From 8f3150e6c9bd8741bc8a121ba1e46a25d64e400f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 08:27:34 +0100 Subject: [PATCH 01/29] #60 addressed for ipb6 Signed-off-by: Mark Bolwell --- templates/etc/sysctl.d/60-disable_ipv6.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index 599103e..bdded40 100644 --- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -1,7 +1,7 @@ ## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! # IPv6 disable -{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} +{% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %} net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 {% endif %} From 04cb2e0f1d4a6692a8951f6278afc44af523ad80 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 08:44:23 +0100 Subject: [PATCH 02/29] #54 merged into new layout Signed-off-by: Mark Bolwell --- tasks/main.yml | 8 ++++---- tasks/prelim.yml | 4 ++-- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.1.3.x.yml | 2 +- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 2 +- tasks/section_1/cis_1.1.7.x.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 10 +++++----- tasks/section_6/cis_6.1.x.yml | 8 ++++---- templates/ansible_vars_goss.yml.j2 | 2 +- 11 files changed, 22 insertions(+), 22 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index e8f72f4..f13a39b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,9 +3,9 @@ - name: Check OS version and family ansible.builtin.assert: - that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==') - fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." - success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" + that: (ansible_facts.distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==') + fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." + success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}" when: - os_check - not system_is_ec2 @@ -122,7 +122,7 @@ - always - name: Include OS specific variables - ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" + ansible.builtin.include_vars: "{{ ansible_facts.distribution }}.yml" tags: - always diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 65d4be4..f26c794 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -133,8 +133,8 @@ state: latest when: - rhel9cis_rule_1_2_4 - - ansible_distribution != 'RedHat' - - ansible_distribution != 'OracleLinux' + - ansible_facts.distribution != 'RedHat' + - ansible_facts.distribution != 'OracleLinux' - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" ansible.builtin.package: diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 780d7da..5df0ba9 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -33,7 +33,7 @@ state: present opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} notify: Remount tmp - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" when: diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index d873c51..4a98729 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -31,7 +31,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %} - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index f063fbd..0b043e5 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -33,7 +33,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 1707f30..d1ae159 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -33,7 +33,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 274f668..4d7ff28 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -32,7 +32,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 7f16610..3ba95ce 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -32,7 +32,7 @@ fstype: "{{ item.fstype }}" state: present opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %} - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 9d732bb..1317cc7 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -23,9 +23,9 @@ os_gpg_key_check.rc == 1 when: - rhel9cis_rule_1_2_1 - - ansible_distribution == "RedHat" or - ansible_distribution == "Rocky" or - ansible_distribution == "AlmaLinux" + - ansible_facts.distribution == "RedHat" or + ansible_facts.distribution == "Rocky" or + ansible_facts.distribution == "AlmaLinux" tags: - level1-server - level1-workstation @@ -111,8 +111,8 @@ when: - rhel9cis_rule_1_2_4 - - not rhel9cis_rhel_default_repo or ansible_distribution != 'RedHat' - - ansible_distribution != 'OracleLinux' + - not rhel9cis_rhel_default_repo or ansible_facts.distribution != 'RedHat' + - ansible_facts.distribution != 'OracleLinux' tags: - level1-server - level1-workstation diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 76f92be..1361083 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -155,7 +155,7 @@ failed_when: false check_mode: false register: rhel_09_6_1_10_audit - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" when: @@ -201,7 +201,7 @@ failed_when: false changed_when: false register: rhel_09_6_1_11_audit - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" when: @@ -260,7 +260,7 @@ failed_when: false changed_when: false register: rhel_09_6_1_13_suid_perms - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" @@ -302,7 +302,7 @@ failed_when: false changed_when: false register: rhel_09_6_1_14_sgid_perms - loop: "{{ ansible_mounts }}" + loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.mount }}" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index e862c1d..8b21441 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -7,7 +7,7 @@ benchmark_version: '1.0.0' # Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS # If run via script this is discovered and set -host_os_distribution: {{ ansible_distribution | lower }} +host_os_distribution: {{ ansible_facts.distribution | lower }} # timeout for each command to run where set - default = 10seconds/10000ms timeout_ms: 60000 From 7c7902772fa85f21446525b22314b654bb14ad86 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 09:50:22 +0100 Subject: [PATCH 03/29] updated Signed-off-by: Mark Bolwell --- Changelog.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index e3b0e82..c807008 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,13 @@ # Changes to rhel9CIS +## 1.1.1 - Based on CIS v1.0.0 + +- thanks to @agbrowne + - [#90](https://github.com/ansible-lockdown/RHEL9-CIS/issues/90) + +- thanks to @mnasiadka + - [#54](https://github.com/ansible-lockdown/RHEL9-CIS/pull/54) + ## 1.1.0 - new workflow configuration @@ -81,7 +89,7 @@ Aligned benchmark audit version with remediate release ## 1.0.1 -Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 +Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 Will not follow ynlink in hoe directoris and amend permissions. - rhel_09_6_2_16_home_follow_symlink: false From 18e59d32f1a0236d1c174409a9ab3b9162440859 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 09:55:27 +0100 Subject: [PATCH 04/29] more ansible_facst referenced #54 Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f7cef1c..72857c0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -696,12 +696,12 @@ audit_files_url: "some url maybe s3?" # Where the goss configs and outputs are stored audit_out_dir: '/opt' audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" -pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" -post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" +post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" ## The following should not need changing goss_file: "{{ audit_conf_dir }}goss.yml" -audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml" +audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | The pre remediation results are: {{ pre_audit_summary }}. The post remediation results are: {{ post_audit_summary }}. From 3f32f9c58c0e47e970ef4ed5cd3b32b1f121470d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 12:42:30 +0100 Subject: [PATCH 05/29] updated typos Signed-off-by: Mark Bolwell --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index c807008..baddb61 100644 --- a/Changelog.md +++ b/Changelog.md @@ -90,7 +90,7 @@ Aligned benchmark audit version with remediate release ## 1.0.1 Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 -Will not follow ynlink in hoe directoris and amend permissions. +Will not follow symlink in home directoris and amend permissions. - rhel_09_6_2_16_home_follow_symlink: false From 8bd176757778312aaa1901a52cf4d4873e7007ee Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 6 Sep 2023 12:46:40 +0100 Subject: [PATCH 06/29] updated typos Signed-off-by: Mark Bolwell --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index baddb61..42c40d4 100644 --- a/Changelog.md +++ b/Changelog.md @@ -90,7 +90,7 @@ Aligned benchmark audit version with remediate release ## 1.0.1 Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 -Will not follow symlink in home directoris and amend permissions. +Will not follow symlink in home directories and amend permissions. - rhel_09_6_2_16_home_follow_symlink: false From 95140d32477eba538fea165d777817dc5258cb84 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 7 Sep 2023 14:19:48 +0100 Subject: [PATCH 07/29] updated due to changes Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 174 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 165 insertions(+), 9 deletions(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index 6edc284..fcb806d 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -109,15 +109,171 @@ }, { "path": "detect_secrets.filters.heuristic.is_templated_secret" - }, - { - "path": "detect_secrets.filters.regex.should_exclude_file", - "pattern": [ - ".config/.gitleaks-report.json" - ] } ], "results": { + ".config/.gitleaks-report.json": [ + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", + "is_verified": false, + "line_number": 9, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", + "is_verified": false, + "line_number": 9, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "cd6f8dc4b799af818fedddd7c83e5df8bf770555", + "is_verified": false, + "line_number": 12, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", + "is_verified": false, + "line_number": 29, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", + "is_verified": false, + "line_number": 29, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", + "is_verified": false, + "line_number": 49, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", + "is_verified": false, + "line_number": 49, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", + "is_verified": false, + "line_number": 69, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", + "is_verified": false, + "line_number": 69, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", + "is_verified": false, + "line_number": 89, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", + "is_verified": false, + "line_number": 89, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", + "is_verified": false, + "line_number": 109, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", + "is_verified": false, + "line_number": 109, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "cb5e191d260065309ce16cd3675837069c8734c8", + "is_verified": false, + "line_number": 132, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "976b057e0978bf8956e05b173f070cd7757c38c6", + "is_verified": false, + "line_number": 249, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "bdb4ffe72f980b517d691e83c9eb50219a63fe91", + "is_verified": false, + "line_number": 252, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "95f603d65dd6aec15f75185df59f92e90737da49", + "is_verified": false, + "line_number": 269, + "is_secret": false + }, + { + "type": "Hex High Entropy String", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "72172e3578dc29c275e5a39bdf7a1a038bdc03c4", + "is_verified": false, + "line_number": 272, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "08f0ac7a7bbbb1819417e5a47aa0eebbd5fe4e86", + "is_verified": false, + "line_number": 289, + "is_secret": false + }, + { + "type": "Secret Keyword", + "filename": ".config/.gitleaks-report.json", + "hashed_secret": "23fdd48a76e5b32e85c6698062f1489d6fbac450", + "is_verified": false, + "line_number": 309, + "is_secret": false + } + ], "defaults/main.yml": [ { "type": "Secret Keyword", @@ -132,7 +288,7 @@ "filename": "defaults/main.yml", "hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", "is_verified": false, - "line_number": 375, + "line_number": 376, "is_secret": false }, { @@ -140,7 +296,7 @@ "filename": "defaults/main.yml", "hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", "is_verified": false, - "line_number": 376, + "line_number": 377, "is_secret": false } ], @@ -172,5 +328,5 @@ } ] }, - "generated_at": "2023-08-10T12:54:13Z" + "generated_at": "2023-09-07T13:18:00Z" } From 43a339c74fe6b9038f694829921090c03a692d57 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 7 Sep 2023 14:23:12 +0100 Subject: [PATCH 08/29] new var rhel9cis_rhel_default_repo Signed-off-by: Mark Bolwell --- defaults/main.yml | 1 + tasks/section_1/cis_1.2.x.yml | 4 ++-- vars/AlmaLinux.yml | 2 ++ vars/OracleLinux.yml | 2 ++ vars/RedHat.yml | 3 +++ 5 files changed, 10 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 72857c0..2ace2f9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -370,6 +370,7 @@ rhel9cis_rhnsd_required: false # 1.2.4 repo_gpgcheck rhel9cis_rhel_default_repo: true +rhel9cis_rule_enable_repogpg: true # 1.4.1 Bootloader password rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 1317cc7..fc2d992 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -111,8 +111,8 @@ when: - rhel9cis_rule_1_2_4 - - not rhel9cis_rhel_default_repo or ansible_facts.distribution != 'RedHat' - - ansible_facts.distribution != 'OracleLinux' + - rhel9cis_rule_enable_repogpg + - not rhel9cis_rhel_default_repo tags: - level1-server - level1-workstation diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index c460fb0..b0eb3d9 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -3,3 +3,5 @@ os_gpg_key_pubkey_name: gpg-pubkey-b86b3716-61e69f29 os_gpg_key_pubkey_content: "AlmaLinux OS 9 b86b3716" +# disable repo_gpgcheck due to OS default repos +rhel9cis_rule_enable_repogpg: false diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml index d916178..64927cc 100644 --- a/vars/OracleLinux.yml +++ b/vars/OracleLinux.yml @@ -2,3 +2,5 @@ # OS Specific Settings os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec os_gpg_key_pubkey_content: "Oracle Linux (release key 1) " +# disable repo_gpgcheck due to OS default repos +rhel9cis_rule_enable_repogpg: false diff --git a/vars/RedHat.yml b/vars/RedHat.yml index d33b0bc..c5833a4 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -3,3 +3,6 @@ os_gpg_key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) fd431d51" + +# disable repo_gpgcheck due to OS default repos +rhel9cis_rule_enable_repogpg: false From 279023d02658411e5c7d31b55bf3838954f108dd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Sep 2023 15:31:35 +0100 Subject: [PATCH 09/29] updated Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8d75217..22bcd92 100644 --- a/README.md +++ b/README.md @@ -40,7 +40,7 @@ ### Community -Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. +Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. ### Contributing From d64414ce9b4379a254ce74fd423b790149d51223 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Sep 2023 09:51:56 +0100 Subject: [PATCH 10/29] updated test and control Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.8.x.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 2bf9fc1..089ca28 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -3,18 +3,23 @@ # Skips if mount is absent - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition" block: - - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists" + ansible.builtin.shell: mount -l | grep -w /dev/shm + changed_when: false + register: rhel9cis_1_8_1_1_mount_check - - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.import_tasks: warning_facts.yml + - block: + - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + + - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" + ansible.builtin.import_tasks: warning_facts.yml + when: rhel9cis_1_8_1_1_mount_check.rc == 1 vars: warn_control_id: '1.1.8.1' - required_mount: '/dev/shm' when: - - required_mount not in mount_names - rhel9cis_rule_1_1_8_1 tags: - level1-server From 64416d59b7ec4db0c5707acf527f97835521257a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Sep 2023 09:58:01 +0100 Subject: [PATCH 11/29] updated discord link Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index a4e7d48..dba39dc 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -27,7 +27,7 @@ repo-token: ${{ secrets.GITHUB_TOKEN }} pr-message: |- Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. # This workflow contains a single job which tests the playbook playbook-test: From f6fd7e02d3d9d252d51ad354de86be1412f7c95e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Sep 2023 14:02:44 +0100 Subject: [PATCH 12/29] git audit binary version updated Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2ace2f9..3b8cd4a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -665,10 +665,10 @@ audit_run_script_environment: AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" ### Goss binary settings ### -audit_bin_release: v0.3.23 +audit_bin_release: v0.4.2 audit_bin_version: - AMD64_checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d' - ARM64_checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e' + AMD64_checksum: 'sha256:e50e43d75c47c731f5fdff176f5abeb8aca35f17aea60f85ebc28f6110cb6945' + ARM64_checksum: 'sha256:6da14a98f12d1929ea719d4cfe96087c8e3a37b29d91b72fbe6edc7f8a580784 ' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json From 9c84884357ee423e8e17f932ac7c26b531715422 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Sep 2023 14:02:50 +0100 Subject: [PATCH 13/29] updated Signed-off-by: Mark Bolwell --- Changelog.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Changelog.md b/Changelog.md index 42c40d4..7d2352f 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,9 @@ # Changes to rhel9CIS +## 1.1.2 - Based on CIS v1.0.0 + +- updated audit binary versions - aligned with rhel9-cis-audit + ## 1.1.1 - Based on CIS v1.0.0 - thanks to @agbrowne From e202d4bd6800671ca0662b93dc682b85a9d89015 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 14:55:00 +0100 Subject: [PATCH 14/29] lint updates Signed-off-by: Mark Bolwell --- .ansible-lint | 2 -- .yamllint | 2 +- tasks/main.yml | 33 ++++++++++++++++++++++----------- tasks/section_1/cis_1.1.8.x.yml | 3 ++- 4 files changed, 25 insertions(+), 15 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 057c65e..b717f67 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -6,12 +6,10 @@ skip_list: - 'schema' - 'no-changed-when' - 'var-spacing' - - 'fqcn-builtins' - 'experimental' - 'name[play]' - 'name[casing]' - 'name[template]' - - 'fqcn[action]' - 'key-order[task]' - '204' - '305' diff --git a/.yamllint b/.yamllint index ec46929..65faae6 100644 --- a/.yamllint +++ b/.yamllint @@ -30,4 +30,4 @@ rules: trailing-spaces: enable truthy: allowed-values: ['true', 'false'] - check-keys: false + check-keys: true diff --git a/tasks/main.yml b/tasks/main.yml index f13a39b..e1cd780 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -127,66 +127,77 @@ - always - name: Include preliminary steps - ansible.builtin.import_tasks: prelim.yml + ansible.builtin.import_tasks: + file: prelim.yml tags: - prelim_tasks - always - name: run pre_remediation audit - ansible.builtin.include_tasks: pre_remediation_audit.yml + ansible.builtin.include_tasks: + file: pre_remediation_audit.yml when: - run_audit - name: run Section 1 tasks - ansible.builtin.import_tasks: section_1/main.yml + ansible.builtin.import_tasks: + file: section_1/main.yml when: rhel9cis_section1 tags: - rhel9cis_section1 - name: run Section 2 tasks - ansible.builtin.import_tasks: section_2/main.yml + ansible.builtin.import_tasks: + file: section_2/main.yml when: rhel9cis_section2 tags: - rhel9cis_section2 - name: run Section 3 tasks - ansible.builtin.import_tasks: section_3/main.yml + ansible.builtin.import_tasks: + file: section_3/main.yml when: rhel9cis_section3 tags: - rhel9cis_section3 - name: run Section 4 tasks - ansible.builtin.import_tasks: section_4/main.yml + ansible.builtin.import_tasks: + file: section_4/main.yml when: rhel9cis_section4 tags: - rhel9cis_section4 - name: run Section 5 tasks - ansible.builtin.import_tasks: section_5/main.yml + ansible.builtin.import_tasks: + file: section_5/main.yml when: rhel9cis_section5 tags: - rhel9cis_section5 - name: run Section 6 tasks - ansible.builtin.import_tasks: section_6/main.yml + ansible.builtin.import_tasks: + file: section_6/main.yml when: rhel9cis_section6 tags: - rhel9cis_section6 - name: run auditd logic - ansible.builtin.import_tasks: auditd.yml + ansible.builtin.import_tasks: + file: auditd.yml when: update_audit_template tags: - always - name: run post remediation tasks - ansible.builtin.import_tasks: post.yml + ansible.builtin.import_tasks: + file: post.yml tags: - post_tasks - always - name: run post_remediation audit - ansible.builtin.import_tasks: post_remediation_audit.yml + ansible.builtin.import_tasks: + file: post_remediation_audit.yml when: - run_audit diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 089ca28..441006b 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -8,7 +8,8 @@ changed_when: false register: rhel9cis_1_8_1_1_mount_check - - block: + - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition" + block: - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" From a67a484971bd41ab53bbee286fec5cce32790bae Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 14:55:55 +0100 Subject: [PATCH 15/29] import_tasks file added Signed-off-by: Mark Bolwell --- tasks/section_1/main.yml | 54 ++++++++++++++++++++++++++-------------- tasks/section_2/main.yml | 12 ++++++--- tasks/section_3/main.yml | 15 +++++++---- tasks/section_4/main.yml | 24 ++++++++++++------ tasks/section_5/main.yml | 21 ++++++++++------ tasks/section_6/main.yml | 6 +++-- 6 files changed, 88 insertions(+), 44 deletions(-) diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index d9bc3b5..ccc1e04 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -1,59 +1,77 @@ --- - name: "SECTION | 1.1.1.x | Disable unused filesystems" - ansible.builtin.import_tasks: cis_1.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.1.x.yml - name: "SECTION | 1.1.2.x | Configure /tmp" - ansible.builtin.import_tasks: cis_1.1.2.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.2.x.yml - name: "SECTION | 1.1.3.x | Configure /var" - ansible.builtin.import_tasks: cis_1.1.3.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.3.x.yml - name: "SECTION | 1.1.4.x | Configure /var/tmp" - ansible.builtin.import_tasks: cis_1.1.4.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.4.x.yml - name: "SECTION | 1.1.5.x | Configure /var/log" - ansible.builtin.import_tasks: cis_1.1.5.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.5.x.yml - name: "SECTION | 1.1.6.x | Configure /var/log/audit" - ansible.builtin.import_tasks: cis_1.1.6.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.6.x.yml - name: "SECTION | 1.1.7.x | Configure /home" - ansible.builtin.import_tasks: cis_1.1.7.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.7.x.yml - name: "SECTION | 1.1.8.x | Configure /dev/shm" - ansible.builtin.import_tasks: cis_1.1.8.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.8.x.yml - name: "SECTION | 1.1.x | Disable various mounting" - ansible.builtin.import_tasks: cis_1.1.x.yml + ansible.builtin.import_tasks: + file: cis_1.1.x.yml - name: "SECTION | 1.2 | Configure Software Updates" - ansible.builtin.import_tasks: cis_1.2.x.yml + ansible.builtin.import_tasks: + file: cis_1.2.x.yml - name: "SECTION | 1.3 | Filesystem Integrity Checking" - ansible.builtin.import_tasks: cis_1.3.x.yml + ansible.builtin.import_tasks: + file: cis_1.3.x.yml when: rhel9cis_config_aide - name: "SECTION | 1.4 | Secure Boot Settings" - ansible.builtin.import_tasks: cis_1.4.x.yml + ansible.builtin.import_tasks: + file: cis_1.4.x.yml - name: "SECTION | 1.5 | Additional Process Hardening" - ansible.builtin.import_tasks: cis_1.5.x.yml + ansible.builtin.import_tasks: + file: cis_1.5.x.yml - name: "SECTION | 1.6 | Mandatory Access Control" - include_tasks: cis_1.6.1.x.yml + ansible.builtin.include_tasks: + file: cis_1.6.1.x.yml when: not rhel9cis_selinux_disable - name: "SECTION | 1.7 | Command Line Warning Banners" - ansible.builtin.import_tasks: cis_1.7.x.yml + ansible.builtin.import_tasks: + file: cis_1.7.x.yml - name: "SECTION | 1.8 | Gnome Display Manager" - ansible.builtin.import_tasks: cis_1.8.x.yml + ansible.builtin.import_tasks: + file: cis_1.8.x.yml - name: "SECTION | 1.9 | Updates and Patches" - ansible.builtin.import_tasks: cis_1.9.yml + ansible.builtin.import_tasks: + file: cis_1.9.yml - name: "SECTION | 1.10 | Crypto policies" - include_tasks: cis_1.10.yml + ansible.builtin.include_tasks: + file: cis_1.10.yml when: - not system_is_ec2 diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 39b912d..3e8996a 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,13 +1,17 @@ --- - name: "SECTION | 2.1 | Time Synchronization" - ansible.builtin.import_tasks: cis_2.1.x.yml + ansible.builtin.import_tasks: + file: cis_2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" - ansible.builtin.import_tasks: cis_2.2.x.yml + ansible.builtin.import_tasks: + file: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" - ansible.builtin.import_tasks: cis_2.3.x.yml + ansible.builtin.import_tasks: + file: cis_2.3.x.yml - name: "SECTION | 2.4 | Nonessential services removed" - ansible.builtin.import_tasks: cis_2.4.yml + ansible.builtin.import_tasks: + file: cis_2.4.yml diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 535aba9..34553d7 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml @@ -1,16 +1,21 @@ --- - name: "SECTION | 3.1.x | Disable unused network protocols and devices" - ansible.builtin.import_tasks: cis_3.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.1.x.yml - name: "SECTION | 3.2.x | Network Parameters (Host Only)" - ansible.builtin.import_tasks: cis_3.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.2.x.yml - name: "SECTION | 3.3.x | Network Parameters (host and Router)" - ansible.builtin.import_tasks: cis_3.3.x.yml + ansible.builtin.import_tasks: + file: cis_3.3.x.yml - name: "SECTION | 3.4.1.x | Firewall configuration" - ansible.builtin.import_tasks: cis_3.4.1.x.yml + ansible.builtin.import_tasks: + file: cis_3.4.1.x.yml - name: "SECTION | 3.4.2.x | Configure firewall" - ansible.builtin.import_tasks: cis_3.4.2.x.yml + ansible.builtin.import_tasks: + file: cis_3.4.2.x.yml diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 285a2f3..db729af 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -1,29 +1,37 @@ --- - name: "SECTION | 4.1 | Configure System Accounting (auditd)" - ansible.builtin.import_tasks: cis_4.1.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.1.x.yml when: - not system_is_container - name: "SECTION | 4.1.2 | Configure Data Retention" - ansible.builtin.import_tasks: cis_4.1.2.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.2.x.yml - name: "SECTION | 4.1.3 | Configure Auditd rules" - ansible.builtin.import_tasks: cis_4.1.3.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.3.x.yml - name: "SECTION | 4.1.4 | Configure Audit files" - ansible.builtin.import_tasks: cis_4.1.4.x.yml + ansible.builtin.import_tasks: + file: cis_4.1.4.x.yml - name: "SECTION | 4.2 | Configure Logging" - ansible.builtin.import_tasks: cis_4.2.1.x.yml + ansible.builtin.import_tasks: + file: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' - name: "SECTION | 4.2.2 | Configure journald" - ansible.builtin.import_tasks: cis_4.2.2.x.yml + ansible.builtin.import_tasks: + file: cis_4.2.2.x.yml when: rhel9cis_syslog == 'journald' - name: "SECTION | 4.2.3 | Configure logile perms" - ansible.builtin.import_tasks: cis_4.2.3.yml + ansible.builtin.import_tasks: + file: cis_4.2.3.yml - name: "SECTION | 4.3 | Configure logrotate" - ansible.builtin.import_tasks: cis_4.3.yml + ansible.builtin.import_tasks: + file: cis_4.3.yml diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 5aed1c1..ed06b5a 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -3,24 +3,31 @@ # Access, Authentication, and Authorization - name: "SECTION | 5.1 | Configure time-based job schedulers" - ansible.builtin.import_tasks: cis_5.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure SSH Server" - ansible.builtin.import_tasks: cis_5.2.x.yml + ansible.builtin.import_tasks: + file: cis_5.2.x.yml when: - "'openssh-server' in ansible_facts.packages" - name: "SECTION | 5.3 | Configure privilege escalation" - ansible.builtin.import_tasks: cis_5.3.x.yml + ansible.builtin.import_tasks: + file: cis_5.3.x.yml - name: "SECTION | 5.4 | Configure authselect" - ansible.builtin.import_tasks: cis_5.4.x.yml + ansible.builtin.import_tasks: + file: cis_5.4.x.yml - name: "SECTION | 5.5 | Configure PAM " - ansible.builtin.import_tasks: cis_5.5.x.yml + ansible.builtin.import_tasks: + file: cis_5.5.x.yml - name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters" - ansible.builtin.import_tasks: cis_5.6.1.x.yml + ansible.builtin.import_tasks: + file: cis_5.6.1.x.yml - name: "SECTION | 5.6.x | Misc. User Account Settings" - ansible.builtin.import_tasks: cis_5.6.x.yml + ansible.builtin.import_tasks: + file: cis_5.6.x.yml diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index 35328e5..b194fdc 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -1,7 +1,9 @@ --- - name: "SECTION | 6.1 | System File Permissions" - ansible.builtin.import_tasks: cis_6.1.x.yml + ansible.builtin.import_tasks: + file: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - ansible.builtin.import_tasks: cis_6.2.x.yml + ansible.builtin.import_tasks: + file: cis_6.2.x.yml From af20f70f24c10bfa8c9ac8ba41a83fb1e51babc1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 14:57:25 +0100 Subject: [PATCH 16/29] updated test Signed-off-by: Mark Bolwell --- tasks/section_3/cis_3.1.x.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 52a3f3c..dad3fe9 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -26,7 +26,7 @@ - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" block: - - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" + - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available | if wlan exists" ansible.builtin.shell: rpm -q NetworkManager changed_when: false failed_when: false @@ -47,6 +47,7 @@ when: rhel_09_wifi_enabled is changed # noqa no-handler when: - rhel9cis_rule_3_1_2 + - "'wlan' in ansible_facts.interfaces" tags: - level1-server - patch From c5ed197e039738f4a630863a995940f5da812414 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:07:52 +0100 Subject: [PATCH 17/29] import_tasks file added Signed-off-by: Mark Bolwell --- site.yml | 6 +++--- tasks/auditd.yml | 3 ++- tasks/post.yml | 3 ++- tasks/section_1/cis_1.1.2.x.yml | 3 ++- tasks/section_1/cis_1.1.3.x.yml | 3 ++- tasks/section_1/cis_1.1.4.x.yml | 3 ++- tasks/section_1/cis_1.1.5.x.yml | 3 ++- tasks/section_1/cis_1.1.6.x.yml | 3 ++- tasks/section_1/cis_1.1.7.x.yml | 3 ++- tasks/section_1/cis_1.1.8.x.yml | 3 ++- tasks/section_1/cis_1.2.x.yml | 3 ++- tasks/section_1/cis_1.6.1.x.yml | 3 ++- tasks/section_2/cis_2.4.yml | 3 ++- tasks/section_3/cis_3.4.2.x.yml | 3 ++- tasks/section_4/cis_4.2.2.x.yml | 3 ++- tasks/section_4/cis_4.3.yml | 3 ++- tasks/section_5/cis_5.6.1.x.yml | 3 ++- tasks/section_6/cis_6.1.x.yml | 15 ++++++++++----- tasks/section_6/cis_6.2.x.yml | 18 ++++++++++++------ 19 files changed, 57 insertions(+), 30 deletions(-) diff --git a/site.yml b/site.yml index c56b473..16fe8c6 100644 --- a/site.yml +++ b/site.yml @@ -1,7 +1,7 @@ --- -- hosts: all # noqa: name[play] + +- name: Apply RHEL9 CIS hardening + hosts: all become: true - roles: - - role: "{{ playbook_dir }}" diff --git a/tasks/auditd.yml b/tasks/auditd.yml index f578657..fb761b9 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -20,7 +20,8 @@ - Restart auditd - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: 'Auditd template updated, see diff output for details' when: diff --git a/tasks/post.yml b/tasks/post.yml index 8e8fea7..ccb4181 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -46,7 +46,8 @@ - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: - change_requires_reboot - skip_reboot diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 5df0ba9..ab8c264 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yml vars: warn_control_id: '1.1.2.1' required_mount: '/tmp' diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 4a98729..8dea033 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.1.3.1' required_mount: '/var' diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 0b043e5..2d6dcb2 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -8,7 +8,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.1.4.1' required_mount: '/var/tmp' diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index d1ae159..2ebb828 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.1.5.1' diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 4d7ff28..b41b13d 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.1.6.1' diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 3ba95ce..4abb548 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -7,7 +7,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.1.7.1' diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 441006b..41e2de8 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -15,7 +15,8 @@ msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: rhel9cis_1_8_1_1_mount_check.rc == 1 vars: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index fc2d992..6f2506f 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -73,7 +73,8 @@ - "{{ dnf_configured.stdout_lines }}" - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '1.2.3' when: diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index f05143c..76a30a6 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -93,7 +93,8 @@ when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 vars: warn_control_id: '1.6.1.6' diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index ce02b40..388edcc 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -25,7 +25,8 @@ - "{{ rhel9cis_2_4_sockets.stdout_lines }}" - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yamlfacts.yml vars: warn_control_id: '2.4' when: diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 16644c5..37de476 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -46,7 +46,8 @@ - not rhel9cis_nft_tables_autonewtable - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yamlfacts.yml when: - rhel9cis_3_4_2_2_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 84513b2..767fb79 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -88,7 +88,8 @@ when: "'static' not in rhel9cis_4_2_2_2_status.stdout" - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: "'static' not in rhel9cis_4_2_2_2_status.stdout" vars: warn_control_id: '4.2.2.2' diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index be17c70..7631d8b 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -39,7 +39,8 @@ loop: "{{ log_rotates.files }}" - name: "4.3 | AUDIT | Ensure logrotate is configured | Warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '4.3' when: log_rotates.matched > 0 diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 141c013..1c96511 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -97,7 +97,8 @@ - not rhel9cis_futurepwchgdate_autofix - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 1361083..e92eca6 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -177,7 +177,8 @@ when: rhel_09_6_1_10_unowned_files_found - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.1.10' when: rhel_09_6_1_10_unowned_files_found @@ -223,7 +224,8 @@ when: rhel_09_6_1_11_ungrouped_files_found - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.1.11' when: rhel_09_6_1_11_ungrouped_files_found @@ -279,7 +281,8 @@ when: rhel9_6_1_13_suid_found - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.1.13' when: rhel9_6_1_13_suid_found @@ -321,7 +324,8 @@ when: rhel9_6_1_14_sgid_found - name: "6.1.14 | AUDIT | Audit SGID executables| warning" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.1.14' when: rhel9_6_1_14_sgid_found @@ -362,7 +366,8 @@ The file list can be found in {{ rhel9cis_rpm_audit_file }}" - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.1.15' when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 618cadb..57deacd 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -15,7 +15,8 @@ when: shadow_passwd.stdout | length > 0 - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.2.1' when: shadow_passwd.stdout | length >= 1 @@ -59,7 +60,8 @@ when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.2.3' when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 @@ -87,7 +89,8 @@ when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 vars: warn_control_id: '6.2.4' @@ -115,7 +118,8 @@ when: rhel9cis_6_2_5_user_user_check.stdout | length >= 1 - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.2.5' when: rhel9cis_6_2_5_user_user_check.stdout_lines | length >= 1 @@ -144,7 +148,8 @@ when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.2.6' when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 @@ -173,7 +178,8 @@ when: rhel9cis_6_2_7_group_group_check.stdout is not defined - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count" - ansible.builtin.import_tasks: warning_facts.yml + ansible.builtin.import_tasks: + file: warning_facts.yaml vars: warn_control_id: '6.2.7' when: rhel9cis_6_2_7_group_group_check.stdout is not defined From e5d17f74ca435c68a587017d84b6588dcfe22f07 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:08:37 +0100 Subject: [PATCH 18/29] import_tasks file added Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index e92eca6..25b6e45 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -367,7 +367,7 @@ - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yaml vars: warn_control_id: '6.1.15' when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 From 061483f15eb128a76737659ca32e2e239a953785 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:11:24 +0100 Subject: [PATCH 19/29] updated Signed-off-by: Mark Bolwell --- .config/.secrets.baseline | 231 ++------------------------------------ 1 file changed, 9 insertions(+), 222 deletions(-) diff --git a/.config/.secrets.baseline b/.config/.secrets.baseline index fcb806d..7707be7 100644 --- a/.config/.secrets.baseline +++ b/.config/.secrets.baseline @@ -75,10 +75,6 @@ { "path": "detect_secrets.filters.allowlist.is_line_allowlisted" }, - { - "path": "detect_secrets.filters.common.is_baseline_file", - "filename": ".config/.secrets.baseline" - }, { "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies", "min_level": 2 @@ -109,224 +105,15 @@ }, { "path": "detect_secrets.filters.heuristic.is_templated_secret" + }, + { + "path": "detect_secrets.filters.regex.should_exclude_file", + "pattern": [ + ".config/.gitleaks-report.json", + "tasks/parse_etc_password.yml" + ] } ], - "results": { - ".config/.gitleaks-report.json": [ - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", - "is_verified": false, - "line_number": 9, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b", - "is_verified": false, - "line_number": 9, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "cd6f8dc4b799af818fedddd7c83e5df8bf770555", - "is_verified": false, - "line_number": 12, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", - "is_verified": false, - "line_number": 29, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb", - "is_verified": false, - "line_number": 29, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", - "is_verified": false, - "line_number": 49, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657", - "is_verified": false, - "line_number": 49, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", - "is_verified": false, - "line_number": 69, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9", - "is_verified": false, - "line_number": 69, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", - "is_verified": false, - "line_number": 89, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7", - "is_verified": false, - "line_number": 89, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", - "is_verified": false, - "line_number": 109, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b", - "is_verified": false, - "line_number": 109, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "cb5e191d260065309ce16cd3675837069c8734c8", - "is_verified": false, - "line_number": 132, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "976b057e0978bf8956e05b173f070cd7757c38c6", - "is_verified": false, - "line_number": 249, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "bdb4ffe72f980b517d691e83c9eb50219a63fe91", - "is_verified": false, - "line_number": 252, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "95f603d65dd6aec15f75185df59f92e90737da49", - "is_verified": false, - "line_number": 269, - "is_secret": false - }, - { - "type": "Hex High Entropy String", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "72172e3578dc29c275e5a39bdf7a1a038bdc03c4", - "is_verified": false, - "line_number": 272, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "08f0ac7a7bbbb1819417e5a47aa0eebbd5fe4e86", - "is_verified": false, - "line_number": 289, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": ".config/.gitleaks-report.json", - "hashed_secret": "23fdd48a76e5b32e85c6698062f1489d6fbac450", - "is_verified": false, - "line_number": 309, - "is_secret": false - } - ], - "defaults/main.yml": [ - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", - "is_verified": false, - "line_number": 364, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", - "is_verified": false, - "line_number": 376, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "defaults/main.yml", - "hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", - "is_verified": false, - "line_number": 377, - "is_secret": false - } - ], - "tasks/main.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb", - "is_verified": false, - "line_number": 38, - "is_secret": false - }, - { - "type": "Secret Keyword", - "filename": "tasks/main.yml", - "hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a", - "is_verified": false, - "line_number": 110, - "is_secret": false - } - ], - "tasks/parse_etc_password.yml": [ - { - "type": "Secret Keyword", - "filename": "tasks/parse_etc_password.yml", - "hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360", - "is_verified": false, - "line_number": 18 - } - ] - }, - "generated_at": "2023-09-07T13:18:00Z" + "results": {}, + "generated_at": "2023-09-21T14:11:05Z" } From 580ee762eea482444d91d8ac7372f58ec38c68cb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:35:35 +0100 Subject: [PATCH 20/29] fix filename Signed-off-by: Mark Bolwell --- tasks/post.yml | 2 +- tasks/section_1/cis_1.1.3.x.yml | 2 +- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 2 +- tasks/section_1/cis_1.1.7.x.yml | 2 +- tasks/section_1/cis_1.1.8.x.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 2 +- tasks/section_1/cis_1.6.1.x.yml | 2 +- tasks/section_2/cis_2.4.yml | 2 +- tasks/section_3/cis_3.4.2.x.yml | 2 +- tasks/section_4/cis_4.2.2.x.yml | 2 +- tasks/section_4/cis_4.3.yml | 2 +- tasks/section_5/cis_5.6.1.x.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 10 +++++----- tasks/section_6/cis_6.2.x.yml | 12 ++++++------ 16 files changed, 25 insertions(+), 25 deletions(-) diff --git a/tasks/post.yml b/tasks/post.yml index ccb4181..1888940 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -47,7 +47,7 @@ - name: "POST | Warning a reboot required but skip option set | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: - change_requires_reboot - skip_reboot diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 8dea033..4ff1ccb 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -8,7 +8,7 @@ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.1.3.1' required_mount: '/var' diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 2d6dcb2..713dba6 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -9,7 +9,7 @@ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.1.4.1' required_mount: '/var/tmp' diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 2ebb828..ac8b827 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -8,7 +8,7 @@ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.1.5.1' diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index b41b13d..5a7c8f4 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -8,7 +8,7 @@ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.1.6.1' diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 4abb548..ee922b3 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -8,7 +8,7 @@ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.1.7.1' diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 41e2de8..6a50de8 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -16,7 +16,7 @@ - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Present" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: rhel9cis_1_8_1_1_mount_check.rc == 1 vars: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 6f2506f..fc0bf27 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -74,7 +74,7 @@ - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '1.2.3' when: diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 76a30a6..724fd29 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -94,7 +94,7 @@ - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 vars: warn_control_id: '1.6.1.6' diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 388edcc..ac56312 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -26,7 +26,7 @@ - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Warn Count" ansible.builtin.import_tasks: - file: warning_facts.yamlfacts.yml + file: warning_facts.yml vars: warn_control_id: '2.4' when: diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 37de476..73d85f4 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -47,7 +47,7 @@ - name: "3.4.2.2 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" ansible.builtin.import_tasks: - file: warning_facts.yamlfacts.yml + file: warning_facts.yml when: - rhel9cis_3_4_2_2_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 767fb79..cf4b011 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -89,7 +89,7 @@ - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: "'static' not in rhel9cis_4_2_2_2_status.stdout" vars: warn_control_id: '4.2.2.2' diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 7631d8b..7da565e 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -40,7 +40,7 @@ - name: "4.3 | AUDIT | Ensure logrotate is configured | Warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '4.3' when: log_rotates.matched > 0 diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 1c96511..3d59a16 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -98,7 +98,7 @@ - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 25b6e45..c6a8375 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -178,7 +178,7 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.1.10' when: rhel_09_6_1_10_unowned_files_found @@ -225,7 +225,7 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.1.11' when: rhel_09_6_1_11_ungrouped_files_found @@ -282,7 +282,7 @@ - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.1.13' when: rhel9_6_1_13_suid_found @@ -325,7 +325,7 @@ - name: "6.1.14 | AUDIT | Audit SGID executables| warning" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.1.14' when: rhel9_6_1_14_sgid_found @@ -367,7 +367,7 @@ - name: "6.1.15 | AUDIT | Audit system file permissions | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.1.15' when: rhel9cis_6_1_15_packages_rpm.stdout|length > 0 diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 57deacd..2f3141b 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -16,7 +16,7 @@ - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.2.1' when: shadow_passwd.stdout | length >= 1 @@ -61,7 +61,7 @@ - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.2.3' when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 @@ -90,7 +90,7 @@ - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 vars: warn_control_id: '6.2.4' @@ -119,7 +119,7 @@ - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.2.5' when: rhel9cis_6_2_5_user_user_check.stdout_lines | length >= 1 @@ -149,7 +149,7 @@ - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.2.6' when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 @@ -179,7 +179,7 @@ - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count" ansible.builtin.import_tasks: - file: warning_facts.yaml + file: warning_facts.yml vars: warn_control_id: '6.2.7' when: rhel9cis_6_2_7_group_group_check.stdout is not defined From 11071a66ab242ee9ec317bd65791f23b3d04814f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:36:05 +0100 Subject: [PATCH 21/29] added pragma allowed Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +++--- tasks/main.yml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3b8cd4a..3fe96c1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -361,7 +361,7 @@ rhel9cis_allow_autofs: false # DO NOT USE PLAIN TEXT PASSWORDS!!!!! # The intent here is to use a password utility like Ansible Vault here rhel9cis_rh_sub_user: user -rhel9cis_rh_sub_password: password +rhel9cis_rh_sub_password: password # pragma: allowlist secret # 1.2.2 # Do you require rhnsd @@ -373,8 +373,8 @@ rhel9cis_rhel_default_repo: true rhel9cis_rule_enable_repogpg: true # 1.4.1 Bootloader password -rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' -rhel9cis_bootloader_password: random +rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' # pragma: allowlist secret +rhel9cis_bootloader_password: random # pragma: allowlist secret rhel9cis_set_boot_pass: true # 1.8 Gnome Desktop diff --git a/tasks/main.yml b/tasks/main.yml index e1cd780..60f4fbc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -35,7 +35,7 @@ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" vars: - sudo_password_rule: rhel9cis_rule_5_3_4 + sudo_password_rule: rhel9cis_rule_5_3_4 # pragma: allowlist secret when: - rhel9cis_rule_5_3_4 - ansible_env.SUDO_USER is defined @@ -107,7 +107,7 @@ - name: Check rhel9cis_bootloader_password_hash variable has been changed ansible.builtin.assert: - that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' + that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" when: - rhel9cis_set_boot_pass From 35dfa8770a3ca0b481055bd3fa64b243d5b5a346 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 15:45:49 +0100 Subject: [PATCH 22/29] updated Signed-off-by: Mark Bolwell --- Changelog.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Changelog.md b/Changelog.md index 7d2352f..2185343 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,6 +3,8 @@ ## 1.1.2 - Based on CIS v1.0.0 - updated audit binary versions - aligned with rhel9-cis-audit +- lint updates +- .secrets updated ## 1.1.1 - Based on CIS v1.0.0 From e82b2cefacb6e721565d497acb0b467a59fb115a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 16:25:59 +0100 Subject: [PATCH 23/29] quoted file mode Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 4 ++-- tasks/auditd.yml | 4 ++-- tasks/post.yml | 2 +- tasks/post_remediation_audit.yml | 2 +- tasks/pre_remediation_audit.yml | 2 +- tasks/prelim.yml | 2 +- tasks/section_1/cis_1.1.1.x.yml | 8 ++++---- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.1.x.yml | 4 ++-- tasks/section_1/cis_1.4.x.yml | 2 +- tasks/section_1/cis_1.7.x.yml | 12 ++++++------ tasks/section_1/cis_1.8.x.yml | 24 ++++++++++++------------ tasks/section_2/cis_2.1.x.yml | 4 ++-- tasks/section_3/cis_3.1.x.yml | 2 +- tasks/section_4/cis_4.1.4.x.yml | 6 +++--- tasks/section_4/cis_4.2.3.yml | 2 +- tasks/section_5/cis_5.1.x.yml | 16 ++++++++-------- tasks/section_5/cis_5.2.x.yml | 6 +++--- tasks/section_5/cis_5.6.x.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 20 ++++++++++---------- 20 files changed, 63 insertions(+), 63 deletions(-) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 29f8960..7a7fb0d 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -19,7 +19,7 @@ owner: root group: root checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" - mode: 0555 + mode: '0555' when: - get_audit_binary_method == 'download' @@ -27,7 +27,7 @@ ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" - mode: 0555 + mode: '0555' owner: root group: root when: diff --git a/tasks/auditd.yml b/tasks/auditd.yml index fb761b9..62f2794 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -11,7 +11,7 @@ dest: /etc/audit/rules.d/99_auditd.rules owner: root group: root - mode: 0640 + mode: '0640' diff: "{{ rhel9cis_auditd_file.stat.exists }}" # Only run diff if not a new file register: rhel9cis_auditd_template_updated notify: @@ -39,7 +39,7 @@ dest: /etc/audit/rules.d/98_auditd_exceptions.rules owner: root group: root - mode: 0640 + mode: '0640' diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}" notify: Restart auditd when: diff --git a/tasks/post.yml b/tasks/post.yml index 1888940..3f1f706 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -13,7 +13,7 @@ dest: "/etc/sysctl.d/{{ item }}" owner: root group: root - mode: 0600 + mode: '0600' register: sysctl_updated notify: Reload sysctl loop: diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index f0a7664..a5dc34b 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -11,7 +11,7 @@ - name: Post Audit | ensure audit files readable by users ansible.builtin.file: path: "{{ item }}" - mode: 0644 + mode: '0644' state: file loop: - "{{ post_audit_outfile }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 711f59b..35ada1f 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -69,7 +69,7 @@ ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" - mode: 0600 + mode: '0600' when: - run_audit tags: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index f26c794..a564a29 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -191,7 +191,7 @@ path: "{{ rhel9_cis_sshd_config_file }}" owner: root group: root - mode: 0600 + mode: '0600' state: touch when: - rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config' diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 7a88f6f..263fc50 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -8,7 +8,7 @@ regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: true - mode: 0600 + mode: '0600' - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -16,7 +16,7 @@ regexp: "^(#)?blacklist squashfs(\\s|$)" line: "blacklist squashfs" create: true - mode: 0600 + mode: '0600' - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" community.general.modprobe: @@ -41,7 +41,7 @@ regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" create: true - mode: 0600 + mode: '0600' - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled | blacklist" ansible.builtin.lineinfile: @@ -49,7 +49,7 @@ regexp: "^(#)?blacklist udf(\\s|$)" line: "blacklist udf" create: true - mode: 0600 + mode: '0600' - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" community.general.modprobe: diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index ab8c264..10d6d2d 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -63,7 +63,7 @@ dest: /etc/systemd/system/tmp.mount owner: root group: root - mode: 0644 + mode: '0644' notify: Systemd restart tmp.mount when: - rhel9cis_tmp_svc diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index bf76b5c..c6cde83 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -10,7 +10,7 @@ create: true owner: root group: root - mode: 0600 + mode: '0600' - name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config" community.general.modprobe: @@ -24,7 +24,7 @@ regexp: "^(#)?blacklist usb-storage(\\s|$)" line: "blacklist usb-storage" create: true - mode: 0600 + mode: '0600' when: - rhel9cis_rule_1_1_9 tags: diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index ec27fa6..dd8d83f 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -6,7 +6,7 @@ content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy owner: root group: root - mode: 0600 + mode: '0600' notify: Grub2cfg when: - rhel9cis_set_boot_pass diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 1c20dca..883b35b 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -6,7 +6,7 @@ dest: /etc/motd owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_1 tags: @@ -22,7 +22,7 @@ dest: /etc/issue owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_2 tags: @@ -37,7 +37,7 @@ dest: /etc/issue.net owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_3 tags: @@ -52,7 +52,7 @@ path: /etc/motd owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_4 tags: @@ -67,7 +67,7 @@ path: /etc/issue owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_5 tags: @@ -82,7 +82,7 @@ path: /etc/issue.net owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_1_7_6 tags: diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 4f6922f..20e56c4 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -25,7 +25,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf loop: - { regexp: 'user-db', line: 'user-db:user' } @@ -38,7 +38,7 @@ dest: /etc/dconf/db/gdm.d/01-banner-message owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf when: - rhel9cis_rule_1_8_2 @@ -59,7 +59,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf loop: - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } @@ -87,7 +87,7 @@ create: true owner: root group: root - mode: 0644 + mode: '0644' loop: - { regexp: '^user-db', line: 'user-db: user' } - { regexp: '^system-db', line: 'system-db: local' } @@ -97,7 +97,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" owner: root group: root - mode: 0755 + mode: '0755' state: directory - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make conf file" @@ -125,7 +125,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: 0755 + mode: '0755' state: directory - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file" @@ -134,7 +134,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf when: - rhel9cis_rule_1_8_5 @@ -171,7 +171,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: 0755 + mode: '0755' state: directory - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file" @@ -180,7 +180,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-automount_lock" owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf when: - rhel9cis_rule_1_8_7 @@ -199,7 +199,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" owner: root group: root - mode: 0755 + mode: '0755' state: directory - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file" @@ -227,7 +227,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: 0755 + mode: '0755' state: directory - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lockfile" @@ -236,7 +236,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock" owner: root group: root - mode: 0644 + mode: '0644' notify: Reload dconf when: - rhel9cis_rule_1_8_9 diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 43cc226..3312843 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -21,7 +21,7 @@ dest: /etc/chrony.conf owner: root group: root - mode: 0644 + mode: '0644' - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" ansible.builtin.lineinfile: @@ -29,7 +29,7 @@ regexp: "^(#)?OPTIONS" line: "OPTIONS=\"-u chrony\"" create: true - mode: 0644 + mode: '0644' when: - rhel9cis_rule_2_1_2 - not system_is_container diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index dad3fe9..2a13574 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -73,7 +73,7 @@ regexp: "^(#)?blacklist tipc(\\s|$)" line: "blacklist tipc" create: true - mode: 0600 + mode: '0600' when: - rhel9cis_rule_3_1_3 tags: diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index ec3eebd..60b4e9b 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -50,7 +50,7 @@ ansible.builtin.file: path: "{{ audit_discovered_logfile.stdout | dirname }}" state: directory - mode: 0750 + mode: '0750' when: not auditlog_dir.stat.mode is match('07(0|5)0') when: - rhel9cis_rule_4_1_4_4 @@ -64,7 +64,7 @@ - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" ansible.builtin.file: path: "{{ item.path }}" - mode: 0640 + mode: '0640' loop: "{{ auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" @@ -127,7 +127,7 @@ - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" ansible.builtin.file: path: "{{ item.item }}" - mode: 0750 + mode: '0750' loop: "{{ audit_bins.results }}" loop_control: diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index a391254..2f2a8a4 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -12,7 +12,7 @@ - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions" ansible.builtin.file: path: "{{ item.path }}" - mode: 0640 + mode: '0640' loop: "{{ logfiles.files }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index f897c6c..ce8bb58 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -18,7 +18,7 @@ path: /etc/crontab owner: root group: root - mode: 0600 + mode: '0600' when: - rhel9cis_rule_5_1_2 tags: @@ -34,7 +34,7 @@ state: directory owner: root group: root - mode: 0700 + mode: '0700' when: - rhel9cis_rule_5_1_3 tags: @@ -50,7 +50,7 @@ state: directory owner: root group: root - mode: 0700 + mode: '0700' when: - rhel9cis_rule_5_1_4 tags: @@ -66,7 +66,7 @@ state: directory owner: root group: root - mode: 0700 + mode: '0700' when: - rhel9cis_rule_5_1_5 tags: @@ -81,7 +81,7 @@ state: directory owner: root group: root - mode: 0700 + mode: '0700' when: - rhel9cis_rule_5_1_6 tags: @@ -96,7 +96,7 @@ state: directory owner: root group: root - mode: 0700 + mode: '0700' when: - rhel9cis_rule_5_1_7 tags: @@ -124,7 +124,7 @@ state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: 0600 + mode: '0600' when: - rhel9cis_rule_5_1_8 tags: @@ -152,7 +152,7 @@ state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: 0600 + mode: '0600' when: - rhel9cis_rule_5_1_9 tags: diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 9054afd..5451cff 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -5,7 +5,7 @@ path: "/etc/ssh/sshd_config" owner: root group: root - mode: 0600 + mode: '0600' when: - rhel9cis_rule_5_2_1 tags: @@ -31,7 +31,7 @@ path: "{{ item.path }}" owner: root group: root - mode: 0600 + mode: '0600' loop: "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}" loop_control: label: "{{ item.path }}" @@ -60,7 +60,7 @@ path: "{{ item.path }}" owner: root group: root - mode: 0644 + mode: '0644' loop: "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}" loop_control: label: "{{ item.path }}" diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 7379f3f..a529290 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -50,7 +50,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: 0644 + mode: '0644' block: | TMOUT={{ rhel9cis_shell_session_timeout.timeout }} export TMOUT diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index c6a8375..4cc5cbd 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -5,7 +5,7 @@ path: /etc/passwd owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_6_1_1 tags: @@ -20,7 +20,7 @@ path: /etc/passwd- owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_6_1_2 tags: @@ -32,10 +32,10 @@ - name: "6.1.3 | PATCH | Ensure permissions on /etc/group are configured" ansible.builtin.file: - path: /etc/group- + path: /etc/group owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_6_1_3 tags: @@ -50,7 +50,7 @@ path: /etc/group- owner: root group: root - mode: 0644 + mode: '0644' when: - rhel9cis_rule_6_1_4 tags: @@ -65,7 +65,7 @@ path: /etc/shadow owner: root group: root - mode: 0000 + mode: '0000' when: - rhel9cis_rule_6_1_5 tags: @@ -80,7 +80,7 @@ path: /etc/shadow- owner: root group: root - mode: 0000 + mode: '0000' when: - rhel9cis_rule_6_1_6 tags: @@ -95,7 +95,7 @@ path: /etc/gshadow owner: root group: root - mode: 0000 + mode: '0000' when: - rhel9cis_rule_6_1_7 tags: @@ -110,7 +110,7 @@ path: /etc/gshadow- owner: root group: root - mode: 0000 + mode: '0000' when: - rhel9cis_rule_6_1_8 tags: @@ -357,7 +357,7 @@ content: "{{ rhel9cis_6_1_15_packages_rpm.stdout }}" owner: root group: root - mode: 0640 + mode: '0640' - name: "6.1.15 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" ansible.builtin.debug: From 076c02ea92058309bcf91e76a27cd4263fde5cb3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 21 Sep 2023 16:26:28 +0100 Subject: [PATCH 24/29] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 2185343..77c96c0 100644 --- a/Changelog.md +++ b/Changelog.md @@ -5,6 +5,7 @@ - updated audit binary versions - aligned with rhel9-cis-audit - lint updates - .secrets updated +- file mode quoted ## 1.1.1 - Based on CIS v1.0.0 From 729fac35805154823053088317e4a7edbdd729e9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 22 Sep 2023 08:44:43 +0100 Subject: [PATCH 25/29] updated 5.6.5 Signed-off-by: Mark Bolwell --- Changelog.md | 1 + tasks/section_5/cis_5.6.x.yml | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Changelog.md b/Changelog.md index 77c96c0..3b4f9e9 100644 --- a/Changelog.md +++ b/Changelog.md @@ -6,6 +6,7 @@ - lint updates - .secrets updated - file mode quoted +- updated 5.6.5 thansk to feedback from S!ghs on discord community ## 1.1.1 - Based on CIS v1.0.0 diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index a529290..e5565b4 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -83,10 +83,10 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings" - ansible.builtin.lineinfile: + ansible.builtin.replace: path: "{{ item.path }}" - regexp: '(?i)(umask\s*)' - line: '{{ item.line }} 027' + regexp: (?i)(umask\s+\d\d\d) + replace: '{{ item.line }} 027' with_items: - { path: '/etc/bashrc', line: 'umask' } - { path: '/etc/profile', line: 'umask' } From c4714f58074a27f30bdc2e413db4018ffd9c53db Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 6 Oct 2023 22:02:41 +0100 Subject: [PATCH 26/29] updated collections Signed-off-by: Mark Bolwell --- collections/requirements.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/collections/requirements.yml b/collections/requirements.yml index 3f594d0..8ebc618 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,5 +1,14 @@ --- + collections: - name: community.general + source: https://github.com/ansible-collections/community.general + type: git + - name: community.crypto + source: https://github.com/ansible-collections/community.crypto + type: git + - name: ansible.posix + source: https://github.com/ansible-collections/ansible.posix + type: git From 646b4decc1750334624bb3053a950352cdf27019 Mon Sep 17 00:00:00 2001 From: Bernd Grobauer Date: Thu, 12 Oct 2023 12:56:20 +0200 Subject: [PATCH 27/29] Adding missing lines to sysctl.d/50-default.conf Signed-off-by: Bernd Grobauer --- tasks/post.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tasks/post.yml b/tasks/post.yml index 3f1f706..724611d 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -26,6 +26,19 @@ - not system_is_container - "'procps-ng' in ansible_facts.packages" +- name: POST | Update usr sysctl + ansible.builtin.lineinfile: + dest: /usr/lib/sysctl.d/50-default.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + loop: + - { regexp: '^net.ipv4.conf.default.rp_filter', line: 'net.ipv4.conf.default.rp_filter = 1' } + - { regexp: '^net.ipv4.conf.*.rp_filter', line: 'net.ipv4.conf.*.rp_filter = 1' } + when: + - rhel9cis_sysctl_update + - not system_is_container + - "'procps-ng' in ansible_facts.packages" + - name: Flush handlers ansible.builtin.meta: flush_handlers From 829766b949f3bb2ed5b1241ef92f372b9069b266 Mon Sep 17 00:00:00 2001 From: Nuno Carvalho Date: Mon, 16 Oct 2023 15:42:54 +0200 Subject: [PATCH 28/29] Update cis_5.6.x.yml --- tasks/section_5/cis_5.6.x.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 15f1a78..909d3af 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -98,12 +98,11 @@ regexp: '^USERGROUPS_ENAB' line: USERGROUPS_ENAB no - - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth" + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth" ansible.builtin.lineinfile: path: /etc/pam.d/system-auth line: 'session required pam_umask.so' insertafter: EOF - when: - rhel9cis_rule_5_6_5 tags: From 8319a028d8cf15e5ef4ccfe7d4e57d52448731c8 Mon Sep 17 00:00:00 2001 From: "root@DERVISHx" Date: Mon, 16 Oct 2023 14:51:34 +0100 Subject: [PATCH 29/29] Fix sintax Error on cis_5.2.x.yml Signed-off-by: root@DERVISHx --- tasks/section_5/cis_5.2.x.yml | 2 +- tasks/section_5/cis_5.6.x.yml | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 9054afd..a5d8291 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -361,7 +361,7 @@ - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" ansible.builtin.lineinfile: path: "{{ rhel9_cis_sshd_config_file }}" - regexp: '^ClientAliveCountMax' + regexp: '^ClientAliveCountMax|^#ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" validate: sshd -t -f %s when: diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 15f1a78..909d3af 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -98,12 +98,11 @@ regexp: '^USERGROUPS_ENAB' line: USERGROUPS_ENAB no - - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth" + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth" ansible.builtin.lineinfile: path: /etc/pam.d/system-auth line: 'session required pam_umask.so' insertafter: EOF - when: - rhel9cis_rule_5_6_5 tags: