diff --git a/.github/workflows/add_repo_issue_to_gh_project.yml b/.github/workflows/add_repo_issue_to_gh_project.yml index 4a056eb..80d7344 100644 --- a/.github/workflows/add_repo_issue_to_gh_project.yml +++ b/.github/workflows/add_repo_issue_to_gh_project.yml @@ -14,4 +14,4 @@ jobs: - uses: actions/add-to-project@main with: project-url: https://github.com/orgs/ansible-lockdown/projects/1 - github-token: ${{ secrets.GITHUB_TOKEN }} + github-token: ${{ secrets.ALD_GH_PROJECT }} diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml deleted file mode 100644 index b6ee6a1..0000000 --- a/.github/workflows/update_galaxy.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- - - name: update galaxy - - on: - push: - branches: - - main - jobs: - update_role: - runs-on: ubuntu-latest - steps: - - name: Checkout repo - uses: actions/checkout@v4 - - - name: Action Ansible Galaxy Release ${{ github.ref_name }} - uses: ansible-actions/ansible-galaxy-action@main - with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0091b2a..2ff7b79 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,12 +41,12 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.28.0 + rev: v8.30.0 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.9.2 + rev: v26.1.1 hooks: - id: ansible-lint name: Ansible-lint @@ -65,7 +65,7 @@ repos: # - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.37.1 # or higher tag + rev: v1.38.0 # or higher tag hooks: - id: yamllint name: Check YAML Lint diff --git a/Changelog.md b/Changelog.md index 737f860..70c3d00 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,8 +1,10 @@ # Changes to rhel9CIS - ## 2.0.4 - Based on CIS v2.0.0 +- addressed issue #419, thank you @aaronk1 +- addressed issue #418 thank you @bbaassssiiee +- addressed issue #416 thank you @georgenalen and @bbaassssiiee - addressed issue #393 thank you to @fragglexarmy - addressed issue #394 thank you to @dbeuker - addressed issues #390 and #391 thanks to @polski-g @@ -11,6 +13,9 @@ - work flow updates - audit logic improvements - auditd template 2.19 compatible +- pre-commit updates +- #410 thanks to @kpi-nourman +- #413 thanks to @bbaassssiiee ## 2.0.3 - Based on CIS v2.0.0 - addressed issue #387, thank you @fragglexarmy diff --git a/LICENSE b/LICENSE index 7e51eb7..bed11b4 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown +Copyright (c) 2026 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/defaults/main.yml b/defaults/main.yml index fbe81eb..014b927 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -602,14 +602,7 @@ rhel9cis_crypto_policy_ansiblemanaged: true # -'FUTURE': conservative security level that is believed to withstand any near-term future attacks # -'FIPS': A level that conforms to the FIPS140-2 requirements rhel9cis_crypto_policy: 'DEFAULT' -# This variable contains the value of the crypto policy module(combinations of policies and -# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, -# using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are: -# - 'OSPP' -# - 'AD-SUPPORT' -# - 'AD-SUPPORT-LEGACY' -rhel9cis_crypto_policy_module: '' -## Controls 1.6.x +## Control 1.6 # This variable contains the value of the crypto policy module(combinations of policies and # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, # using those listed in the 'rhel9cis_allowed_crypto_policies_modules' variable. @@ -802,6 +795,8 @@ rhel9cis_tftp_client: false ## Control 3.1.1 - Ensure IPv6 status is identified # This variable governs whether ipv6 is enabled or disabled. rhel9cis_ipv6_required: true +# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel +rhel9cis_ipv6_disable_method: "sysctl" ## Control 3.1.2 - Ensure wireless interfaces are disabled # if wireless adapter found allow network manager to be installed diff --git a/tasks/main.yml b/tasks/main.yml index 760ee1b..4d1887d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -134,7 +134,7 @@ - rule_5.4.2.4 block: - name: "Ensure root password is set" - ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)" + ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Alternate authentication|Password set|Password locked)" changed_when: false failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ] register: prelim_root_passwd_set diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index a20c0e9..ff9ec46 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -16,15 +16,30 @@ - rule_3.1.1 - NIST800-53R5_CM-7 block: - - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | refresh" + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Set vars for sysctl template" + when: "'sysctl' in rhel9cis_ipv6_disable_method" ansible.builtin.set_fact: rhel9cis_sysctl_update: true rhel9cis_flush_ipv6_route: true - - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | disable" + - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Message out implementation info" + when: "'sysctl' in rhel9cis_ipv6_disable_method" ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" + - name: "3.1.1 | AUDIT | Ensure IPv6 status is identified | Find IPv6 status" + when: "'kernel' in rhel9cis_ipv6_disable_method" + ansible.builtin.command: grubby --info=ALL + changed_when: false + failed_when: false + register: discovered_rhel9cis_3_1_1_ipv6_status + + - name: "3.1.1 | PATCH | Ensure IPv6 status is identified | Disable IPV6 via Kernel" + when: + - "'kernel' in rhel9cis_ipv6_disable_method" + - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout" + ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1" + - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" when: - rhel9cis_rule_3_1_2 diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index dc450ea..9600a1c 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -431,6 +431,8 @@ path: "{{ rhel9cis_sshd_config_file }}" regexp: (?i)^(#|)\s*MaxStartups line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}' + insertbefore: "^Match" + firstmatch: true validate: sshd -t -f %s notify: Restart sshd diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 6e1919c..5dd4352 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -93,10 +93,10 @@ loop: - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth" after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons - line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + line: "auth required pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail" before: "auth\\s+required\\s+pam_deny.so" - line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + line: "auth required pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons - regexp: "account\\s+required\\s+pam_faillock.so" before: "account\\s+required\\s+pam_unix.so" line: "account required pam_faillock.so" # yamllint disable-line rule:colons @@ -112,10 +112,10 @@ loop: - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth" after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons - line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + line: "auth required pam_faillock.so preauth silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail" before: "auth\\s+required\\s+pam_deny.so" - line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + line: "auth required pam_faillock.so authfail silent unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons - regexp: "account\\s+required\\s+pam_faillock.so" before: "account\\s+required\\s+pam_unix.so" line: "account required pam_faillock.so" # yamllint disable-line rule:colons diff --git a/tasks/section_6/cis_6.2.2.x.yml b/tasks/section_6/cis_6.2.2.x.yml index fe0f8c4..82302ed 100644 --- a/tasks/section_6/cis_6.2.2.x.yml +++ b/tasks/section_6/cis_6.2.2.x.yml @@ -25,7 +25,7 @@ - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf - regexp: ^(\s*ForwardToSyslog) + regexp: ^(\s*ForwardToSyslog\s*=.*) replace: '#\1' - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured" @@ -50,7 +50,7 @@ - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf - regexp: (?i)(\s*compress=) + regexp: ^(\s*Compress\s*=.*) replace: '#\1' - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured" @@ -76,5 +76,5 @@ - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries" ansible.builtin.replace: path: /etc/systemd/journald.conf - regexp: (?i)(\s*storage=) + regexp: ^(\s*Storage\s*=.*) replace: '#\1' diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index cbaa125..3c53c72 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -206,6 +206,8 @@ rhel9cis_rule_2_4_2_1: {{ rhel9cis_rule_2_4_2_1 }} rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }} +rhel9cis_ipv6_disable_method: {{ rhel9cis_ipv6_disable_method }} + ## Network Kernel Modules rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }} diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 index 901e9e0..ec42bfc 100644 --- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 +++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 @@ -4,4 +4,4 @@ [org/gnome/login-screen] banner-message-enable=true -banner-message-text="{{ rhel9cis_warning_banner }}" +banner-message-text="{{ rhel9cis_warning_banner | trim | replace("\n", "\\n") }}" diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index bdded40..b4b5318 100644 --- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -4,4 +4,7 @@ {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %} net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 +{% for interface in ansible_interfaces %} +net.ipv6.conf.{{ interface }}.disable_ipv6 = 1 +{% endfor %} {% endif %}