From 0a56b16d32259a4d09288df2f6dce90e49a681b3 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 4 Jul 2025 11:32:56 +0100
Subject: [PATCH 01/12] updated as per public fix #360
Signed-off-by: Mark Bolwell
---
 tasks/auditd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index 0fa0b32..9ada459 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@@ -25,7 +25,7 @@
 dest: /etc/audit/rules.d/99_auditd.rules
 owner: root
 group: root
- mode: 'u-x,go-wx'
+ mode: 'u-x,g-wx,o-rwx'
 diff: "{{ discovered_auditd_rules_file.stat.exists }}" # Only run diff if not a new file
 register: discovered_auditd_rules_template_updated
 notify:
From 3778d6fb620e9f289e61fb693e59bdd305e8cb57 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 4 Jul 2025 11:34:53 +0100
Subject: [PATCH 02/12] improvement updated with public #361
Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.4.2.x.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml
index 37a4e11..9a93947 100644
--- a/tasks/section_5/cis_5.4.2.x.yml
+++ b/tasks/section_5/cis_5.4.2.x.yml
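Review bot: The new `mode: 'u-x,g-wx,o-rwx'` is purely subtractive, so the mode the rules file ends up with still depends on the mode the template module creates it with (the host's umask) rather than being fixed by the task; it can never be looser than 0640, but it is not guaranteed to equal any particular value either. If a deterministic result that audit tooling can compare against is wanted, an absolute `mode: '0640'` states it directly; if the subtractive form is deliberate, a one-line comment above the key saying why would spare the next reader the same question. The enclosing template task starts before the hunk.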
@@ -135,6 +135,22 @@
 ansible.builtin.set_fact:
 root_paths: "{{ discovered_root_paths.stdout }}"
 
+ - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for presence of non-dirs"
+ ansible.builtin.stat:
+ path: "{{ item }}"
+ loop: "{{ discovered_root_paths_split.stdout_lines }}"
+ register: paths_stat
+
+ - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Create dirs for some paths that are not dirs"
+ ansible.builtin.file:
+ path: "{{ item.item }}"
+ state: directory
+ owner: root
+ group: root
+ mode: 'go-w'
+ loop: "{{ paths_stat.results }}"
+ when: not item.stat.exists
+
 - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs"
 when: discovered_root_paths is defined
 ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"'
From 62095f75fe9f97b35d0a584286c3b75cee9e204b Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 14 Aug 2025 16:14:47 +0100
Subject: [PATCH 03/12] updated as per public PR #350
Signed-off-by: Mark Bolwell
---
 tasks/section_6/cis_6.2.3.x.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml
index 9d26acf..eaa3bd1 100644
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@@ -131,7 +131,7 @@
 *.=warning;*.=err -/var/log/warn
 *.crit /var/log/warn
 *.*;mail.none;news.none /var/log/messages
- insertafter: '#### RULES ####'
+ insertbefore: '# ### sample forwarding rule ###'
 notify: Restart rsyslog
 
 - name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings"
From 73320db603a2878c6567f1ce15fbe40c4661c473 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 14 Aug 2025 16:17:45 +0100
Subject: [PATCH 04/12] dont not run section 1.8 if not gdm PR #364 from public
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 2 ++
 tasks/section_1/main.yml | 1 +
 2 files changed, 3 insertions(+)
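Review bot: The two new tasks loop over `discovered_root_paths_split.stdout_lines` and `paths_stat.results` without the `is defined` guard that the following `Check for empty dirs` task applies to `discovered_root_paths`, so on a run where the discovery step (outside this hunk) did not register, the stat loop errors instead of skipping; adding `when: discovered_root_paths_split is defined` to the stat task and changing the file task's loop to `loop: "{{ paths_stat.results | default([]) }}"` keeps the block consistent, since Ansible evaluates `loop` before `when` and a skipped stat task leaves `paths_stat` without `results`. The second task's name says it creates dirs for paths that are not dirs, but its `when: not item.stat.exists` only fires for entries that are absent; an existing non-directory entry is left untouched (and `state: directory` on it would fail), so a name like `Create missing root PATH entries as directories` would describe what it does. Creating the directory satisfies the audit by changing the filesystem rather than root's PATH, and the new directory gets the umask-derived default mode with only `go-w` removed; a short comment on the task stating that this is the intended remediation (rather than removing the stray entry from PATH) would help operators decide whether to keep it.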
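Review bot: `insertbefore: '# ### sample forwarding rule ###'` ties the placement of the log rules to a comment that is presumably in the stock RHEL rsyslog.conf; insertbefore is a regular expression, and when it has no match the module silently falls back to end-of-file, so on a host with a customised rsyslog.conf the rules still land but not where this change intends. That is probably acceptable for these selector/action lines, but it is worth recording next to the key with a comment such as `# marker from the stock rsyslog.conf; block is appended at EOF if the marker is absent`. The module call this key belongs to starts before the hunk, so I cannot see whether it is lineinfile or blockinfile; the EOF fallback applies to both.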
diff --git a/defaults/main.yml b/defaults/main.yml
index 23312e5..bf40e8f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -592,6 +592,8 @@ rhel9cis_warning_banner: Authorized users only. All activity may be monitored an
 # End Banner
 ## Control 1.8.x - Settings for GDM
+# do not run Control 1.8.x if using a display manager different than gdm
+rhel9cis_display_manager: "gdm"
 ## 1.8 GDM graphical interface
 rhel9cis_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}"
 # This variable specifies the GNOME configuration database file to which configurations are written.
diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml
index 5d99f48..8c1f39b 100644
--- a/tasks/section_1/main.yml
+++ b/tasks/section_1/main.yml
@@ -61,5 +61,6 @@
 file: cis_1.7.x.yml
 
 - name: "SECTION | 1.8 | Gnome Display Manager"
+ when: rhel9cis_display_manager == 'gdm'
 ansible.builtin.import_tasks:
 file: cis_1.8.x.yml
From 625e4041c1d68735b16abbf2575a0b9086527fb2 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 14 Aug 2025 16:20:51 +0100
Subject: [PATCH 05/12] update logic for 5.2.4 public PR #371
Signed-off-by: Mark Bolwell
---
 tasks/main.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index 7912aca..c778d5f 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
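Review bot: `rhel9cis_display_manager: "gdm"` is a fixed default while the neighbouring `rhel9cis_gui` is derived from a discovered fact, so the new `when: rhel9cis_display_manager == 'gdm'` in tasks/section_1/main.yml (the second hunk of this patch) only skips section 1.8 when the operator knows to override the variable; a host running another display manager with default vars still gets the GDM tasks. The comment above the variable should say so explicitly, e.g. `# Display manager in use. Section 1.8 (GDM) is skipped unless this is "gdm"; not auto-detected - set e.g. "sddm" or "lightdm" to opt out`. Because the condition sits on an import_tasks, it is copied onto every task in cis_1.8.x.yml and re-evaluated per task, which is correct here but explains the per-task skipped output an operator will see.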
@@ -91,11 +91,14 @@
 block:
 - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template]
 ansible.builtin.assert:
- that:
- - prelim_ansible_user_password_set.stdout | length != 0
- - prelim_ansible_user_password_set.stdout != "!!"
- fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
- success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
+ that: |
+ (
+ ((prelim_ansible_user_password_set.stdout | length != 0) and (prelim_ansible_user_password_set.stdout != "!!" ))
+ or
+ (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)
+ )
+ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access"
+ success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"
 
 - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template]
 ansible.builtin.assert:
From 55917c8daad28c6767331ab0b61d362d70142dae Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 14 Aug 2025 16:27:41 +0100
Subject: [PATCH 06/12] udpated pre-commit hooks version
Signed-off-by: Mark Bolwell
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 2561fb5..b4f6d0c 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ ci:
 
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v5.0.0
+ rev: v6.0.0
 hooks:
 # Safety
 - id: detect-aws-credentials
From 4b302f97f9067c35f04ae578314db674dc9e4577 Mon Sep 17 00:00:00 2001
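Review bot: The new fail_msg has a duplicated word, `has no password set or or the user`, which should read `has no password set or the user is not included`. The added clause `(ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list)` also makes the whole assertion depend on that list being defined; if it is not (defaults/main.yml is not in this patch, so I cannot confirm it is), the assert aborts with an undefined-variable error instead of reporting the fail_msg, so `(ansible_env.SUDO_USER in (rhel9cis_sudoers_exclude_nopasswd_list | default([])))` keeps the lockout check working in that case. The `block:` this task belongs to begins before the hunk.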
From: Mark Bolwell
Date: Thu, 14 Aug 2025 16:50:41 +0100
Subject: [PATCH 07/12] fixed compability pre 2.14 thanks to public PR #380
Signed-off-by: Mark Bolwell
---
 handlers/main.yml | 2 +-
 tasks/section_6/cis_6.1.x.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index 71f5554..c6de8f3 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -263,7 +263,7 @@
 listen: Restart auditd
 
 - name: Start auditd process
- ansible.builtin.systemd_service:
+ ansible.builtin.systemd:
 name: auditd
 state: started
 listen: Restart auditd
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
index 1db531b..a29118a 100644
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@@ -91,13 +91,13 @@
 
 - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
 when: rhel9cis_aide_scan == "timer"
- ansible.builtin.systemd_service:
+ ansible.builtin.systemd:
 name: aidecheck.service
 enabled: true
 
 - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
 when: rhel9cis_aide_scan == "timer"
- ansible.builtin.systemd_service:
+ ansible.builtin.systemd:
 name: aidecheck.timer
 state: started
 enabled: true
From 95ed2ff03d520c90d5f40ebf61b71b85e05fdd52 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 14 Aug 2025 17:09:58 +0100
Subject: [PATCH 08/12] changed to import task public PR 377
Signed-off-by: Mark Bolwell
---
 Changelog.md | 15 +++++++++++++++
 tasks/section_1/main.yml | 2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/Changelog.md b/Changelog.md
index b6db646..931df92 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,20 @@
 # Changes to rhel9CIS
 
+## 2.0.3 - Based on CIS v2.0.0
+
+- Thanks to @numericillustration
+ - Public PR 380
+ - systemd_service rolled back to systemd for < ansible 2.14
+- Thanks to @bgro and @Kodebach
+ - Public PR 371
+ - updated to user sudo check 5.2.4
+- Thanks to @polski-g
+ - Public PR 364
+ - gdm section 1.8 improvements
+- Thanks to @chrispipo
+ - Public PR 350
+ - change insert before for rsyslog setting
+
 ## 2.0.2 - Based on CIS v2.0.0
 
 - Update to audit_only to allow fetching results
diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml
index 8c1f39b..fff557b 100644
--- a/tasks/section_1/main.yml
+++ b/tasks/section_1/main.yml
@@ -41,7 +41,7 @@
 file: cis_1.2.2.x.yml
 
 - name: "SECTION | 1.3.1 | Configure SELinux"
- ansible.builtin.include_tasks:
+ ansible.builtin.import_tasks:
 file: cis_1.3.1.x.yml
 
 - name: "SECTION | 1.4 | Configure Bootloader"
From 55c7fa6dd5eef06d4f200c7ff6ff9b9363225efe Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 14 Aug 2025 17:12:56 +0100
Subject: [PATCH 09/12] added password of different LC public issue 372
Signed-off-by: Mark Bolwell
---
 tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/main.yml b/tasks/main.yml
index c778d5f..ed2af41 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -132,7 +132,7 @@
 - rule_5.4.2.4
 block:
 - name: "Ensure root password is set"
- ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
+ ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
 changed_when: false
 failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
 register: prelim_root_passwd_set
From f1e50bdc4c2a9f4007c28f94d423d9ead5630229 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 14 Aug 2025 17:15:35 +0100
Subject: [PATCH 10/12] updated
Signed-off-by: Mark Bolwell
---
 Changelog.md | 6 ++++++
 1 file changed, 6 insertions(+)
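Review bot: Forcing `LC_ALL=C` fixes the localized `passwd -S` output, but the pattern the pipeline greps for still accepts only `Password set, SHA512 crypt`; `passwd -S` prints the hash algorithm in that position, so a root password hashed with another algorithm the system's crypt policy permits (yescrypt, for instance, which I believe shadow-utils reports as `Password set, yescrypt crypt`) is reported as not set and trips whatever later asserts on `prelim_root_passwd_set.rc`. Consider widening the alternation, e.g. `grep -E "(Password set, (SHA512|yescrypt) crypt|Password locked)"`, or matching `Password set,` alone if the hash algorithm is enforced by another control. The consuming assert is outside this hunk, so the impact is inferred from the registered variable and the `failed_when` on the context lines.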
diff --git a/Changelog.md b/Changelog.md
index 931df92..89a54c3 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -14,6 +14,12 @@
 - Thanks to @chrispipo
 - Public PR 350
 - change insert before for rsyslog setting
+- Thanks to @thesmilinglord
+ - public issue 377
+ - change 1.3 from include task to import for tagging
+- Thanks to @Fredouye
+ - public issue 372
+ - allow password with different locale
 
 ## 2.0.2 - Based on CIS v2.0.0
 
From eafee7e040cadbe59728e8b472f7d20673f2a32e Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 14 Aug 2025 17:19:53 +0100
Subject: [PATCH 11/12] Added typo updates thanks to @DianaMariaDDM
Signed-off-by: Mark Bolwell
---
 tasks/section_1/cis_1.1.2.6.x.yml | 2 +-
 tasks/section_1/cis_1.1.2.7.x.yml | 2 +-
 tasks/section_3/cis_3.3.x.yml | 4 ++--
 tasks/section_5/cis_5.4.2.x.yml | 2 +-
 tasks/section_6/cis_6.3.4.x.yml | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml
index 765de3d..b27e4cc 100644
--- a/tasks/section_1/cis_1.1.2.6.x.yml
+++ b/tasks/section_1/cis_1.1.2.6.x.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: "1/.1 | PATCH | Ensure /var/log is a separate partition"
+- name: "1.1.2.6.1 | PATCH | Ensure /var/log is a separate partition"
 when:
 - rhel9cis_rule_1_1_2_6_1
 - required_mount not in prelim_mount_names
diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml
index 2dc5939..b4513dd 100644
--- a/tasks/section_1/cis_1.1.2.7.x.yml
+++ b/tasks/section_1/cis_1.1.2.7.x.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: "1/.1 | PATCH | Ensure /var/log/audit is a separate partition"
+- name: "1.1.2.7.1 | PATCH | Ensure /var/log/audit is a separate partition"
 when:
 - rhel9cis_rule_1_1_2_7_1
 - required_mount not in prelim_mount_names
diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml
index 123928e..0281f12 100644
--- a/tasks/section_3/cis_3.3.x.yml
+++ b/tasks/section_3/cis_3.3.x.yml
@@ -240,12 +240,12 @@
 - rule_3.3.9
 - NIST800-53R5_AU-3
 block:
- - name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact"
+ - name: "3.3.9 | PATCH | Ensure suspicious packets are logged | Set Fact"
 ansible.builtin.set_fact:
 rhel9cis_sysctl_update: true
 rhel9cis_flush_ipv4_route: true
 
- - name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
+ - name: "3.3.9 | PATCH | Ensure suspicious packets are logged"
 ansible.builtin.debug:
 msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
 
diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml
index 9a93947..b3dd7d9 100644
--- a/tasks/section_5/cis_5.4.2.x.yml
+++ b/tasks/section_5/cis_5.4.2.x.yml
@@ -61,7 +61,7 @@
 - level1-server
 - level1-workstation
 - patch
- - rule_5.4.2.2
+ - rule_5.4.2.3
 - user
 - system
 - NIST800-53R5_CM-1
diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml
index 74de70a..b044abc 100644
--- a/tasks/section_6/cis_6.3.4.x.yml
+++ b/tasks/section_6/cis_6.3.4.x.yml
@@ -27,9 +27,9 @@
 - level2-workstation
 - patch
 - auditd
- - rule_6.3.4.1
 - rule_6.3.4.2
 - rule_6.3.4.3
+ - rule_6.3.4.4
 - NIST800-53R5_AU-3
 ansible.builtin.file:
 path: "{{ prelim_auditd_logfile.stdout }}"
From 811b70612ea8c7f4c8527b962c130eb634bbe1b3 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 14 Aug 2025 17:25:37 +0100
Subject: [PATCH 12/12] udpated
Signed-off-by: Mark Bolwell
---
 Changelog.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Changelog.md b/Changelog.md
index 89a54c3..b25de77 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -8,6 +8,9 @@
 - Thanks to @bgro and @Kodebach
 - Public PR 371
 - updated to user sudo check 5.2.4
+- Thanks to @DianaMariaDDM
+ - Public PR 367
+ - updated several typos
 - Thanks to @polski-g
 - Public PR 364
 - gdm section 1.8 improvements
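Review bot: Replacing `rule_6.3.4.1` with `rule_6.3.4.4` on this task changes which `--tags`/`--skip-tags` selections run it, so for anyone driving the role by rule tag it is a behavioural change rather than a typo fix; the same applies to `rule_5.4.2.2` → `rule_5.4.2.3` in tasks/section_5/cis_5.4.2.x.yml earlier in this patch. The Changelog line this series adds for it (`updated several typos`, patch 12/12) would serve operators better if it named the two tag changes. The `ansible.builtin.file` task these tags belong to continues past the hunk.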