tasks/section_1/cis_1.6.1.x.yml | 11 ++--- tasks/section_2/cis_2.4.yml | 6 +-- tasks/section_3/cis_3.4.2.x.yml | 6 +-- tasks/section_4/cis_4.1.4.x.yml | 3 -- tasks/section_4/cis_4.2.2.x.yml | 6 +-- tasks/section_5/cis_5.2.x.yml | 48 +++++++++++----------- tasks/section_5/cis_5.6.1.x.yml | 11 ++--- tasks/section_6/cis_6.1.x.yml | 72 ++++++++++++++++++--------------- tasks/section_6/cis_6.2.x.yml | 14 +------ tasks/warning_facts.yml | 20 +++++++++ 20 files changed, 137 insertions(+), 220 deletions(-) create mode 100644 tasks/warning_facts.yml diff --git a/tasks/main.yml b/tasks/main.yml index d6b026a..d1918d2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -203,7 +203,7 @@ - name: If Warnings found Output count and control IDs affected debug: - msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" + msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" when: warn_count != 0 tags: - always diff --git a/tasks/post.yml b/tasks/post.yml index 3b5c3f2..0d1260d 100644 --- a/tasks/post.yml +++ b/tasks/post.yml 
@@ -51,13 +51,12 @@ - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'Reboot_required' ]" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml when: - change_requires_reboot - skip_reboot - + vars: + warn_control_id: Reboot_required tags: - grub - level1-server diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index aa67b5c..118f93b 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -4,26 +4,15 @@ block: - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Absent" ansible.builtin.debug: - msg: "Warning!! /tmp is not mounted on a separate partition" - when: - - required_mount not in mount_names + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - - - name: "1.1.2.1 | AUDIT | Ensure separate partition exists for /var | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_mount_present - when: - - required_mount in mount_names + - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | warning" + ansible.builtin.import_tasks: warning_facts.yml vars: + warn_control_id: '1.1.2.1' required_mount: '/tmp' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_2_1 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 3780e2f..afe1b8c 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml 
@@ -5,27 +5,14 @@ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_mount_absent - changed_when: var_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - - - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_mount_present - when: - - required_mount in mount_names + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | warning" + ansible.builtin.import_tasks: warning_facts.yml vars: + warn_control_id: '1.1.3.1' required_mount: '/var' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_3_1 tags: - level2-server diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 742a5d7..4a1deb0 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml 
@@ -6,27 +6,14 @@ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_tmp_mount_absent - changed_when: var_tmp_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - - - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_tmp_mount_present - when: - - required_mount in mount_names + - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" + ansible.builtin.import_tasks: warning_facts.yml vars: + warn_control_id: '1.1.4.1' required_mount: '/var/tmp' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_4_1 tags: - level2-server diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 0fa245b..ccaeb5c 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml 
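Review bot: The new warning task in 1.1.4.1 reuses the name `"1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent"` already used by the debug task directly above it, so the two tasks are indistinguishable in play output. In the 1.1.5.x, 1.1.6.x, 1.1.7.x and 1.1.8.x hunks that follow the import task instead keeps its old name ending in `| Present`, although it now runs only when `required_mount not in mount_names`, and the 1.1.8.x task still says `separate partition exists for /home` inside the /dev/shm rule. Rename them to end in `| warning` as 1.1.2.x and 1.1.3.x do, e.g. `- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | warning"`.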
@@ -5,27 +5,15 @@ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_mount_absent - changed_when: var_log_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_log_mount_present - when: - - required_mount in mount_names + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '1.1.5.1' required_mount: '/var/log' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_5_1 tags: - level2-server diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index a496f43..4191899 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml 
@@ -5,27 +5,15 @@ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_audit_mount_absent - changed_when: var_log_audit_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_log_audit_mount_present - when: - - required_mount in mount_names + ansible.builtin.import_tasks: warning_facts.yml + vars: - required_mount: '/var/log/audit' + warn_control_id: '1.1.6.1' + required_mount: '/var/log/audit' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_6_1 tags: - level2-server diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index dc9ea6a..60192d7 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml 
@@ -5,27 +5,15 @@ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: home_mount_absent - changed_when: home_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: home_mount_present - when: - - required_mount in mount_names + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '1.1.7.1' vars: required_mount: '/home' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_7_1 tags: - level2-server diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index fdaef15..7703ed4 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml 
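Review bot: The added `vars:` carrying `warn_control_id: '1.1.7.1'` is immediately followed by the block's existing `vars:` line holding `required_mount: '/home'`, and the indentation is not recoverable from this rendering; if both ended up at the same level this is a duplicate `vars` key, which most YAML parsers resolve silently by keeping the last mapping and dropping warn_control_id. The sibling 1.1.6.x hunk merges both keys under a single `vars:`, which is the safer shape. Please confirm the indentation here, or merge the two as `vars:` / `warn_control_id: '1.1.7.1'` / `required_mount: '/home'` at block level; yamllint's key-duplicates rule will catch the bad case.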
@@ -6,27 +6,15 @@ - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: home_mount_absent - changed_when: home_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.8.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: home_mount_present - when: - - required_mount in mount_names + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '1.1.8.1' required_mount: '/dev/shm' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_8_1 tags: - level1-server diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 093e900..dcc8e5c 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -81,9 +81,9 @@ - "{{ dnf_configured.stdout_lines }}" - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + ['rule_1.2.3']" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '1.2.3' when: - rhel9cis_rule_1_2_3 tags: diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index bfb9c91..c954f66 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml 
@@ -91,21 +91,16 @@ failed_when: false changed_when: false - - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services" - ansible.builtin.debug: - msg: "Good News! There are no services found on your system" - when: rhelcis_1_6_1_6_unconf_services.stdout | length == 0 - - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" ansible.builtin.debug: msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.6.1.5' ]" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 + vars: + warn_control_id: '1.6.1.6' when: - rhel9cis_rule_1_6_1_6 tags: diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index a59184b..ce02b40 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -25,9 +25,9 @@ - "{{ rhel9cis_2_4_sockets.stdout_lines }}" - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + ['rule_2.4']" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '2.4' when: - rhel9cis_rule_2_4 tags: diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index bbd1ad0..60e769a 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml 
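Review bot: The retained debug message still reads `{{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}` while its own `when` and the new warning task test `rhelcis_1_6_1_6_unconf_services.stdout`; the commit corrects the control id in warn_control_id but leaves this variable name mismatched. If only the `_1_6_1_6` variable is registered (the register line is above the hunk), the debug task fails with an undefined variable precisely when unconfined services exist, i.e. when the warning matters. Change the line to `msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}"`.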
@@ -47,9 +47,7 @@ - not rhel9cis_nft_tables_autonewtable - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_3.4.2.2' ]" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml when: - rhel9cis_3_4_2_2_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable @@ -58,6 +56,8 @@ ansible.builtin.command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" failed_when: false when: rhel9cis_nft_tables_autonewtable + vars: + warn_control_id: '3.4.2.2' when: - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_2 diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index e79b506..ca69e3d 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -122,9 +122,6 @@ - /sbin/auditd - /sbin/augenrules - - debug: - msg: "{{ audit_bins }}" - - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" ansible.builtin.file: path: "{{ item.item }}" diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 474026c..0c53795 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -89,10 +89,10 @@ when: "'static' not in rhel9cis_4_2_2_2_status.stdout" - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml when: "'static' not in rhel9cis_4_2_2_2_status.stdout" + vars: + warn_control_id: '4.2.2.2' when: - rhel9cis_rule_4_2_2_2 tags: diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index a599a4b..9dc785e 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml 
@@ -79,37 +79,37 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited" block: - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^AllowUsers" - line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} + line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}" validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['allowusers']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^AllowGroups" - line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} + line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}" validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^DenyUsers" - line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} + line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}" validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['denyusers']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^DenyGroups" - line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} + line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}" validate: sshd -t -f %s notify: restart sshd when: "rhel9cis_sshd['denygroups']|default('') | length > 0" 
@@ -123,7 +123,7 @@ - rule_5.2.4 - name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#LogLevel|^LogLevel" line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' @@ -138,7 +138,7 @@ - rule_5.2.5 - name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#UsePAM|^UsePAM" line: 'UsePAM yes' @@ -153,7 +153,7 @@ - rule_5.2.6 - name: "5.2.7 | PATCH | Ensure SSH root login is disabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#PermitRootLogin|^PermitRootLogin" line: 'PermitRootLogin no' @@ -168,7 +168,7 @@ - rule_5.2.7 - name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" line: 'HostbasedAuthentication no' @@ -183,7 +183,7 @@ - rule_5.2.8 - name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" line: 'PermitEmptyPasswords no' @@ -198,7 +198,7 @@ - rule_5.2.9 - name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" line: 'PermitUserEnvironment no' @@ -213,7 +213,7 @@ - rule_5.2.10 - name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#IgnoreRhosts|^IgnoreRhosts" line: 'IgnoreRhosts yes' 
@@ -228,7 +228,7 @@ - rule_5.2.11 - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#X11Forwarding|^X11Forwarding" line: 'X11Forwarding no' @@ -243,7 +243,7 @@ - rule_5.2.12 - name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" line: 'AllowTcpForwarding no' @@ -279,7 +279,7 @@ - rule_5.2.14 - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^Banner' line: 'Banner /etc/issue.net' @@ -293,7 +293,7 @@ - rule_5.2.15 - name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries 4' @@ -308,7 +308,7 @@ - rule_5.2.16 - name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#MaxStartups|^MaxStartups" line: 'MaxStartups 10:30:60' @@ -323,7 +323,7 @@ - rule_5.2.17 - name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#MaxSessions|^MaxSessions" line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' @@ -338,7 +338,7 @@ - rule_5.2.18 - name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: "^#LoginGraceTime|^LoginGraceTime" line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" 
@@ -355,14 +355,14 @@ - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured" block: - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" validate: sshd -t -f %s - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" - ansible.builtin.linefile: + ansible.builtin.lineinfile: path: /etc/ssh/sshd_config regexp: '^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index df3478f..5b4704c 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -90,11 +90,6 @@ check_mode: false register: rhel9cis_5_6_1_5_user_list - - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" - ansible.builtin.debug: - msg: "Good News! All accounts have PW change dates that are in the past" - when: rhel9cis_5_6_1_5_user_list.stdout | length == 0 - - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" ansible.builtin.debug: msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" 
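Review bot: The ClientAliveInterval task gets the module-name fix but, unlike the 5.2.4 tasks earlier in this file, has `validate` without a `notify`, so the new idle-timeout values are written to sshd_config while the running daemon keeps the old ones until something else restarts it. Unless a notify is set on the block outside the hunk, add `notify: restart sshd` after the `validate:` line of both 5.2.20 tasks, matching the handler name used by 5.2.4 (the later lint commit on this page renames the handler to `Restart sshd`, so keep the two in step). The enclosing 5.2.20 block continues past the end of the hunk.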
@@ -103,9 +98,7 @@ - not rhel9cis_futurepwchgdate_autofix - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix @@ -117,6 +110,8 @@ - rhel9cis_futurepwchgdate_autofix with_items: - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + vars: + warn_control_id: '5.6.1.5' when: - rhel9cis_rule_5_6_1_5 tags: diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 1457f6e..e2985f8 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -128,12 +128,6 @@ changed_when: false register: rhel_08_6_1_9_perms_results - - name: "6.1.9 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist" - ansible.builtin.debug: - msg: "Good news! We have not found any world-writable files on your system" - when: - - rhel_08_6_1_9_perms_results.stdout is not defined - - name: "6.1.9 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" ansible.builtin.file: path: '{{ item }}' 
@@ -169,11 +163,20 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: - msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + msg: "Warning !! Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" with_items: "{{ rhel_08_6_1_10_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 + + - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.1.10' + when: + - item.stdout_lines is defined + - item.stdout_lines | length > 0 + when: - rhel9cis_rule_6_1_10 tags: @@ -199,11 +202,19 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: - msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + msg: "Warning !! Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" with_items: "{{ rhel_08_6_1_11_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 + + - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.1.11' + when: + - item.stdout_lines is defined + - item.stdout_lines | length > 0 when: - rhel9cis_rule_6_1_11 tags: 
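Review bot: The new warning tasks for 6.1.10 and 6.1.11 are conditioned on `item.stdout_lines`, but `item` is the loop variable of the preceding debug task and is not defined for an `import_tasks` that has no loop of its own, so the condition raises an undefined-variable error (or, with undefined-variable errors disabled, never fires) and the warning is never counted. Derive the condition from the registered result instead, e.g. `when: rhel_08_6_1_10_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten | length > 0`, and the `rhel_08_6_1_11_audit` equivalent in the second hunk. A single un-looped import is the right shape here, since one warning per control is wanted rather than one per mount.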
@@ -239,20 +250,19 @@ loop_control: label: "{{ item.mount }}" - - name: "6.1.13 | AUDIT | Audit SUID executables | Alert no SUID executables exist" - ansible.builtin.debug: - msg: "Good news! We have not found any SUID executable files on your system" - failed_when: false - changed_when: false - when: - - rhel_08_6_1_13_perms_results.stdout is not defined - - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: - msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" + msg: "Warning!! Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" with_items: "{{ rhel_08_6_1_13_perms_results.stdout_lines }}" when: - rhel_08_6_1_13_perms_results.stdout is defined + + - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.1.13' + when: + - rhel_08_6_1_13_perms_results.stdout is defined when: - rhel9cis_rule_6_1_13 tags: 
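Review bot: The rewritten message line keeps two pre-existing errors: `item.stout_lines` is a typo for `stdout_lines`, and the loop iterates `rhel_08_6_1_13_perms_results.stdout_lines`, which are plain strings, so `item.item.mount` and `item.stout_lines` are attribute lookups on a string and the task will fail or print nothing useful. Either loop over per-mount results and use `item.stdout_lines` as 6.1.10 does, or drop the loop and print `rhel_08_6_1_13_perms_results.stdout_lines` once; the register statement is above the hunk so I cannot tell which shape the variable has. The 6.1.14 hunk on the next line has the identical `stout_lines` / `item.item.mount` problem in its unchanged message line, and its new task name `Audit SGID executables| warning` is missing the space before the separator.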
@@ -274,20 +284,19 @@ loop_control: label: "{{ item.mount }}" - - name: "6.1.14 | AUDIT | Audit SGID executables | Alert no SGID executables exist" - ansible.builtin.debug: - msg: "Good news! We have not found any SGID executable files on your system" - failed_when: false - changed_when: false - when: - - rhel_08_6_1_14_perms_results.stdout is not defined - - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}" when: - rhel_08_6_1_14_perms_results.stdout is defined + + - name: "6.1.14 | AUDIT | Audit SGID executables| warning" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.1.14' + when: + - rhel_08_6_1_14_perms_results.stdout is defined when: - rhel9cis_rule_6_1_14 tags: @@ -323,15 +332,12 @@ The file list can be found in {{ rhel9cis_rpm_audit_file }}" - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_6.1.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.1.15' + when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 + - - name: "6.1.15 | AUDIT | Audit system file permissions | Message out no package descrepancies" - ansible.builtin.debug: - msg: "Good News! There are no package descrepancies" - when: rhel9cis_6_1_15_packages_rpm.stdout|length == 0 when: - rhel9cis_rule_6_1_15 tags: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index a280cab..30fe5fe 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
@@ -86,11 +86,6 @@ failed_when: false register: rhel9cis_6_2_4_user_uid_check - - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" - ansible.builtin.debug: - msg: "Good News! There are no duplicate UID's in the system" - when: rhel9cis_6_2_4_user_uid_check.stdout | length == 0 - - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" ansible.builtin.debug: msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}" @@ -98,9 +93,9 @@ - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: '6.2.4' when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 + vars: + warn_control_id: '6.2.4' when: - rhel9cis_rule_6_2_4 tags: @@ -119,11 +114,6 @@ failed_when: false register: rhel9cis_6_2_5_user_user_check - - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" - ansible.builtin.debug: - msg: "Good News! There are no duplicate GIDs in the system" - when: rhel9cis_6_2_5_user_user_check.stdout | length == 0 - - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" ansible.builtin.debug: msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_5_user_user_check.stdout_lines }}" diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml new file mode 100644 index 0000000..37560bd --- /dev/null +++ b/tasks/warning_facts.yml 
@@ -0,0 +1,20 @@ +--- + +# This task is used to create variables used in giving a warning summary for manual tasks +# that need attention +# +# The warn_control_list and warn_count vars start life in vars/main.yml but get updated +# as the tasks that have a warning complete +# +# Those two variables are used in the tasks/main.yml to display a list of warnings +# +# warn_control_id is set within the task itself and has the control ID as the value +# +# warn_control_list is the main variable to be used and is a list made up of the warn_control_id’s +# +# warn_count the main variable for the number of warnings and each time a warn_control_id is added +# the count increases by a value of 1 +- name: "NO CONTROL ID | AUDIT | Set fact for manual task warning." + ansible.builtin.set_fact: + warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" + warn_count: "{{ warn_count | int + 1 }}" From acf0104f7afe46ee10ce472a4689551e6e25e1eb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 12:10:18 +0000 Subject: [PATCH 029/143] lint updates 
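Review bot: `warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]"` performs string concatenation, not a list append: the rendered value is text such as `[] [1.1.2.1]`, so after the first call warn_control_list is no longer a list and the summary in tasks/main.yml that the header comment describes presumably cannot iterate or count it. Use a Jinja list expression, `warn_control_list: "{{ warn_control_list + [warn_control_id] }}"`, which keeps the fact a list (every call site on this page passes warn_control_id as a string, so nothing inside the brackets needs quoting). `warn_count` works as written because consumers apply `| int`, but set_fact stores it as a string, which the comment could say. The header comment also contains a curly apostrophe in `warn_control_id’s`; a plain ASCII one avoids encoding surprises in tooling.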
Signed-off-by: Mark Bolwell --- handlers/main.yml | 93 +++++++++++++----------------- site.yml | 1 + tasks/LE_audit_setup.yml | 10 ++-- tasks/auditd.yml | 12 ++-- tasks/check_prereqs.yml | 2 +- tasks/main.yml | 60 +++++++++---------- tasks/parse_etc_password.yml | 4 +- tasks/post.yml | 24 ++++---- tasks/post_remediation_audit.yml | 14 ++--- tasks/pre_remediation_audit.yml | 28 ++++----- tasks/prelim.yml | 42 +++++++------- tasks/section_1/cis_1.1.2.x.yml | 4 +- tasks/section_1/cis_1.1.3.x.yml | 2 +- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 6 +- tasks/section_1/cis_1.1.7.x.yml | 2 +- tasks/section_1/cis_1.1.8.x.yml | 2 +- tasks/section_1/cis_1.10.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 2 +- tasks/section_1/cis_1.3.x.yml | 2 +- tasks/section_1/cis_1.8.x.yml | 6 +- tasks/section_1/cis_1.9.yml | 2 +- tasks/section_2/cis_2.2.x.yml | 4 +- tasks/section_3/cis_3.1.x.yml | 6 +- tasks/section_4/cis_4.1.2.x.yml | 8 +-- tasks/section_4/cis_4.1.4.x.yml | 6 +- tasks/section_4/cis_4.2.1.x.yml | 26 ++++----- tasks/section_4/cis_4.2.2.x.yml | 12 ++-- tasks/section_5/cis_5.2.x.yml | 10 ++-- tasks/section_5/cis_5.6.1.x.yml | 10 ++-- tasks/section_6/cis_6.1.x.yml | 2 +- templates/ansible_vars_goss.yml.j2 | 2 +- vars/main.yml | 2 +- 34 files changed, 199 insertions(+), 213 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 6b47f85..404d74b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,14 +1,13 @@ --- # handlers file for RHEL9-CIS -- name: reload sysctl - shell: sysctl --system +- name: Reload sysctl + ansible.builtin.shell: sysctl --system when: - sysctl_updated.changed -- name: sysctl flush ipv4 route table - become: true - sysctl: +- name: Sysctl flush ipv4 route table + ansible.posix.sysctl: name: net.ipv4.route.flush value: '1' sysctl_set: true 
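Review bot: Handler names are matched case-sensitively by `notify`, so renaming `reload sysctl`, `restart sshd`, `restart firewalld` and the other handlers to capitalised names requires every notify in the task files to change in the same commit; this patch updates tasks/auditd.yml, but the cis_5.2.x.yml hunks earlier on this page still carry `notify: restart sshd`, and I cannot see from here whether the 10-line change to that file covers them. Any caller left on the old name fails at runtime with "could not find handler". The same applies to the handler hunks on the following lines (`Systemd restart tmp.mount`, `Restart rsyslog`, `Change_requires_reboot`); a grep for the old lower-case names across tasks/ before merging would settle it.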
@@ -16,12 +15,9 @@ when: - flush_ipv4_route - not system_is_container - tags: - - skip_ansible_lint -- name: sysctl flush ipv6 route table - become: true - sysctl: +- name: Sysctl flush ipv6 route table + ansible.posix.sysctl: name: net.ipv6.route.flush value: '1' sysctl_set: true 
@@ -29,92 +25,81 @@ - flush_ipv6_route - not system_is_container -- name: systemd restart tmp.mount - become: true - systemd: +- name: Systemd restart tmp.mount + ansible.builtin.systemd: name: tmp.mount - daemon_reload: true + daemon_Reload: true enabled: true masked: false - state: reloaded + state: Reloaded -- name: systemd restart var-tmp.mount - become: true - systemd: - name: var-tmp.mount - daemon_reload: true - enabled: true - masked: false - state: reloaded +- name: Remount tmp + ansible.posix.mount: + path: /tmp + state: remounted -- name: remount tmp - ansible.posix.mount: - path: /tmp - state: remounted - -- name: restart firewalld - service: +- name: Restart firewalld + ansible.builtin.systemd: name: firewalld state: restarted -- name: restart sshd - service: +- name: Restart sshd + ansible.builtin.systemd: name: sshd state: restarted -- name: restart postfix - service: +- name: Restart postfix + ansible.builtin.systemd: name: postfix state: restarted -- name: reload dconf - shell: dconf update +- name: Reload dconf + ansible.builtin.shell: dconf update - name: grub2cfg - shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" + ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" ignore_errors: true # noqa ignore-errors tags: - skip_ansible_lint -- name: restart rsyslog - become: true - service: +- name: Restart rsyslog + ansible.builtin.systemd: name: rsyslog state: restarted -- name: restart journald - service: +- name: Restart journald + ansible.builtin.systemd: name: systemd-journald state: restarted -- name: restart systemd_journal_upload - service: +- name: Restart systemd_journal_upload + ansible.builtin.systemd: name: systemd-journal-upload state: restarted -- name: systemd_daemon_reload - systemd: +- name: Systemd_daemon_Reload + ansible.builtin.systemd: daemon-reload: true ## Auditd tasks note order for handlers to run -- name: auditd_immutable_check - shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules +- name: 
Auditd_immutable_check + ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules changed_when: false register: auditd_immutable_check -- name: audit_immutable_fact - debug: +- name: Audit_immutable_fact + ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" notify: change_requires_reboot when: - auditd_immutable_check.stdout == '1' -- name: restart auditd - shell: service auditd restart +- name: Restart auditd + ansible.builtin.shell: service auditd restart tags: - skip_ansible_lint -- name: change_requires_reboot - set_fact: +- name: Change_requires_reboot + ansible.builtin.set_fact: change_requires_reboot: true diff --git a/site.yml b/site.yml index 4446d3e..148ca0b 100644 --- a/site.yml +++ b/site.yml @@ -1,4 +1,5 @@ --- + - hosts: all become: true roles: diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 98f3855..bc929ae 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,7 +1,7 @@ --- - name: Download audit binary - get_url: + ansible.builtin.get_url: url: "{{ goss_url }}" dest: "{{ audit_bin }}" owner: root @@ -11,8 +11,8 @@ when: - get_goss_file == 'download' -- name: copy audit binary - copy: +- name: Copy audit binary + ansible.builtin.copy: src: dest: "{{ audit_bin }}" mode: 0555 @@ -21,8 +21,8 @@ when: - get_goss_file == 'copy' -- name: install git if not present - package: +- name: Install git if not present + ansible.builtin.package: name: git state: present register: git_installed diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 74830ca..a36a744 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -1,7 +1,7 @@ --- - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added - template: + ansible.builtin.template: src: audit/99_auditd.rules.j2 dest: /etc/audit/rules.d/99_auditd.rules owner: root 
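Review bot: The `Systemd restart tmp.mount` handler now reads `daemon_Reload: true` and `state: Reloaded`; these look like collateral from a case-sensitive replace of `reload` with `Reload`, and neither is accepted by ansible.builtin.systemd (the parameter is `daemon_reload` and the state value `reloaded`), so the handler errors the first time a tmp.mount change notifies it. Restore `daemon_reload: true` and `state: reloaded`. Separately, the `systemd restart var-tmp.mount` handler is deleted outright, so any task still notifying it will fail; the /var/tmp tasks are not on this page, so please confirm no caller remains.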
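Review bot: The `src:` under `ansible.builtin.copy` in the Copy audit binary task has no value, which YAML reads as null, so the module fails argument validation whenever `get_goss_file == 'copy'`; this hunk only changes the module name around it. If the path is meant to be supplied by the operator, say so with a comment such as `# src: controller-side path of the audit binary, required when get_goss_file == 'copy'`, or better, take it from a role variable and gate the task on that variable being defined.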
@@ -9,18 +9,18 @@ mode: 0600 register: audit_rules_updated notify: - - auditd_immutable_check - - audit_immutable_fact - - restart auditd + - Auditd_immutable_check + - Audit_immutable_fact + - Restart auditd - name: POST | Set up auditd user logging exceptions - template: + ansible.builtin.template: src: audit/98_auditd_exception.rules.j2 dest: /etc/audit/rules.d/98_auditd_exceptions.rules owner: root group: root mode: 0600 - notify: restart auditd + notify: Restart auditd when: - allow_auditd_uid_user_exclusions - rhel9cis_auditd_uid_exclude | length > 0 diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml index abe6248..dcfee57 100644 --- a/tasks/check_prereqs.yml +++ b/tasks/check_prereqs.yml @@ -1,7 +1,7 @@ --- - name: "PREREQ | If required install libselinux package to manage file changes." - package: + ansible.builtin.package: name: libselinux-python3 state: present when: diff --git a/tasks/main.yml b/tasks/main.yml index d1918d2..8229390 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,7 +2,7 @@ # tasks file for RHEL9-CIS - name: Check OS version and family - assert: + ansible.builtin.assert: that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" @@ -13,7 +13,7 @@ - always - name: Check ansible version - assert: + ansible.builtin.assert: that: ansible_version.full is version_compare(min_ansible_version, '>=') fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" 
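Review bot: The package name `libselinux-python3` here differs from `python3-libselinux` installed by the `PRELIM | Ensure python3-libselinux is installed` task in prelim.yml; on EL9 the shipped package is `python3-libselinux`, so confirm the older name still resolves (it may only work through a Provides alias) or align both tasks on the one name. The task's `when:` list continues outside the hunk.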
@@ -23,14 +23,14 @@ - name: "Check password set for {{ ansible_user }}" block: - name: Capture current password state of "{{ ansible_user }}" - shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" + ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false register: ansible_user_password_set - name: "Assert that password set for {{ ansible_user }} and account not locked" - assert: + ansible.builtin.assert: that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" success_msg: "You a password set for the {{ ansible_user }}" @@ -45,15 +45,15 @@ - name: Setup rules if container block: - name: Discover and set container variable if required - set_fact: + ansible.builtin.set_fact: system_is_container: true - name: Load variable for container - include_vars: + ansible.builtin.include_vars: file: "{{ container_vars_file }}" - - name: output if discovered is a container - debug: + - name: Output if discovered is a container + ansible.builtin.debug: msg: system has been discovered as a container when: - system_is_container @@ -65,13 +65,13 @@ - always - name: Check crypto-policy input - assert: + ansible.builtin.assert: that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies fail_msg: "Crypto policy is not a permitted version" success_msg: "Crypto policy is a permitted version" - name: Check rhel9cis_bootloader_password_hash variable has been changed - assert: + ansible.builtin.assert: that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" when: 
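Review bot: `grep {{ ansible_user }} /etc/shadow` is unanchored and unquoted, so it also matches any account whose name merely contains the user (e.g. `bob` matching `bobby`) and whatever line comes first decides the result; anchor the lookup, `ansible.builtin.shell: "grep '^{{ ansible_user }}:' /etc/shadow | awk -F: '{print $2}'"`. The assert only treats `!!` as locked, while a hash prefixed with `!` or `*` also blocks password login and would pass this check — worth covering if the intent is to guarantee sudo-with-password keeps working. The `success_msg` reads "You a password set"; it should say "You have a password set". The block's `when:` and tags are outside the hunk.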
@@ -80,10 +80,10 @@ tags: - always -- name: "check sugroup exists if used" +- name: Check sugroup exists if used block: - name: "Check su group exists if defined" - shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group + ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group register: sugroup_exists changed_when: false failed_when: sugroup_exists.rc >= 2 @@ -91,7 +91,7 @@ - skip_ansible_lint - name: Check sugroup if defined exists before continuing - assert: + ansible.builtin.assert: that: sugroup_exists.rc == 0 msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" when: @@ -101,35 +101,35 @@ - rule_5.7 - name: Gather the package facts - package_facts: + ansible.builtin.package_facts: manager: auto tags: - always - name: Include OS specific variables - include_vars: "{{ ansible_distribution }}.yml" + ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" tags: - always - name: Include preliminary steps - import_tasks: prelim.yml + ansible.builtin.import_tasks: prelim.yml tags: - prelim_tasks - always - name: run pre_remediation audit - include_tasks: pre_remediation_audit.yml + ansible.builtin.include_tasks: pre_remediation_audit.yml when: - run_audit - name: Gather the package facts after prelim - package_facts: + ansible.builtin.package_facts: manager: auto tags: - always - name: capture /etc/password variables - include_tasks: parse_etc_password.yml + ansible.builtin.include_tasks: parse_etc_password.yml when: - rhel9cis_section6 tags: 
@@ -142,67 +142,67 @@ - rhel9cis_section6 - name: run Section 1 tasks - import_tasks: section_1/main.yml + ansible.builtin.import_tasks: section_1/main.yml when: rhel9cis_section1 tags: - rhel9cis_section1 - name: run Section 2 tasks - import_tasks: section_2/main.yml + ansible.builtin.import_tasks: section_2/main.yml when: rhel9cis_section2 tags: - rhel9cis_section2 - name: run Section 3 tasks - import_tasks: section_3/main.yml + ansible.builtin.import_tasks: section_3/main.yml when: rhel9cis_section3 tags: - rhel9cis_section3 - name: run Section 4 tasks - import_tasks: section_4/main.yml + ansible.builtin.import_tasks: section_4/main.yml when: rhel9cis_section4 tags: - rhel9cis_section4 - name: run Section 5 tasks - import_tasks: section_5/main.yml + ansible.builtin.import_tasks: section_5/main.yml when: rhel9cis_section5 tags: - rhel9cis_section5 - name: run Section 6 tasks - import_tasks: section_6/main.yml + ansible.builtin.import_tasks: section_6/main.yml when: rhel9cis_section6 tags: - rhel9cis_section6 - name: run auditd logic - import_tasks: auditd.yml + ansible.builtin.import_tasks: auditd.yml when: - update_audit_template tags: - always - name: run post remediation tasks - import_tasks: post.yml + ansible.builtin.import_tasks: post.yml tags: - post_tasks - always - name: run post_remediation audit - import_tasks: post_remediation_audit.yml + ansible.builtin.import_tasks: post_remediation_audit.yml when: - run_audit - name: Show Audit Summary - debug: + ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" when: - run_audit - name: If Warnings found Output count and control IDs affected - debug: + ansible.builtin.debug: msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" when: warn_count != 0 tags: diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 6a9ef7b..76cb085 100644 --- a/tasks/parse_etc_password.yml 
+++ b/tasks/parse_etc_password.yml @@ -3,13 +3,13 @@ - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" block: - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - shell: cat /etc/passwd + ansible.builtin.shell: cat /etc/passwd changed_when: false check_mode: false register: rhel9cis_passwd_file_audit - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries" - set_fact: + ansible.builtin.set_fact: rhel9cis_passwd: "{{ rhel9cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" with_items: "{{ rhel9cis_passwd_file_audit.stdout_lines }}" vars: diff --git a/tasks/post.yml b/tasks/post.yml index 0d1260d..7f8b1fb 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -2,25 +2,25 @@ # Post tasks - name: Perform DNF package cleanup - dnf: + ansible.builtin.package: autoremove: true changed_when: false - name: Gather the package facts after remediation - package_facts: + ansible.builtin.package_facts: manager: auto tags: - always -- name: update sysctl - template: +- name: Update sysctl + ansible.builtin.template: src: "etc/sysctl.d/{{ item }}.j2" dest: "/etc/sysctl.d/{{ item }}" owner: root group: root mode: 0600 register: sysctl_updated - notify: reload sysctl + notify: Reload sysctl with_items: - 60-kernel_sysctl.conf - 60-disable_ipv6.conf 
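Review bot: Switching the cleanup task from `dnf:` to `ansible.builtin.package:` relies on the package action plugin forwarding `autoremove: true` to the detected backend; `package` documents only `name`, `state` and `use`, so confirm this passes argument validation and consider keeping `ansible.builtin.dnf:` for this one task, since the role is RHEL 9 only. `changed_when: false` on an autoremove hides real package removals from the recap and should be dropped. `notify: Reload sysctl` assumes a handler of exactly that name survives the renaming in handlers/main.yml; that file's hunk starts at line 29, so the sysctl handler is not visible here.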
@@ -31,29 +31,29 @@ - not system_is_container - "'procps-ng' in ansible_facts.packages" -- name: flush handlers - meta: flush_handlers +- name: Flush handlers + ansible.builtin.meta: flush_handlers - name: POST | reboot system if changes require it and not skipped block: - name: POST | Reboot system if changes require it and not skipped - reboot: + ansible.builtin.reboot: when: - - change_requires_reboot + - Change_requires_reboot - not skip_reboot - name: POST | Warning a reboot required but skip option set - debug: + ansible.builtin.debug: msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true when: - - change_requires_reboot + - Change_requires_reboot - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" ansible.builtin.import_tasks: warning_facts.yml when: - - change_requires_reboot + - Change_requires_reboot - skip_reboot vars: warn_control_id: Reboot_required diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 599e104..0eb7608 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,13 +1,13 @@ --- - name: "Post Audit | Run post_remediation {{ benchmark }} audit" - shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_post_remediation.rc == 0 register: audit_run_post_remediation - name: Post Audit | ensure audit files readable by users - file: + ansible.builtin.file: path: "{{ item }}" mode: 0644 state: file 
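Review bot: The three conditions now test `Change_requires_reboot`, but that is the handler's name, not a variable; the fact the handler sets is still `change_requires_reboot: true` (handlers/main.yml in this same commit), so `Change_requires_reboot` is undefined and each of these `when:` checks will abort the play with an undefined-variable error instead of skipping. Revert the conditions to `- change_requires_reboot`; only `notify:` references needed the capitalised spelling. Without the fix the reboot/warning logic of post.yml never runs on a remediated host.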
@@ -17,13 +17,13 @@ - name: Post Audit | Capture audit data if json format block: - - name: "capture data {{ post_audit_outfile }}" - shell: "cat {{ post_audit_outfile }}" + - name: "Capture data {{ post_audit_outfile }}" + ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false - name: Capture post-audit result - set_fact: + ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' @@ -33,12 +33,12 @@ - name: Post Audit | Capture audit data if documentation format block: - name: "Post Audit | capture data {{ post_audit_outfile }}" - shell: "tail -2 {{ post_audit_outfile }}" + ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false - name: Post Audit | Capture post-audit result - set_fact: + ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" when: - audit_format == "documentation" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 94e9bcf..96f16fe 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,20 +1,20 @@ --- - name: Pre Audit | Setup the audit - include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: LE_audit_setup.yml when: - setup_audit tags: - setup_audit - name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" - file: + ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' - name: Pre Audit | retrieve audit content files from git - git: + ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" version: "{{ audit_git_version }}" @@ -22,7 +22,7 @@ - audit_content == 'git' - name: Pre Audit | copy to audit content files to server - copy: + ansible.builtin.copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dir }}" mode: 0644 
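Review bot: The `ensure audit files readable by users` task sets `mode: 0644` on the audit output, which lists exactly which controls still fail on this host, and makes that list readable by every local account. Unless non-root users genuinely need the report, `mode: '0640'` with root ownership is the safer default; this is pre-existing and the task's `with_items`/`when` continue outside the hunk. The mode is also an unquoted octal integer while pre_remediation_audit.yml writes `'0755'`; the quoted form avoids YAML octal surprises and should be used consistently.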
@@ -30,7 +30,7 @@ - audit_content == 'copy' - name: Pre Audit | get audit content from url - get_url: + ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" owner: root @@ -42,12 +42,12 @@ - name: Pre Audit | Check Goss is available block: - name: Pre Audit | Check for goss file - stat: + ansible.builtin.stat: path: "{{ audit_bin }}" register: goss_available - name: Pre Audit | Alert if goss not available - assert: + ansible.builtin.assert: that: goss_available.stat.exists fail_msg: "Audit binary file {{ audit_bin }} does not exist" success_msg: "Audit binary file {{ audit_bin }} exists" @@ -55,14 +55,14 @@ - run_audit - name: "Pre Audit | Check whether machine is UEFI-based" - stat: + ansible.builtin.stat: path: /sys/firmware/efi register: rhel9_efi_boot tags: - goss_template - name: Pre Audit | Copy ansible default vars values to test audit - template: + ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: 0600 @@ -72,7 +72,7 @@ - goss_template - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_pre_remediation.rc == 0 register: audit_run_pre_remediation @@ -80,12 +80,12 @@ - name: Pre Audit | Capture audit data if json format block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - shell: "cat {{ pre_audit_outfile }}" + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result - set_fact: + ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' 
@@ -95,12 +95,12 @@ - name: Pre Audit | Capture audit data if documentation format block: - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - shell: "tail -2 {{ pre_audit_outfile }}" + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result - set_fact: + ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: - audit_format == "documentation" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index d133108..eaae1a3 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -3,7 +3,7 @@ # Preliminary tasks that should always be run # List users in order to look files inside each home directory - name: "PRELIM | List users accounts" - shell: "awk -F: '{print $1}' /etc/passwd" + ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd" changed_when: false check_mode: false register: users @@ -13,7 +13,7 @@ - users - name: "PRELIM | Gather accounts with empty password fields" - shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" + ansible.builtin.shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" changed_when: false check_mode: false register: empty_password_accounts @@ -23,7 +23,7 @@ - passwords - name: "PRELIM | Gather UID 0 accounts other than root" - shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" + ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" changed_when: false check_mode: false register: rhel9cis_uid_zero_accounts_except_root 
@@ -36,14 +36,14 @@ - name: "PRELIM | Setup crypto-policy" block: - name: "PRELIM | Install crypto-policies" - dnf: + ansible.builtin.package: name: - crypto-policies - crypto-policies-scripts state: present - name: "PRELIM | Gather system-wide crypto-policy" - shell: update-crypto-policies --show + ansible.builtin.shell: update-crypto-policies --show changed_when: false check_mode: false register: system_wide_crypto_policy @@ -56,7 +56,7 @@ - crypto - name: "PRELIM | if systemd coredump" - stat: + ansible.builtin.stat: path: /etc/systemd/coredump.conf register: systemd_coredump when: @@ -68,14 +68,14 @@ - systemd - name: "PRELIM | Section 1.1 | Create list of mount points" - set_fact: + ansible.builtin.set_fact: mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" tags: - level1-server - level1-workstation - name: "PRELIM | Ensure python3-libselinux is installed" - package: + ansible.builtin.package: name: python3-libselinux state: present when: @@ -84,23 +84,23 @@ - name: "PRELIM | Set facts based on boot type" block: - name: "PRELIM | Check whether machine is UEFI-based" - stat: + ansible.builtin.stat: path: /sys/firmware/efi register: rhel_09_efi_boot - name: "PRELIM | AUDIT | set legacy boot and grub path | Bios" - set_fact: + ansible.builtin.set_fact: rhel9cis_legacy_boot: true grub2_path: /etc/grub2.cfg when: not rhel_09_efi_boot.stat.exists - name: "PRELIM | set grub fact | UEFI" - set_fact: + ansible.builtin.set_fact: grub2_path: /etc/grub2-efi.cfg when: rhel_09_efi_boot.stat.exists - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" - package: + ansible.builtin.package: name: audit state: present become: true @@ -135,7 +135,7 @@ - rule_4.1.4.7 - name: "PRELIM | Section 5.1 | Configure cron" - package: + ansible.builtin.package: name: cronie state: present become: true @@ -149,7 +149,7 @@ - cron - name: "PRELIM | Install authconfig" - package: + ansible.builtin.package: name: authconfig state: present become: true 
@@ -170,7 +170,7 @@ - auditd - name: "PRELIM | 5.3.4 | Find all sudoers files." - command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" + ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false failed_when: false check_mode: false @@ -183,7 +183,7 @@ - rule_5.3.5 - name: "PRELIM | Check for rhnsd service" - shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" + ansible.builtin.shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" changed_when: false check_mode: false become: true @@ -198,28 +198,28 @@ - name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" block: - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" - shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' + ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_min_id - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" - shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' + ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_max_id - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" - shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' + ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: gid_min_id - name: "PRELIM | AUDIT | set_facts for interactive uid/gid" - set_fact: + ansible.builtin.set_fact: min_int_uid: "{{ uid_min_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" - name: Output of uid findings - debug: + ansible.builtin.debug: msg: "{{ min_int_uid }} {{ max_int_uid }}" when: diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 118f93b..d4a7f7d 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml 
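Review bot: Replacing `ansible.builtin.command` with `ansible.builtin.shell` for the sudoers `find` (and likewise for `dnf repolist` in cis_1.2.x.yml, `aide --init` in cis_1.3.x.yml, the `rpm`/`nmcli` calls in cis_3.1.x.yml and `cat /etc/rsyslog.conf` in cis_4.2.1.x.yml) is a regression: none of these use pipes, redirects or shell variables, so `shell` only adds a `/bin/sh` layer with globbing and word-splitting semantics and trips ansible-lint's `command-instead-of-shell` rule. Keep `ansible.builtin.command:` for fixed argument lists and reserve `shell` for tasks that really pipe, such as the `login.defs` grep|awk tasks later in this file. The find task's `when:` and tags are outside the hunk.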
@@ -32,7 +32,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} - notify: remount tmp + notify: Remount tmp with_items: - "{{ ansible_mounts }}" loop_control: @@ -64,7 +64,7 @@ owner: root group: root mode: 0644 - notify: systemd restart tmp.mount + notify: Systemd restart tmp.mount when: - rhel9cis_tmp_svc - rhel9cis_rule_1_1_2_1 or diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index afe1b8c..7ea30d9 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -35,7 +35,7 @@ - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" - notify: change_requires_reboot + notify: Change_requires_reboot when: - var_mount_present is defined - item.mount == "/var" diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 4a1deb0..b32260b 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -37,7 +37,7 @@ - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" - notify: change_requires_reboot + notify: Change_requires_reboot when: - var_tmp_mount_present is defined - item.mount == "/var/tmp" diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index ccaeb5c..da3c0e8 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -37,7 +37,7 @@ - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" - notify: change_requires_reboot + notify: Change_requires_reboot when: - var_log_mount_present is defined - item.mount == "/var/log" diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 4191899..b030e8f 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml 
@@ -10,8 +10,8 @@ ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: '1.1.6.1' - required_mount: '/var/log/audit' + warn_control_id: '1.1.6.1' + required_mount: '/var/log/audit' when: - required_mount not in mount_names - rhel9cis_rule_1_1_6_1 @@ -36,7 +36,7 @@ - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" - notify: change_requires_reboot + notify: Change_requires_reboot when: - var_log_audit_mount_present is defined - item.mount == "/var/log/audit" diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 60192d7..946572c 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -36,7 +36,7 @@ - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" - notify: change_requires_reboot + notify: Change_requires_reboot when: - home_mount_present is defined - item.mount == "/home" diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 7703ed4..3b85af3 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -34,7 +34,7 @@ fstype: tmpfs state: mounted opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %} - notify: change_requires_reboot + notify: Change_requires_reboot when: - rhel9cis_rule_1_1_8_2 or rhel9cis_rule_1_1_8_3 or diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index 1b0d2a2..c43e445 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -4,7 +4,7 @@ ansible.builtin.shell: | update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" update-crypto-policies - notify: change_requires_reboot + notify: Change_requires_reboot when: - rhel9cis_rule_1_10 - system_wide_crypto_policy['stdout'] == 'LEGACY' diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index dcc8e5c..99f24ea 100644 --- a/tasks/section_1/cis_1.2.x.yml 
+++ b/tasks/section_1/cis_1.2.x.yml @@ -68,7 +68,7 @@ - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured" block: - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Get repo list" - ansible.builtin.command: dnf repolist + ansible.builtin.shell: dnf repolist changed_when: false failed_when: false register: dnf_configured diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 607065c..cf20cb9 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -8,7 +8,7 @@ state: present - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - ansible.builtin.command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + ansible.builtin.shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' changed_when: false failed_when: false async: 45 diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index fe690c5..20be846 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -25,7 +25,7 @@ owner: root group: root mode: 0644 - notify: reload dconf + notify: Reload dconf with_items: - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } @@ -54,7 +54,7 @@ owner: root group: root mode: 0644 - notify: reload dconf + notify: Reload dconf with_items: - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } @@ -81,7 +81,7 @@ owner: root group: root mode: 0644 - notify: reload dconf + notify: Reload dconf with_items: - { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' } - { regex: 'automount=', line: 'automount=false' } diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index 37ede1b..e226948 100644 
--- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -4,7 +4,7 @@ ansible.builtin.package: name: "*" state: latest - notify: change_requires_reboot + notify: Change_requires_reboot when: - rhel9cis_rule_1_9 - not system_is_ec2 diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 4f1be78..aac8a27 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -228,7 +228,7 @@ ansible.builtin.package: name: dnsmasq state: absent - notify: restart postfix + notify: Restart postfix when: - not rhel9cis_is_mail_server - "'dnsmasq' in ansible_facts.packages" @@ -245,7 +245,7 @@ path: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" line: "inet_interfaces = loopback-only" - notify: restart postfix + notify: Restart postfix when: - not rhel9cis_is_mail_server - "'postfix' in ansible_facts.packages" diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 9e1e484..b2e104a 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -27,21 +27,21 @@ - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" block: - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" - ansible.builtin.command: rpm -q NetworkManager + ansible.builtin.shell: rpm -q NetworkManager changed_when: false failed_when: false check_mode: false register: rhel_08_nmcli_available - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" - ansible.builtin.command: nmcli radio wifi + ansible.builtin.shell: nmcli radio wifi register: rhel_08_wifi_enabled changed_when: rhel_08_wifi_enabled.stdout != "disabled" failed_when: false when: rhel_08_nmcli_available.rc == 0 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" - ansible.builtin.command: nmcli radio all off + ansible.builtin.shell: nmcli radio all off changed_when: false failed_when: false when: rhel_08_wifi_enabled is changed diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index 9850ce4..2473e87 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -5,7 +5,7 @@ path: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" line: "max_log_file = {{ rhel9cis_max_log_file_size }}" - notify: restart auditd + notify: Restart auditd when: - rhel9cis_rule_4_1_2_1 tags: @@ -21,7 +21,7 @@ path: /etc/audit/auditd.conf regexp: "^max_log_file_action" line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" - notify: restart auditd + notify: Restart auditd when: - rhel9cis_rule_4_1_2_2 tags: @@ -36,7 +36,7 @@ path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - notify: restart auditd + notify: Restart auditd with_items: - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' } - { regexp: '^action_mail_acct', line: 'action_mail_acct = {{ rhel9cis_auditd.action_mail_acct }}' } 
@@ -56,7 +56,7 @@ regexp: "^{{ item }}( |=)" line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}" loop: "{{ rhel9cis_auditd_extra_conf.keys() }}" - notify: restart auditd + notify: Restart auditd when: - rhel9cis_auditd_extra_conf.keys() | length > 0 tags: diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index ca69e3d..5ee9b55 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -64,9 +64,9 @@ loop: "{{ auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" - when: - - item.mode != '06(0|4)0' - - rhel9cis_rule_4_1_4_5 + when: + - item.mode != '06(0|4)0' + - rhel9cis_rule_4_1_4_5 tags: - level2-server - level2-workstation diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index b1a20a9..5ff7e75 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -32,10 +32,10 @@ path: /etc/systemd/journald.conf regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" line: ForwardToSyslog=yes - notify: restart rsyslog + notify: Restart rsyslog when: - rhel9cis_rule_4_2_1_3 - - rhel9cis_preferred_log_capture == "rsyslog" + - rhel9cis_syslog == "rsyslog" tags: - level1-server - level1-workstation @@ -47,7 +47,7 @@ path: /etc/rsyslog.conf regexp: '^\$FileCreateMode' line: '$FileCreateMode 0640' - notify: restart rsyslog + notify: Restart rsyslog when: - rhel9cis_rule_4_2_1_4 tags: @@ -60,7 +60,7 @@ - name: "4.2.1.5 | PATCH | Ensure logging is configured" block: - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" - ansible.builtin.command: cat /etc/rsyslog.conf + ansible.builtin.shell: cat /etc/rsyslog.conf changed_when: false failed_when: false check_mode: false 
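Review bot: `item.mode != '06(0|4)0'` compares the file's mode string with the literal text `06(0|4)0`, which it can never equal, so the condition is always true and the task runs for every file in `auditd_conf_files` regardless of its current mode; this hunk only re-indents the `when:` and keeps that behaviour. Use a regex test instead: `- item.mode is not match('^06[04]0$')`. The task this `when:` belongs to starts outside the hunk, so check the pattern against the `mode:` it actually sets.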
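Review bot: The 4.2.1.3 condition is renamed from `rhel9cis_preferred_log_capture` to `rhel9cis_syslog`, but nothing in this diff declares `rhel9cis_syslog` or updates other tasks that may still test the old name; an undefined variable here aborts the play rather than skipping the rule. Confirm `rhel9cis_syslog` is defined in defaults/main.yml with its permitted values documented, and that no remaining task references `rhel9cis_preferred_log_capture`. The enclosing task starts outside the hunk.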
@@ -84,7 +84,7 @@ mail.warning -/var/log/mail.warning mail.err /var/log/mail.err insertafter: '# Log all the mail messages in one place.' - notify: restart rsyslog + notify: Restart rsyslog when: rhel9cis_rsyslog_ansiblemanaged - name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting" @@ -97,7 +97,7 @@ news.crit -/var/log/news/news.crit news.notice -/var/log/news/news.crit insertafter: '# Save news errors of level crit and higher in a special file.' - notify: restart rsyslog + notify: Restart rsyslog when: rhel9cis_rsyslog_ansiblemanaged - name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting" @@ -111,7 +111,7 @@ *.crit /var/log/warn *.*;mail.none;news.none /var/log/messages insertafter: '#### RULES ####' - notify: restart rsyslog + notify: Restart rsyslog when: rhel9cis_rsyslog_ansiblemanaged - name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings" @@ -127,7 +127,7 @@ local6,local7.* -/var/log/localmessages *.emrg :omusrmsg:* insertafter: '#### RULES ####' - notify: restart rsyslog + notify: Restart rsyslog - name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings" ansible.builtin.blockinfile: @@ -138,7 +138,7 @@ # Private settings to meet CIS standards auth,authpriv.* /var/log/secure insertafter: '#### RULES ####' - notify: restart rsyslog + notify: Restart rsyslog - name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings" ansible.builtin.blockinfile: @@ -149,7 +149,7 @@ # Cron settings to meet CIS standards cron.* /var/log/cron insertafter: '#### RULES ####' - notify: restart rsyslog + notify: Restart rsyslog when: - rhel9cis_rule_4_2_1_5 tags: @@ -171,7 +171,7 @@ failed_when: - result is failed - result.rc != 257 - notify: restart rsyslog + notify: Restart rsyslog when: - rhel9cis_rule_4_2_1_6 - rhel9cis_remote_log_server 
@@ -189,7 +189,7 @@ path: /etc/rsyslog.conf regexp: '{{ item }}' replace: '#\1' - notify: restart rsyslog + notify: Restart rsyslog loop: - '^(\$ModLoad imtcp)' - '^(\$InputTCPServerRun)' @@ -202,7 +202,7 @@ path: /etc/rsyslog.conf regexp: '^#(.*{{ item }}.*)' replace: '\1' - notify: restart rsyslog + notify: Restart rsyslog loop: - 'ModLoad imtcp' - 'InputTCPServerRun' diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 0c53795..c6b0e2e 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -19,7 +19,7 @@ path: /etc/systemd/journal-upload.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - notify: restart systemd_journal_upload + notify: Restart systemd_journal_upload with_items: - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'} - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'} @@ -92,7 +92,7 @@ ansible.builtin.import_tasks: warning_facts.yml when: "'static' not in rhel9cis_4_2_2_2_status.stdout" vars: - warn_control_id: '4.2.2.2' + warn_control_id: '4.2.2.2' when: - rhel9cis_rule_4_2_2_2 tags: @@ -108,7 +108,7 @@ path: /etc/systemd/journald.conf regexp: "^#Compress=|^Compress=" line: Compress=yes - notify: restart systemd_journal_upload + notify: Restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_3 tags: @@ -124,7 +124,7 @@ path: /etc/systemd/journald.conf regexp: "^#Storage=|^Storage=" line: Storage=persistent - notify: restart systemd_journal_upload + notify: Restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_4 tags: @@ -141,7 +141,7 @@ path: /etc/systemd/journald.conf regexp: "^ForwardToSyslog=" line: "#ForwardToSyslog=yes" - notify: restart systemd_journal_upload + notify: Restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_5 tags: 
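Review bot: The tasks that edit /etc/systemd/journald.conf (Compress in the -108 hunk, Storage in -124, ForwardToSyslog in -141 of cis_4.2.2.x.yml) notify `Restart systemd_journal_upload`, but journald.conf is read by systemd-journald, not by the upload service, so those settings will not take effect until journald itself is restarted; the -157 hunk on the next line even replaces an existing `notify: restart journald` with the upload handler, which looks like a regression rather than a rename. These four tasks should notify a handler that restarts `systemd-journald` — `notify: Restart journald` if such a handler exists in handlers/main.yml (not visible here), otherwise a new one. The journal-upload handler is appropriate only for the journal-upload.conf task in the -19 hunk.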
@@ -157,7 +157,7 @@ path: /etc/systemd/journald.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - notify: restart journald + notify: Restart systemd_journal_upload with_items: - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'} - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' } diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 9dc785e..f0286d9 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -84,7 +84,7 @@ regexp: "^AllowUsers" line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}" validate: sshd -t -f %s - notify: restart sshd + notify: Restart sshd when: "rhel9cis_sshd['allowusers']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" @@ -93,7 +93,7 @@ regexp: "^AllowGroups" line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}" validate: sshd -t -f %s - notify: restart sshd + notify: Restart sshd when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" @@ -102,7 +102,7 @@ regexp: "^DenyUsers" line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}" validate: sshd -t -f %s - notify: restart sshd + notify: Restart sshd when: "rhel9cis_sshd['denyusers']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" @@ -111,7 +111,7 @@ regexp: "^DenyGroups" line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}" validate: sshd -t -f %s - notify: restart sshd + notify: Restart sshd when: "rhel9cis_sshd['denygroups']|default('') | length > 0" when: - rhel9cis_rule_5_2_4 
@@ -267,7 +267,7 @@ - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" ansible.builtin.shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd - notify: restart sshd + notify: Restart sshd when: ssh_crypto_discovery.stdout | length > 0 when: - rhel9cis_rule_5_2_14 diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 5b4704c..1f6b691 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -52,19 +52,19 @@ register: rhel9cis_5_6_1_4_inactive_settings - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" - ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0 - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false check_mode: false - register: rhel_8_5_6_1_4_user_list + register: rhel9cis_5_6_1_4_user_list - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" with_items: - - "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}" + - "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}" when: - rhel9cis_rule_5_6_1_4 tags: 
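Review bot: `chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"` in the cis_5.6.1.x.yml -52 hunk is switched from `ansible.builtin.command` to `ansible.builtin.shell`, so the user names looped in from the awk over /etc/shadow are now passed through a shell, and any shell metacharacter in a name is interpreted instead of being handed to chage as a plain argument; `command` gave that protection for free and nothing in these commands needs shell features. The same switch is made for `useradd -D -f …` in this hunk and for `passwd --expire {{ item }}` in the -104 hunk on the next line; keep `ansible.builtin.command` for all three. The register rename to `rhel9cis_5_6_1_4_user_list` is a correct fix and is unaffected.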
@@ -104,7 +104,7 @@ - not rhel9cis_futurepwchgdate_autofix - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - ansible.builtin.command: passwd --expire {{ item }} + ansible.builtin.shell: passwd --expire {{ item }} when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index e2985f8..e8cd62f 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -207,7 +207,7 @@ when: - item.stdout_lines is defined - item.stdout_lines | length > 0 - + - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" ansible.builtin.import_tasks: warning_facts.yml vars: diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index c553121..ebc51d4 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -450,7 +450,7 @@ rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }} # Section 4 ## syslog -rhel9cis_syslog: {{ rhel9cis_preferred_log_capture }} +rhel9cis_syslog: {{ rhel9cis_syslog }} # Section 5 ## 5.2.4 Note the following to understand precedence and layout diff --git a/vars/main.yml b/vars/main.yml index 2ba64a1..165eff5 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -8,5 +8,5 @@ rhel9cis_allowed_crypto_policies: - 'FIPS' # Used to control warning summary -control_number: "" +warn_control_list: "" warn_count: 0 From 7a3a3d3444df65628893d9fbd9c1a8ed1e759f7f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 13:59:06 +0000 Subject: [PATCH 030/143] updated to latest actions Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 2c972d5..8d26a35 100644 
--- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -26,12 +26,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/first-interaction@v1.1.1 + - uses: actions/first-interaction@main with: repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/iansible-lockdown) as well. + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. # This workflow contains a single job called "build" build: # The type of runner that the job will run on @@ -44,7 +44,7 @@ jobs: steps: # Checks-out your repository under $GITHUB_WORKSPACE, # so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} From e17acee56daf27076e7da707efffd9b090d73637 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 13:59:15 +0000 Subject: [PATCH 031/143] fixed variables Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 168ce67..910b098 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -526,7 +526,8 @@ rhel9cis_auditd_extra_conf: {} ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 -rhel9cis_preferred_log_capture: rsyslog +rhel9cis_syslog: rsyslog +rhel9cis_rsyslog_ansiblemanaged: true #### 4.2.1.6 remote and destation log server name rhel9cis_remote_log_server: logagg.example.com @@ -600,9 +601,6 @@ rhel9cis_pass: max_days: 365 min_days: 7 warn_age: 7 -# Syslog system - either rsyslog or syslog-ng -rhel9cis_syslog: rsyslog -rhel9cis_rsyslog_ansiblemanaged: true # 5.5.1 ## PAM 
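Review bot: `actions/first-interaction@main` in the -26 hunk replaces a fixed version with a mutable branch, so every run executes whatever is currently on that branch, with `secrets.GITHUB_TOKEN` handed to it via `repo-token`; any change upstream, malicious or not, lands in this workflow with no review. Pin to a release tag, or better a full commit SHA with the version in a trailing comment, e.g. `- uses: actions/first-interaction@<commit-sha>  # vX.Y.Z` (placeholder — take the SHA from the action's release page). The `actions/checkout@v3` bump in the -44 hunk is the right direction and would benefit from the same SHA pinning.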
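Review bot: `rhel9cis_rsyslog_ansiblemanaged: true` is added in the defaults/main.yml -526 hunk directly under the comment that describes `rhel9cis_syslog`, so the new variable carries no explanation of what it controls; from the cis_4.2.1.x.yml hunks earlier in this series it gates whether 4.2.1.5 writes the rsyslog rule blocks into /etc/rsyslog.conf. Suggest a comment line above it such as `## Whether this role manages the rules in /etc/rsyslog.conf (4.2.1.5 blockinfile tasks)`. It would also help to state the accepted values of `rhel9cis_syslog`, since the retained comment says "rsyslog or journald" while the removed one said "rsyslog or syslog-ng", and 4.2.1.3 compares it to the string `"rsyslog"`.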
From 2e40e8c54e24b0e5f4aca09e0ef995866401da2c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 13:59:24 +0000 Subject: [PATCH 032/143] typo fix Signed-off-by: Mark Bolwell --- handlers/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 404d74b..a350df0 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -77,7 +77,7 @@ name: systemd-journal-upload state: restarted -- name: Systemd_daemon_Reload +- name: Systemd_daemon_reload ansible.builtin.systemd: daemon-reload: true @@ -91,7 +91,7 @@ - name: Audit_immutable_fact ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" - notify: change_requires_reboot + notify: Change_requires_reboot when: - auditd_immutable_check.stdout == '1' From 77c914998fc52625e37128b908cdca0f42b9d593 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 13:59:35 +0000 Subject: [PATCH 033/143] fix notify Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.5.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index d025981..6d3eb4e 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -5,7 +5,7 @@ path: /etc/systemd/coredump.conf regexp: '^Storage\s*=\s*(?!none).*' line: 'Storage=none' - notify: systemd_daemon_reload + notify: Systemd_daemon_reload when: - rhel9cis_rule_1_5_1 - systemd_coredump.stat.exists From 7f48dbd2c4782b0eb692700c1825977b01643a6d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 13:59:53 +0000 Subject: [PATCH 034/143] added gpg-key update Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index eaae1a3..c33afe3 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -99,6 +99,13 @@ grub2_path: /etc/grub2-efi.cfg when: rhel_09_efi_boot.stat.exists +- name: "PRELIM | Update to latest gpg keys" + ansible.builtin.package: + name: "{{ ansible_distribution | lower }}-gpg-keys" + state: latest + when: + - rhel9cis_rule_1_2_4 + - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" ansible.builtin.package: name: audit From 83bd6cd87c084cb2880b51896fe9e12695b634f5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 14:00:03 +0000 Subject: [PATCH 035/143] updated Signed-off-by: Mark Bolwell --- .ansible-lint | 2 -- 1 file changed, 2 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index c3dfee3..6dc3572 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -3,9 +3,7 @@ quiet: true skip_list: - 'schema' - 'no-changed-when' - - 'fqcn-builtins' - 'experimental' - - 'name[casing]' - 'name[template]' - 'jinja[spacing]' - '204' From 50d4cd83aabe5d899d37e5e741ce884ee416ccc5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 14:15:50 +0000 Subject: [PATCH 036/143] Removed -automated Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.x.yml | 1 - tasks/section_1/cis_1.2.x.yml | 1 - tasks/section_1/cis_1.6.1.x.yml | 7 ------- tasks/section_1/cis_1.8.x.yml | 5 ----- tasks/section_2/cis_2.3.x.yml | 4 ---- tasks/section_4/cis_4.1.2.x.yml | 1 - tasks/section_4/cis_4.1.3.x.yml | 1 - tasks/section_4/cis_4.2.2.x.yml | 6 +----- tasks/section_4/cis_4.2.3.yml | 1 - tasks/section_6/cis_6.1.x.yml | 1 - tasks/warning_facts.yml | 2 +- 11 files changed, 2 insertions(+), 28 deletions(-) diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 77cbf0f..dea0bbc 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -21,7 +21,6 @@ tags: - level1-server - level2-workstation - - automated - patch - mounts - removable_storage diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 99f24ea..6d64ebb 100644 
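Review bot: The new prelim task installs `"{{ ansible_distribution | lower }}-gpg-keys"`, which assumes a package by exactly that name exists on every distribution the role supports; `ansible_distribution` is `RedHat` on RHEL and I am not aware of a `redhat-gpg-keys` package there (Rocky and Alma do ship `<name>-gpg-keys`), so verify the name per target or map it explicitly. `state: latest` also upgrades the package on every run, which makes the task non-idempotent and is flagged by ansible-lint's package-latest rule; `state: present` is enough to ensure the keys package is installed. A short comment on why this runs under `rhel9cis_rule_1_2_4` — e.g. `# keys must be present before gpgcheck is enforced` — would help the next reader, if that is the intent.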
--- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -61,7 +61,6 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_1.2.2 diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index c954f66..89e3161 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -9,7 +9,6 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_1.6.1.1 @@ -45,7 +44,6 @@ tags: - level1-server - level1-workstation - - automated - selinux - patch - rule_1.6.1.3 @@ -61,7 +59,6 @@ tags: - level1-server - level1-workstation - - automated - selinux - patch - rule_1.6.1.4 @@ -78,7 +75,6 @@ tags: - level2-server - level2-workstation - - automated - selinux - patch - rule_1.6.1.5 @@ -106,7 +102,6 @@ tags: - level1-server - level1-workstation - - automated - audit - services - rule_1.6.1.6 @@ -120,7 +115,6 @@ - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server - - automated - selinux - patch - rule_1.6.1.7 @@ -134,6 +128,5 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_1.6.1.8 diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 20be846..23dd3c6 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -9,7 +9,6 @@ - "'gdm' in ansible_facts.packages" tags: - level2-server - - automated - patch - gui - gdm @@ -39,7 +38,6 @@ tags: - level1-server - level1-workstation - - automated - patch - gui - gdm @@ -67,7 +65,6 @@ tags: - level1-server - level1-workstation - - automated - patch - gui - rule_1.8.3 @@ -92,7 +89,6 @@ tags: - level1-server - level2-workstation - - automated - patch - gui - rule_1.8.6 @@ -109,7 +105,6 @@ tags: - level1-server - level1-workstation - - automated - patch - gui - rule_1.8.4 diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index 38f24c0..10a0662 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml 
@@ -11,7 +11,6 @@ tags: - level1-server - level1-workstation - - automated - patch - telnet - rule_2.3.1 @@ -27,7 +26,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ldap - rule_2.3.2 @@ -43,7 +41,6 @@ tags: - level1-server - level1-workstation - - automated - patch - tftp - rule_2.3.3 @@ -59,7 +56,6 @@ tags: - level1-server - level1-workstation - - automated - patch - ftp - rule_2.3.4 diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index 2473e87..e9cee1c 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -11,7 +11,6 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.2.1 diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index e29f496..922ea61 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -61,7 +61,6 @@ tags: - level2-server - level2-workstation - - automated - patch - auditd - rule_4.1.3.5 diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index c6b0e2e..e22da77 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -63,7 +63,6 @@ tags: - level1-server - level1-workstation - - automated - patch - journald - rule_4.2.2.1.4 @@ -98,7 +97,6 @@ tags: - level1-server - level1-workstation - - automated - audit - journald - rule_4.2.2.2 @@ -114,7 +112,6 @@ tags: - level1-server - level1-workstation - - automated - patch - journald - rule_4.2.2.3 @@ -130,7 +127,6 @@ tags: - level1-server - level1-workstation - - automated - patch - journald - rule_4.2.2.4 
@@ -184,7 +180,7 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Set live file" ansible.builtin.set_fact: systemd_conf_file: /etc/tmpfiles.d/systemd.conf - when: rhel9cis_4_2_2_7_override_stat.exists + when: rhel9cis_4_2_2_7_override.stat.exists - name: "4.2.2.7 | PATCH | Ensure journald default file permissions configured | Set permission" ansible.builtin.lineinfile: diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index a7a623a..8a7ae83 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -21,7 +21,6 @@ tags: - level1-server - level1-workstation - - automated - patch - logfiles - rule_4.2.3 diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index e8cd62f..2360ec2 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -142,7 +142,6 @@ tags: - level1-server - level1-workstation - - automated - patch - files - permissions diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml index 37560bd..6e80487 100644 --- a/tasks/warning_facts.yml +++ b/tasks/warning_facts.yml @@ -14,7 +14,7 @@ # # warn_count the main variable for the number of warnings and each time a warn_control_id is added # the count increases by a value of 1 -- name: "NO CONTROL ID | AUDIT | Set fact for manual task warning." +- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." ansible.builtin.set_fact: warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" warn_count: "{{ warn_count | int + 1 }}" From 8191b02c3ed104be08bd113d7bfee82ebce19b07 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 14:16:15 +0000 Subject: [PATCH 037/143] fixed changed_requires_reboot Signed-off-by: Mark Bolwell --- tasks/post.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/post.yml b/tasks/post.yml index 7f8b1fb..8facbd2 100644 --- a/tasks/post.yml +++ b/tasks/post.yml 
@@ -39,7 +39,7 @@ - name: POST | Reboot system if changes require it and not skipped ansible.builtin.reboot: when: - - Change_requires_reboot + - change_requires_reboot - not skip_reboot - name: POST | Warning a reboot required but skip option set @@ -47,13 +47,13 @@ msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true when: - - Change_requires_reboot + - change_requires_reboot - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" ansible.builtin.import_tasks: warning_facts.yml when: - - Change_requires_reboot + - change_requires_reboot - skip_reboot vars: warn_control_id: Reboot_required From e87cc3ade5496fb314c8f4953412b1b8215459fa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 14:16:27 +0000 Subject: [PATCH 038/143] Removed -automated Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 30fe5fe..36de90f 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -39,7 +39,6 @@ tags: - level1-server - level1-workstation - - automated - patch - accounts - rule_6.2.2 From e1c41c4652e067421ece0b6bfde3bb8feecd12d2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 14:16:48 +0000 Subject: [PATCH 039/143] removed rule not needed Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ebc51d4..abc4c1b 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
@@ -53,7 +53,6 @@ rhel9cis_rule_1_1_2_4: {{ rhel9cis_rule_1_1_2_4 }} rhel9cis_rule_1_1_3_1: {{ rhel9cis_rule_1_1_3_1 }} rhel9cis_rule_1_1_3_2: {{ rhel9cis_rule_1_1_3_2 }} rhel9cis_rule_1_1_3_3: {{ rhel9cis_rule_1_1_3_3 }} -rhel9cis_rule_1_1_3_4: {{ rhel9cis_rule_1_1_3_4 }} # 1.1.4 Configure /var/tmp rhel9cis_rule_1_1_4_1: {{ rhel9cis_rule_1_1_4_1 }} rhel9cis_rule_1_1_4_2: {{ rhel9cis_rule_1_1_4_2 }} From 801eff8a539568bfbd81ba45695152377294ea88 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 14:18:34 +0000 Subject: [PATCH 040/143] Added requirements Make Signed-off-by: Mark Bolwell --- Makefile | 11 +++++++++++ requirements.txt | 5 +++++ 2 files changed, 16 insertions(+) create mode 100644 Makefile create mode 100644 requirements.txt diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..46a81d1 --- /dev/null +++ b/Makefile @@ -0,0 +1,11 @@ +# TESTS + +all: yamllint + +yamllint: + git ls-files "*.yml"|xargs yamllint + +requirements: + @echo 'Python dependencies:' + @cat requirements.txt + pip install -r requirements.txt diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..52cb84d --- /dev/null +++ b/requirements.txt @@ -0,0 +1,5 @@ +passlib +lxml +xmltodict +jmespath +yamllint From 1fe3a88ff9cdbcdd5c02999bdae76585c916c7cc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 14:27:05 +0000 Subject: [PATCH 041/143] removed var not required Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index abc4c1b..2bc98e1 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
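Review bot: `git ls-files "*.yml"|xargs yamllint` splits file names on whitespace and, if no matching file is tracked, runs `yamllint` with no arguments (which then lints the whole directory), so the target's result can differ from what it appears to check. Use the NUL-separated form `git ls-files -z "*.yml" | xargs -0 -r yamllint` (`-r` skips the run on empty input; GNU xargs). Tracked `*.yaml` files, if any, are also not covered by the glob.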
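Review bot: All five entries in the new requirements.txt are unpinned, so `make requirements` installs whatever the newest release on the index is at run time — a different set on every machine and an open supply-chain surface for the tooling that lints and runs this role. Pin each to a known version (e.g. `yamllint==<version>`, placeholder) and, ideally, add `--hash=sha256:…` entries so the Makefile target can run `pip install --require-hashes -r requirements.txt` and verify what it installs.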
@@ -438,9 +438,9 @@ rhel9cis_is_router: {{ rhel9cis_is_router }} rhel9cis_firewall: {{ rhel9cis_firewall }} ##### firewalld rhel9cis_default_zone: {{ rhel9cis_default_zone }} -rhel9cis_firewalld_nftables_state: {{ rhel9cis_firewalld_nftables_state }} # Note if absent removes the firewalld pkg dependancy + #### nftables -rhel9cis_nftables_firewalld_state: {{ rhel9cis_nftables_firewalld_state }} + rhel9cis_nft_tables_autonewtable: {{ rhel9cis_nft_tables_autonewtable }} rhel9cis_nft_tables_tablename: {{ rhel9cis_nft_tables_tablename }} rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }} From 910d1599a2118e9c8af556f09de9136ff3a66819 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 17 Jan 2023 09:23:29 +0000 Subject: [PATCH 042/143] updated versions Signed-off-by: Mark Bolwell --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 00d5a39..f54c90f 100644 --- a/README.md +++ b/README.md @@ -10,10 +10,9 @@ ![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL9-CIS/DevelToMain?label=Main%20Build%20Status&style=plastic) ![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS?style=plastic) -Configure RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant with RHEL8 settings (RHEL9 not yet released) -Based on v2.0.0 RHEL8 +Configure RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) -Based on [CIS RedHat Enterprise Linux 8 Benchmark v2.0.0. - 02-23-2022 ](https://www.cisecurity.org/cis-benchmarks/) +Based on [CIS RedHat Enterprise Linux 9 Benchmark v1.0.0. - 11-30-2022 ](https://www.cisecurity.org/cis-benchmarks/) ## Join us From a2d074a343cb9ddca1c1fc2669317a3fdfd7ce95 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 17 Jan 2023 11:34:01 +0000 Subject: [PATCH 043/143] added blacklist requirement 
Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index cc2156c..00303ac 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -10,11 +10,20 @@ create: true mode: 0600 + - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist" + lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist squashfs(\\s|$)" + line: "blacklist squashfs" + create: true + mode: 0600 + - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" modprobe: name: squashfs state: absent when: not system_is_container + when: - rhel9cis_rule_1_1_1_1 tags: @@ -34,6 +43,14 @@ create: true mode: 0600 + - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist" + lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist udf(\\s|$)" + line: "blacklist udf" + create: true + mode: 0600 + - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" modprobe: name: udf From c9b97bec6e16da7b849a62b278c1c44822bf5572 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 17 Jan 2023 12:31:47 +0000 Subject: [PATCH 044/143] fixed loop Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.4.x.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 61174d2..af1579f 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml 
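Review bot: The new blacklist tasks in the -10 and -43 hunks use the short module name `lineinfile:` while the sibling task in the same block uses `ansible.builtin.lineinfile:`; use `ansible.builtin.lineinfile:` for both new tasks so the file stays consistent and keeps passing lint as the fqcn entries in .ansible-lint are toggled later in this series. The `-43` hunk also carries the existing `is disable` typo in the udf Disable task name (context, not changed here). The enclosing task lists continue outside both hunks.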
@@ -22,14 +22,14 @@ block: - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" ansible.builtin.file: - path: /boot/grub2/grub.cfg + path: "/boot/grub2/{{ item.path }}" owner: root group: root - mode: 0600 + mode: "{{ item.mode }}" loop: - - grub.cfg - - grubenv - - user.cfg + - { path: 'grub.cfg', mode: '0700' } + - { path: 'grubenv', mode: '0600' } + - { path: 'user.cfg', mode: '0600' } when: - rhel9cis_rule_1_4_2 From 9d4120468ef940e7bc4698e8a0458cecbaf8a091 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:00:18 +0000 Subject: [PATCH 045/143] Thanks to @keystone-admin on discord missing tag Signed-off-by: Mark Bolwell --- tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/main.yml b/tasks/main.yml index 8229390..981ade5 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -140,6 +140,7 @@ - rule_6.2.11 - rhel9cis_section5 - rhel9cis_section6 + - level1-server - name: run Section 1 tasks ansible.builtin.import_tasks: section_1/main.yml From bc90630ca81ccd0f4dd3e9ccace62f3e460eab0f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:21:51 +0000 Subject: [PATCH 046/143] git add set bootloader & gossupdates Signed-off-by: Mark Bolwell --- defaults/main.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 910b098..5e0baa7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
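Review bot: The loop hardcodes `path: "/boot/grub2/{{ item.path }}"`, but the prelim hunk earlier in this series sets a `grub2_path` fact to a different location on EFI hosts (`/etc/grub2-efi.cfg` when `rhel_09_efi_boot.stat.exists`), and `ansible.builtin.file` with its default state fails when the path is absent as far as I recall, so this task is likely to fail on UEFI systems where grub.cfg is not under /boot/grub2; derive the directory from the same EFI detection or guard the loop with a `when` on that fact. Separately, `mode: '0700'` for grub.cfg sets the execute bit on a configuration file; `'0600'` satisfies og-rwx equally and matches the other two entries, unless 0700 is deliberate to match the distribution's default. The block starts outside the hunk.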
@@ -366,9 +366,9 @@ rhel9cis_rh_sub_password: password rhel9cis_rhnsd_required: false # 1.4.2 Bootloader password -rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' +rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.5783BF1560E32718E85FEC2E1B8D4D7FFCA39A409EE47995A515E3F22B9347131E627F8B42CE987535152103D82631E11F9C953E26B8C02A5C99787CBC395DD9.AF8C36AAA5FE5F3B4CE2B436F079F03645C7A87DD3301D083F7AD05B8C25770DB1DDB75BF329382B282C8AADE19206479FDA94BB63A4567C58C70DF126DC82DA' rhel9cis_bootloader_password: random -rhel9cis_set_boot_pass: false +rhel9cis_set_boot_pass: true # 1.10 Set crypto policy DEFAULT @@ -660,14 +660,14 @@ audit_run_script_environment: ### Goss binary settings ### goss_version: - release: v0.3.18 - checksum: 'sha256:432308ebca0caf8165d45bd27e3262126aad9d15572ac8cb3149b3c91f75aace' + release: v0.3.21 + checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json # if get_goss_file == download change accordingly -goss_url: "https://github.com/aelsabbahy/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" +goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" ## if get_goss_file - copy the following needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node From ade06951ffbff80436b5b7ab2959377888e8ea40 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:22:02 +0000 Subject: [PATCH 047/143] removed congrats Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 6d64ebb..62fae23 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
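Review bot: `rhel9cis_bootloader_password_hash` changes from an obvious placeholder to a real PBKDF2 hash while `rhel9cis_set_boot_pass` is switched to `true`, so with the defaults every host gets the same bootloader password whose hash is published in this repository; a bootloader password that is public is no better than none, and the later "changed default grub password" commit in this series swaps in another real hash rather than addressing this. Keep a non-working placeholder (or leave `rhel9cis_set_boot_pass: false`) and document that the value must be generated per environment, e.g. a comment `## Generate with grub2-mkpasswd-pbkdf2 and override in your inventory; the default is not usable as-is`. The goss change in the -660 hunk, which keeps a sha256 checksum alongside the new release and URL, is the right pattern.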
@@ -15,13 +15,6 @@ register: os_gpg_key_check when: os_installed_pub_keys.rc == 0 - - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys pass" - ansible.builtin.debug: - msg: "Congratulations !! - The installed gpg keys match expected values" - when: - - os_installed_pub_keys.rc == 0 - - os_gpg_key_check.rc == 0 - - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail" ansible.builtin.fail: msg: Installed GPG Keys do not meet expected values or keys installed that are not expected From e3a0ff8cd89d1da38ad084016f71e41520c1f6cc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:22:11 +0000 Subject: [PATCH 048/143] added logic Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.8.x.yml | 38 +++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 23dd3c6..f627f6a 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -69,6 +69,44 @@ - gui - rule_1.8.3 +- name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle" + copy: + dest: /etc/dconf/db/local.d/00-screensaver + content: | + [org/gnome/desktop/session] + idle-delay=uint32 300 + [org/gnome/desktop/screensaver] + lock-delay=uint32 5 + mode: '0644' + notify: Reload dconf + when: + - rhel9cis_rule_1_8_4 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - patch + - gui + - rule_1.8.4 + +- name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden" + lineinfile: + path: /etc/dconf/db/local.d/locks/session + create: true + line: /org/gnome/desktop/screensaver/lock-delay + owner: root + group: root + mode: 0640 + when: + - rhel9cis_rule_1_8_5 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - patch + - gui + - rule_1.8.3 + - name: "1.8.6 | PATCH | Ensure automatic mounting of removable media is disabled" ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/00-media-automount 
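Review bot: The new 1.8.5 task is tagged `- rule_1.8.3` instead of `- rule_1.8.5`, so `--tags rule_1.8.5` will not select it and `--tags rule_1.8.3` runs it unintentionally. The same task writes /etc/dconf/db/local.d/locks/session without a `notify: Reload dconf`, whereas the 1.8.4 task above does notify, so the lock is not compiled into the dconf database until something else triggers the reload; add `notify: Reload dconf` to 1.8.5 as well. Its name `"1.8.5 PATCH | …"` is also missing the ` | ` separator the other task names use, and both new tasks use short module names (`copy:`, `lineinfile:`) where the neighbouring 1.8.6 task uses `ansible.builtin.lineinfile:`. If the benchmark expects idle-delay to be locked too, the locks file would additionally need `/org/gnome/desktop/session/idle-delay` — worth checking against the control text.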
From 6e77a3ced6193b5762d58f432b901be78e267d8f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:22:30 +0000 Subject: [PATCH 049/143] removed older version Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.1.x.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 5ff7e75..3a9cd77 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -206,8 +206,6 @@ loop: - 'ModLoad imtcp' - 'InputTCPServerRun' - - 'module\(load="imtcp"\)' - - 'input\(type="imtcp"' when: rhel9cis_system_is_log_server when: - rhel9cis_rule_4_2_1_7 From 6845c8ad2fa634a4aca276e8f5a138e33ef30bec Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:26:38 +0000 Subject: [PATCH 050/143] updated Signed-off-by: Mark Bolwell --- .ansible-lint | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 6dc3572..2183403 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,16 +1,20 @@ parseable: true quiet: true skip_list: - - 'schema' - - 'no-changed-when' - - 'experimental' - - 'name[template]' - - 'jinja[spacing]' - - '204' - - '305' - - '303' - - '403' - - '306' - - '602' + - 'schema' + - 'no-changed-when' + - 'var-spacing' + - 'fqcn-builtins' + - 'experimental' + - 'name[casing]' + - 'name[template]' + - 'fqcn[action]' + - '204' + - '305' + - '303' + - '403' + - '306' + - '602' + - '208' use_default_rules: true verbosity: 0 From 05d425befef1091c84d9b6fd91d932a7e7ff090e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:26:58 +0000 Subject: [PATCH 051/143] updated Signed-off-by: Mark Bolwell --- .ansible-lint | 1 - 1 file changed, 1 deletion(-) diff --git a/.ansible-lint b/.ansible-lint index 2183403..7ef99f1 100644 --- a/.ansible-lint +++ b/.ansible-lint 
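Review bot: After the deletion in the cis_4.2.1.x.yml -206 hunk the uncomment loop only matches the legacy `$ModLoad imtcp` / `$InputTCPServerRun` directive forms; as far as I know the rsyslog shipped with RHEL 9 writes its stock /etc/rsyslog.conf in RainerScript syntax (`module(load="imtcp")`, `input(type="imtcp" …)`), so on a log server with the default config nothing is uncommented and TCP reception is never enabled. Unless the legacy lines are known to exist on the targets, keep patterns for both forms, or manage the listener with an explicit `ansible.builtin.lineinfile`/`blockinfile` entry rather than relying on uncommenting. The enclosing block starts outside the hunk.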
@@ -4,7 +4,6 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' - - 'fqcn-builtins' - 'experimental' - 'name[casing]' - 'name[template]' From 9e9e3abc43596fddb02ab4daab44abe414bb5fc2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:29:03 +0000 Subject: [PATCH 052/143] changed default grub password Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5e0baa7..6b916a5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -366,7 +366,7 @@ rhel9cis_rh_sub_password: password rhel9cis_rhnsd_required: false # 1.4.2 Bootloader password -rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.5783BF1560E32718E85FEC2E1B8D4D7FFCA39A409EE47995A515E3F22B9347131E627F8B42CE987535152103D82631E11F9C953E26B8C02A5C99787CBC395DD9.AF8C36AAA5FE5F3B4CE2B436F079F03645C7A87DD3301D083F7AD05B8C25770DB1DDB75BF329382B282C8AADE19206479FDA94BB63A4567C58C70DF126DC82DA' +rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' rhel9cis_bootloader_password: random rhel9cis_set_boot_pass: true From 32805d64979c3d4ece950457ec18ec624771890f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Jan 2023 16:34:58 +0000 Subject: [PATCH 053/143] fixed typo 1.1.8.4 Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 2bc98e1..7b0b8e6 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
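Review bot: The replacement `rhel9cis_bootloader_password_hash` default is still a fixed, publicly committed hash, so every host that keeps the default gets the same, publicly known bootloader password while `rhel9cis_set_boot_pass: true` reports the control as applied. Swapping one committed hash for another does not change that; the variable needs a comment telling consumers it must be overridden per deployment (ideally from a vault), and the role could assert that it differs from the shipped value before writing it. Suggested comment above the line: `# MUST be overridden per deployment (e.g. from vault); the shipped value is public and gives no protection`.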
@@ -76,7 +76,7 @@ rhel9cis_rule_1_1_7_3: {{ rhel9cis_rule_1_1_7_3 }} rhel9cis_rule_1_1_8_1: {{ rhel9cis_rule_1_1_8_1 }} rhel9cis_rule_1_1_8_2: {{ rhel9cis_rule_1_1_8_2 }} rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_3 }} -rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_4 }} +rhel9cis_rule_1_1_8_4: {{ rhel9cis_rule_1_1_8_4 }} # 1.9 usb-storage rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }} # 1.2 Configure Software Updates From b8085e5dc0e270c1b955de334ea36ec45c3b23a8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 10:07:14 +0000 Subject: [PATCH 054/143] cis_v1.0.0 alignment updated Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.1.3.x.yml | 4 +--- tasks/section_1/cis_1.1.4.x.yml | 6 ++---- tasks/section_1/cis_1.1.5.x.yml | 2 -- tasks/section_1/cis_1.1.6.x.yml | 2 -- tasks/section_1/cis_1.1.7.x.yml | 8 +++++--- tasks/section_1/cis_1.1.x.yml | 8 ++++++++ 7 files changed, 17 insertions(+), 15 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index d4a7f7d..d55f5ec 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -6,7 +6,7 @@ ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | warning" + - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: '1.1.2.1' diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 7ea30d9..649657f 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml 
@@ -6,7 +6,7 @@ ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | warning" + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: '1.1.3.1' @@ -37,9 +37,7 @@ label: "{{ item.device }}" notify: Change_requires_reboot when: - - var_mount_present is defined - item.mount == "/var" - - rhel9cis_rule_1_1_3_1 # This is required so the check takes place - rhel9cis_rule_1_1_3_2 or rhel9cis_rule_1_1_3_3 tags: diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index b32260b..b8ae48d 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -7,7 +7,7 @@ ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" + - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: '1.1.4.1' @@ -32,16 +32,14 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nodev{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot when: - - var_tmp_mount_present is defined - item.mount == "/var/tmp" - - rhel9cis_rule_1_1_4_1 # This is required so the check takes place - rhel9cis_rule_1_1_4_2 or rhel9cis_rule_1_1_4_3 or rhel9cis_rule_1_1_4_4 
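Review bot: The corrected `opts:` line in the /var/tmp mount task still yields a trailing comma when `rhel9cis_rule_1_1_4_4` is false and `rhel9cis_rule_1_1_4_3` is true (`defaults,noexec,nosuid,`), because the task's `when` runs it for any one of the three rules. Building the option list and joining it avoids that: `opts: "{{ (['defaults'] + (['noexec'] if rhel9cis_rule_1_1_4_2 else []) + (['nosuid'] if rhel9cis_rule_1_1_4_3 else []) + (['nodev'] if rhel9cis_rule_1_1_4_4 else [])) | join(',') }}"`. Whether the mount module tolerates the trailing comma before writing fstab is not visible here, so the 1.1.5 and 1.1.6 files are worth checking too if they use the same pattern. The enclosing task starts above the hunk.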
diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index da3c0e8..9f556ba 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -39,9 +39,7 @@ label: "{{ item.device }}" notify: Change_requires_reboot when: - - var_log_mount_present is defined - item.mount == "/var/log" - - rhel9cis_rule_1_1_5_1 # This is required so the check takes place - rhel9cis_rule_1_1_5_2 or rhel9cis_rule_1_1_5_3 or rhel9cis_rule_1_1_5_4 diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index b030e8f..fcfa92b 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -38,9 +38,7 @@ label: "{{ item.device }}" notify: Change_requires_reboot when: - - var_log_audit_mount_present is defined - item.mount == "/var/log/audit" - - rhel9cis_rule_1_1_6_1 # This is required so the check takes place - rhel9cis_rule_1_1_6_2 or rhel9cis_rule_1_1_6_3 or rhel9cis_rule_1_1_6_4 diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 946572c..9fadf59 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -1,5 +1,8 @@ --- +- ansible.builtin.debug: + msg: "{{ mount_names }}" + - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home" block: - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" @@ -8,9 +11,9 @@ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: '1.1.7.1' + vars: + warn_control_id: '1.1.7.1' required_mount: '/home' when: - required_mount not in mount_names @@ -38,7 +41,6 @@ label: "{{ item.device }}" notify: Change_requires_reboot when: - - home_mount_present is defined - item.mount == "/home" - rhel9cis_rule_1_1_7_1 - rhel9cis_rule_1_1_7_2 or diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index dea0bbc..19c99c0 100644 --- a/tasks/section_1/cis_1.1.x.yml 
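Review bot: The new unnamed `ansible.builtin.debug` task at the top of cis_1.1.7.x.yml prints `mount_names` on every run with no `when` and no tags, so it reads as leftover debugging rather than part of control 1.1.7.1. If it is meant to stay, give it a name, a `verbosity: 1` so it only shows with `-v`, and the same tags as the surrounding tasks; otherwise drop it before merge.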
+++ b/tasks/section_1/cis_1.1.x.yml @@ -16,6 +16,14 @@ ansible.builtin.modprobe: name: usb-storage state: absent + + - name: "1.1.9 | PATCH | Disable USB Storage | blacklist" + lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist usb-storage(\\s|$)" + line: "blacklist usb-storage" + create: true + mode: 0600 when: - rhel9cis_rule_1_1_9 tags: From 184832d2acfb8695acca1b79b795d00e5f3b3c3e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 11:28:53 +0000 Subject: [PATCH 055/143] update blacklist Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index b2e104a..6a46b78 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -54,14 +54,24 @@ - rule_3.1.2 - name: "3.1.3 | PATCH | Ensure TIPC is disabled" - ansible.builtin.template: - src: "etc/modprobe.d/modprobe.conf.j2" - dest: "/etc/modprobe.d/{{ item }}.conf" - mode: "0600" - owner: root - group: root - with_items: - - tipc + block: + - name: "3.1.3 | PATCH | Ensure TIPC is disabled" + ansible.builtin.template: + src: "etc/modprobe.d/modprobe.conf.j2" + dest: "/etc/modprobe.d/{{ item }}.conf" + mode: "0600" + owner: root + group: root + with_items: + - tipc + + - name: "3.1.3 | PATCH | Ensure TIPC is disabled | blacklist" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/blacklist.conf + regexp: "^(#)?blacklist tipc(\\s|$)" + line: "blacklist tipc" + create: true + mode: 0600 when: - rhel9cis_rule_3_1_3 tags: From 163900e277d318988c499852ad0b6429bbd0154d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 11:29:03 +0000 Subject: [PATCH 056/143] add file exclusions Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.3.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
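Review bot: The inner template task of the new 3.1.3 block has exactly the same name as the enclosing block, `"3.1.3 | PATCH | Ensure TIPC is disabled"`, so the two are indistinguishable in play output; the sibling tasks use a suffix, e.g. `- name: "3.1.3 | PATCH | Ensure TIPC is disabled | modprobe config"`. Within the same hunk the template task writes `mode: "0600"` while the new lineinfile task writes `mode: 0600`; quoting both keeps the octal literal a string under any YAML loader. The same unquoted `mode: 0600` appears in the new usb-storage blacklist task in cis_1.1.x.yml.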
diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index 8a7ae83..a391254 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -9,13 +9,17 @@ recurse: true register: logfiles - - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" + - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions" ansible.builtin.file: path: "{{ item.path }}" mode: 0640 loop: "{{ logfiles.files }}" loop_control: label: "{{ item.path }}" + when: + - item.path != "/var/log/btmp" + - item.path != "/var/log/utmp" + - item.path != "/var/log/wtmp" when: - rhel9cis_rule_4_2_3 tags: From 4e1ee6f8e6ed6a188eefc3c3b8607aee8e2cdadd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 11:29:12 +0000 Subject: [PATCH 057/143] add remote syslog option Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 7b0b8e6..ea288fc 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -448,6 +448,8 @@ rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }} # Section 4 +## Set if server is logserver +rhel9cis_remote_log_server: {{ rhel9cis_remote_log_server }} ## syslog rhel9cis_syslog: {{ rhel9cis_syslog }} From 4e8397b89ed5cb3284caf0194560880e2ceeadb5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 13:12:33 +0000 Subject: [PATCH 058/143] fqcn updates Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 8 ++++---- tasks/section_1/cis_1.1.7.x.yml | 3 --- tasks/section_1/cis_1.1.x.yml | 2 +- tasks/section_1/cis_1.8.x.yml | 4 ++-- 4 files changed, 7 insertions(+), 10 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 00303ac..7a88f6f 100644 --- a/tasks/section_1/cis_1.1.1.x.yml 
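Review bot: The three `item.path != …` exclusions in the renamed 4.2.3 permission task carry no explanation of why btmp, utmp and wtmp are kept out of the 0640 sweep, and three separate conditions are harder to extend than one membership test, e.g. `- item.path | basename not in ['btmp', 'utmp', 'wtmp']`. A comment above the task-level `when:` stating the reason (presumably their group-writable permissions required by the login tooling — confirm against the benchmark text) would help the next maintainer. The exclusion is by exact path, so only files directly under /var/log with those names are skipped; that may be intended. The `find` task that registers `logfiles` starts above the hunk.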
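Review bot: The comment `## Set if server is logserver` above the new `rhel9cis_remote_log_server` line does not describe that variable: at this point defaults/main.yml gives it the remote destination hostname (`logagg.example.com`, as the removed line in commit 061's defaults hunk shows), and the flag for "this host is a log server" is `rhel9cis_system_is_log_server`. Commit 061's defaults and template hunks then turn `rhel9cis_remote_log_server` into a boolean and reword the comment to `## Set if host is a logserver`, which still reads as the 4.2.1.7 role flag. A comment such as `## Set true to forward logs to the remote log host below (4.2.1.6)` would remove the ambiguity in both places.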
+++ b/tasks/section_1/cis_1.1.1.x.yml @@ -11,7 +11,7 @@ mode: 0600 - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "^(#)?blacklist squashfs(\\s|$)" line: "blacklist squashfs" @@ -19,7 +19,7 @@ mode: 0600 - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" - modprobe: + community.general.modprobe: name: squashfs state: absent when: not system_is_container @@ -44,7 +44,7 @@ mode: 0600 - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "^(#)?blacklist udf(\\s|$)" line: "blacklist udf" @@ -52,7 +52,7 @@ mode: 0600 - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" - modprobe: + community.general.modprobe: name: udf state: absent when: not system_is_container diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 9fadf59..54da358 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -1,8 +1,5 @@ --- -- ansible.builtin.debug: - msg: "{{ mount_names }}" - - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home" block: - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 19c99c0..0496300 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -18,7 +18,7 @@ state: absent - name: "1.1.9 | PATCH | Disable USB Storage | blacklist" - lineinfile: + ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf regexp: "^(#)?blacklist usb-storage(\\s|$)" line: "blacklist usb-storage" diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index f627f6a..97a5031 100644 --- a/tasks/section_1/cis_1.8.x.yml 
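Review bot: Switching the two `modprobe:` calls in cis_1.1.1.x.yml to `community.general.modprobe` makes the role depend on the `community.general` collection explicitly; if the role's meta or requirements do not already list it, runs on a bare ansible-core install fail at that task, so the dependency should be declared and noted in the README. The context line `"1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf"` still carries the `disable`/`disabled` typo in the task name. The enclosing blocks start above each hunk.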
+++ b/tasks/section_1/cis_1.8.x.yml @@ -70,7 +70,7 @@ - rule_1.8.3 - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle" - copy: + ansible.builtin.copy: dest: /etc/dconf/db/local.d/00-screensaver content: | [org/gnome/desktop/session] @@ -90,7 +90,7 @@ - rule_1.8.4 - name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden" - lineinfile: + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/locks/session create: true line: /org/gnome/desktop/screensaver/lock-delay From cb609c1f1a179880af8417d8d3c6ad632faf426e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 13:31:53 +0000 Subject: [PATCH 059/143] fqcn update Signed-off-by: Mark Bolwell --- tasks/section_1/main.yml | 32 ++++++++++++++++---------------- tasks/section_2/main.yml | 8 ++++---- tasks/section_3/main.yml | 10 +++++----- tasks/section_4/main.yml | 16 ++++++++-------- tasks/section_5/main.yml | 14 +++++++------- tasks/section_6/main.yml | 4 ++-- 6 files changed, 42 insertions(+), 42 deletions(-) diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 1d6ab55..d9bc3b5 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
@@ -1,57 +1,57 @@ --- - name: "SECTION | 1.1.1.x | Disable unused filesystems" - import_tasks: cis_1.1.1.x.yml + ansible.builtin.import_tasks: cis_1.1.1.x.yml - name: "SECTION | 1.1.2.x | Configure /tmp" - import_tasks: cis_1.1.2.x.yml + ansible.builtin.import_tasks: cis_1.1.2.x.yml - name: "SECTION | 1.1.3.x | Configure /var" - import_tasks: cis_1.1.3.x.yml + ansible.builtin.import_tasks: cis_1.1.3.x.yml - name: "SECTION | 1.1.4.x | Configure /var/tmp" - import_tasks: cis_1.1.4.x.yml + ansible.builtin.import_tasks: cis_1.1.4.x.yml - name: "SECTION | 1.1.5.x | Configure /var/log" - import_tasks: cis_1.1.5.x.yml + ansible.builtin.import_tasks: cis_1.1.5.x.yml - name: "SECTION | 1.1.6.x | Configure /var/log/audit" - import_tasks: cis_1.1.6.x.yml + ansible.builtin.import_tasks: cis_1.1.6.x.yml - name: "SECTION | 1.1.7.x | Configure /home" - import_tasks: cis_1.1.7.x.yml + ansible.builtin.import_tasks: cis_1.1.7.x.yml - name: "SECTION | 1.1.8.x | Configure /dev/shm" - import_tasks: cis_1.1.8.x.yml + ansible.builtin.import_tasks: cis_1.1.8.x.yml - name: "SECTION | 1.1.x | Disable various mounting" - import_tasks: cis_1.1.x.yml + ansible.builtin.import_tasks: cis_1.1.x.yml - name: "SECTION | 1.2 | Configure Software Updates" - import_tasks: cis_1.2.x.yml + ansible.builtin.import_tasks: cis_1.2.x.yml - name: "SECTION | 1.3 | Filesystem Integrity Checking" - import_tasks: cis_1.3.x.yml + ansible.builtin.import_tasks: cis_1.3.x.yml when: rhel9cis_config_aide - name: "SECTION | 1.4 | Secure Boot Settings" - import_tasks: cis_1.4.x.yml + ansible.builtin.import_tasks: cis_1.4.x.yml - name: "SECTION | 1.5 | Additional Process Hardening" - import_tasks: cis_1.5.x.yml + ansible.builtin.import_tasks: cis_1.5.x.yml - name: "SECTION | 1.6 | Mandatory Access Control" include_tasks: cis_1.6.1.x.yml when: not rhel9cis_selinux_disable - name: "SECTION | 1.7 | Command Line Warning Banners" - import_tasks: cis_1.7.x.yml + ansible.builtin.import_tasks: cis_1.7.x.yml - name: "SECTION | 1.8 
| Gnome Display Manager" - import_tasks: cis_1.8.x.yml + ansible.builtin.import_tasks: cis_1.8.x.yml - name: "SECTION | 1.9 | Updates and Patches" - import_tasks: cis_1.9.yml + ansible.builtin.import_tasks: cis_1.9.yml - name: "SECTION | 1.10 | Crypto policies" include_tasks: cis_1.10.yml diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 8f79854..39b912d 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,13 +1,13 @@ --- - name: "SECTION | 2.1 | Time Synchronization" - import_tasks: cis_2.1.x.yml + ansible.builtin.import_tasks: cis_2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" - import_tasks: cis_2.2.x.yml + ansible.builtin.import_tasks: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" - import_tasks: cis_2.3.x.yml + ansible.builtin.import_tasks: cis_2.3.x.yml - name: "SECTION | 2.4 | Nonessential services removed" - import_tasks: cis_2.4.yml + ansible.builtin.import_tasks: cis_2.4.yml diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index cb5c04a..535aba9 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml @@ -1,16 +1,16 @@ --- - name: "SECTION | 3.1.x | Disable unused network protocols and devices" - import_tasks: cis_3.1.x.yml + ansible.builtin.import_tasks: cis_3.1.x.yml - name: "SECTION | 3.2.x | Network Parameters (Host Only)" - import_tasks: cis_3.2.x.yml + ansible.builtin.import_tasks: cis_3.2.x.yml - name: "SECTION | 3.3.x | Network Parameters (host and Router)" - import_tasks: cis_3.3.x.yml + ansible.builtin.import_tasks: cis_3.3.x.yml - name: "SECTION | 3.4.1.x | Firewall configuration" - import_tasks: cis_3.4.1.x.yml + ansible.builtin.import_tasks: cis_3.4.1.x.yml - name: "SECTION | 3.4.2.x | Configure firewall" - include_tasks: cis_3.4.2.x.yml + ansible.builtin.import_tasks: cis_3.4.2.x.yml diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index a7a3659..285a2f3 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml 
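Review bot: In the section_1 main.yml hunk the two `include_tasks:` entries (cis_1.6.1.x.yml and cis_1.10.yml) are left without the `ansible.builtin.` prefix while every `import_tasks:` was updated, so the file is still mixed; `ansible.builtin.include_tasks: cis_1.6.1.x.yml` keeps the dynamic behaviour and the FQCN. The section_3, section_4 and section_5 hunks go further and change `include_tasks` to `ansible.builtin.import_tasks` for cis_3.4.2.x.yml, cis_4.1.1.x.yml, cis_5.2.x.yml and cis_5.3.x.yml, which is a behaviour change rather than a naming one: with a static import the `when:` and tags are applied to every imported task at parse time instead of to the include. That is probably fine for these files, but it deserves a sentence in the commit message, which only says "fqcn update".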
@@ -1,29 +1,29 @@ --- - name: "SECTION | 4.1 | Configure System Accounting (auditd)" - include_tasks: cis_4.1.1.x.yml + ansible.builtin.import_tasks: cis_4.1.1.x.yml when: - not system_is_container - name: "SECTION | 4.1.2 | Configure Data Retention" - import_tasks: cis_4.1.2.x.yml + ansible.builtin.import_tasks: cis_4.1.2.x.yml - name: "SECTION | 4.1.3 | Configure Auditd rules" - import_tasks: cis_4.1.3.x.yml + ansible.builtin.import_tasks: cis_4.1.3.x.yml - name: "SECTION | 4.1.4 | Configure Audit files" - import_tasks: cis_4.1.4.x.yml + ansible.builtin.import_tasks: cis_4.1.4.x.yml - name: "SECTION | 4.2 | Configure Logging" - import_tasks: cis_4.2.1.x.yml + ansible.builtin.import_tasks: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' - name: "SECTION | 4.2.2 | Configure journald" - import_tasks: cis_4.2.2.x.yml + ansible.builtin.import_tasks: cis_4.2.2.x.yml when: rhel9cis_syslog == 'journald' - name: "SECTION | 4.2.3 | Configure logile perms" - import_tasks: cis_4.2.3.yml + ansible.builtin.import_tasks: cis_4.2.3.yml - name: "SECTION | 4.3 | Configure logrotate" - import_tasks: cis_4.3.yml + ansible.builtin.import_tasks: cis_4.3.yml diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index b7db859..5aed1c1 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml 
@@ -3,24 +3,24 @@ # Access, Authentication, and Authorization - name: "SECTION | 5.1 | Configure time-based job schedulers" - import_tasks: cis_5.1.x.yml + ansible.builtin.import_tasks: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure SSH Server" - include_tasks: cis_5.2.x.yml + ansible.builtin.import_tasks: cis_5.2.x.yml when: - "'openssh-server' in ansible_facts.packages" - name: "SECTION | 5.3 | Configure privilege escalation" - include_tasks: cis_5.3.x.yml + ansible.builtin.import_tasks: cis_5.3.x.yml - name: "SECTION | 5.4 | Configure authselect" - import_tasks: cis_5.4.x.yml + ansible.builtin.import_tasks: cis_5.4.x.yml - name: "SECTION | 5.5 | Configure PAM " - import_tasks: cis_5.5.x.yml + ansible.builtin.import_tasks: cis_5.5.x.yml - name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters" - import_tasks: cis_5.6.1.x.yml + ansible.builtin.import_tasks: cis_5.6.1.x.yml - name: "SECTION | 5.6.x | Misc. User Account Settings" - import_tasks: cis_5.6.x.yml + ansible.builtin.import_tasks: cis_5.6.x.yml diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index b6acabf..35328e5 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -1,7 +1,7 @@ --- - name: "SECTION | 6.1 | System File Permissions" - import_tasks: cis_6.1.x.yml + ansible.builtin.import_tasks: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - import_tasks: cis_6.2.x.yml + ansible.builtin.import_tasks: cis_6.2.x.yml From 999d7b5b1e3e420b47f33fd1283832c2144486a8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 13:33:11 +0000 Subject: [PATCH 060/143] fix csv sugroup option updated Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/section_5/cis_5.3.x.yml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6b916a5..635d8ea 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -637,7 +637,7 @@ rhel9cis_futurepwchgdate_autofix: true # 5.7 # rhel9cis_sugroup: sugroup # change accordingly wheel is default -# wheel users list +# wheel users list please supply comma seperated e.g. "vagrant,root" rhel9cis_sugroup_users: "root" ## Section6 vars diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index 25d05d2..823d142 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -120,8 +120,9 @@ - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root" ansible.builtin.user: - name: "{{ rhel9cis_sugroup_users }}" + name: "{{ item }}" groups: "{{ rhel9cis_sugroup | default('wheel') }}" + loop: "{{ rhel9cis_sugroup_users | split (',') }}" when: - rhel9cis_rule_5_3_7 tags: From 499b67ceb252ea3fea55a7bda14854412f15eb25 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 14:51:30 +0000 Subject: [PATCH 061/143] Updated rsyslog server variable Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 +++- tasks/section_4/cis_4.2.1.x.yml | 2 +- templates/ansible_vars_goss.yml.j2 | 10 +++++++++- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 635d8ea..b488183 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -530,12 +530,14 @@ rhel9cis_syslog: rsyslog rhel9cis_rsyslog_ansiblemanaged: true #### 4.2.1.6 remote and destation log server name -rhel9cis_remote_log_server: logagg.example.com +rhel9cis_remote_log_server: false +rhel9cis_remote_log_host: logagg.example.com rhel9cis_remote_log_port: 514 rhel9cis_remote_log_protocol: tcp rhel9cis_remote_log_retrycount: 100 rhel9cis_remote_log_queuesize: 1000 + #### 4.2.1.7 rhel9cis_system_is_log_server: false diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 3a9cd77..d2cac93 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml 
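Review bot: The 5.3.7 task calls `ansible.builtin.user` with `groups:` and no `append: true`, so each looped account's supplementary groups are replaced with just the su group; with the new loop over `rhel9cis_sugroup_users` that now strips every listed account's other memberships. Add `append: true` below `groups:`. The loop expression `split (',')` also does not trim whitespace, so a value like `"vagrant, root"` yields the user `" root"`; `loop: "{{ rhel9cis_sugroup_users | split(',') | map('trim') | list }}"` handles that. The task's `when:` and tags continue below the hunk.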
@@ -165,7 +165,7 @@ state: present block: | # target can be IP or FQDN - *.* action(type="omfwd" target="{{ rhel9cis_remote_log_server }}" port="{{ rhel9cis_remote_log_port }}" protocol="{{ rhel9cis_remote_log_protocol }}" action.resumeRetryCount="{{ rhel9cis_remote_log_retrycount }}" queue.type="LinkedList" queue.size="{{ rhel9cis_remote_log_queuesize }}") + *.* action(type="omfwd" target="{{ rhel9cis_remote_log_host }}" port="{{ rhel9cis_remote_log_port }}" protocol="{{ rhel9cis_remote_log_protocol }}" action.resumeRetryCount="{{ rhel9cis_remote_log_retrycount }}" queue.type="LinkedList" queue.size="{{ rhel9cis_remote_log_queuesize }}") insertafter: EOF register: result failed_when: diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ea288fc..be7bb00 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -448,8 +448,16 @@ rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }} # Section 4 -## Set if server is logserver +## Set if host is a logserver rhel9cis_remote_log_server: {{ rhel9cis_remote_log_server }} + +# Remote logserver settings +rhel9cis_remote_log_host: {{ rhel9cis_remote_log_host }} +rhel9cis_remote_log_port: {{ rhel9cis_remote_log_port }} +rhel9cis_remote_log_protocol: {{ rhel9cis_remote_log_protocol }} +rhel9cis_remote_log_retrycount: {{ rhel9cis_remote_log_retrycount }} +rhel9cis_remote_log_queuesize: {{ rhel9cis_remote_log_queuesize }} + ## syslog rhel9cis_syslog: {{ rhel9cis_syslog }} From fbe238091bddd5ff055de1494bb72bf3c3696b2e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 16:25:34 +0000 Subject: [PATCH 062/143] Added new prelim interactive_user_home Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c33afe3..9209849 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -12,6 +12,13 @@ - level1-workstation - users +- name: "PRELIM | Interactive User accounts" + ansible.builtin.shell: 'cat /etc/passwd | grep -Ev "nologin|/sbin" | cut -d: -f6' + changed_when: false + register: interactive_users_home + tags: + - always + - name: "PRELIM | Gather accounts with empty password fields" ansible.builtin.shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" changed_when: false From 77e48d3eccdc320fe61a7d57604765edab98a8e3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Jan 2023 16:29:44 +0000 Subject: [PATCH 063/143] 6.2.11 nologin to exclude & fixed tag Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 47 ++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 36de90f..257c6a6 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -332,13 +332,14 @@ - item.uid >= min_int_uid | int - item.id != 'nobody' - (item.id != 'tss' and item.dir != '/dev/null') + - item.shell != '/sbin/nologin' - rhel9cis_rule_6_2_11 tags: - level1-server - level1-workstation - patch - users - - rule_6.2.10 + - rule_6.2.11 - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" block: @@ -408,10 +409,10 @@ - name: "6.2.13 | PATCH | Ensure no local interactive user has .netrc files" ansible.builtin.file: - path: "~{{ item }}/.netrc" + path: "{{ item }}/.netrc" state: absent with_items: - - "{{ users.stdout_lines }}" + - "{{ interactive_users_home.stdout_lines }}" when: - rhel9cis_rule_6_2_13 tags: @@ -424,10 +425,10 @@ - name: "6.2.14 | PATCH | Ensure no local interactive user has .forward files" ansible.builtin.file: - path: "~{{ item }}/.forward" + path: "{{ item }}/.forward" state: absent with_items: - - "{{ users.stdout_lines }}" + - "{{ interactive_users_home.stdout_lines }}" when: - rhel9cis_rule_6_2_14 tags: 
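Review bot: The new `PRELIM | Interactive User accounts` task decides who is interactive with `grep -Ev "nologin|/sbin"` over whole passwd lines, so it keys on any occurrence of those strings rather than on the shell field: accounts with `/bin/false` or other non-login shells are kept, and any line that merely mentions `/sbin` anywhere is dropped. Since the 6.2.13 and 6.2.14 tasks in this series delete `.netrc`/`.forward` files under every returned path, selecting on field 7 is safer, e.g. `ansible.builtin.shell: "awk -F: '$7 !~ /(nologin|false)$/ {print $6}' /etc/passwd"`, and the `cat |` pipeline is unnecessary. It may also be worth filtering by UID against the `min_int_uid` the 6.2.11 task already uses — confirm that is the intent.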
@@ -438,12 +439,12 @@ - files - rule_6.2.14 -- name: "6.2.15 | PATCH | Ensure no users have .rhosts files" +- name: "6.2.15 | PATCH | Ensure no local interactive user has .rhosts files" ansible.builtin.file: path: "~{{ item }}/.rhosts" state: absent with_items: - - "{{ users.stdout_lines }}" + - "{{ interactive_users_home.stdout_lines }}" when: - rhel9cis_rule_6_2_15 tags: @@ -456,26 +457,26 @@ - name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable" block: + - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Check for files" - ansible.builtin.shell: find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w - changed_when: false - failed_when: false - register: rhel9cis_6_2_16_audit + ansible.builtin.find: + path: "{{ item }}" + depth: 3 + patterns: ".*" + hidden: true + recurse: true + file_type: file + register: user_dot_files + loop: "{{ interactive_users_home.stdout_lines }}" - - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Alert on files found" - ansible.builtin.debug: - msg: "Good news! We have not found any group or world-writable dot files on your sytem" - when: - - rhel9cis_6_2_16_audit.stdout is not defined - - - name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable | Changes files if configured" + - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | update permissions" ansible.builtin.file: - path: '{{ item }}' + path: "{{ item.path }}" mode: go-w - with_items: "{{ rhel9cis_6_2_16_audit.stdout_lines }}" - when: - - rhel9cis_6_2_16_audit.stdout is defined - - rhel9cis_dotperm_ansiblemanaged + loop: "{{ user_dot_files.files }}" + loop_control: + label: "{{ item.path }}" + when: - rhel9cis_rule_6_2_16 tags: From 45435dd2baaa69bd0d4c50df2653f1a59784b0ad Mon Sep 17 00:00:00 2001 
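Review bot: The 6.2.15 task now loops over `interactive_users_home.stdout_lines`, which are home directory paths, but the unchanged `path: "~{{ item }}/.rhosts"` still prefixes a tilde; with an item like `/home/alice` that renders `~/home/alice/.rhosts`, which the file module expands relative to the connecting user's home, so no .rhosts file is ever removed. The 6.2.13 and 6.2.14 hunks dropped the tilde when they made the same loop change; this one should match them: `path: "{{ item }}/.rhosts"`.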
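Review bot: The second task of the rewritten 6.2.16 block is named `AUDIT` but changes file modes (`mode: go-w`), so it should be `PATCH` like the block, e.g. `- name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable | update permissions"`. The rewrite also drops the `rhel9cis_dotperm_ansiblemanaged` guard, so the permission change now runs unconditionally; if that variable is still defined in defaults it is now dead and should be removed or restored as a condition. Registering `user_dot_files` on a looped `find` yields a `results` list rather than `files`, so the following task's `user_dot_files.files` does not resolve as written in this commit. The block's closing tags continue below the hunk.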
From: Mark Bolwell Date: Thu, 19 Jan 2023 16:55:12 +0000 Subject: [PATCH 064/143] updated 6.2.16 Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 257c6a6..647a150 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -460,14 +460,13 @@ - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Check for files" ansible.builtin.find: - path: "{{ item }}" + path: /home depth: 3 patterns: ".*" hidden: true recurse: true file_type: file register: user_dot_files - loop: "{{ interactive_users_home.stdout_lines }}" - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | update permissions" ansible.builtin.file: From de88c96f24de1f28b15b594fd22ce7b89329fc83 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 10:29:50 +0000 Subject: [PATCH 065/143] section 1.8 alignment v1.0.0 Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 + tasks/section_1/cis_1.8.x.yml | 162 +++++++++++++++--- templates/ansible_vars_goss.yml.j2 | 5 + templates/etc/dconf/db/00-automount_lock.j2 | 9 + templates/etc/dconf/db/00-autorun_lock.j2 | 6 + templates/etc/dconf/db/00-media-automount.j2 | 7 + templates/etc/dconf/db/00-media-autorun.j2 | 6 + templates/etc/dconf/db/00-screensaver.j2 | 17 ++ templates/etc/dconf/db/00-screensaver_lock.j2 | 9 + 9 files changed, 198 insertions(+), 27 deletions(-) create mode 100644 templates/etc/dconf/db/00-automount_lock.j2 create mode 100644 templates/etc/dconf/db/00-autorun_lock.j2 create mode 100644 templates/etc/dconf/db/00-media-automount.j2 create mode 100644 templates/etc/dconf/db/00-media-autorun.j2 create mode 100644 templates/etc/dconf/db/00-screensaver.j2 create mode 100644 templates/etc/dconf/db/00-screensaver_lock.j2 
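Review bot: Hard-coding `path: /home` in the 6.2.16 find narrows the control to that tree, so interactive accounts whose home lives elsewhere (root's `/root`, or any non-standard home the `interactive_users_home` prelim collects) are no longer checked, and `depth: 3` now counts from /home rather than from each home directory. If the single-task form is kept so that `register` gives a flat `files` list, `paths: "{{ interactive_users_home.stdout_lines }}"` preserves the prelim's scope, since `find` accepts a list of paths. The rest of the block continues below the hunk.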
diff --git a/defaults/main.yml b/defaults/main.yml index b488183..ab0c146 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -370,6 +370,10 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF4 rhel9cis_bootloader_password: random rhel9cis_set_boot_pass: true +# 1.8 Gnome Desktop +rhel9cis_dconf_db_name: local +rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) +rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) # 1.10 Set crypto policy DEFAULT # Control 1.10 states not to use LEGACY diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 97a5031..45124ec 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml 
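Review bot: The new `rhel9cis_screensaver_idle_delay` and `rhel9cis_screensaver_lock_delay` comments state ranges (1–900 and 0–5) that nothing visible in the role enforces, so a value outside the benchmark's bounds would be templated into the dconf database silently. An `ansible.builtin.assert` in the prelim (or ahead of the 1.8.4 template task) checking `rhel9cis_screensaver_idle_delay | int <= 900` and `rhel9cis_screensaver_lock_delay | int <= 5` would make the comment's promise real. The `# 1.8 Gnome Desktop` group also lacks the blank line the neighbouring groups have before the next section comment.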
@@ -70,14 +70,35 @@ - rule_1.8.3 - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle" - ansible.builtin.copy: - dest: /etc/dconf/db/local.d/00-screensaver - content: | - [org/gnome/desktop/session] - idle-delay=uint32 300 - [org/gnome/desktop/screensaver] - lock-delay=uint32 5 - mode: '0644' + block: + - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | User profile" + ansible.builtin.lineinfile: + path: /etc/dconf/profile/user + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + create: true + user: root + group: root + mode: 0644 + loop: + - { regexp: '^user-db', line: 'user-db: user' } + - { regexp: '^system-db', line: 'system-db: local' } + + - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make db directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" + owner: root + group: root + mode: 0755 + state: directory + + - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | screensaver" + ansible.builtin.template: + src: etc/dconf/db/00-screensaver.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-screensaver" + owner: root + group: root + mode: '0644' notify: Reload dconf when: - rhel9cis_rule_1_8_4 
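Review bot: The user-profile task writes `system-db: local` as a literal while the database directory and the template are keyed on `{{ rhel9cis_dconf_db_name }}`; set that variable to anything but `local` and the profile points at a database the role never populates, so the screensaver settings silently never apply and no task reports a failure. Change the loop item to `- { regexp: '^system-db', line: 'system-db: {{ rhel9cis_dconf_db_name }}' }` so the two stay coupled. The `when`/`tags` of the 1.8.4 task continue outside the hunk.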
@@ -90,13 +111,23 @@ - rule_1.8.4 - name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden" - ansible.builtin.lineinfile: - path: /etc/dconf/db/local.d/locks/session - create: true - line: /org/gnome/desktop/screensaver/lock-delay - owner: root - group: root - mode: 0640 + block: + - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: 0755 + state: directory + + - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lockfile" + ansible.builtin.template: + src: etc/dconf/db/00-screensaver_lock.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" + owner: root + group: root + mode: 0644 + notify: Reload dconf when: - rhel9cis_rule_1_8_5 - rhel9cis_gui @@ -105,22 +136,16 @@ - level1-workstation - patch - gui - - rule_1.8.3 + - rule_1.8.5 -- name: "1.8.6 | PATCH | Ensure automatic mounting of removable media is disabled" - ansible.builtin.lineinfile: - path: /etc/dconf/db/local.d/00-media-automount - regexp: "{{ item.regex }}" - line: "{{ item.line }}" - create: true +- name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" + ansible.builtin.template: + src: etc/dconf/db/00-media-automount.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-automount" owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf - with_items: - - { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' } - - { regex: 'automount=', line: 'automount=false' } - - { regex: 'automount-open=', line: 'automount-open=false'} when: - rhel9cis_rule_1_8_6 - rhel9cis_gui 
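Review bot: The rewritten 1.8.6 task templates into `/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/` but nothing in the task creates that directory; in this series it is created only by 1.8.4 and 1.8.8, so a run with `rhel9cis_rule_1_8_4: false` and 1.8.6 enabled fails on the missing parent. 1.8.8 guards itself with its own `Make directory` task, and 1.8.6 should do the same by becoming a block with the directory task first. The `tags` of the 1.8.6 task extend past the end of the hunk.
```yaml
- name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled"
  block:
    - name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | Make directory"
      ansible.builtin.file:
        path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d"
        owner: root
        group: root
        mode: '0755'
        state: directory

    - name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled | Make conf file"
      ansible.builtin.template:
        src: etc/dconf/db/00-media-automount.j2
        dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-automount"
        owner: root
        group: root
        mode: '0644'
      notify: Reload dconf
  # … unchanged: when / tags …
```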
@@ -131,6 +156,89 @@ - gui - rule_1.8.6 +- name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" + block: + - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: 0755 + state: directory + + - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file" + ansible.builtin.template: + src: etc/dconf/db/00-automount_lock.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-automount_lock" + owner: root + group: root + mode: 0644 + notify: Reload dconf + when: + - rhel9cis_rule_1_8_7 + - rhel9cis_gui + tags: + - level1-server + - level2-workstation + - patch + - gui + - rule_1.8.7 + +- name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled" + block: + - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" + owner: root + group: root + mode: 0755 + state: directory + + - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file" + ansible.builtin.template: + src: etc/dconf/db/00-media-autorun.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-autorun" + owner: root + group: root + mode: '0644' + notify: Reload dconf + when: + - rhel9cis_rule_1_8_8 + - rhel9cis_gui + tags: + - level1-server + - level2-workstation + - patch + - gui + - rule_1.8.8 + +- name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden" + block: + - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lock directory" + ansible.builtin.file: + path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: 0755 + state: directory + + - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | 
Make lockfile" + ansible.builtin.template: + src: etc/dconf/db/00-autorun_lock.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock" + owner: root + group: root + mode: 0644 + notify: Reload dconf + when: + - rhel9cis_rule_1_8_9 + - rhel9cis_gui + tags: + - level1-server + - level2-workstation + - patch + - gui + - rule_1.8.9 - name: "1.8.10 | PATCH | Ensure XDMCP is not enabled" ansible.builtin.lineinfile: diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index be7bb00..e7fe3b8 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -387,6 +387,11 @@ rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} # aide setup via - cron, timer rhel9_aide_scan: cron +# 1.8 Gnome Desktop +rhel9cis_dconf_db_name: {{ rhel9cis_dconf_db_name }} +rhel9cis_screensaver_idle_delay: {{ rhel9cis_screensaver_idle_delay }} # Set max value for idle-delay in seconds (between 1 and 900) +rhel9cis_screensaver_lock_delay: {{ rhel9cis_screensaver_lock_delay }} # Set max value for lock-delay in seconds (between 0 and 5) + # Section 2 ## 2.2 Special Purposes # Set to 'true' if X Windows is needed in your environment diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 new file mode 100644 index 0000000..3534474 --- /dev/null +++ b/templates/etc/dconf/db/00-automount_lock.j2 @@ -0,0 +1,9 @@ +## Ansible controlled file +# Added as part of CIS +# provided by MindPointGroup LLC + +# Lock desktop media-handling automount setting +/org/gnome/desktop/media-handling/automount + +# Lock desktop media-handling automount-open +/org/gnome/desktop/media-handling/automount-open diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 new file mode 100644 index 0000000..04e23a5 --- /dev/null +++ b/templates/etc/dconf/db/00-autorun_lock.j2 
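Review bot: The settings and locks that 1.8.7–1.8.9 drop into `{{ rhel9cis_dconf_db_name }}.d` only take effect if `/etc/dconf/profile/user` names that database under `system-db:`, and in this series only the 1.8.4 block writes that profile; with 1.8.4 disabled, 1.8.6–1.8.9 report changed while automount and autorun stay enabled for every user. Move the profile `lineinfile` task, together with the `.d` and `locks` directory creation that is now copied verbatim into 1.8.5, 1.8.7 and 1.8.9, into one prelim task gated on any of `rhel9cis_rule_1_8_4` through `rhel9cis_rule_1_8_9`, so each rule is self-sufficient and the duplication goes away. As a style point the three lock tasks use unquoted `mode: 0644` while the template tasks beside them use `'0644'`; one form throughout avoids ansible-lint's octal warning.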
@@ -0,0 +1,6 @@ +## Ansible controlled file +# Added as part of CIS +# provided by MindPointGroup LLC + +# Lock desktop media-handling settings +/org/gnome/desktop/media-handling/autorun-never diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 new file mode 100644 index 0000000..227498e --- /dev/null +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -0,0 +1,7 @@ +## Ansible controlled file +# Added as part of CIS +# provided by MindPointGroup LLC + +[org/gnome/desktop/media-handling] +automount=false +automount-open=false diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 new file mode 100644 index 0000000..a8c297f --- /dev/null +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -0,0 +1,6 @@ +## Ansible controlled file +# Added as part of CIS +# provided by MindPointGroup LLC + +[org/gnome/desktop/media-handling] +autorun-never=true diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 new file mode 100644 index 0000000..139c429 --- /dev/null +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -0,0 +1,17 @@ +## Ansible controlled file +# Added as part of CIS +# provided by MindPointGroup LLC + + +# Specify the dconf path +[org/gnome/desktop/session] + +# Number of seconds of inactivity before the screen goes blank +# Set to 0 seconds if you want to deactivate the screensaver. +idle-delay=uint32 {{ ubtu22cis_screensaver_idle_delay }} + +# Specify the dconf path +[org/gnome/desktop/screensaver] + +# Number of seconds after the screen is blank before locking the screen +lock-delay=uint32 {{ ubtu22cis_screensaver_lock_delay }} diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 new file mode 100644 index 0000000..5d5869f --- /dev/null +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 
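Review bot: The comment `# Set to 0 seconds if you want to deactivate the screensaver.` in 00-screensaver.j2 documents a value that defeats the control: the defaults added in this same series describe idle-delay as 1–900 and lock-delay as 0–5, yet the template emits `uint32 {{ ... }}` unchecked, so `0` (or `901`) renders, `dconf update` accepts it, and the host reports the rule as applied while never locking. Replace the comment with `# CIS 1.8.4: must be 1-900 seconds; 0 disables the screensaver and is non-compliant` and guard both values with an `ansible.builtin.assert` in the 1.8.4 block before the template task (idle-delay between 1 and 900, lock-delay between 0 and 5), so a bad group_vars value fails loudly instead of silently weakening the lock.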
@@ -0,0 +1,9 @@ +## Ansible controlled file +# Added as part of CIS +# provided by MindPointGroup LLC + +# Lock desktop screensaver idle-delay setting +/org/gnome/desktop/session/idle-delay + +# Lock desktop screensaver lock-delay setting +/org/gnome/desktop/screensaver/lock-delay From 949fcc687de982009611e69ff2e2321f8ba923f9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 10:32:21 +0000 Subject: [PATCH 066/143] fix typo Signed-off-by: Mark Bolwell --- templates/etc/dconf/db/00-screensaver.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index 139c429..5aa21c1 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -8,10 +8,10 @@ # Number of seconds of inactivity before the screen goes blank # Set to 0 seconds if you want to deactivate the screensaver. -idle-delay=uint32 {{ ubtu22cis_screensaver_idle_delay }} +idle-delay=uint32 {{ rhel9cis_screensaver_idle_delay }} # Specify the dconf path [org/gnome/desktop/screensaver] # Number of seconds after the screen is blank before locking the screen -lock-delay=uint32 {{ ubtu22cis_screensaver_lock_delay }} +lock-delay=uint32 {{ rhel9cis_screensaver_lock_delay }} From 5eb72bc54466832cb243c9fa4d1f9dfd16c7a4e7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 11:21:31 +0000 Subject: [PATCH 067/143] updated banner message Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ab0c146..80183cb 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -495,8 +495,7 @@ rhel9_nftables_ports: type: protocol rule: accept # Warning Banner Content (issue, issue.net, motd) -rhel9cis_warning_banner: | - Authorized uses only. All activity may be monitored and reported. +rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and reported. # End Banner ## Section4 vars From 6541736459b4b6832b195f0e3fbab822aee3985d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 11:21:47 +0000 Subject: [PATCH 068/143] updated to template for banner Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.8.x.yml | 44 +++++++++++++++++++++-------------- 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 45124ec..a25c783 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -7,6 +7,7 @@ when: - rhel9cis_rule_1_8_1 - "'gdm' in ansible_facts.packages" + - not rhel9cis_gui tags: - level2-server - patch 
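Review bot: Switching `rhel9cis_warning_banner` from a `|` block scalar to a plain scalar also drops the trailing newline; the dconf keyfile needs it gone, but the issue/issue.net/motd consumers named in the comment may rely on it, and unless those tasks add a newline themselves /etc/issue and friends now end without one (their tasks are not in this diff). Rather than make every consumer depend on the scalar style, normalise at each point of use — `| trim` where a single line is required and `"{{ rhel9cis_warning_banner | trim }}\n"` for the banner files — so an operator who restores a multi-line banner in group_vars does not break the GDM keyfile.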
@@ -15,23 +16,32 @@ - rule_1.8.1 - name: "1.8.2 | PATCH | Ensure GDM login banner is configured" - ansible.builtin.lineinfile: - path: "{{ item.file }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - state: present - create: true - owner: root - group: root - mode: 0644 + block: + - name: "1.8.2 | PATCH | Ensure GDM login banner is configured | gdm profile" + ansible.builtin.lineinfile: + path: /etc/dconf/profile/gdm + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + state: present + create: true + owner: root + group: root + mode: 0644 + notify: Reload dconf + with_items: + - { regexp: 'user-db', line: 'user-db:user' } + - { regexp: 'system-db', line: 'system-db:gdm' } + - { regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } + + - name: "1.8.2 | PATCH | Ensure GDM login banner is configured | gdm profile" + ansible.builtin.template: + src: etc/dconf/db/gdm.d/01-banner-message.j2 + dest: /etc/dconf/db/gdm.d/01-banner-message + owner: root + group: root + mode: 0644 + notify: Reload dconf - with_items: - - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } - - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " } when: - rhel9cis_rule_1_8_2 - rhel9cis_gui @@ -77,7 +87,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" create: true - user: root + owner: root group: root mode: 0644 loop: From b83083c2003f299ff537cae2c5ee13f261b10981 Mon Sep 17 00:00:00 2001 
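Review bot: The three `regexp` values in the gdm-profile task (`user-db`, `system-db`, `file-db`) are unanchored, so `lineinfile` also rewrites a commented `# system-db:gdm` line or any line merely containing the token, and they differ from the `^user-db`/`^system-db` anchors the 1.8.4 task uses for the user profile; anchor them, e.g. `- { regexp: '^user-db', line: 'user-db:user' }` and likewise for the other two. The second sub-task is also named `| gdm profile` although it writes the banner keyfile; `| banner message` would make play output unambiguous. The `when`/`tags` of the 1.8.2 task continue outside the hunk.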
From: Mark Bolwell Date: Fri, 20 Jan 2023 11:21:57 +0000 Subject: [PATCH 069/143] fix typos Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e7fe3b8..fde2a67 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -117,11 +117,11 @@ rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_3 }} rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_4 }} rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_5 }} -rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_8_6 }} -rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_7 }} -rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_8 }} -rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_9 }} -rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_10 }} +rhel9cis_rule_1_8_6: {{ rhel9cis_rule_1_8_6 }} +rhel9cis_rule_1_8_7: {{ rhel9cis_rule_1_8_7 }} +rhel9cis_rule_1_8_8: {{ rhel9cis_rule_1_8_8 }} +rhel9cis_rule_1_8_9: {{ rhel9cis_rule_1_8_9 }} +rhel9cis_rule_1_8_10: {{ rhel9cis_rule_1_8_10 }} # 1.9 Ensure updates, patches, and additional security software are installed rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} # Ensure system-wide crypto policy is not legacy From 0df5481788438c9f463b7d6e2c9ddbdb3467f3f0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 11:22:06 +0000 Subject: [PATCH 070/143] initial Signed-off-by: Mark Bolwell --- templates/etc/dconf/db/gdm.d/01-banner-message.j2 | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 templates/etc/dconf/db/gdm.d/01-banner-message.j2 diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 new file mode 100644 index 0000000..f83a74a --- /dev/null +++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 
@@ -0,0 +1,7 @@ +## Ansible controlled file +# Added as part of CIS +# provided by MindPointGroup LLC + +[org/gnome/login-screen] +banner-message-enable=true +banner-message-text="{{ rhel9cis_warning_banner }}" From 900d0f8d8e68a721f1fe6d13327f1ac76d0d8575 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 11:25:53 +0000 Subject: [PATCH 071/143] lint updates Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.8.x.yml | 40 +++++++++++++++++------------------ 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index a25c783..68faa94 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -124,19 +124,19 @@ block: - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" - owner: root - group: root - mode: 0755 - state: directory + path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: 0755 + state: directory - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lockfile" ansible.builtin.template: - src: etc/dconf/db/00-screensaver_lock.j2 - dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" - owner: root - group: root - mode: 0644 + src: etc/dconf/db/00-screensaver_lock.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" + owner: root + group: root + mode: 0644 notify: Reload dconf when: - rhel9cis_rule_1_8_5 
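Review bot: `banner-message-text="{{ rhel9cis_warning_banner }}"` interpolates the banner unescaped inside a double-quoted GVariant string; a banner containing `"`, `\` or a newline (the variable was a multi-line block scalar until the previous commit, and an operator may set it that way again) yields a keyfile that `dconf update` rejects, so the login banner silently stays unset while the role reports changed. Escape at the point of use: `banner-message-text="{{ rhel9cis_warning_banner | trim | replace('\\', '\\\\') | replace('"', '\\"') | replace('\n', '\\n') }}"`, which keeps the keyfile valid for any value the operator supplies.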
@@ -226,19 +226,19 @@ block: - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lock directory" ansible.builtin.file: - path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" - owner: root - group: root - mode: 0755 - state: directory + path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" + owner: root + group: root + mode: 0755 + state: directory - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lockfile" ansible.builtin.template: - src: etc/dconf/db/00-autorun_lock.j2 - dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock" - owner: root - group: root - mode: 0644 + src: etc/dconf/db/00-autorun_lock.j2 + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock" + owner: root + group: root + mode: 0644 notify: Reload dconf when: - rhel9cis_rule_1_8_9 From aa19388de63a95f73c3b6fd8e11b262c41ec4bfe Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 12:34:07 +0000 Subject: [PATCH 072/143] tidy comments Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.8.x.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 68faa94..2836cee 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -102,7 +102,7 @@ mode: 0755 state: directory - - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | screensaver" + - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make conf file" ansible.builtin.template: src: etc/dconf/db/00-screensaver.j2 dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-screensaver" 
@@ -122,7 +122,7 @@ - name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden" block: - - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lock directory" + - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock directory" ansible.builtin.file: path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root @@ -130,7 +130,7 @@ mode: 0755 state: directory - - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | make lockfile" + - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file" ansible.builtin.template: src: etc/dconf/db/00-screensaver_lock.j2 dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" From 10f3a025d26974005da06d4c3814faa8225f8795 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 13:33:12 +0000 Subject: [PATCH 073/143] gui fix 2.2.1 Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.2.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index aac8a27..496a92f 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -8,6 +8,7 @@ when: - rhel9cis_rule_2_2_1 - "'xorg-x11-server-common' in ansible_facts.packages" + - not rhel9cis_gui tags: - level1-server - patch From 3f76affa5b0d653f9c287d92ce352f401fd3acee Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 13:34:30 +0000 Subject: [PATCH 074/143] changed_when for idempotency. 5.6. Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 884efd8..6100b0b 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml 
@@ -116,6 +116,7 @@ block: - name: "5.6.6 | PATCH | Ensure root password is set" ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt" + changed_when: false register: root_passwd - name: "5.6.6 | PATCH | Ensure root password is set" From 02113b783aca242fe952ed68cf41889232e37b00 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 13:36:34 +0000 Subject: [PATCH 075/143] Addec changed_when 6.2.1 Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 647a150..27c101d 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -4,6 +4,7 @@ block: - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | discover" ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd + changed_when: false register: shadow_passwd - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Output" From fdf298328cb3ff3ff7ea96d82c6a1e31aa039370 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 20 Jan 2023 17:14:24 +0000 Subject: [PATCH 076/143] documented 1.2.4 for rhel Signed-off-by: Mark Bolwell --- README.md | 6 ++++++ defaults/main.yml | 3 +++ tasks/prelim.yml | 1 + tasks/section_1/cis_1.2.x.yml | 7 ++++--- 4 files changed, 14 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f54c90f..9829e4c 100644 --- a/README.md +++ b/README.md @@ -82,3 +82,9 @@ Below is an example of the tag section from a control within this role. Using th - patch - rule_2.2.4 ``` + +### Known Issues + +CIS 1.2.4 - repo_gpgcheck is not carried out for RedHat hosts as the default repos do not have this function. Rocky and Alma not affected. +Variable used to unset. +rhel9cis_rhel_default_repo: true # to be set to false if using repo that does have this ability 
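Review bot: `passwd -S root | grep "Password set, SHA512 crypt"` exits 1 whenever root's password is anything but SHA-512 — a locked account, or on RHEL 9 (where yescrypt is the default hashing method, and the benchmark's hashing control accepts it as I read it) a properly set password — and the task has no `failed_when`, so the audit step aborts the play instead of feeding the remediation that follows. Add `failed_when: root_passwd.rc > 1` beside the new `changed_when: false`, and consider `grep -E "Password set, (SHA512 crypt|yescrypt)"` so a compliant yescrypt hash is not treated as unset. The remediation task that consumes `root_passwd` continues outside the hunk.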
diff --git a/defaults/main.yml b/defaults/main.yml index 80183cb..9d72d7b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -365,6 +365,9 @@ rhel9cis_rh_sub_password: password # RedHat Satellite Subscription items rhel9cis_rhnsd_required: false +# 1.2.4 repo_gpgcheck +rhel9cis_rhel_default_repo: true + # 1.4.2 Bootloader password rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' rhel9cis_bootloader_password: random diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 9209849..3593a90 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -112,6 +112,7 @@ state: latest when: - rhel9cis_rule_1_2_4 + - ansible_distribution != 'RedHat' - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" ansible.builtin.package: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 62fae23..67128a7 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -101,16 +101,17 @@ register: repo_files - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" - ansible.builtin.lineinfile: + ansible.builtin.replace: path: "{{ item.path }}" - regexp: '^repo_gpgcheck' - line: repo_gpgcheck=1 + regexp: '^repo_gpgcheck( |)=( |)0' + replace: repo_gpgcheck=1 loop: "{{ repo_files.files }}" loop_control: label: "{{ item.path }}" when: - rhel9cis_rule_1_2_4 + - not rhel9cis_rhel_default_repo or ansible_distribution != 'RedHat' tags: - level1-server - level1-workstation From deb509c8733cbf090e3db336c021ce3df6b8621f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 11:22:48 +0000 Subject: [PATCH 077/143] updated alma image ID 
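Review bot: The new `replace` regex `'^repo_gpgcheck( |)=( |)0'` only flips a literal `0`; dnf boolean options also accept `false` and `no` (dnf.conf(5)), and a tab around `=` is not matched either, so a repo file with `repo_gpgcheck = no` keeps metadata-signature checks off while the task reports ok. Use `regexp: '(?i)^repo_gpgcheck\s*=\s*(0|false|no)\s*$'` so every disabling spelling is rewritten. The `tags` of the 1.2.4 block continue outside the hunk.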
Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars index a5e2fda..634512b 100644 --- a/.github/workflows/OS.tfvars +++ b/.github/workflows/OS.tfvars @@ -1,5 +1,5 @@ #Ami Alma 9 -ami_id = "ami-02881bd671eb4ac61" +ami_id = "ami-0845395779540e3cb" ami_os = "rhel9" ami_username = "ec2-user" ami_user_home = "/home/ec2-user" From 5bcb791647befa8defa7b3c7a944bd38b4d22d8b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 13:58:50 +0000 Subject: [PATCH 078/143] lint updates Signed-off-by: Mark Bolwell --- .yamllint | 8 +------- tasks/section_1/cis_1.1.3.x.yml | 3 +-- tasks/section_1/cis_1.2.x.yml | 12 ++++++------ 3 files changed, 8 insertions(+), 15 deletions(-) diff --git a/.yamllint b/.yamllint index 693eec6..4823010 100644 --- a/.yamllint +++ b/.yamllint @@ -9,12 +9,6 @@ ignore: | extends: default rules: - indentation: - # Requiring 4 space indentation - spaces: 4 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent - truthy: disable braces: max-spaces-inside: 1 level: error @@ -32,4 +26,4 @@ rules: trailing-spaces: enable truthy: allowed-values: ['true', 'false'] - check-keys: false + check-keys: true diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 649657f..84135ae 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -39,7 +39,7 @@ when: - item.mount == "/var" - rhel9cis_rule_1_1_3_2 or - rhel9cis_rule_1_1_3_3 + rhel9cis_rule_1_1_3_3 tags: - level1-server - level1-workstation @@ -48,4 +48,3 @@ - skip_ansible_lint - rule_1.1.3.2 - rule_1.1.3.3 - diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 67128a7..452c009 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
@@ -90,9 +90,9 @@ block: - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | dnf.conf" ansible.builtin.lineinfile: - path: /etc/dnf/dnf.conf - regexp: '^repo_gpgcheck' - line: repo_gpgcheck=1 + path: /etc/dnf/dnf.conf + regexp: '^repo_gpgcheck' + line: repo_gpgcheck=1 - name: "1.2.4 | AUDIT| Ensure repo_gpgcheck is globally activated | get repo files" ansible.builtin.find: @@ -102,9 +102,9 @@ - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" ansible.builtin.replace: - path: "{{ item.path }}" - regexp: '^repo_gpgcheck( |)=( |)0' - replace: repo_gpgcheck=1 + path: "{{ item.path }}" + regexp: '^repo_gpgcheck( |)=( |)0' + replace: repo_gpgcheck=1 loop: "{{ repo_files.files }}" loop_control: label: "{{ item.path }}" From 95e574343a14709d9431578fe4116c7d70fc0b42 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 16:07:59 +0000 Subject: [PATCH 079/143] makefile tested Signed-off-by: Mark Bolwell --- Makefile | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) mode change 100644 => 100755 Makefile diff --git a/Makefile b/Makefile old mode 100644 new mode 100755 index 46a81d1..24e9763 --- a/Makefile +++ b/Makefile 
@@ -1,11 +1,32 @@ -# TESTS +.PHONY: all galaxy-install ansible-list yamllint pip-requirements help -all: yamllint + +GALAXY=ansible-galaxy +ANSIBLE_LINT=ansible-lint +ANSIBLE_FILE=site.yml + +all: help + +help: + @echo "Make command examples for Ansible" + @echo "Command for assisting with ansible setup" + @echo " galaxy-install to install roles using ansible-galaxy" + @echo " ansible-lint to lint playbook files" + @echo " yamllint to lint playbook files" + @echo " pip-requirements add pip required file" + + +galaxy-install: + $(GALAXY) install -r ./collections/requirements.yml + +ansible-lint: + $(ANSIBLE-LINT) $(ANSIBLE_FILE) yamllint: git ls-files "*.yml"|xargs yamllint -requirements: +pip-requirements: @echo 'Python dependencies:' @cat requirements.txt - pip install -r requirements.txt + $(ANSIBLE_LINT) install -r requirements.txt + From 255fc771ebf46bec198195722c0b917cf3affc76 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 16:08:11 +0000 Subject: [PATCH 080/143] syntax update Signed-off-by: Mark Bolwell --- meta/main.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/meta/main.yml b/meta/main.yml index b4a804e..c60c6a7 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,7 +1,7 @@ --- galaxy_info: author: "Sam Doran, Josh Springer, Daniel Shepherd, Bas Meijeri, James Cassell, Mike Renfro, DFed, George Nalen, Mark Bolwell" - description: "Apply the RHEL 8 CIS" + description: "Apply the RHEL 9 CIS" company: "MindPoint Group" license: MIT role_name: rhel9_cis @@ -10,7 +10,7 @@ galaxy_info: platforms: - name: EL versions: - - 9 + - "9" galaxy_tags: - system - security @@ -22,6 +22,9 @@ galaxy_info: - complianceascode - disa - rhel9 + - cis + - rocky + - alma collections: - community.general - community.crypto From f59c2ccb6dd6c1bd85c7c44002c9980a334ffd31 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 16:08:19 +0000 Subject: [PATCH 081/143] changelog updated 
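Review bot: The `ansible-lint` target expands `$(ANSIBLE-LINT)`, a variable that is never defined (the definition is `ANSIBLE_LINT`), so the recipe degrades to executing `site.yml` as a command; `pip-requirements` runs `$(ANSIBLE_LINT) install -r requirements.txt`, i.e. `ansible-lint install …`, instead of pip; and `.PHONY` lists `ansible-list` rather than `ansible-lint`, so a file of that name would shadow the target. Fix the three lines: `.PHONY: all galaxy-install ansible-lint yamllint pip-requirements help`, `$(ANSIBLE_LINT) $(ANSIBLE_FILE)`, and `pip install -r requirements.txt`. The commit says "makefile tested", but neither lint target can have run as written.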
Signed-off-by: Mark Bolwell --- Changelog.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Changelog.md b/Changelog.md index 506b67a..78e08e1 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,18 @@ # Changes to rhel9CIS +## CIS v1.0.0 - Dec 2022 + +### Official CIS release + +- Lint file updates and improvements +- Many controls moved ID references +- Audit updates aligned +- Command warn arg removed +- Ansible 2.14 now supported +- makefile added (hopefully help some) +- fqcn added to all controls +- some controls rewritten using module rather than shell + ## 0.5 - audit path updated and output file name From 37b2faefa301af4a513a70dfd574adff81bd5de7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 16:21:56 +0000 Subject: [PATCH 082/143] tidy up Signed-off-by: Mark Bolwell --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 24e9763..c8bcd9c 100755 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -.PHONY: all galaxy-install ansible-list yamllint pip-requirements help +.PHONY: all help galaxy-install ansible-list yamllint pip-requirements GALAXY=ansible-galaxy From a72c81be1cf46d4a1a30548bc67e69e3ef95612b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 16:22:12 +0000 Subject: [PATCH 083/143] added callback plugin for yaml Signed-off-by: Mark Bolwell --- ansible.cfg | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ansible.cfg b/ansible.cfg index 831f01d..3bae35d 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -7,6 +7,12 @@ nocows=1 retry_files_save_path=/dev/null library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:./library +# Use the YAML callback plugin. +stdout_callback = yaml +# Use the stdout_callback when running ad-hoc commands. +bin_ansible_callbacks = True + + [privilege_escalation] [paramiko_connection] From c3cf685c914842957b3ff80a055505de85135f02 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Mon, 23 Jan 2023 16:22:18 +0000 Subject: [PATCH 084/143] updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 78e08e1..7fe29f7 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,9 +1,11 @@ # Changes to rhel9CIS -## CIS v1.0.0 - Dec 2022 +## Initial CIS v1.0.0 - released Dec 2022 ### Official CIS release +Jan-2023 release + - Lint file updates and improvements - Many controls moved ID references - Audit updates aligned @@ -12,6 +14,9 @@ - makefile added (hopefully help some) - fqcn added to all controls - some controls rewritten using module rather than shell +- incorporates issues + - #23 + - #24 ## 0.5 From fc0f39844b3f55fe24f2e88c901536da19442d8f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 16:22:31 +0000 Subject: [PATCH 085/143] updated Signed-off-by: Mark Bolwell --- README.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 9829e4c..fc0376e 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,7 @@ -# Development Only -## RHEL 9 CIS (predicted) - Beta - CIS baselines or OS not yet GA +# RHEL 9 CIS -## Testing if you have access to the RH developer branches - -### This should work on RHEL8 and derivatives currently +## v1.0.0 - released Dec 2022 ![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL9-CIS/CommunityToDevel?label=Devel%20Build%20Status&style=plastic) ![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL9-CIS/DevelToMain?label=Main%20Build%20Status&style=plastic) 
@@ -42,7 +39,9 @@ Rocky 9 - Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) -**General:** +- makefile - this is there purely for testing and initial setup purposes. + +## General - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible - [Main Ansible documentation page](https://docs.ansible.com) @@ -60,7 +59,9 @@ Rocky 9 - Ansible 2.9+ - python-def (should be included in RHEL 9) - libselinux-python -- jmespath +- pip packages + - jmespath ( complete list found in requirements.txt) +- collections found in collections/requirememnts.yml ## Role Variables From 032e73348a5a5617ad7dd533bc40fa75999424ed Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 17:01:27 +0000 Subject: [PATCH 086/143] removed vars not used any longer Signed-off-by: Mark Bolwell --- defaults/main.yml | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9d72d7b..8a791b1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -475,10 +475,7 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public -# These are the default service add accordingly -rhel9_firewalld_service: - - ssh - - dhcpv6-client + # These are added to demonstrate how this can be done rhel9cis_firewalld_ports: - number: 80 @@ -488,15 +485,7 @@ rhel9cis_firewalld_ports: rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true -rhel9_nftables_ports: - - port: ssh - protocol: tcp - type: dport - rule: accept - - port: igmp - protocol: ip - type: protocol - rule: accept + # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and reported. # End Banner 
From 6b219f32610ec3cd0b0da36e15c5bd4ff1446c8a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 17:03:42 +0000 Subject: [PATCH 087/143] fix typo Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 89e3161..c1fdd79 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -89,7 +89,7 @@ - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" ansible.builtin.debug: - msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" + msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" From 939a06d3727bf64311effc242cdd35ce7b3926b0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 17:28:52 +0000 Subject: [PATCH 088/143] Ensure package installed Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.1.x.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index ab15169..684d0a5 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -37,6 +37,11 @@ - item in ansible_facts.packages - rhel9cis_firewall == 'firewalld' + - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | package installed" + ansible.builtin.package: + name: "{{ rhel9cis_firewall }}" + state: installed + - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" ansible.builtin.systemd: name: "{{ rhel9cis_firewall }}" From a4919ae339bd4a1b2b1168d5ccfed3c6051aad69 Mon Sep 17 00:00:00 2001 
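Review bot: `state: installed` is not one of the states documented for ansible.builtin.package (`present`, `absent`, `latest`); it works only because the dnf/yum backends accept it as an alias, and ansible-lint reports it, so change it to `state: present`. The task also installs whatever `rhel9cis_firewall` holds without validating it, so a typo surfaces as a package-not-found failure halfway through section 3; an `ansible.builtin.assert` in prelim that the value is one of the utilities the role actually handles would fail earlier and more clearly. The enclosing 3.4.1.2 block and its `when` are outside the hunk.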
From: Mark Bolwell Date: Mon, 23 Jan 2023 18:43:03 +0000 Subject: [PATCH 089/143] removed file not required Signed-off-by: Mark Bolwell --- .github/workflows/test.sh | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 .github/workflows/test.sh diff --git a/.github/workflows/test.sh b/.github/workflows/test.sh deleted file mode 100644 index 1a7202a..0000000 --- a/.github/workflows/test.sh +++ /dev/null @@ -1,6 +0,0 @@ -RHEL7=$(grep -c RHEL7 OS.tfvars) -if [ `echo $?` != 0 ]; then - exit 0 -fi - - From 511f9cf000a637cd1f45f453833f5c0bcca09db8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Jan 2023 18:43:23 +0000 Subject: [PATCH 090/143] Added urandom passwd for root Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 8d26a35..48e7eed 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,6 +87,12 @@ jobs: run: sleep 60s shell: bash +# Set up requirements for random root password CIS 5.6.6 + - name: add urandom passwd to root account + shell: bash + run: | + ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i .github/workflows/hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" --private-key ${{ secrets.SSH_PRV_KEY }} -b + # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master From ee9d7d6d153508908699016f631029989376c0a3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Jan 2023 10:22:26 +0000 Subject: [PATCH 091/143] updated to enable greater speed Signed-off-by: Mark Bolwell --- ansible.cfg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible.cfg b/ansible.cfg index 3bae35d..3bc6e07 100644 --- a/ansible.cfg +++ b/ansible.cfg 
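Review bot: The new step does not actually disable host-key checking: `ANSIBLE_HOST_KEY_CHECKING=False && ansible …` runs the assignment as its own command, so the variable is set in the shell but never exported to the `ansible` process that follows. Put the assignment directly in front of the command, `ANSIBLE_HOST_KEY_CHECKING=False ansible all -i .github/workflows/hosts.yml …`, or `export` it first. The `tr` character set is also wrapped in typographic quotes (`‘[:print:]’` as rendered here) rather than ASCII single quotes, so the quote bytes themselves become part of the set; a cleaner pipeline is `tr -dc '[:print:]' < /dev/urandom | head -c50 | passwd --stdin root`. Discarding the generated password is fine for a disposable CI host, but a one-line comment saying so next to the CIS 5.6.6 reference would stop someone reusing the step elsewhere.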
@@ -5,7 +5,7 @@ system_warnings=False command_warnings=False nocows=1 retry_files_save_path=/dev/null -library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:./library +pipelining=true # Use the YAML callback plugin. stdout_callback = yaml @@ -20,6 +20,7 @@ record_host_keys=False [ssh_connection] transfer_method=scp +ssh_args = -o ControlMaster=auto -o ControlPersist=60s [accelerate] From 64dc43fa229e42aebc8a6103d19095ba89f04017 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Jan 2023 10:22:58 +0000 Subject: [PATCH 092/143] enabled reboot of host Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 61da17c..dad096f 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -78,6 +78,7 @@ resource "local_file" "inventory" { run_audit: true system_is_ec2: true audit_git_version: devel + skip_reboot: false EOF } From eea2e1f4cc26446c4e216f192c262e1b4fc4e351 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Jan 2023 10:23:11 +0000 Subject: [PATCH 093/143] fixed new perms requirement Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index a36a744..632e4d1 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -6,7 +6,7 @@ dest: /etc/audit/rules.d/99_auditd.rules owner: root group: root - mode: 0600 + mode: 0640 register: audit_rules_updated notify: - Auditd_immutable_check From b5c57abc33f05e9cc6c829543f70755dcc87cb14 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Jan 2023 10:23:39 +0000 Subject: [PATCH 094/143] removed congrats statement Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 27c101d..ca4b892 100644 --- a/tasks/section_6/cis_6.2.x.yml 
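Review bot: The first hunk replaces the `library=` line instead of adding `pipelining=true` beside it, which silently drops `./library` and the user/system module paths from the module search path — unrelated to the speed-up in the commit message, and it will break any custom module the role ships in `library/`. Keep both lines: `library=~/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:./library` followed by `pipelining=true`. Two caveats deserve a comment in the file: pipelining needs `requiretty` absent from sudoers on the targets, and an explicit `ssh_args` replaces ansible-core's default string (which, if I recall correctly, already sets ControlMaster/ControlPersist and adds `-C`), so the second hunk changes little beyond dropping compression.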
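Review bot: The mode is written as a bare `0640`, which a YAML 1.1 loader turns into the integer 416 before Ansible sees it; it happens to work here, but Ansible's own guidance is to quote octal modes (`mode: '0640'`) so the string-to-octal conversion is done by the module and behaves identically inside loops. With `owner: root` and `group: root` the relaxation from 0600 to 0640 grants read access to the root group only, so it is not a security regression provided 0640 is the permission the benchmark now expects for rules.d files. The template source and the handler chain this task notifies are outside the hunk.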
+++ b/tasks/section_6/cis_6.2.x.yml @@ -53,11 +53,6 @@ check_mode: false register: rhel9cis_6_2_3_passwd_gid_check - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" - ansible.builtin.debug: - msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: rhel9cis_6_2_3_passwd_gid_check.stdout | length == 0 - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" ansible.builtin.debug: msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" From 0350e234feb671de26228a598353e82fe75c9b50 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Jan 2023 11:02:32 +0000 Subject: [PATCH 095/143] rhel_09 updates Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 10 ++++---- tasks/section_4/cis_4.2.1.x.yml | 4 ++-- tasks/section_6/cis_6.1.x.yml | 30 +++++++++++------------ tasks/section_6/cis_6.2.x.yml | 42 ++++++++++++++++----------------- 4 files changed, 43 insertions(+), 43 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 6a46b78..98ca671 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -31,20 +31,20 @@ changed_when: false failed_when: false check_mode: false - register: rhel_08_nmcli_available + register: rhel_09_nmcli_available - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" ansible.builtin.shell: nmcli radio wifi - register: rhel_08_wifi_enabled - changed_when: rhel_08_wifi_enabled.stdout != "disabled" + register: rhel_09_wifi_enabled + changed_when: rhel_09_wifi_enabled.stdout != "disabled" failed_when: false - when: rhel_08_nmcli_available.rc == 0 + when: rhel_09_nmcli_available.rc == 0 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" ansible.builtin.shell: nmcli radio all off changed_when: false failed_when: false - when: rhel_08_wifi_enabled is changed + when: rhel_09_wifi_enabled is changed when: - rhel9cis_rule_3_1_2 tags: diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index d2cac93..90c68e0 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -64,13 +64,13 @@ changed_when: false failed_when: false check_mode: false - register: rhel_08_4_2_1_5_audit + register: rhel_09_4_2_1_5_audit - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" ansible.builtin.debug: msg: - "These are the current logging configurations for rsyslog, please review:" - - "{{ rhel_08_4_2_1_5_audit.stdout_lines }}" + - "{{ rhel_09_4_2_1_5_audit.stdout_lines }}" - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting" ansible.builtin.blockinfile: diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 2360ec2..37b074d 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml 
@@ -126,16 +126,16 @@ ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 failed_when: false changed_when: false - register: rhel_08_6_1_9_perms_results + register: rhel_09_6_1_9_perms_results - name: "6.1.9 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" ansible.builtin.file: path: '{{ item }}' mode: o-w state: touch - with_items: "{{ rhel_08_6_1_9_perms_results.stdout_lines }}" + with_items: "{{ rhel_09_6_1_9_perms_results.stdout_lines }}" when: - - rhel_08_6_1_9_perms_results.stdout_lines is defined + - rhel_09_6_1_9_perms_results.stdout_lines is defined - rhel9cis_no_world_write_adjust when: - rhel9cis_rule_6_1_9 @@ -154,7 +154,7 @@ changed_when: false failed_when: false check_mode: false - register: rhel_08_6_1_10_audit + register: rhel_09_6_1_10_audit with_items: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" @@ -163,7 +163,7 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: msg: "Warning !! Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_08_6_1_10_audit.results }}" + with_items: "{{ rhel_09_6_1_10_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 @@ -193,7 +193,7 @@ check_mode: false failed_when: false changed_when: false - register: rhel_08_6_1_11_audit + register: rhel_09_6_1_11_audit with_items: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" 
@@ -202,7 +202,7 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: msg: "Warning !! Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_08_6_1_11_audit.results }}" + with_items: "{{ rhel_09_6_1_11_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 @@ -244,7 +244,7 @@ ansible.builtin.shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 failed_when: false changed_when: false - register: rhel_08_6_1_13_perms_results + register: rhel_09_6_1_13_perms_results with_items: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" @@ -252,16 +252,16 @@ - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: msg: "Warning!! Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_08_6_1_13_perms_results.stdout_lines }}" + with_items: "{{ rhel_09_6_1_13_perms_results.stdout_lines }}" when: - - rhel_08_6_1_13_perms_results.stdout is defined + - rhel_09_6_1_13_perms_results.stdout is defined - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: '6.1.13' when: - - rhel_08_6_1_13_perms_results.stdout is defined + - rhel_09_6_1_13_perms_results.stdout is defined when: - rhel9cis_rule_6_1_13 tags: @@ -278,7 +278,7 @@ ansible.builtin.shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 failed_when: false changed_when: false - register: rhel_08_6_1_14_perms_results + register: rhel_09_6_1_14_perms_results with_items: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" 
@@ -286,16 +286,16 @@ - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}" + with_items: "{{ rhel_09_6_1_14_perms_results.stdout_lines }}" when: - - rhel_08_6_1_14_perms_results.stdout is defined + - rhel_09_6_1_14_perms_results.stdout is defined - name: "6.1.14 | AUDIT | Audit SGID executables| warning" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: '6.1.14' when: - - rhel_08_6_1_14_perms_results.stdout is defined + - rhel_09_6_1_14_perms_results.stdout is defined when: - rhel9cis_rule_6_1_14 tags: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index ca4b892..ff30b6e 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -55,7 +55,7 @@ - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" ansible.builtin.debug: - msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" + msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_3_passwd_gid_check.stdout_lines | join (', ') }}" when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" @@ -64,7 +64,7 @@ warn_control_id: '6.2.3' when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 when: - - rhel9cis_rule_6_2_2 + - rhel9cis_rule_6_2_3 tags: - level1-server - level1-workstation 
@@ -140,7 +140,7 @@ - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" ansible.builtin.debug: - msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" + msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_6_user_username_check.stdout_lines }}" when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count" @@ -256,20 +256,20 @@ - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" ansible.builtin.stat: path: "{{ item }}" - register: rhel_08_6_2_10_audit + register: rhel_09_6_2_10_audit with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}" - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false - changed_when: rhel_08_6_2_10_patch_audit.stdout | length > 0 - register: rhel_08_6_2_10_patch_audit + changed_when: rhel_09_6_2_10_patch_audit.stdout | length > 0 + register: rhel_09_6_2_10_patch_audit when: - ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_10_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_10_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" + - "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" 
@@ -278,13 +278,13 @@ path: "{{ item.0 }}" recurse: true mode: a-st,g-w,o-rwx - register: rhel_08_6_2_10_patch + register: rhel_09_6_2_10_patch when: - not ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_10_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_10_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" + - "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" @@ -300,7 +300,7 @@ when: - not system_is_container with_nested: - - "{{ (ansible_check_mode | ternary(rhel_08_6_2_10_patch_audit, rhel_08_6_2_10_patch)).results | + - "{{ (ansible_check_mode | ternary(rhel_09_6_2_10_patch_audit, rhel_09_6_2_10_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - etype: group @@ -343,19 +343,19 @@ ansible.builtin.stat: path: "{{ item }}" with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}" - register: rhel_08_6_2_12_audit + register: rhel_09_6_2_12_audit - name: "6.2.12 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false - changed_when: rhel_08_6_2_12_patch_audit.stdout | length > 0 - register: rhel_08_6_2_12_patch_audit + changed_when: rhel_09_6_2_12_patch_audit.stdout | length > 0 + register: rhel_09_6_2_12_patch_audit when: - ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_12_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_12_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_09_6_2_12_audit.results | map(attribute='item') | list }}" + - "{{ rhel_09_6_2_12_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" 
@@ -364,13 +364,13 @@ path: "{{ item.0 }}" recurse: true mode: a-st,g-w,o-rwx - register: rhel_08_6_2_12_patch + register: rhel_09_6_2_12_patch when: - not ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_12_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_12_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_09_6_2_12_audit.results | map(attribute='item') | list }}" + - "{{ rhel_09_6_2_12_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" @@ -386,7 +386,7 @@ when: - not system_is_container with_nested: - - "{{ (ansible_check_mode | ternary(rhel_08_6_2_12_patch_audit, rhel_08_6_2_12_patch)).results | + - "{{ (ansible_check_mode | ternary(rhel_09_6_2_12_patch_audit, rhel_09_6_2_12_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - etype: group From 24391549697dae8d91ccb9a6e03a9d01dc6090ee Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 24 Jan 2023 11:02:40 +0000 Subject: [PATCH 096/143] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 7fe29f7..18369bf 100644 --- a/Changelog.md +++ b/Changelog.md @@ -14,6 +14,8 @@ Jan-2023 release - makefile added (hopefully help some) - fqcn added to all controls - some controls rewritten using module rather than shell +- typo fixes from rhel_08 inheritance +- workfolw update for 5.6.6 to set random root password to allow for testing - incorporates issues - #23 - #24 From 64a3e26e4f69727d4a12df5d913cdce2ef33263e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:29:19 +0000 Subject: [PATCH 097/143] moved su check to prelim Signed-off-by: Mark Bolwell --- tasks/main.yml | 19 ------------------- tasks/prelim.yml | 20 ++++++++++++++++++++ 2 files changed, 20 insertions(+), 19 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 981ade5..60374b3 100644 --- a/tasks/main.yml 
+++ b/tasks/main.yml @@ -80,25 +80,6 @@ tags: - always -- name: Check sugroup exists if used - block: - - name: "Check su group exists if defined" - ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group - register: sugroup_exists - changed_when: false - failed_when: sugroup_exists.rc >= 2 - tags: - - skip_ansible_lint - - - name: Check sugroup if defined exists before continuing - ansible.builtin.assert: - that: sugroup_exists.rc == 0 - msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" - when: - - rhel9cis_sugroup is defined - - rhel9cis_rule_5_7 - tags: - - rule_5.7 - name: Gather the package facts ansible.builtin.package_facts: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 3593a90..854e861 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -197,6 +197,26 @@ - rule_5.3.4 - rule_5.3.5 +- name: Check sugroup exists if used + block: + - name: "Check su group exists if defined" + ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group + register: sugroup_exists + changed_when: false + failed_when: sugroup_exists.rc >= 2 + tags: + - skip_ansible_lint + + - name: Check sugroup if defined exists before continuing + ansible.builtin.assert: + that: sugroup_exists.rc == 0 + msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" + when: + - rhel9cis_sugroup is defined + - rhel9cis_rule_5_7 + tags: + - rule_5.7 + - name: "PRELIM | Check for rhnsd service" ansible.builtin.shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" changed_when: false From f8577132f0790d6236020c9c3e09db9f93bcee6d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:29:51 +0000 Subject: [PATCH 098/143] removed old rhn check Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 854e861..702939c 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
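Review bot: `grep -w "{{ rhel9cis_sugroup }}" /etc/group` matches the group name anywhere on a line — including in the member list of an unrelated group — so the assert can pass while the group itself does not exist, and the 5.7 configuration that presumably names this group for pam_wheel would then refer to a missing group. Anchor the check to the group field, `grep -E "^{{ rhel9cis_sugroup }}:" /etc/group`, or better `getent group "{{ rhel9cis_sugroup }}"`, which also honours non-file NSS sources such as SSSD. Keeping `failed_when: sugroup_exists.rc >= 2` so that a missing group falls through to the assert is the right shape; adding `| quote` to the variable is cheap insurance since the value passes through a shell. The 5.7 task that consumes the variable is outside this hunk.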
@@ -217,19 +217,6 @@ tags: - rule_5.7 -- name: "PRELIM | Check for rhnsd service" - ansible.builtin.shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" - changed_when: false - check_mode: false - become: true - register: rhnsd_service_status - when: - - rhel9cis_rule_1_2_2 - - ansible_distribution == "RedHat" - tags: - - rule_1.2.2 - - skip_ansible_lint - - name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" block: - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" From df26c888ba016fdc7a71007ac9740feac040119c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:33:02 +0000 Subject: [PATCH 099/143] removed dnf clean up as not required Signed-off-by: Mark Bolwell --- tasks/post.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tasks/post.yml b/tasks/post.yml index 8facbd2..e482df6 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -1,11 +1,6 @@ --- # Post tasks -- name: Perform DNF package cleanup - ansible.builtin.package: - autoremove: true - changed_when: false - - name: Gather the package facts after remediation ansible.builtin.package_facts: manager: auto From a90941af41a8da76916454d77d1b72659f41319b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:33:14 +0000 Subject: [PATCH 100/143] fiex rule number 6.2.9 Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 702939c..5677f11 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -35,7 +35,7 @@ check_mode: false register: rhel9cis_uid_zero_accounts_except_root tags: - - rule_6.2.8 + - rule_6.2.9 - level1-server - level1-workstation - users From 4adb0ec812374ca6801bf214b01458f5cc6fdbfa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:41:32 +0000 Subject: [PATCH 101/143] standardize handler naming 
Signed-off-by: Mark Bolwell --- handlers/main.yml | 8 ++++---- tasks/auditd.yml | 4 ++-- tasks/section_1/cis_1.4.x.yml | 2 +- tasks/section_1/cis_1.5.x.yml | 2 +- tasks/section_1/cis_1.6.1.x.yml | 2 +- tasks/section_4/cis_4.1.1.x.yml | 8 ++++---- 6 files changed, 13 insertions(+), 13 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index a350df0..212eacc 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -56,7 +56,7 @@ - name: Reload dconf ansible.builtin.shell: dconf update -- name: grub2cfg +- name: Grub2cfg ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" ignore_errors: true # noqa ignore-errors tags: @@ -77,18 +77,18 @@ name: systemd-journal-upload state: restarted -- name: Systemd_daemon_reload +- name: Systemd daemon reload ansible.builtin.systemd: daemon-reload: true ## Auditd tasks note order for handlers to run -- name: Auditd_immutable_check +- name: Auditd immutable check ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules changed_when: false register: auditd_immutable_check -- name: Audit_immutable_fact +- name: Audit immutable fact ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" notify: Change_requires_reboot diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 632e4d1..6704125 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -9,8 +9,8 @@ mode: 0640 register: audit_rules_updated notify: - - Auditd_immutable_check - - Audit_immutable_fact + - Auditd immutable check + - Audit immutable fact - Restart auditd - name: POST | Set up auditd user logging exceptions diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index af1579f..f2dcaee 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -7,7 +7,7 @@ owner: root group: root mode: 0600 - notify: grub2cfg + notify: Grub2cfg when: - rhel9cis_set_boot_pass - rhel9cis_rule_1_4_1 
diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 6d3eb4e..443bfc1 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -5,7 +5,7 @@ path: /etc/systemd/coredump.conf regexp: '^Storage\s*=\s*(?!none).*' line: 'Storage=none' - notify: Systemd_daemon_reload + notify: Systemd daemon reload when: - rhel9cis_rule_1_5_1 - systemd_coredump.stat.exists diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index c1fdd79..6c52535 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -22,7 +22,7 @@ - enforcing=0 register: selinux_grub_patch ignore_errors: true # noqa ignore-errors - notify: grub2cfg + notify: Grub2cfg when: - rhel9cis_rule_1_6_1_2 tags: diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index 167f8d2..c430f2d 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -36,7 +36,7 @@ dest: /etc/default/grub regexp: 'audit=.' replace: 'audit=1' - notify: grub2cfg + notify: Grub2cfg when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" @@ -44,7 +44,7 @@ path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"' - notify: grub2cfg + notify: Grub2cfg when: "'audit=' not in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" when: - rhel9cis_rule_4_1_1_2 @@ -70,7 +70,7 @@ dest: /etc/default/grub regexp: 'audit_backlog_limit=\d+' replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}' - notify: grub2cfg + notify: Grub2cfg when: "'audit_backlog_limit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" 
@@ -78,7 +78,7 @@ path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' - notify: grub2cfg + notify: Grub2cfg when: "'audit_backlog_limit=' not in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" when: - rhel9cis_rule_4_1_1_3 From 2a39d54f41bcb2be1d9c5ce589c8ed2159c8d4b7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:41:47 +0000 Subject: [PATCH 102/143] remove conditional for parse etc passwd Signed-off-by: Mark Bolwell --- tasks/main.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 60374b3..c72dc5b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -111,8 +111,6 @@ - name: capture /etc/password variables ansible.builtin.include_tasks: parse_etc_password.yml - when: - - rhel9cis_section6 tags: - rule_5.5.2 - rule_5.6.2 @@ -161,8 +159,7 @@ - name: run auditd logic ansible.builtin.import_tasks: auditd.yml - when: - - update_audit_template + when: update_audit_template tags: - always @@ -180,8 +177,7 @@ - name: Show Audit Summary ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" - when: - - run_audit + when: run_audit - name: If Warnings found Output count and control IDs affected ansible.builtin.debug: From 9e633938998af3c03044054b325f643e67f3c48e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:47:13 +0000 Subject: [PATCH 103/143] removed state presnet from infile as default Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.8.x.yml | 1 - tasks/section_4/cis_4.2.1.x.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 2836cee..dff2930 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -22,7 +22,6 @@ path: /etc/dconf/profile/gdm regexp: "{{ item.regexp }}" line: "{{ item.line }}" - state: present create: true owner: root group: root 
diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 90c68e0..4eeb61d 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -75,7 +75,6 @@ - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting" ansible.builtin.blockinfile: path: /etc/rsyslog.conf - state: present marker: "# {mark} MAIL LOG SETTINGS (ANSIBLE MANAGED)" block: | # mail logging additions to meet CIS standards From 3c33ce50568cf3c7d38981bee99a1942934e3187 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:47:26 +0000 Subject: [PATCH 104/143] with_items to loop Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 18 +++++++++--------- tasks/section_6/cis_6.2.x.yml | 27 ++++++++++++--------------- 2 files changed, 21 insertions(+), 24 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 37b074d..a1c638d 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -133,7 +133,7 @@ path: '{{ item }}' mode: o-w state: touch - with_items: "{{ rhel_09_6_1_9_perms_results.stdout_lines }}" + loop: "{{ rhel_09_6_1_9_perms_results.stdout_lines }}" when: - rhel_09_6_1_9_perms_results.stdout_lines is defined - rhel9cis_no_world_write_adjust @@ -155,7 +155,7 @@ failed_when: false check_mode: false register: rhel_09_6_1_10_audit - with_items: "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" when: item['device'].startswith('/dev') and not 'bind' in item['options'] 
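Review bot: `state: touch` on each world-writable file rewrites its atime/mtime on every run and always reports changed, even when `o-w` was already removed — which also tramples timestamps an investigator might later rely on. `state: file` applies the mode to an existing path without touching timestamps and is idempotent. The `when: … stdout_lines is defined` guard is true whenever the find task ran, so `rhel_09_6_1_9_perms_results.stdout_lines | length > 0` would state the actual intent; the find task that registers the result is outside the hunk.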
@@ -163,7 +163,7 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: msg: "Warning !! Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_10_audit.results }}" + loop: "{{ rhel_09_6_1_10_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 @@ -194,7 +194,7 @@ failed_when: false changed_when: false register: rhel_09_6_1_11_audit - with_items: "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" when: item['device'].startswith('/dev') and not 'bind' in item['options'] @@ -202,7 +202,7 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: msg: "Warning !! Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_11_audit.results }}" + loop: "{{ rhel_09_6_1_11_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 @@ -245,14 +245,14 @@ failed_when: false changed_when: false register: rhel_09_6_1_13_perms_results - with_items: "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: msg: "Warning!! Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_13_perms_results.stdout_lines }}" + loop: "{{ rhel_09_6_1_13_perms_results.stdout_lines }}" when: - rhel_09_6_1_13_perms_results.stdout is defined 
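Review bot: `loop: "{{ rhel_09_6_1_13_perms_results.stdout_lines }}"` in the 6.1.13 alert task iterates an attribute the registered variable does not have: the find task above it runs per mount with `loop: "{{ ansible_mounts }}"`, so its result exposes `.results`, and the alert's own `item.item.mount` already assumes that shape. The guard `rhel_09_6_1_13_perms_results.stdout is defined` is false for the same reason, so the SUID warning is never printed; `loop: "{{ rhel_09_6_1_13_perms_results.results }}"` with `when: item.stdout_lines | length > 0`, as 6.1.10 and 6.1.11 do earlier in this file, would restore it. The message also reads `item.stout_lines` (typo for `stdout_lines`), which would render empty even once the loop is fixed. The 6.1.14 SGID task in the next hunk has the identical loop and typo.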
@@ -279,14 +279,14 @@ failed_when: false changed_when: false register: rhel_09_6_1_14_perms_results - with_items: "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.mount }}" - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_14_perms_results.stdout_lines }}" + loop: "{{ rhel_09_6_1_14_perms_results.stdout_lines }}" when: - rhel_09_6_1_14_perms_results.stdout is defined diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index ff30b6e..2a98e90 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -33,7 +33,7 @@ ansible.builtin.shell: passwd -l {{ item }} changed_when: false failed_when: false - with_items: "{{ empty_password_accounts.stdout_lines }}" + loop: "{{ empty_password_accounts.stdout_lines }}" when: - empty_password_accounts.rc - rhel9cis_rule_6_2_2 @@ -225,7 +225,7 @@ state=directory owner=root mode='o-w,g-w' - with_items: "{{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" + loop: "{{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" when: - rhel9cis_rule_6_2_8 tags: @@ -239,7 +239,7 @@ ansible.builtin.shell: passwd -l {{ item }} changed_when: false failed_when: false - with_items: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}" + loop: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}" when: - rhel9cis_uid_zero_accounts_except_root.rc - rhel9cis_rule_6_2_9 
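Review bot: In the 6.2.2 hunk, `loop: "{{ empty_password_accounts.stdout_lines }}"` feeds each line straight into `ansible.builtin.shell: passwd -l {{ item }}` without quoting; the file's own 6.2.10 task uses `{{ item.0 | quote }}`, so `passwd -l {{ item | quote }}` would follow that convention and keep a malformed passwd entry from being interpreted as shell syntax. The condition `when: - empty_password_accounts.rc` is only true when the audit command exited non-zero, which, if that audit is a plain grep/awk pipeline, is the case where nothing was found, so the lock may never run when it should; the registering task is outside the hunk, so the intended sense (`rc == 0` or `stdout_lines | length > 0`) needs confirming. The 6.2.9 hunk has the same pair of issues with `rhel9cis_uid_zero_accounts_except_root`.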
@@ -257,7 +257,7 @@ ansible.builtin.stat: path: "{{ item }}" register: rhel_09_6_2_10_audit - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}" + loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}" - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 @@ -321,7 +321,7 @@ path: "{{ item.dir }}" owner: "{{ item.id }}" state: directory - with_items: "{{ rhel9cis_passwd }}" + loop: "{{ rhel9cis_passwd }}" loop_control: label: "{{ rhel9cis_passwd_label }}" when: @@ -342,7 +342,7 @@ - name: "6.2.12 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive" ansible.builtin.stat: path: "{{ item }}" - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}" + loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}" register: rhel_09_6_2_12_audit - name: "6.2.12 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" @@ -365,14 +365,14 @@ recurse: true mode: a-st,g-w,o-rwx register: rhel_09_6_2_12_patch - when: - - not ansible_check_mode - - item.1.exists with_together: - "{{ rhel_09_6_2_12_audit.results | map(attribute='item') | list }}" - "{{ rhel_09_6_2_12_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" + when: + - not ansible_check_mode + - item.1.exists # set default ACLs so the homedir has an effective umask of 0027 - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" 
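Review bot: The 6.2.12 patch task still uses `with_together` after this commit migrated the rest of the file to `loop`, and the two mapped lists it zips are already paired inside `rhel_09_6_2_12_audit.results`. Looping the results directly — `loop: "{{ rhel_09_6_2_12_audit.results }}"`, `label: "{{ item.item }}"`, `when: - not ansible_check_mode - item.stat.exists` — drops both `map` pipelines; the `path:` line of that task sits above the hunk and would become `{{ item.item }}`. Moving `when` below `loop_control` is cosmetic and changes nothing at runtime.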
@@ -407,8 +407,7 @@ ansible.builtin.file: path: "{{ item }}/.netrc" state: absent - with_items: - - "{{ interactive_users_home.stdout_lines }}" + loop: "{{ interactive_users_home.stdout_lines }}" when: - rhel9cis_rule_6_2_13 tags: @@ -423,8 +422,7 @@ ansible.builtin.file: path: "{{ item }}/.forward" state: absent - with_items: - - "{{ interactive_users_home.stdout_lines }}" + loop: "{{ interactive_users_home.stdout_lines }}" when: - rhel9cis_rule_6_2_14 tags: @@ -439,8 +437,7 @@ ansible.builtin.file: path: "~{{ item }}/.rhosts" state: absent - with_items: - - "{{ interactive_users_home.stdout_lines }}" + loop: "{{ interactive_users_home.stdout_lines }}" when: - rhel9cis_rule_6_2_15 tags: From 466e88613e5e1abcd45081840409ebcaf9c512d6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:49:43 +0000 Subject: [PATCH 105/143] with_items to loop Signed-off-by: Mark Bolwell --- tasks/parse_etc_password.yml | 2 +- tasks/section_1/cis_1.1.2.x.yml | 3 +-- tasks/section_1/cis_1.1.3.x.yml | 3 +-- tasks/section_1/cis_1.1.4.x.yml | 3 +-- tasks/section_1/cis_1.1.5.x.yml | 3 +-- tasks/section_1/cis_1.1.6.x.yml | 3 +-- tasks/section_1/cis_1.1.7.x.yml | 3 +-- tasks/section_1/cis_1.8.x.yml | 4 ++-- 8 files changed, 9 insertions(+), 15 deletions(-) diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 76cb085..8ff13fd 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -11,7 +11,7 @@ - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries" ansible.builtin.set_fact: rhel9cis_passwd: "{{ rhel9cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" - with_items: "{{ rhel9cis_passwd_file_audit.stdout_lines }}" + loop: "{{ rhel9cis_passwd_file_audit.stdout_lines }}" vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) 
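Review bot: The 6.2.15 task at `@@ -439` removes `path: "~{{ item }}/.rhosts"`, but the items of the new `loop: "{{ interactive_users_home.stdout_lines }}"` are already absolute home directories (prelim extracts field 6 of /etc/passwd), so the tilde is prepended to a path rather than a user name; the file module expands `~/home/alice/.rhosts` relative to the HOME of the remote user running the task and never touches the real file. The 6.2.13 and 6.2.14 tasks in the same file use the bare `"{{ item }}/.netrc"` form, which is what 6.2.15 should use too. In the parse_etc_password hunk, the `loop:` on the set_fact is redundant — the expression reads the whole `stdout_lines` list and never references `item`, so the fact is simply recomputed once per line.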
diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index d55f5ec..b4e1888 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -33,8 +33,7 @@ state: present opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} notify: Remount tmp - with_items: - - "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" when: diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 84135ae..d873c51 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -31,8 +31,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %} - with_items: - - "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index b8ae48d..f063fbd 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -33,8 +33,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} - with_items: - - "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 9f556ba..1707f30 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml 
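Review bot: The `opts:` line in the cis_1.1.3.x hunk (`defaults,{% if … %}nodev,{% endif %}{% if … %}nosuid,{% endif %}`) always ends in a comma, because every branch — including both rules disabled — emits a trailing separator; cis_1.1.2.x and cis_1.1.4.x only avoid it when their last rule is enabled, and cis_1.1.5.x–1.1.7.x on the following line repeat the pattern. mount(8) appears to ignore an empty option, but /etc/fstab is left with a dangling `,` and the mount module's opts comparison may keep reporting the entry as changed. Building a list and joining it avoids the problem: `opts: "{{ (['defaults'] + (['nodev'] if rhel9cis_rule_1_1_3_2 else []) + (['nosuid'] if rhel9cis_rule_1_1_3_3 else [])) | join(',') }}"`. The enclosing mount tasks start above each hunk.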
@@ -33,8 +33,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} - with_items: - - "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index fcfa92b..274f668 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -32,8 +32,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} - with_items: - - "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 54da358..7f16610 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -32,8 +32,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %} - with_items: - - "{{ ansible_mounts }}" + loop: "{{ ansible_mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index dff2930..6ebe4ae 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -27,7 +27,7 @@ group: root mode: 0644 notify: Reload dconf - with_items: + loop: - { regexp: 'user-db', line: 'user-db:user' } - { regexp: 'system-db', line: 'system-db:gdm' } - { regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } 
@@ -62,7 +62,7 @@ group: root mode: 0644 notify: Reload dconf - with_items: + loop: - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults'} From 674e0fab1643ada57551cb1da4ac7061d6bad6cf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 09:59:33 +0000 Subject: [PATCH 106/143] with_items to loop Signed-off-by: Mark Bolwell --- tasks/post.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/post.yml b/tasks/post.yml index e482df6..3a2426e 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -16,7 +16,7 @@ mode: 0600 register: sysctl_updated notify: Reload sysctl - with_items: + loop: - 60-kernel_sysctl.conf - 60-disable_ipv6.conf - 60-netipv4_sysctl.conf From 7760f351614acf81199b60d9e0ccbaa9793c619e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 10:01:14 +0000 Subject: [PATCH 107/143] with_items to loop Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 3 +-- tasks/section_3/cis_3.4.1.x.yml | 6 ++---- tasks/section_3/cis_3.4.2.x.yml | 2 +- tasks/section_4/cis_4.3.yml | 2 +- 4 files changed, 5 insertions(+), 8 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 98ca671..3a8e745 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -62,8 +62,7 @@ mode: "0600" owner: root group: root - with_items: - - tipc + loop: tipc # note the item used in the template - name: "3.1.3 | PATCH | Ensure TIPC is disabled | blacklist" ansible.builtin.lineinfile: diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 684d0a5..e028734 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml 
@@ -21,8 +21,7 @@ ansible.builtin.systemd: name: "{{ item }}" masked: true - with_items: - - firewalld + loop: firewalld when: - item in ansible_facts.packages - rhel9cis_firewall == 'nftables' @@ -31,8 +30,7 @@ ansible.builtin.systemd: name: "{{ item }}" masked: true - with_items: - - nftables + loop: nftables when: - item in ansible_facts.packages - rhel9cis_firewall == 'firewalld' diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 60e769a..38c1efa 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -102,7 +102,7 @@ - name: "3.4.2.3 | PATCH | Ensure nftables base chains exist | Create chains if needed" ansible.builtin.shell: "{{ item }}" failed_when: false - with_items: + loop: - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index ac0078c..0038b34 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -23,7 +23,7 @@ path: "{{ item.path }}" regexp: '^(\s*)(daily|weekly|monthly|yearly)$' replace: "\\1{{ rhel9cis_logrotate }}" - with_items: + loop: - "{{ log_rotates.files }}" - { path: "/etc/logrotate.conf" } loop_control: From 9fe177f9cebb5f351efeeb1e43e903d6df0ffa47 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 25 Jan 2023 11:35:47 +0000 Subject: [PATCH 108/143] standardise naming and move items to prelim Signed-off-by: Mark Bolwell --- tasks/main.yml | 18 ------------------ tasks/prelim.yml | 38 ++++++++++++++++++++++++++++---------- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index c72dc5b..47940fc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
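Review bot: In the cis_3.4.2.x hunk, the three `nft create chain` commands run through `ansible.builtin.shell` with `failed_when: false` and no `changed_when`, so a genuinely failed chain creation (nft missing, table absent, syntax error) is indistinguishable from the expected "chain already exists" case and the task always reports changed. Registering the result and failing only on unexpected errors — `register: nft_chains`, `failed_when: nft_chains.rc != 0 and 'exists' not in nft_chains.stderr`, `changed_when: nft_chains.rc == 0` — keeps the control honest; the exact text nft emits for an existing chain should be confirmed before relying on it. The `loop: firewalld` / `loop: nftables` scalars in the cis_3.4.1.x hunks are not lists and are turned into lists by a later commit on this page.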
@@ -103,24 +103,6 @@ when: - run_audit -- name: Gather the package facts after prelim - ansible.builtin.package_facts: - manager: auto - tags: - - always - -- name: capture /etc/password variables - ansible.builtin.include_tasks: parse_etc_password.yml - tags: - - rule_5.5.2 - - rule_5.6.2 - - rule_6.2.9 - - rule_6.2.10 - - rule_6.2.11 - - rhel9cis_section5 - - rhel9cis_section6 - - level1-server - - name: run Section 1 tasks ansible.builtin.import_tasks: section_1/main.yml when: rhel9cis_section1 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5677f11..18e0c17 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -12,6 +12,18 @@ - level1-workstation - users +- name: "PRELIM | capture /etc/password variables" + ansible.builtin.include_tasks: parse_etc_password.yml + tags: + - rule_5.5.2 + - rule_5.6.2 + - rule_6.2.9 + - rule_6.2.10 + - rule_6.2.11 + - rhel9cis_section5 + - rhel9cis_section6 + - level1-server + - name: "PRELIM | Interactive User accounts" ansible.builtin.shell: 'cat /etc/passwd | grep -Ev "nologin|/sbin" | cut -d: -f6' changed_when: false @@ -95,7 +107,7 @@ path: /sys/firmware/efi register: rhel_09_efi_boot - - name: "PRELIM | AUDIT | set legacy boot and grub path | Bios" + - name: "PRELIM | set legacy boot and grub path | Bios" ansible.builtin.set_fact: rhel9cis_legacy_boot: true grub2_path: /etc/grub2.cfg @@ -197,9 +209,9 @@ - rule_5.3.4 - rule_5.3.5 -- name: Check sugroup exists if used +- name: "PRELIM | Check sugroup exists if used" block: - - name: "Check su group exists if defined" + - name: "PRELIM | Check su group exists if defined" ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group register: sugroup_exists changed_when: false 
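Review bot: The sugroup check at `@@ -197` keeps `grep -w "{{ rhel9cis_sugroup }}" /etc/group` unanchored and unquoted, so a group name that appears only in another group's member list still satisfies the assert, and a value containing shell metacharacters is interpolated verbatim. `getent group "{{ rhel9cis_sugroup | quote }}"` (or anchoring with `^{{ rhel9cis_sugroup }}:`) checks the group itself; the `skip_ansible_lint` tag visible on this task in the next hunk suggests the shell usage has already been flagged once. Moving package_facts from main.yml to the end of prelim.yml keeps its position relative to the section tasks, so that part looks equivalent.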
@@ -207,7 +219,7 @@ tags: - skip_ansible_lint - - name: Check sugroup if defined exists before continuing + - name: "PRELIM | Check sugroup if defined exists before continuing" ansible.builtin.assert: that: sugroup_exists.rc == 0 msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" @@ -217,32 +229,38 @@ tags: - rule_5.7 -- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" +- name: "PRELIM | Discover Interactive UID MIN and MIN from logins.def" block: - - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" + - name: "PRELIM | Capture UID_MIN information from logins.def" ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_min_id - - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" + - name: "PRELIM | Capture UID_MAX information from logins.def" ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_max_id - - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" + - name: "PRELIM | Capture GID_MIN information from logins.def" ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: gid_min_id - - name: "PRELIM | AUDIT | set_facts for interactive uid/gid" + - name: "PRELIM | set_facts for interactive uid/gid" ansible.builtin.set_fact: min_int_uid: "{{ uid_min_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" -- name: Output of uid findings +- name: "PRELIM | Output of uid findings" ansible.builtin.debug: msg: "{{ min_int_uid }} {{ max_int_uid }}" when: - not discover_int_uid + +- name: "PRELIM | Gather the package facts after prelim" + ansible.builtin.package_facts: + manager: auto + tags: + - always From 10a6a2e0dd165c0551909e8a3c19bab1be433739 Mon Sep 17 00:00:00 2001 
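Review bot: The login.defs parsing at `@@ -217` stores `min_int_uid: "{{ uid_min_id.stdout }}"` with no check that the grep matched; if `UID_MIN` is commented out or absent, stdout is empty and the `| int` applied in section 6 turns `""` into 0, which silently widens the interactive-user range to every system account and lets the home-directory permission tasks act on them. An assert after the set_fact — `that: min_int_uid | length > 0 and max_int_uid | length > 0` — or an explicit `| default('1000')` with a warning would fail closed instead. Separately, the debug `Output of uid findings` is gated on `when: not discover_int_uid`, which reads inverted relative to the discovery block above it; that block's own `when` is outside the hunk, so please confirm.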
From: Mark Bolwell Date: Wed, 25 Jan 2023 11:36:12 +0000 Subject: [PATCH 109/143] with_items to loop Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 4 +++- tasks/section_3/cis_3.4.1.x.yml | 6 ++++-- tasks/section_4/cis_4.1.2.x.yml | 2 +- tasks/section_4/cis_4.2.2.x.yml | 4 ++-- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 3a8e745..6de9cd7 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -62,7 +62,9 @@ mode: "0600" owner: root group: root - loop: tipc # note the item used in the template + loop: + - tipc + # note the item used in the template - name: "3.1.3 | PATCH | Ensure TIPC is disabled | blacklist" ansible.builtin.lineinfile: diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index e028734..8f3aba9 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -21,7 +21,8 @@ ansible.builtin.systemd: name: "{{ item }}" masked: true - loop: firewalld + loop: + - firewalld when: - item in ansible_facts.packages - rhel9cis_firewall == 'nftables' @@ -30,7 +31,8 @@ ansible.builtin.systemd: name: "{{ item }}" masked: true - loop: nftables + loop: + - nftables when: - item in ansible_facts.packages - rhel9cis_firewall == 'firewalld' diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index e9cee1c..b830b1f 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -36,7 +36,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" notify: Restart auditd - with_items: + loop: - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' } - { regexp: '^action_mail_acct', line: 'action_mail_acct = {{ rhel9cis_auditd.action_mail_acct }}' } - { regexp: '^space_left_action', line: 'space_left_action = {{ rhel9cis_auditd.space_left_action }}' } 
diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index e22da77..72767a4 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -20,7 +20,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" notify: Restart systemd_journal_upload - with_items: + loop: - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'} - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'} - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'} @@ -154,7 +154,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" notify: Restart systemd_journal_upload - with_items: + loop: - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'} - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' } - { regexp: '^#RuntimeMaxUse=|^RuntimeMaxUse=', line: 'RuntimeMaxUse={{ rhel9cis_journald_runtimemaxuse }}'} From f9267a389b674e7caedadba9996ab2e734f2e209 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 08:29:03 +0000 Subject: [PATCH 110/143] remove state file on file module Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.7.x.yml | 3 --- tasks/section_4/cis_4.1.4.x.yml | 7 ------- tasks/section_5/cis_5.2.x.yml | 7 ++----- 3 files changed, 2 insertions(+), 15 deletions(-) diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index a66cb6c..9848bea 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -50,7 +50,6 @@ - name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" ansible.builtin.file: dest: /etc/motd - state: file owner: root group: root mode: 0644 @@ -66,7 +65,6 @@ - name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" ansible.builtin.file: dest: /etc/issue - state: file owner: root group: root mode: 0644 
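Review bot: In the cis_4.2.2.x hunk at `@@ -154`, the keys being set — `SystemMaxUse`, `SystemKeepFree`, `RuntimeMaxUse` — are journald.conf settings, yet the task notifies `Restart systemd_journal_upload`; journald itself is what must restart for those limits to take effect, so either the handler is mis-named or the wrong one is wired (the `path:` line is above the hunk, so confirm which file is edited). The first hunk's regexps (`'URL='`, `'ServerKeyFile='`) are unanchored while the second hunk's are `'^#SystemMaxUse=|^SystemMaxUse='`; anchoring the first set the same way (`'^#?URL='`) avoids rewriting an unrelated line that merely contains the substring.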
@@ -82,7 +80,6 @@ - name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" ansible.builtin.file: dest: /etc/issue.net - state: file owner: root group: root mode: 0644 diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index 5ee9b55..7139ab6 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -17,7 +17,6 @@ "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" ansible.builtin.file: path: "{{ audit_logfile.stdout }}" - state: file mode: 0640 owner: root group: root @@ -59,7 +58,6 @@ - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" ansible.builtin.file: path: "{{ item.path }}" - state: file mode: 0640 loop: "{{ auditd_conf_files.files }}" loop_control: @@ -77,7 +75,6 @@ - name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root" ansible.builtin.file: path: "{{ item.path }}" - state: file owner: root loop: "{{ auditd_conf_files.files }}" loop_control: @@ -94,7 +91,6 @@ - name: "4.1.4.7 | PATCH | Ensure audit configuration files belong to group root" ansible.builtin.file: path: "{{ item.path }}" - state: file group: root loop: "{{ auditd_conf_files.files }}" loop_control: @@ -125,7 +121,6 @@ - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" ansible.builtin.file: path: "{{ item.item }}" - state: file mode: 0750 register: "audit_bins" loop: "{{ audit_bins.results }}" @@ -144,7 +139,6 @@ - name: "4.1.4.9 | PATCH | Ensure audit tools are owned by root" ansible.builtin.file: path: "{{ item }}" - state: file owner: root group: root loop: @@ -166,7 +160,6 @@ - name: "4.1.4.10 | PATCH | Ensure audit tools belong to group root" ansible.builtin.file: path: "{{ item }}" - state: file group: root loop: - /sbin/auditctl diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index f0286d9..b67b018 100644 --- a/tasks/section_5/cis_5.2.x.yml 
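Review bot: The 4.1.4.8 patch task at `@@ -125` registers its result as `"audit_bins"`, the same variable its `loop: "{{ audit_bins.results }}"` reads; the loop is expanded before the register, so it works once, but afterwards `audit_bins` holds file-module results instead of the stat results any later task or re-run of the audit step expects. `register: audit_bins_patch` keeps both shapes available. Dropping `state: file` across these tasks is safe because the file module defaults to it for an existing path; `mode: 0750` is stricter than the "755 or more restrictive" title, which is fine but deserves a one-line comment so nobody "corrects" it.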
+++ b/tasks/section_5/cis_5.2.x.yml @@ -3,7 +3,6 @@ - name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" ansible.builtin.file: dest: /etc/ssh/sshd_config - state: file owner: root group: root mode: 0600 @@ -33,8 +32,7 @@ owner: root group: root mode: 0600 - with_items: - - "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}" + loop: "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}" loop_control: label: "{{ item.path }}" when: @@ -63,8 +61,7 @@ owner: root group: root mode: 0644 - with_items: - - "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}" + loop: "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}" loop_control: label: "{{ item.path }}" when: From e6417801680794641426ab87a9b2f14dfc27d070 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 08:29:30 +0000 Subject: [PATCH 111/143] replace module dest -> path Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.6.1.x.yml | 2 +- tasks/section_4/cis_4.1.1.x.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 6c52535..f05143c 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -14,7 +14,7 @@ - name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" ansible.builtin.replace: - dest: /etc/default/grub + path: /etc/default/grub regexp: '{{ item }}' replace: '' loop: diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index c430f2d..a8be25f 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -33,7 +33,7 @@ - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" ansible.builtin.replace: - dest: /etc/default/grub + path: /etc/default/grub regexp: 'audit=.' replace: 'audit=1' notify: Grub2cfg 
@@ -67,7 +67,7 @@ - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" ansible.builtin.replace: - dest: /etc/default/grub + path: /etc/default/grub regexp: 'audit_backlog_limit=\d+' replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}' notify: Grub2cfg From 904d7811d428f5324b439c92d08165c14be3827e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 08:29:54 +0000 Subject: [PATCH 112/143] moved when to same line Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.2.x.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 38c1efa..540bda0 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -10,8 +10,7 @@ - name: "3.4.2.1 | AUDIT | Ensure firewalld default zone is set" ansible.builtin.command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" - when: - - firewalld_zone_set.rc != 0 + when: firewalld_zone_set.rc != 0 when: - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_2_1 From 8694bfde756bbe8e79732016e13db95abb70e5ed Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 08:30:26 +0000 Subject: [PATCH 113/143] with_items to loop Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.3.x.yml | 9 +++------ tasks/section_5/cis_5.5.x.yml | 4 ++-- tasks/section_5/cis_5.6.1.x.yml | 6 ++---- tasks/section_5/cis_5.6.x.yml | 3 +-- 4 files changed, 8 insertions(+), 14 deletions(-) diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index 823d142..fc62baf 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -48,8 +48,7 @@ regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' replace: '\1PASSWD\2' validate: '/usr/sbin/visudo -cf %s' - with_items: - - "{{ rhel9cis_sudoers_files.stdout_lines }}" + loop: "{{ rhel9cis_sudoers_files.stdout_lines }}" when: - rhel9cis_rule_5_3_4 tags: 
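Review bot: In the 5.3.4 hunk, `regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'` renders the exclusion inside a character class, so on EC2 it becomes `[^#|ec2-user]` — a negated set of the characters e, c, 2, -, u, s, r and `|` — not the literal `ec2-user`. Any sudoers line starting with one of those characters (`root ALL=(ALL) NOPASSWD: ALL`, `ubuntu …`) is then skipped and keeps NOPASSWD, while the ec2-user line is excluded only by accident. A negative lookahead expresses the intent: `regexp: '^(?!\s*#{% if system_is_ec2 %}|ec2-user{% endif %})(.*)NOPASSWD(.*)'`, with `replace: '\1PASSWD\2'` unchanged; the `validate: '/usr/sbin/visudo -cf %s'` guard is good and should stay. The enclosing task begins above the hunk.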
@@ -65,8 +64,7 @@ regexp: '^([^#].*)!authenticate(.*)' replace: '\1authenticate\2' validate: '/usr/sbin/visudo -cf %s' - with_items: - - "{{ rhel9cis_sudoers_files.stdout_lines }}" + loop: "{{ rhel9cis_sudoers_files.stdout_lines }}" when: - rhel9cis_rule_5_3_5 tags: @@ -98,8 +96,7 @@ regexp: 'timestamp_timeout=(\d+)' replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" validate: '/usr/sbin/visudo -cf %s' - with_items: - - "{{ rhel9cis_5_3_6_timeout_files.stdout_lines }}" + loop: "{{ rhel9cis_5_3_6_timeout_files.stdout_lines }}" when: rhel9cis_5_3_6_timeout_files.stdout | length > 0 when: - rhel9cis_rule_5_3_6 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 51c18f9..64ecd18 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -7,7 +7,7 @@ path: /etc/security/pwquality.conf regexp: ^{{ item.name }} line: "{{ item.name }} = {{ item.value }}" - with_items: + loop: - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" } - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } @@ -37,7 +37,7 @@ path: /etc/security/faillock.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - with_items: + loop: - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' } - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' } when: diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 1f6b691..141c013 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -63,8 +63,7 @@ - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" - with_items: - - "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}" + loop: "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}" when: - rhel9cis_rule_5_6_1_4 tags: 
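Review bot: The faillock hunk's `regexp: '^\s*deny\s*=\s*[1-5]\b'` only matches values that already satisfy the control, so `deny = 3` is rewritten to the weaker `deny = 5` while a non-compliant `deny = 10` is left in place and `deny = 5` is appended as a second line; the `unlock_time` pattern (`0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+`) behaves the same way. Matching the key regardless of value — `regexp: '^\s*deny\s*='` — lets lineinfile replace a bad value in place instead of appending a duplicate whose precedence depends on how faillock resolves repeated keys; preserving stricter site values would need a variable in `line:`, not the current pattern. The `| quote` used elsewhere in this role would also suit `chage --inactive … "{{ item }}"` in the 5.6.1.4 hunk.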
@@ -108,8 +107,7 @@ when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - rhel9cis_futurepwchgdate_autofix - with_items: - - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + loop: "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" vars: warn_control_id: '5.6.1.5' when: diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 6100b0b..f03e213 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -6,8 +6,7 @@ ansible.builtin.user: name: "{{ item.id }}" shell: /usr/sbin/nologin - with_items: - - "{{ rhel9cis_passwd }}" + loop: "{{ rhel9cis_passwd }}" when: - item.id != "root" - item.id != "sync" From 4b1956508ad894ee5b027bba6e8716d326d0481d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 08:30:43 +0000 Subject: [PATCH 114/143] updates control steps Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.3.yml | 40 ++++++++++++++++++++++++++----------- 1 file changed, 28 insertions(+), 12 deletions(-) diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 0038b34..be17c70 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml 
@@ -13,21 +13,37 @@ state: started enabled: true - - name: "4.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" - ansible.builtin.find: - paths: /etc/logrotate.d/ - register: log_rotates - - - name: "4.3 | PATCH | Ensure logrotate is configured" + - name: "4.3 | PATCH | Ensure logrotate is configured | set default conf" ansible.builtin.replace: - path: "{{ item.path }}" + path: "/etc/logrotate.conf" regexp: '^(\s*)(daily|weekly|monthly|yearly)$' replace: "\\1{{ rhel9cis_logrotate }}" - loop: - - "{{ log_rotates.files }}" - - { path: "/etc/logrotate.conf" } - loop_control: - label: "{{ item.path }}" + + - name: "4.3 | AUDIT | Ensure logrotate is configured | Get non default logrotate settings" + ansible.builtin.find: + paths: /etc/logrotate.d/ + contains: '^(\s*)(?!{{ rhel9cis_logrotate }})(daily|weekly|monthly|yearly)$' + register: log_rotates + + - name: "4.3 | AUDIT | Ensure logrotate is configured" + block: + - name: "4.3 | AUDIT | Ensure logrotate is configured | generate file list" + ansible.builtin.set_fact: + logrotate_non_def_conf: "{{ log_rotates.files | map(attribute='path') | join (', ') }}" + + - name: "4.3 | AUDIT | Ensure logrotate is configured | List configured files" + ansible.builtin.debug: + msg: | + "Warning!! The following files are not covered by default logrotate settings ensure they match site policy" + "{{ logrotate_non_def_conf }}" + loop: "{{ log_rotates.files }}" + + - name: "4.3 | AUDIT | Ensure logrotate is configured | Warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '4.3' + when: log_rotates.matched > 0 + when: - rhel9cis_rule_4_3 tags: From 0c460d4b70c0555d6e4a83828e2ed5c013c1a426 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 08:31:12 +0000 Subject: [PATCH 115/143] updated task 6.2.8 Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 99 ++++++++++++++++++++--------------- 1 file changed, 56 insertions(+), 43 deletions(-) 
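Review bot: The `List configured files` debug task loops over `log_rotates.files` but its `msg` prints the already-joined `logrotate_non_def_conf`, so the full list is repeated once per matched file. Either drop the `loop:` line, or print `{{ item.path }}` per iteration instead of the joined fact. The `msg: |` literal block also keeps the surrounding double quotes as part of the printed text, so they can be removed. The enclosing 4.3 block starts outside the hunk.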
diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 2a98e90..e9ebed7 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
@@ -189,43 +189,56 @@ - name: "6.2.8 | PATCH | Ensure root PATH Integrity" block: - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determine empty value" - ansible.builtin.shell: 'echo $PATH | grep ::' + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Get root paths" + ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 changed_when: false - failed_when: rhel9cis_6_2_8_path_colon.rc == 0 - check_mode: false - register: rhel9cis_6_2_8_path_colon + register: rhel9cis_6_2_8_root_paths - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determin colon end" - ansible.builtin.shell: 'echo $PATH | grep :$' + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set fact" + ansible.builtin.set_fact: + root_paths: "{{ rhel9cis_6_2_8_root_paths.stdout }}" + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" + ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"' changed_when: false - failed_when: rhel9cis_6_2_8_path_colon_end.rc == 0 - check_mode: false - register: rhel9cis_6_2_8_path_colon_end + failed_when: root_path_empty_dir.rc not in [ 0, 1 ] + register: root_path_empty_dir - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determine dot in path" - ansible.builtin.shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for trailing ':'" + ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"' changed_when: false - failed_when: '"." 
in rhel9cis_6_2_8_dot_in_path.stdout_lines' - check_mode: false - register: rhel9cis_6_2_8_dot_in_path + failed_when: root_path_trailing_colon.rc not in [ 0, 1 ] + register: root_path_trailing_colon + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + block: + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + ansible.builtin.stat: + path: "{{ item }}" + register: root_path_perms + loop: "{{ root_paths | split(':') }}" + + - ansible.builtin.debug: + msg: "{{ root_path_perms.results }}" + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + ansible.builtin.file: + path: "{{ item.stat.path }}" + state: directory + owner: root + group: root + mode: 0755 + follow: true + loop: "{{ root_path_perms.results }}" + loop_control: + label: "{{ item.stat }}" + when: + - item.stat.pw_name != 'root' or + item.stat.gr_name != 'root' or + item.stat.woth or + item.stat.wgrp - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" - ansible.builtin.debug: - msg: - - "Warning!!" - - "The following paths have an empty value: {{ rhel9cis_6_2_8_path_colon.stdout_lines }}" - - "The following paths have colon end: {{ rhel9cis_6_2_8_path_colon_end.stdout_lines }}" - - "The following paths have a dot in the path: {{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" - - name: "6.2.8 | PATCH | Ensure root PATH Integrity | Determine rights and owner" - ansible.builtin.file: > - path='{{ item }}' - follow=yes - state=directory - owner=root - mode='o-w,g-w' - loop: "{{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" when: - rhel9cis_rule_6_2_8 tags: 
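Review bot: The `Check for trailing ':'` task is missing the leading `echo`: `'{{ root_paths }} | cut -d= -f2 | grep -q ":$" ...'` runs the PATH string itself as a command, the pipeline status is grep's, and the check can never report a trailing colon. It should mirror the empty-directory check, e.g. `'echo {{ root_paths }} | grep -q ":$" && echo "roots path contains a trailing (:)"'` (the `cut` was already applied when `rhel9cis_6_2_8_root_paths` was registered), and both checks should pass the value through `| quote` rather than interpolating it bare into the shell line. The registered `root_path_empty_dir` and `root_path_trailing_colon` results are never reported now that the old warning debug was removed, so both findings are silently dropped; a debug or a `warning_facts.yml` import keyed on `rc == 0` would restore the audit output. The `file` task also sets `follow: true`, so a symlinked PATH entry would have its target's owner and mode rewritten. The block's `tags` continue outside the hunk.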
@@ -264,14 +277,14 @@ check_mode: false changed_when: rhel_09_6_2_10_patch_audit.stdout | length > 0 register: rhel_09_6_2_10_patch_audit - when: - - ansible_check_mode - - item.1.exists with_together: - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" - "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" + when: + - ansible_check_mode + - item.1.exists - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" ansible.builtin.file: @@ -279,14 +292,14 @@ recurse: true mode: a-st,g-w,o-rwx register: rhel_09_6_2_10_patch - when: - - not ansible_check_mode - - item.1.exists with_together: - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" - "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" + when: + - not ansible_check_mode + - item.1.exists # set default ACLs so the homedir has an effective umask of 0027 - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" @@ -297,8 +310,6 @@ recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: - - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_09_6_2_10_patch_audit, rhel_09_6_2_10_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" @@ -307,6 +318,8 @@ mode: rx - etype: other mode: '0' + when: + - not system_is_container when: - rhel9cis_rule_6_2_10 tags: 
@@ -350,14 +363,14 @@ check_mode: false changed_when: rhel_09_6_2_12_patch_audit.stdout | length > 0 register: rhel_09_6_2_12_patch_audit - when: - - ansible_check_mode - - item.1.exists with_together: - "{{ rhel_09_6_2_12_audit.results | map(attribute='item') | list }}" - "{{ rhel_09_6_2_12_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" + when: + - ansible_check_mode + - item.1.exists - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" ansible.builtin.file: @@ -383,8 +396,6 @@ recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: - - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_09_6_2_12_patch_audit, rhel_09_6_2_12_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" @@ -393,6 +404,8 @@ mode: rx - etype: other mode: '0' + when: + - not system_is_container when: - rhel9cis_rule_6_2_12 tags: From abd99426b8ebeaff76b81dac13f65bc0607da7c7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 09:31:27 +0000 Subject: [PATCH 116/143] replaced dest for path on file module Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.7.x.yml | 6 +++--- tasks/section_5/cis_5.1.x.yml | 20 ++++++++++---------- tasks/section_6/cis_6.1.x.yml | 16 ++++++++-------- 3 files changed, 21 insertions(+), 21 deletions(-) diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 9848bea..1c20dca 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -49,7 +49,7 @@ - name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" ansible.builtin.file: - dest: /etc/motd + path: /etc/motd owner: root group: root mode: 0644 @@ -64,7 +64,7 @@ - name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" ansible.builtin.file: - dest: /etc/issue + path: /etc/issue owner: root group: root mode: 0644 
@@ -79,7 +79,7 @@ - name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" ansible.builtin.file: - dest: /etc/issue.net + path: /etc/issue.net owner: root group: root mode: 0644 diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 9edc7c7..f897c6c 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -15,7 +15,7 @@ - name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" ansible.builtin.file: - dest: /etc/crontab + path: /etc/crontab owner: root group: root mode: 0600 @@ -30,7 +30,7 @@ - name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" ansible.builtin.file: - dest: /etc/cron.hourly + path: /etc/cron.hourly state: directory owner: root group: root @@ -46,7 +46,7 @@ - name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" ansible.builtin.file: - dest: /etc/cron.daily + path: /etc/cron.daily state: directory owner: root group: root @@ -62,7 +62,7 @@ - name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" ansible.builtin.file: - dest: /etc/cron.weekly + path: /etc/cron.weekly state: directory owner: root group: root @@ -77,7 +77,7 @@ - name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" ansible.builtin.file: - dest: /etc/cron.monthly + path: /etc/cron.monthly state: directory owner: root group: root @@ -92,7 +92,7 @@ - name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" ansible.builtin.file: - dest: /etc/cron.d + path: /etc/cron.d state: directory owner: root group: root @@ -110,7 +110,7 @@ block: - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" ansible.builtin.file: - dest: /etc/cron.deny + path: /etc/cron.deny state: absent - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists" 
@@ -120,7 +120,7 @@ - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" ansible.builtin.file: - dest: /etc/cron.allow + path: /etc/cron.allow state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root group: root @@ -138,7 +138,7 @@ block: - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" ansible.builtin.file: - dest: /etc/at.deny + path: /etc/at.deny state: absent - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" @@ -148,7 +148,7 @@ - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" ansible.builtin.file: - dest: /etc/at.allow + path: /etc/at.allow state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}' owner: root group: root diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index a1c638d..f7528d3 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -2,7 +2,7 @@ - name: "6.1.1 | PATCH | Ensure permissions on /etc/passwd are configured" ansible.builtin.file: - dest: /etc/passwd + path: /etc/passwd owner: root group: root mode: 0644 @@ -17,7 +17,7 @@ - name: "6.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" ansible.builtin.file: - dest: /etc/passwd- + path: /etc/passwd- owner: root group: root mode: 0644 @@ -32,7 +32,7 @@ - name: "6.1.3 | PATCH | Ensure permissions on /etc/group are configured" ansible.builtin.file: - dest: /etc/group- + path: /etc/group- owner: root group: root mode: 0644 @@ -47,7 +47,7 @@ - name: "6.1.4 | PATCH | Ensure permissions on /etc/group- are configured" ansible.builtin.file: - dest: /etc/group- + path: /etc/group- owner: root group: root mode: 0644 
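Review bot: The 6.1.3 task named `Ensure permissions on /etc/group are configured` still targets `/etc/group-` on the new side (`+ path: /etc/group-`), so /etc/group itself never gets its owner, group and mode set; 6.1.4 directly below already covers `/etc/group-`. The line should be `path: /etc/group`. The rename from `dest` to `path` carried the wrong target over from the old line.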
@@ -62,7 +62,7 @@ - name: "6.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" ansible.builtin.file: - dest: /etc/shadow + path: /etc/shadow owner: root group: root mode: 0000 @@ -77,7 +77,7 @@ - name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" ansible.builtin.file: - dest: /etc/shadow- + path: /etc/shadow- owner: root group: root mode: 0000 @@ -92,7 +92,7 @@ - name: "6.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" ansible.builtin.file: - dest: /etc/gshadow + path: /etc/gshadow owner: root group: root mode: 0000 @@ -107,7 +107,7 @@ - name: "6.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" ansible.builtin.file: - dest: /etc/gshadow- + path: /etc/gshadow- owner: root group: root mode: 0000 From 89e6372648c37b2b7d16bcca8a3f61139186b64c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 09:47:33 +0000 Subject: [PATCH 117/143] 5.6.3 tidy up Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index f03e213..941ec99 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml 
@@ -46,18 +46,18 @@ - name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" ansible.builtin.blockinfile: - create: true - mode: 0644 - dest: "{{ item.dest }}" + path: "{{ item.dest }}" state: "{{ item.state }}" marker: "# {mark} CIS 5.6.3 ANSIBLE MANAGED" + create: true + mode: 0644 block: | TMOUT={{ rhel9cis_shell_session_timeout.timeout }} export TMOUT readonly TMOUT loop: - - { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present } - - { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } + - { path: "{{ rhel9cis_shell_session_timeout.file }}", state: present } + - { path: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } when: - rhel9cis_rule_5_6_3 tags: From e389ac16a0f7dc3dc1fc4cb3b78aedac666ca2c3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 09:47:53 +0000 Subject: [PATCH 118/143] removed blank space Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index f7528d3..298492d 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -335,8 +335,6 @@ vars: warn_control_id: '6.1.15' when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 - - when: - rhel9cis_rule_6_1_15 tags: From e61ef2c1a6838627ddab03c073d170cf0a33db3c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 09:48:10 +0000 Subject: [PATCH 119/143] blank space and tidy Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index e9ebed7..d54f53b 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
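Review bot: The 5.6.3 blockinfile reads `path: "{{ item.dest }}"` while the rewritten loop items are keyed `path`, so `item.dest` is undefined and the task fails on its first iteration. The module line should be `path: "{{ item.path }}"` to match the loop entries.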
@@ -237,8 +237,6 @@ item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp - - when: - rhel9cis_rule_6_2_8 tags: @@ -274,8 +272,8 @@ - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 + changed_when: false check_mode: false - changed_when: rhel_09_6_2_10_patch_audit.stdout | length > 0 register: rhel_09_6_2_10_patch_audit with_together: - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" @@ -318,8 +316,7 @@ mode: rx - etype: other mode: '0' - when: - - not system_is_container + when: not system_is_container when: - rhel9cis_rule_6_2_10 tags: From e59e72e3d1852c0c5fd4e96c90d6a82cf5978e14 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 12:10:10 +0000 Subject: [PATCH 120/143] lint Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 4 ++-- tasks/section_3/cis_3.4.1.x.yml | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 6de9cd7..e972ae2 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -63,8 +63,8 @@ owner: root group: root loop: - - tipc - # note the item used in the template + - tipc + # note the item used in the template - name: "3.1.3 | PATCH | Ensure TIPC is disabled | blacklist" ansible.builtin.lineinfile: diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 8f3aba9..8a7e721 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -22,7 +22,7 @@ name: "{{ item }}" masked: true loop: - - firewalld + - firewalld when: - item in ansible_facts.packages - rhel9cis_firewall == 'nftables' 
@@ -32,15 +32,15 @@ name: "{{ item }}" masked: true loop: - - nftables + - nftables when: - item in ansible_facts.packages - rhel9cis_firewall == 'firewalld' - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | package installed" ansible.builtin.package: - name: "{{ rhel9cis_firewall }}" - state: installed + name: "{{ rhel9cis_firewall }}" + state: installed - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" ansible.builtin.systemd: From 60f832f1b27c402a1ea7a59dd790d3508eb1c115 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 12:10:23 +0000 Subject: [PATCH 121/143] control updates and lint Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 144 ++++++++++++---------------------- 1 file changed, 51 insertions(+), 93 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index d54f53b..5d7a6bf 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -218,9 +218,6 @@ register: root_path_perms loop: "{{ root_paths | split(':') }}" - - ansible.builtin.debug: - msg: "{{ root_path_perms.results }}" - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" ansible.builtin.file: path: "{{ item.stat.path }}" 
@@ -264,58 +261,36 @@ - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" block: - - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" - ansible.builtin.stat: - path: "{{ item }}" - register: rhel_09_6_2_10_audit - loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}" - - - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" - ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 - changed_when: false - check_mode: false - register: rhel_09_6_2_10_patch_audit - with_together: - - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}" - loop_control: - label: "{{ item.0 }}" - when: - - ansible_check_mode - - item.1.exists - - - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Create dir if absent" ansible.builtin.file: - path: "{{ item.0 }}" - recurse: true - mode: a-st,g-w,o-rwx - register: rhel_09_6_2_10_patch - with_together: - - "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}" + path: "{{ item.dir }}" + state: directory + owner: "{{ item.id }}" + group: "{{ item.gid }}" + register: rhel_09_6_2_10_home_dir + loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" loop_control: - label: "{{ item.0 }}" - when: - - not ansible_check_mode - - item.1.exists + label: "{{ item.id }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Set 
group ACL" ansible.posix.acl: - path: "{{ item.0 }}" + path: "{{ item }}" default: true + etype: group + permissions: rx state: present - recursive: true - etype: "{{ item.1.etype }}" - permissions: "{{ item.1.mode }}" - with_nested: - - "{{ (ansible_check_mode | ternary(rhel_09_6_2_10_patch_audit, rhel_09_6_2_10_patch)).results | - rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - - - etype: group - mode: rx - - etype: other - mode: '0' + loop: "{{ interactive_users_home.stdout_lines }}" + when: not system_is_container + + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Set other ACL" + ansible.posix.acl: + path: "{{ item }}" + default: true + etype: other + permissions: 0 + state: present + loop: "{{ interactive_users_home.stdout_lines }}" when: not system_is_container when: - rhel9cis_rule_6_2_10 @@ -331,9 +306,9 @@ path: "{{ item.dir }}" owner: "{{ item.id }}" state: directory - loop: "{{ rhel9cis_passwd }}" + loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" loop_control: - label: "{{ rhel9cis_passwd_label }}" + label: "{{ item.id }}" when: - item.uid >= min_int_uid | int - item.id != 'nobody' 
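Review bot: The `Create dir if absent` task in 6.2.10 creates missing home directories with no `mode`, so a directory created here takes the remote umask default and may be world-readable until 6.2.12 tightens it. Adding `mode: "0750"` would fix that for new directories but would also reset existing ones on every run, so whichever behaviour is intended should be chosen explicitly and commented. The two ACL tasks loop over `interactive_users_home.stdout_lines`, which is built outside this hunk, while the create task loops over the uid-filtered `rhel9cis_passwd`; if that fact is gathered before this block runs, a directory created here will not receive the default ACLs. Looping all three tasks over the same filtered list (with `map(attribute='dir')` for the ACL tasks) would keep them consistent. The block's `tags` continue outside the hunk.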
@@ -349,60 +324,43 @@ - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" block: - - name: "6.2.12 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive" + - name: "6.2.12 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive | get stat" ansible.builtin.stat: path: "{{ item }}" - loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}" - register: rhel_09_6_2_12_audit + register: rhel_09_6_2_12_home_dir_perms + loop: "{{ interactive_users_home.stdout_lines }}" - - name: "6.2.12 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" - ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 - check_mode: false - changed_when: rhel_09_6_2_12_patch_audit.stdout | length > 0 - register: rhel_09_6_2_12_patch_audit - with_together: - - "{{ rhel_09_6_2_12_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_12_audit.results | map(attribute='stat') | list }}" - loop_control: - label: "{{ item.0 }}" - when: - - ansible_check_mode - - item.1.exists - - - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" + - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | amend if needed" ansible.builtin.file: - path: "{{ item.0 }}" - recurse: true - mode: a-st,g-w,o-rwx - register: rhel_09_6_2_12_patch - with_together: - - "{{ rhel_09_6_2_12_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_12_audit.results | map(attribute='stat') | list }}" + path: "{{ item.stat.path }}" + state: directory + mode: "0750" + loop: "{{ rhel_09_6_2_12_home_dir_perms.results }}" loop_control: - label: "{{ item.0 }}" + label: "{{ item }}" when: - - not ansible_check_mode - - item.1.exists + - item.stat.mode 
> '0750' # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" + - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | Set group ACL" ansible.posix.acl: - path: "{{ item.0 }}" + path: "{{ item }}" default: true + etype: group + permissions: rx state: present - recursive: true - etype: "{{ item.1.etype }}" - permissions: "{{ item.1.mode }}" - with_nested: - - "{{ (ansible_check_mode | ternary(rhel_09_6_2_12_patch_audit, rhel_09_6_2_12_patch)).results | - rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - - - etype: group - mode: rx - - etype: other - mode: '0' - when: - - not system_is_container + loop: "{{ interactive_users_home.stdout_lines }}" + when: not system_is_container + + - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | Set other ACL" + ansible.posix.acl: + path: "{{ item }}" + default: true + etype: other + permissions: 0 + state: present + loop: "{{ interactive_users_home.stdout_lines }}" + when: not system_is_container when: - rhel9cis_rule_6_2_12 tags: From 388dbd797cc19218f1692b91b28b4024b62ce11f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 14:17:29 +0000 Subject: [PATCH 122/143] fix typo Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 941ec99..184345b 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -46,7 +46,7 @@ - name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" ansible.builtin.blockinfile: - path: "{{ item.dest }}" + path: "{{ item.path }}" state: "{{ item.state }}" marker: "# {mark} CIS 5.6.3 ANSIBLE MANAGED" create: true 
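Review bot: The `amend if needed` condition `item.stat.mode > '0750'` is a string comparison on the octal mode, so a mode such as `0707` or `0745` sorts below `'0750'` and is never corrected even though it grants other users access; it also errors when the path does not exist, because `item.stat.mode` is only present for existing files. The stat result already exposes per-bit booleans (6.2.8 in this same file uses `item.stat.woth` and `item.stat.wgrp`), so the check should be `when: item.stat.exists and (item.stat.wgrp or item.stat.roth or item.stat.woth or item.stat.xoth)`. Forcing `mode: "0750"` on those hits is fine since 0750 is the CIS ceiling, but `label: "{{ item }}"` prints the whole stat record per iteration; `label: "{{ item.item }}"` gives just the path. The block's `tags` continue outside the hunk.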
From 9cf1f08eec3a54a19907973eab3eda80d2365bc8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 14:59:18 +0000 Subject: [PATCH 123/143] dest to path 5.2.1 Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index b67b018..8d0c050 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -2,7 +2,7 @@ - name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" ansible.builtin.file: - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config owner: root group: root mode: 0600 From b5a5d3e9519cbadc97c5e3e212015227fdd9d0c9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 15:00:10 +0000 Subject: [PATCH 124/143] Additional; step to show diff of template Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 6704125..f8d2fe6 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml 
@@ -1,25 +1,36 @@ --- +- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file + ansible.builtin.stat: + path: /etc/audit/rules.d/99_auditd.rules + register: auditd_file -- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added +- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file ansible.builtin.template: src: audit/99_auditd.rules.j2 dest: /etc/audit/rules.d/99_auditd.rules owner: root group: root mode: 0640 + diff: "{{ auditd_file.stat.exists }}" # Only run diff if not a new file register: audit_rules_updated notify: - Auditd immutable check - Audit immutable fact - Restart auditd -- name: POST | Set up auditd user logging exceptions +- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file + ansible.builtin.stat: + path: /etc/audit/rules.d/98_auditd_exceptions.rules + register: auditd_exception_file + +- name: POST | Set up auditd user logging exceptions | setup file ansible.builtin.template: src: audit/98_auditd_exception.rules.j2 dest: /etc/audit/rules.d/98_auditd_exceptions.rules owner: root group: root - mode: 0600 + mode: 0640 + diff: "{{ auditd_exception_file.stat.exists }}" notify: Restart auditd when: - allow_auditd_uid_user_exclusions From aa5b2c30c4be73f955b7245c89602bbdfa3a02b1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 15:01:12 +0000 Subject: [PATCH 125/143] 6.2.8 rewrite Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 5d7a6bf..557f337 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
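Review bot: The second stat task carries the same name as the first, `... Apply auditd template will for section 4.1.3 ... | stat file`, although it stats `98_auditd_exceptions.rules`; naming it `POST | Set up auditd user logging exceptions | stat file` keeps the play output unambiguous. That stat also runs unconditionally while the template it feeds is guarded by `allow_auditd_uid_user_exclusions`; giving it the same `when` keeps the pair together. The change from `mode: 0600` to `mode: 0640` on the exceptions rules loosens the file and is not mentioned in the commit message; if it is deliberate, a short comment such as `# align with 99_auditd.rules` would record why. The last task's `when:` list continues outside the hunk.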
@@ -216,24 +216,26 @@ ansible.builtin.stat: path: "{{ item }}" register: root_path_perms - loop: "{{ root_paths | split(':') }}" + loop: "{{ rhel9cis_6_2_8_root_paths.stdout | split(':') }}" - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" + - ansible.builtin.debug: + msg: "{{ root_path_perms.results }}" + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set permissions" ansible.builtin.file: path: "{{ item.stat.path }}" state: directory owner: root group: root - mode: 0755 - follow: true + mode: "0755" + follow: false loop: "{{ root_path_perms.results }}" loop_control: - label: "{{ item.stat }}" + label: "{{ item }}" when: - - item.stat.pw_name != 'root' or - item.stat.gr_name != 'root' or - item.stat.woth or - item.stat.wgrp + - item.stat.exists + - item.stat.isdir + - item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp when: - rhel9cis_rule_6_2_8 tags: @@ -418,7 +420,6 @@ - name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable" block: - - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Check for files" ansible.builtin.find: path: /home From 849789b867a493b2c1eee5b212ac190c4c6e35c3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 15:03:05 +0000 Subject: [PATCH 126/143] updated Signed-off-by: Mark Bolwell --- Changelog.md | 4 +++- README.md | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index 18369bf..65f05f8 100644 --- a/Changelog.md +++ b/Changelog.md @@ -7,6 +7,8 @@ Jan-2023 release - Lint file updates and improvements +- auditd now shows diff ater initial template added +- many control rewritten - Many controls moved ID references - Audit updates aligned - Command warn arg removed 
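Review bot: The re-added `- ansible.builtin.debug:` task has no `name` and dumps the full stat result of every directory in root's PATH at default verbosity, which reads as leftover debugging (the same task was removed in an earlier commit on this page). Either drop it, or name it and add `verbosity: 2` so it only prints under `-vv`. The `Set permissions` task now applies `mode: "0755"` to every hit, which also adds o+rx to a directory that was merely group-writable; `mode: "go-w"` would strip the offending bits without widening read access. The block's `tags` continue outside the hunk.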
@@ -15,7 +17,7 @@ Jan-2023 release - fqcn added to all controls - some controls rewritten using module rather than shell - typo fixes from rhel_08 inheritance -- workfolw update for 5.6.6 to set random root password to allow for testing +- workflow update for 5.6.6 to set random root password to allow for testing - incorporates issues - #23 - #24 diff --git a/README.md b/README.md index fc0376e..67fc2dc 100644 --- a/README.md +++ b/README.md @@ -86,6 +86,7 @@ Below is an example of the tag section from a control within this role. Using th ### Known Issues -CIS 1.2.4 - repo_gpgcheck is not carried out for RedHat hosts as the default repos do not have this function. Rocky and Alma not affected. +CIS 1.2.4 - repo_gpgcheck is not carried out for RedHat hosts as the default repos do not have this function. This also affect EPEL(not covered by var). + - Rocky and Alma not affected. Variable used to unset. rhel9cis_rhel_default_repo: true # to be set to false if using repo that does have this ability From 50429d8278a429b2b53aa520eb740489e77b3a84 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 16:02:12 +0000 Subject: [PATCH 127/143] moved notify to task Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.8.x.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 6ebe4ae..4f6922f 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -39,8 +39,7 @@ owner: root group: root mode: 0644 - - notify: Reload dconf + notify: Reload dconf when: - rhel9cis_rule_1_8_2 - rhel9cis_gui @@ -108,7 +107,7 @@ owner: root group: root mode: '0644' - notify: Reload dconf + notify: Reload dconf when: - rhel9cis_rule_1_8_4 - rhel9cis_gui @@ -136,7 +135,7 @@ owner: root group: root mode: 0644 - notify: Reload dconf + notify: Reload dconf when: - rhel9cis_rule_1_8_5 - rhel9cis_gui From 7d426bd4973638d652551c9fdb79e8215cad1237 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Thu, 26 Jan 2023 16:03:17 +0000 Subject: [PATCH 128/143] Added # comment Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8a791b1..d8d6290 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -168,7 +168,7 @@ rhel9cis_rule_2_3_3: true rhel9cis_rule_2_3_4: true rhel9cis_rule_2_4: true - Section 3 rules +# Section 3 rules rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_3: true From 2168a68b4e178ee25f7e7e3456ca259cfab1a9bb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 26 Jan 2023 16:03:29 +0000 Subject: [PATCH 129/143] removed success_msg Signed-off-by: Mark Bolwell --- tasks/pre_remediation_audit.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 96f16fe..c05ddb3 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -50,7 +50,6 @@ ansible.builtin.assert: that: goss_available.stat.exists fail_msg: "Audit binary file {{ audit_bin }} does not exist" - success_msg: "Audit binary file {{ audit_bin }} exists" when: - run_audit From d770c69aca74bacdb7296de440d310092ecc4f69 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 11:01:41 +0000 Subject: [PATCH 130/143] moved 5.6.6 testing to main task Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 184345b..349095a 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml 
@@ -112,16 +112,8 @@ - rule_5.6.5 - name: "5.6.6 | PATCH | Ensure root password is set" - block: - - name: "5.6.6 | PATCH | Ensure root password is set" - ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt" - changed_when: false - register: root_passwd - - - name: "5.6.6 | PATCH | Ensure root password is set" - ansible.builtin.fail: - msg: The root password is not set - when: root_passwd.rc != 0 + ansible.builtin.debug: + msg: "The root password has been set as per the assert in early stages" when: - rhel9cis_rule_5_6_6 tags: From 98feeb1b01e017b1ddbd8a5f3005b96bf15f19fe Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 11:02:01 +0000 Subject: [PATCH 131/143] 5.6.6 test added Signed-off-by: Mark Bolwell --- tasks/main.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index 47940fc..d083319 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -42,6 +42,28 @@ tags: - user_passwd +- name: "Ensure root password is set" + block: + - name: "Ensure root password is set" + ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt" + changed_when: false + register: root_passwd_set + + - name: "Ensure root password is set" + ansible.builtin.assert: + that: root_passwd_set.rc == 0 + fail_msg: "You have rule 5.6.6 enabled this requires that you have a root password set" + success_msg: "You have a root password set" + when: + - rhel9cis_rule_5_6_6 + tags: + - level1-server + - level1-workstation + - patch + - accounts + - root + - rule_5.6.6 + - name: Setup rules if container block: - name: Discover and set container variable if required From a759c38902695db28551e4b150a27f06972942c9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 11:03:23 +0000 Subject: [PATCH 132/143] removed split filter allowing old ansible versions 
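Review bot: The replacement task is still titled `PATCH` and, judging by the `tags:` that continue outside the hunk, presumably still tagged `patch`, yet it now neither checks nor changes anything — it only prints a message — so `--list-tasks` and tag-based runs misrepresent what it does; renaming it `5.6.6 | AUDIT | Ensure root password is set` and pointing at where the check actually lives keeps that honest. The message would also be clearer as `The root password was verified by the assert in tasks/main.yml`, since "early stages" does not tell an operator where to look when the role aborts.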
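Review bot: `passwd -S root | grep "Password set, SHA512 crypt"` fails the assert for a root account whose hash is not SHA-512 — e.g. yescrypt (`$y$`), which libxcrypt on RHEL 9 supports and which is stronger, not weaker — even though CIS 5.6.6 only requires that a password is set; matching `"Password set"` alone (the hashing algorithm is a separate control) avoids aborting the entire run on a compliant host. The shell task also lacks `check_mode: false`, unlike the comparable audit shell in 5.4.2 (`Gather profiles and enabled features`), so under `--check` it is skipped and the assert then errors on the undefined `root_passwd_set.rc` rather than reporting the real state. Suggested: `ansible.builtin.shell: passwd -S root | grep "Password set"` plus `check_mode: false` on that task.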
Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.3.x.yml | 2 +- tasks/section_6/cis_6.2.x.yml | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index fc62baf..0443781 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -119,7 +119,7 @@ ansible.builtin.user: name: "{{ item }}" groups: "{{ rhel9cis_sugroup | default('wheel') }}" - loop: "{{ rhel9cis_sugroup_users | split (',') }}" + loop: "{{ rhel9cis_sugroup_users }}" when: - rhel9cis_rule_5_3_7 tags: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 557f337..a8cafff 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -194,6 +194,11 @@ changed_when: false register: rhel9cis_6_2_8_root_paths + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Get root paths" + ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 | tr ":" "\n" + changed_when: false + register: rhel9cis_6_2_8_root_paths_split + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set fact" ansible.builtin.set_fact: root_paths: "{{ rhel9cis_6_2_8_root_paths.stdout }}" @@ -216,7 +221,7 @@ ansible.builtin.stat: path: "{{ item }}" register: root_path_perms - loop: "{{ rhel9cis_6_2_8_root_paths.stdout | split(':') }}" + loop: "{{ rhel9cis_6_2_8_root_paths_split.stdout_lines }}" - ansible.builtin.debug: msg: "{{ root_path_perms.results }}" From 3c72af6a83513d894a4e4dcfbb5161043f40a185 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 11:03:36 +0000 Subject: [PATCH 133/143] fixed spacing Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 64ecd18..13ac418 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml 
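Review bot: Dropping `| split(',')` changes the contract of `rhel9cis_sugroup_users` from a comma-separated string to a list, but per the diffstat this commit touches only the two task files, so unless `defaults/main.yml` already defines it as a list, `loop:` now fails with "Invalid data passed to 'loop', it requires a list" for anyone carrying the old string form. Either update the default in the same commit or accept both, e.g. `loop: "{{ rhel9cis_sugroup_users if rhel9cis_sugroup_users is not string else rhel9cis_sugroup_users.split(',') }}"`. Because this task grants membership of the su group (`wheel` by default), a loud failure is preferable to a silent no-op, but the behaviour change should at least be called out in the changelog; the task's `when`/`tags` continue outside the hunk.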
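Review bot: The new task runs `sudo -Hiu root env` a second time — spawning another root login shell and sourcing root's profile, the very thing this control is auditing — purely to split the PATH string, when the missing `split` filter on ansible 2.10 can be avoided with the Python string method in Jinja: `loop: "{{ rhel9cis_6_2_8_root_paths.stdout.split(':') }}"` on the stat task, with no extra shell. Whichever form stays, an empty PATH element (`::` or a trailing `:`), which CIS 6.2.8 explicitly checks for, becomes an empty item that `ansible.builtin.stat` cannot take, so filter it with `| select() | list` and preferably report it as a finding rather than drop it. With the stat loop now reading `rhel9cis_6_2_8_root_paths_split.stdout_lines`, the `set_fact root_paths` kept in this hunk may no longer have a consumer — worth checking before leaving it in.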
@@ -55,7 +55,7 @@ ansible.builtin.replace: path: /etc/pam.d/system-auth regexp: '^password\s*(sufficient|requisite|sufficient)\s*pam_unix.so.*$' - replace: 'password requisite pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' + replace: 'password requisite pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_3 tags: @@ -88,7 +88,7 @@ ansible.builtin.replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' - replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_4 tags: From c0d25d67cf45f85490c30e13a0447871a835d85b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 11:03:47 +0000 Subject: [PATCH 134/143] updated ansible min version Signed-off-by: Mark Bolwell --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index 165eff5..7b6f842 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,7 +1,7 @@ --- # vars file for RHEL9-CIS -min_ansible_version: 2.9.4 +min_ansible_version: 2.10 rhel9cis_allowed_crypto_policies: - 'DEFAULT' - 'FUTURE' From 56f0618bc3a58a5dec2ccf05c83efb29ad6536af Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 11:04:08 +0000 Subject: [PATCH 135/143] updated Signed-off-by: Mark Bolwell --- README.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 67fc2dc..9513374 100644 --- a/README.md +++ b/README.md 
@@ -37,8 +37,17 @@ RHEL 9 Almalinux 9 Rocky 9 +ansible 2.10 +jmespath +relevant collections + - Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) +## Tested with + +ansible-base 2.10.17 - python 3.8 +ansible-core 2.13.4 - python 3.10 + - makefile - this is there purely for testing and initial setup purposes. ## General @@ -65,7 +74,7 @@ Rocky 9 ## Role Variables -This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/RHEL9-CIS/wiki/Main-Variables) in the Main Variables Wiki page. All variables are listed there along with descriptions. +This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done by overriding the required varaibles as found in defaults/main.yml file. e.g. using inventory, group_vars, extra_vars ## Tags From e88b3efbf05d3d6c3d7779a92ff0b7f2bc6eb34a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 11:13:33 +0000 Subject: [PATCH 136/143] Updated as per steps Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.3.x.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index cf20cb9..2c61fc8 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml 
@@ -7,15 +7,21 @@ name: aide state: present - - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - ansible.builtin.shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + - name: "1.3.1 | PATCH | Ensure AIDE is installed | Build AIDE DB" + ansible.builtin.shell: /usr/sbin/aide --init changed_when: false failed_when: false async: 45 poll: 0 args: - creates: /var/lib/aide/aide.db.gz + creates: /var/lib/aide/aide.db.new.gz when: not ansible_check_mode + + - name: "1.3.1 | PATCH | Ensure AIDE is installed | copy AIDE DB" + ansible.builtin.copy: + src: /var/lib/aide/aide.db.new.gz + dest: /var/lib/aide/aide.db.gz + remote_src: true when: - rhel9cis_config_aide - rhel9cis_rule_1_3_1 From bf83a6b84cddffce419ab6ffebd645d997959241 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 12:19:16 +0000 Subject: [PATCH 137/143] Add more safety around control 5.4.2 Signed-off-by: Mark Bolwell --- defaults/main.yml | 8 ++++++++ tasks/section_5/cis_5.4.x.yml | 33 +++++++++++++++++++++++++++++++-- 2 files changed, 39 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d8d6290..b3f73d8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -622,6 +622,14 @@ rhel9cis_sudolog_location: "/var/log/sudo.log" #### 5.3.6 rhel9cis_sudo_timestamp_timeout: 15 +### 5.4.2 authselect and faillock +## This option is used at your own risk it will enable faillock for users +## Only to be used on a new clean system if not using authselect +## THIS CAN BREAK ACCESS EVEN FOR ROOT - UNDERSTAND RISKS ## +rhel9cis_add_faillock_without_authselect: false +# This needs to be set to ACCEPT +rhel9cis_5_4_2_risks: NEVER + # RHEL-09-5.4.5 # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index ac37cf2..939285f 100644 --- a/tasks/section_5/cis_5.4.x.yml 
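Review bot: The `copy AIDE DB` task runs immediately after `aide --init` was launched with `async: 45` / `poll: 0`, i.e. without waiting for the job, so on first run `/var/lib/aide/aide.db.new.gz` either does not exist yet (the copy fails) or is a partially written archive that becomes the integrity baseline; an `async_status` wait between the two tasks is needed, and 45 s is a short ceiling for a full-filesystem init. On later runs `creates:` skips the init but the copy still runs unconditionally, re-copying a stale `aide.db.new.gz` over an `aide.db.gz` the operator may have refreshed with `aide --update`, silently resetting the baseline — guard the copy on the database not already existing. `failed_when: false` on the init also hides exactly the failures that would explain a missing `.new.gz`. Rewritten excerpt below; the enclosing block starts outside the hunk and the indentation is approximate.
```yaml
      # … unchanged: aide package install …

      - name: "1.3.1 | PATCH | Ensure AIDE is installed | Build AIDE DB"
        ansible.builtin.shell: /usr/sbin/aide --init
        changed_when: false
        async: 600  # a full-filesystem init can take minutes; 45 s killed it early
        poll: 0
        args:
          creates: /var/lib/aide/aide.db.new.gz
        register: rhel9cis_aide_init
        when: not ansible_check_mode

      - name: "1.3.1 | PATCH | Ensure AIDE is installed | Wait for AIDE DB build"
        ansible.builtin.async_status:
          jid: "{{ rhel9cis_aide_init.ansible_job_id }}"
        register: rhel9cis_aide_init_job
        until: rhel9cis_aide_init_job.finished
        retries: 60
        delay: 10
        when:
          - not ansible_check_mode
          - rhel9cis_aide_init.ansible_job_id is defined  # absent when creates: short-circuited

      - name: "1.3.1 | PATCH | Ensure AIDE is installed | Check for existing AIDE DB"
        ansible.builtin.stat:
          path: /var/lib/aide/aide.db.gz
        register: rhel9cis_aide_db

      - name: "1.3.1 | PATCH | Ensure AIDE is installed | copy AIDE DB"
        ansible.builtin.copy:
          src: /var/lib/aide/aide.db.new.gz
          dest: /var/lib/aide/aide.db.gz
          remote_src: true
        when:
          - not ansible_check_mode
          - not rhel9cis_aide_db.stat.exists  # never overwrite a baseline the operator has updated
```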
+++ b/tasks/section_5/cis_5.4.x.yml @@ -28,7 +28,7 @@ - authselect - rule_5.4.1 -- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock" +- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | with auth select profile" block: - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" ansible.builtin.shell: "authselect current | grep with-faillock" @@ -37,7 +37,7 @@ check_mode: false register: rhel9cis_5_4_2_profiles_faillock - - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles" + - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Show profiles" ansible.builtin.debug: msg: - "Below are the current custom profiles" 
@@ -46,6 +46,35 @@ - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" when: rhel9cis_authselect_custom_profile_select + + - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile" + ansible.builtin.lineinfile: + path: "/etc/pam.d/password-auth" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertbefore: "{{ item.before }}" + loop: + - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'} + - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+required\s+pam_deny.so'} + - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so','before':'^account required pam_unix.so'} + when: + - rhel9cis_add_faillock_without_authselect + - rhel9cis_5_4_2_risks == 'ACCEPT' + + - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile" + ansible.builtin.lineinfile: + path: "/etc/pam.d/system-auth" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + insertbefore: "{{ item.before | default(omit)}}" + insertafter: "{{ item.after | default(omit)}}" + loop: + - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'} + - { 'regexp': '^auth\s+required\s+pam_faillock.so 
authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+required\s+pam_deny.so'} + - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so','before':'^account required pam_unix.so'} + when: + - rhel9cis_add_faillock_without_authselect + - rhel9cis_5_4_2_risks == 'ACCEPT' when: - rhel9cis_rule_5_4_2 tags: From 3acc909f91f75010540df040c424fad8d68f3522 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 12:19:22 +0000 Subject: [PATCH 138/143] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 65f05f8..35e9e44 100644 --- a/Changelog.md +++ b/Changelog.md @@ -6,6 +6,7 @@ Jan-2023 release +- updated ansible minimum to 2.10 - Lint file updates and improvements - auditd now shows diff ater initial template added - many control rewritten @@ -21,6 +22,7 @@ Jan-2023 release - incorporates issues - #23 - #24 +- New option to add faillock for users without authselect - defaults/main 5.4.2 ## 0.5 From cb0a4e71cd3b42e31b4555510ae59db0bebf0c1d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 12:21:26 +0000 Subject: [PATCH 139/143] fixed version Signed-off-by: Mark Bolwell --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index 7b6f842..9815eea 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,7 +1,7 @@ --- # vars file for RHEL9-CIS -min_ansible_version: 2.10 +min_ansible_version: 2.10.1 rhel9cis_allowed_crypto_policies: - 'DEFAULT' - 'FUTURE' From 42d37955e65ad89b9025112979810cf21702ccd0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 14:03:12 +0000 Subject: [PATCH 140/143] added skip play warning Signed-off-by: Mark Bolwell --- .ansible-lint | 1 + 1 file changed, 1 insertion(+) 
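Review bot: The third loop item's anchor, `'before':'^account required pam_unix.so'`, uses literal single spaces, whereas the real `/etc/pam.d/{password,system}-auth` lines (and the other two anchors in the same loop) have runs of whitespace, so it will normally not match — and `ansible.builtin.lineinfile` then appends the line at end of file, where `account required pam_faillock.so` sits after the `session` stack and never runs; the same silent EOF fallback hits the `preauth` anchor if the target's `pam_unix.so` auth line carries no `try_first_pass`, leaving the lockout unenforced behind a green task. Use `^account\s+required\s+pam_unix.so` and `^auth\s+sufficient\s+pam_unix.so` (no trailing option), and consider a follow-up `grep -c pam_faillock` assert on each file so a misplaced line fails loudly. Both new tasks also have an unbalanced quote in `name:` (`- name: 5.4.2 | ... profile"`) and share the same name, hiding which file was edited; the enclosing block and its `tags:` continue outside the hunk.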
diff --git a/.ansible-lint b/.ansible-lint index 7ef99f1..e582a58 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -5,6 +5,7 @@ skip_list: - 'no-changed-when' - 'var-spacing' - 'experimental' + - 'name[play]' - 'name[casing]' - 'name[template]' - 'fqcn[action]' From dc41fef086ccdee15e8c3e8ed947310aafdce44d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 14:03:20 +0000 Subject: [PATCH 141/143] updated Signed-off-by: Mark Bolwell --- Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index c8bcd9c..5d7a9b3 100755 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ GALAXY=ansible-galaxy -ANSIBLE_LINT=ansible-lint +ANSIBLE_LINT='/usr/local/bin/ansible-lint' ANSIBLE_FILE=site.yml all: help @@ -20,7 +20,7 @@ galaxy-install: $(GALAXY) install -r ./collections/requirements.yml ansible-lint: - $(ANSIBLE-LINT) $(ANSIBLE_FILE) + $(ANSIBLE_LINT) $(ANSIBLE_FILE) yamllint: git ls-files "*.yml"|xargs yamllint @@ -28,5 +28,5 @@ yamllint: pip-requirements: @echo 'Python dependencies:' @cat requirements.txt - $(ANSIBLE_LINT) install -r requirements.txt + pip3 install -r requirements.txt From 939102430c50209ab5e0e6e164b3376d0c727846 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 27 Jan 2023 14:03:32 +0000 Subject: [PATCH 142/143] lint updates Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 4 ++-- tasks/section_5/cis_5.4.x.yml | 12 ++++++------ tasks/section_6/cis_6.2.x.yml | 3 --- 3 files changed, 8 insertions(+), 11 deletions(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index f8d2fe6..f2dd122 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml 
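Review bot: `ANSIBLE_LINT='/usr/local/bin/ansible-lint'` hard-codes an absolute path, so anyone running ansible-lint from a virtualenv or a distro package in `/usr/bin` gets "No such file" from `make ansible-lint`; `ANSIBLE_LINT ?= ansible-lint` keeps PATH lookup and lets callers override it. The `pip-requirements` target now runs `pip3 install -r requirements.txt` with no `--user` or venv, i.e. a system-wide install — acceptable for a dev helper, but it should say so in the `@echo` line above it. The `$(ANSIBLE-LINT)` → `$(ANSIBLE_LINT)` correction is the genuine fix in this change.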
@@ -1,7 +1,7 @@ --- - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: - path: /etc/audit/rules.d/99_auditd.rules + path: /etc/audit/rules.d/99_auditd.rules register: auditd_file - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file @@ -20,7 +20,7 @@ - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: - path: /etc/audit/rules.d/98_auditd_exceptions.rules + path: /etc/audit/rules.d/98_auditd_exceptions.rules register: auditd_exception_file - name: POST | Set up auditd user logging exceptions | setup file diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 939285f..cb37024 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml 
@@ -54,9 +54,9 @@ line: "{{ item.line }}" insertbefore: "{{ item.before }}" loop: - - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'} - - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+required\s+pam_deny.so'} - - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so','before':'^account required pam_unix.so'} + - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'} + - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'} + - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so', 'before':'^account required pam_unix.so'} when: - rhel9cis_add_faillock_without_authselect - rhel9cis_5_4_2_risks == 'ACCEPT' 
@@ -69,9 +69,9 @@ insertbefore: "{{ item.before | default(omit)}}" insertafter: "{{ item.after | default(omit)}}" loop: - - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'} - - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}','before':'^auth\s+required\s+pam_deny.so'} - - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so','before':'^account required pam_unix.so'} + - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line':'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'} + - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'} + - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so', 'before':'^account required pam_unix.so'} when: - rhel9cis_add_faillock_without_authselect - rhel9cis_5_4_2_risks == 'ACCEPT' diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index a8cafff..bfd371a 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
@@ -223,9 +223,6 @@ register: root_path_perms loop: "{{ rhel9cis_6_2_8_root_paths_split.stdout_lines }}" - - ansible.builtin.debug: - msg: "{{ root_path_perms.results }}" - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set permissions" ansible.builtin.file: path: "{{ item.stat.path }}" From e52cc6ca6b97a794a33758ddd64350971800941d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 31 Jan 2023 08:31:12 +0000 Subject: [PATCH 143/143] 4.1.4.8 tidy title remove register not used Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.4.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index 7139ab6..9eb2bd5 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -106,7 +106,7 @@ - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive" block: - - name: "PRELIM | 4.1.4.8 | Get audit binary file stat | get current mode" + - name: "4.1.4.8 | AUDIT | Get audit binary file stat | get current mode" ansible.builtin.stat: path: "{{ item }}" register: "audit_bins" @@ -122,7 +122,7 @@ ansible.builtin.file: path: "{{ item.item }}" mode: 0750 - register: "audit_bins" + loop: "{{ audit_bins.results }}" loop_control: label: "{{ item.item }}"