From a53569a474995be8e7babcefcd8ab6cbb71c70d4 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Mon, 22 Jul 2024 12:43:35 +0100
Subject: [PATCH] section 2 v2.0.0 update
Signed-off-by: Mark Bolwell
---
 tasks/main.yml | 2 +
 tasks/section_2/cis_2.4.x.yml | 182 ++++++++++++++++++++++++++++++++++
 templates/etc/chrony.conf.j2 | 101 +++++-------------
 3 files changed, 207 insertions(+), 78 deletions(-)
 create mode 100644 tasks/section_2/cis_2.4.x.yml
diff --git a/tasks/main.yml b/tasks/main.yml
index b2c2695..e13477d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -117,6 +117,8 @@
 - rhel9cis_crypto_policy_module | length > 0
 tags:
 - rule_1.6.1
+ - crypto
+ - NIST800-53R5_SC-6
 ansible.builtin.assert:
 that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
 fail_msg: "Crypto policy module is not a permitted version"
diff --git a/tasks/section_2/cis_2.4.x.yml b/tasks/section_2/cis_2.4.x.yml
new file mode 100644
index 0000000..072fa0b
--- /dev/null
+++ b/tasks/section_2/cis_2.4.x.yml
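Review bot: The new `NIST800-53R5_SC-6` tag maps the crypto-policy assertion to SC-6, which in SP 800-53 Rev 5 is "Resource Availability"; enforcing a cryptographic policy corresponds to SC-13 (Cryptographic Protection), so confirm the mapping against the benchmark's control table and change the tag to `- NIST800-53R5_SC-13` if SC-6 was a slip. The task these tags belong to begins above line 117, outside the hunk, so its `name`/`when` are not visible here.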
@@ -0,0 +1,182 @@
+---
+
+- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled"
+ when:
+ - rhel9cis_rule_2_4_1_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - cron
+ - rule_2.4.1.1
+ - NIST800-53R5_CM-1
+ - NIST800-53R5_CM-2
+ - NIST800-53R5_CM-6
+ - NIST800-53R5_CM-7
+ - NIST800-53R5_IA-5
+ ansible.builtin.service:
+ name: crond
+ enabled: true
+
+- name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
+ when:
+ - rhel9cis_rule_2_4_1_2
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - cron
+ - rule_2.4.1.2
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ ansible.builtin.file:
+ path: /etc/crontab
+ owner: root
+ group: root
+ mode: og-rwx
+
+- name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
+ when:
+ - rhel9cis_rule_2_4_1_3
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - cron
+ - rule_2.4.1.3
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ ansible.builtin.file:
+ path: /etc/cron.hourly
+ state: directory
+ owner: root
+ group: root
+ mode: og-rwx
+
+- name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
+ when:
+ - rhel9cis_rule_2_4_1_4
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - cron
+ - rule_2.4.1.4
+ ansible.builtin.file:
+ path: /etc/cron.daily
+ state: directory
+ owner: root
+ group: root
+ mode: og-rwx
+
+- name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
+ when:
+ - rhel9cis_rule_2_4_1_5
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_2.4.1.5
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ ansible.builtin.file:
+ path: /etc/cron.weekly
+ state: directory
+ owner: root
+ group: root
+ mode: og-rwx
+
+- name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
+ when:
+ - rhel9cis_rule_2_4_1_6
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - rule_2.4.1.6
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ ansible.builtin.file:
+ path: /etc/cron.monthly
+ state: directory
+ owner: root
+ group: root
+ mode: og-rwx
+
+- name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
+ when:
+ - rhel9cis_rule_2_4_1_7
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - cron
+ - rule_2.4.1.7
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ ansible.builtin.file:
+ path: /etc/cron.d
+ state: directory
+ owner: root
+ group: root
+ mode: '0700'
+
+- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users"
+ when:
+ - rhel9cis_rule_2_4_1_8
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - cron
+ - rule_2.4.1.8
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ block:
+ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Remove cron.deny"
+ ansible.builtin.file:
+ path: /etc/cron.deny
+ state: absent
+
+ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Check if cron.allow exists"
+ ansible.builtin.stat:
+ path: "/etc/cron.allow"
+ register: rhel9cis_2_4_1_8_cron_allow_state
+
+ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
+ ansible.builtin.file:
+ path: /etc/cron.allow
+ state: '{{ "file" if rhel9cis_2_4_1_8_cron_allow_state.stat.exists else "touch" }}'
+ owner: root
+ group: root
+ mode: u-x,g-wx,o-rwx
+
+- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users"
+ when:
+ - rhel9cis_rule_2_4_2_1
+ tags:
+ - level1-server
+ - level1-workstation
+ - patch
+ - cron
+ - rule_2.4.2.1
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
+ block:
+ - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Remove at.deny"
+ ansible.builtin.file:
+ path: /etc/at.deny
+ state: absent
+
+ - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists"
+ ansible.builtin.stat:
+ path: "/etc/at.allow"
+ register: rhel9cis_rule_2_4_2_1_at_allow_state
+
+ - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users"
+ ansible.builtin.file:
+ path: /etc/at.allow
+ state: '{{ "file" if rhel9cis_rule_2_4_2_1_at_allow_state.stat.exists else "touch" }}'
+ owner: root
+ group: root
+ mode: u-x,g-wx,o-rwx
diff --git a/templates/etc/chrony.conf.j2 b/templates/etc/chrony.conf.j2
index a1837a9..cc5cd84
--- a/templates/etc/chrony.conf.j2
+++ b/templates/etc/chrony.conf.j2
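Review bot: Tasks 2.4.1.5 and 2.4.1.6 carry no `cron` tag while every sibling in this file does, so a run limited with `--tags cron` silently skips the permission fixes for /etc/cron.weekly and /etc/cron.monthly; add `- cron` under their `tags:`, and give 2.4.1.4 the `NIST800-53R5_AC-3`/`NIST800-53R5_MP-2` tags the other permission tasks have. 2.4.1.1 only sets `enabled: true`, which leaves an installed-but-stopped crond untouched until the next boot; if the benchmark item is meant as "enabled and active" (the v2.0.0 wording suggests so — confirm), add `state: started` to the `ansible.builtin.service` call. In 2.4.1.8 and 2.4.2.1 the deny file is deleted before the allow file is created or secured; doing the allow-file tasks first avoids passing through the "neither file exists" state, whose meaning crontab(1) and at(1) describe as site-dependent. /etc/cron.d uses `mode: '0700'` while the other directories use `og-rwx`; both clear group/other, but the absolute form also forces the owner bits, so pick one form for the whole section.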
@@ -1,97 +1,42 @@ -## {{ ansible_managed }} - -# This the default chrony.conf file for the Debian chrony package. After -# editing this file use the command 'invoke-rc.d chrony restart' to make -# your changes take effect. John Hasler 1998-2008 - -# See www.pool.ntp.org for an explanation of these servers. Please -# consider joining the project if possible. If you can't or don't want to -# use these servers I suggest that you try your ISP's nameservers. We mark -# the servers 'offline' so that chronyd won't try to connect when the link -# is down. Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc -# commands to switch it on when a dialup link comes up and off when it goes -# down. Code in /etc/init.d/chrony attempts to determine whether or not -# the link is up at boot time and set the online status accordingly. If -# you have an always-on connection such as cable omit the 'offline' -# directive and chronyd will default to online. -# -# Note that if Chrony tries to go "online" and dns lookup of the servers -# fails they will be discarded. Thus under some circumstances it is -# better to use IP numbers than host names. +{{ ansible_managed | comment }} +# Use public servers from the pool.ntp.org project. +# Please consider joining the pool (http://www.pool.ntp.org/join.html). {% for server in rhel9cis_time_synchronization_servers -%} server {{ server }} {{ rhel9cis_chrony_server_options }} {% endfor %} -# Look here for the admin password needed for chronyc. The initial -# password is generated by a random process at install time. You may -# change it if you wish. - -keyfile /etc/chrony.keys - # Record the rate at which the system clock gains/losses time. driftfile /var/lib/chrony/drift # Allow the system clock to be stepped in the first three updates # if its offset is larger than 1 second. -makestep {{ rhel9cis_chrony_server_makestep }} +makestep 1.0 3 # Enable kernel synchronization of the real-time clock (RTC). 
-{% if not rhel9cis_chrony_server_rtcsync %}#{% endif %}rtcsync +rtcsync + +# Enable hardware timestamping on all interfaces that support it. +#hwtimestamp * # Increase the minimum number of selectable sources required to adjust # the system clock. -minsources {{ rhel9cis_chrony_server_minsources }} +#minsources 2 -# Comment this line out to turn off logging. +# Allow NTP client access from local network. +#allow 192.168.0.0/16 -log tracking measurements statistics +# Serve time even if not synchronized to a time source. +#local stratum 10 + +# Specify file containing keys for NTP authentication. +keyfile /etc/chrony.keys + +# Get TAI-UTC offset and leap seconds from the system tz database. +leapsectz right/UTC + +# Specify directory for log files. logdir /var/log/chrony -# Stop bad estimates upsetting machine clock. - -maxupdateskew 100.0 - -# Dump measurements when daemon exits. - -dumponexit - -# Specify directory for dumping measurements. - -dumpdir /var/lib/chrony - -# Let computer be a server when it is unsynchronised. - -local stratum 10 - -# Allow computers on the unrouted nets to use the server. - -#allow 10/8 -#allow 192.168/16 -#allow 172.16/12 - -# This directive forces `chronyd' to send a message to syslog if it -# makes a system clock adjustment larger than a threshold value in seconds. - -logchange 0.5 - -# This directive defines an email address to which mail should be sent -# if chronyd applies a correction exceeding a particular threshold to the -# system clock. - -# mailonchange root@localhost 0.5 - -# This directive tells chrony to regulate the real-time clock and tells it -# Where to store related data. It may not work on some newer motherboards -# that use the HPET real-time clock. It requires enhanced real-time -# support in the kernel. I've commented it out because with certain -# combinations of motherboard and kernel it is reported to cause lockups. 
- -# rtcfile /var/lib/chrony/chrony.rtc - -# If the last line of this file reads 'rtconutc' chrony will assume that -# the CMOS clock is on UTC (GMT). If it reads '# rtconutc' or is absent -# chrony will assume local time. The line (if any) was written by the -# chrony postinst based on what it found in /etc/default/rcS. You may -# change it if necessary. -rtconutc +# Select which information is logged. +#log measurements statistics tracking
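Review bot: The `makestep 1.0 3`, `rtcsync` and `#minsources 2` lines hard-code what the template previously rendered from `rhel9cis_chrony_server_makestep`, `rhel9cis_chrony_server_rtcsync` and `rhel9cis_chrony_server_minsources`, so any of those variables still declared in the role's defaults or set by users (not visible in this diff) now silently have no effect. Keeping them templated with a fallback preserves the old interface, e.g. `makestep {{ rhel9cis_chrony_server_makestep | default('1.0 3') }}` and `{% if not rhel9cis_chrony_server_rtcsync | default(true) %}#{% endif %}rtcsync`. Logging is also switched off by the commented `#log measurements statistics tracking` where the old file had `log tracking measurements statistics`; if clock-step events are wanted as a forensic signal, keep at least `log tracking` enabled. `keyfile /etc/chrony.keys` alone does not authenticate the upstream sources: unless `rhel9cis_chrony_server_options` carries a `key` or `nts` option, the `server` lines accept unauthenticated time, which deserves a one-line comment above the `{% for server ... %}` loop.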