ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2026-03-25 22:37:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #41 from ansible-lockdown/benchmark_v2.0.0

Browse source 
Apply updates to the latest branch
This commit is contained in:
Fred W. 2025-08-21 16:34:38 -04:00 committed by GitHub
commit a1d88edde0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
16 changed files with 68 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.pre-commit-config.yaml
View file

@ -7,7 +7,7 @@ ci:
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0
rev: v6.0.0
hooks:
# Safety
- id: detect-aws-credentials

24
Changelog.md
View file

@ -1,5 +1,29 @@
# Changes to rhel9CIS
## 2.0.3 - Based on CIS v2.0.0
- Thanks to @numericillustration
- Public PR 380
- systemd_service rolled back to systemd for < ansible 2.14
- Thanks to @bgro and @Kodebach
- Public PR 371
- updated to user sudo check 5.2.4
- Thanks to @DianaMariaDDM
- Public PR 367
- updated several typos
- Thanks to @polski-g
- Public PR 364
- gdm section 1.8 improvements
- Thanks to @chrispipo
- Public PR 350
- change insert before for rsyslog setting
- Thanks to @thesmilinglord
- public issue 377
- change 1.3 from include task to import for tagging
- Thanks to @Fredouye
- public issue 372
- allow password with different locale
## 2.0.2 - Based on CIS v2.0.0
- Update to audit_only to allow fetching results

2
defaults/main.yml
View file

@ -592,6 +592,8 @@ rhel9cis_warning_banner: Authorized users only. All activity may be monitored an
# End Banner
## Control 1.8.x - Settings for GDM
# do not run Control 1.8.x if using a display manager different than gdm
rhel9cis_display_manager: "gdm"
## 1.8 GDM graphical interface
rhel9cis_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}"
# This variable specifies the GNOME configuration database file to which configurations are written.

2
handlers/main.yml
View file

@ -263,7 +263,7 @@
listen: Restart auditd
- name: Start auditd process
ansible.builtin.systemd_service:
ansible.builtin.systemd:
name: auditd
state: started
listen: Restart auditd

2
tasks/auditd.yml
View file

@ -25,7 +25,7 @@
dest: /etc/audit/rules.d/99_auditd.rules
owner: root
group: root
mode: 'u-x,go-wx'
mode: 'u-x,g-wx,o-rwx'
diff: "{{ discovered_auditd_rules_file.stat.exists }}" # Only run diff if not a new file
register: discovered_auditd_rules_template_updated
notify:

15
tasks/main.yml
View file

@ -91,11 +91,14 @@
block:
- name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template]
ansible.builtin.assert:
that:
- prelim_ansible_user_password_set.stdout | length != 0
- prelim_ansible_user_password_set.stdout != "!!"
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
that: |
(
((prelim_ansible_user_password_set.stdout | length != 0) and (prelim_ansible_user_password_set.stdout != "!!" ))
or
(ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
)
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access"
success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"
- name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template]
ansible.builtin.assert:
@ -129,7 +132,7 @@
- rule_5.4.2.4
block:
- name: "Ensure root password is set"
ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
changed_when: false
failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
register: prelim_root_passwd_set

11
tasks/post_remediation_audit.yml
View file

@ -1,22 +1,13 @@
---
- name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template]
ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length]
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
AUDIT_FILE: goss.yml
- name: Post Audit | ensure audit files readable by users
ansible.builtin.file:
path: "{{ item }}"
mode: '0644'
state: file
loop:
- "{{ post_audit_outfile }}"
- "{{ pre_audit_outfile }}"
- name: Post Audit | Capture audit data if json format
when: audit_format == "json"
block:

4
tasks/pre_remediation_audit.yml
View file

@ -47,7 +47,7 @@
remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}"
extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}"
- name: Pre Audit Setup | Check goss is available
- name: Pre Audit Setup | Check Goss is available
when: run_audit
block:
- name: Pre Audit Setup | Check for goss file
@ -71,7 +71,7 @@
mode: 'go-rwx'
- name: Pre Audit | Run pre_remediation audit {{ benchmark }} # noqa name[template]
ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length]
ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length]
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"

2
tasks/section_1/cis_1.1.2.6.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "1/.1 | PATCH | Ensure /var/log is a separate partition"
- name: "1.1.2.6.1 | PATCH | Ensure /var/log is a separate partition"
when:
- rhel9cis_rule_1_1_2_6_1
- required_mount not in prelim_mount_names

2
tasks/section_1/cis_1.1.2.7.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "1/.1 | PATCH | Ensure /var/log/audit is a separate partition"
- name: "1.1.2.7.1 | PATCH | Ensure /var/log/audit is a separate partition"
when:
- rhel9cis_rule_1_1_2_7_1
- required_mount not in prelim_mount_names

3
tasks/section_1/main.yml
View file

@ -41,7 +41,7 @@
file: cis_1.2.2.x.yml
- name: "SECTION | 1.3.1 | Configure SELinux"
ansible.builtin.include_tasks:
ansible.builtin.import_tasks:
file: cis_1.3.1.x.yml
- name: "SECTION | 1.4 | Configure Bootloader"
@ -61,5 +61,6 @@
file: cis_1.7.x.yml
- name: "SECTION | 1.8 | Gnome Display Manager"
when: rhel9cis_display_manager == 'gdm'
ansible.builtin.import_tasks:
file: cis_1.8.x.yml

4
tasks/section_3/cis_3.3.x.yml
View file

@ -240,12 +240,12 @@
- rule_3.3.9
- NIST800-53R5_AU-3
block:
- name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact"
- name: "3.3.9 | PATCH | Ensure suspicious packets are logged | Set Fact"
ansible.builtin.set_fact:
rhel9cis_sysctl_update: true
rhel9cis_flush_ipv4_route: true
- name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
- name: "3.3.9 | PATCH | Ensure suspicious packets are logged"
ansible.builtin.debug:
msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"

18
tasks/section_5/cis_5.4.2.x.yml
View file

@ -61,7 +61,7 @@
- level1-server
- level1-workstation
- patch
- rule_5.4.2.2
- rule_5.4.2.3
- user
- system
- NIST800-53R5_CM-1
@ -135,6 +135,22 @@
ansible.builtin.set_fact:
root_paths: "{{ discovered_root_paths.stdout }}"
- name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for presence of non-dirs"
ansible.builtin.stat:
path: "{{ item }}"
loop: "{{ discovered_root_paths_split.stdout_lines }}"
register: paths_stat
- name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Create dirs for some paths that are not dirs"
ansible.builtin.file:
path: "{{ item.item }}"
state: directory
owner: root
group: root
mode: 'go-w'
loop: "{{ paths_stat.results }}"
when: not item.stat.exists
- name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs"
when: discovered_root_paths is defined
ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"'

4
tasks/section_6/cis_6.1.x.yml
View file

@ -91,13 +91,13 @@
- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
when: rhel9cis_aide_scan == "timer"
ansible.builtin.systemd_service:
ansible.builtin.systemd:
name: aidecheck.service
enabled: true
- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
when: rhel9cis_aide_scan == "timer"
ansible.builtin.systemd_service:
ansible.builtin.systemd:
name: aidecheck.timer
state: started
enabled: true

2
tasks/section_6/cis_6.2.3.x.yml
View file

@ -131,7 +131,7 @@
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
*.*;mail.none;news.none /var/log/messages
insertafter: '#### RULES ####'
insertbefore: '# ### sample forwarding rule ###'
notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings"

2
tasks/section_6/cis_6.3.4.x.yml
View file

@ -27,9 +27,9 @@
- level2-workstation
- patch
- auditd
- rule_6.3.4.1
- rule_6.3.4.2
- rule_6.3.4.3
- rule_6.3.4.4
- NIST800-53R5_AU-3
ansible.builtin.file:
path: "{{ prelim_auditd_logfile.stdout }}"