ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

updated

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-03-30 16:18:11 +01:00
parent 398bc5bd0c
commit c6caa90059
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
36 changed files with 2584 additions and 2078 deletions
Download patch file Download diff file Expand all files Collapse all files

48
tasks/section_4/cis_4.1.1.x.yml
View file

@ -1,14 +1,14 @@
---
- name: "4.1.1.1 | L2 | PATCH | Ensure auditd is installed"
- name: "4.1.1.1 | PATCH | Ensure auditd is installed"
block:
- name: "4.1.1.1 | L2 | PATCH | Ensure auditd is installed | Install auditd packages"
- name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd packages"
package:
name: audit
state: present
when: '"auditd" not in ansible_facts.packages'
- name: "4.1.1.1 | L2 | PATCH | Ensure auditd is installed | Install auditd-lib packages"
- name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages"
package:
name: audit-libs
state: present
@ -18,38 +18,38 @@
tags:
- level2-server
- level2-workstation
- automated
- patch
- rule_4.1.1.1
- auditd
- rule_4.1.1.1
- name: "4.1.1.2 | L2 | PATCH | Ensure auditd service is enabled"
- name: "4.1.1.2 | PATCH | Ensure auditd service is enabled"
service:
name: auditd
state: started
enabled: true
enabled: yes
when:
- not rhel9cis_skip_for_travis
- rhel9cis_rule_4_1_1_2
- not system_is_container
- ansible_connection != 'docker'
tags:
- level2-server
- level2-workstation
- auditd
- automated
- patch
- auditd
- rule_4.1.1.2
- name: "4.1.1.3 | L2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
block:
- name: "4.1.1.3 | L2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX"
- name: "4.1.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX"
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
check_mode: no
register: rhel9cis_4_1_1_3_grub_cmdline_linux
- name: "4.1.1.3 | L2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting"
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting"
replace:
dest: /etc/default/grub
regexp: 'audit=.'
@ -57,7 +57,7 @@
notify: grub2cfg
when: "'audit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout"
- name: "4.1.1.3 | L2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing"
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing"
lineinfile:
path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX='
@ -69,22 +69,22 @@
tags:
- level2-server
- level2-workstation
- auditd
- automated
- patch
- auditd
- grub
- rule_4.1.1.3
- name: "4.1.1.4 | L2 | PATCH | Ensure audit_backlog_limit is sufficient"
- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient"
block:
- name: "4.1.1.4 | L2 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX"
- name: "4.1.1.4 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX"
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
check_mode: no
register: rhel9cis_4_1_1_4_grub_cmdline_linux
- name: "4.1.1.4 | L2 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting"
- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting"
replace:
dest: /etc/default/grub
regexp: 'audit_backlog_limit=\d+'
@ -92,7 +92,7 @@
notify: grub2cfg
when: "'audit_backlog_limit=' in rhel9cis_4_1_1_4_grub_cmdline_linux.stdout"
- name: "4.1.1.4 | L2 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing"
- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing"
lineinfile:
path: /etc/default/grub
regexp: '^GRUB_CMDLINE_LINUX='
@ -104,6 +104,8 @@
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- grub
- rule_4.1.1.4

15
tasks/section_4/cis_4.1.2.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "4.1.2.1 | L2 | PATCH | Ensure audit log storage size is configured"
- name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured"
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^max_log_file( |=)"
@ -12,11 +12,12 @@
tags:
- level2-server
- level2-workstation
- auditd
- automated
- patch
- auditd
- rule_4.1.2.1
- name: "4.1.2.2 | L2 | PATCH | Ensure audit logs are not automatically deleted"
- name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted"
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "^max_log_file_action"
@ -28,11 +29,12 @@
tags:
- level2-server
- level2-workstation
- auditd
- automated
- patch
- auditd
- rule_4.1.2.2
- name: "4.1.2.3 | L2 | PATCH | Ensure system is disabled when audit logs are full"
- name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full"
lineinfile:
dest: /etc/audit/auditd.conf
regexp: "{{ item.regexp }}"
@ -48,6 +50,7 @@
tags:
- level2-server
- level2-workstation
- auditd
- automated
- patch
- auditd
- rule_4.1.2.3

322
tasks/section_4/cis_4.1.3.x.yml Normal file
View file

@ -0,0 +1,322 @@
- name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_1
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.1
- name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_2
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.2
- name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_3
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.3
- name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_4
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.4
- name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_5
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.5
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
block:
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
changed_when: false
failed_when: false
check_mode: no
register: priv_procs
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_6
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.6
- name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_7
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3_7
- name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_8
tags:
- level2-server
- level2-workstation
- autoamted
- patch
- auditd
- rule_4.1.3.8
- name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_9
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.9
- name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_10
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.10
- name: "4.1.3.11 | PATCH | Ensure session initiation information is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_11
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.11
- name: "4.1.3.12 | PATCH | Ensure login and logout events are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_12
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.12
- name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_13
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.3.13
- name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_14
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.14
- name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_15
tags:
- level2-server
- level2- workstation
- automated
- patch
- auditd
- rule_4.1.3.15
- name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_16
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.16
- name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_17
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.17
- name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_18
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.18
- name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_19
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.3.19
- name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_20
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
- rule_4.1.20
- name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same"
debug:
msg:
- "Please run augenrules --load if you suspect there is a configuration that is not active"
when:
- rhel9cis_rule_4_1_3_21
tags:
- level2-server
- level2-workstation
- manual
- patch
- auditd
- rule_4.1.3.21

207
tasks/section_4/cis_4.1.x.yml
View file

@ -1,207 +0,0 @@
---
- name: "4.1.3 | L2 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_3
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.3
- name: "4.1.4 | L2 | PATCH | Ensure login and logout events are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_4
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.4
- name: "4.1.5 | L2 | PATCH | Ensure session initiation information is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_5
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.5
- name: "4.1.6 | L2 | PATCH | Ensure events that modify date and time information are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_6
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.6
- name: "4.1.7 | L2 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_7
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.7
- name: "4.1.8 | L2 | PATCH | Ensure events that modify the system's network environment are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_8
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.8
- name: "4.1.9 | L2 | PATCH | Ensure discretionary access control permission modification events are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_9
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.9
- name: "4.1.10 | L2 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_10
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.10
- name: "4.1.11 | L2 | PATCH | Ensure events that modify user/group information are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_11
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.11
- name: "4.1.12 | L2 | PATCH | Ensure successful file system mounts are collected"
block:
- name: "4.1.12 | L2 | AUDIT | Ensure successful file system mounts are collected"
shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
register: priv_procs
- name: "4.1.12 | L2 | PATCH | Ensure successful file system mounts are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_12
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.12
- name: "4.1.13 | L2 | PATCH | Ensure use of privileged commands is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_13
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.13
- name: "4.1.14 | L2 | PATCH | Ensure file deletion events by users are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_14
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.14
- name: "4.1.15 | L2 | PATCH | Ensure kernel module loading and unloading is collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_15
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.15
- name: "4.1.16 | L2 | PATCH | Ensure system administrator actions (sudolog) are collected"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_16
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.16
- name: "4.1.17 | L2 | PATCH | Ensure the audit configuration is immutable"
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
notify: update auditd
when:
- rhel9cis_rule_4_1_17
tags:
- level2-server
- level2-workstation
- auditd
- patch
- rule_4.1.17

112
tasks/section_4/cis_4.2.1.x.yml
View file

@ -1,6 +1,6 @@
---
- name: "4.2.1.1 | L1 | PATCH | Ensure rsyslog installed"
- name: "4.2.1.1 | PATCH | Ensure rsyslog installed"
package:
name: rsyslog
state: present
@ -10,55 +10,74 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- rsyslog
- rule_4.2.1.1
- name: "4.2.1.2 | L1 | PATCH | Ensure rsyslog Service is enabled"
- name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled"
service:
name: rsyslog
enabled: true
enabled: yes
when:
- rhel9cis_rule_4_2_1_2
tags:
- level1-server
- level1-workstation
- autoamted
- patch
- rsyslog
- rule_4.2.1.2
- name: "4.2.1.3 | L1 | PATCH | Ensure rsyslog default file permissions configured"
# This is counter to control 4.2.1.5??
- name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog"
lineinfile:
dest: /etc/systemd/journald.conf
regexp: "^#ForwardToSyslog=|^ForwardToSyslog="
line: ForwardToSyslog=yes
state: present
when:
- rhel9cis_rule_4_2_1_3
tags:
- level1-server
- level1-workstation
- manual
- patch
- rule_4.2.1.3
- name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured"
lineinfile:
dest: /etc/rsyslog.conf
regexp: '^\$FileCreateMode'
line: '$FileCreateMode 0640'
notify: restart rsyslog
when:
- rhel9cis_rule_4_2_1_3
- rhel9cis_rule_4_2_1_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_4.2.1.3
- rsyslog
- rule_4.2.1.4
- name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured"
- name: "4.2.1.5 | PATCH | Ensure logging is configured"
block:
- name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out"
shell: cat /etc/rsyslog.conf
args:
warn: false
become: true
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
command: cat /etc/rsyslog.conf
become: yes
changed_when: false
failed_when: false
check_mode: false
register: rhel_09_4_2_1_4_audit
failed_when: no
check_mode: no
register: rhel_08_4_2_1_5_audit
- name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out"
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
debug:
msg:
- "These are the current logging configurations for rsyslog, please review:"
- "{{ rhel_09_4_2_1_4_audit.stdout_lines }}"
- "{{ rhel_08_4_2_1_5_audit.stdout_lines }}"
- name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | mail.* log setting"
- name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting"
blockinfile:
path: /etc/rsyslog.conf
state: present
@ -73,7 +92,7 @@
notify: restart rsyslog
when: rhel9cis_rsyslog_ansiblemanaged
- name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | news.crit log setting"
- name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting"
blockinfile:
path: /etc/rsyslog.conf
state: present
@ -86,7 +105,7 @@
notify: restart rsyslog
when: rhel9cis_rsyslog_ansiblemanaged
- name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | Misc. log setting"
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting"
blockinfile:
path: /etc/rsyslog.conf
state: present
@ -100,13 +119,13 @@
notify: restart rsyslog
when: rhel9cis_rsyslog_ansiblemanaged
- name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | Local log settings"
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings"
blockinfile:
path: /etc/rsyslog.conf
state: present
marker: "#{mark} LOCAL LOG SETTINGS (ANSIBLE MANAGED)"
block: |
# local log settings
# local log settings to meet CIS standards
local0,local1.* -/var/log/localmessages
local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages
@ -114,16 +133,39 @@
*.emrg :omusrmsg:*
insertafter: '#### RULES ####'
notify: restart rsyslog
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings"
blockinfile:
path: /etc/rsyslog.conf
state: present
marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)"
block: |
# Private settings to meet CIS standards
auth,authpriv.* -/var/log/secure
insertafter: '#### RULES ####'
notify: restart rsyslog
- name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings"
blockinfile:
path: /etc/rsyslog.conf
state: present
marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)"
block: |
# Cron settings to meet CIS standards
cron.* /var/log/cron
insertafter: '#### RULES ####'
notify: restart rsyslog
when:
- rhel9cis_rule_4_2_1_4
- rhel9cis_rule_4_2_1_5
tags:
- level1-server
- level1-workstation
- manual
- patch
- rsyslog
- rule_4.2.1.4
- rule_4.2.1.5
- name: "4.2.1.5 | L1 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
- name: "4.2.1.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
blockinfile:
path: /etc/rsyslog.conf
state: present
@ -137,18 +179,19 @@
- result.rc != 257
notify: restart rsyslog
when:
- rhel9cis_rule_4_2_1_5
- rhel9cis_rule_4_2_1_6
- rhel9cis_remote_log_server is defined
tags:
- level1-server
- level1-workstation
- manual
- patch
- rule_4.2.1.5
- rsyslog
- rule_4.2.1.6
- name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts."
- name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client"
block:
- name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | When not log host"
- name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host"
replace:
path: /etc/rsyslog.conf
regexp: '({{ item }})'
@ -157,9 +200,11 @@
with_items:
- '^(\$ModLoad imtcp)'
- '^(\$InputTCPServerRun)'
- '^(module\(load="imtcp"\))'
- '^(input\(type="imtcp")'
when: not rhel9cis_system_is_log_server
- name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | When log host"
- name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host"
replace:
path: /etc/rsyslog.conf
regexp: '^#(.*{{ item }}.*)'
@ -168,12 +213,15 @@
with_items:
- 'ModLoad imtcp'
- 'InputTCPServerRun'
- 'module\(load="imtcp"\)'
- 'input\(type="imtcp"'
when: rhel9cis_system_is_log_server
when:
- rhel9cis_rule_4_2_1_6
- rhel9cis_rule_4_2_1_7
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_4.2.1.6
- rsyslog
- rule_4.2.1.7

189
tasks/section_4/cis_4.2.2.x.yml
View file

@ -1,43 +1,206 @@
---
- name: "4.2.2.1 | L1 | PATCH | Ensure journald is configured to send logs to rsyslog"
lineinfile:
dest: /etc/systemd/journald.conf
regexp: "^#ForwardToSyslog=|^ForwardToSyslog="
line: ForwardToSyslog=yes
- name: "4.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed"
package:
name: systemd-journal-remote
state: present
when:
- rhel9cis_rule_4_2_2_1
- rhel9cis_rule_4_2_2_1_1
tags:
- level1-server
- level1-workstation
- manual
- patch
- rule_4.2.2.1
- journald
- rule_4.2.2.1.1
- name: "4.2.2.2 | L1 | PATCH | Ensure journald is configured to compress large log files"
- name: "4.2.2.1.2 | PATCH | Ensure systemd-journal-remote is configured"
lineinfile:
path: /etc/systemd/journal-upload.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
notify: restart systemd_journal_upload
with_items:
- { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'}
- { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'}
- { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'}
- { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'}
when:
- rhel9cis_rule_4_2_2_1_2
tags:
- level1-server
- level1-workstation
- manual
- patch
- journald
- rule_4.2.2.1.2
- name: "4.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled"
systemd:
name: systemd-journal-upload
state: started
enabled: yes
when:
- rhel9cis_rule_4_2_2_1_3
tags:
- level1-server
- level1-workstation
- manual
- patch
- journald
- rule_4.2.2.1.3
- name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client"
systemd:
name: systemd-journal-remote
state: stopped
enabled: no
masked: yes
when:
- rhel9cis_rule_4_2_2_1_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- journald
- rule_4.2.2.1.4
- name: "4.2.2.2 | PATCH | Ensure journald service is enabled"
block:
- name: "4.2.2.2 | PATCH | Ensure journald service is enabled | Enable service"
systemd:
name: systemd-journald
state: started
enabled: yes
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status"
shell: systemctl is-enabled systemd-journald.service
changed_when: false
failed_when: false
register: rhel9cis_4_2_2_2_status
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status"
debug:
msg:
- "ALERT! The status of systemd-journald should be static and it is not. Please investigate"
when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
when:
- rhel9cis_rule_4_2_2_2
tags:
- level1-server
- level1-workstation
- automated
- audit
- journald
- rule_4.2.2.2
- name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files"
lineinfile:
dest: /etc/systemd/journald.conf
regexp: "^#Compress=|^Compress="
line: Compress=yes
state: present
when:
- rhel9cis_rule_4_2_2_2
- rhel9cis_rule_4_2_2_3
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_4.2.2.2
- journald
- rule_4.2.2.3
- name: "4.2.2.3 | L1 | PATCH | Ensure journald is configured to write logfiles to persistent disk"
- name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk"
lineinfile:
dest: /etc/systemd/journald.conf
regexp: "^#Storage=|^Storage="
line: Storage=persistent
state: present
when:
- rhel9cis_rule_4_2_2_3
- rhel9cis_rule_4_2_2_4
tags:
- level1-server
- level1-workstation
- automated
- patch
- rule_4.2.2.3
- journald
- rule_4.2.2.4
# This is counter to control 4.2.1.3??
- name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog"
lineinfile:
dest: /etc/systemd/journald.conf
regexp: "^ForwardToSyslog="
line: "#ForwardToSyslog=yes"
state: present
notify: restart systemd_journal_upload
when:
- rhel9cis_rule_4_2_2_5
tags:
- level1-server
- level2-workstation
- manual
- patch
- journald
- rule_4.2.2.5
- name: "4.2.2.6 | PATCH | Ensure journald log rotation is configured per site policy"
lineinfile:
path: /etc/systemd/journald.conf
regexp: "{{ item.regexp }}"
line: "{{ item.line }}"
notify: restart journald
with_items:
- { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'}
- { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' }
- { regexp: '^#RuntimeMaxUse=|^RuntimeMaxUse=', line: 'RuntimeMaxUse={{ rhel9cis_journald_runtimemaxuse }}'}
- { regexp: '^#RuntimeKeepFree=|^RuntimeKeepFree=', line: 'RuntimeKeepFree={{ rhel9cis_journald_runtimekeepfree }}'}
- { regexp: '^#MaxFileSec=|^MaxFileSec=', line: 'MaxFileSec={{ rhel9cis_journald_maxfilesec }}'}
when:
- rhel9cis_rule_4_2_2_6
tags:
- level1-server
- level1-workstation
- manual
- patch
- journald
- rule_4.2.2.6
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured"
block:
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Check for override file"
find:
paths: /etc/tmpfiles.d
patterns: systemd.conf
register: rhel9cis_4_2_2_7_override_status
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get override file settings"
shell: cat /etc/tmpfiles.d/systemd.conf
changed_when: false
failed_when: false
register: rhel9cis_4_2_2_7_override_settings
when: rhel9cis_4_2_2_7_override_status.matched >= 1
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get non-override file settings"
shell: cat /usr/lib/tmpfiles.d/systemd.conf
changed_when: false
failed_when: false
register: rhel9cis_4_2_2_7_notoverride_settings
when: rhel9cis_4_2_2_7_override_status.matched == 0
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings"
debug:
msg:
- "Alert! Below are the current default settings for journald, please confirm they align with your site policies"
# - "{{ rhel9cis_4_2_2_7_override_settings.stdout_lines }}"
- "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}"
when:
- rhel9cis_rule_4_2_2_7
tags:
- level1-server
- level1-workstation
- manual
- patch
- journald
- rule_4.2.2.7

8
tasks/section_4/cis_4.2.3.yml
View file

@ -1,9 +1,7 @@
---
- name: "4.2.3 | L1 | PATCH | Ensure permissions on all logfiles are configured"
shell: find /var/log -type f -exec chmod g-wx,o-rwx "{}" +
args:
warn: false
- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured"
command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" +
changed_when: false
failed_when: false
when:
@ -11,5 +9,7 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- logfiles
- rule_4.2.3

11
tasks/section_4/cis_4.3.yml
View file

@ -1,13 +1,13 @@
---
- name: "4.3 | L1 | PATCH | Ensure logrotate is configured"
- name: "4.3 | PATCH | Ensure logrotate is configured"
block:
- name: "4.3 | L1 | AUDIT | Ensure logrotate is configured | Get logrotate settings"
- name: "4.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings"
find:
paths: /etc/logrotate.d/
register: log_rotates
- name: "4.3 | L1 | PATCH | Ensure logrotate is configured"
- name: "4.3 | PATCH | Ensure logrotate is configured"
replace:
path: "{{ item.path }}"
regexp: '^(\s*)(daily|weekly|monthly|yearly)$'
@ -15,11 +15,14 @@
with_items:
- "{{ log_rotates.files }}"
- { path: "/etc/logrotate.conf" }
loop_control:
label: "{{ item.path }}"
when:
- rhel9cis_rule_4_3
- "'logrotate' in ansible_facts.packages"
tags:
- level1-server
- level1-workstation
- manual
- patch
- logrotate
- rule_4.3

10
tasks/section_4/main.yml
View file

@ -1,21 +1,21 @@
---
- name: "SECTION | 4.1| Configure System Accounting (auditd)"
- name: "SECTION | 4.1 | Configure System Accounting (auditd)"
include_tasks: cis_4.1.1.x.yml
when:
- not system_is_container
- name: "SECTION | 4.1.2.x| Configure Data Retention"
- name: "SECTION | 4.1.2 | Configure Data Retention"
import_tasks: cis_4.1.2.x.yml
- name: "SECTION | 4.1.x| Auditd rules"
- name: "SECTION | 4.1.3 | Configure Auditd rules"
import_tasks: cis_4.1.x.yml
- name: "SECTION | 4.2.x| Configure Logging"
- name: "SECTION | 4.2 | Configure Logging"
import_tasks: cis_4.2.1.x.yml
when: rhel9cis_syslog == 'rsyslog'
- name: "SECTION | 4.2.2.x| Configure journald"
- name: "SECTION | 4.2.2 Configure journald"
import_tasks: cis_4.2.2.x.yml
- name: "SECTION | 4.2.3 | Configure logile perms"