ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 22:37:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #19 from ansible-lockdown/live_v2

Browse source 
Live v2
This commit is contained in:
uk-bolly 2025-03-03 14:00:31 +00:00 committed by GitHub
commit 3eaa1b594c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
25 changed files with 451 additions and 248 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.gitignore vendored
View file

@ -46,3 +46,6 @@ benchparse/
# GitHub Action/Workflow files
.github/
# Precommit exclusions
.ansible/

4
.pre-commit-config.yaml
View file

@ -41,12 +41,12 @@ repos:
- id: detect-secrets
- repo: https://github.com/gitleaks/gitleaks
rev: v8.21.2
rev: v8.24.0
hooks:
- id: gitleaks
- repo: https://github.com/ansible-community/ansible-lint
rev: v24.12.2
rev: v25.1.3
hooks:
- id: ansible-lint
name: Ansible-lint

1
README.md
View file

@ -27,6 +27,7 @@
![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues)
![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success)
![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/RHEL9-CIS?label=Pull%20Requests)
[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit)
![License](https://img.shields.io/github/license/ansible-lockdown/RHEL9-CIS?label=License)

141
defaults/main.yml
View file

@ -923,7 +923,7 @@ rhel9cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf
# Options are: minclass or credits
# ensure only one is selected
rhel9cis_passwd_complex_option: minclass # pragma: allowlist secret
rhel9cis_passwd_minclass: 3
rhel9cis_passwd_minclass: 4
# rhel9cis_passwd_complex: credits
rhel9cis_passwd_dcredit: -1
rhel9cis_passwd_ucredit: -2
@ -1100,14 +1100,68 @@ rhel9cis_aide_cron:
#
## Preferred method of logging
## Whether rsyslog or journald preferred method for local logging
## Control 6.2.3 | Configure rsyslog
## Control 6.2.1 | Configure journald
# This variable governs which logging service should be used, choosing between 'rsyslog'(CIS recommendation)
# or 'journald'(only one is implemented) will trigger the execution of the associated subsection, as the-best
## Controls 6.2.1.x | Configure systemd-journald service
## Controls 6.2.2.x | Configured journald
## Controls 6.2.3.x | Configure rsyslog
# This variable governs which logging service should be used, choosing between 'rsyslog'
# or 'journald'(CIS recommendation) will trigger the execution of the associated subsection, as the-best
# practices are written wholly independent of each other.
rhel9cis_syslog: journald
## Control 6.2.2.x & 6.2.3.x - Ensure rsyslog is not configured to receive logs from a remote client
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# Current variable configures the max amount of disk space the logs will use(thus, journal files
# will not grow without bounds)
# The variables below related to journald, please set these to your site specific values
# These variable specifies how much disk space the journal may use up at most
# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
rhel9cis_journald_systemmaxuse: 10M
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# Current variable configures the amount of disk space to keep free for other uses.
rhel9cis_journald_systemkeepfree: 100G
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# This variable configures how much disk space the journal may use up at most.
# Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space.
rhel9cis_journald_runtimemaxuse: 10M
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# This variable configures the actual amount of disk space to keep free
# Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space.
rhel9cis_journald_runtimekeepfree: 100G
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# Current variable governs the settings for log retention(how long the log files will be kept).
# Thus, it specifies the maximum time to store entries in a single journal
# file before rotating to the next one. Set to 0 to turn off this feature.
# The given values is interpreted as seconds, unless suffixed with the units
# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
# ATTENTION: Uncomment the keyword below when values are set!
rhel9cis_journald_maxfilesec: 1month
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to
# URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port
# number may be specified after a colon (":"), otherwise 19532 will be used by default.
rhel9cis_journal_upload_url: 192.168.50.42
## The paths below have the default paths/files, but allow user to create custom paths/filenames
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to the private key file used by the remote journal
# server to authenticate itself to the client. This key is used alongside the server's
# public certificate to establish secure communication.
rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to the public certificate file of the remote journal
# server. This certificate is used to verify the authenticity of the remote server.
rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to a file containing one or more public certificates
# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
# to validate the authenticity of the remote server's certificate.
rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
# ATTENTION: Uncomment the keyword below when values are set!
# Control 6.2.3.x - Ensure rsyslog is not configured to receive logs from a remote client
# This variable expresses whether the system is used as a log server or not. If set to:
# - 'false', current system will act as a log CLIENT, thus it should NOT receive data from other hosts.
# - 'true', current system will act as a log SERVER, enabling centralised log management(by protecting log integrity
@ -1155,57 +1209,25 @@ rhel9cis_remote_log_retrycount: 100
# of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true').
rhel9cis_remote_log_queuesize: 1000
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to
# URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port
# number may be specified after a colon (":"), otherwise 19532 will be used by default.
rhel9cis_journal_upload_url: 192.168.50.42
## The paths below have the default paths/files, but allow user to create custom paths/filenames
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to the private key file used by the remote journal
# server to authenticate itself to the client. This key is used alongside the server's
# public certificate to establish secure communication.
rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to the public certificate file of the remote journal
# server. This certificate is used to verify the authenticity of the remote server.
rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to a file containing one or more public certificates
# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
# to validate the authenticity of the remote server's certificate.
rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
# ATTENTION: Uncomment the keyword below when values are set!
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# Current variable configures the max amount of disk space the logs will use(thus, journal files
# will not grow without bounds)
# The variables below related to journald, please set these to your site specific values
# These variable specifies how much disk space the journal may use up at most
# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
rhel9cis_journald_systemmaxuse: 10M
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# Current variable configures the amount of disk space to keep free for other uses.
rhel9cis_journald_systemkeepfree: 100G
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# This variable configures how much disk space the journal may use up at most.
# Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space.
rhel9cis_journald_runtimemaxuse: 10M
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# This variable configures the actual amount of disk space to keep free
# Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space.
rhel9cis_journald_runtimekeepfree: 100G
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# Current variable governs the settings for log retention(how long the log files will be kept).
# Thus, it specifies the maximum time to store entries in a single journal
# file before rotating to the next one. Set to 0 to turn off this feature.
# The given values is interpreted as seconds, unless suffixed with the units
# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
# ATTENTION: Uncomment the keyword below when values are set!
rhel9cis_journald_maxfilesec: 1month
## Control 6.2.3.8 rsyslog rotate
# This variable configures whether to set your own rsyslog logrotate setting alternate to logrotate default settings
# Please refer to logrotate options to match your site requirements
# This sets when to rotate
rhel9cis_rsyslog_logrotate_rotated_when: weekly
# This sets how many rotations of the file to keep
rhel9cis_rsyslog_logrotate_rotatation_keep: 4
# This defines whether to set various options or not
# these are taken from logrotate options
# Setting
# true will carry out the setting.
# false will either set no/not or not add the option
rhel9cis_rsyslog_logrotate_compress: true
rhel9cis_rsyslog_logrotate_missingok: true
rhel9cis_rsyslog_logrotate_notifempty: true
rhel9cis_rsyslog_logrotate_create: true
# Extra options that can be added according to rsyslog documentation
# Uncomment and add the required options e.g. mode owner group
# rhel9cis_rsyslog_logrotate_create_opts:
## Control 6.3.2.1 - Ensure audit_backlog_limit is sufficient
# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
@ -1303,3 +1325,8 @@ rhel9cis_suid_sgid_adjust: false
## Control 7.1.11 - Ensure no world writable files exist
# Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable.
rhel9cis_no_world_write_adjust: true
## Control 7.2.9
# This allows ansible to alter the dot files as per rule if found
# When set to true this will align with benchmark - can impact a running system if not tested sufficiently
rhel9cis_dotperm_ansiblemanaged: false

9
handlers/main.yml
View file

@ -144,6 +144,15 @@
state: remounted
listen: "Remount /var/log/audit"
- name: "Remounting /boot/efi"
vars:
mount_point: '/boot/efi'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
notify: Change_requires_reboot
listen: "Remount /boot/efi"
- name: Reload sysctl
ansible.builtin.command: sysctl --system
changed_when: true

4
tasks/LE_audit_setup.yml
View file

@ -7,7 +7,7 @@
audit_pkg_arch_name: AMD64
- name: Pre Audit Setup | Set audit package name | ARM64
when: ansible_facts.machine == "arm64"
when: (ansible_facts.machine == "arm64" or ansible_facts.machine == "aarch64")
ansible.builtin.set_fact:
audit_pkg_arch_name: ARM64
@ -24,7 +24,7 @@
- name: Pre Audit Setup | Copy audit binary
when: get_audit_binary_method == 'copy'
ansible.builtin.copy:
src: "{{ audit_bin_copy_location }}"
src: "{{ audit_bin_copy_location }}/goss-linux-{{ audit_pkg_arch_name }}"
dest: "{{ audit_bin }}"
owner: root
group: root

19
tasks/auditd.yml
View file

@ -1,17 +1,30 @@
---
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
# Since auditd rules are dependent on syscalls and syscall tables are architecture specific,
# we need to update the auditd rules depending on the architecture of the system.
# This task passed the syscalls table to the auditd template and updates the auditd rules
- name: "POST | AUDITD | Set supported_syscalls variable"
ansible.builtin.shell: ausyscall --dump | awk '{print $2}'
changed_when: false
failed_when: discovered_auditd_syscalls.rc not in [ 0, 1 ]
register: discovered_auditd_syscalls
- name: POST | AUDITD | Apply auditd template will for section 6.3.3 - only required rules will be added | stat file
ansible.builtin.stat:
path: /etc/audit/rules.d/99_auditd.rules
register: discovered_auditd_rules_file
- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file
- name: POST | Apply auditd template for section 6.3.3.x
when: update_audit_template
vars:
supported_syscalls: "{{ discovered_auditd_syscalls.stdout_lines }}"
ansible.builtin.template:
src: audit/99_auditd.rules.j2
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: '0640'
mode: 'u-x,go-wx'
diff: "{{ discovered_auditd_rules_file.stat.exists }}" # Only run diff if not a new file
register: discovered_auditd_rules_template_updated
notify:

8
tasks/main.yml
View file

@ -116,17 +116,11 @@
fail_msg: "You still have the default name for your authselect profile"
- name: "Check authselect profile is selected | Check current profile"
ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}'
ansible.builtin.shell: authselect list
changed_when: false
failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
register: prelim_authselect_current_profile
- name: "Check authselect profile is selected | Ensure profile name is set"
ansible.builtin.assert:
that: prelim_authselect_current_profile is defined
success_msg: "Authselect is running and profile is selected"
fail_msg: Authselect updates have been selected there are issues with profile selection"
- name: "Ensure root password is set"
when: rhel9cis_rule_5_4_2_4
tags:

14
tasks/prelim.yml
View file

@ -177,14 +177,14 @@
ansible.builtin.set_fact:
grub2_path: /etc/grub2-efi.cfg
- name: "PRELIM | Discover Gnome Desktop Environment"
- name: "PRELIM | AUDIT | Discover Gnome Desktop Environment"
tags:
- always
ansible.builtin.stat:
path: /usr/share/gnome/gnome-version.xml
register: prelim_gnome_present
- name: "PRELIM | Install dconf if gui installed"
- name: "PRELIM | PATCH | Install dconf if gui installed"
when:
- rhel9cis_gui
tags:
@ -243,6 +243,14 @@
mode: 'go-rwx'
state: touch
- name: "PRELIM | AUDIT | Capture pam security related files"
tags: always
ansible.builtin.find:
paths:
- /etc/security/pwquality.conf.d/
patterns: '*.conf'
register: prelim_pam_pwquality_confs
- name: "PRELIM | AUDIT | Gather UID 0 accounts other than root"
when: rhel9cis_rule_5_4_2_1
tags:
@ -326,7 +334,7 @@
changed_when: false
register: prelim_uid_max_id
- name: "PRELIM | AUDIT | set_facts for interactive uid/gid"
- name: "PRELIM | AUDIT | Set Fact for interactive uid/gid"
ansible.builtin.set_fact:
prelim_min_int_uid: "{{ prelim_uid_min_id.stdout }}"
prelim_max_int_uid: "{{ prelim_uid_max_id.stdout }}"

34
tasks/section_1/cis_1.4.x.yml
View file

@ -29,7 +29,8 @@
- rule_1.4.2
- NIST800-53R5_AC-3
block:
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | bios based system"
when: rhel9cis_legacy_boot
ansible.builtin.file:
path: "/boot/grub2/{{ item.path }}"
owner: root
@ -39,6 +40,31 @@
modification_time: preserve
access_time: preserve
loop:
- { path: 'grub.cfg', mode: '0700' }
- { path: 'grubenv', mode: 'go-rwx' }
- { path: 'user.cfg', mode: 'go-rwx' }
- { path: 'grub.cfg', mode: 'u-x,go-rwx' }
- { path: 'grubenv', mode: 'u-x,go-rwx' }
- { path: 'user.cfg', mode: 'u-x,go-rwx' }
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system"
when: not rhel9cis_legacy_boot
vars:
efi_mount_options: ['umask=0077', 'fmask=0077', 'uid=0', 'gid=0']
block:
- name: "1.4.2 | AUDIT | Ensure permissions on bootloader config are configured | efi based system | capture current state"
ansible.builtin.shell: grep "^[^#;]" /etc/fstab | grep '/boot/efi' | awk -F" " '{print $4}'
changed_when: false
register: discovered_efi_fstab
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options"
when: item not in discovered_efi_fstab.stdout
ansible.builtin.set_fact:
efi_mount_opts_addition: "{{ efi_mount_opts_addition + ',' + item }}"
loop: "{{ efi_mount_options }}"
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Add mount options"
when: efi_mount_opts_addition | length > 0
ansible.builtin.lineinfile:
path: /etc/fstab
regexp: (.*/boot/efi\s*\w*\s*){{ discovered_efi_fstab.stdout }}(.*)
line: \1{{ discovered_efi_fstab.stdout + efi_mount_opts_addition }}\2
backrefs: true
notify: Remount /boot/efi

72
tasks/section_5/cis_5.3.2.x.yml
View file

@ -14,9 +14,7 @@
- rule_5.3.2.1
block:
- name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles"
when:
- rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or
prelim_authselect_current_profile.stdout is not defined
when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout
ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
changed_when: false
args:
@ -45,7 +43,6 @@
when:
- rhel9cis_rule_5_3_2_2
- rhel9cis_disruption_high
- rhel9cis_allow_authselect_updates
tags:
- level1-server
- level1-workstation
@ -58,19 +55,58 @@
- NIST800-53R5_IA-5
- authselect
- rule_5.3.2.2
notify: Authselect update
block:
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config"
ansible.builtin.shell: |
authselect current | grep faillock
changed_when: false
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config authselect"
block:
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config authselect"
when: rhel9cis_allow_authselect_updates
ansible.builtin.shell: authselect current | grep faillock
changed_when: false
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" # noqa syntax-check[specific]"
when: discovered_authselect_current_faillock.rc != 0
ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add feature if missing authselect" # noqa syntax-check[specific]"
when:
- rhel9cis_allow_authselect_updates
- discovered_authselect_current_faillock.rc != 0
ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
notify: Authselect update
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Get current config not authselect"
block:
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | not authselect"
when: not rhel9cis_allow_authselect_updates
ansible.builtin.command: grep -E "(auth|account)\s*required\s*pam_faillock.so" /etc/pam.d/{system,password}-auth
changed_when: false
failed_when: false
register: discovered_faillock_not_authselect
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled | Add lines system-auth"
when: not rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile:
path: "/etc/pam.d/system-auth"
regexp: "{{ item.regexp }}"
insertbefore: "{{ item.before | default(omit) }}"
insertafter: "{{ item.after | default(omit) }}"
line: "{{ item.line }}"
loop:
- { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
- { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
- { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: "account required pam_faillock.so" }
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add lines password-auth"
when: not rhel9cis_allow_authselect_updates
ansible.builtin.lineinfile:
path: "/etc/pam.d/password-auth"
regexp: "{{ item.regexp }}"
insertbefore: "{{ item.before | default(omit) }}"
insertafter: "{{ item.after | default(omit) }}"
line: "{{ item.line }}"
loop:
- { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
- { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" }
- { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: "account required pam_faillock.so" }
- name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
when:
@ -141,10 +177,10 @@
- rule_5.3.2.5
block:
- name: "5.3.2.5 | AUDIT | Ensure pam_unix module is enabled"
ansible.builtin.command: grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth
ansible.builtin.shell: grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth
changed_when: false
failed_when: discovered_discovered_authselect_pam_unix.rc not in [ 0, 1 ]
register: discovered_discovered_authselect_pam_unix
failed_when: discovered_authselect_pam_unix.rc not in [ 0, 1 ]
register: discovered_authselect_pam_unix
- name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth"
when: "'system-auth:password' not in discovered_authselect_pam_unix.stdout"

3
tasks/section_5/cis_5.3.3.1.x.yml
View file

@ -24,7 +24,7 @@
ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}-auth"
regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$)
replace: \1\2\3
replace: \1 \2\3
loop:
- password
- system
@ -126,4 +126,3 @@
loop:
- password
- system
notify: Authselect update

78
tasks/section_5/cis_5.3.3.2.x.yml
View file

@ -14,14 +14,15 @@
when:
- item != rhel9cis_passwd_difok_file
- rhel9cis_disruption_high
ansible.builtin.replace:
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: 'difok\s*=\s*\d+\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- /etc/pam.d/*-auth
state: absent
loop:
- /etc/security/pwquality.conf
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"
- name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Ensure difok file exists"
ansible.builtin.template:
@ -70,14 +71,15 @@
when:
- item != rhel9cis_passwd_minlen_file
- rhel9cis_disruption_high
ansible.builtin.replace:
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: 'minlen\s*=\s*\d+\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- '/etc/pam.d/*-auth'
state: absent
loop:
- /etc/security/pwquality.conf
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"
- name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Ensure minlen file exists"
ansible.builtin.template:
@ -126,14 +128,15 @@
when:
- item != rhel9cis_passwd_complex_file
- rhel9cis_disruption_high
ansible.builtin.replace:
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: '(minclass|[dulo]credit)\s*=\s*(-\d|\d+)\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- '/etc/pam.d/*-auth'
state: absent
loop:
- /etc/security/pwquality.conf
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"
- name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Ensure complexity file exists"
ansible.builtin.template:
@ -180,14 +183,15 @@
block:
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file"
when: item != rhel9cis_passwd_maxrepeat_file
ansible.builtin.replace:
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: 'maxrepeat\s*=\s*\d+\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- '/etc/pam.d/*-auth'
state: absent
loop:
- /etc/security/pwquality.conf
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"
- name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Ensure maxrepeat file exists"
ansible.builtin.template:
@ -236,14 +240,15 @@
when:
- item != rhel9cis_passwd_maxsequence_file
- rhel9cis_disruption_high
ansible.builtin.replace:
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: 'maxsequence\s*=\s*\d+\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- '/etc/pam.d/*-auth'
state: absent
loop:
- /etc/security/pwquality.conf
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"
- name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Ensure maxsequence file exists"
ansible.builtin.template:
@ -291,14 +296,15 @@
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck settings from conf files except expected file"
when:
- item != rhel9cis_passwd_dictcheck_file
ansible.builtin.replace:
ansible.builtin.lineinfile:
path: "{{ item }}"
regexp: 'dictcheck\s*=\s*\d+\b'
replace: ''
with_fileglob:
- '/etc/security/pwquality.conf'
- '/etc/security/pwquality.conf.d/*.conf'
- '/etc/pam.d/*-auth'
state: absent
loop:
- /etc/security/pwquality.conf
- /etc/pam.d/system-auth
- /etc/pam.d/password-auth
- "{{ prelim_pam_pwquality_confs.files | default([]) }}"
- name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Ensure dictcheck file exists"
ansible.builtin.template:

60
tasks/section_5/cis_5.3.3.3.x.yml
View file

@ -54,43 +54,10 @@
- patch
- rule_5.3.3.3.2
- pam
block:
- name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files"
ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/{system,password}-auth
register: discovered_pwhistory_enforce_for_root
changed_when: false
failed_when: discovered_pwhistory_enforce_for_root.rc not in [0, 1]
- name: "5.3.3.3.2 | PATCH| Ensure password history is enforced for the root user | Ensure enforce_for_root is set pwhistory file"
ansible.builtin.lineinfile:
path: "/etc/security/pwhistory.conf"
regexp: ^\s*(?#)enforce_for_root
line: enforce_for_root
- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set"
when:
- not rhel9cis_allow_authselect_updates
- discovered_pwhistory_enforce_for_root.stdout | length == 0
- rhel9cis_disruption_high
ansible.builtin.lineinfile:
path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(enforce_for_root)
line: '\1\2\3 enforce_for_root'
backrefs: true
- name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set"
when:
- rhel9cis_allow_authselect_updates
- discovered_pwhistory_enforce_for_root.stdout | length == 0
- rhel9cis_disruption_high
ansible.builtin.replace:
path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_pwhistory\.so)(.*)\senforce_for_root(.*$)
replace: \1\2enforce_for_root\3
loop:
- password
- system
notify: Authselect update
ansible.builtin.lineinfile:
path: "/etc/security/pwhistory.conf"
regexp: ^\s*(?#)enforce_for_root
line: enforce_for_root
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok"
when: rhel9cis_rule_5_3_3_3_3
@ -102,27 +69,24 @@
- pam
block:
- name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files"
ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth
ansible.builtin.shell: grep -Psic -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth
register: discovered_pwhistory_use_authtok
changed_when: false
failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1]
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Update pwhistory for use_authtok"
ansible.builtin.lineinfile:
path: "/etc/security/pwhistory.conf"
regexp: ^\s*(?#)use_authtok
line: use_authtok
- name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set"
when:
- not rhel9cis_allow_authselect_updates
- discovered_pwhistory_use_authtok.stdout | length == 0
- rhel9cis_disruption_high
ansible.builtin.lineinfile:
path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}"
regexp: ^(password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+)(.*)(use_authtok)
line: '\1\2 use_authtok'
backrefs: true
path: "{{ item }}"
regexp: ^password\s*pam_pwhistory\.so\s*.*\s(!?use_authtok)
line: password required pam_pwhistory.so use_authtok
insertbefore: ^password.*pam_deny.so
loop:
- /etc/pam.d/password-auth
- /etc/pam.d/system-auth
- name: "PATCH | Ensure pam_pwhistory includes use_authtok | add authtok to pam files AuthSelect"
when:

2
tasks/section_5/cis_5.4.2.x.yml
View file

@ -190,7 +190,7 @@
regexp: \s*umask
line: "umask {{ rhel9cis_root_umask }}"
create: true
mode: 'u+x,go-rwx'
mode: 'u-x,go-rwx'
- name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell"
when:

4
tasks/section_6/cis_6.2.2.1.x.yml
View file

@ -17,7 +17,7 @@
name: systemd-journal-remote
state: present
- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-remote authentication is configured"
- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-upload authentication is configured"
when:
- rhel9cis_rule_6_2_2_1_2
- not rhel9cis_system_is_log_server
@ -40,7 +40,7 @@
- { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'}
- { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'}
- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled and active"
- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-upload is enabled and active"
when:
- not rhel9cis_system_is_log_server
- rhel9cis_rule_6_2_2_1_3

4
tasks/section_6/cis_6.2.3.x.yml
View file

@ -256,8 +256,8 @@
- name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf"
ansible.builtin.template:
src: etc/logrotate.d/rsyslog.conf.j2
dest: /etc/logrotate.d/rsyslog.conf
src: etc/logrotate.d/rsyslog_log.j2
dest: /etc/logrotate.d/rsyslog_log
owner: root
group: root
mode: 'g-wx,o-rwx'

42
tasks/section_6/cis_6.2.4.1.yml
View file

@ -8,6 +8,8 @@
- patch
- logfiles
- rule_6.2.4.1
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
block:
- name: "6.2.4.1 | AUDIT | Ensure access to all logfiles has been configured | find log files"
ansible.builtin.shell: find /var/log/ -type f -exec ls {} \;
@ -15,43 +17,35 @@
failed_when: false
register: discovered_logfiles
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions SSSD min 660"
when:
- discovered_logfiles.stdout_lines | length > 0
- ('audit.log' in item or 'journal' in item) or
item == '/var/log/secure' or
item == '/var/log/syslog' or
item == '/var/log/messages' or
item == '/var/log/auth.log'
- item is match("/var/log/(gdm|sssd)")
ansible.builtin.file:
path: "{{ item }}"
mode: 'u-x,g-wx,o-rwx'
mode: 'ug-x,o-rwx'
failed_when: discovered_logfile_list.state not in '[ file, absent ]'
register: discovered_logfile_list
loop: "{{ discovered_logfiles.stdout_lines }}"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions tmp min 664"
when:
- discovered_logfiles.stdout_lines | length > 0
- ('anaconda' in item or 'dnf' in item or 'secure' in item or 'messages' in item or 'hawkey' in item)
ansible.builtin.file:
path: "{{ item }}"
mode: 'u-x,g-x,o-rwx'
failed_when: discovered_logfile_list.state not in '[ file, absent ]'
register: discovered_logfile_list
loop: "{{ discovered_logfiles.stdout_lines }}"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
when:
- discovered_logfiles.stdout_lines | length > 0
- ('sssd' in item or 'lastlog' in item) or
item == "/var/log/btmp" or
item == "/var/log/utmp" or
item == "/var/log/wtmp" or
item == "/var/log/lastlog"
- item is match("/var/log/((u|b|w)tmp*|lastlog)")
ansible.builtin.file:
path: "{{ item }}"
mode: 'ug-x,o-wx'
failed_when: discovered_logfile_list.state not in '[ file, absent ]'
register: discovered_logfile_list
loop: "{{ discovered_logfiles.stdout_lines }}"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions else all 640"
when:
- discovered_logfiles.stdout_lines | length > 0
- item is not match("/var/log/((u|b|w)tmp*|lastlog|sssd)")
ansible.builtin.file:
path: "{{ item }}"
mode: 'u-x,g-wx,o-rwx'
failed_when: discovered_logfile_list.state not in '[ file, absent ]'
register: discovered_logfile_list
loop: "{{ discovered_logfiles.stdout_lines }}"

1
tasks/section_6/main.yml
View file

@ -5,6 +5,7 @@
file: cis_6.1.x.yml
- name: "SECTION | 6.2.1 | Configure systemd-journald service"
when: rhel9cis_syslog == 'journald'
ansible.builtin.import_tasks:
file: cis_6.2.1.x.yml

2
tasks/section_7/cis_7.1.x.yml
View file

@ -169,6 +169,8 @@
owner: root
group: root
mode: 'u-x,go-wx'
failed_when: discovered_file_exists.state not in '[ file, absent ]'
register: discovered_file_exists
- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured"
when:

144
templates/audit/99_auditd.rules.j2
View file

@ -9,20 +9,50 @@
-w /etc/sudoers.d -p wa -k scope
{% endif %}
{% if rhel9cis_rule_6_3_3_2 %}
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
{% set syscalls = ["execve"] %}
{% set arch_syscalls = [] %}
{%- for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor -%}
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation
{% endif %}
{% if rhel9cis_rule_6_3_3_3 %}
-w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file
{% endif %}
{% if rhel9cis_rule_6_3_3_4 %}
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
{% set syscalls = ["adjtimex","settimeofday"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
{% set syscalls = ["clock_settime"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
{% endif %}
{% endfor %}
-w /etc/localtime -p wa -k time-change
{% endif %}
{% if rhel9cis_rule_6_3_3_5 %}
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
{% set syscalls = ["sethostname","setdomainname"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
@ -35,10 +65,17 @@
{% endfor %}
{% endif %}
{% if rhel9cis_rule_6_3_3_7 %}
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
{% set syscalls = ["creat","open","openat","truncate","ftruncate"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
{% endif %}
{% if rhel9cis_rule_6_3_3_8 %}
-w /etc/group -p wa -k identity
@ -51,16 +88,65 @@
-w /etc/pam.d -p wa -k identity
{% endif %}
{% if rhel9cis_rule_6_3_3_9 %}
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
{% set syscalls = ["chmod","fchmod","fchmodat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% set syscalls = ["chmod","fchmod","fchmodat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% set syscalls = ["chown","fchown","lchown","fchownat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod
{% endif %}
{% if rhel9cis_rule_6_3_3_10 %}
-a always,exit -F arch=b32 -S mount -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
-a always,exit -F arch=b64 -S mount -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
{% set syscalls = ["mount"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
{% endif %}
{% if rhel9cis_rule_6_3_3_11 %}
-w /var/run/utmp -p wa -k session
@ -72,8 +158,15 @@
-w /var/run/faillock -p wa -k logins
{% endif %}
{% if rhel9cis_rule_6_3_3_13 %}
-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=delete
-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=delete
{% set syscalls = ["unlink","unlinkat","rename","renameat"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete
{% endif %}
{% if rhel9cis_rule_6_3_3_14 %}
-w /etc/selinux -p wa -k MAC-policy
@ -86,14 +179,21 @@
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
{% endif %}
{% if rhel9cis_rule_6_3_3_17 %}
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k priv_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
{% endif %}
{% if rhel9cis_rule_6_3_3_18 %}
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod
{% endif %}
{% if rhel9cis_rule_6_3_3_19 %}
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
{% set syscalls = ["init_module","finit_module","delete_module","create_module","query_module"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append( syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
{% endif %}
{% if rhel9cis_rule_6_3_3_20 %}
-e 2

11
templates/etc/logrotate.d/rsyslog.conf.j2
View file

@ -1,11 +0,0 @@
/var/log/rsyslog/*.log {
{{ rhel9cis_rsyslog_logrotate_rotated }}
rotate {{ rhel9cis_rsyslog_logrotate_keep }}
{% if rhel9cis_rsyslog_logrotate_compress %}compress{% else %}nocompress{% endif %}
{% if rhel9cis_rsyslog_logrotate_missingok %}missingok{% else %}missingok{% endif %}
{% if rhel9cis_rsyslog_logrotate_notifempty %}notifempty{% else %}ifempty{% endif %}
{% if rhel9cis_rsyslog_logrotate_create %}create {{ rhel9cis_rsyslog_logrotate_create_opts }}{% endif %}
postrotate
/usr/bin/systemctl reload rsyslog.service >/dev/null || true
endscript
}

26
templates/etc/logrotate.d/rsyslog_log.j2 Normal file
View file

@ -0,0 +1,26 @@
/var/log/rsyslog/*.log {
{{ rhel9cis_rsyslog_logrotate_rotated_when }}
rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }}
{% if rhel9cis_rsyslog_logrotate_compress %}
compress
{% else %}
nocompress
{% endif %}
{% if rhel9cis_rsyslog_logrotate_missingok %}
missingok
{% else %}
nomissingok
{% endif %}
{% if rhel9cis_rsyslog_logrotate_notifempty %}
notifempty
{% else %}
ifempty
{% endif %}
{% if rhel9cis_rsyslog_logrotate_create %}
create{% if rhel9cis_rsyslog_logrotate_create_opts is defined %} {{ rhel9cis_rsyslog_logrotate_create_opts }}{% endif %}
{% endif %}
postrotate
/usr/bin/systemctl reload rsyslog.service >/dev/null || true
endscript
}

2
templates/etc/systemd/system/tmp.mount.j2
View file

@ -23,7 +23,7 @@ After=swap.target
What=tmpfs
Where=/tmp
Type=tmpfs
Options=mode=1777,strictatime,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec{% endif %}
Options=mode=1777,strictatime,{% if rhel9cis_rule_1_1_2_1_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_1_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_1_4 %}noexec{% endif %}
# Make 'systemctl enable tmp.mount' work:
[Install]

11
vars/main.yml
View file

@ -22,11 +22,16 @@ rhel9cis_allowed_crypto_policies_modules:
warn_control_list: ""
warn_count: 0
# Default empty values for 1.4.2
efi_mount_opts_addition: ''
gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
## Control 6.3.3.x - Audit template
# This variable governs if the auditd logic should be executed(if value is true).
# NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules').
## Controls 6.3.3.x - Audit template
# This variable is set to true by tasks 6.3.3.1 to 6.3.3.20. As a result, the
# audit settings are overwritten with the role's template. In order to exclude
# specific rules, you must set the variable of form `ubtu24cis_rule_6_3_3_x` above
# to `false`.
update_audit_template: false
# Defaults