From d2de2783a80afc1155b3232c8e78c6ac0665a147 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 19 Jun 2025 16:31:37 +0100
Subject: [PATCH 1/5] added ability to fetch audit and update title

Signed-off-by: Mark Bolwell
---
 tasks/audit_only.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml
index d6f20ea..a33cb94 100644
--- a/tasks/audit_only.yml
+++ b/tasks/audit_only.yml
@@ -1,10 +1,17 @@
 ---
 
+- name: Audit_only | Fetch audit files
+  when:
+    - fetch_audit_output
+    - audit_only
+  ansible.builtin.import_tasks:
+    file: fetch_audit_output.yml
+
 - name: Audit_only | Show Audit Summary
   when: audit_only
   ansible.builtin.debug:
     msg: "{{ audit_results.split('\n') }}"
 
-- name: Audit_only | Stop Playbook Audit Only selected
+- name: Audit_only | Stop task for host as audit_only selected
   when: audit_only
-  ansible.builtin.meta: end_play
+  ansible.builtin.meta: end_host

From 379b18455426c5288f3e21e7434576fc9dd68082 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 19 Jun 2025 16:32:20 +0100
Subject: [PATCH 2/5] added changed_when to fix false warning errors

Signed-off-by: Mark Bolwell
---
 tasks/fetch_audit_output.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tasks/fetch_audit_output.yml b/tasks/fetch_audit_output.yml
index 563b699..e440185 100644
--- a/tasks/fetch_audit_output.yml
+++ b/tasks/fetch_audit_output.yml
@@ -8,6 +8,7 @@
     src: "{{ item }}"
     dest: "{{ audit_output_destination }}"
     flat: true
+  changed_when: true
   failed_when: false
   register: discovered_audit_fetch_state
   loop:

From aaea8352de3a8b18fa48808dfa4d6cbd69522197 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 19 Jun 2025 16:33:29 +0100
Subject: [PATCH 3/5] updated

Signed-off-by: Mark Bolwell
---
 Changelog.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Changelog.md b/Changelog.md
index 7542aa1..492516a 100644
--- a/Changelog.md
+++ b/Changelog.md
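Review bot: `changed_when: true` together with the `failed_when: false` kept on the line below means a fetch whose source file is missing or unreadable is reported as changed rather than failed, so a missing audit report is easy to overlook in a run summary. The registered `discovered_audit_fetch_state` is the only place the real outcome survives; unless it is inspected after the loop (outside this hunk, as is the start of the enclosing task), consider a follow-up task that inspects `discovered_audit_fetch_state.results` and warns for any item whose module result reports a failure, or document next to `failed_when: false` why a failed fetch is acceptable, e.g. `# best effort: a missing audit file must not abort the audit run`.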
@@ -1,6 +1,11 @@
 # Changes to rhel9CIS
 
+## Based on CIS v2.0.0
+
+Update to audit_only to allow fetching results
+resolved false warning for fetch audit
+
 ## 2.0.1 - Based on CIS v2.0.0
 
 
 - Thanks to @polski-g several issues and improvements added

From 82cc458d7a215c2b940228c59db3533ddc567b45 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 20 Jun 2025 11:32:31 +0100
Subject: [PATCH 4/5] Fix logic and notes for in crypto policy building

Signed-off-by: Mark Bolwell
---
 Changelog.md      |  1 +
 defaults/main.yml | 17 +++++++++--------
 handlers/main.yml |  2 +-
 tasks/main.yml    |  5 ++---
 vars/main.yml     |  6 ++++++
 5 files changed, 19 insertions(+), 12 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index 492516a..573afd4 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -5,6 +5,7 @@
 Update to audit_only to allow fetching results
 resolved false warning for fetch audit
+Improved documentation and variable compilation for crypto policies
 
 ## 2.0.1 - Based on CIS v2.0.0
 
 
diff --git a/defaults/main.yml b/defaults/main.yml
index cc49b0a..23312e5 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -12,7 +12,7 @@ os_check: true
 # Disruption is high
 ## Run tests that are considered higher risk and could have a system impact if not properly tested
 ## Default false
-## Will be fine if clean new un configured build
+## Will be fine if clean new un-configured build
 rhel9cis_disruption_high: false
 
 ## Switching on/off specific baseline sections
@@ -37,6 +37,7 @@ rhel9cis_level_2: true
 # Create managed not custom local_facts files
 create_benchmark_facts: true
 ansible_facts_path: /etc/ansible/facts.d
+
 ## Section 1.6 - Mandatory Access Control
 # This variable governs whether SELinux is disabled or not. If SELinux is NOT DISABLED by setting
 # 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed.
@@ -111,7 +112,7 @@ audit_conf_dest: "/opt"
 # Where the audit logs are stored
 audit_log_dir: '/opt'
 
-## Ability to collect and take audit files moving to a centralised location
+## Ability to collect and take audit files moving to a centralized location
 # This enables the collection of the files from the host
 fetch_audit_output: false
 
@@ -238,7 +239,7 @@ rhel9cis_rule_1_8_8: true
 rhel9cis_rule_1_8_9: true
 rhel9cis_rule_1_8_10: true
 
-# Section 2 rules are controlling Services (Special Purpose Services, and service clients)
+# Section 2 rules are controling Services (Special Purpose Services, and service clients)
 ## Configure Server Services
 rhel9cis_rule_2_1_1: true
 rhel9cis_rule_2_1_2: true
@@ -579,8 +580,8 @@ rhel9cis_crypto_policy: 'DEFAULT'
 ## Control 1.6
 # This variable contains the value of the crypto policy module(combinations of policies and
 # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
-# using 'rhel9cis_allowed_crypto_policies_modules' variable.
-rhel9cis_crypto_policy_module: ''
+# using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable.
+rhel9cis_additional_crypto_policy_module: ''
 
 ## Controls:
 # - 1.7.1 - Ensure message of the day is configured properly
@@ -816,7 +817,7 @@ rhel9cis_sshd_clientalivecountmax: 3
 rhel9cis_sshd_clientaliveinterval: 15
 
 ## Control 5.1.12 - disable forwarding
-# By Default this will also disable x11 forwarding
+# By Default this will also disablex11 forwarding
 # set 'yes' if x11 is required this can be changed to run in /etc/ssh/ssh_config.d/50-redhat.conf
 rhel9cis_sshd_x11forwarding: 'no'
 
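Review bot: The replacement comment line in the @@ -238 hunk misspells "controlling" as "controling", and the @@ -816 hunk does the same with "disablex11" where the removed line had the correct "disable x11"; both read as accidental reverts of earlier spelling fixes rather than intended edits. Keep the removed wording: `# Section 2 rules are controlling Services (Special Purpose Services, and service clients)` and `# By Default this will also disable x11 forwarding`.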
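Review bot: Renaming the user-facing default `rhel9cis_crypto_policy_module` to `rhel9cis_additional_crypto_policy_module` in the @@ -579 hunk drops any value an inventory, group_vars or host_vars file still sets under the old name, and because vars/main.yml in this same patch now defines `rhel9cis_crypto_policy_module: ''` with role-vars precedence, that old setting is overridden rather than applied — a host that was meant to get an extra sub-policy comes up on the bare `rhel9cis_crypto_policy` with no warning. The comment above the new variable should state the rename, e.g. `# Renamed from 'rhel9cis_crypto_policy_module'; values set under the old name are no longer honoured.`, and the Changelog hunk in this patch should call it out as a breaking change rather than "Improved documentation".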
@@ -1046,14 +1047,14 @@ rhel9cis_bash_umask: '0027' # 0027 or more restrictive
 # These are discovered via logins.def if set true
 rhel9cis_discover_int_uid: true
 # This variable sets the minimum number from which to search for UID
-# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
+# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has
 # been set to `true`.
 min_int_uid: 1000
 
 ### Controls:
 # - Ensure local interactive user home directories exist
 # - Ensure local interactive users own their home directories
 # This variable sets the maximum number at which the search stops for UID
-# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
+# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has
 # been set to `true`.
 max_int_uid: 65533
diff --git a/handlers/main.yml b/handlers/main.yml
index 1a3b66e..4bc5a08 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -186,7 +186,7 @@
 
 - name: Update Crypto Policy
   ansible.builtin.set_fact:
-    rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}{{ rhel9cis_crypto_policy_module }}{% endif %}"
+    rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{{ rhel9cis_crypto_policy_module }}:{{ rhel9cis_additional_crypto_policy_module }}"
   notify: Set Crypto Policy
 
 - name: Set Crypto Policy
diff --git a/tasks/main.yml b/tasks/main.yml
index 43ec09c..9bfcc51 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -61,7 +61,7 @@
     - crypto
     - NIST800-53R5_SC-6
   ansible.builtin.assert:
-    that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
+    that: rhel9cis_additional_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
     fail_msg: "Crypto policy module is not a permitted version"
     success_msg: "Crypto policy module is a permitted version"
 
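Review bot: With the renamed variable defaulting to `''` in defaults/main.yml, `'' in rhel9cis_allowed_crypto_policies_modules` is false, so the assert in the tasks/main.yml @@ -61 hunk fails on a host that sets no extra module unless a `when:` above the hunk (the task header is outside it) skips the empty case; the old name had the same shape, so this may be pre-existing, but it is worth confirming. Accepting the empty default explicitly and printing the offending value would make a real mismatch self-explanatory: `that: rhel9cis_additional_crypto_policy_module | length == 0 or rhel9cis_additional_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules` and `fail_msg: "Crypto policy module '{{ rhel9cis_additional_crypto_policy_module }}' is not in rhel9cis_allowed_crypto_policies_modules"`.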
@@ -132,9 +132,8 @@
     - rule_5.4.2.4
   block:
     - name: "Ensure root password is set"
-      ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
+      ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
       changed_when: false
-      failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
       register: prelim_root_passwd_set
 
     - name: "Ensure root password is set"
diff --git a/vars/main.yml b/vars/main.yml
index 5eed07c..9337d58 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -7,10 +7,16 @@ rhel9cis_allowed_crypto_policies:
   - 'FUTURE'
   - 'FIPS'
 
+# Following is left blank for ability to build string
+rhel9cis_crypto_policy_module: ''
+
+# Do not adjust these are recognized as part of the CIS benchmark and used during testing
 rhel9cis_allowed_crypto_policies_modules:
+  # Recognized by CIS as possible extra options
   - 'OSPP'
   - 'AD-SUPPORT'
   - 'AD-SUPPORT-LEGACY'
+  # The following are already included in 1.6.x controls
   - 'NO-SHA1'
   - 'NO-SSHCBC'
   - 'NO-SSHETM'

From 9db79097f91ead59e1a1dfa6a038fffad99184d8 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 20 Jun 2025 12:14:14 +0100
Subject: [PATCH 5/5] fixed crypto logic

Signed-off-by: Mark Bolwell
---
 handlers/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index 4bc5a08..1894300 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -186,7 +186,7 @@
 
 - name: Update Crypto Policy
   ansible.builtin.set_fact:
-    rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{{ rhel9cis_crypto_policy_module }}:{{ rhel9cis_additional_crypto_policy_module }}"
+    rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{{ rhel9cis_crypto_policy_module }}{% if rhel9cis_additional_crypto_policy_module | length > 0 %}:{{ rhel9cis_additional_crypto_policy_module }}{% endif %}"
   notify: Set Crypto Policy
 
 - name: Set Crypto Policy
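Review bot: Dropping `failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]` in the tasks/main.yml @@ -132 hunk means that when `passwd -S root` reports neither a set nor a locked password, grep exits 1 and the shell task itself fails with a generic non-zero-rc error, so the following task that evaluates the registered result (named inside the hunk, body outside it) is never reached. The switch from `grep -E` to `egrep -e` is also a step backwards — GNU grep marks egrep obsolescent and newer releases print a warning on stderr — and neither edit relates to the crypto-policy subject of this commit, so both look like an accidental revert. Keep `ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"` and `failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]`.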
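Review bot: Defining `rhel9cis_crypto_policy_module: ''` in vars/main.yml gives it role-vars precedence, so it cannot be changed from inventory, group_vars or host_vars, and the comment `# Following is left blank for ability to build string` does not say that; anyone still setting the old name (renamed to `rhel9cis_additional_crypto_policy_module` in defaults/main.yml in this patch) gets the value silently replaced by the empty string. If the variable exists only to keep the handler template working, the comment should say so and that users must not set it, e.g. `# Internal, always empty: the user-facing setting is rhel9cis_additional_crypto_policy_module`. The heading `# Do not adjust these are recognized as part of the CIS benchmark and used during testing` reads better with a colon after "adjust", since the list below is what the assert in tasks/main.yml validates against.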
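Review bot: The PATCH 5/5 template still interpolates `rhel9cis_crypto_policy_module` directly after `rhel9cis_crypto_policy` with no separator and no validation — the assert in tasks/main.yml only checks `rhel9cis_additional_crypto_policy_module` — so any non-empty value reaching it (it is pinned to `''` in vars/main.yml, but extra vars still override role vars) produces a string such as `DEFAULTOSPP` (constructed example) that is not a valid policy:module spec, and that string is presumably what the notified Set Crypto Policy handler applies; the interim PATCH 4/5 version of this hunk has the same interpolation plus a trailing colon when the additional module is empty. Since the variable is always empty by design, dropping it from the template removes the unvalidated path: `rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_additional_crypto_policy_module | length > 0 %}:{{ rhel9cis_additional_crypto_policy_module }}{% endif %}"`. The Set Crypto Policy handler begins on the hunk's last line and continues outside it.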