Merge pull request #42 from ansible-lockdown/issues_40_41

Issues 40 41
2025-12-24 14:23:05 +00:00 · 2023-03-13 14:15:37 +00:00 · 2023-03-13 14:15:37 +00:00 · 7dd21ee96b
commit 7dd21ee96b
parent cd66d451db 181002c23b
8 changed files with 30 additions and 41 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -1,5 +1,10 @@
 # Changes to rhel9CIS

+## 1.0.4
+
+#40 tmp systemd file variable naming update
+#41 5.3.7 logic and rewrite - tidy up prelim for sugroup work - audit updated
+
 ## 1.0.3

 Update to auditd components improve idempotency and tidy up
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -645,11 +645,9 @@ rhel9cis_shell_session_timeout:
 # RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords
 rhel9cis_futurepwchgdate_autofix: true

-# 5.7
-# rhel9cis_sugroup: sugroup  # change accordingly wheel is default
+# 5.3.7
+rhel9cis_sugroup: nosugroup

-# wheel users list please supply comma seperated e.g. "vagrant,root"
-rhel9cis_sugroup_users: "root"

 ## Section6 vars

@ -660,13 +658,10 @@ rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check
 rhel9cis_no_world_write_adjust: true
 rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"

-
 # 6.2.16
 ## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj
 rhel_09_6_2_16_home_follow_symlinks: false

-
-
 #### Goss Configuration Settings ####
 # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
 audit_run_script_environment:
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -31,7 +31,7 @@
      daemon_reload: true
      enabled: true
      masked: false
-      state: Reloaded
+      state: reloaded

 - name: Remount tmp
  ansible.posix.mount:
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@ -21,6 +21,10 @@
  when:
  - audit_content == 'git'

+- name: Pre Audit | confirm audit branch vs benchmark version
+  ansible.builtin.debug:
+      msg: "Audit will run the branch {{ audit_git_version }} for this Benchmark {{ benchmark_version }}"
+
 - name: Pre Audit | copy to audit content files to server
  ansible.builtin.copy:
      src: "{{ audit_local_copy }}"
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -226,26 +226,6 @@
      - rule_5.3.4
      - rule_5.3.5

- name: "PRELIM | Check sugroup exists if used"
-  block:
-      - name: "PRELIM | Check su group exists if defined"
-        ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
-        register: sugroup_exists
-        changed_when: false
-        failed_when: sugroup_exists.rc >= 2
-        tags:
-            - skip_ansible_lint
-
-      - name: "PRELIM | Check sugroup if defined exists before continuing"
-        ansible.builtin.assert:
-            that: sugroup_exists.rc == 0
-            msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
-  when:
-      - rhel9cis_sugroup is defined
-      - rhel9cis_rule_5_7
-  tags:
-      - rule_5.7
-
 - name: "PRELIM | Discover Interactive UID MIN and MIN from logins.def"
  block:
      - name: "PRELIM | Capture UID_MIN information from logins.def"
--- a/tasks/section_5/cis_5.3.x.yml
+++ b/tasks/section_5/cis_5.3.x.yml
@ -109,17 +109,25 @@

 - name: "5.3.7 | PATCH | Ensure access to the su command is restricted"
  block:
+
+      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
+        ansible.builtin.group:
+            name: "{{ rhel9cis_sugroup }}"
+            state: present
+        register: rhel9cis_5_3_7_sugroup
+
+      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
+        ansible.builtin.lineinfile:
+            path: /etc/group
+            regexp: '^{{ rhel9cis_sugroup }}(:.:.*:).*$'
+            line: '{{ rhel9cis_sugroup }}\g<1>'
+            backrefs: true
+
      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/su
            regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
-            line: 'auth           required        pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'
-
-      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root"
-        ansible.builtin.user:
-            name: "{{ item }}"
-            groups: "{{ rhel9cis_sugroup | default('wheel') }}"
-        loop: "{{ rhel9cis_sugroup_users }}"
+            line: 'auth           required        pam_wheel.so use_uid group={{ rhel9cis_sugroup }}'
  when:
      - rhel9cis_rule_5_3_7
  tags:
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@ -508,7 +508,4 @@ rhel9cis_pass:
  warn_age: {{ rhel9cis_pass['warn_age'] }}

 ## 5.3.7 set sugroup if differs from wheel
-rhel9cis_sugroup: {% if rhel9cis_sugroup is undefined %}wheel{% else %}{{ rhel9cis_sugroup }}{% endif %}
-
-## 5.3.7 sugroup users list
-rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }}
+rhel9cis_sugroup: {{ rhel9cis_sugroup }}
--- a/templates/etc/systemd/system/tmp.mount.j2
+++ b/templates/etc/systemd/system/tmp.mount.j2
@ -23,8 +23,8 @@ After=swap.target
 What=tmpfs
 Where=/tmp
 Type=tmpfs
-Options=mode=1777,strictatime,{% if rhel9cis_rule_1_1_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_5 %}noexec{% endif %}
+Options=mode=1777,strictatime,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec{% endif %}

 # Make 'systemctl enable tmp.mount' work:
 [Install]
-WantedBy=local-fs.target
+WantedBy=local-fs.target