From 193fded908b508939532cee83f238ed4da0b4960 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 13 Jun 2022 17:04:43 +0100 Subject: [PATCH 01/98] removed tfstate files Signed-off-by: Mark Bolwell --- .github/workflows/terraform.tfstate | 8 - .github/workflows/terraform.tfstate.backup | 370 --------------------- 2 files changed, 378 deletions(-) delete mode 100644 .github/workflows/terraform.tfstate delete mode 100644 .github/workflows/terraform.tfstate.backup diff --git a/.github/workflows/terraform.tfstate b/.github/workflows/terraform.tfstate deleted file mode 100644 index 6a8982d..0000000 --- a/.github/workflows/terraform.tfstate +++ /dev/null @@ -1,8 +0,0 @@ -{ - "version": 4, - "terraform_version": "1.2.2", - "serial": 15, - "lineage": "826bcba6-7d74-b65e-f687-a6f4945dd69e", - "outputs": {}, - "resources": [] -} diff --git a/.github/workflows/terraform.tfstate.backup b/.github/workflows/terraform.tfstate.backup deleted file mode 100644 index ffbb4b0..0000000 --- a/.github/workflows/terraform.tfstate.backup +++ /dev/null 
@@ -1,370 +0,0 @@ -{ - "version": 4, - "terraform_version": "1.2.2", - "serial": 7, - "lineage": "826bcba6-7d74-b65e-f687-a6f4945dd69e", - "outputs": {}, - "resources": [ - { - "mode": "data", - "type": "aws_vpc", - "name": "default", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:vpc/vpc-05ef27c517862c3b1", - "cidr_block": "172.31.0.0/16", - "cidr_block_associations": [ - { - "association_id": "vpc-cidr-assoc-0a0f361027d9f91f3", - "cidr_block": "172.31.0.0/16", - "state": "associated" - } - ], - "default": true, - "dhcp_options_id": "dopt-c5dfccbe", - "enable_dns_hostnames": true, - "enable_dns_support": true, - "filter": null, - "id": "vpc-05ef27c517862c3b1", - "instance_tenancy": "default", - "ipv6_association_id": "", - "ipv6_cidr_block": "", - "main_route_table_id": "rtb-0a40eb856c7d79f1d", - "owner_id": "817651307868", - "state": null, - "tags": { - "Name": "Default VPC" - } - }, - "sensitive_attributes": [] - } - ] - }, - { - "mode": "managed", - "type": "aws_instance", - "name": "testing_vm", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "ami": "ami-0c41531b8d18cc72b", - "arn": "arn:aws:ec2:us-east-1:817651307868:instance/i-0d997714170ce8898", - "associate_public_ip_address": true, - "availability_zone": "us-east-1a", - "capacity_reservation_specification": [ - { - "capacity_reservation_preference": "open", - "capacity_reservation_target": [] - } - ], - "cpu_core_count": 1, - "cpu_threads_per_core": 2, - "credit_specification": [ - { - "cpu_credits": "unlimited" - } - ], - "disable_api_termination": false, - "ebs_block_device": [], - "ebs_optimized": false, - "enclave_options": [ - { - "enabled": false - } - ], - "ephemeral_block_device": [], - "get_password_data": false, - "hibernation": false, - "host_id": null, - "iam_instance_profile": "", - 
"id": "i-0d997714170ce8898", - "instance_initiated_shutdown_behavior": "stop", - "instance_state": "running", - "instance_type": "t3.micro", - "ipv6_address_count": 0, - "ipv6_addresses": [], - "key_name": "github_actions", - "launch_template": [], - "maintenance_options": [ - { - "auto_recovery": "default" - } - ], - "metadata_options": [ - { - "http_endpoint": "enabled", - "http_put_response_hop_limit": 1, - "http_tokens": "optional", - "instance_metadata_tags": "disabled" - } - ], - "monitoring": false, - "network_interface": [], - "outpost_arn": "", - "password_data": "", - "placement_group": "", - "placement_partition_number": null, - "primary_network_interface_id": "eni-0417127dc77918518", - "private_dns": "ip-172-31-8-170.ec2.internal", - "private_ip": "172.31.8.170", - "public_dns": "ec2-3-238-53-150.compute-1.amazonaws.com", - "public_ip": "3.238.53.150", - "root_block_device": [ - { - "delete_on_termination": true, - "device_name": "/dev/sda1", - "encrypted": false, - "iops": 100, - "kms_key_id": "", - "tags": null, - "throughput": 0, - "volume_id": "vol-0392840b878024a68", - "volume_size": 10, - "volume_type": "gp2" - } - ], - "secondary_private_ips": [], - "security_groups": [ - "github_actions-5eb7d7f8d9c46a1c" - ], - "source_dest_check": true, - "subnet_id": "subnet-0ad8888b9fd53204f", - "tags": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - }, - "tags_all": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - }, - "tenancy": "default", - "timeouts": null, - "user_data": null, - "user_data_base64": null, - "user_data_replace_on_change": false, - "volume_tags": null, - "vpc_security_group_ids": [ - "sg-054e3f94c98fc64f2" - ] - }, - "sensitive_attributes": [], - "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6MTIwMDAwMDAwMDAwMCwidXBkYXRlIjo2MDAwMDAwMDAwMDB9LCJzY2hlbWFfdmVyc2lvbiI6IjEifQ==", - "dependencies": [ - 
"aws_security_group.github_actions", - "data.aws_vpc.default", - "random_id.server" - ] - } - ] - }, - { - "mode": "managed", - "type": "aws_internet_gateway", - "name": "IGW", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:internet-gateway/igw-0ef39abda6f14481d", - "id": "igw-0ef39abda6f14481d", - "owner_id": "817651307868", - "tags": { - "Name": "github_actions-IGW" - }, - "tags_all": { - "Name": "github_actions-IGW" - }, - "vpc_id": "vpc-068452c798d98b17f" - }, - "sensitive_attributes": [], - "private": "bnVsbA==", - "dependencies": [ - "aws_vpc.Main" - ] - } - ] - }, - { - "mode": "managed", - "type": "aws_security_group", - "name": "github_actions", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:security-group/sg-054e3f94c98fc64f2", - "description": "Managed by Terraform", - "egress": [ - { - "cidr_blocks": [ - "0.0.0.0/0" - ], - "description": "", - "from_port": 0, - "ipv6_cidr_blocks": [], - "prefix_list_ids": [], - "protocol": "-1", - "security_groups": [], - "self": false, - "to_port": 0 - } - ], - "id": "sg-054e3f94c98fc64f2", - "ingress": [ - { - "cidr_blocks": [ - "0.0.0.0/0" - ], - "description": "", - "from_port": 22, - "ipv6_cidr_blocks": [], - "prefix_list_ids": [], - "protocol": "tcp", - "security_groups": [], - "self": false, - "to_port": 22 - }, - { - "cidr_blocks": [ - "0.0.0.0/0" - ], - "description": "", - "from_port": 80, - "ipv6_cidr_blocks": [], - "prefix_list_ids": [], - "protocol": "tcp", - "security_groups": [], - "self": false, - "to_port": 80 - } - ], - "name": "github_actions-5eb7d7f8d9c46a1c", - "name_prefix": "", - "owner_id": "817651307868", - "revoke_rules_on_delete": false, - "tags": { - "Name": "github_actions-SG" - }, - "tags_all": { - "Name": "github_actions-SG" - }, - 
"timeouts": null, - "vpc_id": "vpc-05ef27c517862c3b1" - }, - "sensitive_attributes": [], - "private": "eyJlMmJmYjczMC1lY2FhLTExZTYtOGY4OC0zNDM2M2JjN2M0YzAiOnsiY3JlYXRlIjo2MDAwMDAwMDAwMDAsImRlbGV0ZSI6OTAwMDAwMDAwMDAwfSwic2NoZW1hX3ZlcnNpb24iOiIxIn0=", - "dependencies": [ - "data.aws_vpc.default", - "random_id.server" - ] - } - ] - }, - { - "mode": "managed", - "type": "aws_vpc", - "name": "Main", - "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]", - "instances": [ - { - "schema_version": 1, - "attributes": { - "arn": "arn:aws:ec2:us-east-1:817651307868:vpc/vpc-068452c798d98b17f", - "assign_generated_ipv6_cidr_block": false, - "cidr_block": "172.22.0.0/24", - "default_network_acl_id": "acl-08a831aefd0ff6f65", - "default_route_table_id": "rtb-09ae50e860e80fb1f", - "default_security_group_id": "sg-01ff3ec71f0cd3115", - "dhcp_options_id": "dopt-c5dfccbe", - "enable_classiclink": false, - "enable_classiclink_dns_support": false, - "enable_dns_hostnames": false, - "enable_dns_support": true, - "id": "vpc-068452c798d98b17f", - "instance_tenancy": "default", - "ipv4_ipam_pool_id": null, - "ipv4_netmask_length": null, - "ipv6_association_id": "", - "ipv6_cidr_block": "", - "ipv6_cidr_block_network_border_group": "", - "ipv6_ipam_pool_id": "", - "ipv6_netmask_length": 0, - "main_route_table_id": "rtb-09ae50e860e80fb1f", - "owner_id": "817651307868", - "tags": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - }, - "tags_all": { - "Environment": "lockdown_github_repo_workflow", - "Name": "RHEL9-CIS" - } - }, - "sensitive_attributes": [], - "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjEifQ==" - } - ] - }, - { - "mode": "managed", - "type": "local_file", - "name": "inventory", - "provider": "provider[\"registry.terraform.io/hashicorp/local\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "content": " # benchmark host\n all:\n hosts:\n rhel9:\n ansible_host: 3.238.53.150\n ansible_user: ec2-user\n vars:\n setup_audit: true\n 
run_audit: true\n system_is_ec2: true\n audit_git_version: devel\n", - "content_base64": null, - "directory_permission": "0755", - "file_permission": "0644", - "filename": "./hosts.yml", - "id": "697bfe9ff397a4b5e3f46caf3c48481a3d485375", - "sensitive_content": null, - "source": null - }, - "sensitive_attributes": [], - "private": "bnVsbA==", - "dependencies": [ - "aws_instance.testing_vm", - "aws_security_group.github_actions", - "data.aws_vpc.default", - "random_id.server" - ] - } - ] - }, - { - "mode": "managed", - "type": "random_id", - "name": "server", - "provider": "provider[\"registry.terraform.io/hashicorp/random\"]", - "instances": [ - { - "schema_version": 0, - "attributes": { - "b64_std": "XrfX+NnEahw=", - "b64_url": "XrfX-NnEahw", - "byte_length": 8, - "dec": "6825161224108665372", - "hex": "5eb7d7f8d9c46a1c", - "id": "XrfX-NnEahw", - "keepers": { - "ami_id": "ami-0c41531b8d18cc72b" - }, - "prefix": null - }, - "sensitive_attributes": [], - "private": "bnVsbA==" - } - ] - } - ] -} From 70942f45ea7cd97f73c5231e75b8492a245b06a6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 13 Jun 2022 17:05:20 +0100 Subject: [PATCH 02/98] updated to use almalinux image Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars index 5baddfc..f9dc528 100644 --- a/.github/workflows/OS.tfvars +++ b/.github/workflows/OS.tfvars @@ -1,5 +1,5 @@ #Ami Rocky 85 -ami_id = "ami-0c41531b8d18cc72b" +ami_id = "ami-0d824d9c499f27c8a" ami_os = "rhel9" ami_username = "ec2-user" ami_user_home = "/home/ec2-user" From c0c24ec8efc17cea0ab9aba16c88c000307ea0db Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 17 Jun 2022 11:23:44 +0100 Subject: [PATCH 03/98] improved test with idempotency Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.4.1.x.yml | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) 
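Review bot: The `#Ami Rocky 85` comment directly above the changed `ami_id` line is now stale, since the commit message says the image was switched to AlmaLinux. Replace it with a comment naming the image the new ID resolves to, e.g. `# AMI: AlmaLinux 9 - update this label whenever ami_id changes`, so the next reader can check the opaque ID against the AMI name and owner instead of trusting the label. `ami_os = "rhel9"` is left unchanged, which may be intended for a RHEL-compatible image, but is worth stating in the same comment.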
diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index caabdb5..cef70de 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -83,10 +83,20 @@ - patch - firewalld - rule_3_4_1_4 - - name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set" - command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" + block: + - name: "3.4.1.5 | AUDIT | Ensure firewalld default zone is set" + shell: "firewall-cmd --get-default-zone | grep {{ rhel9cis_default_zone }}" + changed_when: false + failed_when: ( firewalld_zone_set.rc not in [ 0, 1 ] ) + register: firewalld_zone_set + + - name: "3.4.1.5 | AUDIT | Ensure firewalld default zone is set" + command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" + when: + - firewalld_zone_set.rc != 0 when: + - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_1_5 tags: - level1-server From 91da6ffaa245d0be1f5c78d6924c86769c9d4f0b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 17 Jun 2022 11:23:57 +0100 Subject: [PATCH 04/98] updated testing Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index c728d90..d8ea214 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -59,7 +59,7 @@ when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0 - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1' + shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false check_mode: no register: rhel_8_5_6_1_4_user_list From fb1c6e923268e7a9306c6cce313d635c6ed405e1 Mon Sep 17 00:00:00 2001 
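Review bot: The new audit task in 3.4.1.5 pipes `firewall-cmd --get-default-zone` through `grep {{ rhel9cis_default_zone }}`, which is an unanchored regex match, so a current zone whose name contains the desired one reports success and the set task is skipped. Registering the bare output and comparing it avoids both the shell and the regex: `command: firewall-cmd --get-default-zone` with `register: firewalld_zone_set`, then `when: firewalld_zone_set.stdout | trim != rhel9cis_default_zone` on the set task, after which the `failed_when` on return codes is no longer needed. The second task is now labelled `AUDIT` although it is the one that changes the default zone; it should keep its `PATCH` label.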
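Review bot: The replacement `awk` expression in 5.6.1.4 is undocumented, and its field-by-field intent (second field not beginning with `!` or `*`, seventh field empty, `-1`, or greater than 30) cannot be recovered by a reader without re-deriving the regex. A comment above the task such as `# select shadow entries with a usable password (field 2) whose inactive-days value (field 7) is unset, -1 or > 30` would make the selection auditable. Note that `[^\!\*:]*` also admits an empty password field and that `\s` is a gawk extension; both are presumably acceptable on RHEL 9 but belong in that comment.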
From: Mark Bolwell Date: Fri, 17 Jun 2022 11:24:14 +0100 Subject: [PATCH 05/98] added libselinux requirement Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index eb17d00..53b1350 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -82,6 +82,14 @@ - level1-server - level1-workstation +- name: "PRELIM | Ensure python3-libselinux is installed" + package: + name: python3-libselinux + state: present + become: true + when: + - '"python3-libselinux" not in ansible_facts.packages' + - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" package: name: audit From 33ebfea653915a12acf75eb8a564d17fe592ca30 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:03:18 +0100 Subject: [PATCH 06/98] sysctl control improvements Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.5.x.yml | 11 +-- tasks/section_3/cis_3.1.x.yml | 14 ++-- tasks/section_3/cis_3.2.x.yml | 34 +++++---- tasks/section_3/cis_3.3.x.yml | 131 +++++++++++++++++++++------------- 4 files changed, 118 insertions(+), 72 deletions(-) diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 6573e51..031ba5c 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -32,10 +32,13 @@ - rule_1.5.2 - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" - notify: - - update sysctl + block: + - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" + set_fact: + sysctl_update: true + - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" when: - rhel9cis_rule_1_5_3 tags: 
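Review bot: The `when: '"python3-libselinux" not in ansible_facts.packages'` guard on the new PRELIM task is redundant with `state: present`, which is already idempotent, and it makes the task depend on `package_facts` having been gathered earlier in the run; if that gather is skipped or reordered the play fails on an undefined variable instead of installing the package. Dropping the `when` (or guarding it with `ansible_facts.packages is defined`) is the simpler form. This task is also the only one in the hunk with an explicit `become: true`; the following `audit` install shows none in the visible context, which looks inconsistent.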
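Review bot: The kept `msg: "Control being set via Handler 'update sysctl' ..."` in 1.5.3 is now misleading, because this hunk replaces `notify: update sysctl` with `set_fact: sysctl_update: true` and patch 10 of this series deletes the `update sysctl` handler from handlers/main.yml. The same stale wording is retained in every rewritten control in cis_3.1.x, cis_3.2.x and cis_3.3.x. Rewording to what now happens, e.g. `msg: "Control is applied by the sysctl template task when sysctl_update is true; writes /etc/sysctl.d/60-kernel_sysctl.conf"`, plus a one-line comment above the set_fact saying the flag is consumed later (the consumer is not visible in this series), would keep the output honest. Note also that a `set_fact`/`debug` pair never reports changed, so these controls no longer appear in the recap the way the notify-based version did.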
diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index db3c0fd..bb6d09c 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -3,11 +3,15 @@ # The CIS Control wants IPv6 disabled if not in use. # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" - notify: - - update sysctl - - sysctl flush ipv6 route table + block: + - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" + set_fact: + sysctl_update: true + flush_ipv6_route: true + + - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" when: - not rhel9cis_ipv6_required - rhel9cis_rule_3_1_1 diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 46295ec..36a4628 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml 
@@ -2,19 +2,22 @@ - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled" block: + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table + - block: + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact" + set_fact: + flush_ipv6_route: true - - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv6 route table + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" + when: rhel9cis_ipv6_required when: - not rhel9cis_is_router @@ -28,11 +31,14 @@ - rule_3.2.1 - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table + block: + - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + - name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - not rhel9cis_is_router - rhel9cis_rule_3_2_2 diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 139ca65..42cd4fb 100644 --- a/tasks/section_3/cis_3.3.x.yml 
+++ b/tasks/section_3/cis_3.3.x.yml @@ -2,19 +2,23 @@ - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" block: - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4 | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv4" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl + - block: + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact" + set_fact: + flush_ipv6_route: true + + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" + when: rhel9cis_ipv6_required when: - rhel9cis_rule_3_3_1 
@@ -27,19 +31,23 @@ - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" block: - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4 | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv4" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl + - block: + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact" + set_fact: + flush_ipv6_route: true + + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" when: rhel9cis_ipv6_required when: - rhel9cis_rule_3_3_2 @@ -51,9 +59,14 @@ - rule_3.3.2 - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: update sysctl + block: + - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_3 tags: 
@@ -64,9 +77,14 @@ - rule_3.3.3 - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: update sysctl + block: + - name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_4 tags: @@ -77,9 +95,14 @@ - rule_3.3.4 - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: update sysctl + block: + - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + - name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_5 tags: @@ -90,9 +113,15 @@ - rule_3.3.5 - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: update sysctl + block: + - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + + - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_6 tags: 
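Review bot: The new task name in 3.3.5, `- name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"`, is missing its opening double quote, so YAML most likely reads it as a plain scalar ending in a literal `"` and the task prints with a stray quote. It should read `- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored"`. The 3.3.4 and 3.3.6 hunks beside it are quoted correctly.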
@@ -103,9 +132,14 @@ - rule_3.3.6 - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: update sysctl + block: + - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_7 tags: @@ -116,9 +150,14 @@ - rule_3.3.7 - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: update sysctl + block: + - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled | Set Fact" + set_fact: + sysctl_update: true + flush_ipv4_route: true + - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" when: - rhel9cis_rule_3_3_8 tags: 
@@ -130,20 +169,14 @@ - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" block: - - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table + - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6 | Set Fact" + set_fact: + sysctl_update: true + flush_ipv6_route: true - - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" + - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted | IPv6" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required when: - rhel9cis_ipv6_required - rhel9cis_rule_3_3_9 From b0e038bd453b5a6d5a5c3b0f4b03a01dbf2ce394 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:03:45 +0100 Subject: [PATCH 07/98] container var usage improvement Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index f687901..d0a9eaa 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -14,7 +14,7 @@ modprobe: name: cramfs state: absent - when: ansible_connection != 'docker' + when: not system_is_container when: - rhel9cis_rule_1_1_1_1 tags: @@ -39,7 +39,7 @@ modprobe: name: squashfs state: absent - when: ansible_connection != 'docker' + when: not system_is_container when: - rhel9cis_rule_1_1_1_2 tags: @@ -64,7 +64,7 @@ modprobe: name: udf state: absent - when: ansible_connection != 'docker' + when: not system_is_container when: - rhel9cis_rule_1_1_1_3 tags: From c3c668bb8eca2df8ef52f9dcca00be943a9960fb Mon Sep 17 00:00:00 2001 
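Review bot: The retained `msg` in 3.3.9 names `/etc/sysctl.d/60-netipv6_sysctl`, without the `.conf` suffix every other control in cis_3.2.x and cis_3.3.x uses for the same file; if the message is meant to point the operator at the file it should read `.../60-netipv6_sysctl.conf`. Dropping the inner `when: rhel9cis_ipv6_required` is fine since the outer `when` still carries it, but the `| IPv6` suffix on both task names is then redundant for a control that is IPv6-only by definition.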
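Review bot: The three hunks in cis_1.1.1.x replace `ansible_connection != 'docker'` with `not system_is_container`, but nothing in this series defines `system_is_container` — the `defaults/main.yml` hunks in patch 09 add only the sysctl and audit flags — so unless it is set in prelim or inventory the `modprobe` tasks fail on an undefined variable rather than being skipped. If it is meant to be derived at runtime, a `set_fact` in prelim with a comment stating how it is detected would close the gap; if it is user-facing it belongs in `defaults/main.yml` with a default of `false`. The same variable gates the route-flush handlers in patch 10.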
From: Mark Bolwell Date: Mon, 20 Jun 2022 17:04:44 +0100 Subject: [PATCH 08/98] crypto idempotency Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.2.x.yml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 7234da6..73b804f 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -271,10 +271,21 @@ - rule_5.2.13 - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" - shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd - args: - warn: no - notify: restart sshd + block: + - name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden" + shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd + args: + warn: no + changed_when: false + failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] ) + register: ssh_crypto_discovery + + - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" + shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd + args: + warn: no + notify: restart sshd + when: ssh_crypto_discovery.stdout | length > 0 when: - rhel9cis_rule_5_2_14 tags: From d2684c1e9d060229d0ce01d352edea41291396dd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:05:23 +0100 Subject: [PATCH 09/98] auditd, sysctl vars goss version update Signed-off-by: Mark Bolwell --- defaults/main.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6dfa404..2a5a490 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -460,6 +460,11 @@ rhel9cis_tftp_client: false ## Section3 vars +## Sysctl +sysctl_update: false +flush_ipv4_route: false +flush_ipv6_route: false + ### Firewall Service - either firewalld, iptables, or nftables #### Some control allow for services to be removed or masked #### The options are under each heading 
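Review bot: The new audit in 5.2.14 greps for `^\s*CRYPTO_POLICY=` while the patch step's sed matches `^\s*(CRYPTO_POLICY\s*=.*)$`, so an override written as `CRYPTO_POLICY = ...` (spaces around `=`) is missed by the audit and never commented out, and `grep -i` counts a lowercase `crypto_policy=` line that sed (no `I` flag) will not touch, giving a perpetual changed. Aligning the two patterns, e.g. `shell: grep '^\s*CRYPTO_POLICY\s*=' /etc/sysconfig/sshd`, restores the idempotency the commit aims for. A comment above the block stating that any active `CRYPTO_POLICY=` line in this file overrides the system-wide policy would explain why a single grep is the whole check.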
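Review bot: The new `sysctl_update`, `flush_ipv4_route` and `flush_ipv6_route` defaults are internal state flipped by `set_fact` in the section 1/3 tasks, but the `## Sysctl` heading does not say so, so they read like user-tunable options alongside the `rhel9cis_*` variables around them. A comment such as `## Sysctl - internal flags set by tasks at runtime, not intended to be overridden` (and the same for `update_audit_template` in the next hunk) would stop operators from setting them in inventory. Unlike the surrounding variables they also lack the `rhel9cis_` prefix, which makes collisions with other roles more likely; noted rather than proposed, since renaming touches every hunk in this series.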
@@ -498,6 +503,9 @@ rhel9cis_audit_back_log_limit: 8192 # The max_log_file parameter should be based on your sites policy rhel9cis_max_log_file_size: 10 +### 4.1.3.x audit template +update_audit_template: false + ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 @@ -633,8 +641,8 @@ audit_run_script_environment: ### Goss binary settings ### goss_version: - release: v0.3.16 - checksum: 'sha256:827e354b48f93bce933f5efcd1f00dc82569c42a179cf2d384b040d8a80bfbfb' + release: v0.3.18 + checksum: 'sha256:432308ebca0caf8165d45bd27e3262126aad9d15572ac8cb3149b3c91f75aace' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json From 02c843f11067e516476bbab77c40eddeedfc3385 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:05:59 +0100 Subject: [PATCH 10/98] sysctl improvements, become usage Signed-off-by: Mark Bolwell --- handlers/main.yml | 56 +++++++++++++++-------------------------------- 1 file changed, 18 insertions(+), 38 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 08c8026..7ff5ea2 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,6 +1,11 @@ --- # handlers file for RHEL9-CIS +- name: reload sysctl + shell: sysctl --system + args: + warn: false + - name: sysctl flush ipv4 route table become: true sysctl: @@ -8,7 +13,9 @@ value: '1' sysctl_set: true ignore_errors: true - when: ansible_virtualization_type != "docker" + when: + - flush_ipv4_route + - not system_is_container tags: - skip_ansible_lint 
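Review bot: The new `reload sysctl` handler runs `shell: sysctl --system` although no shell features are used, so `command: sysctl --system` is the tighter form; the `args: warn: false` it carries only silenced the command-module hint, and that option has been removed from the command/shell modules in recent ansible-core releases, which makes this handler a future failure point. It reports changed on every run, which is acceptable for a handler, but a why-comment (`# re-read all /etc/sysctl.d drop-ins after a template changed`) would document the intent. Which task notifies it is not visible in this series; previously the removed `update sysctl` template did.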
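Review bot: The `sysctl flush ipv4 route table` handler is now gated on `flush_ipv4_route` (and its IPv6 sibling in the next hunk on `flush_ipv6_route`), but handlers still only run when notified, and this series removes every `notify:` of those handlers from cis_1.5.x, cis_3.1.x, cis_3.2.x and cis_3.3.x without adding one anywhere on the page. Unless a task outside this series notifies them, the route flush never happens and the new flags are dead. Either keep a `notify` on the task that renders the sysctl templates, or turn the flush into an ordinary task gated on the flag; a comment on the handler naming who is expected to notify it would make the contract visible. The next hunk also removes the `update sysctl` template handler that used to render the `60-*.conf` files, so where `sysctl_update` is consumed is not visible here either.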
@@ -18,35 +25,9 @@ name: net.ipv6.route.flush value: '1' sysctl_set: true - when: ansible_virtualization_type != "docker" - -- name: update sysctl - template: - src: "etc/sysctl.d/{{ item }}.j2" - dest: "/etc/sysctl.d/{{ item }}" - owner: root - group: root - mode: 0600 - notify: reload sysctl - with_items: - - 60-kernel_sysctl.conf - - 60-disable_ipv6.conf - - 60-netipv4_sysctl.conf - - 60-netipv6_sysctl.conf - when: - - ansible_virtualization_type != "docker" - - "'procps-ng' in ansible_facts.packages" - -- name: reload sysctl - sysctl: - name: net.ipv4.route.flush - value: '1' - state: present - reload: true - ignoreerrors: true - when: - - ansible_virtualization_type != "docker" - - "'systemd' in ansible_facts.packages" + when: + - flush_ipv6_route + - not system_is_container - name: systemd restart tmp.mount become: true @@ -72,25 +53,21 @@ warn: false - name: restart firewalld - become: true service: name: firewalld state: restarted - name: restart sshd - become: true service: name: sshd state: restarted - name: restart postfix - become: true service: name: postfix state: restarted - name: reload dconf - become: true shell: dconf update args: warn: false @@ -102,15 +79,18 @@ owner: root group: root mode: 0600 + register: auditd_template_update notify: restart auditd - name: restart auditd - shell: /sbin/service auditd restart - changed_when: false - check_mode: false - failed_when: false + shell: service auditd restart args: warn: false + when: + - audit_rules_updated.changed or + rule_4_1_2_1.changed or + rule_4_1_2_2.changed or + rule_4_1_2_3.changed tags: - skip_ansible_lint From 97a6a6199722e2404aef0b41dbd5ef216135ecf4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:06:16 +0100 Subject: [PATCH 11/98] container var usage Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.1.x.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index c78be9b..ffe7205 100644 
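Review bot: The new `when` on `restart auditd` tests `audit_rules_updated.changed`, but the template task just above registers its result as `auditd_template_update`, so a run in which only the rules template changed either skips the restart or fails on an undefined variable, depending on whether `audit_rules_updated` is set somewhere outside this series. The `rule_4_1_2_1..3` registers from the cis_4.1.2.x hunks are likewise undefined if that task file is not included (tag-filtered runs), which raises an error inside a handler. Since a handler only fires after a notifying task reported changed, the guard is largely redundant; if it is kept it should use the registered name and tolerate absence, e.g. `- (auditd_template_update | default({})).changed | default(false) or (rule_4_1_2_1 | default({})).changed | default(false)` for each term. A why-comment that `service auditd restart` is used because auditd's unit presumably refuses a manual `systemctl` stop would also explain the bare shell call.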
--- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -30,7 +30,6 @@ enabled: yes when: - rhel9cis_rule_4_1_1_2 - - ansible_connection != 'docker' tags: - level2-server - level2-workstation From 1dd2b46be604f77d85c8a744369feeed0ca4e4ca Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:06:41 +0100 Subject: [PATCH 12/98] logrotate process update Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 959fd62..2283d6a 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -16,7 +16,7 @@ - name: "4.3.2 | PATCH | Ensure logrotate is running and enabled" systemd: - name: logrotate + name: logrotate.timer state: started enabled: true when: From b934cbef3f259500f920b9729274e6cfbadd4775 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:06:56 +0100 Subject: [PATCH 13/98] suditd improvements Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.2.x.yml | 3 + tasks/section_4/cis_4.1.3.x.yml | 126 ++++++++++++-------------------- 2 files changed, 50 insertions(+), 79 deletions(-) diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index 0eec0b2..afad08b 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -5,6 +5,7 @@ path: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" line: "max_log_file = {{ rhel9cis_max_log_file_size }}" + register: rule_4_1_2_1 notify: restart auditd when: - rhel9cis_rule_4_1_2_1 @@ -21,6 +22,7 @@ path: /etc/audit/auditd.conf regexp: "^max_log_file_action" line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" + register: rule_4_1_2_2 notify: restart auditd when: - rhel9cis_rule_4_1_2_2 
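Review bot: This hunk removes the `ansible_connection != 'docker'` condition from 4.1.1.2 outright, whereas the sibling "container var usage" change in cis_1.1.1.x (patch 07) replaces it with `not system_is_container`, so the service task (`enabled: yes` in the visible context) is now attempted inside containers too. If that is intended, a one-line comment saying the task is expected to no-op in containers would stop the next reader from re-adding the guard; otherwise the line should be `- not system_is_container`.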
@@ -37,6 +39,7 @@ path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" + register: rule_4_1_2_3 notify: restart auditd with_items: - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' } diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index 0c39267..c05b93c 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -1,10 +1,8 @@ --- - name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_1 tags: @@ -16,10 +14,8 @@ - rule_4.1.3.1 - name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_2 tags: @@ -31,10 +27,8 @@ - rule_4.1.3.2 - name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_3 tags: @@ -46,10 +40,8 @@ - rule_4.1.3.3 - name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_4 tags: 
@@ -61,10 +53,8 @@ - rule_4.1.3.4 - name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_5 tags: @@ -85,9 +75,8 @@ register: priv_procs - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true + set_fact: + update_audit_template: true notify: update auditd when: - rhel9cis_rule_4_1_3_6 @@ -100,10 +89,8 @@ - rule_4.1.3.6 - name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_7 tags: @@ -115,10 +102,8 @@ - rule_4.1.3_7 - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_8 tags: @@ -130,10 +115,8 @@ - rule_4.1.3.8 - name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_9 tags: 
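Review bot: The 4.1.3.6 task in the `@@ -85,9 +75,8 @@` hunk keeps `notify: update auditd` while every sibling control in this file drops it in favour of `set_fact: update_audit_template: true`, so this one control still triggers the handler's template as well as the post-play tasks/auditd.yml template, both of which write the same rules file. Removing the `notify: update auditd` line makes 4.1.3.6 consistent with 4.1.3.1–4.1.3.20. If the `update auditd` handler is meant to stay for other callers that is fine, but then this is the only control still using it.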
@@ -145,10 +128,8 @@ - rule_4.1.3.9 - name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_10 tags: @@ -160,10 +141,8 @@ - rule_4.1.3.10 - name: "4.1.3.11 | PATCH | Ensure session initiation information is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_11 tags: @@ -175,10 +154,8 @@ - rule_4.1.3.11 - name: "4.1.3.12 | PATCH | Ensure login and logout events are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_12 tags: @@ -190,10 +167,8 @@ - rule_4.1.3.12 - name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_13 tags: @@ -204,10 +179,8 @@ - rule_4.1.3.13 - name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_14 tags: 
@@ -219,10 +192,8 @@ - rule_4.1.3.14 - name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_15 tags: @@ -234,10 +205,8 @@ - rule_4.1.3.15 - name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_16 tags: @@ -249,10 +218,8 @@ - rule_4.1.3.16 - name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_17 tags: @@ -264,10 +231,8 @@ - rule_4.1.3.17 - name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_18 tags: @@ -279,10 +244,8 @@ - rule_4.1.3.18 - name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_19 tags: 
@@ -294,10 +257,8 @@ - rule_4.1.3.19 - name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - changed_when: true - notify: update auditd + set_fact: + update_audit_template: true when: - rhel9cis_rule_4_1_3_20 tags: @@ -321,3 +282,10 @@ - patch - auditd - rule_4.1.3.21 + +- name: Auditd | 4.1.3 | Auditd controls updated + debug: + msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules" + changed_when: false + when: + - update_audit_template From 4336bbf6b627302b7a9880b1e14d54000e5d6326 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:07:39 +0100 Subject: [PATCH 14/98] auditd, sysctl, become tidy up Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 25 ++++++++++++++++++ tasks/main.yml | 14 +++++----- tasks/post.yml | 67 ++++++++++++------------------------------------ 3 files changed, 49 insertions(+), 57 deletions(-) create mode 100644 tasks/auditd.yml diff --git a/tasks/auditd.yml b/tasks/auditd.yml new file mode 100644 index 0000000..f3fc1fd --- /dev/null +++ b/tasks/auditd.yml 
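Review bot: The message in the new `Auditd | 4.1.3 | Auditd controls updated` task names `/etc/auditd/rules.d/99_auditd.rules`, but the template task in tasks/auditd.yml writes `/etc/audit/rules.d/99_auditd.rules`; an operator following the message would look in the wrong directory. Change it to `msg: "Auditd Controls handled in POST using template - updating /etc/audit/rules.d/99_auditd.rules"`. `changed_when: false` is right here since the task only reports.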
@@ -0,0 +1,25 @@ +- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added + template: + src: audit/99_auditd.rules.j2 + dest: /etc/audit/rules.d/99_auditd.rules + owner: root + group: root + mode: 0600 + register: audit_rules_updated + notify: restart auditd + +- name: POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable + block: + - name: POST | AUDITD | Discover if auditd immutable - will require reboot if auditd template applied + shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules + changed_when: false + register: auditd_immutable_check + + - name: POST | AUDITD | Set reboot required if auditd immutable + debug: + msg: "Reboot required for auditd to apply new rules as immutable set" + notify: change_requires_reboot + when: + - auditd_immutable_check.stdout == '1' + when: + - audit_rules_updated.changed \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 1b240f7..9a6ee31 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
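Review bot: `grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules` exits 1 when the count is 0, and the shell task has no `failed_when`, so applying the template with immutability disabled fails the play at the discovery task instead of reporting "no reboot needed". Add `failed_when: auditd_immutable_check.rc > 1` to that task. The follow-on `debug` task carries `notify: change_requires_reboot`, but `debug` never reports changed, so the handler is never triggered; it needs `changed_when: true`, the pattern the removed 4.1.3.x tasks used. The new file also lacks a trailing newline.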
@@ -123,49 +123,49 @@ - name: run Section 1 tasks import_tasks: section_1/main.yml - become: true when: rhel9cis_section1 tags: - rhel9cis_section1 - name: run Section 2 tasks import_tasks: section_2/main.yml - become: true when: rhel9cis_section2 tags: - rhel9cis_section2 - name: run Section 3 tasks import_tasks: section_3/main.yml - become: true when: rhel9cis_section3 tags: - rhel9cis_section3 - name: run Section 4 tasks import_tasks: section_4/main.yml - become: true when: rhel9cis_section4 tags: - rhel9cis_section4 - name: run Section 5 tasks import_tasks: section_5/main.yml - become: true when: rhel9cis_section5 tags: - rhel9cis_section5 - name: run Section 6 tasks import_tasks: section_6/main.yml - become: true when: rhel9cis_section6 tags: - rhel9cis_section6 +- name: run auditd logic + import_tasks: auditd.yml + when: + - update_audit_template + tags: + - always + - name: run post remediation tasks import_tasks: post.yml - become: true tags: - post_tasks - always diff --git a/tasks/post.yml b/tasks/post.yml index c0f6be8..bca18ae 100644 --- a/tasks/post.yml +++ b/tasks/post.yml 
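Review bot: Removing `become: true` from every section import means privilege escalation now has to come from the play or inventory; if a consumer runs the role unprivileged, the writes under /etc in sections 1–6 fail rather than being escalated as before. If that is the intended contract it should be stated in the README and example play, since the changelog entry `tidy up become:` does not say so. The new `run auditd logic` import also relies on `update_audit_template` being defined even when section 4 is skipped; the changelog says it defaults to false, but that default is not visible on this page.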
@@ -12,57 +12,24 @@ tags: - always -- name: trigger update sysctl - shell: /bin/true - args: - warn: false - changed_when: true - check_mode: false - notify: update sysctl +- name: update sysctl + template: + src: "etc/sysctl.d/{{ item }}.j2" + dest: "/etc/sysctl.d/{{ item }}" + owner: root + group: root + mode: 0600 + register: sysctl_updated + notify: reload sysctl + with_items: + - 60-kernel_sysctl.conf + - 60-disable_ipv6.conf + - 60-netipv4_sysctl.conf + - 60-netipv6_sysctl.conf when: - - rhel9cis_rule_3_1_1 or - rhel9cis_rule_3_1_2 or - rhel9cis_rule_3_1_3 or - rhel9cis_rule_3_2_1 or - rhel9cis_rule_3_2_2 or - rhel9cis_rule_3_3_1 or - rhel9cis_rule_3_3_2 or - rhel9cis_rule_3_3_3 or - rhel9cis_rule_3_3_4 or - rhel9cis_rule_3_3_5 or - rhel9cis_rule_3_3_6 or - rhel9cis_rule_3_3_7 or - rhel9cis_rule_3_3_8 or - rhel9cis_rule_3_3_9 - tags: - - sysctl - -- name: trigger update auditd - shell: /bin/true - args: - warn: false - notify: update auditd - changed_when: true - check_mode: false - when: - - rhel9cis_rule_4_1_1_1 or - rhel9cis_rule_4_1_1_2 or - rhel9cis_rule_4_1_1_3 or - rhel9cis_rule_4_1_2_1 or - rhel9cis_rule_4_1_2_2 or - rhel9cis_rule_4_1_2_3 or - rhel9cis_rule_4_1_3 or - rhel9cis_rule_4_1_4 or - rhel9cis_rule_4_1_5 or - rhel9cis_rule_4_1_6 or - rhel9cis_rule_4_1_7 or - rhel9cis_rule_4_1_8 or - rhel9cis_rule_4_1_9 or - rhel9cis_rule_4_1_10 or - rhel9cis_rule_4_1_11 or - rhel9cis_rule_4_1_12 - tags: - - auditd + - sysctl_update + - not system_is_container + - "'procps-ng' in ansible_facts.packages" - name: flush handlers meta: flush_handlers From 6165191c085bac0300340857ae8a952d84b968bf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:08:14 +0100 Subject: [PATCH 15/98] updates Signed-off-by: Mark Bolwell --- Changelog.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Changelog.md b/Changelog.md index b120eee..90329ca 100644 --- a/Changelog.md +++ b/Changelog.md 
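Review bot: The rewritten `update sysctl` task is gated on `sysctl_update`, a variable that appears nowhere else on this page and that the removed trigger task did not use; if it is not declared in defaults the task errors with an undefined variable, and if it is, something in the section-3 tasks presumably has to set it true where the rule flags previously drove the trigger. `register: sysctl_updated` is fine on the loop, since the top-level `changed` aggregates the items, and is what the sysctl handler later checks. Confirm `sysctl_update` is defined before merging.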
@@ -1,5 +1,18 @@ # Changes to rhel9CIS +## 0.3 + +- update to auditd template + - uses facts and template new variable + - update_audit_template (default false) +- sysctl template updates and idempotency improvements +- container discovery usage improvements +- 3.4.1.5 discovery improvement +- 5.6.1.4 discovery improvement +- logrotate process logrotate.timer +- tidy up become: +- logic improvements + ## 0.2 - not all controls work with rhel8 releases any longer From 1ab63c73d6e24f7d0a6bb836fbc5f03e835090a8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Jun 2022 17:33:06 +0100 Subject: [PATCH 16/98] added pause for rhel9 aswell Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 3c4cf3f..229becd 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -83,16 +83,16 @@ jobs: # Centos 7 images take a while to come up insert sleep or playbook fails - - name: Check if test os is rhel7 + - name: Check if test os is rhel7 or rhel9 working-directory: .github/workflows id: test_os run: >- - echo "::set-output name=RHEL7::$( - grep -c RHEL7 OS.tfvars + echo "::set-output name=Pause::$( + grep -c "RHEL\(7\|9\)" OS.tfvars )" - - name: if RHEL7 - Sleep for 60 seconds - if: steps.test_os.outputs.RHEL7 >= 1 + - name: if RHEL(7|9) - Sleep for 60 seconds + if: steps.test_os.outputs.Pause >= 1 run: sleep 60s shell: bash From c02024ef6947f025838e900f047c85894bdd1513 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Jun 2022 09:01:14 +0100 Subject: [PATCH 17/98] changed to check ssh for all hosts Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) 
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 229becd..c375c7e 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -81,20 +81,14 @@ jobs: working-directory: .github/workflows run: cat hosts.yml -# Centos 7 images take a while to come up insert sleep or playbook fails +# Ensure system is up for connections before continuing - - name: Check if test os is rhel7 or rhel9 + - name: Check system is up and runnimn working-directory: .github/workflows id: test_os run: >- - echo "::set-output name=Pause::$( - grep -c "RHEL\(7\|9\)" OS.tfvars - )" + ansible all -i hosts.yml -m wait_for -a "host='{{ (ansible_ssh_host|default(ansible_host) }}' port=22 delay=10" - - name: if RHEL(7|9) - Sleep for 60 seconds - if: steps.test_os.outputs.Pause >= 1 - run: sleep 60s - shell: bash # Run the ansible playbook - name: Run_Ansible_Playbook From 1836ae14d79666db4190dc51aa2a7a0be53363b1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Jun 2022 09:15:26 +0100 Subject: [PATCH 18/98] fix typo Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index c375c7e..b4c7df4 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -83,13 +83,12 @@ jobs: # Ensure system is up for connections before continuing - - name: Check system is up and runnimn + - name: Check system is up and running working-directory: .github/workflows id: test_os run: >- ansible all -i hosts.yml -m wait_for -a "host='{{ (ansible_ssh_host|default(ansible_host) }}' port=22 delay=10" - # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master From a8ec3e343ac31f56c4f37fff13c144ff3dd124ad Mon Sep 17 00:00:00 2001 
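Review bot: `wait_for` in the new `Check system is up and running` step runs on the managed hosts themselves, so it cannot wait for their SSH to come up; the ad-hoc run fails on the connection before the module executes, and only a local delegation would make it a readiness probe. The module argument also has an unbalanced parenthesis, `host='{{ (ansible_ssh_host|default(ansible_host) }}'`, which is a template error on its own. A later patch on this page replaces this line with a ping-based check.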
From: Mark Bolwell Date: Tue, 21 Jun 2022 13:23:34 +0100 Subject: [PATCH 19/98] updated timeout test Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index b4c7df4..8a9805c 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for -a "host='{{ (ansible_ssh_host|default(ansible_host) }}' port=22 delay=10" + ansible all -i hosts.yml -m ping -e retries=20 -e delay=20 # Run the ansible playbook - name: Run_Ansible_Playbook From cf6e08c3903e881c1a555ef8505659fe424913c0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Jun 2022 14:16:58 +0100 Subject: [PATCH 20/98] added legacy mount check again Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 53b1350..2646e98 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -90,6 +90,24 @@ when: - '"python3-libselinux" not in ansible_facts.packages' +- name: "PRELIM | Set facts based on boot type" + block: + - name: "PRELIM | Check whether machine is UEFI-based" + stat: + path: /sys/firmware/efi + register: rhel_09_efi_boot + + - name: "PRELIM | AUDIT | set legacy boot and grub path | Bios" + set_fact: + rhel9cis_legacy_boot: true + grub2_path: /etc/grub2.cfg + when: not rhel_09_efi_boot.stat.exists + + - name: "PRELIM | set grub fact | UEFI" + set_fact: + grub2_path: /etc/grub2-efi.cfg + when: rhel_09_efi_boot.stat.exists + - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" package: name: audit From b68e8a3cddaa14a0cf20d3ec5d862714ce8108b3 Mon Sep 17 00:00:00 2001 
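Review bot: `-e retries=20 -e delay=20` on an ad-hoc `ansible ... -m ping` only defines two extra variables; `retries` and `delay` are task keywords for `until` loops and are not read by the ping module or the ad-hoc runner, so this step still makes a single attempt and fails if the host is not yet up. A shell loop gives the intended behaviour, e.g. `for i in $(seq 1 20); do ansible all -i hosts.yml -m ping && break; sleep 20; done`, ideally exiting non-zero after the last attempt rather than continuing silently.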
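Review bot: The UEFI branch of the new `PRELIM | Set facts based on boot type` block sets only `grub2_path`, while the BIOS branch sets both `rhel9cis_legacy_boot: true` and `grub2_path`, so `rhel9cis_legacy_boot` is never explicitly false on UEFI hosts and depends on a default defined outside this hunk. Adding `rhel9cis_legacy_boot: false` to the UEFI `set_fact` makes the fact self-contained and keeps the two branches symmetrical.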
From: Mark Bolwell Date: Wed, 22 Jun 2022 09:53:27 +0100 Subject: [PATCH 21/98] Added Managed by Ansible Changes will be lost Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 ++ templates/audit/99_auditd.rules.j2 | 2 ++ templates/etc/chrony.conf.j2 | 2 ++ templates/etc/modprobe.d/modprobe.conf.j2 | 1 + templates/etc/sysctl.d/60-disable_ipv6.conf.j2 | 2 +- templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 | 2 +- templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 | 2 +- templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 | 2 +- templates/etc/systemd/system/tmp.mount.j2 | 2 ++ 9 files changed, 13 insertions(+), 4 deletions(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 6654add..f5a7921 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,3 +1,5 @@ + +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! ## metadata for benchmark ## metadata for Audit benchmark diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 7abe895..2d270cc 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,3 +1,5 @@ +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! + # This template will set all of the auditd configurations via a handler in the role in one task instead of individually {% if rhel9cis_rule_4_1_3_1 %} -w /etc/sudoers -p wa -k scope diff --git a/templates/etc/chrony.conf.j2 b/templates/etc/chrony.conf.j2 index 6513faa..54c1b6c 100644 --- a/templates/etc/chrony.conf.j2 +++ b/templates/etc/chrony.conf.j2 @@ -1,3 +1,5 @@ +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! + # This the default chrony.conf file for the Debian chrony package. After # editing this file use the command 'invoke-rc.d chrony restart' to make # your changes take effect. John Hasler 1998-2008 
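Review bot: The banner added to templates/ansible_vars_goss.yml.j2 reads `## This file is managed by Ansible, YOUR CHANGED WILL BE LOST!`; it should say `YOUR CHANGES WILL BE LOST`. The same wording is added to 99_auditd.rules.j2, chrony.conf.j2, modprobe.conf.j2, the four sysctl.d templates and tmp.mount.j2 in this patch. In ansible_vars_goss.yml.j2 the banner is also preceded by a new blank first line, which the other templates do not get.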
diff --git a/templates/etc/modprobe.d/modprobe.conf.j2 b/templates/etc/modprobe.d/modprobe.conf.j2 index 1a1a48d..a4d9d3d 100644 --- a/templates/etc/modprobe.d/modprobe.conf.j2 +++ b/templates/etc/modprobe.d/modprobe.conf.j2 @@ -1,5 +1,6 @@ # Disable usage of protocol {{ item }} # Set by ansible {{ benchmark }} remediation role # https://github.com/ansible-lockdown +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! install {{ item }} /bin/true \ No newline at end of file diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index 34ee10c..b172b97 100644 --- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -1,4 +1,4 @@ -# Setting added via ansible CIS remediation playbook +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! # IPv6 disable {% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} diff --git a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 index cbfffed..bf8e858 100644 --- a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 @@ -1,4 +1,4 @@ -# Setting added via ansible CIS remediation playbook +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! {% if rhel9cis_rule_1_5_3 %} diff --git a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 index 308b914..4b2dabc 100644 --- a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 @@ -1,4 +1,4 @@ -# Setting added via ansible CIS remediation playbook +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! # IPv4 Network sysctl {% if rhel9cis_rule_3_2_1 %} diff --git a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 index 0b23c55..895f23e 100644 --- a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 
+++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 @@ -1,4 +1,4 @@ -# Setting added via ansible CIS remediation playbook +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! # IPv6 Network sysctl {% if rhel9cis_ipv6_required %} diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2 index 2a97a56..f2c4fe2 100644 --- a/templates/etc/systemd/system/tmp.mount.j2 +++ b/templates/etc/systemd/system/tmp.mount.j2 @@ -7,6 +7,8 @@ # the Free Software Foundation; either version 2.1 of the License, or # (at your option) any later version. +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! + [Unit] Description=Temporary Directory (/tmp) Documentation=man:hier(7) From c4945598829b95215e8b63a333f6a5e3c3058b9d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 20 Jul 2022 17:12:41 +0100 Subject: [PATCH 22/98] updated handler conditional Signed-off-by: Mark Bolwell --- handlers/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/handlers/main.yml b/handlers/main.yml index 7ff5ea2..d983840 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -5,6 +5,8 @@ shell: sysctl --system args: warn: false + when: + - sysctl_updated.changed - name: sysctl flush ipv4 route table become: true From 6b6a4a32c876f78c4e8de9dbccdd09113b91868f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 20 Jul 2022 17:13:33 +0100 Subject: [PATCH 23/98] added warning count 
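Review bot: The `when: sysctl_updated.changed` added to the `sysctl --system` handler is redundant when its only notifier is the post.yml template task that registers `sysctl_updated`, since a handler already runs only when a notifying task changed, and it fails if the handler is ever notified before that task has run because `sysctl_updated` is then undefined. If the guard is kept, `- sysctl_updated.changed | default(false)` avoids the undefined-variable failure. The handler's `name:` line is above the hunk, so its identity is inferred from the `sysctl --system` command.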
Signed-off-by: Mark Bolwell --- tasks/main.yml | 6 +++ tasks/section_1/cis_1.1.2.x.yml | 26 +++++++++-- tasks/section_1/cis_1.1.3.x.yml | 11 ++++- tasks/section_1/cis_1.1.4.x.yml | 13 ++++-- tasks/section_1/cis_1.1.5.x.yml | 12 ++++- tasks/section_1/cis_1.1.6.x.yml | 12 ++++- tasks/section_1/cis_1.1.7.x.yml | 10 ++++- tasks/section_1/cis_1.1.8.x.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 12 +++-- tasks/section_1/cis_1.6.1.x.yml | 8 +++- tasks/section_2/cis_2.4.yml | 9 +++- tasks/section_3/cis_3.4.2.x.yml | 41 ++++++++++------- tasks/section_4/cis_4.2.2.x.yml | 21 ++++++--- tasks/section_5/cis_5.6.1.x.yml | 12 ++++- tasks/section_6/cis_6.1.x.yml | 9 +++- tasks/section_6/cis_6.2.x.yml | 80 +++++++++++++++++++++++---------- vars/main.yml | 6 ++- 17 files changed, 219 insertions(+), 71 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 9a6ee31..a55063a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -180,3 +180,9 @@ msg: "{{ audit_results.split('\n') }}" when: - run_audit + +- name: Output Warning count and control IDs affected + debug: + msg: "You have {{ warn_count }} warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" + tags: + - always diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index a50797d..d43d768 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml 
@@ -1,11 +1,30 @@ --- - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition" - debug: - msg: "Warning! /tmp is not mounted on a separate partition" + block: + - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Absent" + debug: + msg: "Warning!! /tmp is not mounted on a separate partition" + when: + - required_mount not in mount_names + + - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" + debug: + msg: "Congratulations: {{ required_mount }} exists." + register: var_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/tmp' when: - rhel9cis_rule_1_1_2_1 - - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 tags: - level1-server - level1-workstation @@ -68,7 +87,6 @@ tags: - level1-server - level1-workstation - - scored - patch - mounts - rule_1.1.2.1 diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 8fa9e4b..6dbc1d2 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml 
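Review bot: The third task in the new block is named `1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present` and registers `var_mount_present`, but it lives in the 1.1.2.1 control and reports on `/tmp`; the name looks copied from cis_1.1.3.x.yml and the registered variable collides with the one used there. Rename it to `- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present"` and register something like `tmp_mount_present`. The block also depends on `mount_names` being set by an earlier prelim task that is not in this hunk.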
@@ -4,12 +4,19 @@ block: - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent" debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_mount_absent changed_when: var_mount_absent.skipped is undefined when: - required_mount not in mount_names + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" debug: msg: "Congratulations: {{ required_mount }} exists." @@ -38,7 +45,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index c780013..62c4306 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml 
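Review bot: The new `Warn Count` task builds the list with `control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]"`, which renders the current list to text and then relies on Ansible re-evaluating the rendered string as a Python expression; whether that happens depends on the templating engine's post-processing rather than on Jinja itself. Doing the concatenation inside the expression, `control_number: "{{ control_number + ['rule_1.1.3.1'] }}"`, yields a list unambiguously. The same pattern is used in the 1.1.2.x, 1.1.4.x, 1.1.5.x, 1.1.6.x, 1.1.7.x and 1.2.x hunks of this patch.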
@@ -5,12 +5,19 @@ block: - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_tmp_mount_absent changed_when: var_tmp_mount_absent.skipped is undefined when: - required_mount not in mount_names + - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" debug: msg: "Congratulations: {{ required_mount }} exists." @@ -39,7 +46,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -61,4 +68,4 @@ - skip_ansible_lint - rule_1.1.4.2 - rule_1.1.4.3 - - rule_1.1.4.4 + - rule_1.1.4.4 \ No newline at end of file diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index c9343c4..985b3d8 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml 
@@ -4,11 +4,19 @@ block: - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_log_mount_absent changed_when: var_log_mount_absent.skipped is undefined when: - required_mount not in mount_names + + - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" debug: msg: "Congratulations: {{ required_mount }} exists." @@ -37,7 +45,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 1df3e84..47bcba7 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml 
@@ -4,11 +4,19 @@ block: - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_log_audit_mount_absent changed_when: var_log_audit_mount_absent.skipped is undefined when: - required_mount not in mount_names + + - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" debug: msg: "Congratulations: {{ required_mount }} exists." @@ -58,4 +66,4 @@ - skip_ansible_lint - rule_1.1.6.2 - rule_1.1.6.3 - - rule_1.1.6.4 + - rule_1.1.6.4 \ No newline at end of file diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 453fef5..6ba442d 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -4,11 +4,19 @@ block: - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: home_mount_absent changed_when: home_mount_absent.skipped is undefined when: - required_mount not in mount_names + + - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" debug: msg: "Congratulations: {{ required_mount }} exists." 
diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 75bdabb..a61a6af 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -25,7 +25,7 @@ src: tmpfs fstype: tmpfs state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" notify: change_requires_reboot when: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 960815f..4ad09df 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -25,7 +25,8 @@ when: - rhel9cis_rule_1_2_2 - ansible_distribution == "RedHat" or - ansible_distribution == "Rocky" + ansible_distribution == "Rocky" or + ansible_distribution == "AlmaLinux" tags: - level1-server - level1-workstation @@ -45,7 +46,7 @@ - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" replace: name: "{{ item.path }}" - regexp: '^gpgcheck\s+=\s+0' + regexp: "^gpgcheck=0" replace: "gpgcheck=1" with_items: - "{{ yum_repos.files }}" @@ -74,8 +75,13 @@ - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" debug: msg: - - "Warning! Below are the configured repos. Please review and make sure all align with site policy" + - "Warning!! Below are the configured repos. Please review and make sure all align with site policy" - "{{ dnf_configured.stdout_lines }}" + + - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Warn Count" + set_fact: + control_number: "{{ control_number }} + ['rule_1.2.4']" + warn_count: "{{ warn_count|int + 1 }}" when: - rhel9cis_rule_1_2_4 tags: 
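Review bot: The new `regexp: "^gpgcheck=0"` in 1.2.3 only matches the no-whitespace form, while the line it replaces only matched the whitespace form (`\s+`), so each version silently ignores repo files written the other way and `gpgcheck` stays off there. `regexp: '^gpgcheck\s*=\s*0'` covers both spellings in one pass. Since this is the control that enforces package signature verification, a repo file left at `gpgcheck = 0` is a real gap rather than a cosmetic one.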
diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index f917a99..f0ea11a 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -80,6 +80,12 @@ debug: msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 + + - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.6.1.5 ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 when: - rhel9cis_rule_1_6_1_5 tags: @@ -115,4 +121,4 @@ - level1-workstation - automated - patch - - rule_1.6.1.7 + - rule_1.6.1.7 \ No newline at end of file diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index e17ab76..14b86ed 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -12,9 +12,14 @@ - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" debug: msg: - - "Warning! Below are the list of services, both active and inactive" + - "Warning!! Below are the list of services, both active and inactive" - "Please review to make sure all are essential" - "{{ rhel9cis_2_4_services.stdout_lines }}" + + - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Warn Count" + set_fact: + control_number: "{{ control_number }} + ['rule_2.4']" + warn_count: "{{ warn_count|int + 1 }}" when: - rhel9cis_rule_2_4 tags: @@ -23,4 +28,4 @@ - manual - audit - services - - rule_2.4 + - rule_2.4 \ No newline at end of file diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index a9284c5..b74eda1 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -5,6 +5,7 @@ name: nftables state: present when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_1 tags: - level1-server 
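Review bot: The 1.6.1.5 warning-count task has a missing closing quote in `control_number: "{{ control_number }} + [ 'rule_1.6.1.5 ]"`; because that part of the value is literal text it will not error, but the unbalanced quote ends up in the summary message. It should read `control_number: "{{ control_number }} + [ 'rule_1.6.1.5' ]"` to match the other Warn Count tasks. The task name also uses `warning count` where the section 1 files use `Warn Count`; worth picking one spelling.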
@@ -17,22 +18,11 @@ # The control allows the service it be masked or not installed # We have chosen not installed - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables" - block: - - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | mask service" - systemd: - name: firewalld - masked: true - state: stopped - when: - - rhel9cis_nftables_firewalld_state == "masked" - - - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | pkg removed" - package: - name: firewalld - state: absent - when: - - rhel9cis_nftables_firewalld_state == "absent" + package: + name: firewalld + state: absent when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_2 tags: - level1-server @@ -59,6 +49,7 @@ name: iptables-service state: absent when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_3 tags: - level1-server @@ -105,17 +96,26 @@ - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables" debug: msg: - - "Warning! You currently have no nft tables, please review your setup" + - "Warning!! You currently have no nft tables, please review your setup" - 'Use the command "nft create table inet " to create a new table' when: - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable + - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_3.4.2.5' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0 + - not rhel9cis_nft_tables_autonewtable + - name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed" command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" failed_when: no when: rhel9cis_nft_tables_autonewtable when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_5 tags: - level1-server 
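Review bot: With the `masked` branch removed, `rhel9cis_nftables_firewalld_state` is no longer read anywhere in this file, yet the task name still promises "either not installed or masked" and the comment above it says "We have chosen not installed". If the variable remains in defaults/main.yml (not visible here) it is now dead configuration that a user may set expecting an effect; either remove it there and reword the task to `"3.4.2.2 | PATCH | Ensure firewalld is not installed with nftables"`, or keep the block and let the variable select the branch. The new `rhel9cis_firewall == "nftables"` guard itself looks right and matches the guards added to the other 3.4.2.x tasks.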
@@ -167,11 +167,12 @@ - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } when: rhel9cis_nft_tables_autochaincreate when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_6 tags: - level1-server - level1-workstation - - automated + - automate - patch - nftables - rule_3.4.2.6 @@ -208,6 +209,7 @@ command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout' when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_7 tags: - level1-server @@ -255,6 +257,7 @@ command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_8 tags: - level1-server @@ -306,6 +309,7 @@ command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout' when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_9 tags: - level1-server @@ -320,6 +324,7 @@ name: nftables enabled: yes when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_10 tags: - level1-server @@ -332,9 +337,11 @@ - name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent" lineinfile: path: /etc/sysconfig/nftables.conf + state: present insertafter: EOF line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_11 tags: - level1-server diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 9660670..7a35d8f 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml 
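Review bot: The tag list for 3.4.2.6 changes `- automated` to `- automate`, which looks like an accidental edit rather than a rename: every other task in this patch keeps `automated`, so a run scoped with `--tags automated` (or `--skip-tags automated`) will treat this rule differently from its siblings. Restore `- automated`. The added `rhel9cis_firewall == "nftables"` guard in the same hunk is fine.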
@@ -41,6 +41,7 @@ state: started enabled: yes when: + - rhel9cis_system_is_log_server - rhel9cis_rule_4_2_2_1_3 tags: - level1-server @@ -52,11 +53,12 @@ - name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" systemd: - name: systemd-journal-remote + name: systemd-journal-remote.socket state: stopped enabled: no masked: yes when: + - not rhel9cis_system_is_log_server - rhel9cis_rule_4_2_2_1_4 tags: - level1-server @@ -83,7 +85,13 @@ - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" debug: msg: - - "Warning! The status of systemd-journald should be static and it is not. Please investigate" + - "Warning!! The status of systemd-journald should be static and it is not. Please investigate" + when: "'static' not in rhel9cis_4_2_2_2_status.stdout" + + - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]" + warn_count: "{{ warn_count|int + 1 }}" when: "'static' not in rhel9cis_4_2_2_2_status.stdout" when: - rhel9cis_rule_4_2_2_2 @@ -134,7 +142,6 @@ notify: restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_5 - - rhel9cis_preferred_log_capture == "journald" tags: - level1-server - level2-workstation 
@@ -190,9 +197,13 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings" debug: msg: - - "Warning! Below are the current default settings for journald, please confirm they align with your site policies" - # - "{{ rhel9cis_4_2_2_7_override_settings.stdout_lines }}" + - "Warning!! Below are the current default settings for journald, please confirm they align with your site policies" - "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}" + + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_4.2.2.7' ]" + warn_count: "{{ warn_count|int + 1 }}" when: - rhel9cis_rule_4_2_2_7 tags: diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index d8ea214..790e876 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -78,7 +78,7 @@ - password - rule_5.6.1.4 -- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" +- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" block: - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" shell: echo $(($(date --utc --date "$1" +%s)/86400)) 
@@ -101,7 +101,15 @@ - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" debug: - msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + when: + - rhel9cis_5_6_1_5_user_list.stdout | length > 0 + - not rhel9cis_futurepwchgdate_autofix + + - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]" + warn_count: "{{ warn_count|int + 1 }}" when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index c169d4b..c61b51e 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -12,7 +12,7 @@ - name: "6.1.1 | AUDIT | Audit system file permissions | Create list and warning" block: - - name: "6.1.1 | Audit system file permissions | Add file discrepancy list to system" + - name: "6.1.1 | AUDIT | Audit system file permissions | Add file discrepancy list to system" copy: dest: "{{ rhel9cis_rpm_audit_file }}" content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}" 
@@ -20,8 +20,13 @@ - name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" debug: msg: | - "Warning! You have some package descrepancies issues. + "Warning!! You have some package descrepancies issues. The file list can be found in {{ rhel9cis_rpm_audit_file }}" + + - name: "6.1.1 | AUDIT | Audit system file permissions | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.1.1' ]" + warn_count: "{{ warn_count|int + 1 }}" when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0 - name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies" diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 31dafa8..6675488 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
@@ -29,12 +29,18 @@ - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" debug: msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: rhel9cis_6_2_2_passwd_gid_check.stdout | length == 0 + when: rhel9cis_6_2_2_passwd_gid_check.stdout is not defined - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" debug: - msg: "Warning! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" - when: rhel9cis_6_2_2_passwd_gid_check.stdout | length > 0 + msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" + when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined + + - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.2.2' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined when: - rhel9cis_rule_6_2_2 tags: 
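Review bot: Switching the 6.2.2 conditions to `stdout is not defined` / `stdout is defined` breaks both branches: `stdout` on a registered `shell`/`command` result is always defined, even when empty, so the "Good News" task never runs and the warning plus the warn_count increment run on every host. The original `| length == 0` / `| length > 0` tests were correct; keep them (or `| length >= 1`) for the warning and count tasks. The 6.2.3, 6.2.4 and 6.2.5 hunks in this file make the same change, and the 6.2.6 hunk has the two tests the other way round, so it prints "Good News" unconditionally instead.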
@@ -57,12 +63,18 @@ - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" debug: msg: "Good News! There are no duplicate UID's in the system" - when: rhel9cis_6_2_3_user_uid_check.stdout | length == 0 + when: rhel9cis_6_2_3_user_uid_check.stdout is not defined - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" debug: - msg: "Warning! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" - when: rhel9cis_6_2_3_user_uid_check.stdout | length > 0 + msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" + when: rhel9cis_6_2_3_user_uid_check.stdout is defined + + - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.2.3' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhel9cis_6_2_3_user_uid_check.stdout is defined when: - rhel9cis_rule_6_2_3 tags: 
@@ -85,12 +97,19 @@ - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" debug: msg: "Good News! There are no duplicate GIDs in the system" - when: rhel9cis_6_2_4_user_user_check.stdout | length == 0 + when: rhel9cis_6_2_4_user_user_check.stdout is not defined - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" debug: - msg: "Warning! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" - when: rhel9cis_6_2_4_user_user_check.stdout | length > 0 + msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" + when: rhel9cis_6_2_4_user_user_check.stdout is defined + + - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.2.4' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhel9cis_6_2_4_user_user_check.stdout is defined + when: - rhel9cis_rule_6_2_4 tags: 
@@ -113,12 +132,18 @@ - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" debug: msg: "Good News! There are no duplicate user names in the system" - when: rhel9cis_6_2_5_user_username_check.stdout | length == 0 + when: rhel9cis_6_2_5_user_username_check.stdout is not defined - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" debug: - msg: "Warning! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" - when: rhel9cis_6_2_5_user_username_check.stdout | length > 0 + msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" + when: rhel9cis_6_2_5_user_username_check.stdout is defined + + - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.2.5' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhel9cis_6_2_5_user_username_check.stdout is defined when: - rhel9cis_rule_6_2_5 tags: 
@@ -142,12 +167,18 @@ - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" debug: msg: "Good News! There are no duplicate group names in the system" - when: rhel9cis_6_2_6_group_group_check.stdout | length == 0 + when: rhel9cis_6_2_6_group_group_check.stdout is defined - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" debug: - msg: "Warning! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" - when: rhel9cis_6_2_6_group_group_check.stdout | length > 0 + msg: "Warning!! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" + when: rhel9cis_6_2_6_group_group_check.stdout is not defined + + - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.2.6' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhel9cis_6_2_6_group_group_check.stdout is not defined when: - rhel9cis_rule_6_2_6 tags: @@ -230,7 +261,7 @@ stat: path: "{{ item }}" register: rhel_08_6_2_9_audit - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<', max_int_uid | int ) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}" - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" command: find -H {{ item.0 | quote }} -not -type l -perm /027 @@ -270,7 +301,8 @@ recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not system_is_container + when: + - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" 
@@ -299,7 +331,8 @@ loop_control: label: "{{ rhel9cis_passwd_label }}" when: - - min_int_uid | int <= item.uid + - item.uid >= min_int_uid | int + - item.id != 'nobody' - rhel9cis_rule_6_2_10 tags: - skip_ansible_lint # settings found on 6_2_7 @@ -315,7 +348,7 @@ - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" stat: path: "{{ item }}" - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<', max_int_uid | int ) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}" register: rhel_08_6_2_11_audit - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" @@ -356,7 +389,8 @@ recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not system_is_container + when: + - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" @@ -427,8 +461,8 @@ - name: "6.2.14 | PATCH | Ensure no users have .forward files" file: + path: "~{{ item }}/.forward" state: absent - dest: "~{{ item }}/.forward" with_items: - "{{ users.stdout_lines }}" when: @@ -444,8 +478,8 @@ - name: "6.2.15 | PATCH | Ensure no users have .netrc files" file: + path: "~{{ item }}/.netrc" state: absent - dest: "~{{ item }}/.netrc" with_items: - "{{ users.stdout_lines }}" when: @@ -461,8 +495,8 @@ - name: "6.2.16 | PATCH | Ensure no users have .rhosts files" file: + path: "~{{ item }}/.rhosts" state: absent - dest: "~{{ item }}/.rhosts" with_items: "{{ users.stdout_lines }}" when: - rhel9cis_rule_6_2_16 diff --git a/vars/main.yml b/vars/main.yml index dbbc71f..9b13f43 100644 --- a/vars/main.yml +++ b/vars/main.yml 
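Review bot: The new `item.id != 'nobody'` exclusion in 6.2.10 special-cases one account by name, while the 6.2.9 and 6.2.11 filters rewritten in the same patch bound the range with `selectattr('uid', '<=', max_int_uid | int)`; `nobody` (uid 65534 on RHEL-family systems) would already be excluded by that same upper bound, and so would any other account above it. Replacing the name test with `- item.uid <= max_int_uid | int` keeps the three tasks consistent and avoids depending on the `id` field of `rhel9cis_passwd`, whose shape is not visible here. The task owning this `when:` list starts outside the hunk.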
@@ -1,8 +1,12 @@ --- # vars file for RHEL9-CIS -min_ansible_version: 2.10 +min_ansible_version: 2.9.4 rhel9cis_allowed_crypto_policies: - 'DEFAULT' - 'FUTURE' - 'FIPS' + +# Used to control warning summary +control_number: "" +warn_count: 0 \ No newline at end of file From ba791f549496816889cb60646a7940fa210e8f1b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 20 Jul 2022 17:13:47 +0100 Subject: [PATCH 24/98] added jounald to syslog type Signed-off-by: Mark Bolwell --- tasks/section_4/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index d28e3ce..6128f16 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -17,6 +17,7 @@ - name: "SECTION | 4.2.2 Configure journald" import_tasks: cis_4.2.2.x.yml + when: rhel9cis_syslog == 'journald' - name: "SECTION | 4.2.3 | Configure logile perms" import_tasks: cis_4.2.3.yml From df1477199393371960129da4cda33fe909787830 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 20 Jul 2022 17:13:57 +0100 Subject: [PATCH 25/98] updated with alma vars Signed-off-by: Mark Bolwell --- vars/AlmaLinux.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index 69e5994..61bf39b 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -1,4 +1,6 @@ --- # OS Specific Settings -rpm_gpg_key: RPM-GPG-KEY-AlmaLinux +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9 +rpm_packager: "AlmaLinux Packaging Team " +rpm_key: "d36cb86cb86b3716" From de4a7c5bf2efa027a79415ef6781cdcffc153694 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 11:24:07 +0100 Subject: [PATCH 26/98] removed empty row Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2a5a490..870f070 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -369,7 +369,6 @@ rhel9cis_rh_sub_password: password # RedHat Satellite Subscription items rhel9cis_rhnsd_required: false - # 1.4.2 Bootloader password rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' rhel9cis_bootloader_password: random From 22326c5de66280f9d4526b1c93d68b9592cec9e7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 11:24:50 +0100 Subject: [PATCH 27/98] Add blank row Signed-off-by: Mark Bolwell --- vars/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/main.yml b/vars/main.yml index 9b13f43..2ba64a1 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -9,4 +9,4 @@ rhel9cis_allowed_crypto_policies: # Used to control warning summary control_number: "" -warn_count: 0 \ No newline at end of file +warn_count: 0 From 28bbc2ff5f832d150452e9dc4cb6667b876ed09a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 11:26:27 +0100 Subject: [PATCH 28/98] 1.2.2 rpm gpg key check Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 32 ++++++++++++++++++++++++++++++-- vars/AlmaLinux.yml | 5 ++--- vars/RedHat.yml | 5 ++--- vars/Rocky.yml | 3 ++- 4 files changed, 36 insertions(+), 9 deletions(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 4ad09df..4d8cd68 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
@@ -20,8 +20,36 @@ - skip_ansible_lint # Added as no_log still errors on ansuible-lint - name: "1.2.2 | AUDIT | Ensure GPG keys are configured" - shell: "PKG=`rpm -qf {{ rpm_gpg_key }}` && rpm -q --queryformat \"%{PACKAGER} %{SIGPGP:pgpsig}\\n\" \"${PKG}\" | grep \"^{{ rpm_packager }}.*Key.ID.{{ rpm_key }}\"" - changed_when: false + block: + - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" + shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" + changed_when: false + failed_when: false + register: os_installed_pub_keys + + #- debug: + # msg: "{{ os_installed_pub_keys }}" + + - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Query found keys" + shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\"" + register: os_gpg_key_check + changed_when: false + failed_when: false + when: os_installed_pub_keys.rc == 0 + + - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys pass" + debug: + msg: "Congratulations !! - The installed gpg keys match expected values" + when: + - os_installed_pub_keys.rc == 0 + - os_gpg_key_check.rc == 0 + + - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys fail" + fail: + msg: Installed GPG Keys do not meet expected values or keys installed that are not expected + when: + - os_installed_pub_keys.rc == 1 or + os_gpg_key_check.rc == 1 when: - rhel9cis_rule_1_2_2 - ansible_distribution == "RedHat" or diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index 61bf39b..c460fb0 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -1,6 +1,5 @@ --- # OS Specific Settings -rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux-9 -rpm_packager: "AlmaLinux Packaging Team " -rpm_key: "d36cb86cb86b3716" +os_gpg_key_pubkey_name: gpg-pubkey-b86b3716-61e69f29 +os_gpg_key_pubkey_content: "AlmaLinux OS 9 b86b3716" diff --git a/vars/RedHat.yml b/vars/RedHat.yml index 0b1c2cc..d33b0bc 100644 
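Review bot: The new `expected keys fail` task's message claims to detect "keys installed that are not expected", but the two shell steps only grep for the one expected `gpg-pubkey` name and its packager string, so an additional or unexpected key is never noticed; either narrow the message or add a step that lists all `gpg-pubkey` packages and fails on anything outside the expected set. The `rc == 1` tests also miss other non-zero codes (grep returns 2 on error) and, when the first task returns something other than 0 or 1, `os_gpg_key_check.rc` is undefined because the query task was skipped; `when: os_installed_pub_keys.rc != 0 or (os_gpg_key_check.rc | default(1)) != 0` handles both. Matching on `%{VERSION}` compares only the 32-bit short key id; if the fingerprint of the imported key can be obtained on the target, comparing that is a stronger identity check. The commented-out `#- debug:` block should be dropped before merge.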
--- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -1,6 +1,5 @@ --- # OS Specific Settings -rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release -rpm_packager: "Red Hat, Inc" -rpm_key: "199e2f91fd431d51" # found on https://access.redhat.com/security/team/key/ +os_gpg_key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b +os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) fd431d51" diff --git a/vars/Rocky.yml b/vars/Rocky.yml index 7c8ae0b..77af29c 100644 --- a/vars/Rocky.yml +++ b/vars/Rocky.yml @@ -1,4 +1,5 @@ --- # OS Specific Settings -rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial +os_gpg_key_pubkey_name: gpg-pubkey-350d275d-6279464b +os_gpg_key_pubkey_content: "Rocky Enterprise Software Foundation - Release key 2022 350d275d" From 77a73ddcae8ab4cc6e7440c650d5d7d868bd6064 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 11:28:50 +0100 Subject: [PATCH 29/98] tidy up warning message Signed-off-by: Mark Bolwell --- tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index a55063a..62875c2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -181,8 +181,9 @@ when: - run_audit -- name: Output Warning count and control IDs affected +- name: If Warnings found Output count and control IDs affected debug: msg: "You have {{ warn_count }} warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" + when: warn_count > 0 tags: - always From e6191de7edf4a8566c3dc283fa62faec1c284d8d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 13:26:29 +0100 Subject: [PATCH 30/98] fix logic in warning Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 62875c2..b42abf2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -184,6 +184,6 @@ - name: If Warnings found Output count and control IDs affected debug: msg: "You have {{ warn_count }} warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" - when: warn_count > 0 + when: warn_count != 0 tags: - always From 6777a887194096f07a4aed1c3aee7e8e5bccc617 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 14:52:26 +0100 Subject: [PATCH 31/98] fix logic in warning Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 6675488..3225895 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -29,18 +29,18 @@ - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" debug: msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: rhel9cis_6_2_2_passwd_gid_check.stdout is not defined + when: rhel9cis_6_2_2_passwd_gid_check.stdout | length == 0 - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" debug: msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" - when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined + when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1 - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.2' ]" warn_count: "{{ warn_count|int + 1 }}" - when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined + when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_2 tags: 
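Review bot: `when: warn_count != 0` only works by accident of types: `warn_count` starts as the integer 0 from vars/main.yml but becomes a string (`"1"`, `"2"`, …) as soon as a Warn Count task runs `set_fact` with `"{{ warn_count|int + 1 }}"`, which is also why the previous `> 0` raised a type error. `when: warn_count | int > 0` states the intent and works for both representations.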
@@ -63,18 +63,18 @@ - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" debug: msg: "Good News! There are no duplicate UID's in the system" - when: rhel9cis_6_2_3_user_uid_check.stdout is not defined + when: rhel9cis_6_2_3_user_uid_check.stdout | length == 0 - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" debug: msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" - when: rhel9cis_6_2_3_user_uid_check.stdout is defined + when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1 - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.3' ]" warn_count: "{{ warn_count|int + 1 }}" - when: rhel9cis_6_2_3_user_uid_check.stdout is defined + when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_3 tags: @@ -97,18 +97,18 @@ - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" debug: msg: "Good News! There are no duplicate GIDs in the system" - when: rhel9cis_6_2_4_user_user_check.stdout is not defined + when: rhel9cis_6_2_4_user_user_check.stdout | length == 0 - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" debug: msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" - when: rhel9cis_6_2_4_user_user_check.stdout is defined + when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1 - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.4' ]" warn_count: "{{ warn_count|int + 1 }}" - when: rhel9cis_6_2_4_user_user_check.stdout is defined + when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_4 
@@ -132,18 +132,18 @@ - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" debug: msg: "Good News! There are no duplicate user names in the system" - when: rhel9cis_6_2_5_user_username_check.stdout is not defined + when: rhel9cis_6_2_5_user_username_check.stdout | length == 0 - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" debug: msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" - when: rhel9cis_6_2_5_user_username_check.stdout is defined + when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1 - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.5' ]" warn_count: "{{ warn_count|int + 1 }}" - when: rhel9cis_6_2_5_user_username_check.stdout is defined + when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_5 tags: From 595b952089172ae8d0fc25edbdd40cd129811e88 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 14:52:48 +0100 Subject: [PATCH 32/98] tidy up ttle Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index b42abf2..e2c9261 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -183,7 +183,7 @@ - name: If Warnings found Output count and control IDs affected debug: - msg: "You have {{ warn_count }} warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" + msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" when: warn_count != 0 tags: - always From d3f2677fd56f12298ca0f8d7492b0771a1c6d330 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Mon, 25 Jul 2022 14:53:05 +0100 Subject: [PATCH 33/98] new control option due to space on auditing Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 11 +++++++++++ templates/audit/98_auditd_exception.rules.j2 | 8 ++++++++ 2 files changed, 19 insertions(+) create mode 100644 templates/audit/98_auditd_exception.rules.j2 diff --git a/tasks/auditd.yml b/tasks/auditd.yml index f3fc1fd..7d9e937 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -8,6 +8,17 @@ register: audit_rules_updated notify: restart auditd + +- name: POST | Set up auditd user logging exceptions + template: + src: audit/98_auditd_exception.rules.j2 + dest: /etc/audit/rules.d/98_auditd_exceptions.rules + owner: root + group: root + mode: 0600 + notify: restart auditd + when: allow_auditd_uid_user_exclusions + - name: POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable block: - name: POST | AUDITD | Discover if auditd immutable - will require reboot if auditd template applied diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 new file mode 100644 index 0000000..b3bace1 --- /dev/null +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -0,0 +1,8 @@ +## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! + +# This file contains users whose actions are not logged by auditd +{% if allow_auditd_uid_user_exclusions %} +{% for user in rhel8cis_auditd_uid_exclude %} +-F uid!={{ user }} +{% endfor %} +{% endif %} \ No newline at end of file From 3c66b3f83c6ba757d25b7d509d0449afa714404c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 15:25:39 +0100 Subject: [PATCH 34/98] updated rule Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 5 +++-- templates/audit/98_auditd_exception.rules.j2 | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 7d9e937..837c7e1 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml 
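Review bot: The new task only ever writes the exceptions file; once `allow_auditd_uid_user_exclusions` is set back to false (or the list is emptied, which the follow-up `when` in the L62 hunk also treats as "do not deploy"), `/etc/audit/rules.d/98_auditd_exceptions.rules` stays on disk and the suppression keeps applying. A companion removal task guarded by the inverse condition closes that gap. The source name `98_auditd_exception.rules.j2` and the destination `98_auditd_exceptions.rules` also differ by one letter, which is easy to misread; one spelling for both would help. The surrounding task list continues outside the hunk.

```yaml
# … unchanged: POST | Set up auditd user logging exceptions task …
- name: POST | Remove auditd user logging exceptions when disabled
  file:
    path: /etc/audit/rules.d/98_auditd_exceptions.rules
    state: absent
  notify: restart auditd
  when: not allow_auditd_uid_user_exclusions
```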
@@ -8,7 +8,6 @@ register: audit_rules_updated notify: restart auditd - - name: POST | Set up auditd user logging exceptions template: src: audit/98_auditd_exception.rules.j2 @@ -17,7 +16,9 @@ group: root mode: 0600 notify: restart auditd - when: allow_auditd_uid_user_exclusions + when: + - allow_auditd_uid_user_exclusions + - rhel9cis_auditd_uid_exclude | length > 0 - name: POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable block: diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index b3bace1..4bc8909 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -1,8 +1,8 @@ ## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! # This file contains users whose actions are not logged by auditd -{% if allow_auditd_uid_user_exclusions %} -{% for user in rhel8cis_auditd_uid_exclude %} +{% if allow_auditd_uid_user_exclusions %} +{% for user in rhel9cis_auditd_uid_exclude %} -F uid!={{ user }} {% endfor %} {% endif %} \ No newline at end of file From 9c2fead5fc21931a0e49debeab2b33f568cac2a3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 25 Jul 2022 16:41:57 +0100 Subject: [PATCH 35/98] updated rule Signed-off-by: Mark Bolwell --- templates/audit/98_auditd_exception.rules.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index 4bc8909..a453f3b 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -3,6 +3,6 @@ # This file contains users whose actions are not logged by auditd {% if allow_auditd_uid_user_exclusions %} {% for user in rhel9cis_auditd_uid_exclude %} --F uid!={{ user }} +-a never,user -F uid!={{ user }} -F auid!={{ user }} {% endfor %} {% endif %} \ No newline at end of file 
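Review bot: The header line kept by this hunk reads `YOUR CHANGED WILL BE LOST!`; `YOUR CHANGES WILL BE LOST!` is the intended wording. The `{% if allow_auditd_uid_user_exclusions %}` guard duplicates the task-level `when` that already gates the template, so with the flag off the file is never rendered rather than rendered empty; a one-line comment such as `# rendered only when allow_auditd_uid_user_exclusions is true (see tasks/auditd.yml)` would make that explicit. The file also ends without a trailing newline (the `\ No newline at end of file` marker); since augenrules merges the files in rules.d, a final newline is the safer choice.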
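Review bot: The new rule suppresses the wrong population: with `-a never,user`, the filters `-F uid!={{ user }} -F auid!={{ user }}` are ANDed and match every user-list event whose uid and auid are both *not* the listed user, so those events are the ones dropped and only the listed user keeps being audited, the opposite of what the header comment and the `rhel9cis_auditd_uid_exclude` name describe. To stop recording the listed user the comparison has to be equality, e.g. `-a never,user -F auid={{ user }}`, with a separate `-a never,exit -F auid={{ user }}` if syscall records are meant to be excluded too, since the `user` list only covers user-space messages. Suppression rules take effect only for rules loaded after them, so the `98_` prefix ordering ahead of `99_auditd.rules` is load-bearing and deserves a comment in the template header.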
From 69f453902fd465a2c0a92611fad8d931d07f2cea Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 10:03:44 +0100 Subject: [PATCH 36/98] updated 1.6.1.2 Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index f0ea11a..672316c 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -16,7 +16,7 @@ - name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" replace: dest: /etc/default/grub - regexp: '(selinux|enforcing)\s*=(\s0|0).*' + regexp: 'selinux=0' replace: '' register: selinux_grub_patch ignore_errors: yes From 5ba2c41851b06cddc18944343707c56bcdb798ad Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 11:13:29 +0100 Subject: [PATCH 37/98] updated Signed-off-by: Mark Bolwell --- Changelog.md | 8 ++++++++ defaults/main.yml | 3 +++ 2 files changed, 11 insertions(+) diff --git a/Changelog.md b/Changelog.md index 90329ca..0ac9017 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,13 @@ # Changes to rhel9CIS +## 0.4 + +- RockyLinux now supported +- workflow updates +- selinux regexp improvements +- warning summary now at end of play +- advanced auditd options to exclude users in POST section + ## 0.3 - update to auditd template diff --git a/defaults/main.yml b/defaults/main.yml index 870f070..c605f92 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -505,6 +505,9 @@ rhel9cis_max_log_file_size: 10 ### 4.1.3.x audit template update_audit_template: false +## Advanced option found in auditd post +allow_auditd_uid_user_exclusions: false + ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 From 11132b7a4a532a8c66a02697c68aa7eb18d77561 Mon Sep 17 00:00:00 2001 
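Review bot: Narrowing the pattern to `selinux=0` leaves `enforcing=0` in `/etc/default/grub` untouched, although 1.6.1.2 is about SELinux being disabled in the bootloader by either parameter; `regexp: '\b(selinux|enforcing)=0\b'` covers both without the trailing `.*` that made the removed pattern swallow the rest of the line. Editing `/etc/default/grub` only changes future `grub2-mkconfig` output, so unless a later task (not in this hunk) regenerates grub.cfg the active boot entry keeps the parameter; the visible `register: selinux_grub_patch` is the natural trigger for that. The `ignore_errors: yes` on this `replace` also hides real failures such as an unreadable file, which deserves a comment or a narrower `failed_when`.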
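Review bot: `allow_auditd_uid_user_exclusions: false` is added without a default for `rhel9cis_auditd_uid_exclude`, the list that the `tasks/auditd.yml` condition (`rhel9cis_auditd_uid_exclude | length > 0`) and the template iterate; with the flag turned on and no list set, the play fails on an undefined variable. Add `rhel9cis_auditd_uid_exclude: []` next to it, and expand the two-word comment into something a user can act on, e.g. `## Advanced option: UIDs listed in rhel9cis_auditd_uid_exclude generate no audit records (a deviation from the benchmark); enable only with a documented justification`.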
From: Mark Bolwell Date: Tue, 26 Jul 2022 11:34:35 +0100 Subject: [PATCH 38/98] updated ansible test connect Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 8a9805c..f30c263 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m ping -e retries=20 -e delay=20 + ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=120 delay=10 timeout=10 sleep=5" # Run the ansible playbook - name: Run_Ansible_Playbook From 9f00bee0bea76278f17db62977b4165e4ddafebe Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 11:50:37 +0100 Subject: [PATCH 39/98] updated to 5min timeout Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index f30c263..74b38cf 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=120 delay=10 timeout=10 sleep=5" + ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=300 delay=10 timeout=10 sleep=5" # Run the ansible playbook - name: Run_Ansible_Playbook From 35e3a27776442456715bfddd869c4e428ebd3f81 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 12:04:07 +0100 Subject: [PATCH 40/98] fixed correct value Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 74b38cf..91ee722 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=300 delay=10 timeout=10 sleep=5" + ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=10 delay=10 timeout=300 sleep=5" # Run the ansible playbook - name: Run_Ansible_Playbook From faf48726f433c281bd3747748845807dd93cd52d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 12:08:52 +0100 Subject: [PATCH 41/98] extended timeout Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 91ee722..551630d 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=10 delay=10 timeout=300 sleep=5" + ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=10 delay=10 timeout=600 sleep=5" # Run the ansible playbook - name: Run_Ansible_Playbook From 5985d8948848587b16d77a075acde34201fcbd91 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 12:31:53 +0100 Subject: [PATCH 42/98] updated ami version Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars index f9dc528..96c19c4 100644 --- a/.github/workflows/OS.tfvars +++ b/.github/workflows/OS.tfvars 
@@ -1,5 +1,5 @@ #Ami Rocky 85 -ami_id = "ami-0d824d9c499f27c8a" +ami_id = "ami-02881bd671eb4ac61" ami_os = "rhel9" ami_username = "ec2-user" ami_user_home = "/home/ec2-user" From 1c0714b3fb32b3aef232a0297882986a3a1b2332 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 12:43:32 +0100 Subject: [PATCH 43/98] changed to wait_for module Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 551630d..631f8de 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for_connection -a "connect_timeout=10 delay=10 timeout=600 sleep=5" + ansible all -i hosts.yml -m wait_for -a "port=22 connect_timeout=10 delay=10 timeout=600 sleep=5" # Run the ansible playbook - name: Run_Ansible_Playbook From 14b5001f8e22add1cb6bd82640cee20cc8de070d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 12:49:23 +0100 Subject: [PATCH 44/98] added private key Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 631f8de..1a5cce1 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for -a "port=22 connect_timeout=10 delay=10 timeout=600 sleep=5" + ansible all -i hosts.yml -m wait_for -a "port=22 connect_timeout=10 delay=10 timeout=600 sleep=5" --private-key=.ssh/github_actions.pem # Run the ansible playbook - name: Run_Ansible_Playbook 
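Review bot: `wait_for` executes on the managed host, so `ansible all -m wait_for -a "port=22 ..."` must first SSH to the instance before it can poll port 22 and therefore cannot wait for the instance to come up; it simply fails until the host is already reachable. Polling from the controller needs either `wait_for_connection`, which the previous revision of this line used, or `wait_for` against the target address with a local connection, e.g. `ansible all -i hosts.yml -c local -m wait_for -a "host={{ ansible_host }} port=22 delay=10 timeout=600"` (assuming hosts.yml sets `ansible_host`). The hunks on L66 (patch 44), L67 (patches 45 and 46) and L76 keep the same form and inherit the problem.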
From 363fe9b0c600792d6d68b53d6fa8bc2559f7ea0e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 13:25:40 +0100 Subject: [PATCH 45/98] added user Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 343c887..0fdfabf 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for -a "port=22 connect_timeout=10 delay=10 timeout=600 sleep=5" --private-key=.ssh/github_actions.pem + ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600 " --private-key=.ssh/github_actions.pem -u ec2-user # Run the ansible playbook From 125566fcf2f1aba9adf43c27176373703f593653 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 15:12:02 +0100 Subject: [PATCH 46/98] added debug Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 0fdfabf..6964d19 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -87,7 +87,7 @@ jobs: working-directory: .github/workflows id: test_os run: >- - ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600 " --private-key=.ssh/github_actions.pem -u ec2-user + ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -vvv # Run the ansible playbook From 15a46f25a82679d3ec900e36bd63f0dbc72918a0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 16:28:57 +0100 Subject: [PATCH 47/98] added new connection and provate key vars 
Signed-off-by: Mark Bolwell --- .github/workflows/github_vars.tfvars | 1 + .github/workflows/main.tf | 14 ++++++++++++++ 2 files changed, 15 insertions(+) diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index 4d40f72..1bf4f3e 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars @@ -7,6 +7,7 @@ namespace = "github_actions" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" +private_key = ".ssh/github_actions.pem" main_vpc_cidr = "172.22.0.0/24" public_subnets = "172.22.0.128/26" private_subnets = "172.22.0.192/26" \ No newline at end of file diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 29fd6f3..3019f1b 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -59,6 +59,20 @@ resource "aws_instance" "testing_vm" { root_block_device { delete_on_termination = true } + # SSH into instance - will ensure server is up before next step in workflows + connection { + # Host name + host = self.public_ip + # The default username for our AMI + user = var.ami_username + # Private key for connection + private_key = "${file(var.private_key)}" + # Type of connection + type = "ssh" + } + provisioner "remote-exec" { + inline = [ "echo hello_world"] + } } // generate inventory file From f93f584f40f40c4087716dcae1a724b72a53dafd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 16:32:34 +0100 Subject: [PATCH 48/98] added private_key Signed-off-by: Mark Bolwell --- .github/workflows/variables.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/variables.tf b/.github/workflows/variables.tf index 58544fc..d3ddbf8 100644 --- a/.github/workflows/variables.tf +++ b/.github/workflows/variables.tf 
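Review bot: `private_key = "${file(var.private_key)}"` resolves the relative path from `github_vars.tfvars` against Terraform's working directory rather than the module, and wrapping a lone expression in `"${...}"` is the legacy 0.11 form; `private_key = file("${path.module}/${var.private_key}")` reads relative to the module and, because `file()` feeds only the connection block, keeps the key material out of the state file. The `remote-exec` provisioner here is only a readiness probe, which the comment above `connection` hints at; a line such as `# remote-exec only confirms SSH is reachable; configuration runs from the workflow playbook` on the provisioner itself would stop a reader expecting provisioning to happen here. The enclosing `aws_instance` resource starts outside the hunk.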
@@ -22,6 +22,11 @@ variable "ami_key_pair_name" { type = string } +variable "private_key" { + description = "path to private key for ssh" + type = string +} + variable "ami_os" { description = "AMI OS Type" type = string From 80d0deb80dd2f2ba6b475cae3a801c2a867e0061 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 16:40:12 +0100 Subject: [PATCH 49/98] updated local-exec Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 3019f1b..5039480 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -71,7 +71,7 @@ resource "aws_instance" "testing_vm" { type = "ssh" } provisioner "remote-exec" { - inline = [ "echo hello_world"] + command = "echo 'hello_world'" } } From 0c9a88ea1a7cc8edfe012a054b40fac82d821fd7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 16:51:36 +0100 Subject: [PATCH 50/98] updated remote-exec Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 5039480..5a7751a 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -71,7 +71,9 @@ resource "aws_instance" "testing_vm" { type = "ssh" } provisioner "remote-exec" { - command = "echo 'hello_world'" + inline = [ + "echo 'hello_world'", + ] } } From 02c0c64cf8225be09ab2e29e7ec6563bcd499426 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 17:32:58 +0100 Subject: [PATCH 51/98] added debug Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 6964d19..70fabc6 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml 
@@ -38,7 +38,7 @@ jobs: runs-on: ubuntu-latest env: - ENABLE_DEBUG: false + ENABLE_DEBUG: true # Steps represent a sequence of tasks that will be executed as part of the job steps: @@ -68,6 +68,11 @@ jobs: working-directory: .github/workflows run: terraform validate + - name: Validate path contents + if: env.ENABLE_DEBUG == 'true' + working-directory: .github/workflows + run: pwd && ls -laR + - name: Terraform_Apply working-directory: .github/workflows env: From 1a8861e4fdbb11bf4875e4da4853abbdc5fad4aa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 17:37:17 +0100 Subject: [PATCH 52/98] updated path Signed-off-by: Mark Bolwell --- .github/workflows/github_vars.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index 59d5d14..c3ac76b 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars @@ -7,7 +7,7 @@ namespace = "github_actions" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" -private_key = ".ssh/github_actions.pem" +private_key = "'.ssh/github_actions.pem'" main_vpc_cidr = "172.22.0.0/24" public_subnets = "172.22.0.128/26" private_subnets = "172.22.0.192/26" From 5c0bc4137a37ada4e0eb518253f3eb10fdd2f0ac Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 17:38:39 +0100 Subject: [PATCH 53/98] fix merge error Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 9496bd2..a4a83ac 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml 
@@ -93,10 +93,6 @@ jobs: id: test_os run: >- ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -vvv -<<<<<<< HEAD - -======= ->>>>>>> df2d812e6a15a5330198cd77a57fbc2019ea040e # Run the ansible playbook - name: Run_Ansible_Playbook From 0c6feb1b67dc88825c6dddb8b97bc0321f3a518b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 17:54:28 +0100 Subject: [PATCH 54/98] added local file option Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 5a7751a..985aa8a 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -3,6 +3,11 @@ provider "aws" { region = var.aws_region } +// Read local file not created via terraform +data "local_file" "github_actions" { + filename = "${path.module}/${var.private_key}" +} + // Create a security group with access to port 22 and port 80 open to serve HTTP traffic data "aws_vpc" "default" { @@ -66,7 +71,7 @@ resource "aws_instance" "testing_vm" { # The default username for our AMI user = var.ami_username # Private key for connection - private_key = "${file(var.private_key)}" + private_key = data.local_file.github_actions # Type of connection type = "ssh" } From 5e93716ecb0230f44a4690573ee4d1e66b49b0db Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 26 Jul 2022 17:54:56 +0100 Subject: [PATCH 55/98] revert Signed-off-by: Mark Bolwell --- .github/workflows/github_vars.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/github_vars.tfvars b/.github/workflows/github_vars.tfvars index c3ac76b..59d5d14 100644 --- a/.github/workflows/github_vars.tfvars +++ b/.github/workflows/github_vars.tfvars 
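Review bot: Reading the SSH key through `data "local_file" "github_actions"` puts the entire key into the Terraform state, because a data source's result attributes (here `content`, which the L72 follow-up references) are recorded in the state file, whereas the `file()` call it replaces only feeds the connection block. Any copy, backup or accidental commit of `terraform.tfstate` from the `.github/workflows` directory then carries the credential, so `private_key = file("${path.module}/${var.private_key}")` is the safer way to get the path fix this commit is after. If `local_file` is kept regardless, a comment next to it should state that the state backend must be treated as secret for that reason.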
@@ -7,7 +7,7 @@ namespace = "github_actions" // Matching pair name found in AWS for keypairs PEM key ami_key_pair_name = "github_actions" -private_key = "'.ssh/github_actions.pem'" +private_key = ".ssh/github_actions.pem" main_vpc_cidr = "172.22.0.0/24" public_subnets = "172.22.0.128/26" private_subnets = "172.22.0.192/26" From 5a81497a263b6fc495fc8b4bc05760d2df22f135 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 27 Jul 2022 10:08:27 +0100 Subject: [PATCH 56/98] added content to object Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 985aa8a..81e1e98 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -71,7 +71,7 @@ resource "aws_instance" "testing_vm" { # The default username for our AMI user = var.ami_username # Private key for connection - private_key = data.local_file.github_actions + private_key = data.local_file.github_actions.content # Type of connection type = "ssh" } From a8488de4d9af007af43c51505042328c959611fc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 27 Jul 2022 11:40:20 +0100 Subject: [PATCH 57/98] updated lint Signed-off-by: Mark Bolwell --- .github/workflows/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index 81e1e98..d322cda 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -101,4 +101,3 @@ resource "local_file" "inventory" { audit_git_version: devel EOF } - From f15f8c921c74960a49ee1c843b6c3a860abb0152 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 27 Jul 2022 15:43:26 +0100 Subject: [PATCH 58/98] removed audit template handler Signed-off-by: Mark Bolwell --- handlers/main.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index d983840..8c3c79c 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -74,16 +74,6 @@ args: warn: false -- name: update auditd - template: - src: audit/99_auditd.rules.j2 - dest: /etc/audit/rules.d/99_auditd.rules - owner: root - group: root - mode: 0600 - register: auditd_template_update - notify: restart auditd - - name: restart auditd shell: service auditd restart args: From a5d62ea30ab8fcdd044fc2cdab1f779b379f3a8a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 27 Jul 2022 15:47:26 +0100 Subject: [PATCH 59/98] added a test key output Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index a4a83ac..4149768 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -58,6 +58,7 @@ jobs: chmod 700 .ssh echo $PRIVATE_KEY > .ssh/github_actions.pem chmod 600 .ssh/github_actions.pem + file .ssh/github_actions.pem && cat .ssh/github_actions.pem ### Build out the server - name: Terraform_Init From d0023ce6611fa1836b6d5ea458474e79a3656158 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 27 Jul 2022 16:32:55 +0100 Subject: [PATCH 60/98] turned off debug Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 4149768..b35264f 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -38,7 +38,7 @@ jobs: runs-on: ubuntu-latest env: - ENABLE_DEBUG: true + ENABLE_DEBUG: false # Steps represent a sequence of tasks that will be executed as part of the job steps: From 340da3ef226e07e8c18efbdbf73258d674a557bb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 27 Jul 2022 16:57:13 +0100 Subject: [PATCH 61/98] removed excess line 
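Review bot: `cat .ssh/github_actions.pem` prints the private key into the job log, and relying on log redaction to cover material that is deliberately printed is fragile: the key is written by the unquoted `echo $PRIVATE_KEY` on the context line above, whose word-splitting joins the PEM lines with spaces, so the file content is not byte-identical to the stored secret. That same unquoted expansion is also the likeliest reason ssh rejects the key in the connection checks elsewhere in this series. Drop the `cat`, keep `file .ssh/github_actions.pem` as the sanity check, and write the key with `echo "$PRIVATE_KEY" > .ssh/github_actions.pem` (or `printf '%s\n' "$PRIVATE_KEY" > .ssh/github_actions.pem`). The rest of the run step lies outside the hunk.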
Signed-off-by: Mark Bolwell --- site.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/site.yml b/site.yml index 379549f..4446d3e 100644 --- a/site.yml +++ b/site.yml @@ -1,7 +1,6 @@ --- - hosts: all become: true - roles: - role: "{{ playbook_dir }}" From dbf5484f73bd7f38e9a24e8cea7c1e3a39a850e6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 28 Jul 2022 17:18:56 +0100 Subject: [PATCH 62/98] reverted settings Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 1 - .github/workflows/main.tf | 21 ------------------- 2 files changed, 22 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index b35264f..fcaa943 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -58,7 +58,6 @@ jobs: chmod 700 .ssh echo $PRIVATE_KEY > .ssh/github_actions.pem chmod 600 .ssh/github_actions.pem - file .ssh/github_actions.pem && cat .ssh/github_actions.pem ### Build out the server - name: Terraform_Init diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index d322cda..b231d2a 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -3,11 +3,6 @@ provider "aws" { region = var.aws_region } -// Read local file not created via terraform -data "local_file" "github_actions" { - filename = "${path.module}/${var.private_key}" -} - // Create a security group with access to port 22 and port 80 open to serve HTTP traffic data "aws_vpc" "default" { 
@@ -64,22 +59,6 @@ resource "aws_instance" "testing_vm" { root_block_device { delete_on_termination = true } - # SSH into instance - will ensure server is up before next step in workflows - connection { - # Host name - host = self.public_ip - # The default username for our AMI - user = var.ami_username - # Private key for connection - private_key = data.local_file.github_actions.content - # Type of connection - type = "ssh" - } - provisioner "remote-exec" { - inline = [ - "echo 'hello_world'", - ] - } } // generate inventory file From 0c3c26e11b4fd169362d0738c2d07e42ace7da3b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 28 Jul 2022 17:19:46 +0100 Subject: [PATCH 63/98] removed system check Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index fcaa943..f116ee8 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -86,14 +86,6 @@ jobs: working-directory: .github/workflows run: cat hosts.yml -# Ensure system is up for connections before continuing - - - name: Check system is up and running - working-directory: .github/workflows - id: test_os - run: >- - ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -vvv - # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master From a2945a6d3ad9fccfb3e2dcfa9193279f685f5d43 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 09:50:39 +0100 Subject: [PATCH 64/98] changed way key is loaded Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index f116ee8..6adb2c1 100644 
--- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -86,6 +86,16 @@ jobs: working-directory: .github/workflows run: cat hosts.yml +# Ensure system is up for connections before continuing + + - name: Check system is up and running + working-directory: .github/workflows + env: + PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + id: test_os + run: >- + ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' + # Run the ansible playbook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master From a74f8ee3be95a5bfab87bf8e84af017cbae8831d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 09:57:39 +0100 Subject: [PATCH 65/98] changed spacing Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 6adb2c1..e6154f7 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -93,8 +93,7 @@ jobs: env: PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" id: test_os - run: >- - ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' + run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' # Run the ansible playbook - name: Run_Ansible_Playbook From d87812bab459a03c64db24e0cc9018fbef06da8f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 10:02:17 +0100 Subject: [PATCH 66/98] testing 
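Review bot: `ansible_ssh_private_key_file` expects a path to a key file, but `PRIVATE_KEY` holds the key material itself, so the `-e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}'` on the new `run:` line would hand the PEM body to ssh as a filename — the connection cannot succeed that way, and the rendered value would surface in ssh's argument list and in verbose connection output. The `--private-key=.ssh/github_actions.pem` option on the same line already points at the key written to disk earlier in the job, so the `-e ...` and the `env:` block can be dropped and the secret stays only in the mode-600 file. If a key-from-environment path is wanted, it should be materialised to a file by the step rather than passed as an inventory variable.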
Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index e6154f7..d133652 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -93,7 +93,7 @@ jobs: env: PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" id: test_os - run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" --private-key=.ssh/github_actions.pem -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' + run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' # Run the ansible playbook - name: Run_Ansible_Playbook From 54aa47c9313c8210cba0f1d988f3ccbc699edc91 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 10:05:27 +0100 Subject: [PATCH 67/98] testing Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index d133652..4a6a742 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml 
@@ -88,12 +88,12 @@ jobs: # Ensure system is up for connections before continuing - - name: Check system is up and running - working-directory: .github/workflows - env: - PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - id: test_os - run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' + # - name: Check system is up and running + # working-directory: .github/workflows + # env: + # PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" + # id: test_os + # run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' # Run the ansible playbook - name: Run_Ansible_Playbook From 6bce83d2a14c3f4386d1bfc0b48386ddcc946300 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 10:23:01 +0100 Subject: [PATCH 68/98] revert Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 27 ++++++++++--------- .github/workflows/main.tf | 2 +- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 4a6a742..5c8da2b 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -68,11 +68,6 @@ jobs: working-directory: .github/workflows run: terraform validate - - name: Validate path contents - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: pwd && ls -laR - - name: Terraform_Apply working-directory: .github/workflows env: 
@@ -86,14 +81,20 @@ jobs: working-directory: .github/workflows run: cat hosts.yml -# Ensure system is up for connections before continuing +# Centos 7 images take a while to come up insert sleep or playbook fails - # - name: Check system is up and running - # working-directory: .github/workflows - # env: - # PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}" - # id: test_os - # run: ansible all -i hosts.yml -m wait_for -a "port=22 delay=10 timeout=600" -u ec2-user -e ansible_ssh_private_key_file='{{ lookup("env", "PRIVATE_KEY") }}' + - name: Check if test os is rhel7 + working-directory: .github/workflows + id: test_os + run: >- + echo "::set-output name=RHEL7::$( + grep -c RHEL7 OS.tfvars + )" + + - name: if RHEL7 - Sleep for 60 seconds + if: steps.test_os.outputs.RHEL7 >= 1 + run: sleep 60s + shell: bash # Run the ansible playbook - name: Run_Ansible_Playbook @@ -116,4 +117,4 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false + run: terraform destroy -var-file "OS.tfvars" -var-file "github_vars.tfvars" --auto-approve -input=false \ No newline at end of file diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf index b231d2a..3c3954f 100644 --- a/.github/workflows/main.tf +++ b/.github/workflows/main.tf @@ -79,4 +79,4 @@ resource "local_file" "inventory" { system_is_ec2: true audit_git_version: devel EOF -} +} \ No newline at end of file From bb1c167922ec4d4cee10de7e4f13f47984720b9c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 10:47:25 +0100 Subject: [PATCH 69/98] updated comment Signed-off-by: Mark Bolwell --- .github/workflows/OS.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars index 96c19c4..a5e2fda 100644 --- a/.github/workflows/OS.tfvars +++ b/.github/workflows/OS.tfvars 
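Review bot: The detection in the new `test_os` step greps for the uppercase literal `RHEL7`, while the OS.tfvars values appear to be spelled in lowercase (`ami_os = "rhel9"` in the following commit's hunk), so for a RHEL 7 image the count would presumably be 0 and the conditional sleep would never fire; `grep -ci 'rhel7' OS.tfvars`, or matching the `ami_os` line specifically, is more robust. The comment introduced above the step talks about CentOS 7 while the check and the step names say RHEL7; aligning the wording avoids confusion about which image the delay is for. `::set-output` has since been deprecated by GitHub in favour of appending `RHEL7=<count>` to the file named by `$GITHUB_OUTPUT`.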
@@ -1,4 +1,4 @@ -#Ami Rocky 85 +#Ami Alma 9 ami_id = "ami-02881bd671eb4ac61" ami_os = "rhel9" ami_username = "ec2-user" From 4f68cf1f92f0d1dc41b2fc3e3c5ac580430eb118 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 11:16:00 +0100 Subject: [PATCH 70/98] sleep 60 anyway Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 5c8da2b..9f96e84 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -92,7 +92,7 @@ jobs: )" - name: if RHEL7 - Sleep for 60 seconds - if: steps.test_os.outputs.RHEL7 >= 1 + #if: steps.test_os.outputs.RHEL7 >= 1 run: sleep 60s shell: bash From 084e6c67601a96aede12d15032e07d4880762854 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 17:08:38 +0100 Subject: [PATCH 71/98] moved some controls to handlers Signed-off-by: Mark Bolwell --- handlers/main.yml | 40 +++++++++++++++++++++++++++------------- tasks/auditd.yml | 21 ++++----------------- 2 files changed, 31 insertions(+), 30 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 8c3c79c..9264a42 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -74,18 +74,6 @@ args: warn: false -- name: restart auditd - shell: service auditd restart - args: - warn: false - when: - - audit_rules_updated.changed or - rule_4_1_2_1.changed or - rule_4_1_2_2.changed or - rule_4_1_2_3.changed - tags: - - skip_ansible_lint - - name: grub2cfg shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" args: 
@@ -114,6 +102,32 @@ systemd: daemon-reload: true +## Auditd tasks note order for handlers to run + +- name: auditd_immutable_check + shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules + changed_when: false + register: auditd_immutable_check + +- name: audit_immutable_fact + debug: + msg: "Reboot required for auditd to apply new rules as immutable set" + notify: change_requires_reboot + when: + - auditd_immutable_check.stdout == '1' + +- name: restart auditd + shell: service auditd restart + args: + warn: false + when: + - audit_rules_updated.changed or + rule_4_1_2_1.changed or + rule_4_1_2_2.changed or + rule_4_1_2_3.changed + tags: + - skip_ansible_lint + - name: change_requires_reboot set_fact: - change_requires_reboot: true + change_requires_reboot: true \ No newline at end of file diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 837c7e1..9c5a14e 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -6,7 +6,10 @@ group: root mode: 0600 register: audit_rules_updated - notify: restart auditd + notify: + - auditd_immutable_check + - audit_immutable_fact + - restart auditd - name: POST | Set up auditd user logging exceptions template: @@ -19,19 +22,3 @@ when: - allow_auditd_uid_user_exclusions - rhel9cis_auditd_uid_exclude | length > 0 - -- name: POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable - block: - - name: POST | AUDITD | Discover if auditd immutable - will require reboot if auditd template applied - shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules - changed_when: false - register: auditd_immutable_check - - - name: POST | AUDITD | Set reboot required if auditd immutable - debug: - msg: "Reboot required for auditd to apply new rules as immutable set" - notify: change_requires_reboot - when: - - auditd_immutable_check.stdout == '1' - when: - - audit_rules_updated.changed \ No newline at end of file From c0ece7f57f31f45bb2085ba4b17145ffce458c81 Mon Sep 17 00:00:00 2001 
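Review bot: `grep -c` exits 1 when it finds no match, so the new `auditd_immutable_check` handler fails the play whenever `-e 2` is absent from 99_auditd.rules (i.e. whenever the immutable rule is not selected), because `changed_when: false` does not affect failure handling; add `failed_when: auditd_immutable_check.rc > 1` so only a real grep error is fatal. The same check existed in the block removed from tasks/auditd.yml in this commit, so the behaviour is carried over rather than introduced, but moving it to a handler makes the failure harder to attribute. The comment `## Auditd tasks note order for handlers to run` would be clearer as `# Handlers run in the order defined here, not notify order: check, then fact, then restart`.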
From: Mark Bolwell Date: Fri, 29 Jul 2022 18:27:24 +0100 Subject: [PATCH 72/98] fix warn consistent missing ' Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.6.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 672316c..494176d 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -78,12 +78,12 @@ - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" debug: - msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" + msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | warning count" set_fact: - control_number: "{{ control_number }} + [ 'rule_1.6.1.5 ]" + control_number: "{{ control_number }} + [ 'rule_1.6.1.5' ]" warn_count: "{{ warn_count|int + 1 }}" when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 when: From b842c47cd28d1a7a8a7eccf43e0e6dd4f6b641e4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 18:27:55 +0100 Subject: [PATCH 73/98] line spacing fixed Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.3.x.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 42cd4fb..2559925 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -18,7 +18,6 @@ - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - when: rhel9cis_ipv6_required when: - rhel9cis_rule_3_3_1 
@@ -82,6 +81,7 @@ set_fact: sysctl_update: true flush_ipv4_route: true + - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" @@ -100,6 +100,7 @@ set_fact: sysctl_update: true flush_ipv4_route: true + - name: 3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" @@ -155,6 +156,7 @@ set_fact: sysctl_update: true flush_ipv4_route: true + - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" From 866eafc5932afcb6851db3275aa1c3f786e21853 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 18:28:17 +0100 Subject: [PATCH 74/98] Added warning to reboot required Signed-off-by: Mark Bolwell --- tasks/post.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tasks/post.yml b/tasks/post.yml index bca18ae..3a8a0ed 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -44,11 +44,20 @@ - name: POST | Warning a reboot required but skip option set debug: - msg: "Warning! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" + msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true when: - change_requires_reboot - skip_reboot + + - name: "POST | Warning a reboot required but skip option set | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'Reboot_required' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - change_requires_reboot + - skip_reboot + tags: - grub - level1-server From 6d350170590db182adc44c817a65d24937897670 Mon Sep 17 00:00:00 2001 
From: Mark Bolwell Date: Fri, 29 Jul 2022 18:33:00 +0100 Subject: [PATCH 75/98] fix typo Signed-off-by: Mark Bolwell --- templates/audit/98_auditd_exception.rules.j2 | 2 +- templates/audit/99_auditd.rules.j2 | 2 +- templates/etc/cron.d/aide.cron.j2 | 2 +- templates/etc/modprobe.d/modprobe.conf.j2 | 2 +- templates/etc/sysctl.d/60-disable_ipv6.conf.j2 | 2 +- templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 | 2 +- templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 | 2 +- templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index a453f3b..3dcc355 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd {% if allow_auditd_uid_user_exclusions %} diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 2d270cc..050de20 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # This template will set all of the auditd configurations via a handler in the role in one task instead of individually {% if rhel9cis_rule_4_1_3_1 %} diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 index f9014fa..781fdd4 100644 --- a/templates/etc/cron.d/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 
@@ -1,5 +1,5 @@ # Run AIDE integrity check -# added via ansible-lockdown remediation +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # CIS 1.3.2 {{ rhel9cis_aide_cron['aide_minute'] }} {{ rhel9cis_aide_cron['aide_hour'] }} {{ rhel9cis_aide_cron['aide_month'] }} {{ rhel9cis_aide_cron['aide_weekday'] }} {{ rhel9cis_aide_cron['aide_job'] }} diff --git a/templates/etc/modprobe.d/modprobe.conf.j2 b/templates/etc/modprobe.d/modprobe.conf.j2 index a4d9d3d..081bbae 100644 --- a/templates/etc/modprobe.d/modprobe.conf.j2 +++ b/templates/etc/modprobe.d/modprobe.conf.j2 @@ -1,6 +1,6 @@ # Disable usage of protocol {{ item }} # Set by ansible {{ benchmark }} remediation role # https://github.com/ansible-lockdown -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! install {{ item }} /bin/true \ No newline at end of file diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index b172b97..732cbcc 100644 --- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # IPv6 disable {% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} diff --git a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 index bf8e858..8bd0157 100644 --- a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! {% if rhel9cis_rule_1_5_3 %} diff --git a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 index 4b2dabc..8bafbf9 100644 --- a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 
+++ b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # IPv4 Network sysctl {% if rhel9cis_rule_3_2_1 %} diff --git a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 index 895f23e..e85fae9 100644 --- a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # IPv6 Network sysctl {% if rhel9cis_ipv6_required %} From c697431c0075c6ea1fb2dd7423e9fa1b4047892c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 29 Jul 2022 18:35:54 +0100 Subject: [PATCH 76/98] Aded comments to each control for auditd Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.3.x.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index c05b93c..40a7517 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -1,5 +1,6 @@ --- +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" set_fact: update_audit_template: true @@ -13,6 +14,7 @@ - auditd - rule_4.1.3.1 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged" set_fact: update_audit_template: true @@ -26,6 +28,7 @@ - auditd - rule_4.1.3.2 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected" set_fact: update_audit_template: true 
@@ -39,6 +42,7 @@ - auditd - rule_4.1.3.3 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected" set_fact: update_audit_template: true @@ -52,6 +56,7 @@ - auditd - rule_4.1.3.4 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected" set_fact: update_audit_template: true @@ -65,6 +70,7 @@ - auditd - rule_4.1.3.5 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" block: - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" @@ -88,6 +94,7 @@ - auditd - rule_4.1.3.6 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" set_fact: update_audit_template: true @@ -101,6 +108,7 @@ - auditd - rule_4.1.3_7 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" set_fact: update_audit_template: true @@ -114,6 +122,7 @@ - auditd - rule_4.1.3.8 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" set_fact: update_audit_template: true @@ -127,6 +136,7 @@ - auditd - rule_4.1.3.9 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected" set_fact: update_audit_template: true 
@@ -140,6 +150,7 @@ - auditd - rule_4.1.3.10 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.11 | PATCH | Ensure session initiation information is collected" set_fact: update_audit_template: true @@ -153,6 +164,7 @@ - auditd - rule_4.1.3.11 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.12 | PATCH | Ensure login and logout events are collected" set_fact: update_audit_template: true @@ -166,6 +178,7 @@ - auditd - rule_4.1.3.12 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected" set_fact: update_audit_template: true @@ -178,6 +191,7 @@ - patch - rule_4.1.3.13 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" set_fact: update_audit_template: true @@ -191,6 +205,7 @@ - auditd - rule_4.1.3.14 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" set_fact: update_audit_template: true @@ -204,6 +219,7 @@ - auditd - rule_4.1.3.15 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" set_fact: update_audit_template: true @@ -217,6 +233,7 @@ - auditd - rule_4.1.3.16 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" set_fact: update_audit_template: true 
@@ -230,6 +247,7 @@ - auditd - rule_4.1.3.17 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" set_fact: update_audit_template: true @@ -243,6 +261,7 @@ - auditd - rule_4.1.3.18 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected" set_fact: update_audit_template: true @@ -256,6 +275,7 @@ - auditd - rule_4.1.3.19 +# All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable" set_fact: update_audit_template: true From f45bbd6ee82f15ab32c2804d695618b40ceadaff Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 23 Aug 2022 12:21:11 +0100 Subject: [PATCH 77/98] #21 user accts locked during user exec Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 0541f9b..14b4a50 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -32,7 +32,7 @@ - item.id != "sync" - item.id != "root" - item.id != "nfsnobody" - - min_int_uid | int < item.gid + - item.gid < min_int_uid | int - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" loop_control: From 4705e361bff2340f390a10685a85df78739a78f0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 23 Aug 2022 12:21:39 +0100 Subject: [PATCH 78/98] All passwords are expired during hardening #22 Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 790e876..4addbc5 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml 
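Review bot: The corrected condition `item.gid < min_int_uid | int` still compares the group id, although the surrounding checks and the `min_int_uid` name suggest this control selects system accounts by UID, so `item.uid` is probably the intended field — verify against the structure that populates `item`, which is outside this hunk. If that field is a string from parsed /etc/passwd, `item.uid | int < min_int_uid | int` also avoids a str/int comparison error in Jinja. The context lines `item.shell != " /bin/false"` carry a leading space inside the quotes, which looks unintended but is not part of this change.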
@@ -117,7 +117,7 @@ - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" command: passwd --expire {{ item }} when: - - rhel9cis_5_6_1_5_user_list | length > 0 + - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - rhel9cis_futurepwchgdate_autofix with_items: - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" From 2f8f58d4bb0d939329b08e9732a6af6c7a860c11 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 23 Aug 2022 12:22:46 +0100 Subject: [PATCH 79/98] update Signed-off-by: Mark Bolwell --- Changelog.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Changelog.md b/Changelog.md index 0ac9017..7221083 100644 --- a/Changelog.md +++ b/Changelog.md @@ -7,6 +7,9 @@ - selinux regexp improvements - warning summary now at end of play - advanced auditd options to exclude users in POST section +- Issues fixed thanks to fgierlinger + - [#21](https://github.com/ansible-lockdown/RHEL9-CIS/issues/21) + - [#22](https://github.com/ansible-lockdown/RHEL9-CIS/issues/22) ## 0.3 From 90500ceccfb2f8c1055ada31ad9e934fcf2501af Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 23 Aug 2022 12:25:28 +0100 Subject: [PATCH 80/98] updates Signed-off-by: Mark Bolwell --- Changelog.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 7221083..07d5eff 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,7 +2,8 @@ ## 0.4 -- RockyLinux now supported +- RockyLinux now supported - release since initial branches +- gpg check updates - workflow updates - selinux regexp improvements - warning summary now at end of play From 410074f7263580963c3ab4d453a9e7481ce21384 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 23 Aug 2022 16:45:01 +0100 Subject: [PATCH 81/98] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 1e2297a..cb11899 100644 --- a/Changelog.md 
+++ b/Changelog.md @@ -4,7 +4,7 @@ - RockyLinux now supported - release since initial branches - gpg check updates -- workflow updates +- workflow updates and improvements moved to rocky image - selinux regexp improvements - warning summary now at end of play - advanced auditd options to exclude users in POST section From 571f2f70e37c98332a164d544867732a24322eea Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 23 Aug 2022 16:47:21 +0100 Subject: [PATCH 82/98] updated for rocky an dnow beta Signed-off-by: Mark Bolwell --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 048c85f..4c7324b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Development Only -## RHEL 9 CIS (predicted) - ALPHA - CIS baselines or OS not yet GA +## RHEL 9 CIS (predicted) - Beta - CIS baselines or OS not yet GA ## Testing if you have access to the RH developer branches @@ -17,7 +17,7 @@ Based on [CIS RedHat Enterprise Linux 8 Benchmark v2.0.0. - 02-23-2022 ](https:/ ## Join us -On our [Discord Server](https://discord.gg/JFxpSgPFEJ) to ask questions, discuss features, or just chat with other Ansible-Lockdown users +On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users ## Caution(s) @@ -49,7 +49,9 @@ Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit). ## Requirements -RHEL 9 - Other versions are not supported. +RHEL 9 +Almalinux 9 +Rocky 9 - Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) From e4bf188383ad8d06566da1713c47fa0fb0755584 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 7 Sep 2022 13:35:36 +0100 Subject: [PATCH 83/98] Added Assertion for passwd set on ansible user Signed-off-by: Mark Bolwell --- tasks/main.yml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) 
diff --git a/tasks/main.yml b/tasks/main.yml index e2c9261..ecddbaa 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -20,6 +20,28 @@ tags: - always +- name: "Check password set for {{ ansible_user }}" + block: + - name: Capture current password state of "{{ ansible_user }}" + shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" + changed_when: false + failed_when: false + check_mode: false + register: ansible_user_password_set + + - name: "Assert that password set for {{ ansible_user }} and account not locked" + assert: + that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" + success_msg: "You a password set for the {{ ansible_user }}" + vars: + sudo_password_rule: rhel9cis_rule_5_3_4 + when: + - rhel9cis_rule_5_3_4 + - not system_is_ec2 + tags: + - user_passwd + - name: Setup rules if container block: - name: Discover and set container variable if required From 32907dc7c6e9ab85d006aa52199ca9cd1c7a887f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 7 Sep 2022 13:36:11 +0100 Subject: [PATCH 84/98] Added Assertion update Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index cb11899..740fa1c 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,6 +2,7 @@ ## 0.4 +- Added assertion that ansible_user has password set for rule 5.3.4 - RockyLinux now supported - release since initial branches - gpg check updates - workflow updates and improvements moved to rocky image From 2974fa5385e3a29a30eacdea3b9a7c17ad6bee51 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 11:04:12 +0100 Subject: [PATCH 85/98] lint updates Signed-off-by: Mark Bolwell --- .ansible-lint | 3 +++ .yamllint | 38 +++++++++++++++++++++++++------------- 2 files changed, 28 insertions(+), 13 deletions(-) 
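Review bot: `grep {{ ansible_user }} /etc/shadow` is unanchored, so a username that is a substring of another account (or of a hash) matches several lines and `ansible_user_password_set.stdout` no longer holds just the one password field; `getent shadow {{ ansible_user }} | cut -d: -f2` (or `grep "^{{ ansible_user }}:"`) pins the lookup to the account. The assertion only treats `!!` as "no password", but an account locked with `passwd -l` carries a `!` prefix before its hash and an unset field can also be `*`, so `not ansible_user_password_set.stdout is match('[!*]')` would actually honour the task name's "account not locked". The registered stdout is the user's password hash and should carry `no_log: true` so it does not land in verbose or log output. `success_msg` reads "You a password set" — "You have a password set".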
diff --git a/.ansible-lint b/.ansible-lint index f2a7e7c..f21e1f4 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,6 +1,9 @@ parseable: true quiet: true skip_list: + - 'schema' + - 'no-changed-when' + - 'fqcn-builtins' - '204' - '305' - '303' diff --git a/.yamllint b/.yamllint index fdea629..693eec6 100644 --- a/.yamllint +++ b/.yamllint @@ -2,22 +2,34 @@ ignore: | tests/ molecule/ + .github/ .gitlab-ci.yml *molecule.yml extends: default rules: - indentation: - # Requiring 4 space indentation - spaces: 4 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent - truthy: disable - braces: - max-spaces-inside: 1 - level: error - brackets: - max-spaces-inside: 1 - level: error - line-length: disable + indentation: + # Requiring 4 space indentation + spaces: 4 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent + truthy: disable + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + indentation: + indent-sequences: consistent + level: error + line-length: disable + key-duplicates: enable + new-line-at-end-of-file: enable + new-lines: + type: unix + trailing-spaces: enable + truthy: + allowed-values: ['true', 'false'] + check-keys: false From 1e22c1379400ab4d3da111c4929fdc0b48747b0c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 11:04:19 +0100 Subject: [PATCH 86/98] linting Signed-off-by: Mark Bolwell --- handlers/main.yml | 8 ++++---- tasks/LE_audit_setup.yml | 2 +- tasks/auditd.yml | 14 ++++++++------ tasks/main.yml | 28 ++++++++++++++-------------- tasks/post.yml | 2 +- tasks/post_remediation_audit.yml | 4 ++-- tasks/pre_remediation_audit.yml | 7 +++++-- tasks/prelim.yml | 4 +++- 8 files changed, 38 insertions(+), 31 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 9264a42..533660d 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
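Review bot: The new `rules:` map in .yamllint defines `indentation:` twice and `truthy:` twice; PyYAML, which yamllint uses, keeps the last occurrence, so `spaces: 4` is silently dropped in favour of the second `indentation:` block and `truthy: disable` is replaced by the `allowed-values` block — and the same hunk enables `key-duplicates`, which would flag this file itself. Merge each pair into one key, e.g. `indentation: {spaces: 4, indent-sequences: consistent, level: error}`, and keep a single `truthy:` block (`allowed-values: ['true', 'false']`, `check-keys: false`) if that is the intended policy. The `.ansible-lint` hunk skips `no-changed-when` and `fqcn-builtins` globally; a short comment on why each is skipped would help the next maintainer decide when to re-enable them.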
@@ -15,7 +15,7 @@ value: '1' sysctl_set: true ignore_errors: true - when: + when: - flush_ipv4_route - not system_is_container tags: @@ -27,7 +27,7 @@ name: net.ipv6.route.flush value: '1' sysctl_set: true - when: + when: - flush_ipv6_route - not system_is_container @@ -78,7 +78,7 @@ shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" args: warn: false - ignore_errors: True + ignore_errors: true tags: - skip_ansible_lint @@ -130,4 +130,4 @@ - name: change_requires_reboot set_fact: - change_requires_reboot: true \ No newline at end of file + change_requires_reboot: true diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index e4cac49..98f3855 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -22,7 +22,7 @@ - get_goss_file == 'copy' - name: install git if not present - package: + package: name: git state: present register: git_installed diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 9c5a14e..74830ca 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -1,3 +1,5 @@ +--- + - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added template: src: audit/99_auditd.rules.j2 @@ -6,18 +8,18 @@ group: root mode: 0600 register: audit_rules_updated - notify: + notify: - auditd_immutable_check - audit_immutable_fact - restart auditd - name: POST | Set up auditd user logging exceptions template: - src: audit/98_auditd_exception.rules.j2 - dest: /etc/audit/rules.d/98_auditd_exceptions.rules - owner: root - group: root - mode: 0600 + src: audit/98_auditd_exception.rules.j2 + dest: /etc/audit/rules.d/98_auditd_exceptions.rules + owner: root + group: root + mode: 0600 notify: restart auditd when: - allow_auditd_uid_user_exclusions diff --git a/tasks/main.yml b/tasks/main.yml index ecddbaa..0d272b1 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -22,20 +22,20 @@ - name: "Check password set for {{ ansible_user }}" block: - - name: Capture current password state of "{{ ansible_user }}" - shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" - changed_when: false - failed_when: false - check_mode: false - register: ansible_user_password_set + - name: Capture current password state of "{{ ansible_user }}" + shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" + changed_when: false + failed_when: false + check_mode: false + register: ansible_user_password_set - - name: "Assert that password set for {{ ansible_user }} and account not locked" - assert: - that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" - success_msg: "You a password set for the {{ ansible_user }}" - vars: - sudo_password_rule: rhel9cis_rule_5_3_4 + - name: "Assert that password set for {{ ansible_user }} and account not locked" + assert: + that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" + success_msg: "You a password set for the {{ ansible_user }}" + vars: + sudo_password_rule: rhel9cis_rule_5_3_4 when: - rhel9cis_rule_5_3_4 - not system_is_ec2 @@ -205,7 +205,7 @@ - name: If Warnings found Output count and control IDs affected debug: - msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" + msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" when: warn_count != 0 tags: - always diff --git a/tasks/post.yml b/tasks/post.yml index 3a8a0ed..3b5c3f2 100644 --- a/tasks/post.yml 
+++ b/tasks/post.yml @@ -53,7 +53,7 @@ - name: "POST | Warning a reboot required but skip option set | warning count" set_fact: control_number: "{{ control_number }} + [ 'Reboot_required' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - change_requires_reboot - skip_reboot diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 0ab61b2..4429b7e 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -2,7 +2,7 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment|default({}) }}" + environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_post_remediation.rc == 0 register: audit_run_post_remediation args: @@ -28,7 +28,7 @@ - name: Capture post-audit result set_fact: - post_audit_summary: "{{ post_audit.stdout | from_json |json_query(summary) }}" + post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' when: diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index bb9344a..93c4985 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -33,6 +33,9 @@ get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" + owner: root + group: root + mode: 0755 when: - audit_content == 'get_url' @@ -70,7 +73,7 @@ - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment|default({}) }}" + environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_pre_remediation.rc == 0 register: audit_run_pre_remediation args: 
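Review bot: The `get_url` task in the tasks/pre_remediation_audit.yml hunk (`@@ -33,6 +33,9 @@`) now writes the download with `mode: 0755` but still passes no `checksum:`, so whatever `audit_files_url` serves lands on disk executable with no integrity check; `get_url` accepts `checksum: "sha256:<EXPECTED_DIGEST>"` (placeholder value) and pinning it is cheap when the URL points at a fixed release artifact. If the fetched file is an archive that is unpacked later rather than executed in place, `mode: 0644` is enough; the hunk does not show what is fetched, so a one-line comment on the task stating why the executable bit is needed would help either way. The task's `name` line precedes the hunk.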
@@ -87,7 +90,7 @@ - name: Pre Audit | Capture pre-audit result set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}" + pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' when: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 2646e98..55546d1 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -217,7 +217,9 @@ min_int_uid: "{{ uid_min_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" -- debug: + +- name: Output of uid findings + debug: msg: "{{ min_int_uid }} {{ max_int_uid }}" when: From 33340c7487e181787e2fff9a09789936797432f9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 11:10:31 +0100 Subject: [PATCH 87/98] lint updates Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 6 +++--- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.1.3.x.yml | 2 +- tasks/section_1/cis_1.1.4.x.yml | 4 ++-- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 4 ++-- tasks/section_1/cis_1.1.7.x.yml | 2 +- tasks/section_1/cis_1.1.8.x.yml | 2 +- tasks/section_1/cis_1.1.x.yml | 4 ++-- tasks/section_1/cis_1.2.x.yml | 8 ++++---- tasks/section_1/cis_1.4.x.yml | 2 +- tasks/section_1/cis_1.6.1.x.yml | 4 ++-- tasks/section_1/cis_1.8.x.yml | 9 ++++++--- 13 files changed, 27 insertions(+), 24 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index d0a9eaa..1c99b62 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -7,7 +7,7 @@ path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" - create: yes + create: true mode: 0600 - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" 
@@ -32,7 +32,7 @@ path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" - create: yes + create: true mode: 0600 - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" @@ -57,7 +57,7 @@ path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" - create: yes + create: true mode: 0600 - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index d43d768..d7db5a6 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -11,7 +11,7 @@ - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 6dbc1d2..9e4feb8 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -13,7 +13,7 @@ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 62c4306..d05db6a 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -14,7 +14,7 @@ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names 
@@ -68,4 +68,4 @@ - skip_ansible_lint - rule_1.1.4.2 - rule_1.1.4.3 - - rule_1.1.4.4 \ No newline at end of file + - rule_1.1.4.4 diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 985b3d8..dd4ab9f 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -13,7 +13,7 @@ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 47bcba7..afbe41a 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -13,7 +13,7 @@ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names @@ -66,4 +66,4 @@ - skip_ansible_lint - rule_1.1.6.2 - rule_1.1.6.3 - - rule_1.1.6.4 \ No newline at end of file + - rule_1.1.6.4 diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 6ba442d..59f28ba 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -13,7 +13,7 @@ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index a61a6af..26ae877 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml 
@@ -13,7 +13,7 @@ shell: mount -l | grep -E '\s/dev/shm\s' changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_1_1_8_x_dev_shm_status - name: | diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index a77e524..ea5c862 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -3,7 +3,7 @@ - name: "1.1.9 | PATCH | Disable Automounting" service: name: autofs - enabled: no + enabled: false when: - not rhel9cis_allow_autofs - "'autofs' in ansible_facts.packages" @@ -24,7 +24,7 @@ path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" - create: yes + create: true owner: root group: root mode: 0600 diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 4d8cd68..81e996d 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -27,7 +27,7 @@ failed_when: false register: os_installed_pub_keys - #- debug: + # - debug: # msg: "{{ os_installed_pub_keys }}" - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Query found keys" @@ -40,7 +40,7 @@ - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys pass" debug: msg: "Congratulations !! - The installed gpg keys match expected values" - when: + when: - os_installed_pub_keys.rc == 0 - os_gpg_key_check.rc == 0 @@ -96,7 +96,7 @@ changed_when: false failed_when: false register: dnf_configured - check_mode: no + check_mode: false args: warn: false @@ -109,7 +109,7 @@ - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Warn Count" set_fact: control_number: "{{ control_number }} + ['rule_1.2.4']" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - rhel9cis_rule_1_2_4 tags: diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 6ac4979..8ba419e 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml 
@@ -58,7 +58,7 @@ path: /etc/systemd/system/rescue.service.d/00-require-auth.conf regexp: '^ExecStart=' line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" - create: yes + create: true owner: root group: root mode: 0644 diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 494176d..f2b231e 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -84,7 +84,7 @@ - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_1.6.1.5' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 when: - rhel9cis_rule_1_6_1_5 @@ -121,4 +121,4 @@ - level1-workstation - automated - patch - - rule_1.6.1.7 \ No newline at end of file + - rule_1.6.1.7 diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index a126a0a..f47d2a1 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -21,7 +21,7 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" state: present - create: yes + create: true owner: root group: root mode: 0644 @@ -50,7 +50,7 @@ path: "{{ item.file }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" - create: yes + create: true owner: root group: root mode: 0644 @@ -93,7 +93,10 @@ path: /etc/dconf/db/local.d/00-media-automount regexp: "{{ item.regex }}" line: "{{ item.line }}" - create: yes + create: true + owner: root + group: root + mode: 0644 notify: reload dconf with_items: - { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' } From 1992eea6dab1d56cc58a3265df61c9d0cb4b2358 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 11:19:01 +0100 Subject: [PATCH 88/98] lint updates 
Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 2 +- tasks/section_2/cis_2.4.yml | 8 ++++---- tasks/section_3/cis_3.1.x.yml | 6 +++--- tasks/section_3/cis_3.2.x.yml | 19 +++++++++++-------- tasks/section_3/cis_3.3.x.yml | 30 ++++++++++++++++-------------- tasks/section_3/cis_3.4.1.x.yml | 10 +++++----- tasks/section_3/cis_3.4.2.x.yml | 10 +++++----- 7 files changed, 45 insertions(+), 40 deletions(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index effe806..1db8179 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -29,7 +29,7 @@ path: /etc/sysconfig/chronyd regexp: "^(#)?OPTIONS" line: "OPTIONS=\"-u chrony\"" - create: yes + create: true mode: 0644 when: - rhel9cis_rule_2_1_2 diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 14b86ed..3373e54 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -6,7 +6,7 @@ shell: systemctl list-units --type=service changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_2_4_services - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" @@ -16,10 +16,10 @@ - "Please review to make sure all are essential" - "{{ rhel9cis_2_4_services.stdout_lines }}" - - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Warn Count" + - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Warn Count" set_fact: control_number: "{{ control_number }} + ['rule_2.4']" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - rhel9cis_rule_2_4 tags: @@ -28,4 +28,4 @@ - manual - audit - services - - rule_2.4 \ No newline at end of file + - rule_2.4 diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index bb6d09c..6eaf58f 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -10,7 +10,7 @@ flush_ipv6_route: true - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" - debug: + debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" when: - not rhel9cis_ipv6_required @@ -68,9 +68,9 @@ command: rpm -q NetworkManager changed_when: false failed_when: false - check_mode: no + check_mode: false args: - warn: no + warn: false register: rhel_08_nmcli_available - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 36a4628..6e07c55 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -6,18 +6,21 @@ set_fact: sysctl_update: true flush_ipv4_route: true + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - - block: - - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact" - set_fact: - flush_ipv6_route: true - - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | IPv6" + block: + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding | Set Fact" + set_fact: + flush_ipv6_route: true + + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" + when: rhel9cis_ipv6_required when: - not rhel9cis_is_router diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 2559925..5a1454e 100644 --- a/tasks/section_3/cis_3.3.x.yml 
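Review bot: Rewriting `warn: no` to `warn: false` under `args:` in the cis_3.1.x hunk (`@@ -68,9 +68,9 @@`) keeps an argument that ansible-core has deprecated for `command`/`shell` and scheduled for removal; on a release without it the task fails with an unsupported-parameter error instead of merely warning. Since this lint pass touches every occurrence anyway, removing the `warn:` line (and the `args:` mapping where it becomes empty) is the smaller change. The same rewrite appears in the cis_3.4.2.x hunk of PATCH 88 and in the cis_5.2.x, cis_5.4.x and cis_6.1.x hunks of PATCH 89.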
+++ b/tasks/section_3/cis_3.3.x.yml @@ -10,14 +10,15 @@ debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - - block: - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact" - set_fact: - flush_ipv6_route: true + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" + block: + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6 | Set Fact" + set_fact: + flush_ipv6_route: true - - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted | IPv6" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" when: rhel9cis_ipv6_required when: - rhel9cis_rule_3_3_1 @@ -39,14 +40,15 @@ debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - - block: - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact" - set_fact: - flush_ipv6_route: true + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" + block: + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6 | Set Fact" + set_fact: + flush_ipv6_route: true - - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted | IPv6" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" when: rhel9cis_ipv6_required when: - rhel9cis_rule_3_3_2 diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index cef70de..d43dfe6 100644 
--- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -49,7 +49,7 @@ systemd: name: nftables state: stopped - masked: yes + masked: true when: - rhel9cis_firewalld_nftables_state == "masked" @@ -73,7 +73,7 @@ systemd: name: firewalld state: started - enabled: yes + enabled: true when: - rhel9cis_rule_3_4_1_4 tags: @@ -90,7 +90,7 @@ changed_when: false failed_when: ( firewalld_zone_set.rc not in [ 0, 1 ] ) register: firewalld_zone_set - + - name: "3.4.1.5 | AUDIT | Ensure firewalld default zone is set" command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" when: @@ -112,7 +112,7 @@ shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done" changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_3_4_1_6_interfacepolicy - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy" @@ -135,7 +135,7 @@ shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_3_4_1_7_servicesport - name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index b74eda1..7169fb3 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml 
@@ -105,14 +105,14 @@ - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_3.4.2.5' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable - name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed" command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" - failed_when: no + failed_when: false when: rhel9cis_nft_tables_autonewtable when: - rhel9cis_firewall == "nftables" @@ -159,8 +159,8 @@ - name: "3.4.2.6 | PATCH | Ensure nftables base chains exist | Create chains if needed" shell: "{{ item }}" args: - warn: no - failed_when: no + warn: false + failed_when: false with_items: - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } @@ -322,7 +322,7 @@ - name: "3.4.2.10 | PATCH | Ensure nftables service is enabled" service: name: nftables - enabled: yes + enabled: true when: - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_10 From 3df35e03a08e49d0f01f7903ed7122de2b88863d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 11:34:42 +0100 Subject: [PATCH 89/98] lint updates 
Signed-off-by: Mark Bolwell --- handlers/main.yml | 4 ++-- tasks/section_1/cis_1.6.1.x.yml | 2 +- tasks/section_3/cis_3.4.2.x.yml | 2 +- tasks/section_4/cis_4.1.1.x.yml | 6 ++--- tasks/section_4/cis_4.1.3.x.yml | 2 +- tasks/section_4/cis_4.2.1.x.yml | 8 +++---- tasks/section_4/cis_4.2.2.x.yml | 12 +++++----- tasks/section_5/cis_5.1.x.yml | 2 +- tasks/section_5/cis_5.2.x.yml | 6 ++--- tasks/section_5/cis_5.4.x.yml | 8 +++---- tasks/section_5/cis_5.6.1.x.yml | 10 ++++----- tasks/section_5/cis_5.6.x.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 9 +++++--- tasks/section_6/cis_6.2.x.yml | 40 ++++++++++++++++----------------- 14 files changed, 58 insertions(+), 55 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 533660d..f96d9fb 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -14,7 +14,7 @@ name: net.ipv4.route.flush value: '1' sysctl_set: true - ignore_errors: true + ignore_errors: true # noqa ignore-errors when: - flush_ipv4_route - not system_is_container @@ -78,7 +78,7 @@ shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" args: warn: false - ignore_errors: true + ignore_errors: true # noqa ignore-errors tags: - skip_ansible_lint diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index f2b231e..9a8d134 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -19,7 +19,7 @@ regexp: 'selinux=0' replace: '' register: selinux_grub_patch - ignore_errors: yes + ignore_errors: true # noqa ignore-errors notify: grub2cfg when: - rhel9cis_rule_1_6_1_2 diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 7169fb3..81fe733 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -39,7 +39,7 @@ name: "{{ item }}" enabled: false masked: true - ignore_errors: true + ignore_errors: true # noqa ignore-errors with_items: - iptables - ip6tables 
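Review bot: Adding `# noqa ignore-errors` to the `grub2-mkconfig` handler in the handlers/main.yml hunk (`@@ -78,7 +78,7 @@`) silences the lint finding without addressing it: a failed grub.cfg regeneration still leaves the play green, and the cis_1.6.1.x hunk in this same patch notifies that handler after editing the kernel command line, so a silent failure means the edited boot settings are never applied and nothing reports it. If the suppression exists for hosts without grub (containers), gating the handler with `when: not system_is_container` as the sysctl handlers in the first hunk already do, and dropping `ignore_errors`, keeps real failures visible. The `ignore_errors` on the `selinux=0` replace in cis_1.6.1.x has the same effect; whether that is deliberate best-effort is not visible from the hunk.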
diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index ffe7205..258b64f 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -27,7 +27,7 @@ service: name: auditd state: started - enabled: yes + enabled: true when: - rhel9cis_rule_4_1_1_2 tags: @@ -44,7 +44,7 @@ shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_4_1_1_3_grub_cmdline_linux - name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" @@ -79,7 +79,7 @@ shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_4_1_1_4_grub_cmdline_linux - name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index 40a7517..8272b7e 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -77,7 +77,7 @@ shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done changed_when: false failed_when: false - check_mode: no + check_mode: false register: priv_procs - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 7e70a02..99e253a 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -18,7 +18,7 @@ - name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" service: name: rsyslog - enabled: yes + enabled: true when: - rhel9cis_rule_4_2_1_2 tags: 
@@ -65,10 +65,10 @@ block: - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" command: cat /etc/rsyslog.conf - become: yes + become: true changed_when: false - failed_when: no - check_mode: no + failed_when: false + check_mode: false register: rhel_08_4_2_1_5_audit - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 7a35d8f..f172f96 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -39,7 +39,7 @@ systemd: name: systemd-journal-upload state: started - enabled: yes + enabled: true when: - rhel9cis_system_is_log_server - rhel9cis_rule_4_2_2_1_3 @@ -55,8 +55,8 @@ systemd: name: systemd-journal-remote.socket state: stopped - enabled: no - masked: yes + enabled: false + masked: true when: - not rhel9cis_system_is_log_server - rhel9cis_rule_4_2_2_1_4 @@ -74,7 +74,7 @@ systemd: name: systemd-journald state: started - enabled: yes + enabled: true - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status" shell: systemctl is-enabled systemd-journald.service @@ -91,7 +91,7 @@ - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: "'static' not in rhel9cis_4_2_2_2_status.stdout" when: - rhel9cis_rule_4_2_2_2 @@ -203,7 +203,7 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Warn Count" set_fact: control_number: "{{ control_number }} + [ 'rule_4.2.2.7' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - rhel9cis_rule_4_2_2_7 tags: diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 734b434..ef82f98 100644 --- a/tasks/section_5/cis_5.1.x.yml 
+++ b/tasks/section_5/cis_5.1.x.yml @@ -3,7 +3,7 @@ - name: "5.1.1 | PATCH | Ensure cron daemon is enabled" service: name: crond - enabled: yes + enabled: true when: - rhel9cis_rule_5_1_1 tags: diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 73b804f..202ee8c 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -275,15 +275,15 @@ - name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden" shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd args: - warn: no + warn: false changed_when: false failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] ) register: ssh_crypto_discovery - + - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd args: - warn: no + warn: false notify: restart sshd when: ssh_crypto_discovery.stdout | length > 0 when: diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 501af41..11ddbbd 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -6,7 +6,7 @@ shell: 'authselect current | grep "Profile ID: custom/"' failed_when: false changed_when: false - check_mode: no + check_mode: false register: rhel9cis_5_4_1_profiles - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles" @@ -18,7 +18,7 @@ - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles" shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} args: - warn: no + warn: false when: rhel9cis_authselect_custom_profile_create when: - rhel9cis_rule_5_4_1 @@ -36,7 +36,7 @@ shell: "authselect current | grep with-faillock" failed_when: false changed_when: false - check_mode: no + check_mode: false register: rhel9cis_5_4_2_profiles_faillock - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles" 
@@ -48,7 +48,7 @@ - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" args: - warn: no + warn: false when: rhel9cis_authselect_custom_profile_select when: - rhel9cis_rule_5_4_2 diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 4addbc5..1163abb 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -51,7 +51,7 @@ shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_5_6_1_4_inactive_settings - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" @@ -61,7 +61,7 @@ - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false - check_mode: no + check_mode: false register: rhel_8_5_6_1_4_user_list - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" @@ -84,14 +84,14 @@ shell: echo $(($(date --utc --date "$1" +%s)/86400)) changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_5_6_1_5_currentut - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'" changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_5_6_1_5_user_list - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" 
@@ -109,7 +109,7 @@ - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 14b4a50..474a378 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -49,7 +49,7 @@ - name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" blockinfile: - create: yes + create: true mode: 0644 dest: "{{ item.dest }}" state: "{{ item.state }}" diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index c61b51e..2cef0f7 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -5,7 +5,7 @@ - name: "6.1.1 | AUDIT | Audit system file permissions | Audit the packages" shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto args: - warn: no + warn: false changed_when: false failed_when: false register: rhel9cis_6_1_1_packages_rpm @@ -16,6 +16,9 @@ copy: dest: "{{ rhel9cis_rpm_audit_file }}" content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}" + owner: root + group: root + mode: 0640 - name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" debug: @@ -26,7 +29,7 @@ - name: "6.1.1 | AUDIT | Audit system file permissions | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.1.1' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0 - name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies" 
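Review bot: The added `mode: 0640` on the rpm-audit output copy is an unquoted leading-zero number; PyYAML reads it as an octal integer that Ansible then converts, but a YAML 1.2 parser or a later edit that drops the zero silently changes the permission, so the quoted form `mode: '0640'` is the unambiguous spelling and the one ansible-lint prefers. Setting owner, group and mode on this file is the right call, since the `rpm -Va` output it holds enumerates modified system files. The task names in this hunk and the next also spell "descrepancies" for "discrepancies".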
@@ -46,7 +49,7 @@ - name: "6.1.2 | PATCH | Ensure sticky bit is set on all world-writable directories" shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t args: - warn: no + warn: false changed_when: false failed_when: false when: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 3225895..eb4bcde 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -39,7 +39,7 @@ - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.2' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_2 @@ -73,7 +73,7 @@ - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.3' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_3 @@ -107,7 +107,7 @@ - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.4' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1 when: @@ -142,7 +142,7 @@ - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.5' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_5 
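Review bot: The 6.1.2 sticky-bit PATCH task feeds newline-separated `find` output into `xargs chmod a+t`, so a world-writable directory whose name contains whitespace is split into several arguments, and the resulting chmod failure is then swallowed by `failed_when: false`. Null-delimited output keeps every path intact: `shell: df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d -perm -0002 -print0 2>/dev/null | xargs -0 chmod a+t`. `changed_when: false` on a task that does modify permissions also hides real changes from the play recap.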
@@ -161,7 +161,7 @@ shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' changed_when: false failed_when: false - check_mode: no + check_mode: false register: rhel9cis_6_2_6_group_group_check - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" @@ -177,7 +177,7 @@ - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | warning count" set_fact: control_number: "{{ control_number }} + [ 'rule_6.2.6' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: rhel9cis_6_2_6_group_group_check.stdout is not defined when: - rhel9cis_rule_6_2_6 @@ -194,23 +194,23 @@ block: - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine empty value" shell: 'echo $PATH | grep ::' - changed_when: False + changed_when: false failed_when: rhel9cis_6_2_7_path_colon.rc == 0 - check_mode: no + check_mode: false register: rhel9cis_6_2_7_path_colon - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determin colon end" shell: 'echo $PATH | grep :$' - changed_when: False + changed_when: false failed_when: rhel9cis_6_2_7_path_colon_end.rc == 0 - check_mode: no + check_mode: false register: rhel9cis_6_2_7_path_colon_end - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine dot in path" shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" - changed_when: False + changed_when: false failed_when: '"." in rhel9cis_6_2_7_dot_in_path.stdout_lines' - check_mode: no + check_mode: false register: rhel9cis_6_2_7_dot_in_path - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" @@ -280,7 +280,7 @@ - name: "6.2.9 | PATCH | Ensure all users' home directories exist" file: path: "{{ item.0 }}" - recurse: yes + recurse: true mode: a-st,g-w,o-rwx register: rhel_08_6_2_9_patch when: 
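Review bot: The three 6.2.7 PATH checks do not examine the same environment: the empty-element and trailing-colon tests inspect `$PATH` of the non-interactive shell Ansible spawns for the task, while the dot-in-path test reads it from `/bin/bash --login -c 'env | grep ^PATH='`, so a PATH entry introduced by root's login profile is only seen by the third check. Running all three against the login-shell PATH, or capturing it once and testing the registered value, keeps the audit consistent. The enclosing `block:` for these tasks starts before the hunk.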
@@ -296,12 +296,12 @@ - name: "6.2.9 | PATCH | Ensure all users' home directories exist" acl: path: "{{ item.0 }}" - default: yes + default: true state: present - recursive: yes + recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: + when: - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | @@ -368,7 +368,7 @@ - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" file: path: "{{ item.0 }}" - recurse: yes + recurse: true mode: a-st,g-w,o-rwx register: rhel_08_6_2_11_patch when: @@ -384,12 +384,12 @@ - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" acl: path: "{{ item.0 }}" - default: yes + default: true state: present - recursive: yes + recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: + when: - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results | From 962319fcce00af508f5d443f6320f8d42d3b3203 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 11:52:55 +0100 Subject: [PATCH 90/98] changed audit dir to opt Signed-off-by: Mark Bolwell --- defaults/main.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index c605f92..8942455 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -669,12 +669,9 @@ audit_local_copy: "some path to copy from" # get_url: audit_files_url: "some url maybe s3?" -# Where the goss audit configuration will be stored -audit_files: "/var/tmp/{{ benchmark }}-Audit/" - ## Goss configuration information # Where the goss configs and outputs are stored -audit_out_dir: '/var/tmp' +audit_out_dir: '/opt' audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" From a1d0130909d2613a9a7c0c4f2bfa40fcde04f177 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 11:53:52 +0100 Subject: [PATCH 91/98] updates Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 740fa1c..2fa85d4 100644 --- a/Changelog.md +++ b/Changelog.md @@ -5,6 +5,8 @@ - Added assertion that ansible_user has password set for rule 5.3.4 - RockyLinux now supported - release since initial branches - gpg check updates +- audit out dir now /opt +- lint updates and improvements - workflow updates and improvements moved to rocky image - selinux regexp improvements - warning summary now at end of play From 0d155c418258e09c9256b409b1b7577886c149c1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 14:08:16 +0100 Subject: [PATCH 92/98] lint updates Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.3.x.yml | 2 ++ tasks/section_3/cis_3.4.2.x.yml | 2 +- tasks/section_4/cis_4.2.1.x.yml | 1 - templates/audit/98_auditd_exception.rules.j2 | 2 +- templates/etc/modprobe.d/modprobe.conf.j2 | 2 +- 5 files changed, 5 insertions(+), 4 deletions(-) diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 5a1454e..b78593e 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml 
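Review bot: `audit_out_dir` now defaults to `/opt`, so the pre/post scan outfiles and `{{ benchmark }}-Audit/` are created directly under a directory this hunk does not show the role creating or setting permissions on; unlike `/var/tmp` it is normally root-owned and not world-writable, which is an improvement, but the tasks that write there should still set an explicit owner and mode so the scan results are not readable by every local user. A comment above the variable such as `# must not be a world-writable location (previously /var/tmp)` would record why the default moved. The `audit_files` variable removed here should be checked for remaining references elsewhere in the role, since any such use would now be undefined.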
@@ -65,6 +65,7 @@ set_fact: sysctl_update: true flush_ipv4_route: true + - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" @@ -140,6 +141,7 @@ set_fact: sysctl_update: true flush_ipv4_route: true + - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 81fe733..ebb3631 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -172,7 +172,7 @@ tags: - level1-server - level1-workstation - - automate + - automated - patch - nftables - rule_3.4.2.6 diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 99e253a..12afac1 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -65,7 +65,6 @@ block: - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" command: cat /etc/rsyslog.conf - become: true changed_when: false failed_when: false check_mode: false diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index 3dcc355..d8a0b8d 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -5,4 +5,4 @@ {% for user in rhel9cis_auditd_uid_exclude %} -a never,user -F uid!={{ user }} -F auid!={{ user }} {% endfor %} -{% endif %} \ No newline at end of file +{% endif %} diff --git a/templates/etc/modprobe.d/modprobe.conf.j2 b/templates/etc/modprobe.d/modprobe.conf.j2 index 081bbae..77b8cd5 100644 --- a/templates/etc/modprobe.d/modprobe.conf.j2 +++ b/templates/etc/modprobe.d/modprobe.conf.j2 
@@ -3,4 +3,4 @@ # https://github.com/ansible-lockdown ## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! -install {{ item }} /bin/true \ No newline at end of file +install {{ item }} /bin/true From 5c2211f99b29fb1dd3845325ec82cdf99c9babff Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 14:23:33 +0100 Subject: [PATCH 93/98] aligned with audit Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index f5a7921..1431ed4 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -159,6 +159,7 @@ rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }} rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }} rhel9cis_rule_2_3_4: {{ rhel9cis_rule_2_3_4 }} rhel9cis_rule_2_3_5: {{ rhel9cis_rule_2_3_5 }} +rhel9cis_rule_2_3_6: {{ rhel9cis_rule_2_3_6 }} rhel9cis_rule_2_4: true # todo @@ -276,6 +277,7 @@ rhel9cis_rule_5_1_5: {{ rhel9cis_rule_5_1_5 }} rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }} rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }} rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }} +rhel9cis_rule_5_1_9: {{ rhel9cis_rule_5_1_9 }} # 5.2 Configure SSH Server rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }} @@ -494,4 +496,4 @@ rhel9cis_pass: rhel9cis_sugroup: {% if rhel9cis_sugroup is undefined %}wheel{% else %}{{ rhel9cis_sugroup }}{% endif %} ## 5.3.7 sugroup users list -rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} \ No newline at end of file +rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} From d3d819b0a03972bcafa9106ff36f2dbe62119f82 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 14:24:31 +0100 Subject: [PATCH 94/98] changed default git_branch to devel Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8942455..510784b 100644 
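Review bot: The goss vars template now dereferences `rhel9cis_rule_2_3_6` (and `rhel9cis_rule_5_1_9` in the next hunk) with no `default()`, so rendering fails with an undefined-variable error on any inventory whose variables predate these rules; this series does not show the matching defaults being added, so please confirm they exist or give both a `default()` that matches the role's defaults. In the same hunk `rhel9cis_rule_2_4: true # todo` remains hard-coded while every neighbouring rule is templated from the role variable, which means the 2.4 audit cannot be switched off from the playbook like the others.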
--- a/defaults/main.yml +++ b/defaults/main.yml @@ -661,7 +661,7 @@ copy_goss_from_path: /some/accessible/path ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: main +audit_git_version: devel # copy: audit_local_copy: "some path to copy from" From 19a8103be4fb7164b6416c358c352adb7ba70039 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 14:47:01 +0100 Subject: [PATCH 95/98] removed unnecessary when statement Signed-off-by: Mark Bolwell --- handlers/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index f96d9fb..0fae419 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -120,11 +120,6 @@ shell: service auditd restart args: warn: false - when: - - audit_rules_updated.changed or - rule_4_1_2_1.changed or - rule_4_1_2_2.changed or - rule_4_1_2_3.changed tags: - skip_ansible_lint From 226f2bc9b9f3aec00e8d6e94db4987d1dbf0e45e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 15:47:38 +0100 Subject: [PATCH 96/98] removed unnecessary become Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 55546d1..80a273b 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -86,7 +86,6 @@ package: name: python3-libselinux state: present - become: true when: - '"python3-libselinux" not in ansible_facts.packages' From cc2f734d5705e5b3028d3f31ae1aa463361a56b9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 15:47:55 +0100 Subject: [PATCH 97/98] line tidy up Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 81e996d..9445d15 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
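Review bot: `audit_git_version: devel` makes the role's default audit content a moving development branch of `{{ benchmark }}-Audit.git`, so each run fetches whatever currently sits on that branch and executes it on the host as the compliance check; a release of this role should pin `audit_git_version` to a tag or commit so the audit content is reproducible and reviewable. If `devel` is only meant to track this branch's own development, say so next to the value: `audit_git_version: devel  # NOTE: pin to a release tag before tagging this role`.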
@@ -27,14 +27,11 @@ failed_when: false register: os_installed_pub_keys - # - debug: - # msg: "{{ os_installed_pub_keys }}" - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Query found keys" shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\"" - register: os_gpg_key_check changed_when: false failed_when: false + register: os_gpg_key_check when: os_installed_pub_keys.rc == 0 - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys pass" From cdf8bab1ed2f52b90021031461509e2a705ee037 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 16 Sep 2022 15:48:13 +0100 Subject: [PATCH 98/98] removed unnecessary register Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.2.x.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index afad08b..0eec0b2 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -5,7 +5,6 @@ path: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" line: "max_log_file = {{ rhel9cis_max_log_file_size }}" - register: rule_4_1_2_1 notify: restart auditd when: - rhel9cis_rule_4_1_2_1 @@ -22,7 +21,6 @@ path: /etc/audit/auditd.conf regexp: "^max_log_file_action" line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" - register: rule_4_1_2_2 notify: restart auditd when: - rhel9cis_rule_4_1_2_2 @@ -39,7 +37,6 @@ path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" - register: rule_4_1_2_3 notify: restart auditd with_items: - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' }