improvments v2

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

tasks/section_1/cis_1.6.x.yml

@@ -13,7 +13,6 @@
     - NIST800-53R5_SC-6
   ansible.builtin.debug:
     msg: "Captured in prelim to ensure not LEGACY. Runs handler to update"
-  changed_when: true
   notify:
     - Update Crypto Policy
     - Set Crypto Policy
@@ -135,8 +134,8 @@
   block:
     - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion"
       ansible.builtin.template:
-        src: etc/crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod.j2
+        src: etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
-        dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMAC.pmod
+        dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
         owner: root
         group: root
         mode: '0640'
@@ -146,7 +145,7 @@
 
     - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
       ansible.builtin.set_fact:
-        rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SSHWEAKMAC' }}"
+        rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':NO-SSHWEAKCIPHERS' }}"
 
 - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh"
   when:

tasks/section_6/cis_6.1.x.yml

@@ -12,25 +12,27 @@
     - rule_6.1.1
     - NIST800-53R5_AU-2
   block:
-    - name: "6.1.1 | PATCH | Ensure AIDE is installed | Install AIDE"
+    - name: "6.1.1 | PATCH | Ensure AIDE is installed"
       ansible.builtin.package:
         name: aide
         state: present
+      register: aide_installed
 
-    - name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB"
+    - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB"
-      when: not ansible_check_mode
+      when: aide_installed.changed  # noqa: no-handler
-      ansible.builtin.shell: /usr/sbin/aide --init
+      block:
-      args:
+        - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB"
+          ansible.builtin.shell: /usr/sbin/aide --init
 
-    - name: "6.1.1 | PATCH | Ensure AIDE is installed | Wait for file before continuing"
+        - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB | Wait for file before continuing"
-      ansible.builtin.wait_for:
+          ansible.builtin.wait_for:
-        path: /var/lib/aide/aide.db.new.gz
+            path: /var/lib/aide/aide.db.new.gz
 
-    - name: "6.1.1 | PATCH | Ensure AIDE is installed | copy AIDE DB"
+        - name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB |copy AIDE DB"
-      ansible.builtin.copy:
+          ansible.builtin.copy:
-        src: /var/lib/aide/aide.db.new.gz
+            src: /var/lib/aide/aide.db.new.gz
-        dest: /var/lib/aide/aide.db.gz
+            dest: /var/lib/aide/aide.db.gz
-        remote_src: true
+            remote_src: true
 
 - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked"
   when:

templates/audit/99_auditd.rules.j2

@@ -4,23 +4,23 @@
 ### YOUR CHANGES WILL BE LOST!
 
 # This template will set all of the auditd configurations via a handler in the role in one task instead of individually
-{% if rhel9cis_rule_4_1_3_1 %}
+{% if rhel9cis_rule_6_3_3_1 %}
 -w /etc/sudoers -p wa -k scope
 -w /etc/sudoers.d -p wa -k scope
 {% endif %}
-{% if rhel9cis_rule_4_1_3_2 %}
+{% if rhel9cis_rule_6_3_3_2 %}
 -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
 -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
 {% endif %}
-{% if rhel9cis_rule_4_1_3_3 %}
+{% if rhel9cis_rule_6_3_3_3 %}
 -w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file
 {% endif %}
-{% if rhel9cis_rule_4_1_3_4 %}
+{% if rhel9cis_rule_6_3_3_4 %}
 -a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
 -a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change
 -w /etc/localtime -p wa -k time-change
 {% endif %}
-{% if rhel9cis_rule_4_1_3_5 %}
+{% if rhel9cis_rule_6_3_3_5 %}
 -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
 -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
 -w /etc/issue -p wa -k system-locale
@@ -29,70 +29,70 @@
 -w /etc/sysconfig/network -p wa -k system-locale
 -w /etc/sysconfig/network-scripts -p wa -k system-locale
 {% endif %}
-{% if rhel9cis_rule_4_1_3_6 %}
+{% if rhel9cis_rule_6_3_3_6 %}
 {% for proc in priv_procs.stdout_lines -%}
--a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k privileged
+-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k privileged
 {% endfor %}
 {% endif %}
-{% if rhel9cis_rule_4_1_3_7 %}
+{% if rhel9cis_rule_6_3_3_7 %}
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
--a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
--a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access
+-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access
 {% endif %}
-{% if rhel9cis_rule_4_1_3_8 %}
+{% if rhel9cis_rule_6_3_3_8 %}
 -w /etc/group -p wa -k identity
 -w /etc/passwd -p wa -k identity
 -w /etc/gshadow -p wa -k identity
 -w /etc/shadow -p wa -k identity
 -w /etc/security/opasswd -p wa -k identity
 {% endif %}
-{% if rhel9cis_rule_4_1_3_9 %}
+{% if rhel9cis_rule_6_3_3_9 %}
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
--a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod
+-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=perm_mod
 {% endif %}
-{% if rhel9cis_rule_4_1_3_10 %}
+{% if rhel9cis_rule_6_3_3_10 %}
--a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts
+-a always,exit -F arch=b32 -S mount -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
--a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts
+-a always,exit -F arch=b64 -S mount -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts
 {% endif %}
-{% if rhel9cis_rule_4_1_3_11 %}
+{% if rhel9cis_rule_6_3_3_11 %}
 -w /var/run/utmp -p wa -k session
 -w /var/log/wtmp -p wa -k session
 -w /var/log/btmp -p wa -k session
 {% endif %}
-{% if rhel9cis_rule_4_1_3_12 %}
+{% if rhel9cis_rule_6_3_3_12 %}
 -w /var/log/lastlog -p wa -k logins
 -w /var/run/faillock -p wa -k logins
 {% endif %}
-{% if rhel9cis_rule_4_1_3_13 %}
+{% if rhel9cis_rule_6_3_3_13 %}
--a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete
+-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=delete
--a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete
+-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ prelim_min_int_uid }} -F auid!=unset -F key=delete
 {% endif %}
-{% if rhel9cis_rule_4_1_3_14 %}
+{% if rhel9cis_rule_6_3_3_14 %}
 -w /etc/selinux -p wa -k MAC-policy
 -w /usr/share/selinux -p wa -k MAC-policy
 {% endif %}
-{% if rhel9cis_rule_4_1_3_15 %}
+{% if rhel9cis_rule_6_3_3_15 %}
--a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng
+-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
-{% if rhel9cis_rule_4_1_3_16 %}
+{% if rhel9cis_rule_6_3_3_16 %}
--a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng
+-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
-{% if rhel9cis_rule_4_1_3_17 %}
+{% if rhel9cis_rule_6_3_3_17 %}
--a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k priv_cmd
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k priv_cmd
 {% endif %}
-{% if rhel9cis_rule_4_1_3_18 %}
+{% if rhel9cis_rule_6_3_3_18 %}
--a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k usermod
+-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod
 {% endif %}
-{% if rhel9cis_rule_4_1_3_19 %}
+{% if rhel9cis_rule_6_3_3_19 %}
--a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules
+-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
--a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules
+-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules
 {% endif %}
-{% if rhel9cis_rule_4_1_3_20 %}
+{% if rhel9cis_rule_6_3_3_20 %}
 -e 2
 
 {% endif %}

templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2

@@ -0,0 +1,7 @@
+# CIS Configurations
+# 5.3.3.2.3 Ensure password complexity is configured
+minclass = {{ rhel9cis_passwd_minclass }}
+dcredit = {{rhel9cis_passwd_dcredit }}
+ucredit = {{ rhel9cis_passwd_ucredit }}
+ocredit = {{ rhel9cis_passwd_ocredit }}
+lcredit = {{ rhel9cis_passwd_lcredit }}

templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2

@@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.6 Ensure password dictionary check is enabled
+dictcheck = {{ rhel9cis_passwd_dictcheck_value }}

templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2

@@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.1 Ensure password number of changed characters is configured
+difok = {{ rhel9cis_passwd_difok_value }}

templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2

@@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.2 Ensure minimum password length is configured
+minlen = {{ rhel9cis_passwd_minlen_value }}

templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2

@@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.5 Ensure password maximum sequential characters is configured
+maxsequence = {{ rhel9cis_passwd_maxsequence_value }}

templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2

@@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.7 Ensure password quality checking is enforced
+enforcing = {{ rhel9cis_passwd_quality_enforce_value }}

templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2

@@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.4 Ensure password same consecutive characters is configured
+maxrepeat = {{ rhel9cis_passwd_maxrepeat_value }}

templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2

@@ -0,0 +1,3 @@
+# CIS Configurations
+# 5.3.3.2.8 Ensure password quality is enforced for the root user
+{{ rhel9cis_passwd_quality_enforce_root_value }}

templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2

@@ -0,0 +1,4 @@
+# File created for CIS benchmark
+# CIS rule 6_2_2_2
+[Journal]
+ForwardToSyslog=no

templates/etc/systemd/journald.conf.d/rotation.conf.j2

@@ -0,0 +1,8 @@
+# File created for CIS benchmark
+# CIS rule 6_2_1_3
+[Journal]
+SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}
+SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}
+RuntimeMaxUse={{ rhel9cis_journald_runtimemaxuse }}
+RuntimeKeepFree={{ rhel9cis_journald_runtimekeepfree }}
+MaxFileSec={{ rhel9cis_journald_maxfilesec }}

templates/etc/systemd/journald.conf.d/storage.conf.j2

@@ -0,0 +1,11 @@
+# File created for CIS benchmark
+[Journal]
+{% if rhel9cis_rule_6_2_2_3 %}
+# Set compress CIS rule 6_2_2_3
+Compress=yes
+{% endif %}
+
+{% if rhel9cis_rule_6_2_2_4 %}
+# Set persistent storage CIS rule 6_2_2_4
+Storage=persistent
+{% endif %}