diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 6af5981..7cbcd7f 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -1,7 +1,7 @@ --- - name: "5.1.1 | PATCH | Ensure cron daemon is enabled" - service: + ansible.builtin.service: name: crond enabled: true when: @@ -15,7 +15,7 @@ - rule_5.1.1 - name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" - file: + ansible.builtin.file: dest: /etc/crontab owner: root group: root @@ -31,7 +31,7 @@ - rule_5.1.2 - name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" - file: + ansible.builtin.file: dest: /etc/cron.hourly state: directory owner: root @@ -48,7 +48,7 @@ - rule_5.1.3 - name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" - file: + ansible.builtin.file: dest: /etc/cron.daily state: directory owner: root @@ -65,7 +65,7 @@ - rule_5.1.4 - name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" - file: + ansible.builtin.file: dest: /etc/cron.weekly state: directory owner: root @@ -80,7 +80,7 @@ - rule_5.1.5 - name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" - file: + ansible.builtin.file: dest: /etc/cron.monthly state: directory owner: root @@ -96,7 +96,7 @@ - rule_5.1.6 - name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" - file: + ansible.builtin.file: dest: /etc/cron.d state: directory owner: root 
@@ -115,17 +115,17 @@ - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users" block: - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" - file: + ansible.builtin.file: dest: /etc/cron.deny state: absent - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists" - stat: + ansible.builtin.stat: path: "/etc/cron.allow" register: rhel9cis_5_1_8_cron_allow_state - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" - file: + ansible.builtin.file: dest: /etc/cron.allow state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root @@ -144,17 +144,17 @@ - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users" block: - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" - file: + ansible.builtin.file: dest: /etc/at.deny state: absent - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" - stat: + ansible.builtin.stat: path: "/etc/at.allow" register: rhel9cis_5_1_9_at_allow_state - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" - file: + ansible.builtin.file: dest: /etc/at.allow state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}' owner: root diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 11eca29..580585e 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -1,7 +1,7 @@ --- - name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" - file: + ansible.builtin.file: dest: /etc/ssh/sshd_config state: file owner: root 
@@ -21,7 +21,7 @@ - name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured" block: - name: "5.2.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys" - find: + ansible.builtin.find: paths: /etc/ssh patterns: 'ssh_host_*_key' recurse: true @@ -29,7 +29,7 @@ register: rhel9cis_5_2_2_ssh_private_host_key - name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys" - file: + ansible.builtin.file: path: "{{ item.path }}" owner: root group: root @@ -52,7 +52,7 @@ - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured" block: - name: "5.2.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys" - find: + ansible.builtin.find: paths: /etc/ssh patterns: 'ssh_host_*_key.pub' recurse: true @@ -60,7 +60,7 @@ register: rhel9cis_5_2_3_ssh_public_host_key - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys" - file: + ansible.builtin.file: path: "{{ item.path }}" owner: root group: root @@ -82,7 +82,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited" block: - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^AllowUsers" line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} @@ -91,7 +91,7 @@ when: "rhel9cis_sshd['allowusers']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^AllowGroups" line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} 
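Review bot: `ansible.builtin.linefile` is not an Ansible module; the fully qualified name of the `lineinfile` module is `ansible.builtin.lineinfile`, which is the spelling this same commit uses in tasks/section_5/cis_5.3.x.yml. Every `lineinfile` task in cis_5.2.x.yml gets the bad name — the 5.2.4 AllowUsers/AllowGroups tasks in this hunk, the DenyUsers/DenyGroups and 5.2.5–5.2.13 hunks, the 5.2.15 hunk and the 5.2.16–5.2.20 hunks — so the sshd_config hardening tasks would fail to resolve their action at run time instead of being applied, while the file-permission and shell tasks in the same file keep working. Each of those lines should read `ansible.builtin.lineinfile:`. The 5.2.4 block this hunk belongs to continues past the end of the hunk. An `ansible-playbook --syntax-check` or ansible-lint pass over the role would most likely have surfaced the unresolvable action before merge.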
@@ -100,7 +100,7 @@ when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^DenyUsers" line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} @@ -109,7 +109,7 @@ when: "rhel9cis_sshd['denyusers']|default('') | length > 0" - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^DenyGroups" line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} @@ -127,7 +127,7 @@ - rule_5.2.4 - name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#LogLevel|^LogLevel" line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' @@ -143,7 +143,7 @@ - rule_5.2.5 - name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#UsePAM|^UsePAM" line: 'UsePAM yes' @@ -159,7 +159,7 @@ - rule_5.2.6 - name: "5.2.7 | PATCH | Ensure SSH root login is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#PermitRootLogin|^PermitRootLogin" line: 'PermitRootLogin no' @@ -175,7 +175,7 @@ - rule_5.2.7 - name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" line: 'HostbasedAuthentication no' @@ -191,7 +191,7 @@ - rule_5.2.8 - name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" line: 'PermitEmptyPasswords no' 
@@ -207,7 +207,7 @@ - rule_5.2.9 - name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" line: 'PermitUserEnvironment no' @@ -223,7 +223,7 @@ - rule_5.2.10 - name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#IgnoreRhosts|^IgnoreRhosts" line: 'IgnoreRhosts yes' @@ -239,7 +239,7 @@ - rule_5.2.11 - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#X11Forwarding|^X11Forwarding" line: 'X11Forwarding no' @@ -255,7 +255,7 @@ - rule_5.2.12 - name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" line: 'AllowTcpForwarding no' @@ -273,13 +273,13 @@ - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" block: - name: "5.2.14 | AUDIT | Ensure system-wide crypto policy is not over-ridden" - shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd + ansible.builtin.shell: grep -i '^\s*CRYPTO_POLICY=' /etc/sysconfig/sshd changed_when: false failed_when: ( ssh_crypto_discovery.rc not in [ 0, 1 ] ) register: ssh_crypto_discovery - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" - shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd + ansible.builtin.shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd notify: restart sshd when: ssh_crypto_discovery.stdout | length > 0 when: @@ -293,7 +293,7 @@ - rule_5.2.14 - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: '^Banner' line: 'Banner /etc/issue.net' 
@@ -308,7 +308,7 @@ - rule_5.2.15 - name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries 4' @@ -324,7 +324,7 @@ - rule_5.2.16 - name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#MaxStartups|^MaxStartups" line: 'MaxStartups 10:30:60' @@ -340,7 +340,7 @@ - rule_5.2.17 - name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#MaxSessions|^MaxSessions" line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' @@ -356,7 +356,7 @@ - rule_5.2.18 - name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: "^#LoginGraceTime|^LoginGraceTime" line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" @@ -374,14 +374,14 @@ - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured" block: - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" validate: sshd -t -f %s - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" - lineinfile: + ansible.builtin.linefile: path: /etc/ssh/sshd_config regexp: '^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index f9dad14..0cdfaac 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml 
@@ -1,7 +1,7 @@ --- - name: "5.3.1 | PATCH | Ensure sudo is installed" - package: + ansible.builtin.package: name: sudo state: present when: @@ -15,7 +15,7 @@ - rule_5.3.1 - name: "5.3.2 | PATCH | Ensure sudo commands use pty" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers line: "Defaults use_pty" validate: '/usr/sbin/visudo -cf %s' @@ -30,7 +30,7 @@ - rule_5.3.2 - name: "5.3.3 | PATCH | Ensure sudo log file exists" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regexp: '^Defaults logfile=' line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"' @@ -46,7 +46,7 @@ - rule_5.3.3 - name: "5.3.4 | PATCH | Ensure users must provide password for escalation" - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' replace: '\1PASSWD\2' @@ -64,7 +64,7 @@ - rule_5.3.4 - name: "5.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#].*)!authenticate(.*)' replace: '\1authenticate\2' @@ -84,13 +84,13 @@ - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly" block: - name: "5.3.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set" - shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false failed_when: false register: rhel9cis_5_3_6_timeout_files - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" - lineinfile: + ansible.builtin.lineinfile: path: /etc/sudoers regexp: 'Defaults timestamp_timeout=' line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" 
@@ -98,7 +98,7 @@ when: rhel9cis_5_3_6_timeout_files.stdout | length == 0 - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" - replace: + ansible.builtin.replace: path: "{{ item }}" regexp: 'timestamp_timeout=(\d+)' replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" @@ -119,13 +119,13 @@ - name: "5.3.7 | PATCH | Ensure access to the su command is restricted" block: - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/su regexp: '^(#)?auth\s+required\s+pam_wheel\.so' line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}' - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root" - user: + ansible.builtin.user: name: "{{ rhel9cis_sugroup_users }}" groups: "{{ rhel9cis_sugroup | default('wheel') }}" when: diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index fc0f2ad..d78d6ce 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml 
@@ -3,20 +3,20 @@ - name: "5.4.1 | PATCH | Ensure custom authselect profile is used" block: - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles" - shell: 'authselect current | grep "Profile ID: custom/"' + ansible.builtin.shell: 'authselect current | grep "Profile ID: custom/"' failed_when: false changed_when: false check_mode: false register: rhel9cis_5_4_1_profiles - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles" - debug: + ansible.builtin.debug: msg: - "Below are the current custom profiles" - "{{ rhel9cis_5_4_1_profiles.stdout_lines }}" - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles" - shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} + ansible.builtin.shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} when: rhel9cis_authselect_custom_profile_create when: - rhel9cis_rule_5_4_1 
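Review bot: The create-profile task keeps `ansible.builtin.shell` although its command uses no pipes, redirections or globbing, so `ansible.builtin.command: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}` would do the same work without passing the interpolated role variables through a shell; the `authselect select` task in the 5.4.2 hunk below is the same case. The `grep` pipelines in both hunks genuinely need `shell` and can stay as they are. This is what the ansible-lint `command-instead-of-shell` rule checks, and the FQCN migration is a natural point to apply it.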
@@ -31,20 +31,20 @@ - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock" block: - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" - shell: "authselect current | grep with-faillock" + ansible.builtin.shell: "authselect current | grep with-faillock" failed_when: false changed_when: false check_mode: false register: rhel9cis_5_4_2_profiles_faillock - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles" - debug: + ansible.builtin.debug: msg: - "Below are the current custom profiles" - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}" - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" - shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" + ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" when: rhel9cis_authselect_custom_profile_select when: - rhel9cis_rule_5_4_2 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index d16d91f..8f0f4d9 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -3,7 +3,7 @@ - name: "5.5.1 | PATCH | " block: - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/pwquality.conf regexp: ^{{ item.name }} line: "{{ item.name }} = {{ item.value }}" 
@@ -12,14 +12,14 @@ - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" insertbefore: '^#?password ?' - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/password-auth regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" @@ -33,7 +33,7 @@ - rule_5.5.1 - name: "5.5.2 | PATCH | Ensure system accounts are secured" - lineinfile: + ansible.builtin.lineinfile: path: /etc/security/faillock.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -46,13 +46,13 @@ - name: "5.5.3 | PATCH | Ensure password reuse is limited" block: - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory" - lineinfile: + ansible.builtin.lineinfile: path: /etc/pam.d/system-auth line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" insertafter: '^password\s*requisite\s*pam_pwquality.so' - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix" - replace: + ansible.builtin.replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' 
@@ -67,25 +67,25 @@ - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512" block: - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" - replace: + ansible.builtin.replace: path: /etc/libuser.conf regexp: '^crypt_style\s*=\s*.*$' replace: 'crypt_style = sha512' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" - replace: + ansible.builtin.replace: path: /etc/login.defs regexp: '^ENCRYPT_METHOD.*' replace: 'ENCRYPT_METHOD SHA512' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth" - replace: + ansible.builtin.replace: path: /etc/pam.d/password-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth" - replace: + ansible.builtin.replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 358d075..2e178cd 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -1,7 +1,7 @@ --- - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less" - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MAX_DAYS' line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" @@ -16,7 +16,7 @@ - rule_5.5.1.1 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_MIN_DAYS' line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" 
@@ -31,7 +31,7 @@ - rule_5.6.1.2 - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more" - lineinfile: + ansible.builtin.lineinfile: path: /etc/login.defs regexp: '^PASS_WARN_AGE' line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" @@ -48,24 +48,24 @@ - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less" block: - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings" - shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= + ansible.builtin.shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= changed_when: false failed_when: false check_mode: false register: rhel9cis_5_6_1_4_inactive_settings - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" - command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0 - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false check_mode: false register: rhel_8_5_6_1_4_user_list - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" with_items: - "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}" when: 
@@ -81,33 +81,33 @@ - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" block: - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" - shell: echo $(($(date --utc --date "$1" +%s)/86400)) + ansible.builtin.shell: echo $(($(date --utc --date "$1" +%s)/86400)) changed_when: false failed_when: false check_mode: false register: rhel9cis_5_6_1_5_currentut - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" - shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'" + ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'" changed_when: false failed_when: false check_mode: false register: rhel9cis_5_6_1_5_user_list - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" - debug: + ansible.builtin.debug: msg: "Good News! All accounts have PW change dates that are in the past" when: rhel9cis_5_6_1_5_user_list.stdout | length == 0 - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" - debug: + ansible.builtin.debug: msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]" warn_count: "{{ warn_count | int + 1 }}" when: 
@@ -115,7 +115,7 @@ - not rhel9cis_futurepwchgdate_autofix - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - command: passwd --expire {{ item }} + ansible.builtin.command: passwd --expire {{ item }} when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index f1052c3..4f0ec0b 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -3,7 +3,7 @@ - name: "5.6.2 | PATCH | Ensure system accounts are secured" block: - name: "5.6.2 | Ensure system accounts are secured | Set nologin" - user: + ansible.builtin.user: name: "{{ item.id }}" shell: /usr/sbin/nologin with_items: @@ -21,11 +21,10 @@ label: "{{ item.id }}" - name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts" - user: + ansible.builtin.user: name: "{{ item.id }}" password_lock: true - with_items: - - "{{ rhel9cis_passwd }}" + loop: "{{ rhel9cis_passwd }}" when: - item.id != "halt" - item.id != "shutdown" @@ -48,7 +47,7 @@ - rule_5.6.2 - name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" - blockinfile: + ansible.builtin.blockinfile: create: true mode: 0644 dest: "{{ item.dest }}" @@ -58,7 +57,7 @@ TMOUT={{ rhel9cis_shell_session_timeout.timeout }} export TMOUT readonly TMOUT - with_items: + loop: - { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present } - { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } when: @@ -72,7 +71,7 @@ - rule_5.6.3 - name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0" - user: + ansible.builtin.user: name: root group: 0 when: 
@@ -88,7 +87,7 @@ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings" - replace: + ansible.builtin.replace: path: /etc/login.defs regexp: "{{ item.regexp }}" replace: "{{ item.replace }}" @@ -97,13 +96,13 @@ - { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' } - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" - replace: + ansible.builtin.replace: path: /etc/bashrc regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' replace: '\1 027' - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" - replace: + ansible.builtin.replace: path: /etc/profile regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' replace: '\1 027'