From 113d422dd41f0858ece61552d86802342b31c2eb Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 31 Jan 2022 17:03:51 +0000
Subject: [PATCH 01/10] added uid discovery and usage
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 8 ++++++--
 tasks/prelim.yml | 23 +++++++++++++++++++++++
 tasks/section_5/cis_5.5.x.yml | 4 ++--
 tasks/section_6/cis_6.2.x.yml | 6 +++---
 templates/audit/99_auditd.rules.j2 | 30 +++++++++++++++--------------
 5 files changed, 49 insertions(+), 22 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index cb2ac8e..9f3df3e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -546,8 +546,12 @@ rhel9cis_pam_password:
 minlen: "14"
 minclass: "4"
-# Starting GID for interactive users
-rhel9cis_int_gid: 1000
+# UID settings for interactive users
+# These are discovered via logins.def is set true
+discover_int_uid: false
+min_int_uid: 1000
+max_int_uid: 65533
+
 # RHEL-09-5.4.5
 # Session timeout setting file (TMOUT setting can be set in multiple files)
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index c61356c..eadfb56 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -190,3 +190,26 @@
 tags:
 - rule_1.2.2
 - skip_ansible_lint
+
+- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def"
+ block:
+ - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def"
+ shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
+ register: uid_min_id
+
+ - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def"
+ shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
+ register: uid_max_id
+
+ - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def"
+ shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}'
+ register: gid_min_id
+
+ - name: "PRELIM | AUDIT | set_facts for interactive uid/gid"
+ set_fact:
+ min_int_uid: uid_min_id.stdout
+ max_int_uid: uid_max_id.stdout
+
+ when:
+ - not discover_int_uid
+
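Review bot: The new `discover_int_uid`, `min_int_uid` and `max_int_uid` drop the `rhel9cis_` prefix carried by every other variable in this file, and the removed `rhel9cis_int_gid` is no longer read anywhere, so an inventory that still sets it silently loses its override. Ansible variables share one namespace, so an unprefixed `min_int_uid` is also easy to clobber from another role or group_vars; `rhel9cis_min_int_uid` and friends would follow the role's convention. The comment `# These are discovered via logins.def is set true` does not say what the toggle controls; suggested: `# Interactive UID range. When discover_int_uid is true the bounds are read from UID_MIN/UID_MAX in /etc/login.defs, otherwise these defaults apply.`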
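Review bot: The block guard `when: - not discover_int_uid` is inverted relative to the default `discover_int_uid: false` introduced in the same commit: discovery runs when the toggle is off and is skipped when an operator turns it on, so it should read `- discover_int_uid`. Nothing checks that the grep matched; on a login.defs without `UID_MIN` the registered stdout is empty, and that empty fact is later fed to the audit template and the `uid >=` filters, where it becomes 0 and widens every rule to all accounts. Add `failed_when: uid_min_id.stdout | length == 0` to each capture task (or an `assert` before the `set_fact`) so a bad discovery stops the run instead of silently loosening the checks. The task names say "logins.def" while the command reads `/etc/login.defs`; aligning the names with the real file avoids confusion when grepping logs.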
diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml
index 0d8cfa0..83f8d7e 100644
--- a/tasks/section_5/cis_5.5.x.yml
+++ b/tasks/section_5/cis_5.5.x.yml
@@ -13,7 +13,7 @@
 - item.id != "sync"
 - item.id != "shutdown"
 - item.id != "halt"
- - item.gid < rhel9cis_int_gid
+ - item.gid < min_int_uid
 - item.shell != " /bin/false"
 - item.shell != " /usr/sbin/nologin"
@@ -28,7 +28,7 @@
 - item.id != "shutdown"
 - item.id != "sync"
 - item.id != "root"
- - item.gid < rhel9cis_int_gid
+ - item.gid < min_int_uid
 - item.shell != " /bin/false"
 - item.shell != " /usr/sbin/nologin"
 when:
diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
index ad51121..7242132 100644
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@@ -134,7 +134,7 @@
 - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
 stat:
 path: "{{ item }}"
- with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
+ with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid) | selectattr('uid', '!=', max_int_uid) | map(attribute='dir') | list }}"
 register: rhel_09_6_2_7_audit
 - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
@@ -204,7 +204,7 @@
 loop_control:
 label: "{{ rhel9cis_passwd_label }}"
 when:
- - item.uid >= rhel9cis_int_gid
+ - item.uid >= min_int_uid
 - rhel9cis_rule_6_2_8
 tags:
 - skip_ansible_lint # settings found on 6_2_7
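Review bot: `- item.uid >= min_int_uid` in the 6.2.8 `when:` compares the integer `uid` with `min_int_uid`, which after the prelim discovery is the stdout of a shell task and therefore a string; Jinja2 on Python 3 typically raises a TypeError for int/str ordering comparisons, so this task errors out whenever discovery is enabled. Coerce at the comparison, `- item.uid >= min_int_uid | int`. The `- item.gid < min_int_uid` lines in the two section_5 hunks above have the same type problem and additionally compare a GID against a UID bound, which is not the same range on a host with distinct UID_MIN/GID_MIN. The enclosing tasks start outside these hunks.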
@@ -500,7 +500,7 @@
 stat:
 path: "{{ item }}"
 register: rhel_09_6_2_20_audit
- with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
+ with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid) | selectattr('uid', '!=', max_int_uid) | map(attribute='dir') | list }}"
 - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist"
 shell: find -H {{ item.0 | quote }} -not -type l -perm /027
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
index da5664b..43897d7 100644
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@@ -32,18 +32,18 @@
 -w /etc/sysconfig/network -p wa -k system-locale
 {% endif %}
 {% if rhel9cis_rule_4_1_9 %}
--a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
--a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
 {% endif %}
 {% if rhel9cis_rule_4_1_10 %}
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F 
auid!=4294967295 -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
 {% endif %}
 {% if rhel9cis_rule_4_1_11 %}
 -w /etc/group -p wa -k identity
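Review bot: Every `-F auid>={{ min_int_uid }}` in this hunk and in the @@ -53 hunk below renders the prelim fact with no coercion or fallback; when discovery is on and `UID_MIN` is missing from /etc/login.defs the fact is an empty string, which renders as `-F auid>=`, and auditctl stops loading a rules file at the first invalid line unless run with `-c`, so one bad substitution can leave the host without any of the rules that follow. The fact may also arrive as a non-numeric string if the grep matched unexpectedly. Render the bound as an integer with an explicit default, `-F auid>={{ min_int_uid | int(1000) }}`, or assert on the fact in prelim before this template is rendered. The template's enclosing `{% if %}` blocks begin outside the hunk.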
@@ -53,17 +53,17 @@
 -w /etc/security/opasswd -p wa -k identity
 {% endif %}
 {% if rhel9cis_rule_4_1_12 %}
--a always,exit -F arch=b32 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
--a always,exit -F arch=b64 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts
 {% endif %}
 {% if rhel9cis_rule_4_1_13 %}
 {% for proc in priv_procs.stdout_lines -%}
--a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k privileged
+-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=4294967295 -k privileged
 {% endfor %}
 {% endif %}
 {% if rhel9cis_rule_4_1_14 %}
--a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
--a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete
 {% endif %}
 {% if rhel9cis_rule_4_1_15 %}
 -w /usr/sbin/insmod -p x -k modules
From fa68e035174afa5ee92a5257a3ceda72b990a747 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Feb 2022 09:39:13 +0000
Subject: [PATCH 02/10] Updated OS checks and conditionals
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 3 +++
 tasks/main.yml | 23 ++++++++++++-----------
 vars/main.yml | 2 ++
 3 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 9f3df3e..c9ac20d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,6 +8,9 @@ container_vars_file: is_container.yml
 # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
 system_is_ec2: false
+# Run the OS validation check
+os_check: true
+
 rhel9cis_notauto: false
 rhel9cis_section1: true
 rhel9cis_section2: true
diff --git a/tasks/main.yml b/tasks/main.yml
index d487d0a..3a9426b 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,23 +1,24 @@
 ---
 # tasks file for RHEL9-CIS
+
 - name: Check OS version and family
 assert:
- that:
- - (ansible_os_family == 'RedHat' or ansible_os_family == "Rocky")
- - ansible_distribution_major_version |int >= 8
- fail_msg: "This role can only be run against RHEL 8 or 9. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
- success_msg: "Supported OS release and version"
+ that: (ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==')
+ fail_msg: "This role can only be run against RHEL8 family OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
+ success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
+ when:
+ - os_check
+ - not system_is_ec2
 tags:
- - always
+ - always
 - name: Check ansible version
 assert:
- that:
- - "ansible_version.full is version_compare ('2.9', '>=')"
- fail_msg: "You must use ansible 2.9 or greater"
- success_msg: "Supported ansible_version"
+ that: ansible_version.full is version_compare(min_ansible_version, '>=')
+ fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
+ success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
 tags:
- - always
+ - always
 - name: Setup rules if container
 block:
diff --git a/vars/main.yml b/vars/main.yml
index 83b0489..b18097b 100644
--- a/vars/main.yml
+++ b/vars/main.yml
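Review bot: The new assertion `ansible_distribution_major_version is version_compare('8', '==')` accepts only major version 8, yet this file is `# tasks file for RHEL9-CIS` and the removed check accepted `>= 8`, so a RHEL 9 host fails the OS check unless `os_check` is turned off; unless excluding RHEL 9 is intended, it should be `version_compare('9', '==')` with the `fail_msg` text updated to match. The added `- not system_is_ec2` condition makes EC2 hosts bypass OS validation entirely, which is unrelated to whether the OS is supported; if that skip is deliberate a comment on the `when:` explaining why would help, otherwise drop it. `os_check` (defaults hunk above) is another unprefixed variable; `rhel9cis_os_check` would match the role's naming.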
@@ -1,5 +1,7 @@
 ---
 # vars file for RHEL9-CIS
+
+min_ansible_version: 2.9
 rhel9cis_allowed_crypto_policies:
 - 'FUTURE'
 - 'FIPS'
From 593aca5b02f03456117c68f62a429d93fae96d78 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Feb 2022 11:53:54 +0000
Subject: [PATCH 03/10] fixed empty become
Signed-off-by: Mark Bolwell
---
 tasks/main.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 3a9426b..0d6ccb0 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -86,7 +86,6 @@
 - name: Include preliminary steps
 import_tasks: prelim.yml
- become:
 tags:
 - prelim_tasks
 - always
From 44f305c66b72315852f67c05220ea8a94dde13a3 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Feb 2022 11:56:46 +0000
Subject: [PATCH 04/10] change audit to include task
Signed-off-by: Mark Bolwell
---
 tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 0d6ccb0..7a09b23 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -91,7 +91,7 @@
 - always
 - name: run pre_remediation audit
- import_tasks: pre_remediation_audit.yml
+ include_tasks: pre_remediation_audit.yml
 when:
 - run_audit
From 1e7e5e2194951e6106e3b5004a0d167d157455e0 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Feb 2022 12:33:41 +0000
Subject: [PATCH 05/10] Added OS_specific vars
Signed-off-by: Mark Bolwell
---
 tasks/main.yml | 6 ++++++
 tasks/section_1/cis_1.2.x.yml | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 7a09b23..62c6512 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -84,6 +84,11 @@
 tags:
 - always
+- name: Include OS specific variables
+ include_vars: "{{ ansible_distribution }}.yml"
+ tags:
+ - always
+
 - name: Include preliminary steps
 import_tasks: prelim.yml
 tags:
@@ -105,6 +110,7 @@
 include_tasks: parse_etc_password.yml
 when: rhel9cis_section6
 tags:
+ - rule_5.5.2
 - rhel9cis_section6
 - name: run Section 1 tasks
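Review bot: `min_ansible_version: 2.9` is an unquoted float, so the first bump to a two-digit minor (`2.10`) will be parsed as `2.1` and the `version_compare(min_ansible_version, '>=')` check in tasks/main.yml will accept versions it should reject; version strings belong in quotes, `min_ansible_version: "2.9"`. The variable is also unprefixed, so `rhel9cis_min_ansible_version` would match the rest of the role.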
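Review bot: `include_vars: "{{ ansible_distribution }}.yml"` builds the vars filename from a fact reported by the managed host, and the series only adds `vars/RedHat.yml` and `vars/Rocky.yml`; any other RedHat-family distribution passes the OS assertion (which tests `ansible_os_family`, not `ansible_distribution`) and then fails here on a missing file, while a host reporting an unexpected distribution string selects a vars file the author did not intend. A first_found loop with an explicit fallback keeps the choice within the role's own files and makes the default visible. In the @@ -105 hunk, `parse_etc_password.yml` gains tag `rule_5.5.2` but keeps `when: rhel9cis_section6`, so a run with section 6 disabled that relies on 5.5.2 never populates `rhel9cis_passwd`; the condition needs to cover the sections that consume the facts.
```yaml
- name: Include OS specific variables
  include_vars: "{{ item }}"
  with_first_found:
    - files:
        - "{{ ansible_distribution }}.yml"
        - RedHat.yml
      paths:
        - vars
  # … unchanged: tags …
```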
diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml
index 3780dfc..52372a3 100644
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@@ -37,7 +37,7 @@
 - rule_1.2.2
 - name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured"
- shell: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release
+ shell: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}"
 args:
 warn: false
 when:
From f7c24530e5b360f409eb3815d4d023604055cdf5 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Feb 2022 12:33:53 +0000
Subject: [PATCH 06/10] updated import/include
Signed-off-by: Mark Bolwell
---
 tasks/section_5/main.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml
index 3c5b244..08e5c45 100644
--- a/tasks/section_5/main.yml
+++ b/tasks/section_5/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: "SECTION | 5.1 | Configure time-based job schedulers"
- include_tasks: cis_5.1.x.yml
+ import_tasks: cis_5.1.x.yml
 - name: "SECTION | 5.2 | Configure SSH Server"
 include_tasks: cis_5.2.x.yml
@@ -9,21 +9,21 @@
 - "'openssh-server' in ansible_facts.packages"
 - name: "SECTION | 5.3 | Configure Profiles"
- import_tasks: cis_5.3.x.yml
+ include_tasks: cis_5.3.x.yml
 when:
- - rhel9cis_use_authconfig
+ - rhel9cis_use_authconfig
 - name: "SECTION | 5.4 | Configure PAM "
- include_tasks: cis_5.4.x.yml
+ import_tasks: cis_5.4.x.yml
 - name: "SECTION | 5.5.1.x | Passwords and Accounts"
- include_tasks: cis_5.5.1.x.yml
+ import_tasks: cis_5.5.1.x.yml
 - name: "SECTION | 5.5.x | System Accounts and User Settings"
- include_tasks: cis_5.5.x.yml
+ import_tasks: cis_5.5.x.yml
 - name: "SECTION | 5.6 | Root Login"
- include_tasks: cis_5.6.yml
+ import_tasks: cis_5.6.yml
 - name: Section | 5.7 | su Command Restriction
- include_tasks: cis_5.7.yml
+ import_tasks: cis_5.7.yml
From aa8bcecbc7f9b6e11fd17bf07dd96b885bf5490d Mon Sep 17 00:00:00 2001
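Review bot: `shell: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}"` interpolates a templated path into a shell command line and relies on the surrounding double quotes to keep it a single argument; the value is itself derived from `ansible_distribution` in vars/RedHat.yml, so shell quoting is the only thing between a host-reported fact and the command. There is no pipe or redirect here, so `command: gpg --quiet --with-fingerprint {{ rpm_gpg_key | quote }}` avoids the shell entirely, and the `args: warn: false` is then likely unnecessary. The task's `when:` continues outside the hunk.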
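Review bot: Switching the conditional section 5.3 to `include_tasks` (and, in patch 08, sections 1.4, 1.7, 1.10, 1.11, 3.4.x and the IPv6 3.5 entry) changes tag behaviour: a dynamic include does not propagate the `rule_…` tags of the tasks inside it, so a `--tags rule_…` run skips those files unless the include task carries `apply: tags`, whereas `import_tasks` with the same `when:` pushes the condition onto every imported task and keeps their tags selectable. If the dynamic include is needed because the file references variables that are undefined when the section is skipped, add `apply:` with the section's tags; otherwise keep `import_tasks` for these as well, as the unconditional sections now do. The `- rhel9cis_use_authconfig` change under `when:` is indentation only.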
From: Mark Bolwell
Date: Tue, 1 Feb 2022 12:34:03 +0000
Subject: [PATCH 07/10] OS Specific vars
Signed-off-by: Mark Bolwell
---
 vars/RedHat.yml | 4 ++++
 vars/Rocky.yml | 4 ++++
 2 files changed, 8 insertions(+)
 create mode 100644 vars/RedHat.yml
 create mode 100644 vars/Rocky.yml
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
new file mode 100644
index 0000000..d67cedc
--- /dev/null
+++ b/vars/RedHat.yml
@@ -0,0 +1,4 @@
+---
+# OS Specific Settings
+
+rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-official
diff --git a/vars/Rocky.yml b/vars/Rocky.yml
new file mode 100644
index 0000000..7c8ae0b
--- /dev/null
+++ b/vars/Rocky.yml
@@ -0,0 +1,4 @@
+---
+# OS Specific Settings
+
+rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
From ad6c88b7f9aee89f407196851c41a99712ae52b0 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Feb 2022 17:53:09 +0000
Subject: [PATCH 08/10] updated tags
Signed-off-by: Mark Bolwell
---
 tasks/main.yml | 5 ++++-
 tasks/section_1/main.yml | 24 ++++++++++++------------
 tasks/section_2/main.yml | 8 ++++----
 tasks/section_3/main.yml | 20 ++++++++++----------
 tasks/section_4/main.yml | 10 +++++-----
 tasks/section_6/main.yml | 4 ++--
 6 files changed, 37 insertions(+), 34 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 62c6512..47de414 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -108,9 +108,12 @@
 - name: capture /etc/password variables
 include_tasks: parse_etc_password.yml
- when: rhel9cis_section6
+ when:
+ - rhel9cis_section6
 tags:
 - rule_5.5.2
+ - rule_6.2.7
+ - rule_6.2.20
 - rhel9cis_section6
 - name: run Section 1 tasks
diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml
index b8c8e8e..933804e 100644
--- a/tasks/section_1/main.yml
+++ b/tasks/section_1/main.yml
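Review bot: `rpm_gpg_key` in vars/RedHat.yml resolves to `RPM-GPG-KEY-redhat-official`, whereas the line it replaces in cis_1.2.x.yml used the `-release` suffix; on RHEL the shipped key file is normally `RPM-GPG-KEY-redhat-release`, so `-official` looks carried over from the Rocky naming and should be confirmed on a RHEL 9 host, because a missing file makes gpg exit non-zero and the 1.2.3 audit fail for every RHEL host. Inside a file that is only loaded when `ansible_distribution` is RedHat, the `{{ ansible_distribution|lower }}` indirection adds nothing; a literal path is clearer and cannot be influenced by the host fact. Both new files use the unprefixed `rpm_gpg_key`; `rhel9cis_rpm_gpg_key` would match the role's convention.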
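Review bot: The tags `rule_6.2.7` and `rule_6.2.20` are added so tag-selected runs parse /etc/passwd first, but the task still carries `when: - rhel9cis_section6`, so a run that disables section 6 and relies on the `rule_5.5.2` tag never populates `rhel9cis_passwd`. Widen the condition to the sections that consume the facts, e.g. `- rhel9cis_section5 or rhel9cis_section6` (assuming a `rhel9cis_section5` toggle exists alongside the `rhel9cis_section1`/`rhel9cis_section2` defaults visible in patch 02), or drop the condition, since parsing passwd is a cheap read-only step.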
@@ -2,41 +2,41 @@
 - name: "SECTION | 1.1 | FileSystem Configurations\n SECTION | 1.1.1.x | Disable unused filesystems"
- include_tasks: cis_1.1.1.x.yml
-- include_tasks: cis_1.1.x.yml
+ import_tasks: cis_1.1.1.x.yml
+- import_tasks: cis_1.1.x.yml
 - name: "SECTION | 1.2 | Configure Software Updates"
- include_tasks: cis_1.2.x.yml
+ import_tasks: cis_1.2.x.yml
 - name: "SECTION | 1.3 | Configure sudo"
- include_tasks: cis_1.3.x.yml
+ import_tasks: cis_1.3.x.yml
 - name: "SECTION | 1.4 | Filesystem Integrity"
- import_tasks: cis_1.4.x.yml
+ include_tasks: cis_1.4.x.yml
 when: rhel9cis_config_aide
 - name: "SECTION | 1.5 | Secure Boot Settings"
- include_tasks: cis_1.5.x.yml
+ import_tasks: cis_1.5.x.yml
 - name: "SECTION | 1.6 | Additional Process Hardening"
- include_tasks: cis_1.6.x.yml
+ import_tasks: cis_1.6.x.yml
 - name: "SECTION | 1.7 | bootloader and Mandatory Access Control"
- import_tasks: cis_1.7.1.x.yml
+ include_tasks: cis_1.7.1.x.yml
 when: not rhel9cis_selinux_disable
 - name: "SECTION | 1.8 | Warning Banners"
- include_tasks: cis_1.8.1.x.yml
+ import_tasks: cis_1.8.1.x.yml
 - name: "SECTION | 1.9 | Updated and Patches"
- include_tasks: cis_1.9.yml
+ import_tasks: cis_1.9.yml
 - name: "SECTION | 1.10 | Crypto policies"
- import_tasks: cis_1.10.yml
+ include_tasks: cis_1.10.yml
 when:
 - not system_is_ec2
 - name: "SECTION | 1.11 | FIPS/FUTURE Crypto policies"
- import_tasks: cis_1.11.yml
+ include_tasks: cis_1.11.yml
 when:
 - not system_is_ec2
diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml
index f2ed232..2b705ae 100644
--- a/tasks/section_2/main.yml
+++ b/tasks/section_2/main.yml
@@ -1,13 +1,13 @@
 ---
 - name: "SECTION | 2.1 | xinetd"
- include_tasks: cis_2.1.1.yml
+ import_tasks: cis_2.1.1.yml
 - name: "SECTION | 2.2.1 | Time Synchronization"
- include_tasks: cis_2.2.1.x.yml
+ import_tasks: cis_2.2.1.x.yml
 - name: "SECTION | 2.2 | Special Purpose Services"
- include_tasks: cis_2.2.x.yml
+ import_tasks: cis_2.2.x.yml
 - name: "SECTION | 2.3 | Service Clients"
- include_tasks: cis_2.3.x.yml
+ import_tasks: cis_2.3.x.yml
diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml
index 7d6af68..13b42fc 100644
--- a/tasks/section_3/main.yml
+++ b/tasks/section_3/main.yml
@@ -1,41 +1,41 @@
 ---
 - name: "SECTION | 3.1.x | Packet and IP redirection"
- include_tasks: cis_3.1.x.yml
+ import_tasks: cis_3.1.x.yml
 - name: "SECTION | 3.2.x | Network Parameters (Host Only)"
- include_tasks: cis_3.2.x.yml
+ import_tasks: cis_3.2.x.yml
 - name: "SECTION | 3.3.x | Uncommon Network Protocols"
- include_tasks: cis_3.3.x.yml
+ import_tasks: cis_3.3.x.yml
 - name: "SECTION | 3.4.1.x | firewall defined"
- include_tasks: cis_3.4.1.1.yml
+ import_tasks: cis_3.4.1.1.yml
 - name: "SECTION | 3.4.2.x | firewalld firewall"
- import_tasks: cis_3.4.2.x.yml
+ include_tasks: cis_3.4.2.x.yml
 when:
 - rhel9cis_firewall == "firewalld"
 - name: "SECTION | 3.4.3.x | Configure nftables firewall"
- import_tasks: cis_3.4.3.x.yml
+ include_tasks: cis_3.4.3.x.yml
 when:
 - rhel9cis_firewall == "nftables"
 - name: "SECTION | 3.4.4.1.x | Configure iptables IPv4"
- import_tasks: cis_3.4.4.1.x.yml
+ include_tasks: cis_3.4.4.1.x.yml
 when:
 - rhel9cis_firewall == "iptables"
 - name: "SECTION | 3.4.4.2.x | Configure iptables IPv6"
- import_tasks: cis_3.4.4.2.x.yml
+ include_tasks: cis_3.4.4.2.x.yml
 when:
 - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required )
 - name: "SECTION | 3.5 | Configure wireless"
- include_tasks: cis_3.5.yml
+ import_tasks: cis_3.5.yml
 - name: "SECTION | 3.5 | disable IPv6"
- import_tasks: cis_3.5.yml
+ include_tasks: cis_3.5.yml
 when:
 - not rhel9cis_ipv6_required
diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml
index de1643c..8e84241 100644
--- a/tasks/section_4/main.yml
+++ b/tasks/section_4/main.yml
@@ -6,20 +6,20 @@
 - not system_is_container
 - name: "SECTION | 4.1.2.x| Configure Data Retention"
- include_tasks: cis_4.1.2.x.yml
+ import_tasks: cis_4.1.2.x.yml
 - name: "SECTION | 4.1.x| Auditd rules"
- include_tasks: cis_4.1.x.yml
+ import_tasks: cis_4.1.x.yml
 - name: "SECTION | 4.2.x| Configure Logging"
 import_tasks: cis_4.2.1.x.yml
 when: rhel9cis_syslog == 'rsyslog'
 - name: "SECTION | 4.2.2.x| Configure journald"
- include_tasks: cis_4.2.2.x.yml
+ import_tasks: cis_4.2.2.x.yml
 - name: "SECTION | 4.2.3 | Configure logile perms"
- include_tasks: cis_4.2.3.yml
+ import_tasks: cis_4.2.3.yml
 - name: "SECTION | 4.3 | Configure logrotate"
- include_tasks: cis_4.3.yml
+ import_tasks: cis_4.3.yml
diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml
index 479b9c8..b6acabf 100644
--- a/tasks/section_6/main.yml
+++ b/tasks/section_6/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: "SECTION | 6.1 | System File Permissions"
- include_tasks: cis_6.1.x.yml
+ import_tasks: cis_6.1.x.yml
 - name: "SECTION | 6.2 | User and Group Settings"
- include_tasks: cis_6.2.x.yml
+ import_tasks: cis_6.2.x.yml
From 1345ca0437c92bb3c25c4eadb7f57c4c809d0f33 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Feb 2022 17:53:33 +0000
Subject: [PATCH 09/10] updated changed_when
Signed-off-by: Mark Bolwell
---
 tasks/prelim.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index eadfb56..5521a8d 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -195,20 +195,26 @@
 block:
 - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def"
 shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
+ changed_when: false
 register: uid_min_id
 - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def"
 shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
+ changed_when: false
 register: uid_max_id
 - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def"
 shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}'
+ changed_when: false
 register: gid_min_id
 - name: "PRELIM | AUDIT | set_facts for interactive uid/gid"
 set_fact:
- min_int_uid: uid_min_id.stdout
- max_int_uid: uid_max_id.stdout
+ min_int_uid: "{{ uid_min_id.stdout }}"
+ max_int_uid: "{{ uid_max_id.stdout }}"
+ min_int_gid: "{{ gid_min_id.stdout }}"
+- debug:
+ msg: "{{ min_int_uid }} {{ max_int_uid }}"
 when:
 - not discover_int_uid
From a57c499638f1597d646a08927dbf96f174f412a5 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 1 Feb 2022 17:53:46 +0000
Subject: [PATCH 10/10] fixed UID logic
Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.5.x.yml | 4 ++--
 tasks/section_6/cis_6.2.x.yml | 7 +++++--
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml
index 83f8d7e..bf77a52 100644
--- a/tasks/section_5/cis_5.5.x.yml
+++ b/tasks/section_5/cis_5.5.x.yml
@@ -13,7 +13,7 @@
 - item.id != "sync"
 - item.id != "shutdown"
 - item.id != "halt"
- - item.gid < min_int_uid
+ - item.uid < 1000
 - item.shell != " /bin/false"
 - item.shell != " /usr/sbin/nologin"
@@ -28,7 +28,7 @@
 - item.id != "shutdown"
 - item.id != "sync"
 - item.id != "root"
- - item.gid < min_int_uid
+ - item.uid < 1000
 - item.shell != " /bin/false"
 - item.shell != " /usr/sbin/nologin"
 when:
diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
index 7242132..8c0c9aa 100644
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
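Review bot: The added `- debug: msg: "{{ min_int_uid }} {{ max_int_uid }}"` prints on every run; either remove it or give it `verbosity: 2` so it appears only under `-vv`. The block's guard is still `when: - not discover_int_uid`, the opposite of what the toggle's name and its `false` default imply, so the fix to the `set_fact` values does not change that discovery runs by default and is disabled by turning the option on. The facts remain strings (`"{{ uid_min_id.stdout }}"` renders to text, and a `set_fact` does not convert numeric strings), so every consumer still needs `| int`; an `assert` that each stdout is non-empty and numeric before the `set_fact` would surface a broken login.defs here rather than in the section 5/6 tasks. `min_int_gid` is set but has no consumer visible in this series.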
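Review bot: `- item.uid < 1000` in both hunks hard-codes the boundary that `min_int_uid` was introduced to carry, so a host whose /etc/login.defs sets a different `UID_MIN` is audited against the wrong range when discovery is on; `- item.uid < min_int_uid | int` keeps the discovered value and also handles the string fact. Moving from `gid` to `uid` is the right field for a system-account check, so only the literal needs to change. The enclosing task and its `when:` start and end outside these hunks.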
@@ -134,9 +134,12 @@
 - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
 stat:
 path: "{{ item }}"
- with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid) | selectattr('uid', '!=', max_int_uid) | map(attribute='dir') | list }}"
+ with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}"
 register: rhel_09_6_2_7_audit
+ - debug:
+ var: rhel_09_6_2_7_audit
+
 - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
 shell: find -H {{ item.0 | quote }} -not -type l -perm /027
 args:
@@ -500,7 +503,7 @@
 stat:
 path: "{{ item }}"
 register: rhel_09_6_2_20_audit
- with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}"
+ with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}"
 - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist"
 shell: find -H {{ item.0 | quote }} -not -type l -perm /027
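Review bot: The new `- debug: var: rhel_09_6_2_7_audit` dumps the full stat result for every interactive home directory on every run, which reads as leftover diagnostics and is noisy in CI output; remove it or add `verbosity: 2`. The rewritten filter `selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/')` is duplicated verbatim in the @@ -503 hunk and only excludes `nobody` (65534) because the default `max_int_uid` is 65533 and the comparison is strict; a one-line comment above each `with_items`, such as `# interactive users: UID in [min_int_uid, max_int_uid), root home excluded`, would save the next reader that arithmetic, and hoisting the expression into a single variable would keep the two checks from drifting apart.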