diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 86c1cac..9190421 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -4,7 +4,7 @@ tags: always block: - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - ansible.builtin.command: cat /etc/passwd + ansible.builtin.shell: cat /etc/passwd | grep -v '^#' changed_when: false check_mode: false register: prelim_passwd_file_audit diff --git a/tasks/prelim.yml b/tasks/prelim.yml index dbd1493..c1edb39 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -23,22 +23,23 @@ - name: "PRELIM | AUDIT | Interactive Users" tags: always ansible.builtin.shell: > - grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1":"$3":"$6 }' changed_when: false - register: prelim_interactive_usernames + check_mode: false + register: prelim_interactive_users_raw -- name: "PRELIM | AUDIT | Interactive User accounts home directories" +- name: "PRELIM | AUDIT | Interactive Users (reformat)" tags: always - ansible.builtin.shell: > - grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }' - changed_when: false - register: prelim_interactive_users_home + ansible.builtin.set_fact: + prelim_interactive_usernames: "{{ prelim_interactive_users | default([]) + [dict([('username', item.split(':')[0]), ('uid', item.split(':')[1]), ('home', item.split(':')[2])])] }}" + loop: "{{ prelim_interactive_users_raw.stdout_lines }}" - name: "PRELIM | AUDIT | Interactive UIDs" tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' changed_when: false + check_mode: false register: prelim_interactive_uids - name: "PRELIM | AUDIT | Capture /etc/password variables" @@ -64,6 +65,7 @@ ansible.builtin.shell: | mount | awk '{print $1, $3, $5, $6}' changed_when: false + check_mode: false register: prelim_mount_output - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact # This is inherited and used in mountpoints tasks @@ -100,6 +102,7 @@ ansible.builtin.command: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' # noqa command-instead-of-module changed_when: false failed_when: false + check_mode: false register: prelim_check_gpg_imported - name: "PRELIM | AUDIT | Import gpg keys | Check Package" # noqa command-instead-of-module @@ -200,7 +203,7 @@ tags: - always block: - - name: "PRELIM | AUDIT | Discover is wirelss adapter on system" + - name: "PRELIM | AUDIT | Discover is wireless adapter on system" ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless register: discover_wireless_adapters changed_when: false @@ -328,12 +331,14 @@ ansible.builtin.command: awk '/^UID_MIN/ {print $2}' /etc/login.defs changed_when: false failed_when: false + check_mode: false register: prelim_uid_min_id - name: "PRELIM | AUDIT | Capture UID_MAX from /etc/login.defs" ansible.builtin.command: awk '/^UID_MAX/ {print $2}' /etc/login.defs changed_when: false failed_when: false + check_mode: false register: prelim_uid_max_id - name: "PRELIM | AUDIT | Set facts for interactive UID/GID ranges" diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 6a492e5..1962101 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -29,7 +29,7 @@ - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" when: - discovered_max_days.stdout_lines | length > 0 - - item in prelim_interactive_usernames.stdout + - item in prelim_interactive_usernames | map(attribute='username') | list - rhel9cis_force_user_maxdays ansible.builtin.user: name: "{{ item }}" @@ -60,7 +60,7 @@ - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured | Set existing users PASS_MIN_DAYS" when: - discovered_min_days.stdout_lines | length > 0 - - item in prelim_interactive_usernames.stdout + - item in prelim_interactive_usernames | map(attribute='username') | list - rhel9cis_force_user_mindays ansible.builtin.user: name: "{{ item }}" @@ -91,7 +91,7 @@ - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured | Set existing users WARN_DAYS" when: - discovered_warn_days.stdout_lines | length > 0 - - item in prelim_interactive_usernames.stdout + - item in prelim_interactive_usernames | map(attribute='username') | list - rhel9cis_force_user_warnage ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}" changed_when: true @@ -140,7 +140,7 @@ register: discovered_passwdlck_user_list - name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - when: item in prelim_interactive_usernames.stdout + when: item in prelim_interactive_usernames | map(attribute='username') | list ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" changed_when: true loop: "{{ discovered_passwdlck_user_list.stdout_lines }}" diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index 12390b3..a8eb4d0 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -195,7 +195,7 @@ - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" when: - rhel9cis_rule_5_4_2_7 - - "item.id not in prelim_interactive_usernames.stdout" + - "item.id not in prelim_interactive_usernames | map(attribute='username')" - item.id not in rhel9cis_system_users_shell - "'root' not in item.id" - rhel9cis_disruption_high @@ -220,7 +220,7 @@ when: - rhel9cis_rule_5_4_2_8 - rhel9cis_disruption_high - - "item.id not in prelim_interactive_usernames.stdout" + - "item.id not in prelim_interactive_usernames | map(attribute='username')" - "'root' not in item.id" tags: - level1-server diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index c000fe1..1db531b 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -58,6 +58,10 @@ dest: /var/lib/aide/aide.db.gz remote_src: true mode: 'ug-wx,o-rwx' + register: aide_db_cp + failed_when: + - not ansible_check_mode + - aide_db_cp.failed - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked" when: @@ -119,4 +123,7 @@ /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 - validate: aide -D --config %s + register: aide_file_integrity_check + failed_when: + - not ansible_check_mode + - aide_file_integrity_check.failed diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index dda7ee5..dbff078 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -20,7 +20,9 @@ file: cis_6.2.2.x.yml - name: "SECTION | 6.2.3 | Configure rsyslog" - when: rhel9cis_syslog == 'rsyslog' + when: + - rhel9cis_syslog == 'rsyslog' + - rhel9cis_rsyslog_ansiblemanaged ansible.builtin.import_tasks: file: cis_6.2.3.x.yml diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index cc1825c..8706877 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -256,7 +256,7 @@ etype: group permissions: rx state: present - loop: "{{ prelim_interactive_users_home.stdout_lines }}" + loop: "{{ prelim_interactive_users | map(attribute='home') | list }}" - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Set other ACL" when: not system_is_container @@ -266,7 +266,7 @@ etype: other permissions: 0 state: present - loop: "{{ prelim_interactive_users_home.stdout_lines }}" + loop: "{{ prelim_interactive_users | map(attribute='home') | list }}" - name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured" when: @@ -315,6 +315,6 @@ ansible.builtin.file: path: '{{ item }}' mode: 'go-w' - owner: "{{ rhel9cis_passwd | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}" - group: "{{ rhel9cis_passwd | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}" + owner: "{{ rhel9cis_passwd | selectattr('dir', 'in', prelim_interactive_users_raw.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}" + group: "{{ rhel9cis_passwd | selectattr('dir', 'in', prelim_interactive_users_raw.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}" with_items: "{{ discovered_homedir_hidden_files.stdout_lines }}" diff --git a/vars/main.yml b/vars/main.yml index cdca90d..5eed07c 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -22,6 +22,9 @@ rhel9cis_allowed_crypto_policies_modules: warn_control_list: "" warn_count: 0 +# list of dicts of interactive users, filled in during prelim.yml +prelim_interactive_users: [] + # Default empty values for 1.4.2 efi_mount_opts_addition: ''