From 4fe4346f35fe2b6d38140c8992d66b8e4a982a48 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:09:14 +0100 Subject: [PATCH 1/9] updated audit filename Signed-off-by: Mark Bolwell --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 510784b..24ca2e7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -673,8 +673,8 @@ audit_files_url: "some url maybe s3?" # Where the goss configs and outputs are stored audit_out_dir: '/opt' audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" ## The following should not need changing goss_file: "{{ audit_conf_dir }}goss.yml" From 249135713612bdfd95465488ad4fd235704b2896 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:09:30 +0100 Subject: [PATCH 2/9] Added login.defs 5.6.5 Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 474a378..4064d74 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml 
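Review bot: The pre/post scan outfiles are written straight into `audit_out_dir` (`/opt`) under a name that now identifies both the host and the benchmark, and those files presumably record which hardening controls failed on that host, so they should not be readable by unprivileged local users. The task that creates them is not in this hunk; I would confirm it sets a root-only owner and mode, and state that expectation in the existing comment, e.g. `# Where the goss configs and outputs are stored; audit outputs list failed controls per host, keep them root-only`. Note also that `benchmark` is templated into both new filenames but is not defined in this hunk, so the names depend on it being set elsewhere in the defaults.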
@@ -87,6 +87,15 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings" + replace: + path: /etc/login.defs + regexp: "{{ item.regexp }}" + replace: "{{ item.replace }}" + loop: + - { regexp: '(UMASK\s+)0[012][0-6]', replace: '\1 027' } + - { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' } + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" replace: path: /etc/bashrc From e764ef55d50d595e9a515d811de0031e2f167944 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:14:03 +0100 Subject: [PATCH 3/9] lint updates Signed-off-by: Mark Bolwell --- .ansible-lint | 4 ++++ meta/main.yml | 1 + tasks/section_1/cis_1.4.x.yml | 2 +- tasks/section_5/cis_5.6.x.yml | 4 ++-- tasks/section_6/cis_6.1.x.yml | 2 +- 5 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index f21e1f4..c3dfee3 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -4,6 +4,10 @@ skip_list: - 'schema' - 'no-changed-when' - 'fqcn-builtins' + - 'experimental' + - 'name[casing]' + - 'name[template]' + - 'jinja[spacing]' - '204' - '305' - '303' diff --git a/meta/main.yml b/meta/main.yml index aac8be8..b4a804e 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -5,6 +5,7 @@ galaxy_info: company: "MindPoint Group" license: MIT role_name: rhel9_cis + namespace: mindpointgroup min_ansible_version: 2.10.0 platforms: - name: EL diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 8ba419e..cdad67f 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml 
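Review bot: The new `replace` item `(UMASK\s+)0[012][0-6]` only matches values whose second digit is 0–2 and third digit 0–6, so an existing `UMASK 007`, `UMASK 017` or `UMASK 047` (group-writable, hence less restrictive than 027) is left untouched, and a login.defs with no `UMASK` line at all is not changed because `replace` cannot insert. The same applies to `USERGROUPS_ENAB` when the key is absent. Using `lineinfile` with anchored regexps corrects every existing value, appends the line when missing, avoids rewriting commented-out `# UMASK` lines, and drops the extra space that `\1 027` currently inserts after the captured whitespace. The enclosing `block:` and task list continue past the hunk (the /etc/bashrc task is cut off).
```yaml
  block:
    - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings"
      lineinfile:
        path: /etc/login.defs
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      loop:
        - { regexp: '^UMASK\s+', line: 'UMASK 027' }
        - { regexp: '^USERGROUPS_ENAB\s+', line: 'USERGROUPS_ENAB no' }
    # … unchanged: /etc/bashrc task …
```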
@@ -3,7 +3,7 @@ - name: "1.4.1 | PATCH | Ensure bootloader password is set" copy: dest: /boot/grub2/user.cfg - content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" + content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy owner: root group: root mode: 0600 diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 4064d74..f1052c3 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -93,8 +93,8 @@ regexp: "{{ item.regexp }}" replace: "{{ item.replace }}" loop: - - { regexp: '(UMASK\s+)0[012][0-6]', replace: '\1 027' } - - { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' } + - { regexp: '(UMASK\s+)0[012][0-6]', replace: '\1 027' } + - { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' } - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" replace: diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 099eb0e..29d98b3 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -14,7 +14,7 @@ block: - name: "6.1.1 | AUDIT | Audit system file permissions | Add file discrepancy list to system" copy: - dest: "{{ rhel9cis_rpm_audit_file }}" + dest: "{{ rhel9cis_rpm_audit_file }}" # noqa template-instead-of-copy content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}" owner: root group: root From acdb56a2770b3d464759b4bfc195db0f444a69c1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:20:05 +0100 Subject: [PATCH 4/9] updated for readthedocs Signed-off-by: Mark Bolwell --- README.md | 57 ++++++------------------------------------------------- 1 file changed, 6 insertions(+), 51 deletions(-) diff --git a/README.md b/README.md index 4c7324b..00d5a39 100644 --- a/README.md +++ b/README.md 
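Review bot: The `content:` line that gets the `# noqa` writes the bootloader password hash, and nothing visible in this hunk suppresses logging of it; unless `no_log: true` is set further down the task (the task continues past the hunk), the hash is echoed in `--diff`/`-v` output and retained in Tower/AWX job logs. The hash is still secret material even though it is not the plaintext, so I would add `no_log: true` next to `mode: 0600` and note it in a comment, e.g. `# hash is secret material; keep it out of task output and job logs`.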
@@ -21,7 +21,7 @@ On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, d ## Caution(s) -This role **will make changes to the system** which may have unintended concequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. +This role **will make changes to the system** which may have unintended concequences. This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed. 
@@ -29,23 +29,11 @@ To use release version please point to main branch ## Documentation +- [Readthedocs](https://ansible-lockdown.readthedocs.io/en/latest/) - [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown) - [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise) - [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration) - [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise) -- [Wiki](https://github.com/ansible-lockdown/RHEL9-CIS/wiki) -- [Repo GitHub Page](https://ansible-lockdown.github.io/RHEL9-CIS/) - -## Auditing (new) - -This can be turned on or off within the defaults/main.yml file with the variable rhel9cis_run_audit. The value is false by default, please refer to the wiki for more details. - -This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. - -A new form of auditing has been develeoped, by using a small (12MB) go binary called [goss](https://github.com/aelsabbahy/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. -This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. - -Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit). ## Requirements 
@@ -62,8 +50,10 @@ Rocky 9 - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) + - Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/RHEL9-CIS/wiki/Main-Variables). +- Please read through the tasks in this role to gain an understanding of what each control is doing. + - Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file ## Dependencies @@ -71,6 +61,7 @@ Rocky 9 - Ansible 2.9+ - python-def (should be included in RHEL 9) - libselinux-python +- jmespath ## Role Variables 
@@ -92,39 +83,3 @@ Below is an example of the tag section from a control within this role. Using th - patch - rule_2.2.4 ``` - -## Example Audit Summary - -This is based on a vagrant image with selections enabled. e.g. No Gui or firewall. -Note: More tests are run during audit as we check config and running state. - -```txt - -ok: [default] => { - "msg": [ - "The pre remediation results are: ['Total Duration: 5.454s', 'Count: 338, Failed: 47, Skipped: 5'].", - "The post remediation results are: ['Total Duration: 5.007s', 'Count: 338, Failed: 46, Skipped: 5'].", - "Full breakdown can be found in /var/tmp", - "" - ] -} - -PLAY RECAP ******************************************************************************************************************************************* -default : ok=270 changed=23 unreachable=0 failed=0 skipped=140 rescued=0 ignored=0 -``` - -## Branches - -- devel - This is the default branch and the working development branch. Community pull requests will pull into this branch -- main - This is the release branch -- reports - This is a protected branch for our scoring reports, no code should ever go here -- all other branches** - Individual community member branches - -## Community Contribution - -We encourage you (the community) to contribute to this role. Please read the rules below. - -- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge. -- All community Pull Requests are pulled into the devel branch -- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved -- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release From 1d96539637f3a395985c4fc5ee4d2177b8b7650d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:29:06 +0100 Subject: [PATCH 5/9] Exentsion to auditd 
Signed-off-by: Mark Bolwell --- defaults/main.yml | 7 +++++++ tasks/section_4/cis_4.1.2.x.yml | 16 ++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 24ca2e7..2cbbbc8 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -508,6 +508,13 @@ update_audit_template: false ## Advanced option found in auditd post allow_auditd_uid_user_exclusions: false + +# This can be used to configure other keys in auditd.conf +rhel9cis_auditd_extra_conf: {} +# Example: +# rhel9cis_auditd_extra_conf: +# admin_space_left: '10%' + ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index 0eec0b2..a3ab990 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -51,3 +51,19 @@ - patch - auditd - rule_4.1.2.3 + +- name: PATCH | Configure other keys for auditd.conf + lineinfile: + path: /etc/audit/auditd.conf + regexp: "^{{ item }}( |=)" + line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}" + loop: "{{ rhel9cis_auditd_extra_conf.keys() }}" + notify: restart auditd + when: + - rhel9cis_auditd_extra_conf.keys() | length > 0 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd From ec04552390268e740fe92606c87cbeee7132c20d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:30:47 +0100 Subject: [PATCH 6/9] updated changes Signed-off-by: Mark Bolwell --- Changelog.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Changelog.md b/Changelog.md index 2fa85d4..07283db 100644 --- a/Changelog.md +++ b/Changelog.md 
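Review bot: In the new "Configure other keys for auditd.conf" task (second hunk, tasks/section_4/cis_4.1.2.x.yml), `loop: "{{ rhel9cis_auditd_extra_conf.keys() }}"` templates a `dict_keys` view, which on Ansible releases without native Jinja rendering becomes the string `dict_keys([...])` and fails with "Invalid data passed to 'loop', it requires a list"; `dict2items` is the portable form. Keys are also spliced into `regexp` unescaped, which is operator-controlled data but still worth `regex_escape` so a key containing regex metacharacters cannot match the wrong line. I would change the three lines to `regexp: "^{{ item.key | regex_escape }}( |=)"`, `line: "{{ item.key }} = {{ item.value }}"` and `loop: "{{ rhel9cis_auditd_extra_conf | dict2items }}"`; the `when: ... | length > 0` guard is then redundant, since an empty loop simply skips.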
@@ -1,5 +1,19 @@ # Changes to rhel9CIS +## 0.5 + +### Taken from RHEL8-CIS issues and PRs + +- #209 5.6.5 rewrite umask settings +- #220 tidy up and align variables +- #226 Thanks to Thulium-Drake + -Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required fopr auditd to run correctly in some cases) + +- #227 thanks to OscarElits + - chrony files now RH expected locations +- #228 Thanks to benbulll + - audit binary copy var missing + ## 0.4 - Added assertion that ansible_user has password set for rule 5.3.4 From fe8275429d1778ca1d81c3f17509a1887003f390 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:33:32 +0100 Subject: [PATCH 7/9] updated changelog Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 07283db..506b67a 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,8 @@ ## 0.5 +- audit path updated and output file name + ### Taken from RHEL8-CIS issues and PRs - #209 5.6.5 rewrite umask settings From a1b042f11047ae35c05fb02cd86a09b885f17ffd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:49:10 +0100 Subject: [PATCH 8/9] updated to fix error Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 908ea06..2396cc5 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -26,7 +26,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/first-interaction@v1.1.0 + - uses: actions/first-interaction@v1.1.1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- From 4455f2453f47303d8eb1d1a984b7bc6d12f02ab1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 14 Oct 2022 12:57:51 +0100 Subject: [PATCH 9/9] updated link to discord 
Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 2396cc5..2c972d5 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -31,7 +31,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well. + Please join in the conversation happening on the [Discord Server](https://discord.io/iansible-lockdown) as well. # This workflow contains a single job called "build" build: # The type of runner that the job will run on
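Review bot: The new `pr-message` link `https://discord.io/iansible-lockdown` differs from the `https://discord.io/ansible-lockdown` used in the README hunk earlier in this series, so the leading `i` looks like a typo; please confirm the intended slug before merging. Because discord.io is a third-party vanity-redirect service rather than a project-controlled domain, a slug that does not resolve could later be registered by an unrelated party, and this message is sent automatically to every first-time contributor. A short comment above `pr-message`, e.g. `# keep this invite in sync with the README Discord link`, would help avoid the drift recurring.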