diff --git a/LICENSE b/LICENSE index bb487ce..7e51eb7 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown +Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index 7551cc9..0a4b4ff 100644 --- a/README.md +++ b/README.md @@ -32,65 +32,82 @@ --- -## Looking for support? - -[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH9_cis) - -[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH9_cis) - ### Community Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. -### Contributing - -Issues and Pull requests are welcome please ensure that all commits are signed-off-by and gpg-signed. -Refer to [Contributing Guide](./CONTRIBUTING.rst) - --- ## Caution(s) This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. -Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL8-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode. +- Testing is the most important thing you can do. -This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. +- Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL9-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode. -To use the release version, please point to the `main` branch and relevant release for the cis benchmark you wish to work with. +- This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. + +- To use release version please point to main branch and relevant release/tag for the cis benchmark you wish to work with. + +- If moving across major releases e.g. v2.0.0 - v3.0.0 there are significant changes to the benchmarks and controls it is suggested to start as a new standard not to upgrade. + +- Containers references vars/is_container.yml this is an example and to be updated for your requirements + +- Did we mention testing?? --- ## Matching a security Level for CIS -It is possible to only run level 1 or level 2 controls for CIS. +It is possible to to only run level 1 or level 2 controls for CIS. This is managed using tags: -- level1-server -- level1-workstation -- level2-server -- level2-workstation +- level1_server +- level1_workstation +- level2_server +- level2_workstation -The control found in the `defaults` main also needs to reflect this, as this control is the testing that takes place if you are using the audit component. +The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. ## Coming from a previous release -CIS release always contains changes, it is highly recommended to review the new references and available variables. This has changed significantly since the ansible-lockdown initial release. -This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites which configure the system accordingly. +CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release. +This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. Further details can be seen in the [Changelog](./ChangeLog.md) ## Auditing (new) -This can be turned on or off within the `defaults/main.yml` file with the variables `setup_audit` and `run_audit`. The value is `false` by default. Please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. +This can be turned on or off within the defaults/main.yml file with the variable run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. -A new form of auditing has been developed by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check without the need for infrastructure or other tooling. -This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also try to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. +A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. +This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit). +## Example Audit Summary + +This is based on a vagrant image with selections enabled. e.g. No Gui or firewall. +Note: More tests are run during audit as we check config and running state. + +```txt + +ok: [default] => { + "msg": [ + "The pre remediation results are: ['Total Duration: 5.454s', 'Count: 338, Failed: 47, Skipped: 5'].", + "The post remediation results are: ['Total Duration: 5.007s', 'Count: 338, Failed: 46, Skipped: 5'].", + "Full breakdown can be found in /var/tmp", + "" + ] +} + +PLAY RECAP ******************************************************************************************************************************************* +default : ok=270 changed=23 unreachable=0 failed=0 skipped=140 rescued=0 ignored=0 +``` + ## Documentation - [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/) @@ -101,19 +118,6 @@ Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit). ## Requirements -RHEL 9 -Almalinux 9 -Rocky 9 -OracleLinux 9 - -- Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) - -CentOS stream - while this will generally work it is not supported and requires the following variable setting - -```sh -os_check: false -``` - **General:** - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible @@ -123,23 +127,22 @@ os_check: false - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) - Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file. +- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file. **Technical Dependencies:** -- Python3 -- Ansible 2.10+ -- python-def (should be included in RHEL 9) -- libselinux-python -- pip packages - - jmespath -- collections found in collections/requirements.yml +RHEL/AlmaLinux/Rocky/Oracle 9 - Other versions are not supported. -pre-commit is available if installed on your host for pull request testing. +- Access to download or add the goss binary and content to the system if using auditing +(other options are available on how to get the content to the system.) +- Python3.8 +- Ansible 2.12+ +- python-def +- libselinux-python ## Role Variables -This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done by overriding the required varaibles as found in defaults/main.yml file. e.g. using inventory, group_vars, extra_vars +This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. ## Tags @@ -169,10 +172,7 @@ We encourage you (the community) to contribute to this role. Please read the rul ## Known Issues -CIS 1.2.4 - repo_gpgcheck is not carried out for RedHat hosts as the default repos do not have this function. This also affect EPEL(not covered by var). - - Rocky and Alma not affected. -Variable used to unset. -rhel9cis_rhel_default_repo: true # to be set to false if using repo that does have this ability +Almalinux BaseOS, EPEL and many cloud providers repositories, do not allow gpgcheck(rule_1.2.1.2) or repo_gpgcheck (rule_1.2.1.3) this will cause issues during the playbook unless or a workaround is found. ## Pipeline Testing @@ -180,21 +180,32 @@ uses: - ansible-core 2.12 - ansible collections - pulls in the latest version based on requirements file -- Runs the audit using the devel branch -- Runs the pre-commit setup on the PR to ensure everything is in place as expected. +- runs the audit using the devel branch - This is an automated test that occurs on pull requests into devel ## Local Testing -- Ansible +Molecule can be used to work on this role and test in distinct _scenarios_. - - ansible-base 2.10.17 - python 3.8 - - ansible-core 2.13.4 - python 3.10 - - ansible-core 2.15.1 - python 3.11 +### examples + +```bash +molecule test -s default +molecule converge -s wsl -- --check +molecule verify -s localhost +``` + +local testing uses: + +- ansible 2.13.3 +- molecule 4.0.1 +- molecule-docker 2.0.0 +- molecule-podman 2.0.2 +- molecule-vagrant 1.0.0 +- molecule-azure 0.5.0 ## Added Extras -- makefile - this is there purely for testing and initial setup purposes. - [pre-commit](https://pre-commit.com) can be tested and can be run from within the directory ```sh diff --git a/handlers/main.yml b/handlers/main.yml index 91181a1..3c51ddf 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -243,8 +243,7 @@ register: discovered_auditd_immutable_check - name: Audit immutable fact - when: - - discovered_auditd_immutable_check.stdout == '1' + when: discovered_auditd_immutable_check.stdout == '1' ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" notify: Change_requires_reboot diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 52fc8bd..c1fd66e 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,5 +1,4 @@ --- - - name: Pre Audit Setup | Set audit package name block: - name: Pre Audit Setup | Set audit package name | 64bit diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index 008d358..1377f9f 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml @@ -1,5 +1,4 @@ --- - - name: Audit_Only | Create local Directories for hosts when: fetch_audit_files ansible.builtin.file: diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml index 159b72f..b9bf2af 100644 --- a/tasks/check_prereqs.yml +++ b/tasks/check_prereqs.yml @@ -1,8 +1,7 @@ --- - name: "PREREQ | If required install libselinux package to manage file changes." - when: - - '"libselinux-python3" not in ansible_facts.packages' + when: '"libselinux-python3" not in ansible_facts.packages' ansible.builtin.package: name: libselinux-python3 state: present diff --git a/tasks/main.yml b/tasks/main.yml index 4cb6869..2ea223c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,22 +2,19 @@ # tasks file for RHEL9-CIS - name: "Check OS version and family" + when: os_check + tags: always ansible.builtin.assert: that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}" - when: - - os_check - tags: - - always - name: "Check ansible version" + tags: always ansible.builtin.assert: that: ansible_version.full is version_compare(min_ansible_version, '>=') fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" - tags: - - always - name: "Setup rules if container" when: @@ -36,8 +33,7 @@ file: "{{ container_vars_file }}" - name: "Output if discovered is a container" - when: - - system_is_container + when: system_is_container ansible.builtin.debug: msg: system has been discovered as a container @@ -51,8 +47,7 @@ when: - rhel9cis_set_boot_pass - rhel9cis_rule_1_4_1 - tags: - - always + tags: always ansible.builtin.assert: that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" @@ -94,8 +89,7 @@ msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks." - name: "Check local account" - when: - - prelim_ansible_user_password_set.stdout != "not found" + when: prelim_ansible_user_password_set.stdout != "not found" block: - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template] ansible.builtin.assert: @@ -113,10 +107,8 @@ success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" - name: "PRELIM | AUDIT | Check authselect profile is selected" - when: - - rhel9cis_allow_authselect_updates - tags: - - always + when: rhel9cis_allow_authselect_updates + tags: always block: - name: "PRELIM | AUDIT | Check authselect profile name has been updated" ansible.builtin.assert: @@ -136,8 +128,7 @@ fail_msg: Authselect updates have been selected there are issues with profile selection" - name: "Ensure root password is set" - when: - - rhel9cis_rule_5_4_2_4 + when: rhel9cis_rule_5_4_2_4 tags: - level1-server - level1-workstation @@ -158,14 +149,12 @@ success_msg: "You have a root password set" - name: "Gather the package facts" - tags: - - always + tags: always ansible.builtin.package_facts: manager: auto - name: "Include OS specific variables" - tags: - - always + tags: always ansible.builtin.include_vars: file: "{{ ansible_facts.distribution }}.yml" @@ -213,8 +202,7 @@ - name: "Run auditd logic" when: update_audit_template - tags: - - always + tags: always ansible.builtin.import_tasks: file: auditd.yml @@ -226,8 +214,7 @@ file: post.yml - name: "Run post_remediation audit" - when: - - run_audit + when: run_audit ansible.builtin.import_tasks: file: post_remediation_audit.yml @@ -238,7 +225,6 @@ - name: "If Warnings found Output count and control IDs affected" when: warn_count != 0 - tags: - - always + tags: always ansible.builtin.debug: msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 337889c..86c1cac 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -1,8 +1,7 @@ --- - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - tags: - - always + tags: always block: - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" ansible.builtin.command: cat /etc/passwd diff --git a/tasks/post.yml b/tasks/post.yml index 4308727..383cdf6 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -1,9 +1,7 @@ --- -# Post tasks - name: POST | Gather the package facts after remediation - tags: - - always + tags: always ansible.builtin.package_facts: manager: auto @@ -17,7 +15,7 @@ dest: "/etc/sysctl.d/{{ item }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' notify: Reload sysctl loop: - 60-kernel_sysctl.conf diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 91cc9b7..61959fa 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,5 +1,4 @@ --- - - name: Pre Audit Setup | Setup the LE audit when: setup_audit tags: setup_audit diff --git a/tasks/prelim.yml b/tasks/prelim.yml index efa13d5..6602d28 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -17,43 +17,37 @@ when: - run_audit or audit_only - setup_audit - tags: - - run_audit + tags: run_audit ansible.builtin.import_tasks: pre_remediation_audit.yml - name: "PRELIM | AUDIT | Interactive Users" - tags: - - always + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' changed_when: false register: prelim_interactive_usernames - name: "PRELIM | AUDIT | Interactive User accounts home directories" - tags: - - always + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }' changed_when: false register: prelim_interactive_users_home - name: "PRELIM | AUDIT | Interactive UIDs" - tags: - - always + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' changed_when: false register: prelim_interactive_uids - name: "PRELIM | AUDIT | Capture /etc/password variables" + tags: always ansible.builtin.include_tasks: file: parse_etc_password.yml - tags: - - always - name: "PRELIM | PATCH | Ensure python3-libselinux is installed" - when: - - '"python3-libselinux" not in ansible_facts.packages' + when: '"python3-libselinux" not in ansible_facts.packages' ansible.builtin.package: name: python3-libselinux state: present @@ -108,14 +102,14 @@ failed_when: false register: prelim_check_gpg_imported - - name: "PRELIM | AUDIT | Import gpg keys | Check Package" + - name: "PRELIM | AUDIT | Import gpg keys | Check Package" # noqa command-instead-of-module when: "'not installed' in prelim_check_gpg_imported.stdout" ansible.builtin.shell: rpm -qi redhat-release | grep Signature # noqa command-instead-of-module changed_when: false failed_when: false register: prelim_os_gpg_package_valid - - name: "PRELIM | PATCH | Force keys to be imported" + - name: "PRELIM | PATCH | Force keys to be imported" # noqa command-instead-of-module when: - "'not installed' in prelim_check_gpg_imported.stdout" - "'Key ID 199e2f91fd431d51' in prelim_os_gpg_package_valid.stdout" @@ -124,8 +118,7 @@ state: present - name: "PRELIM | AUDIT | Check systemd coredump" - when: - - rhel9cis_rule_1_5_4 + when: rhel9cis_rule_1_5_4 tags: - level1-server - level1-workstation @@ -208,7 +201,7 @@ - always block: - name: "PRELIM | AUDIT | Discover is wirelss adapter on system" - ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless + ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless register: discover_wireless_adapters changed_when: false failed_when: discover_wireless_adapters.rc not in [ 0, 1 ] @@ -247,7 +240,7 @@ path: "{{ rhel9cis_sshd_config_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' state: touch - name: "PRELIM | AUDIT | Gather UID 0 accounts other than root" diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 02a387e..adc094d 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -1,8 +1,7 @@ --- - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available" - when: - - rhel9cis_rule_1_1_1_1 + when: rhel9cis_rule_1_1_1_1 tags: - level1-server - level1-workstation @@ -17,7 +16,7 @@ regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -25,7 +24,7 @@ regexp: "^(#)?blacklist cramfs(\\s|$)" line: "blacklist cramfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" when: @@ -35,8 +34,7 @@ state: absent - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available" - when: - - rhel9cis_rule_1_1_1_2 + when: rhel9cis_rule_1_1_1_2 tags: - level1-server - level1-workstation @@ -51,7 +49,7 @@ regexp: "^(#)?install freevxfs(\\s|$)" line: "install freevxfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -59,18 +57,16 @@ regexp: "^(#)?blacklist freevxfs(\\s|$)" line: "blacklist freevxfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: freevxfs state: absent - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available" - when: - - rhel9cis_rule_1_1_1_3 + when: rhel9cis_rule_1_1_1_3 tags: - level1-server - level1-workstation @@ -85,7 +81,7 @@ regexp: "^(#)?install hfs(\\s|$)" line: "install hfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -93,18 +89,16 @@ regexp: "^(#)?blacklist hfs(\\s|$)" line: "blacklist hfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: hfs state: absent - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available" - when: - - rhel9cis_rule_1_1_1_4 + when: rhel9cis_rule_1_1_1_4 tags: - level1-server - level1-workstation @@ -119,7 +113,7 @@ regexp: "^(#)?install hfsplus(\\s|$)" line: "install hfsplus /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -127,18 +121,16 @@ regexp: "^(#)?blacklist hfsplus(\\s|$)" line: "blacklist hfsplus" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: hfsplus state: absent - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available" - when: - - rhel9cis_rule_1_1_1_5 + when: rhel9cis_rule_1_1_1_5 tags: - level1-server - level1-workstation @@ -153,7 +145,7 @@ regexp: "^(#)?install jffs2(\\s|$)" line: "install jffs2 /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -161,18 +153,16 @@ regexp: "^(#)?blacklist jffs2(\\s|$)" line: "blacklist jffs2" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: jffs2 state: absent - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available" - when: - - rhel9cis_rule_1_1_1_6 + when: rhel9cis_rule_1_1_1_6 tags: - level2-server - level2-workstation @@ -187,7 +177,7 @@ regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -195,18 +185,16 @@ regexp: "^(#)?blacklist squashfs(\\s|$)" line: "blacklist squashfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: squashfs state: absent - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available" - when: - - rhel9cis_rule_1_1_1_7 + when: rhel9cis_rule_1_1_1_7 tags: - level2-server - level2-workstation @@ -221,7 +209,7 @@ regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -229,18 +217,16 @@ regexp: "^(#)?blacklist udf(\\s|$)" line: "blacklist udf" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Disable udf" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: udf state: absent - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available" - when: - - rhel9cis_rule_1_1_1_8 + when: rhel9cis_rule_1_1_1_8 tags: - level1-server - level2-workstation @@ -255,7 +241,7 @@ regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -263,18 +249,16 @@ regexp: "^(#)?blacklist usb-storage(\\s|$)" line: "blacklist usb-storage" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Disable usb" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: usb-storage state: absent - name: "1.1.1.9 | PATCH | Ensure unused filesystems kernel modules are not available" - when: - - rhel9cis_rule_1_1_1_9 + when: rhel9cis_rule_1_1_1_9 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index 960b495..a5a8d71 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml @@ -26,7 +26,6 @@ changed_when: false failed_when: false register: discovered_os_gpg_key_check - when: discovered_os_installed_pub_keys.rc == 0 - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | If expected keys fail" when: @@ -36,8 +35,7 @@ msg: Installed GPG Keys do not meet expected values or expected keys are not installed - name: "1.2.1.2 | PATCH | Ensure gpgcheck is globally activated" - when: - - rhel9cis_rule_1_2_1_2 + when: rhel9cis_rule_1_2_1_2 tags: - level1-server - level1-workstation @@ -95,8 +93,7 @@ label: "{{ item.path }}" - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured" - when: - - rhel9cis_rule_1_2_1_4 + when: rhel9cis_rule_1_2_1_4 tags: - level1-server - level1-workstation @@ -111,8 +108,8 @@ ansible.builtin.command: dnf repolist changed_when: false failed_when: false - register: discovered_dnf_configured check_mode: false + register: discovered_dnf_configured - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" ansible.builtin.debug: diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml index f3f67f8..198ae7b 100644 --- a/tasks/section_1/cis_1.3.1.x.yml +++ b/tasks/section_1/cis_1.3.1.x.yml @@ -122,8 +122,7 @@ file: warning_facts.yml - name: "1.3.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" - when: - - rhel9cis_rule_1_3_1_7 + when: rhel9cis_rule_1_3_1_7 tags: - level1-server - level1-workstation @@ -136,9 +135,6 @@ state: absent - name: "1.3.1.8 | PATCH | Ensure SETroubleshoot is not installed" - ansible.builtin.package: - name: setroubleshoot - state: absent when: - rhel9cis_rule_1_3_1_8 - "'setroubleshoot' in ansible_facts.packages" @@ -149,3 +145,6 @@ - rule_1.3.1.8 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 + ansible.builtin.package: + name: setroubleshoot + state: absent diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 747faa8..d422f14 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -16,12 +16,11 @@ content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy owner: root group: root - mode: '0600' + mode: 'go-rwx' notify: Grub2cfg - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" - when: - - rhel9cis_rule_1_4_2 + when: rhel9cis_rule_1_4_2 tags: - level1-server - level1-workstation @@ -41,5 +40,5 @@ access_time: preserve loop: - { path: 'grub.cfg', mode: '0700' } - - { path: 'grubenv', mode: '0600' } - - { path: 'user.cfg', mode: '0600' } + - { path: 'grubenv', mode: 'go-rwx' } + - { path: 'user.cfg', mode: 'go-rwx' } diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 1184603..992785b 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -1,8 +1,7 @@ --- - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - when: - - rhel9cis_rule_1_5_1 + when: rhel9cis_rule_1_5_1 tags: - level1-server - level1-workstation @@ -21,8 +20,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" - name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted" - when: - - rhel9cis_rule_1_5_2 + when: rhel9cis_rule_1_5_2 tags: - level1-server - level1-workstation @@ -39,8 +37,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" - name: "1.5.3 | PATCH | Ensure core dump backtraces are disabled" - when: - - rhel9cis_rule_1_5_3 + when: rhel9cis_rule_1_5_3 tags: - level1-server - level1-workstation @@ -50,7 +47,7 @@ - NIST800-53R5_CM-6b ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf - regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$' + regexp: '(?#)^ProcessSizeMax\s*=\s*.*[1-9].*$' line: 'ProcessSizeMax=0' - name: "1.5.4 | PATCH | Ensure core dump storage is disabled" diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 5d9441e..c418324 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -1,8 +1,7 @@ --- - name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy" - when: - - rhel9cis_rule_1_6_1 + when: rhel9cis_rule_1_6_1 tags: - level1-server - level1-workstation @@ -18,8 +17,7 @@ - Set Crypto Policy - name: "1.6.2 | PATCH | Ensure system wide crypto policy is not set in sshd configuration" - when: - - rhel9cis_rule_1_6_2 + when: rhel9cis_rule_1_6_2 tags: - level1-server - level1-workstation @@ -54,7 +52,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' register: discovered_no_sha1_template - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules" @@ -85,7 +83,7 @@ dest: /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' register: discovered_no_weakmac_template - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules" @@ -115,7 +113,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' register: discovered_no_sshcbc_template - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules" @@ -145,7 +143,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' register: discovered_no_sshweakciphers_template - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules" @@ -175,7 +173,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SSHETM.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' register: discovered_no_sshetm_template - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules" diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index c7484cd..7f45476 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -1,8 +1,7 @@ --- - name: "1.7.1 | PATCH | Ensure message of the day is configured properly" - when: - - rhel9cis_rule_1_7_1 + when: rhel9cis_rule_1_7_1 tags: - level1-server - level1-workstation @@ -17,11 +16,10 @@ dest: /etc/motd owner: root group: root - mode: u-x,go-wx + mode: 'u-x,go-wx' - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" - when: - - rhel9cis_rule_1_7_2 + when: rhel9cis_rule_1_7_2 tags: - level1-server - level1-workstation @@ -35,11 +33,10 @@ dest: /etc/issue owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" - when: - - rhel9cis_rule_1_7_3 + when: rhel9cis_rule_1_7_3 tags: - level1-server - level1-workstation @@ -54,11 +51,10 @@ dest: /etc/issue.net owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" - when: - - rhel9cis_rule_1_7_4 + when: rhel9cis_rule_1_7_4 tags: - level1-server - level1-workstation @@ -71,11 +67,10 @@ path: /etc/motd owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" - when: - - rhel9cis_rule_1_7_5 + when: rhel9cis_rule_1_7_5 tags: - level1-server - level1-workstation @@ -88,11 +83,10 @@ path: /etc/issue owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - when: - - rhel9cis_rule_1_7_6 + when: rhel9cis_rule_1_7_6 tags: - level1-server - level1-workstation @@ -105,4 +99,4 @@ path: /etc/issue.net owner: root group: root - mode: '0644' + mode: 'go-wx' diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 427eb79..c38b75c 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -35,7 +35,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf loop: - { regexp: 'user-db', line: 'user-db:user' } @@ -48,7 +48,7 @@ dest: /etc/dconf/db/gdm.d/01-banner-message owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.3 | PATCH | Ensure GDM disable-user-list option is enabled" @@ -68,7 +68,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf loop: - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } @@ -96,7 +96,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'go-wx' loop: - { regexp: '^user-db', line: 'user-db:user' } - { regexp: '^system-db', line: 'system-db:local' } @@ -106,7 +106,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make conf file" @@ -115,7 +115,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-screensaver" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden" @@ -134,7 +134,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file" @@ -143,7 +143,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" @@ -161,7 +161,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-automount" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" @@ -180,7 +180,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file" @@ -189,7 +189,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-automount_lock" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled" @@ -208,7 +208,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file" @@ -217,7 +217,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-autorun" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden" @@ -236,7 +236,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lockfile" @@ -245,7 +245,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.10 | PATCH | Ensure XDMCP is not enabled" diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index bf6a81d..e49e733 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -33,9 +33,7 @@ masked: true - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use" - when: - - rhel9cis_rule_2_1_2 - - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" + when: rhel9cis_rule_2_1_2 tags: - level1-server - level2-workstation @@ -70,9 +68,7 @@ - avahi-daemon.service - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use" - when: - - "'dhcp-server' in ansible_facts.packages" - - rhel9cis_rule_2_1_3 + when: rhel9cis_rule_2_1_3 tags: - level1-server - level1-workstation @@ -105,9 +101,7 @@ - dhcpd6.service - name: "2.1.4 | PATCH | Ensure dns server services are not in use" - when: - - "'bind' in ansible_facts.packages" - - rhel9cis_rule_2_1_4 + when: rhel9cis_rule_2_1_4 tags: - level1-server - level1-workstation @@ -137,9 +131,7 @@ masked: true - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use" - when: - - "'dnsmasq' in ansible_facts.packages" - - rhel9cis_rule_2_1_5 + when: rhel9cis_rule_2_1_5 tags: - level1-server - level1-workstation @@ -169,9 +161,7 @@ masked: true - name: "2.1.6 | PATCH | Ensure samba file server services are not in use" - when: - - "'samba' in ansible_facts.packages" - - rhel9cis_rule_2_1_6 + when: rhel9cis_rule_2_1_6 tags: - level1-server - level1-workstation @@ -202,9 +192,7 @@ masked: true - name: "2.1.7 | PATCH | Ensure ftp server services are not in use" - when: - - "'ftp' in ansible_facts.packages" - - rhel9cis_rule_2_1_7 + when: rhel9cis_rule_2_1_7 tags: - level1-server - level1-workstation @@ -235,9 +223,7 @@ masked: true - name: "2.1.8 | PATCH | Ensure message access server services are not in use" - when: - - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages" - - rhel9cis_rule_2_1_8 + when: rhel9cis_rule_2_1_8 tags: - level1-server - level1-workstation @@ -275,9 +261,7 @@ - "cyrus-imapd.service" - name: "2.1.9 | PATCH | Ensure network file system services are not in use" - when: - - "'nfs-utils' in ansible_facts.packages" - - rhel9cis_rule_2_1_9 + when: rhel9cis_rule_2_1_9 tags: - level1-server - level1-workstation @@ -309,9 +293,7 @@ masked: true - name: "2.1.10 | PATCH | Ensure nis server services are not in use" - when: - - "'ypserv' in ansible_facts.packages" - - rhel9cis_rule_2_1_10 + when: rhel9cis_rule_2_1_10 tags: - level1-server - level1-workstation @@ -341,9 +323,7 @@ masked: true - name: "2.1.11 | PATCH | Ensure print server services are not in use" - when: - - "'cups' in ansible_facts.packages" - - rhel9cis_rule_2_1_11 + when: rhel9cis_rule_2_1_11 tags: - level1-server - automated @@ -375,9 +355,7 @@ - "cups.service" - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use" - when: - - "'rpcbind' in ansible_facts.packages" - - rhel9cis_rule_2_1_12 + when: rhel9cis_rule_2_1_12 tags: - level1-server - level1-workstation @@ -411,9 +389,7 @@ - rpcbind.socket - name: "2.1.13 | PATCH | Ensure rsync services are not in use" - when: - - "'rsync-daemon' in ansible_facts.packages" - - rhel9cis_rule_2_1_13 + when: rhel9cis_rule_2_1_13 tags: - level1-server - level1-workstation @@ -447,9 +423,7 @@ - 'rsyncd.service' - name: "2.1.14 | PATCH | Ensure snmp services are not in use" - when: - - "'net-snmp' in ansible_facts.packages" - - rhel9cis_rule_2_1_14 + when: rhel9cis_rule_2_1_14 tags: - level1-server - level1-workstation @@ -479,9 +453,7 @@ masked: true - name: "2.1.15 | PATCH | Ensure telnet server services are not in use" - when: - - "'telnet-server' in ansible_facts.packages" - - rhel9cis_rule_2_1_15 + when: rhel9cis_rule_2_1_15 tags: - level1-server - level1-workstation @@ -512,9 +484,7 @@ masked: true - name: "2.1.16 | PATCH | Ensure tftp server services are not in use" - when: - - "'tftp-server' in ansible_facts.packages" - - rhel9cis_rule_2_1_16 + when: rhel9cis_rule_2_1_16 tags: - level1-server - level1-workstation @@ -547,9 +517,7 @@ - 'tftp.service' - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use" - when: - - "'squid' in ansible_facts.packages" - - rhel9cis_rule_2_117 + when: rhel9cis_rule_2_1_17 tags: - level1-server - level1-workstation @@ -580,8 +548,7 @@ masked: true - name: "2.1.18 | PATCH | Ensure web server services are not in use" - when: - - rhel9cis_rule_2_1_18 + when: rhel9cis_rule_2_1_18 tags: - level1-server - level1-workstation @@ -597,7 +564,6 @@ when: - not rhel9cis_httpd_server - not rhel9cis_httpd_mask - - "'httpd' in ansible_facts.packages" ansible.builtin.package: name: httpd state: absent @@ -606,7 +572,6 @@ when: - not rhel9cis_nginx_server - not rhel9cis_nginx_mask - - "'nginx' in ansible_facts.packages" ansible.builtin.package: name: nginx state: absent @@ -615,7 +580,6 @@ when: - not rhel9cis_httpd_server - rhel9cis_httpd_mask - - "'httpd' in ansible_facts.packages" notify: Systemd_daemon_reload ansible.builtin.systemd: name: httpd.service @@ -627,7 +591,6 @@ when: - not rhel9cis_nginx_server - rhel9cis_nginx_mask - - "'nginx' in ansible_facts.packages" notify: Systemd_daemon_reload ansible.builtin.systemd: name: ngnix.service @@ -636,9 +599,7 @@ masked: true - name: "2.1.19 | PATCH | Ensure xinetd services are not in use" - when: - - "'xinetd' in ansible_facts.packages" - - rhel9cis_rule_2_1_19 + when: rhel9cis_rule_2_1_19 tags: - level1-server - level1-workstation @@ -670,7 +631,6 @@ - name: "2.1.20 | PATCH | Ensure X window server services are not in use" when: - not rhel9cis_xwindow_server - - "'xorg-x11-server-common' in ansible_facts.packages" - rhel9cis_rule_2_1_20 tags: - level1-server @@ -704,8 +664,7 @@ line: "inet_interfaces = loopback-only" - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface" - when: - - rhel9cis_rule_2_1_22 + when: rhel9cis_rule_2_1_22 tags: - level1-server - level1-workstation diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index cdd03b8..0e019e7 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -3,7 +3,6 @@ - name: "2.2.1 | PATCH | Ensure ftp client is not installed" when: - not rhel9cis_ftp_client - - "'ftp' in ansible_facts.packages" - rhel9cis_rule_2_2_1 tags: - level1-server @@ -20,7 +19,6 @@ - name: "2.2.2 | PATCH | Ensure ldap client is not installed" when: - not rhel9cis_openldap_clients_required - - "'openldap-clients' in ansible_facts.packages" - rhel9cis_rule_2_2_2 tags: - level2-server @@ -37,7 +35,6 @@ - name: "2.2.3 | PATCH | Ensure nis client is not installed" when: - not rhel9cis_ypbind_required - - "'ypbind' in ansible_facts.packages" - rhel9cis_rule_2_2_3 tags: - level1-server @@ -54,7 +51,6 @@ - name: "2.2.4 | PATCH | Ensure telnet client is not installed" when: - not rhel9cis_telnet_required - - "'telnet' in ansible_facts.packages" - rhel9cis_rule_2_2_4 tags: - level1-server @@ -71,7 +67,6 @@ - name: "2.2.5 | PATCH | Ensure TFTP client is not installed" when: - not rhel9cis_tftp_client - - "'tftp' in ansible_facts.packages" - rhel9cis_rule_2_2_5 tags: - level1-server diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index dacd624..b84a84b 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -31,7 +31,7 @@ dest: /etc/chrony.conf owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "2.3.3 | PATCH | Ensure chrony is not run as the root user" when: @@ -48,4 +48,4 @@ line: OPTIONS="\1 -u chrony" create: true backrefs: true - mode: '0644' + mode: 'go-wx' diff --git a/tasks/section_2/cis_2.4.x.yml b/tasks/section_2/cis_2.4.x.yml index 3789aae..c4b6b8b 100644 --- a/tasks/section_2/cis_2.4.x.yml +++ b/tasks/section_2/cis_2.4.x.yml @@ -1,8 +1,7 @@ --- - name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled" - when: - - rhel9cis_rule_2_4_1_1 + when: rhel9cis_rule_2_4_1_1 tags: - level1-server - level1-workstation @@ -19,8 +18,7 @@ enabled: true - name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" - when: - - rhel9cis_rule_2_4_1_2 + when: rhel9cis_rule_2_4_1_2 tags: - level1-server - level1-workstation @@ -33,11 +31,10 @@ path: /etc/crontab owner: root group: root - mode: og-rwx + mode: 'og-rwx' - name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" - when: - - rhel9cis_rule_2_4_1_3 + when: rhel9cis_rule_2_4_1_3 tags: - level1-server - level1-workstation @@ -51,11 +48,10 @@ state: directory owner: root group: root - mode: og-rwx + mode: 'og-rwx' - name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" - when: - - rhel9cis_rule_2_4_1_4 + when: rhel9cis_rule_2_4_1_4 tags: - level1-server - level1-workstation @@ -67,11 +63,10 @@ state: directory owner: root group: root - mode: og-rwx + mode: 'og-rwx' - name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" - when: - - rhel9cis_rule_2_4_1_5 + when: rhel9cis_rule_2_4_1_5 tags: - level1-server - level1-workstation @@ -84,11 +79,10 @@ state: directory owner: root group: root - mode: og-rwx + mode: 'og-rwx' - name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" - when: - - rhel9cis_rule_2_4_1_6 + when: rhel9cis_rule_2_4_1_6 tags: - level1-server - level1-workstation @@ -101,11 +95,10 @@ state: directory owner: root group: root - mode: og-rwx + mode: 'og-rwx' - name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" - when: - - rhel9cis_rule_2_4_1_7 + when: rhel9cis_rule_2_4_1_7 tags: - level1-server - level1-workstation @@ -119,11 +112,10 @@ state: directory owner: root group: root - mode: '0700' + mode: 'og-rwx' - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users" - when: - - rhel9cis_rule_2_4_1_8 + when: rhel9cis_rule_2_4_1_8 tags: - level1-server - level1-workstation @@ -149,11 +141,10 @@ state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: u-x,g-wx,o-rwx + mode: 'u-x,g-wx,o-rwx' - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users" - when: - - rhel9cis_rule_2_4_2_1 + when: rhel9cis_rule_2_4_2_1 tags: - level1-server - level1-workstation @@ -179,4 +170,4 @@ state: '{{ "file" if discovered_at_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: u-x,g-wx,o-rwx + mode: 'u-x,g-wx,o-rwx' diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 84d8784..e8934d4 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -65,8 +65,7 @@ file: warning_facts.yml - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use" - when: - - rhel9cis_rule_3_1_3 + when: rhel9cis_rule_3_1_3 tags: - level1-server - level2-workstation diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index 4413d59..a49d907 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -1,8 +1,7 @@ --- - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available" - when: - - rhel9cis_rule_3_2_1 + when: rhel9cis_rule_3_2_1 tags: - level2-server - level2-workstation @@ -32,8 +31,7 @@ mode: 'u-x,go-rwx' - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available" - when: - - rhel9cis_rule_3_2_2 + when: rhel9cis_rule_3_2_2 tags: - level2-server - level2-workstation @@ -63,8 +61,7 @@ mode: 'u-x,go-rwx' - name: "3.2.3 | PATCH | Ensure rds kernel module is not available" - when: - - rhel9cis_rule_3_2_3 + when: rhel9cis_rule_3_2_3 tags: - level2-server - level2-workstation @@ -94,8 +91,7 @@ mode: 'u-x,go-rwx' - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available" - when: - - rhel9cis_rule_3_2_4 + when: rhel9cis_rule_3_2_4 tags: - level2-server - level2-workstation diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 2f73979..123928e 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -61,8 +61,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored" - when: - - rhel9cis_rule_3_3_3 + when: rhel9cis_rule_3_3_3 tags: - level1-server - level1-workstation @@ -85,8 +84,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored" - when: - - rhel9cis_rule_3_3_4 + when: rhel9cis_rule_3_3_4 tags: - level1-server - level1-workstation @@ -109,8 +107,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted" - when: - - rhel9cis_rule_3_3_5 + when: rhel9cis_rule_3_3_5 tags: - level1-server - level1-workstation @@ -144,8 +141,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted" - when: - - rhel9cis_rule_3_3_6 + when: rhel9cis_rule_3_3_6 tags: - level1-server - level1-workstation @@ -179,8 +175,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - when: - - rhel9cis_rule_3_3_7 + when: rhel9cis_rule_3_3_7 tags: - level1-server - level1-workstation @@ -203,8 +198,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.8 | PATCH | Ensure source routed packets are not accepted" - when: - - rhel9cis_rule_3_3_8 + when: rhel9cis_rule_3_3_8 tags: - level1-server - level1-workstation @@ -237,8 +231,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - name: "3.3.9 | PATCH | Ensure suspicious packets are logged" - when: - - rhel9cis_rule_3_3_9 + when: rhel9cis_rule_3_3_9 tags: - level1-server - level1-workstation @@ -257,8 +250,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled" - when: - - rhel9cis_rule_3_3_10 + when: rhel9cis_rule_3_3_10 tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index 06cffbd..ab61c81 100644 --- a/tasks/section_4/cis_4.1.x.yml +++ b/tasks/section_4/cis_4.1.x.yml @@ -17,8 +17,7 @@ state: present - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use" - when: - - rhel9cis_rule_4_1_2 + when: rhel9cis_rule_4_1_2 tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml index 0fca4cc..6e8eb3c 100644 --- a/tasks/section_4/cis_4.2.x.yml +++ b/tasks/section_4/cis_4.2.x.yml @@ -1,8 +1,7 @@ --- - name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports" - when: - - rhel9cis_rule_4_2_1 + when: rhel9cis_rule_4_2_1 tags: - level1-server - level1-workstation @@ -25,8 +24,7 @@ - "{{ discovered_services_and_ports.stdout_lines }}" - name: "4.2.2 | PATCH | Ensure firewalld loopback traffic is configured | firewalld" - when: - - rhel9cis_rule_4_2_2 + when: rhel9cis_rule_4_2_2 tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml index 9cab1b4..4e23998 100644 --- a/tasks/section_4/cis_4.3.x.yml +++ b/tasks/section_4/cis_4.3.x.yml @@ -12,8 +12,7 @@ changed_when: true - name: "4.3.1 | PATCH | Ensure nftables base chains exist" - when: - - rhel9cis_rule_4_3_1 + when: rhel9cis_rule_4_3_1 tags: - level1-server - level1-workstation @@ -65,8 +64,7 @@ - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } - name: "4.3.2 | PATCH | Ensure nftables established connections are configured" - when: - - rhel9cis_rule_4_3_2 + when: rhel9cis_rule_4_3_2 tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 31ba7e2..296ebf9 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -1,8 +1,7 @@ --- - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" - when: - - rhel9cis_rule_5_1_1 + when: rhel9cis_rule_5_1_1 tags: - level1-server - level1-workstation @@ -16,11 +15,10 @@ path: "/etc/ssh/sshd_config" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured" - when: - - rhel9cis_rule_5_1_2 + when: rhel9cis_rule_5_1_2 tags: - level1-server - level1-workstation @@ -50,8 +48,7 @@ label: "{{ item.path }}" - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured" - when: - - rhel9cis_rule_5_1_3 + when: rhel9cis_rule_5_1_3 tags: - level1-server - level1-workstation @@ -98,7 +95,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' notify: - Update Crypto Policy - Set Crypto Policy @@ -126,7 +123,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' notify: - Update Crypto Policy - Set Crypto Policy @@ -154,7 +151,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' notify: - Update Crypto Policy - Set Crypto Policy @@ -164,8 +161,7 @@ rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}" - name: "5.1.7 | PATCH | Ensure sshd access is configured" - when: - - rhel9cis_rule_5_1_7 + when: rhel9cis_rule_5_1_7 tags: - level1-server - level1-workstation @@ -212,8 +208,7 @@ notify: Restart sshd - name: "5.1.8 | PATCH | Ensure sshd Banner is configured" - when: - - rhel9cis_rule_5_1_8 + when: rhel9cis_rule_5_1_8 tags: - level1-server - level1-workstation @@ -231,8 +226,7 @@ line: 'Banner /etc/issue.net' - name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured" - when: - - rhel9cis_rule_5_1_9 + when: rhel9cis_rule_5_1_9 tags: - level1-server - level1-workstation @@ -262,8 +256,7 @@ notify: Restart sshd - name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled" - when: - - rhel9cis_rule_5_1_10 + when: rhel9cis_rule_5_1_10 tags: - level2-server - level1-workstation @@ -289,8 +282,7 @@ notify: Restart sshd - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled" - when: - - rhel9cis_rule_5_1_11 + when: rhel9cis_rule_5_1_11 tags: - level1-server - level1-workstation @@ -320,8 +312,7 @@ notify: Restart sshd - name: "5.1.12 | PATCH | Ensure sshd HostbasedAuthentication is disabled" - when: - - rhel9cis_rule_5_1_12 + when: rhel9cis_rule_5_1_12 tags: - level1-server - level1-workstation @@ -341,8 +332,7 @@ notify: Restart sshd - name: "5.1.13 | PATCH | Ensure sshd IgnoreRhosts is enabled" - when: - - rhel9cis_rule_5_1_13 + when: rhel9cis_rule_5_1_13 tags: - level1-server - level1-workstation @@ -362,8 +352,7 @@ notify: Restart sshd - name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less" - when: - - rhel9cis_rule_5_1_14 + when: rhel9cis_rule_5_1_14 tags: - level1-server - level1-workstation @@ -379,8 +368,7 @@ notify: Restart sshd - name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate" - when: - - rhel9cis_rule_5_1_15 + when: rhel9cis_rule_5_1_15 tags: - level1-server - level1-workstation @@ -398,8 +386,7 @@ notify: Restart sshd - name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less" - when: - - rhel9cis_rule_5_1_16 + when: rhel9cis_rule_5_1_16 tags: - level1-server - level1-workstation @@ -415,8 +402,7 @@ notify: Restart sshd - name: "5.1.17 | PATCH | Ensure sshd MaxStartups is configured" - when: - - rhel9cis_rule_5_1_17 + when: rhel9cis_rule_5_1_17 tags: - level1-server - level1-workstation @@ -436,8 +422,7 @@ notify: Restart sshd - name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" - when: - - rhel9cis_rule_5_1_18 + when: rhel9cis_rule_5_1_18 tags: - level1-server - level1-workstation @@ -457,8 +442,7 @@ notify: Restart sshd - name: "5.1.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled" - when: - - rhel9cis_rule_5_1_19 + when: rhel9cis_rule_5_1_19 tags: - level1-server - level1-workstation @@ -478,8 +462,7 @@ notify: Restart sshd - name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled" - when: - - rhel9cis_rule_5_1_20 + when: rhel9cis_rule_5_1_20 tags: - level1-server - level1-workstation @@ -503,8 +486,7 @@ notify: Restart sshd - name: "5.1.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled" - when: - - rhel9cis_rule_5_1_21 + when: rhel9cis_rule_5_1_21 tags: - level1-server - level1-workstation @@ -524,8 +506,7 @@ notify: Restart sshd - name: "5.1.22 | PATCH | Ensure SSH PAM is enabled" - when: - - rhel9cis_rule_5_1_22 + when: rhel9cis_rule_5_1_22 tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 87fe46e..3d57dbf 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -1,8 +1,7 @@ --- - name: "5.2.1 | PATCH | Ensure sudo is installed" - when: - - rhel9cis_rule_5_2_1 + when: rhel9cis_rule_5_2_1 tags: - level1-server - level1-workstation @@ -15,8 +14,7 @@ state: present - name: "5.2.2 | PATCH | Ensure sudo commands use pty" - when: - - rhel9cis_rule_5_2_2 + when: rhel9cis_rule_5_2_2 tags: - level1-server - level1-workstation @@ -30,8 +28,7 @@ validate: '/usr/sbin/visudo -cf %s' - name: "5.2.3 | PATCH | Ensure sudo log file exists" - when: - - rhel9cis_rule_5_2_3 + when: rhel9cis_rule_5_2_3 tags: - level1-server - level1-workstation @@ -47,8 +44,7 @@ validate: '/usr/sbin/visudo -cf %s' - name: "5.2.4 | PATCH | Ensure users must provide password for escalation" - when: - - rhel9cis_rule_5_2_4 + when: rhel9cis_rule_5_2_4 tags: - level2-server - level2-workstation @@ -74,8 +70,7 @@ loop: "{{ discovered_nopasswd_sudoers.stdout_lines }}" - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" - when: - - rhel9cis_rule_5_2_5 + when: rhel9cis_rule_5_2_5 tags: - level1-server - level1-workstation @@ -101,8 +96,7 @@ loop: "{{ discovered_priv_reauth.stdout_lines }}" - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly" - when: - - rhel9cis_rule_5_2_6 + when: rhel9cis_rule_5_2_6 tags: - level1-server - level1-workstation @@ -134,8 +128,7 @@ loop: "{{ discovered_sudo_timeout_files.stdout_lines }}" - name: "5.2.7 | PATCH | Ensure access to the su command is restricted" - when: - - rhel9cis_rule_5_2_7 + when: rhel9cis_rule_5_2_7 tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 696010f..eddf5ee 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -67,7 +67,7 @@ failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ] register: discovered_authselect_current_faillock - - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" + - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" # noqa syntax-check[specific]" when: discovered_authselect_current_faillock.rc != 0 ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" changed_when: true @@ -141,8 +141,7 @@ - rule_5.3.2.5 block: - name: "5.3.2.5 | AUDIT | Ensure pam_unix module is enabled" - ansible.builtin.shell: | - grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth + ansible.builtin.command: grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth changed_when: false failed_when: discovered_discovered_authselect_pam_unix.rc not in [ 0, 1 ] register: discovered_discovered_authselect_pam_unix @@ -150,7 +149,7 @@ - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth" when: "'system-auth:password' not in discovered_authselect_pam_unix.stdout" ansible.builtin.lineinfile: - path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth + path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/system-auth regexp: "{{ item.regexp }}" line: "{{ item.line }}" backrefs: true @@ -164,7 +163,7 @@ - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | password-auth" when: "'password-auth:password' not in discovered_authselect_pam_unix.stdout" ansible.builtin.lineinfile: - path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth + path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/password-auth line: "{{ item.line }}" regexp: "{{ item.regexp }}" backrefs: true diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml index d625cac..19e1c44 100644 --- a/tasks/section_5/cis_5.3.3.1.x.yml +++ b/tasks/section_5/cis_5.3.3.1.x.yml @@ -1,8 +1,7 @@ --- - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured" - when: - - rhel9cis_rule_5_3_3_1_1 + when: rhel9cis_rule_5_3_3_1_1 tags: - level1-server - level1-workstation @@ -44,8 +43,7 @@ notify: Authselect update - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured" - when: - - rhel9cis_rule_5_3_3_1_2 + when: rhel9cis_rule_5_3_3_1_2 tags: - level1-server - level1-workstation @@ -87,8 +85,7 @@ notify: Authselect update - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account" - when: - - rhel9cis_rule_5_3_3_1_3 + when: rhel9cis_rule_5_3_3_1_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml index 9317326..920ed88 100644 --- a/tasks/section_5/cis_5.3.3.2.x.yml +++ b/tasks/section_5/cis_5.3.3.2.x.yml @@ -1,8 +1,7 @@ --- - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured" - when: - - rhel9cis_rule_5_3_3_2_1 + when: rhel9cis_rule_5_3_3_2_1 tags: - level1-server - level1-workstation @@ -30,7 +29,7 @@ dest: "/{{ rhel9cis_passwd_difok_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from pam files Not AuthSelect" when: @@ -58,8 +57,7 @@ notify: Authselect update - name: "5.3.3.2.2 | PATCH | Ensure password length is configured" - when: - - rhel9cis_rule_5_3_3_2_2 + when: rhel9cis_rule_5_3_3_2_2 tags: - level1-server - level1-workstation @@ -87,7 +85,7 @@ dest: "/{{ rhel9cis_passwd_minlen_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect" when: @@ -115,8 +113,7 @@ notify: Authselect update - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured" - when: - - rhel9cis_rule_5_3_3_2_3 + when: rhel9cis_rule_5_3_3_2_3 tags: - level1-server - level1-workstation @@ -144,7 +141,7 @@ dest: "/{{ rhel9cis_passwd_complex_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove complexity from pam files NOT AuthSelect" when: @@ -172,8 +169,7 @@ notify: Authselect update - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured" - when: - - rhel9cis_rule_5_3_3_2_4 + when: rhel9cis_rule_5_3_3_2_4 tags: - level1-server - level1-workstation @@ -183,8 +179,7 @@ - pam block: - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file" - when: - - item != rhel9cis_passwd_maxrepeat_file + when: item != rhel9cis_passwd_maxrepeat_file ansible.builtin.replace: path: "{{ item }}" regexp: 'maxrepeat\s*=\s*\d+\b' @@ -200,7 +195,7 @@ dest: "/{{ rhel9cis_passwd_maxrepeat_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat from pam files NOT AuthSelect" when: @@ -228,8 +223,7 @@ notify: Authselect update - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured" - when: - - rhel9cis_rule_5_3_3_2_5 + when: rhel9cis_rule_5_3_3_2_5 tags: - level1-server - level1-workstation @@ -257,7 +251,7 @@ dest: "/{{ rhel9cis_passwd_maxsequence_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence from pam files NOT AuthSelect" when: @@ -285,8 +279,7 @@ notify: Authselect update - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled" - when: - - rhel9cis_rule_5_3_3_2_6 + when: rhel9cis_rule_5_3_3_2_6 tags: - level1-server - level1-workstation @@ -313,7 +306,7 @@ dest: "/{{ rhel9cis_passwd_dictcheck_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck from pam files NOT AuthSelect" when: @@ -342,8 +335,7 @@ notify: Authselect update - name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user" - when: - - rhel9cis_rule_5_3_3_2_7 + when: rhel9cis_rule_5_3_3_2_7 tags: - level1-server - level1-workstation @@ -356,4 +348,4 @@ dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}" owner: root group: root - mode: '0600' + mode: 'o-rwx' diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml index 21a03ee..ca5a5dc 100644 --- a/tasks/section_5/cis_5.3.3.3.x.yml +++ b/tasks/section_5/cis_5.3.3.3.x.yml @@ -1,8 +1,7 @@ --- - name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured" - when: - - rhel9cis_rule_5_3_3_3_1 + when: rhel9cis_rule_5_3_3_3_1 tags: - level1-server - level1-workstation @@ -48,8 +47,7 @@ notify: Authselect update - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user" - when: - - rhel9cis_rule_5_3_3_3_2 + when: rhel9cis_rule_5_3_3_3_2 tags: - level1-server - level1-workstation @@ -95,8 +93,7 @@ notify: Authselect update - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok" - when: - - rhel9cis_rule_5_3_3_3_3 + when: rhel9cis_rule_5_3_3_3_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml index a1e5768..ddca97a 100644 --- a/tasks/section_5/cis_5.3.3.4.x.yml +++ b/tasks/section_5/cis_5.3.3.4.x.yml @@ -28,8 +28,7 @@ loop: "{{ discovered_pam_nullok.stdout_lines }}" - name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect" - when: - - rhel9cis_allow_authselect_updates + when: rhel9cis_allow_authselect_updates ansible.builtin.replace: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\snullok(.*$) @@ -67,8 +66,7 @@ loop: "{{ discovered_pam_remember.stdout_lines }}" - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect" - when: - - rhel9cis_allow_authselect_updates + when: rhel9cis_allow_authselect_updates ansible.builtin.replace: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\sremember\s*=\s*=\d*(.*$) @@ -107,8 +105,7 @@ loop: "{{ discovered_pam_remember.stdout_lines }}" - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect" - when: - - rhel9cis_allow_authselect_updates + when: rhel9cis_allow_authselect_updates ansible.builtin.lineinfile: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)(sha512|yescrypt)(.*$) @@ -150,8 +147,7 @@ loop: "{{ discovered_pam_authtok.stdout_lines }}" - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | Add use_authtok pam files AuthSelect" - when: - - rhel9cis_allow_authselect_updates + when: rhel9cis_allow_authselect_updates ansible.builtin.lineinfile: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$) diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 72dc50f..6a492e5 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -1,8 +1,7 @@ --- - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less" - when: - - rhel9cis_rule_5_4_1_1 + when: rhel9cis_rule_5_4_1_1 tags: - level1-server - level1-workstation @@ -38,8 +37,7 @@ loop: "{{ discovered_max_days.stdout_lines }}" - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured" - when: - - rhel9cis_rule_5_4_1_2 + when: rhel9cis_rule_5_4_1_2 tags: - level1-server - level1-workstation @@ -70,8 +68,7 @@ loop: "{{ discovered_min_days.stdout_lines }}" - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured" - when: - - rhel9cis_rule_5_4_1_3 + when: rhel9cis_rule_5_4_1_3 tags: - level1-server - level1-workstation @@ -101,8 +98,7 @@ loop: "{{ discovered_warn_days.stdout_lines }}" - name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured" - when: - - rhel9cis_rule_5_4_1_4 + when: rhel9cis_rule_5_4_1_4 tags: - level1-server - level1-workstation @@ -116,8 +112,7 @@ line: 'ENCRYPT_METHOD {{ rhel9cis_passwd_hash_algo | upper }}' - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured" - when: - - rhel9cis_rule_5_4_1_5 + when: rhel9cis_rule_5_4_1_5 tags: - level1-server - level1-workstation @@ -139,7 +134,7 @@ changed_when: true - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" + ansible.builtin.command: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false check_mode: false register: discovered_passwdlck_user_list @@ -151,8 +146,7 @@ loop: "{{ discovered_passwdlck_user_list.stdout_lines }}" - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past" - when: - - rhel9cis_rule_5_4_1_6 + when: rhel9cis_rule_5_4_1_6 tags: - level1-server - level1-workstation @@ -190,9 +184,9 @@ file: warning_facts.yml - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - changed_when: true when: - discovered_passwdlck_user_future.stdout | length > 0 - rhel9cis_futurepwchgdate_autofix - loop: "{{ discovered_passwdlck_user_future.stdout_lines }}" ansible.builtin.command: passwd --expire {{ item }} + changed_when: true + loop: "{{ discovered_passwdlck_user_future.stdout_lines }}" diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index a367f72..ef15f1a 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -56,8 +56,7 @@ loop: "{{ discovered_gid0_members.stdout_lines }}" - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group" - when: - - rhel9cis_rule_5_4_2_3 + when: rhel9cis_rule_5_4_2_3 tags: - level1-server - level1-workstation @@ -96,8 +95,7 @@ warn_control_id: '5.4.2.3' - name: "5.4.2.4 | PATCH | Ensure root account access is controlled " - when: - - rhel9cis_rule_5_4_2_4 + when: rhel9cis_rule_5_4_2_4 tags: - level1-server - level1-workstation @@ -108,8 +106,7 @@ msg: "This is set as an assert in tasks/main" - name: "5.4.2.5 | PATCH | Ensure root PATH Integrity" - when: - - rhel9cis_rule_5_4_2_5 + when: rhel9cis_rule_5_4_2_5 tags: - level1-server - level1-workstation @@ -172,15 +169,14 @@ state: directory owner: root group: root - mode: '0755' + mode: 'go-w' follow: false loop: "{{ discovered_root_path_perms.results }}" loop_control: label: "{{ item }}" - name: "5.4.2.6 | PATCH | Ensure root user umask is configured" - when: - - rhel9cis_rule_5_4_2_6 + when: rhel9cis_rule_5_4_2_6 tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml index 7816938..109b6a5 100644 --- a/tasks/section_5/cis_5.4.3.x.yml +++ b/tasks/section_5/cis_5.4.3.x.yml @@ -1,8 +1,7 @@ --- - name: "5.4.3.1 | PATCH | Ensure nologin is not listed in /etc/shells" - when: - - rhel9cis_rule_5_4_3_1 + when: rhel9cis_rule_5_4_3_1 tags: - level2-server - level2-workstation @@ -20,8 +19,7 @@ replace: "" - name: "5.4.3.2 | PATCH | Ensure default user shell timeout is configured" - when: - - rhel9cis_rule_5_4_3_2 + when: rhel9cis_rule_5_4_3_2 tags: - level1-server - level1-workstation @@ -33,7 +31,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: '0644' + mode: 'go-wx' block: | TMOUT={{ rhel9cis_shell_session_timeout }} readonly TMOUT @@ -43,8 +41,7 @@ - { path: /etc/profile, state: "{{ (rhel9cis_shell_session_file == '/etc/profile') | ternary('present', 'absent') }}" } - name: "5.4.3.3 | PATCH | Ensure default user umask is configured" - when: - - rhel9cis_rule_5_4_3_3 + when: rhel9cis_rule_5_4_3_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_6/cis_6.2.1.x.yml b/tasks/section_6/cis_6.2.1.x.yml index 1a2a8aa..3afa31c 100644 --- a/tasks/section_6/cis_6.2.1.x.yml +++ b/tasks/section_6/cis_6.2.1.x.yml @@ -1,8 +1,7 @@ --- - name: "6.2.1.1 | PATCH | Ensure journald service is enabled and active" - when: - - rhel9cis_rule_6_2_1_1 + when: rhel9cis_rule_6_2_1_1 tags: - level1-server - level1-workstation @@ -15,8 +14,7 @@ state: started - name: "6.2.1.2 | PATCH | Ensure journald log file access is configured" - when: - - rhel9cis_rule_6_2_1_2 + when: rhel9cis_rule_6_2_1_2 tags: - level1-server - level1-workstation @@ -27,7 +25,7 @@ - name: "6.2.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions" ansible.builtin.file: path: /usr/lib/tmpfiles.d/systemd.conf - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file" ansible.builtin.stat: @@ -58,8 +56,7 @@ warn_control_id: '6.2.1.2' - name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured" - when: - - rhel9cis_rule_6_2_1_3 + when: rhel9cis_rule_6_2_1_3 tags: - level1-server - level1-workstation @@ -74,7 +71,7 @@ dest: /etc/systemd/journald.conf.d/rotation.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries" ansible.builtin.replace: @@ -89,8 +86,7 @@ - '^(\s*MaxFileSec\s*=.*)' - name: "6.2.1.4 | PATCH | Ensure only one logging system is in use" - when: - - rhel9cis_rule_6_2_1_4 + when: rhel9cis_rule_6_2_1_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_6/cis_6.2.2.x.yml b/tasks/section_6/cis_6.2.2.x.yml index 3dd8dab..a57efe2 100644 --- a/tasks/section_6/cis_6.2.2.x.yml +++ b/tasks/section_6/cis_6.2.2.x.yml @@ -1,8 +1,7 @@ --- - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled" - when: - - rhel9cis_rule_6_2_2_2 + when: rhel9cis_rule_6_2_2_2 tags: - level1-server - level2-workstation @@ -21,7 +20,7 @@ dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" ansible.builtin.replace: @@ -30,8 +29,7 @@ replace: '#\1' - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured" - when: - - rhel9cis_rule_6_2_2_3 + when: rhel9cis_rule_6_2_2_3 tags: - level1-server - level1-workstation @@ -47,7 +45,7 @@ dest: /etc/systemd/journald.conf.d/storage.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries" ansible.builtin.replace: @@ -56,8 +54,7 @@ replace: '#\1' - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured" - when: - - rhel9cis_rule_6_2_2_4 + when: rhel9cis_rule_6_2_2_4 tags: - level1-server - level1-workstation @@ -74,7 +71,7 @@ dest: /etc/systemd/journald.conf.d/storage.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries" ansible.builtin.replace: diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml index 5af5fcd..9333697 100644 --- a/tasks/section_6/cis_6.2.3.x.yml +++ b/tasks/section_6/cis_6.2.3.x.yml @@ -18,8 +18,7 @@ state: present - name: "6.2.3.2 | PATCH | Ensure rsyslog Service is enabled and active" - when: - - rhel9cis_rule_6_2_3_2 + when: rhel9cis_rule_6_2_3_2 tags: - level1-server - level1-workstation @@ -35,8 +34,7 @@ state: started - name: "6.2.3.3 | PATCH | Ensure journald is configured to send logs to rsyslog" - when: - - rhel9cis_rule_6_2_3_3 + when: rhel9cis_rule_6_2_3_3 tags: - level1-server - level1-workstation @@ -54,8 +52,7 @@ notify: Restart rsyslog - name: "6.2.3.4 | PATCH | Ensure rsyslog log file creation mode is configured" - when: - - rhel9cis_rule_6_2_3_4 + when: rhel9cis_rule_6_2_3_4 tags: - level1-server - level1-workstation @@ -72,8 +69,7 @@ notify: Restart rsyslog - name: "6.2.3.5 | PATCH | Ensure logging is configured" - when: - - rhel9cis_rule_6_2_3_5 + when: rhel9cis_rule_6_2_3_5 tags: - level1-server - level1-workstation @@ -200,8 +196,7 @@ notify: Restart rsyslog - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" - when: - - rhel9cis_rule_6_2_3_7 + when: rhel9cis_rule_6_2_3_7 tags: - level1-server - level1-workstation @@ -238,8 +233,7 @@ - 'InputTCPServerRun' - name: "6.2.3.8 | PATCH | Ensure rsyslog logrotate is configured" - when: - - rhel9cis_rule_6_2_3_8 + when: rhel9cis_rule_6_2_3_8 tags: - level1-server - level1-workstation @@ -266,4 +260,4 @@ dest: /etc/logrotate.d/rsyslog.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' diff --git a/tasks/section_6/cis_6.2.4.1.yml b/tasks/section_6/cis_6.2.4.1.yml index 8111ef4..814c46c 100644 --- a/tasks/section_6/cis_6.2.4.1.yml +++ b/tasks/section_6/cis_6.2.4.1.yml @@ -1,8 +1,7 @@ --- - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured" - when: - - rhel9cis_rule_6_2_4_1 + when: rhel9cis_rule_6_2_4_1 tags: - level1-server - level1-workstation diff --git a/tasks/section_6/cis_6.3.1.x.yml b/tasks/section_6/cis_6.3.1.x.yml index b054848..e795c83 100644 --- a/tasks/section_6/cis_6.3.1.x.yml +++ b/tasks/section_6/cis_6.3.1.x.yml @@ -51,8 +51,7 @@ changed_when: true - name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" - when: - - rhel9cis_rule_6_3_1_3 + when: rhel9cis_rule_6_3_1_3 tags: - level2-server - level2-workstation @@ -92,8 +91,7 @@ changed_when: true - name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active" - when: - - rhel9cis_rule_6_3_1_4 + when: rhel9cis_rule_6_3_1_4 tags: - level2-server - level2-workstation diff --git a/tasks/section_6/cis_6.3.2.x.yml b/tasks/section_6/cis_6.3.2.x.yml index 08a5365..dc0804f 100644 --- a/tasks/section_6/cis_6.3.2.x.yml +++ b/tasks/section_6/cis_6.3.2.x.yml @@ -1,8 +1,7 @@ --- - name: "6.3.2.1 | PATCH | Ensure audit log storage size is configured" - when: - - rhel9cis_rule_6_3_2_1 + when: rhel9cis_rule_6_3_2_1 tags: - level2-server - level2-workstation @@ -17,8 +16,7 @@ notify: Restart auditd - name: "6.3.2.2 | PATCH | Ensure audit logs are not automatically deleted" - when: - - rhel9cis_rule_6_3_2_2 + when: rhel9cis_rule_6_3_2_2 tags: - level2-server - level2-workstation @@ -33,8 +31,7 @@ notify: Restart auditd - name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full" - when: - - rhel9cis_rule_6_3_2_3 + when: rhel9cis_rule_6_3_2_3 tags: - level2-server - level2-workstation @@ -55,8 +52,7 @@ - { regexp: '^disk_error_action', line: 'disk_error_action = {{ rhel9cis_auditd_disk_error_action }}' } - name: "6.3.2.4 | PATCH | Ensure system warns when audit logs are low on space" - when: - - rhel9cis_rule_6_3_2_4 + when: rhel9cis_rule_6_3_2_4 tags: - level2-server - level2-workstation diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml index d279259..5ff73f9 100644 --- a/tasks/section_6/cis_6.3.3.x.yml +++ b/tasks/section_6/cis_6.3.3.x.yml @@ -2,8 +2,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - when: - - rhel9cis_rule_6_3_3_1 + when: rhel9cis_rule_6_3_3_1 tags: - level2-server - level2-workstation @@ -16,8 +15,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.2 | PATCH | Ensure actions as another user are always logged" - when: - - rhel9cis_rule_6_3_3_2 + when: rhel9cis_rule_6_3_3_2 tags: - level2-server - level2-workstation @@ -30,8 +28,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - when: - - rhel9cis_rule_6_3_3_3 + when: rhel9cis_rule_6_3_3_3 tags: - level2-server - level2-workstation @@ -43,8 +40,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.4 | PATCH | Ensure events that modify date and time information are collected" - when: - - rhel9cis_rule_6_3_3_4 + when: rhel9cis_rule_6_3_3_4 tags: - level2-server - level2-workstation @@ -58,8 +54,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - when: - - rhel9cis_rule_6_3_3_5 + when: rhel9cis_rule_6_3_3_5 tags: - level2-server - level2-workstation @@ -73,8 +68,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" - when: - - rhel9cis_rule_6_3_3_6 + when: rhel9cis_rule_6_3_3_6 tags: - level2-server - level2-workstation @@ -97,8 +91,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.7 | PATCH | Ensure unsuccessful file access attempts are collected" - when: - - rhel9cis_rule_6_3_3_7 + when: rhel9cis_rule_6_3_3_7 tags: - level2-server - level2-workstation @@ -111,8 +104,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.8 | PATCH | Ensure events that modify user/group information are collected" - when: - - rhel9cis_rule_6_3_3_8 + when: rhel9cis_rule_6_3_3_8 tags: - level2-server - level2-workstation @@ -125,8 +117,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - when: - - rhel9cis_rule_6_3_3_9 + when: rhel9cis_rule_6_3_3_9 tags: - level2-server - level2-workstation @@ -140,8 +131,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.10 | PATCH | Ensure successful file system mounts are collected" - when: - - rhel9cis_rule_6_3_3_10 + when: rhel9cis_rule_6_3_3_10 tags: - level2-server - level2-workstation @@ -154,8 +144,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.11 | PATCH | Ensure session initiation information is collected" - when: - - rhel9cis_rule_6_3_3_11 + when: rhel9cis_rule_6_3_3_11 tags: - level2-server - level2-workstation @@ -168,8 +157,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.12 | PATCH | Ensure login and logout events are collected" - when: - - rhel9cis_rule_6_3_3_12 + when: rhel9cis_rule_6_3_3_12 tags: - level2-server - level2-workstation @@ -182,8 +170,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.13 | PATCH | Ensure file deletion events by users are collected" - when: - - rhel9cis_rule_6_3_3_13 + when: rhel9cis_rule_6_3_3_13 tags: - level2-server - level2-workstation @@ -197,8 +184,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - when: - - rhel9cis_rule_6_3_3_14 + when: rhel9cis_rule_6_3_3_14 tags: - level2-server - level2-workstation @@ -212,8 +198,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - when: - - rhel9cis_rule_6_3_3_15 + when: rhel9cis_rule_6_3_3_15 tags: - level2-server - level2- workstation @@ -228,8 +213,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - when: - - rhel9cis_rule_6_3_3_16 + when: rhel9cis_rule_6_3_3_16 tags: - level2-server - level2-workstation @@ -244,8 +228,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - when: - - rhel9cis_rule_6_3_3_17 + when: rhel9cis_rule_6_3_3_17 tags: - level2-server - level2-workstation @@ -260,8 +243,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - when: - - rhel9cis_rule_6_3_3_18 + when: rhel9cis_rule_6_3_3_18 tags: - level2-server - level2-workstation @@ -276,8 +258,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected" - when: - - rhel9cis_rule_6_3_3_19 + when: rhel9cis_rule_6_3_3_19 tags: - level2-server - level2-workstation @@ -291,8 +272,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.20 | PATCH | Ensure the audit configuration is immutable" - when: - - rhel9cis_rule_6_3_3_20 + when: rhel9cis_rule_6_3_3_20 tags: - level2-server - level2-workstation @@ -306,8 +286,7 @@ update_audit_template: true - name: "6.3.3.21 | AUDIT | Ensure the running and on disk configuration is the same" - when: - - rhel9cis_rule_6_3_3_21 + when: rhel9cis_rule_6_3_3_21 tags: - level2-server - level2-workstation @@ -321,8 +300,7 @@ - "Please run augenrules --load if you suspect there is a configuration that is not active" - name: Auditd | 6.3.3.x | Auditd controls updated - when: - - update_audit_template + when: update_audit_template ansible.builtin.debug: msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules" changed_when: false diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml index d55b4e8..74de70a 100644 --- a/tasks/section_6/cis_6.3.4.x.yml +++ b/tasks/section_6/cis_6.3.4.x.yml @@ -1,8 +1,7 @@ --- - name: "6.3.4.1 | PATCH | Ensure the audit log file directory mode is configured" - when: - - rhel9cis_rule_6_3_4_1 + when: rhel9cis_rule_6_3_4_1 tags: - level2-server - level2-workstation @@ -39,8 +38,7 @@ group: root - name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured" - when: - - rhel9cis_rule_6_3_4_5 + when: rhel9cis_rule_6_3_4_5 tags: - level2-server - level2-workstation @@ -57,8 +55,7 @@ label: "{{ item.path }}" - name: "6.3.4.6 | PATCH | Ensure audit configuration files owner is configured" - when: - - rhel9cis_rule_6_3_4_6 + when: rhel9cis_rule_6_3_4_6 tags: - level2-server - level2-workstation @@ -75,8 +72,7 @@ label: "{{ item.path }}" - name: "6.3.4.7 | PATCH | Ensure audit configuration files group owner is configured" - when: - - rhel9cis_rule_6_3_4_7 + when: rhel9cis_rule_6_3_4_7 tags: - level2-server - level2-workstation @@ -93,8 +89,7 @@ label: "{{ item.path }}" - name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured" - when: - - rhel9cis_rule_6_3_4_8 + when: rhel9cis_rule_6_3_4_8 tags: - level2-server - level2-workstation @@ -108,8 +103,7 @@ loop: "{{ audit_bins }}" - name: "6.3.4.9 | PATCH | Ensure audit tools owner is configured" - when: - - rhel9cis_rule_6_3_4_9 + when: rhel9cis_rule_6_3_4_9 tags: - level2-server - level2-workstation @@ -123,8 +117,7 @@ loop: "{{ audit_bins }}" - name: "6.3.4.10 | PATCH | Ensure audit tools group owner is configured" - when: - - rhel9cis_rule_6_3_4_10 + when: rhel9cis_rule_6_3_4_10 tags: - level2-server - level2-workstation diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index d70bf5f..83c83a0 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -83,7 +83,7 @@ path: /etc/shadow owner: root group: root - mode: '0000' + mode: 'ugo-rwx' - name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" when: @@ -100,7 +100,7 @@ path: /etc/shadow- owner: root group: root - mode: '0000' + mode: 'ugo-rwx' - name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" when: @@ -117,7 +117,7 @@ path: /etc/gshadow owner: root group: root - mode: '0000' + mode: 'ugo-rwx' - name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" when: @@ -134,7 +134,7 @@ path: /etc/gshadow- owner: root group: root - mode: '0000' + mode: 'ugo-rwx' - name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured" when: @@ -196,7 +196,7 @@ - rhel9cis_no_world_write_adjust ansible.builtin.file: path: '{{ item }}' - mode: o-w + mode: 'o-w' state: touch loop: "{{ discovered_world_writable.stdout_lines }}" diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml index 36f61cb..108cb89 100644 --- a/tasks/warning_facts.yml +++ b/tasks/warning_facts.yml @@ -1,5 +1,4 @@ --- - # This task is used to create variables used in giving a warning summary for manual tasks # that need attention #