From 646b4decc1750334624bb3053a950352cdf27019 Mon Sep 17 00:00:00 2001 From: Bernd Grobauer Date: Thu, 12 Oct 2023 12:56:20 +0200 Subject: [PATCH 01/14] Adding missing lines to sysctl.d/50-default.conf Signed-off-by: Bernd Grobauer --- tasks/post.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tasks/post.yml b/tasks/post.yml index 3f1f706..724611d 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -26,6 +26,19 @@ - not system_is_container - "'procps-ng' in ansible_facts.packages" +- name: POST | Update usr sysctl + ansible.builtin.lineinfile: + dest: /usr/lib/sysctl.d/50-default.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + loop: + - { regexp: '^net.ipv4.conf.default.rp_filter', line: 'net.ipv4.conf.default.rp_filter = 1' } + - { regexp: '^net.ipv4.conf.*.rp_filter', line: 'net.ipv4.conf.*.rp_filter = 1' } + when: + - rhel9cis_sysctl_update + - not system_is_container + - "'procps-ng' in ansible_facts.packages" + - name: Flush handlers ansible.builtin.meta: flush_handlers From 8b875ad228294c8954bca1b647b401e1cb29b4b7 Mon Sep 17 00:00:00 2001 From: Marcin Dulinski Date: Wed, 22 Nov 2023 09:17:15 +0000 Subject: [PATCH 02/14] Fixed chrony configuration options Signed-off-by: Marcin Dulinski --- defaults/main.yml | 3 +++ templates/etc/chrony.conf.j2 | 22 ++++++++++++---------- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0bc0137..ff21216 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -449,6 +449,9 @@ rhel9cis_time_synchronization_servers: - 2.pool.ntp.org - 3.pool.ntp.org rhel9cis_chrony_server_options: "minpoll 8" +rhel9cis_chrony_server_rtcsync: false +rhel9cis_chrony_server_makestep: "1.0 3" +rhel9cis_chrony_server_minsources: 2 ### 2.2 Special Purposes ##### Service configuration booleans set true to keep service diff --git a/templates/etc/chrony.conf.j2 b/templates/etc/chrony.conf.j2 index 54c1b6c..a1837a9 100644 --- a/templates/etc/chrony.conf.j2 
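Review bot: The second loop item's regexp `'^net.ipv4.conf.*.rp_filter'` also matches the `net.ipv4.conf.default.rp_filter` line that the first item just wrote, because the dots and the `*` are unescaped regex metacharacters; lineinfile replaces the last matching line, so depending on where the matches sit in the file the second iteration can overwrite the `default` setting with the wildcard one. Anchor both patterns literally: `regexp: '^net\.ipv4\.conf\.default\.rp_filter'` and `regexp: '^net\.ipv4\.conf\.\*\.rp_filter'`. `dest:` is an alias of `path:`; the role's other lineinfile tasks should be checked for which spelling they use so this one matches. Also worth confirming on a RHEL 9 host: if the stock 50-default.conf prefixes these keys with `-` (ignore-errors), neither `^net...` pattern matches and the lines are appended rather than replaced.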
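Review bot: `rhel9cis_chrony_server_minsources: 2` needs a comment in the defaults hunk, because chronyd will not adjust the clock while fewer than that many sources are selectable, so a deployment that overrides `rhel9cis_time_synchronization_servers` with a single server silently stops synchronising. Suggest `# chronyd only adjusts the clock once this many sources are selectable; set to 1 when a single server is configured`. It would also help to note that `rhel9cis_chrony_server_makestep` is passed verbatim to the `makestep` directive as "threshold-seconds update-limit".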
+++ b/templates/etc/chrony.conf.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## {{ ansible_managed }} # This the default chrony.conf file for the Debian chrony package. After # editing this file use the command 'invoke-rc.d chrony restart' to make @@ -27,19 +27,21 @@ server {{ server }} {{ rhel9cis_chrony_server_options }} # password is generated by a random process at install time. You may # change it if you wish. -keyfile /etc/chrony/chrony.keys +keyfile /etc/chrony.keys -# Set runtime command key. Note that if you change the key (not the -# password) to anything other than 1 you will need to edit -# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony -# and /etc/cron.weekly/chrony as these scripts use it to get the password. +# Record the rate at which the system clock gains/losses time. +driftfile /var/lib/chrony/drift -commandkey 1 +# Allow the system clock to be stepped in the first three updates +# if its offset is larger than 1 second. +makestep {{ rhel9cis_chrony_server_makestep }} -# I moved the driftfile to /var/lib/chrony to comply with the Debian -# filesystem standard. +# Enable kernel synchronization of the real-time clock (RTC). +{% if not rhel9cis_chrony_server_rtcsync %}#{% endif %}rtcsync -driftfile /var/lib/chrony/chrony.drift +# Increase the minimum number of selectable sources required to adjust +# the system clock. +minsources {{ rhel9cis_chrony_server_minsources }} # Comment this line out to turn off logging. From cce2b25d80a0b3dace4ca5bf27f345d972b86ddb Mon Sep 17 00:00:00 2001 From: Senih <40578755+senihucar@users.noreply.github.com> Date: Thu, 23 Nov 2023 12:02:37 -0800 Subject: [PATCH 03/14] Update cis_5.6.1.x.yml Typo fixed from: - rule_5.5.1.3 to: - rule_5.6.1.3 Signed-off-by: Senih <40578755+senihucar@users.noreply.github.com> --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
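Review bot: The comment kept above `makestep {{ rhel9cis_chrony_server_makestep }}` still reads "in the first three updates if its offset is larger than 1 second", which is only true for the default value now that the directive is templated. Rewrite it in terms of the variable, e.g. `# Step rather than slew when the offset exceeds the first value (seconds), for the first N updates; see rhel9cis_chrony_server_makestep.`. The same goes for the `minsources` comment, which says "Increase" without saying what the threshold means. In the first hunk, the line below the new `## {{ ansible_managed }}` header still describes this as the Debian package's default chrony.conf, which no longer fits a template that now writes RHEL paths such as `/etc/chrony.keys` and `/var/lib/chrony/drift`.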
diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 3d59a16..f7b8136 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -40,7 +40,7 @@ - level1-workstation - patch - password - - rule_5.5.1.3 + - rule_5.6.1.3 - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less" block: From f3726b8908fb4530cd9df2f5225a4e71c6e54074 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:36:20 +0000 Subject: [PATCH 04/14] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v6.22.0 → v6.22.1](https://github.com/ansible-community/ansible-lint/compare/v6.22.0...v6.22.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 68f44f0..a79d4cb 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -43,7 +43,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.0 + rev: v6.22.1 hooks: - id: ansible-lint name: Ansible-lint From 72b503bf46fff97e122982d96098467b50401226 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Tue, 5 Dec 2023 14:42:51 +0200 Subject: [PATCH 05/14] Removing redundant conditional statements Signed-off-by: Ionut Pruteanu --- tasks/section_1/cis_1.6.1.x.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 724fd29..7ca0fd1 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -39,7 +39,6 @@ policy: "{{ rhel9cis_selinux_pol }}" state: "{{ rhel9cis_selinux_enforce }}" when: - - not rhel9cis_selinux_disable - rhel9cis_rule_1_6_1_3 tags: - level1-server 
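Review bot: Dropping `- not rhel9cis_selinux_disable` from the 1.6.1.3 task (and from 1.6.1.4 and 1.6.1.5 in the next two hunks) is only safe if an enclosing block or the import in main.yml still carries that guard; the hunks do not show the task headers or any surrounding block, so this cannot be confirmed here. Without it, the selinux task would try to apply `state: "{{ rhel9cis_selinux_enforce }}"` on hosts where the role was told SELinux is disabled. If the guard lives at block level, a comment above each `when:` such as `# rhel9cis_selinux_disable is checked on the enclosing block` would keep the next reader from re-adding the condition.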
@@ -54,7 +53,6 @@ policy: "{{ rhel9cis_selinux_pol }}" state: "{{ rhel9cis_selinux_enforce }}" when: - - not rhel9cis_selinux_disable - rhel9cis_rule_1_6_1_4 tags: - level1-server @@ -69,7 +67,6 @@ policy: "{{ rhel9cis_selinux_pol }}" state: enforcing when: - - not rhel9cis_selinux_disable - rhel9cis_selinux_enforce == 'enforcing' - rhel9cis_rule_1_6_1_5 tags: From 4fe5f95cf7b4167b277b89c074a96cd374c914c7 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Tue, 5 Dec 2023 20:40:50 +0200 Subject: [PATCH 06/14] Timeout value defined in defaults/main.yml file not used Signed-off-by: Ionut Pruteanu --- templates/ansible_vars_goss.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e83dd40..f3b8a98 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -10,7 +10,7 @@ benchmark_version: '1.0.0' host_os_distribution: {{ ansible_facts.distribution | lower }} # timeout for each command to run where set - default = 10seconds/10000ms -timeout_ms: 60000 +timeout_ms: {{ audit_cmd_timeout }} # Taken from LE rhel9-cis rhel9cis_section1: {{ rhel9cis_section1 }} From 9d988b483f6222ac310a1af342ffa9f1745f07e0 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Thu, 7 Dec 2023 18:10:09 +0200 Subject: [PATCH 07/14] Masking service when server package is needed Signed-off-by: Ionut Pruteanu --- tasks/section_2/cis_2.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 8c6ccf6..563ec4b 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -274,8 +274,8 @@ masked: true state: stopped when: - - not rhel9cis_use_nfs_server - - rhel9cis_use_nfs_service + - rhel9cis_use_nfs_server + - not rhel9cis_use_nfs_service when: - "'nfs-utils' in ansible_facts.packages" - rhel9cis_rule_2_2_16 
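Review bot: `timeout_ms: {{ audit_cmd_timeout }}` now depends on `audit_cmd_timeout` being expressed in milliseconds, while the comment above still says "default = 10seconds/10000ms" and the replaced literal was 60000; the variable's definition is outside this hunk, so its unit should be confirmed against defaults/main.yml. Update the comment to name the source, e.g. `# timeout for each goss command, in ms; taken from audit_cmd_timeout (goss default 10000ms)`. Because the value is an unquoted Jinja expression, an undefined variable fails the template instead of rendering an empty value, which is the right failure mode here.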
From cd04537bf10b9c03228a3ab61b49ca242c7849da Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Thu, 7 Dec 2023 18:58:02 +0200 Subject: [PATCH 08/14] Using correct conditional for ftpd Signed-off-by: Ionut Pruteanu --- tasks/section_2/cis_2.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index 10a0662..c576a65 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -50,7 +50,7 @@ name: ftp state: absent when: - - not rhel9cis_tftp_client + - not rhel9cis_ftp_client - "'ftp' in ansible_facts.packages" - rhel9cis_rule_2_3_4 tags: From 81fd98e2c63bc6ffcedcd77203be6124cf4d8976 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Thu, 7 Dec 2023 20:38:20 +0200 Subject: [PATCH 09/14] Using correct conditional for Task relying on 'firewall-cmd --get-active-zones' cmd Signed-off-by: Ionut Pruteanu --- tasks/section_3/cis_3.4.2.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 73d85f4..ee57e5b 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -194,6 +194,7 @@ - "{{ rhel9cis_3_4_2_5_servicesport.stdout_lines }}" when: - rhel9cis_rule_3_4_2_5 + - rhel9cis_firewall == "firewalld" tags: - level1-server - level1-workstation From d79bba53c6950f317665d586180eae2a7b1d3fe0 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 8 Dec 2023 12:01:10 +0200 Subject: [PATCH 10/14] Rsyslog subsection corrected header(was using 4.2 logging name, instead of 4.2.1. rsyslog name) Signed-off-by: Ionut Pruteanu --- tasks/section_4/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index db729af..d3b6b8d 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml 
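Review bot: The task now references `rhel9cis_ftp_client`, and the hunk does not show whether that variable is declared in defaults/main.yml; if it is not, every run that reaches rule 2.3.4 fails on an undefined variable rather than skipping, which the old `rhel9cis_tftp_client` spelling evidently never did. Confirm the default exists, or make the condition tolerant in the secure direction with `- not (rhel9cis_ftp_client | default(false))`.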
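Review bot: The added `- rhel9cis_firewall == "firewalld"` does not protect the loop above it, because Ansible expands `loop: "{{ rhel9cis_3_4_2_5_servicesport.stdout_lines }}"` before it evaluates `when`; on a host where the registering task was skipped, the loop fails on a missing `stdout_lines` attribute before the new condition is consulted. Guard the loop expression as well, `loop: "{{ rhel9cis_3_4_2_5_servicesport.stdout_lines | default([]) }}"`, or move the condition onto the block that contains both tasks. The registering task is outside this hunk, so whether it is itself conditional on firewalld cannot be confirmed here.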
@@ -18,7 +18,7 @@ ansible.builtin.import_tasks: file: cis_4.1.4.x.yml -- name: "SECTION | 4.2 | Configure Logging" +- name: "SECTION | 4.2.1 | Configure rsyslog" ansible.builtin.import_tasks: file: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' From e0de491263db91eab4849ad471721a7ec256aadb Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 8 Dec 2023 12:03:00 +0200 Subject: [PATCH 11/14] whole section defined in cis_4.2.1.x.yml gets executed only `when: rhel9cis_syslog == 'rsyslog'`, having same condition is redundant and may confuse users. Signed-off-by: Ionut Pruteanu --- tasks/section_4/cis_4.2.1.x.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 10e0ac2..a3f2a44 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -35,7 +35,6 @@ notify: Restart rsyslog when: - rhel9cis_rule_4_2_1_3 - - rhel9cis_syslog == "rsyslog" tags: - level1-server - level1-workstation From c19e350b7d1bd87fe7a1e30ff53ebeab39897ae4 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 8 Dec 2023 16:44:30 +0200 Subject: [PATCH 12/14] Using rhel9cis_authselect['options'], otherwise not used at all Signed-off-by: Ionut Pruteanu --- tasks/section_5/cis_5.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 52c1f70..69eb090 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml 
@@ -44,7 +44,7 @@ - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}" - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" - ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" + ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}" when: rhel9cis_authselect_custom_profile_select - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile" From 8d85f178e22a815434be590736222abea90872db Mon Sep 17 00:00:00 2001 From: Corey Reid Date: Thu, 19 Oct 2023 13:19:07 +0100 Subject: [PATCH 13/14] find hidden files in /var/log for 4.3.2 Signed-off-by: Corey Reid --- tasks/section_4/cis_4.2.3.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index 2f2a8a4..19bfce8 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -7,6 +7,7 @@ paths: "/var/log" file_type: file recurse: true + hidden: true register: logfiles - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions" From d73f26a7ab9ffd0e99787657fd7c5ea946381ad2 Mon Sep 17 00:00:00 2001 From: Joshua Hemmings Date: Tue, 9 Jan 2024 09:17:00 +0100 Subject: [PATCH 14/14] Remove trailing comma to align with other roles Signed-off-by: Joshua Hemmings --- tasks/section_1/cis_1.1.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 4ff1ccb..3a64a06 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml 
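Review bot: Replacing the literal `with-faillock` with `{{ rhel9cis_authselect['options'] }}` makes rule 5.4.2 ("Ensure authselect includes with-faillock") enforce faillock only if the options variable happens to contain it; a user who overrides `rhel9cis_authselect` without that feature gets a task that reports success while the control is not applied. Precede the task with an `ansible.builtin.assert` whose `that:` is `"'with-faillock' in rhel9cis_authselect['options']"`, so a mis-set override fails loudly. Separately, both values are spliced unquoted into `ansible.builtin.shell`; nothing on this line needs a shell, so `ansible.builtin.command` with the profile name passed through `| quote` limits what an odd variable value can do. The enclosing block starts outside the hunk.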
@@ -31,7 +31,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid{% endif %} loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}"
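Review bot: The trailing comma is still emitted when `rhel9cis_rule_1_1_3_2` is true and `rhel9cis_rule_1_1_3_3` is false, because only the `nosuid` branch lost its comma; that combination renders `opts: defaults,nodev,`, which leaves exactly the trailing comma the commit set out to remove. Put the separator in front of each optional option instead: `opts: defaults{% if rhel9cis_rule_1_1_3_2 %},nodev{% endif %}{% if rhel9cis_rule_1_1_3_3 %},nosuid{% endif %}`. The mount task's header is outside the hunk.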