From 09c14e2ca808771c39e30b2294dfa55ef3483283 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 16:28:29 +0100 Subject: [PATCH 001/136] updated workflow files Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 9 -- .github/workflows/github_networks.tf | 53 -------- .github/workflows/github_vars.tfvars | 14 -- .github/workflows/linux_benchmark_testing.yml | 122 ++++++++++++------ .github/workflows/main.tf | 83 ------------ .github/workflows/terraform.tfvars | 6 - .github/workflows/variables.tf | 81 ------------ 7 files changed, 80 insertions(+), 288 deletions(-) delete mode 100644 .github/workflows/OS.tfvars delete mode 100644 .github/workflows/github_networks.tf delete mode 100644 .github/workflows/github_vars.tfvars delete mode 100644 .github/workflows/main.tf delete mode 100644 .github/workflows/terraform.tfvars delete mode 100644 .github/workflows/variables.tf diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars deleted file mode 100644 index 634512b..0000000 --- a/.github/workflows/OS.tfvars +++ /dev/null @@ -1,9 +0,0 @@ -#Ami Alma 9 -ami_id = "ami-0845395779540e3cb" -ami_os = "rhel9" -ami_username = "ec2-user" -ami_user_home = "/home/ec2-user" -instance_tags = { - Name = "RHEL9-CIS" - Environment = "lockdown_github_repo_workflow" -} diff --git a/.github/workflows/github_networks.tf b/.github/workflows/github_networks.tf deleted file mode 100644 index ba77764..0000000 --- a/.github/workflows/github_networks.tf +++ /dev/null 
@@ -1,53 +0,0 @@ -resource "aws_vpc" "Main" { - cidr_block = var.main_vpc_cidr - instance_tenancy = "default" - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-VPC" - } -} - -resource "aws_internet_gateway" "IGW" { - vpc_id = aws_vpc.Main.id - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-IGW" - } -} - -resource "aws_subnet" "publicsubnets" { - vpc_id = aws_vpc.Main.id - cidr_block = var.public_subnets - availability_zone = var.availability_zone - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-pubsub" - } -} - -resource "aws_subnet" "Main" { - vpc_id = aws_vpc.Main.id - cidr_block = var.private_subnets - availability_zone = var.availability_zone - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-prvsub" - } -} - -resource "aws_route_table" "PublicRT" { - vpc_id = aws_vpc.Main.id - route { - cidr_block = "0.0.0.0/0" - gateway_id = aws_internet_gateway.IGW.id - } - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-publicRT" - } -} - -resource "aws_route_table_association" "rt_associate_public" { - subnet_id = aws_subnet.Main.id - route_table_id = aws_route_table.PublicRT.id -} diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars deleted file mode 100644 index 24daeca..0000000 --- a/.github/workflows/github_vars.tfvars +++ /dev/null @@ -1,14 +0,0 @@ -// github_actions variables -// Resourced in github_networks.tf -// Declared in variables.tf -// - -namespace = "github_actions" -environment = "lockdown_github_repo_workflow" - -// Matching pair name found in AWS for keypairs PEM key -ami_key_pair_name = "github_actions" -private_key = ".ssh/github_actions.pem" -main_vpc_cidr = "172.22.0.0/24" -public_subnets = "172.22.0.128/26" -private_subnets = "172.22.0.192/26" diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 9d32ece..d5c5726 100644 
--- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -1,3 +1,5 @@ +--- + # This is a basic workflow to help you get started with Actions name: linux_benchmark_pipeline 
@@ -6,48 +8,61 @@ name: linux_benchmark_pipeline # Triggers the workflow on push or pull request # events but only for the devel branch on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' # A workflow run is made up of one or more jobs # that can run sequentially or in parallel jobs: # This will create messages for first time contributers and direct them to the Discord server welcome: - runs-on: ubuntu-latest + runs-on: ubuntu-latest - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + steps: + - uses: actions/first-interaction@main + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
# This workflow contains a single job called "build" build: # The type of runner that the job will run on runs-on: ubuntu-latest - env: - ENABLE_DEBUG: false + ENABLE_DEBUG: true + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC # Steps represent a sequence of tasks that will be executed as part of the job steps: - # Checks-out your repository under $GITHUB_WORKSPACE, + # Checks-out your repository under $GITHUB_WORKSPACE, # so your job can access it - - uses: actions/checkout@v3 + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} + # Pull in terraform code for linux servers + - name: Clone github IaC plan + uses: actions/checkout@v3 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + - name: Add_ssh_key working-directory: .github/workflows env: 
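Review bot: The new `Clone github IaC plan` step checks out `ansible-lockdown/github_linux_IaC` with no `ref:`, so the Terraform that is applied later with `secrets.AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` tracks whatever that repository's default branch contains at run time rather than a reviewed commit; add `ref: <tag-or-commit-sha>` next to `path:`. The job still runs under `pull_request_target` and checks out `github.event.pull_request.head.sha`, and the `site.yml` from that checkout is executed further down with `secrets.SSH_PRV_KEY` and the AWS credentials in the environment, so an unreviewed PR can run arbitrary playbook content on a runner holding those secrets; a label or approval gate such as `if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')` on the `build` job is the usual mitigation. Switching the committed default to `ENABLE_DEBUG: true` also means the `DEBUG - Show Ansible hostfile` step now prints the generated inventory (public IP, login user) into public PR logs on every run; if that is intended, a comment saying so next to the env entry would save the next reader a question. The build job's steps continue past this hunk.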
@@ -58,54 +73,77 @@ jobs: chmod 700 .ssh echo $PRIVATE_KEY > .ssh/github_actions.pem chmod 600 .ssh/github_actions.pem + + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd + ls + + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} ### Build out the server + - name: Terraform_Init - working-directory: .github/workflows + id: init run: terraform init + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - name: Terraform_Validate - working-directory: .github/workflows + id: validate run: terraform validate + env: + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - name: Terraform_Apply - working-directory: .github/workflows + id: apply env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform apply -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false ## Debug Section - name: DEBUG - Show Ansible hostfile if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows run: cat hosts.yml # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds run: sleep 60s - shell: bash # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: - playbook: 
site.yml - inventory: .github/workflows/hosts.yml - galaxy_file: collections/requirements.yml - private_key: ${{ secrets.SSH_PRV_KEY }} + playbook: site.yml + inventory: .github/workflows/github_linux_IaC/hosts.yml + galaxy_file: collections/requirements.yml + private_key: ${{ secrets.SSH_PRV_KEY }} # verbose: 3 env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" # Remove test system - User secrets to keep if necessary - name: Terraform_Destroy - working-directory: .github/workflows - if: always() && env.ENABLE_DEBUG == 'false' + if: always() env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf deleted file mode 100644 index c877665..0000000 --- a/.github/workflows/main.tf +++ /dev/null 
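Review bot: `-var-file "${OSVAR}.tfvars"` in Terraform_Apply and Terraform_Destroy silently degrades to `-var-file ".tfvars"` when the `OSVAR` repository variable is unset, giving an obscure Terraform "file not found" error instead of a clear failure; guard it once before Terraform_Init with `- run: test -n "${OSVAR}" || { echo '::error::OSVAR repository variable is not set'; exit 1; }` (or use `"${OSVAR:?OSVAR not set}.tfvars"` in the run lines). `OSVAR` and `TF_VAR_benchmark_type` are now copied into four step-level `env:` blocks; the job already declares `TF_VAR_repository` at job level, so hoisting these two there removes the duplication and the risk of one copy drifting. Changing Terraform_Destroy to `if: always()` is correct, since the old `env.ENABLE_DEBUG == 'false'` condition would have left the EC2 instance running whenever debug was on. The `Add_ssh_key` step that writes the private key begins before this hunk.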
@@ -1,83 +0,0 @@ -provider "aws" { - profile = "" - region = var.aws_region -} - -// Create a security group with access to port 22 and port 80 open to serve HTTP traffic - -resource "random_id" "server" { - keepers = { - # Generate a new id each time we switch to a new AMI id - ami_id = "${var.ami_id}" - } - - byte_length = 8 -} - -resource "aws_security_group" "github_actions" { - name = "${var.namespace}-${random_id.server.hex}-SG" - vpc_id = aws_vpc.Main.id - - ingress { - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - ingress { - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - tags = { - Environment = "${var.environment}" - Name = "${var.namespace}-SG" - } -} - -// instance setup - -resource "aws_instance" "testing_vm" { - ami = var.ami_id - availability_zone = var.availability_zone - associate_public_ip_address = true - key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs - instance_type = var.instance_type - tags = var.instance_tags - vpc_security_group_ids = [aws_security_group.github_actions.id] - subnet_id = aws_subnet.Main.id - root_block_device { - delete_on_termination = true - } -} - -// generate inventory file -resource "local_file" "inventory" { - filename = "./hosts.yml" - directory_permission = "0755" - file_permission = "0644" - content = < Date: Wed, 26 Jul 2023 16:50:48 +0100 Subject: [PATCH 002/136] lint updates Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 -- tasks/section_3/cis_3.1.x.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 8 ++++---- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index c4b27e7..544dd4b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -3,8 +3,6 @@ - name: Reload sysctl ansible.builtin.shell: sysctl --system - when: - - sysctl_updated.changed - name: Sysctl flush ipv4 route table ansible.posix.sysctl: diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 7ffe31c..52a3f3c 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -44,7 +44,7 @@ ansible.builtin.shell: nmcli radio all off changed_when: false failed_when: false - when: rhel_09_wifi_enabled is changed + when: rhel_09_wifi_enabled is changed # noqa no-handler when: - rhel9cis_rule_3_1_2 tags: diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 8a1c4a8..955f83f 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -168,7 +168,7 @@ loop: "{{ rhel_09_6_1_10_audit.results }}" when: - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" @@ -214,7 +214,7 @@ loop: "{{ rhel_09_6_1_11_audit.results }}" when: - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" 
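Review bot: Dropping `when: sysctl_updated.changed` from the `Reload sysctl` handler is safe because a handler only runs when notified, but `ansible.builtin.shell: sysctl --system` uses no shell features and is better written as `ansible.builtin.command: sysctl --system`, which also avoids ansible-lint's command-instead-of-shell warning without another `noqa`. A one-line comment on the handler stating that it re-applies every `/etc/sysctl.d/*.conf` drop-in, not only the key that changed, would explain why no condition is needed.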
@@ -270,7 +270,7 @@ loop: "{{ rhel_09_6_1_13_suid_perms.results }}" when: - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" @@ -312,7 +312,7 @@ loop: "{{ rhel_09_6_1_14_sgid_perms.results }}" when: - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties + - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - item.stdout | length > 0 - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" From 2d222fbc49076295d167f2252409f16af397740a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 16:51:03 +0100 Subject: [PATCH 003/136] updated Signed-off-by: Mark Bolwell --- .ansible-lint | 1 + 1 file changed, 1 insertion(+) diff --git a/.ansible-lint b/.ansible-lint index 964eb05..057c65e 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -12,6 +12,7 @@ skip_list: - 'name[casing]' - 'name[template]' - 'fqcn[action]' + - 'key-order[task]' - '204' - '305' - '303' From 495f942b7d26ee82690dc16eb4f231c587a57687 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 16:51:17 +0100 Subject: [PATCH 004/136] added pre-commit files Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 69 ++++++++++++++++ .secrets.baseline | 172 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 241 insertions(+) create mode 100644 .pre-commit-config.yaml create mode 100644 .secrets.baseline diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..561e9e5 --- /dev/null +++ b/.pre-commit-config.yaml 
@@ -0,0 +1,69 @@ +--- + +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v3.2.0 + hooks: + # Safety + - id: detect-aws-credentials + - id: detect-private-key + + # git checks + - id: check-merge-conflict + - id: check-added-large-files + - id: check-case-conflict + + # General checks + - id: trailing-whitespace + name: Trim Trailing Whitespace + description: This hook trims trailing whitespace. + entry: trailing-whitespace-fixer + language: python + types: [text] + args: [--markdown-linebreak-ext=md] + - id: end-of-file-fixer + +# Scan for passwords +- repo: https://github.com/Yelp/detect-secrets + rev: v1.4.0 + hooks: + - id: detect-secrets + args: ['--baseline', '.secrets.baseline'] + exclude: package.lock.json + +- repo: https://github.com/ansible-community/ansible-lint + rev: v6.17.2 + hooks: + - id: ansible-lint + name: Ansible-lint + description: This hook runs ansible-lint. + entry: python3 -m ansiblelint --force-color site.yml -c .ansible-lint + language: python + # do not pass files to ansible-lint, see: + # https://github.com/ansible/ansible-lint/issues/611 + pass_filenames: false + always_run: true + additional_dependencies: + # https://github.com/pre-commit/pre-commit/issues/1526 + # If you want to use specific version of ansible-core or ansible, feel + # free to override `additional_dependencies` in your own hook config + # file. + - ansible-core>=2.10.1 + +- repo: https://github.com/adrienverge/yamllint.git + rev: v1.32.0 # or higher tag + hooks: + - id: yamllint + +## To be moved to main link when PR approved - https://github.com/ansible/ansible-sign.git +- repo: https://github.com/ansible-lockdown/ansible-sign.git + rev: v0.1.1b + hooks: + - id: ansible-sign + name: Verify Ansible-sign signature + description: This hook runs ansible-sign. + entry: ansible-sign project gpg-verify . + language: python + # do not pass files as we need to scan the directory with the MANIFEST.in + pass_filenames: false + always_run: true 
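Review bot: `detect-aws-credentials` is added without `--allow-missing-credentials`, and in that mode the hook fails outright on any workstation that has no AWS credentials configured (it reads the configured keys and then scans the files for them), which for a hardening role contributors commit from clean machines turns every commit into a failure rather than a pass; use `args: ['--allow-missing-credentials']` on that hook. Every `rev:` here is a mutable tag (`v3.2.0`, `v1.4.0`, `v6.17.2`, `v1.32.0`, `v0.1.1b`), so the lint and secret-scanning tools that run on contributors' machines are not pinned to content; pre-commit accepts a full commit SHA in `rev:`, and that is the usual fix. The `ansible-sign` hook that verifies GPG signatures is pulled from a fork (`ansible-lockdown/ansible-sign`) at a pre-release tag, which is exactly the dependency most worth pinning by SHA; the comment already marks it as a stopgap, so recording the upstream PR it is waiting on would help whoever removes it. `exclude: package.lock.json` appears to be carried over from a JavaScript project (the npm file is `package-lock.json`) and matches nothing in this role.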
diff --git a/.secrets.baseline b/.secrets.baseline new file mode 100644 index 0000000..521cd47 --- /dev/null +++ b/.secrets.baseline 
@@ -0,0 +1,172 @@ +{ + "version": "1.4.0", + "plugins_used": [ + { + "name": "ArtifactoryDetector" + }, + { + "name": "AWSKeyDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "name": "Base64HighEntropyString", + "limit": 4.5 + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "CloudantDetector" + }, + { + "name": "DiscordBotTokenDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "name": "HexHighEntropyString", + "limit": 3.0 + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "name": "KeywordDetector", + "keyword_exclude": "" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SendGridDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "filters_used": [ + { + "path": "detect_secrets.filters.allowlist.is_line_allowlisted" + }, + { + "path": "detect_secrets.filters.common.is_baseline_file", + "filename": ".secrets.baseline" + }, + { + "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", + "min_level": 2 + }, + { + "path": "detect_secrets.filters.heuristic.is_indirect_reference" + }, + { + "path": "detect_secrets.filters.heuristic.is_likely_id_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_lock_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_potential_uuid" + }, + { + "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign" + }, + { + "path": "detect_secrets.filters.heuristic.is_sequential_string" + }, + { + "path": "detect_secrets.filters.heuristic.is_swagger_file" + }, + { + "path": "detect_secrets.filters.heuristic.is_templated_secret" + } + ], + "results": { + 
"defaults/main.yml": [ + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "is_verified": false, + "line_number": 363, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", + "is_verified": false, + "line_number": 374, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "defaults/main.yml", + "hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", + "is_verified": false, + "line_number": 375, + "is_secret": false + } + ], + "tasks/main.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb", + "is_verified": false, + "line_number": 38, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": "tasks/main.yml", + "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "is_verified": false, + "line_number": 109, + "is_secret": false + } + ], + "tasks/parse_etc_password.yml": [ + { + "type": "Secret Keyword", + "filename": "tasks/parse_etc_password.yml", + "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "is_verified": false, + "line_number": 18, + "is_secret": false + } + ] + }, + "generated_at": "2023-07-04T16:02:46Z" +} + From c9db12b603d5f6aafe3f6aa5ff7673b3701c7a02 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 16:58:33 +0100 Subject: [PATCH 005/136] updated lint Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 13 ------------- tasks/auditd.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 8 ++++---- 3 files changed, 5 insertions(+), 18 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 561e9e5..8087b48 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -54,16 +54,3 @@ repos: rev: v1.32.0 # or higher tag hooks: - id: yamllint - -## To be moved to main link when PR approved - https://github.com/ansible/ansible-sign.git -- repo: https://github.com/ansible-lockdown/ansible-sign.git - rev: v0.1.1b - hooks: - - id: ansible-sign - name: Verify Ansible-sign signature - description: This hook runs ansible-sign. - entry: ansible-sign project gpg-verify . - language: python - # do not pass files as we need to scan the directory with the MANIFEST.in - pass_filenames: false - always_run: true diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 486ef31..f578657 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -19,7 +19,7 @@ - Audit immutable fact - Restart auditd -- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa: no-handler +- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'Auditd template updated, see diff output for details' diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 955f83f..76f92be 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -173,7 +173,7 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: - msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}" + msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel_09_6_1_10_unowned_files_found - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" 
@@ -219,7 +219,7 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: - msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}" + msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel_09_6_1_11_ungrouped_files_found - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" @@ -275,7 +275,7 @@ - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: - msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" + msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel9_6_1_13_suid_found - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" @@ -317,7 +317,7 @@ - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: - msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" + msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel9_6_1_14_sgid_found - name: "6.1.14 | AUDIT | Audit SGID executables| warning" From 66ed22e5eedf04f593b9ea0508c03f9b2925285c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 17:05:18 +0100 Subject: [PATCH 006/136] Added pre-commit manifest file Signed-off-by: Mark Bolwell --- MANIFEST.in | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 MANIFEST.in diff --git a/MANIFEST.in b/MANIFEST.in new file mode 100644 index 0000000..6fc2d89 --- /dev/null +++ b/MANIFEST.in 
@@ -0,0 +1,20 @@ +# Files for ansible-signing + +include site.yml +include MANIFEST.in +include .secrets.baseline +include *.md *.rst +include ansible.cfg +include .ansible-lint .gitattributes .gitignore .yamllint .pre-commit-config.yaml LICENSE +include requirements.txt Makefile +recursive-exclude .git * +recursive-include .github *.yml *.md *.tf *.tfvars +recursive-include collections *.yml +recursive-include defaults *.yml +recursive-include files * +recursive-include handlers *.yml +recursive-include meta *.yml +recursive-include molecule *.yml +recursive-include tasks *.yml +recursive-include templates *.j2 +recursive-include vars *.yml From 3f6b53f4f31b43bbebd64be333fb85b7eb880ca2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 17:08:17 +0100 Subject: [PATCH 007/136] updated content Signed-off-by: Mark Bolwell --- README.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index a819e4d..d2970e6 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ ![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/RHEL9-CIS/linux_benchmark_testing.yml?label=Devel%20Build%20Status) ![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) -![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) +![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) ![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/RHEL9-CIS/linux_benchmark_testing.yml?label=Build%20Status) ![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS?label=Release%20Date) ![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/RHEL9-CIS?label=Release%20Tag&&color=success) 
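Review bot: As far as this series shows, nothing consumes this manifest once patch 005 removed the `ansible-sign` hook from `.pre-commit-config.yaml`, so the `# Files for ansible-signing` header should say how and when it is used, e.g. `# Consumed by 'ansible-sign project gpg-sign .' when a maintainer signs a release; verify with 'ansible-sign project gpg-verify .'`, or the file will read as orphaned. `recursive-include .github *.tf *.tfvars` no longer matches anything after patch 001 deleted the Terraform files from `.github/workflows`, and `include requirements.txt Makefile` / `ansible.cfg` / `.gitattributes` only contribute if those files exist in the role, which is worth a comment so the checksum manifest's contents are not a surprise.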
@@ -100,10 +100,6 @@ Almalinux 9 Rocky 9 OracleLinux 9 -ansible 2.10 -jmespath -relevant collections - - Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) **General:** @@ -120,13 +116,15 @@ relevant collections **Technical Dependencies:** - Python3 -- Ansible 2.9+ +- Ansible 2.10+ - python-def (should be included in RHEL 9) - libselinux-python - pip packages - jmespath ( complete list found in requirements.txt) - collections found in collections/requirememnts.yml +pre-commit is available if installed + ## Role Variables This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done by overriding the required varaibles as found in defaults/main.yml file. e.g. using inventory, group_vars, extra_vars From 81b2f06dabb2f6451b4912589a039eacf22e8a4c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 17:17:45 +0100 Subject: [PATCH 008/136] updated 5.6.5 logic Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 527208d..7d6cd1d 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml 
@@ -83,25 +83,21 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings" - ansible.builtin.replace: - path: /etc/login.defs - regexp: "{{ item.regexp }}" - replace: "{{ item.replace }}" - loop: - - { regexp: '(UMASK\s+)0[012][0-6]', replace: '\1 027' } - - { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' } + ansible.builtin.lineinfile: + path: "{{ item.path }}" + regexp: '(?i)(umask\s*)' + line: '{{ item.line }} 027' + with_items: + - { path: '/etc/bash.bashrc', line: 'umask' } + - { path: '/etc/profile', line: 'umask' } + - { path: '/etc/login.defs', line: 'UMASK' } - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" - ansible.builtin.replace: - path: /etc/bashrc - regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' - replace: '\1 027' + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^USERGROUPS_ENAB' + line: USERGROUPS_ENAB no - - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" - ansible.builtin.replace: - path: /etc/profile - regexp: '(?i)(umask)\s0[0-2][0-6]' - replace: '\1 027' when: - rhel9cis_rule_5_6_5 tags: From 1dbe8b2706a7085cbffca650d9e41ae80c6c5890 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 26 Jul 2023 17:21:26 +0100 Subject: [PATCH 009/136] updated Signed-off-by: Mark Bolwell --- Changelog.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/Changelog.md b/Changelog.md index 0a98224..04f7d85 100644 --- a/Changelog.md +++ b/Changelog.md 
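Review bot: The new `lineinfile` loop targets `/etc/bash.bashrc`, which is the Debian path; on RHEL 9 the file is `/etc/bashrc` (the path the removed `replace` task used), and `lineinfile` without `create: true` fails on a missing destination, so this task will abort the 5.6.5 block on its intended platform. The regexp `(?i)(umask\s*)` is unanchored and case-insensitive, so it also matches comment lines that merely mention umask, and `lineinfile` rewrites only the last match, whereas the stock RHEL `/etc/profile` and `/etc/bashrc` (hedged: as shipped by the setup package) carry two `umask` lines in an if/else, so one of them is left at its old value; the previous `replace`-based approach rewrote every occurrence and is the safer module here, with anchored patterns so comments are untouched. The second task is now named `Set umask for /etc/bashrc` but actually sets `USERGROUPS_ENAB no` in `/etc/login.defs`, and `with_items` should be `loop`. A rewrite of the first task follows; the USERGROUPS_ENAB task and the `when`/`tags` that close the block are unchanged.

```yaml
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask in /etc/bashrc, /etc/profile and /etc/login.defs"
  ansible.builtin.replace:
    path: "{{ item.path }}"
    regexp: "{{ item.regexp }}"
    replace: "{{ item.replace }}"
  loop:
    # Anchored so comment lines mentioning umask are left alone; replace rewrites
    # every match (both branches of the if/else in profile/bashrc), not just the last.
    # \g<1> rather than \1 so the following digits are not read as part of the group number.
    - { path: '/etc/bashrc', regexp: '^(\s*umask\s+)0[0-2][0-6]\b', replace: '\g<1>027' }
    - { path: '/etc/profile', regexp: '^(\s*umask\s+)0[0-2][0-6]\b', replace: '\g<1>027' }
    - { path: '/etc/login.defs', regexp: '^(UMASK\s+)0[0-2][0-6]\b', replace: '\g<1>027' }

- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Disable USERGROUPS_ENAB in /etc/login.defs"
  # … unchanged: lineinfile setting USERGROUPS_ENAB no …
```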
@@ -1,5 +1,17 @@ # Changes to rhel9CIS +## 1.1.0 + +- new workflow configuration +- Added pre-commit config - Does not have to be used but can imrpove things + - .pre-commit-config.yaml + - MANIFEST.in + - .secrets.baseline + +- updated to logic in 5.6.5 +- lint updates to 6.1.x +- readme updates + ## 1.0.10 - [#72](https://github.com/ansible-lockdown/RHEL9-CIS/issues/72) From b16d09aa82e7c7a2ea45b43320d6393c6096c716 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 08:41:07 +0100 Subject: [PATCH 010/136] updated Signed-off-by: Mark Bolwell --- README.md | 134 ++++++------------------------------------------------ 1 file changed, 14 insertions(+), 120 deletions(-) diff --git a/README.md b/README.md index d2970e6..6ff9449 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,11 @@ Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. +### Contributing + +Issues and Pull requests are welcome please ensure that all commits are signed-off-by and gpg-signed. +Refer to [Contributing Guide](./CONTRIBUTING.rst) + --- ## Caution(s) @@ -60,10 +65,10 @@ To use release version please point to main branch and relevant release for the It is possible to to only run level 1 or level 2 controls for CIS. This is managed using tags: -- level1_server -- level1_workstation -- level2_server -- level2_workstation +- level1-server +- level1-workstation +- level2-server +- level2-workstation The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. @@ -123,7 +128,7 @@ OracleLinux 9 - jmespath ( complete list found in requirements.txt) - collections found in collections/requirememnts.yml -pre-commit is available if installed +pre-commit is available if installed on your host for pull request testing. ## Role Variables 
@@ -173,119 +178,8 @@ uses: ## Local Testing -ansible-base 2.10.17 - python 3.8 -ansible-core 2.13.4 - python 3.10 +- ansible-base 2.10.17 - python 3.8 +- ansible-core 2.13.4 - python 3.10 +- ansible-core 2.15.1 - python 3.11 -- makefile - this is there purely for testing and initial setup purposes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -## v1.0.0 - released Dec 2022 - -![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL9-CIS/CommunityToDevel?label=Devel%20Build%20Status&style=plastic) -![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL9-CIS/DevelToMain?label=Main%20Build%20Status&style=plastic) -![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS?style=plastic) - - - -## Join us - -On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users - -## Caution(s) - -This role **will make changes to the system** which may have unintended concequences. - -This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed. 
- -To use release version please point to main branch - -## Documentation - -- [Readthedocs](https://ansible-lockdown.readthedocs.io/en/latest/) -- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown) -- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise) -- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration) -- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise) - -## Requirements - -RHEL 9 -Almalinux 9 -Rocky 9 -OracleLinux 9 - -ansible 2.10 -jmespath -relevant collections - -- Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) - -## Tested with - -ansible-base 2.10.17 - python 3.8 -ansible-core 2.13.4 - python 3.10 - -- makefile - this is there purely for testing and initial setup purposes. - -## General - -- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible - - [Main Ansible documentation page](https://docs.ansible.com) - - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) - - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) - -- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. - - Some of the tasks are disruptive and can have unintended consiquences in a live production system. 
Also familiarize yourself with the variables in the defaults/main.yml file - -## Dependencies - -- Python3 -- Ansible 2.9+ -- python-def (should be included in RHEL 9) -- libselinux-python -- pip packages - - jmespath ( complete list found in requirements.txt) -- collections found in collections/requirememnts.yml - - - - - -### Known Issues - -CIS 1.2.4 - repo_gpgcheck is not carried out for RedHat hosts as the default repos do not have this function. This also affect EPEL(not covered by var). - - Rocky and Alma not affected. -Variable used to unset. -rhel9cis_rhel_default_repo: true # to be set to false if using repo that does have this ability +makefile - this is there purely for testing and initial setup purposes. From cfee090156da4d04c091fe5896be3a9726f6e5bc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 27 Jul 2023 08:52:41 +0100 Subject: [PATCH 011/136] turned off debug Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index d5c5726..895cd4e 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -39,7 +39,7 @@ jobs: # The type of runner that the job will run on runs-on: ubuntu-latest env: - ENABLE_DEBUG: true + ENABLE_DEBUG: false # Imported as a variable by terraform TF_VAR_repository: ${{ github.event.repository.name }} defaults: @@ -73,7 +73,7 @@ jobs: chmod 700 .ssh echo $PRIVATE_KEY > .ssh/github_actions.pem chmod 600 .ssh/github_actions.pem - + - name: DEBUG - Show IaC files if: env.ENABLE_DEBUG == 'true' run: | From 58e013d0a5476ea13bdcfbcc4e8bcab6fdbae75b Mon Sep 17 00:00:00 2001 From: Luca Berton Date: Fri, 28 Jul 2023 11:54:40 +0100 Subject: [PATCH 012/136] Update README.md Updated audit instructions. Fixed typos. 
Signed-off-by: Luca Berton --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index a819e4d..7b944d6 100644 --- a/README.md +++ b/README.md @@ -51,13 +51,13 @@ Check Mode is not supported! The role will complete in check mode without errors This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. -To use release version please point to main branch and relevant release for the cis benchmark you wish to work with. +To use the release version, please point to the `main` branch and relevant release for the cis benchmark you wish to work with. --- ## Matching a security Level for CIS -It is possible to to only run level 1 or level 2 controls for CIS. +It is possible to only run level 1 or level 2 controls for CIS. This is managed using tags: - level1_server 
@@ -65,23 +65,23 @@ This is managed using tags: - level2_server - level2_workstation -The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. +The control found in the `defaults` main also needs to reflect this, as this control is the testing that takes place if you are using the audit component. ## Coming from a previous release -CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release. -This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. +CIS release always contains changes, it is highly recommended to review the new references and available variables. This has changed significantly since the ansible-lockdown initial release. +This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites which configure the system accordingly. Further details can be seen in the [Changelog](./ChangeLog.md) ## Auditing (new) -This can be turned on or off within the defaults/main.yml file with the variable rhel8cis_run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. +This can be turned on or off within the `defaults/main.yml` file with the variables `setup_audit` and `run_audit`. The value is `false` by default. Please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. 
-A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. -This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. +A new form of auditing has been developed by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check without the need for infrastructure or other tooling. +This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also try to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit). From b631459e9b3ea43a7849a022a575dc120a13e2fe Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 28 Jul 2023 15:09:52 +0100 Subject: [PATCH 013/136] fix typo in bashrc path Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 7d6cd1d..7379f3f 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -88,7 +88,7 @@ regexp: '(?i)(umask\s*)' line: '{{ item.line }} 027' with_items: - - { path: '/etc/bash.bashrc', line: 'umask' } + - { path: '/etc/bashrc', line: 'umask' } - { path: '/etc/profile', line: 'umask' } - { path: '/etc/login.defs', line: 'UMASK' } From 009c9fc498f37c360d5764f122f213d20fe06520 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 28 Jul 2023 15:16:50 +0100 Subject: [PATCH 014/136] updated audit vars naming, AMD & ARM binaries 
Signed-off-by: Mark Bolwell --- defaults/main.yml | 11 +-- tasks/LE_audit_setup.yml | 34 ++++---- tasks/post_remediation_audit.yml | 10 ++- tasks/pre_remediation_audit.yml | 132 ++++++++++++++++--------------- 4 files changed, 99 insertions(+), 88 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 81df6a1..2cc4700 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -52,7 +52,7 @@ setup_audit: false # How to retrive goss # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded -get_goss_file: download +get_audit_binary_method: download # how to get audit files onto host options # options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly) @@ -663,15 +663,16 @@ audit_run_script_environment: AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" ### Goss binary settings ### -goss_version: - release: v0.3.21 - checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' +audit_bin_release: v0.3.23 +audit_bin_version: + AMD64_checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' + ARM64_checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json # if get_goss_file == download change accordingly -goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_release }}/goss-linux-" ## if get_goss_file - copy the following needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index bc929ae..29f8960 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml 
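Review bot: The comments `# if get_goss_file == download change accordingly` and `## if get_goss_file - copy the following needs to be updated for your environment` in the second hunk still name the variable this commit renames to `get_audit_binary_method`, so the guidance beside `audit_bin_url` now points at a variable that no longer exists; update them to `# if get_audit_binary_method == download change accordingly` and `## if get_audit_binary_method == copy the following needs to be updated for your environment`. Since `audit_bin_url` now ends in `goss-linux-` and is no longer a complete URL, the comment should also say where the suffix comes from, e.g. `# architecture suffix is appended from audit_pkg_arch_name in tasks/LE_audit_setup.yml`.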
@@ -1,30 +1,34 @@ --- -- name: Download audit binary +- name: Pre Audit Setup | Set audit package name + block: + - name: Pre Audit Setup | Set audit package name | 64bit + ansible.builtin.set_fact: + audit_pkg_arch_name: AMD64 + when: ansible_machine == "x86_64" + + - name: Pre Audit Setup | Set audit package name | ARM64 + ansible.builtin.set_fact: + audit_pkg_arch_name: ARM64 + when: ansible_machine == "arm64" + +- name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: - url: "{{ goss_url }}" + url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}" dest: "{{ audit_bin }}" owner: root group: root - checksum: "{{ goss_version.checksum }}" + checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" mode: 0555 when: - - get_goss_file == 'download' + - get_audit_binary_method == 'download' -- name: Copy audit binary +- name: Pre Audit Setup | copy audit binary ansible.builtin.copy: - src: + src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" mode: 0555 owner: root group: root when: - - get_goss_file == 'copy' - -- name: Install git if not present - ansible.builtin.package: - name: git - state: present - register: git_installed - when: - - '"git" not in ansible_facts.packages' + - get_audit_binary_method == 'copy' diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 0eb7608..f0a7664 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml 
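Review bot: The ARM branch sets `audit_pkg_arch_name` only when `ansible_machine == "arm64"`, but Linux hosts report 64-bit ARM as `aarch64` (`arm64` is the macOS spelling), so on the Pi / Apple-silicon targets the changelog mentions neither `set_fact` fires and the download task stops on an undefined `audit_pkg_arch_name`; use `when: ansible_machine in ["aarch64", "arm64"]`. That failure is at least fail-closed, because the checksum lookup `audit_bin_version[audit_pkg_arch_name + '_checksum']` errors rather than skipping verification. Separately, the URL becomes `goss-linux-AMD64` / `goss-linux-ARM64`, whereas the removed `goss_url` in defaults/main.yml ended in lowercase `goss-linux-amd64`; unless GitHub resolves asset names case-insensitively the download will 404, so append `{{ audit_pkg_arch_name | lower }}` or store the fact in the case the release assets use. An `ansible.builtin.assert` that `audit_pkg_arch_name is defined` after the block would turn both problems into a clear message instead of a templating error.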
@@ -2,9 +2,11 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: audit_run_post_remediation.rc == 0 - register: audit_run_post_remediation + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" - name: Post Audit | ensure audit files readable by users ansible.builtin.file: @@ -17,7 +19,7 @@ - name: Post Audit | Capture audit data if json format block: - - name: "Capture data {{ post_audit_outfile }}" + - name: "capture data {{ post_audit_outfile }}" ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 2947e6a..711f59b 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
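Review bot: The inlined `environment:` map (AUDIT_BIN, AUDIT_CONTENT_LOCATION, AUDIT_FILE) replaces `audit_run_script_environment`, yet defaults/main.yml in this same commit still defines `audit_run_script_environment` with `AUDIT_CONTENT_LOCATION`, which is now dead and will mislead anyone customising it; the identical map is duplicated in the pre_remediation_audit.yml hunk. Either remove the default, or keep `environment: "{{ audit_run_script_environment | default({}) }}"` here and in the pre-audit task and move AUDIT_BIN and AUDIT_FILE into that default so both runs share one definition. With `register` gone, a one-line comment such as `# the script always writes post_audit_outfile, hence changed_when: true` would explain the unconditional changed status to the next reader.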
@@ -1,109 +1,113 @@ --- -- name: Pre Audit | Setup the audit +- name: Pre Audit Binary Setup | Setup the LE audit ansible.builtin.include_tasks: LE_audit_setup.yml when: - - setup_audit + - setup_audit tags: - - setup_audit + - setup_audit -- name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" +- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' -- name: Pre Audit | retrieve audit content files from git - ansible.builtin.git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" +- name: Pre Audit Setup | If using git for content set up + block: + - name: Pre Audit Setup | Install git + ansible.builtin.package: + name: git + state: present + + - name: Pre Audit Setup | retrieve audit content files from git + ansible.builtin.git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" when: - - audit_content == 'git' + - audit_content == 'git' -- name: Pre Audit | confirm audit branch vs benchmark version - ansible.builtin.debug: - msg: "Audit will run the branch {{ audit_git_version }} for this Benchmark {{ benchmark_version }}" - -- name: Pre Audit | copy to audit content files to server +- name: Pre Audit Setup | copy to audit content files to server ansible.builtin.copy: src: "{{ audit_local_copy }}" - dest: "{{ audit_conf_dir }}" - mode: 0644 + dest: "{{ audit_conf_dest }}" + mode: preserve when: - - audit_content == 'copy' + - audit_content == 'copy' -- name: Pre Audit | get audit content from url +- name: Pre Audit Setup | unarchive audit content files on server + ansible.builtin.unarchive: + src: "{{ audit_conf_copy }}" + dest: "{{ audit_conf_dir }}" + when: + - audit_content == 'archived' + +- name: Pre Audit Setup | get audit content from url ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" - owner: root - group: root - mode: 0755 when: - - 
audit_content == 'get_url' + - audit_content == 'get_url' -- name: Pre Audit | Check Goss is available +- name: Pre Audit Setup | Check Goss is available block: - - name: Pre Audit | Check for goss file - ansible.builtin.stat: - path: "{{ audit_bin }}" - register: goss_available + - name: Pre Audit Setup | Check for goss file + ansible.builtin.stat: + path: "{{ audit_bin }}" + register: goss_available - - name: Pre Audit | Alert if goss not available - ansible.builtin.assert: - that: goss_available.stat.exists - fail_msg: "Audit binary file {{ audit_bin }} does not exist" + - name: Pre Audit Setup | If audit ensure goss is available + ansible.builtin.assert: + msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" + when: + - not goss_available.stat.exists when: - - run_audit + - run_audit -- name: "Pre Audit | Check whether machine is UEFI-based" - ansible.builtin.stat: - path: /sys/firmware/efi - register: rhel9_efi_boot - tags: - - goss_template - -- name: Pre Audit | Copy ansible default vars values to test audit +- name: Pre Audit Setup | Copy ansible default vars values to test audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: 0600 when: - - run_audit + - run_audit tags: - - goss_template + - goss_template + - always - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment | default({}) }}" - changed_when: audit_run_pre_remediation.rc == 0 - register: audit_run_pre_remediation + changed_when: true + environment: + AUDIT_BIN: "{{ audit_bin }}" + AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_FILE: "goss.yml" - name: Pre Audit | Capture audit data if json format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "cat {{ pre_audit_outfile }}" - register: 
pre_audit - changed_when: false + - name: "capture data {{ pre_audit_outfile }}" + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false - - name: Pre Audit | Capture pre-audit result - ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" - vars: - summary: 'summary."summary-line"' + - name: Pre Audit | Capture pre-audit result + ansible.builtin.set_fact: + pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" + vars: + summary: 'summary."summary-line"' when: - - audit_format == "json" + - audit_format == "json" - name: Pre Audit | Capture audit data if documentation format block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" - register: pre_audit - changed_when: false + - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" + register: pre_audit + changed_when: false - - name: Pre Audit | Capture pre-audit result - ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout_lines }}" + - name: Pre Audit | Capture pre-audit result | documentation format + ansible.builtin.set_fact: + pre_audit_summary: "{{ pre_audit.stdout_lines }}" when: - - audit_format == "documentation" + - audit_format == "documentation" From 093c5950d25d8a2073ad4b555ca524d86d21ba44 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 28 Jul 2023 15:31:12 +0100 Subject: [PATCH 015/136] updated changelog Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 04f7d85..f553ad9 100644 --- a/Changelog.md +++ b/Changelog.md 
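Review bot: The new `Pre Audit Setup | If audit ensure goss is available` task calls `ansible.builtin.assert` with only `msg` and a `when`, but `that` is a required argument of the module, so when the binary is missing the play fails on argument validation instead of with the intended message (and when it is present the task is merely skipped). Put the condition back into the module: `that: goss_available.stat.exists` and `fail_msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"`, and drop the `when`. The copy and unarchive tasks reference `audit_conf_dest` and `audit_conf_copy`, which do not appear in this commit's defaults/main.yml hunk; confirm they are declared, otherwise the `copy` and `archived` content paths fail on an undefined variable. The content `get_url` task also lost its `owner`/`group`/`mode`, so the permissions of the fetched content (which includes the `run_audit.sh` that is later executed) now depend on the remote umask; an explicit `mode: '0644'` on the download keeps that deterministic.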
@@ -11,6 +11,8 @@ - updated to logic in 5.6.5 - lint updates to 6.1.x - readme updates +- audit control updates and variable name changes + - ability to run audit on arm64(e.g. pi or M1/2) too thanks to @lucab85 #77 ## 1.0.10 From 0f34707b66b979b56eb05a83cd7fba3f60a2df07 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Jul 2023 10:36:51 +0100 Subject: [PATCH 016/136] moved precommit file location Signed-off-by: Mark Bolwell --- .../.pre-commit-config.yaml | 2 +- .secrets.baseline => .precommit/.secrets.baseline | 10 ++++------ 2 files changed, 5 insertions(+), 7 deletions(-) rename .pre-commit-config.yaml => .precommit/.pre-commit-config.yaml (96%) rename .secrets.baseline => .precommit/.secrets.baseline (95%) diff --git a/.pre-commit-config.yaml b/.precommit/.pre-commit-config.yaml similarity index 96% rename from .pre-commit-config.yaml rename to .precommit/.pre-commit-config.yaml index 8087b48..fa1decd 100644 --- a/.pre-commit-config.yaml +++ b/.precommit/.pre-commit-config.yaml @@ -28,7 +28,7 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: ['--baseline', '.secrets.baseline'] + args: ['--baseline', '.precommit/.secrets.baseline'] exclude: package.lock.json - repo: https://github.com/ansible-community/ansible-lint diff --git a/.secrets.baseline b/.precommit/.secrets.baseline similarity index 95% rename from .secrets.baseline rename to .precommit/.secrets.baseline index 521cd47..e393467 100644 --- a/.secrets.baseline +++ b/.precommit/.secrets.baseline @@ -77,7 +77,7 @@ }, { "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".secrets.baseline" + "filename": ".precommit/.secrets.baseline" }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", @@ -152,7 +152,7 @@ "filename": "tasks/main.yml", "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", "is_verified": false, - "line_number": 109, + "line_number": 110, "is_secret": false } ], 
@@ -162,11 +162,9 @@ "filename": "tasks/parse_etc_password.yml", "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", "is_verified": false, - "line_number": 18, - "is_secret": false + "line_number": 18 } ] }, - "generated_at": "2023-07-04T16:02:46Z" + "generated_at": "2023-07-31T09:36:20Z" } - From b634952569c813d6fd6a26e3296a2b2a4a87319e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Jul 2023 10:37:09 +0100 Subject: [PATCH 017/136] updated file locations Signed-off-by: Mark Bolwell --- MANIFEST.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MANIFEST.in b/MANIFEST.in index 6fc2d89..88214c1 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -2,7 +2,7 @@ include site.yml include MANIFEST.in -include .secrets.baseline +include .precommit/.secrets.baseline include *.md *.rst include ansible.cfg include .ansible-lint .gitattributes .gitignore .yamllint .pre-commit-config.yaml LICENSE From 2fbeae499294f7c442fa92a364ec03b449905862 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 31 Jul 2023 10:37:52 +0100 Subject: [PATCH 018/136] updated with precommit check Signed-off-by: Mark Bolwell --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 6ff9449..e98e2a1 100644 --- a/README.md +++ b/README.md @@ -173,7 +173,8 @@ uses: - ansible-core 2.12 - ansible collections - pulls in the latest version based on requirements file -- runs the audit using the devel branch +- Runs the audit using the devel branch +- Runs the pre-commit setup on the PR to ensure everything is in place as expected. - This is an automated test that occurs on pull requests into devel ## Local Testing @@ -183,3 +184,8 @@ uses: - ansible-core 2.15.1 - python 3.11 makefile - this is there purely for testing and initial setup purposes. +pre-commit can be tested with + +```sh +pre-commit run -c .precommit/.precommit-commit-config.yaml +``` From b0f5ea04377d118d716a8e5be8e0c52c4a023421 Mon Sep 17 00:00:00 2001 
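Review bot: The `tasks/parse_etc_password.yml` entry in the `@@ -162,11 +162,9 @@` hunk loses its `"is_secret": false` flag, so that finding reverts from an audited false positive to an unreviewed one; the hook still passes on the baseline, but the record of the decision is gone and the next `detect-secrets audit` will re-prompt for it. If the file was regenerated by a fresh `detect-secrets scan`, re-run it with `--baseline .precommit/.secrets.baseline` (or re-audit the entry) so the flag is carried over.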
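Review bot: The `include` line directly after the changed one still lists `.pre-commit-config.yaml` at the repository root, although the preceding commit moved it to `.precommit/.pre-commit-config.yaml`; update it to `include .ansible-lint .gitattributes .gitignore .yamllint .precommit/.pre-commit-config.yaml LICENSE`. The README hunk in the following commit has the same path drift — it documents `pre-commit run -c .precommit/.precommit-commit-config.yaml`, which is neither the old nor the new filename.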
From: Mark Bolwell Date: Tue, 1 Aug 2023 16:41:08 +0100 Subject: [PATCH 019/136] updated with PR #78 Signed-off-by: Mark Bolwell --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index e98e2a1..df0df9f 100644 --- a/README.md +++ b/README.md @@ -56,13 +56,13 @@ Check Mode is not supported! The role will complete in check mode without errors This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. -To use release version please point to main branch and relevant release for the cis benchmark you wish to work with. +To use the release version, please point to the `main` branch and relevant release for the cis benchmark you wish to work with. --- ## Matching a security Level for CIS -It is possible to to only run level 1 or level 2 controls for CIS. +It is possible to only run level 1 or level 2 controls for CIS. This is managed using tags: - level1-server 
@@ -70,23 +70,23 @@ This is managed using tags: - level2-server - level2-workstation -The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. +The control found in the `defaults` main also needs to reflect this, as this control is the testing that takes place if you are using the audit component. ## Coming from a previous release -CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release. -This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. +CIS release always contains changes, it is highly recommended to review the new references and available variables. This has changed significantly since the ansible-lockdown initial release. +This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites which configure the system accordingly. Further details can be seen in the [Changelog](./ChangeLog.md) ## Auditing (new) -This can be turned on or off within the defaults/main.yml file with the variable rhel8cis_run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. +This can be turned on or off within the `defaults/main.yml` file with the variables `setup_audit` and `run_audit`. The value is `false` by default. Please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. 
-A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. -This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. +A new form of auditing has been developed by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check without the need for infrastructure or other tooling. +This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also try to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit). From 81f580c5c026a982427dabdaa7a22da9566a3850 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 1 Aug 2023 16:55:42 +0100 Subject: [PATCH 020/136] added centos wording Signed-off-by: Mark Bolwell --- README.md | 10 ++++++++-- vars/CentOS.yml | 4 ++++ 2 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 vars/CentOS.yml diff --git a/README.md b/README.md index df0df9f..341467b 100644 --- a/README.md +++ b/README.md 
@@ -15,11 +15,11 @@ ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61781?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) -![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/RHEL9-CIS/linux_benchmark_testing.yml?label=Devel%20Build%20Status) +[![devel build status](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/devel_pipeline_validation.yml/badge.svg?branch=devel)](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/devel_pipeline_validation.yml) ![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/RHEL9-CIS/linux_benchmark_testing.yml?label=Build%20Status) +[![main build status](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/main_pipeline_validation.yml/badge.svg?branch=main)](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/main_pipeline_validation.yml) ![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS?label=Release%20Date) ![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/RHEL9-CIS?label=Release%20Tag&&color=success) @@ -107,6 +107,12 @@ OracleLinux 9 - Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) +CentOS stream - while this will generally work it is not supported and requires the following variable setting + +```sh +check_os: false +``` + **General:** - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible 
diff --git a/vars/CentOS.yml b/vars/CentOS.yml new file mode 100644 index 0000000..08ca326 --- /dev/null +++ b/vars/CentOS.yml @@ -0,0 +1,4 @@ +--- + +os_gpg_key_pubkey_name: centos-gpg-keys +os_gpg_key_pubkey_content: "builder@centos.org 9.0" From 2a38e18864eb856d9660a8ebced6ba14b3229173 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 1 Aug 2023 17:03:45 +0100 Subject: [PATCH 021/136] Added pipelines Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 153 ++++++++++++++++++ ...sting.yml => main_pipeline_validation.yml} | 113 ++++++------- 2 files changed, 206 insertions(+), 60 deletions(-) create mode 100644 .github/workflows/devel_pipeline_validation.yml rename .github/workflows/{linux_benchmark_testing.yml => main_pipeline_validation.yml} (61%) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml new file mode 100644 index 0000000..e51af9b --- /dev/null +++ b/.github/workflows/devel_pipeline_validation.yml 
@@ -0,0 +1,153 @@
+---
+
+ name: devel_pipeline_validation
+
+ on: # yamllint disable-line rule:truthy
+ pull_request_target:
+ types: [opened, reopened, synchronize]
+ branches:
+ - devel
+ paths:
+ - '**.yml'
+ - '**.sh'
+ - '**.j2'
+ - '**.ps1'
+ - '**.cfg'
+
+ # A workflow run is made up of one or more jobs
+ # that can run sequentially or in parallel
+ jobs:
+ # This will create messages for first time contributers and direct them to the Discord server
+ welcome:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/first-interaction@main
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ pr-message: |-
+ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+ Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+
+ # Carries out lint tests on the content
+ linting:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Clone ${{ github.event.repository.name }}
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Run ansible-lint
+ uses: ansible/ansible-lint-action@v6
+ with:
+ path: ./site.yml
+
+ # This workflow contains a single job which tests the playbook
+ playbook-test:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+ env:
+ ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
+ # Imported as a variable by terraform
+ TF_VAR_repository: ${{ github.event.repository.name }}
+ defaults:
+ run:
+ shell: bash
+ working-directory: .github/workflows/github_linux_IaC
+
+ steps:
+ - name: Clone ${{ github.event.repository.name }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ # Pull in terraform code for linux servers
+ - name: Clone github IaC plan
+ uses: actions/checkout@v3
+ with:
+ repository: ansible-lockdown/github_linux_IaC
+ path: .github/workflows/github_linux_IaC
+
+ - name: Add_ssh_key
+ working-directory: .github/workflows
+ env:
+ SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+ PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
+ run: |
+ mkdir .ssh
+ chmod 700 .ssh
+ echo $PRIVATE_KEY > .ssh/github_actions.pem
+ chmod 600 .ssh/github_actions.pem
+
+ - name: DEBUG - Show IaC files
+ if: env.ENABLE_DEBUG == 'true'
+ run: |
+ echo "OSVAR = $OSVAR"
+ echo "benchmark_type = $benchmark_type"
+ pwd
+ ls
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Init
+ id: init
+ run: terraform init
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Validate
+ id: validate
+ run: terraform validate
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ - name: Terraform_Apply
+ id: apply
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
+
+ ## Debug Section
+ - name: DEBUG - Show Ansible hostfile
+ if: env.ENABLE_DEBUG == 'true'
+ run: cat hosts.yml
+
+ # Aws deployments taking a while to come up insert sleep or playbook fails
+
+ - name: Sleep for 60 seconds
+ run: sleep 60s
+
+ # Run the ansible playbook
+ - name: Run_Ansible_Playbook
+ uses: arillso/action.playbook@master
+ with:
+ playbook: site.yml
+ inventory: .github/workflows/github_linux_IaC/hosts.yml
+ galaxy_file: collections/requirements.yml
+ private_key: ${{ secrets.SSH_PRV_KEY }}
+ # verbose: 3
+ env:
+ ANSIBLE_HOST_KEY_CHECKING: "false"
+ ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+ # Remove test system - User secrets to keep if necessary
+
+ - name: Terraform_Destroy
+ if: always() && env.ENABLE_DEBUG == 'false'
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/main_pipeline_validation.yml
similarity index 61%
rename from .github/workflows/linux_benchmark_testing.yml
rename to .github/workflows/main_pipeline_validation.yml
index 895cd4e..22d158a 100644
--- a/.github/workflows/linux_benchmark_testing.yml
+++ b/.github/workflows/main_pipeline_validation.yml
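Review bot: The playbook-test job runs on `pull_request_target`, checks out `github.event.pull_request.head.sha`, and then executes the PR's own `site.yml` and `collections/requirements.yml` through arillso/action.playbook with `private_key: ${{ secrets.SSH_PRV_KEY }}`, so a fork PR can rewrite the playbook to run tasks on the runner (e.g. `delegate_to: localhost`) and read the PEM written to `.github/workflows/.ssh/github_actions.pem` or reach the EC2 host that Terraform_Apply just built with the repository's AWS keys; this is the classic pwn-request pattern, and the `welcome` job's `secrets.GITHUB_TOKEN` is write-capable by default on this event unless the repository restricts it. Gate the job on a maintainer action, for example `if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')` or a GitHub environment with required reviewers, and add a top-level `permissions: contents: read`. `actions/first-interaction@main` and `arillso/action.playbook@master` are mutable refs; pin them to commit SHAs since they run in a job holding AWS and SSH secrets. Separately, `echo $PRIVATE_KEY > .ssh/github_actions.pem` word-splits a multi-line PEM into one space-joined line; use `printf '%s\n' "$PRIVATE_KEY" > .ssh/github_actions.pem`, assuming the secret holds a multi-line key (the file's consumer lives in the separately cloned IaC repo and is not visible here).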
@@ -1,62 +1,58 @@ --- -# This is a basic workflow to help you get started with Actions + name: main_pipeline_validation -name: linux_benchmark_pipeline + on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' -# Controls when the action will run. -# Triggers the workflow on push or pull request -# events but only for the devel branch -on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' + # A workflow run is made up of one or more jobs + # that can run sequentially or in parallel + jobs: -# A workflow run is made up of one or more jobs -# that can run sequentially or in parallel -jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
- # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - env: - ENABLE_DEBUG: false - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, - # so your job can access it + # Carries out lint tests on the content + linting: + runs-on: ubuntu-latest + steps: - name: Clone ${{ github.event.repository.name }} uses: actions/checkout@v3 with: - ref: ${{ github.event.pull_request.head.sha }} + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha }} - # Pull in terraform code for linux servers + - name: Run ansible-lint + uses: ansible/ansible-lint-action@v6 + with: + path: ./site.yml + + # This workflow contains a single job which tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: ubuntu-latest + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + + steps: + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Pull in terraform code for linux servers - name: Clone github IaC plan uses: actions/checkout@v3 with: 
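Review bot: The new `linting` job checks out `github.event.pull_request.head.sha` under `pull_request_target` and runs ansible-lint on it with no `permissions:` block, so the job's default `GITHUB_TOKEN` carries whatever write scope the repository grants while processing fork-controlled content (`.ansible-lint`, `site.yml`, anything else the linter reads from the checkout). Add `permissions: contents: read` at the top of the workflow, or move linting into an ordinary `pull_request` workflow, since it needs no repository secrets. The playbook-test job that follows continues past the end of this hunk.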
@@ -81,13 +77,10 @@ jobs: echo "benchmark_type = $benchmark_type" pwd ls - env: - # Imported from github variables this is used to load the relvent OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - -### Build out the server + # Imported from github variables this is used to load the relvent OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} - name: Terraform_Init id: init @@ -114,7 +107,7 @@ jobs: TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false - ## Debug Section + ## Debug Section - name: DEBUG - Show Ansible hostfile if: env.ENABLE_DEBUG == 'true' run: cat hosts.yml @@ -124,7 +117,7 @@ jobs: - name: Sleep for 60 seconds run: sleep 60s - # Run the ansible playbook + # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: @@ -137,10 +130,10 @@ jobs: ANSIBLE_HOST_KEY_CHECKING: "false" ANSIBLE_DEPRECATION_WARNINGS: "false" - # Remove test system - User secrets to keep if necessary + # Remove test system - User secrets to keep if necessary - name: Terraform_Destroy - if: always() + if: always() && env.ENABLE_DEBUG == 'false' env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} From 0713706d4c40dff6842c9779cd8167249b77e8a8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 1 Aug 2023 17:06:00 +0100 Subject: [PATCH 022/136] fixed typo and updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/Changelog.md b/Changelog.md index f553ad9..f6006b5 100644 --- a/Changelog.md +++ b/Changelog.md 
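Review bot: `if: always() && env.ENABLE_DEBUG == 'false'` on Terraform_Destroy only fires when the repository variable is literally the string `false`; with `ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}` an unset or misspelled variable expands to an empty string, the destroy step is skipped on every run, and the EC2 test host (reachable with the CI SSH key, built with `ANSIBLE_HOST_KEY_CHECKING` off) stays up until someone notices the bill. Invert the test so teardown is the default path: `if: always() && env.ENABLE_DEBUG != 'true'`. The devel workflow in this series carries the same gate and should be changed in step.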
@@ -3,9 +3,10 @@ ## 1.1.0 - new workflow configuration -- Added pre-commit config - Does not have to be used but can imrpove things + - Allowing devel and main configs + - IaC code found in alternate repo for easier mgmt +- Added pre-commit config - Does not have to be used but can improve things - .pre-commit-config.yaml - - MANIFEST.in - .secrets.baseline - updated to logic in 5.6.5 @@ -13,6 +14,8 @@ - readme updates - audit control updates and variable name changes - ability to run audit on arm64(e.g. pi or M1/2) too thanks to @lucab85 #77 +- tidy up README adopted PR #78 thanks to @lucab85 + ## 1.0.10 From 4bbf19b6d1f310ecdc9eed64a423fcae6886baf9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 1 Aug 2023 17:08:05 +0100 Subject: [PATCH 023/136] updated precommit config Signed-off-by: Mark Bolwell --- .../.pre-commit-config.yaml => .pre-commit-config.yaml | 7 ++++++- .precommit/.secrets.baseline => .secrets.baseline | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) rename .precommit/.pre-commit-config.yaml => .pre-commit-config.yaml (88%) rename .precommit/.secrets.baseline => .secrets.baseline (97%) diff --git a/.precommit/.pre-commit-config.yaml b/.pre-commit-config.yaml similarity index 88% rename from .precommit/.pre-commit-config.yaml rename to .pre-commit-config.yaml index fa1decd..e6541d9 100644 --- a/.precommit/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,4 +1,9 @@ --- +##### CI for use by github no need for action to be added +##### Inherited +ci: + autofix_prs: false + skip: [detect-aws-credentials, ansible-lint ] repos: - repo: https://github.com/pre-commit/pre-commit-hooks @@ -28,7 +33,7 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: ['--baseline', '.precommit/.secrets.baseline'] + args: ['--baseline', '.secrets.baseline'] exclude: package.lock.json - repo: https://github.com/ansible-community/ansible-lint 
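Review bot: `skip: [detect-aws-credentials, ansible-lint ]` in the new `ci:` stanza disables the AWS-credential detector on pre-commit.ci, which leaves the local hook as the only scan for leaked access keys, and that only runs for contributors who installed pre-commit. If the hook is skipped because it expects a local `~/.aws/credentials` to compare against (the hook definition is outside this hunk), `args: ['--allow-missing-credentials']` on the hook lets it run in CI instead; otherwise record the reason above `skip:`, e.g. `# detect-aws-credentials needs a local AWS credentials file; run it locally`. The stray space in `ansible-lint ]` is a style nit.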
diff --git a/.precommit/.secrets.baseline b/.secrets.baseline similarity index 97% rename from .precommit/.secrets.baseline rename to .secrets.baseline index e393467..f4c8d28 100644 --- a/.precommit/.secrets.baseline +++ b/.secrets.baseline @@ -77,7 +77,7 @@ }, { "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".precommit/.secrets.baseline" + "filename": ".secrets.baseline" }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", @@ -166,5 +166,5 @@ } ] }, - "generated_at": "2023-07-31T09:36:20Z" + "generated_at": "2023-08-01T16:07:28Z" } From 2a7d1cef964c37ddb5500f961d0483f63bc76f50 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 2 Aug 2023 15:49:38 +0100 Subject: [PATCH 024/136] updated Readme Signed-off-by: Mark Bolwell --- README.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 341467b..7f82018 100644 --- a/README.md +++ b/README.md 
@@ -15,13 +15,14 @@ ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61781?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) -[![devel build status](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/devel_pipeline_validation.yml/badge.svg?branch=devel)](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/devel_pipeline_validation.yml) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) - ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -[![main build status](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/main_pipeline_validation.yml/badge.svg?branch=main)](https://github.com/ansible-lockdown/RHEL9-CIS-TEST/actions/workflows/main_pipeline_validation.yml) -![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS?label=Release%20Date) -![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/RHEL9-CIS?label=Release%20Tag&&color=success) +![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS) +![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS) + +[![Main pipeline status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) + +[![Devel pipeline status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) ![Issues 
Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues) ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success) @@ -29,6 +30,7 @@ ![License](https://img.shields.io/github/license/ansible-lockdown/RHEL9-CIS?label=License) + --- ## Looking for support? From 8525b1e31c6862de4fe51e9c03242f837717950c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 2 Aug 2023 16:03:45 +0100 Subject: [PATCH 025/136] updated pipeline workflows Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 4 ++-- .github/workflows/main_pipeline_validation.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index e51af9b..a6c4a90 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -1,6 +1,6 @@ --- - name: devel_pipeline_validation + name: Devel pipeline on: # yamllint disable-line rule:truthy pull_request_target: @@ -30,7 +30,7 @@ Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. # Carries out lint tests on the content - linting: + lint: runs-on: ubuntu-latest steps: - name: Clone ${{ github.event.repository.name }} diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 22d158a..fc7f808 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -1,6 +1,6 @@ --- - name: main_pipeline_validation + name: Main pipeline on: # yamllint disable-line rule:truthy pull_request_target: From 203cc2b68269cb026737715cd6f0181c1c56701e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 2 Aug 2023 16:05:01 +0100 Subject: [PATCH 026/136] removed files 
Signed-off-by: Mark Bolwell --- MANIFEST.in | 20 -------------------- ansible.cfg | 30 ------------------------------ local.yml | 8 -------- 3 files changed, 58 deletions(-) delete mode 100644 MANIFEST.in delete mode 100644 ansible.cfg delete mode 100644 local.yml diff --git a/MANIFEST.in b/MANIFEST.in deleted file mode 100644 index 88214c1..0000000 --- a/MANIFEST.in +++ /dev/null @@ -1,20 +0,0 @@ -# Files for ansible-signing - -include site.yml -include MANIFEST.in -include .precommit/.secrets.baseline -include *.md *.rst -include ansible.cfg -include .ansible-lint .gitattributes .gitignore .yamllint .pre-commit-config.yaml LICENSE -include requirements.txt Makefile -recursive-exclude .git * -recursive-include .github *.yml *.md *.tf *.tfvars -recursive-include collections *.yml -recursive-include defaults *.yml -recursive-include files * -recursive-include handlers *.yml -recursive-include meta *.yml -recursive-include molecule *.yml -recursive-include tasks *.yml -recursive-include templates *.j2 -recursive-include vars *.yml diff --git a/ansible.cfg b/ansible.cfg deleted file mode 100644 index 1f4e5c4..0000000 --- a/ansible.cfg +++ /dev/null @@ -1,30 +0,0 @@ -[defaults] -host_key_checking=False -display_skipped_hosts=True -system_warnings=False -command_warnings=False -nocows=1 -retry_files_save_path=/dev/null -pipelining=true - -# Use the YAML callback plugin. -#stdout_callback = yaml -# Use the stdout_callback when running ad-hoc commands. -bin_ansible_callbacks = True - -[privilege_escalation] - -[paramiko_connection] -record_host_keys=False - -[ssh_connection] -transfer_method=scp -ssh_args = -o ControlMaster=auto -o ControlPersist=60s - -[accelerate] - -[selinux] - -[colors] - -[diff] diff --git a/local.yml b/local.yml deleted file mode 100644 index 18c2f43..0000000 --- a/local.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -- hosts: localhost - connection: local - become: true - - roles: - - role: "{{ playbook_dir }}" 
From c631b24a9dcca694887f856611b77923ae2012d0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 2 Aug 2023 16:27:15 +0100 Subject: [PATCH 027/136] updated file locations Signed-off-by: Mark Bolwell --- .secrets.baseline => .config/.secrets.baseline | 4 ++-- requirements.txt => .config/requirements.txt | 0 .pre-commit-config.yaml | 2 +- Makefile | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) rename .secrets.baseline => .config/.secrets.baseline (97%) rename requirements.txt => .config/requirements.txt (100%) diff --git a/.secrets.baseline b/.config/.secrets.baseline similarity index 97% rename from .secrets.baseline rename to .config/.secrets.baseline index f4c8d28..dbcf03d 100644 --- a/.secrets.baseline +++ b/.config/.secrets.baseline @@ -77,7 +77,7 @@ }, { "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".secrets.baseline" + "filename": ".config/.secrets.baseline" }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", @@ -166,5 +166,5 @@ } ] }, - "generated_at": "2023-08-01T16:07:28Z" + "generated_at": "2023-08-02T15:26:59Z" } diff --git a/requirements.txt b/.config/requirements.txt similarity index 100% rename from requirements.txt rename to .config/requirements.txt diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e6541d9..794d35a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,7 +33,7 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: ['--baseline', '.secrets.baseline'] + args: ['--baseline', '.config/.secrets.baseline'] exclude: package.lock.json - repo: https://github.com/ansible-community/ansible-lint diff --git a/Makefile b/Makefile index c39a283..99029ac 100755 --- a/Makefile +++ b/Makefile @@ -25,5 +25,5 @@ yamllint: pip-requirements: @echo 'Python dependencies:' - @cat requirements.txt + @cat .config/requirements.txt pip3 install -r requirements.txt From 2590d8a9553fb0d53f910afd9461e94a1fe667ef Mon Sep 17 00:00:00 2001 
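Review bot: The Makefile hunk updates only the `cat` line; `pip3 install -r requirements.txt` on the next line still points at the root path that this same commit moves to `.config/requirements.txt`, so `make pip-requirements` prints the new file and then fails on the old one. Change it to `pip3 install -r .config/requirements.txt`.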
From: Mark Bolwell Date: Wed, 2 Aug 2023 16:28:44 +0100 Subject: [PATCH 028/136] updated changelog Signed-off-by: Mark Bolwell --- Changelog.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index f6006b5..4a4c8c7 100644 --- a/Changelog.md +++ b/Changelog.md @@ -15,7 +15,8 @@ - audit control updates and variable name changes - ability to run audit on arm64(e.g. pi or M1/2) too thanks to @lucab85 #77 - tidy up README adopted PR #78 thanks to @lucab85 - +- moved Makefile requirements to .config/ +- removed .ansible.cfg and local.yml ## 1.0.10 From 299cada9885cd45929b4e3c3d1c8e528c73e4522 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 4 Aug 2023 08:08:23 +0100 Subject: [PATCH 029/136] updated github tag labels Signed-off-by: Mark Bolwell --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 7f82018..f0f95ee 100644 --- a/README.md +++ b/README.md 
@@ -19,9 +19,9 @@ ![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS) ![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS) -[![Main pipeline status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) +[![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) -[![Devel pipeline status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml) +[![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml) ![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues) @@ -30,7 +30,6 @@ ![License](https://img.shields.io/github/license/ansible-lockdown/RHEL9-CIS?label=License) - --- ## Looking for support? @@ -192,8 +191,9 @@ uses: - ansible-core 2.15.1 - python 3.11 makefile - this is there purely for testing and initial setup purposes. -pre-commit can be tested with +pre-commit can be tested +Is run from with the directory ```sh -pre-commit run -c .precommit/.precommit-commit-config.yaml +pre-commit run ``` From b314be45ef2d0f13eb6f9dbce5055f494a12035d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 4 Aug 2023 17:45:55 +0100 Subject: [PATCH 030/136] removed separate lint task 
Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 15 --------------- .github/workflows/main_pipeline_validation.yml | 15 --------------- 2 files changed, 30 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index a6c4a90..a4e7d48 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -29,21 +29,6 @@ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. - # Carries out lint tests on the content - lint: - runs-on: ubuntu-latest - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Run ansible-lint - uses: ansible/ansible-lint-action@v6 - with: - path: ./site.yml - # This workflow contains a single job which tests the playbook playbook-test: # The type of runner that the job will run on diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index fc7f808..0b149fb 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -18,21 +18,6 @@ # that can run sequentially or in parallel jobs: - # Carries out lint tests on the content - linting: - runs-on: ubuntu-latest - steps: - - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 - with: - fetch-depth: 0 - ref: ${{ github.event.pull_request.head.sha }} - - - name: Run ansible-lint - uses: ansible/ansible-lint-action@v6 - with: - path: ./site.yml - # This workflow contains a single job which tests the playbook playbook-test: # The type of runner that the job will run on From c5cd1a84878f439459aa91fa93a6689479ac0753 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Mon, 7 Aug 2023 16:39:23 +0100 Subject: [PATCH 031/136] Added secerts baselines Signed-off-by: Mark Bolwell --- .config/.gitleaks-report.json | 322 ++++++++++++++++++++++++++++++++++ .config/.secrets.baseline | 2 +- 2 files changed, 323 insertions(+), 1 deletion(-) create mode 100644 .config/.gitleaks-report.json diff --git a/.config/.gitleaks-report.json b/.config/.gitleaks-report.json new file mode 100644 index 0000000..fbdde5d --- /dev/null +++ b/.config/.gitleaks-report.json 
@@ -0,0 +1,322 @@ +[ + { + "Description": "Generic API Key", + "StartLine": 119, + "EndLine": 119, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\"", + "Secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.853056, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:119" + }, + { + "Description": "Generic API Key", + "StartLine": 127, + "EndLine": 127, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"fe96f7cfa2ab2224e7d015067a6f6cc713f7012e\"", + "Secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.6568441, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:127" + }, + { + "Description": "Generic API Key", + "StartLine": 135, + "EndLine": 135, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"a415ab5cc17c8c093c015ccdb7e552aee7911aa4\"", + "Secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.5221736, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit 
files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:135" + }, + { + "Description": "Generic API Key", + "StartLine": 145, + "EndLine": 145, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2478fefdceefe2847c3aa36dc731aaad5b3cc2fb\"", + "Secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.6348295, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:145" + }, + { + "Description": "Generic API Key", + "StartLine": 153, + "EndLine": 153, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", + "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.646039, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:153" + }, + { + "Description": "Generic API Key", + "StartLine": 163, + "EndLine": 163, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", + "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": 
"495f942b7d26ee82690dc16eb4f231c587a57687", + "Entropy": 3.8439426, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-26T15:51:17Z", + "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:163" + }, + { + "Description": "Generic API Key", + "StartLine": 119, + "EndLine": 119, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\"", + "Secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.853056, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:119" + }, + { + "Description": "Generic API Key", + "StartLine": 127, + "EndLine": 127, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"fe96f7cfa2ab2224e7d015067a6f6cc713f7012e\"", + "Secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.6568441, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:127" + }, + { + "Description": "Generic API Key", + "StartLine": 135, + "EndLine": 135, + "StartColumn": 18, + "EndColumn": 68, + 
"Match": "secret\": \"a415ab5cc17c8c093c015ccdb7e552aee7911aa4\"", + "Secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.5221736, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:135" + }, + { + "Description": "Generic API Key", + "StartLine": 145, + "EndLine": 145, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2478fefdceefe2847c3aa36dc731aaad5b3cc2fb\"", + "Secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.6348295, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:145" + }, + { + "Description": "Generic API Key", + "StartLine": 153, + "EndLine": 153, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"", + "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.646039, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": 
"7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:153" + }, + { + "Description": "Generic API Key", + "StartLine": 163, + "EndLine": 163, + "StartColumn": 18, + "EndColumn": 68, + "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"", + "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", + "File": ".secrets.baseline", + "SymlinkFile": "", + "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389", + "Entropy": 3.8439426, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-07-04T16:08:02Z", + "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:163" + }, + { + "Description": "Generic API Key", + "StartLine": 3, + "EndLine": 4, + "StartColumn": 9, + "EndColumn": 1, + "Match": "key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec", + "Secret": "gpg-pubkey-8d8b756f-629e59ec", + "File": "vars/OracleLinux.yml", + "SymlinkFile": "", + "Commit": "e04da88df42da0108d489f359513c574fbe5c87a", + "Entropy": 3.96772, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2023-03-06T11:22:08Z", + "Message": "Added OracleLinux support\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "e04da88df42da0108d489f359513c574fbe5c87a:vars/OracleLinux.yml:generic-api-key:3" + }, + { + "Description": "Generic API Key", + "StartLine": 4, + "EndLine": 5, + "StartColumn": 8, + "EndColumn": 1, + "Match": "key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b", + "Secret": "gpg-pubkey-fd431d51-4ae0493b", + "File": "vars/RedHat.yml", + "SymlinkFile": "", + "Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a", + "Entropy": 3.96772, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2022-07-25T10:26:27Z", + "Message": "1.2.2 rpm gpg key 
check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/RedHat.yml:generic-api-key:4" + }, + { + "Description": "Generic API Key", + "StartLine": 4, + "EndLine": 5, + "StartColumn": 8, + "EndColumn": 1, + "Match": "key_pubkey_name: gpg-pubkey-b86b3716-61e69f29", + "Secret": "gpg-pubkey-b86b3716-61e69f29", + "File": "vars/AlmaLinux.yml", + "SymlinkFile": "", + "Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a", + "Entropy": 3.824863, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2022-07-25T10:26:27Z", + "Message": "1.2.2 rpm gpg key check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/AlmaLinux.yml:generic-api-key:4" + }, + { + "Description": "Generic API Key", + "StartLine": 4, + "EndLine": 5, + "StartColumn": 8, + "EndColumn": 1, + "Match": "key_pubkey_name: gpg-pubkey-350d275d-6279464b", + "Secret": "gpg-pubkey-350d275d-6279464b", + "File": "vars/Rocky.yml", + "SymlinkFile": "", + "Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a", + "Entropy": 3.9946804, + "Author": "Mark Bolwell", + "Email": "mark.bollyuk@gmail.com", + "Date": "2022-07-25T10:26:27Z", + "Message": "1.2.2 rpm gpg key check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e", + "Tags": [], + "RuleID": "generic-api-key", + "Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/Rocky.yml:generic-api-key:4" + } +] diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index dbcf03d..26e9634 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -166,5 +166,5 @@ } ] }, - "generated_at": "2023-08-02T15:26:59Z" + "generated_at": "2023-08-07T15:38:18Z" } From 05f8889aaef696e403677fe0252e06a666a39320 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Mon, 7 Aug 2023 16:39:44 +0100 Subject: [PATCH 032/136] added gitleaks plugin Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 794d35a..f044df5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -36,6 +36,13 @@ repos: args: ['--baseline', '.config/.secrets.baseline'] exclude: package.lock.json + +- repo: https://github.com/gitleaks/gitleaks + rev: v8.17.0 + hooks: + - id: gitleaks + args: ['--baseline-path','.config/.gitleaks-report.json'] + - repo: https://github.com/ansible-community/ansible-lint rev: v6.17.2 hooks: From c53cc86db0e9721de358871780e77b86970b176f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 7 Aug 2023 16:40:32 +0100 Subject: [PATCH 033/136] updated for gitleaks Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 4a4c8c7..e3b0e82 100644 --- a/Changelog.md +++ b/Changelog.md @@ -8,6 +8,7 @@ - Added pre-commit config - Does not have to be used but can improve things - .pre-commit-config.yaml - .secrets.baseline + - gitleaks and secrets detection - updated to logic in 5.6.5 - lint updates to 6.1.x From 4878eff7a7e6c6548fe587816f574b2894529511 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 18:04:36 +0100 Subject: [PATCH 034/136] removed templates to inherit from org Signed-off-by: Mark Bolwell --- .github/ISSUE_TEMPLATE/bug_report.md | 34 ------------------- .../feature-request-or-enhancement.md | 22 ------------ .github/ISSUE_TEMPLATE/question.md | 18 ---------- .github/pull_request_template.md | 12 ------- 4 files changed, 86 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md delete mode 100644 .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md delete mode 100644 .github/ISSUE_TEMPLATE/question.md delete mode 100644 .github/pull_request_template.md 
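Review bot: The new gitleaks hook uses `.config/.gitleaks-report.json` as its baseline, and the report format shown earlier on this page stores every matched value in plaintext (`"Secret": "5baa61e4..."`), so any finding that is a genuine credential would be committed verbatim the next time the baseline is regenerated. The entries visible here come from `.secrets.baseline` (`"File": ".secrets.baseline"`, match `secret": "..."`), i.e. they are detect-secrets' own SHA-1 `hashed_secret` values rather than live secrets, but the baseline mechanism cannot tell the difference. Suppressing them through a `.gitleaks.toml` `[allowlist]` `paths` entry for the detect-secrets baseline would avoid storing matches at all, and would not go stale the way the committed fingerprints (`commit:file:rule:line`) do as soon as that file is edited. As written, each scanner now also scans the other scanner's artifact; the `.secrets.baseline` churn in the later commits on this page is the result.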
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index d3828ea..0000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null @@ -1,34 +0,0 @@ ---- -name: Report Issue -about: Create a bug issue ticket to help us improve -title: '' -labels: bug -assignees: '' - ---- - -**Describe the Issue** -A clear and concise description of what the bug is. - -**Expected Behavior** -A clear and concise description of what you expected to happen. - -**Actual Behavior** -A clear and concise description of what's happening. - -**Control(s) Affected** -What controls are being affected by the issue - -**Environment (please complete the following information):** - -- branch being used: [e.g. devel] -- Ansible Version: [e.g. 2.10] -- Host Python Version: [e.g. Python 3.7.6] -- Ansible Server Python Version: [e.g. Python 3.7.6] -- Additional Details: - -**Additional Notes** -Anything additional goes here - -**Possible Solution** -Enter a suggested fix here diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md deleted file mode 100644 index 3908075..0000000 --- a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md +++ /dev/null @@ -1,22 +0,0 @@ ---- -name: Feature Request or Enhancement -about: Suggest an idea for this project -title: '' -labels: enhancement -assignees: '' - ---- - -## Feature Request or Enhancement - -- Feature [] -- Enhancement [] - -**Summary of Request** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Suggested Code** -Please provide any code you have in mind to fulfill the request diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md deleted file mode 100644 index ad0629e..0000000 --- a/.github/ISSUE_TEMPLATE/question.md +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -name: Question -about: Ask away....... -title: '' -labels: question -assignees: '' - ---- - -**Question** -Pose question here. - -**Environment (please complete the following information):** - -- Ansible Version: [e.g. 2.10] -- Host Python Version: [e.g. Python 3.7.6] -- Ansible Server Python Version: [e.g. Python 3.7.6] -- Additional Details: diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md deleted file mode 100644 index 05dadb6..0000000 --- a/.github/pull_request_template.md +++ /dev/null @@ -1,12 +0,0 @@ -**Overall Review of Changes:** -A general description of the changes made that are being requested for merge - -**Issue Fixes:** -Please list (using linking) any open issues this PR addresses - -**Enhancements:** -Please list any enhancements/features that are not open issue tickets - -**How has this been tested?:** -Please give an overview of how these changes were tested. If they were not please use N/A - From 0b6bb8afd7979a128ff3097980f0b7f9bd8a4204 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 18:53:23 +0100 Subject: [PATCH 035/136] update EOL spacing Signed-off-by: Mark Bolwell --- .gitignore | 2 +- templates/ansible_vars_goss.yml.j2 | 2 +- templates/audit/98_auditd_exception.rules.j2 | 4 ++-- templates/audit/99_auditd.rules.j2 | 2 +- templates/etc/dconf/db/00-automount_lock.j2 | 2 +- templates/etc/dconf/db/00-autorun_lock.j2 | 4 ++-- templates/etc/dconf/db/00-media-automount.j2 | 2 +- templates/etc/dconf/db/00-media-autorun.j2 | 2 +- templates/etc/dconf/db/00-screensaver.j2 | 2 +- templates/etc/dconf/db/00-screensaver_lock.j2 | 2 +- templates/etc/dconf/db/gdm.d/01-banner-message.j2 | 2 +- templates/etc/sysctl.d/60-disable_ipv6.conf.j2 | 2 +- 12 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.gitignore b/.gitignore index 8dd29c6..f67408e 100644 --- a/.gitignore +++ b/.gitignore 
@@ -12,7 +12,7 @@ delete* ignore* test_inv # temp remove doc while this is built up -doc/ +doc/ # VSCode .vscode diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 04a8284..e862c1d 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -486,7 +486,7 @@ rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile # 5.5.1 ## PAM -rhel9cis_pam_password: +rhel9cis_pam_password: minlen: {{ rhel9cis_pam_password['minlen'] }} minclass: {{ rhel9cis_pam_password['minclass'] }} rhel9cis_pam_passwd_retry: "3" diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index 2f76269..0f4a4f9 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -1,10 +1,10 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC ### YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd -{% if rhel9cis_allow_auditd_uid_user_exclusions %} +{% if rhel9cis_allow_auditd_uid_user_exclusions %} {% for user in rhel9cis_auditd_uid_exclude %} -a never,user -F uid!={{ user }} -F auid!={{ user }} {% endfor %} diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index c48782c..6f7c388 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC ### YOUR CHANGES WILL BE LOST! diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 index d92c56b..efebeac 100644 --- a/templates/etc/dconf/db/00-automount_lock.j2 +++ b/templates/etc/dconf/db/00-automount_lock.j2 
@@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC # Lock desktop media-handling automount setting diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 index 503069c..4506f4f 100644 --- a/templates/etc/dconf/db/00-autorun_lock.j2 +++ b/templates/etc/dconf/db/00-autorun_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC -# Lock desktop media-handling settings +# Lock desktop media-handling settings /org/gnome/desktop/media-handling/autorun-never diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 index 32192c3..78ad883 100644 --- a/templates/etc/dconf/db/00-media-automount.j2 +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC [org/gnome/desktop/media-handling] diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 index 16ded9d..81bdfea 100644 --- a/templates/etc/dconf/db/00-media-autorun.j2 +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC [org/gnome/desktop/media-handling] diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index 822b33d..acfeaee 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 
@@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC # Specify the dconf path diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 index fae6e82..d6c5d70 100644 --- a/templates/etc/dconf/db/00-screensaver_lock.j2 +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC # Lock desktop screensaver idle-delay setting diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 index 73b4505..c7ae76e 100644 --- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 +++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 @@ -1,5 +1,5 @@ ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC [org/gnome/login-screen] diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index 732cbcc..599103e 100644 --- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -2,6 +2,6 @@ # IPv6 disable {% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} -net.ipv6.conf.all.disable_ipv6 = 1 +net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 {% endif %} From 65c111177e9772f1414e43107a2b0fc100e47bfc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 18:56:05 +0100 Subject: [PATCH 036/136] tidy up spacing Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f044df5..350509c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -36,7 +36,6 @@ repos: args: ['--baseline', '.config/.secrets.baseline'] exclude: package.lock.json - - repo: https://github.com/gitleaks/gitleaks rev: v8.17.0 hooks: From ec5217c309acfaee3f3ea5117c5d9a947da20208 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 18:58:35 +0100 Subject: [PATCH 037/136] updated secets for gitleaks Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 164 +++++++++++++++++++++++++++++++++++++- 1 file changed, 163 insertions(+), 1 deletion(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 26e9634..8f7ab01 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline 
@@ -112,6 +112,168 @@ } ], "results": { + ".config/.gitleaks-report.json": [ + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", + "is_verified": false, + "line_number": 9, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", + "is_verified": false, + "line_number": 9, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "cd6f8dc4b799af818fedddd7c83e5df8bf770555", + "is_verified": false, + "line_number": 12, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", + "is_verified": false, + "line_number": 29, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", + "is_verified": false, + "line_number": 29, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", + "is_verified": false, + "line_number": 49, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", + "is_verified": false, + "line_number": 49, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", + "is_verified": false, + "line_number": 69, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", + "is_verified": false, + 
"line_number": 69, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", + "is_verified": false, + "line_number": 89, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", + "is_verified": false, + "line_number": 89, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", + "is_verified": false, + "line_number": 109, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", + "is_verified": false, + "line_number": 109, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "cb5e191d260065309ce16cd3675837069c8734c8", + "is_verified": false, + "line_number": 132, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "976b057e0978bf8956e05b173f070cd7757c38c6", + "is_verified": false, + "line_number": 249, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "bdb4ffe72f980b517d691e83c9eb50219a63fe91", + "is_verified": false, + "line_number": 252, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "95f603d65dd6aec15f75185df59f92e90737da49", + "is_verified": false, + "line_number": 269, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "72172e3578dc29c275e5a39bdf7a1a038bdc03c4", + "is_verified": false, + "line_number": 272, + 
"is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "08f0ac7a7bbbb1819417e5a47aa0eebbd5fe4e86", + "is_verified": false, + "line_number": 289, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "23fdd48a76e5b32e85c6698062f1489d6fbac450", + "is_verified": false, + "line_number": 309, + "is_secret": false + } + ], "defaults/main.yml": [ { "type": "Secret Keyword", @@ -166,5 +328,5 @@ } ] }, - "generated_at": "2023-08-07T15:38:18Z" + "generated_at": "2023-08-08T17:57:54Z" } From 08bbc99903111a148f4909363c6e001c570947a6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 19:02:11 +0100 Subject: [PATCH 038/136] tidy up spacing Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 2 +- templates/etc/cron.d/aide.cron.j2 | 4 ++-- templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 350509c..00725c6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -40,7 +40,7 @@ repos: rev: v8.17.0 hooks: - id: gitleaks - args: ['--baseline-path','.config/.gitleaks-report.json'] + args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint rev: v6.17.2 diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 index 21270eb..db93323 100644 --- a/templates/etc/cron.d/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 @@ -1,6 +1,6 @@ -# Run AIDE integrity check +# Run AIDE integrity check ## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline +# Added as part of ansible-lockdown CIS baseline # provided by MindPointGroup LLC ### YOUR CHANGES WILL BE LOST! # CIS 1.3.2 
diff --git a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 index e85fae9..5e63a01 100644 --- a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 @@ -18,4 +18,4 @@ net.ipv6.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_ra = 0 net.ipv6.conf.default.accept_ra = 0 {% endif %} -{% endif %} \ No newline at end of file +{% endif %} From afd4cd01ba8dc23d1cb2df3bfa08a8d5b938aeb1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 8 Aug 2023 19:31:16 +0100 Subject: [PATCH 039/136] updated lable for badge Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f0f95ee..b41aa4d 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ [![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) [![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits) ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues) ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success) From d79fe8fa049e4ab88273ef8e88a358643346bef7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 09:18:57 +0100 Subject: [PATCH 040/136] updated secrets 
Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 170 ++------------------------------------ 1 file changed, 7 insertions(+), 163 deletions(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 8f7ab01..aedca92 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline 
@@ -109,171 +109,15 @@ }, { "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": "detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + ".config/.gitleaks-report.json" + ] } ], "results": { - ".config/.gitleaks-report.json": [ - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", - "is_verified": false, - "line_number": 9, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", - "is_verified": false, - "line_number": 9, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "cd6f8dc4b799af818fedddd7c83e5df8bf770555", - "is_verified": false, - "line_number": 12, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", - "is_verified": false, - "line_number": 29, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", - "is_verified": false, - "line_number": 29, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", - "is_verified": false, - "line_number": 49, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", - "is_verified": false, - "line_number": 49, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", - "is_verified": false, - "line_number": 69, - 
"is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", - "is_verified": false, - "line_number": 69, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", - "is_verified": false, - "line_number": 89, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", - "is_verified": false, - "line_number": 89, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", - "is_verified": false, - "line_number": 109, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", - "is_verified": false, - "line_number": 109, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "cb5e191d260065309ce16cd3675837069c8734c8", - "is_verified": false, - "line_number": 132, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "976b057e0978bf8956e05b173f070cd7757c38c6", - "is_verified": false, - "line_number": 249, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "bdb4ffe72f980b517d691e83c9eb50219a63fe91", - "is_verified": false, - "line_number": 252, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "95f603d65dd6aec15f75185df59f92e90737da49", - "is_verified": false, - "line_number": 269, - "is_secret": false - }, - { - "type": 
"Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "72172e3578dc29c275e5a39bdf7a1a038bdc03c4", - "is_verified": false, - "line_number": 272, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "08f0ac7a7bbbb1819417e5a47aa0eebbd5fe4e86", - "is_verified": false, - "line_number": 289, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "23fdd48a76e5b32e85c6698062f1489d6fbac450", - "is_verified": false, - "line_number": 309, - "is_secret": false - } - ], "defaults/main.yml": [ { "type": "Secret Keyword", @@ -328,5 +172,5 @@ } ] }, - "generated_at": "2023-08-08T17:57:54Z" + "generated_at": "2023-08-09T08:11:03Z" } From ae640608685cbcd1d0e7dd7c6bc56c9c533c0926 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 09:19:18 +0100 Subject: [PATCH 041/136] updated secrets check Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 00725c6..97c7943 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -33,8 +33,8 @@ repos: rev: v1.4.0 hooks: - id: detect-secrets - args: ['--baseline', '.config/.secrets.baseline'] - exclude: package.lock.json + args: [ '--baseline', '.config/.secrets.baseline' ] + exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks rev: v8.17.0 From dadeeab2c76d20dadbd1a5602810687c19dcedf2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 11:47:54 +0100 Subject: [PATCH 042/136] updated comment on rule 1.2.1 Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 2501732..9d732bb 100644 --- a/tasks/section_1/cis_1.2.x.yml 
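Review bot: The detect-secrets hook's `exclude:` now replaces `package.lock.json` instead of adding to it, and pre-commit evaluates `exclude` as a Python regex against the path, so the unescaped dots match any character. If the previous exclusion is still wanted (the file is not visible here), combine and anchor both: `exclude: '^(\.config/\.gitleaks-report\.json|package\.lock\.json)$'`. The `should_exclude_file` filter added to `.secrets.baseline` in the preceding commit already covers the gitleaks report on the detect-secrets side, so this hook-level exclude is a second layer rather than the only one.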
+++ b/tasks/section_1/cis_1.2.x.yml @@ -17,7 +17,7 @@ - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail" ansible.builtin.fail: - msg: Installed GPG Keys do not meet expected values or keys installed that are not expected + msg: Installed GPG Keys do not meet expected values or expected keys are not installed when: - os_installed_pub_keys.rc == 1 or os_gpg_key_check.rc == 1 From f9fae45de3fbc5e0c3d2ebf87be0dbe985996475 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 9 Aug 2023 13:35:48 +0100 Subject: [PATCH 043/136] updated layout Signed-off-by: Mark Bolwell --- README.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index b41aa4d..fe6352d 100644 --- a/README.md +++ b/README.md @@ -186,13 +186,16 @@ uses: ## Local Testing -- ansible-base 2.10.17 - python 3.8 -- ansible-core 2.13.4 - python 3.10 -- ansible-core 2.15.1 - python 3.11 +- Ansible -makefile - this is there purely for testing and initial setup purposes. -pre-commit can be tested -Is run from with the directory + - ansible-base 2.10.17 - python 3.8 + - ansible-core 2.13.4 - python 3.10 + - ansible-core 2.15.1 - python 3.11 + +## Added Extras + +- makefile - this is there purely for testing and initial setup purposes. +- [pre-commit](https://pre-commit.com) can be tested and can be run from within the directory ```sh pre-commit run From 576c03fb78a01e18b5b43d50e895fde58510172e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 10 Aug 2023 08:23:09 +0100 Subject: [PATCH 044/136] fixed typo Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fe6352d..8d75217 100644 --- a/README.md +++ b/README.md @@ -111,7 +111,7 @@ OracleLinux 9 CentOS stream - while this will generally work it is not supported and requires the following variable setting ```sh -check_os: false +os_check: false ``` **General:** 
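Review bot: The `when:` guard fails the audit only on `rc == 1` for `os_installed_pub_keys` and `os_gpg_key_check`; if those registered results come from grep-style commands (the registering tasks are outside this hunk), an rc of 2 or higher signals a command error and is treated as a pass, so the GPG-key check silently succeeds precisely when it could not run. `- os_installed_pub_keys.rc != 0 or os_gpg_key_check.rc != 0` keeps the intent and closes that gap. Worth confirming the registering tasks use `failed_when: false`, which would make this guard the only failure path.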
From 73cf599e48417b45cca6371a42133d2090f200f4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 10 Aug 2023 08:28:43 +0100 Subject: [PATCH 045/136] removed quotes not required Signed-off-by: Mark Bolwell --- tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 277e43f..e8f72f4 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -44,14 +44,14 @@ - user_passwd - rule_5.3.4 -- name: "Ensure root password is set" +- name: Ensure root password is set block: - - name: "Ensure root password is set" + - name: Ensure root password is set ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt" changed_when: false register: root_passwd_set - - name: "Ensure root password is set" + - name: Ensure root password is set ansible.builtin.assert: that: root_passwd_set.rc == 0 fail_msg: "You have rule 5.6.6 enabled this requires that you have a root password set" From 1f00849f3c63fd3a650b73fe2d90b9b4d6776e32 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 10 Aug 2023 13:55:02 +0100 Subject: [PATCH 046/136] secrets update Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index aedca92..6edc284 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -124,7 +124,7 @@ "filename": "defaults/main.yml", "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", "is_verified": false, - "line_number": 363, + "line_number": 364, "is_secret": false }, { @@ -132,7 +132,7 @@ "filename": "defaults/main.yml", "hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", "is_verified": false, - "line_number": 374, + "line_number": 375, "is_secret": false }, { 
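Review bot: `ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt"` reports only grep's exit status, so a failing `passwd -S` looks identical to "no root password" and trips the assert with a misleading message; ansible-lint, which this repo runs through pre-commit, reports this pattern as `risky-shell-pipe`. Either prefix the command with `set -o pipefail;` and add `args: { executable: /bin/bash }`, or drop the pipe and test `root_passwd_set.stdout` in the assert. The match string also pins the hash algorithm: a root password set with another crypt method (yescrypt, for example) would presumably print a different `passwd -S` suffix and fail the rule 5.6.6 precondition even though a password is set — confirm which algorithms the role expects. The `block:` continues past the hunk, so its `when:`/`tags:` are not visible here.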
@@ -140,7 +140,7 @@ "filename": "defaults/main.yml", "hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", "is_verified": false, - "line_number": 375, + "line_number": 376, "is_secret": false } ], @@ -172,5 +172,5 @@ } ] }, - "generated_at": "2023-08-09T08:11:03Z" + "generated_at": "2023-08-10T12:54:13Z" } From 60e2ec5795c404bd59ba6b701453e0ec1ffb9605 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 10 Aug 2023 13:55:18 +0100 Subject: [PATCH 047/136] Added comment for os_check var Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index 2cc4700..f7cef1c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -8,6 +8,7 @@ container_vars_file: is_container.yml system_is_ec2: false # Run the OS validation check +# Supported OSs will not need for this to be changed - see README e.g. CentOS os_check: true rhel9cis_section1: true From 8f3150e6c9bd8741bc8a121ba1e46a25d64e400f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 08:27:34 +0100 Subject: [PATCH 048/136] #60 addressed for ipb6 Signed-off-by: Mark Bolwell --- templates/etc/sysctl.d/60-disable_ipv6.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index 599103e..bdded40 100644 --- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -1,7 +1,7 @@ ## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # IPv6 disable -{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} +{% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %} net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 {% endif %} From 04cb2e0f1d4a6692a8951f6278afc44af523ad80 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 08:44:23 +0100 Subject: [PATCH 049/136] #54 merged into new layout 
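Review bot: The added comment on `os_check` reads awkwardly ("will not need for this to be changed") and is the only place the variable is explained, so it is worth getting the wording right. Something like `# Run the OS validation check. Supported OSs do not need this changed; set to false only for unsupported derivatives such as CentOS (see README)` states both the default and the one case where an operator should flip it.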
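Review bot: Inverting the condition to `not rhel9cis_ipv6_required` is the right fix, but when the variable is true the rendered `60-disable_ipv6.conf` now contains only the two header comments, which gives an auditor nothing to tell a deliberately skipped control from a broken template. An `{% else %}` branch emitting `# IPv6 left enabled: rhel9cis_ipv6_required is true (control 3.1.1 not applied)` would make the on-host state self-describing. The variable's meaning is only implied by this hunk; if `defaults/main.yml` does not already document that `true` keeps IPv6, a one-line comment there would avoid a repeat of the original inversion.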
Signed-off-by: Mark Bolwell --- tasks/main.yml | 8 ++++---- tasks/prelim.yml | 4 ++-- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.1.3.x.yml | 2 +- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 2 +- tasks/section_1/cis_1.1.7.x.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 10 +++++----- tasks/section_6/cis_6.1.x.yml | 8 ++++---- templates/ansible_vars_goss.yml.j2 | 2 +- 11 files changed, 22 insertions(+), 22 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index e8f72f4..f13a39b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,9 +3,9 @@ - name: Check OS version and family ansible.builtin.assert: - that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==') - fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." - success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" + that: (ansible_facts.distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==') + fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." + success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}" when: - os_check - not system_is_ec2 @@ -122,7 +122,7 @@ - always - name: Include OS specific variables - ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" + ansible.builtin.include_vars: "{{ ansible_facts.distribution }}.yml" tags: - always diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 65d4be4..f26c794 100644 
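Review bot: The rewritten `that:` expression moves `ansible_distribution` to `ansible_facts.distribution` but still reads `ansible_os_family` twice, so the assert is only half migrated and will raise an undefined-variable error on a controller with `inject_facts_as_vars = false`, which is presumably what #54 is about. Use `ansible_facts.os_family` in both places. The expression `a and b or c` also parses as `(a and b) or c`, so the CentOS exclusion only guards the `RedHat` family branch; writing the grouping explicitly, e.g. `(ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat') or ansible_facts.os_family == "Rocky"`, documents that intent. The `fail_msg`/`success_msg` lines are fully migrated and fine.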
--- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -133,8 +133,8 @@ state: latest when: - rhel9cis_rule_1_2_4 - - ansible_distribution != 'RedHat' - - ansible_distribution != 'OracleLinux' + - ansible_facts.distribution != 'RedHat' + - ansible_facts.distribution != 'OracleLinux' - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" ansible.builtin.package: diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 780d7da..5df0ba9 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -33,7 +33,7 @@ state: present opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} notify: Remount tmp - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" when: diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index d873c51..4a98729 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -31,7 +31,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %} - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index f063fbd..0b043e5 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -33,7 +33,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot 
diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 1707f30..d1ae159 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -33,7 +33,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 274f668..4d7ff28 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -32,7 +32,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 7f16610..3ba95ce 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -32,7 +32,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %} - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 9d732bb..1317cc7 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
@@ -23,9 +23,9 @@ os_gpg_key_check.rc == 1 when: - rhel9cis_rule_1_2_1 - - ansible_distribution == "RedHat" or - ansible_distribution == "Rocky" or - ansible_distribution == "AlmaLinux" + - ansible_facts.distribution == "RedHat" or + ansible_facts.distribution == "Rocky" or + ansible_facts.distribution == "AlmaLinux" tags: - level1-server - level1-workstation @@ -111,8 +111,8 @@ when: - rhel9cis_rule_1_2_4 - - not rhel9cis_rhel_default_repo or ansible_distribution != 'RedHat' - - ansible_distribution != 'OracleLinux' + - not rhel9cis_rhel_default_repo or ansible_facts.distribution != 'RedHat' + - ansible_facts.distribution != 'OracleLinux' tags: - level1-server - level1-workstation diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 76f92be..1361083 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -155,7 +155,7 @@ failed_when: false check_mode: false register: rhel_09_6_1_10_audit - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" when: @@ -201,7 +201,7 @@ failed_when: false changed_when: false register: rhel_09_6_1_11_audit - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" when: @@ -260,7 +260,7 @@ failed_when: false changed_when: false register: rhel_09_6_1_13_suid_perms - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" @@ -302,7 +302,7 @@ failed_when: false changed_when: false register: rhel_09_6_1_14_sgid_perms - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e862c1d..8b21441 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 
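Review bot: The rewritten three-way `or` in the 1.2.1 `when:` list works only because the continuation lines fold into one plain scalar, which is easy to break on the next edit (a stray `- ` turns it into a separate, AND-ed list item). A single membership test, `- ansible_facts.distribution in ['RedHat', 'Rocky', 'AlmaLinux']`, says the same thing in one line and cannot be mis-folded. The same pattern appears in the 1.2.4 hunk below, where `not rhel9cis_rhel_default_repo or ansible_facts.distribution != 'RedHat'` reads as `(not a) or b`; a short comment stating which distributions the repo_gpgcheck task is meant to run on would help, given that the condition is reworked again later in this series.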
@@ -7,7 +7,7 @@ benchmark_version: '1.0.0' # Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS # If run via script this is discovered and set -host_os_distribution: {{ ansible_distribution | lower }} +host_os_distribution: {{ ansible_facts.distribution | lower }} # timeout for each command to run where set - default = 10seconds/10000ms timeout_ms: 60000 From 7c7902772fa85f21446525b22314b654bb14ad86 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 09:50:22 +0100 Subject: [PATCH 050/136] updated Signed-off-by: Mark Bolwell --- Changelog.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index e3b0e82..c807008 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,13 @@ # Changes to rhel9CIS +## 1.1.1 - Based on CIS v1.0.0 + +- thanks to @agbrowne + - [#90](https://github.com/ansible-lockdown/RHEL9-CIS/issues/90) + +- thanks to @mnasiadka + - [#54](https://github.com/ansible-lockdown/RHEL9-CIS/pull/54) + ## 1.1.0 - new workflow configuration @@ -81,7 +89,7 @@ Aligned benchmark audit version with remediate release ## 1.0.1 -Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 +Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 Will not follow ynlink in hoe directoris and amend permissions. - rhel_09_6_2_16_home_follow_symlink: false From 18e59d32f1a0236d1c174409a9ab3b9162440859 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 09:55:27 +0100 Subject: [PATCH 051/136] more ansible_facst referenced #54 Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f7cef1c..72857c0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -696,12 +696,12 @@ audit_files_url: "some url maybe s3?" # Where the goss configs and outputs are stored audit_out_dir: '/opt' audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" ## The following should not need changing goss_file: "{{ audit_conf_dir }}goss.yml" -audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml" +audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | The pre remediation results are: {{ pre_audit_summary }}. The post remediation results are: {{ post_audit_summary }}. From 3f32f9c58c0e47e970ef4ed5cd3b32b1f121470d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 12:42:30 +0100 Subject: [PATCH 052/136] updated typos Signed-off-by: Mark Bolwell --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index c807008..baddb61 100644 --- a/Changelog.md +++ b/Changelog.md @@ -90,7 +90,7 @@ Aligned benchmark audit version with remediate release ## 1.0.1 Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 -Will not follow ynlink in hoe directoris and amend permissions. +Will not follow symlink in home directoris and amend permissions. - rhel_09_6_2_16_home_follow_symlink: false From 8bd176757778312aaa1901a52cf4d4873e7007ee Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 12:46:40 +0100 Subject: [PATCH 053/136] updated typos 
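Review bot: The three rewritten paths switch `ansible_hostname` to `ansible_facts.hostname` but leave `ansible_date_time.epoch` on the injected-variable form inside the same strings, so `pre_audit_outfile` and `post_audit_outfile` still depend on `inject_facts_as_vars`. `{{ ansible_facts.date_time.epoch }}` completes the migration; `audit_vars_path` needs no further change.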
Signed-off-by: Mark Bolwell --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index baddb61..42c40d4 100644 --- a/Changelog.md +++ b/Changelog.md @@ -90,7 +90,7 @@ Aligned benchmark audit version with remediate release ## 1.0.1 Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 -Will not follow symlink in home directoris and amend permissions. +Will not follow symlink in home directories and amend permissions. - rhel_09_6_2_16_home_follow_symlink: false From 95140d32477eba538fea165d777817dc5258cb84 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 7 Sep 2023 14:19:48 +0100 Subject: [PATCH 054/136] updated due to changes Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 174 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 165 insertions(+), 9 deletions(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 6edc284..fcb806d 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline 
@@ -109,15 +109,171 @@ }, { "path": "detect_secrets.filters.heuristic.is_templated_secret" - }, - { - "path": "detect_secrets.filters.regex.should_exclude_file", - "pattern": [ - ".config/.gitleaks-report.json" - ] } ], "results": { + ".config/.gitleaks-report.json": [ + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", + "is_verified": false, + "line_number": 9, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", + "is_verified": false, + "line_number": 9, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "cd6f8dc4b799af818fedddd7c83e5df8bf770555", + "is_verified": false, + "line_number": 12, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", + "is_verified": false, + "line_number": 29, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", + "is_verified": false, + "line_number": 29, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", + "is_verified": false, + "line_number": 49, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", + "is_verified": false, + "line_number": 49, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", + "is_verified": false, + "line_number": 69, + 
"is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", + "is_verified": false, + "line_number": 69, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", + "is_verified": false, + "line_number": 89, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", + "is_verified": false, + "line_number": 89, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", + "is_verified": false, + "line_number": 109, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", + "is_verified": false, + "line_number": 109, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "cb5e191d260065309ce16cd3675837069c8734c8", + "is_verified": false, + "line_number": 132, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "976b057e0978bf8956e05b173f070cd7757c38c6", + "is_verified": false, + "line_number": 249, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "bdb4ffe72f980b517d691e83c9eb50219a63fe91", + "is_verified": false, + "line_number": 252, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "95f603d65dd6aec15f75185df59f92e90737da49", + "is_verified": false, + "line_number": 269, + "is_secret": false + }, + { + "type": 
"Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "72172e3578dc29c275e5a39bdf7a1a038bdc03c4", + "is_verified": false, + "line_number": 272, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "08f0ac7a7bbbb1819417e5a47aa0eebbd5fe4e86", + "is_verified": false, + "line_number": 289, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "23fdd48a76e5b32e85c6698062f1489d6fbac450", + "is_verified": false, + "line_number": 309, + "is_secret": false + } + ], "defaults/main.yml": [ { "type": "Secret Keyword", @@ -132,7 +288,7 @@ "filename": "defaults/main.yml", "hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", "is_verified": false, - "line_number": 375, + "line_number": 376, "is_secret": false }, { @@ -140,7 +296,7 @@ "filename": "defaults/main.yml", "hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", "is_verified": false, - "line_number": 376, + "line_number": 377, "is_secret": false } ], @@ -172,5 +328,5 @@ } ] }, - "generated_at": "2023-08-10T12:54:13Z" + "generated_at": "2023-09-07T13:18:00Z" } From 43a339c74fe6b9038f694829921090c03a692d57 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 7 Sep 2023 14:23:12 +0100 Subject: [PATCH 055/136] new var rhel9cis_rhel_default_repo Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + tasks/section_1/cis_1.2.x.yml | 4 ++-- vars/AlmaLinux.yml | 2 ++ vars/OracleLinux.yml | 2 ++ vars/RedHat.yml | 3 +++ 5 files changed, 10 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 72857c0..2ace2f9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -370,6 +370,7 @@ rhel9cis_rhnsd_required: false # 1.2.4 repo_gpgcheck rhel9cis_rhel_default_repo: true +rhel9cis_rule_enable_repogpg: true # 1.4.1 Bootloader password rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 1317cc7..fc2d992 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -111,8 +111,8 @@ when: - rhel9cis_rule_1_2_4 - - not rhel9cis_rhel_default_repo or ansible_facts.distribution != 'RedHat' - - ansible_facts.distribution != 'OracleLinux' + - rhel9cis_rule_enable_repogpg + - not rhel9cis_rhel_default_repo tags: - level1-server - level1-workstation diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index c460fb0..b0eb3d9 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -3,3 +3,5 @@ os_gpg_key_pubkey_name: gpg-pubkey-b86b3716-61e69f29 os_gpg_key_pubkey_content: "AlmaLinux OS 9 b86b3716" +# disable repo_gpgcheck due to OS default repos +rhel9cis_rule_enable_repogpg: false diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml index d916178..64927cc 100644 --- a/vars/OracleLinux.yml +++ b/vars/OracleLinux.yml @@ -2,3 +2,5 @@ # OS Specific Settings os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec os_gpg_key_pubkey_content: "Oracle Linux (release key 1) " +# disable repo_gpgcheck due to OS default repos +rhel9cis_rule_enable_repogpg: false diff --git a/vars/RedHat.yml b/vars/RedHat.yml index d33b0bc..c5833a4 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml 
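Review bot: `rhel9cis_rule_enable_repogpg` is added to `defaults/main.yml` without a comment of its own, yet the three `vars/*.yml` hunks in this commit pin it to `false` for RedHat, AlmaLinux and OracleLinux, and role `vars/` outrank both `defaults/` and inventory, so an operator cannot re-enable 1.2.4 on those distributions except through play vars or `-e`. The reworked `when:` in `cis_1.2.x.yml` now relies entirely on that pin, which also makes `rhel9cis_rhel_default_repo` irrelevant wherever a `vars/` override exists. A default such as `# 1.2.4 repo_gpgcheck - forced to false in vars/<distro>.yml where the OS default repos do not sign metadata; override with -e` plus a README line would make the precedence visible, or the per-distribution value could live in defaults keyed on `ansible_facts.distribution` so the user keeps the final say.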
@@ -3,3 +3,6 @@ os_gpg_key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) fd431d51" + +# disable repo_gpgcheck due to OS default repos +rhel9cis_rule_enable_repogpg: false From 279023d02658411e5c7d31b55bf3838954f108dd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 15:31:35 +0100 Subject: [PATCH 056/136] updated Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8d75217..22bcd92 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ ### Community -Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. +Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. ### Contributing From d64414ce9b4379a254ce74fd423b790149d51223 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Sep 2023 09:51:56 +0100 Subject: [PATCH 057/136] updated test and control Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.8.x.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 2bf9fc1..089ca28 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml 
@@ -3,18 +3,23 @@ # Skips if mount is absent - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition" block: - - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists" + ansible.builtin.shell: mount -l | grep -w /dev/shm + changed_when: false + register: rhel9cis_1_8_1_1_mount_check - - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.import_tasks: warning_facts.yml + - block: + - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + + - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" + ansible.builtin.import_tasks: warning_facts.yml + when: rhel9cis_1_8_1_1_mount_check.rc == 1 vars: warn_control_id: '1.1.8.1' - required_mount: '/dev/shm' when: - - required_mount not in mount_names - rhel9cis_rule_1_1_8_1 tags: - level1-server From 64416d59b7ec4db0c5707acf527f97835521257a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Sep 2023 09:58:01 +0100 Subject: [PATCH 058/136] updated discord link Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index a4e7d48..dba39dc 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml 
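Review bot: The new `mount -l | grep -w /dev/shm` task sets `changed_when: false` but no `failed_when`, so on exactly the host this control exists for (no /dev/shm mount) grep exits 1 and the task fails before the nested block's `rc == 1` test is ever evaluated; add `failed_when: rhel9cis_1_8_1_1_mount_check.rc > 1` to the shell task. The hunk also removes `required_mount: '/dev/shm'` from `vars:` while the debug `msg` still renders `{{ required_mount }}`, which will be undefined unless it is set elsewhere, so either restore that line or inline the path. The removed `required_mount not in mount_names` test suggests the mount list was already available from facts; `'/dev/shm' not in (ansible_facts.mounts | map(attribute='mount'))` would avoid the shell pipeline entirely and match the fact migration in #54. The enclosing block's `tags:` continue outside the hunk.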
@@ -27,7 +27,7 @@ repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. # This workflow contains a single job which tests the playbook playbook-test: From f6fd7e02d3d9d252d51ad354de86be1412f7c95e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Sep 2023 14:02:44 +0100 Subject: [PATCH 059/136] git audit binary version updated Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2ace2f9..3b8cd4a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -665,10 +665,10 @@ audit_run_script_environment: AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" ### Goss binary settings ### -audit_bin_release: v0.3.23 +audit_bin_release: v0.4.2 audit_bin_version: - AMD64_checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' - ARM64_checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e' + AMD64_checksum: 'sha256:e50e43d75c47c731f5fdff176f5abeb8aca35f17aea60f85ebc28f6110cb6945' + ARM64_checksum: 'sha256:6da14a98f12d1929ea719d4cfe96087c8e3a37b29d91b72fbe6edc7f8a580784 ' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json From 9c84884357ee423e8e17f932ac7c26b531715422 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Sep 2023 14:02:50 +0100 Subject: [PATCH 060/136] updated Signed-off-by: Mark Bolwell --- Changelog.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Changelog.md b/Changelog.md index 42c40d4..7d2352f 100644 --- a/Changelog.md +++ b/Changelog.md 
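Review bot: The new `ARM64_checksum` value carries a trailing space inside the quotes (`...a580784 '`), so any consumer that hands it to `get_url`'s `checksum:` or compares it with `sha256sum` output will reject a correctly downloaded binary. Change it to `ARM64_checksum: 'sha256:6da14a98f12d1929ea719d4cfe96087c8e3a37b29d91b72fbe6edc7f8a580784'`; yamllint's `trailing-spaces` rule does not see whitespace inside a quoted scalar. Pinning both digests alongside `audit_bin_release` is the right supply-chain control, and a comment naming where the values were taken from (the goss release checksum file) would let the next bump be verified rather than copied.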
@@ -1,5 +1,9 @@ # Changes to rhel9CIS +## 1.1.2 - Based on CIS v1.0.0 + +- updated audit binary versions - aligned with rhel9-cis-audit + ## 1.1.1 - Based on CIS v1.0.0 - thanks to @agbrowne From e202d4bd6800671ca0662b93dc682b85a9d89015 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 14:55:00 +0100 Subject: [PATCH 061/136] lint updates Signed-off-by: Mark Bolwell --- .ansible-lint | 2 -- .yamllint | 2 +- tasks/main.yml | 33 ++++++++++++++++++++++----------- tasks/section_1/cis_1.1.8.x.yml | 3 ++- 4 files changed, 25 insertions(+), 15 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 057c65e..b717f67 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,12 +6,10 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' - - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' - 'name[template]' - - 'fqcn[action]' - 'key-order[task]' - '204' - '305' diff --git a/.yamllint b/.yamllint index ec46929..65faae6 100644 --- a/.yamllint +++ b/.yamllint @@ -30,4 +30,4 @@ rules: trailing-spaces: enable truthy: allowed-values: ['true', 'false'] - check-keys: false + check-keys: true diff --git a/tasks/main.yml b/tasks/main.yml index f13a39b..e1cd780 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -127,66 +127,77 @@ - always - name: Include preliminary steps - ansible.builtin.import_tasks: prelim.yml + ansible.builtin.import_tasks: + file: prelim.yml tags: - prelim_tasks - always - name: run pre_remediation audit - ansible.builtin.include_tasks: pre_remediation_audit.yml + ansible.builtin.include_tasks: + file: pre_remediation_audit.yml when: - run_audit - name: run Section 1 tasks - ansible.builtin.import_tasks: section_1/main.yml + ansible.builtin.import_tasks: + file: section_1/main.yml when: rhel9cis_section1 tags: - rhel9cis_section1 - name: run Section 2 tasks - ansible.builtin.import_tasks: section_2/main.yml + ansible.builtin.import_tasks: + file: section_2/main.yml when: rhel9cis_section2 tags: - rhel9cis_section2 - name: run Section 3 tasks - ansible.builtin.import_tasks: section_3/main.yml + ansible.builtin.import_tasks: + file: section_3/main.yml when: rhel9cis_section3 tags: - rhel9cis_section3 - name: run Section 4 tasks - ansible.builtin.import_tasks: section_4/main.yml + ansible.builtin.import_tasks: + file: section_4/main.yml when: rhel9cis_section4 tags: - rhel9cis_section4 - name: run Section 5 tasks - ansible.builtin.import_tasks: section_5/main.yml + ansible.builtin.import_tasks: + file: section_5/main.yml when: rhel9cis_section5 tags: - rhel9cis_section5 - name: run Section 6 tasks - ansible.builtin.import_tasks: section_6/main.yml + ansible.builtin.import_tasks: + file: section_6/main.yml when: rhel9cis_section6 tags: - rhel9cis_section6 - name: run auditd logic - ansible.builtin.import_tasks: auditd.yml + ansible.builtin.import_tasks: + file: auditd.yml when: update_audit_template tags: - always - name: run post remediation tasks - ansible.builtin.import_tasks: post.yml + ansible.builtin.import_tasks: + file: post.yml tags: - post_tasks - always - name: run post_remediation audit - ansible.builtin.import_tasks: post_remediation_audit.yml + ansible.builtin.import_tasks: + file: post_remediation_audit.yml when: - run_audit 
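Review bot: The `file:` form is applied uniformly, but the hunk leaves `run pre_remediation audit` on `ansible.builtin.include_tasks` while `run post_remediation audit` uses `ansible.builtin.import_tasks` under the same `when: run_audit`; the two differ under tags (an include's children need their own tags or `always`, an import's inherit them) and in when the condition is evaluated (once versus per imported task). If the asymmetry is intentional, a comment such as `# include (not import): the audit tasks are only loaded when run_audit is true` on the pre-audit task would stop the next lint pass from "fixing" it; otherwise use the same module for both.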
diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 089ca28..441006b 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -8,7 +8,8 @@ changed_when: false register: rhel9cis_1_8_1_1_mount_check - - block: + - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition" + block: - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" From a67a484971bd41ab53bbee286fec5cce32790bae Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 14:55:55 +0100 Subject: [PATCH 062/136] import_tasks file added Signed-off-by: Mark Bolwell --- tasks/section_1/main.yml | 54 ++++++++++++++++++++++++++-------------- tasks/section_2/main.yml | 12 ++++++--- tasks/section_3/main.yml | 15 +++++++---- tasks/section_4/main.yml | 24 ++++++++++++------ tasks/section_5/main.yml | 21 ++++++++++------ tasks/section_6/main.yml | 6 +++-- 6 files changed, 88 insertions(+), 44 deletions(-) diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index d9bc3b5..ccc1e04 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
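Review bot: The name given to the inner block is byte-identical to the enclosing block's (`1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition`), so the play output shows the same task twice with nothing to tell them apart. A suffix such as `- name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | not mounted"` satisfies ansible-lint's `name[missing]` and reads correctly. The enclosing block starts and ends outside the hunk.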
@@ -1,59 +1,77 @@ --- - name: "SECTION | 1.1.1.x | Disable unused filesystems" - ansible.builtin.import_tasks: cis_1.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.1.x.yml - name: "SECTION | 1.1.2.x | Configure /tmp" - ansible.builtin.import_tasks: cis_1.1.2.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.2.x.yml - name: "SECTION | 1.1.3.x | Configure /var" - ansible.builtin.import_tasks: cis_1.1.3.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.3.x.yml - name: "SECTION | 1.1.4.x | Configure /var/tmp" - ansible.builtin.import_tasks: cis_1.1.4.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.4.x.yml - name: "SECTION | 1.1.5.x | Configure /var/log" - ansible.builtin.import_tasks: cis_1.1.5.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.5.x.yml - name: "SECTION | 1.1.6.x | Configure /var/log/audit" - ansible.builtin.import_tasks: cis_1.1.6.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.6.x.yml - name: "SECTION | 1.1.7.x | Configure /home" - ansible.builtin.import_tasks: cis_1.1.7.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.7.x.yml - name: "SECTION | 1.1.8.x | Configure /dev/shm" - ansible.builtin.import_tasks: cis_1.1.8.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.8.x.yml - name: "SECTION | 1.1.x | Disable various mounting" - ansible.builtin.import_tasks: cis_1.1.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.x.yml - name: "SECTION | 1.2 | Configure Software Updates" - ansible.builtin.import_tasks: cis_1.2.x.yml + ansible.builtin.import_tasks: + file: cis_1.2.x.yml - name: "SECTION | 1.3 | Filesystem Integrity Checking" - ansible.builtin.import_tasks: cis_1.3.x.yml + ansible.builtin.import_tasks: + file: cis_1.3.x.yml when: rhel9cis_config_aide - name: "SECTION | 1.4 | Secure Boot Settings" - ansible.builtin.import_tasks: cis_1.4.x.yml + ansible.builtin.import_tasks: + file: cis_1.4.x.yml - name: "SECTION | 1.5 | Additional Process Hardening" - ansible.builtin.import_tasks: cis_1.5.x.yml + 
ansible.builtin.import_tasks: + file: cis_1.5.x.yml - name: "SECTION | 1.6 | Mandatory Access Control" - include_tasks: cis_1.6.1.x.yml + ansible.builtin.include_tasks: + file: cis_1.6.1.x.yml when: not rhel9cis_selinux_disable - name: "SECTION | 1.7 | Command Line Warning Banners" - ansible.builtin.import_tasks: cis_1.7.x.yml + ansible.builtin.import_tasks: + file: cis_1.7.x.yml - name: "SECTION | 1.8 | Gnome Display Manager" - ansible.builtin.import_tasks: cis_1.8.x.yml + ansible.builtin.import_tasks: + file: cis_1.8.x.yml - name: "SECTION | 1.9 | Updates and Patches" - ansible.builtin.import_tasks: cis_1.9.yml + ansible.builtin.import_tasks: + file: cis_1.9.yml - name: "SECTION | 1.10 | Crypto policies" - include_tasks: cis_1.10.yml + ansible.builtin.include_tasks: + file: cis_1.10.yml when: - not system_is_ec2 diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 39b912d..3e8996a 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,13 +1,17 @@ --- - name: "SECTION | 2.1 | Time Synchronization" - ansible.builtin.import_tasks: cis_2.1.x.yml + ansible.builtin.import_tasks: + file: cis_2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" - ansible.builtin.import_tasks: cis_2.2.x.yml + ansible.builtin.import_tasks: + file: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" - ansible.builtin.import_tasks: cis_2.3.x.yml + ansible.builtin.import_tasks: + file: cis_2.3.x.yml - name: "SECTION | 2.4 | Nonessential services removed" - ansible.builtin.import_tasks: cis_2.4.yml + ansible.builtin.import_tasks: + file: cis_2.4.yml diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 535aba9..34553d7 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml 
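Review bot: Sections 1.6 (Mandatory Access Control) and 1.10 (Crypto policies) are the only entries in this file pulled in with `ansible.builtin.include_tasks` instead of `import_tasks`, and the two include tasks carry no tags. Because a dynamic include is evaluated as its own task, a run that selects tasks with `--tags` (the role's controls are tagged, e.g. `level1-server`) skips an untagged include and the SELinux and crypto-policy controls never execute, with no per-control skip reported. If the dynamic include is not needed, `ansible.builtin.import_tasks:` with `file: cis_1.6.1.x.yml` matches the rest of the file; if it is needed, add `tags: [always]` to both include tasks so their child tasks are filtered by their own tags.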
@@ -1,16 +1,21 @@ --- - name: "SECTION | 3.1.x | Disable unused network protocols and devices" - ansible.builtin.import_tasks: cis_3.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.1.x.yml - name: "SECTION | 3.2.x | Network Parameters (Host Only)" - ansible.builtin.import_tasks: cis_3.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.2.x.yml - name: "SECTION | 3.3.x | Network Parameters (host and Router)" - ansible.builtin.import_tasks: cis_3.3.x.yml + ansible.builtin.import_tasks: + file: cis_3.3.x.yml - name: "SECTION | 3.4.1.x | Firewall configuration" - ansible.builtin.import_tasks: cis_3.4.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.4.1.x.yml - name: "SECTION | 3.4.2.x | Configure firewall" - ansible.builtin.import_tasks: cis_3.4.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.4.2.x.yml diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 285a2f3..db729af 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml 
@@ -1,29 +1,37 @@ --- - name: "SECTION | 4.1 | Configure System Accounting (auditd)" - ansible.builtin.import_tasks: cis_4.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.1.x.yml when: - not system_is_container - name: "SECTION | 4.1.2 | Configure Data Retention" - ansible.builtin.import_tasks: cis_4.1.2.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.2.x.yml - name: "SECTION | 4.1.3 | Configure Auditd rules" - ansible.builtin.import_tasks: cis_4.1.3.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.3.x.yml - name: "SECTION | 4.1.4 | Configure Audit files" - ansible.builtin.import_tasks: cis_4.1.4.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.4.x.yml - name: "SECTION | 4.2 | Configure Logging" - ansible.builtin.import_tasks: cis_4.2.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' - name: "SECTION | 4.2.2 | Configure journald" - ansible.builtin.import_tasks: cis_4.2.2.x.yml + ansible.builtin.import_tasks: + file: cis_4.2.2.x.yml when: rhel9cis_syslog == 'journald' - name: "SECTION | 4.2.3 | Configure logile perms" - ansible.builtin.import_tasks: cis_4.2.3.yml + ansible.builtin.import_tasks: + file: cis_4.2.3.yml - name: "SECTION | 4.3 | Configure logrotate" - ansible.builtin.import_tasks: cis_4.3.yml + ansible.builtin.import_tasks: + file: cis_4.3.yml diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 5aed1c1..ed06b5a 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml 
@@ -3,24 +3,31 @@ # Access, Authentication, and Authorization - name: "SECTION | 5.1 | Configure time-based job schedulers" - ansible.builtin.import_tasks: cis_5.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure SSH Server" - ansible.builtin.import_tasks: cis_5.2.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.x.yml when: - "'openssh-server' in ansible_facts.packages" - name: "SECTION | 5.3 | Configure privilege escalation" - ansible.builtin.import_tasks: cis_5.3.x.yml + ansible.builtin.import_tasks: + file: cis_5.3.x.yml - name: "SECTION | 5.4 | Configure authselect" - ansible.builtin.import_tasks: cis_5.4.x.yml + ansible.builtin.import_tasks: + file: cis_5.4.x.yml - name: "SECTION | 5.5 | Configure PAM " - ansible.builtin.import_tasks: cis_5.5.x.yml + ansible.builtin.import_tasks: + file: cis_5.5.x.yml - name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters" - ansible.builtin.import_tasks: cis_5.6.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.6.1.x.yml - name: "SECTION | 5.6.x | Misc. User Account Settings" - ansible.builtin.import_tasks: cis_5.6.x.yml + ansible.builtin.import_tasks: + file: cis_5.6.x.yml diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index 35328e5..b194fdc 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -1,7 +1,9 @@ --- - name: "SECTION | 6.1 | System File Permissions" - ansible.builtin.import_tasks: cis_6.1.x.yml + ansible.builtin.import_tasks: + file: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - ansible.builtin.import_tasks: cis_6.2.x.yml + ansible.builtin.import_tasks: + file: cis_6.2.x.yml From af20f70f24c10bfa8c9ac8ba41a83fb1e51babc1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 14:57:25 +0100 Subject: [PATCH 063/136] updated test Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 52a3f3c..dad3fe9 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -26,7 +26,7 @@ - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" block: - - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" + - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available | if wlan exists" ansible.builtin.shell: rpm -q NetworkManager changed_when: false failed_when: false @@ -47,6 +47,7 @@ when: rhel_09_wifi_enabled is changed # noqa no-handler when: - rhel9cis_rule_3_1_2 + - "'wlan' in ansible_facts.interfaces" tags: - level1-server - patch From c5ed197e039738f4a630863a995940f5da812414 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:07:52 +0100 Subject: [PATCH 064/136] import_tasks file added Signed-off-by: Mark Bolwell --- site.yml | 6 +++--- tasks/auditd.yml | 3 ++- tasks/post.yml | 3 ++- tasks/section_1/cis_1.1.2.x.yml | 3 ++- tasks/section_1/cis_1.1.3.x.yml | 3 ++- tasks/section_1/cis_1.1.4.x.yml | 3 ++- tasks/section_1/cis_1.1.5.x.yml | 3 ++- tasks/section_1/cis_1.1.6.x.yml | 3 ++- tasks/section_1/cis_1.1.7.x.yml | 3 ++- tasks/section_1/cis_1.1.8.x.yml | 3 ++- tasks/section_1/cis_1.2.x.yml | 3 ++- tasks/section_1/cis_1.6.1.x.yml | 3 ++- tasks/section_2/cis_2.4.yml | 3 ++- tasks/section_3/cis_3.4.2.x.yml | 3 ++- tasks/section_4/cis_4.2.2.x.yml | 3 ++- tasks/section_4/cis_4.3.yml | 3 ++- tasks/section_5/cis_5.6.1.x.yml | 3 ++- tasks/section_6/cis_6.1.x.yml | 15 ++++++++++----- tasks/section_6/cis_6.2.x.yml | 18 ++++++++++++------ 19 files changed, 57 insertions(+), 30 deletions(-) diff --git a/site.yml b/site.yml index c56b473..16fe8c6 100644 --- a/site.yml +++ b/site.yml @@ -1,7 +1,7 @@ --- -- hosts: all # noqa: name[play] + +- name: Apply RHEL9 CIS hardening + hosts: all become: true - roles: - - role: "{{ playbook_dir }}" 
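Review bot: The new `- "'wlan' in ansible_facts.interfaces"` condition on rule 3.1.2 is a list-membership test, not a substring match: `ansible_facts.interfaces` holds names such as `wlan0` or `wlp3s0`, so the expression is only true for an interface literally named `wlan`, and the wireless-disable control will be skipped on practically every host, including those that do have Wi-Fi. A prefix match on the interface name keeps the intent and also covers predictable-name devices: `- ansible_facts.interfaces | select('match', '^wl') | list | length > 0`. The `block` this `when` belongs to starts inside the first hunk but its body and the remaining tags continue outside the second one.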
diff --git a/tasks/auditd.yml b/tasks/auditd.yml index f578657..fb761b9 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -20,7 +20,8 @@ - Restart auditd - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: 'Auditd template updated, see diff output for details' when: diff --git a/tasks/post.yml b/tasks/post.yml index 8e8fea7..ccb4181 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -46,7 +46,8 @@ - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: - change_requires_reboot - skip_reboot diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 5df0ba9..ab8c264 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.2.1' required_mount: '/tmp' diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 4a98729..8dea033 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.1.3.1' required_mount: '/var' diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 0b043e5..2d6dcb2 100644 
--- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -8,7 +8,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.1.4.1' required_mount: '/var/tmp' diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index d1ae159..2ebb828 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.1.5.1' diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 4d7ff28..b41b13d 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.1.6.1' diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 3ba95ce..4abb548 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.1.7.1' 
diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 441006b..41e2de8 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -15,7 +15,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: rhel9cis_1_8_1_1_mount_check.rc == 1 vars: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index fc2d992..6f2506f 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -73,7 +73,8 @@ - "{{ dnf_configured.stdout_lines }}" - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.2.3' when: diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index f05143c..76a30a6 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -93,7 +93,8 @@ when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 vars: warn_control_id: '1.6.1.6' diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index ce02b40..388edcc 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml 
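Review bot: The warning task in this hunk is named `1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present` although this file and the check it follows are for `/dev/shm` (the registered result is `rhel9cis_1_8_1_1_mount_check`, and the enclosing block is named `Ensure /dev/shm is a separate partition`); the `cis_1.1.7.x.yml` hunk in the same commit carries the identical `/home` wording, so the name looks copied across. Operators act on these warning labels when deciding what to fix manually, so it should read `1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Present`. The register name `rhel9cis_1_8_1_1_mount_check` also does not follow control number 1.1.8.1; it is pre-existing, but worth aligning while the file is being touched.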
@@ -25,7 +25,8 @@ - "{{ rhel9cis_2_4_sockets.stdout_lines }}" - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yamlfacts.yml vars: warn_control_id: '2.4' when: diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 16644c5..37de476 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -46,7 +46,8 @@ - not rhel9cis_nft_tables_autonewtable - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yamlfacts.yml when: - rhel9cis_3_4_2_2_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 84513b2..767fb79 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -88,7 +88,8 @@ when: "'static' not in rhel9cis_4_2_2_2_status.stdout" - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: "'static' not in rhel9cis_4_2_2_2_status.stdout" vars: warn_control_id: '4.2.2.2' diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index be17c70..7631d8b 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -39,7 +39,8 @@ loop: "{{ log_rotates.files }}" - name: "4.3 | AUDIT | Ensure logrotate is configured | Warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '4.3' when: log_rotates.matched > 0 diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 141c013..1c96511 100644 
--- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -97,7 +97,8 @@ - not rhel9cis_futurepwchgdate_autofix - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 1361083..e92eca6 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -177,7 +177,8 @@ when: rhel_09_6_1_10_unowned_files_found - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.1.10' when: rhel_09_6_1_10_unowned_files_found @@ -223,7 +224,8 @@ when: rhel_09_6_1_11_ungrouped_files_found - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.1.11' when: rhel_09_6_1_11_ungrouped_files_found @@ -279,7 +281,8 @@ when: rhel9_6_1_13_suid_found - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.1.13' when: rhel9_6_1_13_suid_found @@ -321,7 +324,8 @@ when: rhel9_6_1_14_sgid_found - name: "6.1.14 | AUDIT | Audit SGID executables| warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.1.14' when: rhel9_6_1_14_sgid_found 
@@ -362,7 +366,8 @@ The file list can be found in {{ rhel9cis_rpm_audit_file }}" - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.1.15' when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 618cadb..57deacd 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -15,7 +15,8 @@ when: shadow_passwd.stdout | length > 0 - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.2.1' when: shadow_passwd.stdout | length >= 1 @@ -59,7 +60,8 @@ when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.2.3' when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 @@ -87,7 +89,8 @@ when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 vars: warn_control_id: '6.2.4' @@ -115,7 +118,8 @@ when: rhel9cis_6_2_5_user_user_check.stdout | length >= 1 - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.2.5' when: rhel9cis_6_2_5_user_user_check.stdout_lines | length >= 1 
@@ -144,7 +148,8 @@ when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.2.6' when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 @@ -173,7 +178,8 @@ when: rhel9cis_6_2_7_group_group_check.stdout is not defined - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.2.7' when: rhel9cis_6_2_7_group_group_check.stdout is not defined From e5d17f74ca435c68a587017d84b6588dcfe22f07 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:08:37 +0100 Subject: [PATCH 065/136] import_tasks file added Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index e92eca6..25b6e45 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -367,7 +367,7 @@ - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yaml vars: warn_control_id: '6.1.15' when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 From 061483f15eb128a76737659ca32e2e239a953785 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:11:24 +0100 Subject: [PATCH 066/136] updated Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 231 ++------------------------------------ 1 file changed, 9 insertions(+), 222 deletions(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index fcb806d..7707be7 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline 
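Review bot: The `6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count` task in the second hunk, and the task on the context line before it, are gated on `when: rhel9cis_6_2_7_group_group_check.stdout is not defined`, while every sibling control in this file (6.2.3 to 6.2.6) warns on `.stdout | length >= 1`. If the registering task always runs, `stdout` is always defined and this warning can never fire; if it is skipped, `stdout` is undefined and a warning is raised although no duplicates were found, so the condition looks inverted either way. Unless the registering task (outside this hunk) deliberately produces no `stdout` on success, `when: rhel9cis_6_2_7_group_group_check.stdout | length >= 1` on both tasks matches the siblings.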
@@ -75,10 +75,6 @@ { "path": "detect_secrets.filters.allowlist.is_line_allowlisted" }, - { - "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".config/.secrets.baseline" - }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", "min_level": 2 
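Review bot: Dropping the `is_baseline_file` filter removes the exemption of `.config/.secrets.baseline` from its own scan; `results` is empty after this series, but the next finding recorded here adds a 40-hex-character `hashed_secret` value that can itself be reported as a high-entropy string on a later scan. The filter is what `detect-secrets scan --baseline .config/.secrets.baseline` writes by default, and its disappearance suggests the file was regenerated without `--baseline`; restoring `{"path": "detect_secrets.filters.common.is_baseline_file", "filename": ".config/.secrets.baseline"}` costs nothing.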
@@ -109,224 +105,15 @@ }, { "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": "detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + ".config/.gitleaks-report.json", + "tasks/parse_etc_password.yml" + ] } ], - "results": { - ".config/.gitleaks-report.json": [ - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", - "is_verified": false, - "line_number": 9, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", - "is_verified": false, - "line_number": 9, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "cd6f8dc4b799af818fedddd7c83e5df8bf770555", - "is_verified": false, - "line_number": 12, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", - "is_verified": false, - "line_number": 29, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", - "is_verified": false, - "line_number": 29, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", - "is_verified": false, - "line_number": 49, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", - "is_verified": false, - "line_number": 49, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", - "is_verified": 
false, - "line_number": 69, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", - "is_verified": false, - "line_number": 69, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", - "is_verified": false, - "line_number": 89, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", - "is_verified": false, - "line_number": 89, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", - "is_verified": false, - "line_number": 109, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", - "is_verified": false, - "line_number": 109, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "cb5e191d260065309ce16cd3675837069c8734c8", - "is_verified": false, - "line_number": 132, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "976b057e0978bf8956e05b173f070cd7757c38c6", - "is_verified": false, - "line_number": 249, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "bdb4ffe72f980b517d691e83c9eb50219a63fe91", - "is_verified": false, - "line_number": 252, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "95f603d65dd6aec15f75185df59f92e90737da49", - "is_verified": false, - "line_number": 269, - 
"is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "72172e3578dc29c275e5a39bdf7a1a038bdc03c4", - "is_verified": false, - "line_number": 272, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "08f0ac7a7bbbb1819417e5a47aa0eebbd5fe4e86", - "is_verified": false, - "line_number": 289, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "23fdd48a76e5b32e85c6698062f1489d6fbac450", - "is_verified": false, - "line_number": 309, - "is_secret": false - } - ], - "defaults/main.yml": [ - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", - "is_verified": false, - "line_number": 364, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", - "is_verified": false, - "line_number": 376, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", - "is_verified": false, - "line_number": 377, - "is_secret": false - } - ], - "tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb", - "is_verified": false, - "line_number": 38, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 110, - "is_secret": false - } - ], - "tasks/parse_etc_password.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/parse_etc_password.yml", - "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "is_verified": false, - "line_number": 18 - } - ] - }, - "generated_at": 
"2023-09-07T13:18:00Z" + "results": {}, + "generated_at": "2023-09-21T14:11:05Z" } From 580ee762eea482444d91d8ac7372f58ec38c68cb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:35:35 +0100 Subject: [PATCH 067/136] fix filename Signed-off-by: Mark Bolwell --- tasks/post.yml | 2 +- tasks/section_1/cis_1.1.3.x.yml | 2 +- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 2 +- tasks/section_1/cis_1.1.7.x.yml | 2 +- tasks/section_1/cis_1.1.8.x.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 2 +- tasks/section_1/cis_1.6.1.x.yml | 2 +- tasks/section_2/cis_2.4.yml | 2 +- tasks/section_3/cis_3.4.2.x.yml | 2 +- tasks/section_4/cis_4.2.2.x.yml | 2 +- tasks/section_4/cis_4.3.yml | 2 +- tasks/section_5/cis_5.6.1.x.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 10 +++++----- tasks/section_6/cis_6.2.x.yml | 12 ++++++------ 16 files changed, 25 insertions(+), 25 deletions(-) diff --git a/tasks/post.yml b/tasks/post.yml index ccb4181..1888940 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -47,7 +47,7 @@ - name: "POST | Warning a reboot required but skip option set | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: - change_requires_reboot - skip_reboot diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 8dea033..4ff1ccb 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -8,7 +8,7 @@ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.1.3.1' required_mount: '/var' diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 2d6dcb2..713dba6 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml 
@@ -9,7 +9,7 @@ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.1.4.1' required_mount: '/var/tmp' diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 2ebb828..ac8b827 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -8,7 +8,7 @@ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.1.5.1' diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index b41b13d..5a7c8f4 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -8,7 +8,7 @@ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.1.6.1' diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 4abb548..ee922b3 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -8,7 +8,7 @@ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.1.7.1' diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 41e2de8..6a50de8 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -16,7 +16,7 @@ - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: rhel9cis_1_8_1_1_mount_check.rc == 1 vars: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 6f2506f..fc0bf27 100644 
--- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -74,7 +74,7 @@ - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.2.3' when: diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 76a30a6..724fd29 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -94,7 +94,7 @@ - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 vars: warn_control_id: '1.6.1.6' diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 388edcc..ac56312 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -26,7 +26,7 @@ - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count" ansible.builtin.import_tasks: - file: warning_facts.yamlfacts.yml + file: warning_facts.yml vars: warn_control_id: '2.4' when: diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 37de476..73d85f4 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -47,7 +47,7 @@ - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" ansible.builtin.import_tasks: - file: warning_facts.yamlfacts.yml + file: warning_facts.yml when: - rhel9cis_3_4_2_2_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 767fb79..cf4b011 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml 
@@ -89,7 +89,7 @@ - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: "'static' not in rhel9cis_4_2_2_2_status.stdout" vars: warn_control_id: '4.2.2.2' diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 7631d8b..7da565e 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -40,7 +40,7 @@ - name: "4.3 | AUDIT | Ensure logrotate is configured | Warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '4.3' when: log_rotates.matched > 0 diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 1c96511..3d59a16 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -98,7 +98,7 @@ - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 25b6e45..c6a8375 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -178,7 +178,7 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.1.10' when: rhel_09_6_1_10_unowned_files_found @@ -225,7 +225,7 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.1.11' when: rhel_09_6_1_11_ungrouped_files_found 
@@ -282,7 +282,7 @@ - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.1.13' when: rhel9_6_1_13_suid_found @@ -325,7 +325,7 @@ - name: "6.1.14 | AUDIT | Audit SGID executables| warning" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.1.14' when: rhel9_6_1_14_sgid_found @@ -367,7 +367,7 @@ - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.1.15' when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 57deacd..2f3141b 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -16,7 +16,7 @@ - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.2.1' when: shadow_passwd.stdout | length >= 1 @@ -61,7 +61,7 @@ - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.2.3' when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 @@ -90,7 +90,7 @@ - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 vars: warn_control_id: '6.2.4' 
@@ -119,7 +119,7 @@ - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.2.5' when: rhel9cis_6_2_5_user_user_check.stdout_lines | length >= 1 @@ -149,7 +149,7 @@ - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.2.6' when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 @@ -179,7 +179,7 @@ - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.2.7' when: rhel9cis_6_2_7_group_group_check.stdout is not defined From 11071a66ab242ee9ec317bd65791f23b3d04814f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:36:05 +0100 Subject: [PATCH 068/136] added pragma allowed Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- tasks/main.yml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3b8cd4a..3fe96c1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -361,7 +361,7 @@ rhel9cis_allow_autofs: false # DO NOT USE PLAIN TEXT PASSWORDS!!!!! # The intent here is to use a password utility like Ansible Vault here rhel9cis_rh_sub_user: user -rhel9cis_rh_sub_password: password +rhel9cis_rh_sub_password: password # pragma: allowlist secret # 1.2.2 # Do you require rhnsd 
@@ -373,8 +373,8 @@ rhel9cis_rhel_default_repo: true rhel9cis_rule_enable_repogpg: true # 1.4.1 Bootloader password -rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' -rhel9cis_bootloader_password: random +rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' # pragma: allowlist secret +rhel9cis_bootloader_password: random # pragma: allowlist secret rhel9cis_set_boot_pass: true # 1.8 Gnome Desktop diff --git a/tasks/main.yml b/tasks/main.yml index e1cd780..60f4fbc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -35,7 +35,7 @@ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" vars: - sudo_password_rule: rhel9cis_rule_5_3_4 + sudo_password_rule: rhel9cis_rule_5_3_4 # pragma: allowlist secret when: - rhel9cis_rule_5_3_4 - ansible_env.SUDO_USER is defined 
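Review bot: The `# pragma: allowlist secret` added to `sudo_password_rule: rhel9cis_rule_5_3_4` in the tasks/main.yml hunk suppresses a scanner hit on a value that is the name of a rule toggle, not a credential, so the pragma only records a false positive. Renaming the variable (for example `sudo_passwd_rule`, with its one use in `fail_msg`) removes the trigger instead of adding a suppression that readers learn to skip over; the same consideration appears to apply to `rhel9cis_bootloader_password: random` in the defaults/main.yml hunk above, where `random` looks like a mode selector rather than a secret. The assert task that owns these `vars:` starts outside the hunk.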
@@ -107,7 +107,7 @@ - name: Check rhel9cis_bootloader_password_hash variable has been changed ansible.builtin.assert: - that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' + that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" when: - rhel9cis_set_boot_pass From 35dfa8770a3ca0b481055bd3fa64b243d5b5a346 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:45:49 +0100 Subject: [PATCH 069/136] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 7d2352f..2185343 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,6 +3,8 @@ ## 1.1.2 - Based on CIS v1.0.0 - updated audit binary versions - aligned with rhel9-cis-audit +- lint updates +- .secrets updated ## 1.1.1 - Based on CIS v1.0.0 From e82b2cefacb6e721565d497acb0b467a59fb115a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 16:25:59 +0100 Subject: [PATCH 070/136] quoted file mode 
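Review bot: The changed assert still only rejects the literal `grub.pbkdf2.sha512.changethispassword`, while the value this same commit annotates in defaults/main.yml (the @@ -373 hunk above) is a different, complete PBKDF2 hash, so a run that never overrides `rhel9cis_bootloader_password_hash` passes a check whose name says the variable "has been changed". With `rhel9cis_set_boot_pass: true` as the shipped default and the 1.4.x task writing `GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}`, every host left on defaults ends up with that one shared bootloader hash. If the shipped hash is meant as a placeholder, the simplest fix is to make the default the sentinel the assert already looks for, `rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret`; otherwise the assert should also compare against the shipped default. The task's `when:` list continues outside the hunk.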
Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 4 ++-- tasks/auditd.yml | 4 ++-- tasks/post.yml | 2 +- tasks/post_remediation_audit.yml | 2 +- tasks/pre_remediation_audit.yml | 2 +- tasks/prelim.yml | 2 +- tasks/section_1/cis_1.1.1.x.yml | 8 ++++---- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.1.x.yml | 4 ++-- tasks/section_1/cis_1.4.x.yml | 2 +- tasks/section_1/cis_1.7.x.yml | 12 ++++++------ tasks/section_1/cis_1.8.x.yml | 24 ++++++++++++------------ tasks/section_2/cis_2.1.x.yml | 4 ++-- tasks/section_3/cis_3.1.x.yml | 2 +- tasks/section_4/cis_4.1.4.x.yml | 6 +++--- tasks/section_4/cis_4.2.3.yml | 2 +- tasks/section_5/cis_5.1.x.yml | 16 ++++++++-------- tasks/section_5/cis_5.2.x.yml | 6 +++--- tasks/section_5/cis_5.6.x.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 20 ++++++++++---------- 20 files changed, 63 insertions(+), 63 deletions(-) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 29f8960..7a7fb0d 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -19,7 +19,7 @@ owner: root group: root checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" - mode: 0555 + mode: '0555' when: - get_audit_binary_method == 'download' @@ -27,7 +27,7 @@ ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" - mode: 0555 + mode: '0555' owner: root group: root when: diff --git a/tasks/auditd.yml b/tasks/auditd.yml index fb761b9..62f2794 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -11,7 +11,7 @@ dest: /etc/audit/rules.d/99_auditd.rules owner: root group: root - mode: 0640 + mode: '0640' diff: "{{ rhel9cis_auditd_file.stat.exists }}" # Only run diff if not a new file register: rhel9cis_auditd_template_updated notify: @@ -39,7 +39,7 @@ dest: /etc/audit/rules.d/98_auditd_exceptions.rules owner: root group: root - mode: 0640 + mode: '0640' diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}" notify: Restart auditd when: 
diff --git a/tasks/post.yml b/tasks/post.yml index 1888940..3f1f706 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -13,7 +13,7 @@ dest: "/etc/sysctl.d/{{ item }}" owner: root group: root - mode: 0600 + mode: '0600' register: sysctl_updated notify: Reload sysctl loop: diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index f0a7664..a5dc34b 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -11,7 +11,7 @@ - name: Post Audit | ensure audit files readable by users ansible.builtin.file: path: "{{ item }}" - mode: 0644 + mode: '0644' state: file loop: - "{{ post_audit_outfile }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 711f59b..35ada1f 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -69,7 +69,7 @@ ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" - mode: 0600 + mode: '0600' when: - run_audit tags: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f26c794..a564a29 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -191,7 +191,7 @@ path: "{{ rhel9_cis_sshd_config_file }}" owner: root group: root - mode: 0600 + mode: '0600' state: touch when: - rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config' diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 7a88f6f..263fc50 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -8,7 +8,7 @@ regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: true - mode: 0600 + mode: '0600' - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -16,7 +16,7 @@ regexp: "^(#)?blacklist squashfs(\\s|$)" line: "blacklist squashfs" create: true - mode: 0600 + mode: '0600' - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" community.general.modprobe: 
@@ -41,7 +41,7 @@ regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" create: true - mode: 0600 + mode: '0600' - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -49,7 +49,7 @@ regexp: "^(#)?blacklist udf(\\s|$)" line: "blacklist udf" create: true - mode: 0600 + mode: '0600' - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" community.general.modprobe: diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index ab8c264..10d6d2d 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -63,7 +63,7 @@ dest: /etc/systemd/system/tmp.mount owner: root group: root - mode: 0644 + mode: '0644' notify: Systemd restart tmp.mount when: - rhel9cis_tmp_svc diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index bf76b5c..c6cde83 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -10,7 +10,7 @@ create: true owner: root group: root - mode: 0600 + mode: '0600' - name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config" community.general.modprobe: @@ -24,7 +24,7 @@ regexp: "^(#)?blacklist usb-storage(\\s|$)" line: "blacklist usb-storage" create: true - mode: 0600 + mode: '0600' when: - rhel9cis_rule_1_1_9 tags: diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index ec27fa6..dd8d83f 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -6,7 +6,7 @@ content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy owner: root group: root - mode: 0600 + mode: '0600' notify: Grub2cfg when: - rhel9cis_set_boot_pass diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 1c20dca..883b35b 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml 
@@ -6,7 +6,7 @@ dest: /etc/motd owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_1 tags: @@ -22,7 +22,7 @@ dest: /etc/issue owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_2 tags: @@ -37,7 +37,7 @@ dest: /etc/issue.net owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_3 tags: @@ -52,7 +52,7 @@ path: /etc/motd owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_4 tags: @@ -67,7 +67,7 @@ path: /etc/issue owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_5 tags: @@ -82,7 +82,7 @@ path: /etc/issue.net owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_6 tags: diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 4f6922f..20e56c4 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -25,7 +25,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf loop: - { regexp: 'user-db', line: 'user-db:user' } @@ -38,7 +38,7 @@ dest: /etc/dconf/db/gdm.d/01-banner-message owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf when: - rhel9cis_rule_1_8_2 @@ -59,7 +59,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf loop: - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } @@ -87,7 +87,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' loop: - { regexp: '^user-db', line: 'user-db: user' } - { regexp: '^system-db', line: 'system-db: local' } @@ -97,7 +97,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" owner: root group: root - mode: 0755 + mode: '0755' state: directory - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make conf file" 
@@ -125,7 +125,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: 0755 + mode: '0755' state: directory - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file" @@ -134,7 +134,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf when: - rhel9cis_rule_1_8_5 @@ -171,7 +171,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: 0755 + mode: '0755' state: directory - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file" @@ -180,7 +180,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-automount_lock" owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf when: - rhel9cis_rule_1_8_7 @@ -199,7 +199,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" owner: root group: root - mode: 0755 + mode: '0755' state: directory - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file" @@ -227,7 +227,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: 0755 + mode: '0755' state: directory - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lockfile" @@ -236,7 +236,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock" owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf when: - rhel9cis_rule_1_8_9 diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 43cc226..3312843 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -21,7 +21,7 @@ dest: /etc/chrony.conf owner: root group: root - mode: 0644 + mode: '0644' - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" ansible.builtin.lineinfile: 
@@ -29,7 +29,7 @@ regexp: "^(#)?OPTIONS" line: "OPTIONS=\"-u chrony\"" create: true - mode: 0644 + mode: '0644' when: - rhel9cis_rule_2_1_2 - not system_is_container diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index dad3fe9..2a13574 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -73,7 +73,7 @@ regexp: "^(#)?blacklist tipc(\\s|$)" line: "blacklist tipc" create: true - mode: 0600 + mode: '0600' when: - rhel9cis_rule_3_1_3 tags: diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index ec3eebd..60b4e9b 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -50,7 +50,7 @@ ansible.builtin.file: path: "{{ audit_discovered_logfile.stdout | dirname }}" state: directory - mode: 0750 + mode: '0750' when: not auditlog_dir.stat.mode is match('07(0|5)0') when: - rhel9cis_rule_4_1_4_4 @@ -64,7 +64,7 @@ - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" ansible.builtin.file: path: "{{ item.path }}" - mode: 0640 + mode: '0640' loop: "{{ auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" @@ -127,7 +127,7 @@ - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" ansible.builtin.file: path: "{{ item.item }}" - mode: 0750 + mode: '0750' loop: "{{ audit_bins.results }}" loop_control: diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index a391254..2f2a8a4 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -12,7 +12,7 @@ - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions" ansible.builtin.file: path: "{{ item.path }}" - mode: 0640 + mode: '0640' loop: "{{ logfiles.files }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index f897c6c..ce8bb58 100644 --- a/tasks/section_5/cis_5.1.x.yml 
+++ b/tasks/section_5/cis_5.1.x.yml @@ -18,7 +18,7 @@ path: /etc/crontab owner: root group: root - mode: 0600 + mode: '0600' when: - rhel9cis_rule_5_1_2 tags: @@ -34,7 +34,7 @@ state: directory owner: root group: root - mode: 0700 + mode: '0700' when: - rhel9cis_rule_5_1_3 tags: @@ -50,7 +50,7 @@ state: directory owner: root group: root - mode: 0700 + mode: '0700' when: - rhel9cis_rule_5_1_4 tags: @@ -66,7 +66,7 @@ state: directory owner: root group: root - mode: 0700 + mode: '0700' when: - rhel9cis_rule_5_1_5 tags: @@ -81,7 +81,7 @@ state: directory owner: root group: root - mode: 0700 + mode: '0700' when: - rhel9cis_rule_5_1_6 tags: @@ -96,7 +96,7 @@ state: directory owner: root group: root - mode: 0700 + mode: '0700' when: - rhel9cis_rule_5_1_7 tags: @@ -124,7 +124,7 @@ state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: 0600 + mode: '0600' when: - rhel9cis_rule_5_1_8 tags: @@ -152,7 +152,7 @@ state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: 0600 + mode: '0600' when: - rhel9cis_rule_5_1_9 tags: diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 9054afd..5451cff 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -5,7 +5,7 @@ path: "/etc/ssh/sshd_config" owner: root group: root - mode: 0600 + mode: '0600' when: - rhel9cis_rule_5_2_1 tags: @@ -31,7 +31,7 @@ path: "{{ item.path }}" owner: root group: root - mode: 0600 + mode: '0600' loop: "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}" loop_control: label: "{{ item.path }}" @@ -60,7 +60,7 @@ path: "{{ item.path }}" owner: root group: root - mode: 0644 + mode: '0644' loop: "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 7379f3f..a529290 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml 
@@ -50,7 +50,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: 0644 + mode: '0644' block: | TMOUT={{ rhel9cis_shell_session_timeout.timeout }} export TMOUT diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index c6a8375..4cc5cbd 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -5,7 +5,7 @@ path: /etc/passwd owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_6_1_1 tags: @@ -20,7 +20,7 @@ path: /etc/passwd- owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_6_1_2 tags: @@ -32,10 +32,10 @@ - name: "6.1.3 | PATCH | Ensure permissions on /etc/group are configured" ansible.builtin.file: - path: /etc/group- + path: /etc/group owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_6_1_3 tags: @@ -50,7 +50,7 @@ path: /etc/group- owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_6_1_4 tags: @@ -65,7 +65,7 @@ path: /etc/shadow owner: root group: root - mode: 0000 + mode: '0000' when: - rhel9cis_rule_6_1_5 tags: @@ -80,7 +80,7 @@ path: /etc/shadow- owner: root group: root - mode: 0000 + mode: '0000' when: - rhel9cis_rule_6_1_6 tags: @@ -95,7 +95,7 @@ path: /etc/gshadow owner: root group: root - mode: 0000 + mode: '0000' when: - rhel9cis_rule_6_1_7 tags: @@ -110,7 +110,7 @@ path: /etc/gshadow- owner: root group: root - mode: 0000 + mode: '0000' when: - rhel9cis_rule_6_1_8 tags: @@ -357,7 +357,7 @@ content: "{{ rhel9cis_6_1_15_packages_rpm.stdout }}" owner: root group: root - mode: 0640 + mode: '0640' - name: "6.1.15 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" ansible.builtin.debug: From 076c02ea92058309bcf91e76a27cd4263fde5cb3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 16:26:28 +0100 Subject: [PATCH 071/136] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/Changelog.md b/Changelog.md index 2185343..77c96c0 100644 --- a/Changelog.md +++ b/Changelog.md @@ -5,6 +5,7 @@ - updated audit binary versions - aligned with rhel9-cis-audit - lint updates - .secrets updated +- file mode quoted ## 1.1.1 - Based on CIS v1.0.0 From 729fac35805154823053088317e4a7edbdd729e9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 22 Sep 2023 08:44:43 +0100 Subject: [PATCH 072/136] updated 5.6.5 Signed-off-by: Mark Bolwell --- Changelog.md | 1 + tasks/section_5/cis_5.6.x.yml | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Changelog.md b/Changelog.md index 77c96c0..3b4f9e9 100644 --- a/Changelog.md +++ b/Changelog.md @@ -6,6 +6,7 @@ - lint updates - .secrets updated - file mode quoted +- updated 5.6.5 thansk to feedback from S!ghs on discord community ## 1.1.1 - Based on CIS v1.0.0 diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index a529290..e5565b4 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -83,10 +83,10 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings" - ansible.builtin.lineinfile: + ansible.builtin.replace: path: "{{ item.path }}" - regexp: '(?i)(umask\s*)' - line: '{{ item.line }} 027' + regexp: (?i)(umask\s+\d\d\d) + replace: '{{ item.line }} 027' with_items: - { path: '/etc/bashrc', line: 'umask' } - { path: '/etc/profile', line: 'umask' } From c4714f58074a27f30bdc2e413db4018ffd9c53db Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 6 Oct 2023 22:02:41 +0100 Subject: [PATCH 073/136] updated collections Signed-off-by: Mark Bolwell --- collections/requirements.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/collections/requirements.yml b/collections/requirements.yml index 3f594d0..8ebc618 100644 --- a/collections/requirements.yml 
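Review bot: The new regexp `(?i)(umask\s+\d\d\d)` on the `ansible.builtin.replace` line in cis_5.6.x.yml consumes exactly three digits, so an existing four-digit entry such as `umask 0022` is rewritten to `umask 0272`, a different and far more restrictive mask than the 027 intended. Anchoring the match and consuming the whole number avoids that: `regexp: '(?i)^(\s*umask\s+)\d+'` with `replace: '\g<1>027'`. Note also that `replace` no longer appends a line when a file has no umask entry, which the previous `lineinfile` did, so a `lineinfile` fallback is still needed if that case matters. The `with_items` list may continue past the end of the hunk.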
+++ b/collections/requirements.yml @@ -1,5 +1,14 @@ --- + collections: - name: community.general + source: https://github.com/ansible-collections/community.general + type: git + - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git + - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git From 646b4decc1750334624bb3053a950352cdf27019 Mon Sep 17 00:00:00 2001 From: Bernd Grobauer Date: Thu, 12 Oct 2023 12:56:20 +0200 Subject: [PATCH 074/136] Adding missing lines to sysctl.d/50-default.conf Signed-off-by: Bernd Grobauer --- tasks/post.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tasks/post.yml b/tasks/post.yml index 3f1f706..724611d 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -26,6 +26,19 @@ - not system_is_container - "'procps-ng' in ansible_facts.packages" +- name: POST | Update usr sysctl + ansible.builtin.lineinfile: + dest: /usr/lib/sysctl.d/50-default.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + loop: + - { regexp: '^net.ipv4.conf.default.rp_filter', line: 'net.ipv4.conf.default.rp_filter = 1' } + - { regexp: '^net.ipv4.conf.*.rp_filter', line: 'net.ipv4.conf.*.rp_filter = 1' } + when: + - rhel9cis_sysctl_update + - not system_is_container + - "'procps-ng' in ansible_facts.packages" + - name: Flush handlers ansible.builtin.meta: flush_handlers From df36a1e7af3d5544562a020bea3a5d0df90d8a44 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 31 Oct 2023 15:21:19 +0000 Subject: [PATCH 075/136] updated workflow for galaxy and versions Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/main_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/update_galaxy.yml | 14 ++++++-------- 3 files changed, 24 insertions(+), 26 deletions(-) 
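Review bot: Each new `source:`/`type: git` entry in collections/requirements.yml carries no `version:`, so `ansible-galaxy` pulls whatever the default branch of each GitHub repository points at when the install runs, and two runs of the role can no longer be shown to have used the same collection code. Pinning every entry to a reviewed revision, for example `version: <release tag or commit>` under `- name: community.general`, keeps the installed content reproducible and makes an upstream change a deliberate bump rather than a silent one. The bare `- name: community.general` that this hunk replaces resolved through Galaxy, where the same `version:` pin applies.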
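Review bot: The second loop item's regexp `'^net.ipv4.conf.*.rp_filter'` in the new tasks/post.yml task has an unescaped `.*`, so it also matches the `net.ipv4.conf.default.rp_filter = 1` line the first item just wrote; `lineinfile` then edits the last matching line, which is only correct while the file happens to list the `*` entry after the `default` one. Escaping the metacharacters, `regexp: '^net\.ipv4\.conf\.\*\.rp_filter'` (and `'^net\.ipv4\.conf\.default\.rp_filter'` for the first item), makes each item target its own line. Separately, `/usr/lib/sysctl.d/50-default.conf` is vendor-owned and is replaced on package update, whereas the sysctl task earlier in this file writes under `/etc/sysctl.d/`, which is where a persistent override belongs.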
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index dba39dc..9fbe7aa 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -29,7 +29,7 @@ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -44,13 +44,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -74,7 +74,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -82,7 +82,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} 
@@ -90,7 +90,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -111,9 +111,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 0b149fb..67ee9d9 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -18,7 +18,7 @@ # that can run sequentially or in parallel jobs: - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -33,13 +33,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -63,7 +63,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} 
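Review bot: `run: sleep ${{ vars.BUILD_SLEEPTIME }}` expands the repository variable straight into the shell script while the step is still named `Sleep for 60 seconds`; if the variable is unset the step runs a bare `sleep` and fails with a missing-operand error, and a non-numeric value is interpreted by the shell rather than rejected. Pass it through the environment so the shell only ever sees a quoted string, `env:` / `  BUILD_SLEEPTIME: ${{ vars.BUILD_SLEEPTIME }}` / `run: sleep "${BUILD_SLEEPTIME:-60}"` (the default keeps the previous behaviour when the variable is missing), and rename the step to reflect that the duration is configurable. The same two lines appear in the main_pipeline_validation.yml `@@ -100,9 +100,9 @@` hunk below. `# Run the Ansibleplaybook` in both hunks is missing a space.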
@@ -71,7 +71,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -79,7 +79,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -100,9 +100,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 951a53c..f935280 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,11 +1,7 @@ --- -# This is a basic workflow to help you get started with Actions - name: update galaxy -# Controls when the action will run. -# Triggers the workflow on merge request events to the main branch on: push: branches: @@ -14,8 +10,10 @@ jobs: update_role: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: robertdebock/galaxy-action@master + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} - git_branch: main + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} From c6a51ad38a1d4c77075ffe8788f0ba171314aea1 Mon Sep 17 00:00:00 2001 From: "root@DERVISHx" Date: Fri, 10 Nov 2023 15:28:12 +0000 Subject: [PATCH 076/136] Adding new entry in /etc/pam.d/system-auth 
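Review bot: `uses: ansible-actions/ansible-galaxy-action@main` pins a third-party action to a moving branch while handing it `secrets.GALAXY_API_KEY`, so any future commit to that branch runs in this workflow with the publishing key. The replaced `robertdebock/galaxy-action@master` had the same weakness, so the commit does not make things worse, but this is the moment to fix it: pin to an immutable ref, `uses: ansible-actions/ansible-galaxy-action@<full commit SHA> # <release tag>` (placeholder; take the SHA from a reviewed release), and let a dependency bot propose bumps. The `actions/checkout@v4` bump in the same hunk is fine.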
Signed-off-by: root@DERVISHx --- tasks/section_5/cis_5.6.x.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index e5565b4..a2c0219 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -98,6 +98,11 @@ regexp: '^USERGROUPS_ENAB' line: USERGROUPS_ENAB no + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth" + ansible.builtin.lineinfile: + path: /etc/pam.d/system-auth + line: 'session required pam_umask.so' + insertafter: EOF when: - rhel9cis_rule_5_6_5 tags: From d51efffd500b8b2969d447534a4da722be07df0e Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 13 Nov 2023 17:46:18 +0000 Subject: [PATCH 077/136] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v3.2.0 → v4.5.0](https://github.com/pre-commit/pre-commit-hooks/compare/v3.2.0...v4.5.0) - [github.com/gitleaks/gitleaks: v8.17.0 → v8.18.0](https://github.com/gitleaks/gitleaks/compare/v8.17.0...v8.18.0) - [github.com/ansible-community/ansible-lint: v6.17.2 → v6.22.0](https://github.com/ansible-community/ansible-lint/compare/v6.17.2...v6.22.0) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0) --- .pre-commit-config.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 97c7943..33fd6ed 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.2.0 + rev: v4.5.0 hooks: # Safety - id: detect-aws-credentials 
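Review bot: The new `lineinfile` task has no `regexp:`, so it only recognises the exact string `session required pam_umask.so`; a pre-existing `session optional pam_umask.so` line, or the same directive with different spacing, is left in place and a second line is appended at EOF, which is not idempotent against real system-auth files. Add `regexp: '^session\s+\S+\s+pam_umask\.so'` above `line:` so an existing pam_umask entry is rewritten instead of duplicated. On RHEL 9 `/etc/pam.d/system-auth` is normally an authselect-managed file (a symlink into `/etc/authselect/`), so a direct edit may be reverted by the next `authselect apply-changes`; if that applies here, the umask line belongs in a custom authselect profile — worth confirming against the role's other PAM tasks, which are outside this hunk.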
@@ -37,13 +37,13 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.17.0 + rev: v8.18.0 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.17.2 + rev: v6.22.0 hooks: - id: ansible-lint name: Ansible-lint @@ -62,6 +62,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.32.0 # or higher tag + rev: v1.33.0 # or higher tag hooks: - id: yamllint From 7d64ebbca03fb3c3e4f4e5947770bba2bbee4c3a Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 20 Nov 2023 17:35:48 +0000 Subject: [PATCH 078/136] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](https://github.com/gitleaks/gitleaks/compare/v8.18.0...v8.18.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 33fd6ed..68f44f0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,7 +37,7 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.0 + rev: v8.18.1 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From 8784941179651c0dffb5cac8453a1e1a7b676202 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 09:48:49 +0000 Subject: [PATCH 079/136] audit variables seperated Signed-off-by: Mark Bolwell --- defaults/main.yml | 89 +++++++++++++++++--------------------------- tasks/audit_only.yml | 30 +++++++++++++++ 2 files changed, 65 insertions(+), 54 deletions(-) create mode 100644 tasks/audit_only.yml diff --git a/defaults/main.yml b/defaults/main.yml index 3fe96c1..0bc0137 100644 --- a/defaults/main.yml 
+++ b/defaults/main.yml 
@@ -45,28 +45,53 @@ skip_reboot: true # default value will change to true but wont reboot if not enabled but will error change_requires_reboot: false -#### Basic external goss audit enablement settings #### -#### Precise details - per setting can be found at the bottom of this file #### +########################################## +### Goss is required on the remote host ### +## Refer to vars/auditd.yml for any other settings ## -### Goss is required on the remote host +# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false -# How to retrive goss + +# enable audits to run - this runs the audit and get the latest content +run_audit: false + +# Only run Audit do not remediate +audit_only: false +# As part of audit_only +# This will enable files to be copied back to control node +fetch_audit_files: false +# Path to copy the files to will create dir structure +audit_capture_files_dir: /some/location to copy to on control node + +# How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded get_audit_binary_method: download +## if get_audit_binary_method - copy the following needs to be updated for your environment +## it is expected that it will be copied from somewhere accessible to the control node +## e.g copy from ansible control node to remote host +audit_bin_copy_location: /some/accessible/path + # how to get audit files onto host options -# options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly) +# options are git/copy/get_url other e.g. 
if you wish to run from already downloaded conf audit_content: git -# enable audits to run - this runs the audit and get the latest content -run_audit: false +# archive or copy: +audit_conf_copy: "some path to copy from" -# Timeout for those cmds that take longer to run where timeout set -audit_cmd_timeout: 60000 +# get_url: +audit_files_url: "some url maybe s3?" + +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true + +# This variable specifies the timeout (in ms) for audit commands that +# take a very long time: if a command takes too long to complete, +# it will be forcefully terminated after the specified duration. +audit_cmd_timeout: 120000 ### End Goss enablements #### -#### Detailed settings found at the end of this document #### # These variables correspond with the CIS rule IDs or paragraph numbers defined in # the CIS benchmark documents. 
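Review bot: `audit_capture_files_dir: /some/location to copy to on control node` is a plain scalar, so the placeholder parses as a single string containing spaces, and the `tasks/audit_only.yml` added in the next patch creates and fetches into that literal directory on the control node as soon as `fetch_audit_files` is true. Make it an obviously-placeholder path in the same shape as the neighbouring `audit_bin_copy_location`, e.g. `audit_capture_files_dir: /some/accessible/path/on/control/node`, and move the explanation into the comment above it. The `# e.g.` fragment on the `audit_content` options line is cut mid-sentence and reads as if `other` were an accepted value; naming the values the pre-remediation tasks actually test for (git, copy, archived, get_url) would be clearer.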
@@ -663,47 +688,3 @@ audit_run_script_environment: AUDIT_BIN: "{{ audit_bin }}" AUDIT_FILE: 'goss.yml' AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - -### Goss binary settings ### -audit_bin_release: v0.4.2 -audit_bin_version: - AMD64_checksum: 'sha256:e50e43d75c47c731f5fdff176f5abeb8aca35f17aea60f85ebc28f6110cb6945' - ARM64_checksum: 'sha256:6da14a98f12d1929ea719d4cfe96087c8e3a37b29d91b72fbe6edc7f8a580784 ' -audit_bin_path: /usr/local/bin/ -audit_bin: "{{ audit_bin_path }}goss" -audit_format: json - -# if get_goss_file == download change accordingly -audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_release }}/goss-linux-" - -## if get_goss_file - copy the following needs to be updated for your environment -## it is expected that it will be copied from somewhere accessible to the control node -## e.g copy from ansible control node to remote host -copy_goss_from_path: /some/accessible/path - -### Goss Audit Benchmark file ### -## managed by the control audit_content -# git -audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark_{{ benchmark_version }}" - -# copy: -audit_local_copy: "some path to copy from" - -# get_url: -audit_files_url: "some url maybe s3?" - -## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" - -## The following should not need changing -goss_file: "{{ audit_conf_dir }}goss.yml" -audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" -audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. 
- The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml new file mode 100644 index 0000000..864f5bb --- /dev/null +++ b/tasks/audit_only.yml @@ -0,0 +1,30 @@ +--- + +- name: Audit_Only | Create local Directories for hosts + ansible.builtin.file: + mode: '0755' + path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" + recurse: true + state: directory + when: fetch_audit_files + delegate_to: localhost + become: false + +- name: Audit_only | Get audits from systems and put in group dir + ansible.builtin.fetch: + dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" + flat: true + mode: '0644' + src: "{{ pre_audit_outfile }}" + when: fetch_audit_files + +- name: Audit_only | Show Audit Summary + when: + - audit_only + ansible.builtin.debug: + msg: "The Audit results are: {{ pre_audit_summary }}." + +- name: Audit_only | Stop Playbook Audit Only selected + when: + - audit_only + ansible.builtin.meta: end_play From 23a4386e953db5bf86ebeca237d2a8ee17ec3c2a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 09:49:36 +0000 Subject: [PATCH 080/136] addition of audit_only config Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 2 +- tasks/main.yml | 17 ++++++-- tasks/post_remediation_audit.yml | 22 +++++----- tasks/pre_remediation_audit.yml | 73 +++++++++++++++++--------------- vars/audit.yml | 38 +++++++++++++++++ 5 files changed, 103 insertions(+), 49 deletions(-) create mode 100644 vars/audit.yml diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 7a7fb0d..56ffbd6 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -23,7 +23,7 @@ when: - get_audit_binary_method == 'download' -- name: Pre Audit Setup | copy audit binary +- name: Pre Audit Setup | Copy audit binary ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" 
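Review bot: In `Audit_Only | Create local Directories for hosts`, `recurse: true` together with `mode: '0755'` does not help create the directory (`state: directory` already creates missing parents); what it does is chmod every existing file under `{{ audit_capture_files_dir }}/{{ inventory_hostname }}` on the control node to 0755 on every run, so previously fetched audit results become world-readable and executable. Drop the `recurse: true` line and keep `mode: '0755'` for the directory itself. `mode: '0644'` on the `fetch` task is, as far as I can tell, not a parameter that module accepts and would be rejected as an unsupported argument — please verify against the module docs; if the permissions of the fetched copies matter, set them with a separate `file` task delegated to localhost.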
diff --git a/tasks/main.yml b/tasks/main.yml index 60f4fbc..858755b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -133,11 +133,22 @@ - prelim_tasks - always -- name: run pre_remediation audit - ansible.builtin.include_tasks: - file: pre_remediation_audit.yml +- name: Include audit specific variables when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit - run_audit + ansible.builtin.include_vars: audit.yml + +- name: Include pre-remediation audit tasks + when: + - run_audit or audit_only + - setup_audit + tags: + - run_audit + ansible.builtin.import_tasks: pre_remediation_audit.yml - name: run Section 1 tasks ansible.builtin.import_tasks: diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index a5dc34b..eb01bc7 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,12 +1,12 @@ --- -- name: "Post Audit | Run post_remediation {{ benchmark }} audit" +- name: Post Audit | Run post_remediation {{ benchmark }} audit ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" + AUDIT_FILE: goss.yml - name: Post Audit | ensure audit files readable by users ansible.builtin.file: @@ -18,9 +18,11 @@ - "{{ pre_audit_outfile }}" - name: Post Audit | Capture audit data if json format + when: + - audit_format == "json" block: - - name: "capture data {{ post_audit_outfile }}" - ansible.builtin.shell: "cat {{ post_audit_outfile }}" + - name: capture data {{ post_audit_outfile }} + ansible.builtin.shell: cat {{ post_audit_outfile }} register: post_audit changed_when: false 
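Review bot: Both new tasks require `setup_audit` in their `when:` lists (the list is AND-ed), so with `run_audit: true` and `setup_audit: false` — the combination the defaults describe for hosts that already have goss installed — `vars/audit.yml` is never included and the pre-remediation audit is skipped, while `post_remediation_audit.yml` (imported outside this hunk, as far as I can see) would then reference `audit_conf_dir`, `audit_bin` and `post_audit_outfile` undefined. Gate both tasks on the audit flags only, `when: - run_audit or audit_only`, and leave `setup_audit` to `pre_remediation_audit.yml`, which already checks it before including `LE_audit_setup.yml`. The `tags: - setup_audit` on the include_vars task also reads oddly for a variables include; `run_audit` alone seems enough.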
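Review bot: The `capture data` step still spawns a shell just to read a file, `ansible.builtin.shell: cat {{ post_audit_outfile }}`, with the path unquoted and built from `ansible_facts.hostname` (per the vars/audit.yml added in this patch), so a hostname containing whitespace or shell metacharacters breaks or alters the command. `ansible.builtin.slurp` with `src: "{{ post_audit_outfile }}"` reads it without a shell; the set_fact in the following hunk then becomes `post_audit.content | b64decode | from_json | json_query(summary)` and `changed_when: false` is no longer needed. The same `cat`/`tail -2` pattern is repeated in the pre_remediation_audit.yml hunks further down.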
@@ -28,19 +30,17 @@ ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + summary: summary."summary-line" - name: Post Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - name: "Post Audit | capture data {{ post_audit_outfile }}" - ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" + - name: Post Audit | capture data {{ post_audit_outfile }} + ansible.builtin.shell: tail -2 {{ post_audit_outfile }} register: post_audit changed_when: false - name: Post Audit | Capture post-audit result ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" - when: - - audit_format == "documentation" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 35ada1f..258171a 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml 
@@ -1,56 +1,58 @@ --- -- name: Pre Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: LE_audit_setup.yml +- name: Pre Audit Setup | Setup the LE audit when: - setup_audit tags: - setup_audit + ansible.builtin.include_tasks: LE_audit_setup.yml -- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" +- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' - name: Pre Audit Setup | If using git for content set up + when: + - audit_content == 'git' block: - name: Pre Audit Setup | Install git ansible.builtin.package: name: git state: present - - name: Pre Audit Setup | retrieve audit content files from git + - name: Pre Audit Setup | Retrieve audit content files from git ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" version: "{{ audit_git_version }}" - when: - - audit_content == 'git' -- name: Pre Audit Setup | copy to audit content files to server +- name: Pre Audit Setup | Copy to audit content files to server + when: + - audit_content == 'copy' ansible.builtin.copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dest }}" mode: preserve - when: - - audit_content == 'copy' -- name: Pre Audit Setup | unarchive audit content files on server +- name: Pre Audit Setup | Unarchive audit content files on server + when: + - audit_content == 'archived' ansible.builtin.unarchive: src: "{{ audit_conf_copy }}" dest: "{{ audit_conf_dir }}" - when: - - audit_content == 'archived' -- name: Pre Audit Setup | get audit content from url +- name: Pre Audit Setup | Get audit content from url + when: + - audit_content == 'get_url' ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" - when: - - audit_content == 'get_url' - name: Pre Audit Setup | Check Goss is available + when: + - run_audit block: - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: 
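Review bot: The `Copy to audit content files to server` task still reads `src: "{{ audit_local_copy }}"` and `dest: "{{ audit_conf_dest }}"`, but the previous patch removed `audit_local_copy` from defaults/main.yml in favour of `audit_conf_copy`, and neither defaults nor the new vars/audit.yml defines `audit_conf_dest` as far as this series shows; with `audit_content: copy` the task fails on an undefined variable. Point it at the variables that now exist, `src: "{{ audit_conf_copy }}"` and `dest: "{{ audit_conf_dir }}"`, matching the unarchive task directly below it. The copy task is also the only one without a `mode:` that pins permissions on the destination; `mode: preserve` is fine if the source is trusted, otherwise `'0644'` would be safer.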
@@ -58,36 +60,36 @@ register: goss_available - name: Pre Audit Setup | If audit ensure goss is available - ansible.builtin.assert: - msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" when: - not goss_available.stat.exists - when: - - run_audit + ansible.builtin.assert: + msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit + tags: + - goss_template + - run_audit + when: + - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: '0600' - when: - - run_audit - tags: - - goss_template - - always -- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" +- name: Pre Audit | Run pre_remediation {{ benchmark }} audit ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" + AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format + when: + - audit_format == "json" block: - - name: "capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "cat {{ pre_audit_outfile }}" + - name: capture data {{ pre_audit_outfile }} + ansible.builtin.shell: cat {{ pre_audit_outfile }} register: pre_audit changed_when: false 
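Review bot: `Pre Audit Setup | If audit ensure goss is available` calls `ansible.builtin.assert` with only `msg:` and no `that:`, so when the binary is missing the task errors on a missing required argument instead of with the intended message, and when it is present the task is simply skipped. Replace the `when: - not goss_available.stat.exists` guard with `that: - goss_available.stat.exists` under `ansible.builtin.assert:` and keep `msg:`; the assertion then fails with the message naming `{{ audit_bin }}`. The move of `when:` above the module call elsewhere in the hunk is consistent with the rest of the series.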
@@ -95,19 +97,22 @@ ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + summary: summary."summary-line" - name: Pre Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" - ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" + - name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format + ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result | documentation format ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" + +- name: Audit_Only | Run Audit Only when: - - audit_format == "documentation" + - audit_only + ansible.builtin.import_tasks: audit_only.yml diff --git a/vars/audit.yml b/vars/audit.yml new file mode 100644 index 0000000..e5ca959 --- /dev/null +++ b/vars/audit.yml 
@@ -0,0 +1,38 @@ +--- + +#### Audit Configuration Settings #### + +# if get_audit_binary_method == download change accordingly +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-" + +### Goss Audit Benchmark file ### +## managed by the control audit_content +# git +audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" +audit_git_version: "benchmark-{{ benchmark_version }}" + +## Goss configuration information +# Where the goss configs and outputs are stored +audit_out_dir: '/opt' +# Where the goss audit configuration will be stored +audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" + +# If changed these can affect other products +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" + +## The following should not need changing + +### Audit binary settings ### +audit_bin_version: + release: v0.4.4 + AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5' +audit_bin_path: /usr/local/bin/ +audit_bin: "{{ audit_bin_path }}goss" +audit_format: json + +audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" +audit_results: | + The pre remediation results are: {{ pre_audit_summary }}. + The post remediation results are: {{ post_audit_summary }}. + Full breakdown can be found in {{ audit_out_dir }} From 2c152b3ae5d86bd07785af8d19f0f7635f1a7df6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 09:50:11 +0000 Subject: [PATCH 081/136] removed dupe line Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 1 - 1 file changed, 1 deletion(-) 
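Review bot: `audit_bin_version` carries only `AMD64_checksum`; the `ARM64_checksum` that the removed defaults/main.yml block provided is gone, so on aarch64 hosts the download driven by `audit_bin_url` in `LE_audit_setup.yml` (not visible here) will either fail on a missing key or, if the checksum lookup is optional there, fetch the goss binary from GitHub unverified — please check which. Add the release's arm64 digest as `ARM64_checksum: 'sha256:<digest from the v0.4.4 release>'` (placeholder) next to the AMD64 entry, or fail early with an explicit message on unsupported architectures. The `## The following should not need changing` heading now sits above `audit_bin_version.release`, which is exactly the value users bump; moving the heading below the binary block would avoid the contradiction.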
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 8b21441..e83dd40 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -239,7 +239,6 @@ rhel9cis_rule_4_1_4_10: {{ rhel9cis_rule_4_1_4_10 }} # 4.2.1 Configure rsyslog rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }} rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }} -rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_3 }} rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }} rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }} rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }} From 41520312e61d64f9fd65fd86b6a2d77aafd68a66 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 10:00:27 +0000 Subject: [PATCH 082/136] updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog.md b/Changelog.md index 3b4f9e9..baa0d44 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,12 @@ # Changes to rhel9CIS +## 1.1.3 - Based on CIS v1.0.0 + +- updated goss binary to 0.4.4 +- moved majority of audit variables to vars/audit.yml +- new function to enable audit_only using remediation +- removed some dupes in audit config + ## 1.1.2 - Based on CIS v1.0.0 - updated audit binary versions - aligned with rhel9-cis-audit From afd1c2ff01b7c7f4b694cd73543fc4116086fa16 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 10:11:08 +0000 Subject: [PATCH 083/136] fixed benchmark_name Signed-off-by: Mark Bolwell --- vars/audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/audit.yml b/vars/audit.yml index e5ca959..dd61b8a 100644 --- a/vars/audit.yml +++ b/vars/audit.yml 
@@ -15,7 +15,7 @@ audit_git_version: "benchmark-{{ benchmark_version }}" # Where the goss configs and outputs are stored audit_out_dir: '/opt' # Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" +audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}_Audit" # If changed these can affect other products pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" From 669f5352257f12edaf0e2cf0e622ab3f94f5c129 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 12:28:06 +0000 Subject: [PATCH 084/136] updated benchmark name Signed-off-by: Mark Bolwell --- vars/audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/audit.yml b/vars/audit.yml index dd61b8a..74a7093 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -9,7 +9,7 @@ audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_ ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark-{{ benchmark_version }}" +audit_git_version: "benchmark_{{ benchmark_version }}" ## Goss configuration information # Where the goss configs and outputs are stored From dc7da70b611f1f621c1c2ff18e2d1d3093fe839d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 12:37:09 +0000 Subject: [PATCH 085/136] fixed typo Signed-off-by: Mark Bolwell --- vars/audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/audit.yml b/vars/audit.yml index 74a7093..26e2b87 100644 --- a/vars/audit.yml +++ b/vars/audit.yml 
@@ -15,7 +15,7 @@ audit_git_version: "benchmark_{{ benchmark_version }}" # Where the goss configs and outputs are stored audit_out_dir: '/opt' # Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}_Audit" +audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" # If changed these can affect other products pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" From 8b875ad228294c8954bca1b647b401e1cb29b4b7 Mon Sep 17 00:00:00 2001 From: Marcin Dulinski Date: Wed, 22 Nov 2023 09:17:15 +0000 Subject: [PATCH 086/136] Fixed chrony configuration options Signed-off-by: Marcin Dulinski --- defaults/main.yml | 3 +++ templates/etc/chrony.conf.j2 | 22 ++++++++++++---------- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0bc0137..ff21216 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -449,6 +449,9 @@ rhel9cis_time_synchronization_servers: - 2.pool.ntp.org - 3.pool.ntp.org rhel9cis_chrony_server_options: "minpoll 8" +rhel9cis_chrony_server_rtcsync: false +rhel9cis_chrony_server_makestep: "1.0 3" +rhel9cis_chrony_server_minsources: 2 ### 2.2 Special Purposes ##### Service configuration booleans set true to keep service diff --git a/templates/etc/chrony.conf.j2 b/templates/etc/chrony.conf.j2 index 54c1b6c..a1837a9 100644 --- a/templates/etc/chrony.conf.j2 +++ b/templates/etc/chrony.conf.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## {{ ansible_managed }} # This the default chrony.conf file for the Debian chrony package. After # editing this file use the command 'invoke-rc.d chrony restart' to make 
@@ -27,19 +27,21 @@ server {{ server }} {{ rhel9cis_chrony_server_options }} # password is generated by a random process at install time. You may # change it if you wish. -keyfile /etc/chrony/chrony.keys +keyfile /etc/chrony.keys -# Set runtime command key. Note that if you change the key (not the -# password) to anything other than 1 you will need to edit -# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony -# and /etc/cron.weekly/chrony as these scripts use it to get the password. +# Record the rate at which the system clock gains/losses time. +driftfile /var/lib/chrony/drift -commandkey 1 +# Allow the system clock to be stepped in the first three updates +# if its offset is larger than 1 second. +makestep {{ rhel9cis_chrony_server_makestep }} -# I moved the driftfile to /var/lib/chrony to comply with the Debian -# filesystem standard. +# Enable kernel synchronization of the real-time clock (RTC). +{% if not rhel9cis_chrony_server_rtcsync %}#{% endif %}rtcsync -driftfile /var/lib/chrony/chrony.drift +# Increase the minimum number of selectable sources required to adjust +# the system clock. +minsources {{ rhel9cis_chrony_server_minsources }} # Comment this line out to turn off logging. From cce2b25d80a0b3dace4ca5bf27f345d972b86ddb Mon Sep 17 00:00:00 2001 From: Senih <40578755+senihucar@users.noreply.github.com> Date: Thu, 23 Nov 2023 12:02:37 -0800 Subject: [PATCH 087/136] Update cis_5.6.1.x.yml Typo fixed from: - rule_5.5.1.3 to: - rule_5.6.1.3 Signed-off-by: Senih <40578755+senihucar@users.noreply.github.com> --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 3d59a16..f7b8136 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml 
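Review bot: The comment above `makestep {{ rhel9cis_chrony_server_makestep }}` still describes the fixed value (`first three updates`, `larger than 1 second`) even though the directive is now templated, so it becomes wrong as soon as someone overrides the default `"1.0 3"`. Reword it to describe the variable, e.g. `# Step the clock when the offset exceeds <threshold> seconds during the first <updates> updates; set via rhel9cis_chrony_server_makestep ("<threshold> <updates>")`. The `minsources` comment has the same mild issue, and the `Debian chrony package` header left in context above the hunk no longer matches the RHEL-style `keyfile /etc/chrony.keys` path chosen here.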
@@ -40,7 +40,7 @@ - level1-workstation - patch - password - - rule_5.5.1.3 + - rule_5.6.1.3 - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less" block: From a2162dbd1b6255ebaa46bbf5ce662b065f8b4cc5 Mon Sep 17 00:00:00 2001 From: "root@DERVISHx" Date: Fri, 24 Nov 2023 15:38:40 +0000 Subject: [PATCH 088/136] Document variables in defaults/main.yml, Fix 2. Signed-off-by: root@DERVISHx --- defaults/main.yml | 321 ++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 281 insertions(+), 40 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3fe96c1..c515d69 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -11,6 +11,10 @@ system_is_ec2: false # Supported OSs will not need for this to be changed - see README e.g. CentOS os_check: true +## Switching on/off specific baseline sections +# These variables govern whether the tasks of a particular section are to be executed when running the role. +# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true. +# to "true". If you do not want the tasks from that section to get executed you simply set the variable to "false". rhel9cis_section1: true rhel9cis_section2: true rhel9cis_section3: true @@ -22,6 +26,7 @@ rhel9cis_section6: true # e.g. # - level1-server # - level2-workstation +# Used for audit rhel9cis_level_1: true rhel9cis_level_2: true @@ -39,7 +44,8 @@ benchmark_version: 'v1.0.0' benchmark: RHEL9-CIS -# Whether to skip the reboot +# Whether to skip the system reboot before audit +# System will reboot if false, can give better audit results skip_reboot: true # default value will change to true but wont reboot if not enabled but will error 
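Review bot: The new section-switch comment in the `@@ -11,6 +11,10 @@` hunk is garbled: `set the "_section1" variable to true.` is immediately followed by `# to "true". If you do not want...`, so the sentence reads twice and the variable name is wrong — the switches are `rhel9cis_section1` … `rhel9cis_section6`, not `_section1`. Suggest `# E.g. to run the Section 1 tasks set rhel9cis_section1: true; set it to false to skip that section.` in place of the two lines. The `# Used for audit` line added above `rhel9cis_level_1` is too terse to help; a reader cannot tell whether it gates remediation, audit, or both.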
@@ -48,21 +54,39 @@ change_requires_reboot: false #### Basic external goss audit enablement settings #### #### Precise details - per setting can be found at the bottom of this file #### -### Goss is required on the remote host +## Audit setup +# Audits are carried out using Goss. This variable +# determines whether execution of the role prepares for auditing +# by installing the required binary. setup_audit: false -# How to retrive goss +## How to retrive goss # Options are copy or download - detailed settings at the bottom of this file +# provided in variable `audit_conf_copy` for copying or +# the url given in variable `audit_files_url` for downloading. # you will need to access to either github or the file already dowmloaded get_audit_binary_method: download -# how to get audit files onto host options +## How to retrieve the audit role +# The role for auditing is maintained separately. +# This variable specifies the method of how to get the audit role # options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly) +# onto the system. The options are as follows: +# - git: clone from git repository as specified in variable `audit_file_git` in +# the version specified by variable `audit_git_version` +# - copy: copy from path as specified in variable `audit_conf_copy` +# - get_url: Download from url as specified in variable `audit_files_url` audit_content: git -# enable audits to run - this runs the audit and get the latest content +## Enable audits to run +# This variable governs whether the audit using the +# separately maintained audit role using Goss +# is carried out. run_audit: false # Timeout for those cmds that take longer to run where timeout set +# This variable specifies the timeout (in ms) for audit commands that +# take a very long time: if a command takes too long to complete, +# it will be forcefully terminated after the specified duration. audit_cmd_timeout: 60000 ### End Goss enablements #### 
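Review bot: The added documentation for `audit_content` is split by a retained context line: `+# This variable specifies the method of how to get the audit role` is followed by the old `# options are git/copy/get_url - use local if already available ...` line and only then by `+# onto the system. The options are as follows:`, so the sentence no longer reads. Either remove the old options line (the new bullet list supersedes it) or move it below the new block. The new heading `## How to retrive goss` also misspells "retrieve", which the removed line had right. The same interleaving recurs in the later "Fix 5 from devel" commit (its `@@ -73,8 +90,15 @@` hunk).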
@@ -72,7 +96,9 @@ audit_cmd_timeout: 60000 # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. # You must enable an entire section in order for the variables below to take effect. -# Section 1 rules + +# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, +# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) rhel9cis_rule_1_1_1_1: true rhel9cis_rule_1_1_1_2: true rhel9cis_rule_1_1_2_1: true @@ -145,7 +171,7 @@ rhel9cis_rule_1_8_10: true rhel9cis_rule_1_9: true rhel9cis_rule_1_10: true -# Section 2 rules +# Section 2 rules are controling Services (Special Purpose Services, and service clients) rhel9cis_rule_2_1_1: true rhel9cis_rule_2_1_2: true rhel9cis_rule_2_2_1: true @@ -173,6 +199,7 @@ rhel9cis_rule_2_3_4: true rhel9cis_rule_2_4: true # Section 3 rules +# Network Configuration rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_3: true @@ -197,7 +224,8 @@ rhel9cis_rule_3_4_2_5: true rhel9cis_rule_3_4_2_6: true rhel9cis_rule_3_4_2_7: true -# Section 4 rules +# Section 4 rules are Logging and Auditing (Configure System Accounting (auditd), +# Configure Data Retention, and Configure Logging) rhel9cis_rule_4_1_1_1: true rhel9cis_rule_4_1_1_2: true rhel9cis_rule_4_1_1_3: true @@ -256,7 +284,8 @@ rhel9cis_rule_4_2_2_7: true rhel9cis_rule_4_2_3: true rhel9cis_rule_4_3: true -# Section 5 rules +# Section 5 rules control Access, Authentication, and Authorization (Configure time-based job schedulers, +# Configure sudo, Configure SSH Server, Configure PAM and User Accounts and Environment) rhel9cis_rule_5_1_1: true rhel9cis_rule_5_1_2: true rhel9cis_rule_5_1_3: true 
@@ -311,7 +340,8 @@ rhel9cis_rule_5_6_4: true rhel9cis_rule_5_6_5: true rhel9cis_rule_5_6_6: true -# Section 6 rules +# Section 6 rules controls System Maintenance (System File Permissions and User and Group Settings) +rhel9cis_rule_6_1_1: true rhel9cis_rule_6_1_1: true rhel9cis_rule_6_1_2: true rhel9cis_rule_6_1_3: true @@ -377,10 +407,18 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF4 rhel9cis_bootloader_password: random # pragma: allowlist secret rhel9cis_set_boot_pass: true -# 1.8 Gnome Desktop + +## Controls 1.8.x - Settings for GDM +# This variable specifies the GNOME configuration database file to which configurations are written. +# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) +# The default database is `local` rhel9cis_dconf_db_name: local -rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) -rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) +# This variable governs the number of seconds of inactivity before the screen goes blank. +# Set max value for idle-delay in seconds (between 1 and 900) +rhel9cis_screensaver_idle_delay: 900 +# This variable governs the number of seconds the screen remains blank before it is locked. +# Set max value for lock-delay in seconds (between 0 and 5) +rhel9cis_screensaver_lock_delay: 5 # 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) # Control 1.10 states do not use LEGACY and control 1.11 says to use FUTURE or FIPS. 
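Review bot: The Section 6 hunk adds `+rhel9cis_rule_6_1_1: true` directly above the existing `rhel9cis_rule_6_1_1: true` context line, producing a duplicate mapping key. Most YAML loaders accept this silently with last-value-wins, so it would not fail the play, but yamllint's `key-duplicates` flags it and it is an obvious merge artifact; drop the added line. The same duplicate is re-introduced in the later "Fix 5 from devel" commit (its `@@ -336,7 +365,8 @@` hunk).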
@@ -389,27 +427,67 @@ rhel9cis_crypto_policy: 'DEFAULT' rhel9cis_crypto_policy_module: '' # System network parameters (host only OR host and router) +# This variable governs whether specific CIS rules +# concerned with acceptance and routing of packages are skipped. rhel9cis_is_router: false -# IPv6 required +## IPv6 requirement toggle +# This variable governs whether ipv6 is enabled or disabled. rhel9cis_ipv6_required: true -# AIDE +## Control 1.3.1 - allow aide to be configured +# AIDE is a file integrity checking tool, similar in nature to Tripwire. +# While it cannot prevent intrusions, it can detect unauthorized changes +# to configuration files by alerting when the files are changed. Review +# the AIDE quick start guide and AIDE documentation before proceeding. +# By setting this variable to `true`, all of the settings related to AIDE will be applied! rhel9cis_config_aide: true -# AIDE cron settings + +## Control 1.3.2 AIDE cron settings +# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. +# The sub-settings of this variable provide the parameters required to configure +# the cron job on the target system. +# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled +# and executed automatically at a certain point in time. rhel9cis_aide_cron: + # This variable represents the user account under which the cron job for AIDE will run. cron_user: root + # This variable represents the path to the AIDE crontab file. cron_file: /etc/cron.d/aide_cron + # This variable represents the actual command or script that the cron job + # will execute for running AIDE. aide_job: '/usr/sbin/aide --check' + # These variables define the schedule for the cron job + # This variable governs the minute of the time of day when the AIDE cronjob is run. + # It must be in the range `0-59`. aide_minute: 0 + # This variable governs the hour of the time of day when the AIDE cronjob is run. 
+ # It must be in the range `0-23`. aide_hour: 5 + # This variable governs the day of the month when the AIDE cronjob is run. + # `*` signifies that the job is run on all days; furthermore, specific days + # can be given in the range `1-31`; several days can be concatenated with a comma. + # The specified day(s) can must be in the range `1-31`. aide_day: '*' - aide_month: '*' + # This variable governs months when the AIDE cronjob is run. + # `*` signifies that the job is run in every month; furthermore, specific months + # can be given in the range `1-12`; several months can be concatenated with commas. + # The specified month(s) can must be in the range `1-12`. + aide_month: '*' + # This variable governs the weekdays, when the AIDE cronjob is run. + # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays + # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays + # can be concatenated with commas. aide_weekday: '*' # SELinux policy +# This selects type of policy; targeted or mls ( multilevel ) +# mls should not be used, since it will disable unconfined policy module +# and may prevent some services from running. rhel9cis_selinux_pol: targeted # chose onf or enfocing or permissive +# CIS expects enforcing since permissive allows operations thet might compromise the system. +# Even though logging still occurs. rhel9cis_selinux_enforce: enforcing # Whether or not to run tasks related to auditing/patching the desktop environment 
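Review bot: The new `rhel9cis_is_router` comment says the skipped rules concern "acceptance and routing of packages"; the sysctl controls in question deal with packets, so it should read `# concerned with acceptance and routing of packets are skipped.` In the AIDE block the `aide_day` and `aide_month` comments both end with "The specified day(s) can must be in the range ..." — pick one modal verb, and note each of those ranges was already stated two lines earlier. The `rhel9cis_ipv6_required` comment claims the variable "governs whether ipv6 is enabled or disabled"; from the old name ("IPv6 required") it looks more like a toggle that decides whether the IPv6-related controls are applied, which is a narrower claim — worth checking against the tasks before asserting it enables or disables IPv6 itself.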
@@ -418,6 +496,11 @@ rhel9cis_selinux_enforce: enforcing ### 2.1 Time Synchronization #### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 +# The following variable represents a list of of time servers used +# for configuring chrony, timesyncd, and ntp. +# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`. +# The default setting for the `options` is `minpoll` but `iburst` can be used, please refer to the documentation +# of the time synchronization mechanism you are using. rhel9cis_time_synchronization_servers: - 0.pool.ntp.org - 1.pool.ntp.org @@ -426,7 +509,9 @@ rhel9cis_time_synchronization_servers: rhel9cis_chrony_server_options: "minpoll 8" ### 2.2 Special Purposes -##### Service configuration booleans set true to keep service +# Service configuration variables (boolean). +# Set the respective variable to true to keep the service. +# otherwise the service is stopped and disabled rhel9cis_gui: false rhel9cis_avahi_server: false rhel9cis_cups_server: false @@ -444,10 +529,12 @@ rhel9cis_squid_server: false rhel9cis_snmp_server: false rhel9cis_telnet_server: false rhel9cis_is_mail_server: false -# Note the options -# Packages are used for client services and Server- only remove if you dont use the client service -# +# Note the options +# Client package configuration variables. +# Packages are used for client services and Server, only remove if you dont use the client service +# Set the respective variable to `true` to keep the +# client package, otherwise it is uninstalled (false). rhel9cis_use_nfs_server: false rhel9cis_use_nfs_service: false @@ -463,8 +550,7 @@ rhel9cis_openldap_clients_required: false rhel9cis_tftp_client: false rhel9cis_ftp_client: false -## Section3 vars -## Sysctl +## Section 3 vars for Sysctl rhel9cis_sysctl_update: false rhel9cis_flush_ipv4_route: false rhel9cis_flush_ipv6_route: false 
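Review bot: The new comment above `rhel9cis_time_synchronization_servers` says "Each list item contains two settings, `name` ... and synchronization `options`", but the list directly below is plain strings (`- 0.pool.ntp.org`, `- 1.pool.ntp.org`), and the per-server options come from the separate `rhel9cis_chrony_server_options: "minpoll 8"` key visible in the next hunk. Documenting a structure the variable does not have will lead users to write mappings the template presumably cannot consume. Replace the two sentences with something like `# Plain list of time server names; the options appended to each "server" line come from rhel9cis_chrony_server_options.` The comment also says "list of of" and mentions timesyncd and ntp, while the file otherwise references only chrony.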
@@ -484,7 +570,11 @@ rhel9cis_firewalld_ports: - number: 80 protocol: tcp -#### nftables +## Controls 3.5.2.x - nftables +# The default nftables table name is "filter". This variable name will be the one all +# "rhel9cis_nft_tables_tablename" is the name of the table in nftables you want to create. +# nftables configs are applied to. +# options are: inet filter rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true 
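Review bot: The new nftables comment has its sentences interleaved: `# The default nftables table name is "filter". This variable name will be the one all` is followed by the unrelated `# "rhel9cis_nft_tables_tablename" is the name of the table ...` before the first sentence resumes with `# nftables configs are applied to.`, and `# options are: inet filter` reads as if the value were two words. Reorder so each sentence is contiguous, e.g. `# rhel9cis_nft_tables_tablename is the name of the nftables table the role creates and applies its rules to; the default is "filter" (in the inet family).` The comment also sits above `rhel9cis_nft_tables_autonewtable`, while the key it describes is the line after it.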
@@ -496,23 +586,60 @@ rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and ## Section4 vars ### 4.1 Configure System Accounting #### 4.1.2 Configure Data Retention +## Controls what actions, when log files fill up +# This variable controls how the audit system behaves when +# log files are getting too full and space is getting too low. rhel9cis_auditd: space_left_action: email action_mail_acct: root + # This variable determines the action the audit system should take when disk + # space runs low. + # The options for setting this variable are as follows: + # - `ignore`: the system does nothing when presented with the aforementioned issue; + # - `syslog`: a message is sent to the system log about disk space running low; + # - `suspend`: the system suspends recording audit events until more space is available; + # - `halt`: the system is halted when disk space is critically low. + # - `single`: the audit daemon will put the computer system in single user mode + # CIS prescribes either `halt` or `single`. admin_space_left_action: halt + # This variable determines what action the audit system should take when the maximum + # size of a log file is reached. + # The options for setting this variable are as follows: + # - `ignore`: the system does nothing when the size of a log file is full; + # - `syslog`: a message is sent to the system log indicating the problem; + # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated; + # - `rotate`: the log file is rotated (archived) and a new empty log file is created; + # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints. + # CIS prescribes the value `keep_logs`. 
max_log_file_action: keep_logs -# The audit_back_log_limit value should never be below 8192 +## Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient +# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the +# system can buffer in memory, if the audit subsystem is unable to process them in real-time. +# Buffering in memory is useful in situations, where the audit system is overwhelmed +# with incoming audit events, and needs to temporarily store them until they can be processed. +# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value. rhel9cis_audit_back_log_limit: 8192 -# The max_log_file parameter should be based on your sites policy +## Control 4.1.2.1 - Ensure audit log storage size is configured +# This variable specifies the maximum size in MB that an audit log file can reach +# before it is archived or deleted to make space for the new audit data. +# This should be set based on your sites policy. CIS does not provide a specific value. rhel9cis_max_log_file_size: 10 -### 4.1.3.x audit template +## 4.1.3.x - Audit template +# This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the +# audit settings are overwritten with the role's template. In order to exclude +# specific rules, you must set the variable of form `rhel9cis_rule_4_1_3_x` above +# to `false`. update_audit_template: false ## Advanced option found in auditd post +# users whose actions are not logged by auditd rhel9cis_allow_auditd_uid_user_exclusions: false +# add a list of uids to be excluded. +rhel9cis_auditd_uid_exclude: + - 1999 # This can be used to configure other keys in auditd.conf rhel9cis_auditd_extra_conf: {} 
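Review bot: The new `rhel9cis_auditd_uid_exclude` default is a non-empty list (`- 1999`), so a site that merely flips `rhel9cis_allow_auditd_uid_user_exclusions` to `true` would, presumably, stop auditing a uid nobody chose; an exclusion from audit logging should never be on by default. Make the default `rhel9cis_auditd_uid_exclude: []` and show the example in the comment: `# List of UIDs to exclude from auditd rules when exclusions are enabled, e.g. [1999].` The comment `# This variable is set to true by tasks 4.1.3.1 to 4.1.3.20` above `update_audit_template` asserts a cross-file behaviour that cannot be checked from this file; hedge it or point at the task file. This hunk's enclosing `rhel9cis_auditd` mapping starts in the previous physical line; its first two keys, `space_left_action` and `action_mail_acct`, are the only ones left undocumented.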
@@ -528,35 +655,63 @@ rhel9cis_rsyslog_ansiblemanaged: true #### 4.2.1.6 remote and destation log server name rhel9cis_remote_log_server: false -rhel9cis_remote_log_host: logagg.example.com +rhel9cis_remote_log_host: 192.168.2.100 rhel9cis_remote_log_port: 514 rhel9cis_remote_log_protocol: tcp rhel9cis_remote_log_retrycount: 100 rhel9cis_remote_log_queuesize: 1000 #### 4.2.1.7 +# This variable expresses whether the system is used as a log server or not. +# If set to `true`, controls that interfere with log server functionality or +# require that own system logs be sent to some other log server are skipped. rhel9cis_system_is_log_server: false # 4.2.2.1.2 # rhel9cis_journal_upload_url is the ip address to upload the journal entries to rhel9cis_journal_upload_url: 192.168.50.42 -# The paths below have the default paths/files, but allow user to create custom paths/filenames + +## The paths below have the default paths/files, but allow user to create custom paths/filenames +# This variable specifies the path to the private key file used by the remote journal +# server to authenticate itself to the client. This key is used alongside the server's +# public certificate to establish secure communication. rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" +# This variable specifies the path to the public certificate file of the remote journal +# server. This certificate is used to verify the authenticity of the remote server. rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" +# This variable specifies the path to a file containing one or more public certificates +# of certificate authorities (CAs) that the client trusts. These trusted certificates are used +# to validate the authenticity of the remote server's certificate. 
rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" # 4.2.2.1 # The variables below related to journald, please set these to your site specific values +# These variable specifies how much disk space the journal may use up at most +# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. +# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. +# ATTENTION: Uncomment the keyword below when values are set! # rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use rhel9cis_journald_systemmaxuse: 10M # rhel9cis_journald_systemkeepfree is the amount of disk space to keep free rhel9cis_journald_systemkeepfree: 100G +# rhel9cis_journald_runtimemaxuse control how much disk space the journal may use up at most. +# same as rhel9cis_journald_systemmaxuse. rhel9cis_journald_runtimemaxuse: 10M +# rhel9cis_journald_runtimekeepfree is the amount of disk space to keep free +# same as rhel9cis_journald_systemkeepfree. rhel9cis_journald_runtimekeepfree: 100G -# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +# rhel9cis_journald_MaxFileSec is how long in time to keep log files. +# This variable specifies, the maximum time to store entries in a single journal +# file before rotating to the next one. Set to 0 to turn off this feature. +# The given values is interpreted as seconds, unless suffixed with the units +# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds. +# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +# ATTENTION: Uncomment the keyword below when values are set! rhel9cis_journald_maxfilesec: 1month #### 4.3 +# This variable defines the log file rotation period. +# Options are: daily, monthly, yearly. rhel9cis_logrotate: "daily" ## Section5 vars 
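Review bot: The added comment on `rhel9cis_journal_upload_serverkeyfile` describes it as "the private key file used by the remote journal server to authenticate itself to the client", but the path is on the uploading host; per journal-upload.conf(5) `ServerKeyFile`/`ServerCertificateFile` are the key and certificate this host presents to the receiver and `TrustedCertificateFile` is the CA used to verify the receiver, so the three comments have the roles inverted. Suggested wording: `# Private key this host presents to the remote journal receiver (journal-upload.conf ServerKeyFile).` In the same hunk `rhel9cis_remote_log_host` changes from `logagg.example.com` to `192.168.2.100`; a documentation commit should not change a default, and a private address that may exist in a user's network is a worse placeholder than the reserved example domain. The new "ATTENTION: Uncomment the keyword below when values are set!" lines also do not match the keys, which are not commented out.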
@@ -565,20 +720,61 @@ rhel9cis_logrotate: "daily" rhel9_cis_sshd_config_file: /etc/ssh/sshd_config rhel9cis_sshd: - clientalivecountmax: 0 - clientaliveinterval: 900 + # This variable sets the maximum number of unresponsive "keep-alive" messages + # that can be sent from the server to the client before the connection is considered + # inactive and thus, closed. + clientalivecountmax: 3 + # This variable sets the time interval in seconds between sending "keep-alive" + # messages from the server to the client. These types of messages are intended to + # keep the connection alive and prevent it being terminated due to inactivity. + clientaliveinterval: 300 + # This variable specifies the amount of seconds allowed for successful authentication to + # the SSH server. logingracetime: 60 - # WARNING: make sure you understand the precedence when working with these values!! - # allowusers: - # allowgroups: systems dba - # denyusers: - # denygroups: + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH + # access for users whose user name matches one of the patterns. This is done + # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. + # If an USER@HOST format will be used, the specified user will be allowed only on that particular host. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + allow_users: "" + # (String) This variable, if spcieifed, configures a list of GROUP name patterns, separated by spaces, to allow SSH access + # for users whose primary group or supplementary group list matches one of the patterns. This is done + # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. 
+ # For more info, https://linux.die.net/man/5/sshd_config + allow_groups: wheel + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access + # for users whose user name matches one of the patterns. This is done + # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. + # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + deny_users: nobody + # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access + # for users whose primary group or supplementary group list matches one of the patterns. This is done + # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + deny_groups: "" -# 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE +# 5.2.5 SSH LogLevel setting. +# This variable is used to control the verbosity of the logging produced by the SSH server. +# The options for setting it are as follows: +# - `QUIET`: Minimal logging; +# - `FATAL`: logs only fatal errors; +# - `ERROR`: logs error messages; +# - `INFO`: logs informational messages in addition to errors; +# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges; +# - `DEBUG`: generates very detailed debugging information including sensitive information. +# - `DEBUG(x)`: Whereas x = debug level 1 to 3, DEBUG=DEBUG1. rhel9cis_ssh_loglevel: INFO # 5.2.19 SSH MaxSessions setting. Must be 4 our less rhel9cis_ssh_maxsessions: 4 +## Control 5.5.1.4 +# This variable specifies the number of days of inactivity before an account will be locked. 
+# CIS requires a value of 30 days or less. rhel9cis_inactivelock: lock_days: 30 
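Review bot: The hunk replaces commented-out placeholders with live defaults `allow_groups: wheel` and `deny_users: nobody`; if the sshd template emits these whenever set, every host the role runs against would restrict SSH logins to members of `wheel`, locking out administrators who are not in that group, and the removed `WARNING: make sure you understand the precedence` line was the only hint of that risk. Keep the defaults empty, `allow_groups: ""` and `deny_users: ""`, and carry the precedence warning into the new comments (which already list the evaluation order). `clientalivecountmax` 0→3 and `clientaliveinterval` 900→300 likewise change applied configuration in a commit titled as documentation; if intended, the commit message should say so. Minor: "spcieifed" in the `allow_groups` comment, and "Must be 4 our less" in the retained `MaxSessions` line.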
@@ -596,32 +792,65 @@ rhel9cis_authselect_custom_profile_create: false # 5.3.2 Enable automation to select custom profile options, using the settings above rhel9cis_authselect_custom_profile_select: false +## Controls 5.5.1.x - Password settings rhel9cis_pass: + ## Control 5.5.1.2 + # This variable governs after how many days a password expires. + # CIS requires a value of 365 or less. max_days: 365 + ## Control 5.5.1.1 + # This variable specifies the minimum number of days allowed between changing passwords. + # CIS requires a value of at least 1. min_days: 7 + ## Control 5.5.1.3 + # This variable governs, how many days before a password expires, the user will be warned. + # CIS requires a value of at least 7. warn_age: 7 # 5.5.1 ## PAM rhel9cis_pam_password: + # This variable sets the minimum chars a password needs to be set. minlen: 14 + # This variable set password complexity,the minimum number of + # character types that must be used (i.e., uppercase, lowercase, digits, other) + # Set to 2, passwords cannot have all lower/upper case. + # Set to 3, passwords needs numbers. + # set to 4, passwords will have to include all four types of characters. minclass: 4 rhel9cis_pam_faillock: + # This variable sets the amount of time a user will be unlocked after + # the max amount of password failures. unlock_time: 900 + # This variable sets the amount of tries a password can be entered, before a user is locked. deny: 5 + # This variable represents the number of password change cycles, after which + # a user can re-use a password. + # CIS requires a value of 5 or more. remember: 5 # UID settings for interactive users # These are discovered via logins.def if set true discover_int_uid: false +# This variable sets the minimum number from which to search for UID +# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# been set to `true`. 
min_int_uid: 1000 +# This variable sets the maximum number at which the search stops for UID +# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# been set to `true`. max_int_uid: 65533 # 5.3.3 var log location variable +# This variable defines the path and file name of the sudo log file. rhel9cis_sudolog_location: "/var/log/sudo.log" #### 5.3.6 +# This variable sets the duration (in minutes) during which a user's authentication credentials +# are cached after successfully authenticating using "sudo". This allows the user to execute +# multiple commands with elevated privileges without needing to re-enter their password for each +# command within the specified time period. CIS requires a value of at most 15 minutes. rhel9cis_sudo_timestamp_timeout: 15 ### 5.4.2 authselect and faillock 
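Review bot: The new comments on `min_int_uid` and `max_int_uid` refer to a variable `dicover_int_uid`; the key defined three lines above is `discover_int_uid`, so the reference cannot be searched for — write `# ... overwritten if discover_int_uid is true.` The `minclass` comment claims "Set to 3, passwords needs numbers"; pwquality's minclass only counts how many of the four character classes must appear, not which ones, so `Set to 3, passwords need any three of the four character classes.` would be accurate. The `rhel9cis_pass` hunk begins on the previous physical line.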
@@ -636,12 +865,24 @@ rhel9cis_5_4_2_risks: NEVER # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) rhel9cis_shell_session_timeout: + # This variable specifies the path of the timeout setting file. + # (TMOUT setting can be set in multiple files, but only one is required for the + # rule to pass. Options are: + # - a file in `/etc/profile.d/` ending in `.s`, + # - `/etc/profile`, or + # - `/etc/bash.bashrc`. file: /etc/profile.d/tmout.sh + # This variable represents the amount of seconds a command or process is allowed to + # run before being forcefully terminated. + # CIS requires a value of at most 900 seconds. timeout: 600 # RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords rhel9cis_futurepwchgdate_autofix: true -# 5.3.7 +## 5.3.7 +# This variable determines the group of users that are allowed to use the su command. +# one to specify a user group that is allowed to use the "su" command. +# CIS requires that such a group be created (named according to site policy) and be kept empty. rhel9cis_sugroup: nosugroup ## Section6 vars @@ -654,7 +895,7 @@ rhel9cis_no_world_write_adjust: true rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" # 6.2.16 -## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj +## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and community for rhel8-cis reedbacj rhel_09_6_2_16_home_follow_symlinks: false #### Goss Configuration Settings #### From 34b052196cf14c2609eac3d92076b746c4d1e1ed Mon Sep 17 00:00:00 2001 From: "root@DERVISHx" Date: Wed, 29 Nov 2023 15:50:23 +0000 Subject: [PATCH 089/136] Document variables in defaults/main.yml, Fix 5 from devel 
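Review bot: The new comment on `rhel9cis_shell_session_timeout.timeout` says it is "the amount of seconds a command or process is allowed to run before being forcefully terminated"; the retained context lines two lines up say this is the TMOUT session setting, which is the interactive-shell idle timeout and does not kill running commands. Replace it with `# Seconds of shell inactivity before the interactive session is terminated (TMOUT).` In the `file` comment, "a file in /etc/profile.d/ ending in .s" should read `.sh`, matching the default `/etc/profile.d/tmout.sh`. The `rhel9cis_sugroup` comment also contains a stray fragment "one to specify a user group that is allowed ..." left over from an earlier sentence.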
Signed-off-by: root@DERVISHx --- defaults/main.yml | 313 ++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 277 insertions(+), 36 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0bc0137..bf059d1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -11,6 +11,10 @@ system_is_ec2: false # Supported OSs will not need for this to be changed - see README e.g. CentOS os_check: true +## Switching on/off specific baseline sections +# These variables govern whether the tasks of a particular section are to be executed when running the role. +# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true. +# to "true". If you do not want the tasks from that section to get executed you simply set the variable to "false". rhel9cis_section1: true rhel9cis_section2: true rhel9cis_section3: true @@ -22,6 +26,7 @@ rhel9cis_section6: true # e.g. # - level1-server # - level2-workstation +# Used for audit rhel9cis_level_1: true rhel9cis_level_2: true @@ -39,7 +44,8 @@ benchmark_version: 'v1.0.0' benchmark: RHEL9-CIS -# Whether to skip the reboot +# Whether to skip the system reboot before audit +# System will reboot if false, can give better audit results skip_reboot: true # default value will change to true but wont reboot if not enabled but will error 
@@ -48,11 +54,20 @@ change_requires_reboot: false ########################################## ### Goss is required on the remote host ### ## Refer to vars/auditd.yml for any other settings ## +#### Basic external goss audit enablement settings #### +#### Precise details - per setting can be found at the bottom of this file #### -# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) +## Audit setup +# Audits are carried out using Goss. This variable +# determines whether execution of the role prepares for auditing +# by installing the required binary. setup_audit: false -# enable audits to run - this runs the audit and get the latest content +## Enable audits to run +# This variable governs whether the audit using the +# separately maintained audit role using Goss +# is carried out. +# This runs the audit and get the latest content run_audit: false # Only run Audit do not remediate @@ -63,8 +78,10 @@ fetch_audit_files: false # Path to copy the files to will create dir structure audit_capture_files_dir: /some/location to copy to on control node -# How to retrieve audit binary +## How to retrive goss # Options are copy or download - detailed settings at the bottom of this file +# provided in variable `audit_conf_copy` for copying or +# the url given in variable `audit_files_url` for downloading. # you will need to access to either github or the file already dowmloaded get_audit_binary_method: download 
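Review bot: In the `@@ -63,8 +78,10 @@` hunk the correctly spelled `-# How to retrieve audit binary` is replaced by `+## How to retrive goss`, so the re-documentation introduces a typo where none existed; keep `## How to retrieve the goss binary`. The first hunk adds `#### Basic external goss audit enablement settings ####` and the "Precise details" banner directly under the existing `### Goss is required on the remote host ###` / `## Refer to vars/auditd.yml` banner, giving two headers for one section. The retained `# you will need to access to either github or the file already dowmloaded` line could be fixed in the same pass.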
@@ -73,8 +90,15 @@ get_audit_binary_method: download ## e.g copy from ansible control node to remote host audit_bin_copy_location: /some/accessible/path -# how to get audit files onto host options +## How to retrieve the audit role +# The role for auditing is maintained separately. +# This variable specifies the method of how to get the audit role # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf +# onto the system. The options are as follows: +# - git: clone from git repository as specified in variable `audit_file_git` in +# the version specified by variable `audit_git_version` +# - copy: copy from path as specified in variable `audit_conf_copy` +# - get_url: Download from url as specified in variable `audit_files_url` audit_content: git # archive or copy: @@ -86,10 +110,11 @@ audit_files_url: "some url maybe s3?" # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system audit_run_heavy_tests: true +# Timeout for those cmds that take longer to run where timeout set # This variable specifies the timeout (in ms) for audit commands that # take a very long time: if a command takes too long to complete, # it will be forcefully terminated after the specified duration. -audit_cmd_timeout: 120000 +audit_cmd_timeout: 60000 ### End Goss enablements #### @@ -97,7 +122,8 @@ audit_cmd_timeout: 120000 # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. # You must enable an entire section in order for the variables below to take effect. -# Section 1 rules +# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, +# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) rhel9cis_rule_1_1_1_1: true rhel9cis_rule_1_1_1_2: true rhel9cis_rule_1_1_2_1: true 
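Review bot: The `@@ -86,10 +110,11 @@` hunk changes `audit_cmd_timeout` from `120000` back to `60000` while the surrounding doc comment is already present on the old side, which suggests this commit was rebased onto a devel branch that had raised the timeout and the lower value is a merge artifact rather than an intended change. If the reduction is deliberate, the commit message should say so; otherwise keep `audit_cmd_timeout: 120000`. The added `# Timeout for those cmds that take longer to run where timeout set` line duplicates the sentence below it.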
@@ -170,7 +196,7 @@ rhel9cis_rule_1_8_10: true rhel9cis_rule_1_9: true rhel9cis_rule_1_10: true -# Section 2 rules +# Section 2 rules are controling Services (Special Purpose Services, and service clients) rhel9cis_rule_2_1_1: true rhel9cis_rule_2_1_2: true rhel9cis_rule_2_2_1: true @@ -198,6 +224,7 @@ rhel9cis_rule_2_3_4: true rhel9cis_rule_2_4: true # Section 3 rules +# Network Configuration rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_3: true @@ -222,7 +249,8 @@ rhel9cis_rule_3_4_2_5: true rhel9cis_rule_3_4_2_6: true rhel9cis_rule_3_4_2_7: true -# Section 4 rules +# Section 4 rules are Logging and Auditing (Configure System Accounting (auditd), +# Configure Data Retention, and Configure Logging) rhel9cis_rule_4_1_1_1: true rhel9cis_rule_4_1_1_2: true rhel9cis_rule_4_1_1_3: true @@ -281,7 +309,8 @@ rhel9cis_rule_4_2_2_7: true rhel9cis_rule_4_2_3: true rhel9cis_rule_4_3: true -# Section 5 rules +# Section 5 rules control Access, Authentication, and Authorization (Configure time-based job schedulers, +# Configure sudo, Configure SSH Server, Configure PAM and User Accounts and Environment) rhel9cis_rule_5_1_1: true rhel9cis_rule_5_1_2: true rhel9cis_rule_5_1_3: true @@ -336,7 +365,8 @@ rhel9cis_rule_5_6_4: true rhel9cis_rule_5_6_5: true rhel9cis_rule_5_6_6: true -# Section 6 rules +# Section 6 rules controls System Maintenance (System File Permissions and User and Group Settings) +rhel9cis_rule_6_1_1: true rhel9cis_rule_6_1_1: true rhel9cis_rule_6_1_2: true rhel9cis_rule_6_1_3: true 
@@ -402,9 +432,16 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF4 rhel9cis_bootloader_password: random # pragma: allowlist secret rhel9cis_set_boot_pass: true -# 1.8 Gnome Desktop +## Controls 1.8.x - Settings for GDM +# This variable specifies the GNOME configuration database file to which configurations are written. +# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) +# The default database is `local` rhel9cis_dconf_db_name: local + +# This variable governs the number of seconds of inactivity before the screen goes blank. rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) + +# This variable governs the number of seconds the screen remains blank before it is locked. rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) # 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) 
@@ -414,27 +451,67 @@ rhel9cis_crypto_policy: 'DEFAULT' rhel9cis_crypto_policy_module: '' # System network parameters (host only OR host and router) +# This variable governs whether specific CIS rules +# concerned with acceptance and routing of packages are skipped. rhel9cis_is_router: false -# IPv6 required +## IPv6 requirement toggle +# This variable governs whether ipv6 is enabled or disabled. rhel9cis_ipv6_required: true -# AIDE +## Control 1.3.1 - allow aide to be configured +# AIDE is a file integrity checking tool, similar in nature to Tripwire. +# While it cannot prevent intrusions, it can detect unauthorized changes +# to configuration files by alerting when the files are changed. Review +# the AIDE quick start guide and AIDE documentation before proceeding. +# By setting this variable to `true`, all of the settings related to AIDE will be applied! rhel9cis_config_aide: true -# AIDE cron settings + +## Control 1.3.2 AIDE cron settings +# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. +# The sub-settings of this variable provide the parameters required to configure +# the cron job on the target system. +# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled +# and executed automatically at a certain point in time. rhel9cis_aide_cron: + # This variable represents the user account under which the cron job for AIDE will run. cron_user: root + # This variable represents the path to the AIDE crontab file. cron_file: /etc/cron.d/aide_cron + # This variable represents the actual command or script that the cron job + # will execute for running AIDE. aide_job: '/usr/sbin/aide --check' + # These variables define the schedule for the cron job + # This variable governs the minute of the time of day when the AIDE cronjob is run. + # It must be in the range `0-59`. aide_minute: 0 + # This variable governs the hour of the time of day when the AIDE cronjob is run. 
+ # It must be in the range `0-23`. aide_hour: 5 + # This variable governs the day of the month when the AIDE cronjob is run. + # `*` signifies that the job is run on all days; furthermore, specific days + # can be given in the range `1-31`; several days can be concatenated with a comma. + # The specified day(s) can must be in the range `1-31`. aide_day: '*' + # This variable governs months when the AIDE cronjob is run. + # `*` signifies that the job is run in every month; furthermore, specific months + # can be given in the range `1-12`; several months can be concatenated with commas. + # The specified month(s) can must be in the range `1-12`. aide_month: '*' + # This variable governs the weekdays, when the AIDE cronjob is run. + # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays + # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays + # can be concatenated with commas. aide_weekday: '*' # SELinux policy +# This selects type of policy; targeted or mls ( multilevel ) +# mls should not be used, since it will disable unconfined policy module +# and may prevent some services from running. rhel9cis_selinux_pol: targeted # chose onf or enfocing or permissive +# CIS expects enforcing since permissive allows operations thet might compromise the system. +# Even though logging still occurs. rhel9cis_selinux_enforce: enforcing # Whether or not to run tasks related to auditing/patching the desktop environment 
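Review bot: Several of the new comments in `@@ -414,27 +451,67 @@` contain wording errors that change their meaning. The `rhel9cis_is_router` comment should read `# concerned with acceptance and routing of packets are skipped.` ("packages" is a different thing in this role), and both `aide_day` and `aide_month` say "can must be in the range", which should be "must be in the range"; the `aide_day` comment also states the `1-31` range twice. The `rhel9cis_ipv6_required` comment says the variable governs whether IPv6 "is enabled or disabled", but the heading calls it a requirement toggle; if it only skips or applies IPv6-related rules, say that rather than implying the role turns IPv6 on or off.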
@@ -443,6 +520,11 @@ rhel9cis_selinux_enforce: enforcing ### 2.1 Time Synchronization #### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 +# The following variable represents a list of of time servers used +# for configuring chrony, timesyncd, and ntp. +# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`. +# The default setting for the `options` is `minpoll` but `iburst` can be used, please refer to the documentation +# of the time synchronization mechanism you are using. rhel9cis_time_synchronization_servers: - 0.pool.ntp.org - 1.pool.ntp.org @@ -451,7 +533,9 @@ rhel9cis_time_synchronization_servers: rhel9cis_chrony_server_options: "minpoll 8" ### 2.2 Special Purposes -##### Service configuration booleans set true to keep service +# Service configuration variables (boolean). +# Set the respective variable to true to keep the service. +# otherwise the service is stopped and disabled rhel9cis_gui: false rhel9cis_avahi_server: false rhel9cis_cups_server: false @@ -469,10 +553,12 @@ rhel9cis_squid_server: false rhel9cis_snmp_server: false rhel9cis_telnet_server: false rhel9cis_is_mail_server: false -# Note the options -# Packages are used for client services and Server- only remove if you dont use the client service -# +# Note the options +# Client package configuration variables. +# Packages are used for client services and Server- only remove if you dont use the client service +# Set the respective variable to `true` to keep the +# client package, otherwise it is uninstalled (false). rhel9cis_use_nfs_server: false rhel9cis_use_nfs_service: false @@ -488,7 +574,7 @@ rhel9cis_openldap_clients_required: false rhel9cis_tftp_client: false rhel9cis_ftp_client: false -## Section3 vars +## Section 3 vars for ## Sysctl rhel9cis_sysctl_update: false rhel9cis_flush_ipv4_route: false 
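Review bot: The new comment above `rhel9cis_time_synchronization_servers` in `@@ -443,6 +520,11 @@` says each list item "contains two settings, `name` and `options`", but the list it documents holds plain strings (`- 0.pool.ntp.org`), and the options live in the separate scalar `rhel9cis_chrony_server_options: "minpoll 8"` shown in the next hunk. Either the comment describes a structure the default does not have, or the default needs to become a list of mappings; as written, a user following the comment would produce a list the template cannot consume. The comment also has a doubled word: `list of of time servers`.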
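Review bot: The heading changed in `@@ -488,7 +574,7 @@` now ends in a dangling preposition, `## Section 3 vars for`, followed by `## Sysctl`; either complete the sentence or keep it as `## Section 3 vars`. In `@@ -469,10 +553,12 @@` the lines `# Note the options` and `# Packages are used for client services and Server- only remove if you dont use the client service` are removed and re-added with no visible textual change, which suggests a trailing-whitespace edit; if so, the diff is fine, but the two old lines now sit between the new heading and its explanation and read out of order.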
@@ -509,7 +595,11 @@ rhel9cis_firewalld_ports: - number: 80 protocol: tcp -#### nftables +## Controls 3.5.2.x - nftables +# The default nftables table name is "filter". This variable name will be the one all +# "rhel9cis_nft_tables_tablename" is the name of the table in nftables you want to create. +# nftables configs are applied to. +# options are: inet filter rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true 
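Review bot: The nftables comment added in `@@ -509,7 +595,11 @@` has its sentences interleaved: `This variable name will be the one all` is continued two lines later by `nftables configs are applied to.`, with the `"rhel9cis_nft_tables_tablename" is the name ...` sentence inserted in between. Reorder it to something like `# "rhel9cis_nft_tables_tablename" is the name of the nftables table the role creates and applies all` / `# its nftables configuration to; the default table name is "filter".` The trailing `# options are: inet filter` is ambiguous because `inet` is an address family and `filter` a table name; say which of the two variables it refers to, or drop it.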
@@ -521,23 +611,60 @@ rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and ## Section4 vars ### 4.1 Configure System Accounting #### 4.1.2 Configure Data Retention +## Controls what actions, when log files fill up +# This variable controls how the audit system behaves when +# log files are getting too full and space is getting too low. rhel9cis_auditd: space_left_action: email action_mail_acct: root + # This variable determines the action the audit system should take when disk + # space runs low. + # The options for setting this variable are as follows: + # - `ignore`: the system does nothing when presented with the aforementioned issue; + # - `syslog`: a message is sent to the system log about disk space running low; + # - `suspend`: the system suspends recording audit events until more space is available; + # - `halt`: the system is halted when disk space is critically low. + # - `single`: the audit daemon will put the computer system in single user mode + # CIS prescribes either `halt` or `single`. admin_space_left_action: halt + # This variable determines what action the audit system should take when the maximum + # size of a log file is reached. + # The options for setting this variable are as follows: + # - `ignore`: the system does nothing when the size of a log file is full; + # - `syslog`: a message is sent to the system log indicating the problem; + # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated; + # - `rotate`: the log file is rotated (archived) and a new empty log file is created; + # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints. + # CIS prescribes the value `keep_logs`. 
max_log_file_action: keep_logs -# The audit_back_log_limit value should never be below 8192 +## Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient +# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the +# system can buffer in memory, if the audit subsystem is unable to process them in real-time. +# Buffering in memory is useful in situations, where the audit system is overwhelmed +# with incoming audit events, and needs to temporarily store them until they can be processed. +# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value. rhel9cis_audit_back_log_limit: 8192 -# The max_log_file parameter should be based on your sites policy +## Control 4.1.2.1 - Ensure audit log storage size is configured +# This variable specifies the maximum size in MB that an audit log file can reach +# before it is archived or deleted to make space for the new audit data. +# This should be set based on your sites policy. CIS does not provide a specific value. rhel9cis_max_log_file_size: 10 -### 4.1.3.x audit template +## 4.1.3.x - Audit template +# This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the +# audit settings are overwritten with the role's template. In order to exclude +# specific rules, you must set the variable of form `rhel9cis_rule_4_1_3_x` above +# to `false`. update_audit_template: false ## Advanced option found in auditd post +# users whose actions are not logged by auditd rhel9cis_allow_auditd_uid_user_exclusions: false +# add a list of uids to be excluded. +rhel9cis_auditd_uid_exclude: + - 1999 # This can be used to configure other keys in auditd.conf rhel9cis_auditd_extra_conf: {} 
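Review bot: `@@ -521,23 +611,60 @@` introduces `rhel9cis_auditd_uid_exclude` with a concrete UID, `- 1999`, as the shipped default. Even though it is gated by `rhel9cis_allow_auditd_uid_user_exclusions: false`, a default that silently drops one real UID from audit logging as soon as the gate is flipped is a surprising place for a hard-coded number; ship it as `rhel9cis_auditd_uid_exclude: []` and keep `1999` in the comment as an example. In the same hunk the long option lists are added for `admin_space_left_action` and `max_log_file_action`, but the two keys above them, `space_left_action: email` and `action_mail_acct: root`, remain undocumented although the introductory comment claims to describe the whole `rhel9cis_auditd` mapping.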
@@ -553,35 +680,63 @@ rhel9cis_rsyslog_ansiblemanaged: true #### 4.2.1.6 remote and destation log server name rhel9cis_remote_log_server: false -rhel9cis_remote_log_host: logagg.example.com +rhel9cis_remote_log_host: 192.168.2.100 rhel9cis_remote_log_port: 514 rhel9cis_remote_log_protocol: tcp rhel9cis_remote_log_retrycount: 100 rhel9cis_remote_log_queuesize: 1000 #### 4.2.1.7 +# This variable expresses whether the system is used as a log server or not. +# If set to `true`, controls that interfere with log server functionality or +# require that own system logs be sent to some other log server are skipped. rhel9cis_system_is_log_server: false # 4.2.2.1.2 # rhel9cis_journal_upload_url is the ip address to upload the journal entries to rhel9cis_journal_upload_url: 192.168.50.42 -# The paths below have the default paths/files, but allow user to create custom paths/filenames + +## The paths below have the default paths/files, but allow user to create custom paths/filenames +# This variable specifies the path to the private key file used by the remote journal +# server to authenticate itself to the client. This key is used alongside the server's +# public certificate to establish secure communication. rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" +# This variable specifies the path to the public certificate file of the remote journal +# server. This certificate is used to verify the authenticity of the remote server. rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" +# This variable specifies the path to a file containing one or more public certificates +# of certificate authorities (CAs) that the client trusts. These trusted certificates are used +# to validate the authenticity of the remote server's certificate. 
rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" # 4.2.2.1 # The variables below related to journald, please set these to your site specific values +# These variable specifies how much disk space the journal may use up at most +# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. +# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. +# ATTENTION: Uncomment the keyword below when values are set! # rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use rhel9cis_journald_systemmaxuse: 10M # rhel9cis_journald_systemkeepfree is the amount of disk space to keep free rhel9cis_journald_systemkeepfree: 100G +# rhel9cis_journald_runtimemaxuse control how much disk space the journal may use up at most. +# same as rhel9cis_journald_systemmaxuse. rhel9cis_journald_runtimemaxuse: 10M +# rhel9cis_journald_runtimekeepfree is the amount of disk space to keep free +# same as rhel9cis_journald_systemkeepfree. rhel9cis_journald_runtimekeepfree: 100G -# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +# rhel9cis_journald_MaxFileSec is how long in time to keep log files. +# This variable specifies, the maximum time to store entries in a single journal +# file before rotating to the next one. Set to 0 to turn off this feature. +# The given values is interpreted as seconds, unless suffixed with the units +# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds. +# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +# ATTENTION: Uncomment the keyword below when values are set! rhel9cis_journald_maxfilesec: 1month #### 4.3 +# This variable defines the log file rotation period. +# Options are: daily, monthly, yearly. rhel9cis_logrotate: "daily" ## Section5 vars 
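Review bot: `@@ -553,35 +680,63 @@` replaces the placeholder `rhel9cis_remote_log_host: logagg.example.com` with the routable private address `192.168.2.100`; `example.com` is reserved for exactly this purpose, whereas a real RFC 1918 address can point at an unrelated host on a user's network the moment `rhel9cis_remote_log_server` is set to true, so the old placeholder is the safer default. The new comments on `rhel9cis_journal_upload_serverkeyfile` and `rhel9cis_journal_servercertificatefile` say the key and certificate are used "by the remote journal server to authenticate itself to the client", but these options are consumed by the uploading host, which presents them to the remote server, and the file names (`journal-upload.pem`) match that reading; please confirm against the systemd documentation before the text ships. The twice-added `# ATTENTION: Uncomment the keyword below when values are set!` is confusing because the keys below it are not commented out.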
@@ -590,20 +745,61 @@ rhel9cis_logrotate: "daily" rhel9_cis_sshd_config_file: /etc/ssh/sshd_config rhel9cis_sshd: - clientalivecountmax: 0 - clientaliveinterval: 900 + # This variable sets the maximum number of unresponsive "keep-alive" messages + # that can be sent from the server to the client before the connection is considered + # inactive and thus, closed. + clientalivecountmax: 3 + # This variable sets the time interval in seconds between sending "keep-alive" + # messages from the server to the client. These types of messages are intended to + # keep the connection alive and prevent it being terminated due to inactivity. + clientaliveinterval: 300 + # This variable specifies the amount of seconds allowed for successful authentication to + # the SSH server. logingracetime: 60 - # WARNING: make sure you understand the precedence when working with these values!! - # allowusers: - # allowgroups: systems dba - # denyusers: - # denygroups: + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH + # access for users whose user name matches one of the patterns. This is done + # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. + # If an USER@HOST format will be used, the specified user will be allowed only on that particular host. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + allow_users: "" + # (String) This variable, if spcieifed, configures a list of GROUP name patterns, separated by spaces, to allow SSH access + # for users whose primary group or supplementary group list matches one of the patterns. This is done + # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. 
+ # For more info, https://linux.die.net/man/5/sshd_config + allow_groups: "wheel" + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access + # for users whose user name matches one of the patterns. This is done + # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. + # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + deny_users: "nobody" + # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access + # for users whose primary group or supplementary group list matches one of the patterns. This is done + # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + deny_groups: "" -# 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE +# 5.2.5 SSH LogLevel setting. +# This variable is used to control the verbosity of the logging produced by the SSH server. +# The options for setting it are as follows: +# - `QUIET`: Minimal logging; +# - `FATAL`: logs only fatal errors; +# - `ERROR`: logs error messages; +# - `INFO`: logs informational messages in addition to errors; +# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges; +# - `DEBUG`: generates very detailed debugging information including sensitive information. +# - `DEBUG(x)`: Whereas x = debug level 1 to 3, DEBUG=DEBUG1. rhel9cis_ssh_loglevel: INFO # 5.2.19 SSH MaxSessions setting. Must be 4 our less rhel9cis_ssh_maxsessions: 4 +## Control 5.5.1.4 +# This variable specifies the number of days of inactivity before an account will be locked. 
+# CIS requires a value of 30 days or less. rhel9cis_inactivelock: lock_days: 30 
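Review bot: `@@ -590,20 +745,61 @@` turns the previously commented-out `allowgroups`/`denyusers` placeholders into live defaults, `allow_groups: "wheel"` and `deny_users: "nobody"`. With `AllowGroups wheel` written to `sshd_config`, every account not in `wheel`, including the account Ansible connects with and any service accounts, loses SSH access on the first run with role defaults; a lockout is a likely outcome, so these should default to `""` with the values given in the comment as examples. The expanded `rhel9cis_ssh_loglevel` comment now lists `DEBUG` and `DEBUG(x)` as options without noting the benchmark expectation the removed line carried (`INFO` or `VERBOSE`), which a reader could take as permission to ship debug logging. The `allow_groups` comment also misspells "specified" as `spcieifed`.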
@@ -621,32 +817,65 @@ rhel9cis_authselect_custom_profile_create: false # 5.3.2 Enable automation to select custom profile options, using the settings above rhel9cis_authselect_custom_profile_select: false +## Controls 5.5.1.x - Password settings rhel9cis_pass: + ## Control 5.5.1.2 + # This variable governs after how many days a password expires. + # CIS requires a value of 365 or less. max_days: 365 + ## Control 5.5.1.1 + # This variable specifies the minimum number of days allowed between changing passwords. + # CIS requires a value of at least 1. min_days: 7 + ## Control 5.5.1.3 + # This variable governs, how many days before a password expires, the user will be warned. + # CIS requires a value of at least 7. warn_age: 7 # 5.5.1 ## PAM rhel9cis_pam_password: + # This variable sets the minimum chars a password needs to be set. minlen: 14 + # This variable set password complexity,the minimum number of + # character types that must be used (i.e., uppercase, lowercase, digits, other) + # Set to 2, passwords cannot have all lower/upper case. + # Set to 3, passwords needs numbers. + # set to 4, passwords will have to include all four types of characters. minclass: 4 rhel9cis_pam_faillock: + # This variable sets the amount of time a user will be unlocked after + # the max amount of password failures. unlock_time: 900 + # This variable sets the amount of tries a password can be entered, before a user is locked. deny: 5 + # This variable represents the number of password change cycles, after which + # a user can re-use a password. + # CIS requires a value of 5 or more. remember: 5 # UID settings for interactive users # These are discovered via logins.def if set true discover_int_uid: false +# This variable sets the minimum number from which to search for UID +# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# been set to `true`. 
min_int_uid: 1000 +# This variable sets the maximum number at which the search stops for UID +# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# been set to `true`. max_int_uid: 65533 # 5.3.3 var log location variable +# This variable defines the path and file name of the sudo log file. rhel9cis_sudolog_location: "/var/log/sudo.log" #### 5.3.6 +# This variable sets the duration (in minutes) during which a user's authentication credentials +# are cached after successfully authenticating using "sudo". This allows the user to execute +# multiple commands with elevated privileges without needing to re-enter their password for each +# command within the specified time period. CIS requires a value of at most 15 minutes. rhel9cis_sudo_timestamp_timeout: 15 ### 5.4.2 authselect and faillock 
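Review bot: The comments added for `min_int_uid` and `max_int_uid` in `@@ -621,32 +817,65 @@` refer to the variable as `dicover_int_uid`, but the key two lines above is `discover_int_uid`; a misspelled variable name in a comment sends users looking for a key that does not exist. The `unlock_time` comment, "sets the amount of time a user will be unlocked after the max amount of password failures", inverts the meaning; something like `# This variable sets the number of seconds an account stays locked after reaching the failure limit.` matches the key's name. `minlen` would also read better as `# This variable sets the minimum number of characters a password must have.`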
@@ -661,12 +890,24 @@ rhel9cis_5_4_2_risks: NEVER # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) rhel9cis_shell_session_timeout: + # This variable specifies the path of the timeout setting file. + # (TMOUT setting can be set in multiple files, but only one is required for the + # rule to pass. Options are: + # - a file in `/etc/profile.d/` ending in `.s`, + # - `/etc/profile`, or + # - `/etc/bash.bashrc`. file: /etc/profile.d/tmout.sh + # This variable represents the amount of seconds a command or process is allowed to + # run before being forcefully terminated. + # CIS requires a value of at most 900 seconds. timeout: 600 # RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords rhel9cis_futurepwchgdate_autofix: true # 5.3.7 +# This variable determines the group of users that are allowed to use the su command. +# one to specify a user group that is allowed to use the "su" command. +# CIS requires that such a group be created (named according to site policy) and be kept empty. rhel9cis_sugroup: nosugroup ## Section6 vars @@ -679,7 +920,7 @@ rhel9cis_no_world_write_adjust: true rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" # 6.2.16 -## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj +## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and community for rhel8-cis reedback. rhel_09_6_2_16_home_follow_symlinks: false #### Goss Configuration Settings #### From f3726b8908fb4530cd9df2f5225a4e71c6e54074 Mon Sep 17 00:00:00 2001 
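Review bot: The comment added for `timeout` under `rhel9cis_shell_session_timeout` in `@@ -661,12 +890,24 @@` says it is "the amount of seconds a command or process is allowed to run before being forcefully terminated", but the unchanged heading two lines above calls this the session timeout (TMOUT), i.e. seconds of inactivity before an interactive shell exits, which is what the CIS 900-second limit applies to. Replace it with `# This variable sets the number of seconds of inactivity after which an interactive shell session is ended (TMOUT).` The file-option list in the same hunk says profile.d files must end in `.s`, while the default is `/etc/profile.d/tmout.sh`, so `.sh` is presumably meant; the `rhel9cis_sugroup` comment also has a leftover fragment, `one to specify a user group that is allowed to use the "su" command.`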
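Review bot: The typo fix in `@@ -679,7 +920,7 @@` corrects "comminty" but leaves `reedback`, which should read `feedback`; the new line can be `## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and community for rhel8-cis feedback.`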
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:36:20 +0000 Subject: [PATCH 090/136] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v6.22.0 → v6.22.1](https://github.com/ansible-community/ansible-lint/compare/v6.22.0...v6.22.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 68f44f0..a79d4cb 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -43,7 +43,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.0 + rev: v6.22.1 hooks: - id: ansible-lint name: Ansible-lint From 72b503bf46fff97e122982d96098467b50401226 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Tue, 5 Dec 2023 14:42:51 +0200 Subject: [PATCH 091/136] Removing redundant conditional statements Signed-off-by: Ionut Pruteanu --- tasks/section_1/cis_1.6.1.x.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 724fd29..7ca0fd1 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -39,7 +39,6 @@ policy: "{{ rhel9cis_selinux_pol }}" state: "{{ rhel9cis_selinux_enforce }}" when: - - not rhel9cis_selinux_disable - rhel9cis_rule_1_6_1_3 tags: - level1-server @@ -54,7 +53,6 @@ policy: "{{ rhel9cis_selinux_pol }}" state: "{{ rhel9cis_selinux_enforce }}" when: - - not rhel9cis_selinux_disable - rhel9cis_rule_1_6_1_4 tags: - level1-server @@ -69,7 +67,6 @@ policy: "{{ rhel9cis_selinux_pol }}" state: enforcing when: - - not rhel9cis_selinux_disable - rhel9cis_selinux_enforce == 'enforcing' - rhel9cis_rule_1_6_1_5 tags: From 4fe5f95cf7b4167b277b89c074a96cd374c914c7 Mon Sep 17 00:00:00 2001 
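Review bot: Removing `- not rhel9cis_selinux_disable` from the `when:` lists in `@@ -39,7 +39,6 @@`, `@@ -54,7 +53,6 @@` and `@@ -69,7 +67,6 @@` of `tasks/section_1/cis_1.6.1.x.yml` is only redundant if the whole file is already skipped when `rhel9cis_selinux_disable` is true; that include-level gate is not visible on this page. If it is absent, tasks 1.6.1.3 to 1.6.1.5 would now set the SELinux policy and state on a host whose operator explicitly asked for SELinux to stay disabled. Please name the gating task (or the variable it checks) in the commit message, so the next reader can verify the condition really is covered elsewhere. The enclosing tasks start outside each hunk.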
From: Ionut Pruteanu Date: Tue, 5 Dec 2023 20:40:50 +0200 Subject: [PATCH 092/136] Timeout value defined in defaults/main.yml file not used Signed-off-by: Ionut Pruteanu --- templates/ansible_vars_goss.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e83dd40..f3b8a98 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -10,7 +10,7 @@ benchmark_version: '1.0.0' host_os_distribution: {{ ansible_facts.distribution | lower }} # timeout for each command to run where set - default = 10seconds/10000ms -timeout_ms: 60000 +timeout_ms: {{ audit_cmd_timeout }} # Taken from LE rhel9-cis rhel9cis_section1: {{ rhel9cis_section1 }} From dc59c320c831de88f774417c6227ad706b56006c Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Tue, 5 Dec 2023 21:01:06 +0200 Subject: [PATCH 093/136] Small additions to first part of documentation. Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 62 ++++++++++++++++++++++++++++++----------------- 1 file changed, 40 insertions(+), 22 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index bf059d1..4ff25a7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
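Review bot: With `timeout_ms: {{ audit_cmd_timeout }}` in `@@ -10,7 +10,7 @@` of `templates/ansible_vars_goss.yml.j2`, the unchanged comment above it, `# timeout for each command to run where set - default = 10seconds/10000ms`, no longer states the effective default, which now comes from `audit_cmd_timeout` in `defaults/main.yml` (60000 at this point in the series, 120000 after a later patch on this page). Change it to `# timeout for each command to run where set - taken from audit_cmd_timeout in defaults/main.yml` so the two files cannot drift again. The rendered value is an unquoted scalar, which is fine as long as `audit_cmd_timeout` stays an integer; a quoted or empty override would render as a string or null.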
@@ -1,7 +1,19 @@ --- # defaults file for rhel9-cis +# WARNING: +# These values may be overriden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here: +# https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable +## Usage on containerized images +# The role discovers dynamically (in tasks/main.yml) whether it +# is executed on a container image and sets the variable +# system_is_container the true. Otherwise, the default value +# 'false' is left unchanged. system_is_container: false +# The filename of the existing yml file in role's 'vars/' sub-directory +# to be used for managing the role-behavior when a container was detected: +# (de)activating rules or for other tasks(e.g. disabling Selinux or a specific +# firewall-type). container_vars_file: is_container.yml # rhel9cis is left off the front of this var for consistency in testing pipeline # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks @@ -14,7 +26,7 @@ os_check: true ## Switching on/off specific baseline sections # These variables govern whether the tasks of a particular section are to be executed when running the role. # E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true. -# to "true". If you do not want the tasks from that section to get executed you simply set the variable to "false". +# If you do not want the tasks from that section to get executed you simply set the variable to "false". rhel9cis_section1: true rhel9cis_section2: true rhel9cis_section3: true 
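Review bot: The new header comments in `@@ -1,7 +1,19 @@` have two wording errors: `overriden` should be `overridden`, and `sets the variable system_is_container the true` should be `sets the variable system_is_container to true`. The WARNING also calls `container_vars_file` a "vars-setting option", but by its own description it is the name of a file inside the role's `vars/` directory, so the example is presumably meant to be "vars loaded from the file named in `container_vars_file`"; reword or drop the parenthetical. Two spaces after `(e.g.` and before `like` would also help, as the text currently runs the words together.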
@@ -30,7 +42,12 @@ rhel9cis_section6: true rhel9cis_level_1: true rhel9cis_level_2: true +## 1.6 SubSection - Mandatory Access Control +# This variable governs if SELinux is disabled or not. If SELinux is NOT DISABLED by setting +# 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed. rhel9cis_selinux_disable: false +# This variable is used in a preliminary task, handling grub2 paths either in case of +# UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg'). rhel9cis_legacy_boot: false ## Python Binary 
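Review bot: The SELinux comment added in `@@ -30,7 +42,12 @@` contradicts itself: "If SELinux is NOT DISABLED by setting 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed" says that setting the variable to true both disables and does not disable SELinux. The intended statement is presumably `# If 'rhel9cis_selinux_disable' is left at 'false', the 1.6 subsection is executed; setting it to 'true' skips it.` The same sentence is carried over unchanged by `@@ -43,7 +43,7 @@` in the later patch on this page, which only replaces "if" with "whether". The `rhel9cis_legacy_boot` comment lists both grub paths but never says which value of the variable selects which one; `# true selects BIOS legacy boot ('/etc/grub2.cfg'), false selects UEFI ('/etc/grub2-efi.cfg')` would answer that, if that is the mapping the task uses.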
@@ -63,29 +80,28 @@ change_requires_reboot: false # by installing the required binary. setup_audit: false -## Enable audits to run +## Enable audits to run - this runs the audit and get the latest content # This variable governs whether the audit using the # separately maintained audit role using Goss # is carried out. -# This runs the audit and get the latest content run_audit: false # Only run Audit do not remediate audit_only: false -# As part of audit_only -# This will enable files to be copied back to control node +# This will enable files to be copied back to control node(part of audit_only) fetch_audit_files: false -# Path to copy the files to will create dir structure +# Path to copy the files to will create dir structure(part of audit_only) audit_capture_files_dir: /some/location to copy to on control node -## How to retrive goss -# Options are copy or download - detailed settings at the bottom of this file -# provided in variable `audit_conf_copy` for copying or -# the url given in variable `audit_files_url` for downloading. -# you will need to access to either github or the file already dowmloaded +## How to retrieve audit binary(Goss) +# Options are 'copy' or 'download' - detailed settings at the bottom of this file +# - if 'copy': +# - the filepath mentioned via the below 'audit_bin_copy_location' var will be used to access already downloaded Goss +# - if 'download': +# - the GitHub Goss-releases URL will be used for a fresh-download, via 'audit_bin_url' and 'audit_pkg_arch_name' vars get_audit_binary_method: download -## if get_audit_binary_method - copy the following needs to be updated for your environment +## if get_audit_binary_method is 'copy', the following var needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node ## e.g copy from ansible control node to remote host audit_bin_copy_location: /some/accessible/path 
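Review bot: A point of style in `@@ -63,29 +80,28 @@`: the new comments consistently omit the space before an opening parenthesis (`control node(part of audit_only)`, `audit binary(Goss)`, `dir structure(part of audit_only)`), which makes them harder to scan than the surrounding text. The nested option list for `get_audit_binary_method` is also inconsistent with the flat `# - git:` style used for `audit_content` further down; one list style for both would be easier to maintain. The `audit_capture_files_dir` line is unchanged, but its value `/some/location to copy to on control node` is still a plain scalar with spaces that parses as a single string, so it is a placeholder the user must replace rather than a path.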
@@ -95,16 +111,19 @@ audit_bin_copy_location: /some/accessible/path # This variable specifies the method of how to get the audit role # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf # onto the system. The options are as follows: -# - git: clone from git repository as specified in variable `audit_file_git` in -# the version specified by variable `audit_git_version` -# - copy: copy from path as specified in variable `audit_conf_copy` -# - get_url: Download from url as specified in variable `audit_files_url` +# - 'git': clone audit content from GitHub REPOSITORY, set up via `audit_file_git` var, and +# VERSION(e.g. branch, tag name), set up via `audit_git_version` var. +# - 'copy': copy from path as specified in variable `audit_conf_copy`. +# - 'archive': same as 'copy', only that the specified filepath needs to be unpacked. +# - 'get_url': Download from url as specified in variable `audit_files_url` audit_content: git -# archive or copy: +# This variable(only used when 'audit_content' is 'copy' or 'archive') should +# contain the filepath with audit-content to be copied/unarchived on server: audit_conf_copy: "some path to copy from" -# get_url: +# This variable(only used when 'audit_content' is 'get_url') should +# contain the URL from where the audit-content must be downloaded on server: audit_files_url: "some url maybe s3?" # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system @@ -114,7 +133,7 @@ audit_run_heavy_tests: true # This variable specifies the timeout (in ms) for audit commands that # take a very long time: if a command takes too long to complete, # it will be forcefully terminated after the specified duration. -audit_cmd_timeout: 60000 +audit_cmd_timeout: 120000 ### End Goss enablements #### 
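Review bot: `@@ -114,7 +133,7 @@` doubles `audit_cmd_timeout` from 60000 to 120000, but the commit is titled "Small additions to first part of documentation" and the hunk carries no comment explaining the new value. Since the previous patch on this page made `templates/ansible_vars_goss.yml.j2` consume this variable, the change now alters the Goss per-command timeout as well, so it deserves a sentence in the comment above the key and in the commit message. In `@@ -95,16 +111,19 @@` the `'git'` bullet says the content is cloned "from GitHub REPOSITORY", whereas the repository URL comes from `audit_file_git` and need not be on GitHub; `# - 'git': clone audit content from the repository set via audit_file_git, at the branch or tag set via audit_git_version.` is more accurate.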
@@ -122,6 +141,7 @@ audit_cmd_timeout: 60000 # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. # You must enable an entire section in order for the variables below to take effect. + # Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, # Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) rhel9cis_rule_1_1_1_1: true @@ -223,8 +243,7 @@ rhel9cis_rule_2_3_3: true rhel9cis_rule_2_3_4: true rhel9cis_rule_2_4: true -# Section 3 rules -# Network Configuration +# Section 3 rules are used for securely configuring the network configuration(kernel params, ACL, Firewall settings) rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_3: true @@ -367,7 +386,6 @@ rhel9cis_rule_5_6_6: true # Section 6 rules controls System Maintenance (System File Permissions and User and Group Settings) rhel9cis_rule_6_1_1: true -rhel9cis_rule_6_1_1: true rhel9cis_rule_6_1_2: true rhel9cis_rule_6_1_3: true rhel9cis_rule_6_1_4: true From 06489db6a8f60f647c2323d4d227527610a4cbf7 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Wed, 6 Dec 2023 22:20:32 +0200 Subject: [PATCH 094/136] Doc additions for: - Yum repos, - bootloader, - crypto policies, - SELinux - NTP Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 51 ++++++++++++++++++++++++++++++++++------------- 1 file changed, 37 insertions(+), 14 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4ff25a7..e1ef0ce 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -43,7 +43,7 @@ rhel9cis_level_1: true rhel9cis_level_2: true ## 1.6 SubSection - Mandatory Access Control -# This variable governs if SELinux is disabled or not. If SELinux is NOT DISABLED by setting +# This variable governs whether SELinux is disabled or not. If SELinux is NOT DISABLED by setting # 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed. rhel9cis_selinux_disable: false # This variable is used in a preliminary task, handling grub2 paths either in case of 
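Review bot: The reworded sentence is still ambiguous: `If SELinux is NOT DISABLED by setting 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed` can be read as "disabled by setting it to true", the opposite of the intended meaning. Suggest `# Subsection 1.6 runs only while 'rhel9cis_selinux_disable' is 'false'; setting it to 'true' skips 1.6 and leaves SELinux disabled.`, assuming that is what the 1.6 tasks (outside this hunk) implement.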
@@ -441,13 +441,21 @@ rhel9cis_rh_sub_password: password # pragma: allowlist secret # RedHat Satellite Subscription items rhel9cis_rhnsd_required: false -# 1.2.4 repo_gpgcheck +# Control 1.2.4 - When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM +# repo('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks +# which check the GPG signatures for all the individual YUM repositories. rhel9cis_rhel_default_repo: true +# Control 1.2.4 - When 'rhel9cis_rule_enable_repogpg' is set to 'true'(in conjunction with 'rhel9cis_rhel_default_repo':'false'), conditions are met for +# enabling the GPG signatures-check for all the individual YUM repositories. If GPG signatures-check is enabled on repositories which do not +# support it(like RedHat), installation of packages will fail. rhel9cis_rule_enable_repogpg: true -# 1.4.1 Bootloader password +# Control 1.4.1 - This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value +# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with +# this format: 'grub.pbkdf2.sha512...' rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' # pragma: allowlist secret rhel9cis_bootloader_password: random # pragma: allowlist secret +# Control 1.4.1 - This variable governs whether a bootloader password should be set in /boot/grub2/user.cfg file. rhel9cis_set_boot_pass: true ## Controls 1.8.x - Settings for GDM 
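Review bot: The new `rhel9cis_bootloader_password_hash` comment says the default "must be changed" but not why: the shipped hash is published in this repository, so a host left on it has a bootloader password anyone can look up, and the `allowlist secret` pragma hides that from scanners. Say it plainly, e.g. `# The shipped default hash is public (it is in this repository) and gives no protection; generate your own with 'grub2-mkpasswd-pbkdf2'.`, and if the 1.4.1 task does not already assert that the value differs from the default when `rhel9cis_set_boot_pass` is true, that check belongs there (task is outside this hunk). The `rhel9cis_rule_enable_repogpg` comment writes the value as `'True'` in one place and `'true'` in another; use the bare boolean `true` in both since the keys are booleans, not strings.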
@@ -455,17 +463,21 @@ rhel9cis_set_boot_pass: true # (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) # The default database is `local` rhel9cis_dconf_db_name: local - # This variable governs the number of seconds of inactivity before the screen goes blank. rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) - # This variable governs the number of seconds the screen remains blank before it is locked. rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) -# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) -# Control 1.10 states do not use LEGACY and control 1.11 says to use FUTURE or FIPS. +# Control 1.10 - This variable contains the value to be set as the system-wide crypto policy. Rule 1.10 enforces +# NOT using 'LEGACY' value(as it is less secure, it just ensures compatibility with legacy systems), therefore +# possible values for this variable are, as explained by RedHat docs: +# -'DEFAULT': reasonable default policy for today's standards(balances usability and security) +# -'FUTURE': conservative security level that is believed to withstand any near-term future attacks +# -'FIPS': A level that conforms to the FIPS140-2 requirements rhel9cis_crypto_policy: 'DEFAULT' -# Added module to be allowed as default setting (Allowed options in vars/main.yml) +# Control 1.10 - This variable contains the value of the crypto policy module(combinations of policies and +# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, +# using 'rhel9cis_allowed_crypto_policies_modules' variable. rhel9cis_crypto_policy_module: '' # System network parameters (host only OR host and router) 
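Review bot: The `rhel9cis_crypto_policy` comment presents `'FIPS'` as just another policy level, but selecting the FIPS crypto policy on its own does not put a RHEL system into FIPS mode; that is normally done with `fips-mode-setup --enable`, which sets the policy as part of enabling the kernel side. Add a caveat such as `# 'FIPS' only selects the crypto policy; full FIPS mode needs fips-mode-setup and a reboot` so an operator does not infer compliance from this variable alone. The previous comment also recorded that control 1.11 asks for FUTURE or FIPS; that guidance was dropped in the rewrite and is worth keeping next to the `'DEFAULT'` default.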
@@ -522,13 +534,21 @@ rhel9cis_aide_cron: # can be concatenated with commas. aide_weekday: '*' -# SELinux policy -# This selects type of policy; targeted or mls ( multilevel ) +## Control 1.6.1.3|4|5 - SELinux policy settings +# This selects type of policy; targeted or mls( multilevel ) # mls should not be used, since it will disable unconfined policy module -# and may prevent some services from running. +# and may prevent some services from running. Requires SELinux not being disabled(by +# having 'rhel9cis_selinux_disable' var set as 'true'), otherwise setting will be ignored. rhel9cis_selinux_pol: targeted -# chose onf or enfocing or permissive -# CIS expects enforcing since permissive allows operations thet might compromise the system. +## Control 1.6.1.3|4 - SELinux configured and not disabled +# This variable contains a specific SELinux mode, respectively: +# - 'enforcing': SELinux policy IS enforced, therefore denies operations based on SELinux policy +# rules. If system was installed with SELinux, this is enabled by default. +# - 'permissive': SELinux policy IS NOT enforced, therefore does NOT deny any operation, only +# logs AVC(Access Vector Cache) messages. RedHat docs suggest it "can be used +# briefly to check if SELinux is the culprit in preventing your application +# from working". +# CIS expects enforcing since permissive allows operations that might compromise the system. # Even though logging still occurs. rhel9cis_selinux_enforce: enforcing 
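Review bot: The added sentence on `rhel9cis_selinux_pol`, `Requires SELinux not being disabled(by having 'rhel9cis_selinux_disable' var set as 'true'), otherwise setting will be ignored`, reads as though disabling is the requirement; suggest `# Ignored when 'rhel9cis_selinux_disable' is 'true'.`. The new `rhel9cis_selinux_enforce` text quotes the vendor advice that permissive "can be used briefly" but stops short of the consequence for this control; add `# Leaving 'permissive' in place removes the protection this control provides; use it only while troubleshooting.`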
@@ -538,7 +558,7 @@ rhel9cis_selinux_enforce: enforcing ### 2.1 Time Synchronization #### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 -# The following variable represents a list of of time servers used +# The following variable represents a list of time servers used # for configuring chrony, timesyncd, and ntp. # Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`. # The default setting for the `options` is `minpoll` but `iburst` can be used, please refer to the documentation @@ -548,6 +568,9 @@ rhel9cis_time_synchronization_servers: - 1.pool.ntp.org - 2.pool.ntp.org - 3.pool.ntp.org +#### 2.1.2 - Time Synchronization servers +# This variable should contain the default options to be used for every NTP server hostname defined +# within the 'rhel9cis_time_synchronization_servers' var. rhel9cis_chrony_server_options: "minpoll 8" ### 2.2 Special Purposes From 9d988b483f6222ac310a1af342ffa9f1745f07e0 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Thu, 7 Dec 2023 18:10:09 +0200 Subject: [PATCH 095/136] Masking service when server package is needed Signed-off-by: Ionut Pruteanu --- tasks/section_2/cis_2.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 8c6ccf6..563ec4b 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -274,8 +274,8 @@ masked: true state: stopped when: - - not rhel9cis_use_nfs_server - - rhel9cis_use_nfs_service + - rhel9cis_use_nfs_server + - not rhel9cis_use_nfs_service when: - "'nfs-utils' in ansible_facts.packages" - rhel9cis_rule_2_2_16 From cd04537bf10b9c03228a3ab61b49ca242c7849da Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Thu, 7 Dec 2023 18:58:02 +0200 Subject: [PATCH 096/136] Using correct conditional for ftpd Signed-off-by: Ionut Pruteanu --- tasks/section_2/cis_2.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
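Review bot: After the swap in the cis_2.2.x.yml hunk the mask task runs for `rhel9cis_use_nfs_server: true` with `rhel9cis_use_nfs_service: false`, which matches the semantics later documented for 2.2.16, but the remaining combination (server false, service true) now matches neither the mask nor, presumably, the package-removal branch and passes silently (the removal task is outside this hunk). Since the defaults describe that combination as making no sense, an `ansible.builtin.assert` on the two variables at the start of 2.2.16 would turn the silent no-op into a visible failure.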
diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index 10a0662..c576a65 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -50,7 +50,7 @@ name: ftp state: absent when: - - not rhel9cis_tftp_client + - not rhel9cis_ftp_client - "'ftp' in ansible_facts.packages" - rhel9cis_rule_2_3_4 tags: From 81fd98e2c63bc6ffcedcd77203be6124cf4d8976 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Thu, 7 Dec 2023 20:38:20 +0200 Subject: [PATCH 097/136] Using correct conditional for Task relying on 'firewall-cmd --get-active-zones' cmd Signed-off-by: Ionut Pruteanu --- tasks/section_3/cis_3.4.2.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 73d85f4..ee57e5b 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -194,6 +194,7 @@ - "{{ rhel9cis_3_4_2_5_servicesport.stdout_lines }}" when: - rhel9cis_rule_3_4_2_5 + - rhel9cis_firewall == "firewalld" tags: - level1-server - level1-workstation From 6dfbe18612160de80a232a53978fb226dcf8b342 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Thu, 7 Dec 2023 22:53:01 +0200 Subject: [PATCH 098/136] Doc additions for: - Sections 2.2 && 2.3 - Section 3 - Section 4.1 Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 152 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 148 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e1ef0ce..1ae5261 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
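Review bot: The added `rhel9cis_firewall == "firewalld"` condition in the cis_3.4.2.x.yml hunk does not protect the list item above it: if `rhel9cis_3_4_2_5_servicesport` is registered by a task that is itself skipped for non-firewalld hosts, Ansible evaluates the loop expression before `when`, and a skipped task's result has no `stdout_lines`, so this task errors instead of being skipped. Guarding the loop value itself, `- "{{ rhel9cis_3_4_2_5_servicesport.stdout_lines | default([]) }}"`, avoids that, assuming this list is the task's `loop`/`with_items` (the key is outside the hunk). The `rhel9cis_ftp_client` correction in cis_2.3.x.yml is right as is.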
@@ -577,22 +577,60 @@ rhel9cis_chrony_server_options: "minpoll 8" # Service configuration variables (boolean). # Set the respective variable to true to keep the service. # otherwise the service is stopped and disabled + +# This variable governs whether rules dealing with GUI specific packages(and/or their settings) should +# be executed either to: +# - secure GDM(Control 1.8.2-1.8.10), if GUI is needed('rhel9cis_gui: true') +# - or remove GDM(Control 1.8.1) and X-Windows-system(2.2.1), if no GUI is needed('rhel9cis_gui: false') rhel9cis_gui: false +# Control 2.2.2 - Ensure Avahi Server is not installed +# This variable, when set to false, will specify that Avahi Server packages should be uninstalled. rhel9cis_avahi_server: false +# Control 2.2.3 - Ensure CUPS is not installed +# This variable, when set to false, will specify that CUPS(Common UNIX Printing System) package should be uninstalled. rhel9cis_cups_server: false +# Control 2.2.4 - Ensure DHCP Server is not installed +# This variable, when set to false, will specify that DHCP server package should be uninstalled. rhel9cis_dhcp_server: false +# Control 2.2.5 - Ensure DNS Server is not installed +# This variable, when set to false, will specify that DNS server package should be uninstalled. rhel9cis_dns_server: false +# Control 2.2.14 - Ensure dnsmasq is not installed +# This variable, when set to false, will specify that dnsmasq package should be uninstalled. rhel9cis_dnsmasq_server: false +# Control 2.2.6 - Ensure VSFTP Server is not installed +# This variable, when set to false, will specify that VSFTP server package should be uninstalled. rhel9cis_vsftpd_server: false +# Control 2.2.7 - Ensure TFTP Server is not installed +# This variable, when set to false, will specify that TFTP server package should be uninstalled. 
rhel9cis_tftp_server: false +# Control 2.2.8 - Ensure a web server is not installed - HTTPD +# This variable, when set to false, will specify that webserver packages(HTTPD) should be uninstalled. rhel9cis_httpd_server: false +# Control 2.2.8 - Ensure a web server is not installed - NGINX +# This variable, when set to false, will specify that webserver packages(NGINX) should be uninstalled. rhel9cis_nginx_server: false +# Control 2.2.9 - Ensure IMAP and POP3 server is not installed - dovecot +# This variable, when set to false, will specify that IMAP and POP3 servers(dovecot) should be uninstalled. rhel9cis_dovecot_server: false +# Control 2.2.9 - Ensure IMAP and POP3 server is not installed - cyrus-imapd +# This variable, when set to false, will specify that IMAP and POP3 servers(cyrus-imapd) should be uninstalled. rhel9cis_imap_server: false +# Control 2.2.10 - Ensure Samba is not enabled +# This variable, when set to false, will specify that 'samba' package should be uninstalled. rhel9cis_samba_server: false +# Control 2.2.11 - Ensure HTTP Proxy Server is not installed +# This variable, when set to false, will specify that 'squid' package should be uninstalled. rhel9cis_squid_server: false +# Control 2.2.12 - Ensure net-snmp is not installed +# This variable, when set to false, will specify that 'net-snmp' package should be uninstalled. rhel9cis_snmp_server: false +# Control 2.2.13 - Ensure telnet-server is not installed +# This variable, when set to false, will specify that 'telnet-server' package should be uninstalled. rhel9cis_telnet_server: false +# Control 2.2.15 - Ensure mail transfer agent is configured for local-only mode +# This variable, when system is NOT a mailserver, will configure Postfix to listen only on the loopback interface(the virtual +# network interface that the server uses to communicate internally. rhel9cis_is_mail_server: false # Note the options 
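Review bot: The 2.2.15 comment at the end of the hunk opens a parenthesis that is never closed, `loopback interface(the virtual network interface that the server uses to communicate internally.`; close it and add the space before it. The control numbering is out of order (2.2.14 dnsmasq sits between 2.2.5 and 2.2.6), and 2.2.10 is titled "Ensure Samba is not enabled" while its sentence says the package is uninstalled, so the title should name what the task does. Every entry repeats "when set to false ... should be uninstalled" while the heading above says "true to keep the service"; a single reminder that the default (`false`) means removal would read better than the repeated phrase.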
@@ -600,35 +638,121 @@ rhel9cis_is_mail_server: false # Packages are used for client services and Server- only remove if you dont use the client service # Set the respective variable to `true` to keep the # client package, otherwise it is uninstalled (false). + +# Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked" +# This variable specifies if the usage of NFS SERVER is needed. The behavior of 2.2.16 will depend on +# the var used in conjunction('rhel9cis_use_nfs_service') with current one, respectively: +# - if Server IS NOT needed('false') and: +# - Service IS NOT needed('rhel9cis_use_nfs_service: false'): 'nfs-utils' package will be removed +# - Service IS needed('rhel9cis_use_nfs_service: true'): impossible to need the service without the server +# - if Server IS needed('true') and: +# - Service IS NOT needed('rhel9cis_use_nfs_service: false'): 'nfs-server' service will be masked +# - Service IS needed('rhel9cis_use_nfs_service: true'): Rule 2.2.16 will be SKIPPED. +# | Server | Service | Result | +# |---------|---------|-----------------------------------------------------------| +# | false | false | Remove package | +# | false | true | Needing 'service' without needing 'server' makes no sense | +# | true | false | Mask 'service' | +# | true | true | SKIP RULE, BOTH 'service' and 'server' are required | rhel9cis_use_nfs_server: false +# Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked. +# This variable specifies if the usage of NFS SERVICE is needed. 
If it's: +# - needed('true'): rule 2.2.16 will not be executed at all +# - not needed('false'): rule 2.2.16 will be executed, its behavior being controlled by the var +# used in conjunction with current one: +# - removing 'nfs-utils' package('rhel9cis_use_nfs_server' set to 'false') +# - masking the 'nfs-server' service('rhel9cis_use_nfs_server' set to 'true') rhel9cis_use_nfs_service: false +# Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked +# This variable specifies if the usage of RPC SERVER is needed. The behavior of 2.2.17 will depend on +# the var used in conjunction('rhel9cis_use_rpc_service') with current one, respectively: +# - if Server IS NOT needed('false') and: +# - Service IS NOT needed('rhel9cis_use_rpc_service: false'): 'rpcbind' package will be removed +# - Service IS needed('rhel9cis_use_rpc_service: true'): impossible to need the service without the server +# - if Server IS needed('true') and: +# - Service IS NOT needed('rhel9cis_use_rpc_service: false'): 'rpcbind.socket' service will be masked +# - Service IS needed('rhel9cis_use_rpc_service: true'): Rule 2.2.17 will be SKIPPED. +# | Server | Service | Result | +# |---------|---------|-----------------------------------------------------------| +# | false | false | Remove package | +# | false | true | Needing 'service' without needing 'server' makes no sense | +# | true | false | Mask 'service' | +# | true | true | SKIP RULE, BOTH 'service' and 'server' are required | rhel9cis_use_rpc_server: false +# Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked +# This variable specifies if the usage of RPC SERVICE is needed. 
If it's: +# - needed('true'): rule 2.2.17 will not be executed at all +# - not needed('false'): rule 2.2.17 will be executed, its behavior being controlled by the var +# used in conjunction with current one: +# - removing 'rpcbind' package('rhel9cis_use_rpc_server' set to 'false') +# - masking the 'rpcbind.socket' service('rhel9cis_use_rpc_server' set to 'true') rhel9cis_use_rpc_service: false + +# Control 2.2.18 - Ensure rsync service is not enabled +# This variable specifies if the usage of RSYNC SERVER is needed. The behavior of 2.2.18 will depend on +# the var used in conjunction('rhel9cis_use_rsync_service') with current one, respectively: +# - if Server IS NOT needed('false') and: +# - Service IS NOT needed('rhel9cis_use_rsync_service: false'): 'rsync-daemon' package will be removed +# - Service IS needed('rhel9cis_use_rsync_service: true'): impossible to need the service without the server +# - if Server IS needed('true') and: +# - Service IS NOT needed('rhel9cis_use_rsync_service: false'): 'rsyncd' service will be masked +# - Service IS needed('rhel9cis_use_rsync_service: true'): Rule 2.2.18 will be SKIPPED. +# | Server | Service | Result | +# |---------|---------|-----------------------------------------------------------| +# | false | false | Remove package | +# | false | true | Needing 'service' without needing 'server' makes no sense | +# | true | false | Mask 'service' | +# | true | true | SKIP RULE, BOTH 'service' and 'server' are required | rhel9cis_use_rsync_server: false +# Control 2.2.18 - Ensure rsync service is not enabled +# This variable specifies if the usage of RSYNC SERVICE is needed. 
If it's: +# - needed('true'): rule 2.2.18 will not be executed at all +# - not needed('false'): rule 2.2.18 will be executed, its behavior being controlled by the var +# used in conjunction with current one: +# - removing 'rsync-daemon' package('rhel9cis_use_rsync_server' set to 'false') +# - masking the 'rsyncd' service('rhel9cis_use_rsync_server' set to 'true') rhel9cis_use_rsync_service: false #### 2.3 Service clients +# Control - 2.3.1 - Ensure telnet client is not installed +# Set this variable to `true` to keep package `telnet`; otherwise, the package is uninstalled. rhel9cis_telnet_required: false +# Control - 2.3.2 - Ensure LDAP client is not installed +# Set this variable to `true` to keep package `openldap-clients`; otherwise, the package is uninstalled. rhel9cis_openldap_clients_required: false +# Control - 2.3.3 - Ensure FTP client is not installed +# Set this variable to `true` to keep package `tftp`; otherwise, the package is uninstalled. rhel9cis_tftp_client: false +# Control - 2.3.4 - Ensure FTP client is not installed +# Set this variable to `true` to keep package `ftp`; otherwise, the package is uninstalled. rhel9cis_ftp_client: false ## Section 3 vars for ## Sysctl +# This variable governs if the task which updates sysctl(including sysctl reload) is executed, but current +# default value can be overriden by other tasks(1.5.3, 3.1.1, 3.2.1, 3.2.2, 3.3.1-3.3.9). rhel9cis_sysctl_update: false +# This variable governs if the task which flushes the IPv4 routing table is executed(forcing subsequent connections to +# use the new configuration). Current default value can be overriden by other tasks(3.2.1, 3.2.2, 3.3.1-3.3.8). rhel9cis_flush_ipv4_route: false +# This variable governs if the task which flushes the IPv6 routing table is executed(forcing subsequent connections to +# use the new configuration). Current default value can be overriden by other tasks(3.1.1, 3.2.1, 3.3.1, 3.3.2, 3.3.9). 
rhel9cis_flush_ipv6_route: false -### Firewall Service - either firewalld, iptables, or nftables +### Firewall Service to install and configure - Option is: +# 1) either 'firewalld'(Controls 3.4.1.2, 3.4.2.1, 3.4.2.4) +# 2) or 'nftables'(Controls ) #### Some control allow for services to be removed or masked #### The options are under each heading #### absent = remove the package #### masked = leave package if installed and mask the service rhel9cis_firewall: firewalld -##### firewalld +# Control 3.4.2.1 - Ensure firewalld default zone is set +# This variable will set the firewalld default zone(that is used for everything that is not explicitly bound/assigned +# to another zone): if there is no zone assigned to a connection, interface or source, only the default zone is used. rhel9cis_default_zone: public # These settings are added to demonstrate how this update can be done (eventually will require a new control) 
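Review bot: The new comment for `rhel9cis_tftp_client` is a copy of the ftp one, `Control - 2.3.3 - Ensure FTP client is not installed`, but 2.3.3 and the package it names (`tftp`) are the TFTP client; change it to `# Control - 2.3.3 - Ensure TFTP client is not installed`. The firewall heading line `2) or 'nftables'(Controls )` was committed with an empty control list, and "overriden" in the three sysctl/route comments should be "overridden". The nfs/rpc/rsync tables each state that the false/true row "makes no sense" but nothing here rejects it; if the 2.2.16-2.2.18 tasks (outside this hunk) do not already, an assert on that combination is where the table should be enforced.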
@@ -641,10 +765,26 @@ rhel9cis_firewalld_ports: # "rhel9cis_nft_tables_tablename" is the name of the table in nftables you want to create. # nftables configs are applied to. # options are: inet filter + +# Control 3.4.2.2 - Ensure at least one nftables table exists +# This variable governs if a table will be automatically created in nftables. Without a table (no default one), nftables +# will not filter network traffic, so if this variable is set to 'false' and no tables exist, an alarm will be triggered! rhel9cis_nft_tables_autonewtable: true +# Controls 3.4.2.{2|3|4|6|7} nftables +# This variable stores the name of the table to be used when configuring nftables(creating chains, configuring loopback +# traffic, established connections, default deny). If 'rhel9cis_nft_tables_autonewtable' is set as true, a new table will +# be created using as name the value stored by this variable. rhel9cis_nft_tables_tablename: filter +# Control 3.4.2.3 - Ensure nftables base chains exist +# This variable governs if a nftables base chain(entry point for packets from the networking stack) will be automatically +# created, if needed. Without a chain, a hook for input, forward, and delete, packets that would flow through those +#chains will not be touched by nftables rhel9cis_nft_tables_autochaincreate: true +## Controls: +# - 1.7.1 - Ensure message of the day is configured properly +# - 1.7.2 - Ensure local login warning banner is configured properly +# - 1.7.3 - Ensure remote login warning banner is configured properly # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and reported. # End Banner 
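Review bot: The `rhel9cis_nft_tables_autochaincreate` comment lists the base-chain hooks as `input, forward, and delete`; the hooks this control creates chains for are input, forward and output, so "delete" should read "output". The same comment has a line beginning `#chains` with no space after the hash, and the `rhel9cis_nft_tables_autonewtable` text says "an alarm will be triggered!" without saying what the role does (fail, warn, or skip the rule); name the actual behaviour of the 3.4.2.2 task, which is outside this hunk.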
@@ -656,7 +796,11 @@ rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and # This variable controls how the audit system behaves when # log files are getting too full and space is getting too low. rhel9cis_auditd: + # This variable tells the system what action to take when the system has detected + #that it is starting to get low on disk space. Options are the same as for `admin_space_left_action` space_left_action: email + # This variable should contain a valid email address or alias(default value is root), + # which will be used to send a warning when configured action is 'email'. action_mail_acct: root # This variable determines the action the audit system should take when disk # space runs low. @@ -701,9 +845,9 @@ rhel9cis_max_log_file_size: 10 update_audit_template: false ## Advanced option found in auditd post -# users whose actions are not logged by auditd +# This variable governs if defining user exceptions for auditd logging is acceptable. rhel9cis_allow_auditd_uid_user_exclusions: false -# add a list of uids to be excluded. +# This variable contains a list of uids to be excluded(users whose actions are not logged by auditd) rhel9cis_auditd_uid_exclude: - 1999 From d79bba53c6950f317665d586180eae2a7b1d3fe0 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 8 Dec 2023 12:01:10 +0200 Subject: [PATCH 099/136] Rsyslog subsection corrected header(was using 4.2 logging name, instead of 4.2.1. rsyslog name) Signed-off-by: Ionut Pruteanu --- tasks/section_4/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index db729af..d3b6b8d 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -18,7 +18,7 @@ ansible.builtin.import_tasks: file: cis_4.1.4.x.yml -- name: "SECTION | 4.2 | Configure Logging" +- name: "SECTION | 4.2.1 | Configure rsyslog" ansible.builtin.import_tasks: file: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' 
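Review bot: In the `rhel9cis_auditd` hunk the second comment line starts `#that it is starting` with no space after the hash, and the `action_mail_acct` text does not say that the `email` action depends on local mail delivery to that account. A short note such as `# 'email' needs a working local MTA; mail to 'root' stays on the host when Postfix is loopback-only (rhel9cis_is_mail_server: false)` ties it to the earlier setting in this file and avoids a silent non-delivery.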
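Review bot: The rewritten comment on `rhel9cis_allow_auditd_uid_user_exclusions`, "governs if defining user exceptions for auditd logging is acceptable", understates what the switch does. Prefer `# Set to true only deliberately: every uid in 'rhel9cis_auditd_uid_exclude' is removed from audit coverage.` so the blind spot it creates is visible at the point where it is enabled.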
From e0de491263db91eab4849ad471721a7ec256aadb Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 8 Dec 2023 12:03:00 +0200 Subject: [PATCH 100/136] whole section defined in cis_4.2.1.x.yml gets executed only `when: rhel9cis_syslog == 'rsyslog'`, having same condition is redundant and may confuse users. Signed-off-by: Ionut Pruteanu --- tasks/section_4/cis_4.2.1.x.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 10e0ac2..a3f2a44 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -35,7 +35,6 @@ notify: Restart rsyslog when: - rhel9cis_rule_4_2_1_3 - - rhel9cis_syslog == "rsyslog" tags: - level1-server - level1-workstation From c19e350b7d1bd87fe7a1e30ff53ebeab39897ae4 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 8 Dec 2023 16:44:30 +0200 Subject: [PATCH 101/136] Using rhel9cis_authselect['options'], otherwise not used at all Signed-off-by: Ionut Pruteanu --- tasks/section_5/cis_5.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 52c1f70..69eb090 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -44,7 +44,7 @@ - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}" - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" - ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" + ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}" when: rhel9cis_authselect_custom_profile_select - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile" From 28a61fa71dc7b0b56c7d07b0e61346e82de280a5 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 8 Dec 2023 20:17:43 +0200 Subject: [PATCH 102/136] Last docs part - additions 
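Review bot: The rewritten `authselect select` line in the cis_5.4.x.yml hunk replaces the hard-coded `with-faillock` with `{{ rhel9cis_authselect['options'] }}`, so a task named "Ensure authselect includes with-faillock" now only includes it if the operator's options string happens to contain it. Either append the feature when it is absent, or assert `'with-faillock' in rhel9cis_authselect['options']` before running the command, so the control's outcome does not depend on an unchecked variable. The command uses no shell features, so `ansible.builtin.command` is the safer module for an argument string built from variables.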
Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 196 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 147 insertions(+), 49 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 1ae5261..617b692 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -851,65 +851,113 @@ rhel9cis_allow_auditd_uid_user_exclusions: false rhel9cis_auditd_uid_exclude: - 1999 -# This can be used to configure other keys in auditd.conf +## Control 'Configure other keys for auditd.conf' in 4.1.2.x section +# The default auditd configuration should be suitable for most environments, but if your environment must +# meet strict security policies, the extra configuration pairs used for securing auditd(by modifying +# '/etc/audit/auditd.conf' file) can be stored within current variable. rhel9cis_auditd_extra_conf: {} # Example: # rhel9cis_auditd_extra_conf: # admin_space_left: '10%' -## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging -## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 +## 4.2.1 | Configure rsyslog +## 4.2.2 | Configure journald +# This variable governs which logging service should be used, choosing between 'rsyslog'(CIS recommendation) +# or 'journald'(only one is implemented) will trigger the execution of the associated subsection, as the-best +# practices are written wholly independent of each other. rhel9cis_syslog: rsyslog +## Control 4.2.1.5 | PATCH | Ensure logging is configured +# This variable governs if current Ansible role should manage syslog settings +# in /etc/rsyslog.conf file, namely mail, news and misc(warn, messages) rhel9cis_rsyslog_ansiblemanaged: true -#### 4.2.1.6 remote and destation log server name +#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable governs if 'rsyslog' service should be automatically configured to forward messages to a +# remote log server. If set to 'false', the configuration of the 'omfwd' plugin, used to provide forwarding +# over UDP or TCP, will not be performed. 
rhel9cis_remote_log_server: false -rhel9cis_remote_log_host: 192.168.2.100 +#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable configures the value of the 'target' parameter to be configured when enabling +# forwarding syslog messages to a remote log server, thus configuring the actual FQDN/IP address of the +# destination server. For this value to be reflected in the configuration, the variable which enables the +# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). +rhel9cis_remote_log_host: logagg.example.com +#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable configures the value of the 'port' parameter to be configured when enabling +# forwarding syslog messages to a remote log server. The default value for this destination port is 514. +# For this value to be reflected in the configuration, the variable which enables the +# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_port: 514 +#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable configures the value("TCP"/"UDP") of the 'protocol' parameter to be configured when enabling +# forwarding syslog messages to a remote log server. The default value for the 'omfwd' plug-in is UDP. +# For this value to be reflected in the configuration, the variable which enables the +# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_protocol: tcp +#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable governs how often an action is retried(value is passed to 'action.resumeRetryCount' parameter) before +# it is considered to have failed(that roughly translates to discarded messages). 
The default value is 0, but +# when set to "-1"(eternal), this setting would prevent rsyslog from dropping messages when retrying to connect +# if server is not responding. For this value to be reflected in the configuration, the variable which enables the +# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_retrycount: 100 +#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable configures the maximum number of messages that can be hold(value is passed to 'queue.size' parameter). +# For this value to be reflected in the configuration, the variable which enables the automatic configuration +# of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_queuesize: 1000 -#### 4.2.1.7 -# This variable expresses whether the system is used as a log server or not. -# If set to `true`, controls that interfere with log server functionality or -# require that own system logs be sent to some other log server are skipped. +#### Control 4.2.1.7 - Ensure rsyslog is not configured to receive logs from a remote client +# This variable expresses whether the system is used as a log server or not. If set to: +# - 'false', current system will act as a log CLIENT, thus it should NOT receive data from other hosts. +# - 'true', current system will act as a log SERVER, enabling centralised log management(by protecting log integrity +# from local attacks on remote clients) rhel9cis_system_is_log_server: false -# 4.2.2.1.2 -# rhel9cis_journal_upload_url is the ip address to upload the journal entries to +#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured +# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to +# URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. 
The port +# number may be specified after a colon (":"), otherwise 19532 will be used by default. rhel9cis_journal_upload_url: 192.168.50.42 - ## The paths below have the default paths/files, but allow user to create custom paths/filenames +#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured # This variable specifies the path to the private key file used by the remote journal # server to authenticate itself to the client. This key is used alongside the server's # public certificate to establish secure communication. rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" +#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured # This variable specifies the path to the public certificate file of the remote journal # server. This certificate is used to verify the authenticity of the remote server. rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" +#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured # This variable specifies the path to a file containing one or more public certificates # of certificate authorities (CAs) that the client trusts. These trusted certificates are used # to validate the authenticity of the remote server's certificate. rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" -# 4.2.2.1 +# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy # The variables below related to journald, please set these to your site specific values # These variable specifies how much disk space the journal may use up at most # Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. # See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. # ATTENTION: Uncomment the keyword below when values are set! 
+ +# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy # rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use rhel9cis_journald_systemmaxuse: 10M +# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy # rhel9cis_journald_systemkeepfree is the amount of disk space to keep free rhel9cis_journald_systemkeepfree: 100G +# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy # rhel9cis_journald_runtimemaxuse control how much disk space the journal may use up at most. # same as rhel9cis_journald_systemmaxuse. rhel9cis_journald_runtimemaxuse: 10M +# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy # rhel9cis_journald_runtimekeepfree is the amount of disk space to keep free -# same as rhel9cis_journald_systemkeepfree. +# same as rhel9cis_journald_systemkeepfree, but related to runtime space. rhel9cis_journald_runtimekeepfree: 100G +# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy # rhel9cis_journald_MaxFileSec is how long in time to keep log files. # This variable specifies, the maximum time to store entries in a single journal # file before rotating to the next one. Set to 0 to turn off this feature. 
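Review bot: The `rhel9cis_remote_log_protocol` comment documents the value as `"TCP"/"UDP"` while the default is lowercase `tcp`; unless the template normalises case, one of the two is wrong, so state the accepted spelling and make the default match it. The 4.2.1.6 comments describe omfwd forwarding over UDP or TCP without noting that both carry log data in cleartext; add `# Plain TCP/UDP forwarding is unencrypted; use a trusted network path or a TLS-capable transport` so the default is not taken for a secure channel. The `Control 4.2.2.6` heading is repeated before every journald key; one heading for the group would be easier to read.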
@@ -919,16 +967,23 @@ rhel9cis_journald_runtimekeepfree: 100G # ATTENTION: Uncomment the keyword below when values are set! rhel9cis_journald_maxfilesec: 1month -#### 4.3 +#### Control 4.3 - Ensure logrotate is configured # This variable defines the log file rotation period. -# Options are: daily, monthly, yearly. +# Options are: daily, weekly, monthly, yearly. rhel9cis_logrotate: "daily" ## Section5 vars -# This will allow use of drop in files when CIS adopts them. +# Section 5.2 - SSH +# This value, containing the absolute filepath of the produced 'sshd' config file, allows usage of +# drop-in files('/etc/ssh/ssh_config.d/{ssh_drop_in_name}.conf', supported by RHEL9) when CIS adopts them. +# Otherwise, the default value is '/etc/ssh/ssh_config'. rhel9_cis_sshd_config_file: /etc/ssh/sshd_config +#### Controls: +## 5.2.4 - Ensure SSH access is limited +## 5.2.19 - Ensure SSH LoginGraceTime is set to one minute or less +## 5.2.20 - Ensure SSH Idle Timeout Interval is configured rhel9cis_sshd: # This variable sets the maximum number of unresponsive "keep-alive" messages # that can be sent from the server to the client before the connection is considered @@ -968,7 +1023,7 @@ rhel9cis_sshd: # For more info, see https://linux.die.net/man/5/sshd_config deny_groups: "" -# 5.2.5 SSH LogLevel setting. +# Control 5.2.5 - Ensure SSH LogLevel is appropriate # This variable is used to control the verbosity of the logging produced by the SSH server. # The options for setting it are as follows: # - `QUIET`: Minimal logging; 
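Review bot: The new comment above `rhel9_cis_sshd_config_file` points readers at the client-side files (`/etc/ssh/ssh_config.d/{ssh_drop_in_name}.conf` and a default of `/etc/ssh/ssh_config`), yet the variable holds the server configuration `/etc/ssh/sshd_config`, so anyone following the comment would edit the wrong file. sshd's drop-in directory is `/etc/ssh/sshd_config.d/`; suggested wording: `# Absolute path of the sshd configuration file managed by this role; lets the role target a drop-in file under '/etc/ssh/sshd_config.d/' when CIS adopts them. Default: '/etc/ssh/sshd_config'.` The `rhel9cis_sshd` mapping that follows continues past the end of this hunk.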
@@ -980,45 +1035,59 @@ rhel9cis_sshd: # - `DEBUG(x)`: Whereas x = debug level 1 to 3, DEBUG=DEBUG1. rhel9cis_ssh_loglevel: INFO -# 5.2.19 SSH MaxSessions setting. Must be 4 our less +# Control 5.2.18 - Ensure SSH MaxSessions is set to 10 or less +# This variable value specifies the maximum number of open sessions that are permitted from +# a given location rhel9cis_ssh_maxsessions: 4 -## Control 5.5.1.4 + +## Control 5.6.1.4 - Ensure inactive password lock is 30 days or less # This variable specifies the number of days of inactivity before an account will be locked. # CIS requires a value of 30 days or less. rhel9cis_inactivelock: lock_days: 30 - +# This variable governs if authconfig package should be installed. This package provides a simple method of +# configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used +# for shadow password support. Basic LDAP, Kerberos 5, and Winbind client configuration is also provided. rhel9cis_use_authconfig: false -# 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example -# Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk + +#### Controls +# SECTION 5.4 - Configure authselect: Custom authselect profile settings(name, profile to customize, options) +# 5.4.1 - Ensure custom authselect profile is used('custom_profile_name', 'default_file_to_copy' subsettings) +# 5.4.2 - Ensure authselect includes with-faillock | with auth select profile('custom_profile_name') +# Settings in place now will fail, they are place holders from the control example. Due to the way many multiple +# options and ways to configure this control needs to be enabled and settings adjusted to minimise risk. 
rhel9cis_authselect: custom_profile_name: custom-profile default_file_to_copy: "sssd --symlink-meta" options: with-sudo with-faillock without-nullok -# 5.3.1 Enable automation to create custom profile settings, using the settings above +# Control 5.4.1 - Ensure custom authselect profile is used +# This variable governs if an authselect custom profile should be automatically created, by copying and +# customizing one of the default profiles. The default profiles include: sssd, winbind, or the nis. This profile can then be +# customized to follow site specific requirements. rhel9cis_authselect_custom_profile_create: false -# 5.3.2 Enable automation to select custom profile options, using the settings above +# Control 5.4.2 - Ensure authselect includes with-faillock | Create custom profiles +# This variable governs if the existing custom profile should be selected(Note: please keep in mind that all future updates +# to the PAM templates and meta files in the original profile will be reflected in your custom profile, too.) rhel9cis_authselect_custom_profile_select: false -## Controls 5.5.1.x - Password settings +## Section 5.6.1.x: Shadow Password Suite Parameters rhel9cis_pass: - ## Control 5.5.1.2 - # This variable governs after how many days a password expires. + ## Control 5.6.1.1 - Ensure password expiration is 365 days or less + # This variable governs after how many days a password expires. # CIS requires a value of 365 or less. max_days: 365 - ## Control 5.5.1.1 - # This variable specifies the minimum number of days allowed between changing passwords. - # CIS requires a value of at least 1. + ## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more + # This variable specifies the minimum number of days allowed between changing + # passwords. CIS requires a value of at least 1. 
min_days: 7 - ## Control 5.5.1.3 + ## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more # This variable governs, how many days before a password expires, the user will be warned. # CIS requires a value of at least 7. warn_age: 7 -# 5.5.1 -## PAM +## Control 5.5.1 - Ensure password creation requirements are configured - PAM rhel9cis_pam_password: # This variable sets the minimum chars a password needs to be set. minlen: 14 @@ -1029,9 +1098,14 @@ rhel9cis_pam_password: # set to 4, passwords will have to include all four types of characters. minclass: 4 +## Controls +# 5.5.2 - Ensure lockout for failed password attempts is configured +# 5.5.3 - Ensure password reuse is limited +# 5.5.4 - Ensure password hashing algorithm is SHA-512 +# 5.4.2 - Ensure authselect includes with-faillock rhel9cis_pam_faillock: - # This variable sets the amount of time a user will be unlocked after - # the max amount of password failures. + # This variable sets the amount of time a user will be unlocked after the max amount of + # password failures. unlock_time: 900 # This variable sets the amount of tries a password can be entered, before a user is locked. deny: 5 
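Review bot: Under `rhel9cis_pass`, the new heading `## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more` is immediately followed by the retained sentence `CIS requires a value of at least 1.`, so the block contradicts itself while the default `min_days: 7` agrees with the heading. Align the sentence with the control title, e.g. `# passwords. CIS requires a value of at least 7.`, or drop the numeric claim if the benchmark revision targeted really says 1. The 5.4.1 comment in the same hunk also reads `sssd, winbind, or the nis`; `sssd, winbind or nis` is what the profile names are. The `rhel9cis_pass` mapping continues beyond this hunk.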
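Review bot: The reflowed comment on `unlock_time` still says it is the time a user "will be unlocked after", which inverts the meaning: faillock's unlock_time is how long (in seconds) the account stays locked once `deny` failures have been reached before access is allowed again. Suggested: `# This variable sets how long (in seconds) an account stays locked after the maximum number of failed attempts (faillock unlock_time).` The new controls header above `rhel9cis_pam_faillock` also lists `5.5.4 - Ensure password hashing algorithm is SHA-512`, which does not look like something any key of a faillock mapping drives; if no sub-key implements it, drop it from the header so it does not mislead. The `rhel9cis_pam_faillock` mapping continues past this hunk.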
@@ -1043,20 +1117,29 @@ rhel9cis_pam_faillock: # UID settings for interactive users # These are discovered via logins.def if set true discover_int_uid: false +### Controls: +# 5.6.2 - Ensure system accounts are secured +# 6.2.10 - Ensure local interactive user home directories exist +# 6.2.11 - Ensure local interactive users own their home directories # This variable sets the minimum number from which to search for UID # Note that the value will be dynamically overwritten if variable `dicover_int_uid` has # been set to `true`. min_int_uid: 1000 +### Controls: +# 6.2.10 - Ensure local interactive user home directories exist +# 6.2.11 - Ensure local interactive users own their home directories # This variable sets the maximum number at which the search stops for UID # Note that the value will be dynamically overwritten if variable `dicover_int_uid` has # been set to `true`. max_int_uid: 65533 -# 5.3.3 var log location variable +### Control 5.3.3 - Ensure sudo log file exists +# By default, sudo logs through syslog(3). However, to specify a custom log file, the +# 'logfile' parameter will be used, setting it with current variable's value. # This variable defines the path and file name of the sudo log file. rhel9cis_sudolog_location: "/var/log/sudo.log" -#### 5.3.6 +#### Control 5.3.6 -Ensure sudo authentication timeout is configured correctly # This variable sets the duration (in minutes) during which a user's authentication credentials # are cached after successfully authenticating using "sudo". This allows the user to execute # multiple commands with elevated privileges without needing to re-enter their password for each 
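Review bot: Both comments above `min_int_uid` and `max_int_uid` tell the reader the value is overwritten when `dicover_int_uid` is true, but the key defined a few lines up in this hunk is `discover_int_uid`, so the cross-reference names a variable that does not exist. Fix the spelling in both places to `discover_int_uid`; a reader searching for the misspelled name will find nothing. Also `#### Control 5.3.6 -Ensure sudo authentication timeout ...` is missing the space after the dash that every other new heading in this commit carries.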
@@ -1068,10 +1151,11 @@ rhel9cis_sudo_timestamp_timeout: 15 ## Only to be used on a new clean system if not using authselect ## THIS CAN BREAK ACCESS EVEN FOR ROOT - UNDERSTAND RISKS ## rhel9cis_add_faillock_without_authselect: false -# This needs to be set to ACCEPT +# This needs to be set to 'ACCEPT'(string), besides setting 'rhel9cis_add_faillock_without_authselect' +# to 'true', in order to execute the 5.4.2 sub-tasks dealing with not authselect profile rhel9cis_5_4_2_risks: NEVER -# RHEL-09-5.4.5 +### Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) rhel9cis_shell_session_timeout: 
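Review bot: The new comment on `rhel9cis_5_4_2_risks` ends with "the 5.4.2 sub-tasks dealing with not authselect profile", which is hard to parse for the one variable the file warns can lock out root if misused. Suggested: `# Must be set to the string 'ACCEPT' (together with 'rhel9cis_add_faillock_without_authselect: true') before the 5.4.2 tasks that add faillock without an authselect profile will run.` Whether any other value skips those tasks is inferred from the name and the warning above, so check the task's `when` before wording it that firmly. The guarded task block lives outside this hunk.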
@@ -1086,27 +1170,41 @@ rhel9cis_shell_session_timeout: # run before being forcefully terminated. # CIS requires a value of at most 900 seconds. timeout: 600 -# RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords + +### Control 5.6.1.5 - Ensure all users last password change date is in the past +# Allow ansible to expire password for account with a last changed date in the future. Setting it +# to 'false' will just display users in violation, while 'true' will expire those users passwords. rhel9cis_futurepwchgdate_autofix: true -# 5.3.7 -# This variable determines the group of users that are allowed to use the su command. -# one to specify a user group that is allowed to use the "su" command. -# CIS requires that such a group be created (named according to site policy) and be kept empty. +### Control 5.3.7 - Ensure access to the 'su' command is restricted +# This variable determines the name of the group of users that are allowed to use the su command. +# CIS requires that such a group be CREATED(named according to site policy) and be kept EMPTY. rhel9cis_sugroup: nosugroup ## Section6 vars -# RHEL-09_6.1.1 +### Control 6.1.15 - Audit system file permissions | Create list and warning +# The RPM package-manager has many useful options. For example, using option: +# - '-V': RPM can automatically check if system packages are correctly installed +# - '-qf': RPM can be used to determine which package a particular file belongs to +# Rule 6.1.15 takes advantage of the combination of those two options and, therefore, is able to +# detect any discrepancy regarding installed packages, redirecting the output of this combined +# command into a specific file. If no output is returned, the package is installed correctly. 
+# Current variable stores the preferred absolute filepath such a file, therefore if this file +# contains any lines, an alert message will be generated to warn about each discrepancy. rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check -# RHEL-09_6.1.10 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable +### Control 6.1.9 - Ensure no world writable files exist +# Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable. rhel9cis_no_world_write_adjust: true + rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" -# 6.2.16 -## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and community for rhel8-cis reedback. +### Control 6.2.16 - Ensure local interactive user dot files are not group or world writable +# This boolean variable governs if current role should follow filesystem links for changes to +# user home directory. rhel_09_6_2_16_home_follow_symlinks: false +# thanks to @dulin-gnet and community for rhel8-cis feedback. #### Goss Configuration Settings #### # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" From 8d85f178e22a815434be590736222abea90872db Mon Sep 17 00:00:00 2001 From: Corey Reid Date: Thu, 19 Oct 2023 13:19:07 +0100 Subject: [PATCH 103/136] find hidden files in /var/log for 4.3.2 Signed-off-by: Corey Reid --- tasks/section_4/cis_4.2.3.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index 2f2a8a4..19bfce8 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -7,6 +7,7 @@ paths: "/var/log" file_type: file recurse: true + hidden: true register: logfiles - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions" 
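Review bot: The new 6.1.15 comment documents that the rpm verification output is redirected into `rhel9cis_rpm_audit_file`, whose default `/var/tmp/rpm_file_check` is a predictable name inside a world-writable sticky directory; a root-owned artifact written there can collide with a pre-existing entry created by an unprivileged local account, and its contents (package discrepancies on the host) become readable by every local user. Unless the task creates the file with restrictive ownership and mode (not visible here), a root-only location such as a path under `/var/log/` or `/root/` is the safer default, and the comment should say so: `# Default is under /var/tmp for compatibility; prefer a root-only directory on multi-user hosts.` Separately, the credit line `# thanks to @dulin-gnet and community ...` now sits below `rhel_09_6_2_16_home_follow_symlinks`, where it reads as an introduction to the Goss section; move it above the 6.2.16 heading it belongs to.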
From 88ffe32137c841e4c1d63f9d7020aaa81026edc3 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Wed, 20 Dec 2023 21:58:49 +0200 Subject: [PATCH 104/136] Storing max_log_file under `rhel9cis_auditd` dict variable. Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 11 ++--------- tasks/section_4/cis_4.1.2.x.yml | 2 +- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0bc0137..39d8691 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -525,26 +525,19 @@ rhel9cis_auditd: space_left_action: email action_mail_acct: root admin_space_left_action: halt + # The max_log_file parameter should be based on your sites policy. + max_log_file: 10 max_log_file_action: keep_logs # The audit_back_log_limit value should never be below 8192 rhel9cis_audit_back_log_limit: 8192 -# The max_log_file parameter should be based on your sites policy -rhel9cis_max_log_file_size: 10 - ### 4.1.3.x audit template update_audit_template: false ## Advanced option found in auditd post rhel9cis_allow_auditd_uid_user_exclusions: false -# This can be used to configure other keys in auditd.conf -rhel9cis_auditd_extra_conf: {} -# Example: -# rhel9cis_auditd_extra_conf: -# admin_space_left: '10%' - ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index b830b1f..f235493 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -4,7 +4,7 @@ ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" - line: "max_log_file = {{ rhel9cis_max_log_file_size }}" + line: "max_log_file = {{ rhel9cis_auditd['max_log_file'] }}" notify: Restart auditd when: - rhel9cis_rule_4_1_2_1 From ca41b128cd895410dab925c4db7694ce24ef7907 Mon Sep 17 00:00:00 2001 
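Review bot: The defaults/main.yml hunk deletes `rhel9cis_auditd_extra_conf: {}` together with `rhel9cis_max_log_file_size`, but only the latter is replaced (by `rhel9cis_auditd.max_log_file`) and the commit message mentions neither removal; any task that still reads `rhel9cis_auditd_extra_conf` (the tasks/section_4/cis_4.1.2.x.yml hunk here rewrites only the max_log_file line) will hit an undefined variable on a default install. Restore the empty default, or state in the message that the extra-conf mechanism is intentionally withdrawn. Renaming `rhel9cis_max_log_file_size` without a fallback also silently ignores existing inventories that set the old name; if compatibility matters, the template line could read `line: "max_log_file = {{ rhel9cis_max_log_file_size | default(rhel9cis_auditd.max_log_file) }}"` for a deprecation period. While here, the new comment should state the unit auditd uses for max_log_file (megabytes): `# Maximum size of a single audit log file in megabytes; set per site policy.`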
From: Ionut Pruteanu Date: Wed, 20 Dec 2023 22:21:14 +0200 Subject: [PATCH 105/136] Defining some threshold for (audit_)space_left vars, as well as a bool which governs if extra params will be configured Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 11 +++++++++++ tasks/section_4/cis_4.1.2.x.yml | 1 + 2 files changed, 12 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 39d8691..58c84d7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -529,6 +529,17 @@ rhel9cis_auditd: max_log_file: 10 max_log_file_action: keep_logs +# This value governs if the below extra-vars for auditd should be used by the role +rhel9cis_auditd_extra_conf_usage: false + +# This can be used to configure other keys in auditd.conf +# Example: +# rhel9cis_auditd_extra_conf: +# admin_space_left: '10%' +rhel9cis_auditd_extra_conf: + admin_space_left: 50 + space_left: 75 + # The audit_back_log_limit value should never be below 8192 rhel9cis_audit_back_log_limit: 8192 diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index f235493..8370114 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -58,6 +58,7 @@ notify: Restart auditd when: - rhel9cis_auditd_extra_conf.keys() | length > 0 + - rhel9cis_auditd_extra_conf_usage tags: - level2-server - level2-workstation From a57333dcf1d8230e4d4a9d84ed1aa10b430bb64b Mon Sep 17 00:00:00 2001 From: "root@DERVISHx" Date: Wed, 27 Dec 2023 15:39:46 +0000 Subject: [PATCH 106/136] Added vars for streams. Signed-off-by: root@DERVISHx --- defaults/main.yml | 2 +- vars/AlmaLinux.yml | 6 ++++++ vars/Rocky.yml | 6 ++++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 617b692..1ff7a5f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
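Review bot: The new `rhel9cis_auditd_extra_conf` defaults `admin_space_left: 50` and `space_left: 75` are bare integers, which auditd reads as megabytes, while the comment's own example shows the percentage form (`'10%'`); the comment should name the unit and note that admin_space_left must stay below space_left so the two thresholds fire in the intended order. Suggested: `# Free-space thresholds on the audit partition in megabytes (append '%' for a percentage); admin_space_left must be lower than space_left.` In the cis_4.1.2.x.yml hunk, the new `rhel9cis_auditd_extra_conf_usage` condition is appended after `rhel9cis_auditd_extra_conf.keys() | length > 0`; since Ansible evaluates `when` list items in order and stops at the first false one, listing the cheap boolean first avoids evaluating `.keys()` on a variable a user may have unset. The enclosing task starts outside the hunk.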
@@ -866,7 +866,7 @@ rhel9cis_auditd_extra_conf: {} # This variable governs which logging service should be used, choosing between 'rsyslog'(CIS recommendation) # or 'journald'(only one is implemented) will trigger the execution of the associated subsection, as the-best # practices are written wholly independent of each other. -rhel9cis_syslog: rsyslog +rhel9cis_syslog: journald ## Control 4.2.1.5 | PATCH | Ensure logging is configured # This variable governs if current Ansible role should manage syslog settings # in /etc/rsyslog.conf file, namely mail, news and misc(warn, messages) diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index b0eb3d9..a0fa6ba 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -5,3 +5,9 @@ os_gpg_key_pubkey_name: gpg-pubkey-b86b3716-61e69f29 os_gpg_key_pubkey_content: "AlmaLinux OS 9 b86b3716" # disable repo_gpgcheck due to OS default repos rhel9cis_rule_enable_repogpg: false + +rhel9cis_sshd: + # This variable sets the maximum number of unresponsive "keep-alive" messages + # that can be sent from the server to the client before the connection is considered + # inactive and thus, closed. + clientalivecountmax: 3 \ No newline at end of file diff --git a/vars/Rocky.yml b/vars/Rocky.yml index 77af29c..7d9f014 100644 --- a/vars/Rocky.yml +++ b/vars/Rocky.yml @@ -3,3 +3,9 @@ os_gpg_key_pubkey_name: gpg-pubkey-350d275d-6279464b os_gpg_key_pubkey_content: "Rocky Enterprise Software Foundation - Release key 2022 350d275d" + +rhel9cis_sshd: + # This variable sets the maximum number of unresponsive "keep-alive" messages + # that can be sent from the server to the client before the connection is considered + # inactive and thus, closed. + clientalivecountmax: 3 \ No newline at end of file From 1e55d8600190706d9a42f54901030dfb4d4d1cfa Mon Sep 17 00:00:00 2001 
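Review bot: `rhel9cis_syslog` is flipped from `rsyslog` to `journald` while the context comment two lines above still describes rsyslog as the CIS recommendation, and the commit message ("Added vars for streams") does not mention the change, so every consumer's default logging posture changes without explanation. If journald is now the intended default, update the comment to say why the role departs from the benchmark's recommendation (and what "only one is implemented" refers to); otherwise keep `rsyslog` here and move the change to a dedicated commit.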
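Review bot: Defining `rhel9cis_sshd:` in vars/AlmaLinux.yml (and identically in vars/Rocky.yml) replaces rather than extends the `rhel9cis_sshd` mapping from defaults/main.yml: role `vars/` outrank role defaults and Ansible does not merge dictionaries by default, so on these distributions every other key of that mapping (for example `deny_groups`, visible in the earlier defaults hunks) becomes undefined, and any inventory override of `rhel9cis_sshd` is ignored because role vars also outrank inventory and group_vars. If `clientalivecountmax` needs a per-distribution value, add a scalar such as `rhel9cis_sshd_clientalivecountmax: 3` that defaults/main.yml references with `default()`, or keep the whole mapping in defaults and reserve vars/ for OS facts. Both new sections also lack a trailing newline (`\ No newline at end of file`).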
From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:12:06 +0100 Subject: [PATCH 107/136] Update cis_1.3.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Correction to "when": 1_3_3 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_1/cis_1.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 7a5e544..dda9c66 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -67,7 +67,7 @@ /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 validate: aide -D --config %s when: - - rhel9cis_rule_1_3_2 + - rhel9cis_rule_1_3_3 - not system_is_ec2 tags: - level1-server From 4d749d988d87c6bbd281f2efe40fbd92ee3c291a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:13:32 +0100 Subject: [PATCH 108/136] Update cis_1.8.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected tag rule_1.8.10 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_1/cis_1.8.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 20e56c4..e6f4b0c 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -261,4 +261,4 @@ - level1-workstation - patch - gui - - rule_1.8.4 + - rule_1.8.10 From 712b8b6ecd3b6dbd120934adfbdcdc0a287eba53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:15:11 +0100 Subject: [PATCH 109/136] Update cis_5.6.1.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected tag: rule_5.6.1.1 
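Review bot: The `when` in cis_1.3.x.yml now keys on `rhel9cis_rule_1_3_3`, but the task's tag list (only `level1-server` is visible here) should carry `rule_1.3.3` for the same task, since the sibling commits in this series correct exactly that class of rule/tag mismatch; worth confirming before merge. The task starts outside the hunk.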
Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index f7b8136..d1f488f 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -12,7 +12,7 @@ - level1-workstation - patch - password - - rule_5.5.1.1 + - rule_5.6.1.1 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" ansible.builtin.lineinfile: From 3b256ff8311f65c527c69334d65a7f7bf32e5ed9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:16:20 +0100 Subject: [PATCH 110/136] Update cis_5.6.1.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected tag: rule_5.6.1.5 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index d1f488f..8d082bc 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -117,4 +117,4 @@ - level1-server - level1-workstation - patch - - rule_5.5.1.5 + - rule_5.6.1.5 From d6b44aac70db771be180954191a4809831480b2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:18:52 +0100 Subject: [PATCH 111/136] Update cis_6.1.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected tags: rule_6.1.8 & rule_6.1.12 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_6/cis_6.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 4cc5cbd..7bce9c5 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -118,7 +118,7 @@ - level1-workstation - patch - permissions - - rule_6.1.10 + - rule_6.1.8 - name: "6.1.9 | PATCH | Ensure no world writable files exist" block: @@ -253,7 +253,7 @@ - patch - stickybits - permissons - - rule_1.1.21 + - rule_6.1.12 - name: "6.1.13 | AUDIT | Audit SUID executables" block: From e0491ccb8f7fd4e0b85335eeb4795790ea773172 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:20:08 +0100 Subject: [PATCH 112/136] Update cis_6.2.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected tag: rule_6.2.3 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_6/cis_6.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 2f3141b..6ab91cd 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -73,7 +73,7 @@ - audit - accounts - groups - - rule_6.2.2 + - rule_6.2.3 - name: "6.2.4 | AUDIT Ensure no duplicate UIDs exist" block: From d73f26a7ab9ffd0e99787657fd7c5ea946381ad2 Mon Sep 17 00:00:00 2001 From: Joshua Hemmings Date: Tue, 9 Jan 2024 09:17:00 +0100 Subject: [PATCH 113/136] Remove trailing comma to align with other roles Signed-off-by: Joshua Hemmings --- tasks/section_1/cis_1.1.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 4ff1ccb..3a64a06 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml 
@@ -31,7 +31,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid{% endif %} loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" From 87d2685f4ec2586c5792b500d9e0a4b0e8a2dfaf Mon Sep 17 00:00:00 2001 From: Joshua Hemmings Date: Wed, 10 Jan 2024 16:11:27 +0100 Subject: [PATCH 114/136] Update cis_1.1.7.x.yml Signed-off-by: Joshua Hemmings --- tasks/section_1/cis_1.1.7.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index ee922b3..ef16988 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -32,7 +32,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid{% endif %} loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" From 560475ea4e1c34b806ddceb0034b6df74e6f5513 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Wed, 17 Jan 2024 20:17:21 +0200 Subject: [PATCH 115/136] Finalising the docs content & syntax Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 351 ++++++++++++++++++++++++---------------------- 1 file changed, 183 insertions(+), 168 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 617b692..2481e75 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
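Review bot: The new `opts:` expression in cis_1.1.3.x.yml still yields a trailing comma when `rhel9cis_rule_1_1_3_2` is true and `rhel9cis_rule_1_1_3_3` is false (`defaults,nodev,`), because the comma after `nodev` is unconditional; the identical edit in cis_1.1.7.x.yml has the same gap. Building a list and joining it removes the case analysis: `opts: "{{ (['defaults'] + (['nodev'] if rhel9cis_rule_1_1_3_2 else []) + (['nosuid'] if rhel9cis_rule_1_1_3_3 else [])) | join(',') }}"`. The mount task these lines belong to starts outside the hunk.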
@@ -42,7 +42,7 @@ rhel9cis_section6: true rhel9cis_level_1: true rhel9cis_level_2: true -## 1.6 SubSection - Mandatory Access Control +## Section 1.6 - Mandatory Access Control # This variable governs whether SELinux is disabled or not. If SELinux is NOT DISABLED by setting # 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed. rhel9cis_selinux_disable: false @@ -74,6 +74,7 @@ change_requires_reboot: false #### Basic external goss audit enablement settings #### #### Precise details - per setting can be found at the bottom of this file #### + ## Audit setup # Audits are carried out using Goss. This variable # determines whether execution of the role prepares for auditing 
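Review bot: The retitled `## Section 1.6` heading sits over a comment that reads "If SELinux is NOT DISABLED by setting 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed", which states the opposite of what the flag name implies (true disables SELinux); in a commit that finalises the docs this is the line most likely to be taken literally. Suggested: `# Set to 'true' to leave SELinux disabled; with the default 'false' SELinux stays enabled and the 1.6 subsection is executed.` The second half is inferred from the variable name, so confirm it against the section_1 tasks before adopting it.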
@@ -419,63 +420,70 @@ rhel9cis_rule_6_2_16: true ## Section 1 vars -#### 1.1.2 -# These settings go into the /etc/fstab file for the /tmp mount settings -# The value must contain nosuid,nodev,noexec to conform to CIS standards -# rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0" -# If set true uses the tmp.mount service else using fstab configuration +## Control 1.1.2 +# If set to `true`, rule will be implemented using the `tmp.mount` systemd-service, +# otherwise fstab configuration will be used. +# These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards. rhel9cis_tmp_svc: false -#### 1.1.9 +## Control 1.1.9 rhel9cis_allow_autofs: false -# 1.2.1 +## Control 1.2.1 # This is the login information for your RedHat Subscription # DO NOT USE PLAIN TEXT PASSWORDS!!!!! # The intent here is to use a password utility like Ansible Vault here rhel9cis_rh_sub_user: user rhel9cis_rh_sub_password: password # pragma: allowlist secret -# 1.2.2 +## Control 1.2.2 # Do you require rhnsd # RedHat Satellite Subscription items rhel9cis_rhnsd_required: false -# Control 1.2.4 - When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM -# repo('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks +## Control 1.2.4 +# When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM +# repo ('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks # which check the GPG signatures for all the individual YUM repositories. 
rhel9cis_rhel_default_repo: true -# Control 1.2.4 - When 'rhel9cis_rule_enable_repogpg' is set to 'true'(in conjunction with 'rhel9cis_rhel_default_repo':'false'), conditions are met for +## Control 1.2.4 +# When 'rhel9cis_rule_enable_repogpg' is set to 'true'(in conjunction with 'rhel9cis_rhel_default_repo':'false'), conditions are met for # enabling the GPG signatures-check for all the individual YUM repositories. If GPG signatures-check is enabled on repositories which do not # support it(like RedHat), installation of packages will fail. rhel9cis_rule_enable_repogpg: true -# Control 1.4.1 - This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value +## Control 1.4.1 +# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value # must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with # this format: 'grub.pbkdf2.sha512...' rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' # pragma: allowlist secret rhel9cis_bootloader_password: random # pragma: allowlist secret -# Control 1.4.1 - This variable governs whether a bootloader password should be set in /boot/grub2/user.cfg file. +## Control 1.4.1 +# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file. rhel9cis_set_boot_pass: true -## Controls 1.8.x - Settings for GDM +## Control 1.8.x - Settings for GDM # This variable specifies the GNOME configuration database file to which configurations are written. 
-# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) -# The default database is `local` +# (See "https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en") +# The default database is 'local'. rhel9cis_dconf_db_name: local # This variable governs the number of seconds of inactivity before the screen goes blank. -rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) +# Set max value for idle-delay in seconds (between 1 and 900) +rhel9cis_screensaver_idle_delay: 900 # This variable governs the number of seconds the screen remains blank before it is locked. -rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) +# Set max value for lock-delay in seconds (between 0 and 5) +rhel9cis_screensaver_lock_delay: 5 -# Control 1.10 - This variable contains the value to be set as the system-wide crypto policy. Rule 1.10 enforces -# NOT using 'LEGACY' value(as it is less secure, it just ensures compatibility with legacy systems), therefore +## Control 1.10 +# This variable contains the value to be set as the system-wide crypto policy. 
Current rule enforces NOT USING +# 'LEGACY' value(as it is less secure, it just ensures compatibility with legacy systems), therefore # possible values for this variable are, as explained by RedHat docs: -# -'DEFAULT': reasonable default policy for today's standards(balances usability and security) +# -'DEFAULT': reasonable default policy for today's standards (balances usability and security) # -'FUTURE': conservative security level that is believed to withstand any near-term future attacks # -'FIPS': A level that conforms to the FIPS140-2 requirements rhel9cis_crypto_policy: 'DEFAULT' -# Control 1.10 - This variable contains the value of the crypto policy module(combinations of policies and +## Control 1.10 +# This variable contains the value of the crypto policy module(combinations of policies and # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, # using 'rhel9cis_allowed_crypto_policies_modules' variable. rhel9cis_crypto_policy_module: '' 
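Review bot: The rewritten 1.4.1 comment still presents the shipped `rhel9cis_bootloader_password_hash` as a value that "must be changed" without saying what happens if it is not: with `rhel9cis_set_boot_pass: true` as the default, a run that keeps the defaults installs a GRUB password shared by every deployment of this role and whose hash is public, which offers little protection. Say so explicitly: `# WARNING: the default hash below is published with this role; running with it unchanged leaves the bootloader protected by a shared, known password.` The same caveat applies to `rhel9cis_rh_sub_password: password`, whose comment already forbids plain-text passwords but keeps one as the default. `## Control 1.1.9` also gains a heading but no description of what `rhel9cis_allow_autofs` governs (presumably whether autofs is left installed rather than removed), unlike every other variable in this hunk.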
@@ -537,27 +545,29 @@ rhel9cis_aide_cron: ## Control 1.6.1.3|4|5 - SELinux policy settings # This selects type of policy; targeted or mls( multilevel ) # mls should not be used, since it will disable unconfined policy module -# and may prevent some services from running. Requires SELinux not being disabled(by +# and may prevent some services from running. Requires SELinux not being disabled (by # having 'rhel9cis_selinux_disable' var set as 'true'), otherwise setting will be ignored. rhel9cis_selinux_pol: targeted ## Control 1.6.1.3|4 - SELinux configured and not disabled # This variable contains a specific SELinux mode, respectively: # - 'enforcing': SELinux policy IS enforced, therefore denies operations based on SELinux policy -# rules. If system was installed with SELinux, this is enabled by default. +# rules. If system was installed with SELinux, this is enabled by default. # - 'permissive': SELinux policy IS NOT enforced, therefore does NOT deny any operation, only -# logs AVC(Access Vector Cache) messages. RedHat docs suggest it "can be used -# briefly to check if SELinux is the culprit in preventing your application -# from working". +# logs AVC(Access Vector Cache) messages. RedHat docs suggest it "can be used +# briefly to check if SELinux is the culprit in preventing your application +# from working". # CIS expects enforcing since permissive allows operations that might compromise the system. # Even though logging still occurs. rhel9cis_selinux_enforce: enforcing # Whether or not to run tasks related to auditing/patching the desktop environment -## 2. Services +## Section 2. Services ### 2.1 Time Synchronization -#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 + + +## Control 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 # The following variable represents a list of time servers used # for configuring chrony, timesyncd, and ntp. 
# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`. 
@@ -568,67 +578,70 @@ rhel9cis_time_synchronization_servers: - 1.pool.ntp.org - 2.pool.ntp.org - 3.pool.ntp.org -#### 2.1.2 - Time Synchronization servers +## Control 2.1.2 - Time Synchronization servers # This variable should contain the default options to be used for every NTP server hostname defined # within the 'rhel9cis_time_synchronization_servers' var. rhel9cis_chrony_server_options: "minpoll 8" + ### 2.2 Special Purposes + # Service configuration variables (boolean). # Set the respective variable to true to keep the service. # otherwise the service is stopped and disabled + # This variable governs whether rules dealing with GUI specific packages(and/or their settings) should # be executed either to: -# - secure GDM(Control 1.8.2-1.8.10), if GUI is needed('rhel9cis_gui: true') -# - or remove GDM(Control 1.8.1) and X-Windows-system(2.2.1), if no GUI is needed('rhel9cis_gui: false') +# - secure GDM, if GUI is needed('rhel9cis_gui: true') +# - or remove GDM and X-Windows-system, if no GUI is needed('rhel9cis_gui: false') rhel9cis_gui: false -# Control 2.2.2 - Ensure Avahi Server is not installed +## Control 2.2.2 - Ensure Avahi Server is not installed # This variable, when set to false, will specify that Avahi Server packages should be uninstalled. rhel9cis_avahi_server: false -# Control 2.2.3 - Ensure CUPS is not installed +## Control 2.2.3 - Ensure CUPS is not installed # This variable, when set to false, will specify that CUPS(Common UNIX Printing System) package should be uninstalled. rhel9cis_cups_server: false -# Control 2.2.4 - Ensure DHCP Server is not installed +## Control 2.2.4 - Ensure DHCP Server is not installed # This variable, when set to false, will specify that DHCP server package should be uninstalled. rhel9cis_dhcp_server: false -# Control 2.2.5 - Ensure DNS Server is not installed +## Control 2.2.5 - Ensure DNS Server is not installed # This variable, when set to false, will specify that DNS server package should be uninstalled. 
rhel9cis_dns_server: false -# Control 2.2.14 - Ensure dnsmasq is not installed +## Control 2.2.14 - Ensure dnsmasq is not installed # This variable, when set to false, will specify that dnsmasq package should be uninstalled. rhel9cis_dnsmasq_server: false -# Control 2.2.6 - Ensure VSFTP Server is not installed +## Control 2.2.6 - Ensure VSFTP Server is not installed # This variable, when set to false, will specify that VSFTP server package should be uninstalled. rhel9cis_vsftpd_server: false -# Control 2.2.7 - Ensure TFTP Server is not installed +## Control 2.2.7 - Ensure TFTP Server is not installed # This variable, when set to false, will specify that TFTP server package should be uninstalled. rhel9cis_tftp_server: false -# Control 2.2.8 - Ensure a web server is not installed - HTTPD +## Control 2.2.8 - Ensure a web server is not installed - HTTPD # This variable, when set to false, will specify that webserver packages(HTTPD) should be uninstalled. rhel9cis_httpd_server: false -# Control 2.2.8 - Ensure a web server is not installed - NGINX +## Control 2.2.8 - Ensure a web server is not installed - NGINX # This variable, when set to false, will specify that webserver packages(NGINX) should be uninstalled. rhel9cis_nginx_server: false -# Control 2.2.9 - Ensure IMAP and POP3 server is not installed - dovecot +## Control 2.2.9 - Ensure IMAP and POP3 server is not installed - dovecot # This variable, when set to false, will specify that IMAP and POP3 servers(dovecot) should be uninstalled. rhel9cis_dovecot_server: false -# Control 2.2.9 - Ensure IMAP and POP3 server is not installed - cyrus-imapd +## Control 2.2.9 - Ensure IMAP and POP3 server is not installed - cyrus-imapd # This variable, when set to false, will specify that IMAP and POP3 servers(cyrus-imapd) should be uninstalled. 
rhel9cis_imap_server: false -# Control 2.2.10 - Ensure Samba is not enabled +## Control 2.2.10 - Ensure Samba is not enabled # This variable, when set to false, will specify that 'samba' package should be uninstalled. rhel9cis_samba_server: false -# Control 2.2.11 - Ensure HTTP Proxy Server is not installed +## Control 2.2.11 - Ensure HTTP Proxy Server is not installed # This variable, when set to false, will specify that 'squid' package should be uninstalled. rhel9cis_squid_server: false -# Control 2.2.12 - Ensure net-snmp is not installed +## Control 2.2.12 - Ensure net-snmp is not installed # This variable, when set to false, will specify that 'net-snmp' package should be uninstalled. rhel9cis_snmp_server: false -# Control 2.2.13 - Ensure telnet-server is not installed +## Control 2.2.13 - Ensure telnet-server is not installed # This variable, when set to false, will specify that 'telnet-server' package should be uninstalled. rhel9cis_telnet_server: false -# Control 2.2.15 - Ensure mail transfer agent is configured for local-only mode +## Control 2.2.15 - Ensure mail transfer agent is configured for local-only mode # This variable, when system is NOT a mailserver, will configure Postfix to listen only on the loopback interface(the virtual # network interface that the server uses to communicate internally. rhel9cis_is_mail_server: false 
@@ -639,15 +652,15 @@ rhel9cis_is_mail_server: false # Set the respective variable to `true` to keep the # client package, otherwise it is uninstalled (false). -# Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked" -# This variable specifies if the usage of NFS SERVER is needed. The behavior of 2.2.16 will depend on -# the var used in conjunction('rhel9cis_use_nfs_service') with current one, respectively: +## Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked" +# This variable specifies if the usage of NFS SERVER is needed. Execution of the rule which secures (by uninstalling or masking service) +# NFS(if it's NOT needed) will depend on the var used in conjunction('rhel9cis_use_nfs_service') with current one, respectively: # - if Server IS NOT needed('false') and: # - Service IS NOT needed('rhel9cis_use_nfs_service: false'): 'nfs-utils' package will be removed # - Service IS needed('rhel9cis_use_nfs_service: true'): impossible to need the service without the server # - if Server IS needed('true') and: # - Service IS NOT needed('rhel9cis_use_nfs_service: false'): 'nfs-server' service will be masked -# - Service IS needed('rhel9cis_use_nfs_service: true'): Rule 2.2.16 will be SKIPPED. +# - Service IS needed('rhel9cis_use_nfs_service: true'): Rule will be SKIPPED. # | Server | Service | Result | # |---------|---------|-----------------------------------------------------------| # | false | false | Remove package | 
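Review bot: The rewritten heading `## Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked"` still ends with the stray double quote carried over from the old line; dropping it makes it match the second 2.2.16 heading in the next hunk. The new explanatory sentence also reads awkwardly; something like `# This variable specifies whether the NFS SERVER is needed. The rule that secures NFS when it is not needed (by uninstalling the package or masking the service) also depends on 'rhel9cis_use_nfs_service', respectively:` would be clearer. The same sentence shape is repeated for RPC and RSYNC in the two following hunks and should be reworded there in the same way.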
@@ -655,24 +668,24 @@ rhel9cis_is_mail_server: false # | true | false | Mask 'service' | # | true | true | SKIP RULE, BOTH 'service' and 'server' are required | rhel9cis_use_nfs_server: false -# Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked. +## Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked. # This variable specifies if the usage of NFS SERVICE is needed. If it's: -# - needed('true'): rule 2.2.16 will not be executed at all -# - not needed('false'): rule 2.2.16 will be executed, its behavior being controlled by the var -# used in conjunction with current one: +# - needed('true'): rule which uninstalls/masks-service WILL NOT be executed at all +# - not needed('false'): rule which uninstalls/masks-service WILL be executed, its behavior being +# controlled by the var used in conjunction with current one: # - removing 'nfs-utils' package('rhel9cis_use_nfs_server' set to 'false') # - masking the 'nfs-server' service('rhel9cis_use_nfs_server' set to 'true') rhel9cis_use_nfs_service: false -# Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked -# This variable specifies if the usage of RPC SERVER is needed. The behavior of 2.2.17 will depend on -# the var used in conjunction('rhel9cis_use_rpc_service') with current one, respectively: +## Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked +# This variable specifies if the usage of RPC SERVER is needed. 
Execution of the rule which secures (by uninstalling or masking service) +# RPC(if it's NOT needed) will depend on the var used in conjunction('rhel9cis_use_rpc_service') with current one, respectively: # - if Server IS NOT needed('false') and: # - Service IS NOT needed('rhel9cis_use_rpc_service: false'): 'rpcbind' package will be removed # - Service IS needed('rhel9cis_use_rpc_service: true'): impossible to need the service without the server # - if Server IS needed('true') and: # - Service IS NOT needed('rhel9cis_use_rpc_service: false'): 'rpcbind.socket' service will be masked -# - Service IS needed('rhel9cis_use_rpc_service: true'): Rule 2.2.17 will be SKIPPED. +# - Service IS needed('rhel9cis_use_rpc_service: true'): Rule will be SKIPPED. # | Server | Service | Result | # |---------|---------|-----------------------------------------------------------| # | false | false | Remove package | 
@@ -680,25 +693,24 @@ rhel9cis_use_nfs_service: false # | true | false | Mask 'service' | # | true | true | SKIP RULE, BOTH 'service' and 'server' are required | rhel9cis_use_rpc_server: false -# Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked +## Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked # This variable specifies if the usage of RPC SERVICE is needed. If it's: -# - needed('true'): rule 2.2.17 will not be executed at all -# - not needed('false'): rule 2.2.17 will be executed, its behavior being controlled by the var +# - needed('true'): rule which uninstalls/masks-service WILL NOT be executed at all +# - not needed('false'): rule which uninstalls/masks-service WILL be executed, its behavior being controlled by the var # used in conjunction with current one: # - removing 'rpcbind' package('rhel9cis_use_rpc_server' set to 'false') # - masking the 'rpcbind.socket' service('rhel9cis_use_rpc_server' set to 'true') rhel9cis_use_rpc_service: false - -# Control 2.2.18 - Ensure rsync service is not enabled -# This variable specifies if the usage of RSYNC SERVER is needed. The behavior of 2.2.18 will depend on -# the var used in conjunction('rhel9cis_use_rsync_service') with current one, respectively: +## Control 2.2.18 - Ensure rsync service is not enabled +# This variable specifies if the usage of RSYNC SERVER is needed. 
Execution of the rule which secures (by uninstalling or masking service) +# RSYNC(if it's NOT needed) will depend on the var used in conjunction('rhel9cis_use_rsync_service') with current one, respectively: # - if Server IS NOT needed('false') and: # - Service IS NOT needed('rhel9cis_use_rsync_service: false'): 'rsync-daemon' package will be removed # - Service IS needed('rhel9cis_use_rsync_service: true'): impossible to need the service without the server # - if Server IS needed('true') and: # - Service IS NOT needed('rhel9cis_use_rsync_service: false'): 'rsyncd' service will be masked -# - Service IS needed('rhel9cis_use_rsync_service: true'): Rule 2.2.18 will be SKIPPED. +# - Service IS needed('rhel9cis_use_rsync_service: true'): Rule will be SKIPPED. # | Server | Service | Result | # |---------|---------|-----------------------------------------------------------| # | false | false | Remove package | 
@@ -706,51 +718,57 @@ rhel9cis_use_rpc_service: false # | true | false | Mask 'service' | # | true | true | SKIP RULE, BOTH 'service' and 'server' are required | rhel9cis_use_rsync_server: false -# Control 2.2.18 - Ensure rsync service is not enabled +## Control 2.2.18 - Ensure rsync service is not enabled # This variable specifies if the usage of RSYNC SERVICE is needed. If it's: -# - needed('true'): rule 2.2.18 will not be executed at all -# - not needed('false'): rule 2.2.18 will be executed, its behavior being controlled by the var +# - needed('true'): rule which uninstalls/masks-service WILL NOT be executed at all +# - not needed('false'): rule which uninstalls/masks-service WILL be executed, its behavior being controlled by the var # used in conjunction with current one: # - removing 'rsync-daemon' package('rhel9cis_use_rsync_server' set to 'false') # - masking the 'rsyncd' service('rhel9cis_use_rsync_server' set to 'true') rhel9cis_use_rsync_service: false #### 2.3 Service clients -# Control - 2.3.1 - Ensure telnet client is not installed + + +## Control - 2.3.1 - Ensure telnet client is not installed # Set this variable to `true` to keep package `telnet`; otherwise, the package is uninstalled. rhel9cis_telnet_required: false -# Control - 2.3.2 - Ensure LDAP client is not installed +## Control - 2.3.2 - Ensure LDAP client is not installed # Set this variable to `true` to keep package `openldap-clients`; otherwise, the package is uninstalled. rhel9cis_openldap_clients_required: false -# Control - 2.3.3 - Ensure FTP client is not installed +## Control - 2.3.3 - Ensure FTP client is not installed # Set this variable to `true` to keep package `tftp`; otherwise, the package is uninstalled. rhel9cis_tftp_client: false -# Control - 2.3.4 - Ensure FTP client is not installed +## Control - 2.3.4 - Ensure FTP client is not installed # Set this variable to `true` to keep package `ftp`; otherwise, the package is uninstalled. 
rhel9cis_ftp_client: false ## Section 3 vars for ## Sysctl -# This variable governs if the task which updates sysctl(including sysctl reload) is executed, but current -# default value can be overriden by other tasks(1.5.3, 3.1.1, 3.2.1, 3.2.2, 3.3.1-3.3.9). + + +# This variable governs if the task which updates sysctl(including sysctl reload) is executed. +# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). rhel9cis_sysctl_update: false # This variable governs if the task which flushes the IPv4 routing table is executed(forcing subsequent connections to -# use the new configuration). Current default value can be overriden by other tasks(3.2.1, 3.2.2, 3.3.1-3.3.8). +# use the new configuration). +# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). rhel9cis_flush_ipv4_route: false # This variable governs if the task which flushes the IPv6 routing table is executed(forcing subsequent connections to -# use the new configuration). Current default value can be overriden by other tasks(3.1.1, 3.2.1, 3.3.1, 3.3.2, 3.3.9). +# use the new configuration). +# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). 
rhel9cis_flush_ipv6_route: false -### Firewall Service to install and configure - Option is: -# 1) either 'firewalld'(Controls 3.4.1.2, 3.4.2.1, 3.4.2.4) -# 2) or 'nftables'(Controls ) +### Firewall Service to install and configure - Options are: +# 1) either 'firewalld' +# 2) or 'nftables' #### Some control allow for services to be removed or masked #### The options are under each heading #### absent = remove the package #### masked = leave package if installed and mask the service rhel9cis_firewall: firewalld -# Control 3.4.2.1 - Ensure firewalld default zone is set +## Control 3.4.2.1 - Ensure firewalld default zone is set # This variable will set the firewalld default zone(that is used for everything that is not explicitly bound/assigned # to another zone): if there is no zone assigned to a connection, interface or source, only the default zone is used. rhel9cis_default_zone: public 
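Review bot: The rewritten heading `## Control - 2.3.3 - Ensure FTP client is not installed` carries the same title as 2.3.4 directly below it, while the variable it documents is `rhel9cis_tftp_client` and the package named in its comment is `tftp`; presumably it should read `## Control - 2.3.3 - Ensure TFTP client is not installed`. The three new `# NOTE:` lines in the sysctl stanza misspell 'overridden' as 'overriden'. The `#### 2.3 Service clients` sub-heading is also left at four hashes while the rest of this commit moves section headings to `##`/`###` (for example `### 2.2 Special Purposes` in an earlier hunk), so it is worth normalising in the same pass.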
@@ -761,31 +779,28 @@ rhel9cis_firewalld_ports: protocol: tcp ## Controls 3.5.2.x - nftables -# The default nftables table name is "filter". This variable name will be the one all -# "rhel9cis_nft_tables_tablename" is the name of the table in nftables you want to create. -# nftables configs are applied to. -# options are: inet filter -# Control 3.4.2.2 - Ensure at least one nftables table exists + +## Control 3.4.2.2 - Ensure at least one nftables table exists # This variable governs if a table will be automatically created in nftables. Without a table (no default one), nftables # will not filter network traffic, so if this variable is set to 'false' and no tables exist, an alarm will be triggered! rhel9cis_nft_tables_autonewtable: true -# Controls 3.4.2.{2|3|4|6|7} nftables +## Controls 3.4.2.{2|3|4|6|7} nftables # This variable stores the name of the table to be used when configuring nftables(creating chains, configuring loopback # traffic, established connections, default deny). If 'rhel9cis_nft_tables_autonewtable' is set as true, a new table will # be created using as name the value stored by this variable. rhel9cis_nft_tables_tablename: filter -# Control 3.4.2.3 - Ensure nftables base chains exist +## Control 3.4.2.3 - Ensure nftables base chains exist # This variable governs if a nftables base chain(entry point for packets from the networking stack) will be automatically # created, if needed. Without a chain, a hook for input, forward, and delete, packets that would flow through those -#chains will not be touched by nftables +# chains will not be touched by nftables. 
rhel9cis_nft_tables_autochaincreate: true ## Controls: # - 1.7.1 - Ensure message of the day is configured properly # - 1.7.2 - Ensure local login warning banner is configured properly # - 1.7.3 - Ensure remote login warning banner is configured properly -# Warning Banner Content (issue, issue.net, motd) +# This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd). rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and reported. # End Banner @@ -797,7 +812,7 @@ rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and # log files are getting too full and space is getting too low. rhel9cis_auditd: # This variable tells the system what action to take when the system has detected - #that it is starting to get low on disk space. Options are the same as for `admin_space_left_action` + # that it is starting to get low on disk space. Options are the same as for `admin_space_left_action`. space_left_action: email # This variable should contain a valid email address or alias(default value is root), # which will be used to send a warning when configured action is 'email'. @@ -837,11 +852,9 @@ rhel9cis_audit_back_log_limit: 8192 # This should be set based on your sites policy. CIS does not provide a specific value. rhel9cis_max_log_file_size: 10 -## 4.1.3.x - Audit template -# This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the -# audit settings are overwritten with the role's template. In order to exclude -# specific rules, you must set the variable of form `rhel9cis_rule_4_1_3_x` above -# to `false`. +## Control 4.1.3.x - Audit template +# This variable governs if the auditd logic should be executed(if value is true). +# NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules'). update_audit_template: false ## Advanced option found in auditd post 
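Review bot: The new line `# chains will not be touched by nftables.` completes a sentence whose preceding unchanged line lists the base-chain hooks as 'input, forward, and delete'; nftables base chains hook into input, forward and output, so 'delete' looks like a typo for 'output' and is worth fixing while this comment is being edited. Suggested wording for that preceding line: `# created, if needed. Without a base chain for the input, forward and output hooks, packets that would flow through those`, followed by the new line as written.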
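Review bot: The replacement comment above `update_audit_template: false` drops the only operational guidance the old comment gave — that individual 4.1.3.x rules are excluded by setting the matching `rhel9cis_rule_4_1_3_x` variable to `false` — and substitutes a vague note that the value is overridden via set_fact. Keep that sentence, for example `# To exclude specific 4.1.3.x audit rules, set the corresponding 'rhel9cis_rule_4_1_3_x' variable to false.`, since a reader of this defaults file otherwise has no way to know how to opt out of a rule. 'overriden' in the new NOTE line should also be 'overridden'.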
@@ -857,12 +870,12 @@ rhel9cis_auditd_uid_exclude: # '/etc/audit/auditd.conf' file) can be stored within current variable. rhel9cis_auditd_extra_conf: {} # Example: -# rhel9cis_auditd_extra_conf: +#rhel9cis_auditd_extra_conf: # admin_space_left: '10%' ## Whether rsyslog or journald preferred method for local logging -## 4.2.1 | Configure rsyslog -## 4.2.2 | Configure journald +## Control 4.2.1 | Configure rsyslog +## Control 4.2.2 | Configure journald # This variable governs which logging service should be used, choosing between 'rsyslog'(CIS recommendation) # or 'journald'(only one is implemented) will trigger the execution of the associated subsection, as the-best # practices are written wholly independent of each other. 
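Review bot: The changed example line `#rhel9cis_auditd_extra_conf:` removes the space after `#`, which now differs from the `# admin_space_left: '10%'` line directly below it and from the `# ` comment style used everywhere else in this file (and is what yamllint's comments rule flags). Either keep the old `# rhel9cis_auditd_extra_conf:` form or, if the intent is that the example can be uncommented verbatim, apply the same treatment to both lines so the example stays aligned as a mapping.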
@@ -872,93 +885,92 @@ rhel9cis_syslog: rsyslog # in /etc/rsyslog.conf file, namely mail, news and misc(warn, messages) rhel9cis_rsyslog_ansiblemanaged: true -#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable governs if 'rsyslog' service should be automatically configured to forward messages to a # remote log server. If set to 'false', the configuration of the 'omfwd' plugin, used to provide forwarding # over UDP or TCP, will not be performed. rhel9cis_remote_log_server: false -#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable configures the value of the 'target' parameter to be configured when enabling # forwarding syslog messages to a remote log server, thus configuring the actual FQDN/IP address of the # destination server. For this value to be reflected in the configuration, the variable which enables the # automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_host: logagg.example.com -#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable configures the value of the 'port' parameter to be configured when enabling # forwarding syslog messages to a remote log server. The default value for this destination port is 514. # For this value to be reflected in the configuration, the variable which enables the # automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). 
rhel9cis_remote_log_port: 514 -#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable configures the value("TCP"/"UDP") of the 'protocol' parameter to be configured when enabling # forwarding syslog messages to a remote log server. The default value for the 'omfwd' plug-in is UDP. # For this value to be reflected in the configuration, the variable which enables the # automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_protocol: tcp -#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable governs how often an action is retried(value is passed to 'action.resumeRetryCount' parameter) before # it is considered to have failed(that roughly translates to discarded messages). The default value is 0, but # when set to "-1"(eternal), this setting would prevent rsyslog from dropping messages when retrying to connect # if server is not responding. For this value to be reflected in the configuration, the variable which enables the # automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_retrycount: 100 -#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable configures the maximum number of messages that can be hold(value is passed to 'queue.size' parameter). # For this value to be reflected in the configuration, the variable which enables the automatic configuration # of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). 
rhel9cis_remote_log_queuesize: 1000 -#### Control 4.2.1.7 - Ensure rsyslog is not configured to receive logs from a remote client +## Control 4.2.1.7 - Ensure rsyslog is not configured to receive logs from a remote client # This variable expresses whether the system is used as a log server or not. If set to: # - 'false', current system will act as a log CLIENT, thus it should NOT receive data from other hosts. # - 'true', current system will act as a log SERVER, enabling centralised log management(by protecting log integrity -# from local attacks on remote clients) +# from local attacks on remote clients) rhel9cis_system_is_log_server: false -#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured +## Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured # 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to # URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port # number may be specified after a colon (":"), otherwise 19532 will be used by default. rhel9cis_journal_upload_url: 192.168.50.42 ## The paths below have the default paths/files, but allow user to create custom paths/filenames -#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured +## Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured # This variable specifies the path to the private key file used by the remote journal # server to authenticate itself to the client. This key is used alongside the server's # public certificate to establish secure communication. rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" -#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured +## Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured # This variable specifies the path to the public certificate file of the remote journal # server. This certificate is used to verify the authenticity of the remote server. 
rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" -#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured +## Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured # This variable specifies the path to a file containing one or more public certificates # of certificate authorities (CAs) that the client trusts. These trusted certificates are used # to validate the authenticity of the remote server's certificate. rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" -# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy # The variables below related to journald, please set these to your site specific values # These variable specifies how much disk space the journal may use up at most # Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. # See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. # ATTENTION: Uncomment the keyword below when values are set! -# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use +## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# 'rhel9cis_journald_systemmaxuse' is the max amount of disk space the logs will use rhel9cis_journald_systemmaxuse: 10M -# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# rhel9cis_journald_systemkeepfree is the amount of disk space to keep free +## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# 'rhel9cis_journald_systemkeepfree' is the amount of disk space to keep free rhel9cis_journald_systemkeepfree: 100G -# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# rhel9cis_journald_runtimemaxuse control how much disk space the journal may use up at most. -# same as rhel9cis_journald_systemmaxuse. 
+## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# 'rhel9cis_journald_runtimemaxuse' control how much disk space the journal may use up at most. +# same as 'rhel9cis_journald_systemmaxuse'. rhel9cis_journald_runtimemaxuse: 10M -# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# rhel9cis_journald_runtimekeepfree is the amount of disk space to keep free -# same as rhel9cis_journald_systemkeepfree, but related to runtime space. +## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# 'rhel9cis_journald_runtimekeepfree' is the amount of disk space to keep free +# same as 'rhel9cis_journald_systemkeepfree', but related to runtime space. rhel9cis_journald_runtimekeepfree: 100G -# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# rhel9cis_journald_MaxFileSec is how long in time to keep log files. +## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# 'rhel9cis_journald_MaxFileSec' is how long in time to keep log files. # This variable specifies, the maximum time to store entries in a single journal # file before rotating to the next one. Set to 0 to turn off this feature. # The given values is interpreted as seconds, unless suffixed with the units 
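Review bot: The rewritten line `# 'rhel9cis_journald_MaxFileSec' is how long in time to keep log files.` quotes the variable with a different casing from the key it documents, `rhel9cis_journald_maxfilesec`, which is defined a few lines further on in the next hunk; since the commit is adding quotes to these names precisely to make them greppable, it should read `# 'rhel9cis_journald_maxfilesec' is how long in time to keep log files.`. The sibling lines for systemmaxuse, systemkeepfree, runtimemaxuse and runtimekeepfree already match their keys.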
@@ -967,23 +979,24 @@ rhel9cis_journald_runtimekeepfree: 100G # ATTENTION: Uncomment the keyword below when values are set! rhel9cis_journald_maxfilesec: 1month -#### Control 4.3 - Ensure logrotate is configured +## Control 4.3 - Ensure logrotate is configured # This variable defines the log file rotation period. # Options are: daily, weekly, monthly, yearly. rhel9cis_logrotate: "daily" ## Section5 vars -# Section 5.2 - SSH +## Section 5.2 - SSH + # This value, containing the absolute filepath of the produced 'sshd' config file, allows usage of # drop-in files('/etc/ssh/ssh_config.d/{ssh_drop_in_name}.conf', supported by RHEL9) when CIS adopts them. # Otherwise, the default value is '/etc/ssh/ssh_config'. rhel9_cis_sshd_config_file: /etc/ssh/sshd_config -#### Controls: -## 5.2.4 - Ensure SSH access is limited -## 5.2.19 - Ensure SSH LoginGraceTime is set to one minute or less -## 5.2.20 - Ensure SSH Idle Timeout Interval is configured +## Controls: +## - 5.2.4 - Ensure SSH access is limited +## - 5.2.19 - Ensure SSH LoginGraceTime is set to one minute or less +## - 5.2.20 - Ensure SSH Idle Timeout Interval is configured rhel9cis_sshd: # This variable sets the maximum number of unresponsive "keep-alive" messages # that can be sent from the server to the client before the connection is considered @@ -1023,7 +1036,7 @@ rhel9cis_sshd: # For more info, see https://linux.die.net/man/5/sshd_config deny_groups: "" -# Control 5.2.5 - Ensure SSH LogLevel is appropriate +## Control 5.2.5 - Ensure SSH LogLevel is appropriate # This variable is used to control the verbosity of the logging produced by the SSH server. # The options for setting it are as follows: # - `QUIET`: Minimal logging; 
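Review bot: The comment immediately above `rhel9_cis_sshd_config_file: /etc/ssh/sshd_config` (an unchanged line in this hunk, just below the new `## Section 5.2 - SSH` heading) describes the client-side files — drop-ins under '/etc/ssh/ssh_config.d/' and a default of '/etc/ssh/ssh_config' — while the value is the server configuration file. Presumably it should reference `/etc/ssh/sshd_config.d/{drop_in_name}.conf` and `/etc/ssh/sshd_config`; an operator following the comment as written would point the role at the ssh client config and the sshd hardening would not land. The key name also breaks the `rhel9cis_` prefix used by every other variable, which is worth a follow-up since renaming it is an interface change for existing playbooks.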
@@ -1035,39 +1048,41 @@ rhel9cis_sshd: # - `DEBUG(x)`: Whereas x = debug level 1 to 3, DEBUG=DEBUG1. rhel9cis_ssh_loglevel: INFO -# Control 5.2.18 - Ensure SSH MaxSessions is set to 10 or less +## Control 5.2.18 - Ensure SSH MaxSessions is set to 10 or less # This variable value specifies the maximum number of open sessions that are permitted from # a given location rhel9cis_ssh_maxsessions: 4 ## Control 5.6.1.4 - Ensure inactive password lock is 30 days or less +rhel9cis_inactivelock: # This variable specifies the number of days of inactivity before an account will be locked. # CIS requires a value of 30 days or less. -rhel9cis_inactivelock: lock_days: 30 # This variable governs if authconfig package should be installed. This package provides a simple method of # configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used # for shadow password support. Basic LDAP, Kerberos 5, and Winbind client configuration is also provided. rhel9cis_use_authconfig: false -#### Controls -# SECTION 5.4 - Configure authselect: Custom authselect profile settings(name, profile to customize, options) -# 5.4.1 - Ensure custom authselect profile is used('custom_profile_name', 'default_file_to_copy' subsettings) -# 5.4.2 - Ensure authselect includes with-faillock | with auth select profile('custom_profile_name') -# Settings in place now will fail, they are place holders from the control example. Due to the way many multiple +## Section 5.4 - Configure authselect: Custom authselect profile settings(name, profile to customize, options) +## Controls: +# - 5.4.1 - Ensure custom authselect profile is used('custom_profile_name', 'default_file_to_copy' subsettings) +# - 5.4.2 - Ensure authselect includes with-faillock | with auth select profile('custom_profile_name') +# Settings in place now will fail, they are placeholders from the control example. 
Due to the way many multiple # options and ways to configure this control needs to be enabled and settings adjusted to minimise risk. rhel9cis_authselect: + # This variable configures the name of the custom profile to be created and selected. custom_profile_name: custom-profile + # This variable configures the ID of the existing profile that should be used as a base for the new profile. default_file_to_copy: "sssd --symlink-meta" options: with-sudo with-faillock without-nullok -# Control 5.4.1 - Ensure custom authselect profile is used +## Control 5.4.1 - Ensure custom authselect profile is used # This variable governs if an authselect custom profile should be automatically created, by copying and # customizing one of the default profiles. The default profiles include: sssd, winbind, or the nis. This profile can then be # customized to follow site specific requirements. rhel9cis_authselect_custom_profile_create: false -# Control 5.4.2 - Ensure authselect includes with-faillock | Create custom profiles +## Control 5.4.2 - Ensure authselect includes with-faillock | Create custom profiles # This variable governs if the existing custom profile should be selected(Note: please keep in mind that all future updates # to the PAM templates and meta files in the original profile will be reflected in your custom profile, too.) rhel9cis_authselect_custom_profile_select: false 
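Review bot: The new comment on `default_file_to_copy` says it holds the ID of the base profile, but the value `"sssd --symlink-meta"` also carries an authselect flag, so a reader following the comment would set just `sssd` and silently drop `--symlink-meta`. Describe the field as it is used, e.g. `# Base profile ID plus any extra arguments (here '--symlink-meta'), presumably passed through to 'authselect create-profile' — confirm against the task.`. The block comment above still warns that these settings "will fail" as placeholders; since `rhel9cis_authselect_custom_profile_create: false` appears to keep them inert by default, say which toggle makes them live so the warning is actionable.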
@@ -1098,11 +1113,11 @@ rhel9cis_pam_password: # set to 4, passwords will have to include all four types of characters. minclass: 4 -## Controls -# 5.5.2 - Ensure lockout for failed password attempts is configured -# 5.5.3 - Ensure password reuse is limited -# 5.5.4 - Ensure password hashing algorithm is SHA-512 -# 5.4.2 - Ensure authselect includes with-faillock +## Controls +# - 5.5.2 - Ensure lockout for failed password attempts is configured +# - 5.5.3 - Ensure password reuse is limited +# - 5.5.4 - Ensure password hashing algorithm is SHA-512 +# - 5.4.2 - Ensure authselect includes with-faillock rhel9cis_pam_faillock: # This variable sets the amount of time a user will be unlocked after the max amount of # password failures. @@ -1110,7 +1125,7 @@ rhel9cis_pam_faillock: # This variable sets the amount of tries a password can be entered, before a user is locked. deny: 5 # This variable represents the number of password change cycles, after which - # a user can re-use a password. + # an user can re-use a password. # CIS requires a value of 5 or more. remember: 5 
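Review bot: The second hunk on this line replaces a correct article with a wrong one in the `remember` comment; keep `# a user can re-use a password.` rather than `# an user can re-use a password.`. The `rhel9cis_pam_faillock` mapping continues outside that hunk.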
@@ -1118,44 +1133,44 @@ rhel9cis_pam_faillock: # These are discovered via logins.def if set true discover_int_uid: false ### Controls: -# 5.6.2 - Ensure system accounts are secured -# 6.2.10 - Ensure local interactive user home directories exist -# 6.2.11 - Ensure local interactive users own their home directories +# - 5.6.2 - Ensure system accounts are secured +# - 6.2.10 - Ensure local interactive user home directories exist +# - 6.2.11 - Ensure local interactive users own their home directories # This variable sets the minimum number from which to search for UID # Note that the value will be dynamically overwritten if variable `dicover_int_uid` has # been set to `true`. min_int_uid: 1000 ### Controls: -# 6.2.10 - Ensure local interactive user home directories exist -# 6.2.11 - Ensure local interactive users own their home directories +# - 6.2.10 - Ensure local interactive user home directories exist +# - 6.2.11 - Ensure local interactive users own their home directories # This variable sets the maximum number at which the search stops for UID # Note that the value will be dynamically overwritten if variable `dicover_int_uid` has # been set to `true`. max_int_uid: 65533 -### Control 5.3.3 - Ensure sudo log file exists +## Control 5.3.3 - Ensure sudo log file exists # By default, sudo logs through syslog(3). However, to specify a custom log file, the # 'logfile' parameter will be used, setting it with current variable's value. # This variable defines the path and file name of the sudo log file. rhel9cis_sudolog_location: "/var/log/sudo.log" -#### Control 5.3.6 -Ensure sudo authentication timeout is configured correctly +## Control 5.3.6 -Ensure sudo authentication timeout is configured correctly # This variable sets the duration (in minutes) during which a user's authentication credentials # are cached after successfully authenticating using "sudo". 
This allows the user to execute # multiple commands with elevated privileges without needing to re-enter their password for each # command within the specified time period. CIS requires a value of at most 15 minutes. rhel9cis_sudo_timestamp_timeout: 15 -### 5.4.2 authselect and faillock +## Control 5.4.2 - authselect and faillock ## This option is used at your own risk it will enable faillock for users ## Only to be used on a new clean system if not using authselect -## THIS CAN BREAK ACCESS EVEN FOR ROOT - UNDERSTAND RISKS ## +## THIS CAN BREAK ACCESS EVEN FOR ROOT - PLEASE UNDERSTAND RISKS ! rhel9cis_add_faillock_without_authselect: false -# This needs to be set to 'ACCEPT'(string), besides setting 'rhel9cis_add_faillock_without_authselect' -# to 'true', in order to execute the 5.4.2 sub-tasks dealing with not authselect profile +# This needs to be set to 'ACCEPT'(as string), besides setting 'rhel9cis_add_faillock_without_authselect' +# to 'true', in order to include the 'with-failock' option to the current authselect profile. rhel9cis_5_4_2_risks: NEVER -### Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less +## Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) rhel9cis_shell_session_timeout: 
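Review bot: The new comment under `rhel9cis_5_4_2_risks` misspells the authselect feature as `'with-failock'`; the feature, and the value used in `rhel9cis_authselect.options` earlier in this file, is `with-faillock`, so the line should read `# to 'true', in order to include the 'with-faillock' option in the current authselect profile.`. The unchanged context above still refers to `dicover_int_uid` twice while the key is `discover_int_uid`, which is worth fixing in the same documentation pass. The `rhel9cis_shell_session_timeout` mapping starts on the hunk's last line and continues outside it.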
@@ -1171,36 +1186,36 @@ rhel9cis_shell_session_timeout: # CIS requires a value of at most 900 seconds. timeout: 600 -### Control 5.6.1.5 - Ensure all users last password change date is in the past +## Control 5.6.1.5 - Ensure all users last password change date is in the past # Allow ansible to expire password for account with a last changed date in the future. Setting it # to 'false' will just display users in violation, while 'true' will expire those users passwords. rhel9cis_futurepwchgdate_autofix: true -### Control 5.3.7 - Ensure access to the 'su' command is restricted +## Control 5.3.7 - Ensure access to the 'su' command is restricted # This variable determines the name of the group of users that are allowed to use the su command. # CIS requires that such a group be CREATED(named according to site policy) and be kept EMPTY. rhel9cis_sugroup: nosugroup ## Section6 vars -### Control 6.1.15 - Audit system file permissions | Create list and warning +## Control 6.1.15 - Audit system file permissions | Create list and warning # The RPM package-manager has many useful options. For example, using option: # - '-V': RPM can automatically check if system packages are correctly installed # - '-qf': RPM can be used to determine which package a particular file belongs to -# Rule 6.1.15 takes advantage of the combination of those two options and, therefore, is able to +# Auditing system file-permissions takes advantage of the combination of those two options and, therefore, is able to # detect any discrepancy regarding installed packages, redirecting the output of this combined # command into a specific file. If no output is returned, the package is installed correctly. -# Current variable stores the preferred absolute filepath such a file, therefore if this file +# Current variable stores the preferred absolute filepath for such a file, therefore if this file # contains any lines, an alert message will be generated to warn about each discrepancy. 
rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check -### Control 6.1.9 - Ensure no world writable files exist +## Control 6.1.9 - Ensure no world writable files exist # Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable. rhel9cis_no_world_write_adjust: true rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" -### Control 6.2.16 - Ensure local interactive user dot files are not group or world writable +## Control 6.2.16 - Ensure local interactive user dot files are not group or world writable # This boolean variable governs if current role should follow filesystem links for changes to # user home directory. rhel_09_6_2_16_home_follow_symlinks: false From b4bef292ca8a86cf1090b3deaa4b03be037556c2 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 19 Jan 2024 15:37:44 +0200 Subject: [PATCH 116/136] Improving doc for journald log parameters. Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 18b30b0..e398dcb 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
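Review bot: `rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check` places the 6.1.15 result file in a world-writable directory; the task that writes it is not in this diff, but if it runs as root and does not refuse a pre-existing file, any local user can pre-create that name (or a symlink) and affect what root writes or what the "discrepancy" alert reports. A root-owned location, e.g. a directory under `/var/log`, avoids that, or the comment should state that the path is expected to be overridden per site. The rewritten 6.1.15 comment is otherwise clearer than the original.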
@@ -963,30 +963,30 @@ rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" # of certificate authorities (CAs) that the client trusts. These trusted certificates are used # to validate the authenticity of the remote server's certificate. rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" +# ATTENTION: Uncomment the keyword below when values are set! +## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# Current variable configures the max amount of disk space the logs will use(thus, journal files +# will not grow without bounds) # The variables below related to journald, please set these to your site specific values # These variable specifies how much disk space the journal may use up at most # Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. # See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. -# ATTENTION: Uncomment the keyword below when values are set! - -## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# 'rhel9cis_journald_systemmaxuse' is the max amount of disk space the logs will use rhel9cis_journald_systemmaxuse: 10M ## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# 'rhel9cis_journald_systemkeepfree' is the amount of disk space to keep free +# Current variable configures the amount of disk space to keep free for other uses. rhel9cis_journald_systemkeepfree: 100G ## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# 'rhel9cis_journald_runtimemaxuse' control how much disk space the journal may use up at most. -# same as 'rhel9cis_journald_systemmaxuse'. +# This variable configures how much disk space the journal may use up at most. +# Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space. 
rhel9cis_journald_runtimemaxuse: 10M ## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# 'rhel9cis_journald_runtimekeepfree' is the amount of disk space to keep free -# same as 'rhel9cis_journald_systemkeepfree', but related to runtime space. +# This variable configures the actual amount of disk space to keep free +# Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space. rhel9cis_journald_runtimekeepfree: 100G ## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# 'rhel9cis_journald_MaxFileSec' is how long in time to keep log files. -# This variable specifies, the maximum time to store entries in a single journal +# Current variable governs the settings for log retention(how long the log files will be kept). +# Thus, it specifies the maximum time to store entries in a single journal # file before rotating to the next one. Set to 0 to turn off this feature. # The given values is interpreted as seconds, unless suffixed with the units # `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds. From 073f6b71928d449ac9c3910e68ecaf1f0aecc233 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 19 Jan 2024 15:55:42 +0200 Subject: [PATCH 117/136] Revert "Added vars for streams." [IP] I see no benefit to duplicate vars in defaults/main.yml in other files like specific vars for Alma/Rocky, especially since we're using the same values for those vars. Also, replacing rsyslog with journald is not fine for this current doc-extension proposal. This reverts commit a57333dcf1d8230e4d4a9d84ed1aa10b430bb64b. --- defaults/main.yml | 2 +- vars/AlmaLinux.yml | 6 ------ vars/Rocky.yml | 6 ------ 3 files changed, 1 insertion(+), 13 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e398dcb..4ffa634 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
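Review bot: The moved `# ATTENTION: Uncomment the keyword below when values are set!` line now sits above the `## Control 4.2.2.6` heading and refers to nothing: every `rhel9cis_journald_*` key below it is already uncommented and set. Either drop it or reword it to what is meant, e.g. `# ATTENTION: replace the placeholder sizes below with your site values before relying on journald rotation.`. Also `Similar with` should read `Similar to` in the two new runtime comments.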
@@ -894,7 +894,7 @@ rhel9cis_auditd_extra_conf: {} # This variable governs which logging service should be used, choosing between 'rsyslog'(CIS recommendation) # or 'journald'(only one is implemented) will trigger the execution of the associated subsection, as the-best # practices are written wholly independent of each other. -rhel9cis_syslog: journald +rhel9cis_syslog: rsyslog ## Control 4.2.1.5 | PATCH | Ensure logging is configured # This variable governs if current Ansible role should manage syslog settings # in /etc/rsyslog.conf file, namely mail, news and misc(warn, messages) diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index a0fa6ba..b0eb3d9 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -5,9 +5,3 @@ os_gpg_key_pubkey_name: gpg-pubkey-b86b3716-61e69f29 os_gpg_key_pubkey_content: "AlmaLinux OS 9 b86b3716" # disable repo_gpgcheck due to OS default repos rhel9cis_rule_enable_repogpg: false - -rhel9cis_sshd: - # This variable sets the maximum number of unresponsive "keep-alive" messages - # that can be sent from the server to the client before the connection is considered - # inactive and thus, closed. - clientalivecountmax: 3 \ No newline at end of file diff --git a/vars/Rocky.yml b/vars/Rocky.yml index 7d9f014..77af29c 100644 --- a/vars/Rocky.yml +++ b/vars/Rocky.yml @@ -3,9 +3,3 @@ os_gpg_key_pubkey_name: gpg-pubkey-350d275d-6279464b os_gpg_key_pubkey_content: "Rocky Enterprise Software Foundation - Release key 2022 350d275d" - -rhel9cis_sshd: - # This variable sets the maximum number of unresponsive "keep-alive" messages - # that can be sent from the server to the client before the connection is considered - # inactive and thus, closed. - clientalivecountmax: 3 \ No newline at end of file From 48f0c7db53f8a2856f1a081a721c721599a6e800 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 19 Jan 2024 16:11:02 +0200 Subject: [PATCH 118/136] Using again the default values used by Lockdown for sshd vars, as they shouldn't be altered 
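Review bot: The comment above `rhel9cis_syslog` says `'journald'(only one is implemented)`, which reads as though journald is the only implemented choice — the opposite of what reverting to `rhel9cis_syslog: rsyslog` intends. Say which is meant, e.g. `# This variable selects the logging service: 'rsyslog' (the CIS recommendation) or 'journald'. Only the chosen service's subsection is executed,` followed by the existing sentence about the subsections being independent. The AlmaLinux and Rocky hunks are pure deletions and need no review.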
Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 4ffa634..888fdd8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1016,11 +1016,11 @@ rhel9cis_sshd: # This variable sets the maximum number of unresponsive "keep-alive" messages # that can be sent from the server to the client before the connection is considered # inactive and thus, closed. - clientalivecountmax: 3 + clientalivecountmax: 0 # This variable sets the time interval in seconds between sending "keep-alive" # messages from the server to the client. These types of messages are intended to # keep the connection alive and prevent it being terminated due to inactivity. - clientaliveinterval: 300 + clientaliveinterval: 900 # This variable specifies the amount of seconds allowed for successful authentication to # the SSH server. logingracetime: 60 From 36ab51d60028e96f215122d1918a53f559191f17 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 19 Jan 2024 16:16:18 +0200 Subject: [PATCH 119/136] Removing not useful line from docs Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 888fdd8..75a5167 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1234,7 +1234,6 @@ rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | de # This boolean variable governs if current role should follow filesystem links for changes to # user home directory. rhel_09_6_2_16_home_follow_symlinks: false -# thanks to @dulin-gnet and community for rhel8-cis feedback. #### Goss Configuration Settings #### # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" From 9ce1fb65564a686804d6713df734df3c6b391a5b Mon Sep 17 00:00:00 2001 
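Review bot: `clientalivecountmax: 0` does not yield an idle timeout on RHEL 9: since OpenSSH 8.2 the sshd_config(5) man page states that a zero ClientAliveCountMax disables connection termination, and RHEL 9's OpenSSH is newer than that, so with `clientaliveinterval: 900` the server probes an idle client every 15 minutes and never drops it. That leaves control 5.2.20 (listed in the Controls block above `rhel9cis_sshd`) unmet even though these are the previous Lockdown defaults. If restoring the old defaults is the intent, the comment should say that the timeout only fires with a non-zero count; otherwise keep a non-zero value such as the previous `clientalivecountmax: 3`. The `rhel9cis_sshd` mapping continues outside this hunk.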
From: Marcin Dulinski Date: Wed, 22 Nov 2023 09:17:15 +0000 Subject: [PATCH 120/136] Solved minor conflicts in defaults/main.yml file, when re-basing Signed-off-by: Marcin Dulinski --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index 75a5167..888fdd8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1234,6 +1234,7 @@ rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | de # This boolean variable governs if current role should follow filesystem links for changes to # user home directory. rhel_09_6_2_16_home_follow_symlinks: false +# thanks to @dulin-gnet and community for rhel8-cis feedback. #### Goss Configuration Settings #### # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" From da62626a9d582e747dca984cc4fc8b35c5b95eee Mon Sep 17 00:00:00 2001 From: "root@DERVISHx" Date: Fri, 24 Nov 2023 15:38:40 +0000 Subject: [PATCH 121/136] Fixing conflicts after rebasing current feature branch onto 'devel' --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 888fdd8..3828ab2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -137,6 +137,7 @@ audit_run_heavy_tests: true audit_cmd_timeout: 120000 ### End Goss enablements #### +#### Detailed settings found at the end of this document #### # These variables correspond with the CIS rule IDs or paragraph numbers defined in # the CIS benchmark documents. @@ -660,7 +661,6 @@ rhel9cis_telnet_server: false # This variable, when system is NOT a mailserver, will configure Postfix to listen only on the loopback interface(the virtual # network interface that the server uses to communicate internally. rhel9cis_is_mail_server: false - # Note the options # Client package configuration variables. # Packages are used for client services and Server- only remove if you dont use the client service 
@@ -885,7 +885,7 @@ rhel9cis_auditd_uid_exclude: # '/etc/audit/auditd.conf' file) can be stored within current variable. rhel9cis_auditd_extra_conf: {} # Example: -#rhel9cis_auditd_extra_conf: +# rhel9cis_auditd_extra_conf: # admin_space_left: '10%' ## Whether rsyslog or journald preferred method for local logging From aa8a60b4ee5e10aafdf45399b223298bca325db3 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 22 Jan 2024 17:33:49 +0000 Subject: [PATCH 122/136] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v6.22.1 → v6.22.2](https://github.com/ansible-community/ansible-lint/compare/v6.22.1...v6.22.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a79d4cb..25fbc9e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -43,7 +43,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.1 + rev: v6.22.2 hooks: - id: ansible-lint name: Ansible-lint From 778110e7d6ad100a2349a943ec12229dad240568 Mon Sep 17 00:00:00 2001 From: "root@DERVISHx" Date: Wed, 29 Nov 2023 15:50:23 +0000 Subject: [PATCH 123/136] Document variables in defaults/main.yml, Fix 5 from devel Signed-off-by: root@DERVISHx --- defaults/main.yml | 291 ++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 268 insertions(+), 23 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index decf352..f1bfe1c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -11,6 +11,10 @@ system_is_ec2: false # Supported OSs will not need for this to be changed - see README e.g. CentOS os_check: true +## Switching on/off specific baseline sections +# These variables govern whether the tasks of a particular section are to be executed when running the role. +# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true. +# to "true". If you do not want the tasks from that section to get executed you simply set the variable to "false". rhel9cis_section1: true rhel9cis_section2: true rhel9cis_section3: true @@ -39,7 +43,8 @@ benchmark_version: 'v1.0.0' benchmark: RHEL9-CIS -# Whether to skip the reboot +# Whether to skip the system reboot before audit +# System will reboot if false, can give better audit results skip_reboot: true # default value will change to true but wont reboot if not enabled but will error @@ -48,11 +53,20 @@ change_requires_reboot: false ########################################## ### Goss is required on the remote host ### ## Refer to vars/auditd.yml for any other settings ## +#### Basic external goss audit enablement settings #### +#### Precise details - per setting can be found at the bottom of this file #### -# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) +## Audit setup +# Audits are carried out using Goss. This variable +# determines whether execution of the role prepares for auditing +# by installing the required binary. setup_audit: false -# enable audits to run - this runs the audit and get the latest content +## Enable audits to run +# This variable governs whether the audit using the +# separately maintained audit role using Goss +# is carried out. +# This runs the audit and get the latest content run_audit: false # Only run Audit do not remediate 
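Review bot: The new section-toggle comment in the first hunk has a broken sentence: `# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true.` is followed by the stray fragment `# to "true".`. Drop the fragment and name the real key, e.g. `# E.g.: to run the Section 1 tasks set rhel9cis_section1 to true; set it to false to skip that section.`. In the third hunk `# This runs the audit and get the latest content` should read `gets`.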
@@ -65,6 +79,8 @@ audit_capture_files_dir: /some/location to copy to on control node # How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file +# provided in variable `audit_conf_copy` for copying or +# the url given in variable `audit_files_url` for downloading. # you will need to access to either github or the file already dowmloaded get_audit_binary_method: download @@ -73,8 +89,15 @@ get_audit_binary_method: download ## e.g copy from ansible control node to remote host audit_bin_copy_location: /some/accessible/path -# how to get audit files onto host options +## How to retrieve the audit role +# The role for auditing is maintained separately. +# This variable specifies the method of how to get the audit role # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf +# onto the system. The options are as follows: +# - git: clone from git repository as specified in variable `audit_file_git` in +# the version specified by variable `audit_git_version` +# - copy: copy from path as specified in variable `audit_conf_copy` +# - get_url: Download from url as specified in variable `audit_files_url` audit_content: git # archive or copy: @@ -97,7 +120,8 @@ audit_cmd_timeout: 120000 # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. # You must enable an entire section in order for the variables below to take effect. -# Section 1 rules +# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, +# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) rhel9cis_rule_1_1_1_1: true rhel9cis_rule_1_1_1_2: true rhel9cis_rule_1_1_2_1: true 
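Review bot: In the `audit_content` hunk the retained old line `# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf` is now wedged between `# This variable specifies the method of how to get the audit role` and `# onto the system. The options are as follows:`, splitting one sentence and repeating the option list that the new bullets already give. Remove that old line, or move it below the bullets, so the comment reads as one paragraph. The bullets also reference `audit_file_git`, `audit_git_version`, `audit_conf_copy` and `audit_files_url`, which are not visible in this diff; confirm the names match the keys defined elsewhere in the file.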
@@ -170,7 +194,7 @@ rhel9cis_rule_1_8_10: true rhel9cis_rule_1_9: true rhel9cis_rule_1_10: true -# Section 2 rules +# Section 2 rules are controling Services (Special Purpose Services, and service clients) rhel9cis_rule_2_1_1: true rhel9cis_rule_2_1_2: true rhel9cis_rule_2_2_1: true @@ -222,7 +246,8 @@ rhel9cis_rule_3_4_2_5: true rhel9cis_rule_3_4_2_6: true rhel9cis_rule_3_4_2_7: true -# Section 4 rules +# Section 4 rules are Logging and Auditing (Configure System Accounting (auditd), +# Configure Data Retention, and Configure Logging) rhel9cis_rule_4_1_1_1: true rhel9cis_rule_4_1_1_2: true rhel9cis_rule_4_1_1_3: true @@ -281,7 +306,8 @@ rhel9cis_rule_4_2_2_7: true rhel9cis_rule_4_2_3: true rhel9cis_rule_4_3: true -# Section 5 rules +# Section 5 rules control Access, Authentication, and Authorization (Configure time-based job schedulers, +# Configure sudo, Configure SSH Server, Configure PAM and User Accounts and Environment) rhel9cis_rule_5_1_1: true rhel9cis_rule_5_1_2: true rhel9cis_rule_5_1_3: true @@ -336,7 +362,7 @@ rhel9cis_rule_5_6_4: true rhel9cis_rule_5_6_5: true rhel9cis_rule_5_6_6: true -# Section 6 rules +# Section 6 rules controls System Maintenance (System File Permissions and User and Group Settings) rhel9cis_rule_6_1_1: true rhel9cis_rule_6_1_2: true rhel9cis_rule_6_1_3: true 
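Review bot: The new section comments have grammar slips: `# Section 2 rules are controling Services` should be `controlling`, and `# Section 6 rules controls System Maintenance` should be `control`. The four comments also use three different sentence patterns ("is", "are controlling", "control"); one form, e.g. `# Section N rules: <title> (<subsections>)`, would read uniformly across the file.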
@@ -402,9 +428,16 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF4 rhel9cis_bootloader_password: random # pragma: allowlist secret rhel9cis_set_boot_pass: true -# 1.8 Gnome Desktop +## Controls 1.8.x - Settings for GDM +# This variable specifies the GNOME configuration database file to which configurations are written. +# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) +# The default database is `local` rhel9cis_dconf_db_name: local + +# This variable governs the number of seconds of inactivity before the screen goes blank. rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) + +# This variable governs the number of seconds the screen remains blank before it is locked. rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) # 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) 
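Review bot: The new block comments on `rhel9cis_screensaver_idle_delay` and `rhel9cis_screensaver_lock_delay` duplicate the inline comments that stay on the same lines, and the two disagree: the block says the variable "governs the number of seconds of inactivity", the inline says it sets a *max* value `(between 1 and 900)`. Keep one description per key by folding the range into the block comment, e.g. `# This variable sets the idle time in seconds before the screen blanks; CIS allows at most 900.`, and drop the trailing inline comment.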
@@ -414,27 +447,67 @@ rhel9cis_crypto_policy: 'DEFAULT' rhel9cis_crypto_policy_module: '' # System network parameters (host only OR host and router) +# This variable governs whether specific CIS rules +# concerned with acceptance and routing of packages are skipped. rhel9cis_is_router: false -# IPv6 required +## IPv6 requirement toggle +# This variable governs whether ipv6 is enabled or disabled. rhel9cis_ipv6_required: true -# AIDE +## Control 1.3.1 - allow aide to be configured +# AIDE is a file integrity checking tool, similar in nature to Tripwire. +# While it cannot prevent intrusions, it can detect unauthorized changes +# to configuration files by alerting when the files are changed. Review +# the AIDE quick start guide and AIDE documentation before proceeding. +# By setting this variable to `true`, all of the settings related to AIDE will be applied! rhel9cis_config_aide: true -# AIDE cron settings + +## Control 1.3.2 AIDE cron settings +# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. +# The sub-settings of this variable provide the parameters required to configure +# the cron job on the target system. +# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled +# and executed automatically at a certain point in time. rhel9cis_aide_cron: + # This variable represents the user account under which the cron job for AIDE will run. cron_user: root + # This variable represents the path to the AIDE crontab file. cron_file: /etc/cron.d/aide_cron + # This variable represents the actual command or script that the cron job + # will execute for running AIDE. aide_job: '/usr/sbin/aide --check' + # These variables define the schedule for the cron job + # This variable governs the minute of the time of day when the AIDE cronjob is run. + # It must be in the range `0-59`. aide_minute: 0 + # This variable governs the hour of the time of day when the AIDE cronjob is run. 
+ # It must be in the range `0-23`. aide_hour: 5 + # This variable governs the day of the month when the AIDE cronjob is run. + # `*` signifies that the job is run on all days; furthermore, specific days + # can be given in the range `1-31`; several days can be concatenated with a comma. + # The specified day(s) can must be in the range `1-31`. aide_day: '*' + # This variable governs months when the AIDE cronjob is run. + # `*` signifies that the job is run in every month; furthermore, specific months + # can be given in the range `1-12`; several months can be concatenated with commas. + # The specified month(s) can must be in the range `1-12`. aide_month: '*' + # This variable governs the weekdays, when the AIDE cronjob is run. + # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays + # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays + # can be concatenated with commas. aide_weekday: '*' # SELinux policy +# This selects type of policy; targeted or mls ( multilevel ) +# mls should not be used, since it will disable unconfined policy module +# and may prevent some services from running. rhel9cis_selinux_pol: targeted # chose onf or enfocing or permissive +# CIS expects enforcing since permissive allows operations thet might compromise the system. +# Even though logging still occurs. rhel9cis_selinux_enforce: enforcing # Whether or not to run tasks related to auditing/patching the desktop environment 
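Review bot: `# concerned with acceptance and routing of packages are skipped.` under `rhel9cis_is_router` should say `packets` — the router-related rules deal with network traffic, not software packages. The AIDE cron comments repeat `can must be in the range` for `aide_day` and `aide_month` (drop `can`), and the new SELinux comment has `thet` for `that`; the pre-existing `chose onf or enfocing` line above `rhel9cis_selinux_enforce` could be fixed in the same pass.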
@@ -443,6 +516,11 @@ rhel9cis_selinux_enforce: enforcing ### 2.1 Time Synchronization #### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 +# The following variable represents a list of of time servers used +# for configuring chrony, timesyncd, and ntp. +# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`. +# The default setting for the `options` is `minpoll` but `iburst` can be used, please refer to the documentation +# of the time synchronization mechanism you are using. rhel9cis_time_synchronization_servers: - 0.pool.ntp.org - 1.pool.ntp.org @@ -454,7 +532,9 @@ rhel9cis_chrony_server_makestep: "1.0 3" rhel9cis_chrony_server_minsources: 2 ### 2.2 Special Purposes -##### Service configuration booleans set true to keep service +# Service configuration variables (boolean). +# Set the respective variable to true to keep the service. +# otherwise the service is stopped and disabled rhel9cis_gui: false rhel9cis_avahi_server: false rhel9cis_cups_server: false @@ -472,10 +552,12 @@ rhel9cis_squid_server: false rhel9cis_snmp_server: false rhel9cis_telnet_server: false rhel9cis_is_mail_server: false -# Note the options -# Packages are used for client services and Server- only remove if you dont use the client service -# +# Note the options +# Client package configuration variables. +# Packages are used for client services and Server- only remove if you dont use the client service +# Set the respective variable to `true` to keep the +# client package, otherwise it is uninstalled (false). rhel9cis_use_nfs_server: false rhel9cis_use_nfs_service: false 
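Review bot: The new comment on `rhel9cis_time_synchronization_servers` says each list item "contains two settings, `name` ... and `options`", but the list directly below it is plain strings (`- 0.pool.ntp.org`), so the comment describes a shape the default does not have. Confirm against `chrony.conf.j2` and make the two agree, e.g. `# Each item is a time-server hostname; see the chrony.conf.j2 template for how options are rendered.`. Also `list of of time servers` has a doubled word, and in the third hunk the leftover `# Note the options` line above `# Client package configuration variables.` no longer says anything.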
@@ -512,7 +594,11 @@ rhel9cis_firewalld_ports: - number: 80 protocol: tcp -#### nftables +## Controls 3.5.2.x - nftables +# The default nftables table name is "filter". This variable name will be the one all +# "rhel9cis_nft_tables_tablename" is the name of the table in nftables you want to create. +# nftables configs are applied to. +# options are: inet filter rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true 
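Review bot: The five comment lines added above `rhel9cis_nft_tables_autonewtable` are interleaved: the sentence beginning `This variable name will be the one all` is completed two lines later by `nftables configs are applied to.`, with the `rhel9cis_nft_tables_tablename` description spliced in between, and `options are: inet filter` reads as if the table name itself were an option list. Reorder into one statement per line, e.g. `# rhel9cis_nft_tables_tablename is the nftables table the role creates and applies its rules to.` followed by `# The default is the table "filter" (presumably in the inet family, as "inet filter" above suggests).` `rhel9cis_nft_tables_autonewtable` and `rhel9cis_nft_tables_autochaincreate` stay undocumented in this block while the table name gets four lines.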
@@ -524,12 +610,33 @@ rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and ## Section4 vars ### 4.1 Configure System Accounting #### 4.1.2 Configure Data Retention +## Controls what actions, when log files fill up +# This variable controls how the audit system behaves when +# log files are getting too full and space is getting too low. rhel9cis_auditd: space_left_action: email action_mail_acct: root + # This variable determines the action the audit system should take when disk + # space runs low. + # The options for setting this variable are as follows: + # - `ignore`: the system does nothing when presented with the aforementioned issue; + # - `syslog`: a message is sent to the system log about disk space running low; + # - `suspend`: the system suspends recording audit events until more space is available; + # - `halt`: the system is halted when disk space is critically low. + # - `single`: the audit daemon will put the computer system in single user mode + # CIS prescribes either `halt` or `single`. admin_space_left_action: halt # The max_log_file parameter should be based on your sites policy. max_log_file: 10 + # This variable determines what action the audit system should take when the maximum + # size of a log file is reached. + # The options for setting this variable are as follows: + # - `ignore`: the system does nothing when the size of a log file is full; + # - `syslog`: a message is sent to the system log indicating the problem; + # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated; + # - `rotate`: the log file is rotated (archived) and a new empty log file is created; + # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints. + # CIS prescribes the value `keep_logs`. max_log_file_action: keep_logs # This value governs if the below extra-vars for auditd should be used by the role 
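Review bot: The new per-key comments describe `admin_space_left_action` and `max_log_file_action` in detail but leave `space_left_action: email` and `action_mail_acct: root` in the same mapping undocumented, although `email` only has an effect when the host can deliver local mail to that account. A line such as `# Action when space_left is reached; email needs a working local MTA that delivers to action_mail_acct.` above `space_left_action` would make the mapping consistent. The option list given for `admin_space_left_action` omits `email`, `exec` and `rotate`, which auditd.conf also accepts, so it should be labelled as the CIS-relevant subset rather than presented as the full set.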
@@ -543,14 +650,33 @@ rhel9cis_auditd_extra_conf: admin_space_left: 50 space_left: 75 -# The audit_back_log_limit value should never be below 8192 +## Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient +# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the +# system can buffer in memory, if the audit subsystem is unable to process them in real-time. +# Buffering in memory is useful in situations, where the audit system is overwhelmed +# with incoming audit events, and needs to temporarily store them until they can be processed. +# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value. rhel9cis_audit_back_log_limit: 8192 -### 4.1.3.x audit template +## Control 4.1.2.1 - Ensure audit log storage size is configured +# This variable specifies the maximum size in MB that an audit log file can reach +# before it is archived or deleted to make space for the new audit data. +# This should be set based on your sites policy. CIS does not provide a specific value. +rhel9cis_max_log_file_size: 10 + +## 4.1.3.x - Audit template +# This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the +# audit settings are overwritten with the role's template. In order to exclude +# specific rules, you must set the variable of form `rhel9cis_rule_4_1_3_x` above +# to `false`. update_audit_template: false ## Advanced option found in auditd post +# users whose actions are not logged by auditd rhel9cis_allow_auditd_uid_user_exclusions: false +# add a list of uids to be excluded. +rhel9cis_auditd_uid_exclude: + - 1999 ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging 
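Review bot: `rhel9cis_auditd_uid_exclude` is introduced with a live default entry `1999`, and the comment `# users whose actions are not logged by auditd` is attached to the boolean `rhel9cis_allow_auditd_uid_user_exclusions`, so anyone who flips the toggle to `true` without editing the list excludes UID 1999 from the audit rules on every host, silently removing audit coverage for whichever account holds that UID. Ship the list empty (`rhel9cis_auditd_uid_exclude: []`), move the description to the list, and document the toggle as `# Set to true to apply the UIDs in rhel9cis_auditd_uid_exclude as exclusions in the audit rules.` The new `rhel9cis_max_log_file_size: 10` also appears to duplicate `rhel9cis_auditd.max_log_file: 10` from the previous hunk; if both feed the same auditd.conf setting, one is dead configuration and the comments should say which one the templates read.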
@@ -567,28 +693,56 @@ rhel9cis_remote_log_retrycount: 100 rhel9cis_remote_log_queuesize: 1000 #### 4.2.1.7 +# This variable expresses whether the system is used as a log server or not. +# If set to `true`, controls that interfere with log server functionality or +# require that own system logs be sent to some other log server are skipped. rhel9cis_system_is_log_server: false # 4.2.2.1.2 # rhel9cis_journal_upload_url is the ip address to upload the journal entries to rhel9cis_journal_upload_url: 192.168.50.42 -# The paths below have the default paths/files, but allow user to create custom paths/filenames + +## The paths below have the default paths/files, but allow user to create custom paths/filenames +# This variable specifies the path to the private key file used by the remote journal +# server to authenticate itself to the client. This key is used alongside the server's +# public certificate to establish secure communication. rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" +# This variable specifies the path to the public certificate file of the remote journal +# server. This certificate is used to verify the authenticity of the remote server. rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" +# This variable specifies the path to a file containing one or more public certificates +# of certificate authorities (CAs) that the client trusts. These trusted certificates are used +# to validate the authenticity of the remote server's certificate. rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" # 4.2.2.1 # The variables below related to journald, please set these to your site specific values +# These variable specifies how much disk space the journal may use up at most +# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. +# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. 
+# ATTENTION: Uncomment the keyword below when values are set! # rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use rhel9cis_journald_systemmaxuse: 10M # rhel9cis_journald_systemkeepfree is the amount of disk space to keep free rhel9cis_journald_systemkeepfree: 100G +# rhel9cis_journald_runtimemaxuse control how much disk space the journal may use up at most. +# same as rhel9cis_journald_systemmaxuse. rhel9cis_journald_runtimemaxuse: 10M +# rhel9cis_journald_runtimekeepfree is the amount of disk space to keep free +# same as rhel9cis_journald_systemkeepfree. rhel9cis_journald_runtimekeepfree: 100G -# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +# rhel9cis_journald_MaxFileSec is how long in time to keep log files. +# This variable specifies, the maximum time to store entries in a single journal +# file before rotating to the next one. Set to 0 to turn off this feature. +# The given values is interpreted as seconds, unless suffixed with the units +# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds. +# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +# ATTENTION: Uncomment the keyword below when values are set! rhel9cis_journald_maxfilesec: 1month #### 4.3 +# This variable defines the log file rotation period. +# Options are: daily, monthly, yearly. rhel9cis_logrotate: "daily" ## Section5 vars 
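Review bot: The comment added above `rhel9cis_journal_upload_serverkeyfile` says the key is used by the remote journal server to authenticate itself to the client, but the file lives on the host being hardened (`/etc/ssl/private/journal-upload.pem`) and, in systemd-journal-upload's configuration, `ServerKeyFile` and `ServerCertificateFile` are the uploading host's own TLS client key and certificate while `TrustedCertificateFile` is the CA used to verify the remote server, so the descriptions of the key and certificate files are inverted. Suggested wording: `# Private key (PEM) this host presents when systemd-journal-upload authenticates to the remote journal server.` and `# Certificate (PEM) matching the key above, presented to the remote server.` The two `# ATTENTION: Uncomment the keyword below when values are set!` lines sit above keys that are not commented out (`rhel9cis_journald_systemmaxuse: 10M` and `rhel9cis_journald_maxfilesec: 1month`), so either the keys should be commented in defaults or those lines removed. `rhel9cis_journal_upload_url: 192.168.50.42` remains a bare placeholder address and deserves a comment saying it must be replaced before the upload unit is enabled.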
@@ -597,20 +751,66 @@ rhel9cis_logrotate: "daily" rhel9_cis_sshd_config_file: /etc/ssh/sshd_config rhel9cis_sshd: + # This variable sets the maximum number of unresponsive "keep-alive" messages + # that can be sent from the server to the client before the connection is considered + # inactive and thus, closed. clientalivecountmax: 0 + # This variable sets the time interval in seconds between sending "keep-alive" + # messages from the server to the client. These types of messages are intended to + # keep the connection alive and prevent it being terminated due to inactivity. clientaliveinterval: 900 + # This variable specifies the amount of seconds allowed for successful authentication to + # the SSH server. logingracetime: 60 # WARNING: make sure you understand the precedence when working with these values!! # allowusers: # allowgroups: systems dba # denyusers: # denygroups: + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH + # access for users whose user name matches one of the patterns. This is done + # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. + # If an USER@HOST format will be used, the specified user will be allowed only on that particular host. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + allow_users: "" + # (String) This variable, if spcieifed, configures a list of GROUP name patterns, separated by spaces, to allow SSH access + # for users whose primary group or supplementary group list matches one of the patterns. This is done + # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. 
+ # For more info, https://linux.die.net/man/5/sshd_config + allow_groups: "wheel" + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access + # for users whose user name matches one of the patterns. This is done + # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. + # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + deny_users: "nobody" + # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access + # for users whose primary group or supplementary group list matches one of the patterns. This is done + # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + deny_groups: "" -# 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE +# 5.2.5 SSH LogLevel setting. +# This variable is used to control the verbosity of the logging produced by the SSH server. +# The options for setting it are as follows: +# - `QUIET`: Minimal logging; +# - `FATAL`: logs only fatal errors; +# - `ERROR`: logs error messages; +# - `INFO`: logs informational messages in addition to errors; +# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges; +# - `DEBUG`: generates very detailed debugging information including sensitive information. +# - `DEBUG(x)`: Whereas x = debug level 1 to 3, DEBUG=DEBUG1. rhel9cis_ssh_loglevel: INFO # 5.2.19 SSH MaxSessions setting. Must be 4 our less rhel9cis_ssh_maxsessions: 4 +## Control 5.5.1.4 +# This variable specifies the number of days of inactivity before an account will be locked. 
+# CIS requires a value of 30 days or less. rhel9cis_inactivelock: lock_days: 30 
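Review bot: The hunk ships `allow_groups: "wheel"` and `deny_users: "nobody"` as live defaults while the new comments describe each setting as applying only "if specified"; if the template writes `AllowGroups wheel` whenever the value is non-empty, every account outside `wheel`, including a non-wheel automation user running this role, loses SSH access on the first run. Default all four to `""` and keep `wheel` as the example in the existing `# allowgroups: systems dba` comment, or state in the comment that the value is applied unconditionally. The rewritten 5.2.5 comment now lists every sshd LogLevel up to `DEBUG(x)`, whose own description says it records sensitive information, but it no longer says which values the control accepts; restore that with `# CIS 5.2.5 expects INFO or VERBOSE; DEBUG levels log sensitive data and should not be used on production hosts.` Typo: `spcieifed` in the `allow_groups` comment.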
@@ -628,32 +828,65 @@ rhel9cis_authselect_custom_profile_create: false # 5.3.2 Enable automation to select custom profile options, using the settings above rhel9cis_authselect_custom_profile_select: false +## Controls 5.5.1.x - Password settings rhel9cis_pass: + ## Control 5.5.1.2 + # This variable governs after how many days a password expires. + # CIS requires a value of 365 or less. max_days: 365 + ## Control 5.5.1.1 + # This variable specifies the minimum number of days allowed between changing passwords. + # CIS requires a value of at least 1. min_days: 7 + ## Control 5.5.1.3 + # This variable governs, how many days before a password expires, the user will be warned. + # CIS requires a value of at least 7. warn_age: 7 # 5.5.1 ## PAM rhel9cis_pam_password: + # This variable sets the minimum chars a password needs to be set. minlen: 14 + # This variable set password complexity,the minimum number of + # character types that must be used (i.e., uppercase, lowercase, digits, other) + # Set to 2, passwords cannot have all lower/upper case. + # Set to 3, passwords needs numbers. + # set to 4, passwords will have to include all four types of characters. minclass: 4 rhel9cis_pam_faillock: + # This variable sets the amount of time a user will be unlocked after + # the max amount of password failures. unlock_time: 900 + # This variable sets the amount of tries a password can be entered, before a user is locked. deny: 5 + # This variable represents the number of password change cycles, after which + # a user can re-use a password. + # CIS requires a value of 5 or more. remember: 5 # UID settings for interactive users # These are discovered via logins.def if set true discover_int_uid: false +# This variable sets the minimum number from which to search for UID +# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# been set to `true`. 
min_int_uid: 1000 +# This variable sets the maximum number at which the search stops for UID +# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# been set to `true`. max_int_uid: 65533 # 5.3.3 var log location variable +# This variable defines the path and file name of the sudo log file. rhel9cis_sudolog_location: "/var/log/sudo.log" #### 5.3.6 +# This variable sets the duration (in minutes) during which a user's authentication credentials +# are cached after successfully authenticating using "sudo". This allows the user to execute +# multiple commands with elevated privileges without needing to re-enter their password for each +# command within the specified time period. CIS requires a value of at most 15 minutes. rhel9cis_sudo_timestamp_timeout: 15 ### 5.4.2 authselect and faillock 
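Review bot: Both comments added above `min_int_uid` and `max_int_uid` refer to the toggle as `dicover_int_uid`, but the variable two lines earlier is `discover_int_uid`, so a reader searching for the name in the comment finds nothing; fix the spelling in both places. The new `unlock_time` comment, `sets the amount of time a user will be unlocked after the max amount of password failures`, inverts the faillock setting: it is the number of seconds the account stays locked before faillock re-enables it, e.g. `# Seconds an account stays locked after deny failed attempts before it is automatically unlocked.` The `minlen` comment, `sets the minimum chars a password needs to be set`, would read better as `# Minimum password length in characters.`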
@@ -668,12 +901,24 @@ rhel9cis_5_4_2_risks: NEVER # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) rhel9cis_shell_session_timeout: + # This variable specifies the path of the timeout setting file. + # (TMOUT setting can be set in multiple files, but only one is required for the + # rule to pass. Options are: + # - a file in `/etc/profile.d/` ending in `.s`, + # - `/etc/profile`, or + # - `/etc/bash.bashrc`. file: /etc/profile.d/tmout.sh + # This variable represents the amount of seconds a command or process is allowed to + # run before being forcefully terminated. + # CIS requires a value of at most 900 seconds. timeout: 600 # RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords rhel9cis_futurepwchgdate_autofix: true # 5.3.7 +# This variable determines the group of users that are allowed to use the su command. +# one to specify a user group that is allowed to use the "su" command. +# CIS requires that such a group be created (named according to site policy) and be kept empty. rhel9cis_sugroup: nosugroup ## Section6 vars From 1682ff18b5657965ab666d344d1e71fc37e8a210 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Tue, 5 Dec 2023 21:01:06 +0200 Subject: [PATCH 124/136] Rebasing after: ~~~ Small additions to first part of documentation. Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 59 ++++++++++++++++++++++++++++++++--------------- 1 file changed, 40 insertions(+), 19 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f1bfe1c..de93174 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
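Review bot: The comment added above `timeout: 600` describes TMOUT as the time a command or process may run before being forcefully terminated, but TMOUT set from `/etc/profile.d/tmout.sh` is the shell's idle timeout, the seconds an interactive shell waits for input before exiting, and no running command is killed by it. Replace it with `# Seconds an interactive shell may sit idle before it exits (TMOUT). CIS requires 900 or less.` The list item `a file in /etc/profile.d/ ending in .s` should read `.sh` to match the shipped `tmout.sh`, and the `rhel9cis_sugroup` comment keeps a dangling fragment, `one to specify a user group that is allowed to use the "su" command`, that duplicates the sentence above it.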
@@ -1,7 +1,19 @@ --- # defaults file for rhel9-cis +# WARNING: +# These values may be overriden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here: +# https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable +## Usage on containerized images +# The role discovers dynamically (in tasks/main.yml) whether it +# is executed on a container image and sets the variable +# system_is_container the true. Otherwise, the default value +# 'false' is left unchanged. system_is_container: false +# The filename of the existing yml file in role's 'vars/' sub-directory +# to be used for managing the role-behavior when a container was detected: +# (de)activating rules or for other tasks(e.g. disabling Selinux or a specific +# firewall-type). container_vars_file: is_container.yml # rhel9cis is left off the front of this var for consistency in testing pipeline # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks @@ -14,7 +26,7 @@ os_check: true ## Switching on/off specific baseline sections # These variables govern whether the tasks of a particular section are to be executed when running the role. # E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true. -# to "true". If you do not want the tasks from that section to get executed you simply set the variable to "false". +# If you do not want the tasks from that section to get executed you simply set the variable to "false". rhel9cis_section1: true rhel9cis_section2: true rhel9cis_section3: true 
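Review bot: The WARNING block added above `system_is_container` has two wording defects in text readers will rely on: `overriden` should be `overridden`, and `sets the variable system_is_container the true` should be `to true`. Since the warning is about precedence, the container paragraph could state the practical consequence directly: `# Do not rely on setting system_is_container here; it is recomputed in tasks/main.yml and container_vars_file is then applied on top of these defaults.` The claim that tasks/main.yml performs the detection is taken from the comment itself and should be checked against that file before the wording is finalised.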
@@ -29,7 +41,12 @@ rhel9cis_section6: true rhel9cis_level_1: true rhel9cis_level_2: true +## 1.6 SubSection - Mandatory Access Control +# This variable governs if SELinux is disabled or not. If SELinux is NOT DISABLED by setting +# 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed. rhel9cis_selinux_disable: false +# This variable is used in a preliminary task, handling grub2 paths either in case of +# UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg'). rhel9cis_legacy_boot: false ## Python Binary 
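Review bot: The sentence `If SELinux is NOT DISABLED by setting 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed` reads as if `true` is the value that keeps SELinux on, the opposite of what the variable name and its `false` default imply; the same phrasing recurs in the `rhel9cis_selinux_pol` comment of hunk `@@ -521,13 +533,21 @@` in the following patch. State the two cases directly: `# false (default): SELinux stays enabled and the 1.6.1.x tasks run.` and `# true: SELinux is disabled and the 1.6 subsection is skipped; this contradicts CIS 1.6.1.x and should be a deliberate site decision.` The `rhel9cis_legacy_boot` comment names both grub paths but not which value selects which, so add `# true = BIOS legacy boot (/etc/grub2.cfg), false = UEFI (/etc/grub2-efi.cfg)` if that is how the preliminary task interprets it.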
@@ -62,29 +79,28 @@ change_requires_reboot: false # by installing the required binary. setup_audit: false -## Enable audits to run +## Enable audits to run - this runs the audit and get the latest content # This variable governs whether the audit using the # separately maintained audit role using Goss # is carried out. -# This runs the audit and get the latest content run_audit: false # Only run Audit do not remediate audit_only: false -# As part of audit_only -# This will enable files to be copied back to control node +# This will enable files to be copied back to control node(part of audit_only) fetch_audit_files: false -# Path to copy the files to will create dir structure +# Path to copy the files to will create dir structure(part of audit_only) audit_capture_files_dir: /some/location to copy to on control node -# How to retrieve audit binary -# Options are copy or download - detailed settings at the bottom of this file -# provided in variable `audit_conf_copy` for copying or -# the url given in variable `audit_files_url` for downloading. -# you will need to access to either github or the file already dowmloaded +## How to retrieve audit binary(Goss) +# Options are 'copy' or 'download' - detailed settings at the bottom of this file +# - if 'copy': +# - the filepath mentioned via the below 'audit_bin_copy_location' var will be used to access already downloaded Goss +# - if 'download': +# - the GitHub Goss-releases URL will be used for a fresh-download, via 'audit_bin_url' and 'audit_pkg_arch_name' vars get_audit_binary_method: download -## if get_audit_binary_method - copy the following needs to be updated for your environment +## if get_audit_binary_method is 'copy', the following var needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node ## e.g copy from ansible control node to remote host audit_bin_copy_location: /some/accessible/path 
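Review bot: The rewrite of the `get_audit_binary_method` block drops the one operational prerequisite the old text carried, `you will need to access to either github or the file already dowmloaded`, so a reader no longer learns that `download` needs outbound access from the managed host to GitHub and `copy` needs the binary staged where the control node can read it. Keep a line such as `# 'download' requires the managed host to reach github.com; 'copy' requires the file at audit_bin_copy_location on the control node.` The `download` bullet names `audit_bin_url` and `audit_pkg_arch_name`, which do not appear in this hunk; if they are defined elsewhere in the file, pointing to that location keeps the cross-reference checkable. Because the downloaded Goss binary is executed on every audited host, this comment is the natural place to say whether the role pins a release or verifies a checksum before running it.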
@@ -94,21 +110,25 @@ audit_bin_copy_location: /some/accessible/path # This variable specifies the method of how to get the audit role # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf # onto the system. The options are as follows: -# - git: clone from git repository as specified in variable `audit_file_git` in -# the version specified by variable `audit_git_version` -# - copy: copy from path as specified in variable `audit_conf_copy` -# - get_url: Download from url as specified in variable `audit_files_url` +# - 'git': clone audit content from GitHub REPOSITORY, set up via `audit_file_git` var, and +# VERSION(e.g. branch, tag name), set up via `audit_git_version` var. +# - 'copy': copy from path as specified in variable `audit_conf_copy`. +# - 'archive': same as 'copy', only that the specified filepath needs to be unpacked. +# - 'get_url': Download from url as specified in variable `audit_files_url` audit_content: git -# archive or copy: +# This variable(only used when 'audit_content' is 'copy' or 'archive') should +# contain the filepath with audit-content to be copied/unarchived on server: audit_conf_copy: "some path to copy from" -# get_url: +# This variable(only used when 'audit_content' is 'get_url') should +# contain the URL from where the audit-content must be downloaded on server: audit_files_url: "some url maybe s3?" # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system audit_run_heavy_tests: true +# Timeout for those cmds that take longer to run where timeout set # This variable specifies the timeout (in ms) for audit commands that # take a very long time: if a command takes too long to complete, # it will be forcefully terminated after the specified duration. 
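Review bot: The new line `# Timeout for those cmds that take longer to run where timeout set` above `audit_cmd_timeout` restates the three-line comment that follows it and adds nothing; drop it, or fold the unit into one sentence: `# Timeout in ms for long-running audit commands; a command exceeding it is killed.` The `audit_content` option list now includes `'archive'`, but the `# options are git/copy/get_url` sentence two lines above was left unchanged and still lists three, so the two lines contradict each other. The `'get_url'` bullet could also say that whatever is fetched is presumably used as the audit content run on the host, so the URL should be one the site controls and served over HTTPS.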
@@ -120,6 +140,7 @@ audit_cmd_timeout: 120000 # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. # You must enable an entire section in order for the variables below to take effect. + # Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, # Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) rhel9cis_rule_1_1_1_1: true @@ -221,7 +242,7 @@ rhel9cis_rule_2_3_3: true rhel9cis_rule_2_3_4: true rhel9cis_rule_2_4: true -# Section 3 rules +# Section 3 rules are used for securely configuring the network configuration(kernel params, ACL, Firewall settings) rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_3: true From f7f494f7b864f2e2e68f278e7b7866b863acd597 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Wed, 6 Dec 2023 22:20:32 +0200 Subject: [PATCH 125/136] Doc additions for: - Yum repos, - bootloader, - crypto policies, - SELinux - NTP Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 51 ++++++++++++++++++++++++++++++++++------------- 1 file changed, 37 insertions(+), 14 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index de93174..e5a78c2 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -42,7 +42,7 @@ rhel9cis_level_1: true rhel9cis_level_2: true ## 1.6 SubSection - Mandatory Access Control -# This variable governs if SELinux is disabled or not. If SELinux is NOT DISABLED by setting +# This variable governs whether SELinux is disabled or not. If SELinux is NOT DISABLED by setting # 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed. rhel9cis_selinux_disable: false # This variable is used in a preliminary task, handling grub2 paths either in case of 
@@ -440,13 +440,21 @@ rhel9cis_rh_sub_password: password # pragma: allowlist secret # RedHat Satellite Subscription items rhel9cis_rhnsd_required: false -# 1.2.4 repo_gpgcheck +# Control 1.2.4 - When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM +# repo('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks +# which check the GPG signatures for all the individual YUM repositories. rhel9cis_rhel_default_repo: true +# Control 1.2.4 - When 'rhel9cis_rule_enable_repogpg' is set to 'true'(in conjunction with 'rhel9cis_rhel_default_repo':'false'), conditions are met for +# enabling the GPG signatures-check for all the individual YUM repositories. If GPG signatures-check is enabled on repositories which do not +# support it(like RedHat), installation of packages will fail. rhel9cis_rule_enable_repogpg: true -# 1.4.1 Bootloader password +# Control 1.4.1 - This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value +# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with +# this format: 'grub.pbkdf2.sha512...' rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' # pragma: allowlist secret rhel9cis_bootloader_password: random # pragma: allowlist secret +# Control 1.4.1 - This variable governs whether a bootloader password should be set in /boot/grub2/user.cfg file. rhel9cis_set_boot_pass: true ## Controls 1.8.x - Settings for GDM 
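Review bot: The new comment on `rhel9cis_bootloader_password_hash` says the default "must be changed", yet the default still ships a complete PBKDF2 hash in a public repository and `rhel9cis_set_boot_pass: true` means a run with untouched defaults installs a GRUB password derived from that published hash, which gives no assurance while looking compliant. Say that explicitly and, if the role does not already, consider an assert that aborts when the hash equals the shipped value: `# The shipped hash is a public placeholder; the role should refuse to apply it unchanged.` The relationship between `rhel9cis_bootloader_password: random` and the hash is undocumented, so a reader cannot tell whether `random` generates a fresh hash or is another placeholder. In the `rhel9cis_rule_enable_repogpg` comment, `'True'` should be `'true'` to match the YAML value on the next line.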
@@ -454,17 +462,21 @@ rhel9cis_set_boot_pass: true # (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) # The default database is `local` rhel9cis_dconf_db_name: local - # This variable governs the number of seconds of inactivity before the screen goes blank. rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) - # This variable governs the number of seconds the screen remains blank before it is locked. rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) -# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) -# Control 1.10 states do not use LEGACY and control 1.11 says to use FUTURE or FIPS. +# Control 1.10 - This variable contains the value to be set as the system-wide crypto policy. Rule 1.10 enforces +# NOT using 'LEGACY' value(as it is less secure, it just ensures compatibility with legacy systems), therefore +# possible values for this variable are, as explained by RedHat docs: +# -'DEFAULT': reasonable default policy for today's standards(balances usability and security) +# -'FUTURE': conservative security level that is believed to withstand any near-term future attacks +# -'FIPS': A level that conforms to the FIPS140-2 requirements rhel9cis_crypto_policy: 'DEFAULT' -# Added module to be allowed as default setting (Allowed options in vars/main.yml) +# Control 1.10 - This variable contains the value of the crypto policy module(combinations of policies and +# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, +# using 'rhel9cis_allowed_crypto_policies_modules' variable. rhel9cis_crypto_policy_module: '' # System network parameters (host only OR host and router) 
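Review bot: The rewritten `rhel9cis_crypto_policy` comment keeps the 1.10 prohibition of `LEGACY` but drops the removed line's second half, `control 1.11 says to use FUTURE or FIPS`, so the stricter requirement that makes `'DEFAULT'` insufficient is no longer visible next to the default value. Restore it as `# Control 1.11 (Level 2) expects FUTURE or FIPS; DEFAULT satisfies only 1.10.`, or if the benchmark this file targets renumbered that control, name the one that now covers it. The same hunk deletes the standalone comments on `rhel9cis_screensaver_idle_delay` and `rhel9cis_screensaver_lock_delay`; the surviving inline comments give the ranges but no longer say what each delay is, so the deletion loses information rather than trimming duplication.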
@@ -521,13 +533,21 @@ rhel9cis_aide_cron: # can be concatenated with commas. aide_weekday: '*' -# SELinux policy -# This selects type of policy; targeted or mls ( multilevel ) +## Control 1.6.1.3|4|5 - SELinux policy settings +# This selects type of policy; targeted or mls( multilevel ) # mls should not be used, since it will disable unconfined policy module -# and may prevent some services from running. +# and may prevent some services from running. Requires SELinux not being disabled(by +# having 'rhel9cis_selinux_disable' var set as 'true'), otherwise setting will be ignored. rhel9cis_selinux_pol: targeted -# chose onf or enfocing or permissive -# CIS expects enforcing since permissive allows operations thet might compromise the system. +## Control 1.6.1.3|4 - SELinux configured and not disabled +# This variable contains a specific SELinux mode, respectively: +# - 'enforcing': SELinux policy IS enforced, therefore denies operations based on SELinux policy +# rules. If system was installed with SELinux, this is enabled by default. +# - 'permissive': SELinux policy IS NOT enforced, therefore does NOT deny any operation, only +# logs AVC(Access Vector Cache) messages. RedHat docs suggest it "can be used +# briefly to check if SELinux is the culprit in preventing your application +# from working". +# CIS expects enforcing since permissive allows operations that might compromise the system. # Even though logging still occurs. rhel9cis_selinux_enforce: enforcing 
@@ -537,7 +557,7 @@ rhel9cis_selinux_enforce: enforcing ### 2.1 Time Synchronization #### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 -# The following variable represents a list of of time servers used +# The following variable represents a list of time servers used # for configuring chrony, timesyncd, and ntp. # Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`. # The default setting for the `options` is `minpoll` but `iburst` can be used, please refer to the documentation @@ -547,6 +567,9 @@ rhel9cis_time_synchronization_servers: - 1.pool.ntp.org - 2.pool.ntp.org - 3.pool.ntp.org +#### 2.1.2 - Time Synchronization servers +# This variable should contain the default options to be used for every NTP server hostname defined +# within the 'rhel9cis_time_synchronization_servers' var. rhel9cis_chrony_server_options: "minpoll 8" rhel9cis_chrony_server_rtcsync: false rhel9cis_chrony_server_makestep: "1.0 3" From 80d622e9b72d6507bc0b0a3318cc26f6acf51583 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Thu, 7 Dec 2023 22:53:01 +0200 Subject: [PATCH 126/136] Doc additions for: - Sections 2.2 && 2.3 - Section 3 - Section 4.1 Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 152 ++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 148 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e5a78c2..dd14c9e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -579,22 +579,60 @@ rhel9cis_chrony_server_minsources: 2 # Service configuration variables (boolean). # Set the respective variable to true to keep the service. # otherwise the service is stopped and disabled + +# This variable governs whether rules dealing with GUI specific packages(and/or their settings) should +# be executed either to: +# - secure GDM(Control 1.8.2-1.8.10), if GUI is needed('rhel9cis_gui: true') +# - or remove GDM(Control 1.8.1) and X-Windows-system(2.2.1), if no GUI is needed('rhel9cis_gui: false') rhel9cis_gui: false +# Control 2.2.2 - Ensure Avahi Server is not installed +# This variable, when set to false, will specify that Avahi Server packages should be uninstalled. rhel9cis_avahi_server: false +# Control 2.2.3 - Ensure CUPS is not installed +# This variable, when set to false, will specify that CUPS(Common UNIX Printing System) package should be uninstalled. rhel9cis_cups_server: false +# Control 2.2.4 - Ensure DHCP Server is not installed +# This variable, when set to false, will specify that DHCP server package should be uninstalled. rhel9cis_dhcp_server: false +# Control 2.2.5 - Ensure DNS Server is not installed +# This variable, when set to false, will specify that DNS server package should be uninstalled. rhel9cis_dns_server: false +# Control 2.2.14 - Ensure dnsmasq is not installed +# This variable, when set to false, will specify that dnsmasq package should be uninstalled. rhel9cis_dnsmasq_server: false +# Control 2.2.6 - Ensure VSFTP Server is not installed +# This variable, when set to false, will specify that VSFTP server package should be uninstalled. rhel9cis_vsftpd_server: false +# Control 2.2.7 - Ensure TFTP Server is not installed +# This variable, when set to false, will specify that TFTP server package should be uninstalled. rhel9cis_tftp_server: false +# Control 2.2.8 - Ensure a web server is not installed - HTTPD +# This variable, when set to false, will specify that webserver packages(HTTPD) should be uninstalled. 
rhel9cis_httpd_server: false +# Control 2.2.8 - Ensure a web server is not installed - NGINX +# This variable, when set to false, will specify that webserver packages(NGINX) should be uninstalled. rhel9cis_nginx_server: false +# Control 2.2.9 - Ensure IMAP and POP3 server is not installed - dovecot +# This variable, when set to false, will specify that IMAP and POP3 servers(dovecot) should be uninstalled. rhel9cis_dovecot_server: false +# Control 2.2.9 - Ensure IMAP and POP3 server is not installed - cyrus-imapd +# This variable, when set to false, will specify that IMAP and POP3 servers(cyrus-imapd) should be uninstalled. rhel9cis_imap_server: false +# Control 2.2.10 - Ensure Samba is not enabled +# This variable, when set to false, will specify that 'samba' package should be uninstalled. rhel9cis_samba_server: false +# Control 2.2.11 - Ensure HTTP Proxy Server is not installed +# This variable, when set to false, will specify that 'squid' package should be uninstalled. rhel9cis_squid_server: false +# Control 2.2.12 - Ensure net-snmp is not installed +# This variable, when set to false, will specify that 'net-snmp' package should be uninstalled. rhel9cis_snmp_server: false +# Control 2.2.13 - Ensure telnet-server is not installed +# This variable, when set to false, will specify that 'telnet-server' package should be uninstalled. rhel9cis_telnet_server: false +# Control 2.2.15 - Ensure mail transfer agent is configured for local-only mode +# This variable, when system is NOT a mailserver, will configure Postfix to listen only on the loopback interface(the virtual +# network interface that the server uses to communicate internally. rhel9cis_is_mail_server: false # Note the options 
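Review bot: The comment above `rhel9cis_is_mail_server` never closes its parenthesis — "(the virtual network interface that the server uses to communicate internally." — so the sentence trails off; `# network interface that the server uses to communicate internally).` fixes it. The heading for `rhel9cis_samba_server` says "Ensure Samba is not enabled" while its own description and every sibling heading describe package removal ("not installed"), so the heading should presumably match. The `rhel9cis_dnsmasq_server` entry (2.2.14) sits between 2.2.5 and 2.2.6, which makes the control numbers harder to follow when scanning the list.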
@@ -602,35 +640,121 @@ rhel9cis_is_mail_server: false # Packages are used for client services and Server- only remove if you dont use the client service # Set the respective variable to `true` to keep the # client package, otherwise it is uninstalled (false). + +# Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked" +# This variable specifies if the usage of NFS SERVER is needed. The behavior of 2.2.16 will depend on +# the var used in conjunction('rhel9cis_use_nfs_service') with current one, respectively: +# - if Server IS NOT needed('false') and: +# - Service IS NOT needed('rhel9cis_use_nfs_service: false'): 'nfs-utils' package will be removed +# - Service IS needed('rhel9cis_use_nfs_service: true'): impossible to need the service without the server +# - if Server IS needed('true') and: +# - Service IS NOT needed('rhel9cis_use_nfs_service: false'): 'nfs-server' service will be masked +# - Service IS needed('rhel9cis_use_nfs_service: true'): Rule 2.2.16 will be SKIPPED. +# | Server | Service | Result | +# |---------|---------|-----------------------------------------------------------| +# | false | false | Remove package | +# | false | true | Needing 'service' without needing 'server' makes no sense | +# | true | false | Mask 'service' | +# | true | true | SKIP RULE, BOTH 'service' and 'server' are required | rhel9cis_use_nfs_server: false +# Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked. +# This variable specifies if the usage of NFS SERVICE is needed. 
If it's: +# - needed('true'): rule 2.2.16 will not be executed at all +# - not needed('false'): rule 2.2.16 will be executed, its behavior being controlled by the var +# used in conjunction with current one: +# - removing 'nfs-utils' package('rhel9cis_use_nfs_server' set to 'false') +# - masking the 'nfs-server' service('rhel9cis_use_nfs_server' set to 'true') rhel9cis_use_nfs_service: false +# Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked +# This variable specifies if the usage of RPC SERVER is needed. The behavior of 2.2.17 will depend on +# the var used in conjunction('rhel9cis_use_rpc_service') with current one, respectively: +# - if Server IS NOT needed('false') and: +# - Service IS NOT needed('rhel9cis_use_rpc_service: false'): 'rpcbind' package will be removed +# - Service IS needed('rhel9cis_use_rpc_service: true'): impossible to need the service without the server +# - if Server IS needed('true') and: +# - Service IS NOT needed('rhel9cis_use_rpc_service: false'): 'rpcbind.socket' service will be masked +# - Service IS needed('rhel9cis_use_rpc_service: true'): Rule 2.2.17 will be SKIPPED. +# | Server | Service | Result | +# |---------|---------|-----------------------------------------------------------| +# | false | false | Remove package | +# | false | true | Needing 'service' without needing 'server' makes no sense | +# | true | false | Mask 'service' | +# | true | true | SKIP RULE, BOTH 'service' and 'server' are required | rhel9cis_use_rpc_server: false +# Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked +# This variable specifies if the usage of RPC SERVICE is needed. 
If it's: +# - needed('true'): rule 2.2.17 will not be executed at all +# - not needed('false'): rule 2.2.17 will be executed, its behavior being controlled by the var +# used in conjunction with current one: +# - removing 'rpcbind' package('rhel9cis_use_rpc_server' set to 'false') +# - masking the 'rpcbind.socket' service('rhel9cis_use_rpc_server' set to 'true') rhel9cis_use_rpc_service: false + +# Control 2.2.18 - Ensure rsync service is not enabled +# This variable specifies if the usage of RSYNC SERVER is needed. The behavior of 2.2.18 will depend on +# the var used in conjunction('rhel9cis_use_rsync_service') with current one, respectively: +# - if Server IS NOT needed('false') and: +# - Service IS NOT needed('rhel9cis_use_rsync_service: false'): 'rsync-daemon' package will be removed +# - Service IS needed('rhel9cis_use_rsync_service: true'): impossible to need the service without the server +# - if Server IS needed('true') and: +# - Service IS NOT needed('rhel9cis_use_rsync_service: false'): 'rsyncd' service will be masked +# - Service IS needed('rhel9cis_use_rsync_service: true'): Rule 2.2.18 will be SKIPPED. +# | Server | Service | Result | +# |---------|---------|-----------------------------------------------------------| +# | false | false | Remove package | +# | false | true | Needing 'service' without needing 'server' makes no sense | +# | true | false | Mask 'service' | +# | true | true | SKIP RULE, BOTH 'service' and 'server' are required | rhel9cis_use_rsync_server: false +# Control 2.2.18 - Ensure rsync service is not enabled +# This variable specifies if the usage of RSYNC SERVICE is needed. 
If it's: +# - needed('true'): rule 2.2.18 will not be executed at all +# - not needed('false'): rule 2.2.18 will be executed, its behavior being controlled by the var +# used in conjunction with current one: +# - removing 'rsync-daemon' package('rhel9cis_use_rsync_server' set to 'false') +# - masking the 'rsyncd' service('rhel9cis_use_rsync_server' set to 'true') rhel9cis_use_rsync_service: false #### 2.3 Service clients +# Control - 2.3.1 - Ensure telnet client is not installed +# Set this variable to `true` to keep package `telnet`; otherwise, the package is uninstalled. rhel9cis_telnet_required: false +# Control - 2.3.2 - Ensure LDAP client is not installed +# Set this variable to `true` to keep package `openldap-clients`; otherwise, the package is uninstalled. rhel9cis_openldap_clients_required: false +# Control - 2.3.3 - Ensure FTP client is not installed +# Set this variable to `true` to keep package `tftp`; otherwise, the package is uninstalled. rhel9cis_tftp_client: false +# Control - 2.3.4 - Ensure FTP client is not installed +# Set this variable to `true` to keep package `ftp`; otherwise, the package is uninstalled. rhel9cis_ftp_client: false ## Section3 vars ## Sysctl +# This variable governs if the task which updates sysctl(including sysctl reload) is executed, but current +# default value can be overriden by other tasks(1.5.3, 3.1.1, 3.2.1, 3.2.2, 3.3.1-3.3.9). rhel9cis_sysctl_update: false +# This variable governs if the task which flushes the IPv4 routing table is executed(forcing subsequent connections to +# use the new configuration). Current default value can be overriden by other tasks(3.2.1, 3.2.2, 3.3.1-3.3.8). rhel9cis_flush_ipv4_route: false +# This variable governs if the task which flushes the IPv6 routing table is executed(forcing subsequent connections to +# use the new configuration). Current default value can be overriden by other tasks(3.1.1, 3.2.1, 3.3.1, 3.3.2, 3.3.9). 
rhel9cis_flush_ipv6_route: false -### Firewall Service - either firewalld, iptables, or nftables +### Firewall Service to install and configure - Option is: +# 1) either 'firewalld'(Controls 3.4.1.2, 3.4.2.1, 3.4.2.4) +# 2) or 'nftables'(Controls ) #### Some control allow for services to be removed or masked #### The options are under each heading #### absent = remove the package #### masked = leave package if installed and mask the service rhel9cis_firewall: firewalld -##### firewalld +# Control 3.4.2.1 - Ensure firewalld default zone is set +# This variable will set the firewalld default zone(that is used for everything that is not explicitly bound/assigned +# to another zone): if there is no zone assigned to a connection, interface or source, only the default zone is used. rhel9cis_default_zone: public # These settings are added to demonstrate how this update can be done (eventually will require a new control) 
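Review bot: The server/service matrices added above `rhel9cis_use_nfs_server`, `rhel9cis_use_rpc_server` and `rhel9cis_use_rsync_server` give no outcome for the "false | true" row ("makes no sense"), yet the companion comments for the `_service` variables state that 'true' means the rule is not executed at all — so that combination presumably leaves the package installed and the service unmasked, which is exactly the case a reader needs spelled out. Replacing the row text with the real behaviour, e.g. `# | false   | true    | Rule skipped; package stays installed and service unmasked |` (to be confirmed against the tasks), makes the blind spot explicit. The heading for 2.3.3 reads "Ensure FTP client is not installed" while its description covers package `tftp` and duplicates the 2.3.4 heading; it should say TFTP client. The firewall heading further down has an unfilled placeholder, `# 2) or 'nftables'(Controls )`, and the three sysctl/route comments spell "overriden" (should be "overridden").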
@@ -643,10 +767,26 @@ rhel9cis_firewalld_ports: # "rhel9cis_nft_tables_tablename" is the name of the table in nftables you want to create. # nftables configs are applied to. # options are: inet filter + +# Control 3.4.2.2 - Ensure at least one nftables table exists +# This variable governs if a table will be automatically created in nftables. Without a table (no default one), nftables +# will not filter network traffic, so if this variable is set to 'false' and no tables exist, an alarm will be triggered! rhel9cis_nft_tables_autonewtable: true +# Controls 3.4.2.{2|3|4|6|7} nftables +# This variable stores the name of the table to be used when configuring nftables(creating chains, configuring loopback +# traffic, established connections, default deny). If 'rhel9cis_nft_tables_autonewtable' is set as true, a new table will +# be created using as name the value stored by this variable. rhel9cis_nft_tables_tablename: filter +# Control 3.4.2.3 - Ensure nftables base chains exist +# This variable governs if a nftables base chain(entry point for packets from the networking stack) will be automatically +# created, if needed. Without a chain, a hook for input, forward, and delete, packets that would flow through those +#chains will not be touched by nftables rhel9cis_nft_tables_autochaincreate: true +## Controls: +# - 1.7.1 - Ensure message of the day is configured properly +# - 1.7.2 - Ensure local login warning banner is configured properly +# - 1.7.3 - Ensure remote login warning banner is configured properly # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and reported. # End Banner 
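Review bot: The comment above `rhel9cis_nft_tables_autochaincreate` says "a hook for input, forward, and delete" — "delete" is not an nftables hook; the base chains this control concerns hook input, forward and output, so the line should read `# created, if needed. Without base chains hooked on input, forward and output, packets that would flow through`. The following line `#chains will not be touched by nftables` is missing the space after '#', which yamllint's comments rule flags. Above `rhel9cis_nft_tables_autonewtable`, "an alarm will be triggered!" is vague about what actually happens when the variable is false and no table exists; naming the observable effect (a warning task, a failed play, …) as the role implements it would help, since it cannot be inferred from this hunk.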
@@ -658,7 +798,11 @@ rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and # This variable controls how the audit system behaves when # log files are getting too full and space is getting too low. rhel9cis_auditd: + # This variable tells the system what action to take when the system has detected + #that it is starting to get low on disk space. Options are the same as for `admin_space_left_action` space_left_action: email + # This variable should contain a valid email address or alias(default value is root), + # which will be used to send a warning when configured action is 'email'. action_mail_acct: root # This variable determines the action the audit system should take when disk # space runs low. @@ -716,9 +860,9 @@ rhel9cis_max_log_file_size: 10 update_audit_template: false ## Advanced option found in auditd post -# users whose actions are not logged by auditd +# This variable governs if defining user exceptions for auditd logging is acceptable. rhel9cis_allow_auditd_uid_user_exclusions: false -# add a list of uids to be excluded. +# This variable contains a list of uids to be excluded(users whose actions are not logged by auditd) rhel9cis_auditd_uid_exclude: - 1999 From 15ef9675043d219342eb635f8397aeddda8c1d1f Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Tue, 30 Jan 2024 23:49:27 +0200 Subject: [PATCH 127/136] Changes after rebasing. --- defaults/main.yml | 183 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 137 insertions(+), 46 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index dd14c9e..cf33926 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
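Review bot: The new comment on `space_left_action` defers to "the same as for `admin_space_left_action`" without either key listing the options, so a reader still has to leave the file; auditd.conf(5) defines them as ignore, syslog, rotate, email, exec, suspend, single and halt, and one line here would save that trip. The line `#that it is starting to get low on disk space.` also lacks the space after '#'. Since the default is `email`, the comment on `action_mail_acct` could add that delivery depends on a working local MTA — without one the low-space warning is presumably lost silently, which is worth stating in a hardening role.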
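Review bot: The rewritten comment above `rhel9cis_allow_auditd_uid_user_exclusions` says exclusions are "acceptable" without stating the consequence, and the old wording ("users whose actions are not logged by auditd") was actually more direct: every UID listed in `rhel9cis_auditd_uid_exclude` is a gap in the audit trail. A note such as `# WARNING: excluded UIDs leave no audit record; keep this list empty unless site policy requires it.` carries that risk forward. The default entry `- 1999` looks like a placeholder and could be labelled as such so it is not shipped unchanged.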
@@ -868,57 +868,98 @@ rhel9cis_auditd_uid_exclude: ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging -## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 +## 4.2.1 | Configure rsyslog +## 4.2.2 | Configure journald +# This variable governs which logging service should be used, choosing between 'rsyslog'(CIS recommendation) +# or 'journald'(only one is implemented) will trigger the execution of the associated subsection, as the-best +# practices are written wholly independent of each other. rhel9cis_syslog: rsyslog +## Control 4.2.1.5 | PATCH | Ensure logging is configured +# This variable governs if current Ansible role should manage syslog settings +# in /etc/rsyslog.conf file, namely mail, news and misc(warn, messages) rhel9cis_rsyslog_ansiblemanaged: true -#### 4.2.1.6 remote and destation log server name +#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable governs if 'rsyslog' service should be automatically configured to forward messages to a +# remote log server. If set to 'false', the configuration of the 'omfwd' plugin, used to provide forwarding +# over UDP or TCP, will not be performed. rhel9cis_remote_log_server: false rhel9cis_remote_log_host: logagg.example.com +#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable configures the value of the 'target' parameter to be configured when enabling +# forwarding syslog messages to a remote log server, thus configuring the actual FQDN/IP address of the +# destination server. For this value to be reflected in the configuration, the variable which enables the +# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). 
rhel9cis_remote_log_port: 514 +#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable configures the value("TCP"/"UDP") of the 'protocol' parameter to be configured when enabling +# forwarding syslog messages to a remote log server. The default value for the 'omfwd' plug-in is UDP. +# For this value to be reflected in the configuration, the variable which enables the +# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_protocol: tcp +#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable governs how often an action is retried(value is passed to 'action.resumeRetryCount' parameter) before +# it is considered to have failed(that roughly translates to discarded messages). The default value is 0, but +# when set to "-1"(eternal), this setting would prevent rsyslog from dropping messages when retrying to connect +# if server is not responding. For this value to be reflected in the configuration, the variable which enables the +# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_retrycount: 100 +#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable configures the maximum number of messages that can be hold(value is passed to 'queue.size' parameter). +# For this value to be reflected in the configuration, the variable which enables the automatic configuration +# of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_queuesize: 1000 -#### 4.2.1.7 -# This variable expresses whether the system is used as a log server or not. -# If set to `true`, controls that interfere with log server functionality or -# require that own system logs be sent to some other log server are skipped. 
+#### Control 4.2.1.7 - Ensure rsyslog is not configured to receive logs from a remote client +# This variable expresses whether the system is used as a log server or not. If set to: +# - 'false', current system will act as a log CLIENT, thus it should NOT receive data from other hosts. +# - 'true', current system will act as a log SERVER, enabling centralised log management(by protecting log integrity +# from local attacks on remote clients) rhel9cis_system_is_log_server: false -# 4.2.2.1.2 -# rhel9cis_journal_upload_url is the ip address to upload the journal entries to +#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured +# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to +# URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port +# number may be specified after a colon (":"), otherwise 19532 will be used by default. rhel9cis_journal_upload_url: 192.168.50.42 - ## The paths below have the default paths/files, but allow user to create custom paths/filenames +#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured # This variable specifies the path to the private key file used by the remote journal # server to authenticate itself to the client. This key is used alongside the server's # public certificate to establish secure communication. rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" +#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured # This variable specifies the path to the public certificate file of the remote journal # server. This certificate is used to verify the authenticity of the remote server. rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" +#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured # This variable specifies the path to a file containing one or more public certificates # of certificate authorities (CAs) that the client trusts. 
These trusted certificates are used # to validate the authenticity of the remote server's certificate. rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" -# 4.2.2.1 +# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy # The variables below related to journald, please set these to your site specific values # These variable specifies how much disk space the journal may use up at most # Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. # See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. # ATTENTION: Uncomment the keyword below when values are set! + +# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy # rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use rhel9cis_journald_systemmaxuse: 10M +# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy # rhel9cis_journald_systemkeepfree is the amount of disk space to keep free rhel9cis_journald_systemkeepfree: 100G +# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy # rhel9cis_journald_runtimemaxuse control how much disk space the journal may use up at most. # same as rhel9cis_journald_systemmaxuse. rhel9cis_journald_runtimemaxuse: 10M +# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy # rhel9cis_journald_runtimekeepfree is the amount of disk space to keep free -# same as rhel9cis_journald_systemkeepfree. +# same as rhel9cis_journald_systemkeepfree, but related to runtime space. rhel9cis_journald_runtimekeepfree: 100G +# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy # rhel9cis_journald_MaxFileSec is how long in time to keep log files. # This variable specifies, the maximum time to store entries in a single journal # file before rotating to the next one. Set to 0 to turn off this feature. 
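Review bot: The comment block describing the 'target' parameter (the remote host FQDN/IP) is placed after `rhel9cis_remote_log_host: logagg.example.com` and directly above `rhel9cis_remote_log_port: 514`, so as written it documents the port, and the port itself gets no description; the block should move above the host line and the port get its own note, e.g. `# Port on the remote log host (passed to the 'omfwd' 'port' parameter); 514 is the conventional syslog port.` — hedged, as the template is not in this hunk. In the `rhel9cis_syslog` comment, "or 'journald'(only one is implemented)" and "as the-best practices" are unclear; presumably it means only one of the two services is configured, and the hyphen is a typo. The "Control 4.2.2.6" heading is repeated above each of the five journald keys where one heading above the group would do, and the retained "These variable specifies" should be "These variables specify".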
@@ -928,16 +969,23 @@ rhel9cis_journald_runtimekeepfree: 100G # ATTENTION: Uncomment the keyword below when values are set! rhel9cis_journald_maxfilesec: 1month -#### 4.3 +#### Control 4.3 - Ensure logrotate is configured # This variable defines the log file rotation period. -# Options are: daily, monthly, yearly. +# Options are: daily, weekly, monthly, yearly. rhel9cis_logrotate: "daily" ## Section5 vars -# This will allow use of drop in files when CIS adopts them. +# Section 5.2 - SSH +# This value, containing the absolute filepath of the produced 'sshd' config file, allows usage of +# drop-in files('/etc/ssh/ssh_config.d/{ssh_drop_in_name}.conf', supported by RHEL9) when CIS adopts them. +# Otherwise, the default value is '/etc/ssh/ssh_config'. rhel9_cis_sshd_config_file: /etc/ssh/sshd_config +#### Controls: +## 5.2.4 - Ensure SSH access is limited +## 5.2.19 - Ensure SSH LoginGraceTime is set to one minute or less +## 5.2.20 - Ensure SSH Idle Timeout Interval is configured rhel9cis_sshd: # This variable sets the maximum number of unresponsive "keep-alive" messages # that can be sent from the server to the client before the connection is considered @@ -982,7 +1030,7 @@ rhel9cis_sshd: # For more info, see https://linux.die.net/man/5/sshd_config deny_groups: "" -# 5.2.5 SSH LogLevel setting. +# Control 5.2.5 - Ensure SSH LogLevel is appropriate # This variable is used to control the verbosity of the logging produced by the SSH server. # The options for setting it are as follows: # - `QUIET`: Minimal logging; 
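Review bot: The new comment above `rhel9_cis_sshd_config_file` contradicts the value it documents — it says the default is '/etc/ssh/ssh_config' and names the drop-in directory '/etc/ssh/ssh_config.d/', both of which are the SSH client paths, while the key is set to `/etc/ssh/sshd_config` (the server). For a hardening role that distinction matters; the line should read `# Otherwise, the default value is '/etc/ssh/sshd_config'.` and the drop-in path should be the server's `sshd_config.d` directory. The `{ssh_drop_in_name}` placeholder in that path is not a variable defined anywhere visible, so it is worth saying it is illustrative.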
@@ -994,45 +1042,59 @@ rhel9cis_sshd: # - `DEBUG(x)`: Whereas x = debug level 1 to 3, DEBUG=DEBUG1. rhel9cis_ssh_loglevel: INFO -# 5.2.19 SSH MaxSessions setting. Must be 4 our less +# Control 5.2.18 - Ensure SSH MaxSessions is set to 10 or less +# This variable value specifies the maximum number of open sessions that are permitted from +# a given location rhel9cis_ssh_maxsessions: 4 -## Control 5.5.1.4 + +## Control 5.6.1.4 - Ensure inactive password lock is 30 days or less # This variable specifies the number of days of inactivity before an account will be locked. # CIS requires a value of 30 days or less. rhel9cis_inactivelock: lock_days: 30 - +# This variable governs if authconfig package should be installed. This package provides a simple method of +# configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used +# for shadow password support. Basic LDAP, Kerberos 5, and Winbind client configuration is also provided. rhel9cis_use_authconfig: false -# 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example -# Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk + +#### Controls +# SECTION 5.4 - Configure authselect: Custom authselect profile settings(name, profile to customize, options) +# 5.4.1 - Ensure custom authselect profile is used('custom_profile_name', 'default_file_to_copy' subsettings) +# 5.4.2 - Ensure authselect includes with-faillock | with auth select profile('custom_profile_name') +# Settings in place now will fail, they are place holders from the control example. Due to the way many multiple +# options and ways to configure this control needs to be enabled and settings adjusted to minimise risk. 
rhel9cis_authselect: custom_profile_name: custom-profile default_file_to_copy: "sssd --symlink-meta" options: with-sudo with-faillock without-nullok -# 5.3.1 Enable automation to create custom profile settings, using the settings above +# Control 5.4.1 - Ensure custom authselect profile is used +# This variable governs if an authselect custom profile should be automatically created, by copying and +# customizing one of the default profiles. The default profiles include: sssd, winbind, or the nis. This profile can then be +# customized to follow site specific requirements. rhel9cis_authselect_custom_profile_create: false -# 5.3.2 Enable automation to select custom profile options, using the settings above +# Control 5.4.2 - Ensure authselect includes with-faillock | Create custom profiles +# This variable governs if the existing custom profile should be selected(Note: please keep in mind that all future updates +# to the PAM templates and meta files in the original profile will be reflected in your custom profile, too.) rhel9cis_authselect_custom_profile_select: false -## Controls 5.5.1.x - Password settings +## Section 5.6.1.x: Shadow Password Suite Parameters rhel9cis_pass: - ## Control 5.5.1.2 - # This variable governs after how many days a password expires. + ## Control 5.6.1.1 - Ensure password expiration is 365 days or less + # This variable governs after how many days a password expires. # CIS requires a value of 365 or less. max_days: 365 - ## Control 5.5.1.1 - # This variable specifies the minimum number of days allowed between changing passwords. - # CIS requires a value of at least 1. + ## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more + # This variable specifies the minimum number of days allowed between changing + # passwords. CIS requires a value of at least 1. 
min_days: 7 - ## Control 5.5.1.3 + ## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more # This variable governs, how many days before a password expires, the user will be warned. # CIS requires a value of at least 7. warn_age: 7 -# 5.5.1 -## PAM +## Control 5.5.1 - Ensure password creation requirements are configured - PAM rhel9cis_pam_password: # This variable sets the minimum chars a password needs to be set. minlen: 14 @@ -1043,9 +1105,14 @@ rhel9cis_pam_password: # set to 4, passwords will have to include all four types of characters. minclass: 4 +## Controls +# 5.5.2 - Ensure lockout for failed password attempts is configured +# 5.5.3 - Ensure password reuse is limited +# 5.5.4 - Ensure password hashing algorithm is SHA-512 +# 5.4.2 - Ensure authselect includes with-faillock rhel9cis_pam_faillock: - # This variable sets the amount of time a user will be unlocked after - # the max amount of password failures. + # This variable sets the amount of time a user will be unlocked after the max amount of + # password failures. unlock_time: 900 # This variable sets the amount of tries a password can be entered, before a user is locked. deny: 5 
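Review bot: The heading added for `min_days` reads "Ensure minimum days between password changes is 7 or more" while the retained sentence below it still says "CIS requires a value of at least 1" — one of the two is wrong, and since the default is 7 the sentence should presumably become `# passwords. CIS requires a value of at least 7.` The new paragraph on `rhel9cis_use_authconfig` describes what authconfig does but not that it was superseded by authselect on RHEL 8 and later (the profile settings right below use authselect), so a reader may not realise it is a legacy toggle; a sentence to that effect would help if that is the case here. The faillock comment "the amount of time a user will be unlocked after the max amount of password failures" was only re-wrapped, but "the time after which a locked user is unlocked" would say what `unlock_time` actually does.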
@@ -1057,20 +1124,29 @@ rhel9cis_pam_faillock: # UID settings for interactive users # These are discovered via logins.def if set true discover_int_uid: false +### Controls: +# 5.6.2 - Ensure system accounts are secured +# 6.2.10 - Ensure local interactive user home directories exist +# 6.2.11 - Ensure local interactive users own their home directories # This variable sets the minimum number from which to search for UID # Note that the value will be dynamically overwritten if variable `dicover_int_uid` has # been set to `true`. min_int_uid: 1000 +### Controls: +# 6.2.10 - Ensure local interactive user home directories exist +# 6.2.11 - Ensure local interactive users own their home directories # This variable sets the maximum number at which the search stops for UID # Note that the value will be dynamically overwritten if variable `dicover_int_uid` has # been set to `true`. max_int_uid: 65533 -# 5.3.3 var log location variable +### Control 5.3.3 - Ensure sudo log file exists +# By default, sudo logs through syslog(3). However, to specify a custom log file, the +# 'logfile' parameter will be used, setting it with current variable's value. # This variable defines the path and file name of the sudo log file. rhel9cis_sudolog_location: "/var/log/sudo.log" -#### 5.3.6 +#### Control 5.3.6 -Ensure sudo authentication timeout is configured correctly # This variable sets the duration (in minutes) during which a user's authentication credentials # are cached after successfully authenticating using "sudo". This allows the user to execute # multiple commands with elevated privileges without needing to re-enter their password for each 
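Review bot: The heading `#### Control 5.3.6 -Ensure sudo authentication timeout is configured correctly` is missing the space after the dash, unlike every other heading in this commit. The control lists added above `min_int_uid` and `max_int_uid` sit between the "UID settings" intro and each key's description, which reads as if the list were a heading for a new block; placing them directly above the key's own description line keeps the existing layout. The retained comments on both keys also refer to the variable as `dicover_int_uid` while the key two lines up is `discover_int_uid`.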
@@ -1082,10 +1158,11 @@ rhel9cis_sudo_timestamp_timeout: 15 ## Only to be used on a new clean system if not using authselect ## THIS CAN BREAK ACCESS EVEN FOR ROOT - UNDERSTAND RISKS ## rhel9cis_add_faillock_without_authselect: false -# This needs to be set to ACCEPT +# This needs to be set to 'ACCEPT'(string), besides setting 'rhel9cis_add_faillock_without_authselect' +# to 'true', in order to execute the 5.4.2 sub-tasks dealing with not authselect profile rhel9cis_5_4_2_risks: NEVER -# RHEL-09-5.4.5 +### Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) rhel9cis_shell_session_timeout: 
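Review bot: The rewritten comment on `rhel9cis_5_4_2_risks` ends with "the 5.4.2 sub-tasks dealing with not authselect profile", which does not say what those tasks do; given the warning directly above ("THIS CAN BREAK ACCESS EVEN FOR ROOT") the sentence should be explicit, e.g. `# to 'true', before the 5.4.2 tasks that edit the PAM files directly (no authselect profile) will run.` — to be checked against the task names. The `### Control 5.6.3` heading above `rhel9cis_shell_session_timeout` uses three hashes while neighbouring control headings use one or four; a consistent heading depth would make the file easier to scan.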
@@ -1100,27 +1177,41 @@ rhel9cis_shell_session_timeout: # run before being forcefully terminated. # CIS requires a value of at most 900 seconds. timeout: 600 -# RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords + +### Control 5.6.1.5 - Ensure all users last password change date is in the past +# Allow ansible to expire password for account with a last changed date in the future. Setting it +# to 'false' will just display users in violation, while 'true' will expire those users passwords. rhel9cis_futurepwchgdate_autofix: true -# 5.3.7 -# This variable determines the group of users that are allowed to use the su command. -# one to specify a user group that is allowed to use the "su" command. -# CIS requires that such a group be created (named according to site policy) and be kept empty. +### Control 5.3.7 - Ensure access to the 'su' command is restricted +# This variable determines the name of the group of users that are allowed to use the su command. +# CIS requires that such a group be CREATED(named according to site policy) and be kept EMPTY. rhel9cis_sugroup: nosugroup ## Section6 vars -# RHEL-09_6.1.1 +### Control 6.1.15 - Audit system file permissions | Create list and warning +# The RPM package-manager has many useful options. For example, using option: +# - '-V': RPM can automatically check if system packages are correctly installed +# - '-qf': RPM can be used to determine which package a particular file belongs to +# Rule 6.1.15 takes advantage of the combination of those two options and, therefore, is able to +# detect any discrepancy regarding installed packages, redirecting the output of this combined +# command into a specific file. If no output is returned, the package is installed correctly. 
+# Current variable stores the preferred absolute filepath such a file, therefore if this file +# contains any lines, an alert message will be generated to warn about each discrepancy. rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check -# RHEL-09_6.1.10 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable +### Control 6.1.9 - Ensure no world writable files exist +# Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable. rhel9cis_no_world_write_adjust: true + rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" -# 6.2.16 -## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj +### Control 6.2.16 - Ensure local interactive user dot files are not group or world writable +# This boolean variable governs if current role should follow filesystem links for changes to +# user home directory. rhel_09_6_2_16_home_follow_symlinks: false +# thanks to @dulin-gnet and community for rhel8-cis feedback. #### Goss Configuration Settings #### # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" From c2c581ecff53fb301f12af4a22cdc6cdbc9b0e03 Mon Sep 17 00:00:00 2001 From: "root@DERVISHx" Date: Wed, 27 Dec 2023 15:39:46 +0000 Subject: [PATCH 128/136] Added vars for streams. Signed-off-by: root@DERVISHx --- defaults/main.yml | 2 +- vars/AlmaLinux.yml | 6 ++++++ vars/Rocky.yml | 6 ++++++ 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index cf33926..c314756 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
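Review bot: The expanded comment on `rhel9cis_rpm_audit_file` documents what the file holds but not that its default, `/var/tmp/rpm_file_check`, is a fixed name in a world-writable sticky directory: any local user can pre-create that path, and when the 6.1.15 task (outside this hunk) writes there as root the integrity results either land in an attacker-owned file or, with `fs.protected_regular` enabled, the write fails. I would add `# NOTE: /var/tmp is world-writable; prefer a root-owned directory such as /var/log or /root for this file.` above the variable, or change the default itself. The sentence `# Current variable stores the preferred absolute filepath such a file` is missing a word (`of such a file`). For `rhel_09_6_2_16_home_follow_symlinks` I would also state why the default is `false`: following symlinks while fixing dot-file modes as root lets a user redirect the change to a file outside their home.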
@@ -873,7 +873,7 @@ rhel9cis_auditd_uid_exclude: # This variable governs which logging service should be used, choosing between 'rsyslog'(CIS recommendation) # or 'journald'(only one is implemented) will trigger the execution of the associated subsection, as the-best # practices are written wholly independent of each other. -rhel9cis_syslog: rsyslog +rhel9cis_syslog: journald ## Control 4.2.1.5 | PATCH | Ensure logging is configured # This variable governs if current Ansible role should manage syslog settings # in /etc/rsyslog.conf file, namely mail, news and misc(warn, messages) diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index b0eb3d9..a0fa6ba 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -5,3 +5,9 @@ os_gpg_key_pubkey_name: gpg-pubkey-b86b3716-61e69f29 os_gpg_key_pubkey_content: "AlmaLinux OS 9 b86b3716" # disable repo_gpgcheck due to OS default repos rhel9cis_rule_enable_repogpg: false + +rhel9cis_sshd: + # This variable sets the maximum number of unresponsive "keep-alive" messages + # that can be sent from the server to the client before the connection is considered + # inactive and thus, closed. + clientalivecountmax: 3 \ No newline at end of file diff --git a/vars/Rocky.yml b/vars/Rocky.yml index 77af29c..7d9f014 100644 --- a/vars/Rocky.yml +++ b/vars/Rocky.yml @@ -3,3 +3,9 @@ os_gpg_key_pubkey_name: gpg-pubkey-350d275d-6279464b os_gpg_key_pubkey_content: "Rocky Enterprise Software Foundation - Release key 2022 350d275d" + +rhel9cis_sshd: + # This variable sets the maximum number of unresponsive "keep-alive" messages + # that can be sent from the server to the client before the connection is considered + # inactive and thus, closed. + clientalivecountmax: 3 \ No newline at end of file From d97e42e414e3f5c3f4dbcdd66ad3c224c00827fb Mon Sep 17 00:00:00 2001 
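Review bot: Changing the default of `rhel9cis_syslog` from `rsyslog` to `journald` contradicts the unchanged comment directly above it, which still calls `rsyslog` the CIS recommendation, and the commit message ("Added vars for streams") does not mention switching the logging backend for every consumer of the role. If the change is intended, say so in the comment, e.g. `# Default is 'journald'; CIS 4.2.1.x recommends 'rsyslog' - set rhel9cis_syslog: rsyslog to follow the benchmark.` Otherwise restore `rhel9cis_syslog: rsyslog` and carry any stream-specific value in vars/AlmaLinux.yml and vars/Rocky.yml where the other variables of this commit live.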
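Review bot: Defining `rhel9cis_sshd:` with a single key in `vars/AlmaLinux.yml` replaces, not merges, the `rhel9cis_sshd` dictionary from `defaults/main.yml`: role `vars/` outrank role defaults and Ansible's default `hash_behaviour` is `replace`, so on AlmaLinux `rhel9cis_sshd.clientaliveinterval`, `logingracetime`, `allow_groups` and the rest become undefined unless the controller runs with the deprecated `hash_behaviour = merge`. Use a flat variable instead, e.g. `rhel9cis_sshd_clientalivecountmax: 3`, and have the sshd task (outside this hunk) read it with `{{ rhel9cis_sshd_clientalivecountmax | default(rhel9cis_sshd.clientalivecountmax) }}`, or restate the full dictionary here. The same applies to the identical block added to `vars/Rocky.yml`, and both files are left without a trailing newline.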
From: Ionut Pruteanu Date: Wed, 31 Jan 2024 00:10:24 +0200 Subject: [PATCH 129/136] Changes after rebasing, 2 --- defaults/main.yml | 320 +++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 285 insertions(+), 35 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index decf352..9dce24d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -11,6 +11,10 @@ system_is_ec2: false # Supported OSs will not need for this to be changed - see README e.g. CentOS os_check: true +## Switching on/off specific baseline sections +# These variables govern whether the tasks of a particular section are to be executed when running the role. +# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true. +# to "true". If you do not want the tasks from that section to get executed you simply set the variable to "false". rhel9cis_section1: true rhel9cis_section2: true rhel9cis_section3: true @@ -22,6 +26,7 @@ rhel9cis_section6: true # e.g. # - level1-server # - level2-workstation +# Used for audit rhel9cis_level_1: true rhel9cis_level_2: true @@ -39,7 +44,8 @@ benchmark_version: 'v1.0.0' benchmark: RHEL9-CIS -# Whether to skip the reboot +# Whether to skip the system reboot before audit +# System will reboot if false, can give better audit results skip_reboot: true # default value will change to true but wont reboot if not enabled but will error 
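Review bot: The new section-toggle comment has a leftover fragment: `... set the "_section1" variable to true.` is immediately followed by a line beginning `# to "true". If you do not want ...`, so the second sentence starts mid-clause. Merge them into `# E.g. to run the Section 1 tasks set rhel9cis_section1 to true; set it to false to skip that section entirely.` and use the real variable name rather than `"_section1"`. `# Used for audit` above `rhel9cis_level_1` could also say what it selects, e.g. `# Which CIS profile levels the audit evaluates (level1-server/workstation, level2-...)`, if that is indeed how the audit role consumes it.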
@@ -49,12 +55,13 @@ change_requires_reboot: false ### Goss is required on the remote host ### ## Refer to vars/auditd.yml for any other settings ## +## Audit setup +# Audits are carried out using Goss. This variable +# determines whether execution of the role prepares for auditing +# by installing the required binary. # Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false -# enable audits to run - this runs the audit and get the latest content -run_audit: false - # Only run Audit do not remediate audit_only: false # As part of audit_only @@ -64,7 +71,10 @@ fetch_audit_files: false audit_capture_files_dir: /some/location to copy to on control node # How to retrieve audit binary +## How to retrive goss # Options are copy or download - detailed settings at the bottom of this file +# provided in variable `audit_conf_copy` for copying or +# the url given in variable `audit_files_url` for downloading. # you will need to access to either github or the file already dowmloaded get_audit_binary_method: download @@ -75,6 +85,15 @@ audit_bin_copy_location: /some/accessible/path # how to get audit files onto host options # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf +## How to retrieve the audit role +# The role for auditing is maintained separately. +# This variable specifies the method of how to get the audit role +# options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly) +# onto the system. The options are as follows: +# - git: clone from git repository as specified in variable `audit_file_git` in +# the version specified by variable `audit_git_version` +# - copy: copy from path as specified in variable `audit_conf_copy` +# - get_url: Download from url as specified in variable `audit_files_url` audit_content: git # archive or copy: 
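Review bot: The new comment on `get_audit_binary_method` explains copy versus download but says nothing about integrity: with `download` the goss binary is fetched over the network and then executed as root on every target, so the comment should point to wherever the role pins the release and verifies a checksum (the "detailed settings at the bottom of this file" referenced here are outside this hunk; if no checksum variable exists, that is the gap). Suggest `# 'download' fetches an executable that runs as root - pin the goss version and verify its checksum (see audit_bin_* settings below).` Typos in the added lines: `retrive` -> `retrieve`, `available to to the host` -> `available on the host`; the kept line still has `dowmloaded`.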
@@ -82,6 +101,11 @@ audit_conf_copy: "some path to copy from" # get_url: audit_files_url: "some url maybe s3?" +## Enable audits to run +# This variable governs whether the audit using the +# separately maintained audit role using Goss +# is carried out. +run_audit: false # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system audit_run_heavy_tests: true @@ -92,12 +116,15 @@ audit_run_heavy_tests: true audit_cmd_timeout: 120000 ### End Goss enablements #### +#### Detailed settings found at the end of this document #### # These variables correspond with the CIS rule IDs or paragraph numbers defined in # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. # You must enable an entire section in order for the variables below to take effect. -# Section 1 rules + +# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, +# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) rhel9cis_rule_1_1_1_1: true rhel9cis_rule_1_1_1_2: true rhel9cis_rule_1_1_2_1: true @@ -170,7 +197,7 @@ rhel9cis_rule_1_8_10: true rhel9cis_rule_1_9: true rhel9cis_rule_1_10: true -# Section 2 rules +# Section 2 rules are controling Services (Special Purpose Services, and service clients) rhel9cis_rule_2_1_1: true rhel9cis_rule_2_1_2: true rhel9cis_rule_2_2_1: true @@ -198,6 +225,7 @@ rhel9cis_rule_2_3_4: true rhel9cis_rule_2_4: true # Section 3 rules +# Network Configuration rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_3: true 
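Review bot: Spelling in the new section headings: `controling` -> `controlling` in `# Section 2 rules are controling Services (Special Purpose Services, and service clients)`. The Section 1 heading is also split across two comment lines mid-parenthesis, so `# Additional Process Hardening, ...` reads as a heading of its own; fold it into one line or indent the continuation with a leading `#   `.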
@@ -222,7 +250,8 @@ rhel9cis_rule_3_4_2_5: true rhel9cis_rule_3_4_2_6: true rhel9cis_rule_3_4_2_7: true -# Section 4 rules +# Section 4 rules are Logging and Auditing (Configure System Accounting (auditd), +# Configure Data Retention, and Configure Logging) rhel9cis_rule_4_1_1_1: true rhel9cis_rule_4_1_1_2: true rhel9cis_rule_4_1_1_3: true @@ -281,7 +310,8 @@ rhel9cis_rule_4_2_2_7: true rhel9cis_rule_4_2_3: true rhel9cis_rule_4_3: true -# Section 5 rules +# Section 5 rules control Access, Authentication, and Authorization (Configure time-based job schedulers, +# Configure sudo, Configure SSH Server, Configure PAM and User Accounts and Environment) rhel9cis_rule_5_1_1: true rhel9cis_rule_5_1_2: true rhel9cis_rule_5_1_3: true @@ -336,7 +366,7 @@ rhel9cis_rule_5_6_4: true rhel9cis_rule_5_6_5: true rhel9cis_rule_5_6_6: true -# Section 6 rules +# Section 6 rules controls System Maintenance (System File Permissions and User and Group Settings) rhel9cis_rule_6_1_1: true rhel9cis_rule_6_1_2: true rhel9cis_rule_6_1_3: true 
@@ -402,10 +432,18 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF4 rhel9cis_bootloader_password: random # pragma: allowlist secret rhel9cis_set_boot_pass: true -# 1.8 Gnome Desktop + +## Controls 1.8.x - Settings for GDM +# This variable specifies the GNOME configuration database file to which configurations are written. +# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) +# The default database is `local` rhel9cis_dconf_db_name: local -rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) -rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) +# This variable governs the number of seconds of inactivity before the screen goes blank. +# Set max value for idle-delay in seconds (between 1 and 900) +rhel9cis_screensaver_idle_delay: 900 +# This variable governs the number of seconds the screen remains blank before it is locked. +# Set max value for lock-delay in seconds (between 0 and 5) +rhel9cis_screensaver_lock_delay: 5 # 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) # Control 1.10 states do not use LEGACY and control 1.11 says to use FUTURE or FIPS. 
@@ -414,27 +452,67 @@ rhel9cis_crypto_policy: 'DEFAULT' rhel9cis_crypto_policy_module: '' # System network parameters (host only OR host and router) +# This variable governs whether specific CIS rules +# concerned with acceptance and routing of packages are skipped. rhel9cis_is_router: false -# IPv6 required +## IPv6 requirement toggle +# This variable governs whether ipv6 is enabled or disabled. rhel9cis_ipv6_required: true -# AIDE +## Control 1.3.1 - allow aide to be configured +# AIDE is a file integrity checking tool, similar in nature to Tripwire. +# While it cannot prevent intrusions, it can detect unauthorized changes +# to configuration files by alerting when the files are changed. Review +# the AIDE quick start guide and AIDE documentation before proceeding. +# By setting this variable to `true`, all of the settings related to AIDE will be applied! rhel9cis_config_aide: true -# AIDE cron settings + +## Control 1.3.2 AIDE cron settings +# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. +# The sub-settings of this variable provide the parameters required to configure +# the cron job on the target system. +# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled +# and executed automatically at a certain point in time. rhel9cis_aide_cron: + # This variable represents the user account under which the cron job for AIDE will run. cron_user: root + # This variable represents the path to the AIDE crontab file. cron_file: /etc/cron.d/aide_cron + # This variable represents the actual command or script that the cron job + # will execute for running AIDE. aide_job: '/usr/sbin/aide --check' + # These variables define the schedule for the cron job + # This variable governs the minute of the time of day when the AIDE cronjob is run. + # It must be in the range `0-59`. aide_minute: 0 + # This variable governs the hour of the time of day when the AIDE cronjob is run. 
+ # It must be in the range `0-23`. aide_hour: 5 + # This variable governs the day of the month when the AIDE cronjob is run. + # `*` signifies that the job is run on all days; furthermore, specific days + # can be given in the range `1-31`; several days can be concatenated with a comma. + # The specified day(s) can must be in the range `1-31`. aide_day: '*' + # This variable governs months when the AIDE cronjob is run. + # `*` signifies that the job is run in every month; furthermore, specific months + # can be given in the range `1-12`; several months can be concatenated with commas. + # The specified month(s) can must be in the range `1-12`. aide_month: '*' + # This variable governs the weekdays, when the AIDE cronjob is run. + # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays + # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays + # can be concatenated with commas. aide_weekday: '*' # SELinux policy +# This selects type of policy; targeted or mls ( multilevel ) +# mls should not be used, since it will disable unconfined policy module +# and may prevent some services from running. rhel9cis_selinux_pol: targeted # chose onf or enfocing or permissive +# CIS expects enforcing since permissive allows operations thet might compromise the system. +# Even though logging still occurs. rhel9cis_selinux_enforce: enforcing # Whether or not to run tasks related to auditing/patching the desktop environment 
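Review bot: The new comment on `rhel9cis_is_router` says the skipped rules concern "acceptance and routing of packages"; the 3.1.x/3.2.x controls govern IP forwarding and ICMP redirect acceptance, so this should read `# concerned with accepting and forwarding (routing) of IP packets are skipped.` In the AIDE cron block the line `# The specified day(s) can must be in the range ...` appears for both `aide_day` and `aide_month` and repeats the preceding sentence; drop the `can must` lines. The SELinux note also needs `thet` -> `that`, and `# chose onf or enfocing` on the kept line above it is worth fixing while here.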
@@ -443,6 +521,11 @@ rhel9cis_selinux_enforce: enforcing ### 2.1 Time Synchronization #### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 +# The following variable represents a list of of time servers used +# for configuring chrony, timesyncd, and ntp. +# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`. +# The default setting for the `options` is `minpoll` but `iburst` can be used, please refer to the documentation +# of the time synchronization mechanism you are using. rhel9cis_time_synchronization_servers: - 0.pool.ntp.org - 1.pool.ntp.org @@ -454,7 +537,9 @@ rhel9cis_chrony_server_makestep: "1.0 3" rhel9cis_chrony_server_minsources: 2 ### 2.2 Special Purposes -##### Service configuration booleans set true to keep service +# Service configuration variables (boolean). +# Set the respective variable to true to keep the service. +# otherwise the service is stopped and disabled rhel9cis_gui: false rhel9cis_avahi_server: false rhel9cis_cups_server: false @@ -472,10 +557,12 @@ rhel9cis_squid_server: false rhel9cis_snmp_server: false rhel9cis_telnet_server: false rhel9cis_is_mail_server: false -# Note the options -# Packages are used for client services and Server- only remove if you dont use the client service -# +# Note the options +# Client package configuration variables. +# Packages are used for client services and Server, only remove if you dont use the client service +# Set the respective variable to `true` to keep the +# client package, otherwise it is uninstalled (false). rhel9cis_use_nfs_server: false rhel9cis_use_nfs_service: false @@ -491,8 +578,7 @@ rhel9cis_openldap_clients_required: false rhel9cis_tftp_client: false rhel9cis_ftp_client: false -## Section3 vars -## Sysctl +## Section 3 vars for Sysctl rhel9cis_sysctl_update: false rhel9cis_flush_ipv4_route: false rhel9cis_flush_ipv6_route: false 
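Review bot: The new comment on `rhel9cis_time_synchronization_servers` says each list item has `name` and `options` settings, but the list that follows is plain strings (`- 0.pool.ntp.org`), so a reader following the comment would produce a structure the `chrony.conf.j2` template (outside this hunk) may not accept. Either change the items to `- name: 0.pool.ntp.org` / `  options: iburst` if the template iterates over mappings, or fix the comment to match the data: `# Plain list of time servers written to chrony.conf by the 2.1.2 template.` Also `list of of` -> `list of`, and RHEL 9 uses chrony only, so `timesyncd, and ntp` is misleading here.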
@@ -512,7 +598,11 @@ rhel9cis_firewalld_ports: - number: 80 protocol: tcp -#### nftables +## Controls 3.5.2.x - nftables +# The default nftables table name is "filter". This variable name will be the one all +# "rhel9cis_nft_tables_tablename" is the name of the table in nftables you want to create. +# nftables configs are applied to. +# options are: inet filter rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_autochaincreate: true 
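Review bot: The new nftables comment has its sentences interleaved: `This variable name will be the one all` is completed two lines later by `nftables configs are applied to.`, with the `rhel9cis_nft_tables_tablename` sentence dropped in between, and `# options are: inet filter` is not a list of options but the family and name of the default table. Suggest `# rhel9cis_nft_tables_tablename is the name of the nftables table (family inet) that all rules from the 3.4.2.x controls are written to; the default is 'filter'.` plus one line for `rhel9cis_nft_tables_autonewtable` stating that `true` creates the table if it is missing.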
@@ -524,14 +614,41 @@ rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and ## Section4 vars ### 4.1 Configure System Accounting #### 4.1.2 Configure Data Retention +## Controls what actions, when log files fill up +# This variable controls how the audit system behaves when +# log files are getting too full and space is getting too low. rhel9cis_auditd: space_left_action: email action_mail_acct: root + # This variable determines the action the audit system should take when disk + # space runs low. + # The options for setting this variable are as follows: + # - `ignore`: the system does nothing when presented with the aforementioned issue; + # - `syslog`: a message is sent to the system log about disk space running low; + # - `suspend`: the system suspends recording audit events until more space is available; + # - `halt`: the system is halted when disk space is critically low. + # - `single`: the audit daemon will put the computer system in single user mode + # CIS prescribes either `halt` or `single`. admin_space_left_action: halt + # This variable determines what action the audit system should take when the maximum + # size of a log file is reached. + # The options for setting this variable are as follows: + # - `ignore`: the system does nothing when the size of a log file is full; + # - `syslog`: a message is sent to the system log indicating the problem; + # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated; + # - `rotate`: the log file is rotated (archived) and a new empty log file is created; + # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints. + # CIS prescribes the value `keep_logs`. + max_log_file_action: keep_logs # The max_log_file parameter should be based on your sites policy. 
max_log_file: 10 - max_log_file_action: keep_logs +## Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient +# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the +# system can buffer in memory, if the audit subsystem is unable to process them in real-time. +# Buffering in memory is useful in situations, where the audit system is overwhelmed +# with incoming audit events, and needs to temporarily store them until they can be processed. +# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value. # This value governs if the below extra-vars for auditd should be used by the role rhel9cis_auditd_extra_conf_usage: false 
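Review bot: The `## Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient` block added at the end of this hunk sits above `# This value governs if the below extra-vars for auditd should be used` / `rhel9cis_auditd_extra_conf_usage: false`, not above `rhel9cis_audit_back_log_limit`, and the identical block is added again in the next hunk where that variable actually lives; delete this copy. The option list for `admin_space_left_action` also omits `email` and `exec`, although the kept `space_left_action: email` uses one of them, so a reader may think the current default is invalid; add `#   - `email`: mail a warning to `action_mail_acct``. `## Controls what actions, when log files fill up` is missing a verb: `## Controls what action is taken when log files fill up`.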
@@ -543,14 +660,33 @@ rhel9cis_auditd_extra_conf: admin_space_left: 50 space_left: 75 -# The audit_back_log_limit value should never be below 8192 +## Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient +# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the +# system can buffer in memory, if the audit subsystem is unable to process them in real-time. +# Buffering in memory is useful in situations, where the audit system is overwhelmed +# with incoming audit events, and needs to temporarily store them until they can be processed. +# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value. rhel9cis_audit_back_log_limit: 8192 -### 4.1.3.x audit template +## Control 4.1.2.1 - Ensure audit log storage size is configured +# This variable specifies the maximum size in MB that an audit log file can reach +# before it is archived or deleted to make space for the new audit data. +# This should be set based on your sites policy. CIS does not provide a specific value. +rhel9cis_max_log_file_size: 10 + +## 4.1.3.x - Audit template +# This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the +# audit settings are overwritten with the role's template. In order to exclude +# specific rules, you must set the variable of form `rhel9cis_rule_4_1_3_x` above +# to `false`. update_audit_template: false ## Advanced option found in auditd post +# users whose actions are not logged by auditd rhel9cis_allow_auditd_uid_user_exclusions: false +# add a list of uids to be excluded. +rhel9cis_auditd_uid_exclude: + - 1999 ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging 
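Review bot: `rhel9cis_auditd_uid_exclude` now ships with a concrete UID (`- 1999`) as the default exclusion list; the toggle `rhel9cis_allow_auditd_uid_user_exclusions: false` keeps it inert today, but anyone flipping the toggle will silently stop auditing that UID without having chosen it. Ship `rhel9cis_auditd_uid_exclude: []` and keep the example as a comment, `# - 1999`. The new `rhel9cis_max_log_file_size: 10` also duplicates the existing `rhel9cis_auditd.max_log_file: 10` (context in the previous hunk) for the same control 4.1.2.1; state which one the auditd template consumes (outside this hunk) or remove one, otherwise the two will drift. The line `# users whose actions are not logged by auditd` describes the list, not the boolean it sits above; swap it for `# Set true to honour the UID exclusion list below`.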
@@ -567,28 +703,56 @@ rhel9cis_remote_log_retrycount: 100 rhel9cis_remote_log_queuesize: 1000 #### 4.2.1.7 +# This variable expresses whether the system is used as a log server or not. +# If set to `true`, controls that interfere with log server functionality or +# require that own system logs be sent to some other log server are skipped. rhel9cis_system_is_log_server: false # 4.2.2.1.2 # rhel9cis_journal_upload_url is the ip address to upload the journal entries to rhel9cis_journal_upload_url: 192.168.50.42 -# The paths below have the default paths/files, but allow user to create custom paths/filenames + +## The paths below have the default paths/files, but allow user to create custom paths/filenames +# This variable specifies the path to the private key file used by the remote journal +# server to authenticate itself to the client. This key is used alongside the server's +# public certificate to establish secure communication. rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" +# This variable specifies the path to the public certificate file of the remote journal +# server. This certificate is used to verify the authenticity of the remote server. rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" +# This variable specifies the path to a file containing one or more public certificates +# of certificate authorities (CAs) that the client trusts. These trusted certificates are used +# to validate the authenticity of the remote server's certificate. rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" # 4.2.2.1 # The variables below related to journald, please set these to your site specific values +# These variable specifies how much disk space the journal may use up at most +# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. +# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. 
+# ATTENTION: Uncomment the keyword below when values are set! # rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use rhel9cis_journald_systemmaxuse: 10M # rhel9cis_journald_systemkeepfree is the amount of disk space to keep free rhel9cis_journald_systemkeepfree: 100G +# rhel9cis_journald_runtimemaxuse control how much disk space the journal may use up at most. +# same as rhel9cis_journald_systemmaxuse. rhel9cis_journald_runtimemaxuse: 10M +# rhel9cis_journald_runtimekeepfree is the amount of disk space to keep free +# same as rhel9cis_journald_systemkeepfree. rhel9cis_journald_runtimekeepfree: 100G -# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +# rhel9cis_journald_MaxFileSec is how long in time to keep log files. +# This variable specifies, the maximum time to store entries in a single journal +# file before rotating to the next one. Set to 0 to turn off this feature. +# The given values is interpreted as seconds, unless suffixed with the units +# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds. +# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +# ATTENTION: Uncomment the keyword below when values are set! rhel9cis_journald_maxfilesec: 1month #### 4.3 +# This variable defines the log file rotation period. +# Options are: daily, monthly, yearly. rhel9cis_logrotate: "daily" ## Section5 vars 
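Review bot: The new comment for `rhel9cis_journal_upload_serverkeyfile` says it is the private key "used by the remote journal server to authenticate itself to the client"; per journal-upload.conf(5), `ServerKeyFile=`/`ServerCertificateFile=` are the key and certificate of the local systemd-journal-upload client (the "Server" prefix is a historical misnomer), and a remote server's private key must never be distributed to clients. Reword to `# Private key of this host's journal-upload client, presented to the remote journal-remote server (TLS client authentication).` and `# Certificate matching the key above, identifying this host to the remote server.`, keeping `TrustedCertificateFile` as the CA bundle that validates the remote. The two `# ATTENTION: Uncomment the keyword below when values are set!` lines refer to keys that are not commented out (`rhel9cis_journald_systemmaxuse: 10M`, `rhel9cis_journald_maxfilesec: 1month`), so either comment the defaults out or drop the attention lines.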
@@ -597,20 +761,61 @@ rhel9cis_logrotate: "daily" rhel9_cis_sshd_config_file: /etc/ssh/sshd_config rhel9cis_sshd: + # This variable sets the maximum number of unresponsive "keep-alive" messages + # that can be sent from the server to the client before the connection is considered + # inactive and thus, closed. clientalivecountmax: 0 + # This variable sets the time interval in seconds between sending "keep-alive" + # messages from the server to the client. These types of messages are intended to + # keep the connection alive and prevent it being terminated due to inactivity. clientaliveinterval: 900 + # This variable specifies the amount of seconds allowed for successful authentication to + # the SSH server. logingracetime: 60 - # WARNING: make sure you understand the precedence when working with these values!! - # allowusers: - # allowgroups: systems dba - # denyusers: - # denygroups: + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH + # access for users whose user name matches one of the patterns. This is done + # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. + # If an USER@HOST format will be used, the specified user will be allowed only on that particular host. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + allow_users: "" + # (String) This variable, if spcieifed, configures a list of GROUP name patterns, separated by spaces, to allow SSH access + # for users whose primary group or supplementary group list matches one of the patterns. This is done + # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. 
+ # For more info, https://linux.die.net/man/5/sshd_config + allow_groups: wheel + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access + # for users whose user name matches one of the patterns. This is done + # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. + # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + deny_users: nobody + # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access + # for users whose primary group or supplementary group list matches one of the patterns. This is done + # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + deny_groups: "" -# 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE +# 5.2.5 SSH LogLevel setting. +# This variable is used to control the verbosity of the logging produced by the SSH server. +# The options for setting it are as follows: +# - `QUIET`: Minimal logging; +# - `FATAL`: logs only fatal errors; +# - `ERROR`: logs error messages; +# - `INFO`: logs informational messages in addition to errors; +# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges; +# - `DEBUG`: generates very detailed debugging information including sensitive information. +# - `DEBUG(x)`: Whereas x = debug level 1 to 3, DEBUG=DEBUG1. rhel9cis_ssh_loglevel: INFO # 5.2.19 SSH MaxSessions setting. Must be 4 our less rhel9cis_ssh_maxsessions: 4 +## Control 5.5.1.4 +# This variable specifies the number of days of inactivity before an account will be locked. 
+# CIS requires a value of 30 days or less. rhel9cis_inactivelock: lock_days: 30 
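Review bot: The new documentation for `clientalivecountmax: 0` describes it as the count before the connection is closed, but on OpenSSH 8.2 and later (RHEL 9 ships 8.7) a value of 0 disables the liveness kill entirely, so the 900-second `clientaliveinterval` never terminates an idle session; the CIS 5.2.22 check, as I read it, expects 1-3, which is also what vars/AlmaLinux.yml sets in a later commit. Suggest `clientalivecountmax: 3` with `# Must be 1-3: with 0, OpenSSH >= 8.2 never closes the idle connection.` Separately, the defaults now actively set `allow_groups: wheel` and `deny_users: nobody` where the old block was commented-out examples; with `AllowGroups wheel` written to sshd_config every non-wheel account, including a non-wheel Ansible connection user, loses SSH access on the first run, so keep these empty by default (`allow_groups: ""`) and carry over the lockout warning the removed `# WARNING: ... precedence` line used to give. The loglevel list should also still say that CIS accepts only `INFO` or `VERBOSE`, which the replaced comment stated.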
@@ -628,32 +833,65 @@ rhel9cis_authselect_custom_profile_create: false # 5.3.2 Enable automation to select custom profile options, using the settings above rhel9cis_authselect_custom_profile_select: false +## Controls 5.5.1.x - Password settings rhel9cis_pass: + ## Control 5.5.1.2 + # This variable governs after how many days a password expires. + # CIS requires a value of 365 or less. max_days: 365 + ## Control 5.5.1.1 + # This variable specifies the minimum number of days allowed between changing passwords. + # CIS requires a value of at least 1. min_days: 7 + ## Control 5.5.1.3 + # This variable governs, how many days before a password expires, the user will be warned. + # CIS requires a value of at least 7. warn_age: 7 # 5.5.1 ## PAM rhel9cis_pam_password: + # This variable sets the minimum chars a password needs to be set. minlen: 14 + # This variable set password complexity,the minimum number of + # character types that must be used (i.e., uppercase, lowercase, digits, other) + # Set to 2, passwords cannot have all lower/upper case. + # Set to 3, passwords needs numbers. + # set to 4, passwords will have to include all four types of characters. minclass: 4 rhel9cis_pam_faillock: + # This variable sets the amount of time a user will be unlocked after + # the max amount of password failures. unlock_time: 900 + # This variable sets the amount of tries a password can be entered, before a user is locked. deny: 5 + # This variable represents the number of password change cycles, after which + # a user can re-use a password. + # CIS requires a value of 5 or more. remember: 5 # UID settings for interactive users # These are discovered via logins.def if set true discover_int_uid: false +# This variable sets the minimum number from which to search for UID +# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# been set to `true`. 
min_int_uid: 1000 +# This variable sets the maximum number at which the search stops for UID +# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# been set to `true`. max_int_uid: 65533 # 5.3.3 var log location variable +# This variable defines the path and file name of the sudo log file. rhel9cis_sudolog_location: "/var/log/sudo.log" #### 5.3.6 +# This variable sets the duration (in minutes) during which a user's authentication credentials +# are cached after successfully authenticating using "sudo". This allows the user to execute +# multiple commands with elevated privileges without needing to re-enter their password for each +# command within the specified time period. CIS requires a value of at most 15 minutes. rhel9cis_sudo_timestamp_timeout: 15 ### 5.4.2 authselect and faillock 
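Review bot: The two NOTE comments added under `min_int_uid` and `max_int_uid` name the controlling variable as `dicover_int_uid`, but the key defined a few lines above in the same hunk is `discover_int_uid`, so the cross-reference is misspelled in both places and should read `discover_int_uid`. The new `unlock_time` comment, `the amount of time a user will be unlocked after the max amount of password failures`, reads as if 900 were how long the account stays unlocked; for pam_faillock's `unlock_time` this is the lockout duration, so `# Seconds an account stays locked after reaching the 'deny' failure count before access is re-enabled.` states it unambiguously and also names the unit, which the current text omits.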
@@ -668,12 +906,24 @@ rhel9cis_5_4_2_risks: NEVER # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) rhel9cis_shell_session_timeout: + # This variable specifies the path of the timeout setting file. + # (TMOUT setting can be set in multiple files, but only one is required for the + # rule to pass. Options are: + # - a file in `/etc/profile.d/` ending in `.s`, + # - `/etc/profile`, or + # - `/etc/bash.bashrc`. file: /etc/profile.d/tmout.sh + # This variable represents the amount of seconds a command or process is allowed to + # run before being forcefully terminated. + # CIS requires a value of at most 900 seconds. timeout: 600 # RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords rhel9cis_futurepwchgdate_autofix: true -# 5.3.7 +## 5.3.7 +# This variable determines the group of users that are allowed to use the su command. +# one to specify a user group that is allowed to use the "su" command. +# CIS requires that such a group be created (named according to site policy) and be kept empty. rhel9cis_sugroup: nosugroup ## Section6 vars @@ -686,7 +936,7 @@ rhel9cis_no_world_write_adjust: true rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" # 6.2.16 -## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj +## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and community for rhel8-cis reedbacj rhel_09_6_2_16_home_follow_symlinks: false #### Goss Configuration Settings #### From 7b379fdb8cc4fab0245fe6ba99db8c5470373d1f Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Wed, 17 Jan 2024 20:17:21 +0200 Subject: [PATCH 130/136] Finalising the docs content & syntax 
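Review bot: The new `timeout` comment in `rhel9cis_shell_session_timeout` describes the wrong thing: it says the value is `the amount of seconds a command or process is allowed to run before being forcefully terminated`, but the variable is written out as `TMOUT` (see the comment at the top of the block), which is the shell's idle timeout — seconds an interactive shell waits for input before it exits — and has no effect on running commands. Suggest `# Seconds an interactive shell may sit idle (no input) before it is terminated; written as TMOUT.`. In the same block the option list says a file under `/etc/profile.d/` must be one `ending in `.s``, while the default right below it is `/etc/profile.d/tmout.sh`, so that should be `.sh`. The rewritten `rhel9cis_sugroup` comment contains a dangling fragment, `# one to specify a user group that is allowed to use the "su" command.`, which repeats the sentence before it and should be removed.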
Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 354 ++++++++++++++++++++++++---------------------- 1 file changed, 187 insertions(+), 167 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index cf33926..c3032cc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -41,7 +41,7 @@ rhel9cis_section6: true rhel9cis_level_1: true rhel9cis_level_2: true -## 1.6 SubSection - Mandatory Access Control +## Section 1.6 - Mandatory Access Control # This variable governs whether SELinux is disabled or not. If SELinux is NOT DISABLED by setting # 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed. rhel9cis_selinux_disable: false @@ -73,6 +73,7 @@ change_requires_reboot: false #### Basic external goss audit enablement settings #### #### Precise details - per setting can be found at the bottom of this file #### + ## Audit setup # Audits are carried out using Goss. This variable # determines whether execution of the role prepares for auditing 
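Review bot: The context comment kept under the retitled `## Section 1.6 - Mandatory Access Control` heading contradicts the variable it documents: it says the subsection runs `If SELinux is NOT DISABLED by setting 'rhel9cis_selinux_disable' to 'true'`, but setting that variable to `true` is what disables SELinux, so the sentence reads as if `true` enables the hardening. Suggest `# If 'rhel9cis_selinux_disable' is left at 'false' (SELinux NOT disabled), the 1.6 subsection will be executed.`. The `rhel9cis_selinux_disable: false` default itself is fine.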
@@ -418,63 +419,70 @@ rhel9cis_rule_6_2_16: true ## Section 1 vars -#### 1.1.2 -# These settings go into the /etc/fstab file for the /tmp mount settings -# The value must contain nosuid,nodev,noexec to conform to CIS standards -# rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0" -# If set true uses the tmp.mount service else using fstab configuration +## Control 1.1.2 +# If set to `true`, rule will be implemented using the `tmp.mount` systemd-service, +# otherwise fstab configuration will be used. +# These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards. rhel9cis_tmp_svc: false -#### 1.1.9 +## Control 1.1.9 rhel9cis_allow_autofs: false -# 1.2.1 +## Control 1.2.1 # This is the login information for your RedHat Subscription # DO NOT USE PLAIN TEXT PASSWORDS!!!!! # The intent here is to use a password utility like Ansible Vault here rhel9cis_rh_sub_user: user rhel9cis_rh_sub_password: password # pragma: allowlist secret -# 1.2.2 +## Control 1.2.2 # Do you require rhnsd # RedHat Satellite Subscription items rhel9cis_rhnsd_required: false -# Control 1.2.4 - When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM -# repo('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks +## Control 1.2.4 +# When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM +# repo ('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks # which check the GPG signatures for all the individual YUM repositories. 
rhel9cis_rhel_default_repo: true -# Control 1.2.4 - When 'rhel9cis_rule_enable_repogpg' is set to 'true'(in conjunction with 'rhel9cis_rhel_default_repo':'false'), conditions are met for +## Control 1.2.4 +# When 'rhel9cis_rule_enable_repogpg' is set to 'true'(in conjunction with 'rhel9cis_rhel_default_repo':'false'), conditions are met for # enabling the GPG signatures-check for all the individual YUM repositories. If GPG signatures-check is enabled on repositories which do not # support it(like RedHat), installation of packages will fail. rhel9cis_rule_enable_repogpg: true -# Control 1.4.1 - This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value +## Control 1.4.1 +# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value # must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with # this format: 'grub.pbkdf2.sha512...' rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' # pragma: allowlist secret rhel9cis_bootloader_password: random # pragma: allowlist secret -# Control 1.4.1 - This variable governs whether a bootloader password should be set in /boot/grub2/user.cfg file. +## Control 1.4.1 +# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file. rhel9cis_set_boot_pass: true -## Controls 1.8.x - Settings for GDM +## Control 1.8.x - Settings for GDM # This variable specifies the GNOME configuration database file to which configurations are written. 
-# (See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en) -# The default database is `local` +# (See "https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en") +# The default database is 'local'. rhel9cis_dconf_db_name: local # This variable governs the number of seconds of inactivity before the screen goes blank. -rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) +# Set max value for idle-delay in seconds (between 1 and 900) +rhel9cis_screensaver_idle_delay: 900 # This variable governs the number of seconds the screen remains blank before it is locked. -rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) +# Set max value for lock-delay in seconds (between 0 and 5) +rhel9cis_screensaver_lock_delay: 5 -# Control 1.10 - This variable contains the value to be set as the system-wide crypto policy. Rule 1.10 enforces -# NOT using 'LEGACY' value(as it is less secure, it just ensures compatibility with legacy systems), therefore +## Control 1.10 +# This variable contains the value to be set as the system-wide crypto policy. 
Current rule enforces NOT USING +# 'LEGACY' value(as it is less secure, it just ensures compatibility with legacy systems), therefore # possible values for this variable are, as explained by RedHat docs: -# -'DEFAULT': reasonable default policy for today's standards(balances usability and security) +# -'DEFAULT': reasonable default policy for today's standards (balances usability and security) # -'FUTURE': conservative security level that is believed to withstand any near-term future attacks # -'FIPS': A level that conforms to the FIPS140-2 requirements rhel9cis_crypto_policy: 'DEFAULT' -# Control 1.10 - This variable contains the value of the crypto policy module(combinations of policies and +## Control 1.10 +# This variable contains the value of the crypto policy module(combinations of policies and # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, # using 'rhel9cis_allowed_crypto_policies_modules' variable. rhel9cis_crypto_policy_module: '' 
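Review bot: `rhel9cis_bootloader_password_hash` still ships a complete, publicly committed PBKDF2 hash while `rhel9cis_set_boot_pass` defaults to `true`; the reworded comment says the value `must be changed`, but nothing in this file makes that fail-safe, so a run that forgets the override installs a GRUB password whose hash anyone reading this repository already has (I cannot see the task that writes `user.cfg`, so whether it refuses the default is unverified). Suggest stating the consequence in the comment, `# NOTE: the shipped hash is public; the role must fail if this value has not been overridden.`, and backing it with an `assert` in the consuming task that compares the variable against the shipped default. The reworded 1.2.4 comment still has `'rhel9cis_rule_enable_repogpg' set as 'True'` with a capital T while every other boolean in this file is written `'true'`. Minor: `## Control 1.8.x - Settings for GDM` covers several controls, so the old `## Controls` was the better heading.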
@@ -536,27 +544,29 @@ rhel9cis_aide_cron: ## Control 1.6.1.3|4|5 - SELinux policy settings # This selects type of policy; targeted or mls( multilevel ) # mls should not be used, since it will disable unconfined policy module -# and may prevent some services from running. Requires SELinux not being disabled(by +# and may prevent some services from running. Requires SELinux not being disabled (by # having 'rhel9cis_selinux_disable' var set as 'true'), otherwise setting will be ignored. rhel9cis_selinux_pol: targeted ## Control 1.6.1.3|4 - SELinux configured and not disabled # This variable contains a specific SELinux mode, respectively: # - 'enforcing': SELinux policy IS enforced, therefore denies operations based on SELinux policy -# rules. If system was installed with SELinux, this is enabled by default. +# rules. If system was installed with SELinux, this is enabled by default. # - 'permissive': SELinux policy IS NOT enforced, therefore does NOT deny any operation, only -# logs AVC(Access Vector Cache) messages. RedHat docs suggest it "can be used -# briefly to check if SELinux is the culprit in preventing your application -# from working". +# logs AVC(Access Vector Cache) messages. RedHat docs suggest it "can be used +# briefly to check if SELinux is the culprit in preventing your application +# from working". # CIS expects enforcing since permissive allows operations that might compromise the system. # Even though logging still occurs. rhel9cis_selinux_enforce: enforcing # Whether or not to run tasks related to auditing/patching the desktop environment -## 2. Services +## Section 2. Services ### 2.1 Time Synchronization -#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 + + +## Control 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 # The following variable represents a list of time servers used # for configuring chrony, timesyncd, and ntp. 
# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`. @@ -567,7 +577,7 @@ rhel9cis_time_synchronization_servers: - 1.pool.ntp.org - 2.pool.ntp.org - 3.pool.ntp.org -#### 2.1.2 - Time Synchronization servers +## Control 2.1.2 - Time Synchronization servers # This variable should contain the default options to be used for every NTP server hostname defined # within the 'rhel9cis_time_synchronization_servers' var. rhel9cis_chrony_server_options: "minpoll 8" 
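Review bot: The reworded SELinux policy comment still reads `Requires SELinux not being disabled (by having 'rhel9cis_selinux_disable' var set as 'true')`, which pairs "not disabled" with the value that disables it; `Requires SELinux not to be disabled ('rhel9cis_selinux_disable' left at 'false'), otherwise setting will be ignored.` says what is meant. The orphan line `# Whether or not to run tasks related to auditing/patching the desktop environment` now sits directly above `## Section 2. Services` with no variable under it; it looks like a leftover from the `rhel9cis_gui` description (which this commit keeps under 2.2) and should be dropped or moved there. The new heading `## Control 2.1.2 Time Synchronization servers` omits the ` - ` separator that the other `## Control` headings in this commit use, including the second `## Control 2.1.2 - Time Synchronization servers` heading a few lines later.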
@@ -575,62 +585,65 @@ rhel9cis_chrony_server_rtcsync: false rhel9cis_chrony_server_makestep: "1.0 3" rhel9cis_chrony_server_minsources: 2 + ### 2.2 Special Purposes + # Service configuration variables (boolean). # Set the respective variable to true to keep the service. # otherwise the service is stopped and disabled + # This variable governs whether rules dealing with GUI specific packages(and/or their settings) should # be executed either to: -# - secure GDM(Control 1.8.2-1.8.10), if GUI is needed('rhel9cis_gui: true') -# - or remove GDM(Control 1.8.1) and X-Windows-system(2.2.1), if no GUI is needed('rhel9cis_gui: false') +# - secure GDM, if GUI is needed('rhel9cis_gui: true') +# - or remove GDM and X-Windows-system, if no GUI is needed('rhel9cis_gui: false') rhel9cis_gui: false -# Control 2.2.2 - Ensure Avahi Server is not installed +## Control 2.2.2 - Ensure Avahi Server is not installed # This variable, when set to false, will specify that Avahi Server packages should be uninstalled. rhel9cis_avahi_server: false -# Control 2.2.3 - Ensure CUPS is not installed +## Control 2.2.3 - Ensure CUPS is not installed # This variable, when set to false, will specify that CUPS(Common UNIX Printing System) package should be uninstalled. rhel9cis_cups_server: false -# Control 2.2.4 - Ensure DHCP Server is not installed +## Control 2.2.4 - Ensure DHCP Server is not installed # This variable, when set to false, will specify that DHCP server package should be uninstalled. rhel9cis_dhcp_server: false -# Control 2.2.5 - Ensure DNS Server is not installed +## Control 2.2.5 - Ensure DNS Server is not installed # This variable, when set to false, will specify that DNS server package should be uninstalled. rhel9cis_dns_server: false -# Control 2.2.14 - Ensure dnsmasq is not installed +## Control 2.2.14 - Ensure dnsmasq is not installed # This variable, when set to false, will specify that dnsmasq package should be uninstalled. 
rhel9cis_dnsmasq_server: false -# Control 2.2.6 - Ensure VSFTP Server is not installed +## Control 2.2.6 - Ensure VSFTP Server is not installed # This variable, when set to false, will specify that VSFTP server package should be uninstalled. rhel9cis_vsftpd_server: false -# Control 2.2.7 - Ensure TFTP Server is not installed +## Control 2.2.7 - Ensure TFTP Server is not installed # This variable, when set to false, will specify that TFTP server package should be uninstalled. rhel9cis_tftp_server: false -# Control 2.2.8 - Ensure a web server is not installed - HTTPD +## Control 2.2.8 - Ensure a web server is not installed - HTTPD # This variable, when set to false, will specify that webserver packages(HTTPD) should be uninstalled. rhel9cis_httpd_server: false -# Control 2.2.8 - Ensure a web server is not installed - NGINX +## Control 2.2.8 - Ensure a web server is not installed - NGINX # This variable, when set to false, will specify that webserver packages(NGINX) should be uninstalled. rhel9cis_nginx_server: false -# Control 2.2.9 - Ensure IMAP and POP3 server is not installed - dovecot +## Control 2.2.9 - Ensure IMAP and POP3 server is not installed - dovecot # This variable, when set to false, will specify that IMAP and POP3 servers(dovecot) should be uninstalled. rhel9cis_dovecot_server: false -# Control 2.2.9 - Ensure IMAP and POP3 server is not installed - cyrus-imapd +## Control 2.2.9 - Ensure IMAP and POP3 server is not installed - cyrus-imapd # This variable, when set to false, will specify that IMAP and POP3 servers(cyrus-imapd) should be uninstalled. rhel9cis_imap_server: false -# Control 2.2.10 - Ensure Samba is not enabled +## Control 2.2.10 - Ensure Samba is not enabled # This variable, when set to false, will specify that 'samba' package should be uninstalled. 
rhel9cis_samba_server: false -# Control 2.2.11 - Ensure HTTP Proxy Server is not installed +## Control 2.2.11 - Ensure HTTP Proxy Server is not installed # This variable, when set to false, will specify that 'squid' package should be uninstalled. rhel9cis_squid_server: false -# Control 2.2.12 - Ensure net-snmp is not installed +## Control 2.2.12 - Ensure net-snmp is not installed # This variable, when set to false, will specify that 'net-snmp' package should be uninstalled. rhel9cis_snmp_server: false -# Control 2.2.13 - Ensure telnet-server is not installed +## Control 2.2.13 - Ensure telnet-server is not installed # This variable, when set to false, will specify that 'telnet-server' package should be uninstalled. rhel9cis_telnet_server: false -# Control 2.2.15 - Ensure mail transfer agent is configured for local-only mode +## Control 2.2.15 - Ensure mail transfer agent is configured for local-only mode # This variable, when system is NOT a mailserver, will configure Postfix to listen only on the loopback interface(the virtual # network interface that the server uses to communicate internally. rhel9cis_is_mail_server: false 
@@ -641,15 +654,15 @@ rhel9cis_is_mail_server: false # Set the respective variable to `true` to keep the # client package, otherwise it is uninstalled (false). -# Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked" -# This variable specifies if the usage of NFS SERVER is needed. The behavior of 2.2.16 will depend on -# the var used in conjunction('rhel9cis_use_nfs_service') with current one, respectively: +## Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked" +# This variable specifies if the usage of NFS SERVER is needed. Execution of the rule which secures (by uninstalling or masking service) +# NFS(if it's NOT needed) will depend on the var used in conjunction('rhel9cis_use_nfs_service') with current one, respectively: # - if Server IS NOT needed('false') and: # - Service IS NOT needed('rhel9cis_use_nfs_service: false'): 'nfs-utils' package will be removed # - Service IS needed('rhel9cis_use_nfs_service: true'): impossible to need the service without the server # - if Server IS needed('true') and: # - Service IS NOT needed('rhel9cis_use_nfs_service: false'): 'nfs-server' service will be masked -# - Service IS needed('rhel9cis_use_nfs_service: true'): Rule 2.2.16 will be SKIPPED. +# - Service IS needed('rhel9cis_use_nfs_service: true'): Rule will be SKIPPED. # | Server | Service | Result | # |---------|---------|-----------------------------------------------------------| # | false | false | Remove package | 
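Review bot: The rewritten heading `## Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked"` carries over a stray trailing double quote from the old line; the matching `rhel9cis_use_nfs_service` heading in the next hunk ends with a period, so drop the quote. The new sentence `NFS(if it's NOT needed) will depend on the var used in conjunction('rhel9cis_use_nfs_service')` would read more easily with a space before each parenthesis, and the same spacing is repeated in the RPC and RSYNC variants of this text in the two following hunks.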
@@ -657,24 +670,24 @@ rhel9cis_is_mail_server: false # | true | false | Mask 'service' | # | true | true | SKIP RULE, BOTH 'service' and 'server' are required | rhel9cis_use_nfs_server: false -# Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked. +## Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked. # This variable specifies if the usage of NFS SERVICE is needed. If it's: -# - needed('true'): rule 2.2.16 will not be executed at all -# - not needed('false'): rule 2.2.16 will be executed, its behavior being controlled by the var -# used in conjunction with current one: +# - needed('true'): rule which uninstalls/masks-service WILL NOT be executed at all +# - not needed('false'): rule which uninstalls/masks-service WILL be executed, its behavior being +# controlled by the var used in conjunction with current one: # - removing 'nfs-utils' package('rhel9cis_use_nfs_server' set to 'false') # - masking the 'nfs-server' service('rhel9cis_use_nfs_server' set to 'true') rhel9cis_use_nfs_service: false -# Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked -# This variable specifies if the usage of RPC SERVER is needed. The behavior of 2.2.17 will depend on -# the var used in conjunction('rhel9cis_use_rpc_service') with current one, respectively: +## Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked +# This variable specifies if the usage of RPC SERVER is needed. 
Execution of the rule which secures (by uninstalling or masking service) +# RPC(if it's NOT needed) will depend on the var used in conjunction('rhel9cis_use_rpc_service') with current one, respectively: # - if Server IS NOT needed('false') and: # - Service IS NOT needed('rhel9cis_use_rpc_service: false'): 'rpcbind' package will be removed # - Service IS needed('rhel9cis_use_rpc_service: true'): impossible to need the service without the server # - if Server IS needed('true') and: # - Service IS NOT needed('rhel9cis_use_rpc_service: false'): 'rpcbind.socket' service will be masked -# - Service IS needed('rhel9cis_use_rpc_service: true'): Rule 2.2.17 will be SKIPPED. +# - Service IS needed('rhel9cis_use_rpc_service: true'): Rule will be SKIPPED. # | Server | Service | Result | # |---------|---------|-----------------------------------------------------------| # | false | false | Remove package | 
@@ -682,25 +695,24 @@ rhel9cis_use_nfs_service: false # | true | false | Mask 'service' | # | true | true | SKIP RULE, BOTH 'service' and 'server' are required | rhel9cis_use_rpc_server: false -# Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked +## Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked # This variable specifies if the usage of RPC SERVICE is needed. If it's: -# - needed('true'): rule 2.2.17 will not be executed at all -# - not needed('false'): rule 2.2.17 will be executed, its behavior being controlled by the var +# - needed('true'): rule which uninstalls/masks-service WILL NOT be executed at all +# - not needed('false'): rule which uninstalls/masks-service WILL be executed, its behavior being controlled by the var # used in conjunction with current one: # - removing 'rpcbind' package('rhel9cis_use_rpc_server' set to 'false') # - masking the 'rpcbind.socket' service('rhel9cis_use_rpc_server' set to 'true') rhel9cis_use_rpc_service: false - -# Control 2.2.18 - Ensure rsync service is not enabled -# This variable specifies if the usage of RSYNC SERVER is needed. The behavior of 2.2.18 will depend on -# the var used in conjunction('rhel9cis_use_rsync_service') with current one, respectively: +## Control 2.2.18 - Ensure rsync service is not enabled +# This variable specifies if the usage of RSYNC SERVER is needed. 
Execution of the rule which secures (by uninstalling or masking service) +# RSYNC(if it's NOT needed) will depend on the var used in conjunction('rhel9cis_use_rsync_service') with current one, respectively: # - if Server IS NOT needed('false') and: # - Service IS NOT needed('rhel9cis_use_rsync_service: false'): 'rsync-daemon' package will be removed # - Service IS needed('rhel9cis_use_rsync_service: true'): impossible to need the service without the server # - if Server IS needed('true') and: # - Service IS NOT needed('rhel9cis_use_rsync_service: false'): 'rsyncd' service will be masked -# - Service IS needed('rhel9cis_use_rsync_service: true'): Rule 2.2.18 will be SKIPPED. +# - Service IS needed('rhel9cis_use_rsync_service: true'): Rule will be SKIPPED. # | Server | Service | Result | # |---------|---------|-----------------------------------------------------------| # | false | false | Remove package | 
@@ -708,51 +720,57 @@ rhel9cis_use_rpc_service: false # | true | false | Mask 'service' | # | true | true | SKIP RULE, BOTH 'service' and 'server' are required | rhel9cis_use_rsync_server: false -# Control 2.2.18 - Ensure rsync service is not enabled +## Control 2.2.18 - Ensure rsync service is not enabled # This variable specifies if the usage of RSYNC SERVICE is needed. If it's: -# - needed('true'): rule 2.2.18 will not be executed at all -# - not needed('false'): rule 2.2.18 will be executed, its behavior being controlled by the var +# - needed('true'): rule which uninstalls/masks-service WILL NOT be executed at all +# - not needed('false'): rule which uninstalls/masks-service WILL be executed, its behavior being controlled by the var # used in conjunction with current one: # - removing 'rsync-daemon' package('rhel9cis_use_rsync_server' set to 'false') # - masking the 'rsyncd' service('rhel9cis_use_rsync_server' set to 'true') rhel9cis_use_rsync_service: false #### 2.3 Service clients -# Control - 2.3.1 - Ensure telnet client is not installed + + +## Control - 2.3.1 - Ensure telnet client is not installed # Set this variable to `true` to keep package `telnet`; otherwise, the package is uninstalled. rhel9cis_telnet_required: false -# Control - 2.3.2 - Ensure LDAP client is not installed +## Control - 2.3.2 - Ensure LDAP client is not installed # Set this variable to `true` to keep package `openldap-clients`; otherwise, the package is uninstalled. rhel9cis_openldap_clients_required: false -# Control - 2.3.3 - Ensure FTP client is not installed +## Control - 2.3.3 - Ensure FTP client is not installed # Set this variable to `true` to keep package `tftp`; otherwise, the package is uninstalled. rhel9cis_tftp_client: false -# Control - 2.3.4 - Ensure FTP client is not installed +## Control - 2.3.4 - Ensure FTP client is not installed # Set this variable to `true` to keep package `ftp`; otherwise, the package is uninstalled. 
rhel9cis_ftp_client: false ## Section3 vars ## Sysctl -# This variable governs if the task which updates sysctl(including sysctl reload) is executed, but current -# default value can be overriden by other tasks(1.5.3, 3.1.1, 3.2.1, 3.2.2, 3.3.1-3.3.9). + + +# This variable governs if the task which updates sysctl(including sysctl reload) is executed. +# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). rhel9cis_sysctl_update: false # This variable governs if the task which flushes the IPv4 routing table is executed(forcing subsequent connections to -# use the new configuration). Current default value can be overriden by other tasks(3.2.1, 3.2.2, 3.3.1-3.3.8). +# use the new configuration). +# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). rhel9cis_flush_ipv4_route: false # This variable governs if the task which flushes the IPv6 routing table is executed(forcing subsequent connections to -# use the new configuration). Current default value can be overriden by other tasks(3.1.1, 3.2.1, 3.3.1, 3.3.2, 3.3.9). +# use the new configuration). +# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). 
rhel9cis_flush_ipv6_route: false -### Firewall Service to install and configure - Option is: -# 1) either 'firewalld'(Controls 3.4.1.2, 3.4.2.1, 3.4.2.4) -# 2) or 'nftables'(Controls ) +### Firewall Service to install and configure - Options are: +# 1) either 'firewalld' +# 2) or 'nftables' #### Some control allow for services to be removed or masked #### The options are under each heading #### absent = remove the package #### masked = leave package if installed and mask the service rhel9cis_firewall: firewalld -# Control 3.4.2.1 - Ensure firewalld default zone is set +## Control 3.4.2.1 - Ensure firewalld default zone is set # This variable will set the firewalld default zone(that is used for everything that is not explicitly bound/assigned # to another zone): if there is no zone assigned to a connection, interface or source, only the default zone is used. rhel9cis_default_zone: public 
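Review bot: The retitled `## Control - 2.3.3 - Ensure FTP client is not installed` duplicates the 2.3.4 heading while the variable under it is `rhel9cis_tftp_client` and the package named in its comment is `tftp`, so the heading presumably should say `TFTP client`. The three new `NOTE:` lines under `## Sysctl` spell `overriden`; it is `overridden`, and the same misspelling is in the rewritten `update_audit_template` comment in the `@@ -852,11 +867,9 @@` hunk. The `## Control - 2.3.x` headings keep a dash between `Control` and the number that none of the `## Control 2.2.x` headings above have; pick one form. Replacing the explicit task references with `likely to be overriden by other further tasks` loses the only pointer to where these facts get set; naming the mechanism, e.g. `(set via 'set_fact' by the section 1.5 and section 3 tasks that were listed here)`, keeps it findable.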
@@ -763,31 +781,28 @@ rhel9cis_firewalld_ports: protocol: tcp ## Controls 3.5.2.x - nftables -# The default nftables table name is "filter". This variable name will be the one all -# "rhel9cis_nft_tables_tablename" is the name of the table in nftables you want to create. -# nftables configs are applied to. -# options are: inet filter -# Control 3.4.2.2 - Ensure at least one nftables table exists + +## Control 3.4.2.2 - Ensure at least one nftables table exists # This variable governs if a table will be automatically created in nftables. Without a table (no default one), nftables # will not filter network traffic, so if this variable is set to 'false' and no tables exist, an alarm will be triggered! rhel9cis_nft_tables_autonewtable: true -# Controls 3.4.2.{2|3|4|6|7} nftables +## Controls 3.4.2.{2|3|4|6|7} nftables # This variable stores the name of the table to be used when configuring nftables(creating chains, configuring loopback # traffic, established connections, default deny). If 'rhel9cis_nft_tables_autonewtable' is set as true, a new table will # be created using as name the value stored by this variable. rhel9cis_nft_tables_tablename: filter -# Control 3.4.2.3 - Ensure nftables base chains exist +## Control 3.4.2.3 - Ensure nftables base chains exist # This variable governs if a nftables base chain(entry point for packets from the networking stack) will be automatically # created, if needed. Without a chain, a hook for input, forward, and delete, packets that would flow through those -#chains will not be touched by nftables +# chains will not be touched by nftables. 
rhel9cis_nft_tables_autochaincreate: true ## Controls: # - 1.7.1 - Ensure message of the day is configured properly # - 1.7.2 - Ensure local login warning banner is configured properly # - 1.7.3 - Ensure remote login warning banner is configured properly -# Warning Banner Content (issue, issue.net, motd) +# This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd). rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and reported. # End Banner @@ -799,7 +814,7 @@ rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and # log files are getting too full and space is getting too low. rhel9cis_auditd: # This variable tells the system what action to take when the system has detected - #that it is starting to get low on disk space. Options are the same as for `admin_space_left_action` + # that it is starting to get low on disk space. Options are the same as for `admin_space_left_action`. space_left_action: email # This variable should contain a valid email address or alias(default value is root), # which will be used to send a warning when configured action is 'email'. @@ -852,11 +867,9 @@ rhel9cis_audit_back_log_limit: 8192 # This should be set based on your sites policy. CIS does not provide a specific value. rhel9cis_max_log_file_size: 10 -## 4.1.3.x - Audit template -# This variable is set to true by tasks 4.1.3.1 to 4.1.3.20. As a result, the -# audit settings are overwritten with the role's template. In order to exclude -# specific rules, you must set the variable of form `rhel9cis_rule_4_1_3_x` above -# to `false`. +## Control 4.1.3.x - Audit template +# This variable governs if the auditd logic should be executed(if value is true). +# NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules'). update_audit_template: false ## Advanced option found in auditd post 
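Review bot: The `## Controls 3.5.2.x - nftables` heading kept above the hunk is now a bare line followed by a blank and then `## Control 3.4.2.2`, `## Controls 3.4.2.{2|3|4|6|7}` and `## Control 3.4.2.3`, so its numbering disagrees with every control it introduces and it no longer has any text of its own; since the removed lines under it were the only explanation, either retitle it `## Controls 3.4.2.x - nftables` or drop it. The fixed `# chains will not be touched by nftables.` line is good, but the sentence before it, `Without a chain, a hook for input, forward, and delete, packets that would flow through those`, is still ungrammatical on the new side — `Without a base chain hooked on input, forward and output, packets that would flow through those` is presumably what was meant (I am inferring the hook names from nftables usage, not from this file).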
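Review bot: The rewritten `update_audit_template` comment drops the one actionable instruction the old text had — that individual audit rules are excluded by setting the matching `rhel9cis_rule_4_1_3_x` variable to `false` — and replaces the statement of what sets the flag with `likely to be overriden(via 'set_fact') by other further tasks`, which leaves a reader no way to find either. Suggest keeping a line such as `# To exclude individual audit rules set the corresponding rhel9cis_rule_4_1_3_x variable above to false.` after the NOTE. `executed(if value is true)` would also read better as `executed (if the value is true)`.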
@@ -868,8 +881,8 @@ rhel9cis_auditd_uid_exclude: ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging -## 4.2.1 | Configure rsyslog -## 4.2.2 | Configure journald +## Control 4.2.1 | Configure rsyslog +## Control 4.2.2 | Configure journald # This variable governs which logging service should be used, choosing between 'rsyslog'(CIS recommendation) # or 'journald'(only one is implemented) will trigger the execution of the associated subsection, as the-best # practices are written wholly independent of each other. 
@@ -879,88 +892,92 @@ rhel9cis_syslog: rsyslog # in /etc/rsyslog.conf file, namely mail, news and misc(warn, messages) rhel9cis_rsyslog_ansiblemanaged: true -#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable governs if 'rsyslog' service should be automatically configured to forward messages to a # remote log server. If set to 'false', the configuration of the 'omfwd' plugin, used to provide forwarding # over UDP or TCP, will not be performed. rhel9cis_remote_log_server: false -rhel9cis_remote_log_host: logagg.example.com -#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable configures the value of the 'target' parameter to be configured when enabling # forwarding syslog messages to a remote log server, thus configuring the actual FQDN/IP address of the # destination server. For this value to be reflected in the configuration, the variable which enables the # automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). +rhel9cis_remote_log_host: logagg.example.com +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable configures the value of the 'port' parameter to be configured when enabling +# forwarding syslog messages to a remote log server. The default value for this destination port is 514. +# For this value to be reflected in the configuration, the variable which enables the +# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). 
rhel9cis_remote_log_port: 514 -#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable configures the value("TCP"/"UDP") of the 'protocol' parameter to be configured when enabling # forwarding syslog messages to a remote log server. The default value for the 'omfwd' plug-in is UDP. # For this value to be reflected in the configuration, the variable which enables the # automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_protocol: tcp -#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable governs how often an action is retried(value is passed to 'action.resumeRetryCount' parameter) before # it is considered to have failed(that roughly translates to discarded messages). The default value is 0, but # when set to "-1"(eternal), this setting would prevent rsyslog from dropping messages when retrying to connect # if server is not responding. For this value to be reflected in the configuration, the variable which enables the # automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_retrycount: 100 -#### Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host # This variable configures the maximum number of messages that can be hold(value is passed to 'queue.size' parameter). # For this value to be reflected in the configuration, the variable which enables the automatic configuration # of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). 
rhel9cis_remote_log_queuesize: 1000 -#### Control 4.2.1.7 - Ensure rsyslog is not configured to receive logs from a remote client +## Control 4.2.1.7 - Ensure rsyslog is not configured to receive logs from a remote client # This variable expresses whether the system is used as a log server or not. If set to: # - 'false', current system will act as a log CLIENT, thus it should NOT receive data from other hosts. # - 'true', current system will act as a log SERVER, enabling centralised log management(by protecting log integrity -# from local attacks on remote clients) +# from local attacks on remote clients) rhel9cis_system_is_log_server: false -#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured +## Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured # 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to # URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port # number may be specified after a colon (":"), otherwise 19532 will be used by default. rhel9cis_journal_upload_url: 192.168.50.42 ## The paths below have the default paths/files, but allow user to create custom paths/filenames -#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured +## Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured # This variable specifies the path to the private key file used by the remote journal # server to authenticate itself to the client. This key is used alongside the server's # public certificate to establish secure communication. rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" -#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured +## Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured # This variable specifies the path to the public certificate file of the remote journal # server. This certificate is used to verify the authenticity of the remote server. 
rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" -#### Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured +## Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured # This variable specifies the path to a file containing one or more public certificates # of certificate authorities (CAs) that the client trusts. These trusted certificates are used # to validate the authenticity of the remote server's certificate. rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" -# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy # The variables below related to journald, please set these to your site specific values # These variable specifies how much disk space the journal may use up at most # Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. # See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. # ATTENTION: Uncomment the keyword below when values are set! -# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use +## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# 'rhel9cis_journald_systemmaxuse' is the max amount of disk space the logs will use rhel9cis_journald_systemmaxuse: 10M -# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# rhel9cis_journald_systemkeepfree is the amount of disk space to keep free +## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# 'rhel9cis_journald_systemkeepfree' is the amount of disk space to keep free rhel9cis_journald_systemkeepfree: 100G -# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# rhel9cis_journald_runtimemaxuse control how much disk space the journal may use up at most. -# same as rhel9cis_journald_systemmaxuse. 
+## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# 'rhel9cis_journald_runtimemaxuse' control how much disk space the journal may use up at most. +# same as 'rhel9cis_journald_systemmaxuse'. rhel9cis_journald_runtimemaxuse: 10M -# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# rhel9cis_journald_runtimekeepfree is the amount of disk space to keep free -# same as rhel9cis_journald_systemkeepfree, but related to runtime space. +## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# 'rhel9cis_journald_runtimekeepfree' is the amount of disk space to keep free +# same as 'rhel9cis_journald_systemkeepfree', but related to runtime space. rhel9cis_journald_runtimekeepfree: 100G -# Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# rhel9cis_journald_MaxFileSec is how long in time to keep log files. +## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# 'rhel9cis_journald_MaxFileSec' is how long in time to keep log files. # This variable specifies, the maximum time to store entries in a single journal # file before rotating to the next one. Set to 0 to turn off this feature. # The given values is interpreted as seconds, unless suffixed with the units 
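Review bot: The `rhel9cis_remote_log_retrycount` comment retained in this hunk says `The default value is 0` directly above a line that sets it to 100, which reads as a contradiction; it means rsyslog's built-in default for 'action.resumeRetryCount'. Suggest `# rsyslog's built-in default for 'action.resumeRetryCount' is 0; this role sets 100. When set to "-1"(eternal) ...`. The protocol comment quotes "TCP"/"UDP" in upper case while the role value is lowercase `tcp`; state the spelling the omfwd template expects so users do not copy the uppercase form. Further down, `rhel9cis_journal_upload_url: 192.168.50.42` is an unlabelled placeholder that journal-upload would ship logs to if `rhel9cis_syslog` is switched to journald; the comment above it should mark it as a value that must be changed to the site's log collector.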
@@ -969,23 +986,24 @@ rhel9cis_journald_runtimekeepfree: 100G # ATTENTION: Uncomment the keyword below when values are set! rhel9cis_journald_maxfilesec: 1month -#### Control 4.3 - Ensure logrotate is configured +## Control 4.3 - Ensure logrotate is configured # This variable defines the log file rotation period. # Options are: daily, weekly, monthly, yearly. rhel9cis_logrotate: "daily" ## Section5 vars -# Section 5.2 - SSH +## Section 5.2 - SSH + # This value, containing the absolute filepath of the produced 'sshd' config file, allows usage of # drop-in files('/etc/ssh/ssh_config.d/{ssh_drop_in_name}.conf', supported by RHEL9) when CIS adopts them. # Otherwise, the default value is '/etc/ssh/ssh_config'. rhel9_cis_sshd_config_file: /etc/ssh/sshd_config -#### Controls: -## 5.2.4 - Ensure SSH access is limited -## 5.2.19 - Ensure SSH LoginGraceTime is set to one minute or less -## 5.2.20 - Ensure SSH Idle Timeout Interval is configured +## Controls: +## - 5.2.4 - Ensure SSH access is limited +## - 5.2.19 - Ensure SSH LoginGraceTime is set to one minute or less +## - 5.2.20 - Ensure SSH Idle Timeout Interval is configured rhel9cis_sshd: # This variable sets the maximum number of unresponsive "keep-alive" messages # that can be sent from the server to the client before the connection is considered @@ -1030,7 +1048,7 @@ rhel9cis_sshd: # For more info, see https://linux.die.net/man/5/sshd_config deny_groups: "" -# Control 5.2.5 - Ensure SSH LogLevel is appropriate +## Control 5.2.5 - Ensure SSH LogLevel is appropriate # This variable is used to control the verbosity of the logging produced by the SSH server. # The options for setting it are as follows: # - `QUIET`: Minimal logging; 
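Review bot: The comment above `rhel9_cis_sshd_config_file` (context directly under the retitled `## Section 5.2 - SSH`) describes the client configuration — `/etc/ssh/ssh_config.d/{ssh_drop_in_name}.conf` and `the default value is '/etc/ssh/ssh_config'` — while the variable holds the server file `/etc/ssh/sshd_config`. Since the role hardens sshd, this should read `# drop-in files('/etc/ssh/sshd_config.d/{name}.conf', supported by RHEL9) when CIS adopts them.` and `# Otherwise, the default value is '/etc/ssh/sshd_config'.`; a reader following the comment as written would put server hardening in the client config. The name `rhel9_cis_sshd_config_file` also breaks the `rhel9cis_` prefix every neighbouring variable uses, though renaming it would require updating the tasks that read it.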
@@ -1042,39 +1060,41 @@ rhel9cis_sshd: # - `DEBUG(x)`: Whereas x = debug level 1 to 3, DEBUG=DEBUG1. rhel9cis_ssh_loglevel: INFO -# Control 5.2.18 - Ensure SSH MaxSessions is set to 10 or less +## Control 5.2.18 - Ensure SSH MaxSessions is set to 10 or less # This variable value specifies the maximum number of open sessions that are permitted from # a given location rhel9cis_ssh_maxsessions: 4 ## Control 5.6.1.4 - Ensure inactive password lock is 30 days or less +rhel9cis_inactivelock: # This variable specifies the number of days of inactivity before an account will be locked. # CIS requires a value of 30 days or less. -rhel9cis_inactivelock: lock_days: 30 # This variable governs if authconfig package should be installed. This package provides a simple method of # configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used # for shadow password support. Basic LDAP, Kerberos 5, and Winbind client configuration is also provided. rhel9cis_use_authconfig: false -#### Controls -# SECTION 5.4 - Configure authselect: Custom authselect profile settings(name, profile to customize, options) -# 5.4.1 - Ensure custom authselect profile is used('custom_profile_name', 'default_file_to_copy' subsettings) -# 5.4.2 - Ensure authselect includes with-faillock | with auth select profile('custom_profile_name') -# Settings in place now will fail, they are place holders from the control example. Due to the way many multiple +## Section 5.4 - Configure authselect: Custom authselect profile settings(name, profile to customize, options) +## Controls: +# - 5.4.1 - Ensure custom authselect profile is used('custom_profile_name', 'default_file_to_copy' subsettings) +# - 5.4.2 - Ensure authselect includes with-faillock | with auth select profile('custom_profile_name') +# Settings in place now will fail, they are placeholders from the control example. 
Due to the way many multiple # options and ways to configure this control needs to be enabled and settings adjusted to minimise risk. rhel9cis_authselect: + # This variable configures the name of the custom profile to be created and selected. custom_profile_name: custom-profile + # This variable configures the ID of the existing profile that should be used as a base for the new profile. default_file_to_copy: "sssd --symlink-meta" options: with-sudo with-faillock without-nullok -# Control 5.4.1 - Ensure custom authselect profile is used +## Control 5.4.1 - Ensure custom authselect profile is used # This variable governs if an authselect custom profile should be automatically created, by copying and # customizing one of the default profiles. The default profiles include: sssd, winbind, or the nis. This profile can then be # customized to follow site specific requirements. rhel9cis_authselect_custom_profile_create: false -# Control 5.4.2 - Ensure authselect includes with-faillock | Create custom profiles +## Control 5.4.2 - Ensure authselect includes with-faillock | Create custom profiles # This variable governs if the existing custom profile should be selected(Note: please keep in mind that all future updates # to the PAM templates and meta files in the original profile will be reflected in your custom profile, too.) rhel9cis_authselect_custom_profile_select: false 
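Review bot: The new comment on `default_file_to_copy` calls the value `the ID of the existing profile`, but the value `"sssd --symlink-meta"` is a profile ID plus an authselect option, so the comment under-describes what the string is used for. Suggest `# Profile ID to base the custom profile on (sssd, winbind or nis) plus any extra 'authselect create-profile' arguments, e.g. --symlink-meta.`. The retained warning `Settings in place now will fail, they are placeholders from the control example.` would also benefit from naming which variable gates these defaults — presumably `rhel9cis_authselect_custom_profile_create` just below, which the tasks would confirm — so readers know the placeholders are inert until opted into.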
@@ -1105,11 +1125,11 @@ rhel9cis_pam_password: # set to 4, passwords will have to include all four types of characters. minclass: 4 -## Controls -# 5.5.2 - Ensure lockout for failed password attempts is configured -# 5.5.3 - Ensure password reuse is limited -# 5.5.4 - Ensure password hashing algorithm is SHA-512 -# 5.4.2 - Ensure authselect includes with-faillock +## Controls +# - 5.5.2 - Ensure lockout for failed password attempts is configured +# - 5.5.3 - Ensure password reuse is limited +# - 5.5.4 - Ensure password hashing algorithm is SHA-512 +# - 5.4.2 - Ensure authselect includes with-faillock rhel9cis_pam_faillock: # This variable sets the amount of time a user will be unlocked after the max amount of # password failures. @@ -1117,7 +1137,7 @@ rhel9cis_pam_faillock: # This variable sets the amount of tries a password can be entered, before a user is locked. deny: 5 # This variable represents the number of password change cycles, after which - # a user can re-use a password. + # an user can re-use a password. # CIS requires a value of 5 or more. remember: 5 
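Review bot: The wording change in the `remember` comment of the second hunk introduces a grammatical error: `an user can re-use a password` should stay `a user can re-use a password`, since 'user' begins with a consonant sound. The first hunk is heading reformatting only and reads fine.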
@@ -1125,44 +1145,44 @@ rhel9cis_pam_faillock: # These are discovered via logins.def if set true discover_int_uid: false ### Controls: -# 5.6.2 - Ensure system accounts are secured -# 6.2.10 - Ensure local interactive user home directories exist -# 6.2.11 - Ensure local interactive users own their home directories +# - 5.6.2 - Ensure system accounts are secured +# - 6.2.10 - Ensure local interactive user home directories exist +# - 6.2.11 - Ensure local interactive users own their home directories # This variable sets the minimum number from which to search for UID # Note that the value will be dynamically overwritten if variable `dicover_int_uid` has # been set to `true`. min_int_uid: 1000 ### Controls: -# 6.2.10 - Ensure local interactive user home directories exist -# 6.2.11 - Ensure local interactive users own their home directories +# - 6.2.10 - Ensure local interactive user home directories exist +# - 6.2.11 - Ensure local interactive users own their home directories # This variable sets the maximum number at which the search stops for UID # Note that the value will be dynamically overwritten if variable `dicover_int_uid` has # been set to `true`. max_int_uid: 65533 -### Control 5.3.3 - Ensure sudo log file exists +## Control 5.3.3 - Ensure sudo log file exists # By default, sudo logs through syslog(3). However, to specify a custom log file, the # 'logfile' parameter will be used, setting it with current variable's value. # This variable defines the path and file name of the sudo log file. rhel9cis_sudolog_location: "/var/log/sudo.log" -#### Control 5.3.6 -Ensure sudo authentication timeout is configured correctly +## Control 5.3.6 -Ensure sudo authentication timeout is configured correctly # This variable sets the duration (in minutes) during which a user's authentication credentials # are cached after successfully authenticating using "sudo". 
This allows the user to execute # multiple commands with elevated privileges without needing to re-enter their password for each # command within the specified time period. CIS requires a value of at most 15 minutes. rhel9cis_sudo_timestamp_timeout: 15 -### 5.4.2 authselect and faillock +## Control 5.4.2 - authselect and faillock ## This option is used at your own risk it will enable faillock for users ## Only to be used on a new clean system if not using authselect -## THIS CAN BREAK ACCESS EVEN FOR ROOT - UNDERSTAND RISKS ## +## THIS CAN BREAK ACCESS EVEN FOR ROOT - PLEASE UNDERSTAND RISKS ! rhel9cis_add_faillock_without_authselect: false -# This needs to be set to 'ACCEPT'(string), besides setting 'rhel9cis_add_faillock_without_authselect' -# to 'true', in order to execute the 5.4.2 sub-tasks dealing with not authselect profile +# This needs to be set to 'ACCEPT'(as string), besides setting 'rhel9cis_add_faillock_without_authselect' +# to 'true', in order to include the 'with-failock' option to the current authselect profile. rhel9cis_5_4_2_risks: NEVER -### Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less +## Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) rhel9cis_shell_session_timeout: 
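Review bot: The rewritten comment for `rhel9cis_5_4_2_risks` misspells the authselect feature: `include the 'with-failock' option` should be `with-faillock`, matching the option name used in `rhel9cis_authselect.options` and in the control title, otherwise anyone grepping for the feature will miss this gate. Two context lines in the same hunk (the `min_int_uid` and `max_int_uid` notes) refer to `dicover_int_uid` while the key defined two lines above is `discover_int_uid`, and `## Control 5.3.6 -Ensure sudo authentication timeout` is missing the space after the dash; since the commit already retitles these lines, they are worth fixing in the same pass.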
@@ -1178,36 +1198,36 @@ rhel9cis_shell_session_timeout: # CIS requires a value of at most 900 seconds. timeout: 600 -### Control 5.6.1.5 - Ensure all users last password change date is in the past +## Control 5.6.1.5 - Ensure all users last password change date is in the past # Allow ansible to expire password for account with a last changed date in the future. Setting it # to 'false' will just display users in violation, while 'true' will expire those users passwords. rhel9cis_futurepwchgdate_autofix: true -### Control 5.3.7 - Ensure access to the 'su' command is restricted +## Control 5.3.7 - Ensure access to the 'su' command is restricted # This variable determines the name of the group of users that are allowed to use the su command. # CIS requires that such a group be CREATED(named according to site policy) and be kept EMPTY. rhel9cis_sugroup: nosugroup ## Section6 vars -### Control 6.1.15 - Audit system file permissions | Create list and warning +## Control 6.1.15 - Audit system file permissions | Create list and warning # The RPM package-manager has many useful options. For example, using option: # - '-V': RPM can automatically check if system packages are correctly installed # - '-qf': RPM can be used to determine which package a particular file belongs to -# Rule 6.1.15 takes advantage of the combination of those two options and, therefore, is able to +# Auditing system file-permissions takes advantage of the combination of those two options and, therefore, is able to # detect any discrepancy regarding installed packages, redirecting the output of this combined # command into a specific file. If no output is returned, the package is installed correctly. -# Current variable stores the preferred absolute filepath such a file, therefore if this file +# Current variable stores the preferred absolute filepath for such a file, therefore if this file # contains any lines, an alert message will be generated to warn about each discrepancy. 
rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check -### Control 6.1.9 - Ensure no world writable files exist +## Control 6.1.9 - Ensure no world writable files exist # Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable. rhel9cis_no_world_write_adjust: true rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" -### Control 6.2.16 - Ensure local interactive user dot files are not group or world writable +## Control 6.2.16 - Ensure local interactive user dot files are not group or world writable # This boolean variable governs if current role should follow filesystem links for changes to # user home directory. rhel_09_6_2_16_home_follow_symlinks: false From ddb528935698cb29b7838d4771d275ef028b26f6 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Wed, 31 Jan 2024 00:47:46 +0200 Subject: [PATCH 131/136] Changes after rebasing, 2 --- defaults/main.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 78e1b01..a3e1ae0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -38,7 +38,6 @@ rhel9cis_section6: true # e.g. # - level1-server # - level2-workstation -# Used for audit rhel9cis_level_1: true rhel9cis_level_2: true @@ -137,7 +136,6 @@ audit_run_heavy_tests: true audit_cmd_timeout: 120000 ### End Goss enablements #### -#### Detailed settings found at the end of this document #### # These variables correspond with the CIS rule IDs or paragraph numbers defined in # the CIS benchmark documents. 
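Review bot: The rewritten paragraph for `rhel9cis_rpm_audit_file` explains that alerts are generated from whatever lines the file contains, but the default path `/var/tmp/rpm_file_check` sits in a world-writable sticky directory, so a file pre-created there by an unprivileged user could shape the audit output, or (depending on the fs.protected_regular setting) make the root-run task fail on open. Consider defaulting to a root-owned location such as `/var/log/rpm_file_check` or a directory under `/var/lib/`, or at least documenting in the comment that the path should be writable by root only; the value itself is context here and may be set elsewhere.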
@@ -831,6 +829,8 @@ rhel9cis_auditd: # - `single`: the audit daemon will put the computer system in single user mode # CIS prescribes either `halt` or `single`. admin_space_left_action: halt + # The max_log_file parameter should be based on your sites policy. + max_log_file: 10 # This variable determines what action the audit system should take when the maximum # size of a log file is reached. # The options for setting this variable are as follows: @@ -841,8 +841,6 @@ rhel9cis_auditd: # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints. # CIS prescribes the value `keep_logs`. max_log_file_action: keep_logs - # The max_log_file parameter should be based on your sites policy. - max_log_file: 10 # This value governs if the below extra-vars for auditd should be used by the role rhel9cis_auditd_extra_conf_usage: false From f1dde22aaf42536cd50c8740d27a078333281bb4 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 19 Jan 2024 15:37:44 +0200 Subject: [PATCH 132/136] Improving doc for journald log parameters. Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index a3e1ae0..f3c3d2b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
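Review bot: Moving `max_log_file: 10` inside `rhel9cis_auditd` (first hunk, with the matching removal in the second) leaves the role with what looks like two knobs for the same auditd.conf setting: this key and the top-level `rhel9cis_max_log_file_size: 10` that an earlier patch in this series documents with the same `should be set based on your sites policy` wording. If both are rendered into auditd.conf one silently wins; if only one is read, the other is dead config. Worth stating in the moved comment which is authoritative, e.g. `# Size (MB) of a single audit log file; rendered as max_log_file in auditd.conf`, and dropping the duplicate once the tasks confirm it is unused.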
@@ -955,30 +955,30 @@ rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" # of certificate authorities (CAs) that the client trusts. These trusted certificates are used # to validate the authenticity of the remote server's certificate. rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" +# ATTENTION: Uncomment the keyword below when values are set! +## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# Current variable configures the max amount of disk space the logs will use(thus, journal files +# will not grow without bounds) # The variables below related to journald, please set these to your site specific values # These variable specifies how much disk space the journal may use up at most # Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. # See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. -# ATTENTION: Uncomment the keyword below when values are set! - -## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# 'rhel9cis_journald_systemmaxuse' is the max amount of disk space the logs will use rhel9cis_journald_systemmaxuse: 10M ## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# 'rhel9cis_journald_systemkeepfree' is the amount of disk space to keep free +# Current variable configures the amount of disk space to keep free for other uses. rhel9cis_journald_systemkeepfree: 100G ## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# 'rhel9cis_journald_runtimemaxuse' control how much disk space the journal may use up at most. -# same as 'rhel9cis_journald_systemmaxuse'. +# This variable configures how much disk space the journal may use up at most. +# Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space. 
rhel9cis_journald_runtimemaxuse: 10M ## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# 'rhel9cis_journald_runtimekeepfree' is the amount of disk space to keep free -# same as 'rhel9cis_journald_systemkeepfree', but related to runtime space. +# This variable configures the actual amount of disk space to keep free +# Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space. rhel9cis_journald_runtimekeepfree: 100G ## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy -# 'rhel9cis_journald_MaxFileSec' is how long in time to keep log files. -# This variable specifies, the maximum time to store entries in a single journal +# Current variable governs the settings for log retention(how long the log files will be kept). +# Thus, it specifies the maximum time to store entries in a single journal # file before rotating to the next one. Set to 0 to turn off this feature. # The given values is interpreted as seconds, unless suffixed with the units # `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds. From 0ed60c583fd114e41813e8c0716baaa17f90061b Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 19 Jan 2024 15:55:42 +0200 Subject: [PATCH 133/136] Revert "Added vars for streams." [IP] I see no benefit to duplicate vars in defaults/main.yml in other files like specific vars for Alma/Rocky, especially since we're using the same values for those vars. Also, replacing rsyslog with journald is not fine for this current doc-extension proposal. This reverts commit a57333dcf1d8230e4d4a9d84ed1aa10b430bb64b. --- defaults/main.yml | 2 +- vars/AlmaLinux.yml | 6 ------ vars/Rocky.yml | 6 ------ 3 files changed, 1 insertion(+), 13 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f3c3d2b..0202525 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
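Review bot: After this reorder the `# ATTENTION: Uncomment the keyword below when values are set!` line sits above the `## Control 4.2.2.6` heading, yet the key it refers to (`rhel9cis_journald_systemmaxuse: 10M`) is already active, so the instruction is stale and is now also separated from the key by the generic journald intro paragraph. Suggest dropping the ATTENTION line (or rewording it to `# Set these journald sizes to site policy before applying 4.2.2.6`) and moving the four generic lines (`The variables below related to journald ...` through the freedesktop URL) above the control heading, so every `## Control` block is heading, description, key. The two new comments also say `Similar with 'rhel9cis_journald_...'`; `Similar to` is the correct form.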
@@ -886,7 +886,7 @@ rhel9cis_auditd_uid_exclude: # This variable governs which logging service should be used, choosing between 'rsyslog'(CIS recommendation) # or 'journald'(only one is implemented) will trigger the execution of the associated subsection, as the-best # practices are written wholly independent of each other. -rhel9cis_syslog: journald +rhel9cis_syslog: rsyslog ## Control 4.2.1.5 | PATCH | Ensure logging is configured # This variable governs if current Ansible role should manage syslog settings # in /etc/rsyslog.conf file, namely mail, news and misc(warn, messages) diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index a0fa6ba..b0eb3d9 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -5,9 +5,3 @@ os_gpg_key_pubkey_name: gpg-pubkey-b86b3716-61e69f29 os_gpg_key_pubkey_content: "AlmaLinux OS 9 b86b3716" # disable repo_gpgcheck due to OS default repos rhel9cis_rule_enable_repogpg: false - -rhel9cis_sshd: - # This variable sets the maximum number of unresponsive "keep-alive" messages - # that can be sent from the server to the client before the connection is considered - # inactive and thus, closed. - clientalivecountmax: 3 \ No newline at end of file diff --git a/vars/Rocky.yml b/vars/Rocky.yml index 7d9f014..77af29c 100644 --- a/vars/Rocky.yml +++ b/vars/Rocky.yml @@ -3,9 +3,3 @@ os_gpg_key_pubkey_name: gpg-pubkey-350d275d-6279464b os_gpg_key_pubkey_content: "Rocky Enterprise Software Foundation - Release key 2022 350d275d" - -rhel9cis_sshd: - # This variable sets the maximum number of unresponsive "keep-alive" messages - # that can be sent from the server to the client before the connection is considered - # inactive and thus, closed. - clientalivecountmax: 3 \ No newline at end of file From c2f7bbf7deaa3cd4d1d507c0d4cf0b8c41d285dc Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 19 Jan 2024 16:16:18 +0200 Subject: [PATCH 134/136] Removing not useful line from docs 
Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0202525..81c46d3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1231,7 +1231,6 @@ rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | de # This boolean variable governs if current role should follow filesystem links for changes to # user home directory. rhel_09_6_2_16_home_follow_symlinks: false -# thanks to @dulin-gnet and community for rhel8-cis feedback. #### Goss Configuration Settings #### # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" From 200ca1b299200be1f69b3aea12bc94210390e7e6 Mon Sep 17 00:00:00 2001 From: Marcin Dulinski Date: Wed, 22 Nov 2023 09:17:15 +0000 Subject: [PATCH 135/136] Solved minor conflicts in defaults/main.yml file, when re-basing Signed-off-by: Marcin Dulinski --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index 81c46d3..0202525 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1231,6 +1231,7 @@ rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | de # This boolean variable governs if current role should follow filesystem links for changes to # user home directory. rhel_09_6_2_16_home_follow_symlinks: false +# thanks to @dulin-gnet and community for rhel8-cis feedback. #### Goss Configuration Settings #### # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" From 917db277f8eba838b1af2caf322f5347c6077b7c Mon Sep 17 00:00:00 2001 From: "root@DERVISHx" Date: Fri, 24 Nov 2023 15:38:40 +0000 Subject: [PATCH 136/136] Rebase ~~~ Fixing conflicts after rebasing current feature branch onto 'devel' --- defaults/main.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
diff --git a/defaults/main.yml b/defaults/main.yml index 0202525..6ae4b24 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -581,8 +581,20 @@ rhel9cis_time_synchronization_servers: # This variable should contain the default options to be used for every NTP server hostname defined # within the 'rhel9cis_time_synchronization_servers' var. rhel9cis_chrony_server_options: "minpoll 8" +# This variable, if set to 'true'(default), will inform the kernel the system clock is kept synchronized +# and the kernel will update the real-time clock every 11 minutes. Otherwise, if 'rtcsync' option is +# disabled, chronyd will not be in sync(kernel discipline is disabled, 11 minutes mode will be off). rhel9cis_chrony_server_rtcsync: false +# This variable configures the values to be used by chronyd to gradually correct any time offset, +# by slowing down/speeding up the clock. An example of this directive usage would be: +# 'makestep 1000 10'. +# Step the system clock: +# - IF the adjustment is larger than 1000 seconds +# - but ONLY IN the first ten clock updates rhel9cis_chrony_server_makestep: "1.0 3" +# This variable configures the minimum number of sources that need to be considered as selectable in the source +# selection algorithm before the local clock is updated. Setting minsources to a larger number can be used to +# improve the reliability, because multiple sources will need to correspond with each other. rhel9cis_chrony_server_minsources: 2