From 674d3417ff03377963e858d120ee6bd3436d5dff Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 6 Jun 2023 14:36:38 +0100 Subject: [PATCH 1/5] rule_1.10 updates Signed-off-by: Mark Bolwell --- defaults/main.yml | 8 +++++--- tasks/main.yml | 21 ++++++++++++++++----- tasks/prelim.yml | 11 ++++++++++- tasks/section_1/cis_1.10.yml | 19 ++++++++++++++----- vars/main.yml | 5 +++++ 5 files changed, 50 insertions(+), 14 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ee4f51b..9d3c003 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -380,9 +380,11 @@ rhel9cis_dconf_db_name: local rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) -# 1.10 Set crypto policy DEFAULT -# Control 1.10 states not to use LEGACY -rhel9cis_crypto_policy: "DEFAULT" +# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) +# Control 1.10 states do not use LEGACY and control 1.11 says to use FUTURE or FIPS. +rhel9cis_crypto_policy: 'DEFAULT' +# Added module to be allowed as default setting (Allowed options in vars/main.yml) +rhel9cis_crypto_policy_module: '' # System network parameters (host only OR host and router) rhel9cis_is_router: false diff --git a/tasks/main.yml b/tasks/main.yml index 2bb0f3f..2bab3f6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
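Review bot: The new `rhel9cis_crypto_policy_module` default says where the allow-list lives but not what a valid value looks like or how the role applies it, which is what a user editing defaults/main.yml needs. As far as the cis_1.10.yml hunk in this patch shows, the two variables are joined into `POLICY:MODULE`, so I would state that at the definition: `# Optional crypto sub-policy module (e.g. 'OSPP'), applied by rule_1.10 as POLICY:MODULE; '' means no module`. It is also worth noting there that the value is compared exactly (case-sensitive) against `rhel9cis_allowed_crypto_policies_modules` in tasks/main.yml, and only when non-empty.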
@@ -22,18 +22,18 @@ - name: "Check password set for {{ ansible_user }}" block: - - name: Capture current password state of "{{ ansible_user }}" - ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" + - name: Capture current password state of connecting user" + ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false register: ansible_user_password_set - - name: "Assert that password set for {{ ansible_user }} and account not locked" + - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" ansible.builtin.assert: that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" - success_msg: "You a password set for the {{ ansible_user }}" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" + success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" vars: sudo_password_rule: rhel9cis_rule_5_3_4 when: @@ -92,6 +92,17 @@ fail_msg: "Crypto policy is not a permitted version" success_msg: "Crypto policy is a permitted version" +- name: Check crypto-policy module input + ansible.builtin.assert: + that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules + fail_msg: "Crypto policy module is not a permitted version" + success_msg: "Crypto policy module is a permitted version" + when: + - rhel9cis_rule_1_10 + - rhel9cis_crypto_policy_module | length > 0 + tags: + - rule_1.10 + - name: Check rhel9cis_bootloader_password_hash variable has been changed ansible.builtin.assert: that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' 
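Review bot: The new `grep {{ ansible_env.SUDO_USER }} /etc/shadow` matches the user name as a substring anywhere in any record, so a name that is a prefix of another account (or that occurs in another field) can return a different user's hash and make the assert pass or fail for the wrong account; anchor it on the first field, `ansible.builtin.shell: "grep '^{{ ansible_env.SUDO_USER }}:' /etc/shadow | awk -F: '{print $2}'"`. Separately, `ansible_env.SUDO_USER` exists only when the connection became root through sudo; when the play connects as root directly or uses another become method the fact is undefined and the block errors rather than skips, so either add `ansible_env.SUDO_USER is defined` to the block's `when:` or fall back to `ansible_user` with a `default()`. The same undefined-fact dependency applies to the block rename in patch 5/5 (tasks/main.yml @@ -20,18).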
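Review bot: The `fail_msg`/`success_msg` of the new "Check crypto-policy module input" assert were copied from the policy assert above and talk about a "version", but what is checked is a sub-policy module name, and the message does not say which value was rejected. `fail_msg: "Crypto policy module '{{ rhel9cis_crypto_policy_module }}' is not in rhel9cis_allowed_crypto_policies_modules"` tells the operator exactly what to fix. Since the `in` test is exact and case-sensitive, the message (or the defaults comment) should also say the value must match the allow-list case.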
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f555337..47d1750 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -62,10 +62,19 @@ state: present - name: "PRELIM | Gather system-wide crypto-policy" - ansible.builtin.shell: update-crypto-policies --show + ansible.builtin.shell: 'update-crypto-policies --show' changed_when: false check_mode: false register: system_wide_crypto_policy + + - name: "PRELIM | Gather system-wide crypto-policy" + ansible.builtin.set_fact: + current_crypto_policy: "{{ system_wide_crypto_policy.stdout.split(':')[0] }}" + + - name: "PRELIM | Gather system-wide crypto-policy module" + ansible.builtin.set_fact: + current_crypto_module: "{{ system_wide_crypto_policy.stdout.split(':')[1] }}" + when: "':' in system_wide_crypto_policy.stdout" when: - rhel9cis_rule_1_10 tags: diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index c43e445..e61e367 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -1,16 +1,25 @@ --- - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy" - ansible.builtin.shell: | - update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" - update-crypto-policies - notify: Change_requires_reboot + block: + - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy | set_fact" + ansible.builtin.set_fact: + rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}:{{ rhel9cis_crypto_policy_module }}{% endif %}" + + - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy" + ansible.builtin.shell: | + update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" + update-crypto-policies + notify: change_requires_reboot + when: + - system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy when: - rhel9cis_rule_1_10 - - system_wide_crypto_policy['stdout'] == 'LEGACY' + tags: - level1-server - level1-workstation + - automated - no system_is_ec2 - patch - rule_1.10 
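Review bot: `current_crypto_module` is only set when the `--show` output contains a colon, so on any host running a plain policy the fact stays undefined and every consumer has to test `is defined` first; `.split(':')[1]` also keeps just the first module when several are set (`update-crypto-policies` accepts `POLICY:MOD1:MOD2`). Both go away if the second set_fact drops its `when:` and uses `current_crypto_module: "{{ system_wide_crypto_policy.stdout.split(':')[1:] | join(':') }}"`, which yields `''` without a colon and the full module string otherwise. As far as the visible hunks show, neither `current_crypto_policy` nor `current_crypto_module` is consumed yet (cis_1.10.yml compares the raw `stdout`), so if they are meant for later use a comment saying so would help; the same applies to the renamed tasks in patch 5/5 (tasks/prelim.yml @@ -65,16).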
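Review bot: The inner shell task carries exactly the same name as the enclosing block, `1.10 | PATCH | Ensure system-wide crypto policy is not legacy`, which makes play output and `--start-at-task` ambiguous and breaks the `name | sub-step` convention the sibling set_fact task uses; `- name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy | set policy"`. The `notify` target was changed from `Change_requires_reboot` to `change_requires_reboot`; handler names are matched exactly, so this only works if the handler (not visible here) is defined with the lower-case name. With the `== 'LEGACY'` condition removed the rule now enforces whatever `rhel9cis_full_crypto_policy` is, not merely "not legacy", which the task name and the defaults comment should reflect.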
diff --git a/vars/main.yml b/vars/main.yml index 2a93184..6b9fcea 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -7,6 +7,11 @@ rhel9cis_allowed_crypto_policies: - 'FUTURE' - 'FIPS' +rhel9cis_allowed_crypto_policies_modules: + - 'OSPP' + - 'AD-Support' + - 'AD-Support-LEGACY' + # Used to control warning summary warn_control_list: "" warn_count: 0 From cc9e04719648f2923f0d47f5b3dc8cb56227f925 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 6 Jun 2023 14:36:51 +0100 Subject: [PATCH 2/5] lint Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index c4826c9..bf76b5c 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -16,7 +16,7 @@ community.general.modprobe: name: usb-storage state: absent - when: not system_is_container + when: not system_is_container - name: "1.1.9 | PATCH | Disable USB Storage | blacklist" ansible.builtin.lineinfile: From faf12de1df62ca321133d7c6843e546e70822ab1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 6 Jun 2023 14:36:58 +0100 Subject: [PATCH 3/5] updated Signed-off-by: Mark Bolwell --- Changelog.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index ef5157b..34b805a 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,9 @@ # Changes to rhel9CIS +## 1.0.8 + +rule_1.10 improvements allowing for module checking (useful for AD) + ## 1.0.7 lint and yaml updates @@ -8,7 +12,7 @@ improvements to 6.1.10, 6.1.11, 6.1.13, 6.1.14 ## 1.0.6 -updated ymlalint as galaxy doenst honouyr local settings +updated yamllint as galaxy doesn't honour local settings removed empty lines in files ## 1.0.5 From 82eedb0edf069681196f6d4bc5f82141f4b327cc Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 6 Jun 2023 18:40:11 +0100 Subject: [PATCH 4/5] updated case for module 
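Review bot: The new allow-list admits `AD-Support-LEGACY`, which by its name and shipped purpose re-enables legacy algorithms (RC4 for Kerberos) that the DEFAULT policy withdrew, so a host configured with it passes the role's check while running weaker crypto than control 1.10 intends; record that next to the entry, `# AD-Support-LEGACY re-enables RC4 for Kerberos; AD interop only, review before use`. The list is also narrower than the module set RHEL 9 ships (NO-SHA1 and ECDHE-ONLY among them), which is fine as a deliberate allow-list but should be stated as such in a comment above it so a later contributor does not read it as exhaustive.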
Signed-off-by: Mark Bolwell --- vars/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/vars/main.yml b/vars/main.yml index 6b9fcea..022c230 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -9,8 +9,8 @@ rhel9cis_allowed_crypto_policies: rhel9cis_allowed_crypto_policies_modules: - 'OSPP' - - 'AD-Support' - - 'AD-Support-LEGACY' + - 'AD-SUPPORT' + - 'AD-SUPPORT-LEGACY' # Used to control warning summary warn_control_list: "" From 194925be2faf5facf5544d85e9b9be130677081a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 7 Jun 2023 09:24:32 +0100 Subject: [PATCH 5/5] consistent vars and names Signed-off-by: Mark Bolwell --- tasks/main.yml | 11 ++++++----- tasks/prelim.yml | 14 +++++++------- tasks/section_1/cis_1.10.yml | 2 +- 3 files changed, 14 insertions(+), 13 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 2bab3f6..f30753b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -20,18 +20,18 @@ tags: - always -- name: "Check password set for {{ ansible_user }}" +- name: "Check password set for {{ ansible_env.SUDO_USER }}" block: - - name: Capture current password state of connecting user" + - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false - register: ansible_user_password_set + register: rhel9cis_ansible_user_password_set - - name: "Assert that password set for {{ ansible_env.SUDO_USER }} and account not locked" + - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert password set and not locked" ansible.builtin.assert: - that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" + that: ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" vars: @@ -41,6 +41,7 @@ - not system_is_ec2 tags: - user_passwd + - rule_5.3.4 - name: "Ensure root password is set" block: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 47d1750..65d4be4 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -54,7 +54,7 @@ - name: "PRELIM | Setup crypto-policy" block: - - name: "PRELIM | Install crypto-policies" + - name: "PRELIM | Install crypto-policies | pkgs present" ansible.builtin.package: name: - crypto-policies 
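Review bot: In the assert's `that:` the first operand still reads `ansible_user_password_set.stdout`, while the register two lines above was renamed to `rhel9cis_ansible_user_password_set`; the old name is now undefined, so the assert raises an undefined-variable error on every host instead of evaluating the password check. Change it to `that: rhel9cis_ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!"`. The block-level `name` now interpolates `ansible_env.SUDO_USER` as well, so the whole block, not only the grep, depends on that fact being present.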
@@ -65,16 +65,16 @@ ansible.builtin.shell: 'update-crypto-policies --show' changed_when: false check_mode: false - register: system_wide_crypto_policy + register: rhel9cis_system_wide_crypto_policy - - name: "PRELIM | Gather system-wide crypto-policy" + - name: "PRELIM | Gather system-wide crypto-policy | set fact system policy" ansible.builtin.set_fact: - current_crypto_policy: "{{ system_wide_crypto_policy.stdout.split(':')[0] }}" + current_crypto_policy: "{{ rhel9cis_system_wide_crypto_policy.stdout.split(':')[0] }}" - - name: "PRELIM | Gather system-wide crypto-policy module" + - name: "PRELIM | Gather system-wide crypto-policy module | set fact system policy submodule" ansible.builtin.set_fact: - current_crypto_module: "{{ system_wide_crypto_policy.stdout.split(':')[1] }}" - when: "':' in system_wide_crypto_policy.stdout" + current_crypto_module: "{{ rhel9cis_system_wide_crypto_policy.stdout.split(':')[1] }}" + when: "':' in rhel9cis_system_wide_crypto_policy.stdout" when: - rhel9cis_rule_1_10 tags: diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index e61e367..ed6774d 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -12,7 +12,7 @@ update-crypto-policies notify: change_requires_reboot when: - - system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy + - rhel9cis_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy when: - rhel9cis_rule_1_10