diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index ef3d3b3..7eba300 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml 
@@ -1,366 +1,79 @@ --- -- name: "6.1.1 | PATCH | Ensure permissions on /etc/passwd are configured" - ansible.builtin.file: - path: /etc/passwd - owner: root - group: root - mode: '0644' +- name: "6.1.1 | PATCH | Ensure AIDE is installed" when: - - rhel9cis_rule_6_1_1 + - rhel9cis_config_aide + - rhel9cis_rule_6_1_1 tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.1 - -- name: "6.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" - ansible.builtin.file: - path: /etc/passwd- - owner: root - group: root - mode: '0644' - when: - - rhel9cis_rule_6_1_2 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.2 - -- name: "6.1.3 | PATCH | Ensure permissions on /etc/group are configured" - ansible.builtin.file: - path: /etc/group - owner: root - group: root - mode: '0644' - when: - - rhel9cis_rule_6_1_3 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.3 - -- name: "6.1.4 | PATCH | Ensure permissions on /etc/group- are configured" - ansible.builtin.file: - path: /etc/group- - owner: root - group: root - mode: '0644' - when: - - rhel9cis_rule_6_1_4 - tags: - - level1-server - - level1-workstation - - patch - - permissionss - - rule_6.1.4 - -- name: "6.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" - ansible.builtin.file: - path: /etc/shadow - owner: root - group: root - mode: '0000' - when: - - rhel9cis_rule_6_1_5 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.5 - -- name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" - ansible.builtin.file: - path: /etc/shadow- - owner: root - group: root - mode: '0000' - when: - - rhel9cis_rule_6_1_6 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.6 - -- name: "6.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" - ansible.builtin.file: - path: /etc/gshadow - owner: root - group: root - 
mode: '0000' - when: - - rhel9cis_rule_6_1_7 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.7 - -- name: "6.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" - ansible.builtin.file: - path: /etc/gshadow- - owner: root - group: root - mode: '0000' - when: - - rhel9cis_rule_6_1_8 - tags: - - level1-server - - level1-workstation - - patch - - permissions - - rule_6.1.8 - -- name: "6.1.9 | PATCH | Ensure no world writable files exist" + - level1-server + - level1-workstation + - aide + - patch + - rule_6.1.1 + - NIST800-53R5_AU-2 block: - - name: "6.1.9 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" - ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 - failed_when: false - changed_when: false - register: rhel_09_6_1_9_perms_results + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Install AIDE" + ansible.builtin.package: + name: aide + state: present - - name: "6.1.9 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" - ansible.builtin.file: - path: '{{ item }}' - mode: o-w - state: touch - loop: "{{ rhel_09_6_1_9_perms_results.stdout_lines }}" - when: - - rhel_09_6_1_9_perms_results.stdout_lines is defined - - rhel9cis_no_world_write_adjust + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB" + when: not ansible_check_mode + ansible.builtin.shell: /usr/sbin/aide --init + args: + + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Wait for file before continuing" + ansible.builtin.wait_for: + path: /var/lib/aide/aide.db.new.gz + + - name: "6.1.1 | PATCH | Ensure AIDE is installed | copy AIDE DB" + ansible.builtin.copy: + src: /var/lib/aide/aide.db.new.gz + dest: /var/lib/aide/aide.db.gz + remote_src: true + +- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked" when: - - rhel9cis_rule_6_1_9 + - rhel9cis_rule_6_1_2 
+ - not system_is_ec2 tags: - - level1-server - - level1-workstation - - patch - - files - - permissions - - rule_6.1.9 + - level1-server + - level1-workstation + - aide + - file_integrity + - patch + - rule_6.1.2 + - NIST800-53R5_AU-2 + ansible.builtin.cron: + name: Run AIDE integrity check + cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}" + user: "{{ rhel9cis_aide_cron['cron_user'] }}" + minute: "{{ rhel9cis_aide_cron['aide_minute'] | default('0') }}" + hour: "{{ rhel9cis_aide_cron['aide_hour'] | default('5') }}" + day: "{{ rhel9cis_aide_cron['aide_day'] | default('*') }}" + month: "{{ rhel9cis_aide_cron['aide_month'] | default('*') }}" + weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}" + job: "{{ rhel9cis_aide_cron['aide_job'] }}" -- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist" - block: - - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" - ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser - changed_when: false - failed_when: false - check_mode: false - register: rhel_09_6_1_10_audit - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.mount }}" - when: - - item['device'].startswith('/dev') - - not 'bind' in item['options'] - - - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | set fact" - ansible.builtin.set_fact: - rhel_09_6_1_10_unowned_files_found: true - loop: "{{ rhel_09_6_1_10_audit.results }}" - when: - - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - - item.stdout | length > 0 - - - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" - ansible.builtin.debug: - msg: "Warning!! 
Missing owner on items in {{ rhel_09_6_1_10_audit.stdout_lines }}" - when: rhel_09_6_1_10_unowned_files_found - - - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '6.1.10' - when: rhel_09_6_1_10_unowned_files_found - vars: - rhel_09_6_1_10_unowned_files_found: false +- name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" when: - - rhel9cis_rule_6_1_10 + - rhel9cis_rule_6_1_3 + - not system_is_ec2 tags: - - level1-server - - level1-workstation - - audit - - files - - permissions - - rule_6.1.10 - -- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist" - block: - - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories" - ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup - check_mode: false - failed_when: false - changed_when: false - register: rhel_09_6_1_11_audit - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.mount }}" - when: - - item['device'].startswith('/dev') - - not 'bind' in item['options'] - - - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | set fact" - ansible.builtin.set_fact: - rhel_09_6_1_11_ungrouped_files_found: true - loop: "{{ rhel_09_6_1_11_audit.results }}" - when: - - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - - item.stdout | length > 0 - - - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" - ansible.builtin.debug: - msg: "Warning!! 
Missing group on items in {{ rhel_09_6_1_11_audit.stdout_lines }}" - when: rhel_09_6_1_11_ungrouped_files_found - - - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '6.1.11' - when: rhel_09_6_1_11_ungrouped_files_found - vars: - rhel_09_6_1_11_ungrouped_files_found: false - when: - - rhel9cis_rule_6_1_11 - tags: - - level1-server - - level1-workstation - - audit - - files - - permissions - - rule_6.1.11 - -- name: "6.1.12 | PATCH | Ensure sticky bit is set on all world-writable directories" - ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t - changed_when: false - failed_when: false - when: - - rhel9cis_rule_6_1_12 - tags: - - level1-server - - level1-workstation - - patch - - stickybits - - permissons - - rule_6.1.12 - -- name: "6.1.13 | AUDIT | Audit SUID executables" - block: - - name: "6.1.13 | AUDIT | Audit SUID executables | Find all SUID executables" - ansible.builtin.shell: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000" - failed_when: false - changed_when: false - register: rhel_09_6_1_13_suid_perms - - - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" - ansible.builtin.debug: - msg: "Warning!! 
SUID set on items in {{ rhel_09_6_1_13_suid_perms.stdout_lines }}" - when: - - rhel_09_6_1_13_suid_perms.stdout is defined - - rhel_09_6_1_13_suid_perms.stdout | length > 0 - - - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '6.1.13' - when: - - rhel_09_6_1_13_suid_perms.stdout is defined - - rhel_09_6_1_13_suid_perms.stdout | length > 0 - vars: - rhel9_6_1_13_suid_found: false - when: - - rhel9cis_rule_6_1_13 - tags: - - level1-server - - level1-workstation - - manual - - audit - - files - - rule_6.1.13 - -- name: "6.1.14 | AUDIT | Audit SGID executables" - block: - - name: "6.1.14 | AUDIT | Audit SGID executables | Find all SGID executables" - ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 - failed_when: false - changed_when: false - register: rhel_09_6_1_14_sgid_perms - - - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" - ansible.builtin.debug: - msg: "Warning!! 
SGID set on items in {{ rhel_09_6_1_14_sgid_perms.stdout_lines }}" - when: - - rhel_09_6_1_14_sgid_perms.stdout is defined - - rhel_09_6_1_14_sgid_perms.stdout | length > 0 - - - name: "6.1.14 | AUDIT | Audit SGID executables| warning" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '6.1.14' - when: - - rhel_09_6_1_14_sgid_perms.stdout is defined - - rhel_09_6_1_14_sgid_perms.stdout | length > 0 - vars: - rhel9_6_1_14_sgid_found: false - when: - - rhel9cis_rule_6_1_14 - tags: - - level1-server - - level1-workstation - - manual - - audit - - files - - rule_6.1.14 - -- name: "6.1.15 | AUDIT | Audit system file permissions" - block: - - name: "6.1.15 | AUDIT | Audit system file permissions | Audit the packages" - ansible.builtin.shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto - changed_when: false - failed_when: false - register: rhel9cis_6_1_15_packages_rpm - - - name: "6.1.15 | AUDIT | Audit system file permissions | Create list and warning" - block: - - name: "6.1.15 | AUDIT | Audit system file permissions | Add file discrepancy list to system" - ansible.builtin.copy: - dest: "{{ rhel9cis_rpm_audit_file }}" # noqa template-instead-of-copy - content: "{{ rhel9cis_6_1_15_packages_rpm.stdout }}" - owner: root - group: root - mode: '0640' - - - name: "6.1.15 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" - ansible.builtin.debug: - msg: | - "Warning!! You have some package descrepancies issues. 
- The file list can be found in {{ rhel9cis_rpm_audit_file }}" - - - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '6.1.15' - when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 - when: - - rhel9cis_rule_6_1_15 - tags: - - level2-server - - level2-workstation - - manual - - audit - - permissions - - rule_6.1.15 + - level1-server + - level1-workstation + - aide + - file_integrity + - patch + - rule_6.1.3 + ansible.builtin.blockinfile: + path: /etc/aide.conf + marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown" + block: | + /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 + validate: aide -D --config %s diff --git a/tasks/section_6/cis_6.2.1.x.yml b/tasks/section_6/cis_6.2.1.x.yml new file mode 100644 index 0000000..603e471 --- /dev/null +++ b/tasks/section_6/cis_6.2.1.x.yml 
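Review bot: The `Build AIDE DB` task runs `/usr/sbin/aide --init` on every play run and the following `copy AIDE DB` task then overwrites `/var/lib/aide/aide.db.gz`, so each run re-baselines the integrity database and any file change made between runs is absorbed into the new baseline instead of being reported by the 6.1.2 cron check. The `args:` key under that task is left empty (a bare key parses as null); it should carry a guard so the baseline is only built when none exists, e.g. `args:` followed by `creates: /var/lib/aide/aide.db.gz`. With that guard the `wait_for` on `/var/lib/aide/aide.db.new.gz` is also redundant, since the shell task is synchronous and the file exists when it returns; if it is kept it should be conditioned the same way so it does not block when the init was skipped.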
@@ -0,0 +1,114 @@ +--- + +- name: "6.2.1.1 | PATCH | Ensure journald service is enabled and active" + when: + - rhel9cis_rule_6_2_1_1 + tags: + - level1-server + - level1-workstation + - audit + - journald + - rule_6.2.1.1 + ansible.builtin.systemd: + name: systemd-journald.service + masked: false + state: started + +- name: "6.2.1.2 | PATCH | Ensure journald log file access is configured" + when: + - rhel9cis_rule_6_2_1_2 + tags: + - level1-server + - level1-workstation + - audit + - journald + - rule_6.2.1.2 + block: + - name: "6.2.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions" + ansible.builtin.file: + path: /usr/lib/tmpfiles.d/systemd.conf + mode: '0640' + + - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file" + ansible.builtin.stat: + path: /etc/tmpfiles.d/systemd.conf + register: tmpfile_override + + - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | If override file check for journal" + when: tmpfile_override.stat.exists + ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal \d*' /usr/lib/tmpfiles.d/systemd.conf + register: journald_fileperms_override + changed_when: false + failed_when: journald_fileperms_override.rc not in [ 0, 1 ] + + - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found" + when: + - tmpfile_override.stat.exists + - journald_fileperms_override.stdout | length > 0 + ansible.builtin.debug: + msg: "Warning!! 
- tmpfiles override found /usr/lib/tmpfiles.d/systemd.conf affecting journald files please confirm matches site policy" + + - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found" + when: + - tmpfile_override.stat.exists + - journald_fileperms_override.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '6.2.1.2' + +- name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured" + when: + - rhel9cis_rule_6_2_1_3 + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.1.3 + notify: Restart journald + block: + - name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured | Add file" + ansible.builtin.template: + src: etc/systemd/journald.conf.d/rotation.conf.j2 + dest: /etc/systemd/journald.conf.d/rotation.conf + owner: root + group: root + mode: '0640' + + - name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries" + ansible.builtin.replace: + path: /etc/systemd/journald.conf + regexp: "{{ item }}" + replace: '#\1' + loop: + - '^(\s*SystemMaxUse\s*=.*)' + - '^(\s*SystemKeepFree\s*=.*)' + - '^(\s*RuntimeMaxUse\s*=)' + - '^(\s*RuntimeKeepFree\s*=.*)' + - '^(\s*MaxFileSec\s*=.*)' + +- name: "6.2.1.4 | PATCH | Ensure only one logging system is in use" + when: + - rhel9cis_rule_6_2_1_4 + tags: + - level1-server + - level1-workstation + - patch + - journald + - syslog + - rule_6.2.1.4 + block: + - name: "6.2.1.4 | PATCH | Ensure only one logging system is in use | when rsyslog" + when: rhel9cis_syslog == "rsyslog" + ansible.builtin.systemd: + name: systemd-journald + state: stopped + enabled: false + + - name: "6.2.1.4 | PATCH | Ensure only one logging system is in use | when journald" + when: rhel9cis_syslog == "journald" + ansible.builtin.systemd: + name: rsyslog + state: stopped + enabled: false 
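Review bot: The `If override file check for journal` task in 6.2.1.2 is gated on `/etc/tmpfiles.d/systemd.conf` existing but then greps `/usr/lib/tmpfiles.d/systemd.conf`, so the override file's journal entry is never inspected and the warning text also names the wrong file; the grep should read `ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal [0-9]*' /etc/tmpfiles.d/systemd.conf`. `\d` is not an ERE class, so `grep -E` treats `\d*` as an optional literal `d` rather than a digit run. Separately, the `when rsyslog` branch of 6.2.1.4 stops and disables `systemd-journald` while 6.2.3.3 in `cis_6.2.3.x.yml` sets `ForwardToSyslog=yes`, which depends on journald running to forward anything; it is worth confirming that the intended outcome is disabling forwarding or the remote units rather than the journald service itself.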
diff --git a/tasks/section_6/cis_6.2.2.1.x.yml b/tasks/section_6/cis_6.2.2.1.x.yml new file mode 100644 index 0000000..4db5c29 --- /dev/null +++ b/tasks/section_6/cis_6.2.2.1.x.yml 
@@ -0,0 +1,162 @@ +--- + +- name: "6.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed" + when: + - ubtu22cis_rule_6_2_2_1_1 + - not ubtu22cis_system_is_log_server + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.2.1.1 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 + ansible.builtin.package: + name: systemd-journal-remote + state: present + +- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-remote authentication is configured" + when: + - ubtu22cis_rule_6_2_2_1_2 + - not ubtu22cis_system_is_log_server + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.2.1.2 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + notify: Restart journald + ansible.builtin.lineinfile: + path: /etc/systemd/journal-upload.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + loop: + - { regexp: 'URL=', line: 'URL={{ ubtu22cis_remote_log_server }}'} + - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ ubtu22cis_journal_upload_serverkeyfile }}'} + - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ ubtu22cis_journal_servercertificatefile }}'} + - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ ubtu22cis_journal_trustedcertificatefile }}'} + +- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled and active" + when: + - not ubtu22cis_system_is_log_server + - ubtu22cis_rule_6_2_2_1_3 + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.2.1.3 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + ansible.builtin.systemd: + name: systemd-journal-upload + masked: false + enabled: true + +- name: "6.2.2.1.4 | PATCH | Ensure systemd-journal-remote service is not in use" + when: + - not ubtu22cis_system_is_log_server + - ubtu22cis_rule_6_2_2_1_4 + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.2.1.4 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 + 
ansible.builtin.systemd: + name: "{{ item }}" + state: stopped + enabled: false + masked: true + loop: + - systemd-journal-remote.socket + - systemd-journal-remote.service + +- name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled" + when: + - ubtu22cis_rule_6_2_2_2 + tags: + - level1-server + - level2-workstation + - patch + - journald + - rule_6.2.2.2 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-6 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 + notify: Restart journald + block: + - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | Add file" + ansible.builtin.template: + src: etc/systemd/journald.conf.d/forwardtosyslog.conf.j2 + dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf + owner: root + group: root + mode: '0640' + + - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" + ansible.builtin.replace: + path: /etc/systemd/journald.conf + regexp: ^(\s*ForwardToSyslog) + replace: '#\1' + +- name: "6.2.2.3 | PATCH | Ensure journald Compress is configured" + when: + - ubtu22cis_rule_6_2_2_3 + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.2.3 + - NIST800-53R5_AU-4 + notify: Restart journald + block: + - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | Add file" + ansible.builtin.template: + src: etc/systemd/journald.conf.d/storage.conf.j2 # Added to the same file as 6.2.1.1.4 + dest: /etc/systemd/journald.conf.d/storage.conf + owner: root + group: root + mode: '0640' + + - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries" + ansible.builtin.replace: + path: /etc/systemd/journald.conf + regexp: ^(?i)(\s*compress=) + replace: '#\1' + +- name: "6.2.2.4 | PATCH | Ensure journald Storage is configured" + when: + - ubtu22cis_rule_6_2_2_4 + tags: + - level1-server + - level1-workstation + - patch + - journald + - rule_6.2.2.4 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + notify: Restart 
journald + block: + - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | Add file" + ansible.builtin.template: + src: etc/systemd/journald.conf.d/storage.conf.j2 + dest: /etc/systemd/journald.conf.d/storage.conf + owner: root + group: root + mode: '0640' + + - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries" + ansible.builtin.replace: + path: /etc/systemd/journald.conf + regexp: ^(?i)(\s*storage=) + replace: '#\1' diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml new file mode 100644 index 0000000..7e4dadc --- /dev/null +++ b/tasks/section_6/cis_6.2.3.x.yml 
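Review bot: Every `when` condition and templated value in this new file references `ubtu22cis_*` variables (`ubtu22cis_rule_6_2_2_1_1` through `ubtu22cis_rule_6_2_2_4`, `ubtu22cis_system_is_log_server`, `ubtu22cis_remote_log_server` and the three `ubtu22cis_journal_*` certificate variables), while the rest of this commit uses the `rhel9cis_` prefix, so these tasks will fail with undefined-variable errors unless the Ubuntu names happen to be declared in this role. They appear to be carried over from the Ubuntu 22.04 role and should be renamed to the `rhel9cis_` equivalents and added to the role defaults, e.g. `- rhel9cis_rule_6_2_2_1_1` and `- not rhel9cis_system_is_log_server`. The certificate variable names are also inconsistent with each other (`ubtu22cis_journal_upload_serverkeyfile` versus `ubtu22cis_journal_servercertificatefile`), which is worth aligning during the rename since these paths decide which key and CA the upload client trusts.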
@@ -0,0 +1,293 @@ +--- + +- name: "6.2.3.1 | PATCH | Ensure rsyslog installed" + when: + - "'rsyslog' not in ansible_facts.packages" + - rhel9cis_rule_6_2_3_1 + tags: + - level1-server + - level1-workstation + - patch + - rsyslog + - rule_6.2.3.1 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + ansible.builtin.package: + name: rsyslog + state: present + +- name: "6.2.3.2 | PATCH | Ensure rsyslog Service is enabled and active" + when: + - rhel9cis_rule_6_2_3_2 + tags: + - level1-server + - level1-workstation + - patch + - rsyslog + - rule_6.2.3.2 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + ansible.builtin.systemd: + name: rsyslog + enabled: true + state: started + +- name: "6.2.3.3 | PATCH | Ensure journald is configured to send logs to rsyslog" + when: + - rhel9cis_rule_6_2_3_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_6.2.3.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-4 + - NIST800-53R5_AU-12 + - NIST800-53R5_MP-2 + ansible.builtin.lineinfile: + path: /etc/systemd/journald.conf + regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" + line: ForwardToSyslog=yes + notify: Restart rsyslog + +- name: "6.2.3.4 | PATCH | Ensure rsyslog log file creation mode is configured" + when: + - rhel9cis_rule_6_2_3_4 + tags: + - level1-server + - level1-workstation + - patch + - rsyslog + - rule_6.2.3.4 + - NIST800-53R5_AC-3 + - NIST800-53R5_AC-6 + - NIST800-53R5_MP-2 + ansible.builtin.lineinfile: + path: /etc/rsyslog.conf + regexp: '^\$FileCreateMode' + line: '$FileCreateMode 0640' + notify: Restart rsyslog + +- name: "6.2.3.5 | PATCH | Ensure logging is configured" + when: + - rhel9cis_rule_6_2_3_5 + tags: + - level1-server + - level1-workstation + - patch + - rsyslog + - rule_6.2.3.5 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 + block: + - name: "6.2.3.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" + ansible.builtin.shell: cat 
/etc/rsyslog.conf | grep -Ev "^#|^$" + changed_when: false + failed_when: false + check_mode: false + register: rhel_09_6_2_3_5_audit + + - name: "6.2.3.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" + ansible.builtin.debug: + msg: + - "These are the current logging configurations for rsyslog, please review:" + - "{{ rhel_09_4_2_1_5_audit.stdout_lines }}" + + - name: "6.2.3.5 | PATCH | Ensure logging is configured | mail.* log setting" + when: rhel9cis_rsyslog_ansiblemanaged + ansible.builtin.blockinfile: + path: /etc/rsyslog.conf + marker: "# {mark} MAIL LOG SETTINGS - CIS benchmark - Ansible-lockdown" + block: | + # mail logging additions to meet CIS standards + mail.* -/var/log/mail + mail.info -/var/log/mail.info + mail.warning -/var/log/mail.warning + mail.err /var/log/mail.err + insertafter: '# Log all the mail messages in one place.' + notify: Restart rsyslog + + - name: "6.2.3.5 | PATCH | Ensure logging is configured | news.crit log setting" + when: rhel9cis_rsyslog_ansiblemanaged + ansible.builtin.blockinfile: + path: /etc/rsyslog.conf + state: present + marker: "# {mark} NEWS LOG SETTINGS - CIS benchmark - Ansible-lockdown" + block: | + # news logging additions to meet CIS standards + news.crit -/var/log/news/news.crit + news.notice -/var/log/news/news.crit + insertafter: '# Save news errors of level crit and higher in a special file.' + notify: Restart rsyslog + + - name: "6.2.3.5 | PATCH | Ensure logging is configured | Misc. log setting" + when: rhel9cis_rsyslog_ansiblemanaged + ansible.builtin.blockinfile: + path: /etc/rsyslog.conf + state: present + marker: "# {mark} MISC. LOG SETTINGS - CIS benchmark - Ansible-lockdown" + block: | + # misc. 
logging additions to meet CIS standards + *.=warning;*.=err -/var/log/warn + *.crit /var/log/warn + *.*;mail.none;news.none /var/log/messages + insertafter: '#### RULES ####' + notify: Restart rsyslog + + - name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings" + ansible.builtin.blockinfile: + path: /etc/rsyslog.conf + state: present + marker: "#{mark} LOCAL LOG SETTINGS - CIS benchmark - Ansible-lockdown" + block: | + # local log settings to meet CIS standards + local0,local1.* -/var/log/localmessages + local2,local3.* -/var/log/localmessages + local4,local5.* -/var/log/localmessages + local6,local7.* -/var/log/localmessages + *.emrg :omusrmsg:* + insertafter: '#### RULES ####' + notify: Restart rsyslog + + - name: "6.2.3.5 | PATCH | Ensure logging is configured | Auth Settings" + ansible.builtin.blockinfile: + path: /etc/rsyslog.conf + state: present + marker: "#{mark} Auth SETTINGS - CIS benchmark - Ansible-lockdown" + block: | + # Private settings to meet CIS standards + auth,authpriv.* /var/log/secure + insertafter: '#### RULES ####' + notify: Restart rsyslog + + - name: "6.2.3.5 | PATCH | Ensure logging is configured | Cron Settings" + ansible.builtin.blockinfile: + path: /etc/rsyslog.conf + state: present + marker: "#{mark} Cron SETTINGS - CIS benchmark - Ansible-lockdown" + block: | + # Cron settings to meet CIS standards + cron.* /var/log/cron + insertafter: '#### RULES ####' + notify: Restart rsyslog + +- name: "6.2.3.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" + when: + - rhel9cis_rule_6_2_3_6 + - rhel9cis_remote_log_server + tags: + - level1-server + - level1-workstation + - patch + - rsyslog + - rule_6.2.3.6 + - NIST800-53R5_AU-6 + ansible.builtin.blockinfile: + path: /etc/rsyslog.conf + state: present + block: | + # target can be IP or FQDN + *.* action(type="omfwd" target="{{ rhel9cis_remote_log_host }}" port="{{ rhel9cis_remote_log_port }}" protocol="{{ rhel9cis_remote_log_protocol }}" 
action.resumeRetryCount="{{ rhel9cis_remote_log_retrycount }}" queue.type="LinkedList" queue.size="{{ rhel9cis_remote_log_queuesize }}") + insertafter: EOF + register: result + failed_when: + - result is failed + - result.rc != 257 + notify: Restart rsyslog + +- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" + when: + - rhel9cis_rule_6_2_3_7 + tags: + - level1-server + - level1-workstation + - patch + - rsyslog + - rule_6.2.3.7 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-7 + - NIST800-53R5_AU-12 + - NIST800-53R5_CM-6 + block: + - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host" + when: not rhel9cis_system_is_log_server + ansible.builtin.replace: + path: /etc/rsyslog.conf + regexp: '{{ item }}' + replace: '#\1' + notify: Restart rsyslog + loop: + - '^(\$ModLoad imtcp)' + - '^(\$InputTCPServerRun)' + - '^(module\(load="imtcp"\))' + - '^(input\(type="imtcp")' + + - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. 
| When log host" + when: rhel9cis_system_is_log_server + ansible.builtin.replace: + path: /etc/rsyslog.conf + regexp: '^#(.*{{ item }}.*)' + replace: '\1' + notify: Restart rsyslog + loop: + - 'ModLoad imtcp' + - 'InputTCPServerRun' + +- name: "6.2.3.8 | PATCH | Ensure logrotate is configured" + when: + - rhel9cis_rule_6_2_3_8 + tags: + - level1-server + - level1-workstation + - manual + - patch + - logrotate + - rule_6.2.3.8 + - NIST800-53R5_AU-8 + block: + - name: "6.2.3.8 | PATCH | Ensure logrotate is configured | installed" + ansible.builtin.package: + name: rsyslog-logrotate + state: present + + - name: "6.2.3.8 | PATCH | Ensure logrotate is configured | scheduled" + ansible.builtin.systemd: + name: logrotate.timer + state: started + enabled: true + + - name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set default conf" + ansible.builtin.replace: + path: "/etc/logrotate.conf" + regexp: '^(\s*)(daily|weekly|monthly|yearly)$' + replace: "\\1{{ rhel9cis_logrotate }}" + + - name: "6.2.3.8 | AUDIT | Ensure logrotate is configured | Get non default logrotate settings" + ansible.builtin.find: + paths: /etc/logrotate.d/ + contains: '^(\s*)(?!{{ rhel9cis_logrotate }})(daily|weekly|monthly|yearly)$' + register: log_rotates + + - name: "6.2.3.8 | AUDIT | Ensure logrotate is configured" + when: log_rotates.matched > 0 + vars: + warn_control_id: '6.2.3.8' + block: + - name: "6.2.3.8 | AUDIT | Ensure logrotate is configured | generate file list" + ansible.builtin.set_fact: + logrotate_non_def_conf: "{{ log_rotates.files | map(attribute='path') | join (', ') }}" + + - name: "6.2.3.8 | AUDIT | Ensure logrotate is configured | List configured files" + ansible.builtin.debug: + msg: | + "Warning!! 
The following files are not covered by default logrotate settings ensure they match site policy" + "{{ logrotate_non_def_conf }}" + loop: "{{ log_rotates.files }}" + + - name: "6.2.3.8 | AUDIT | Ensure logrotate is configured | Warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml diff --git a/tasks/section_6/cis_6.2.4.1.yml b/tasks/section_6/cis_6.2.4.1.yml new file mode 100644 index 0000000..b86b014 --- /dev/null +++ b/tasks/section_6/cis_6.2.4.1.yml 
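Review bot: The `rsyslog current config message out` debug task in 6.2.3.5 prints `rhel_09_4_2_1_5_audit.stdout_lines`, but the preceding shell task registers `rhel_09_6_2_3_5_audit`, so the debug fails on an undefined variable; the line should be `- "{{ rhel_09_6_2_3_5_audit.stdout_lines }}"`. In the `Local log settings` block, `*.emrg :omusrmsg:*` uses a priority rsyslog does not know (the level is `emerg`), which makes the generated rule invalid and is why the benchmark text spells it `*.emerg :omusrmsg:*`. The `Local log settings`, `Auth Settings` and `Cron Settings` tasks also lack the `when: rhel9cis_rsyslog_ansiblemanaged` guard the three preceding blockinfile tasks carry, so the role rewrites `/etc/rsyslog.conf` even when the operator has opted out of Ansible-managed rsyslog rules.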
@@ -0,0 +1,62 @@
+---
+
+- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured"
+ when:
+ - rhel9cis_rule_6_2_4_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - logfiles
+ - rule_6.2.4.1
+ block:
+ - name: "6.2.4.1 | AUDIT | Ensure access to all logfiles has been configured | find log files"
+ ansible.builtin.shell: find /var/log/ -type f -exec ls {} \;
+ changed_when: false
+ failed_when: false
+ register: discovered_logfiles
+
+ - name: "6.2.4.1 | AUDIT | Ensure access to all logfiles has been configured | set_fact"
+ when:
+ - discovered_logfiles.stdout_lines | length > 0
+ - discovered_logfiles is defined
+ ansible.builtin.set_fact:
+ discovered_logfiles_flattened: "{{ discovered_logfiles | json_query('stdout_lines[*]') | flatten }}" # noqa: jinja[invalid]
+
+ - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
+ when:
+ - discovered_logfiles_flattened is defined
+ - item == "/var/log/secure"
+ - item == "/var/log/auth.log"
+ - item == "/var/log/syslog"
+ - "'journal' in item"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ mode: 'u-x,g-wx,o-rwx'
+ loop: "{{ discovered_logfiles_flattened }}"
+
+ - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
+ when:
+ - discovered_logfiles_flattened is defined
+ - item == "/var/log/btmp"
+ - item == "/var/log/utmp"
+ - item == "/var/log/wtmp"
+ - item == "/var/log/lastlog"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ mode: 'u-x,g-wx,o-rwx'
+ owner: root
+ group: root
+ loop: "{{ discovered_logfiles_flattened }}"
+
+ - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
+ when:
+ - discovered_logfiles_flattened is defined
+ - "'sssd' in item"
+ - item == "/var/log/utmp"
+ - item == "/var/log/wtmp"
+ - item == "/var/log/lastlog"
+ ansible.builtin.file:
+ path: "{{ item }}"
+ mode: 'u-x,g-wx,o-rwx'
+ loop: "{{ discovered_logfiles_flattened }}"
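Review bot: The `when` lists on the three "change permissions" tasks can never be satisfied, because Ansible ANDs the entries of a `when` list and a single `item` cannot equal `/var/log/secure`, `/var/log/auth.log` and `/var/log/syslog` at the same time, so no log file ever has its mode tightened and the control is a silent no-op. Each list needs one or-expression in place of the equality entries, e.g. `- item in ['/var/log/secure', '/var/log/auth.log', '/var/log/syslog'] or 'journal' in item` for the first task, `- item in ['/var/log/btmp', '/var/log/utmp', '/var/log/wtmp', '/var/log/lastlog']` for the second, and just `- "'sssd' in item"` for the third, whose utmp/wtmp/lastlog entries appear to duplicate the second task. In the set_fact task, `discovered_logfiles is defined` should come before the `| length > 0` test that dereferences it, and the `json_query` call (which pulls in the jmespath dependency) adds nothing, since `discovered_logfiles.stdout_lines` is already a flat list.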
diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml deleted file mode 100644 index 7be9ae9..0000000 --- a/tasks/section_6/cis_6.2.x.yml +++ /dev/null 
@@ -1,455 +0,0 @@ ---- - -- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" - block: - - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | discover" - ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd - changed_when: false - register: shadow_passwd - - - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Output" - ansible.builtin.debug: - msg: | - - "Warning!! Below are the accounts that do not have shadowed passwords set" - - "{{ shadow_passwd.stdout_line }}" - when: shadow_passwd.stdout | length > 0 - - - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '6.2.1' - when: shadow_passwd.stdout | length >= 1 - - when: - - rhel9cis_rule_6_2_1 - tags: - - level1-server - - level1-workstation - - patch - - accounts - - rule_6.2.1 - -- name: "6.2.2 | PATCH | Ensure password fields are not empty" - ansible.builtin.shell: passwd -l {{ item }} - changed_when: false - failed_when: false - loop: "{{ empty_password_accounts.stdout_lines }}" - when: - - empty_password_accounts.rc - - rhel9cis_rule_6_2_2 - tags: - - level1-server - - level1-workstation - - patch - - accounts - - rule_6.2.2 - -- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" - block: - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" - ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_6_2_3_passwd_gid_check - - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" - ansible.builtin.debug: - msg: "Warning!! 
The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_3_passwd_gid_check.stdout_lines | join (', ') }}" - when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 - - - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '6.2.3' - when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 - when: - - rhel9cis_rule_6_2_3 - tags: - - level1-server - - level1-workstation - - audit - - accounts - - groups - - rule_6.2.3 - -- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist" - block: - - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" - ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" - changed_when: false - failed_when: false - register: rhel9cis_6_2_4_user_uid_check - - - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" - ansible.builtin.debug: - msg: "Warning!! 
The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}" - when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 - - - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 - vars: - warn_control_id: '6.2.4' - when: - - rhel9cis_rule_6_2_4 - tags: - - level1-server - - level1-workstation - - audit - - accounts - - users - - rule_6.2.4 - -- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist" - block: - - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" - ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" - changed_when: false - failed_when: false - register: rhel9cis_6_2_5_user_user_check - - - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" - ansible.builtin.debug: - msg: "Warning!! 
The following groups have duplicate GIDs: {{ rhel9cis_6_2_5_user_user_check.stdout_lines }}" - when: rhel9cis_6_2_5_user_user_check.stdout | length >= 1 - - - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '6.2.5' - when: rhel9cis_6_2_5_user_user_check.stdout_lines | length >= 1 - - when: - - rhel9cis_rule_6_2_5 - tags: - - level1-server - - level1-workstation - - audit - - accounts - - groups - - rule_6.2.5 - -- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist" - block: - - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" - ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" - changed_when: false - failed_when: false - register: rhel9cis_6_2_6_user_username_check - - - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" - ansible.builtin.debug: - msg: "Warning!! 
The following user names are duplicates: {{ rhel9cis_6_2_6_user_username_check.stdout_lines }}" - when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 - - - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '6.2.6' - when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 - when: - - rhel9cis_rule_6_2_6 - tags: - - level1-server - - level1-workstation - - audit - - accounts - - users - - rule_6.2.6 - -- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist" - block: - - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" - ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_6_2_7_group_group_check - - - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - ansible.builtin.debug: - msg: "Warning!! 
The following group names are duplicates: {{ rhel9cis_6_2_7_group_group_check.stdout_lines }}" - when: rhel9cis_6_2_7_group_group_check.stdout is not defined - - - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml - vars: - warn_control_id: '6.2.7' - when: rhel9cis_6_2_7_group_group_check.stdout is not defined - when: - - rhel9cis_rule_6_2_7 - tags: - - level1-server - - level1-workstation - - audit - - accounts - - groups - - rule_6.2.7 - -- name: "6.2.8 | PATCH | Ensure root PATH Integrity" - block: - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Get root paths" - ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 - changed_when: false - register: rhel9cis_6_2_8_root_paths - - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Get root paths" - ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2 | tr ":" "\n" - changed_when: false - register: rhel9cis_6_2_8_root_paths_split - - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set fact" - ansible.builtin.set_fact: - root_paths: "{{ rhel9cis_6_2_8_root_paths.stdout }}" - - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" - ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"' - changed_when: false - failed_when: root_path_empty_dir.rc not in [ 0, 1 ] - register: root_path_empty_dir - - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for trailing ':'" - ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"' - changed_when: false - failed_when: root_path_trailing_colon.rc not in [ 0, 1 ] - register: root_path_trailing_colon - - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" - block: - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions" - 
ansible.builtin.stat: - path: "{{ item }}" - register: root_path_perms - loop: "{{ rhel9cis_6_2_8_root_paths_split.stdout_lines }}" - - - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set permissions" - ansible.builtin.file: - path: "{{ item.stat.path }}" - state: directory - owner: root - group: root - mode: '0755' - follow: false - loop: "{{ root_path_perms.results }}" - loop_control: - label: "{{ item }}" - when: - - item.stat.exists - - item.stat.isdir - - item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp - when: - - rhel9cis_rule_6_2_8 - tags: - - level1-server - - level1-workstation - - patch - - paths - - rule_6.2.8 - -- name: "6.2.9 | PATCH | Ensure root is the only UID 0 account" - ansible.builtin.shell: passwd -l {{ item }} - changed_when: false - failed_when: false - loop: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}" - when: - - rhel9cis_uid_zero_accounts_except_root.rc - - rhel9cis_rule_6_2_9 - tags: - - level1-server - - level1-workstation - - patch - - accounts - - users - - rule_6.2.9 - -- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" - block: - - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Create dir if absent" - ansible.builtin.file: - path: "{{ item.dir }}" - state: directory - owner: "{{ item.id }}" - group: "{{ item.gid }}" - register: rhel_09_6_2_10_home_dir - loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" - loop_control: - label: "{{ item.id }}" - - # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Set group ACL" - ansible.posix.acl: - path: "{{ item }}" - default: true - etype: group - permissions: rx - state: present - loop: "{{ discovered_interactive_users_home.stdout_lines }}" - when: not system_is_container - - - name: "6.2.10 | 
PATCH | Ensure local interactive user home directories exist | Set other ACL" - ansible.posix.acl: - path: "{{ item }}" - default: true - etype: other - permissions: 0 - state: present - loop: "{{ discovered_interactive_users_home.stdout_lines }}" - when: not system_is_container - when: - - rhel9cis_rule_6_2_10 - tags: - - level1-server - - level1-workstation - - patch - - users - - rule_6.2.10 - -- name: "6.2.11 | PATCH | Ensure local interactive users own their home directories" - ansible.builtin.file: - path: "{{ item.dir }}" - owner: "{{ item.id }}" - state: directory - loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" - loop_control: - label: "{{ item.id }}" - when: - - item.id in discovered_interactive_usernames.stdout - - rhel9cis_rule_6_2_11 - tags: - - level1-server - - level1-workstation - - patch - - users - - rule_6.2.11 - -- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" - block: - - name: "6.2.12 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive | get stat" - ansible.builtin.stat: - path: "{{ item }}" - register: rhel_09_6_2_12_home_dir_perms - loop: "{{ discovered_interactive_users_home.stdout_lines }}" - - - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | amend if needed" - ansible.builtin.file: - path: "{{ item.stat.path }}" - state: directory - mode: '0750' - loop: "{{ rhel_09_6_2_12_home_dir_perms.results }}" - loop_control: - label: "{{ item }}" - when: - - item.stat.mode > '0750' - - # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | Set group ACL" - ansible.posix.acl: - path: "{{ item }}" - default: true - etype: group - permissions: rx - state: present - loop: "{{ 
discovered_interactive_users_home.stdout_lines }}" - when: not system_is_container - - - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | Set other ACL" - ansible.posix.acl: - path: "{{ item }}" - default: true - etype: other - permissions: 0 - state: present - loop: "{{ discovered_interactive_users_home.stdout_lines }}" - when: not system_is_container - when: - - rhel9cis_rule_6_2_12 - tags: - - level1-server - - level1-workstation - - patch - - users - - permissions - - rule_6.2.12 - -- name: "6.2.13 | PATCH | Ensure no local interactive user has .netrc files" - ansible.builtin.file: - path: "{{ item }}/.netrc" - state: absent - loop: "{{ discovered_interactive_users_home.stdout_lines }}" - when: - - rhel9cis_rule_6_2_13 - tags: - - level1-server - - level1-workstation - - patch - - users - - permissions - - rule_6.2.13 - -- name: "6.2.14 | PATCH | Ensure no local interactive user has .forward files" - ansible.builtin.file: - path: "{{ item }}/.forward" - state: absent - loop: "{{ discovered_interactive_users_home.stdout_lines }}" - when: - - rhel9cis_rule_6_2_14 - tags: - - level1-server - - level1-workstation - - patch - - users - - files - - rule_6.2.14 - -- name: "6.2.15 | PATCH | Ensure no local interactive user has .rhosts files" - ansible.builtin.file: - path: "~{{ item }}/.rhosts" - state: absent - loop: "{{ discovered_interactive_users_home.stdout_lines }}" - when: - - rhel9cis_rule_6_2_15 - tags: - - level1-server - - level1-workstation - - patch - - users - - files - - rule_6.2.15 - -- name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable" - block: - - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Check for files" - ansible.builtin.find: - path: /home - depth: 3 - patterns: ".*" - hidden: true - recurse: true - file_type: file - register: user_dot_files - - - name: "6.2.16 | AUDIT | Ensure local 
interactive user dot files are not group or world writable | update permissions" - ansible.builtin.file: - path: "{{ item.path }}" - mode: go-w - follow: "{{ rhel_09_6_2_16_home_follow_symlinks }}" - loop: "{{ user_dot_files.files }}" - loop_control: - label: "{{ item.path }}" - - when: - - rhel9cis_rule_6_2_16 - tags: - - level1-server - - level1-workstation - - patch - - users - - permissions - - rule_6.2.16 diff --git a/tasks/section_6/cis_6.3.1.x.yml b/tasks/section_6/cis_6.3.1.x.yml new file mode 100644 index 0000000..b25ab69 --- /dev/null +++ b/tasks/section_6/cis_6.3.1.x.yml 
@@ -0,0 +1,111 @@ +--- + +- name: "6.3.1.1 | PATCH | Ensure auditd is installed" + when: + - rhel9cis_rule_6_3_1_1 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.1.1 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-3 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + block: + - name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd packages" + when: '"auditd" not in ansible_facts.packages' + ansible.builtin.package: + name: audit + state: present + + - name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages" + when: '"auditd-lib" not in ansible_facts.packages' + ansible.builtin.package: + name: audit-libs + state: present + +- name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" + when: + - rhel9cis_rule_6_3_1_2 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - grub + - rule_6.3.1.2 + block: + - name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby existence of current value" + ansible.builtin.shell: grubby --info=ALL | grep args | sed -n 's/.*audit=\([[:alnum:]]\+\).*/\1/p' + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_6_3_1_2_grubby_curr_value_audit_linux + + - name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed" + when: + - rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout == '' or + '0' in rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout or + 'off' in rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout|lower + ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" + +- name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" + when: + - rhel9cis_rule_6_3_1_3 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - grub + - rule_6.3.1.3 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + block: + - name: "6.3.1.3 | 
AUDIT | Ensure audit_backlog_limit is sufficient | Grubby existence of current value" + ansible.builtin.shell: + cmd: 'grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"' + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux + + - name: "6.3.1.3 | AUDIT | Check to see if limits are set" + when: + - rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux is not defined or + rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux.stdout_lines == [] + ansible.builtin.set_fact: + rhel9cis_6_3_1_3_reset_backlog_limits: true + + - name: "6.3.1.3 | AUDIT | Check to see if any limits are too low" + when: + - (item | int < rhel9cis_audit_back_log_limit) + ansible.builtin.set_fact: + rhel9cis_6_3_1_3_reset_backlog_limits: true + loop: "{{ rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux.stdout_lines }}" + + - name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied" + when: + - rhel9cis_6_3_1_3_reset_backlog_limits is defined + ansible.builtin.shell: + cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' + +- name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active" + when: + - rhel9cis_rule_6_3_1_4 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.1.4 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + ansible.builtin.systemd: + name: auditd + state: started + enabled: true diff --git a/tasks/section_6/cis_6.3.2.x.yml b/tasks/section_6/cis_6.3.2.x.yml new file mode 100644 index 0000000..dd9df94 --- /dev/null +++ b/tasks/section_6/cis_6.3.2.x.yml 
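Review bot: The install guards in 6.3.1.1 look up `auditd` and `auditd-lib` in `ansible_facts.packages`, but the packages the tasks install are named `audit` and `audit-libs`, so the keys tested never exist and both tasks run unconditionally; the guards should read `when: '"audit" not in ansible_facts.packages'` and `when: '"audit-libs" not in ansible_facts.packages'`. The end state is still correct because `state: present` is idempotent, but the guard as written suggests a skip was intended, and it depends on `package_facts` having been gathered earlier, which is outside this hunk. In 6.3.1.2 the substring test `'0' in rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout` fires on any captured value that merely contains a zero; comparing the captured value with `== '0'` is the exact check the sed expression was built for.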
@@ -0,0 +1,76 @@ +--- + +- name: "6.3.2.1 | PATCH | Ensure audit log storage size is configured" + when: + - rhel9cis_rule_6_3_2_1 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.2.1 + - NIST800-53R5_AU-8 + ansible.builtin.lineinfile: + path: /etc/audit/auditd.conf + regexp: "^max_log_file( |=)" + line: "max_log_file = {{ rhel9cis_auditd['max_log_file'] }}" + notify: Restart auditd + +- name: "6.3.2.2 | PATCH | Ensure audit logs are not automatically deleted" + when: + - rhel9cis_rule_6_3_2_2 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.2.2 + - NIST800-53R5_AU-8 + ansible.builtin.lineinfile: + path: /etc/audit/auditd.conf + regexp: "^max_log_file_action" + line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" + notify: Restart auditd + +- name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full" + when: + - rhel9cis_rule_6_3_2_3 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.2.3 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-8 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + ansible.builtin.lineinfile: + path: /etc/audit/auditd.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: Restart auditd + loop: + - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' } + - { regexp: '^action_mail_acct', line: 'action_mail_acct = {{ rhel9cis_auditd.action_mail_acct }}' } + - { regexp: '^space_left_action', line: 'space_left_action = {{ rhel9cis_auditd.space_left_action }}' } + +- name: PATCH | Configure other keys for auditd.conf + when: + - rhel9cis_auditd_extra_conf.keys() | length > 0 + - rhel9cis_auditd_extra_conf_usage + tags: + - level2-server + - level2-workstation + - patch + - auditd + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-8 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + ansible.builtin.lineinfile: + path: /etc/audit/auditd.conf + regexp: "^{{ 
item }}( |=)" + line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}" + loop: "{{ rhel9cis_auditd_extra_conf.keys() }}" + notify: Restart auditd diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml new file mode 100644 index 0000000..7e7e479 --- /dev/null +++ b/tasks/section_6/cis_6.3.3.x.yml 
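Review bot: The unnamed "Configure other keys for auditd.conf" task runs after 6.3.2.1–6.3.2.3 with a regexp built from the user-supplied key, so an entry such as `max_log_file_action` or `space_left_action` in `rhel9cis_auditd_extra_conf` silently overwrites the value the benchmark tasks just wrote; either exclude those keys, e.g. `loop: "{{ rhel9cis_auditd_extra_conf.keys() | list | difference(['max_log_file', 'max_log_file_action', 'admin_space_left_action', 'action_mail_acct', 'space_left_action']) }}"`, or document that the extra map takes precedence. Its `when` also evaluates `rhel9cis_auditd_extra_conf.keys() | length > 0` before `rhel9cis_auditd_extra_conf_usage`, so a run with the feature switched off and the map left undefined is likely to fail on the first condition rather than skip; putting the usage flag first avoids that. The `| list` above also removes any doubt about passing a `dict_keys` view to `loop`, and a `rule_` style tag would keep this task selectable like its neighbours.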
@@ -0,0 +1,328 @@ +--- + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" + when: + - rhel9cis_rule_6_3_3_1 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.1 + - NIST800-53R5_AU-3 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.2 | PATCH | Ensure actions as another user are always logged" + when: + - rhel9cis_rule_6_3_3_2 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.2 + - NIST800-53R5_AU-3 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.3 | PATCH | Ensure events that modify the sudo log file are collected" + when: + - rhel9cis_rule_6_3_3_3 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.3 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.4 | PATCH | Ensure events that modify date and time information are collected" + when: + - rhel9cis_rule_6_3_3_4 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.4 + - NIST800-53R5_AU-3 + - NIST800-53R5_CM-6 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.5 | PATCH | Ensure events that modify the system's network environment are collected" + when: + - rhel9cis_rule_6_3_3_5 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.5 + - NIST800-53R5_AU-3 + - NIST800-53R5_CM-6 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: 
"6.3.3.6 | PATCH | Ensure use of privileged commands is collected" + when: + - rhel9cis_rule_6_3_3_6 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.6 + - NIST800-53R5_AU-3 + block: + - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" + ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done + changed_when: false + failed_when: false + check_mode: false + register: priv_procs + + - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" + ansible.builtin.set_fact: + update_audit_template: true + notify: update auditd + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.7 | PATCH | Ensure unsuccessful file access attempts are collected" + when: + - rhel9cis_rule_6_3_3_7 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.7 + - NIST800-53R5_AU-3 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.8 | PATCH | Ensure events that modify user/group information are collected" + when: + - rhel9cis_rule_6_3_3_8 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.8 + - NIST800-53R5_AU-3 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" + when: + - rhel9cis_rule_6_3_3_9 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.9 + - NIST800-53R5_AU-3 + - NIST800-53R5_CM-6 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.10 | PATCH | Ensure successful file system mounts are collected" + when: + - 
rhel9cis_rule_6_3_3_10 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.10 + - NIST800-53R5_CM-6 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.11 | PATCH | Ensure session initiation information is collected" + when: + - rhel9cis_rule_6_3_3_11 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.11 + - NIST800-53R5_AU-3 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.12 | PATCH | Ensure login and logout events are collected" + when: + - rhel9cis_rule_6_3_3_12 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.12 + - NIST800-53R5_AU-3 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.13 | PATCH | Ensure file deletion events by users are collected" + when: + - rhel9cis_rule_6_3_3_13 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.13 + - NIST800-53R5_AU-12 + - NIST800-53R5_SC-7 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" + when: + - rhel9cis_rule_6_3_3_14 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.14 + - NIST800-53R5_AU-3 + - NIST800-53R5_CM-6 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" + when: + - rhel9cis_rule_6_3_3_15 + tags: + - level2-server + - level2- workstation + - patch + - 
auditd + - rule_6.3.3.15 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" + when: + - rhel9cis_rule_6_3_3_16 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.16 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" + when: + - rhel9cis_rule_6_3_3_17 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.17 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" + when: + - rhel9cis_rule_6_3_3_18 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.18 + - NIST800-53R5_AU-2 + - NIST800-53R5_AU-12 + - NIST800-53R5_SI-5 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected" + when: + - rhel9cis_rule_6_3_3_19 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.19 + - NIST800-53R5_AU-3 + - NIST800-53R5_CM-6 + ansible.builtin.set_fact: + update_audit_template: true + +# All changes selected are managed by the POST audit and handlers to update +- name: "6.3.3.20 | PATCH | Ensure the 
audit configuration is immutable" + when: + - rhel9cis_rule_6_3_3_20 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.3.20 + - NIST800-53R5_AC-3 + - NIST800-53R5_AU-3 + - NIST800-53R5_MP-2 + ansible.builtin.set_fact: + update_audit_template: true + +- name: "6.3.3.21 | AUDIT | Ensure the running and on disk configuration is the same" + when: + - rhel9cis_rule_6_3_3_21 + tags: + - level2-server + - level2-workstation + - manual + - patch + - auditd + - rule_6.3.3.21 + - NIST800-53R5_AU-3 + ansible.builtin.debug: + msg: + - "Please run augenrules --load if you suspect there is a configuration that is not active" + +- name: Auditd | 6.3.3.x | Auditd controls updated + when: + - update_audit_template + ansible.builtin.debug: + msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules" + changed_when: false diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml new file mode 100644 index 0000000..144adec --- /dev/null +++ b/tasks/section_6/cis_6.3.4.x.yml 
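Review bot: The tag `- level2- workstation` on 6.3.3.15 contains a space, so a run selecting `--tags level2-workstation` skips the chcon audit rule while every neighbouring rule is applied; it should be `- level2-workstation`. In 6.3.3.6 the `notify: update auditd` sits on an `ansible.builtin.set_fact` task, which never reports changed, so the handler cannot fire from there, and the registered `priv_procs` result is not consumed anywhere in this hunk — if the post-task template reads it, a comment saying so would help, otherwise the find over every filesystem is dead work. The closing debug message names `/etc/auditd/rules.d/99_auditd.rules`, whereas auditd reads rule fragments from `/etc/audit/rules.d/`; unless the template really writes the non-standard path, the message should say `/etc/audit/rules.d/99_auditd.rules`. That task's `when: update_audit_template` also raises an undefined-variable error when no 6.3.3.x rule is enabled unless the fact is defaulted elsewhere; `when: update_audit_template | default(false)` makes it safe.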
@@ -0,0 +1,167 @@ +--- + +- name: "6.3.4.1 | PATCH | Ensure the audit log file directory mode is configured" + when: + - rhel9cis_rule_6_3_4_1 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.4.1 + - NIST800-53R5_AU-3 + block: + - name: "6.3.4.1 | AUDIT | Ensure the audit log file directory mode is configured | get current permissions" + ansible.builtin.stat: + path: "{{ audit_discovered_logfile.stdout | dirname }}" + register: auditlog_dir + + - name: "6.3.4.1 | PATCH | Ensure the audit log file directory mode is configured | set" + ansible.builtin.file: + path: "{{ audit_discovered_logfile.stdout | dirname }}" + state: directory + mode: 'g-w,o-rwx' + +- name: | + "6.3.4.2 | PATCH | Ensure audit log files mode is configured" + "6.3.4.3 | PATCH | Ensure audit log files owner is configured" + "6.3.4.4 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" + when: + - rhel9cis_rule_6_3_4_2 or + rhel9cis_rule_6_3_4_3 or + rhel9cis_rule_6_3_4_4 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.4.1 + - rule_6.3.4.2 + - rule_6.3.4.3 + - NIST800-53R5_AU-3 + block: + - name: "6.3.4.2 | AUDIT | Ensure audit log files mode is configured | discover file" + ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' + changed_when: false + register: audit_discovered_logfile + + - name: | + "6.3.4.2 | PATCH | Ensure audit log files mode is configured" + "6.3.4.3 | PATCH | Ensure audit log files owner is configured" + "6.3.4.4 | PATCH | Ensure audit log files group owner is configured" + ansible.builtin.file: + path: "{{ audit_discovered_logfile.stdout }}" + mode: 'o-x,g-wx,o-rwx' + owner: root + group: root + +- name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured" + when: + - rhel9cis_rule_6_3_4_5 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.4.5 + ansible.builtin.file: + path: "{{ item.path }}" + 
mode: 'u-x,g-wx,o-rwx' + loop: "{{ auditd_conf_files.files }}" + loop_control: + label: "{{ item.path }}" + +- name: "6.3.4.6 | PATCH | Ensure audit configuration files owner is configured" + when: + - rhel9cis_rule_6_3_4_6 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.4.6 + ansible.builtin.file: + path: "{{ item.path }}" + owner: root + loop: "{{ auditd_conf_files.files | default([]) }}" + loop_control: + label: "{{ item.path }}" + +- name: "6.3.4.7 | PATCH | Ensure audit configuration files group owner is configured" + when: + - rhel9cis_rule_6_3_4_7 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.4.7 + ansible.builtin.file: + path: "{{ item.path }}" + group: root + loop: "{{ auditd_conf_files.files | default([]) }}" + loop_control: + label: "{{ item.path }}" + +- name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured" + when: + - rhel9cis_rule_6_3_4_8 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.4.8 + - NIST800-53R5_AU-3 + ansible.builtin.file: + path: "{{ item.item }}" + mode: 'go-w' + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules + +- name: "6.3.4.9 | PATCH | Ensure audit tools owner is configured" + when: + - rhel9cis_rule_6_3_4_9 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.4.9 + ansible.builtin.file: + path: "{{ item }}" + owner: root + group: root + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules + +- name: "6.3.4.10 | PATCH | Ensure audit tools group owner is configured" + when: + - rhel9cis_rule_6_3_4_10 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.4.10 + - NIST800-53R5_AU-3 + ansible.builtin.file: + path: "{{ item }}" + group: root + loop: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - 
/sbin/auditd + - /sbin/augenrules diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index b194fdc..c75ebed 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -1,9 +1,39 @@ --- -- name: "SECTION | 6.1 | System File Permissions" +- name: "SECTION | 6.1 | Configure Integrity Checking" ansible.builtin.import_tasks: - file: cis_6.1.x.yml + file: cis_6.1.x.yml -- name: "SECTION | 6.2 | User and Group Settings" +- name: "SECTION | 6.2.1 | Configure systemd-journald service" ansible.builtin.import_tasks: - file: cis_6.2.x.yml + file: cis_6.2.1.x.yml + +- name: "SECTION | 6.2.2 | Configure journald" + when: rhel9cis_syslog == 'journald' + ansible.builtin.import_tasks: + file: cis_6.2.2.1.x.yml + +- name: "SECTION | 6.2.3 | Configure rsyslog" + when: rhel9cis_syslog == 'rsyslog' + ansible.builtin.import_tasks: + file: cis_6.2.3.x.yml + +- name: "SECTION | 6.2.4.1 | Configure Logfiles" + ansible.builtin.import_tasks: + file: cis_6.2.4.1.yml + +- name: "SECTION | 6.3.1 | Configure auditd Service" + ansible.builtin.import_tasks: + file: cis_6.3.1.x.yml + +- name: "SECTION | 6.3.2 | Configure Data Retention" + ansible.builtin.import_tasks: + file: cis_6.3.2.x.yml + +- name: "SECTION | 6.3.3 | Configure auditd Rules" + ansible.builtin.import_tasks: + file: cis_6.3.3.x.yml + +- name: "SECTION | 6.3.4 | Configure auditd File Access" + ansible.builtin.import_tasks: + file: cis_6.3.4.x.yml
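Review bot: Task 6.3.4.8 loops over a plain list of tool paths but sets `path: "{{ item.item }}"`, which is undefined on a string item and will fail the task on every iteration; it should be `path: "{{ item }}"` as 6.3.4.9 and 6.3.4.10 already write it. Task 6.3.4.1 reads `audit_discovered_logfile.stdout` before the "discover file" shell task that registers it, and that task sits inside the 6.3.4.2–6.3.4.4 block, so with this file order, or with those three rules disabled, the variable is undefined unless it is set earlier in the role; the `auditlog_dir` stat result in the same block is registered but never read. The audit log file mode `'o-x,g-wx,o-rwx'` repeats `o` and never clears the user execute bit, so a 0740 file is left as-is; it looks like a typo for `'u-x,g-wx,o-rwx'`, the form 6.3.4.5 uses. The combined 6.3.4.2–6.3.4.4 block is tagged `rule_6.3.4.1`, `rule_6.3.4.2`, `rule_6.3.4.3` where `rule_6.3.4.2`, `rule_6.3.4.3`, `rule_6.3.4.4` are meant, so a `--tags rule_6.3.4.4` run silently skips it, and 6.3.4.5 loops `auditd_conf_files.files` without the `| default([])` that 6.3.4.6 and 6.3.4.7 apply.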
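Review bot: The journald and rsyslog sections are gated on `rhel9cis_syslog == 'journald'` and `rhel9cis_syslog == 'rsyslog'` with no other branch, so any other value silently skips both 6.2.2 and 6.2.3 and leaves the host without either set of logging controls, while an unset variable will most likely make the conditional itself error. An `ansible.builtin.assert` that `rhel9cis_syslog in ['journald', 'rsyslog']` before these imports would turn that into a visible failure. The 6.2.4.1 import names `cis_6.2.4.1.yml` while every sibling follows the `cis_<section>.x.yml` pattern, which is worth aligning unless the filename is deliberate.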