section1 v2 initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-12-24 14:23:05 +00:00 · 2024-07-19 17:01:23 +01:00 · 2024-07-19 17:01:23 +01:00 · 8b58d71e4b
commit 8b58d71e4b
parent cf4376f1f7
47 changed files with 2181 additions and 1707 deletions
--- a/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2
@ -0,0 +1,6 @@
+# This is a subpolicy dropping the SHA1 hash and signature support
+# Carried out as part of CIS Benchmark
+
+hash = -SHA1
+sign = -*-SHA1
+sha1_in_certs = 0
--- a/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2
@ -0,0 +1,5 @@
+# This is a subpolicy to disable all CBC mode ciphers
+# for the SSH protocol (libssh and OpenSSH)
+# Carried out as part of CIS Benchmark
+
+cipher@SSH = -*-CBC
--- a/templates/etc/crypto-policies/policies/modules/NO-SSHCHACHA20.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHCHACHA20.pmod.j2
@ -0,0 +1,5 @@
+# This is a subpolicy to disable the chacha20-poly1305 ciphers
+# for the SSH protocol (libssh and OpenSSH)
+# Carried out as part of CIS Benchmark
+
+cipher@SSH = -CHACHA20-POLY1305
--- a/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2
@ -0,0 +1,5 @@
+# This is a subpolicy to disable Encrypt then MAC
+# for the SSH protocol (libssh and OpenSSH)
+# Carried out as part of CIS Benchmark
+
+etm@SSH = DISABLE_ETM
--- a/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
+++ b/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
@ -0,0 +1,4 @@
+# This is a subpolicy to disable weak macs
+# Carried out as part of CIS Benchmark
+
+mac = -*-64
--- a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2
+++ b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2
@ -1,7 +1,12 @@
 ## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!

-{% if rhel9cis_rule_1_5_3 %}
-# Kernel sysctl
-# CIS 1.5.3
+{% if rhel9cis_rule_1_5_1 %}
+# Adress space randomise
+# CIS 1.5.1
 kernel.randomize_va_space = 2
 {% endif %}
+{% if rhel9cis_rule_1_5_2 %}
+# Ptrace scope
+# CIS 1.5.2
+kernel.yama.ptrace_scope = 1
+{% endif %}
--- a/templates/fs_with_cves.sh
+++ b/templates/fs_with_cves.sh
@ -0,0 +1,60 @@
+{% raw %}
+#! /usr/bin/env bash
+
+# Based on original Script provided by CIS
+# CVEs correct at time of creation - April2024
+
+#! /usr/bin/env bash
+
+{
+   a_output=(); a_output2=(); a_modprope_config=(); a_excluded=(); a_available_modules=()
+   a_ignore=("xfs" "vfat" "ext2" "ext3" "ext4")
+   a_cve_exists=("afs" "ceph" "cifs" "exfat" "ext" "fat" "fscache" "fuse" "gfs2" "nfs_common" "nfsd" "smbfs_common")
+   f_module_chk()
+   {
+      l_out2=""; grep -Pq -- "\b$l_mod_name\b" <<< "${a_cve_exists[*]}" && l_out2=" <- CVE exists!"
+      if ! grep -Pq -- '\bblacklist\h+'"$l_mod_name"'\b' <<< "${a_modprope_config[*]}"; then
+         a_output2+=("  - Kernel module: \"$l_mod_name\" is not fully disabled $l_out2")
+      elif ! grep -Pq -- '\binstall\h+'"$l_mod_name"'\h+\/bin\/(false|true)\b' <<< "${a_modprope_config[*]}"; then
+         a_output2+=("  - Kernel module: \"$l_mod_name\" is not fully disabled $l_out2")
+      fi
+      if lsmod | grep "$l_mod_name" &> /dev/null; then # Check if the module is currently loaded
+         l_output2+=("  - Kernel module: \"$l_mod_name\" is loaded" "")
+      fi
+   }
+   while IFS= read -r -d $'\0' l_module_dir; do
+      a_available_modules+=("$(basename "$l_module_dir")")
+   done < <(find "$(readlink -f /lib/modules/"$(uname -r)"/kernel/fs)" -mindepth 1 -maxdepth 1 -type d ! -empty -print0)
+   while IFS= read -r l_exclude; do
+      if grep -Pq -- "\b$l_exclude\b" <<< "${a_cve_exists[*]}"; then
+         a_output2+=("  - ** WARNING: kernel module: \"$l_exclude\" has a CVE and is currently mounted! **")
+      elif
+         grep -Pq -- "\b$l_exclude\b" <<< "${a_available_modules[*]}"; then
+         a_output+=("  - Kernel module: \"$l_exclude\" is currently mounted - do NOT unload or disable")
+      fi
+      ! grep -Pq -- "\b$l_exclude\b" <<< "${a_ignore[*]}" && a_ignore+=("$l_exclude")
+   done < <(findmnt -knD | awk '{print $2}' | sort -u)
+   while IFS= read -r l_config; do
+      a_modprope_config+=("$l_config")
+   done < <(modprobe --showconfig | grep -P '^\h*(blacklist|install)')
+   for l_mod_name in "${a_available_modules[@]}"; do # Iterate over all filesystem modules
+      [[ "$l_mod_name" =~ overlay ]] && l_mod_name="${l_mod_name::-2}"
+      if grep -Pq -- "\b$l_mod_name\b" <<< "${a_ignore[*]}"; then
+         a_excluded+=(" - Kernel module: \"$l_mod_name\"")
+      else
+         f_module_chk
+      fi
+   done
+# Output findings
+
+   echo "### Script can be found at ${BASH_SOURCE} ##"
+   if [ "${#a_output2[@]}" -le 0 ]; then
+      printf '%s\n' "" "  - No unused filesystem kernel modules are enabled" "${a_output[@]}" ""
+   else
+      printf '%s\n' "" "-- Audit Result: --" "  ** REVIEW the following **" "${a_output2[@]}"
+      # Changed return value to capture error
+      exit 99
+      #[ "${#a_output[@]}" -gt 0 ] && printf '%s\n' "" "-- Correctly set: --" "${a_output[@]}" ""
+   fi
+}
+{% endraw %}