From 3ead0d63ac5e893429c2e5d6822b128785a5b9af Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 13 Jan 2023 11:05:25 +0000
Subject: [PATCH] warn control count updates
Signed-off-by: Mark Bolwell
---
tasks/main.yml | 2 +-
tasks/post.yml | 7 ++--
tasks/section_1/cis_1.1.2.x.yml | 21 +++-------
tasks/section_1/cis_1.1.3.x.yml | 21 ++--------
tasks/section_1/cis_1.1.4.x.yml | 21 ++--------
tasks/section_1/cis_1.1.5.x.yml | 20 ++-------
tasks/section_1/cis_1.1.6.x.yml | 22 +++-------
tasks/section_1/cis_1.1.7.x.yml | 20 ++-------
tasks/section_1/cis_1.1.8.x.yml | 20 ++-------
tasks/section_1/cis_1.2.x.yml | 6 +--
tasks/section_1/cis_1.6.1.x.yml | 11 ++---
tasks/section_2/cis_2.4.yml | 6 +--
tasks/section_3/cis_3.4.2.x.yml | 6 +--
tasks/section_4/cis_4.1.4.x.yml | 3 --
tasks/section_4/cis_4.2.2.x.yml | 6 +--
tasks/section_5/cis_5.2.x.yml | 48 +++++++++++-----------
tasks/section_5/cis_5.6.1.x.yml | 11 ++---
tasks/section_6/cis_6.1.x.yml | 72 ++++++++++++++++++---------
tasks/section_6/cis_6.2.x.yml | 14 +------
tasks/warning_facts.yml | 20 +++++++++
20 files changed, 137 insertions(+), 220 deletions(-)
create mode 100644 tasks/warning_facts.yml
diff --git a/tasks/main.yml b/tasks/main.yml
index d6b026a..d1918d2 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -203,7 +203,7 @@
- name: If Warnings found Output count and control IDs affected
debug:
- msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}"
+ msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}"
when: warn_count != 0
tags:
- always
diff --git a/tasks/post.yml b/tasks/post.yml
index 3b5c3f2..0d1260d 100644
--- a/tasks/post.yml
+++ b/tasks/post.yml
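Review bot: The retained `when: warn_count != 0` compares against an integer, but warning_facts.yml writes `warn_count` back through `set_fact` as the rendered template `"{{ warn_count | int + 1 }}"`, which is a string unless `jinja2_native` is enabled; a non-empty string is never equal to `0`, so the condition works by accident rather than by type. `when: warn_count | int != 0` states the intent and stays correct if the counter is ever initialised or reset as a string. The same task still uses the short `debug:` module name while every other task touched by this commit uses the `ansible.builtin.*` FQCN; `ansible.builtin.debug:` would be consistent.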
@@ -51,13 +51,12 @@ - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'Reboot_required' ]" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml when: - change_requires_reboot - skip_reboot - + vars: + warn_control_id: Reboot_required tags: - grub - level1-server
diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml
index aa67b5c..118f93b 100644
--- a/tasks/section_1/cis_1.1.2.x.yml
+++ b/tasks/section_1/cis_1.1.2.x.yml
@@ -4,26 +4,15 @@ block: - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Absent" ansible.builtin.debug: - msg: "Warning!! /tmp is not mounted on a separate partition" - when: - - required_mount not in mount_names + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - - - name: "1.1.2.1 | AUDIT | Ensure separate partition exists for /var | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_mount_present - when: - - required_mount in mount_names + - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | warning" + ansible.builtin.import_tasks: warning_facts.yml vars: + warn_control_id: '1.1.2.1' required_mount: '/tmp' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_2_1 tags: - level1-server
diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml
index 3780e2f..afe1b8c 100644
--- a/tasks/section_1/cis_1.1.3.x.yml
+++ b/tasks/section_1/cis_1.1.3.x.yml
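Review bot: `warn_control_id: Reboot_required` is the only control id in this commit written as a plain scalar; every other file quotes the id (`'1.1.2.1'`, `'2.4'`, `'6.1.15'`), so for consistency write `warn_control_id: 'Reboot_required'`. The value parses safely unquoted, so this is style only. The task's `tags:` list continues past the end of the hunk.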
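Review bot: The new task is named `1.1.2.1 | PATCH | ... | warning` although it changes nothing on the host — it only imports warning_facts.yml — and the equivalent task carries a different name in each sibling file: `| warning` in 1.1.3, `| Absent` (duplicating the debug task's name) in 1.1.4, and the retained `| Present` in 1.1.5–1.1.8 even though the block-level `when:` now gains `required_mount not in mount_names`, so that task only ever runs when the mount is absent; 1.1.8's retained name additionally still says `/home` for `/dev/shm`. One name used across the 1.1.x files, e.g. `- name: "1.1.2.1 | AUDIT | Ensure /tmp is a separate partition | Warn Count"`, keeps task names unique for log reading and `--start-at-task`. The block's `tags:` list continues past the hunk.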
@@ -5,27 +5,14 @@ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_mount_absent - changed_when: var_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - - - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_mount_present - when: - - required_mount in mount_names + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | warning" + ansible.builtin.import_tasks: warning_facts.yml vars: + warn_control_id: '1.1.3.1' required_mount: '/var' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_3_1 tags: - level2-server
diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml
index 742a5d7..4a1deb0 100644
--- a/tasks/section_1/cis_1.1.4.x.yml
+++ b/tasks/section_1/cis_1.1.4.x.yml
@@ -6,27 +6,14 @@ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_tmp_mount_absent - changed_when: var_tmp_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - - - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_tmp_mount_present - when: - - required_mount in mount_names + - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" + ansible.builtin.import_tasks: warning_facts.yml vars: + warn_control_id: '1.1.4.1' required_mount: '/var/tmp' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_4_1 tags: - level2-server
diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml
index 0fa245b..ccaeb5c 100644
--- a/tasks/section_1/cis_1.1.5.x.yml
+++ b/tasks/section_1/cis_1.1.5.x.yml
@@ -5,27 +5,15 @@ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_mount_absent - changed_when: var_log_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_log_mount_present - when: - - required_mount in mount_names + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '1.1.5.1' required_mount: '/var/log' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_5_1 tags: - level2-server
diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml
index a496f43..4191899 100644
--- a/tasks/section_1/cis_1.1.6.x.yml
+++ b/tasks/section_1/cis_1.1.6.x.yml
@@ -5,27 +5,15 @@ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_audit_mount_absent - changed_when: var_log_audit_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_log_audit_mount_present - when: - - required_mount in mount_names + ansible.builtin.import_tasks: warning_facts.yml + vars: - required_mount: '/var/log/audit' + warn_control_id: '1.1.6.1' + required_mount: '/var/log/audit' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_6_1 tags: - level2-server
diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml
index dc9ea6a..60192d7 100644
--- a/tasks/section_1/cis_1.1.7.x.yml
+++ b/tasks/section_1/cis_1.1.7.x.yml
@@ -5,27 +5,15 @@ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: home_mount_absent - changed_when: home_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: home_mount_present - when: - - required_mount in mount_names + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '1.1.7.1' vars: required_mount: '/home' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_7_1 tags: - level2-server
diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml
index fdaef15..7703ed4 100644
--- a/tasks/section_1/cis_1.1.8.x.yml
+++ b/tasks/section_1/cis_1.1.8.x.yml
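Review bot: On the new side an added `vars:` holding `warn_control_id: '1.1.7.1'` is immediately followed by the retained `vars:` holding `required_mount: '/home'`, and the collapsed diff hides the indentation that decides what that means: at task level it is valid but puts the id on the task while the sibling files (1.1.5, 1.1.6, 1.1.8) put it under the block's single `vars:` beside `required_mount`; at block level it is a duplicate mapping key, which Ansible by default only warns about (`DUPLICATE_YAML_DICT_KEY`) before keeping the last value, leaving `warn_control_id` undefined when warning_facts.yml runs. Merging them into one block-level mapping, `vars:` / `warn_control_id: '1.1.7.1'` / `required_mount: '/home'`, removes the ambiguity and matches the siblings. The block's `tags:` list continues past the hunk.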
@@ -6,27 +6,15 @@ - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - register: home_mount_absent - changed_when: home_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.1.8.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: - - required_mount not in mount_names - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.debug: - msg: "Congratulations: {{ required_mount }} exists." - register: home_mount_present - when: - - required_mount in mount_names + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '1.1.8.1' required_mount: '/dev/shm' when: + - required_mount not in mount_names - rhel9cis_rule_1_1_8_1 tags: - level1-server
diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml
index 093e900..dcc8e5c 100644
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@@ -81,9 +81,9 @@ - "{{ dnf_configured.stdout_lines }}" - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + ['rule_1.2.3']" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '1.2.3' when: - rhel9cis_rule_1_2_3 tags:
diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml
index bfb9c91..c954f66 100644
--- a/tasks/section_1/cis_1.6.1.x.yml
+++ b/tasks/section_1/cis_1.6.1.x.yml
@@ -91,21 +91,16 @@ failed_when: false changed_when: false - - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services" - ansible.builtin.debug: - msg: "Good News! There are no services found on your system" - when: rhelcis_1_6_1_6_unconf_services.stdout | length == 0 - - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" ansible.builtin.debug: msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_1.6.1.5' ]" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 + vars: + warn_control_id: '1.6.1.6' when: - rhel9cis_rule_1_6_1_6 tags:
diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml
index a59184b..ce02b40 100644
--- a/tasks/section_2/cis_2.4.yml
+++ b/tasks/section_2/cis_2.4.yml
@@ -25,9 +25,9 @@ - "{{ rhel9cis_2_4_sockets.stdout_lines }}" - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + ['rule_2.4']" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '2.4' when: - rhel9cis_rule_2_4 tags:
diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml
index bbd1ad0..60e769a 100644
--- a/tasks/section_3/cis_3.4.2.x.yml
+++ b/tasks/section_3/cis_3.4.2.x.yml
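Review bot: The retained message line `msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}"` still reads a `_1_6_1_5_` variable, while both `when:` conditions in this hunk and the new `warn_control_id: '1.6.1.6'` use `rhelcis_1_6_1_6_unconf_services`; the commit corrects the control id (`rule_1.6.1.5` → `1.6.1.6`) but not the message. Unless a `_1_6_1_5_` result is registered somewhere outside this hunk, the message task fails with an undefined variable exactly when unconfined services exist, which is the case the warning is meant to surface. Change it to `msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}"`. The block's `tags:` continue past the hunk.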
@@ -47,9 +47,7 @@ - not rhel9cis_nft_tables_autonewtable - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_3.4.2.2' ]" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml when: - rhel9cis_3_4_2_2_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable
@@ -58,6 +56,8 @@ ansible.builtin.command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" failed_when: false when: rhel9cis_nft_tables_autonewtable + vars: + warn_control_id: '3.4.2.2' when: - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_2
diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml
index e79b506..ca69e3d 100644
--- a/tasks/section_4/cis_4.1.4.x.yml
+++ b/tasks/section_4/cis_4.1.4.x.yml
@@ -122,9 +122,6 @@ - /sbin/auditd - /sbin/augenrules - - debug: - msg: "{{ audit_bins }}" - - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" ansible.builtin.file: path: "{{ item.item }}"
diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml
index 474026c..0c53795 100644
--- a/tasks/section_4/cis_4.2.2.x.yml
+++ b/tasks/section_4/cis_4.2.2.x.yml
@@ -89,10 +89,10 @@ when: "'static' not in rhel9cis_4_2_2_2_status.stdout" - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml when: "'static' not in rhel9cis_4_2_2_2_status.stdout" + vars: + warn_control_id: '4.2.2.2' when: - rhel9cis_rule_4_2_2_2 tags:
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index a599a4b..9dc785e 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
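Review bot: In the second cis_3.4.2.x hunk the added `vars:` / `warn_control_id: '3.4.2.2'` sits after the `nft create table` task's own `when:` rather than on the `import_tasks` task that consumes it, and the collapsed diff hides its indentation: at block level it works but is two tasks away from its consumer, at task level it attaches to the wrong task and warning_facts.yml runs with `warn_control_id` undefined. Putting the `vars:` directly on the `ansible.builtin.import_tasks: warning_facts.yml` task, as the 1.2.3, 2.4 and 4.2.2.2 hunks do, is unambiguous; the second hunk of cis_5.6.1.x places its `warn_control_id: '5.6.1.5'` the same way, after the autofix task's `with_items:`, and has the same reading problem. The enclosing blocks begin before each hunk.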
@@ -79,37 +79,37 @@
- name: "5.2.4 | PATCH | Ensure SSH access is limited"
block:
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^AllowUsers"
- line: AllowUsers {{ rhel9cis_sshd['allowusers'] }}
+ line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}"
validate: sshd -t -f %s
notify: restart sshd
when: "rhel9cis_sshd['allowusers']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^AllowGroups"
- line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }}
+ line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}"
validate: sshd -t -f %s
notify: restart sshd
when: "rhel9cis_sshd['allowgroups']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^DenyUsers"
- line: DenyUsers {{ rhel9cis_sshd['denyusers'] }}
+ line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}"
validate: sshd -t -f %s
notify: restart sshd
when: "rhel9cis_sshd['denyusers']|default('') | length > 0"
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^DenyGroups"
- line: DenyGroups {{ rhel9cis_sshd['denygroups'] }}
+ line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}"
validate: sshd -t -f %s
notify: restart sshd
when: "rhel9cis_sshd['denygroups']|default('') | length > 0"
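Review bot: The corrected `ansible.builtin.lineinfile` tasks manage keywords in `/etc/ssh/sshd_config`, but sshd uses the first value it obtains for a keyword, and a RHEL 9 `sshd_config` normally begins with `Include /etc/ssh/sshd_config.d/*.conf`; a drop-in that already sets `AllowUsers`, `PermitRootLogin` or any other keyword these tasks write therefore takes precedence over the line appended later, and `validate: sshd -t -f %s` will not flag it because the file stays syntactically valid. Consider writing the hardening values to a drop-in that sorts before the vendor ones, or asserting the effective value with `sshd -T` after the change; this applies to every `lineinfile` hunk in this file (5.2.5 through 5.2.20). Separately, `line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}"` renders a Python list repr if `allowusers` is ever supplied as a list, and the `| length > 0` guard accepts lists; if the defaults (not visible here) allow that form, `{{ rhel9cis_sshd['allowusers'] | join(' ') }}` covers both.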
@@ -123,7 +123,7 @@
- rule_5.2.4
- name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#LogLevel|^LogLevel"
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
@@ -138,7 +138,7 @@
- rule_5.2.5
- name: "5.2.6 | PATCH | Ensure SSH PAM is enabled"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#UsePAM|^UsePAM"
line: 'UsePAM yes'
@@ -153,7 +153,7 @@
- rule_5.2.6
- name: "5.2.7 | PATCH | Ensure SSH root login is disabled"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#PermitRootLogin|^PermitRootLogin"
line: 'PermitRootLogin no'
@@ -168,7 +168,7 @@
- rule_5.2.7
- name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#HostbasedAuthentication|^HostbasedAuthentication"
line: 'HostbasedAuthentication no'
@@ -183,7 +183,7 @@
- rule_5.2.8
- name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
line: 'PermitEmptyPasswords no'
@@ -198,7 +198,7 @@
- rule_5.2.9
- name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
line: 'PermitUserEnvironment no'
@@ -213,7 +213,7 @@
- rule_5.2.10
- name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#IgnoreRhosts|^IgnoreRhosts"
line: 'IgnoreRhosts yes'
@@ -228,7 +228,7 @@
- rule_5.2.11
- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#X11Forwarding|^X11Forwarding"
line: 'X11Forwarding no'
@@ -243,7 +243,7 @@
- rule_5.2.12
- name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
line: 'AllowTcpForwarding no'
@@ -279,7 +279,7 @@
- rule_5.2.14
- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^Banner'
line: 'Banner /etc/issue.net'
@@ -293,7 +293,7 @@
- rule_5.2.15
- name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^(#)?MaxAuthTries \d'
line: 'MaxAuthTries 4'
@@ -308,7 +308,7 @@
- rule_5.2.16
- name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#MaxStartups|^MaxStartups"
line: 'MaxStartups 10:30:60'
@@ -323,7 +323,7 @@
- rule_5.2.17
- name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#MaxSessions|^MaxSessions"
line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
@@ -338,7 +338,7 @@
- rule_5.2.18
- name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: "^#LoginGraceTime|^LoginGraceTime"
line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
@@ -355,14 +355,14 @@
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured"
block:
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^ClientAliveInterval'
line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
validate: sshd -t -f %s
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
- ansible.builtin.linefile:
+ ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
regexp: '^ClientAliveCountMax'
line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"
diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml
index df3478f..5b4704c 100644
--- a/tasks/section_5/cis_5.6.1.x.yml
+++ b/tasks/section_5/cis_5.6.1.x.yml
@@ -90,11 +90,6 @@ check_mode: false register: rhel9cis_5_6_1_5_user_list - - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" - ansible.builtin.debug: - msg: "Good News! All accounts have PW change dates that are in the past" - when: rhel9cis_5_6_1_5_user_list.stdout | length == 0 - - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" ansible.builtin.debug: msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
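Review bot: The first ClientAliveInterval task ends at `validate: sshd -t -f %s` with no `notify: restart sshd`, unlike the four 5.2.4 tasks earlier in this file, so after the module-name fix makes the task run for the first time the new idle-timeout value is written but only takes effect at the next sshd restart triggered by something else. Add `notify: restart sshd` after the `validate:` line; the second task's trailing keys lie past the end of the hunk, so check it the same way. The enclosing block continues outside the hunk.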
@@ -103,9 +98,7 @@ - not rhel9cis_futurepwchgdate_autofix - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]" - warn_count: "{{ warn_count | int + 1 }}" + ansible.builtin.import_tasks: warning_facts.yml when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix
@@ -117,6 +110,8 @@ - rhel9cis_futurepwchgdate_autofix with_items: - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + vars: + warn_control_id: '5.6.1.5' when: - rhel9cis_rule_5_6_1_5 tags:
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
index 1457f6e..e2985f8 100644
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@@ -128,12 +128,6 @@ changed_when: false register: rhel_08_6_1_9_perms_results - - name: "6.1.9 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist" - ansible.builtin.debug: - msg: "Good news! We have not found any world-writable files on your system" - when: - - rhel_08_6_1_9_perms_results.stdout is not defined - - name: "6.1.9 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" ansible.builtin.file: path: '{{ item }}'
@@ -169,11 +163,20 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: - msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + msg: "Warning !! Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" with_items: "{{ rhel_08_6_1_10_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 + + - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.1.10' + when: + - item.stdout_lines is defined + - item.stdout_lines | length > 0 + when: - rhel9cis_rule_6_1_10 tags:
@@ -199,11 +202,19 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: - msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + msg: "Warning !! Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" with_items: "{{ rhel_08_6_1_11_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 + + - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.1.11' + when: + - item.stdout_lines is defined + - item.stdout_lines | length > 0 when: - rhel9cis_rule_6_1_11 tags:
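Review bot: The new `6.1.10 ... | warning` task conditions on `item.stdout_lines`, but unlike the debug task above it there is no `with_items:`, so `item` is not defined when its `when:` is evaluated (the condition is copied onto the imported `set_fact` by `import_tasks`); `item.stdout_lines is defined` is then simply false, or errors as undefined, and either way the unowned-file finding is never counted. The 6.1.11 task in the second hunk of this line has the same shape. `import_tasks` cannot carry a loop, so test the registered result directly, e.g. `when: rhel_08_6_1_10_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten | length > 0`, with `rhel_08_6_1_11_audit.results` for 6.1.11. Both blocks' `tags:` lists continue past the hunks.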
@@ -239,20 +250,19 @@ loop_control: label: "{{ item.mount }}" - - name: "6.1.13 | AUDIT | Audit SUID executables | Alert no SUID executables exist" - ansible.builtin.debug: - msg: "Good news! We have not found any SUID executable files on your system" - failed_when: false - changed_when: false - when: - - rhel_08_6_1_13_perms_results.stdout is not defined - - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: - msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" + msg: "Warning!! Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" with_items: "{{ rhel_08_6_1_13_perms_results.stdout_lines }}" when: - rhel_08_6_1_13_perms_results.stdout is defined + + - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.1.13' + when: + - rhel_08_6_1_13_perms_results.stdout is defined when: - rhel9cis_rule_6_1_13 tags:
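Review bot: The rewritten message line keeps `{{ item.stout_lines | join(', ') }}` (a typo for `stdout_lines`) and `{{ item.item.mount }}`, yet the loop is `with_items: "{{ rhel_08_6_1_13_perms_results.stdout_lines }}"`, whose items are plain strings with neither attribute, so the task errors on the first SUID finding instead of reporting it; the 6.1.14 hunk on the next line has the identical message, and is also the only one of the four 6.1.x messages left without the `Warning!!` prefix. If the loop stays, `msg: "Warning!! Manual intervention is required -- SUID set: {{ item }}"` is the minimal fix. The `loop_control: label: "{{ item.mount }}"` just above suggests the find command is looped over mounts; if so the registered result carries `.results` rather than a top-level `.stdout`, and both the retained `when: rhel_08_6_1_13_perms_results.stdout is defined` and the new warning task's copy of it would need to inspect `.results` — please confirm against the registering task, which lies outside the hunk.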
@@ -274,20 +284,19 @@ loop_control: label: "{{ item.mount }}" - - name: "6.1.14 | AUDIT | Audit SGID executables | Alert no SGID executables exist" - ansible.builtin.debug: - msg: "Good news! We have not found any SGID executable files on your system" - failed_when: false - changed_when: false - when: - - rhel_08_6_1_14_perms_results.stdout is not defined - - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}" when: - rhel_08_6_1_14_perms_results.stdout is defined + + - name: "6.1.14 | AUDIT | Audit SGID executables| warning" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.1.14' + when: + - rhel_08_6_1_14_perms_results.stdout is defined when: - rhel9cis_rule_6_1_14 tags:
@@ -323,15 +332,12 @@ The file list can be found in {{ rhel9cis_rpm_audit_file }}" - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" - ansible.builtin.set_fact: - control_number: "{{ control_number }} + [ 'rule_6.1.1' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.1.15' + when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 + - - name: "6.1.15 | AUDIT | Audit system file permissions | Message out no package descrepancies" - ansible.builtin.debug: - msg: "Good News! There are no package descrepancies" - when: rhel9cis_6_1_15_packages_rpm.stdout|length == 0 when: - rhel9cis_rule_6_1_15 tags:
diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
index a280cab..30fe5fe 100644
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@@ -86,11 +86,6 @@ failed_when: false register: rhel9cis_6_2_4_user_uid_check - - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" - ansible.builtin.debug: - msg: "Good News! There are no duplicate UID's in the system" - when: rhel9cis_6_2_4_user_uid_check.stdout | length == 0 - - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" ansible.builtin.debug: msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}"
@@ -98,9 +93,9 @@ - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: '6.2.4' when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 + vars: + warn_control_id: '6.2.4' when: - rhel9cis_rule_6_2_4 tags:
@@ -119,11 +114,6 @@ failed_when: false register: rhel9cis_6_2_5_user_user_check - - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" - ansible.builtin.debug: - msg: "Good News! There are no duplicate GIDs in the system" - when: rhel9cis_6_2_5_user_user_check.stdout | length == 0 - - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" ansible.builtin.debug: msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_5_user_user_check.stdout_lines }}"
diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml
new file mode 100644
index 0000000..37560bd
--- /dev/null
+++ b/tasks/warning_facts.yml
@@ -0,0 +1,20 @@
+---
+
+# This task is used to create variables used in giving a warning summary for manual tasks
+# that need attention
+#
+# The warn_control_list and warn_count vars start life in vars/main.yml but get updated
+# as the tasks that have a warning complete
+#
+# Those two variables are used in the tasks/main.yml to display a list of warnings
+#
+# warn_control_id is set within the task itself and has the control ID as the value
+#
+# warn_control_list is the main variable to be used and is a list made up of the warn_control_id’s
+#
+# warn_count the main variable for the number of warnings and each time a warn_control_id is added
+# the count increases by a value of 1
+- name: "NO CONTROL ID | AUDIT | Set fact for manual task warning."
+ ansible.builtin.set_fact:
+ warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]"
+ warn_count: "{{ warn_count | int + 1 }}"
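Review bot: `warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]"` is string concatenation — after a few warnings it holds text such as `[] [1.1.2.1] [1.2.3]` (constructed example; the initial value in vars/main.yml is not visible here) — while the header comment describes the variable as "a list made up of the warn_control_id's". Either keep a real list with `warn_control_list: "{{ warn_control_list + [warn_control_id] }}"` if vars/main.yml initialises it as a list, or reword the comment to say it is a display string consumed only by tasks/main.yml. `warn_count: "{{ warn_count | int + 1 }}"` is correct (the filter binds before `+`) but stores a string unless `jinja2_native` is on, which is why consumers must keep applying `| int`; a short comment above it saying so would save the next maintainer a surprise. The curly apostrophe in `warn_control_id’s` should be a plain `'`.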