From 7c09b264a15032d705586cd43bc7f404ecad618d Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 16 May 2023 08:52:18 +0100
Subject: [PATCH 1/5] fixed layout
Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.4.x.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml
index cb37024..52c1f70 100644
--- a/tasks/section_5/cis_5.4.x.yml
+++ b/tasks/section_5/cis_5.4.x.yml
@@ -54,9 +54,9 @@
 line: "{{ item.line }}"
 insertbefore: "{{ item.before }}"
 loop:
- - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
- - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'}
- - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so', 'before':'^account required pam_unix.so'}
+ - { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
+ - { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'}
+ - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so', 'before':'^account required pam_unix.so'}
 when:
 - rhel9cis_add_faillock_without_authselect
 - rhel9cis_5_4_2_risks == 'ACCEPT'
From 195e42e3eae5acb12370d5c0b13cfe57837beee4 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 16 May 2023 08:52:45 +0100
Subject: [PATCH 2/5] removed line and updated requirement #53
Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.5.x.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml
index b8749b3..566823a 100644
--- a/tasks/section_5/cis_5.5.x.yml
+++ b/tasks/section_5/cis_5.5.x.yml
@@ -82,14 +82,14 @@
 - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
 ansible.builtin.lineinfile:
 path: /etc/pam.d/system-auth
- line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
+ line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
 insertafter: '^password\s*requisite\s*pam_pwquality.so'
 - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix"
 ansible.builtin.replace:
 path: /etc/pam.d/system-auth
- regexp: '^password\s*(sufficient|requisite|sufficient)\s*pam_unix.so.*$'
- replace: 'password requisite pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
+ regexp: '^password\s*sufficient\s*pam_unix.so.*$'
+ replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
 when:
 - rhel9cis_rule_5_5_3
 tags:
From 2da0d870c890bf4d1d4386bc3e43e8ea0310c432 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 16 May 2023 11:56:07 +0100
Subject: [PATCH 3/5] #57 great catch
Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.6.x.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml
index 56b3d5f..3e49a46 100644
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@@ -13,7 +13,7 @@
 - item.id != "shutdown"
 - item.id != "halt"
 - item.id != "nfsnobody"
- - item.gid < min_int_uid | int
+ - item.uid < min_int_uid | int
 - item.shell != " /bin/false"
 - item.shell != " /usr/sbin/nologin"
 loop_control:
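Review bot: The new `regexp` on the pam_unix task only matches `password sufficient pam_unix.so`, so a host that was already converged by the previous version of this role — which rewrote that line as `password requisite pam_unix.so ...` — no longer matches, the replace silently does nothing, and `remember=` is never enforced there. Keep the alternation on the match side while writing `sufficient` on the replace side, and require real whitespace instead of `\s*`: `regexp: '^password\s+(sufficient|requisite)\s+pam_unix\.so.*$'`. The `.*$` tail also discards whatever options the existing line carried, and since RHEL 9 authselect profiles ship pam_unix with yescrypt, hard-coding `sha512` in the replacement may change the hashing algorithm as a side effect — worth confirming that is intended rather than incidental. The task's `when:`/`tags:` lists continue past the end of the hunk.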
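Review bot: Both `item.shell` comparisons in this hunk (and the identical pair in the `@@ -30,7 +30,7 @@` hunk) test against `" /bin/false"` and `" /usr/sbin/nologin"` with a leading space inside the quotes, so they only exclude an account if the loop item's shell field itself carries that space; if the items come from a plain `:`-split of passwd data the exclusions never fire and the task runs for the system accounts it was meant to skip. Unless the loop deliberately produces a padded field — it is built outside this hunk, so I cannot confirm — drop the space: `- item.shell != "/bin/false"` and `- item.shell != "/usr/sbin/nologin"`. The corrected `item.uid < min_int_uid | int` also presumes `item.uid` is already numeric; if it is parsed from text, `item.uid | int < min_int_uid | int` avoids a string-versus-int comparison failing the task. The enclosing loop and `loop_control:` block extend beyond the hunk.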
@@ -30,7 +30,7 @@
 - item.id != "sync"
 - item.id != "root"
 - item.id != "nfsnobody"
- - item.gid < min_int_uid | int
+ - item.uid < min_int_uid | int
 - item.shell != " /bin/false"
 - item.shell != " /usr/sbin/nologin"
 loop_control:
From c7d72b564b9280126f0e92b5af1ec12048d8bf61 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 17 May 2023 15:42:30 +0100
Subject: [PATCH 4/5] 4.1.3.6 command improvement
Signed-off-by: Mark Bolwell
---
 tasks/section_4/cis_4.1.3.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml
index 922ea61..ec925bb 100644
--- a/tasks/section_4/cis_4.1.3.x.yml
+++ b/tasks/section_4/cis_4.1.3.x.yml
@@ -69,7 +69,7 @@
 - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
 block:
 - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
- ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
+ ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
 changed_when: false
 failed_when: false
 check_mode: false
From 3ee1923f382390bfbe7d5095be0b74e3e6e9e322 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 17 May 2023 15:42:43 +0100
Subject: [PATCH 5/5] updated
Signed-off-by: Mark Bolwell
---
 Changelog.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 5f990a3..ef5157b 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -2,8 +2,9 @@
 ## 1.0.7
-lint and yamll updates
-improvemnst to 6.1.10, 6.1.11, 6.1.13, 6.1.14
+lint and yaml updates
+improvements to 6.1.10, 6.1.11, 6.1.13, 6.1.14
+4.1.3.6 updated on process discovery
 ## 1.0.6
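Review bot: `$i` is expanded unquoted in the new `find` loop, and `awk '{ print $NF }'` keeps only the last whitespace-separated token of each `df` row, so a mount point whose path contains a space is searched at the wrong location and its setuid/setgid binaries are silently left out of the audit rules — and with `failed_when: false` on the task, nothing surfaces that. Quoting the variable is the cheap part: `do find "$i" -xdev -type f -perm /6000 2>/dev/null; done`; tolerating spaces inside the mount point itself needs a `df` invocation that does not rely on field splitting. The switch to `-perm /6000` is sound — it matches a file with either bit set, which is what the old `-o` form was trying to express. The `block:` this task belongs to continues outside the hunk.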