Merge pull request #3 from ansible-lockdown/rh8_#148

adaptions of RH8 issues
2025-12-27 15:33:06 +00:00 · 2022-02-02 09:53:09 +00:00 · 2022-02-02 09:53:09 +00:00 · 4c70eb12fe
commit 4c70eb12fe
parent 375847536b a57c499638
16 changed files with 136 additions and 78 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -8,6 +8,9 @@ container_vars_file: is_container.yml
 # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks
 system_is_ec2: false

+# Run the OS validation check
+os_check: true
+
 rhel9cis_notauto: false
 rhel9cis_section1: true
 rhel9cis_section2: true
@ -546,8 +549,12 @@ rhel9cis_pam_password:
    minlen: "14"
    minclass: "4"

-# Starting GID for interactive users
-rhel9cis_int_gid: 1000
+# UID settings for interactive users
+# These are discovered via logins.def is set true
+discover_int_uid: false
+min_int_uid: 1000
+max_int_uid: 65533
+

 # RHEL-09-5.4.5
 # Session timeout setting file (TMOUT setting can be set in multiple files)
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,21 +1,22 @@
 ---
 # tasks file for RHEL9-CIS
+
 - name: Check OS version and family
  assert:
-      that:
-          - (ansible_os_family == 'RedHat' or ansible_os_family == "Rocky")
-          - ansible_distribution_major_version |int >= 8
-      fail_msg: "This role can only be run against RHEL 8 or 9. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
-      success_msg: "Supported OS release and version"
+      that: (ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==')
+      fail_msg: "This role can only be run against RHEL8 family OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
+      success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
+  when: 
+    - os_check
+    - not system_is_ec2
  tags:
      - always

 - name: Check ansible version
  assert:
-      that:
-          - "ansible_version.full is version_compare ('2.9', '>=')"
-      fail_msg: "You must use ansible 2.9 or greater"
-      success_msg: "Supported ansible_version"
+      that: ansible_version.full is version_compare(min_ansible_version, '>=')
+      fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
+      success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
  tags:
      - always

@ -83,15 +84,19 @@
  tags:
  - always

+- name: Include OS specific variables
+  include_vars: "{{ ansible_distribution }}.yml"
+  tags:
+  - always
+
 - name: Include preliminary steps
  import_tasks: prelim.yml
-  become: 
  tags:
  - prelim_tasks
  - always

 - name: run pre_remediation audit
-  import_tasks: pre_remediation_audit.yml
+  include_tasks: pre_remediation_audit.yml
  when:
  - run_audit

@ -103,8 +108,12 @@

 - name: capture /etc/password variables
  include_tasks: parse_etc_password.yml
-  when: rhel9cis_section6
+  when: 
+  - rhel9cis_section6
  tags:
+  - rule_5.5.2
+  - rule_6.2.7
+  - rule_6.2.20
  - rhel9cis_section6

 - name: run Section 1 tasks
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -190,3 +190,32 @@
  tags:
      - rule_1.2.2
      - skip_ansible_lint
+
+- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def"
+  block:
+      - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def"
+        shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
+        changed_when: false
+        register: uid_min_id
+   
+      - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def"
+        shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
+        changed_when: false
+        register: uid_max_id
+
+      - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def"
+        shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}'
+        changed_when: false
+        register: gid_min_id
+
+      - name: "PRELIM | AUDIT | set_facts for interactive uid/gid"
+        set_fact:
+            min_int_uid: "{{ uid_min_id.stdout }}"
+            max_int_uid: "{{ uid_max_id.stdout }}"
+            min_int_gid: "{{ gid_min_id.stdout }}"
+- debug:
+    msg: "{{ min_int_uid }} {{ max_int_uid }}"
+
+  when:
+      - not discover_int_uid
+
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@ -37,7 +37,7 @@
      - rule_1.2.2

 - name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured"
-  shell: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release
+  shell: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}"
  args:
      warn: false
  when:
--- a/tasks/section_1/main.yml
+++ b/tasks/section_1/main.yml
@ -2,41 +2,41 @@

 - name: "SECTION | 1.1 | FileSystem Configurations\n
         SECTION | 1.1.1.x | Disable unused filesystems"
-  include_tasks: cis_1.1.1.x.yml
- include_tasks: cis_1.1.x.yml
+  import_tasks: cis_1.1.1.x.yml
+- import_tasks: cis_1.1.x.yml

 - name: "SECTION | 1.2 | Configure Software Updates"
-  include_tasks: cis_1.2.x.yml
+  import_tasks: cis_1.2.x.yml

 - name: "SECTION | 1.3 | Configure sudo"
-  include_tasks: cis_1.3.x.yml
+  import_tasks: cis_1.3.x.yml

 - name: "SECTION | 1.4 | Filesystem Integrity"
-  import_tasks: cis_1.4.x.yml
+  include_tasks: cis_1.4.x.yml
  when: rhel9cis_config_aide

 - name: "SECTION | 1.5 | Secure Boot Settings"
-  include_tasks: cis_1.5.x.yml
+  import_tasks: cis_1.5.x.yml

 - name: "SECTION | 1.6 | Additional Process Hardening"
-  include_tasks: cis_1.6.x.yml
+  import_tasks: cis_1.6.x.yml

 - name: "SECTION | 1.7 | bootloader and Mandatory Access Control"
-  import_tasks: cis_1.7.1.x.yml
+  include_tasks: cis_1.7.1.x.yml
  when: not rhel9cis_selinux_disable

 - name: "SECTION | 1.8 | Warning Banners"
-  include_tasks: cis_1.8.1.x.yml
+  import_tasks: cis_1.8.1.x.yml

 - name: "SECTION | 1.9 | Updated and Patches"
-  include_tasks: cis_1.9.yml
+  import_tasks: cis_1.9.yml

 - name: "SECTION | 1.10 | Crypto policies"
-  import_tasks: cis_1.10.yml
+  include_tasks: cis_1.10.yml
  when:
  - not system_is_ec2

 - name: "SECTION | 1.11 | FIPS/FUTURE Crypto policies"
-  import_tasks: cis_1.11.yml
+  include_tasks: cis_1.11.yml
  when:
  - not system_is_ec2
--- a/tasks/section_2/main.yml
+++ b/tasks/section_2/main.yml
@ -1,13 +1,13 @@
 ---

 - name: "SECTION | 2.1 | xinetd"
-  include_tasks: cis_2.1.1.yml
+  import_tasks: cis_2.1.1.yml

 - name: "SECTION | 2.2.1 | Time Synchronization"
-  include_tasks: cis_2.2.1.x.yml
+  import_tasks: cis_2.2.1.x.yml

 - name: "SECTION | 2.2 | Special Purpose Services"
-  include_tasks: cis_2.2.x.yml
+  import_tasks: cis_2.2.x.yml

 - name: "SECTION | 2.3 | Service Clients"
-  include_tasks: cis_2.3.x.yml
+  import_tasks: cis_2.3.x.yml
--- a/tasks/section_3/main.yml
+++ b/tasks/section_3/main.yml
@ -1,41 +1,41 @@
 ---

 - name: "SECTION | 3.1.x | Packet and IP redirection"
-  include_tasks: cis_3.1.x.yml
+  import_tasks: cis_3.1.x.yml

 - name: "SECTION | 3.2.x | Network Parameters (Host Only)"
-  include_tasks: cis_3.2.x.yml
+  import_tasks: cis_3.2.x.yml

 - name: "SECTION | 3.3.x | Uncommon Network Protocols"
-  include_tasks: cis_3.3.x.yml
+  import_tasks: cis_3.3.x.yml

 - name: "SECTION | 3.4.1.x | firewall defined"
-  include_tasks: cis_3.4.1.1.yml
+  import_tasks: cis_3.4.1.1.yml

 - name: "SECTION | 3.4.2.x | firewalld firewall"
-  import_tasks: cis_3.4.2.x.yml
+  include_tasks: cis_3.4.2.x.yml
  when:
  - rhel9cis_firewall == "firewalld"

 - name: "SECTION | 3.4.3.x | Configure nftables firewall"
-  import_tasks: cis_3.4.3.x.yml
+  include_tasks: cis_3.4.3.x.yml
  when:
  - rhel9cis_firewall == "nftables"

 - name: "SECTION | 3.4.4.1.x | Configure iptables IPv4"
-  import_tasks: cis_3.4.4.1.x.yml
+  include_tasks: cis_3.4.4.1.x.yml
  when:
  - rhel9cis_firewall == "iptables"

 - name: "SECTION | 3.4.4.2.x | Configure iptables IPv6"
-  import_tasks: cis_3.4.4.2.x.yml
+  include_tasks: cis_3.4.4.2.x.yml
  when:
  - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required )

 - name: "SECTION | 3.5 | Configure wireless"
-  include_tasks: cis_3.5.yml
+  import_tasks: cis_3.5.yml

 - name: "SECTION | 3.5 | disable IPv6"
-  import_tasks: cis_3.5.yml
+  include_tasks: cis_3.5.yml
  when:
  - not rhel9cis_ipv6_required
--- a/tasks/section_4/main.yml
+++ b/tasks/section_4/main.yml
@ -6,20 +6,20 @@
      - not system_is_container

 - name: "SECTION | 4.1.2.x| Configure Data Retention"
-  include_tasks: cis_4.1.2.x.yml
+  import_tasks: cis_4.1.2.x.yml

 - name: "SECTION | 4.1.x| Auditd rules"
-  include_tasks: cis_4.1.x.yml
+  import_tasks: cis_4.1.x.yml

 - name: "SECTION | 4.2.x| Configure Logging"
  import_tasks: cis_4.2.1.x.yml
  when: rhel9cis_syslog == 'rsyslog'

 - name: "SECTION | 4.2.2.x| Configure journald"
-  include_tasks: cis_4.2.2.x.yml
+  import_tasks: cis_4.2.2.x.yml

 - name: "SECTION | 4.2.3 | Configure logile perms"
-  include_tasks: cis_4.2.3.yml
+  import_tasks: cis_4.2.3.yml

 - name: "SECTION | 4.3 | Configure logrotate"
-  include_tasks: cis_4.3.yml
+  import_tasks: cis_4.3.yml
--- a/tasks/section_5/cis_5.5.x.yml
+++ b/tasks/section_5/cis_5.5.x.yml
@ -13,7 +13,7 @@
            - item.id != "sync"
            - item.id != "shutdown"
            - item.id != "halt"
-            - item.gid < rhel9cis_int_gid
+            - item.uid < 1000
            - item.shell != "      /bin/false"
            - item.shell != "      /usr/sbin/nologin"

@ -28,7 +28,7 @@
            - item.id != "shutdown"
            - item.id != "sync"
            - item.id != "root"
-            - item.gid < rhel9cis_int_gid
+            - item.uid < 1000
            - item.shell != "      /bin/false"
            - item.shell != "      /usr/sbin/nologin"
  when:
--- a/tasks/section_5/main.yml
+++ b/tasks/section_5/main.yml
@ -1,7 +1,7 @@
 ---

 - name: "SECTION | 5.1 | Configure time-based job schedulers"
-  include_tasks: cis_5.1.x.yml
+  import_tasks: cis_5.1.x.yml

 - name: "SECTION | 5.2 | Configure SSH Server"
  include_tasks: cis_5.2.x.yml
@ -9,21 +9,21 @@
      - "'openssh-server' in ansible_facts.packages"

 - name: "SECTION | 5.3 | Configure Profiles"
-  import_tasks: cis_5.3.x.yml
+  include_tasks: cis_5.3.x.yml
  when:
      - rhel9cis_use_authconfig

 - name: "SECTION | 5.4 | Configure PAM "
-  include_tasks: cis_5.4.x.yml
+  import_tasks: cis_5.4.x.yml

 - name: "SECTION | 5.5.1.x | Passwords and Accounts"
-  include_tasks: cis_5.5.1.x.yml
+  import_tasks: cis_5.5.1.x.yml

 - name: "SECTION | 5.5.x | System Accounts and User Settings"
-  include_tasks: cis_5.5.x.yml
+  import_tasks: cis_5.5.x.yml

 - name: "SECTION | 5.6 | Root Login"
-  include_tasks: cis_5.6.yml
+  import_tasks: cis_5.6.yml

 - name: Section | 5.7 | su Command Restriction
-  include_tasks: cis_5.7.yml
+  import_tasks: cis_5.7.yml
--- a/tasks/section_6/cis_6.2.x.yml
+++ b/tasks/section_6/cis_6.2.x.yml
@ -134,9 +134,12 @@
      - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
        stat:
            path: "{{ item }}"
-        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
+        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}"
        register: rhel_09_6_2_7_audit

+      - debug:
+          var: rhel_09_6_2_7_audit
+
      - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
        shell: find -H {{ item.0 | quote }} -not -type l -perm /027
        args:
@ -204,7 +207,7 @@
  loop_control:
      label: "{{ rhel9cis_passwd_label }}"
  when:
-      - item.uid >= rhel9cis_int_gid
+      - item.uid >= min_int_uid
      - rhel9cis_rule_6_2_8
  tags:
      - skip_ansible_lint  # settings found on 6_2_7
@ -500,7 +503,7 @@
        stat:
            path: "{{ item }}"
        register: rhel_09_6_2_20_audit
-        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
+        with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}"

      - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist"
        shell: find -H {{ item.0 | quote }} -not -type l -perm /027
--- a/tasks/section_6/main.yml
+++ b/tasks/section_6/main.yml
@ -1,7 +1,7 @@
 ---

 - name: "SECTION | 6.1 | System File Permissions"
-  include_tasks: cis_6.1.x.yml
+  import_tasks: cis_6.1.x.yml

 - name: "SECTION | 6.2 | User and Group Settings"
-  include_tasks: cis_6.2.x.yml
+  import_tasks: cis_6.2.x.yml
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@ -32,18 +32,18 @@
 -w /etc/sysconfig/network -p wa -k system-locale
 {% endif %}
 {% if rhel9cis_rule_4_1_9 %}
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
+-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod
 {% endif %}
 {% if rhel9cis_rule_4_1_10 %}
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
+-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access
 {% endif %}
 {% if rhel9cis_rule_4_1_11 %}
 -w /etc/group -p wa -k identity
@ -53,17 +53,17 @@
 -w /etc/security/opasswd -p wa -k identity
 {% endif %}
 {% if rhel9cis_rule_4_1_12 %}
-a always,exit -F arch=b32 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts
+-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts
 {% endif %}
 {% if rhel9cis_rule_4_1_13 %}
 {% for proc in priv_procs.stdout_lines -%}
-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k privileged
+-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=4294967295 -k privileged
 {% endfor %}
 {% endif %}
 {% if rhel9cis_rule_4_1_14 %}
-a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete
+-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete
 {% endif %}
 {% if rhel9cis_rule_4_1_15 %}
 -w /usr/sbin/insmod -p x -k modules
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@ -0,0 +1,4 @@
+---
+# OS Specific Settings
+
+rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-official
--- a/vars/Rocky.yml
+++ b/vars/Rocky.yml
@ -0,0 +1,4 @@
+---
+# OS Specific Settings
+
+rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
--- a/vars/main.yml
+++ b/vars/main.yml
@ -1,5 +1,7 @@
 ---
 # vars file for RHEL9-CIS
+
+min_ansible_version: 2.9
 rhel9cis_allowed_crypto_policies:
    - 'FUTURE'
    - 'FIPS'