From 7c6555d92ef27eff7249b3900550b63dd80c5dd9 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 13 Jan 2023 09:09:21 +0000
Subject: [PATCH] Lint updates & control alignment

Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.1.x.yml   |  8 --------
 tasks/section_5/cis_5.2.x.yml   | 20 --------------------
 tasks/section_5/cis_5.3.x.yml   |  7 -------
 tasks/section_5/cis_5.4.x.yml   |  1 -
 tasks/section_5/cis_5.5.x.yml   | 12 ++++++------
 tasks/section_5/cis_5.6.1.x.yml |  4 ----
 tasks/section_5/cis_5.6.x.yml   | 24 ++++++++++++++++++++----
 7 files changed, 26 insertions(+), 50 deletions(-)

diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml
index 7cbcd7f..9edc7c7 100644
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@@ -9,7 +9,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - cron
       - rule_5.1.1
@@ -25,7 +24,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - cron
       - rule_5.1.2
@@ -42,7 +40,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - cron
       - rule_5.1.3
@@ -59,7 +56,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - cron
       - rule_5.1.4
@@ -91,7 +87,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - rule_5.1.6
@@ -107,7 +102,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - cron
       - rule_5.1.7
@@ -136,7 +130,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - cron
       - rule_5.1.8
@@ -165,7 +158,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - cron
       - rule_5.1.9
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index 580585e..a599a4b 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -12,7 +12,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - permissions
@@ -43,7 +42,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - permissions
@@ -74,7 +72,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.3
@@ -121,7 +118,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.4
@@ -137,7 +133,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - sshs
       - rule_5.2.5
@@ -153,7 +148,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.6
@@ -169,7 +163,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.7
@@ -185,7 +178,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.8
@@ -201,7 +193,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.9
@@ -217,7 +208,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.10
@@ -233,7 +223,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.11
@@ -249,7 +238,6 @@
   tags:
       - level2-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.12
@@ -265,7 +253,6 @@
   tags:
       - level2-server
       - level2-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.13
@@ -287,7 +274,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.14
@@ -302,7 +288,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.15
@@ -318,7 +303,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.16
@@ -334,7 +318,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.17
@@ -350,7 +333,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.18
@@ -366,7 +348,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.19
@@ -391,7 +372,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - ssh
       - rule_5.2.20
diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml
index 0cdfaac..25d05d2 100644
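Review bot: The `sshs` tag that survives as context in the 5.2.5 hunk (`- patch`, `- sshs`, `- rule_5.2.5`) looks like a typo for `ssh`, which every other hunk in this file carries. Tags are how users select controls, so a run with `--tags ssh` silently skips 5.2.5 while its neighbours are applied, and nothing warns about it. Since the commit is titled "control alignment" and already touches this tag list, it is worth fixing here: `- ssh`. The task this tag list belongs to starts outside the hunk.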
--- a/tasks/section_5/cis_5.3.x.yml
+++ b/tasks/section_5/cis_5.3.x.yml
@@ -9,7 +9,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - sudo
       - rule_5.3.1
@@ -24,7 +23,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - sudo
       - rule_5.3.2
@@ -40,7 +38,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - sudo
       - rule_5.3.3
@@ -58,7 +55,6 @@
   tags:
       - level2-server
       - level2-workstation
-      - automated
       - patch
       - sudo
       - rule_5.3.4
@@ -76,7 +72,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - sudo
       - rule_5.3.5
@@ -111,7 +106,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - sudo
       - rule_5.3.6
@@ -133,7 +127,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - sudo
       - rule_5.3.7
diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml
index d78d6ce..ac37cf2 100644
--- a/tasks/section_5/cis_5.4.x.yml
+++ b/tasks/section_5/cis_5.4.x.yml
@@ -51,7 +51,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - authselect
       - rule_5.4.2
diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml
index 8f0f4d9..51c18f9 100644
--- a/tasks/section_5/cis_5.5.x.yml
+++ b/tasks/section_5/cis_5.5.x.yml
@@ -1,6 +1,6 @@
 ---
-- name: "5.5.1 | PATCH | "
+- name: "5.5.1 | PATCH | Ensure password creation requirements are configured"
   block:
       - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
         ansible.builtin.lineinfile:
@@ -32,7 +32,7 @@
       - patch
       - rule_5.5.1
-- name: "5.5.2 | PATCH | Ensure system accounts are secured"
+- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured"
   ansible.builtin.lineinfile:
       path: /etc/security/faillock.conf
       regexp: "{{ item.regexp }}"
@@ -45,7 +45,7 @@
 - name: "5.5.3 | PATCH | Ensure password reuse is limited"
   block:
-      - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory"
+      - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
         ansible.builtin.lineinfile:
             path: /etc/pam.d/system-auth
             line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
@@ -54,8 +54,8 @@
       - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix"
         ansible.builtin.replace:
             path: /etc/pam.d/system-auth
-            regexp: '^password\s*sufficient\s*pam_unix.so.*$'
-            replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
+            regexp: '^password\s*(sufficient|requisite|sufficient)\s*pam_unix.so.*$'
+            replace: 'password requisite pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
   when:
       - rhel9cis_rule_5_5_3
   tags:
@@ -64,7 +64,7 @@
       - patch
       - rule_5.5.3
-- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512"
+- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt"
   block:
       - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
         ansible.builtin.replace:
diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml
index 2e178cd..df3478f 100644
--- a/tasks/section_5/cis_5.6.1.x.yml
+++ b/tasks/section_5/cis_5.6.1.x.yml
@@ -10,7 +10,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - password
       - rule_5.5.1.1
@@ -25,7 +24,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - password
       - rule_5.6.1.2
@@ -40,7 +38,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - password
       - rule_5.5.1.3
@@ -73,7 +70,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - password
       - rule_5.6.1.4
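Review bot: The renamed sub-task label `| pwquality` in the 5.5.3 hunk does not describe what the task does: the `line:` it writes configures `pam_pwhistory.so`, not `pam_pwquality.so`, so the old label `| pwhistory` was the accurate one. Suggest restoring it: `- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory"`. The `remember=` value on that line is also read from `rhel9cis_pam_faillock.remember`, which reads oddly for a pwhistory setting; a comment such as `# remember= lives under the faillock var group in defaults` would save the next reader a lookup, or the variable could be regrouped later. The block continues past the hunk.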
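Review bot: The new `regexp` alternation `(sufficient|requisite|sufficient)` lists `sufficient` twice, so the third alternative is dead; if the intent was to also catch a line already at `required`, it should read `(sufficient|requisite|required)`. The bigger issue is the `replace:` line, which changes the control flag on `pam_unix.so` from `sufficient` to `requisite`: with `sufficient` a successful pam_unix ended the password stack, with `requisite` a success falls through to whatever follows in `/etc/pam.d/system-auth`, so the result now depends on lines outside this hunk (typically `pam_sss.so` and a final `pam_deny.so` on RHEL) and this is a behaviour change rather than lint. Unless that was deliberate and tested, keep `password sufficient pam_unix.so ...` in the replacement while widening the regexp, and state the reason in the commit message if the flag really must change. Note too that the same line still hard-codes `sha512` on pam_unix while this commit retitles 5.5.4 to "SHA-512 or yescrypt", and only `system-auth` is touched here; whether `password-auth` is handled elsewhere is outside the hunk.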
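Review bot: The 5.5.4 parent task is retitled to "SHA-512 or yescrypt", but the sub-task label on the following context line still says "SHA-512" and the `ansible.builtin.replace:` body that would show what is actually enforced is cut off by the hunk, so I cannot tell whether the control now accepts yescrypt. If it still forces `sha512`, the new title overstates the control; if it accepts either, the sub-task label should follow, e.g. `"5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt | libuser.conf"`. The block continues outside the hunk.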
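Review bot: The rule tags left as context in the first and third hunks of `cis_5.6.1.x.yml` are `rule_5.5.1.1` and `rule_5.5.1.3`, while the second and fourth hunks carry `rule_5.6.1.2` and `rule_5.6.1.4`; given the file name and its neighbours these two look like mis-numbered leftovers. A user running `--tags rule_5.6.1.1` or `--tags rule_5.6.1.3` would skip those controls with no error. Since this commit is about control alignment and already edits these tag lists, suggest `- rule_5.6.1.1` and `- rule_5.6.1.3` respectively. The task names that would confirm the numbering are outside the hunks.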
diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml
index 4f0ec0b..884efd8 100644
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@@ -41,7 +41,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - accounts
       - rule_5.6.2
@@ -65,7 +64,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - accounts
       - rule_5.6.3
@@ -79,7 +77,6 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - accounts
       - rule_5.6.4
@@ -111,7 +108,26 @@
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - accounts
       - rule_5.6.5
+
+- name: "5.6.6 | PATCH | Ensure root password is set"
+  block:
+      - name: "5.6.6 | PATCH | Ensure root password is set"
+        ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt"
+        register: root_passwd
+
+      - name: "5.6.6 | PATCH | Ensure root password is set"
+        ansible.builtin.fail:
+            msg: The root password is not set
+        when: root_passwd.rc != 0
+  when:
+      - rhel9cis_rule_5_6_6
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - accounts
+      - root
+      - rule_5.6.6
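Review bot: The new 5.6.6 check never reaches its `fail` task when the root password is actually missing: `ansible.builtin.shell: passwd -S root | grep ...` exits with grep's rc 1, and without `failed_when` the shell task itself fails with the raw command error before `when: root_passwd.rc != 0` is ever evaluated, so the friendly message is dead code. The grep string `"Password set, SHA512 crypt"` is also narrower than the policy this same commit sets (5.5.4 retitled to "SHA-512 or yescrypt"): a root hash generated with yescrypt, the RHEL 9 default, would presumably report a different crypt name and be flagged as not set (I have not confirmed the exact `passwd -S` wording). Finally the task is an audit, not a change, yet it is labelled PATCH, has no `changed_when: false` (so it reports changed on every run and trips ansible-lint's `no-changed-when` despite the "Lint updates" title), and all three tasks share one identical name. Suggest driving the check off the status field of `passwd -S` (`PS` = password set) via `command`, which removes the pipe and the hash-name dependency, as below.
```yaml
- name: "5.6.6 | AUDIT | Ensure root password is set"
  block:
      - name: "5.6.6 | AUDIT | Ensure root password is set | Get root password status"
        ansible.builtin.command: passwd -S root
        register: root_passwd
        changed_when: false

      - name: "5.6.6 | AUDIT | Ensure root password is set | Fail if not set"
        ansible.builtin.fail:
            msg: "The root password is not set ({{ root_passwd.stdout }})"
        # field 2 of 'passwd -S' is the status: PS = password set, LK = locked, NP = no password
        when: root_passwd.stdout.split()[1] != 'PS'
  # … unchanged: when / tags …
```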