From 82d1d185043e60bff7da7cdb252caaa83353f93b Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 6 Apr 2022 16:58:03 +0100
Subject: [PATCH] consistent lineinfile usage
Signed-off-by: Mark Bolwell
---
 tasks/section_1/cis_1.1.1.x.yml | 6 ++--
 tasks/section_1/cis_1.1.x.yml | 2 +-
 tasks/section_1/cis_1.8.x.yml | 2 +-
 tasks/section_2/cis_2.1.x.yml | 3 +-
 tasks/section_2/cis_2.2.x.yml | 2 +-
 tasks/section_3/cis_3.4.2.x.yml | 1 -
 tasks/section_4/cis_4.1.2.x.yml | 9 ++---
 tasks/section_4/cis_4.2.1.x.yml | 5 ++-
 tasks/section_4/cis_4.2.2.x.yml | 9 ++---
 tasks/section_5/cis_5.2.x.yml | 60 +++++++++++----------------------
 tasks/section_5/cis_5.3.x.yml | 9 ++---
 tasks/section_5/cis_5.6.1.x.yml | 9 ++---
 12 files changed, 41 insertions(+), 76 deletions(-)
diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml
index 8cf70dc..f687901 100644
--- a/tasks/section_1/cis_1.1.1.x.yml
+++ b/tasks/section_1/cis_1.1.1.x.yml
@@ -4,7 +4,7 @@
 block:
 - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config"
 lineinfile:
- dest: /etc/modprobe.d/CIS.conf
+ path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install cramfs(\\s|$)"
 line: "install cramfs /bin/true"
 create: yes
@@ -29,7 +29,7 @@
 block:
 - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config"
 lineinfile:
- dest: /etc/modprobe.d/CIS.conf
+ path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install squashfs(\\s|$)"
 line: "install squashfs /bin/true"
 create: yes
@@ -54,7 +54,7 @@
 block:
 - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config"
 lineinfile:
- dest: /etc/modprobe.d/CIS.conf
+ path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install udf(\\s|$)"
 line: "install udf /bin/true"
 create: yes
diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml
index ed2872e..a77e524 100644
--- a/tasks/section_1/cis_1.1.x.yml
+++ b/tasks/section_1/cis_1.1.x.yml
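Review bot: `install cramfs /bin/true` on the `line:` of the 1.1.1.1 hunk (and the squashfs/udf siblings) only makes `modprobe cramfs` exit successfully without loading anything; the RHEL 9 benchmark remediation, as I recall it, is `install cramfs /bin/false` together with a `blacklist cramfs` line so that explicit loads fail and alias/auto-loading is refused too — worth confirming against the benchmark version this role targets. A second `lineinfile` with `regexp: "^(#)?blacklist cramfs(\\s|$)"` and `line: "blacklist cramfs"` would cover the missing half. While these tasks are being made consistent, `create: yes` reads better as `create: true` (yamllint `truthy`), and since the file is created on first run an explicit `mode: "0644"` would stop its permissions depending on the controller's umask.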
@@ -21,7 +21,7 @@
 block:
 - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config"
 lineinfile:
- dest: /etc/modprobe.d/CIS.conf
+ path: /etc/modprobe.d/CIS.conf
 regexp: "^(#)?install usb-storage(\\s|$)"
 line: "install usb-storage /bin/true"
 create: yes
diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml
index 1edc704..e056cef 100644
--- a/tasks/section_1/cis_1.8.x.yml
+++ b/tasks/section_1/cis_1.8.x.yml
@@ -17,7 +17,7 @@
 - name: "1.8.2 | PATCH | Ensure GDM login banner is configured"
 lineinfile:
- dest: "{{ item.file }}"
+ path: "{{ item.file }}"
 regexp: "{{ item.regexp }}"
 line: "{{ item.line }}"
 state: present
diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml
index ba927e9..effe806 100644
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@@ -26,10 +26,9 @@
 - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1"
 lineinfile:
- dest: /etc/sysconfig/chronyd
+ path: /etc/sysconfig/chronyd
 regexp: "^(#)?OPTIONS"
 line: "OPTIONS=\"-u chrony\""
- state: present
 create: yes
 mode: 0644
 when:
diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml
index 00a61ef..6a195ca 100644
--- a/tasks/section_2/cis_2.2.x.yml
+++ b/tasks/section_2/cis_2.2.x.yml
@@ -285,7 +285,7 @@
 - name: "2.2.17 | PATCH | Ensure mail transfer agent is configured for local-only mode"
 lineinfile:
- dest: /etc/postfix/main.cf
+ path: /etc/postfix/main.cf
 regexp: "^(#)?inet_interfaces"
 line: "inet_interfaces = loopback-only"
 notify: restart postfix
diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml
index 3484bf6..a9284c5 100644
--- a/tasks/section_3/cis_3.4.2.x.yml
+++ b/tasks/section_3/cis_3.4.2.x.yml
@@ -332,7 +332,6 @@
 - name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent"
 lineinfile:
 path: /etc/sysconfig/nftables.conf
- state: present
 insertafter: EOF
 line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}"
 when:
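Review bot: The `include` line in the 3.4.2.11 hunk is matched by exact text only (no `regexp`), so a later change to `rhel9cis_nft_tables_tablename` appends a second `include` and leaves the old one pointing at a file that may no longer exist; `nft -f` aborts on a missing include, which would presumably leave nftables.service failing at boot with no ruleset loaded. Adding `regexp: '^include "/etc/nftables/inet-'` makes the task replace the previous include instead of accumulating them. The task's `when:` list continues outside the hunk.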
diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml
index a7e0282..0eec0b2 100644
--- a/tasks/section_4/cis_4.1.2.x.yml
+++ b/tasks/section_4/cis_4.1.2.x.yml
@@ -2,10 +2,9 @@
 - name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured"
 lineinfile:
- dest: /etc/audit/auditd.conf
+ path: /etc/audit/auditd.conf
 regexp: "^max_log_file( |=)"
 line: "max_log_file = {{ rhel9cis_max_log_file_size }}"
- state: present
 notify: restart auditd
 when:
 - rhel9cis_rule_4_1_2_1
@@ -19,10 +18,9 @@
 - name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted"
 lineinfile:
- dest: /etc/audit/auditd.conf
+ path: /etc/audit/auditd.conf
 regexp: "^max_log_file_action"
 line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}"
- state: present
 notify: restart auditd
 when:
 - rhel9cis_rule_4_1_2_2
@@ -36,10 +34,9 @@
 - name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full"
 lineinfile:
- dest: /etc/audit/auditd.conf
+ path: /etc/audit/auditd.conf
 regexp: "{{ item.regexp }}"
 line: "{{ item.line }}"
- state: present
 notify: restart auditd
 with_items:
 - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' }
diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml
index 6196c80..7e70a02 100644
--- a/tasks/section_4/cis_4.2.1.x.yml
+++ b/tasks/section_4/cis_4.2.1.x.yml
@@ -32,10 +32,9 @@
 # This is counter to control 4.2.2.5??
 - name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog"
 lineinfile:
- dest: /etc/systemd/journald.conf
+ path: /etc/systemd/journald.conf
 regexp: "^#ForwardToSyslog=|^ForwardToSyslog="
 line: ForwardToSyslog=yes
- state: present
 when:
 - rhel9cis_rule_4_2_1_3
 - rhel9cis_preferred_log_capture == "rsyslog"
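Review bot: The 4.2.1.3 task rewrites `ForwardToSyslog=` in /etc/systemd/journald.conf but, unlike the auditd tasks above it, notifies no handler, so the running journald keeps the old value until something else restarts it; adding `notify: restart systemd-journald` (or whatever this role's journald handler is called — none is visible here) would make the change take effect in the same run. journald also reads drop-ins under /etc/systemd/journald.conf.d/ after the main file, so a drop-in setting `ForwardToSyslog=no` silently wins over this edit and the task should either check for or manage those files. The `# This is counter to control 4.2.2.5??` comment is still open, and this commit does not decide which of the two tasks is meant to win when both rules are enabled.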
@@ -48,7 +47,7 @@
 - name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured"
 lineinfile:
- dest: /etc/rsyslog.conf
+ path: /etc/rsyslog.conf
 regexp: '^\$FileCreateMode'
 line: '$FileCreateMode 0640'
 notify: restart rsyslog
diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml
index 5b59d63..8523066 100644
--- a/tasks/section_4/cis_4.2.2.x.yml
+++ b/tasks/section_4/cis_4.2.2.x.yml
@@ -97,10 +97,9 @@
 - name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files"
 lineinfile:
- dest: /etc/systemd/journald.conf
+ path: /etc/systemd/journald.conf
 regexp: "^#Compress=|^Compress="
 line: Compress=yes
- state: present
 when:
 - rhel9cis_rule_4_2_2_3
 tags:
@@ -113,10 +112,9 @@
 - name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk"
 lineinfile:
- dest: /etc/systemd/journald.conf
+ path: /etc/systemd/journald.conf
 regexp: "^#Storage=|^Storage="
 line: Storage=persistent
- state: present
 when:
 - rhel9cis_rule_4_2_2_4
 tags:
@@ -130,10 +128,9 @@
 # This is counter to control 4.2.1.3??
 - name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog"
 lineinfile:
- dest: /etc/systemd/journald.conf
+ path: /etc/systemd/journald.conf
 regexp: "^ForwardToSyslog="
 line: "#ForwardToSyslog=yes"
- state: present
 notify: restart systemd_journal_upload
 when:
 - rhel9cis_rule_4_2_2_5
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index d606507..7234da6 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -83,8 +83,7 @@
 block:
 - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^AllowUsers"
 line: AllowUsers {{ rhel9cis_sshd['allowusers'] }}
 validate: sshd -t -f %s
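Review bot: In the 4.2.2.5 hunk `regexp: "^ForwardToSyslog="` only matches an active line, so on a host where the key is already commented out nothing is replaced and `#ForwardToSyslog=yes` is appended at EOF — harmless, but the task never positively asserts the setting is off; `regexp: "^#?ForwardToSyslog="` with `line: ForwardToSyslog=no` would state the intent explicitly and stay idempotent. The handler notified is `restart systemd_journal_upload`, yet the file edited is journald's own config; assuming that handler does what its name says, journald itself is not restarted and the change only applies after a reboot. The `# This is counter to control 4.2.1.3??` comment carries over unresolved.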
@@ -93,8 +92,7 @@
 - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^AllowGroups"
 line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }}
 validate: sshd -t -f %s
@@ -103,8 +101,7 @@
 - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^DenyUsers"
 line: DenyUsers {{ rhel9cis_sshd['denyusers'] }}
 validate: sshd -t -f %s
@@ -113,8 +110,7 @@
 - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^DenyGroups"
 line: DenyGroups {{ rhel9cis_sshd['denygroups'] }}
 validate: sshd -t -f %s
@@ -132,8 +128,7 @@
 - name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^#LogLevel|^LogLevel"
 line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
 validate: sshd -t -f %s
@@ -149,8 +144,7 @@
 - name: "5.2.6 | PATCH | Ensure SSH PAM is enabled"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^#UsePAM|^UsePAM"
 line: 'UsePAM yes'
 validate: sshd -t -f %s
@@ -166,8 +160,7 @@
 - name: "5.2.7 | PATCH | Ensure SSH root login is disabled"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^#PermitRootLogin|^PermitRootLogin"
 line: 'PermitRootLogin no'
 validate: sshd -t -f %s
@@ -183,8 +176,7 @@
 - name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^#HostbasedAuthentication|^HostbasedAuthentication"
 line: 'HostbasedAuthentication no'
 validate: sshd -t -f %s
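Review bot: The `PermitRootLogin no` written by the 5.2.7 hunk can be silently overridden: the stock RHEL 9 /etc/ssh/sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, sshd keeps the first value it sees for a keyword, and the installer can leave a drop-in containing `PermitRootLogin yes` in that directory — `sshd -t` passes either way. The same applies to every sshd_config edit in this file, so the role should either manage a drop-in that sorts first (e.g. `/etc/ssh/sshd_config.d/00-cis.conf`) or remove conflicting drop-ins, and it should verify the effective value with `sshd -T` rather than trusting the file edit. A secondary effect of the `^#PermitRootLogin|^PermitRootLogin` regexp is that when neither form is present the line is appended at EOF, which lands inside any trailing `Match` block and then applies only to that block.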
@@ -200,8 +192,7 @@
 - name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
 line: 'PermitEmptyPasswords no'
 validate: sshd -t -f %s
@@ -217,8 +208,7 @@
 - name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
 line: 'PermitUserEnvironment no'
 validate: sshd -t -f %s
@@ -234,8 +224,7 @@
 - name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^#IgnoreRhosts|^IgnoreRhosts"
 line: 'IgnoreRhosts yes'
 validate: sshd -t -f %s
@@ -251,8 +240,7 @@
 - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^#X11Forwarding|^X11Forwarding"
 line: 'X11Forwarding no'
 validate: sshd -t -f %s
@@ -268,8 +256,7 @@
 - name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
 line: 'AllowTcpForwarding no'
 validate: sshd -t -f %s
@@ -300,8 +287,7 @@
 - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: '^Banner'
 line: 'Banner /etc/issue.net'
 when:
@@ -316,8 +302,7 @@
 - name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: '^(#)?MaxAuthTries \d'
 line: 'MaxAuthTries 4'
 validate: sshd -t -f %s
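Review bot: The 5.2.15 hunk is the only sshd_config edit visible in this file without `validate: sshd -t -f %s`; every other task validates before the file is written, so this one should too, otherwise a malformed file can be left in place and sshd fail to reload. Adding `validate: sshd -t -f %s` after `line: 'Banner /etc/issue.net'` keeps the tasks uniform, which is the stated aim of this commit. The task's `when:` list continues outside the hunk.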
@@ -333,8 +318,7 @@
 - name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^#MaxStartups|^MaxStartups"
 line: 'MaxStartups 10:30:60'
 validate: sshd -t -f %s
@@ -350,8 +334,7 @@
 - name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^#MaxSessions|^MaxSessions"
 line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
 validate: sshd -t -f %s
@@ -367,8 +350,7 @@
 - name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: "^#LoginGraceTime|^LoginGraceTime"
 line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
 validate: sshd -t -f %s
@@ -386,16 +368,14 @@
 block:
 - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: '^ClientAliveInterval'
 line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
 validate: sshd -t -f %s
 - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
 lineinfile:
- state: present
- dest: /etc/ssh/sshd_config
+ path: /etc/ssh/sshd_config
 regexp: '^ClientAliveCountMax'
 line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"
 validate: sshd -t -f %s
diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml
index 9aa864a..f9dad14 100644
--- a/tasks/section_5/cis_5.3.x.yml
+++ b/tasks/section_5/cis_5.3.x.yml
@@ -16,9 +16,8 @@
 - name: "5.3.2 | PATCH | Ensure sudo commands use pty"
 lineinfile:
- dest: /etc/sudoers
+ path: /etc/sudoers
 line: "Defaults use_pty"
- state: present
 validate: '/usr/sbin/visudo -cf %s'
 when:
 - rhel9cis_rule_5_3_2
@@ -32,10 +31,9 @@
 - name: "5.3.3 | PATCH | Ensure sudo log file exists"
 lineinfile:
- dest: /etc/sudoers
+ path: /etc/sudoers
 regexp: '^Defaults logfile='
 line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"'
- state: present
 validate: '/usr/sbin/visudo -cf %s'
 when:
 - rhel9cis_rule_5_3_3
@@ -122,8 +120,7 @@
 block:
 - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
 lineinfile:
- state: present
- dest: /etc/pam.d/su
+ path: /etc/pam.d/su
 regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
 line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'
diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml
index 6609026..c728d90 100644
--- a/tasks/section_5/cis_5.6.1.x.yml
+++ b/tasks/section_5/cis_5.6.1.x.yml
@@ -2,8 +2,7 @@
 - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
 lineinfile:
- state: present
- dest: /etc/login.defs
+ path: /etc/login.defs
 regexp: '^PASS_MAX_DAYS'
 line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
 when:
@@ -18,8 +17,7 @@
 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
 lineinfile:
- state: present
- dest: /etc/login.defs
+ path: /etc/login.defs
 regexp: '^PASS_MIN_DAYS'
 line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
 when:
@@ -34,8 +32,7 @@
 - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
 lineinfile:
- state: present
- dest: /etc/login.defs
+ path: /etc/login.defs
 regexp: '^PASS_WARN_AGE'
 line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
 when:
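Review bot: In the 5.3.7 hunk, when `rhel9cis_sugroup` is undefined the line written is `auth required pam_wheel.so use_uid` with no `group=`, and pam_wheel then falls back to the `wheel` group — on RHEL 9 that is the administrators' sudo group, so every admin can still `su` to root, whereas CIS 5.3.7 expects an empty dedicated group. Unless a guard outside the hunk guarantees the variable (the block's `when:` is not in view), I would make `group=` unconditional with a role default such as `rhel9cis_sugroup: sugroup` and ensure that group exists beforehand. The `^(#)?auth\s+required\s+pam_wheel\.so` regexp does correctly skip the commented `sufficient ... trust` entry on a stock file, so the in-place replacement keeps the module in its original position in the stack.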
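Review bot: `PASS_MAX_DAYS` in /etc/login.defs only applies to accounts created afterwards; existing users keep whatever value is in /etc/shadow, and the CIS 5.6.1.1 audit checks those too, so the 5.6.1.1 hunk alone leaves pre-existing accounts non-compliant. Unless a follow-up task runs `chage --maxdays {{ rhel9cis_pass['max_days'] }}` for existing password-bearing users (none is in view), one should be added; the same holds for `PASS_MIN_DAYS`/`chage --mindays` and `PASS_WARN_AGE`/`chage --warndays` in the two hunks below. Each task's `when:` list continues outside its hunk.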