ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Lint updates

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-12-11 11:49:02 +00:00
parent fcf9eb674f
commit 88ac5c3d65
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
19 changed files with 127 additions and 84 deletions
Download patch file Download diff file Expand all files Collapse all files

5
templates/fs_with_cves.sh → files/fs_with_cves.sh
View file

@ -1,11 +1,8 @@
{% raw %}
#! /usr/bin/env bash
{% raw %}#! /usr/bin/env bash
# Based on original Script provided by CIS
# CVEs correct at time of creation - April2024
#! /usr/bin/env bash
{
a_output=(); a_output2=(); a_modprope_config=(); a_excluded=(); a_available_modules=()
a_ignore=("xfs" "vfat" "ext2" "ext3" "ext4")

6
tasks/section_1/cis_1.1.1.x.yml
View file

@ -284,15 +284,15 @@
warn_control_id: '1.1.1.9'
block:
- name: "1.1.1.9 | PATCH | Ensure unused filesystems kernel modules are not available | Add discovery script"
ansible.builtin.template:
ansible.builtin.copy:
src: fs_with_cves.sh
dest: /var/fs_with_cves.sh
owner: root
group: root
mode: '0744'
mode: 'u+x,go-wx'
- name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Run discovery script"
ansible.builtin.shell: /var/fs_with_cves.sh
ansible.builtin.command: /var/fs_with_cves.sh
changed_when: false
failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ]
register: discovered_fs_modules_loaded

8
tasks/section_1/cis_1.2.1.x.yml
View file

@ -15,13 +15,15 @@
- NIST800-53R5_SI-2
block:
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys"
ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}"
ansible.builtin.shell: |
"rpm -qa | grep {{ os_gpg_key_pubkey_name }}"
changed_when: false
failed_when: false
register: discovered_os_installed_pub_keys
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys"
ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"'
ansible.builtin.shell: |
'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"'
changed_when: false
failed_when: false
register: discovered_os_gpg_key_check
@ -107,7 +109,7 @@
warn_control_id: '1.2.1.4'
block:
- name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Get repo list"
ansible.builtin.shell: dnf repolist
ansible.builtin.command: dnf repolist
changed_when: false
failed_when: false
register: discovered_dnf_configured

2
tasks/section_2/cis_2.1.x.yml
View file

@ -718,7 +718,7 @@
warn_control_id: '2.1.22'
block:
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services"
ansible.builtin.shell: systemctl list-units --type=service
ansible.builtin.command: systemctl list-units --type=service # noqa command-instead-of-module
changed_when: false
failed_when: discovered_running_services.rc not in [ 0, 1 ]
check_mode: false

2
tasks/section_2/cis_2.4.x.yml
View file

@ -146,7 +146,7 @@
- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
ansible.builtin.file:
path: /etc/cron.allow
state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}'
state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}'
owner: root
group: root
mode: u-x,g-wx,o-rwx

4
tasks/section_3/cis_3.1.x.yml
View file

@ -40,7 +40,7 @@
block:
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool"
when: "'network-manager' in ansible_facts.packages"
ansible.builtin.shell: nmcli radio wifi
ansible.builtin.command: nmcli radio wifi
changed_when: false
failed_when: false
check_mode: false
@ -50,7 +50,7 @@
when:
- "'network-manager' in ansible_facts.packages"
- "'enabled' in discovered_wifi_status.stdout"
ansible.builtin.shell: nmcli radio all off
ansible.builtin.command: nmcli radio all off
changed_when: discovered_nmcli_radio_off.rc == 0
register: discovered_nmcli_radio_off

12
tasks/section_3/cis_3.2.x.yml
View file

@ -18,6 +18,7 @@
regexp: '^(#)?install dccp(\\s|$)'
line: "{{ item }}"
create: true
mode: 'u-x,go-rwx'
loop:
- install dccp /bin/true
- blacklist dccp
@ -28,7 +29,7 @@
regexp: "^(#)?blacklist cramfs(\\s|$)"
line: "blacklist cramfs"
create: true
mode: '0600'
mode: 'u-x,go-rwx'
- name: "3.2.2 | PATCH | Ensure tipc kernel module is not available"
when:
@ -48,6 +49,7 @@
regexp: '^(#)?install tipc(\\s|$)'
line: "{{ item }}"
create: true
mode: 'u-x,go-rwx'
loop:
- install tipc /bin/true
- blacklist tipc
@ -58,7 +60,7 @@
regexp: "^(#)?blacklist tipc(\\s|$)"
line: "blacklist tipc"
create: true
mode: '0600'
mode: 'u-x,go-rwx'
- name: "3.2.3 | PATCH | Ensure rds kernel module is not available"
when:
@ -78,6 +80,7 @@
regexp: '^(#)?install rds(\\s|$)'
line: "{{ item }}"
create: true
mode: 'u-x,go-rwx'
loop:
- install rds /bin/true
- blacklist rds
@ -88,7 +91,7 @@
regexp: "^(#)?blacklist rds(\\s|$)"
line: "blacklist rds"
create: true
mode: '0600'
mode: 'u-x,go-rwx'
- name: "3.2.4 | PATCH | Ensure sctp kernel module is not available"
when:
@ -108,6 +111,7 @@
regexp: '^(#)?install sctp(\\s|$)'
line: "{{ item }}"
create: true
mode: 'u-x,go-rwx'
loop:
- install sctp /bin/true
- blacklist sctp
@ -118,4 +122,4 @@
regexp: "^(#)?blacklist sctp(\\s|$)"
line: "blacklist sctp"
create: true
mode: '0600'
mode: 'u-x,go-rwx'

2
tasks/section_4/cis_4.1.x.yml
View file

@ -52,7 +52,7 @@
name: "{{ rhel9cis_firewall }}"
state: installed
- name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled"
- name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" # noqa name[template]
ansible.builtin.systemd:
name: "{{ rhel9cis_firewall }}"
enabled: true

62
tasks/section_4/cis_4.3.x.yml
View file

@ -8,7 +8,8 @@
- rhel9cis_rule_4_3_3
- rhel9cis_rule_4_3_4
tags: always
ansible.builtin.shell: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
ansible.builtin.command: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
changed_when: true
- name: "4.3.1 | PATCH | Ensure nftables base chains exist"
when:
@ -22,19 +23,22 @@
- NIST800-55_CA-9
block:
- name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT"
ansible.builtin.shell: nft list ruleset | grep 'hook input'
ansible.builtin.shell: |
nft list ruleset | grep 'hook input'
changed_when: false
failed_when: false
register: discovered_nftables_input_chains
- name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD"
ansible.builtin.shell: nft list ruleset | grep 'hook forward'
ansible.builtin.shell: |
nft list ruleset | grep 'hook forward'
changed_when: false
failed_when: false
register: discovered_nftables_forward_chains
- name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT"
ansible.builtin.shell: nft list ruleset | grep 'hook output'
ansible.builtin.shell: |
nft list ruleset | grep 'hook output'
changed_when: false
failed_when: false
register: discovered_nftables_output_chains
@ -52,7 +56,8 @@
- name: "4.3.1 | PATCH | Ensure nftables base chains exist | Create chains if needed"
when: rhel9cis_nft_tables_autochaincreate
ansible.builtin.shell: "{{ item }}"
ansible.builtin.command: "{{ item }}"
changed_when: true
failed_when: false
loop:
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; }
@ -71,44 +76,50 @@
- NIST800-55_CA-9
block:
- name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather incoming connection rules"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
ansible.builtin.shell: |
nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
changed_when: false
failed_when: false
register: discovered_nftables_inconnectionrule
- name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules"
ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
ansible.builtin.command: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
changed_when: false
failed_when: false
register: discovered_nftables_outconnectionrule
- name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy"
when: '"ip protocol tcp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
ansible.builtin.shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
changed_when: true
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy"
when: '"ip protocol udp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept
changed_when: true
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy"
when: '"ip protocol icmp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept
changed_when: true
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy"
when: '"ip protocol tcp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept
changed_when: true
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy"
when: '"ip protocol udp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept
changed_when: true
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy"
when: '"ip protocol icmp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
changed_when: true
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy"
when:
- rhel9cis_rule_4_3_3
when: rhel9cis_rule_4_3_3
tags:
- level1-server
- level1-workstation
@ -118,25 +129,29 @@
- NIST800-55_CA-9
block:
- name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy"
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input'
ansible.builtin.shell: |
nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input'
failed_when: false
changed_when: false
register: discovered_nftables_inputpolicy
- name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy"
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward'
ansible.builtin.shell: |
nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward'
failed_when: false
changed_when: false
register: discovered_nftables_forwardpolicy
- name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy"
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output'
ansible.builtin.shell: |
nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output'
failed_when: false
changed_when: false
register: discovered_nftables_outputpolicy
- name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow"
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh'
ansible.builtin.shell: |
nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh'
failed_when: false
changed_when: false
register: discovered_nftables_sshallowcheck
@ -144,22 +159,25 @@
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic"
when: '"tcp dport ssh accept" not in discovered_nftables_sshallowcheck.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept
changed_when: true
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy"
when: '"type filter hook input priority 0; policy drop;" not in discovered_nftables_inputpolicy.stdout'
ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; }
changed_when: true
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy"
when: '"type filter hook forward priority 0; policy drop;" not in discovered_nftables_forwardpolicy.stdout'
ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; }
changed_when: true
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy"
when: '"type filter hook output priority 0; policy drop;" not in discovered_nftables_outputpolicy.stdout'
ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
changed_when: true
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured"
when:
- rhel9cis_rule_4_3_4
when: rhel9cis_rule_4_3_4
tags:
- level1-server
- level1-workstation
@ -169,19 +187,22 @@
- NIST800-55_CA-9
block:
- name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence | nftables"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept'
ansible.builtin.shell: |
nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept'
changed_when: false
failed_when: false
register: discovered_nftables_iiflo
- name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence | nftables"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'
ansible.builtin.shell: |
nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'
changed_when: false
failed_when: false
register: discovered_nftables_ipsaddr
- name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence | nftables"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'
ansible.builtin.shell: |
nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'
changed_when: false
failed_when: false
register: discovered_nftables_ip6saddr
@ -189,11 +210,14 @@
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule | nftables"
when: '"iif \"lo\" accept" not in discovered_nftables_iiflo.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept
changed_when: true
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables"
when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in discovered_nftables_ipsaddr.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
changed_when: true
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule | nftables"
when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in discovered_nftables_ip6saddr.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
changed_when: true

36
tasks/section_5/cis_5.3.2.x.yml
View file

@ -17,12 +17,13 @@
when:
- rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or
prelim_authselect_current_profile.stdout is not defined
ansible.builtin.shell: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
changed_when: false
args:
creates: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}"
- name: "5.3.2.1 | AUDIT | Ensure active authselect profile includes pam modules | get profile features"
ansible.builtin.shell: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}"
ansible.builtin.command: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}"
changed_when: false
register: discovered_authselect_profile_features
@ -37,7 +38,8 @@
- password
- name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Backup and Add pam modules"
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}"
ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}"
changed_when: true
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled"
when:
@ -59,14 +61,16 @@
notify: Authselect update
block:
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config"
ansible.builtin.shell: authselect current | grep faillock
ansible.builtin.shell: |
authselect current | grep faillock
changed_when: false
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing"
when: discovered_authselect_current_faillock.rc != 0
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
- name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
when:
@ -83,14 +87,16 @@
- rule_5.3.2.3
block:
- name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Get current config"
ansible.builtin.shell: authselect current | grep quality
ansible.builtin.shell: |
authselect current | grep quality
changed_when: false
failed_when: discovered_authselect_current_quality.rc not in [ 0, 1 ]
register: discovered_authselect_current_quality
- name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Add feature if missing"
- name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled | Add feature if missing"
when: discovered_authselect_current_quality.rc != 0
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
notify: Authselect update
- name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled"
@ -108,14 +114,16 @@
- rule_5.3.2.4
block:
- name: "5.3.2.4 | AUDIT | Ensure pam_pwhistory module is enabled | Get current config"
ansible.builtin.shell: authselect current | grep pwhistory
ansible.builtin.shell: |
authselect current | grep pwhistory
changed_when: false
failed_when: discovered_authselect_current_history.rc not in [ 0, 1 ]
register: discovered_authselect_current_history
- name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled | enable feature"
when: discovered_authselect_current_history.rc != 0
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
notify: Authselect update
- name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled"
@ -146,8 +154,8 @@
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
backrefs: true
insertafter: "{{ item.after | default (omit) }}"
insertbefore: "{{ item.before | default (omit) }}"
insertafter: "{{ item.after | default(omit) }}"
insertbefore: "{{ item.before | default(omit) }}"
loop:
- { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', after: '^auth.*pam_faillock.*preauth' }
- { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' }
@ -160,8 +168,8 @@
line: "{{ item.line }}"
regexp: "{{ item.regexp }}"
backrefs: true
insertafter: "{{ item.after | default (omit) }}"
insertbefore: "{{ item.before | default (omit) }}"
insertafter: "{{ item.after | default(omit) }}"
insertbefore: "{{ item.before | default(omit) }}"
loop:
- { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\2', after: '^auth.*pam_faillock.*preauth' }
- { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' }

1
tasks/section_5/cis_5.3.3.1.x.yml
View file

@ -104,6 +104,7 @@
line: "{{ rhel9cis_pamroot_lock_option }}"
insertafter: '^# end of pam-auth-update config'
create: true
mode: 'u-x,go-wx'
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | remove lockout from pam files NOT AuthSelect"
when:

28
tasks/section_5/cis_5.4.1.x.yml
View file

@ -96,7 +96,8 @@
- discovered_warn_days.stdout_lines | length > 0
- item in prelim_interactive_usernames.stdout
- rhel9cis_force_user_warnage
ansible.builtin.shell: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
changed_when: true
loop: "{{ discovered_warn_days.stdout_lines }}"
- name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured"
@ -125,25 +126,29 @@
- rule_5.4.1.5
block:
- name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | Check current settings"
ansible.builtin.shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
ansible.builtin.shell: |
useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
changed_when: false
failed_when: false
check_mode: false
register: discovered_passwdlck_inactive_settings
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set default inactive setting"
ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
when: discovered_passwdlck_inactive_settings.stdout | length == 0
ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
changed_when: true
- name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
ansible.builtin.shell: |
"awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
changed_when: false
check_mode: false
register: discovered_passwdlck_user_list
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
when: item in prelim_interactive_usernames.stdout
ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
changed_when: true
loop: "{{ discovered_passwdlck_user_list.stdout_lines }}"
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past"
@ -172,22 +177,23 @@
register: discovered_passwdlck_user_future
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
when:
- discovered_passwdlck_user_future.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
ansible.builtin.debug:
msg: "Warning!! The following accounts have the last PW change date in the future: {{ discovered_passwdlck_user_future.stdout_lines }}"
when:
- discovered_passwdlck_user_future.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
when:
- discovered_passwdlck_user_future.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
ansible.builtin.shell: passwd --expire {{ item }}
changed_when: true
when:
- discovered_passwdlck_user_future.stdout | length > 0
- rhel9cis_futurepwchgdate_autofix
loop: "{{ discovered_passwdlck_user_future.stdout_lines }}"
ansible.builtin.command: passwd --expire {{ item }}

3
tasks/section_5/cis_5.4.2.x.yml
View file

@ -17,7 +17,7 @@
- NIST800-53R5_CM-6
- NIST800-53R5_CM-7
- NIST800-53R5_IA-5
ansible.builtin.shell: passwd -l {{ item }}
ansible.builtin.command: passwd -l {{ item }}
changed_when: false
failed_when: false
loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}"
@ -194,6 +194,7 @@
regexp: \s*umask
line: "umask {{ rhel9cis_root_umask }}"
create: true
mode: 'u+x,go-rwx'
- name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell"
when:

10
tasks/section_6/cis_6.1.x.yml
View file

@ -45,7 +45,8 @@
rhel9cis_aide_db_recreate
block:
- name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB"
ansible.builtin.shell: "{{ aide_initiate_command }}"
ansible.builtin.command: "{{ aide_initiate_command }}"
changed_when: true
- name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB | Wait for file before continuing"
ansible.builtin.wait_for:
@ -56,6 +57,7 @@
src: /var/lib/aide/aide.db.new.gz
dest: /var/lib/aide/aide.db.gz
remote_src: true
mode: 'ug-wx,o-rwx'
- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked"
when:
@ -85,15 +87,15 @@
- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
when: rhel9cis_aide_scan == "timer"
ansible.builtin.systemd:
ansible.builtin.systemd_service:
name: aidecheck.service
enabled: true
- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
when: rhel9cis_aide_scan == "timer"
ansible.builtin.systemd:
ansible.builtin.systemd_service:
name: aidecheck.timer
state: running
state: started
enabled: true
- name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"

18
tasks/section_6/cis_6.3.1.x.yml
View file

@ -1,8 +1,7 @@
---
- name: "6.3.1.1 | PATCH | Ensure auditd is installed"
when:
- rhel9cis_rule_6_3_1_1
when: rhel9cis_rule_6_3_1_1
tags:
- level2-server
- level2-workstation
@ -27,8 +26,7 @@
state: present
- name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
when:
- rhel9cis_rule_6_3_1_2
when: rhel9cis_rule_6_3_1_2
tags:
- level2-server
- level2-workstation
@ -49,7 +47,8 @@
- discovered_grubby_curr_value_audit_linux.stdout == '' or
'0' in discovered_grubby_curr_value_audit_linux.stdout or
'off' in discovered_grubby_curr_value_audit_linux.stdout|lower
ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1"
ansible.builtin.command: grubby --update-kernel=ALL --args="audit=1"
changed_when: true
- name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
when:
@ -81,17 +80,16 @@
discovered_reset_backlog_limits: true
- name: "6.3.1.3 | AUDIT | Check to see if any limits are too low"
when:
- (item | int < rhel9cis_audit_back_log_limit)
when: (item | int < rhel9cis_audit_back_log_limit)
ansible.builtin.set_fact:
discovered_reset_backlog_limits: true
loop: "{{ discovered_grubby_curr_value_backlog_linux.stdout_lines }}"
- name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied"
when:
- discovered_reset_backlog_limits is defined
ansible.builtin.shell:
when: discovered_reset_backlog_limits is defined
ansible.builtin.command:
cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
changed_when: true
- name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active"
when:

4
tasks/section_7/cis_7.1.x.yml
View file

@ -221,7 +221,7 @@
warn_control_id: '7.1.12'
block:
- name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
ansible.builtin.shell: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
ansible.builtin.command: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
changed_when: false
failed_when: false
check_mode: false
@ -283,7 +283,7 @@
warn_control_id: '7.1.13'
block:
- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID"
ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
changed_when: false
failed_when: false
check_mode: false

4
tasks/section_7/cis_7.2.x.yml
View file

@ -237,13 +237,13 @@
- users
- rule_7.2.8
block:
- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent"
- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent" # noqa risky-file-permissions
ansible.builtin.file:
path: "{{ item.dir }}"
state: directory
owner: "{{ item.id }}"
group: "{{ item.gid }}"
loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | list }}"
loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', prelim_max_int_uid | int) | list }}"
loop_control:
label: "{{ item.id }}"

2
tasks/warning_facts.yml
View file

@ -14,7 +14,7 @@
#
# warn_count the main variable for the number of warnings and each time a warn_control_id is added
# the count increases by a value of 1
- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning."
- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." # noqa name[template]
ansible.builtin.set_fact:
warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]"
warn_count: "{{ warn_count | int + 1 }}"

2
vars/audit.yml
View file

@ -35,7 +35,7 @@ audit_format: json
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
audit_results: |
The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results}}
The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }}
{% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %}
Full breakdown can be found in {{ audit_log_dir }}