diff --git a/.ansible-lint b/.ansible-lint
index 3b7c373..8d34382 100644
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,9 +1,9 @@
 ---
-parseable: true
 quiet: true
 skip_list:
 - 'package-latest'
 - 'risky-shell-pipe'
+ - 'var-naming[read-only]'
 use_default_rules: true
 verbosity: 0
diff --git a/.github/workflows/export_badges_private.yml b/.github/workflows/export_badges_private.yml
index d316cbf..761c42e 100644
--- a/.github/workflows/export_badges_private.yml
+++ b/.github/workflows/export_badges_private.yml
@@ -12,8 +12,6 @@ on:
 push:
 branches:
 - latest
- schedule:
- - cron: '0 */6 * * *'
 workflow_dispatch:
 jobs:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2ff7b79..6abad7b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -39,11 +39,13 @@ repos:
 rev: v1.5.0
 hooks:
 - id: detect-secrets
+ name: Detect Secrets test
 - repo: https://github.com/gitleaks/gitleaks
 rev: v8.30.0
 hooks:
 - id: gitleaks
+ name: Run Gitleaks test
 - repo: https://github.com/ansible-community/ansible-lint
 rev: v26.1.1
diff --git a/.yamllint b/.yamllint
index fa7b697..af0d9ab 100644
--- a/.yamllint
+++ b/.yamllint
@@ -1,4 +1,5 @@
 ---
+
 extends: default
 ignore: |
 tests/
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index 13e0b49..d7cdcbf 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@@ -7,7 +7,7 @@ Rules
 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section)
 3) All work is done in your own branch
 4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
-5) Be open and nice to eachother
+5) Be open and nice to each other
 Workflow
 --------
diff --git a/Changelog.md b/Changelog.md
index 70c3d00..035d685 100644
--- a/Changelog.md
+++ b/Changelog.md
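Review bot: Adding `'var-naming[read-only]'` to the global `skip_list` silences that rule for the whole role, although the Changelog in this same commit says it was needed for the molecule files only (the `role_name:` var set in molecule/wsl/converge.yml is probably the trigger). A scoped suppression keeps the rule active for the role's own vars: leave the skip out and put `# noqa: var-naming[read-only]` on the offending molecule line instead. Dropping `parseable: true` only changes output format and is fine.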
@@ -1,4 +1,81 @@ -# Changes to rhel9CIS +# Changes to RHEL9CIS + +## 2.0.5 - Based on CIS v2.0.0 + +- QA Fixes +- .j2 Branding Update +- Added rhel9cis_uses_root variable definition for 5.4.2.5 root PATH integrity task +- fixed spelling and grammar across defaults/main.yml, Changelog.md, README.md, tasks/main.yml, and vars/main.yml +- Fixed incorrect product reference in vars/main.yml comment (ubtu24cis -> rhel9cis) +- Fixed broken Changelog link in README.md (case mismatch) +- Added var-naming[read-only] to ansible-lint skip list for molecule files +- Bootloader password logic updated with salt and hash options +- Added passlib dependency documentation for bootloader password hash +- Updated company title +- Tidied up comments and variables for bootloader password +- Removed scheduled tasks +- Fixed typo thanks to Eugene @Frequentis +- Unused variable audit: wired up all unused variables, removed legacy references +- Updated chrony template to use rhel9cis_chrony_server_makestep, rtcsync, and minsources variables instead of hardcoded values +- Wired up rhel9cis_authselect_custom_profile_create toggle in authselect profile creation task +- Fixed task 5.3.3.2.7/5.3.3.2.8 mislabeling: separated password quality enforce and root enforce into correct tasks +- Wired up audit_capture_files_dir in audit_only workflow for file capture to control node +- Clarified rhel9cis_root_unlock_time documentation for commented-out alternative usage +- Removed legacy rhel9cis_rule_1_1_10 from molecule converge files and is_container.yml +- Fixed wrong variable name rhel9cis_unowned_group to rhel9cis_ungrouped_group in tasks/section_7/cis_7.1.x.yml +- Added rhel9cis_install_network_manager toggle to 3.1.2 wireless interfaces task + +## 2.0.4 - Based on CIS v2.0.0 + +addressed issue #419, thank you @aaronk1 +addressed issue #418 thank you @bbaassssiiee +Added better sysctl logic to disable IPv6 +Added option to disable IPv6 via sysctl (original method) or via the kernel +pre-commit 
updates +public issue #410 thanks to @kpi-nourman +public issue #413 thanks to @bbaassssiiee +Public issues incorporated +Workflow updates +Pre-commit updates +README latest versions +Audit improvements and max-concurrent option added +Benchmark version variable in audit template +fixed typo thanks to @fragglexarmy #393 +fixed typo thanks to @trumbaut #397 & #399 +updated auditd template to be 2.19 compliant +PR345 thanks to thulium-drake boot password hash - if used needs passlib module +tidy up tags on tasks/main.yml + +## 2.0.3 - Based on CIS v2.0.0 + +- Thank you @fragglexarmy + - addressed Public issue 387 +- Addressed Public issue 382 to improve regex logic on 5.4.2.4 +- Improvement on crypto policy managed controls with var logic +- Thanks to @polski-g + - addressed issue 384 +- update command to shell module on tasks +- Thanks to @numericillustration + - Public PR 380 + - systemd_service rolled back to systemd for < ansible 2.14 +- Thanks to @bgro and @Kodebach + - Public PR 371 + - updated to user sudo check 5.2.4 +- Thanks to @DianaMariaDDM + - Public PR 367 + - updated several typos +- Thanks to @polski-g + - Public PR 364 + - gdm section 1.8 improvements +- Thanks to @chrispipo + - Public PR 350 + - change insert before for rsyslog setting +- Thanks to @thesmilinglord + - public issue 377 + - change 1.3 from include task to import for tagging +- Thanks to @Fredouye + - public issue 372 + - allow password with different locale ## 2.0.4 - Based on CIS v2.0.0 @@ -64,7 +141,7 @@ - updated controls 6.2.10-6.2.14 - audit - steps moved to prelim - - update to coipy and archive logic and variables + - update to copy and archive logic and variables - removed vars not used - updated quotes used in mode tasks - pre-commit update @@ -98,7 +175,7 @@ - lint updates - .secrets updated - file mode quoted -- updated 5.6.5 thansk to feedback from S!ghs on discord community +- updated 5.6.5 thanks to feedback from S!ghs on discord community ## 1.1.1 - Based on CIS v1.0.0 
@@ -130,7 +207,7 @@ ## 1.0.10 - [#72](https://github.com/ansible-lockdown/RHEL9-CIS/issues/72) - - Only run check when paybook user not a superuser + - Only run check when playbook user not a superuser - fix for 5.5.3 thanks to @nrg-fv ## 1.0.9 @@ -202,7 +279,7 @@ Jan-2023 release - updated ansible minimum to 2.10 - Lint file updates and improvements -- auditd now shows diff ater initial template added +- auditd now shows diff after initial template added - many control rewritten - Many controls moved ID references - Audit updates aligned @@ -227,7 +304,7 @@ Jan-2023 release - #209 5.6.5 rewrite umask settings - #220 tidy up and align variables - #226 Thanks to Thulium-Drake - -Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required fopr auditd to run correctly in some cases) + -Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required for auditd to run correctly in some cases) - #227 thanks to OscarElits - chrony files now RH expected locations @@ -267,9 +344,9 @@ Jan-2023 release - not all controls work with rhel8 releases any longer - selinux disabled 1.6.1.4 - logrotate - 4.3.x -- updated to rhel8cis v2.0 benchamrk requirements +- updated to rhel8cis v2.0 benchmark requirements - removed iptables firewall controls (not valid on rhel9) -- added more to logrotate 4.3.x - sure to logrotate now a seperate package +- added more to logrotate 4.3.x - sure to logrotate now a separate package - grub path now standard to /boot/grub2/grub.cfg - 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer - workflow update @@ -288,7 +365,7 @@ args: ``` - update boolean values to true/false -- 3.4.2 improved checks for p[ackage presence +- 3.4.2 improved checks for package presence - changed to assert for OS/release and ansible version ## Initial diff --git a/README.md b/README.md index 65a8fca..15b5823 100644 --- a/README.md +++ b/README.md 
@@ -19,7 +19,6 @@ ## Lint & Pre-Commit Tools 🔧 -[![Pre-Commit.ci](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/RHEL9-CIS/pre-commit-ci.json)](https://results.pre-commit.ci/latest/github/ansible-lockdown/RHEL9-CIS/devel) ![YamlLint](https://img.shields.io/badge/yamllint-Present-brightgreen?style=flat&logo=yaml&logoColor=white) ![Ansible-Lint](https://img.shields.io/badge/ansible--lint-Present-brightgreen?style=flat&logo=ansible&logoColor=white) @@ -49,7 +48,6 @@ ![Private Benchmark Version](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/benchmark-version.json) [![Private Remediate Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/remediate.json)](https://github.com/ansible-lockdown/Private-RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) -[![Private GPO Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/gpo.json)](https://github.com/ansible-lockdown/Private-RHEL9-CIS/actions/workflows/main_pipeline_validation_gpo.yml) ![Private Pull Requests](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/prs.json) ![Private Closed Issues](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/issues-closed.json) @@ -58,9 +56,9 @@ ## Looking for support? 🤝 -[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RHEL9-CIS) +[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH9-CIS) -[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RHEL9-CIS) +[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH9-CIS) ### Community 💬 
@@ -86,10 +84,10 @@ This role **will make changes to the system** which may have unintended conseque ## Coming From A Previous Release ⏪ -CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release. +CIS release always contains changes, it is highly recommended to review the new references and available variables. These have changed significantly since ansible-lockdown initial release. This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. -Further details can be seen in the [Changelog](./ChangeLog.md) +Further details can be seen in the [Changelog](./Changelog.md) --- @@ -103,7 +101,7 @@ This is managed using tags: - level2-server - level2-workstation -The control found in defaults main also need to reflect this as this control the testing that takes place if you are using the audit component. +The controls found in defaults/main.yml also need to reflect this, as they control the testing that takes place if you are using the audit component. --- ## Requirements ✅ @@ -130,6 +128,9 @@ RHEL Family OS 9 - python-def - libselinux-python +If you are using the option to create your own bootloader hash the ansible controller +- passlib + --- ## Auditing 🔍 diff --git a/defaults/main.yml b/defaults/main.yml index 014b927..4245f53 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,6 @@ --- -# defaults file for rhel9-cis + +# defaults file for RHEL9-CIS # WARNING: # These values may be overridden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here: # https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable 
@@ -63,7 +64,7 @@ benchmark: RHEL9-CIS # System will reboot if false, can give better audit results skip_reboot: true -# default value will change to true but wont reboot if not enabled but will error +# default value will change to true but won't reboot if not enabled but will error change_requires_reboot: false ### @@ -93,17 +94,11 @@ audit_max_concurrent: 50 ## Only run Audit do not remediate audit_only: false -### As part of audit_only ### -# Path to copy the files to will create dir structure in audit_only mode -audit_capture_files_dir: /some/location to copy to on control node ############################# -## How to retrieve audit binary(Goss) -# Options are 'copy' or 'download' - detailed settings at the bottom of this file -# - if 'copy': -# - the filepath mentioned via the below 'audit_bin_copy_location' var will be used to access already downloaded Goss -# - if 'download': -# - the GitHub Goss-releases URL will be used for a fresh-download, via 'audit_bin_url' and 'audit_pkg_arch_name' vars +# How to retrieve audit binary +# Options are copy or download - detailed settings at the bottom of this file +# you will need access to either github or the file already downloaded get_audit_binary_method: download ## if get_audit_binary_method - copy the following needs to be updated for your environment @@ -257,9 +252,8 @@ rhel9cis_rule_1_8_8: true rhel9cis_rule_1_8_9: true rhel9cis_rule_1_8_10: true -## Section 2 Fixes # Section 2 rules are controlling Services (Special Purpose Services, and service clients) -# Configure Server Services +## Configure Server Services rhel9cis_rule_2_1_1: true rhel9cis_rule_2_1_2: true rhel9cis_rule_2_1_3: true @@ -400,7 +394,6 @@ rhel9cis_rule_5_3_3_2_4: true rhel9cis_rule_5_3_3_2_5: true rhel9cis_rule_5_3_3_2_6: true rhel9cis_rule_5_3_3_2_7: true -rhel9cis_rule_5_3_3_2_8: true # 5.3.3.3 Configure pam_pwhistory module # These are added as part of 5.3.2.4 using jinja2 template rhel9cis_rule_5_3_3_3_1: true 
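Review bot: Removing the `audit_capture_files_dir` default (the `-audit_capture_files_dir: /some/location to copy to on control node` line) leaves no declared value for a variable that the Changelog entry in this same commit says is now wired into the audit_only file-capture workflow; unless it was moved to vars/main.yml or the task guards on `is defined`, an audit_only run with capture enabled would fail on an undefined variable. If the intent is that capture stays off until the operator sets a path, keep an explicit default such as `audit_capture_files_dir: ''` with the comment `# Path on the control node to receive captured audit files; empty disables capture`, and have the task test `| length > 0`. The same hunk also drops the pointer that `audit_bin_copy_location` is what the `copy` method reads; that one line of the old comment is worth keeping in the shortened text.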
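Review bot: Dropping `rhel9cis_rule_5_3_3_2_8: true` from the rule toggles removes the only default for that switch, while the Changelog in this commit states that 5.3.3.2.7 and 5.3.3.2.8 were separated into their own tasks; any task still gated on `when: rhel9cis_rule_5_3_3_2_8` (not in this diff) would now raise an undefined-variable error. If the root-enforcement control really has no toggle of its own any more, say so next to the surviving line, `rhel9cis_rule_5_3_3_2_7: true  # also covers 5.3.3.2.8 (enforce_for_root)`; otherwise restore the toggle.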
@@ -539,7 +532,7 @@ rhel9cis_rule_7_2_9: true ## Ability to enable debug on mounts to assist in troubleshooting # Mount point changes are set based upon facts created in Prelim -# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1. +# these then build the variable and options that are passed to the handler to set the mount point for the controls in section1. rhel9cis_debug_mount_data: false ## Control 1.1.2 
@@ -583,14 +576,33 @@ rhel9cis_selinux_pol: targeted
 rhel9cis_selinux_enforce: enforcing
 ## Control 1.4.1
-# This variable will store the hashed GRUB bootloader password to be stored in '/boot/grub2/user.cfg' file. The default value
-# must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with
-# this format: 'grub.pbkdf2.sha512...'
+# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
+rhel9cis_set_boot_pass: false
+
+################### bootloader password ############################################################
+#
+# Two options for setting the bootloader password
+#
+# Option 1: Set the bootloader password and salt – requires the passlib Python module
+# to be available on the Ansible controller.
+# Set this value to something secure to have predictable hashes,
+# which will prevent unnecessary changes.
+
+rhel9cis_bootloader_salt: ''
+
+# This variable stores the GRUB bootloader password to be written
+# to the '/boot/grub2/user.cfg' file. The default value must be changed.
+
+rhel9cis_bootloader_password: 'password' # pragma: allowlist secret
+
+# Option 2: Set the bootloader password hash – if the salt value is empty,
+# the password will be set using the variable below.
+# If you are not using the bootloader hash filter, you can set it here
+# in encrypted format, e.g. grub.pbkdf2.sha512.hashstring
+
 rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
-## Control 1.4.1
-# This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
-rhel9cis_set_boot_pass: true
+######################################################################################################
 ## Controls 1.6.x and Controls 5.1.x
 # This variable governs if current Ansible role should manage system-wide crypto policy.
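Review bot: `rhel9cis_set_boot_pass` flips from `true` to `false` in this hunk, so the CIS 1.4.1 bootloader password is now off by default even though `rhel9cis_rule_1_4_1` stays enabled, and neither the new comment block nor the Changelog line ("Bootloader password logic updated") says so. If the flip is deliberate, to avoid ever writing the shipped placeholders `'password'` / `changethispassword`, state that above the variable: `# Default false: enable only after setting a real salt+password (option 1) or a real hash (option 2)`. The option-1 text should also say that `rhel9cis_bootloader_salt` and the plaintext `rhel9cis_bootloader_password` end up in inventory and belong in Ansible Vault, not a committed vars file. The option-2 wording `the password will be set using the variable below` is misleading, since what follows is the pre-computed hash; `the hash below is written as-is` is what happens.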
@@ -612,7 +624,7 @@ rhel9cis_additional_crypto_policy_module: '' # - 1.7.1 - Ensure message of the day is configured properly # - 1.7.2 - Ensure local login warning banner is configured properly # - 1.7.3 - Ensure remote login warning banner is configured properly -# This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd). +# This variable stores the content for the Warning Banner(relevant for issue, issue.net, motd). rhel9cis_warning_banner: Authorized users only. All activity may be monitored and reported. # End Banner @@ -902,8 +914,8 @@ rhel9cis_sshd_clientalivecountmax: 3 # keep the connection alive and prevent it being terminated due to inactivity. rhel9cis_sshd_clientaliveinterval: 15 -## Control 5.1.10 - Ensure sshd DisableForwarding is enabled -# By Default this will also disablex11 forwarding +## Control 5.1.12 - disable forwarding +# By Default this will also disable X11 forwarding # set 'yes' if x11 is required this can be changed to run in /etc/ssh/ssh_config.d/50-redhat.conf # This variable's value is used in the `/etc/ssh/ssh_config.d/50-redhat.conf` file to # disable X11Forwarding. If X11 is required, set this variable's value to `yes`! 
@@ -947,14 +959,7 @@ rhel9cis_ssh_maxsessions: 4
 # This variable defines the path and file name of the sudo log file.
 rhel9cis_sudolog_location: "/var/log/sudo.log"
-## Control 5.2.4 - Ensure users must provide password for escalation
-# The following variable specifies a list of users that should not be required to provide a password
-# for escalation. Feel free to edit it according to your needs.
-rhel9cis_sudoers_exclude_nopasswd_list:
- - ec2-user
- - vagrant
-
-## Control 5.2.6 - Ensure sudo authentication timeout is configured correctly
+## Control 5.2.x - Ensure sudo authentication timeout is configured correctly
 # This variable sets the duration (in minutes) during which a user's authentication credentials
 # are cached after successfully authenticating using "sudo". This allows the user to execute
 # multiple commands with elevated privileges without needing to re-enter their password for each
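Review bot: `rhel9cis_sudoers_exclude_nopasswd_list` is removed from defaults here, but the tasks/main.yml hunk `@@ -99,7 +97,7 @@` in this same commit still evaluates `ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list` inside the rule 5.2.4 pre-flight assertion, so unless the list was moved to vars/main.yml or is expected from inventory, that check now fails with an undefined variable instead of protecting the operator's access. Keep a default, `rhel9cis_sudoers_exclude_nopasswd_list: []` with its old comment, or make the assertion tolerant with `rhel9cis_sudoers_exclude_nopasswd_list | default([])`. The heading `## Control 5.2.x` also loses the control number the old comment carried (5.2.6); the exact id is what auditors map the variable against.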
@@ -994,19 +999,38 @@ rhel9cis_authselect_default_profile_to_copy: "sssd --symlink-meta" ## Control 5.3.3.1.1 - # This variable sets the amount of tries a password can be entered, before a user is locked. rhel9cis_pam_faillock_deny: 5 -## Control 5.3.3.2, 5.3.2.2 + +# - 5.3.3.1.2 # This variable sets the amount of time a user will be unlocked after the max amount of # password failures. rhel9cis_pam_faillock_unlock_time: 900 -## Control 5.3.3.1.3 - Ensure password failed attempts lockout includes root account -# This variable is used in the task that ensures that even the root account -# is included in the password failed attempts lockout measure. -# The following variable is used in the 'regexp' field. This field is used to find the -# line in the file. If the line matches the regular expression, it will be replaced -# with the line parameter's value. +##################################################################################################################### +# 5.3.3.1.3 | Ensure pam_faillock is configured - root account lockout behavior +# +# Controls how root is handled when the failed login threshold is reached. +#################### Two mutually exclusive options ################################################################# +# +# -> even_deny_root : Lock root just like any other account +# -> root_unlock_time = : Lock root but auto-unlock after seconds +# +# Note: The default value is set to 'even_deny_root' to align with the CIS Benchmark recommendation of locking root +# identically to regular users when the failed login threshold is reached. If you prefer to have root auto-unlock +# after a specified time, set 'rhel9cis_pamroot_lock_option' to "root_unlock_time = {{ rhel9cis_root_unlock_time }}" +# and adjust 'rhel9cis_root_unlock_time' as needed. 
+# +# Set ONE of the following: +# +# Option 1: root is locked identically to regular users when the failed login threshold is reached rhel9cis_pamroot_lock_option: even_deny_root +# Option 2: root is locked but auto-unlocks after the specified seconds. +# Seconds before root is automatically unlocked (only used when rhel9cis_pamroot_lock_option includes root_unlock_time) +rhel9cis_root_unlock_time: 60 +# rhel9cis_pamroot_lock_option: "root_unlock_time = {{ rhel9cis_root_unlock_time }}" +# +######################################################################################################################## + ## Control 5.3.3.2.1 - Ensure password number of changed characters is configured # This variable holds the path to the configuration file that will be created (or overwritten if already existing) # in order to implement the 'Ensure password number of changed characters is configured' control. 
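Review bot: `rhel9cis_root_unlock_time: 60` is the lowest value the benchmark text accepts for root_unlock_time and is far below the 900 seconds set for everyone else in `rhel9cis_pam_faillock_unlock_time`, so an operator who switches to option 2 makes root the account that recovers fastest from a lockout, the opposite of what 5.3.3.1.3 is for. Consider defaulting it to the general unlock time, or at least add above it `# CIS minimum; raise to match rhel9cis_pam_faillock_unlock_time unless a short root lockout is a deliberate choice`. The comment line `# -> root_unlock_time = : Lock root but auto-unlock after seconds` has lost its placeholder (an angle-bracket token was probably stripped somewhere); `# -> root_unlock_time = N : Lock root but auto-unlock after N seconds` survives rendering.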
@@ -1079,14 +1103,9 @@ rhel9cis_passwd_dictcheck_file: etc/security/pwquality.conf.d/50-pwdictcheck.con # When set to '0', dictionary checks are disabled. CIS states that it shall always be set to '1'. rhel9cis_passwd_dictcheck_value: 1 -# This variable is used in one of the config files to ensure password quality checking is enforced +# 5.3.3.2.7 - Ensure password quality is enforced for the root user +rhel9cis_passwd_quality_enforce_file: etc/security/pwquality.conf.d/50-pwquality_enforce.conf # pragma: allowlist secret rhel9cis_passwd_quality_enforce_value: 1 - -## Control 5.3.3.2.7 - Ensure password quality is enforced for the root user -# This variable holds the path to the configuration file that will be created (or overwritten if already existing) -# in order to implement the 'Ensure password quality is enforced for the root user' control. -rhel9cis_passwd_quality_enforce_root_file: etc/security/pwquality.conf.d/50-pwroot.conf # pragma: allowlist secret -# The following variable enforces that the root user must adhere to the same password quality policies as other users. rhel9cis_passwd_quality_enforce_root_value: enforce_for_root # pragma: allowlist secret ## Control 5.3.3.3.1 - Ensure password history remember is configured 
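Review bot: The new heading `# 5.3.3.2.7 - Ensure password quality is enforced for the root user` now sits above `rhel9cis_passwd_quality_enforce_file` / `rhel9cis_passwd_quality_enforce_value: 1`, which set the general pwquality enforcing option, while `rhel9cis_passwd_quality_enforce_root_value: enforce_for_root` keeps its value but has lost both its file variable (`rhel9cis_passwd_quality_enforce_root_file`) and any heading, so a reader cannot tell from defaults which file now receives `enforce_for_root`. If the v2.0.0 numbering is 5.3.3.2.7 = quality checking enforced and 5.3.3.2.8 = enforced for root, as the Changelog entry about mislabelling suggests, retitle the first heading `# 5.3.3.2.7 - Ensure password quality checking is enforced` and add `# 5.3.3.2.8 - Ensure password quality is enforced for the root user (written to the file above)` over the root value, adjusting the parenthetical to what the task does.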
@@ -1126,21 +1145,21 @@ rhel9cis_inactivelock: # CIS requires a value of 30 days or less. lock_days: 30 -## Control 5.4.1.6 - Ensure all users last password change date is in the past +## Control 5.4.1.x - Ensure all users last password change date is in the past # Allow ansible to expire password for account with a last changed date in the future. Setting it # to 'false' will just display users in violation, while 'true' will expire those users passwords. rhel9cis_futurepwchgdate_autofix: true -## Control 5.4.2.6 - Ensure root user umask is configured -# The following variable specifies the "umask" to configure for the root user. -# The user file-creation mode mask ( umask ) is used to determine the file -# permission for newly created directories and files. In Linux, the default -# permissions for any newly created directory is 0777 ( rwxrwxrwx ), and for -# any newly created file it is 0666 ( rw-rw-rw- ). The umask modifies the default -# Linux permissions by restricting (masking) these permissions. The umask is not -# simply subtracted, but is processed bitwise. Bits set in the umask are cleared -# in the resulting file mode. CIS recommends setting 'umask' to '0027' or more -# restrictive. +# 5.4.2.x + +## 5.4.2.5 Root user used +# Root by default is not used unless setup by user +# The role will only run certain commands if set to true +# This allows the ability to skip tasks that may cause an issue +# With the understanding root has full access +rhel9cis_uses_root: false + +## 5.4.2.6 - Ensure root home directory permissions are 750 or more restrictive rhel9cis_root_umask: '0027' # 0027 or more restrictive ## Control 5.4.2.7 - Ensure system accounts are secured | Set nologin 
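Review bot: The heading `## 5.4.2.6 - Ensure root home directory permissions are 750 or more restrictive` replaces the old umask description above `rhel9cis_root_umask: '0027'`, but the variable still configures root's umask, so the heading now describes a different control from the variable it labels (the removed `Control 5.4.2.6 - Ensure root user umask is configured` matched). Restore a one-line umask heading, `## 5.4.2.6 - Ensure root user umask is configured (0027 or more restrictive)`, and put the home-directory title, if it belongs anywhere, over the variable that actually governs it. For `rhel9cis_uses_root: false` the comment says the role only runs certain commands when true; naming the affected task (the 5.4.2.5 root PATH integrity task, per the Changelog) would tell operators what they are skipping.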
@@ -1157,7 +1176,7 @@ rhel9cis_shell_session_timeout: 900 # This variable specifies the path of the timeout setting file. # (TMOUT setting can be set in multiple files, but only one is required for the # rule to pass. Options are: -# - a file in `/etc/profile.d/` ending in `.s`, +# - a file in `/etc/profile.d/` ending in `.sh`, # - `/etc/profile`, or # - `/etc/bash.bashrc`. rhel9cis_shell_session_file: /etc/profile.d/tmout.sh @@ -1185,9 +1204,8 @@ rhel9cis_aide_db_file_age: 1w # If AIDE is already setup this variable forces a new database # file to be created. rhel9cis_aide_db_recreate: false -# This variable is used to check if there is already an existing database file -# created by AIDE on the target system. If it is not present, the role will generate -# a database file with the same name as the value of this variable. + +# allows changing the db file; note the config needs to be adjusted too rhel9cis_aide_db_file: /var/lib/aide/aide.db.gz ## Control 6.1.2 - Ensure filesystem integrity is regularly checked @@ -1217,12 +1235,12 @@ rhel9cis_aide_cron: # This variable governs the day of the month when the AIDE cronjob is run. # `*` signifies that the job is run on all days; furthermore, specific days # can be given in the range `1-31`; several days can be concatenated with a comma. - # The specified day(s) can must be in the range `1-31`. + # The specified day(s) must be in the range `1-31`. aide_day: '*' # This variable governs months when the AIDE cronjob is run. # `*` signifies that the job is run in every month; furthermore, specific months # can be given in the range `1-12`; several months can be concatenated with commas. - # The specified month(s) can must be in the range `1-12`. + # The specified month(s) must be in the range `1-12`. aide_month: '*' # This variable governs the weekdays, when the AIDE cronjob is run. # `*` signifies that the job is run on all weekdays; furthermore, specific weekdays 
@@ -1262,7 +1280,7 @@ rhel9cis_journald_runtimekeepfree: 100G
 # Current variable governs the settings for log retention(how long the log files will be kept).
 # Thus, it specifies the maximum time to store entries in a single journal
 # file before rotating to the next one. Set to 0 to turn off this feature.
-# The given values is interpreted as seconds, unless suffixed with the units
+# The given value is interpreted as seconds, unless suffixed with the units
 # `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
 # Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
 # ATTENTION: Uncomment the keyword below when values are set!
diff --git a/filter_plugins/grub_hash.py b/filter_plugins/grub_hash.py
new file mode 100644
index 0000000..245756b
--- /dev/null
+++ b/filter_plugins/grub_hash.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+# Copyright (c) 2025, Jeffrey van Pelt
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+name: grub_hash
+short_description: Generate a GRUB2 password hash
+version_added: 1.0.0
+author: Jeffrey van Pelt (@Thulium-Drake)
+description:
+ - Generate a GRUB2 password hash from the input
+options:
+ _input:
+ description: The desired password for the GRUB bootloader
+ type: string
+ required: true
+ salt:
+ description: The salt used to generate the hash
+ type: string
+ required: false
+ rounds:
+ description: The amount of rounds to run the PBKDF2 function
+ type: int
+ required: false
+"""
+
+EXAMPLES = r"""
+- name: 'Generate hash with defaults'
+ ansible.builtin.debug:
+ msg: "{{ 'mango123!' | grub_hash }}"
+
+- name: 'Generate hash with custom rounds and salt'
+ ansible.builtin.debug:
+ msg: "{{ 'mango123!' | grub_hash(rounds=10001, salt='andpepper') }}"
+ # Produces: grub.pbkdf2.sha512.10001.616E64706570706572.4C6AEA2A811B4059D4F47AEA36B77DB185B41E9F08ECC3C4C694427DB876C21B24E6CBA0319053E4F1431CDEE83076398C73B9AA8F50A7355E446229BC69A97C
+"""
+
+RETURN = r"""
+_value:
+ description: A GRUB2 password hash
+ type: string
+"""
+
+from ansible.errors import AnsibleFilterError
+import os
+import base64
+from passlib.hash import grub_pbkdf2_sha512
+
+def grub_hash(password, rounds=10000, salt=None):
+ if salt is None:
+ # Generate 64-byte salt if not provided
+ salt = os.urandom(64)
+
+ # Check if the salt, when not generated, is a valid bytes value and attempt to convert if needed
+ if not isinstance(salt, bytes):
+ try:
+ salt = salt.encode("utf-8")
+ except AttributeError:
+ raise TypeError("Salt must be a string, not int.")
+
+ # Configure hash generator
+ pbkdf2_generator = grub_pbkdf2_sha512.using(rounds=rounds, salt=salt)
+ return pbkdf2_generator.hash(password)
+
+class FilterModule(object):
+ def filters(self):
+ return {
+ 'grub_hash': grub_hash
+ }
diff --git a/handlers/main.yml b/handlers/main.yml
index 1ef6ccf..c6de8f3 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -150,7 +150,7 @@
 ansible.posix.mount:
 path: "{{ mount_point }}"
 state: remounted
- notify: Change_requires_reboot
+ notify: Set reboot required
 listen: "Remount /boot/efi"
 - name: Reload sysctl
@@ -194,7 +194,7 @@
 ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
 changed_when: true
 notify:
- - Change_requires_reboot
+ - Set reboot required
 - Restart sshd
 - name: Restart firewalld
@@ -255,7 +255,7 @@
 when: discovered_auditd_immutable_check.stdout == '1'
 ansible.builtin.debug:
 msg: "Reboot required for auditd to apply new rules as immutable set"
- notify: Change_requires_reboot
+ notify: Set reboot required
 - name: Stop auditd process
 ansible.builtin.command: systemctl kill auditd
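Review bot: An empty-string salt is not treated as "not provided" in `grub_hash`: only `None` triggers `os.urandom(64)`, so `''` is encoded to `b''` and handed to passlib as a zero-length salt, yielding a deterministic hash with no salt at all, while defaults/main.yml in this commit ships `rhel9cis_bootloader_salt: ''` and documents empty as "not set"; the filter should fall back to a random salt (or refuse) for `''` as it does for `None`. The remaining gaps are error handling: `from passlib.hash import grub_pbkdf2_sha512` runs at plugin load, so a controller without passlib fails inside plugin loading rather than with a message naming the dependency the README now documents, and `TypeError("Salt must be a string, not int.")` bypasses the imported-but-unused `AnsibleFilterError` and assumes the wrong type is an int; `import base64` is unused. The rewrite below keeps the signature and the output for the documented example inputs.

```python
try:
    from passlib.hash import grub_pbkdf2_sha512
    HAS_PASSLIB = True
except ImportError:
    HAS_PASSLIB = False


def grub_hash(password, rounds=10000, salt=None):
    """Return a grub.pbkdf2.sha512 hash of password; a random 64-byte salt is used when none is supplied."""
    if not HAS_PASSLIB:
        raise AnsibleFilterError("grub_hash requires the 'passlib' Python module on the Ansible controller")
    # None and an empty string both mean "no salt supplied"
    if salt is None or salt == "" or salt == b"":
        salt = os.urandom(64)
    elif isinstance(salt, str):
        salt = salt.encode("utf-8")
    elif not isinstance(salt, bytes):
        raise AnsibleFilterError("grub_hash: salt must be a string or bytes, got %s" % type(salt).__name__)
    # … unchanged: pbkdf2_generator setup and return …
```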
@@ -268,6 +268,6 @@
 state: started
 listen: Restart auditd
-- name: Change_requires_reboot
+- name: Set reboot required
 ansible.builtin.set_fact:
 change_requires_reboot: true
diff --git a/meta/main.yml b/meta/main.yml
index 8f8b65f..9418c84 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,11 +1,11 @@
 ---
 galaxy_info:
- author: "MindPoint Group"
+ author: "Ansible-Lockdown"
 description: "Apply the RHEL 9 CIS"
- company: "MindPoint Group"
+ company: "MindPoint Group - A Tyto Athene Company"
 license: MIT
 role_name: rhel9_cis
- namespace: mindpointgroup
+ namespace: ansible-lockdown
 min_ansible_version: 2.10.1
 platforms:
 - name: EL
diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index 27172b2..348d0ab 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -10,7 +10,6 @@
 system_is_container: true
 rhel9cis_selinux_disable: true
 rhel9cis_rule_5_2_4: false
- rhel9cis_rule_1_1_10: false
 rhel9cis_firewall: "none"
 rhel9cis_rule_4_1_1_1: false
 rhel9cis_rule_4_1_1_2: false
diff --git a/molecule/wsl/converge.yml b/molecule/wsl/converge.yml
index 5128600..daa9d18 100644
--- a/molecule/wsl/converge.yml
+++ b/molecule/wsl/converge.yml
@@ -8,16 +8,15 @@
 vars:
 ansible_user: "{{ lookup('env', 'USER') }}"
 system_is_container: true
- rhel8cis_selinux_disable: true
+ rhel9cis_selinux_disable: true
 role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
- rhel8cis_rule_5_3_4: false
- rhel8cis_rule_1_1_10: false
- rhel8cis_rsyslog_ansiblemanaged: false
- rhel8cis_rule_3_4_1_3: false
- rhel8cis_rule_3_4_1_4: false
- rhel8cis_rule_4_2_1_2: false
- rhel8cis_rule_4_2_1_4: false
- rhel8cis_rule_5_1_1: false
+ rhel9cis_rule_5_3_4: false
+ rhel9cis_rsyslog_ansiblemanaged: false
+ rhel9cis_rule_3_4_1_3: false
+ rhel9cis_rule_3_4_1_4: false
+ rhel9cis_rule_4_2_1_2: false
+ rhel9cis_rule_4_2_1_4: false
+ rhel9cis_rule_5_1_1: false
 pre_tasks:
 tasks:
diff --git a/site.yml b/site.yml
index f3f0fae..4386b04 100644
--- a/site.yml
+++ b/site.yml
@@ -1,7 +1,7 @@
 ---
 - name: Apply ansible-lockdown hardening
- hosts: all
+ hosts: "{{ hosts | default('all') }}"
 become: true
 roles:
 - role: "{{ playbook_dir }}"
diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml
index d784dc1..53293e7 100644
--- a/tasks/LE_audit_setup.yml
+++ b/tasks/LE_audit_setup.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: Pre Audit Setup | Set audit package name
 block:
 - name: Pre Audit Setup | Set audit package name | 64bit
diff --git a/tasks/main.yml b/tasks/main.yml
index 4d1887d..fe3b9b9 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -17,9 +17,7 @@
 success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
 - name: "Setup rules if container"
- when:
- - ansible_connection == 'docker' or
- ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+ when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - container_discovery
 - always
@@ -43,18 +41,18 @@ fail_msg: "Crypto policy is not a permitted version" success_msg: "Crypto policy is a permitted version" -- name: "Check rhel9cis_bootloader_password_hash variable has been changed" +- name: "Check rhel9cis_bootloader_password variable has been changed" when: - rhel9cis_set_boot_pass - rhel9cis_rule_1_4_1 tags: always ansible.builtin.assert: - that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret - msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" + that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' or (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password != 'password') # pragma: allowlist secret + msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password or rhel9cis_bootloader_password_hash variable has not been set correctly" - name: "Check crypto-policy module input" when: - - rhel9cis_rule_1_6_1 + - rhel9cis_crypto_policy_ansiblemanaged - rhel9cis_crypto_policy_module | length > 0 tags: - rule_1.6.1 
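Review bot: The rewritten `that:` for the bootloader check in tasks/main.yml accepts either input on its own, but `rhel9_compiled_bootloader_password` (vars/main.yml, later in this diff) takes the salt/password path whenever `rhel9cis_bootloader_salt` is non-empty, so a salt set alongside a customised `rhel9cis_bootloader_password_hash` and the placeholder `rhel9cis_bootloader_password` passes the assert and writes a hash of the placeholder to /boot/grub2/user.cfg. Dropping the `find('grub.pbkdf2.sha512')` test also means any non-placeholder string in the hash variable, an unhashed password included, is accepted, and an empty `rhel9cis_bootloader_password` is accepted on the salt path. Gate each branch on the value it will actually use: `that: (rhel9cis_bootloader_salt != '' and rhel9cis_bootloader_password | length > 0 and rhel9cis_bootloader_password != 'password') or (rhel9cis_bootloader_salt == '' and rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword')`, keeping the `# pragma: allowlist secret` marker. The placeholder values are inferred from the literals the assert compares against; confirm they match the role defaults.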
@@ -99,7 +97,7 @@ or (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list) ) - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or the user is not included in the exception list for rule 5.2.4 - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4" - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template] @@ -120,8 +118,8 @@ - name: "Check authselect profile is selected | Check current profile" ansible.builtin.command: authselect list changed_when: false - failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ] - register: prelim_authselect_current_profile + failed_when: prelim_authselect_profile_list.rc not in [ 0, 1 ] + register: prelim_authselect_profile_list - name: "Ensure root password is set" when: rhel9cis_rule_5_4_2_4 @@ -156,9 +154,7 @@ file: "{{ ansible_facts.distribution }}.yml" - name: "Include preliminary steps" - tags: - - prelim_tasks - - always + tags: prelim_tasks ansible.builtin.import_tasks: file: prelim.yml diff --git a/tasks/post.yml b/tasks/post.yml index 383cdf6..b6efdfe 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -28,8 +28,7 @@ - name: POST | reboot system if changes require it and not skipped when: change_requires_reboot - tags: - - always + tags: always vars: warn_control_id: Reboot_required block: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 7c31c25..09e3620 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
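Review bot: Dropping `always` from "Include preliminary steps" in tasks/main.yml (`tags: prelim_tasks`) changes which runs execute prelim.yml: tags on an `import_tasks` are inherited by every imported task, so a tag-filtered run such as `--tags level1-server` used to run all of the prelim discovery and now runs only those prelim tasks that carry a matching tag of their own. Later tasks consume prelim-registered results — `prelim_wireless_adapters.rc` in 3.1.2 and `prelim_authselect_profile_list.stdout` in 5.3.2.1, both in this diff — and fail with an undefined variable when their discovery task was filtered out. Unless every prelim task has been given its own tags (the gpg-key task gains them in this diff; the wireless block's tags are not visible here), keep `tags: [prelim_tasks, always]` or audit prelim.yml tag coverage before merging.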
@@ -1,10 +1,12 @@ --- -# Preliminary tasks that should always be run -# List users in order to look files inside each home directory +# Preliminary tasks that should always run +# List users in order to look up files inside each home directory - name: "PRELIM | Include audit specific variables" - when: run_audit or audit_only or setup_audit + when: + - run_audit or audit_only + - setup_audit tags: - setup_audit - run_audit @@ -12,7 +14,8 @@ file: audit.yml - name: "PRELIM | Include pre-remediation audit tasks" - when: run_audit or audit_only or setup_audit + when: + - run_audit or audit_only tags: run_audit ansible.builtin.import_tasks: pre_remediation_audit.yml @@ -92,6 +95,11 @@ - rhel9cis_rule_1_2_1_1 - ansible_facts.distribution != 'RedHat' - ansible_facts.distribution != 'OracleLinux' + tags: + - level1-server + - level1-workstation + - rule_1.2.1.1 + - gpg ansible.builtin.package: name: "{{ gpg_key_package }}" state: latest @@ -206,14 +214,15 @@ block: - name: "PRELIM | AUDIT | Discover is wireless adapter on system" ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless - register: discover_wireless_adapters + register: prelim_wireless_adapters changed_when: false check_mode: false - failed_when: discover_wireless_adapters.rc not in [ 0, 1 ] + failed_when: prelim_wireless_adapters.rc not in [ 0, 1 ] - name: "PRELIM | PATCH | Install Network-Manager | if wireless adapter present" when: - - discover_wireless_adapters.rc == 0 + - rhel9cis_install_network_manager + - prelim_wireless_adapters.rc == 0 - "'NetworkManager' not in ansible_facts.packages" ansible.builtin.package: name: NetworkManager @@ -277,8 +286,7 @@ - name: "PRELIM | PATCH | Create journald config directory" when: - rhel9cis_syslog == 'journald' - - rhel9cis_rule_6_2_1_3 or - rhel9cis_rule_6_2_1_4 + - rhel9cis_rule_6_2_1_3 or rhel9cis_rule_6_2_1_4 tags: always ansible.builtin.file: path: /etc/systemd/journald.conf.d 
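Review bot: The first prelim.yml hunk turns `when: run_audit or audit_only or setup_audit` into a two-item list, and list items are ANDed, so audit.yml is now included only when `(run_audit or audit_only) and setup_audit`; a host with `run_audit: true` and `setup_audit: false` (audit tooling already present) no longer receives the audit variables, yet the next hunk still imports pre_remediation_audit.yml for exactly that host. If the original "any of the three" was intended, which the separate toggles suggest, keep it on one line: `when: run_audit or audit_only or setup_audit`; if `setup_audit` really is a precondition, the task name should say so. The same and/or ambiguity is what the journald hunk at the end of this file avoids by joining its `or` onto one list item, which is the right pattern.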
diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index adc094d..e67bb39 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -27,8 +27,7 @@ mode: 'go-rwx' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: cramfs state: absent diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index 635648d..efb1dc3 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -1,4 +1,5 @@ --- + - name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition" when: - rhel9cis_rule_1_1_2_3_1 diff --git a/tasks/section_1/cis_1.2.2.x.yml b/tasks/section_1/cis_1.2.2.x.yml index 2ccb59f..379b92d 100644 --- a/tasks/section_1/cis_1.2.2.x.yml +++ b/tasks/section_1/cis_1.2.2.x.yml @@ -13,4 +13,4 @@ ansible.builtin.package: name: "*" state: latest - notify: Change_requires_reboot + notify: Set reboot required diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 5969dff..4476d30 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -13,7 +13,7 @@ - NIST800-53R5_AC-3 ansible.builtin.copy: dest: /boot/grub2/user.cfg - content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy + content: "GRUB2_PASSWORD={{ rhel9_compiled_bootloader_password }}" # noqa template-instead-of-copy owner: root group: root mode: 'go-rwx' diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index ff9ec46..b6bff9d 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
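Review bot: The user.cfg copy task in cis_1.4.x.yml now renders `rhel9_compiled_bootloader_password`, which can be derived at run time from a plaintext `rhel9cis_bootloader_password`, and nothing in the task suppresses output, so `--diff` runs and any log collector that captures them record the full `GRUB2_PASSWORD=grub.pbkdf2.sha512...` line. Add `no_log: true` (and `diff: false` if the rest of the role relies on diff mode) so the hash lives only in the root-only file on the host. The task's name, `when` and remaining tags begin before the hunk.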
@@ -38,12 +38,13 @@ when: - "'kernel' in rhel9cis_ipv6_disable_method" - "'ipv6.disable=1' not in discovered_rhel9cis_3_1_1_ipv6_status.stdout" - ansible.builtin.shell: grubby --update-kernel=ALL --args="ipv6.disable=1" + ansible.builtin.command: grubby --update-kernel=ALL --args="ipv6.disable=1" + changed_when: discovered_rhel9cis_3_1_1_ipv6_status.rc == 0 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled" when: - rhel9cis_rule_3_1_2 - - discover_wireless_adapters.rc == 0 + - prelim_wireless_adapters.rc == 0 tags: - level1-server - patch diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 9600a1c..a75e444 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -411,6 +411,8 @@ path: "{{ rhel9cis_sshd_config_file }}" regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}' + insertbefore: "^Match" + firstmatch: true validate: sshd -t -f %s notify: Restart sshd diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 5dd4352..51f032e 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -14,7 +14,7 @@ - rule_5.3.2.1 block: - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles" - when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout + when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_profile_list.stdout ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}" changed_when: false args: diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml index e8e1530..aa2e0f8 100644 --- a/tasks/section_5/cis_5.3.3.2.x.yml +++ b/tasks/section_5/cis_5.3.3.2.x.yml 
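Review bot: The added `changed_when: discovered_rhel9cis_3_1_1_ipv6_status.rc == 0` in cis_3.1.x.yml tests the return code of the earlier discovery command, not the grubby call on the line above it, so the task reports changed whenever discovery succeeded and says nothing about whether grubby did anything. Either drop the line — the `when` already requires `ipv6.disable=1` to be absent, so when the task runs it genuinely changes the kernel command line — or register the grubby result and test that, e.g. `register: rhel9cis_3_1_1_grubby` and `changed_when: rhel9cis_3_1_1_grubby.rc == 0` (constructed name). A new kernel argument only applies after a reboot; if the task does not already `notify: Set reboot required` (the handler renamed in this diff), it should. The task's name, tags and any notify sit before the hunk.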
@@ -340,7 +340,7 @@ - system notify: Authselect update -- name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user" +- name: "5.3.3.2.7 | PATCH | Ensure password quality checking is enforced" when: rhel9cis_rule_5_3_3_2_7 tags: - level1-server @@ -350,8 +350,8 @@ - NIST800-53R5_IA-5 - pam ansible.builtin.template: - src: "{{ rhel9cis_passwd_quality_enforce_root_file }}.j2" - dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}" + src: "{{ rhel9cis_passwd_quality_enforce_file }}.j2" + dest: "/{{ rhel9cis_passwd_quality_enforce_file }}" owner: root group: root mode: 'o-rwx' diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index b291cc2..d1ba865 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -179,7 +179,7 @@ - item.stat.exists - item.stat.isdir - item.stat.pw_name != 'root' or item.stat.gr_name != 'root' or item.stat.woth or item.stat.wgrp - - (item != 'root') and (not rhel9cis_uses_root) + - (item != 'root') and (not rhel9cis_uses_root ) ansible.builtin.file: path: "{{ item.stat.path }}" state: directory diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 09a2fdd..3d4db89 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -10,14 +10,12 @@ file: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure privilege escalation" - when: - - rhel9cis_section5_2 + when: rhel9cis_section5_2 ansible.builtin.import_tasks: file: cis_5.2.x.yml - name: "SECTION | 5.3" - when: - - rhel9cis_section5_3 + when: rhel9cis_section5_3 block: - name: "SECTION | 5.3.1.x | Configure PAM software packages" ansible.builtin.import_tasks: @@ -44,8 +42,7 @@ file: cis_5.3.3.4.x.yml - name: "SECTION | 5.4" - when: - - rhel9cis_section5_4 + when: rhel9cis_section5_4 block: - name: "SECTION | 5.4.1.x | Configure shadow password suite parameters" ansible.builtin.import_tasks: 
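Review bot: The only change to the 5.4.2.x home-directory condition in cis_5.4.2.x.yml is a stray space inside the parenthesis, `(not rhel9cis_uses_root )`, which adds diff noise and reads like an unfinished edit; keep `- (item != 'root') and (not rhel9cis_uses_root)`. The task's name and loop begin before the hunk.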
diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml index eaa3bd1..42c7725 100644 --- a/tasks/section_6/cis_6.2.3.x.yml +++ b/tasks/section_6/cis_6.2.3.x.yml @@ -195,7 +195,7 @@ register: discovered_rsyslog_remote_host notify: Restart rsyslog -- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" +- name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client" when: rhel9cis_rule_6_2_3_7 tags: - level1-server @@ -208,7 +208,7 @@ - NIST800-53R5_AU-12 - NIST800-53R5_CM-6 block: - - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host" + - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client. | When not log host" when: not rhel9cis_system_is_log_server ansible.builtin.replace: path: /etc/rsyslog.conf @@ -221,7 +221,7 @@ - '^(module\(load="imtcp"\))' - '^(input\(type="imtcp")' - - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host" + - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote clients. | When log host" when: rhel9cis_system_is_log_server ansible.builtin.replace: path: /etc/rsyslog.conf diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index b23fb89..b7655aa 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -58,7 +58,7 @@ - level1-server - level1-workstation - patch - - permissionss + - permissions - rule_7.1.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 @@ -254,7 +254,7 @@ ansible.builtin.file: path: "{{ item }}" owner: "{{ rhel9cis_unowned_owner }}" - group: "{{ rhel9cis_unowned_group }}" + group: "{{ rhel9cis_ungrouped_group }}" with_items: - "{{ discovered_unowned_files_flatten }}" diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 3c53c72..a0343ee 100644 
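Review bot: The ownership task in cis_7.1.x.yml that now uses `rhel9cis_ungrouped_group` still iterates with `with_items:` wrapped around a single templated list; `loop: "{{ discovered_unowned_files_flatten }}"` is the current idiom, avoids with_items' implicit flattening of nested lists, and matches the already-flattened variable name. The task's name and `when` begin before the hunk.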
--- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,7 +1,7 @@ --- -# Enable logrunning potential resource intensive tests +# Enable long running potential resource intensive tests run_heavy_tests: {{ audit_run_heavy_tests }} # Extend default command timeout for longer running tests @@ -206,7 +206,6 @@ rhel9cis_rule_2_4_2_1: {{ rhel9cis_rule_2_4_2_1 }} rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }} -rhel9cis_ipv6_disable_method: {{ rhel9cis_ipv6_disable_method }} ## Network Kernel Modules rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} @@ -293,7 +292,6 @@ rhel9cis_rule_5_3_3_2_4: {{ rhel9cis_rule_5_3_3_2_4 }} rhel9cis_rule_5_3_3_2_5: {{ rhel9cis_rule_5_3_3_2_5 }} rhel9cis_rule_5_3_3_2_6: {{ rhel9cis_rule_5_3_3_2_6 }} rhel9cis_rule_5_3_3_2_7: {{ rhel9cis_rule_5_3_3_2_7 }} -rhel9cis_rule_5_3_3_2_8: {{ rhel9cis_rule_5_3_3_2_8 }} # 5.3.3.3 Configure pam_pwhistory module # This are added as part of 5.3.2.4 using jinja2 template rhel9cis_rule_5_3_3_3_1: {{ rhel9cis_rule_5_3_3_3_1 }} @@ -532,6 +530,8 @@ rhel9cis_bluetooth_mask: {{ rhel9cis_bluetooth_mask }} ## 3.1 IPv6 requirement toggle # This variable governs whether ipv6 is enabled or disabled. rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} +# rhel9cis_ipv6_disable defines the method of disabling IPv6, sysctl vs kernel +rhel9cis_ipv6_disable_method: {{ rhel9cis_ipv6_disable_method }} # 3.3 System network parameters (host only OR host and router) # This variable governs whether specific CIS rules diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index 70ebd03..d3e394a 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 
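Review bot: The comment added above the re-homed key in ansible_vars_goss.yml.j2 names a variable that does not exist on the line it describes — it says `rhel9cis_ipv6_disable` while the key is `rhel9cis_ipv6_disable_method`. Use `# rhel9cis_ipv6_disable_method defines the method of disabling IPv6, sysctl vs kernel`.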
@@ -1,6 +1,4 @@ -## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline -# provided by Mindpoint Group - A Tyto Athene Company +{{ file_managed_by_ansible }} ### YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index c3c2b6c..af65935 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,6 +1,4 @@ -## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline -# provided by Mindpoint Group - A Tyto Athene Company +{{ file_managed_by_ansible }} ### YOUR CHANGES WILL BE LOST! # This template will set all of the auditd configurations via a handler in the role in one task instead of individually diff --git a/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 b/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 index fb12b29..b28aea1 100644 --- a/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 +++ b/templates/etc/aide.conf.d/crypt_audit_procs.conf.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # Audit Tools /sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512 diff --git a/templates/etc/ansible/compliance_facts.j2 b/templates/etc/ansible/compliance_facts.j2 index f8725e1..0da1b18 100644 --- a/templates/etc/ansible/compliance_facts.j2 +++ b/templates/etc/ansible/compliance_facts.j2 @@ -1,6 +1,4 @@ -# CIS Hardening Carried out -# Added as part of ansible-lockdown CIS baseline -# provided by Mindpoint Group - A Tyto Athene Company +{{ file_managed_by_ansible }} [lockdown_details] # Benchmark release diff --git a/templates/etc/chrony.conf.j2 b/templates/etc/chrony.conf.j2 index cc5cd84..671e2f0 100644 --- a/templates/etc/chrony.conf.j2 +++ b/templates/etc/chrony.conf.j2 
@@ -1,4 +1,4 @@ -{{ ansible_managed | comment }} +{{ file_managed_by_ansible }} # Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). @@ -11,17 +11,19 @@ driftfile /var/lib/chrony/drift # Allow the system clock to be stepped in the first three updates # if its offset is larger than 1 second. -makestep 1.0 3 +makestep {{ rhel9cis_chrony_server_makestep }} +{% if rhel9cis_chrony_server_rtcsync %} # Enable kernel synchronization of the real-time clock (RTC). rtcsync +{% endif %} # Enable hardware timestamping on all interfaces that support it. #hwtimestamp * # Increase the minimum number of selectable sources required to adjust # the system clock. -#minsources 2 +minsources {{ rhel9cis_chrony_server_minsources }} # Allow NTP client access from local network. #allow 192.168.0.0/16 diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 index 4c1af92..df0b1a5 100644 --- a/templates/etc/cron.d/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 @@ -1,7 +1,5 @@ +{{ file_managed_by_ansible }} # Run AIDE integrity check -## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline -# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # CIS 1.3.2 diff --git a/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2 index fd6eaff..7b907ab 100644 --- a/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2 +++ b/templates/etc/crypto-policies/policies/modules/NO-SHA1.pmod.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # This is a subpolicy dropping the SHA1 hash and signature support # Carried out as part of CIS Benchmark rule 1.6.3 diff --git a/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2 index 9092036..3619008 100644 
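Review bot: In chrony.conf.j2 the comments above `makestep {{ rhel9cis_chrony_server_makestep }}` and `minsources {{ rhel9cis_chrony_server_minsources }}` still describe the former literals ("first three updates", "larger than 1 second") and the minsources comment still reads as if the directive were commented out, so the rendered file documents something other than what it sets. Reword them to point at the variables, e.g. `# Step the clock when the offset exceeds the threshold, for the first N updates (rhel9cis_chrony_server_makestep)` and `# Minimum number of selectable sources required to adjust the clock (rhel9cis_chrony_server_minsources)`. `minsources` also moves from commented-out to always emitted; a default larger than the number of reachable servers would stop chrony from ever adjusting the clock, so the default (not visible here) should be checked against the server/pool configuration.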
--- a/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2 +++ b/templates/etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # This is a subpolicy to disable all CBC mode ciphers # for the SSH protocol (libssh and OpenSSH) # Carried out as part of CIS Benchmark rule 1.6.5 diff --git a/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2 index cebc2ad..570048c 100644 --- a/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2 +++ b/templates/etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # This is a subpolicy to disable Encrypt then MAC # for the SSH protocol (libssh and OpenSSH) # Carried out as part of CIS Benchmark rule 1.6.7 diff --git a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 index 393cf88..f03cd05 100644 --- a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 +++ b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # This is a subpolicy to disable weak ciphers # for the SSH protocol (libssh and OpenSSH) # Carried out as part of CIS Benchmark rules combined 1.6.6 and 5.1.4 diff --git a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2 index f040399..25e2336 100644 --- a/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2 +++ b/templates/etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # This is a subpolicy to disable weak macs # Carried out as part of CIS Benchmark control 5.1.6 
diff --git a/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 b/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 index 0020e6d..984106a 100644 --- a/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 +++ b/templates/etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # This is a subpolicy to disable weak macs # Carried out as part of CIS Benchmark rule 1.6.4 diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 index 0e55b5a..f3c3b74 100644 --- a/templates/etc/dconf/db/00-automount_lock.j2 +++ b/templates/etc/dconf/db/00-automount_lock.j2 @@ -1,6 +1,4 @@ -## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline -# provided by Mindpoint Group - A Tyto Athene Company +{{ file_managed_by_ansible }} # Lock desktop media-handling automount setting /org/gnome/desktop/media-handling/automount diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 index cf9ed5d..a09aca5 100644 --- a/templates/etc/dconf/db/00-autorun_lock.j2 +++ b/templates/etc/dconf/db/00-autorun_lock.j2 @@ -1,6 +1,4 @@ -## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline -# provided by Mindpoint Group - A Tyto Athene Company +{{ file_managed_by_ansible }} # Lock desktop media-handling settings /org/gnome/desktop/media-handling/autorun-never diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 index 640538c..f81aaea 100644 --- a/templates/etc/dconf/db/00-media-automount.j2 +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -1,6 +1,4 @@ -## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline -# provided by Mindpoint Group - A Tyto Athene Company +{{ file_managed_by_ansible }} [org/gnome/desktop/media-handling] automount=false 
diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 index 382469c..6928d80 100644 --- a/templates/etc/dconf/db/00-media-autorun.j2 +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -1,6 +1,4 @@ -## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline -# provided by Mindpoint Group - A Tyto Athene Company +{{ file_managed_by_ansible }} [org/gnome/desktop/media-handling] autorun-never=true diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index a747336..1445dcc 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -1,6 +1,4 @@ -## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline -# provided by Mindpoint Group - A Tyto Athene Company +{{ file_managed_by_ansible }} # Specify the dconf path [org/gnome/desktop/session] diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 index 5988316..eafc95e 100644 --- a/templates/etc/dconf/db/00-screensaver_lock.j2 +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 @@ -1,6 +1,4 @@ -## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline -# provided by Mindpoint Group - A Tyto Athene Company +{{ file_managed_by_ansible }} # Lock desktop screensaver idle-delay setting /org/gnome/desktop/session/idle-delay diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 index ec42bfc..54562d2 100644 --- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 +++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 @@ -1,6 +1,4 @@ -## Ansible controlled file -# Added as part of ansible-lockdown CIS baseline -# provided by Mindpoint Group - A Tyto Athene Company +{{ file_managed_by_ansible }} [org/gnome/login-screen] banner-message-enable=true 
diff --git a/templates/etc/logrotate.d/rsyslog_log.j2 b/templates/etc/logrotate.d/rsyslog_log.j2 index 8acb53e..d9aa2a7 100644 --- a/templates/etc/logrotate.d/rsyslog_log.j2 +++ b/templates/etc/logrotate.d/rsyslog_log.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} /var/log/rsyslog/*.log { {{ rhel9cis_rsyslog_logrotate_rotated_when }} rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }} diff --git a/templates/etc/modprobe.d/modprobe.conf.j2 b/templates/etc/modprobe.d/modprobe.conf.j2 index 77b8cd5..6c3d7d8 100644 --- a/templates/etc/modprobe.d/modprobe.conf.j2 +++ b/templates/etc/modprobe.d/modprobe.conf.j2 @@ -1,6 +1,4 @@ -# Disable usage of protocol {{ item }} -# Set by ansible {{ benchmark }} remediation role -# https://github.com/ansible-lockdown -## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! +{{ file_managed_by_ansible }} +## YOUR CHANGES WILL BE LOST! install {{ item }} /bin/true diff --git a/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 index c223c84..d8cdb67 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # CIS Configurations # 5.3.3.2.3 Ensure password complexity is configured {% if rhel9cis_passwd_complex_option == 'minclass' %} # pragma: allowlist secret diff --git a/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2 index 09b6ee3..e7cd0e0 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwdictcheck.conf.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # CIS Configurations # 5.3.3.2.6 Ensure password dictionary check is enabled dictcheck = {{ rhel9cis_passwd_dictcheck_value }} 
diff --git a/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2 index 2e8ae2d..d69120a 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwdifok.conf.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # CIS Configurations # 5.3.3.2.1 Ensure password number of changed characters is configured difok = {{ rhel9cis_passwd_difok_value }} diff --git a/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2 index 9e874ee..0f893ac 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwlength.conf.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # CIS Configurations # 5.3.3.2.2 Ensure minimum password length is configured minlen = {{ rhel9cis_passwd_minlen_value }} diff --git a/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2 index a561fec..d200904 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwmaxsequence.conf.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # CIS Configurations # 5.3.3.2.5 Ensure password maximum sequential characters is configured maxsequence = {{ rhel9cis_passwd_maxsequence_value }} diff --git a/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2 index 6fea8db..c8fff7e 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwquality_enforce.conf.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # CIS Configurations # 5.3.3.2.7 Ensure password quality checking is enforced enforcing = {{ rhel9cis_passwd_quality_enforce_value }} 
diff --git a/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2 index 28b8dde..0b2c592 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwrepeat.conf.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # CIS Configurations # 5.3.3.2.4 Ensure password same consecutive characters is configured maxrepeat = {{ rhel9cis_passwd_maxrepeat_value }} diff --git a/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2 index 9effdae..243d7fb 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwroot.conf.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # CIS Configurations -# 5.3.3.2.8 Ensure password quality is enforced for the root user +# 5.3.3.2.7 Ensure password quality is enforced for the root user {{ rhel9cis_passwd_quality_enforce_root_value }} diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 index b4b5318..dfca519 100644 --- a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -1,4 +1,5 @@ -## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! +{{ file_managed_by_ansible }} +## YOUR CHANGES WILL BE LOST! # IPv6 disable {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %} diff --git a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 index 11a93f2..12901dc 100644 --- a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 @@ -1,4 +1,5 @@ -## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! +{{ file_managed_by_ansible }} +## YOUR CHANGES WILL BE LOST! {% if rhel9cis_rule_1_5_1 %} # Adress space randomise 
diff --git a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 index 336071c..8d27e8f 100644 --- a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 @@ -1,4 +1,5 @@ -## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! +{{ file_managed_by_ansible }} +## YOUR CHANGES WILL BE LOST! # IPv4 Network sysctl {% if rhel9cis_rule_3_3_1 %} diff --git a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 index 07e045d..3ef53f4 100644 --- a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 +++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 @@ -1,4 +1,5 @@ -## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! +{{ file_managed_by_ansible }} +## YOUR CHANGES WILL BE LOST! # IPv6 Network sysctl {% if rhel9cis_ipv6_required %} diff --git a/templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2 b/templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2 index 3b00ce1..682cdd5 100644 --- a/templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2 +++ b/templates/etc/systemd/journald.conf.d/forwardtosyslog.conf.j2 @@ -1,4 +1,4 @@ -# File created for CIS benchmark +{{ file_managed_by_ansible }} # CIS rule 6_2_2_2 [Journal] ForwardToSyslog=no diff --git a/templates/etc/systemd/journald.conf.d/rotation.conf.j2 b/templates/etc/systemd/journald.conf.d/rotation.conf.j2 index 07eedba..4a3174b 100644 --- a/templates/etc/systemd/journald.conf.d/rotation.conf.j2 +++ b/templates/etc/systemd/journald.conf.d/rotation.conf.j2 @@ -1,4 +1,4 @@ -# File created for CIS benchmark +{{ file_managed_by_ansible }} # CIS rule 6_2_1_3 [Journal] SystemMaxUse={{ rhel9cis_journald_systemmaxuse }} diff --git a/templates/etc/systemd/journald.conf.d/storage.conf.j2 b/templates/etc/systemd/journald.conf.d/storage.conf.j2 index 214f9db..5e5726d 100644 --- a/templates/etc/systemd/journald.conf.d/storage.conf.j2 
+++ b/templates/etc/systemd/journald.conf.d/storage.conf.j2 @@ -1,4 +1,4 @@ -# File created for CIS benchmark +{{ file_managed_by_ansible }} [Journal] {% if rhel9cis_rule_6_2_2_3 %} # Set compress CIS rule 6_2_2_3 diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2 index 7f64547..245102f 100644 --- a/templates/etc/systemd/system/tmp.mount.j2 +++ b/templates/etc/systemd/system/tmp.mount.j2 @@ -1,3 +1,4 @@ +{{ file_managed_by_ansible }} # SPDX-License-Identifier: LGPL-2.1+ # # This file is part of systemd. @@ -7,7 +8,7 @@ # the Free Software Foundation; either version 2.1 of the License, or # (at your option) any later version. -## This file is managed by Ansible, YOUR CHANGED WILL BE LOST! +## YOUR CHANGED WILL BE LOST! [Unit] Description=Temporary Directory (/tmp) diff --git a/vars/OracleLinux.yml b/vars/OracleLinux.yml index 64927cc..f407fa5 100644 --- a/vars/OracleLinux.yml +++ b/vars/OracleLinux.yml @@ -1,4 +1,5 @@ --- + # OS Specific Settings os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec os_gpg_key_pubkey_content: "Oracle Linux (release key 1) " diff --git a/vars/is_container.yml b/vars/is_container.yml index 1a69784..bcc4cd4 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -2,7 +2,7 @@ # File to skip controls if container # Based on standard image no changes -# it expected all pkgs required for the container are alreday installed +# it expected all pkgs required for the container are already installed ## controls @@ -57,7 +57,6 @@ rhel9cis_rule_1_1_6: false rhel9cis_rule_1_1_7: false rhel9cis_rule_1_1_8: false rhel9cis_rule_1_1_9: false -rhel9cis_rule_1_1_10: false # /var/log rhel9cis_rule_1_1_11: false # /var/log/audit diff --git a/vars/main.yml b/vars/main.yml index 9337d58..2225042 100644 --- a/vars/main.yml +++ b/vars/main.yml 
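Review bot: The rewritten banner in tmp.mount.j2, `## YOUR CHANGED WILL BE LOST!`, carries the old typo forward and now differs from the `## YOUR CHANGES WILL BE LOST!` wording the sysctl templates use in this same diff; change it to `## YOUR CHANGES WILL BE LOST!`. With `{{ file_managed_by_ansible }}` inserted at line 1 the warning is separated from it by the systemd licence header, which systemd tolerates (`#` lines are comments), but moving the warning up next to the managed-by block would read more naturally.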
@@ -24,6 +24,8 @@ rhel9cis_allowed_crypto_policies_modules: - 'NO-SSHWEAKMAC' - 'NO-WEAKMAC' +rhel9_compiled_bootloader_password: "{% if rhel9cis_bootloader_salt != '' %}{{ (rhel9cis_bootloader_password | grub_hash(salt=rhel9cis_bootloader_salt)) }}{% else %}{{ rhel9cis_bootloader_password_hash }}{% endif %}" # noqa template-instead-of-copy + # Used to control warning summary warn_control_list: "" warn_count: 0 @@ -39,7 +41,7 @@ gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys" ## Controls 6.3.3.x - Audit template # This variable is set to true by tasks 6.3.3.1 to 6.3.3.20. As a result, the # audit settings are overwritten with the role's template. In order to exclude -# specific rules, you must set the variable of form `ubtu24cis_rule_6_3_3_x` above +# specific rules, you must set the variable of form `rhel9cis_rule_6_3_3_x` above # to `false`. update_audit_template: false @@ -50,7 +52,7 @@ update_audit_template: false # system_is_container the true. Otherwise, the default value # 'false' is left unchanged. system_is_container: false -# The filename of the existing yml file in role's 'vars/' sub-directory +# The filename of the existing yml file in role's 'vars/' sub-directory # to be used for managing the role-behavior when a container was detected: # (de)activating rules or for other tasks(e.g. disabling Selinux or a specific # firewall-type). @@ -74,3 +76,10 @@ audit_bins: - /sbin/autrace - /sbin/auditd - /sbin/augenrules + +company_title: 'MindPoint Group - A Tyto Athene Company' + +file_managed_by_ansible: |- + # File managed by ansible as part of {{ benchmark }} benchmark + # As part of Ansible-lockdown + # Provided by {{ company_title }}
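Review bot: `rhel9_compiled_bootloader_password` in vars/main.yml breaks the `rhel9cis_` prefix every other variable in the role uses, and the trailing `# noqa template-instead-of-copy` suppresses a task-level ansible-lint rule that, as far as I can tell, never fires on a vars entry; rename it to `rhel9cis_compiled_bootloader_password` (its one consumer is the user.cfg task in cis_1.4.x.yml in this diff) and drop the noqa. On the salt path the expression hashes whatever `rhel9cis_bootloader_password` holds, an empty string included, so the assert in tasks/main.yml is the only guard on that value. I do not recognise `grub_hash` as an ansible-core filter; if it is a filter plugin shipped with the role, a comment above this variable naming the plugin and its passlib requirement would save the next reader a search.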