From 8f3150e6c9bd8741bc8a121ba1e46a25d64e400f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 08:27:34 +0100 Subject: [PATCH 01/90] #60 addressed for ipb6 Signed-off-by: Mark Bolwell --- templates/etc/sysctl.d/60-disable_ipv6.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index 599103e..bdded40 100644 --- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -1,7 +1,7 @@ ## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # IPv6 disable -{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} +{% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %} net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 {% endif %} From 04cb2e0f1d4a6692a8951f6278afc44af523ad80 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 08:44:23 +0100 Subject: [PATCH 02/90] #54 merged into new layout Signed-off-by: Mark Bolwell --- tasks/main.yml | 8 ++++---- tasks/prelim.yml | 4 ++-- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.1.3.x.yml | 2 +- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 2 +- tasks/section_1/cis_1.1.7.x.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 10 +++++----- tasks/section_6/cis_6.1.x.yml | 8 ++++---- templates/ansible_vars_goss.yml.j2 | 2 +- 11 files changed, 22 insertions(+), 22 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index e8f72f4..f13a39b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,9 +3,9 @@ - name: Check OS version and family ansible.builtin.assert: - that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==') - fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." - success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" + that: (ansible_facts.distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==') + fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." + success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}" when: - os_check - not system_is_ec2 @@ -122,7 +122,7 @@ - always - name: Include OS specific variables - ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" + ansible.builtin.include_vars: "{{ ansible_facts.distribution }}.yml" tags: - always diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 65d4be4..f26c794 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -133,8 +133,8 @@ state: latest when: - rhel9cis_rule_1_2_4 - - ansible_distribution != 'RedHat' - - ansible_distribution != 'OracleLinux' + - ansible_facts.distribution != 'RedHat' + - ansible_facts.distribution != 'OracleLinux' - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" ansible.builtin.package: diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 780d7da..5df0ba9 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -33,7 +33,7 @@ state: present opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} notify: Remount tmp - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" when: diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index d873c51..4a98729 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -31,7 +31,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %} - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index f063fbd..0b043e5 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -33,7 +33,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 1707f30..d1ae159 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -33,7 +33,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 274f668..4d7ff28 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -32,7 +32,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 7f16610..3ba95ce 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -32,7 +32,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %} - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 9d732bb..1317cc7 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -23,9 +23,9 @@ os_gpg_key_check.rc == 1 when: - rhel9cis_rule_1_2_1 - - ansible_distribution == "RedHat" or - ansible_distribution == "Rocky" or - ansible_distribution == "AlmaLinux" + - ansible_facts.distribution == "RedHat" or + ansible_facts.distribution == "Rocky" or + ansible_facts.distribution == "AlmaLinux" tags: - level1-server - level1-workstation @@ -111,8 +111,8 @@ when: - rhel9cis_rule_1_2_4 - - not rhel9cis_rhel_default_repo or ansible_distribution != 'RedHat' - - ansible_distribution != 'OracleLinux' + - not rhel9cis_rhel_default_repo or ansible_facts.distribution != 'RedHat' + - ansible_facts.distribution != 'OracleLinux' tags: - level1-server - level1-workstation diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 76f92be..1361083 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -155,7 +155,7 @@ failed_when: false check_mode: false register: rhel_09_6_1_10_audit - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" when: @@ -201,7 +201,7 @@ failed_when: false changed_when: false register: rhel_09_6_1_11_audit - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" when: @@ -260,7 +260,7 @@ failed_when: false changed_when: false register: rhel_09_6_1_13_suid_perms - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" @@ -302,7 +302,7 @@ failed_when: false changed_when: false register: rhel_09_6_1_14_sgid_perms - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e862c1d..8b21441 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -7,7 +7,7 @@ benchmark_version: '1.0.0' # Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS # If run via script this is discovered and set -host_os_distribution: {{ ansible_distribution | lower }} +host_os_distribution: {{ ansible_facts.distribution | lower }} # timeout for each command to run where set - default = 10seconds/10000ms timeout_ms: 60000 From 7c7902772fa85f21446525b22314b654bb14ad86 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 09:50:22 +0100 Subject: [PATCH 03/90] updated Signed-off-by: Mark Bolwell --- Changelog.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index e3b0e82..c807008 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,13 @@ # Changes to rhel9CIS +## 1.1.1 - Based on CIS v1.0.0 + +- thanks to @agbrowne + - [#90](https://github.com/ansible-lockdown/RHEL9-CIS/issues/90) + +- thanks to @mnasiadka + - [#54](https://github.com/ansible-lockdown/RHEL9-CIS/pull/54) + ## 1.1.0 - new workflow configuration @@ -81,7 +89,7 @@ Aligned benchmark audit version with remediate release ## 1.0.1 -Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 +Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 Will not follow ynlink in hoe directoris and amend permissions. - rhel_09_6_2_16_home_follow_symlink: false From 18e59d32f1a0236d1c174409a9ab3b9162440859 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 09:55:27 +0100 Subject: [PATCH 04/90] more ansible_facst referenced #54 Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f7cef1c..72857c0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -696,12 +696,12 @@ audit_files_url: "some url maybe s3?" # Where the goss configs and outputs are stored audit_out_dir: '/opt' audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" ## The following should not need changing goss_file: "{{ audit_conf_dir }}goss.yml" -audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml" +audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | The pre remediation results are: {{ pre_audit_summary }}. The post remediation results are: {{ post_audit_summary }}. From 3f32f9c58c0e47e970ef4ed5cd3b32b1f121470d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 12:42:30 +0100 Subject: [PATCH 05/90] updated typos Signed-off-by: Mark Bolwell --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index c807008..baddb61 100644 --- a/Changelog.md +++ b/Changelog.md @@ -90,7 +90,7 @@ Aligned benchmark audit version with remediate release ## 1.0.1 Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 -Will not follow ynlink in hoe directoris and amend permissions. +Will not follow symlink in home directoris and amend permissions. - rhel_09_6_2_16_home_follow_symlink: false From 8bd176757778312aaa1901a52cf4d4873e7007ee Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 12:46:40 +0100 Subject: [PATCH 06/90] updated typos Signed-off-by: Mark Bolwell --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index baddb61..42c40d4 100644 --- a/Changelog.md +++ b/Changelog.md @@ -90,7 +90,7 @@ Aligned benchmark audit version with remediate release ## 1.0.1 Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 -Will not follow symlink in home directoris and amend permissions. +Will not follow symlink in home directories and amend permissions. - rhel_09_6_2_16_home_follow_symlink: false From 95140d32477eba538fea165d777817dc5258cb84 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 7 Sep 2023 14:19:48 +0100 Subject: [PATCH 07/90] updated due to changes Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 174 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 165 insertions(+), 9 deletions(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 6edc284..fcb806d 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -109,15 +109,171 @@ }, { "path": "detect_secrets.filters.heuristic.is_templated_secret" - }, - { - "path": "detect_secrets.filters.regex.should_exclude_file", - "pattern": [ - ".config/.gitleaks-report.json" - ] } ], "results": { + ".config/.gitleaks-report.json": [ + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", + "is_verified": false, + "line_number": 9, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", + "is_verified": false, + "line_number": 9, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "cd6f8dc4b799af818fedddd7c83e5df8bf770555", + "is_verified": false, + "line_number": 12, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", + "is_verified": false, + "line_number": 29, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", + "is_verified": false, + "line_number": 29, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", + "is_verified": false, + "line_number": 49, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", + "is_verified": false, + "line_number": 49, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", + "is_verified": false, + "line_number": 69, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", + "is_verified": false, + "line_number": 69, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", + "is_verified": false, + "line_number": 89, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", + "is_verified": false, + "line_number": 89, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", + "is_verified": false, + "line_number": 109, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", + "is_verified": false, + "line_number": 109, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "cb5e191d260065309ce16cd3675837069c8734c8", + "is_verified": false, + "line_number": 132, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "976b057e0978bf8956e05b173f070cd7757c38c6", + "is_verified": false, + "line_number": 249, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "bdb4ffe72f980b517d691e83c9eb50219a63fe91", + "is_verified": false, + "line_number": 252, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "95f603d65dd6aec15f75185df59f92e90737da49", + "is_verified": false, + "line_number": 269, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "72172e3578dc29c275e5a39bdf7a1a038bdc03c4", + "is_verified": false, + "line_number": 272, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "08f0ac7a7bbbb1819417e5a47aa0eebbd5fe4e86", + "is_verified": false, + "line_number": 289, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "23fdd48a76e5b32e85c6698062f1489d6fbac450", + "is_verified": false, + "line_number": 309, + "is_secret": false + } + ], "defaults/main.yml": [ { "type": "Secret Keyword", @@ -132,7 +288,7 @@ "filename": "defaults/main.yml", "hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", "is_verified": false, - "line_number": 375, + "line_number": 376, "is_secret": false }, { @@ -140,7 +296,7 @@ "filename": "defaults/main.yml", "hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", "is_verified": false, - "line_number": 376, + "line_number": 377, "is_secret": false } ], @@ -172,5 +328,5 @@ } ] }, - "generated_at": "2023-08-10T12:54:13Z" + "generated_at": "2023-09-07T13:18:00Z" } From 43a339c74fe6b9038f694829921090c03a692d57 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 7 Sep 2023 14:23:12 +0100 Subject: [PATCH 08/90] new var rhel9cis_rhel_default_repo Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + tasks/section_1/cis_1.2.x.yml | 4 ++-- vars/AlmaLinux.yml | 2 ++ vars/OracleLinux.yml | 2 ++ vars/RedHat.yml | 3 +++ 5 files changed, 10 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 72857c0..2ace2f9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -370,6 +370,7 @@ rhel9cis_rhnsd_required: false # 1.2.4 repo_gpgcheck rhel9cis_rhel_default_repo: true +rhel9cis_rule_enable_repogpg: true # 1.4.1 Bootloader password rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 1317cc7..fc2d992 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -111,8 +111,8 @@ when: - rhel9cis_rule_1_2_4 - - not rhel9cis_rhel_default_repo or ansible_facts.distribution != 'RedHat' - - ansible_facts.distribution != 'OracleLinux' + - rhel9cis_rule_enable_repogpg + - not rhel9cis_rhel_default_repo tags: - level1-server - level1-workstation diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index c460fb0..b0eb3d9 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -3,3 +3,5 @@ os_gpg_key_pubkey_name: gpg-pubkey-b86b3716-61e69f29 os_gpg_key_pubkey_content: "AlmaLinux OS 9 b86b3716" +# disable repo_gpgcheck due to OS default repos +rhel9cis_rule_enable_repogpg: false diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml index d916178..64927cc 100644 --- a/vars/OracleLinux.yml +++ b/vars/OracleLinux.yml @@ -2,3 +2,5 @@ # OS Specific Settings os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec os_gpg_key_pubkey_content: "Oracle Linux (release key 1) " +# disable repo_gpgcheck due to OS default repos +rhel9cis_rule_enable_repogpg: false diff --git a/vars/RedHat.yml b/vars/RedHat.yml index d33b0bc..c5833a4 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -3,3 +3,6 @@ os_gpg_key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) fd431d51" + +# disable repo_gpgcheck due to OS default repos +rhel9cis_rule_enable_repogpg: false From 279023d02658411e5c7d31b55bf3838954f108dd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 15:31:35 +0100 Subject: [PATCH 09/90] updated Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8d75217..22bcd92 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ ### Community -Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. +Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. ### Contributing From d64414ce9b4379a254ce74fd423b790149d51223 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Sep 2023 09:51:56 +0100 Subject: [PATCH 10/90] updated test and control Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.8.x.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 2bf9fc1..089ca28 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -3,18 +3,23 @@ # Skips if mount is absent - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition" block: - - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists" + ansible.builtin.shell: mount -l | grep -w /dev/shm + changed_when: false + register: rhel9cis_1_8_1_1_mount_check - - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.import_tasks: warning_facts.yml + - block: + - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + + - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" + ansible.builtin.import_tasks: warning_facts.yml + when: rhel9cis_1_8_1_1_mount_check.rc == 1 vars: warn_control_id: '1.1.8.1' - required_mount: '/dev/shm' when: - - required_mount not in mount_names - rhel9cis_rule_1_1_8_1 tags: - level1-server From 64416d59b7ec4db0c5707acf527f97835521257a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Sep 2023 09:58:01 +0100 Subject: [PATCH 11/90] updated discord link Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index a4e7d48..dba39dc 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -27,7 +27,7 @@ repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. # This workflow contains a single job which tests the playbook playbook-test: From f6fd7e02d3d9d252d51ad354de86be1412f7c95e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Sep 2023 14:02:44 +0100 Subject: [PATCH 12/90] git audit binary version updated Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2ace2f9..3b8cd4a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -665,10 +665,10 @@ audit_run_script_environment: AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" ### Goss binary settings ### -audit_bin_release: v0.3.23 +audit_bin_release: v0.4.2 audit_bin_version: - AMD64_checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' - ARM64_checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e' + AMD64_checksum: 'sha256:e50e43d75c47c731f5fdff176f5abeb8aca35f17aea60f85ebc28f6110cb6945' + ARM64_checksum: 'sha256:6da14a98f12d1929ea719d4cfe96087c8e3a37b29d91b72fbe6edc7f8a580784 ' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json From 9c84884357ee423e8e17f932ac7c26b531715422 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Sep 2023 14:02:50 +0100 Subject: [PATCH 13/90] updated Signed-off-by: Mark Bolwell --- Changelog.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Changelog.md b/Changelog.md index 42c40d4..7d2352f 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,9 @@ # Changes to rhel9CIS +## 1.1.2 - Based on CIS v1.0.0 + +- updated audit binary versions - aligned with rhel9-cis-audit + ## 1.1.1 - Based on CIS v1.0.0 - thanks to @agbrowne From e202d4bd6800671ca0662b93dc682b85a9d89015 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 14:55:00 +0100 Subject: [PATCH 14/90] lint updates Signed-off-by: Mark Bolwell --- .ansible-lint | 2 -- .yamllint | 2 +- tasks/main.yml | 33 ++++++++++++++++++++++----------- tasks/section_1/cis_1.1.8.x.yml | 3 ++- 4 files changed, 25 insertions(+), 15 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 057c65e..b717f67 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,12 +6,10 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' - - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' - 'name[template]' - - 'fqcn[action]' - 'key-order[task]' - '204' - '305' diff --git a/.yamllint b/.yamllint index ec46929..65faae6 100644 --- a/.yamllint +++ b/.yamllint @@ -30,4 +30,4 @@ rules: trailing-spaces: enable truthy: allowed-values: ['true', 'false'] - check-keys: false + check-keys: true diff --git a/tasks/main.yml b/tasks/main.yml index f13a39b..e1cd780 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -127,66 +127,77 @@ - always - name: Include preliminary steps - ansible.builtin.import_tasks: prelim.yml + ansible.builtin.import_tasks: + file: prelim.yml tags: - prelim_tasks - always - name: run pre_remediation audit - ansible.builtin.include_tasks: pre_remediation_audit.yml + ansible.builtin.include_tasks: + file: pre_remediation_audit.yml when: - run_audit - name: run Section 1 tasks - ansible.builtin.import_tasks: section_1/main.yml + ansible.builtin.import_tasks: + file: section_1/main.yml when: rhel9cis_section1 tags: - rhel9cis_section1 - name: run Section 2 tasks - ansible.builtin.import_tasks: section_2/main.yml + ansible.builtin.import_tasks: + file: section_2/main.yml when: rhel9cis_section2 tags: - rhel9cis_section2 - name: run Section 3 tasks - ansible.builtin.import_tasks: section_3/main.yml + ansible.builtin.import_tasks: + file: section_3/main.yml when: rhel9cis_section3 tags: - rhel9cis_section3 - name: run Section 4 tasks - ansible.builtin.import_tasks: section_4/main.yml + ansible.builtin.import_tasks: + file: section_4/main.yml when: rhel9cis_section4 tags: - rhel9cis_section4 - name: run Section 5 tasks - ansible.builtin.import_tasks: section_5/main.yml + ansible.builtin.import_tasks: + file: section_5/main.yml when: rhel9cis_section5 tags: - rhel9cis_section5 - name: run Section 6 tasks - ansible.builtin.import_tasks: section_6/main.yml + ansible.builtin.import_tasks: + file: section_6/main.yml when: rhel9cis_section6 tags: - rhel9cis_section6 - name: run auditd logic - ansible.builtin.import_tasks: auditd.yml + ansible.builtin.import_tasks: + file: auditd.yml when: update_audit_template tags: - always - name: run post remediation tasks - ansible.builtin.import_tasks: post.yml + ansible.builtin.import_tasks: + file: post.yml tags: - post_tasks - always - name: run post_remediation audit - ansible.builtin.import_tasks: post_remediation_audit.yml + ansible.builtin.import_tasks: + file: post_remediation_audit.yml when: - run_audit diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 089ca28..441006b 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -8,7 +8,8 @@ changed_when: false register: rhel9cis_1_8_1_1_mount_check - - block: + - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition" + block: - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" From a67a484971bd41ab53bbee286fec5cce32790bae Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 14:55:55 +0100 Subject: [PATCH 15/90] import_tasks file added Signed-off-by: Mark Bolwell --- tasks/section_1/main.yml | 54 ++++++++++++++++++++++++++-------------- tasks/section_2/main.yml | 12 ++++++--- tasks/section_3/main.yml | 15 +++++++---- tasks/section_4/main.yml | 24 ++++++++++++------ tasks/section_5/main.yml | 21 ++++++++++------ tasks/section_6/main.yml | 6 +++-- 6 files changed, 88 insertions(+), 44 deletions(-) diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index d9bc3b5..ccc1e04 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -1,59 +1,77 @@ --- - name: "SECTION | 1.1.1.x | Disable unused filesystems" - ansible.builtin.import_tasks: cis_1.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.1.x.yml - name: "SECTION | 1.1.2.x | Configure /tmp" - ansible.builtin.import_tasks: cis_1.1.2.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.2.x.yml - name: "SECTION | 1.1.3.x | Configure /var" - ansible.builtin.import_tasks: cis_1.1.3.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.3.x.yml - name: "SECTION | 1.1.4.x | Configure /var/tmp" - ansible.builtin.import_tasks: cis_1.1.4.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.4.x.yml - name: "SECTION | 1.1.5.x | Configure /var/log" - ansible.builtin.import_tasks: cis_1.1.5.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.5.x.yml - name: "SECTION | 1.1.6.x | Configure /var/log/audit" - ansible.builtin.import_tasks: cis_1.1.6.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.6.x.yml - name: "SECTION | 1.1.7.x | Configure /home" - ansible.builtin.import_tasks: cis_1.1.7.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.7.x.yml - name: "SECTION | 1.1.8.x | Configure /dev/shm" - ansible.builtin.import_tasks: cis_1.1.8.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.8.x.yml - name: "SECTION | 1.1.x | Disable various mounting" - ansible.builtin.import_tasks: cis_1.1.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.x.yml - name: "SECTION | 1.2 | Configure Software Updates" - ansible.builtin.import_tasks: cis_1.2.x.yml + ansible.builtin.import_tasks: + file: cis_1.2.x.yml - name: "SECTION | 1.3 | Filesystem Integrity Checking" - ansible.builtin.import_tasks: cis_1.3.x.yml + ansible.builtin.import_tasks: + file: cis_1.3.x.yml when: rhel9cis_config_aide - name: "SECTION | 1.4 | Secure Boot Settings" - ansible.builtin.import_tasks: cis_1.4.x.yml + ansible.builtin.import_tasks: + file: cis_1.4.x.yml - name: "SECTION | 1.5 | Additional Process Hardening" - ansible.builtin.import_tasks: cis_1.5.x.yml + ansible.builtin.import_tasks: + file: cis_1.5.x.yml - name: "SECTION | 1.6 | Mandatory Access Control" - include_tasks: cis_1.6.1.x.yml + ansible.builtin.include_tasks: + file: cis_1.6.1.x.yml when: not rhel9cis_selinux_disable - name: "SECTION | 1.7 | Command Line Warning Banners" - ansible.builtin.import_tasks: cis_1.7.x.yml + ansible.builtin.import_tasks: + file: cis_1.7.x.yml - name: "SECTION | 1.8 | Gnome Display Manager" - ansible.builtin.import_tasks: cis_1.8.x.yml + ansible.builtin.import_tasks: + file: cis_1.8.x.yml - name: "SECTION | 1.9 | Updates and Patches" - ansible.builtin.import_tasks: cis_1.9.yml + ansible.builtin.import_tasks: + file: cis_1.9.yml - name: "SECTION | 1.10 | Crypto policies" - include_tasks: cis_1.10.yml + ansible.builtin.include_tasks: + file: cis_1.10.yml when: - not system_is_ec2 diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 39b912d..3e8996a 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,13 +1,17 @@ --- - name: "SECTION | 2.1 | Time Synchronization" - ansible.builtin.import_tasks: cis_2.1.x.yml + ansible.builtin.import_tasks: + file: cis_2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" - ansible.builtin.import_tasks: cis_2.2.x.yml + ansible.builtin.import_tasks: + file: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" - ansible.builtin.import_tasks: cis_2.3.x.yml + ansible.builtin.import_tasks: + file: cis_2.3.x.yml - name: "SECTION | 2.4 | Nonessential services removed" - ansible.builtin.import_tasks: cis_2.4.yml + ansible.builtin.import_tasks: + file: cis_2.4.yml diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 535aba9..34553d7 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml @@ -1,16 +1,21 @@ --- - name: "SECTION | 3.1.x | Disable unused network protocols and devices" - ansible.builtin.import_tasks: cis_3.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.1.x.yml - name: "SECTION | 3.2.x | Network Parameters (Host Only)" - ansible.builtin.import_tasks: cis_3.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.2.x.yml - name: "SECTION | 3.3.x | Network Parameters (host and Router)" - ansible.builtin.import_tasks: cis_3.3.x.yml + ansible.builtin.import_tasks: + file: cis_3.3.x.yml - name: "SECTION | 3.4.1.x | Firewall configuration" - ansible.builtin.import_tasks: cis_3.4.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.4.1.x.yml - name: "SECTION | 3.4.2.x | Configure firewall" - ansible.builtin.import_tasks: cis_3.4.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.4.2.x.yml diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 285a2f3..db729af 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -1,29 +1,37 @@ --- - name: "SECTION | 4.1 | Configure System Accounting (auditd)" - ansible.builtin.import_tasks: cis_4.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.1.x.yml when: - not system_is_container - name: "SECTION | 4.1.2 | Configure Data Retention" - ansible.builtin.import_tasks: cis_4.1.2.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.2.x.yml - name: "SECTION | 4.1.3 | Configure Auditd rules" - ansible.builtin.import_tasks: cis_4.1.3.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.3.x.yml - name: "SECTION | 4.1.4 | Configure Audit files" - ansible.builtin.import_tasks: cis_4.1.4.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.4.x.yml - name: "SECTION | 4.2 | Configure Logging" - ansible.builtin.import_tasks: cis_4.2.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' - name: "SECTION | 4.2.2 | Configure journald" - ansible.builtin.import_tasks: cis_4.2.2.x.yml + ansible.builtin.import_tasks: + file: cis_4.2.2.x.yml when: rhel9cis_syslog == 'journald' - name: "SECTION | 4.2.3 | Configure logile perms" - ansible.builtin.import_tasks: cis_4.2.3.yml + ansible.builtin.import_tasks: + file: cis_4.2.3.yml - name: "SECTION | 4.3 | Configure logrotate" - ansible.builtin.import_tasks: cis_4.3.yml + ansible.builtin.import_tasks: + file: cis_4.3.yml diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 5aed1c1..ed06b5a 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -3,24 +3,31 @@ # Access, Authentication, and Authorization - name: "SECTION | 5.1 | Configure time-based job schedulers" - ansible.builtin.import_tasks: cis_5.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure SSH Server" - ansible.builtin.import_tasks: cis_5.2.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.x.yml when: - "'openssh-server' in ansible_facts.packages" - name: "SECTION | 5.3 | Configure privilege escalation" - ansible.builtin.import_tasks: cis_5.3.x.yml + ansible.builtin.import_tasks: + file: cis_5.3.x.yml - name: "SECTION | 5.4 | Configure authselect" - ansible.builtin.import_tasks: cis_5.4.x.yml + ansible.builtin.import_tasks: + file: cis_5.4.x.yml - name: "SECTION | 5.5 | Configure PAM " - ansible.builtin.import_tasks: cis_5.5.x.yml + ansible.builtin.import_tasks: + file: cis_5.5.x.yml - name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters" - ansible.builtin.import_tasks: cis_5.6.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.6.1.x.yml - name: "SECTION | 5.6.x | Misc. User Account Settings" - ansible.builtin.import_tasks: cis_5.6.x.yml + ansible.builtin.import_tasks: + file: cis_5.6.x.yml diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index 35328e5..b194fdc 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -1,7 +1,9 @@ --- - name: "SECTION | 6.1 | System File Permissions" - ansible.builtin.import_tasks: cis_6.1.x.yml + ansible.builtin.import_tasks: + file: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - ansible.builtin.import_tasks: cis_6.2.x.yml + ansible.builtin.import_tasks: + file: cis_6.2.x.yml From af20f70f24c10bfa8c9ac8ba41a83fb1e51babc1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 14:57:25 +0100 Subject: [PATCH 16/90] updated test Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 52a3f3c..dad3fe9 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -26,7 +26,7 @@ - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" block: - - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" + - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available | if wlan exists" ansible.builtin.shell: rpm -q NetworkManager changed_when: false failed_when: false @@ -47,6 +47,7 @@ when: rhel_09_wifi_enabled is changed # noqa no-handler when: - rhel9cis_rule_3_1_2 + - "'wlan' in ansible_facts.interfaces" tags: - level1-server - patch From c5ed197e039738f4a630863a995940f5da812414 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:07:52 +0100 Subject: [PATCH 17/90] import_tasks file added Signed-off-by: Mark Bolwell --- site.yml | 6 +++--- tasks/auditd.yml | 3 ++- tasks/post.yml | 3 ++- tasks/section_1/cis_1.1.2.x.yml | 3 ++- tasks/section_1/cis_1.1.3.x.yml | 3 ++- tasks/section_1/cis_1.1.4.x.yml | 3 ++- tasks/section_1/cis_1.1.5.x.yml | 3 ++- tasks/section_1/cis_1.1.6.x.yml | 3 ++- tasks/section_1/cis_1.1.7.x.yml | 3 ++- tasks/section_1/cis_1.1.8.x.yml | 3 ++- tasks/section_1/cis_1.2.x.yml | 3 ++- tasks/section_1/cis_1.6.1.x.yml | 3 ++- tasks/section_2/cis_2.4.yml | 3 ++- tasks/section_3/cis_3.4.2.x.yml | 3 ++- tasks/section_4/cis_4.2.2.x.yml | 3 ++- tasks/section_4/cis_4.3.yml | 3 ++- tasks/section_5/cis_5.6.1.x.yml | 3 ++- tasks/section_6/cis_6.1.x.yml | 15 ++++++++++----- tasks/section_6/cis_6.2.x.yml | 18 ++++++++++++------ 19 files changed, 57 insertions(+), 30 deletions(-) diff --git a/site.yml b/site.yml index c56b473..16fe8c6 100644 --- a/site.yml +++ b/site.yml @@ -1,7 +1,7 @@ --- -- hosts: all # noqa: name[play] + +- name: Apply RHEL9 CIS hardening + hosts: all become: true - roles: - - role: "{{ playbook_dir }}" diff --git a/tasks/auditd.yml b/tasks/auditd.yml index f578657..fb761b9 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -20,7 +20,8 @@ - Restart auditd - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: 'Auditd template updated, see diff output for details' when: diff --git a/tasks/post.yml b/tasks/post.yml index 8e8fea7..ccb4181 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -46,7 +46,8 @@ - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: - change_requires_reboot - skip_reboot diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 5df0ba9..ab8c264 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.2.1' required_mount: '/tmp' diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 4a98729..8dea033 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.1.3.1' required_mount: '/var' diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 0b043e5..2d6dcb2 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -8,7 +8,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.1.4.1' required_mount: '/var/tmp' diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index d1ae159..2ebb828 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.1.5.1' diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 4d7ff28..b41b13d 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.1.6.1' diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 3ba95ce..4abb548 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.1.7.1' diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 441006b..41e2de8 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -15,7 +15,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: rhel9cis_1_8_1_1_mount_check.rc == 1 vars: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index fc2d992..6f2506f 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -73,7 +73,8 @@ - "{{ dnf_configured.stdout_lines }}" - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.2.3' when: diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index f05143c..76a30a6 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -93,7 +93,8 @@ when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 vars: warn_control_id: '1.6.1.6' diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index ce02b40..388edcc 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -25,7 +25,8 @@ - "{{ rhel9cis_2_4_sockets.stdout_lines }}" - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yamlfacts.yml vars: warn_control_id: '2.4' when: diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 16644c5..37de476 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -46,7 +46,8 @@ - not rhel9cis_nft_tables_autonewtable - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yamlfacts.yml when: - rhel9cis_3_4_2_2_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 84513b2..767fb79 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -88,7 +88,8 @@ when: "'static' not in rhel9cis_4_2_2_2_status.stdout" - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: "'static' not in rhel9cis_4_2_2_2_status.stdout" vars: warn_control_id: '4.2.2.2' diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index be17c70..7631d8b 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -39,7 +39,8 @@ loop: "{{ log_rotates.files }}" - name: "4.3 | AUDIT | Ensure logrotate is configured | Warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '4.3' when: log_rotates.matched > 0 diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 141c013..1c96511 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -97,7 +97,8 @@ - not rhel9cis_futurepwchgdate_autofix - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 1361083..e92eca6 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -177,7 +177,8 @@ when: rhel_09_6_1_10_unowned_files_found - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.1.10' when: rhel_09_6_1_10_unowned_files_found @@ -223,7 +224,8 @@ when: rhel_09_6_1_11_ungrouped_files_found - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.1.11' when: rhel_09_6_1_11_ungrouped_files_found @@ -279,7 +281,8 @@ when: rhel9_6_1_13_suid_found - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.1.13' when: rhel9_6_1_13_suid_found @@ -321,7 +324,8 @@ when: rhel9_6_1_14_sgid_found - name: "6.1.14 | AUDIT | Audit SGID executables| warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.1.14' when: rhel9_6_1_14_sgid_found @@ -362,7 +366,8 @@ The file list can be found in {{ rhel9cis_rpm_audit_file }}" - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.1.15' when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 618cadb..57deacd 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -15,7 +15,8 @@ when: shadow_passwd.stdout | length > 0 - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.2.1' when: shadow_passwd.stdout | length >= 1 @@ -59,7 +60,8 @@ when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.2.3' when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 @@ -87,7 +89,8 @@ when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 vars: warn_control_id: '6.2.4' @@ -115,7 +118,8 @@ when: rhel9cis_6_2_5_user_user_check.stdout | length >= 1 - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.2.5' when: rhel9cis_6_2_5_user_user_check.stdout_lines | length >= 1 @@ -144,7 +148,8 @@ when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.2.6' when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 @@ -173,7 +178,8 @@ when: rhel9cis_6_2_7_group_group_check.stdout is not defined - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.2.7' when: rhel9cis_6_2_7_group_group_check.stdout is not defined From e5d17f74ca435c68a587017d84b6588dcfe22f07 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:08:37 +0100 Subject: [PATCH 18/90] import_tasks file added Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index e92eca6..25b6e45 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -367,7 +367,7 @@ - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yaml vars: warn_control_id: '6.1.15' when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 From 061483f15eb128a76737659ca32e2e239a953785 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:11:24 +0100 Subject: [PATCH 19/90] updated Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 231 ++------------------------------------ 1 file changed, 9 insertions(+), 222 deletions(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index fcb806d..7707be7 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -75,10 +75,6 @@ { "path": "detect_secrets.filters.allowlist.is_line_allowlisted" }, - { - "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".config/.secrets.baseline" - }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", "min_level": 2 @@ -109,224 +105,15 @@ }, { "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": "detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + ".config/.gitleaks-report.json", + "tasks/parse_etc_password.yml" + ] } ], - "results": { - ".config/.gitleaks-report.json": [ - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", - "is_verified": false, - "line_number": 9, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", - "is_verified": false, - "line_number": 9, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "cd6f8dc4b799af818fedddd7c83e5df8bf770555", - "is_verified": false, - "line_number": 12, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", - "is_verified": false, - "line_number": 29, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", - "is_verified": false, - "line_number": 29, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", - "is_verified": false, - "line_number": 49, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", - "is_verified": false, - "line_number": 49, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", - "is_verified": false, - "line_number": 69, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", - "is_verified": false, - "line_number": 69, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", - "is_verified": false, - "line_number": 89, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", - "is_verified": false, - "line_number": 89, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", - "is_verified": false, - "line_number": 109, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", - "is_verified": false, - "line_number": 109, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "cb5e191d260065309ce16cd3675837069c8734c8", - "is_verified": false, - "line_number": 132, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "976b057e0978bf8956e05b173f070cd7757c38c6", - "is_verified": false, - "line_number": 249, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "bdb4ffe72f980b517d691e83c9eb50219a63fe91", - "is_verified": false, - "line_number": 252, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "95f603d65dd6aec15f75185df59f92e90737da49", - "is_verified": false, - "line_number": 269, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "72172e3578dc29c275e5a39bdf7a1a038bdc03c4", - "is_verified": false, - "line_number": 272, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "08f0ac7a7bbbb1819417e5a47aa0eebbd5fe4e86", - "is_verified": false, - "line_number": 289, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "23fdd48a76e5b32e85c6698062f1489d6fbac450", - "is_verified": false, - "line_number": 309, - "is_secret": false - } - ], - "defaults/main.yml": [ - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", - "is_verified": false, - "line_number": 364, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", - "is_verified": false, - "line_number": 376, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", - "is_verified": false, - "line_number": 377, - "is_secret": false - } - ], - "tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb", - "is_verified": false, - "line_number": 38, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 110, - "is_secret": false - } - ], - "tasks/parse_etc_password.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/parse_etc_password.yml", - "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "is_verified": false, - "line_number": 18 - } - ] - }, - "generated_at": "2023-09-07T13:18:00Z" + "results": {}, + "generated_at": "2023-09-21T14:11:05Z" } From 580ee762eea482444d91d8ac7372f58ec38c68cb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:35:35 +0100 Subject: [PATCH 20/90] fix filename Signed-off-by: Mark Bolwell --- tasks/post.yml | 2 +- tasks/section_1/cis_1.1.3.x.yml | 2 +- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 2 +- tasks/section_1/cis_1.1.7.x.yml | 2 +- tasks/section_1/cis_1.1.8.x.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 2 +- tasks/section_1/cis_1.6.1.x.yml | 2 +- tasks/section_2/cis_2.4.yml | 2 +- tasks/section_3/cis_3.4.2.x.yml | 2 +- tasks/section_4/cis_4.2.2.x.yml | 2 +- tasks/section_4/cis_4.3.yml | 2 +- tasks/section_5/cis_5.6.1.x.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 10 +++++----- tasks/section_6/cis_6.2.x.yml | 12 ++++++------ 16 files changed, 25 insertions(+), 25 deletions(-) diff --git a/tasks/post.yml b/tasks/post.yml index ccb4181..1888940 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -47,7 +47,7 @@ - name: "POST | Warning a reboot required but skip option set | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: - change_requires_reboot - skip_reboot diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 8dea033..4ff1ccb 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -8,7 +8,7 @@ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.1.3.1' required_mount: '/var' diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 2d6dcb2..713dba6 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -9,7 +9,7 @@ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.1.4.1' required_mount: '/var/tmp' diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 2ebb828..ac8b827 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -8,7 +8,7 @@ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.1.5.1' diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index b41b13d..5a7c8f4 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -8,7 +8,7 @@ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.1.6.1' diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 4abb548..ee922b3 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -8,7 +8,7 @@ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.1.7.1' diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 41e2de8..6a50de8 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -16,7 +16,7 @@ - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: rhel9cis_1_8_1_1_mount_check.rc == 1 vars: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 6f2506f..fc0bf27 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -74,7 +74,7 @@ - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.2.3' when: diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 76a30a6..724fd29 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -94,7 +94,7 @@ - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 vars: warn_control_id: '1.6.1.6' diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 388edcc..ac56312 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -26,7 +26,7 @@ - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count" ansible.builtin.import_tasks: - file: warning_facts.yamlfacts.yml + file: warning_facts.yml vars: warn_control_id: '2.4' when: diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 37de476..73d85f4 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -47,7 +47,7 @@ - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" ansible.builtin.import_tasks: - file: warning_facts.yamlfacts.yml + file: warning_facts.yml when: - rhel9cis_3_4_2_2_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 767fb79..cf4b011 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -89,7 +89,7 @@ - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: "'static' not in rhel9cis_4_2_2_2_status.stdout" vars: warn_control_id: '4.2.2.2' diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 7631d8b..7da565e 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -40,7 +40,7 @@ - name: "4.3 | AUDIT | Ensure logrotate is configured | Warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '4.3' when: log_rotates.matched > 0 diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 1c96511..3d59a16 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -98,7 +98,7 @@ - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 25b6e45..c6a8375 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -178,7 +178,7 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.1.10' when: rhel_09_6_1_10_unowned_files_found @@ -225,7 +225,7 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.1.11' when: rhel_09_6_1_11_ungrouped_files_found @@ -282,7 +282,7 @@ - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.1.13' when: rhel9_6_1_13_suid_found @@ -325,7 +325,7 @@ - name: "6.1.14 | AUDIT | Audit SGID executables| warning" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.1.14' when: rhel9_6_1_14_sgid_found @@ -367,7 +367,7 @@ - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.1.15' when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 57deacd..2f3141b 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -16,7 +16,7 @@ - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.2.1' when: shadow_passwd.stdout | length >= 1 @@ -61,7 +61,7 @@ - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.2.3' when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 @@ -90,7 +90,7 @@ - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 vars: warn_control_id: '6.2.4' @@ -119,7 +119,7 @@ - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.2.5' when: rhel9cis_6_2_5_user_user_check.stdout_lines | length >= 1 @@ -149,7 +149,7 @@ - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.2.6' when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 @@ -179,7 +179,7 @@ - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.2.7' when: rhel9cis_6_2_7_group_group_check.stdout is not defined From 11071a66ab242ee9ec317bd65791f23b3d04814f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:36:05 +0100 Subject: [PATCH 21/90] added pragma allowed Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- tasks/main.yml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3b8cd4a..3fe96c1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -361,7 +361,7 @@ rhel9cis_allow_autofs: false # DO NOT USE PLAIN TEXT PASSWORDS!!!!! # The intent here is to use a password utility like Ansible Vault here rhel9cis_rh_sub_user: user -rhel9cis_rh_sub_password: password +rhel9cis_rh_sub_password: password # pragma: allowlist secret # 1.2.2 # Do you require rhnsd @@ -373,8 +373,8 @@ rhel9cis_rhel_default_repo: true rhel9cis_rule_enable_repogpg: true # 1.4.1 Bootloader password -rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' -rhel9cis_bootloader_password: random +rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' # pragma: allowlist secret +rhel9cis_bootloader_password: random # pragma: allowlist secret rhel9cis_set_boot_pass: true # 1.8 Gnome Desktop diff --git a/tasks/main.yml b/tasks/main.yml index e1cd780..60f4fbc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -35,7 +35,7 @@ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" vars: - sudo_password_rule: rhel9cis_rule_5_3_4 + sudo_password_rule: rhel9cis_rule_5_3_4 # pragma: allowlist secret when: - rhel9cis_rule_5_3_4 - ansible_env.SUDO_USER is defined @@ -107,7 +107,7 @@ - name: Check rhel9cis_bootloader_password_hash variable has been changed ansible.builtin.assert: - that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' + that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" when: - rhel9cis_set_boot_pass From 35dfa8770a3ca0b481055bd3fa64b243d5b5a346 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:45:49 +0100 Subject: [PATCH 22/90] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 7d2352f..2185343 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,6 +3,8 @@ ## 1.1.2 - Based on CIS v1.0.0 - updated audit binary versions - aligned with rhel9-cis-audit +- lint updates +- .secrets updated ## 1.1.1 - Based on CIS v1.0.0 From e82b2cefacb6e721565d497acb0b467a59fb115a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 16:25:59 +0100 Subject: [PATCH 23/90] quoted file mode Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 4 ++-- tasks/auditd.yml | 4 ++-- tasks/post.yml | 2 +- tasks/post_remediation_audit.yml | 2 +- tasks/pre_remediation_audit.yml | 2 +- tasks/prelim.yml | 2 +- tasks/section_1/cis_1.1.1.x.yml | 8 ++++---- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.1.x.yml | 4 ++-- tasks/section_1/cis_1.4.x.yml | 2 +- tasks/section_1/cis_1.7.x.yml | 12 ++++++------ tasks/section_1/cis_1.8.x.yml | 24 ++++++++++++------------ tasks/section_2/cis_2.1.x.yml | 4 ++-- tasks/section_3/cis_3.1.x.yml | 2 +- tasks/section_4/cis_4.1.4.x.yml | 6 +++--- tasks/section_4/cis_4.2.3.yml | 2 +- tasks/section_5/cis_5.1.x.yml | 16 ++++++++-------- tasks/section_5/cis_5.2.x.yml | 6 +++--- tasks/section_5/cis_5.6.x.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 20 ++++++++++---------- 20 files changed, 63 insertions(+), 63 deletions(-) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 29f8960..7a7fb0d 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -19,7 +19,7 @@ owner: root group: root checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" - mode: 0555 + mode: '0555' when: - get_audit_binary_method == 'download' @@ -27,7 +27,7 @@ ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" - mode: 0555 + mode: '0555' owner: root group: root when: diff --git a/tasks/auditd.yml b/tasks/auditd.yml index fb761b9..62f2794 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -11,7 +11,7 @@ dest: /etc/audit/rules.d/99_auditd.rules owner: root group: root - mode: 0640 + mode: '0640' diff: "{{ rhel9cis_auditd_file.stat.exists }}" # Only run diff if not a new file register: rhel9cis_auditd_template_updated notify: @@ -39,7 +39,7 @@ dest: /etc/audit/rules.d/98_auditd_exceptions.rules owner: root group: root - mode: 0640 + mode: '0640' diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}" notify: Restart auditd when: diff --git a/tasks/post.yml b/tasks/post.yml index 1888940..3f1f706 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -13,7 +13,7 @@ dest: "/etc/sysctl.d/{{ item }}" owner: root group: root - mode: 0600 + mode: '0600' register: sysctl_updated notify: Reload sysctl loop: diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index f0a7664..a5dc34b 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -11,7 +11,7 @@ - name: Post Audit | ensure audit files readable by users ansible.builtin.file: path: "{{ item }}" - mode: 0644 + mode: '0644' state: file loop: - "{{ post_audit_outfile }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 711f59b..35ada1f 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -69,7 +69,7 @@ ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" - mode: 0600 + mode: '0600' when: - run_audit tags: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f26c794..a564a29 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -191,7 +191,7 @@ path: "{{ rhel9_cis_sshd_config_file }}" owner: root group: root - mode: 0600 + mode: '0600' state: touch when: - rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config' diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 7a88f6f..263fc50 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -8,7 +8,7 @@ regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: true - mode: 0600 + mode: '0600' - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -16,7 +16,7 @@ regexp: "^(#)?blacklist squashfs(\\s|$)" line: "blacklist squashfs" create: true - mode: 0600 + mode: '0600' - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" community.general.modprobe: @@ -41,7 +41,7 @@ regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" create: true - mode: 0600 + mode: '0600' - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -49,7 +49,7 @@ regexp: "^(#)?blacklist udf(\\s|$)" line: "blacklist udf" create: true - mode: 0600 + mode: '0600' - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" community.general.modprobe: diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index ab8c264..10d6d2d 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -63,7 +63,7 @@ dest: /etc/systemd/system/tmp.mount owner: root group: root - mode: 0644 + mode: '0644' notify: Systemd restart tmp.mount when: - rhel9cis_tmp_svc diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index bf76b5c..c6cde83 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -10,7 +10,7 @@ create: true owner: root group: root - mode: 0600 + mode: '0600' - name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config" community.general.modprobe: @@ -24,7 +24,7 @@ regexp: "^(#)?blacklist usb-storage(\\s|$)" line: "blacklist usb-storage" create: true - mode: 0600 + mode: '0600' when: - rhel9cis_rule_1_1_9 tags: diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index ec27fa6..dd8d83f 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -6,7 +6,7 @@ content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy owner: root group: root - mode: 0600 + mode: '0600' notify: Grub2cfg when: - rhel9cis_set_boot_pass diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 1c20dca..883b35b 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -6,7 +6,7 @@ dest: /etc/motd owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_1 tags: @@ -22,7 +22,7 @@ dest: /etc/issue owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_2 tags: @@ -37,7 +37,7 @@ dest: /etc/issue.net owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_3 tags: @@ -52,7 +52,7 @@ path: /etc/motd owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_4 tags: @@ -67,7 +67,7 @@ path: /etc/issue owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_5 tags: @@ -82,7 +82,7 @@ path: /etc/issue.net owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_6 tags: diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 4f6922f..20e56c4 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -25,7 +25,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf loop: - { regexp: 'user-db', line: 'user-db:user' } @@ -38,7 +38,7 @@ dest: /etc/dconf/db/gdm.d/01-banner-message owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf when: - rhel9cis_rule_1_8_2 @@ -59,7 +59,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf loop: - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } @@ -87,7 +87,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' loop: - { regexp: '^user-db', line: 'user-db: user' } - { regexp: '^system-db', line: 'system-db: local' } @@ -97,7 +97,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" owner: root group: root - mode: 0755 + mode: '0755' state: directory - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make conf file" @@ -125,7 +125,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: 0755 + mode: '0755' state: directory - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file" @@ -134,7 +134,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf when: - rhel9cis_rule_1_8_5 @@ -171,7 +171,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: 0755 + mode: '0755' state: directory - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file" @@ -180,7 +180,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-automount_lock" owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf when: - rhel9cis_rule_1_8_7 @@ -199,7 +199,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" owner: root group: root - mode: 0755 + mode: '0755' state: directory - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file" @@ -227,7 +227,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: 0755 + mode: '0755' state: directory - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lockfile" @@ -236,7 +236,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock" owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf when: - rhel9cis_rule_1_8_9 diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 43cc226..3312843 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -21,7 +21,7 @@ dest: /etc/chrony.conf owner: root group: root - mode: 0644 + mode: '0644' - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" ansible.builtin.lineinfile: @@ -29,7 +29,7 @@ regexp: "^(#)?OPTIONS" line: "OPTIONS=\"-u chrony\"" create: true - mode: 0644 + mode: '0644' when: - rhel9cis_rule_2_1_2 - not system_is_container diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index dad3fe9..2a13574 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -73,7 +73,7 @@ regexp: "^(#)?blacklist tipc(\\s|$)" line: "blacklist tipc" create: true - mode: 0600 + mode: '0600' when: - rhel9cis_rule_3_1_3 tags: diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index ec3eebd..60b4e9b 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -50,7 +50,7 @@ ansible.builtin.file: path: "{{ audit_discovered_logfile.stdout | dirname }}" state: directory - mode: 0750 + mode: '0750' when: not auditlog_dir.stat.mode is match('07(0|5)0') when: - rhel9cis_rule_4_1_4_4 @@ -64,7 +64,7 @@ - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" ansible.builtin.file: path: "{{ item.path }}" - mode: 0640 + mode: '0640' loop: "{{ auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" @@ -127,7 +127,7 @@ - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" ansible.builtin.file: path: "{{ item.item }}" - mode: 0750 + mode: '0750' loop: "{{ audit_bins.results }}" loop_control: diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index a391254..2f2a8a4 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -12,7 +12,7 @@ - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions" ansible.builtin.file: path: "{{ item.path }}" - mode: 0640 + mode: '0640' loop: "{{ logfiles.files }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index f897c6c..ce8bb58 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -18,7 +18,7 @@ path: /etc/crontab owner: root group: root - mode: 0600 + mode: '0600' when: - rhel9cis_rule_5_1_2 tags: @@ -34,7 +34,7 @@ state: directory owner: root group: root - mode: 0700 + mode: '0700' when: - rhel9cis_rule_5_1_3 tags: @@ -50,7 +50,7 @@ state: directory owner: root group: root - mode: 0700 + mode: '0700' when: - rhel9cis_rule_5_1_4 tags: @@ -66,7 +66,7 @@ state: directory owner: root group: root - mode: 0700 + mode: '0700' when: - rhel9cis_rule_5_1_5 tags: @@ -81,7 +81,7 @@ state: directory owner: root group: root - mode: 0700 + mode: '0700' when: - rhel9cis_rule_5_1_6 tags: @@ -96,7 +96,7 @@ state: directory owner: root group: root - mode: 0700 + mode: '0700' when: - rhel9cis_rule_5_1_7 tags: @@ -124,7 +124,7 @@ state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: 0600 + mode: '0600' when: - rhel9cis_rule_5_1_8 tags: @@ -152,7 +152,7 @@ state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: 0600 + mode: '0600' when: - rhel9cis_rule_5_1_9 tags: diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 9054afd..5451cff 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -5,7 +5,7 @@ path: "/etc/ssh/sshd_config" owner: root group: root - mode: 0600 + mode: '0600' when: - rhel9cis_rule_5_2_1 tags: @@ -31,7 +31,7 @@ path: "{{ item.path }}" owner: root group: root - mode: 0600 + mode: '0600' loop: "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}" loop_control: label: "{{ item.path }}" @@ -60,7 +60,7 @@ path: "{{ item.path }}" owner: root group: root - mode: 0644 + mode: '0644' loop: "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 7379f3f..a529290 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -50,7 +50,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: 0644 + mode: '0644' block: | TMOUT={{ rhel9cis_shell_session_timeout.timeout }} export TMOUT diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index c6a8375..4cc5cbd 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -5,7 +5,7 @@ path: /etc/passwd owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_6_1_1 tags: @@ -20,7 +20,7 @@ path: /etc/passwd- owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_6_1_2 tags: @@ -32,10 +32,10 @@ - name: "6.1.3 | PATCH | Ensure permissions on /etc/group are configured" ansible.builtin.file: - path: /etc/group- + path: /etc/group owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_6_1_3 tags: @@ -50,7 +50,7 @@ path: /etc/group- owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_6_1_4 tags: @@ -65,7 +65,7 @@ path: /etc/shadow owner: root group: root - mode: 0000 + mode: '0000' when: - rhel9cis_rule_6_1_5 tags: @@ -80,7 +80,7 @@ path: /etc/shadow- owner: root group: root - mode: 0000 + mode: '0000' when: - rhel9cis_rule_6_1_6 tags: @@ -95,7 +95,7 @@ path: /etc/gshadow owner: root group: root - mode: 0000 + mode: '0000' when: - rhel9cis_rule_6_1_7 tags: @@ -110,7 +110,7 @@ path: /etc/gshadow- owner: root group: root - mode: 0000 + mode: '0000' when: - rhel9cis_rule_6_1_8 tags: @@ -357,7 +357,7 @@ content: "{{ rhel9cis_6_1_15_packages_rpm.stdout }}" owner: root group: root - mode: 0640 + mode: '0640' - name: "6.1.15 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" ansible.builtin.debug: From 076c02ea92058309bcf91e76a27cd4263fde5cb3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 16:26:28 +0100 Subject: [PATCH 24/90] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 2185343..77c96c0 100644 --- a/Changelog.md +++ b/Changelog.md @@ -5,6 +5,7 @@ - updated audit binary versions - aligned with rhel9-cis-audit - lint updates - .secrets updated +- file mode quoted ## 1.1.1 - Based on CIS v1.0.0 From 729fac35805154823053088317e4a7edbdd729e9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 22 Sep 2023 08:44:43 +0100 Subject: [PATCH 25/90] updated 5.6.5 Signed-off-by: Mark Bolwell --- Changelog.md | 1 + tasks/section_5/cis_5.6.x.yml | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Changelog.md b/Changelog.md index 77c96c0..3b4f9e9 100644 --- a/Changelog.md +++ b/Changelog.md @@ -6,6 +6,7 @@ - lint updates - .secrets updated - file mode quoted +- updated 5.6.5 thansk to feedback from S!ghs on discord community ## 1.1.1 - Based on CIS v1.0.0 diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index a529290..e5565b4 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -83,10 +83,10 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings" - ansible.builtin.lineinfile: + ansible.builtin.replace: path: "{{ item.path }}" - regexp: '(?i)(umask\s*)' - line: '{{ item.line }} 027' + regexp: (?i)(umask\s+\d\d\d) + replace: '{{ item.line }} 027' with_items: - { path: '/etc/bashrc', line: 'umask' } - { path: '/etc/profile', line: 'umask' } From c4714f58074a27f30bdc2e413db4018ffd9c53db Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 6 Oct 2023 22:02:41 +0100 Subject: [PATCH 26/90] updated collections Signed-off-by: Mark Bolwell --- collections/requirements.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/collections/requirements.yml b/collections/requirements.yml index 3f594d0..8ebc618 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,5 +1,14 @@ --- + collections: - name: community.general + source: https://github.com/ansible-collections/community.general + type: git + - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git + - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git From 646b4decc1750334624bb3053a950352cdf27019 Mon Sep 17 00:00:00 2001 From: Bernd Grobauer Date: Thu, 12 Oct 2023 12:56:20 +0200 Subject: [PATCH 27/90] Adding missing lines to sysctl.d/50-default.conf Signed-off-by: Bernd Grobauer --- tasks/post.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tasks/post.yml b/tasks/post.yml index 3f1f706..724611d 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -26,6 +26,19 @@ - not system_is_container - "'procps-ng' in ansible_facts.packages" +- name: POST | Update usr sysctl + ansible.builtin.lineinfile: + dest: /usr/lib/sysctl.d/50-default.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + loop: + - { regexp: '^net.ipv4.conf.default.rp_filter', line: 'net.ipv4.conf.default.rp_filter = 1' } + - { regexp: '^net.ipv4.conf.*.rp_filter', line: 'net.ipv4.conf.*.rp_filter = 1' } + when: + - rhel9cis_sysctl_update + - not system_is_container + - "'procps-ng' in ansible_facts.packages" + - name: Flush handlers ansible.builtin.meta: flush_handlers From df36a1e7af3d5544562a020bea3a5d0df90d8a44 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 31 Oct 2023 15:21:19 +0000 Subject: [PATCH 28/90] updated workflow for galaxy and versions Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/main_pipeline_validation.yml | 18 +++++++++--------- .github/workflows/update_galaxy.yml | 14 ++++++-------- 3 files changed, 24 insertions(+), 26 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index dba39dc..9fbe7aa 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -29,7 +29,7 @@ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -44,13 +44,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -74,7 +74,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -82,7 +82,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -90,7 +90,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -111,9 +111,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 0b149fb..67ee9d9 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -18,7 +18,7 @@ # that can run sequentially or in parallel jobs: - # This workflow contains a single job which tests the playbook + # This workflow contains a single job that tests the playbook playbook-test: # The type of runner that the job will run on runs-on: ubuntu-latest @@ -33,13 +33,13 @@ steps: - name: Clone ${{ github.event.repository.name }} - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.sha }} # Pull in terraform code for linux servers - - name: Clone github IaC plan - uses: actions/checkout@v3 + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 with: repository: ansible-lockdown/github_linux_IaC path: .github/workflows/github_linux_IaC @@ -63,7 +63,7 @@ pwd ls env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -71,7 +71,7 @@ id: init run: terraform init env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -79,7 +79,7 @@ id: validate run: terraform validate env: - # Imported from github variables this is used to load the relvent OS.tfvars file + # Imported from GitHub variables this is used to load the relevant OS.tfvars file OSVAR: ${{ vars.OSVAR }} TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} @@ -100,9 +100,9 @@ # Aws deployments taking a while to come up insert sleep or playbook fails - name: Sleep for 60 seconds - run: sleep 60s + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the ansible playbook + # Run the Ansibleplaybook - name: Run_Ansible_Playbook uses: arillso/action.playbook@master with: diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 951a53c..f935280 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml @@ -1,11 +1,7 @@ --- -# This is a basic workflow to help you get started with Actions - name: update galaxy -# Controls when the action will run. -# Triggers the workflow on merge request events to the main branch on: push: branches: @@ -14,8 +10,10 @@ jobs: update_role: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: robertdebock/galaxy-action@master + - name: Checkout repo + uses: actions/checkout@v4 + + - name: Action Ansible Galaxy Release ${{ github.ref_name }} + uses: ansible-actions/ansible-galaxy-action@main with: - galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} - git_branch: main + galaxy_api_key: ${{ secrets.GALAXY_API_KEY }} From c6a51ad38a1d4c77075ffe8788f0ba171314aea1 Mon Sep 17 00:00:00 2001 From: "root@DERVISHx" Date: Fri, 10 Nov 2023 15:28:12 +0000 Subject: [PATCH 29/90] Adding new entry in /etc/pam.d/system-auth Signed-off-by: root@DERVISHx --- tasks/section_5/cis_5.6.x.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index e5565b4..a2c0219 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -98,6 +98,11 @@ regexp: '^USERGROUPS_ENAB' line: USERGROUPS_ENAB no + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth" + ansible.builtin.lineinfile: + path: /etc/pam.d/system-auth + line: 'session required pam_umask.so' + insertafter: EOF when: - rhel9cis_rule_5_6_5 tags: From d51efffd500b8b2969d447534a4da722be07df0e Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 13 Nov 2023 17:46:18 +0000 Subject: [PATCH 30/90] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v3.2.0 → v4.5.0](https://github.com/pre-commit/pre-commit-hooks/compare/v3.2.0...v4.5.0) - [github.com/gitleaks/gitleaks: v8.17.0 → v8.18.0](https://github.com/gitleaks/gitleaks/compare/v8.17.0...v8.18.0) - [github.com/ansible-community/ansible-lint: v6.17.2 → v6.22.0](https://github.com/ansible-community/ansible-lint/compare/v6.17.2...v6.22.0) - [github.com/adrienverge/yamllint.git: v1.32.0 → v1.33.0](https://github.com/adrienverge/yamllint.git/compare/v1.32.0...v1.33.0) --- .pre-commit-config.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 97c7943..33fd6ed 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.2.0 + rev: v4.5.0 hooks: # Safety - id: detect-aws-credentials @@ -37,13 +37,13 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.17.0 + rev: v8.18.0 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.17.2 + rev: v6.22.0 hooks: - id: ansible-lint name: Ansible-lint @@ -62,6 +62,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.32.0 # or higher tag + rev: v1.33.0 # or higher tag hooks: - id: yamllint From 7d64ebbca03fb3c3e4f4e5947770bba2bbee4c3a Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 20 Nov 2023 17:35:48 +0000 Subject: [PATCH 31/90] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.0 → v8.18.1](https://github.com/gitleaks/gitleaks/compare/v8.18.0...v8.18.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 33fd6ed..68f44f0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,7 +37,7 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.0 + rev: v8.18.1 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From 8784941179651c0dffb5cac8453a1e1a7b676202 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 09:48:49 +0000 Subject: [PATCH 32/90] audit variables seperated Signed-off-by: Mark Bolwell --- defaults/main.yml | 89 +++++++++++++++++--------------------------- tasks/audit_only.yml | 30 +++++++++++++++ 2 files changed, 65 insertions(+), 54 deletions(-) create mode 100644 tasks/audit_only.yml diff --git a/defaults/main.yml b/defaults/main.yml index 3fe96c1..0bc0137 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -45,28 +45,53 @@ skip_reboot: true # default value will change to true but wont reboot if not enabled but will error change_requires_reboot: false -#### Basic external goss audit enablement settings #### -#### Precise details - per setting can be found at the bottom of this file #### +########################################## +### Goss is required on the remote host ### +## Refer to vars/auditd.yml for any other settings ## -### Goss is required on the remote host +# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false -# How to retrive goss + +# enable audits to run - this runs the audit and get the latest content +run_audit: false + +# Only run Audit do not remediate +audit_only: false +# As part of audit_only +# This will enable files to be copied back to control node +fetch_audit_files: false +# Path to copy the files to will create dir structure +audit_capture_files_dir: /some/location to copy to on control node + +# How to retrieve audit binary # Options are copy or download - detailed settings at the bottom of this file # you will need to access to either github or the file already dowmloaded get_audit_binary_method: download +## if get_audit_binary_method - copy the following needs to be updated for your environment +## it is expected that it will be copied from somewhere accessible to the control node +## e.g copy from ansible control node to remote host +audit_bin_copy_location: /some/accessible/path + # how to get audit files onto host options -# options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly) +# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf audit_content: git -# enable audits to run - this runs the audit and get the latest content -run_audit: false +# archive or copy: +audit_conf_copy: "some path to copy from" -# Timeout for those cmds that take longer to run where timeout set -audit_cmd_timeout: 60000 +# get_url: +audit_files_url: "some url maybe s3?" + +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true + +# This variable specifies the timeout (in ms) for audit commands that +# take a very long time: if a command takes too long to complete, +# it will be forcefully terminated after the specified duration. +audit_cmd_timeout: 120000 ### End Goss enablements #### -#### Detailed settings found at the end of this document #### # These variables correspond with the CIS rule IDs or paragraph numbers defined in # the CIS benchmark documents. @@ -663,47 +688,3 @@ audit_run_script_environment: AUDIT_BIN: "{{ audit_bin }}" AUDIT_FILE: 'goss.yml' AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - -### Goss binary settings ### -audit_bin_release: v0.4.2 -audit_bin_version: - AMD64_checksum: 'sha256:e50e43d75c47c731f5fdff176f5abeb8aca35f17aea60f85ebc28f6110cb6945' - ARM64_checksum: 'sha256:6da14a98f12d1929ea719d4cfe96087c8e3a37b29d91b72fbe6edc7f8a580784 ' -audit_bin_path: /usr/local/bin/ -audit_bin: "{{ audit_bin_path }}goss" -audit_format: json - -# if get_goss_file == download change accordingly -audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_release }}/goss-linux-" - -## if get_goss_file - copy the following needs to be updated for your environment -## it is expected that it will be copied from somewhere accessible to the control node -## e.g copy from ansible control node to remote host -copy_goss_from_path: /some/accessible/path - -### Goss Audit Benchmark file ### -## managed by the control audit_content -# git -audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark_{{ benchmark_version }}" - -# copy: -audit_local_copy: "some path to copy from" - -# get_url: -audit_files_url: "some url maybe s3?" - -## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" - -## The following should not need changing -goss_file: "{{ audit_conf_dir }}goss.yml" -audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" -audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml new file mode 100644 index 0000000..864f5bb --- /dev/null +++ b/tasks/audit_only.yml @@ -0,0 +1,30 @@ +--- + +- name: Audit_Only | Create local Directories for hosts + ansible.builtin.file: + mode: '0755' + path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" + recurse: true + state: directory + when: fetch_audit_files + delegate_to: localhost + become: false + +- name: Audit_only | Get audits from systems and put in group dir + ansible.builtin.fetch: + dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" + flat: true + mode: '0644' + src: "{{ pre_audit_outfile }}" + when: fetch_audit_files + +- name: Audit_only | Show Audit Summary + when: + - audit_only + ansible.builtin.debug: + msg: "The Audit results are: {{ pre_audit_summary }}." + +- name: Audit_only | Stop Playbook Audit Only selected + when: + - audit_only + ansible.builtin.meta: end_play From 23a4386e953db5bf86ebeca237d2a8ee17ec3c2a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 09:49:36 +0000 Subject: [PATCH 33/90] addition of audit_only config Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 2 +- tasks/main.yml | 17 ++++++-- tasks/post_remediation_audit.yml | 22 +++++----- tasks/pre_remediation_audit.yml | 73 +++++++++++++++++--------------- vars/audit.yml | 38 +++++++++++++++++ 5 files changed, 103 insertions(+), 49 deletions(-) create mode 100644 vars/audit.yml diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 7a7fb0d..56ffbd6 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -23,7 +23,7 @@ when: - get_audit_binary_method == 'download' -- name: Pre Audit Setup | copy audit binary +- name: Pre Audit Setup | Copy audit binary ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" diff --git a/tasks/main.yml b/tasks/main.yml index 60f4fbc..858755b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -133,11 +133,22 @@ - prelim_tasks - always -- name: run pre_remediation audit - ansible.builtin.include_tasks: - file: pre_remediation_audit.yml +- name: Include audit specific variables when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit - run_audit + ansible.builtin.include_vars: audit.yml + +- name: Include pre-remediation audit tasks + when: + - run_audit or audit_only + - setup_audit + tags: + - run_audit + ansible.builtin.import_tasks: pre_remediation_audit.yml - name: run Section 1 tasks ansible.builtin.import_tasks: diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index a5dc34b..eb01bc7 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,12 +1,12 @@ --- -- name: "Post Audit | Run post_remediation {{ benchmark }} audit" +- name: Post Audit | Run post_remediation {{ benchmark }} audit ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" + AUDIT_FILE: goss.yml - name: Post Audit | ensure audit files readable by users ansible.builtin.file: @@ -18,9 +18,11 @@ - "{{ pre_audit_outfile }}" - name: Post Audit | Capture audit data if json format + when: + - audit_format == "json" block: - - name: "capture data {{ post_audit_outfile }}" - ansible.builtin.shell: "cat {{ post_audit_outfile }}" + - name: capture data {{ post_audit_outfile }} + ansible.builtin.shell: cat {{ post_audit_outfile }} register: post_audit changed_when: false @@ -28,19 +30,17 @@ ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + summary: summary."summary-line" - name: Post Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - name: "Post Audit | capture data {{ post_audit_outfile }}" - ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" + - name: Post Audit | capture data {{ post_audit_outfile }} + ansible.builtin.shell: tail -2 {{ post_audit_outfile }} register: post_audit changed_when: false - name: Post Audit | Capture post-audit result ansible.builtin.set_fact: post_audit_summary: "{{ post_audit.stdout_lines }}" - when: - - audit_format == "documentation" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 35ada1f..258171a 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,56 +1,58 @@ --- -- name: Pre Audit Binary Setup | Setup the LE audit - ansible.builtin.include_tasks: LE_audit_setup.yml +- name: Pre Audit Setup | Setup the LE audit when: - setup_audit tags: - setup_audit + ansible.builtin.include_tasks: LE_audit_setup.yml -- name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists" +- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory mode: '0755' - name: Pre Audit Setup | If using git for content set up + when: + - audit_content == 'git' block: - name: Pre Audit Setup | Install git ansible.builtin.package: name: git state: present - - name: Pre Audit Setup | retrieve audit content files from git + - name: Pre Audit Setup | Retrieve audit content files from git ansible.builtin.git: repo: "{{ audit_file_git }}" dest: "{{ audit_conf_dir }}" version: "{{ audit_git_version }}" - when: - - audit_content == 'git' -- name: Pre Audit Setup | copy to audit content files to server +- name: Pre Audit Setup | Copy to audit content files to server + when: + - audit_content == 'copy' ansible.builtin.copy: src: "{{ audit_local_copy }}" dest: "{{ audit_conf_dest }}" mode: preserve - when: - - audit_content == 'copy' -- name: Pre Audit Setup | unarchive audit content files on server +- name: Pre Audit Setup | Unarchive audit content files on server + when: + - audit_content == 'archived' ansible.builtin.unarchive: src: "{{ audit_conf_copy }}" dest: "{{ audit_conf_dir }}" - when: - - audit_content == 'archived' -- name: Pre Audit Setup | get audit content from url +- name: Pre Audit Setup | Get audit content from url + when: + - audit_content == 'get_url' ansible.builtin.get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" - when: - - audit_content == 'get_url' - name: Pre Audit Setup | Check Goss is available + when: + - run_audit block: - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: @@ -58,36 +60,36 @@ register: goss_available - name: Pre Audit Setup | If audit ensure goss is available - ansible.builtin.assert: - msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" when: - not goss_available.stat.exists - when: - - run_audit + ansible.builtin.assert: + msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit + tags: + - goss_template + - run_audit + when: + - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" mode: '0600' - when: - - run_audit - tags: - - goss_template - - always -- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" +- name: Pre Audit | Run pre_remediation {{ benchmark }} audit ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" - AUDIT_FILE: "goss.yml" + AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format + when: + - audit_format == "json" block: - - name: "capture data {{ pre_audit_outfile }}" - ansible.builtin.shell: "cat {{ pre_audit_outfile }}" + - name: capture data {{ pre_audit_outfile }} + ansible.builtin.shell: cat {{ pre_audit_outfile }} register: pre_audit changed_when: false @@ -95,19 +97,22 @@ ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: - summary: 'summary."summary-line"' - when: - - audit_format == "json" + summary: summary."summary-line" - name: Pre Audit | Capture audit data if documentation format + when: + - audit_format == "documentation" block: - - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format" - ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" + - name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format + ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result | documentation format ansible.builtin.set_fact: pre_audit_summary: "{{ pre_audit.stdout_lines }}" + +- name: Audit_Only | Run Audit Only when: - - audit_format == "documentation" + - audit_only + ansible.builtin.import_tasks: audit_only.yml diff --git a/vars/audit.yml b/vars/audit.yml new file mode 100644 index 0000000..e5ca959 --- /dev/null +++ b/vars/audit.yml @@ -0,0 +1,38 @@ +--- + +#### Audit Configuration Settings #### + +# if get_audit_binary_method == download change accordingly +audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-" + +### Goss Audit Benchmark file ### +## managed by the control audit_content +# git +audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" +audit_git_version: "benchmark-{{ benchmark_version }}" + +## Goss configuration information +# Where the goss configs and outputs are stored +audit_out_dir: '/opt' +# Where the goss audit configuration will be stored +audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" + +# If changed these can affect other products +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" + +## The following should not need changing + +### Audit binary settings ### +audit_bin_version: + release: v0.4.4 + AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5' +audit_bin_path: /usr/local/bin/ +audit_bin: "{{ audit_bin_path }}goss" +audit_format: json + +audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" +audit_results: | + The pre remediation results are: {{ pre_audit_summary }}. + The post remediation results are: {{ post_audit_summary }}. + Full breakdown can be found in {{ audit_out_dir }} From 2c152b3ae5d86bd07785af8d19f0f7635f1a7df6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 09:50:11 +0000 Subject: [PATCH 34/90] removed dupe line Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 8b21441..e83dd40 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -239,7 +239,6 @@ rhel9cis_rule_4_1_4_10: {{ rhel9cis_rule_4_1_4_10 }} # 4.2.1 Configure rsyslog rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }} rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }} -rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_3 }} rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }} rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }} rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }} From 41520312e61d64f9fd65fd86b6a2d77aafd68a66 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 10:00:27 +0000 Subject: [PATCH 35/90] updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog.md b/Changelog.md index 3b4f9e9..baa0d44 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,12 @@ # Changes to rhel9CIS +## 1.1.3 - Based on CIS v1.0.0 + +- updated goss binary to 0.4.4 +- moved majority of audit variables to vars/audit.yml +- new function to enable audit_only using remediation +- removed some dupes in audit config + ## 1.1.2 - Based on CIS v1.0.0 - updated audit binary versions - aligned with rhel9-cis-audit From afd1c2ff01b7c7f4b694cd73543fc4116086fa16 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 10:11:08 +0000 Subject: [PATCH 36/90] fixed benchmark_name Signed-off-by: Mark Bolwell --- vars/audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/audit.yml b/vars/audit.yml index e5ca959..dd61b8a 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -15,7 +15,7 @@ audit_git_version: "benchmark-{{ benchmark_version }}" # Where the goss configs and outputs are stored audit_out_dir: '/opt' # Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" +audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}_Audit" # If changed these can affect other products pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" From 669f5352257f12edaf0e2cf0e622ab3f94f5c129 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 12:28:06 +0000 Subject: [PATCH 37/90] updated benchmark name Signed-off-by: Mark Bolwell --- vars/audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/audit.yml b/vars/audit.yml index dd61b8a..74a7093 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -9,7 +9,7 @@ audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_ ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: "benchmark-{{ benchmark_version }}" +audit_git_version: "benchmark_{{ benchmark_version }}" ## Goss configuration information # Where the goss configs and outputs are stored From dc7da70b611f1f621c1c2ff18e2d1d3093fe839d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 21 Nov 2023 12:37:09 +0000 Subject: [PATCH 38/90] fixed typo Signed-off-by: Mark Bolwell --- vars/audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vars/audit.yml b/vars/audit.yml index 74a7093..26e2b87 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -15,7 +15,7 @@ audit_git_version: "benchmark_{{ benchmark_version }}" # Where the goss configs and outputs are stored audit_out_dir: '/opt' # Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}_Audit" +audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" # If changed these can affect other products pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" From 8b875ad228294c8954bca1b647b401e1cb29b4b7 Mon Sep 17 00:00:00 2001 From: Marcin Dulinski Date: Wed, 22 Nov 2023 09:17:15 +0000 Subject: [PATCH 39/90] Fixed chrony configuration options Signed-off-by: Marcin Dulinski --- defaults/main.yml | 3 +++ templates/etc/chrony.conf.j2 | 22 ++++++++++++---------- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0bc0137..ff21216 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -449,6 +449,9 @@ rhel9cis_time_synchronization_servers: - 2.pool.ntp.org - 3.pool.ntp.org rhel9cis_chrony_server_options: "minpoll 8" +rhel9cis_chrony_server_rtcsync: false +rhel9cis_chrony_server_makestep: "1.0 3" +rhel9cis_chrony_server_minsources: 2 ### 2.2 Special Purposes ##### Service configuration booleans set true to keep service diff --git a/templates/etc/chrony.conf.j2 b/templates/etc/chrony.conf.j2 index 54c1b6c..a1837a9 100644 --- a/templates/etc/chrony.conf.j2 +++ b/templates/etc/chrony.conf.j2 @@ -1,4 +1,4 @@ -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## {{ ansible_managed }} # This the default chrony.conf file for the Debian chrony package. After # editing this file use the command 'invoke-rc.d chrony restart' to make @@ -27,19 +27,21 @@ server {{ server }} {{ rhel9cis_chrony_server_options }} # password is generated by a random process at install time. You may # change it if you wish. -keyfile /etc/chrony/chrony.keys +keyfile /etc/chrony.keys -# Set runtime command key. Note that if you change the key (not the -# password) to anything other than 1 you will need to edit -# /etc/ppp/ip-up.d/chrony, /etc/ppp/ip-down.d/chrony, /etc/init.d/chrony -# and /etc/cron.weekly/chrony as these scripts use it to get the password. +# Record the rate at which the system clock gains/losses time. +driftfile /var/lib/chrony/drift -commandkey 1 +# Allow the system clock to be stepped in the first three updates +# if its offset is larger than 1 second. +makestep {{ rhel9cis_chrony_server_makestep }} -# I moved the driftfile to /var/lib/chrony to comply with the Debian -# filesystem standard. +# Enable kernel synchronization of the real-time clock (RTC). +{% if not rhel9cis_chrony_server_rtcsync %}#{% endif %}rtcsync -driftfile /var/lib/chrony/chrony.drift +# Increase the minimum number of selectable sources required to adjust +# the system clock. +minsources {{ rhel9cis_chrony_server_minsources }} # Comment this line out to turn off logging. From cce2b25d80a0b3dace4ca5bf27f345d972b86ddb Mon Sep 17 00:00:00 2001 From: Senih <40578755+senihucar@users.noreply.github.com> Date: Thu, 23 Nov 2023 12:02:37 -0800 Subject: [PATCH 40/90] Update cis_5.6.1.x.yml Typo fixed from: - rule_5.5.1.3 to: - rule_5.6.1.3 Signed-off-by: Senih <40578755+senihucar@users.noreply.github.com> --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 3d59a16..f7b8136 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -40,7 +40,7 @@ - level1-workstation - patch - password - - rule_5.5.1.3 + - rule_5.6.1.3 - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less" block: From f3726b8908fb4530cd9df2f5225a4e71c6e54074 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 4 Dec 2023 17:36:20 +0000 Subject: [PATCH 41/90] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v6.22.0 → v6.22.1](https://github.com/ansible-community/ansible-lint/compare/v6.22.0...v6.22.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 68f44f0..a79d4cb 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -43,7 +43,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.0 + rev: v6.22.1 hooks: - id: ansible-lint name: Ansible-lint From 72b503bf46fff97e122982d96098467b50401226 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Tue, 5 Dec 2023 14:42:51 +0200 Subject: [PATCH 42/90] Removing redundant conditional statements Signed-off-by: Ionut Pruteanu --- tasks/section_1/cis_1.6.1.x.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 724fd29..7ca0fd1 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -39,7 +39,6 @@ policy: "{{ rhel9cis_selinux_pol }}" state: "{{ rhel9cis_selinux_enforce }}" when: - - not rhel9cis_selinux_disable - rhel9cis_rule_1_6_1_3 tags: - level1-server @@ -54,7 +53,6 @@ policy: "{{ rhel9cis_selinux_pol }}" state: "{{ rhel9cis_selinux_enforce }}" when: - - not rhel9cis_selinux_disable - rhel9cis_rule_1_6_1_4 tags: - level1-server @@ -69,7 +67,6 @@ policy: "{{ rhel9cis_selinux_pol }}" state: enforcing when: - - not rhel9cis_selinux_disable - rhel9cis_selinux_enforce == 'enforcing' - rhel9cis_rule_1_6_1_5 tags: From b6f1703cfc7a7b67ceaaeb75b6971fe00100de94 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Tue, 5 Dec 2023 19:51:38 +0200 Subject: [PATCH 43/90] Replacing vars according to Audit needs Signed-off-by: Ionut Pruteanu --- tasks/pre_remediation_audit.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 258171a..49d1081 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -32,8 +32,8 @@ when: - audit_content == 'copy' ansible.builtin.copy: - src: "{{ audit_local_copy }}" - dest: "{{ audit_conf_dest }}" + src: "{{ audit_conf_copy }}" + dest: "{{ audit_conf_dir }}" mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server From 4fe5f95cf7b4167b277b89c074a96cd374c914c7 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Tue, 5 Dec 2023 20:40:50 +0200 Subject: [PATCH 44/90] Timeout value defined in defaults/main.yml file not used Signed-off-by: Ionut Pruteanu --- templates/ansible_vars_goss.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e83dd40..f3b8a98 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -10,7 +10,7 @@ benchmark_version: '1.0.0' host_os_distribution: {{ ansible_facts.distribution | lower }} # timeout for each command to run where set - default = 10seconds/10000ms -timeout_ms: 60000 +timeout_ms: {{ audit_cmd_timeout }} # Taken from LE rhel9-cis rhel9cis_section1: {{ rhel9cis_section1 }} From 9d988b483f6222ac310a1af342ffa9f1745f07e0 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Thu, 7 Dec 2023 18:10:09 +0200 Subject: [PATCH 45/90] Masking service when server package is needed Signed-off-by: Ionut Pruteanu --- tasks/section_2/cis_2.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 8c6ccf6..563ec4b 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -274,8 +274,8 @@ masked: true state: stopped when: - - not rhel9cis_use_nfs_server - - rhel9cis_use_nfs_service + - rhel9cis_use_nfs_server + - not rhel9cis_use_nfs_service when: - "'nfs-utils' in ansible_facts.packages" - rhel9cis_rule_2_2_16 From cd04537bf10b9c03228a3ab61b49ca242c7849da Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Thu, 7 Dec 2023 18:58:02 +0200 Subject: [PATCH 46/90] Using correct conditional for ftpd Signed-off-by: Ionut Pruteanu --- tasks/section_2/cis_2.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index 10a0662..c576a65 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -50,7 +50,7 @@ name: ftp state: absent when: - - not rhel9cis_tftp_client + - not rhel9cis_ftp_client - "'ftp' in ansible_facts.packages" - rhel9cis_rule_2_3_4 tags: From 81fd98e2c63bc6ffcedcd77203be6124cf4d8976 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Thu, 7 Dec 2023 20:38:20 +0200 Subject: [PATCH 47/90] Using correct conditional for Task relying on 'firewall-cmd --get-active-zones' cmd Signed-off-by: Ionut Pruteanu --- tasks/section_3/cis_3.4.2.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 73d85f4..ee57e5b 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -194,6 +194,7 @@ - "{{ rhel9cis_3_4_2_5_servicesport.stdout_lines }}" when: - rhel9cis_rule_3_4_2_5 + - rhel9cis_firewall == "firewalld" tags: - level1-server - level1-workstation From d79bba53c6950f317665d586180eae2a7b1d3fe0 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 8 Dec 2023 12:01:10 +0200 Subject: [PATCH 48/90] Rsyslog subsection corrected header(was using 4.2 logging name, instead of 4.2.1. rsyslog name) Signed-off-by: Ionut Pruteanu --- tasks/section_4/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index db729af..d3b6b8d 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -18,7 +18,7 @@ ansible.builtin.import_tasks: file: cis_4.1.4.x.yml -- name: "SECTION | 4.2 | Configure Logging" +- name: "SECTION | 4.2.1 | Configure rsyslog" ansible.builtin.import_tasks: file: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' From e0de491263db91eab4849ad471721a7ec256aadb Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 8 Dec 2023 12:03:00 +0200 Subject: [PATCH 49/90] whole section defined in cis_4.2.1.x.yml gets executed only `when: rhel9cis_syslog == 'rsyslog'`, having same condition is redundant and may confuse users. Signed-off-by: Ionut Pruteanu --- tasks/section_4/cis_4.2.1.x.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 10e0ac2..a3f2a44 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -35,7 +35,6 @@ notify: Restart rsyslog when: - rhel9cis_rule_4_2_1_3 - - rhel9cis_syslog == "rsyslog" tags: - level1-server - level1-workstation From c19e350b7d1bd87fe7a1e30ff53ebeab39897ae4 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 8 Dec 2023 16:44:30 +0200 Subject: [PATCH 50/90] Using rhel9cis_authselect['options'], otherwise not used at all Signed-off-by: Ionut Pruteanu --- tasks/section_5/cis_5.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 52c1f70..69eb090 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -44,7 +44,7 @@ - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}" - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" - ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" + ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}" when: rhel9cis_authselect_custom_profile_select - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile" From 8d85f178e22a815434be590736222abea90872db Mon Sep 17 00:00:00 2001 From: Corey Reid Date: Thu, 19 Oct 2023 13:19:07 +0100 Subject: [PATCH 51/90] find hidden files in /var/log for 4.3.2 Signed-off-by: Corey Reid --- tasks/section_4/cis_4.2.3.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index 2f2a8a4..19bfce8 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -7,6 +7,7 @@ paths: "/var/log" file_type: file recurse: true + hidden: true register: logfiles - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions" From 88ffe32137c841e4c1d63f9d7020aaa81026edc3 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Wed, 20 Dec 2023 21:58:49 +0200 Subject: [PATCH 52/90] Storing max_log_file under `rhel9cis_auditd` dict variable. Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 11 ++--------- tasks/section_4/cis_4.1.2.x.yml | 2 +- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0bc0137..39d8691 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -525,26 +525,19 @@ rhel9cis_auditd: space_left_action: email action_mail_acct: root admin_space_left_action: halt + # The max_log_file parameter should be based on your sites policy. + max_log_file: 10 max_log_file_action: keep_logs # The audit_back_log_limit value should never be below 8192 rhel9cis_audit_back_log_limit: 8192 -# The max_log_file parameter should be based on your sites policy -rhel9cis_max_log_file_size: 10 - ### 4.1.3.x audit template update_audit_template: false ## Advanced option found in auditd post rhel9cis_allow_auditd_uid_user_exclusions: false -# This can be used to configure other keys in auditd.conf -rhel9cis_auditd_extra_conf: {} -# Example: -# rhel9cis_auditd_extra_conf: -# admin_space_left: '10%' - ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index b830b1f..f235493 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -4,7 +4,7 @@ ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" - line: "max_log_file = {{ rhel9cis_max_log_file_size }}" + line: "max_log_file = {{ rhel9cis_auditd['max_log_file'] }}" notify: Restart auditd when: - rhel9cis_rule_4_1_2_1 From ca41b128cd895410dab925c4db7694ce24ef7907 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Wed, 20 Dec 2023 22:21:14 +0200 Subject: [PATCH 53/90] Defining some threshold for (audit_)space_left vars, as well as a bool which governs if extra params will be configured Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 11 +++++++++++ tasks/section_4/cis_4.1.2.x.yml | 1 + 2 files changed, 12 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 39d8691..58c84d7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -529,6 +529,17 @@ rhel9cis_auditd: max_log_file: 10 max_log_file_action: keep_logs +# This value governs if the below extra-vars for auditd should be used by the role +rhel9cis_auditd_extra_conf_usage: false + +# This can be used to configure other keys in auditd.conf +# Example: +# rhel9cis_auditd_extra_conf: +# admin_space_left: '10%' +rhel9cis_auditd_extra_conf: + admin_space_left: 50 + space_left: 75 + # The audit_back_log_limit value should never be below 8192 rhel9cis_audit_back_log_limit: 8192 diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index f235493..8370114 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -58,6 +58,7 @@ notify: Restart auditd when: - rhel9cis_auditd_extra_conf.keys() | length > 0 + - rhel9cis_auditd_extra_conf_usage tags: - level2-server - level2-workstation From 1e55d8600190706d9a42f54901030dfb4d4d1cfa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:12:06 +0100 Subject: [PATCH 54/90] Update cis_1.3.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Correction to "when": 1_3_3 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_1/cis_1.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 7a5e544..dda9c66 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -67,7 +67,7 @@ /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 validate: aide -D --config %s when: - - rhel9cis_rule_1_3_2 + - rhel9cis_rule_1_3_3 - not system_is_ec2 tags: - level1-server From 4d749d988d87c6bbd281f2efe40fbd92ee3c291a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:13:32 +0100 Subject: [PATCH 55/90] Update cis_1.8.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected tag rule_1.8.10 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_1/cis_1.8.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 20e56c4..e6f4b0c 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -261,4 +261,4 @@ - level1-workstation - patch - gui - - rule_1.8.4 + - rule_1.8.10 From 712b8b6ecd3b6dbd120934adfbdcdc0a287eba53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:15:11 +0100 Subject: [PATCH 56/90] Update cis_5.6.1.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected tag: rule_5.6.1.1 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index f7b8136..d1f488f 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -12,7 +12,7 @@ - level1-workstation - patch - password - - rule_5.5.1.1 + - rule_5.6.1.1 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" ansible.builtin.lineinfile: From 3b256ff8311f65c527c69334d65a7f7bf32e5ed9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:16:20 +0100 Subject: [PATCH 57/90] Update cis_5.6.1.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected tag: rule_5.6.1.5 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index d1f488f..8d082bc 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -117,4 +117,4 @@ - level1-server - level1-workstation - patch - - rule_5.5.1.5 + - rule_5.6.1.5 From d6b44aac70db771be180954191a4809831480b2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:18:52 +0100 Subject: [PATCH 58/90] Update cis_6.1.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected tags: rule_6.1.8 & rule_6.1.12 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_6/cis_6.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 4cc5cbd..7bce9c5 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -118,7 +118,7 @@ - level1-workstation - patch - permissions - - rule_6.1.10 + - rule_6.1.8 - name: "6.1.9 | PATCH | Ensure no world writable files exist" block: @@ -253,7 +253,7 @@ - patch - stickybits - permissons - - rule_1.1.21 + - rule_6.1.12 - name: "6.1.13 | AUDIT | Audit SUID executables" block: From e0491ccb8f7fd4e0b85335eeb4795790ea773172 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:20:08 +0100 Subject: [PATCH 59/90] Update cis_6.2.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected tag: rule_6.2.3 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_6/cis_6.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 2f3141b..6ab91cd 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -73,7 +73,7 @@ - audit - accounts - groups - - rule_6.2.2 + - rule_6.2.3 - name: "6.2.4 | AUDIT Ensure no duplicate UIDs exist" block: From d73f26a7ab9ffd0e99787657fd7c5ea946381ad2 Mon Sep 17 00:00:00 2001 From: Joshua Hemmings Date: Tue, 9 Jan 2024 09:17:00 +0100 Subject: [PATCH 60/90] Remove trailing comma to align with other roles Signed-off-by: Joshua Hemmings --- tasks/section_1/cis_1.1.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 4ff1ccb..3a64a06 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -31,7 +31,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid{% endif %} loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" From 87d2685f4ec2586c5792b500d9e0a4b0e8a2dfaf Mon Sep 17 00:00:00 2001 From: Joshua Hemmings Date: Wed, 10 Jan 2024 16:11:27 +0100 Subject: [PATCH 61/90] Update cis_1.1.7.x.yml Signed-off-by: Joshua Hemmings --- tasks/section_1/cis_1.1.7.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index ee922b3..ef16988 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -32,7 +32,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid{% endif %} loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" From aa8a60b4ee5e10aafdf45399b223298bca325db3 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 22 Jan 2024 17:33:49 +0000 Subject: [PATCH 62/90] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v6.22.1 → v6.22.2](https://github.com/ansible-community/ansible-lint/compare/v6.22.1...v6.22.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a79d4cb..25fbc9e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -43,7 +43,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.1 + rev: v6.22.2 hooks: - id: ansible-lint name: Ansible-lint From c70c23680a51627eb8379e9d8df5c073d6fa62c8 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Wed, 31 Jan 2024 10:26:10 +0200 Subject: [PATCH 63/90] Aplying patch to be used for extending-documentation Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 764 +++++++++++++++++++++++++++++++++++++++------- 1 file changed, 660 insertions(+), 104 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index decf352..6ae4b24 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,19 @@ --- # defaults file for rhel9-cis +# WARNING: +# These values may be overriden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here: +# https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable +## Usage on containerized images +# The role discovers dynamically (in tasks/main.yml) whether it +# is executed on a container image and sets the variable +# system_is_container the true. Otherwise, the default value +# 'false' is left unchanged. system_is_container: false +# The filename of the existing yml file in role's 'vars/' sub-directory +# to be used for managing the role-behavior when a container was detected: +# (de)activating rules or for other tasks(e.g. disabling Selinux or a specific +# firewall-type). container_vars_file: is_container.yml # rhel9cis is left off the front of this var for consistency in testing pipeline # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks @@ -11,6 +23,10 @@ system_is_ec2: false # Supported OSs will not need for this to be changed - see README e.g. CentOS os_check: true +## Switching on/off specific baseline sections +# These variables govern whether the tasks of a particular section are to be executed when running the role. +# E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true. +# If you do not want the tasks from that section to get executed you simply set the variable to "false". rhel9cis_section1: true rhel9cis_section2: true rhel9cis_section3: true @@ -25,7 +41,12 @@ rhel9cis_section6: true rhel9cis_level_1: true rhel9cis_level_2: true +## Section 1.6 - Mandatory Access Control +# This variable governs whether SELinux is disabled or not. If SELinux is NOT DISABLED by setting +# 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed. rhel9cis_selinux_disable: false +# This variable is used in a preliminary task, handling grub2 paths either in case of +# UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg'). rhel9cis_legacy_boot: false ## Python Binary @@ -39,7 +60,8 @@ benchmark_version: 'v1.0.0' benchmark: RHEL9-CIS -# Whether to skip the reboot +# Whether to skip the system reboot before audit +# System will reboot if false, can give better audit results skip_reboot: true # default value will change to true but wont reboot if not enabled but will error @@ -48,44 +70,66 @@ change_requires_reboot: false ########################################## ### Goss is required on the remote host ### ## Refer to vars/auditd.yml for any other settings ## +#### Basic external goss audit enablement settings #### +#### Precise details - per setting can be found at the bottom of this file #### -# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) + +## Audit setup +# Audits are carried out using Goss. This variable +# determines whether execution of the role prepares for auditing +# by installing the required binary. setup_audit: false -# enable audits to run - this runs the audit and get the latest content +## Enable audits to run - this runs the audit and get the latest content +# This variable governs whether the audit using the +# separately maintained audit role using Goss +# is carried out. run_audit: false # Only run Audit do not remediate audit_only: false -# As part of audit_only -# This will enable files to be copied back to control node +# This will enable files to be copied back to control node(part of audit_only) fetch_audit_files: false -# Path to copy the files to will create dir structure +# Path to copy the files to will create dir structure(part of audit_only) audit_capture_files_dir: /some/location to copy to on control node -# How to retrieve audit binary -# Options are copy or download - detailed settings at the bottom of this file -# you will need to access to either github or the file already dowmloaded +## How to retrieve audit binary(Goss) +# Options are 'copy' or 'download' - detailed settings at the bottom of this file +# - if 'copy': +# - the filepath mentioned via the below 'audit_bin_copy_location' var will be used to access already downloaded Goss +# - if 'download': +# - the GitHub Goss-releases URL will be used for a fresh-download, via 'audit_bin_url' and 'audit_pkg_arch_name' vars get_audit_binary_method: download -## if get_audit_binary_method - copy the following needs to be updated for your environment +## if get_audit_binary_method is 'copy', the following var needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node ## e.g copy from ansible control node to remote host audit_bin_copy_location: /some/accessible/path -# how to get audit files onto host options +## How to retrieve the audit role +# The role for auditing is maintained separately. +# This variable specifies the method of how to get the audit role # options are git/copy/get_url other e.g. if you wish to run from already downloaded conf +# onto the system. The options are as follows: +# - 'git': clone audit content from GitHub REPOSITORY, set up via `audit_file_git` var, and +# VERSION(e.g. branch, tag name), set up via `audit_git_version` var. +# - 'copy': copy from path as specified in variable `audit_conf_copy`. +# - 'archive': same as 'copy', only that the specified filepath needs to be unpacked. +# - 'get_url': Download from url as specified in variable `audit_files_url` audit_content: git -# archive or copy: +# This variable(only used when 'audit_content' is 'copy' or 'archive') should +# contain the filepath with audit-content to be copied/unarchived on server: audit_conf_copy: "some path to copy from" -# get_url: +# This variable(only used when 'audit_content' is 'get_url') should +# contain the URL from where the audit-content must be downloaded on server: audit_files_url: "some url maybe s3?" # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system audit_run_heavy_tests: true +# Timeout for those cmds that take longer to run where timeout set # This variable specifies the timeout (in ms) for audit commands that # take a very long time: if a command takes too long to complete, # it will be forcefully terminated after the specified duration. @@ -97,7 +141,9 @@ audit_cmd_timeout: 120000 # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. # You must enable an entire section in order for the variables below to take effect. -# Section 1 rules + +# Section 1 is Initial setup (FileSystem Configuration, Configure Software Updates, Filesystem Integrity Checking, Secure Boot Settings, +# Additional Process Hardening, Mandatory Access Control, Command Line Warning Banners, and GNOME Display Manager) rhel9cis_rule_1_1_1_1: true rhel9cis_rule_1_1_1_2: true rhel9cis_rule_1_1_2_1: true @@ -170,7 +216,7 @@ rhel9cis_rule_1_8_10: true rhel9cis_rule_1_9: true rhel9cis_rule_1_10: true -# Section 2 rules +# Section 2 rules are controling Services (Special Purpose Services, and service clients) rhel9cis_rule_2_1_1: true rhel9cis_rule_2_1_2: true rhel9cis_rule_2_2_1: true @@ -197,7 +243,7 @@ rhel9cis_rule_2_3_3: true rhel9cis_rule_2_3_4: true rhel9cis_rule_2_4: true -# Section 3 rules +# Section 3 rules are used for securely configuring the network configuration(kernel params, ACL, Firewall settings) rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true rhel9cis_rule_3_1_3: true @@ -222,7 +268,8 @@ rhel9cis_rule_3_4_2_5: true rhel9cis_rule_3_4_2_6: true rhel9cis_rule_3_4_2_7: true -# Section 4 rules +# Section 4 rules are Logging and Auditing (Configure System Accounting (auditd), +# Configure Data Retention, and Configure Logging) rhel9cis_rule_4_1_1_1: true rhel9cis_rule_4_1_1_2: true rhel9cis_rule_4_1_1_3: true @@ -281,7 +328,8 @@ rhel9cis_rule_4_2_2_7: true rhel9cis_rule_4_2_3: true rhel9cis_rule_4_3: true -# Section 5 rules +# Section 5 rules control Access, Authentication, and Authorization (Configure time-based job schedulers, +# Configure sudo, Configure SSH Server, Configure PAM and User Accounts and Environment) rhel9cis_rule_5_1_1: true rhel9cis_rule_5_1_2: true rhel9cis_rule_5_1_3: true @@ -336,7 +384,7 @@ rhel9cis_rule_5_6_4: true rhel9cis_rule_5_6_5: true rhel9cis_rule_5_6_6: true -# Section 6 rules +# Section 6 rules controls System Maintenance (System File Permissions and User and Group Settings) rhel9cis_rule_6_1_1: true rhel9cis_rule_6_1_2: true rhel9cis_rule_6_1_3: true @@ -371,140 +419,372 @@ rhel9cis_rule_6_2_16: true ## Section 1 vars -#### 1.1.2 -# These settings go into the /etc/fstab file for the /tmp mount settings -# The value must contain nosuid,nodev,noexec to conform to CIS standards -# rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0" -# If set true uses the tmp.mount service else using fstab configuration +## Control 1.1.2 +# If set to `true`, rule will be implemented using the `tmp.mount` systemd-service, +# otherwise fstab configuration will be used. +# These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards. rhel9cis_tmp_svc: false -#### 1.1.9 +## Control 1.1.9 rhel9cis_allow_autofs: false -# 1.2.1 +## Control 1.2.1 # This is the login information for your RedHat Subscription # DO NOT USE PLAIN TEXT PASSWORDS!!!!! # The intent here is to use a password utility like Ansible Vault here rhel9cis_rh_sub_user: user rhel9cis_rh_sub_password: password # pragma: allowlist secret -# 1.2.2 +## Control 1.2.2 # Do you require rhnsd # RedHat Satellite Subscription items rhel9cis_rhnsd_required: false -# 1.2.4 repo_gpgcheck +## Control 1.2.4 +# When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM +# repo ('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks +# which check the GPG signatures for all the individual YUM repositories. rhel9cis_rhel_default_repo: true +## Control 1.2.4 +# When 'rhel9cis_rule_enable_repogpg' is set to 'true'(in conjunction with 'rhel9cis_rhel_default_repo':'false'), conditions are met for +# enabling the GPG signatures-check for all the individual YUM repositories. If GPG signatures-check is enabled on repositories which do not +# support it(like RedHat), installation of packages will fail. rhel9cis_rule_enable_repogpg: true -# 1.4.1 Bootloader password +## Control 1.4.1 +# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value +# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with +# this format: 'grub.pbkdf2.sha512...' rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' # pragma: allowlist secret rhel9cis_bootloader_password: random # pragma: allowlist secret +## Control 1.4.1 +# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file. rhel9cis_set_boot_pass: true -# 1.8 Gnome Desktop +## Control 1.8.x - Settings for GDM +# This variable specifies the GNOME configuration database file to which configurations are written. +# (See "https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en") +# The default database is 'local'. rhel9cis_dconf_db_name: local -rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) -rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) +# This variable governs the number of seconds of inactivity before the screen goes blank. +# Set max value for idle-delay in seconds (between 1 and 900) +rhel9cis_screensaver_idle_delay: 900 +# This variable governs the number of seconds the screen remains blank before it is locked. +# Set max value for lock-delay in seconds (between 0 and 5) +rhel9cis_screensaver_lock_delay: 5 -# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) -# Control 1.10 states do not use LEGACY and control 1.11 says to use FUTURE or FIPS. +## Control 1.10 +# This variable contains the value to be set as the system-wide crypto policy. Current rule enforces NOT USING +# 'LEGACY' value(as it is less secure, it just ensures compatibility with legacy systems), therefore +# possible values for this variable are, as explained by RedHat docs: +# -'DEFAULT': reasonable default policy for today's standards (balances usability and security) +# -'FUTURE': conservative security level that is believed to withstand any near-term future attacks +# -'FIPS': A level that conforms to the FIPS140-2 requirements rhel9cis_crypto_policy: 'DEFAULT' -# Added module to be allowed as default setting (Allowed options in vars/main.yml) +## Control 1.10 +# This variable contains the value of the crypto policy module(combinations of policies and +# sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, +# using 'rhel9cis_allowed_crypto_policies_modules' variable. rhel9cis_crypto_policy_module: '' # System network parameters (host only OR host and router) +# This variable governs whether specific CIS rules +# concerned with acceptance and routing of packages are skipped. rhel9cis_is_router: false -# IPv6 required +## IPv6 requirement toggle +# This variable governs whether ipv6 is enabled or disabled. rhel9cis_ipv6_required: true -# AIDE +## Control 1.3.1 - allow aide to be configured +# AIDE is a file integrity checking tool, similar in nature to Tripwire. +# While it cannot prevent intrusions, it can detect unauthorized changes +# to configuration files by alerting when the files are changed. Review +# the AIDE quick start guide and AIDE documentation before proceeding. +# By setting this variable to `true`, all of the settings related to AIDE will be applied! rhel9cis_config_aide: true -# AIDE cron settings + +## Control 1.3.2 AIDE cron settings +# These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. +# The sub-settings of this variable provide the parameters required to configure +# the cron job on the target system. +# Cron is a time-based job scheduling program in Unix OS, which allows tasks to be scheduled +# and executed automatically at a certain point in time. rhel9cis_aide_cron: + # This variable represents the user account under which the cron job for AIDE will run. cron_user: root + # This variable represents the path to the AIDE crontab file. cron_file: /etc/cron.d/aide_cron + # This variable represents the actual command or script that the cron job + # will execute for running AIDE. aide_job: '/usr/sbin/aide --check' + # These variables define the schedule for the cron job + # This variable governs the minute of the time of day when the AIDE cronjob is run. + # It must be in the range `0-59`. aide_minute: 0 + # This variable governs the hour of the time of day when the AIDE cronjob is run. + # It must be in the range `0-23`. aide_hour: 5 + # This variable governs the day of the month when the AIDE cronjob is run. + # `*` signifies that the job is run on all days; furthermore, specific days + # can be given in the range `1-31`; several days can be concatenated with a comma. + # The specified day(s) can must be in the range `1-31`. aide_day: '*' + # This variable governs months when the AIDE cronjob is run. + # `*` signifies that the job is run in every month; furthermore, specific months + # can be given in the range `1-12`; several months can be concatenated with commas. + # The specified month(s) can must be in the range `1-12`. aide_month: '*' + # This variable governs the weekdays, when the AIDE cronjob is run. + # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays + # can be given in the range `0-7` (both `0` and `7` represent Sunday); several weekdays + # can be concatenated with commas. aide_weekday: '*' -# SELinux policy +## Control 1.6.1.3|4|5 - SELinux policy settings +# This selects type of policy; targeted or mls( multilevel ) +# mls should not be used, since it will disable unconfined policy module +# and may prevent some services from running. Requires SELinux not being disabled (by +# having 'rhel9cis_selinux_disable' var set as 'true'), otherwise setting will be ignored. rhel9cis_selinux_pol: targeted -# chose onf or enfocing or permissive +## Control 1.6.1.3|4 - SELinux configured and not disabled +# This variable contains a specific SELinux mode, respectively: +# - 'enforcing': SELinux policy IS enforced, therefore denies operations based on SELinux policy +# rules. If system was installed with SELinux, this is enabled by default. +# - 'permissive': SELinux policy IS NOT enforced, therefore does NOT deny any operation, only +# logs AVC(Access Vector Cache) messages. RedHat docs suggest it "can be used +# briefly to check if SELinux is the culprit in preventing your application +# from working". +# CIS expects enforcing since permissive allows operations that might compromise the system. +# Even though logging still occurs. rhel9cis_selinux_enforce: enforcing # Whether or not to run tasks related to auditing/patching the desktop environment -## 2. Services +## Section 2. Services ### 2.1 Time Synchronization -#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 + + +## Control 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 +# The following variable represents a list of time servers used +# for configuring chrony, timesyncd, and ntp. +# Each list item contains two settings, `name` (the domain name of the server) and synchronization `options`. +# The default setting for the `options` is `minpoll` but `iburst` can be used, please refer to the documentation +# of the time synchronization mechanism you are using. rhel9cis_time_synchronization_servers: - 0.pool.ntp.org - 1.pool.ntp.org - 2.pool.ntp.org - 3.pool.ntp.org +## Control 2.1.2 - Time Synchronization servers +# This variable should contain the default options to be used for every NTP server hostname defined +# within the 'rhel9cis_time_synchronization_servers' var. rhel9cis_chrony_server_options: "minpoll 8" +# This variable, if set to 'true'(default), will inform the kernel the system clock is kept synchronized +# and the kernel will update the real-time clock every 11 minutes. Otherwise, if 'rtcsync' option is +# disabled, chronyd will not be in sync(kernel discipline is disabled, 11 minutes mode will be off). rhel9cis_chrony_server_rtcsync: false +# This variable configures the values to be used by chronyd to gradually correct any time offset, +# by slowing down/speeding up the clock. An example of this directive usage would be: +# 'makestep 1000 10'. +# Step the system clock: +# - IF the adjustment is larger than 1000 seconds +# - but ONLY IN the first ten clock updates rhel9cis_chrony_server_makestep: "1.0 3" +# This variable configures the minimum number of sources that need to be considered as selectable in the source +# selection algorithm before the local clock is updated. Setting minsources to a larger number can be used to +# improve the reliability, because multiple sources will need to correspond with each other. rhel9cis_chrony_server_minsources: 2 -### 2.2 Special Purposes -##### Service configuration booleans set true to keep service -rhel9cis_gui: false -rhel9cis_avahi_server: false -rhel9cis_cups_server: false -rhel9cis_dhcp_server: false -rhel9cis_dns_server: false -rhel9cis_dnsmasq_server: false -rhel9cis_vsftpd_server: false -rhel9cis_tftp_server: false -rhel9cis_httpd_server: false -rhel9cis_nginx_server: false -rhel9cis_dovecot_server: false -rhel9cis_imap_server: false -rhel9cis_samba_server: false -rhel9cis_squid_server: false -rhel9cis_snmp_server: false -rhel9cis_telnet_server: false -rhel9cis_is_mail_server: false -# Note the options -# Packages are used for client services and Server- only remove if you dont use the client service -# +### 2.2 Special Purposes + +# Service configuration variables (boolean). +# Set the respective variable to true to keep the service. +# otherwise the service is stopped and disabled + + +# This variable governs whether rules dealing with GUI specific packages(and/or their settings) should +# be executed either to: +# - secure GDM, if GUI is needed('rhel9cis_gui: true') +# - or remove GDM and X-Windows-system, if no GUI is needed('rhel9cis_gui: false') +rhel9cis_gui: false +## Control 2.2.2 - Ensure Avahi Server is not installed +# This variable, when set to false, will specify that Avahi Server packages should be uninstalled. +rhel9cis_avahi_server: false +## Control 2.2.3 - Ensure CUPS is not installed +# This variable, when set to false, will specify that CUPS(Common UNIX Printing System) package should be uninstalled. +rhel9cis_cups_server: false +## Control 2.2.4 - Ensure DHCP Server is not installed +# This variable, when set to false, will specify that DHCP server package should be uninstalled. +rhel9cis_dhcp_server: false +## Control 2.2.5 - Ensure DNS Server is not installed +# This variable, when set to false, will specify that DNS server package should be uninstalled. +rhel9cis_dns_server: false +## Control 2.2.14 - Ensure dnsmasq is not installed +# This variable, when set to false, will specify that dnsmasq package should be uninstalled. +rhel9cis_dnsmasq_server: false +## Control 2.2.6 - Ensure VSFTP Server is not installed +# This variable, when set to false, will specify that VSFTP server package should be uninstalled. +rhel9cis_vsftpd_server: false +## Control 2.2.7 - Ensure TFTP Server is not installed +# This variable, when set to false, will specify that TFTP server package should be uninstalled. +rhel9cis_tftp_server: false +## Control 2.2.8 - Ensure a web server is not installed - HTTPD +# This variable, when set to false, will specify that webserver packages(HTTPD) should be uninstalled. +rhel9cis_httpd_server: false +## Control 2.2.8 - Ensure a web server is not installed - NGINX +# This variable, when set to false, will specify that webserver packages(NGINX) should be uninstalled. +rhel9cis_nginx_server: false +## Control 2.2.9 - Ensure IMAP and POP3 server is not installed - dovecot +# This variable, when set to false, will specify that IMAP and POP3 servers(dovecot) should be uninstalled. +rhel9cis_dovecot_server: false +## Control 2.2.9 - Ensure IMAP and POP3 server is not installed - cyrus-imapd +# This variable, when set to false, will specify that IMAP and POP3 servers(cyrus-imapd) should be uninstalled. +rhel9cis_imap_server: false +## Control 2.2.10 - Ensure Samba is not enabled +# This variable, when set to false, will specify that 'samba' package should be uninstalled. +rhel9cis_samba_server: false +## Control 2.2.11 - Ensure HTTP Proxy Server is not installed +# This variable, when set to false, will specify that 'squid' package should be uninstalled. +rhel9cis_squid_server: false +## Control 2.2.12 - Ensure net-snmp is not installed +# This variable, when set to false, will specify that 'net-snmp' package should be uninstalled. +rhel9cis_snmp_server: false +## Control 2.2.13 - Ensure telnet-server is not installed +# This variable, when set to false, will specify that 'telnet-server' package should be uninstalled. +rhel9cis_telnet_server: false +## Control 2.2.15 - Ensure mail transfer agent is configured for local-only mode +# This variable, when system is NOT a mailserver, will configure Postfix to listen only on the loopback interface(the virtual +# network interface that the server uses to communicate internally. +rhel9cis_is_mail_server: false + +# Note the options +# Client package configuration variables. +# Packages are used for client services and Server- only remove if you dont use the client service +# Set the respective variable to `true` to keep the +# client package, otherwise it is uninstalled (false). + +## Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked" +# This variable specifies if the usage of NFS SERVER is needed. Execution of the rule which secures (by uninstalling or masking service) +# NFS(if it's NOT needed) will depend on the var used in conjunction('rhel9cis_use_nfs_service') with current one, respectively: +# - if Server IS NOT needed('false') and: +# - Service IS NOT needed('rhel9cis_use_nfs_service: false'): 'nfs-utils' package will be removed +# - Service IS needed('rhel9cis_use_nfs_service: true'): impossible to need the service without the server +# - if Server IS needed('true') and: +# - Service IS NOT needed('rhel9cis_use_nfs_service: false'): 'nfs-server' service will be masked +# - Service IS needed('rhel9cis_use_nfs_service: true'): Rule will be SKIPPED. +# | Server | Service | Result | +# |---------|---------|-----------------------------------------------------------| +# | false | false | Remove package | +# | false | true | Needing 'service' without needing 'server' makes no sense | +# | true | false | Mask 'service' | +# | true | true | SKIP RULE, BOTH 'service' and 'server' are required | rhel9cis_use_nfs_server: false +## Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked. +# This variable specifies if the usage of NFS SERVICE is needed. If it's: +# - needed('true'): rule which uninstalls/masks-service WILL NOT be executed at all +# - not needed('false'): rule which uninstalls/masks-service WILL be executed, its behavior being +# controlled by the var used in conjunction with current one: +# - removing 'nfs-utils' package('rhel9cis_use_nfs_server' set to 'false') +# - masking the 'nfs-server' service('rhel9cis_use_nfs_server' set to 'true') rhel9cis_use_nfs_service: false +## Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked +# This variable specifies if the usage of RPC SERVER is needed. Execution of the rule which secures (by uninstalling or masking service) +# RPC(if it's NOT needed) will depend on the var used in conjunction('rhel9cis_use_rpc_service') with current one, respectively: +# - if Server IS NOT needed('false') and: +# - Service IS NOT needed('rhel9cis_use_rpc_service: false'): 'rpcbind' package will be removed +# - Service IS needed('rhel9cis_use_rpc_service: true'): impossible to need the service without the server +# - if Server IS needed('true') and: +# - Service IS NOT needed('rhel9cis_use_rpc_service: false'): 'rpcbind.socket' service will be masked +# - Service IS needed('rhel9cis_use_rpc_service: true'): Rule will be SKIPPED. +# | Server | Service | Result | +# |---------|---------|-----------------------------------------------------------| +# | false | false | Remove package | +# | false | true | Needing 'service' without needing 'server' makes no sense | +# | true | false | Mask 'service' | +# | true | true | SKIP RULE, BOTH 'service' and 'server' are required | rhel9cis_use_rpc_server: false +## Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked +# This variable specifies if the usage of RPC SERVICE is needed. If it's: +# - needed('true'): rule which uninstalls/masks-service WILL NOT be executed at all +# - not needed('false'): rule which uninstalls/masks-service WILL be executed, its behavior being controlled by the var +# used in conjunction with current one: +# - removing 'rpcbind' package('rhel9cis_use_rpc_server' set to 'false') +# - masking the 'rpcbind.socket' service('rhel9cis_use_rpc_server' set to 'true') rhel9cis_use_rpc_service: false +## Control 2.2.18 - Ensure rsync service is not enabled +# This variable specifies if the usage of RSYNC SERVER is needed. Execution of the rule which secures (by uninstalling or masking service) +# RSYNC(if it's NOT needed) will depend on the var used in conjunction('rhel9cis_use_rsync_service') with current one, respectively: +# - if Server IS NOT needed('false') and: +# - Service IS NOT needed('rhel9cis_use_rsync_service: false'): 'rsync-daemon' package will be removed +# - Service IS needed('rhel9cis_use_rsync_service: true'): impossible to need the service without the server +# - if Server IS needed('true') and: +# - Service IS NOT needed('rhel9cis_use_rsync_service: false'): 'rsyncd' service will be masked +# - Service IS needed('rhel9cis_use_rsync_service: true'): Rule will be SKIPPED. +# | Server | Service | Result | +# |---------|---------|-----------------------------------------------------------| +# | false | false | Remove package | +# | false | true | Needing 'service' without needing 'server' makes no sense | +# | true | false | Mask 'service' | +# | true | true | SKIP RULE, BOTH 'service' and 'server' are required | rhel9cis_use_rsync_server: false +## Control 2.2.18 - Ensure rsync service is not enabled +# This variable specifies if the usage of RSYNC SERVICE is needed. If it's: +# - needed('true'): rule which uninstalls/masks-service WILL NOT be executed at all +# - not needed('false'): rule which uninstalls/masks-service WILL be executed, its behavior being controlled by the var +# used in conjunction with current one: +# - removing 'rsync-daemon' package('rhel9cis_use_rsync_server' set to 'false') +# - masking the 'rsyncd' service('rhel9cis_use_rsync_server' set to 'true') rhel9cis_use_rsync_service: false #### 2.3 Service clients + + +## Control - 2.3.1 - Ensure telnet client is not installed +# Set this variable to `true` to keep package `telnet`; otherwise, the package is uninstalled. rhel9cis_telnet_required: false +## Control - 2.3.2 - Ensure LDAP client is not installed +# Set this variable to `true` to keep package `openldap-clients`; otherwise, the package is uninstalled. rhel9cis_openldap_clients_required: false +## Control - 2.3.3 - Ensure FTP client is not installed +# Set this variable to `true` to keep package `tftp`; otherwise, the package is uninstalled. rhel9cis_tftp_client: false +## Control - 2.3.4 - Ensure FTP client is not installed +# Set this variable to `true` to keep package `ftp`; otherwise, the package is uninstalled. rhel9cis_ftp_client: false ## Section3 vars ## Sysctl + + +# This variable governs if the task which updates sysctl(including sysctl reload) is executed. +# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). rhel9cis_sysctl_update: false +# This variable governs if the task which flushes the IPv4 routing table is executed(forcing subsequent connections to +# use the new configuration). +# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). rhel9cis_flush_ipv4_route: false +# This variable governs if the task which flushes the IPv6 routing table is executed(forcing subsequent connections to +# use the new configuration). +# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). rhel9cis_flush_ipv6_route: false -### Firewall Service - either firewalld, iptables, or nftables +### Firewall Service to install and configure - Options are: +# 1) either 'firewalld' +# 2) or 'nftables' #### Some control allow for services to be removed or masked #### The options are under each heading #### absent = remove the package #### masked = leave package if installed and mask the service rhel9cis_firewall: firewalld -##### firewalld +## Control 3.4.2.1 - Ensure firewalld default zone is set +# This variable will set the firewalld default zone(that is used for everything that is not explicitly bound/assigned +# to another zone): if there is no zone assigned to a connection, interface or source, only the default zone is used. rhel9cis_default_zone: public # These settings are added to demonstrate how this update can be done (eventually will require a new control) @@ -512,24 +792,66 @@ rhel9cis_firewalld_ports: - number: 80 protocol: tcp -#### nftables +## Controls 3.5.2.x - nftables + + +## Control 3.4.2.2 - Ensure at least one nftables table exists +# This variable governs if a table will be automatically created in nftables. Without a table (no default one), nftables +# will not filter network traffic, so if this variable is set to 'false' and no tables exist, an alarm will be triggered! rhel9cis_nft_tables_autonewtable: true +## Controls 3.4.2.{2|3|4|6|7} nftables +# This variable stores the name of the table to be used when configuring nftables(creating chains, configuring loopback +# traffic, established connections, default deny). If 'rhel9cis_nft_tables_autonewtable' is set as true, a new table will +# be created using as name the value stored by this variable. rhel9cis_nft_tables_tablename: filter +## Control 3.4.2.3 - Ensure nftables base chains exist +# This variable governs if a nftables base chain(entry point for packets from the networking stack) will be automatically +# created, if needed. Without a chain, a hook for input, forward, and delete, packets that would flow through those +# chains will not be touched by nftables. rhel9cis_nft_tables_autochaincreate: true -# Warning Banner Content (issue, issue.net, motd) +## Controls: +# - 1.7.1 - Ensure message of the day is configured properly +# - 1.7.2 - Ensure local login warning banner is configured properly +# - 1.7.3 - Ensure remote login warning banner is configured properly +# This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd). rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and reported. # End Banner ## Section4 vars ### 4.1 Configure System Accounting #### 4.1.2 Configure Data Retention +## Controls what actions, when log files fill up +# This variable controls how the audit system behaves when +# log files are getting too full and space is getting too low. rhel9cis_auditd: + # This variable tells the system what action to take when the system has detected + # that it is starting to get low on disk space. Options are the same as for `admin_space_left_action`. space_left_action: email + # This variable should contain a valid email address or alias(default value is root), + # which will be used to send a warning when configured action is 'email'. action_mail_acct: root + # This variable determines the action the audit system should take when disk + # space runs low. + # The options for setting this variable are as follows: + # - `ignore`: the system does nothing when presented with the aforementioned issue; + # - `syslog`: a message is sent to the system log about disk space running low; + # - `suspend`: the system suspends recording audit events until more space is available; + # - `halt`: the system is halted when disk space is critically low. + # - `single`: the audit daemon will put the computer system in single user mode + # CIS prescribes either `halt` or `single`. admin_space_left_action: halt # The max_log_file parameter should be based on your sites policy. max_log_file: 10 + # This variable determines what action the audit system should take when the maximum + # size of a log file is reached. + # The options for setting this variable are as follows: + # - `ignore`: the system does nothing when the size of a log file is full; + # - `syslog`: a message is sent to the system log indicating the problem; + # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated; + # - `rotate`: the log file is rotated (archived) and a new empty log file is created; + # - `keep_logs`: the system attempts to keep as many logs as possible without violating disk space constraints. + # CIS prescribes the value `keep_logs`. max_log_file_action: keep_logs # This value governs if the below extra-vars for auditd should be used by the role @@ -543,151 +865,385 @@ rhel9cis_auditd_extra_conf: admin_space_left: 50 space_left: 75 -# The audit_back_log_limit value should never be below 8192 +## Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient +# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the +# system can buffer in memory, if the audit subsystem is unable to process them in real-time. +# Buffering in memory is useful in situations, where the audit system is overwhelmed +# with incoming audit events, and needs to temporarily store them until they can be processed. +# This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value. rhel9cis_audit_back_log_limit: 8192 -### 4.1.3.x audit template +## Control 4.1.2.1 - Ensure audit log storage size is configured +# This variable specifies the maximum size in MB that an audit log file can reach +# before it is archived or deleted to make space for the new audit data. +# This should be set based on your sites policy. CIS does not provide a specific value. +rhel9cis_max_log_file_size: 10 + +## Control 4.1.3.x - Audit template +# This variable governs if the auditd logic should be executed(if value is true). +# NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules'). update_audit_template: false ## Advanced option found in auditd post +# This variable governs if defining user exceptions for auditd logging is acceptable. rhel9cis_allow_auditd_uid_user_exclusions: false +# This variable contains a list of uids to be excluded(users whose actions are not logged by auditd) +rhel9cis_auditd_uid_exclude: + - 1999 ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging -## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 +## Control 4.2.1 | Configure rsyslog +## Control 4.2.2 | Configure journald +# This variable governs which logging service should be used, choosing between 'rsyslog'(CIS recommendation) +# or 'journald'(only one is implemented) will trigger the execution of the associated subsection, as the-best +# practices are written wholly independent of each other. rhel9cis_syslog: rsyslog +## Control 4.2.1.5 | PATCH | Ensure logging is configured +# This variable governs if current Ansible role should manage syslog settings +# in /etc/rsyslog.conf file, namely mail, news and misc(warn, messages) rhel9cis_rsyslog_ansiblemanaged: true -#### 4.2.1.6 remote and destation log server name +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable governs if 'rsyslog' service should be automatically configured to forward messages to a +# remote log server. If set to 'false', the configuration of the 'omfwd' plugin, used to provide forwarding +# over UDP or TCP, will not be performed. rhel9cis_remote_log_server: false +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable configures the value of the 'target' parameter to be configured when enabling +# forwarding syslog messages to a remote log server, thus configuring the actual FQDN/IP address of the +# destination server. For this value to be reflected in the configuration, the variable which enables the +# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_host: logagg.example.com +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable configures the value of the 'port' parameter to be configured when enabling +# forwarding syslog messages to a remote log server. The default value for this destination port is 514. +# For this value to be reflected in the configuration, the variable which enables the +# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_port: 514 +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable configures the value("TCP"/"UDP") of the 'protocol' parameter to be configured when enabling +# forwarding syslog messages to a remote log server. The default value for the 'omfwd' plug-in is UDP. +# For this value to be reflected in the configuration, the variable which enables the +# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_protocol: tcp +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable governs how often an action is retried(value is passed to 'action.resumeRetryCount' parameter) before +# it is considered to have failed(that roughly translates to discarded messages). The default value is 0, but +# when set to "-1"(eternal), this setting would prevent rsyslog from dropping messages when retrying to connect +# if server is not responding. For this value to be reflected in the configuration, the variable which enables the +# automatic configuration of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_retrycount: 100 +## Control 4.2.1.6 - Ensure rsyslog is configured to send logs to a remote log host +# This variable configures the maximum number of messages that can be hold(value is passed to 'queue.size' parameter). +# For this value to be reflected in the configuration, the variable which enables the automatic configuration +# of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_queuesize: 1000 -#### 4.2.1.7 +## Control 4.2.1.7 - Ensure rsyslog is not configured to receive logs from a remote client +# This variable expresses whether the system is used as a log server or not. If set to: +# - 'false', current system will act as a log CLIENT, thus it should NOT receive data from other hosts. +# - 'true', current system will act as a log SERVER, enabling centralised log management(by protecting log integrity +# from local attacks on remote clients) rhel9cis_system_is_log_server: false -# 4.2.2.1.2 -# rhel9cis_journal_upload_url is the ip address to upload the journal entries to +## Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured +# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to +# URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port +# number may be specified after a colon (":"), otherwise 19532 will be used by default. rhel9cis_journal_upload_url: 192.168.50.42 -# The paths below have the default paths/files, but allow user to create custom paths/filenames +## The paths below have the default paths/files, but allow user to create custom paths/filenames +## Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured +# This variable specifies the path to the private key file used by the remote journal +# server to authenticate itself to the client. This key is used alongside the server's +# public certificate to establish secure communication. rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" +## Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured +# This variable specifies the path to the public certificate file of the remote journal +# server. This certificate is used to verify the authenticity of the remote server. rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" +## Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured +# This variable specifies the path to a file containing one or more public certificates +# of certificate authorities (CAs) that the client trusts. These trusted certificates are used +# to validate the authenticity of the remote server's certificate. rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" +# ATTENTION: Uncomment the keyword below when values are set! -# 4.2.2.1 +## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# Current variable configures the max amount of disk space the logs will use(thus, journal files +# will not grow without bounds) # The variables below related to journald, please set these to your site specific values -# rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use +# These variable specifies how much disk space the journal may use up at most +# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. +# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. rhel9cis_journald_systemmaxuse: 10M -# rhel9cis_journald_systemkeepfree is the amount of disk space to keep free +## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# Current variable configures the amount of disk space to keep free for other uses. rhel9cis_journald_systemkeepfree: 100G +## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# This variable configures how much disk space the journal may use up at most. +# Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space. rhel9cis_journald_runtimemaxuse: 10M +## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# This variable configures the actual amount of disk space to keep free +# Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space. rhel9cis_journald_runtimekeepfree: 100G -# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +## Control 4.2.2.6 - Ensure journald log rotation is configured per site policy +# Current variable governs the settings for log retention(how long the log files will be kept). +# Thus, it specifies the maximum time to store entries in a single journal +# file before rotating to the next one. Set to 0 to turn off this feature. +# The given values is interpreted as seconds, unless suffixed with the units +# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds. +# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +# ATTENTION: Uncomment the keyword below when values are set! rhel9cis_journald_maxfilesec: 1month -#### 4.3 +## Control 4.3 - Ensure logrotate is configured +# This variable defines the log file rotation period. +# Options are: daily, weekly, monthly, yearly. rhel9cis_logrotate: "daily" ## Section5 vars -# This will allow use of drop in files when CIS adopts them. +## Section 5.2 - SSH + +# This value, containing the absolute filepath of the produced 'sshd' config file, allows usage of +# drop-in files('/etc/ssh/ssh_config.d/{ssh_drop_in_name}.conf', supported by RHEL9) when CIS adopts them. +# Otherwise, the default value is '/etc/ssh/ssh_config'. rhel9_cis_sshd_config_file: /etc/ssh/sshd_config +## Controls: +## - 5.2.4 - Ensure SSH access is limited +## - 5.2.19 - Ensure SSH LoginGraceTime is set to one minute or less +## - 5.2.20 - Ensure SSH Idle Timeout Interval is configured rhel9cis_sshd: + # This variable sets the maximum number of unresponsive "keep-alive" messages + # that can be sent from the server to the client before the connection is considered + # inactive and thus, closed. clientalivecountmax: 0 + # This variable sets the time interval in seconds between sending "keep-alive" + # messages from the server to the client. These types of messages are intended to + # keep the connection alive and prevent it being terminated due to inactivity. clientaliveinterval: 900 + # This variable specifies the amount of seconds allowed for successful authentication to + # the SSH server. logingracetime: 60 # WARNING: make sure you understand the precedence when working with these values!! # allowusers: # allowgroups: systems dba # denyusers: # denygroups: + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH + # access for users whose user name matches one of the patterns. This is done + # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. + # If an USER@HOST format will be used, the specified user will be allowed only on that particular host. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + allow_users: "" + # (String) This variable, if spcieifed, configures a list of GROUP name patterns, separated by spaces, to allow SSH access + # for users whose primary group or supplementary group list matches one of the patterns. This is done + # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, https://linux.die.net/man/5/sshd_config + allow_groups: "wheel" + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access + # for users whose user name matches one of the patterns. This is done + # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. + # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + deny_users: "nobody" + # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access + # for users whose primary group or supplementary group list matches one of the patterns. This is done + # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. + # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. + # For more info, see https://linux.die.net/man/5/sshd_config + deny_groups: "" -# 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE +## Control 5.2.5 - Ensure SSH LogLevel is appropriate +# This variable is used to control the verbosity of the logging produced by the SSH server. +# The options for setting it are as follows: +# - `QUIET`: Minimal logging; +# - `FATAL`: logs only fatal errors; +# - `ERROR`: logs error messages; +# - `INFO`: logs informational messages in addition to errors; +# - `VERBOSE`: logs a higher level of detail, including login attempts and key exchanges; +# - `DEBUG`: generates very detailed debugging information including sensitive information. +# - `DEBUG(x)`: Whereas x = debug level 1 to 3, DEBUG=DEBUG1. rhel9cis_ssh_loglevel: INFO -# 5.2.19 SSH MaxSessions setting. Must be 4 our less +## Control 5.2.18 - Ensure SSH MaxSessions is set to 10 or less +# This variable value specifies the maximum number of open sessions that are permitted from +# a given location rhel9cis_ssh_maxsessions: 4 -rhel9cis_inactivelock: - lock_days: 30 +## Control 5.6.1.4 - Ensure inactive password lock is 30 days or less +rhel9cis_inactivelock: +# This variable specifies the number of days of inactivity before an account will be locked. +# CIS requires a value of 30 days or less. + lock_days: 30 +# This variable governs if authconfig package should be installed. This package provides a simple method of +# configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used +# for shadow password support. Basic LDAP, Kerberos 5, and Winbind client configuration is also provided. rhel9cis_use_authconfig: false -# 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example -# Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk + +## Section 5.4 - Configure authselect: Custom authselect profile settings(name, profile to customize, options) +## Controls: +# - 5.4.1 - Ensure custom authselect profile is used('custom_profile_name', 'default_file_to_copy' subsettings) +# - 5.4.2 - Ensure authselect includes with-faillock | with auth select profile('custom_profile_name') +# Settings in place now will fail, they are placeholders from the control example. Due to the way many multiple +# options and ways to configure this control needs to be enabled and settings adjusted to minimise risk. rhel9cis_authselect: + # This variable configures the name of the custom profile to be created and selected. custom_profile_name: custom-profile + # This variable configures the ID of the existing profile that should be used as a base for the new profile. default_file_to_copy: "sssd --symlink-meta" options: with-sudo with-faillock without-nullok -# 5.3.1 Enable automation to create custom profile settings, using the settings above +## Control 5.4.1 - Ensure custom authselect profile is used +# This variable governs if an authselect custom profile should be automatically created, by copying and +# customizing one of the default profiles. The default profiles include: sssd, winbind, or the nis. This profile can then be +# customized to follow site specific requirements. rhel9cis_authselect_custom_profile_create: false -# 5.3.2 Enable automation to select custom profile options, using the settings above +## Control 5.4.2 - Ensure authselect includes with-faillock | Create custom profiles +# This variable governs if the existing custom profile should be selected(Note: please keep in mind that all future updates +# to the PAM templates and meta files in the original profile will be reflected in your custom profile, too.) rhel9cis_authselect_custom_profile_select: false +## Section 5.6.1.x: Shadow Password Suite Parameters rhel9cis_pass: + ## Control 5.6.1.1 - Ensure password expiration is 365 days or less + # This variable governs after how many days a password expires. + # CIS requires a value of 365 or less. max_days: 365 + ## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more + # This variable specifies the minimum number of days allowed between changing + # passwords. CIS requires a value of at least 1. min_days: 7 + ## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more + # This variable governs, how many days before a password expires, the user will be warned. + # CIS requires a value of at least 7. warn_age: 7 -# 5.5.1 -## PAM +## Control 5.5.1 - Ensure password creation requirements are configured - PAM rhel9cis_pam_password: + # This variable sets the minimum chars a password needs to be set. minlen: 14 + # This variable set password complexity,the minimum number of + # character types that must be used (i.e., uppercase, lowercase, digits, other) + # Set to 2, passwords cannot have all lower/upper case. + # Set to 3, passwords needs numbers. + # set to 4, passwords will have to include all four types of characters. minclass: 4 +## Controls +# - 5.5.2 - Ensure lockout for failed password attempts is configured +# - 5.5.3 - Ensure password reuse is limited +# - 5.5.4 - Ensure password hashing algorithm is SHA-512 +# - 5.4.2 - Ensure authselect includes with-faillock rhel9cis_pam_faillock: + # This variable sets the amount of time a user will be unlocked after the max amount of + # password failures. unlock_time: 900 + # This variable sets the amount of tries a password can be entered, before a user is locked. deny: 5 + # This variable represents the number of password change cycles, after which + # an user can re-use a password. + # CIS requires a value of 5 or more. remember: 5 # UID settings for interactive users # These are discovered via logins.def if set true discover_int_uid: false +### Controls: +# - 5.6.2 - Ensure system accounts are secured +# - 6.2.10 - Ensure local interactive user home directories exist +# - 6.2.11 - Ensure local interactive users own their home directories +# This variable sets the minimum number from which to search for UID +# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# been set to `true`. min_int_uid: 1000 +### Controls: +# - 6.2.10 - Ensure local interactive user home directories exist +# - 6.2.11 - Ensure local interactive users own their home directories +# This variable sets the maximum number at which the search stops for UID +# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# been set to `true`. max_int_uid: 65533 -# 5.3.3 var log location variable +## Control 5.3.3 - Ensure sudo log file exists +# By default, sudo logs through syslog(3). However, to specify a custom log file, the +# 'logfile' parameter will be used, setting it with current variable's value. +# This variable defines the path and file name of the sudo log file. rhel9cis_sudolog_location: "/var/log/sudo.log" -#### 5.3.6 +## Control 5.3.6 -Ensure sudo authentication timeout is configured correctly +# This variable sets the duration (in minutes) during which a user's authentication credentials +# are cached after successfully authenticating using "sudo". This allows the user to execute +# multiple commands with elevated privileges without needing to re-enter their password for each +# command within the specified time period. CIS requires a value of at most 15 minutes. rhel9cis_sudo_timestamp_timeout: 15 -### 5.4.2 authselect and faillock +## Control 5.4.2 - authselect and faillock ## This option is used at your own risk it will enable faillock for users ## Only to be used on a new clean system if not using authselect -## THIS CAN BREAK ACCESS EVEN FOR ROOT - UNDERSTAND RISKS ## +## THIS CAN BREAK ACCESS EVEN FOR ROOT - PLEASE UNDERSTAND RISKS ! rhel9cis_add_faillock_without_authselect: false -# This needs to be set to ACCEPT +# This needs to be set to 'ACCEPT'(as string), besides setting 'rhel9cis_add_faillock_without_authselect' +# to 'true', in order to include the 'with-failock' option to the current authselect profile. rhel9cis_5_4_2_risks: NEVER -# RHEL-09-5.4.5 +## Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) rhel9cis_shell_session_timeout: + # This variable specifies the path of the timeout setting file. + # (TMOUT setting can be set in multiple files, but only one is required for the + # rule to pass. Options are: + # - a file in `/etc/profile.d/` ending in `.s`, + # - `/etc/profile`, or + # - `/etc/bash.bashrc`. file: /etc/profile.d/tmout.sh + # This variable represents the amount of seconds a command or process is allowed to + # run before being forcefully terminated. + # CIS requires a value of at most 900 seconds. timeout: 600 -# RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords + +## Control 5.6.1.5 - Ensure all users last password change date is in the past +# Allow ansible to expire password for account with a last changed date in the future. Setting it +# to 'false' will just display users in violation, while 'true' will expire those users passwords. rhel9cis_futurepwchgdate_autofix: true -# 5.3.7 +## Control 5.3.7 - Ensure access to the 'su' command is restricted +# This variable determines the name of the group of users that are allowed to use the su command. +# CIS requires that such a group be CREATED(named according to site policy) and be kept EMPTY. rhel9cis_sugroup: nosugroup ## Section6 vars -# RHEL-09_6.1.1 +## Control 6.1.15 - Audit system file permissions | Create list and warning +# The RPM package-manager has many useful options. For example, using option: +# - '-V': RPM can automatically check if system packages are correctly installed +# - '-qf': RPM can be used to determine which package a particular file belongs to +# Auditing system file-permissions takes advantage of the combination of those two options and, therefore, is able to +# detect any discrepancy regarding installed packages, redirecting the output of this combined +# command into a specific file. If no output is returned, the package is installed correctly. +# Current variable stores the preferred absolute filepath for such a file, therefore if this file +# contains any lines, an alert message will be generated to warn about each discrepancy. rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check -# RHEL-09_6.1.10 Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable +## Control 6.1.9 - Ensure no world writable files exist +# Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable. rhel9cis_no_world_write_adjust: true + rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" -# 6.2.16 -## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj +## Control 6.2.16 - Ensure local interactive user dot files are not group or world writable +# This boolean variable governs if current role should follow filesystem links for changes to +# user home directory. rhel_09_6_2_16_home_follow_symlinks: false +# thanks to @dulin-gnet and community for rhel8-cis feedback. #### Goss Configuration Settings #### # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" From a83678e9ce6cdca51a561d8347ee6b0c26d0704c Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Wed, 31 Jan 2024 20:27:07 +0200 Subject: [PATCH 64/90] Removing statement about SSH precedence vars. Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 6ae4b24..7a86433 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1028,11 +1028,6 @@ rhel9cis_sshd: # This variable specifies the amount of seconds allowed for successful authentication to # the SSH server. logingracetime: 60 - # WARNING: make sure you understand the precedence when working with these values!! - # allowusers: - # allowgroups: systems dba - # denyusers: - # denygroups: # This variable, if specified, configures a list of USER name patterns, separated by spaces, to allow SSH # access for users whose user name matches one of the patterns. This is done # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. From f2a2757d1bda32c8eb5a3532e5674a2d5e68ff0b Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Wed, 31 Jan 2024 20:30:25 +0200 Subject: [PATCH 65/90] Fixing yaml-lint errors Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 26 +++++++++----------------- 1 file changed, 9 insertions(+), 17 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7a86433..fc5e9bf 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -73,7 +73,6 @@ change_requires_reboot: false #### Basic external goss audit enablement settings #### #### Precise details - per setting can be found at the bottom of this file #### - ## Audit setup # Audits are carried out using Goss. This variable # determines whether execution of the role prepares for auditing @@ -563,8 +562,7 @@ rhel9cis_selinux_enforce: enforcing ## Section 2. Services -### 2.1 Time Synchronization - +## Section 2.1 Time Synchronization ## Control 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 # The following variable represents a list of time servers used @@ -597,14 +595,12 @@ rhel9cis_chrony_server_makestep: "1.0 3" # improve the reliability, because multiple sources will need to correspond with each other. rhel9cis_chrony_server_minsources: 2 - -### 2.2 Special Purposes - +## Section 2.2 Special Purposes # Service configuration variables (boolean). -# Set the respective variable to true to keep the service. +# Set the respective variable to true to keep the service, # otherwise the service is stopped and disabled - +## Control 1.8.10-10, 2.2.1 # This variable governs whether rules dealing with GUI specific packages(and/or their settings) should # be executed either to: # - secure GDM, if GUI is needed('rhel9cis_gui: true') @@ -741,8 +737,7 @@ rhel9cis_use_rsync_server: false # - masking the 'rsyncd' service('rhel9cis_use_rsync_server' set to 'true') rhel9cis_use_rsync_service: false -#### 2.3 Service clients - +## Section 2.3 Service clients ## Control - 2.3.1 - Ensure telnet client is not installed # Set this variable to `true` to keep package `telnet`; otherwise, the package is uninstalled. @@ -757,10 +752,9 @@ rhel9cis_tftp_client: false # Set this variable to `true` to keep package `ftp`; otherwise, the package is uninstalled. rhel9cis_ftp_client: false -## Section3 vars +## Section 3 vars ## Sysctl - # This variable governs if the task which updates sysctl(including sysctl reload) is executed. # NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). rhel9cis_sysctl_update: false @@ -792,9 +786,6 @@ rhel9cis_firewalld_ports: - number: 80 protocol: tcp -## Controls 3.5.2.x - nftables - - ## Control 3.4.2.2 - Ensure at least one nftables table exists # This variable governs if a table will be automatically created in nftables. Without a table (no default one), nftables # will not filter network traffic, so if this variable is set to 'false' and no tables exist, an alarm will be triggered! @@ -953,6 +944,7 @@ rhel9cis_system_is_log_server: false # number may be specified after a colon (":"), otherwise 19532 will be used by default. rhel9cis_journal_upload_url: 192.168.50.42 ## The paths below have the default paths/files, but allow user to create custom paths/filenames + ## Control 4.2.2.1.2 - Ensure systemd-journal-remote is configured # This variable specifies the path to the private key file used by the remote journal # server to authenticate itself to the client. This key is used alongside the server's @@ -1074,8 +1066,8 @@ rhel9cis_ssh_maxsessions: 4 ## Control 5.6.1.4 - Ensure inactive password lock is 30 days or less rhel9cis_inactivelock: -# This variable specifies the number of days of inactivity before an account will be locked. -# CIS requires a value of 30 days or less. + # This variable specifies the number of days of inactivity before an account will be locked. + # CIS requires a value of 30 days or less. lock_days: 30 # This variable governs if authconfig package should be installed. This package provides a simple method of # configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used From 3581793d8e03d363eb358d9f860d919dab62e4fb Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Wed, 31 Jan 2024 20:31:03 +0200 Subject: [PATCH 66/90] Documenting also new added(`space_left` & `admin_space_left`) Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index fc5e9bf..9e9cb4c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -853,7 +853,13 @@ rhel9cis_auditd_extra_conf_usage: false # rhel9cis_auditd_extra_conf: # admin_space_left: '10%' rhel9cis_auditd_extra_conf: + # This variable governs the threshold(MegaBytes) under which the audit daemon should perform a + # specific action to alert that the system is running low on disk space. Must be lower than + # the 'space_left' variable. admin_space_left: 50 + # This variable governs the threshold(MegaBytes) under which the audit daemon should perform a + # specific action to alert that the system is running low on disk space(last chance to do something + # before running out of disk space). Must be lower than the 'space_left' variable. space_left: 75 ## Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient From 18803420f03bee5f6a980d6516962dc7a19b4daf Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Fri, 26 Jan 2024 16:52:28 +0200 Subject: [PATCH 67/90] Replacing secure-configuration of 'audit' and 'audit_backlog_limit' from the `/etc/default/grub` approach to `grubby`(actually used by CIS) Signed-off-by: Ionut Pruteanu --- tasks/section_4/cis_4.1.1.x.yml | 50 +++++++++------------------------ 1 file changed, 14 insertions(+), 36 deletions(-) diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index a8be25f..8a30972 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -24,28 +24,17 @@ - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" block: - - name: "4.1.1.2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" - ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby existence of current value" + ansible.builtin.shell: grubby --info=ALL | grep args | grep -o -E "audit=([[:digit:]])+" | grep -o -E "([[:digit:]])+" changed_when: false failed_when: false check_mode: false - register: rhel9cis_4_1_1_2_grub_cmdline_linux + register: rhel9cis_4_1_1_2_grubby_curr_value_audit_linux - - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" - ansible.builtin.replace: - path: /etc/default/grub - regexp: 'audit=.' - replace: 'audit=1' - notify: Grub2cfg - when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" - - - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" - ansible.builtin.lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"' - notify: Grub2cfg - when: "'audit=' not in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" + - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed" + ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" + when: + - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux | int != 1 when: - rhel9cis_rule_4_1_1_2 tags: @@ -58,28 +47,17 @@ - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" block: - - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" - ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby existence of current value" + ansible.builtin.shell: grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+" changed_when: false failed_when: false check_mode: false - register: rhel9cis_4_1_1_3_grub_cmdline_linux + register: rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux - - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" - ansible.builtin.replace: - path: /etc/default/grub - regexp: 'audit_backlog_limit=\d+' - replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}' - notify: Grub2cfg - when: "'audit_backlog_limit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" - - - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" - ansible.builtin.lineinfile: - path: /etc/default/grub - regexp: '^GRUB_CMDLINE_LINUX=' - line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' - notify: Grub2cfg - when: "'audit_backlog_limit=' not in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" + - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update, if needed" + ansible.builtin.shell: grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}" + when: + - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout | int < rhel9cis_audit_back_log_limit when: - rhel9cis_rule_4_1_1_3 tags: From e2738f0a447d24c66841db9effe78a58b2590798 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Wed, 31 Jan 2024 21:31:14 +0200 Subject: [PATCH 68/90] Fixing indentation for lines reported by yamllint Signed-off-by: Ionut Pruteanu --- tasks/section_4/cis_4.1.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index 8a30972..cbf9209 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -34,7 +34,7 @@ - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed" ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" when: - - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux | int != 1 + - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux | int != 1 when: - rhel9cis_rule_4_1_1_2 tags: @@ -57,7 +57,7 @@ - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update, if needed" ansible.builtin.shell: grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}" when: - - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout | int < rhel9cis_audit_back_log_limit + - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout | int < rhel9cis_audit_back_log_limit when: - rhel9cis_rule_4_1_1_3 tags: From fcab25c61f67a03fe8493b8948b2481f8a6b3a41 Mon Sep 17 00:00:00 2001 From: Illibur <72218972+Illibur@users.noreply.github.com> Date: Tue, 6 Feb 2024 18:46:30 +0200 Subject: [PATCH 69/90] Update cis_6.1.x.yml Fixed: [DEPRECATION WARNING]: Specifying a list of dictionaries for vars is deprecated in favor of specifying a dictionary. This feature will be removed in version 2.18. Signed-off-by: Illibur <72218972+Illibur@users.noreply.github.com> --- tasks/section_6/cis_6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 7bce9c5..f7c33cc 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -230,7 +230,7 @@ warn_control_id: '6.1.11' when: rhel_09_6_1_11_ungrouped_files_found vars: - - rhel_09_6_1_11_ungrouped_files_found: false + rhel_09_6_1_11_ungrouped_files_found: false when: - rhel9cis_rule_6_1_11 tags: From baf8987a5fd6817f7115b581f0db76ae6037d3ce Mon Sep 17 00:00:00 2001 From: Bas Meijer Date: Fri, 9 Feb 2024 22:32:09 +0100 Subject: [PATCH 70/90] PermitRootLogin found in /etc/ssh/sshd_config.d/01-permitrootlogin.conf Signed-off-by: Bas Meijer --- tasks/section_5/cis_5.2.x.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 5451cff..659a11d 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -150,11 +150,18 @@ - rule_5.2.6 - name: "5.2.7 | PATCH | Ensure SSH root login is disabled" - ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" - regexp: "^#PermitRootLogin|^PermitRootLogin" - line: 'PermitRootLogin no' - validate: sshd -t -f %s + block: + - name: "5.2.7 | PATCH | Ensure SSH root login is disabled | config file" + ansible.builtin.lineinfile: + path: "{{ rhel9_cis_sshd_config_file }}" + regexp: "^#PermitRootLogin|^PermitRootLogin" + line: 'PermitRootLogin no' + validate: sshd -t -f %s + + - name: "5.2.7 | PATCH | Ensure SSH root login is disabled | override file" + ansible.builtin.file: + path: /etc/ssh/sshd_config.d/01-permitrootlogin.conf + state: absent when: - rhel9cis_rule_5_2_7 tags: From cc7f9ccfd02085201373694028c82c1e705203f8 Mon Sep 17 00:00:00 2001 From: Bas Meijer Date: Sat, 10 Feb 2024 00:27:33 +0100 Subject: [PATCH 71/90] X11Forwarding found in /etc/ssh/sshd_config.d/50-redhat.conf Signed-off-by: Bas Meijer --- tasks/section_5/cis_5.2.x.yml | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 659a11d..7daf6d1 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -232,11 +232,21 @@ - rule_5.2.11 - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" - ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" - regexp: "^#X11Forwarding|^X11Forwarding" - line: 'X11Forwarding no' - validate: sshd -t -f %s + block: + + - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled | config file" + ansible.builtin.lineinfile: + path: "{{ rhel9_cis_sshd_config_file }}" + regexp: "^#X11Forwarding|^X11Forwarding" + line: 'X11Forwarding no' + validate: sshd -t -f %s + + - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled | override" + ansible.builtin.lineinfile: + path: /etc/ssh/sshd_config.d/50-redhat.conf + regexp: "^#X11Forwarding|^X11Forwarding" + line: 'X11Forwarding no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_12 tags: From c805ee398bb42415473461631af0af338d765786 Mon Sep 17 00:00:00 2001 From: rjacobs1990 Date: Mon, 12 Feb 2024 14:47:12 +0100 Subject: [PATCH 72/90] fix: idempotency molecule issue fixed for logfiles #173 Signed-off-by: rjacobs1990 --- tasks/section_4/cis_4.2.3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index 19bfce8..867b253 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -13,7 +13,7 @@ - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions" ansible.builtin.file: path: "{{ item.path }}" - mode: '0640' + mode: "{% if item.mode != '0600' %}0640{% endif %}" loop: "{{ logfiles.files }}" loop_control: label: "{{ item.path }}" From 8652390bebfc84ab8707ef5cdac2b2d6c8646226 Mon Sep 17 00:00:00 2001 From: rjacobs1990 Date: Mon, 12 Feb 2024 15:55:42 +0100 Subject: [PATCH 73/90] fix: idempotency molecule issue fixed for logfiles and prevent skipping 0600 #173 Signed-off-by: rjacobs1990 --- tasks/section_4/cis_4.2.3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index 867b253..bebd40f 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -13,7 +13,7 @@ - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions" ansible.builtin.file: path: "{{ item.path }}" - mode: "{% if item.mode != '0600' %}0640{% endif %}" + mode: "{{ '0640' if item.mode != '0600' else '0600' }}" loop: "{{ logfiles.files }}" loop_control: label: "{{ item.path }}" From 742165cd726ff8238a0e6bc569259ae35fd726a6 Mon Sep 17 00:00:00 2001 From: rjacobs1990 Date: Mon, 12 Feb 2024 16:21:31 +0100 Subject: [PATCH 74/90] fix: more readable condition and prevent skipping 0600 #173 Signed-off-by: rjacobs1990 --- tasks/section_4/cis_4.2.3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index bebd40f..823975a 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -13,7 +13,7 @@ - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions" ansible.builtin.file: path: "{{ item.path }}" - mode: "{{ '0640' if item.mode != '0600' else '0600' }}" + mode: "{{ '0600' if item.mode == '0600' else '0640' }}" loop: "{{ logfiles.files }}" loop_control: label: "{{ item.path }}" From 0a98ad4aea3c920ea8329961077449cfc8170a90 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 12 Feb 2024 17:38:29 +0000 Subject: [PATCH 75/90] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.1 → v8.18.2](https://github.com/gitleaks/gitleaks/compare/v8.18.1...v8.18.2) - [github.com/ansible-community/ansible-lint: v6.22.2 → v24.2.0](https://github.com/ansible-community/ansible-lint/compare/v6.22.2...v24.2.0) - [github.com/adrienverge/yamllint.git: v1.33.0 → v1.34.0](https://github.com/adrienverge/yamllint.git/compare/v1.33.0...v1.34.0) --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 25fbc9e..ab43cdc 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,13 +37,13 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.1 + rev: v8.18.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.2 + rev: v24.2.0 hooks: - id: ansible-lint name: Ansible-lint @@ -62,6 +62,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.33.0 # or higher tag + rev: v1.34.0 # or higher tag hooks: - id: yamllint From 7fde313f85118115c09a317d4a37a4d855bf60b7 Mon Sep 17 00:00:00 2001 From: John Foster Date: Tue, 13 Feb 2024 15:37:39 +0000 Subject: [PATCH 76/90] Main task was failing when using an AD account to connect to host. With an AD account there isn't an entry in the /etc/shadow file. This caused the password length check to treat it as a zero length password. Now local password check is skipped for AD account. Also added an additional check for a locked local account for the sudo user. Signed-off-by: John Foster --- tasks/main.yml | 33 +++++++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 858755b..5b64d7c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -23,19 +23,34 @@ - name: "Check password set for {{ ansible_env.SUDO_USER }}" block: - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" - ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'" + ansible.builtin.shell: "(grep {{ ansible_env.SUDO_USER }} /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false register: rhel9cis_ansible_user_password_set - - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert password set and not locked" - ansible.builtin.assert: - that: rhel9cis_ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!" - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" - success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" - vars: - sudo_password_rule: rhel9cis_rule_5_3_4 # pragma: allowlist secret + - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account" + ansible.builtin.debug: + msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks." + when: + - rhel9cis_ansible_user_password_set.stdout == "not found" + - name: "Check local account" + block: + - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" + ansible.builtin.assert: + that: + - rhel9cis_ansible_user_password_set.stdout | length != 0 + - rhel9cis_ansible_user_password_set.stdout != "!!" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" + success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" + - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" + ansible.builtin.assert: + that: + - not rhel9cis_ansible_user_password_set.stdout.startswith("!") + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" + success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" + when: + - rhel9cis_ansible_user_password_set.stdout != "not found" when: - rhel9cis_rule_5_3_4 - ansible_env.SUDO_USER is defined @@ -43,6 +58,8 @@ tags: - user_passwd - rule_5.3.4 + vars: + sudo_password_rule: rhel9cis_rule_5_3_4 # pragma: allowlist secret - name: Ensure root password is set block: From 1c7990cecdcef96c7fbb03f69a10f6a9f9005dbf Mon Sep 17 00:00:00 2001 From: Michael Hicks Date: Thu, 21 Dec 2023 15:12:01 -0800 Subject: [PATCH 77/90] fixing some mismatched tags and tasks in 5.6.1.x Signed-off-by: Michael Hicks --- tasks/section_5/cis_5.6.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index f7b8136..8d082bc 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -12,7 +12,7 @@ - level1-workstation - patch - password - - rule_5.5.1.1 + - rule_5.6.1.1 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" ansible.builtin.lineinfile: @@ -117,4 +117,4 @@ - level1-server - level1-workstation - patch - - rule_5.5.1.5 + - rule_5.6.1.5 From 0e89fedfcac6ca36ee56383702503641c008cc01 Mon Sep 17 00:00:00 2001 From: John Foster Date: Thu, 15 Feb 2024 10:17:41 +0000 Subject: [PATCH 78/90] Adjusted tasks/main.yml indentation after running precommit checks Signed-off-by: John Foster --- tasks/main.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 5b64d7c..84bc1ae 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -33,24 +33,24 @@ ansible.builtin.debug: msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks." when: - - rhel9cis_ansible_user_password_set.stdout == "not found" + - rhel9cis_ansible_user_password_set.stdout == "not found" - name: "Check local account" block: - - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" - ansible.builtin.assert: - that: - - rhel9cis_ansible_user_password_set.stdout | length != 0 - - rhel9cis_ansible_user_password_set.stdout != "!!" - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" - success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" - - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" - ansible.builtin.assert: - that: - - not rhel9cis_ansible_user_password_set.stdout.startswith("!") - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" - success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" + - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" + ansible.builtin.assert: + that: + - rhel9cis_ansible_user_password_set.stdout | length != 0 + - rhel9cis_ansible_user_password_set.stdout != "!!" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" + success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" + - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" + ansible.builtin.assert: + that: + - not rhel9cis_ansible_user_password_set.stdout.startswith("!") + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" + success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" when: - - rhel9cis_ansible_user_password_set.stdout != "not found" + - rhel9cis_ansible_user_password_set.stdout != "not found" when: - rhel9cis_rule_5_3_4 - ansible_env.SUDO_USER is defined From e100b02f44957633553738daa5f22d6b9ddcf68d Mon Sep 17 00:00:00 2001 From: John Foster Date: Fri, 16 Feb 2024 15:06:27 +0000 Subject: [PATCH 79/90] Updated cis_6.1.x.yml to avoid deprecation warning as per Illibur's findings in issue #168. Changed vars on line 233 to use dictionary. Signed-off-by: John Foster --- tasks/section_6/cis_6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 7bce9c5..f7c33cc 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -230,7 +230,7 @@ warn_control_id: '6.1.11' when: rhel_09_6_1_11_ungrouped_files_found vars: - - rhel_09_6_1_11_ungrouped_files_found: false + rhel_09_6_1_11_ungrouped_files_found: false when: - rhel9cis_rule_6_1_11 tags: From 467434a56f5dce96bcfb6467b4ee429d121ffdbf Mon Sep 17 00:00:00 2001 From: John Foster Date: Mon, 19 Feb 2024 12:03:08 +0000 Subject: [PATCH 80/90] Added blank line between each named task for consistency. Signed-off-by: John Foster --- tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/main.yml b/tasks/main.yml index 84bc1ae..40f49af 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -34,6 +34,7 @@ msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks." when: - rhel9cis_ansible_user_password_set.stdout == "not found" + - name: "Check local account" block: - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" @@ -43,6 +44,7 @@ - rhel9cis_ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" + - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" ansible.builtin.assert: that: From 40bc7aa0829344e9a5bd4df12b98a17607b4d0c6 Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Tue, 20 Feb 2024 15:43:43 +0000 Subject: [PATCH 81/90] Feb24 updates (#179) * change logic thanks to @rjacobs1990 see #175 Signed-off-by: Mark Bolwell * thanks to @ipruteani-sie #134 Signed-off-by: Mark Bolwell * Thanks to @stwongst #125 Signed-off-by: Mark Bolwell * thanks to @sgomez86 #146 Signed-off-by: Mark Bolwell * Added updates from #115 Signed-off-by: Mark Bolwell * removed rp_filter in post added in error Signed-off-by: Mark Bolwell * updated yamllint precommit Signed-off-by: Mark Bolwell * updated fqcn fo json_query Signed-off-by: Mark Bolwell * updated Signed-off-by: Mark Bolwell * fix typo for virt type query Signed-off-by: Mark Bolwell --------- Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 1 + .../workflows/main_pipeline_validation.yml | 1 + .pre-commit-config.yaml | 2 +- README.md | 4 ++-- defaults/main.yml | 24 +------------------ tasks/main.yml | 6 ++--- tasks/post.yml | 13 ---------- tasks/post_remediation_audit.yml | 2 +- tasks/pre_remediation_audit.yml | 2 +- tasks/prelim.yml | 2 +- tasks/section_4/cis_4.1.4.x.yml | 9 ++++--- tasks/section_6/cis_6.1.x.yml | 8 +++---- vars/main.yml | 2 +- 13 files changed, 21 insertions(+), 55 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 9fbe7aa..64feef4 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -125,6 +125,7 @@ env: ANSIBLE_HOST_KEY_CHECKING: "false" ANSIBLE_DEPRECATION_WARNINGS: "false" + ANSIBLE_INJECT_FACT_VARS: "false" # Remove test system - User secrets to keep if necessary diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 67ee9d9..cfa5801 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -114,6 +114,7 @@ env: ANSIBLE_HOST_KEY_CHECKING: "false" ANSIBLE_DEPRECATION_WARNINGS: "false" + ANSIBLE_INJECT_FACT_VARS: "false" # Remove test system - User secrets to keep if necessary diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ab43cdc..873f275 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -62,6 +62,6 @@ repos: - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git - rev: v1.34.0 # or higher tag + rev: v1.35.1 # or higher tag hooks: - id: yamllint diff --git a/README.md b/README.md index 22bcd92..2ff1311 100644 --- a/README.md +++ b/README.md @@ -132,8 +132,8 @@ os_check: false - python-def (should be included in RHEL 9) - libselinux-python - pip packages - - jmespath ( complete list found in requirements.txt) -- collections found in collections/requirememnts.yml + - jmespath +- collections found in collections/requirements.yml pre-commit is available if installed on your host for pull request testing. diff --git a/defaults/main.yml b/defaults/main.yml index 9e9cb4c..6cd15ce 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -424,21 +424,6 @@ rhel9cis_rule_6_2_16: true # These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards. rhel9cis_tmp_svc: false -## Control 1.1.9 -rhel9cis_allow_autofs: false - -## Control 1.2.1 -# This is the login information for your RedHat Subscription -# DO NOT USE PLAIN TEXT PASSWORDS!!!!! -# The intent here is to use a password utility like Ansible Vault here -rhel9cis_rh_sub_user: user -rhel9cis_rh_sub_password: password # pragma: allowlist secret - -## Control 1.2.2 -# Do you require rhnsd -# RedHat Satellite Subscription items -rhel9cis_rhnsd_required: false - ## Control 1.2.4 # When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM # repo ('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks @@ -455,7 +440,7 @@ rhel9cis_rule_enable_repogpg: true # must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with # this format: 'grub.pbkdf2.sha512...' rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' # pragma: allowlist secret -rhel9cis_bootloader_password: random # pragma: allowlist secret + ## Control 1.4.1 # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file. rhel9cis_set_boot_pass: true @@ -781,11 +766,6 @@ rhel9cis_firewall: firewalld # to another zone): if there is no zone assigned to a connection, interface or source, only the default zone is used. rhel9cis_default_zone: public -# These settings are added to demonstrate how this update can be done (eventually will require a new control) -rhel9cis_firewalld_ports: - - number: 80 - protocol: tcp - ## Control 3.4.2.2 - Ensure at least one nftables table exists # This variable governs if a table will be automatically created in nftables. Without a table (no default one), nftables # will not filter network traffic, so if this variable is set to 'false' and no tables exist, an alarm will be triggered! @@ -1230,8 +1210,6 @@ rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check # Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable. rhel9cis_no_world_write_adjust: true -rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}" - ## Control 6.2.16 - Ensure local interactive user dot files are not group or world writable # This boolean variable governs if current role should follow filesystem links for changes to # user home directory. diff --git a/tasks/main.yml b/tasks/main.yml index 40f49af..2d7aa57 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,7 +3,7 @@ - name: Check OS version and family ansible.builtin.assert: - that: (ansible_facts.distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==') + that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}" when: @@ -66,7 +66,7 @@ - name: Ensure root password is set block: - name: Ensure root password is set - ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt" + ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)" changed_when: false register: root_passwd_set @@ -102,7 +102,7 @@ - system_is_container when: - ansible_connection == 'docker' or - ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] tags: - container_discovery - always diff --git a/tasks/post.yml b/tasks/post.yml index 724611d..3f1f706 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -26,19 +26,6 @@ - not system_is_container - "'procps-ng' in ansible_facts.packages" -- name: POST | Update usr sysctl - ansible.builtin.lineinfile: - dest: /usr/lib/sysctl.d/50-default.conf - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - loop: - - { regexp: '^net.ipv4.conf.default.rp_filter', line: 'net.ipv4.conf.default.rp_filter = 1' } - - { regexp: '^net.ipv4.conf.*.rp_filter', line: 'net.ipv4.conf.*.rp_filter = 1' } - when: - - rhel9cis_sysctl_update - - not system_is_container - - "'procps-ng' in ansible_facts.packages" - - name: Flush handlers ansible.builtin.meta: flush_handlers diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index eb01bc7..6bc5086 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -28,7 +28,7 @@ - name: Capture post-audit result ansible.builtin.set_fact: - post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" + post_audit_summary: "{{ post_audit.stdout | from_json | community.general.json_query(summary) }}" vars: summary: summary."summary-line" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 49d1081..158c053 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -95,7 +95,7 @@ - name: Pre Audit | Capture pre-audit result ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" + pre_audit_summary: "{{ pre_audit.stdout | from_json | community.general.json_query(summary) }}" vars: summary: summary."summary-line" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index a564a29..4eee776 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -97,7 +97,7 @@ - name: "PRELIM | Section 1.1 | Create list of mount points" ansible.builtin.set_fact: - mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" + mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index 60b4e9b..7d683cf 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -64,12 +64,11 @@ - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" ansible.builtin.file: path: "{{ item.path }}" - mode: '0640' - loop: "{{ auditd_conf_files.files }}" + mode: "{{ '0600' if item.mode == '0600' else '0640' }}" + loop: "{{ auditd_conf_files.files | default([]) }}" loop_control: label: "{{ item.path }}" when: - - item.mode != '06(0|4)0' - rhel9cis_rule_4_1_4_5 tags: - level2-server @@ -82,7 +81,7 @@ ansible.builtin.file: path: "{{ item.path }}" owner: root - loop: "{{ auditd_conf_files.files }}" + loop: "{{ auditd_conf_files.files | default([]) }}" loop_control: label: "{{ item.path }}" when: @@ -98,7 +97,7 @@ ansible.builtin.file: path: "{{ item.path }}" group: root - loop: "{{ auditd_conf_files.files }}" + loop: "{{ auditd_conf_files.files | default([]) }}" loop_control: label: "{{ item.path }}" when: diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index f7c33cc..84df13e 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -173,7 +173,7 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: - msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] + msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | community.general.json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel_09_6_1_10_unowned_files_found - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" @@ -220,7 +220,7 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: - msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] + msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | community.general.json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel_09_6_1_11_ungrouped_files_found - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" @@ -277,7 +277,7 @@ - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" ansible.builtin.debug: - msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] + msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | community.general.json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel9_6_1_13_suid_found - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" @@ -320,7 +320,7 @@ - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" ansible.builtin.debug: - msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] + msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | community.general.json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid] when: rhel9_6_1_14_sgid_found - name: "6.1.14 | AUDIT | Audit SGID executables| warning" diff --git a/vars/main.yml b/vars/main.yml index 022c230..6f73a63 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -16,4 +16,4 @@ rhel9cis_allowed_crypto_policies_modules: warn_control_list: "" warn_count: 0 -gpg_key_package: "{{ ansible_distribution | lower }}-gpg-keys" +gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys" From 0215412e9bea5c98b9b3752d66299dac2b0854ae Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 5 Mar 2024 18:39:12 +0000 Subject: [PATCH 82/90] [pre-commit.ci] pre-commit autoupdate (#178) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/adrienverge/yamllint.git: v1.34.0 → v1.35.1](https://github.com/adrienverge/yamllint.git/compare/v1.34.0...v1.35.1) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> From 0f58436212c55b38859cac6389e311e54af8a5a0 Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Wed, 6 Mar 2024 09:10:06 +0000 Subject: [PATCH 83/90] Gpg import for rhel servers (#185) * change logic thanks to @rjacobs1990 see #175 * 1.2.1 force gpg import rhel * fix missing facts --------- Signed-off-by: Mark Bolwell --- Changelog.md | 4 ++++ defaults/main.yml | 5 +++++ tasks/LE_audit_setup.yml | 4 ++-- tasks/prelim.yml | 25 +++++++++++++++++++++++++ tasks/section_4/cis_4.1.4.x.yml | 2 +- 5 files changed, 37 insertions(+), 3 deletions(-) diff --git a/Changelog.md b/Changelog.md index baa0d44..b6f9886 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,9 @@ # Changes to rhel9CIS +## 1.1.4 - Based on CIS v1.0.0 + +- 1.2.1 new option for a new system to import gpg key for 1.2.1 to pass redhat only + ## 1.1.3 - Based on CIS v1.0.0 - updated goss binary to 0.4.4 diff --git a/defaults/main.yml b/defaults/main.yml index 6cd15ce..43671f3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -424,6 +424,11 @@ rhel9cis_rule_6_2_16: true # These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards. rhel9cis_tmp_svc: false +## Control 1.2.1 +# For new systems that have not yet run update the gpg key is not yet imported +# Setting to `true` will allow a test on the package and the foce the import of the key +rhel9cis_force_gpg_key_import: true + ## Control 1.2.4 # When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM # repo ('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 56ffbd6..7ef94b4 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -5,12 +5,12 @@ - name: Pre Audit Setup | Set audit package name | 64bit ansible.builtin.set_fact: audit_pkg_arch_name: AMD64 - when: ansible_machine == "x86_64" + when: ansible_facts.machine == "x86_64" - name: Pre Audit Setup | Set audit package name | ARM64 ansible.builtin.set_fact: audit_pkg_arch_name: ARM64 - when: ansible_machine == "arm64" + when: ansible_facts.machine == "arm64" - name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 4eee776..d363a9f 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -136,6 +136,31 @@ - ansible_facts.distribution != 'RedHat' - ansible_facts.distribution != 'OracleLinux' +- name: "PRELIM | Check gpg keys are imported will cause 1.2.1 to fail if not | RedHat Only" + block: + - name: "PRELIM | Check gpg keys are imported will cause 1.2.1 to fail if not" + ansible.builtin.shell: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' + changed_when: false + failed_when: false + register: check_gpg_imported + + - name: "PRELIM | Check key package matches RedHat" + ansible.builtin.shell: rpm -qi redhat-release | grep Signature + changed_when: false + failed_when: false + register: os_gpg_package_valid + when: "'not installed' in check_gpg_imported.stdout" + + - name: "PRELIM | Force keys to be imported" + ansible.builtin.shell: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + when: + - "'not installed' in check_gpg_imported.stdout" + - "'Key ID 199e2f91fd431d51' in os_gpg_package_valid.stdout" + when: + - rhel9cis_rule_1_2_1 + - rhel9cis_force_gpg_key_import + - ansible_facts.distribution == 'RedHat' + - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" ansible.builtin.package: name: audit diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index 7d683cf..c42f876 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -65,7 +65,7 @@ ansible.builtin.file: path: "{{ item.path }}" mode: "{{ '0600' if item.mode == '0600' else '0640' }}" - loop: "{{ auditd_conf_files.files | default([]) }}" + loop: "{{ auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" when: From 7d7b6132f4716ec0ed9118dfcda948b681a3827d Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Wed, 6 Mar 2024 16:52:38 +0000 Subject: [PATCH 84/90] March 24 to devel (#186) * Issue #170, PR #181 thanks to @ipruteanu-sie * issue #182, PR #183 thansk to @ipruteanu-sie * PR #180 thanks to @ipruteanu-sie and @raabf * Addressed PR #165 thanks to @ipruteanu-sie * PT #184 addressed thansk to @ipruteanu-sie * updated credits * typo and ssh allow_deny comments * enable OS check --------- Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++++ defaults/main.yml | 21 ++++++++++----------- tasks/main.yml | 19 +++++++++---------- tasks/prelim.yml | 21 --------------------- tasks/section_1/cis_1.1.7.x.yml | 2 -- tasks/section_1/cis_1.3.x.yml | 2 +- tasks/section_1/cis_1.8.x.yml | 2 +- tasks/section_4/cis_4.1.3.x.yml | 4 ++-- tasks/section_5/cis_5.2.x.yml | 2 +- tasks/section_5/cis_5.6.x.yml | 31 +++++++++++++++++++++++++------ tasks/section_6/cis_6.2.x.yml | 4 ++-- 11 files changed, 58 insertions(+), 57 deletions(-) diff --git a/Changelog.md b/Changelog.md index b6f9886..0fe314f 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,6 +3,13 @@ ## 1.1.4 - Based on CIS v1.0.0 - 1.2.1 new option for a new system to import gpg key for 1.2.1 to pass redhat only +- thanks to @ipruteanu-sie + - #156 + - #165 + - #180 + - #181 + - #183 + - #184 ## 1.1.3 - Based on CIS v1.0.0 diff --git a/defaults/main.yml b/defaults/main.yml index 43671f3..f5838c0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1003,11 +1003,11 @@ rhel9cis_sshd: # This variable sets the maximum number of unresponsive "keep-alive" messages # that can be sent from the server to the client before the connection is considered # inactive and thus, closed. - clientalivecountmax: 0 + clientalivecountmax: 3 # This variable sets the time interval in seconds between sending "keep-alive" # messages from the server to the client. These types of messages are intended to # keep the connection alive and prevent it being terminated due to inactivity. - clientaliveinterval: 900 + clientaliveinterval: 15 # This variable specifies the amount of seconds allowed for successful authentication to # the SSH server. logingracetime: 60 @@ -1017,26 +1017,29 @@ rhel9cis_sshd: # If an USER@HOST format will be used, the specified user will be allowed only on that particular host. # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. # For more info, see https://linux.die.net/man/5/sshd_config - allow_users: "" - # (String) This variable, if spcieifed, configures a list of GROUP name patterns, separated by spaces, to allow SSH access + # allowusers: "" + + # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access # for users whose primary group or supplementary group list matches one of the patterns. This is done # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. # For more info, https://linux.die.net/man/5/sshd_config - allow_groups: "wheel" + # allowgroups: "wheel" + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access # for users whose user name matches one of the patterns. This is done # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. # For more info, see https://linux.die.net/man/5/sshd_config - deny_users: "nobody" + denyusers: "nobody" + # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access # for users whose primary group or supplementary group list matches one of the patterns. This is done # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. # For more info, see https://linux.die.net/man/5/sshd_config - deny_groups: "" + denygroups: "" ## Control 5.2.5 - Ensure SSH LogLevel is appropriate # This variable is used to control the verbosity of the logging produced by the SSH server. @@ -1060,10 +1063,6 @@ rhel9cis_inactivelock: # This variable specifies the number of days of inactivity before an account will be locked. # CIS requires a value of 30 days or less. lock_days: 30 -# This variable governs if authconfig package should be installed. This package provides a simple method of -# configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used -# for shadow password support. Basic LDAP, Kerberos 5, and Winbind client configuration is also provided. -rhel9cis_use_authconfig: false ## Section 5.4 - Configure authselect: Custom authselect profile settings(name, profile to customize, options) ## Controls: diff --git a/tasks/main.yml b/tasks/main.yml index 2d7aa57..114c806 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -8,7 +8,6 @@ success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}" when: - os_check - - not system_is_ec2 tags: - always @@ -169,63 +168,63 @@ - run_audit ansible.builtin.import_tasks: pre_remediation_audit.yml -- name: run Section 1 tasks +- name: Run Section 1 tasks ansible.builtin.import_tasks: file: section_1/main.yml when: rhel9cis_section1 tags: - rhel9cis_section1 -- name: run Section 2 tasks +- name: Run Section 2 tasks ansible.builtin.import_tasks: file: section_2/main.yml when: rhel9cis_section2 tags: - rhel9cis_section2 -- name: run Section 3 tasks +- name: Run Section 3 tasks ansible.builtin.import_tasks: file: section_3/main.yml when: rhel9cis_section3 tags: - rhel9cis_section3 -- name: run Section 4 tasks +- name: Run Section 4 tasks ansible.builtin.import_tasks: file: section_4/main.yml when: rhel9cis_section4 tags: - rhel9cis_section4 -- name: run Section 5 tasks +- name: Run Section 5 tasks ansible.builtin.import_tasks: file: section_5/main.yml when: rhel9cis_section5 tags: - rhel9cis_section5 -- name: run Section 6 tasks +- name: Run Section 6 tasks ansible.builtin.import_tasks: file: section_6/main.yml when: rhel9cis_section6 tags: - rhel9cis_section6 -- name: run auditd logic +- name: Run auditd logic ansible.builtin.import_tasks: file: auditd.yml when: update_audit_template tags: - always -- name: run post remediation tasks +- name: Run post remediation tasks ansible.builtin.import_tasks: file: post.yml tags: - post_tasks - always -- name: run post_remediation audit +- name: Run post_remediation audit ansible.builtin.import_tasks: file: post_remediation_audit.yml when: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index d363a9f..f58ad01 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -226,27 +226,6 @@ - level1_server - level1_workstation -- name: "PRELIM | Install authconfig" - ansible.builtin.package: - name: authconfig - state: present - become: true - when: - - rhel9cis_use_authconfig - - rhel9cis_rule_5_3_1 or - rhel9cis_rule_5_3_2 or - rhel9cis_rule_5_3_3 or - '"authconfig" not in ansible_facts.packages or - "auditd-lib" not in ansible_facts.packages' - tags: - - level1-server - - level1-workstation - - rule_5.3.1 or - rule_5.3.2 or - rule_5.3.3 - - authconfig - - auditd - - name: "PRELIM | 5.3.4 | Find all sudoers files." ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index ef16988..d113361 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -39,7 +39,6 @@ notify: Change_requires_reboot when: - item.mount == "/home" - - rhel9cis_rule_1_1_7_1 - rhel9cis_rule_1_1_7_2 or rhel9cis_rule_1_1_7_3 tags: @@ -49,5 +48,4 @@ - mounts - rule_1.1.7.2 - rule_1.1.7.3 - - rule_1.1.7.4 - skip_ansible_lint diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index dda9c66..3010b5a 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -54,7 +54,7 @@ - patch - rule_1.3.2 -- name: "1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" +- name: "1.3.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" ansible.builtin.blockinfile: path: /etc/aide.conf marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown" diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index e6f4b0c..b7f4791 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -118,7 +118,7 @@ - gui - rule_1.8.4 -- name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden" +- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden" block: - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock directory" ansible.builtin.file: diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index ec925bb..2c8746a 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -99,7 +99,7 @@ - level2-workstation - patch - auditd - - rule_4.1.3_7 + - rule_4.1.3.7 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" @@ -268,7 +268,7 @@ - level2-workstation - patch - auditd - - rule_4.1.20 + - rule_4.1.3.20 - name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same" ansible.builtin.debug: diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 7daf6d1..ac62767 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -1,6 +1,6 @@ --- -- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" +- name: "5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" ansible.builtin.file: path: "/etc/ssh/sshd_config" owner: root diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index a2c0219..8fba898 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -2,7 +2,7 @@ - name: "5.6.2 | PATCH | Ensure system accounts are secured" block: - - name: "5.6.2 | Ensure system accounts are secured | Set nologin" + - name: "5.6.2 | PATCH | Ensure system accounts are secured | Set nologin" ansible.builtin.user: name: "{{ item.id }}" shell: /usr/sbin/nologin @@ -98,11 +98,30 @@ regexp: '^USERGROUPS_ENAB' line: USERGROUPS_ENAB no - - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth" - ansible.builtin.lineinfile: - path: /etc/pam.d/system-auth - line: 'session required pam_umask.so' - insertafter: EOF + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Add umask sessions for pamd" + community.general.pamd: + name: "{{ item }}" + type: session + control: required + module_path: pam_limits.so + new_type: session + new_module_path: pam_umask.so + new_control: optional + state: before + register: rhel9cis_pamd_umask_added + loop: + - system-auth + - password-auth + + - name: "5.6.5 | AUDIT | Ensure default user umask is 027 or more restrictive | update umask settings if required" + ansible.builtin.replace: + path: "/etc/pam.d/{{ item }}" + regexp: ^(session\s+)(requisite|required)(\s+pam_umask.so)$ + replace: \1optional\3 + loop: + - system-auth + - password-auth + when: - rhel9cis_rule_5_6_5 tags: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 6ab91cd..e2d03e5 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -75,7 +75,7 @@ - groups - rule_6.2.3 -- name: "6.2.4 | AUDIT Ensure no duplicate UIDs exist" +- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist" block: - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" @@ -88,7 +88,7 @@ msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}" when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 - - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" + - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | warning count" ansible.builtin.import_tasks: file: warning_facts.yml when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 From 6eeae19517bc8834d86bef908783ec30922bbd4f Mon Sep 17 00:00:00 2001 From: RoboPickle <158301938+RoboPickle@users.noreply.github.com> Date: Thu, 14 Mar 2024 17:13:34 +0000 Subject: [PATCH 85/90] Address issues in 4.1.1.2 and 4.1.1.3 including idempotent status (#188) * Fixed issues with 4.1.1.2 and 4.1.1.3 Now handle multiple kernels and are idempotent Signed-off-by: John Foster * Fixed issues with 4.1.1.2 and 4.1.1.3 Now handle multiple kernels and are idempotent Removed debug messages Signed-off-by: John Foster --------- Signed-off-by: John Foster --- tasks/section_4/cis_4.1.1.x.yml | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index cbf9209..3d0082a 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -25,7 +25,7 @@ - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" block: - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby existence of current value" - ansible.builtin.shell: grubby --info=ALL | grep args | grep -o -E "audit=([[:digit:]])+" | grep -o -E "([[:digit:]])+" + ansible.builtin.shell: grubby --info=ALL | grep args | sed -n 's/.*audit=\([[:alnum:]]\+\).*/\1/p' changed_when: false failed_when: false check_mode: false @@ -34,7 +34,9 @@ - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed" ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" when: - - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux | int != 1 + - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout == '' or + '0' in rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout or + 'off' in rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout|lower when: - rhel9cis_rule_4_1_1_2 tags: @@ -48,16 +50,32 @@ - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" block: - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby existence of current value" - ansible.builtin.shell: grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+" + ansible.builtin.shell: + cmd: 'grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"' changed_when: false failed_when: false check_mode: false register: rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux - - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update, if needed" - ansible.builtin.shell: grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}" + - name: "4.1.1.3 | AUDIT | Check to see if limits are set" + ansible.builtin.set_fact: + rhel9cis_4_1_1_3_reset_backlog_limits: true when: - - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout | int < rhel9cis_audit_back_log_limit + - rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux is not defined or + rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux.stdout_lines == [] + + - name: "4.1.1.3 | AUDIT | Check to see if any limits are too low" + ansible.builtin.set_fact: + rhel9cis_4_1_1_3_reset_backlog_limits: true + when: + - (item | int < rhel9cis_audit_back_log_limit) + loop: "{{ rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux.stdout_lines }}" + + - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied" + ansible.builtin.shell: + cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' + when: + - rhel9cis_4_1_1_3_reset_backlog_limits is defined when: - rhel9cis_rule_4_1_1_3 tags: From e87d637eb2605e22ff6f340fd24edfaa998db712 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 25 Mar 2024 11:10:05 +0000 Subject: [PATCH 86/90] [pre-commit.ci] pre-commit autoupdate (#192) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.2.0 → v24.2.1](https://github.com/ansible-community/ansible-lint/compare/v24.2.0...v24.2.1) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 873f275..8af784f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -43,7 +43,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.0 + rev: v24.2.1 hooks: - id: ansible-lint name: Ansible-lint From f8fcfe0e782136434c5421acc758a80ae1053b85 Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Mon, 15 Apr 2024 14:02:07 +0100 Subject: [PATCH 87/90] April_24 updates (#201) * Issue #170, PR #181 thanks to @ipruteanu-sie Signed-off-by: Mark Bolwell * issue #182, PR #183 thansk to @ipruteanu-sie Signed-off-by: Mark Bolwell * PR #180 thanks to @ipruteanu-sie and @raabf Signed-off-by: Mark Bolwell * Addressed PR #165 thanks to @ipruteanu-sie Signed-off-by: Mark Bolwell * PT #184 addressed thansk to @ipruteanu-sie Signed-off-by: Mark Bolwell * updated credits Signed-off-by: Mark Bolwell * typo and ssh allow_deny comments Signed-off-by: Mark Bolwell * enable OS check Signed-off-by: Mark Bolwell * PR - #198 addressed thanks to @brakkio86 Signed-off-by: Mark Bolwell * Addressed issue #190 Signed-off-by: Mark Bolwell * Additional vars for issue #190 Signed-off-by: Mark Bolwell * updated pre-commit version Signed-off-by: Mark Bolwell * consistent quotes around mode Signed-off-by: Mark Bolwell * moved audit added discoveries Signed-off-by: Mark Bolwell * removed unneeded vars Signed-off-by: Mark Bolwell * audit moved to prelim Signed-off-by: Mark Bolwell * tidy up Signed-off-by: Mark Bolwell * improved new variable usage Signed-off-by: Mark Bolwell * fixed logic 6.2.10 Signed-off-by: Mark Bolwell * updated Signed-off-by: Mark Bolwell * addressed #197 thanks to @mark-tomich Signed-off-by: Mark Bolwell * updates for audit section Signed-off-by: Mark Bolwell * fixed naming Signed-off-by: Mark Bolwell * updated Signed-off-by: Mark Bolwell * added prelim to includes Signed-off-by: Mark Bolwell --------- Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 2 +- Changelog.md | 16 ++++ defaults/main.yml | 153 +++++++++++++------------------ tasks/main.yml | 17 ---- tasks/post_remediation_audit.yml | 10 +- tasks/pre_remediation_audit.yml | 35 +++---- tasks/prelim.yml | 67 ++++++++++---- tasks/section_1/cis_1.3.x.yml | 20 ++-- tasks/section_3/cis_3.1.x.yml | 2 +- tasks/section_5/cis_5.6.1.x.yml | 76 ++++++++++++--- tasks/section_6/cis_6.2.x.yml | 27 +++--- vars/audit.yml | 20 ++-- 12 files changed, 250 insertions(+), 195 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8af784f..3014d8a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v4.6.0 hooks: # Safety - id: detect-aws-credentials diff --git a/Changelog.md b/Changelog.md index 0fe314f..04969f0 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,21 @@ # Changes to rhel9CIS +## 1.1.5 - Based on CIS v1.0.0 + +- added new interactive user discoveries + - updated controls 6.2.10-6.2.14 +- audit + - steps moved to prelim + - update to coipy and archive logic and variables +- removed vars not used +- updated quotes used in mode tasks +- pre-commit update +- issues addressed + - #190 thanks to @ipruteanu-sie + - aligned logic for user shadow suite params (aligned with other repos) + - new variables to force changes to existing users added 5.6.1.1 - 5.6.1.2 + - #198 thanks to @brakkio86 + ## 1.1.4 - Based on CIS v1.0.0 - 1.2.1 new option for a new system to import gpg key for 1.2.1 to pass redhat only diff --git a/defaults/main.yml b/defaults/main.yml index f5838c0..d48728a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -67,74 +67,56 @@ skip_reboot: true # default value will change to true but wont reboot if not enabled but will error change_requires_reboot: false -########################################## +########################################### ### Goss is required on the remote host ### -## Refer to vars/auditd.yml for any other settings ## -#### Basic external goss audit enablement settings #### -#### Precise details - per setting can be found at the bottom of this file #### +### vars/auditd.yml for other settings ### -## Audit setup -# Audits are carried out using Goss. This variable -# determines whether execution of the role prepares for auditing -# by installing the required binary. +# Allow audit to setup the requirements including installing git (if option chosen and downloading and adding goss binary to system) setup_audit: false -## Enable audits to run - this runs the audit and get the latest content -# This variable governs whether the audit using the -# separately maintained audit role using Goss -# is carried out. +# enable audits to run - this runs the audit and get the latest content run_audit: false +# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system +audit_run_heavy_tests: true -# Only run Audit do not remediate +## Only run Audit do not remediate audit_only: false -# This will enable files to be copied back to control node(part of audit_only) +### As part of audit_only ### +# This will enable files to be copied back to control node in audit_only mode fetch_audit_files: false -# Path to copy the files to will create dir structure(part of audit_only) +# Path to copy the files to will create dir structure in audit_only mode audit_capture_files_dir: /some/location to copy to on control node +############################# -## How to retrieve audit binary(Goss) -# Options are 'copy' or 'download' - detailed settings at the bottom of this file -# - if 'copy': -# - the filepath mentioned via the below 'audit_bin_copy_location' var will be used to access already downloaded Goss -# - if 'download': -# - the GitHub Goss-releases URL will be used for a fresh-download, via 'audit_bin_url' and 'audit_pkg_arch_name' vars +# How to retrieve audit binary +# Options are copy or download - detailed settings at the bottom of this file +# you will need to access to either github or the file already dowmloaded get_audit_binary_method: download -## if get_audit_binary_method is 'copy', the following var needs to be updated for your environment +## if get_audit_binary_method - copy the following needs to be updated for your environment ## it is expected that it will be copied from somewhere accessible to the control node ## e.g copy from ansible control node to remote host audit_bin_copy_location: /some/accessible/path -## How to retrieve the audit role -# The role for auditing is maintained separately. -# This variable specifies the method of how to get the audit role -# options are git/copy/get_url other e.g. if you wish to run from already downloaded conf -# onto the system. The options are as follows: -# - 'git': clone audit content from GitHub REPOSITORY, set up via `audit_file_git` var, and -# VERSION(e.g. branch, tag name), set up via `audit_git_version` var. -# - 'copy': copy from path as specified in variable `audit_conf_copy`. -# - 'archive': same as 'copy', only that the specified filepath needs to be unpacked. -# - 'get_url': Download from url as specified in variable `audit_files_url` +# how to get audit files onto host options +# options are git/copy/archive/get_url other e.g. if you wish to run from already downloaded conf audit_content: git -# This variable(only used when 'audit_content' is 'copy' or 'archive') should -# contain the filepath with audit-content to be copied/unarchived on server: -audit_conf_copy: "some path to copy from" +# If using either archive, copy, get_url: +## Note will work with .tar files - zip will require extra configuration +### If using get_url this is expecting github url in tar.gz format e.g. +### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz +audit_conf_source: "some path or url to copy from" -# This variable(only used when 'audit_content' is 'get_url') should -# contain the URL from where the audit-content must be downloaded on server: -audit_files_url: "some url maybe s3?" +# Destination for the audit content to be placed on managed node +# note may not need full path e.g. /opt with the directory being the {{ benchmark }}-Audit directory +audit_conf_dest: "/opt" -# Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system -audit_run_heavy_tests: true +# Where the audit logs are stored +audit_log_dir: '/opt' -# Timeout for those cmds that take longer to run where timeout set -# This variable specifies the timeout (in ms) for audit commands that -# take a very long time: if a command takes too long to complete, -# it will be forcefully terminated after the specified duration. -audit_cmd_timeout: 120000 - -### End Goss enablements #### +### Goss Settings ## +####### END ######## # These variables correspond with the CIS rule IDs or paragraph numbers defined in # the CIS benchmark documents. @@ -171,10 +153,6 @@ rhel9cis_rule_1_1_8_1: true rhel9cis_rule_1_1_8_2: true rhel9cis_rule_1_1_8_3: true rhel9cis_rule_1_1_8_4: true -rhel9cis_rule_1_1_18: true -rhel9cis_rule_1_1_19: true -rhel9cis_rule_1_1_20: true -rhel9cis_rule_1_1_21: true rhel9cis_rule_1_1_9: true rhel9cis_rule_1_2_1: true rhel9cis_rule_1_2_2: true @@ -371,7 +349,6 @@ rhel9cis_rule_5_5_1: true rhel9cis_rule_5_5_2: true rhel9cis_rule_5_5_3: true rhel9cis_rule_5_5_4: true -rhel9cis_rule_5_5_5: true rhel9cis_rule_5_6_1_1: true rhel9cis_rule_5_6_1_2: true rhel9cis_rule_5_6_1_3: true @@ -821,7 +798,7 @@ rhel9cis_auditd: max_log_file: 10 # This variable determines what action the audit system should take when the maximum # size of a log file is reached. - # The options for setting this variable are as follows: + # The options for setting this variable are as follows: # - `ignore`: the system does nothing when the size of a log file is full; # - `syslog`: a message is sent to the system log indicating the problem; # - `suspend`: the system suspends recording audit events until the log file is cleared or rotated; @@ -837,14 +814,12 @@ rhel9cis_auditd_extra_conf_usage: false # Example: # rhel9cis_auditd_extra_conf: # admin_space_left: '10%' + +# These variables governs the threshold(MegaBytes) under which the audit daemon should perform a +# specific action to alert that the system is running low on disk space. rhel9cis_auditd_extra_conf: - # This variable governs the threshold(MegaBytes) under which the audit daemon should perform a - # specific action to alert that the system is running low on disk space. Must be lower than - # the 'space_left' variable. + # Must be lower than the 'space_left' variable. admin_space_left: 50 - # This variable governs the threshold(MegaBytes) under which the audit daemon should perform a - # specific action to alert that the system is running low on disk space(last chance to do something - # before running out of disk space). Must be lower than the 'space_left' variable. space_left: 75 ## Control 4.1.1.4 - Ensure rhel9cis_audit_back_log_limit is sufficient @@ -855,12 +830,6 @@ rhel9cis_auditd_extra_conf: # This variable should be set to a sufficient value. The CIS baseline recommends at least `8192` as value. rhel9cis_audit_back_log_limit: 8192 -## Control 4.1.2.1 - Ensure audit log storage size is configured -# This variable specifies the maximum size in MB that an audit log file can reach -# before it is archived or deleted to make space for the new audit data. -# This should be set based on your sites policy. CIS does not provide a specific value. -rhel9cis_max_log_file_size: 10 - ## Control 4.1.3.x - Audit template # This variable governs if the auditd logic should be executed(if value is true). # NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules'). @@ -1015,30 +984,22 @@ rhel9cis_sshd: # access for users whose user name matches one of the patterns. This is done # by setting the value of `AllowUsers` option in `/etc/ssh/sshd_config` file. # If an USER@HOST format will be used, the specified user will be allowed only on that particular host. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, see https://linux.die.net/man/5/sshd_config # allowusers: "" # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access # for users whose primary group or supplementary group list matches one of the patterns. This is done # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, https://linux.die.net/man/5/sshd_config # allowgroups: "wheel" # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access # for users whose user name matches one of the patterns. This is done # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, see https://linux.die.net/man/5/sshd_config denyusers: "nobody" - # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access - # for users whose primary group or supplementary group list matches one of the patterns. This is done + # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, + # to prevent SSH access for users whose primary group or supplementary group list matches one of the patterns. This is done # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. - # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. - # For more info, see https://linux.die.net/man/5/sshd_config denygroups: "" ## Control 5.2.5 - Ensure SSH LogLevel is appropriate @@ -1088,21 +1049,6 @@ rhel9cis_authselect_custom_profile_create: false # to the PAM templates and meta files in the original profile will be reflected in your custom profile, too.) rhel9cis_authselect_custom_profile_select: false -## Section 5.6.1.x: Shadow Password Suite Parameters -rhel9cis_pass: - ## Control 5.6.1.1 - Ensure password expiration is 365 days or less - # This variable governs after how many days a password expires. - # CIS requires a value of 365 or less. - max_days: 365 - ## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more - # This variable specifies the minimum number of days allowed between changing - # passwords. CIS requires a value of at least 1. - min_days: 7 - ## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more - # This variable governs, how many days before a password expires, the user will be warned. - # CIS requires a value of at least 7. - warn_age: 7 - ## Control 5.5.1 - Ensure password creation requirements are configured - PAM rhel9cis_pam_password: # This variable sets the minimum chars a password needs to be set. @@ -1171,6 +1117,33 @@ rhel9cis_add_faillock_without_authselect: false # to 'true', in order to include the 'with-failock' option to the current authselect profile. rhel9cis_5_4_2_risks: NEVER +## Section 5.6.1.x: Shadow Password Suite Parameters +rhel9cis_pass: + ## Control 5.6.1.1 - Ensure password expiration is 365 days or less + # This variable governs after how many days a password expires. + # CIS requires a value of 365 or less. + max_days: 365 + ## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more + # This variable specifies the minimum number of days allowed between changing + # passwords. CIS requires a value of at least 1. + min_days: 7 + ## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more + # This variable governs, how many days before a password expires, the user will be warned. + # CIS requires a value of at least 7. + warn_age: 7 + +## Allow the forcing of setting user_max_days for logins. +# This can break current connecting user access +rhel9cis_force_user_maxdays: false + +## Allow the force setting of minimum days between changing the password +# This can break current connecting user access +rhel9cis_force_user_mindays: false + +## Allow the forcing of of number of days before warning users of password expiry +# This can break current connecting user access +rhel9cis_force_user_warnage: false + ## Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) diff --git a/tasks/main.yml b/tasks/main.yml index 114c806..509ae27 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -151,23 +151,6 @@ - prelim_tasks - always -- name: Include audit specific variables - when: - - run_audit or audit_only - - setup_audit - tags: - - setup_audit - - run_audit - ansible.builtin.include_vars: audit.yml - -- name: Include pre-remediation audit tasks - when: - - run_audit or audit_only - - setup_audit - tags: - - run_audit - ansible.builtin.import_tasks: pre_remediation_audit.yml - - name: Run Section 1 tasks ansible.builtin.import_tasks: file: section_1/main.yml diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 6bc5086..b3111c8 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,11 +1,11 @@ --- - name: Post Audit | Run post_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml - name: Post Audit | ensure audit files readable by users @@ -22,13 +22,13 @@ - audit_format == "json" block: - name: capture data {{ post_audit_outfile }} - ansible.builtin.shell: cat {{ post_audit_outfile }} + ansible.builtin.shell: "cat {{ post_audit_outfile }}" register: post_audit changed_when: false - name: Capture post-audit result ansible.builtin.set_fact: - post_audit_summary: "{{ post_audit.stdout | from_json | community.general.json_query(summary) }}" + post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: summary: summary."summary-line" @@ -37,7 +37,7 @@ - audit_format == "documentation" block: - name: Post Audit | capture data {{ post_audit_outfile }} - ansible.builtin.shell: tail -2 {{ post_audit_outfile }} + ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}" register: post_audit changed_when: false diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 158c053..d0137e8 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -5,7 +5,8 @@ - setup_audit tags: - setup_audit - ansible.builtin.include_tasks: LE_audit_setup.yml + ansible.builtin.include_tasks: + file: LE_audit_setup.yml - name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists ansible.builtin.file: @@ -32,23 +33,25 @@ when: - audit_content == 'copy' ansible.builtin.copy: - src: "{{ audit_conf_copy }}" - dest: "{{ audit_conf_dir }}" + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server when: - - audit_content == 'archived' + - audit_content == 'archive' ansible.builtin.unarchive: - src: "{{ audit_conf_copy }}" - dest: "{{ audit_conf_dir }}" + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url when: - audit_content == 'get_url' - ansible.builtin.get_url: - url: "{{ audit_files_url }}" - dest: "{{ audit_conf_dir }}" + ansible.builtin.unarchive: + src: "{{ audit_conf_source }}" + dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" + remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" + extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" - name: Pre Audit Setup | Check Goss is available when: @@ -77,25 +80,25 @@ mode: '0600' - name: Pre Audit | Run pre_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" + ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" - AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" + AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format when: - audit_format == "json" block: - - name: capture data {{ pre_audit_outfile }} - ansible.builtin.shell: cat {{ pre_audit_outfile }} + - name: Pre Audit | Capture data {{ pre_audit_outfile }} + ansible.builtin.shell: "cat {{ pre_audit_outfile }}" register: pre_audit changed_when: false - name: Pre Audit | Capture pre-audit result ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json | community.general.json_query(summary) }}" + pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: summary: summary."summary-line" @@ -103,8 +106,8 @@ when: - audit_format == "documentation" block: - - name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format - ansible.builtin.shell: tail -2 {{ pre_audit_outfile }} + - name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format + ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" register: pre_audit changed_when: false diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f58ad01..6ffc298 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -2,6 +2,54 @@ # Preliminary tasks that should always be run # List users in order to look files inside each home directory + +- name: PRELIM | Include audit specific variables + when: + - run_audit or audit_only + - setup_audit + tags: + - setup_audit + - run_audit + ansible.builtin.include_vars: audit.yml + +- name: PRELIM | Include pre-remediation audit tasks + when: + - run_audit or audit_only + - setup_audit + tags: + - run_audit + ansible.builtin.import_tasks: pre_remediation_audit.yml + +- name: "PRELIM | AUDIT | Interactive Users" + tags: + - always + ansible.builtin.shell: > + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $1 }' + changed_when: false + register: discovered_interactive_usernames + +- name: "PRELIM | AUDIT | Interactive User accounts home directories" + tags: + - always + ansible.builtin.shell: > + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }' + changed_when: false + register: discovered_interactive_users_home + +- name: "PRELIM | AUDIT | Interactive UIDs" + tags: + - always + ansible.builtin.shell: > + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' + changed_when: false + register: discovered_interactive_uids + +- name: "PRELIM | capture /etc/password variables" + ansible.builtin.include_tasks: + file: parse_etc_password.yml + tags: + - always + - name: "PRELIM | List users accounts" ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd" changed_when: false @@ -12,25 +60,6 @@ - level1-workstation - users -- name: "PRELIM | capture /etc/password variables" - ansible.builtin.include_tasks: parse_etc_password.yml - tags: - - rule_5.5.2 - - rule_5.6.2 - - rule_6.2.9 - - rule_6.2.10 - - rule_6.2.11 - - rhel9cis_section5 - - rhel9cis_section6 - - level1-server - -- name: "PRELIM | Interactive User accounts" - ansible.builtin.shell: 'cat /etc/passwd | grep -Ev "nologin|/sbin" | cut -d: -f6' - changed_when: false - register: interactive_users_home - tags: - - always - - name: "PRELIM | Gather accounts with empty password fields" ansible.builtin.shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" changed_when: false diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 3010b5a..fa2d6a5 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -9,14 +9,14 @@ - name: "1.3.1 | PATCH | Ensure AIDE is installed | Build AIDE DB" ansible.builtin.shell: /usr/sbin/aide --init - changed_when: false - failed_when: false - async: 45 - poll: 0 args: creates: /var/lib/aide/aide.db.new.gz when: not ansible_check_mode + - name: "1.3.1 | PATCH | Ensure AIDE is installed | Wait for file before continuing" + ansible.builtin.wait_for: + path: /var/lib/aide/aide.db.new.gz + - name: "1.3.1 | PATCH | Ensure AIDE is installed | copy AIDE DB" ansible.builtin.copy: src: /var/lib/aide/aide.db.new.gz @@ -59,12 +59,12 @@ path: /etc/aide.conf marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown" block: | - /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 - /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 + /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 validate: aide -D --config %s when: - rhel9cis_rule_1_3_3 diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 2a13574..3f93858 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -60,7 +60,7 @@ ansible.builtin.template: src: "etc/modprobe.d/modprobe.conf.j2" dest: "/etc/modprobe.d/{{ item }}.conf" - mode: "0600" + mode: '0600' owner: root group: root loop: diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 8d082bc..6ad3dc0 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -1,10 +1,28 @@ --- - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^PASS_MAX_DAYS' - line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" + block: + - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_MAX_DAYS' + line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" + + - name: "5.6.1.1 | AUDIT | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS" + ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass['max_days'] }} || $5< {{ rhel9cis_pass['max_days'] }} || $5 == -1)){print $1}' /etc/shadow" + changed_when: false + failed_when: false + register: discovered_max_days + + - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" + ansible.builtin.user: + name: "{{ item }}" + password_expire_max: "{{ rhel9cis_pass['max_days'] }}" + loop: "{{ discovered_max_days.stdout_lines }}" + when: + - discovered_max_days.stdout_lines | length > 0 + - item in discovered_interactive_usernames.stdout + - rhel9cis_force_user_maxdays when: - rhel9cis_rule_5_6_1_1 tags: @@ -15,10 +33,28 @@ - rule_5.6.1.1 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^PASS_MIN_DAYS' - line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" + block: + - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is configured | set login.defs" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_MIN_DAYS' + line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" + + - name: "5.6.1.2 | AUDIT | Ensure minimum days between password changes is configured | Get existing users PASS_MIN_DAYS" + ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass['min_days'] }} {print $1}' /etc/shadow" + changed_when: false + failed_when: false + register: discovered_min_days + + - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS" + ansible.builtin.user: + name: "{{ item }}" + password_expire_max: "{{ rhel9cis_pass['min_days'] }}" + loop: "{{ discovered_min_days.stdout_lines }}" + when: + - discovered_min_days.stdout_lines | length > 0 + - item in discovered_interactive_usernames.stdout + - rhel9cis_force_user_mindays when: - rhel9cis_rule_5_6_1_2 tags: @@ -29,10 +65,26 @@ - rule_5.6.1.2 - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more" - ansible.builtin.lineinfile: - path: /etc/login.defs - regexp: '^PASS_WARN_AGE' - line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" + block: + - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | set login.defs" + ansible.builtin.lineinfile: + path: /etc/login.defs + regexp: '^PASS_WARN_AGE' + line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" + + - name: "5.6.1.3 | AUDIT | Ensure password expiration warning days is 7 or more | Get existing users WARN_DAYS" + ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass['warn_age'] }} {print $1}' /etc/shadow" + changed_when: false + failed_when: false + register: discovered_warn_days + + - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users WARN_DAYS" + ansible.builtin.shell: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}" + loop: "{{ discovered_warn_days.stdout_lines }}" + when: + - discovered_warn_days.stdout_lines | length > 0 + - item in discovered_interactive_usernames.stdout + - rhel9cis_force_user_warnage when: - rhel9cis_rule_5_6_1_3 tags: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index e2d03e5..7be9ae9 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -235,7 +235,7 @@ state: directory owner: root group: root - mode: "0755" + mode: '0755' follow: false loop: "{{ root_path_perms.results }}" loop_control: @@ -278,7 +278,7 @@ owner: "{{ item.id }}" group: "{{ item.gid }}" register: rhel_09_6_2_10_home_dir - loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" + loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" loop_control: label: "{{ item.id }}" @@ -290,7 +290,7 @@ etype: group permissions: rx state: present - loop: "{{ interactive_users_home.stdout_lines }}" + loop: "{{ discovered_interactive_users_home.stdout_lines }}" when: not system_is_container - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Set other ACL" @@ -300,7 +300,7 @@ etype: other permissions: 0 state: present - loop: "{{ interactive_users_home.stdout_lines }}" + loop: "{{ discovered_interactive_users_home.stdout_lines }}" when: not system_is_container when: - rhel9cis_rule_6_2_10 @@ -320,10 +320,7 @@ loop_control: label: "{{ item.id }}" when: - - item.uid >= min_int_uid | int - - item.id != 'nobody' - - (item.id != 'tss' and item.dir != '/dev/null') - - item.shell != '/sbin/nologin' + - item.id in discovered_interactive_usernames.stdout - rhel9cis_rule_6_2_11 tags: - level1-server @@ -338,13 +335,13 @@ ansible.builtin.stat: path: "{{ item }}" register: rhel_09_6_2_12_home_dir_perms - loop: "{{ interactive_users_home.stdout_lines }}" + loop: "{{ discovered_interactive_users_home.stdout_lines }}" - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | amend if needed" ansible.builtin.file: path: "{{ item.stat.path }}" state: directory - mode: "0750" + mode: '0750' loop: "{{ rhel_09_6_2_12_home_dir_perms.results }}" loop_control: label: "{{ item }}" @@ -359,7 +356,7 @@ etype: group permissions: rx state: present - loop: "{{ interactive_users_home.stdout_lines }}" + loop: "{{ discovered_interactive_users_home.stdout_lines }}" when: not system_is_container - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | Set other ACL" @@ -369,7 +366,7 @@ etype: other permissions: 0 state: present - loop: "{{ interactive_users_home.stdout_lines }}" + loop: "{{ discovered_interactive_users_home.stdout_lines }}" when: not system_is_container when: - rhel9cis_rule_6_2_12 @@ -385,7 +382,7 @@ ansible.builtin.file: path: "{{ item }}/.netrc" state: absent - loop: "{{ interactive_users_home.stdout_lines }}" + loop: "{{ discovered_interactive_users_home.stdout_lines }}" when: - rhel9cis_rule_6_2_13 tags: @@ -400,7 +397,7 @@ ansible.builtin.file: path: "{{ item }}/.forward" state: absent - loop: "{{ interactive_users_home.stdout_lines }}" + loop: "{{ discovered_interactive_users_home.stdout_lines }}" when: - rhel9cis_rule_6_2_14 tags: @@ -415,7 +412,7 @@ ansible.builtin.file: path: "~{{ item }}/.rhosts" state: absent - loop: "{{ interactive_users_home.stdout_lines }}" + loop: "{{ discovered_interactive_users_home.stdout_lines }}" when: - rhel9cis_rule_6_2_15 tags: diff --git a/vars/audit.yml b/vars/audit.yml index 26e2b87..bb50f6d 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -2,6 +2,9 @@ #### Audit Configuration Settings #### +# Timeout for those cmds that take longer to run where timeout set +audit_cmd_timeout: 120000 + # if get_audit_binary_method == download change accordingly audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_version.release }}/goss-linux-" @@ -12,14 +15,12 @@ audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" audit_git_version: "benchmark_{{ benchmark_version }}" ## Goss configuration information -# Where the goss configs and outputs are stored -audit_out_dir: '/opt' -# Where the goss audit configuration will be stored -audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit" +# Where the goss audit configuration will be stored - NOTE benchmark-audit is expected +audit_conf_dir: "{{ audit_conf_dest | default('/opt') }}/{{ benchmark }}-Audit" # If changed these can affect other products -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_pre_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}-{{ benchmark_version }}_post_scan_{{ ansible_facts.date_time.epoch }}.{{ audit_format }}" ## The following should not need changing @@ -33,6 +34,7 @@ audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The pre remediation results are: {{ pre_audit_summary }}. - The post remediation results are: {{ post_audit_summary }}. - Full breakdown can be found in {{ audit_out_dir }} + The audit results are: {{ pre_audit_summary }} + {% if not audit_only %}The post remediation audit results are: {{ post_audit_summary }}{% endif %} + + Full breakdown can be found in {{ audit_log_dir }} From b5bea721f18350a25799fce828b11ded276dfca3 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 15 Apr 2024 14:04:13 +0100 Subject: [PATCH 88/90] [pre-commit.ci] pre-commit autoupdate (#200) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v4.5.0 → v4.6.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.5.0...v4.6.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> From d8f9b30182651bf6609123c36e56323a82d26de5 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Thu, 25 Apr 2024 10:44:25 +0100 Subject: [PATCH 89/90] [pre-commit.ci] pre-commit autoupdate (#202) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.2.1 → v24.2.2](https://github.com/ansible-community/ansible-lint/compare/v24.2.1...v24.2.2) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3014d8a..a76a23f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -43,7 +43,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.1 + rev: v24.2.2 hooks: - id: ansible-lint name: Ansible-lint From 79e36d8736be52543d31948c68fda0169ff924f2 Mon Sep 17 00:00:00 2001 From: uk-bolly Date: Mon, 29 Apr 2024 16:40:53 +0100 Subject: [PATCH 90/90] updated assert statement (#204) Signed-off-by: Mark Bolwell --- tasks/pre_remediation_audit.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index d0137e8..9777bd1 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -63,9 +63,8 @@ register: goss_available - name: Pre Audit Setup | If audit ensure goss is available - when: - - not goss_available.stat.exists ansible.builtin.assert: + that: goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit