From de63984cd8ef4bd83163ab99dd7453862f943471 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 22 Apr 2025 16:10:53 -0400 Subject: [PATCH 1/5] Typo fixes Signed-off-by: Frederick Witty --- README.md | 2 +- defaults/main.yml | 4 ++-- templates/ansible_vars_goss.yml.j2 | 10 +++++----- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index d3bf75a..098c50a 100644 --- a/README.md +++ b/README.md @@ -69,7 +69,7 @@ This is managed using tags: - level2-server - level2-workstation -The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. +The control found in defaults main also need to reflect this as this control the testing that takes place if you are using the audit component. ## Coming from a previous release diff --git a/defaults/main.yml b/defaults/main.yml index eaf33a1..071e55b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1046,14 +1046,14 @@ rhel9cis_bash_umask: '0027' # 0027 or more restrictive # These are discovered via logins.def if set true rhel9cis_discover_int_uid: true # This variable sets the minimum number from which to search for UID -# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# Note that the value will be dynamically overwritten if variable `discover_int_uid` has # been set to `true`. min_int_uid: 1000 ### Controls: # - Ensure local interactive user home directories exist # - Ensure local interactive users own their home directories # This variable sets the maximum number at which the search stops for UID -# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# Note that the value will be dynamically overwritten if variable `discover_int_uid` has # been set to `true`. max_int_uid: 65533 diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ad44fb3..7cb906b 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -34,7 +34,7 @@ rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }} # UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg'). rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }} -## Benchmark name used by audting control role +## Benchmark name used by auditing control role # The audit variable found at the base ## metadata for Audit benchmark benchmark_version: 'v2.0.0' @@ -151,7 +151,7 @@ rhel9cis_rule_1_8_8: {{ rhel9cis_rule_1_8_8 }} rhel9cis_rule_1_8_9: {{ rhel9cis_rule_1_8_9 }} rhel9cis_rule_1_8_10: {{ rhel9cis_rule_1_8_10 }} -# Section 2 rules are controling Services (Special Purpose Services, and service clients) +# Section 2 rules are controlling Services (Special Purpose Services, and service clients) ## Configure Server Services rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }} rhel9cis_rule_2_1_2: {{ rhel9cis_rule_2_1_2 }} @@ -625,21 +625,21 @@ rhel9cis_authselect_custom_profile_name: {{ rhel9cis_authselect_custom_profile_n # These are discovered via logins.def if set true rhel9cis_discover_int_uid: {{ rhel9cis_discover_int_uid }} # This variable sets the minimum number from which to search for UID -# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# Note that the value will be dynamically overwritten if variable `discover_int_uid` has # been set to `true`. min_int_uid: 1000 ### Controls: # - Ensure local interactive user home directories exist # - Ensure local interactive users own their home directories # This variable sets the maximum number at which the search stops for UID -# Note that the value will be dynamically overwritten if variable `dicover_int_uid` has +# Note that the value will be dynamically overwritten if variable `discover_int_uid` has # been set to `true`. max_int_uid: 65533 ## Section6 vars ## Control 6.1.2 AIDE schedule -# how aide sceduler runs can be one of cron or timer +# how aide scheduler runs can be one of cron or timer rhel9cis_aide_scan: {{ rhel9cis_aide_scan }} # These are the crontab settings for periodical checking of the filesystem's integrity using AIDE. From 7173eba3f68faf6e7e8b72f6d417798491a3cc36 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 22 Apr 2025 16:29:43 -0400 Subject: [PATCH 2/5] Typo fixes v2 Signed-off-by: Frederick Witty --- defaults/main.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 071e55b..9358939 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -12,7 +12,7 @@ os_check: true # Disruption is high ## Run tests that are considered higher risk and could have a system impact if not properly tested ## Default false -## Will be fine if clean new unconfigured build +## Will be fine if clean new un-configured build rhel9cis_disruption_high: false ## Switching on/off specific baseline sections @@ -46,7 +46,7 @@ rhel9cis_selinux_disable: false # UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg'). rhel9cis_legacy_boot: false -## Benchmark name used by audting control role +## Benchmark name used by auditing control role # The audit variable found at the base ## metadata for Audit benchmark benchmark_version: 'v2.0.0' @@ -112,12 +112,12 @@ audit_conf_dest: "/opt" # Where the audit logs are stored audit_log_dir: '/opt' -## Ability to collect and take audit files moving to a centralised location +## Ability to collect and take audit files moving to a centralized location # This enables the collection of the files from the host fetch_audit_output: false # Method of getting,uploading the summary files -## Ensure access and permissions are avaiable for these to occur. +## Ensure access and permissions are available for these to occur. ## options are # fetch - fetches from server and moves to location on the ansible controller (could be a mount point available to controller) # copy - copies file to a location available to the managed node @@ -514,7 +514,7 @@ rhel9cis_rule_7_2_9: true ## Section 1 vars -## Ability to enabe debug on mounts to assist in troubleshooting +## Ability to enable debug on mounts to assist in troubleshooting # Mount point changes are set based upon facts created in Prelim # these then build the variable and options that is passed to the handler to set the mount point for the controls in section1. rhel9cis_debug_mount_data: false @@ -722,7 +722,7 @@ rhel9cis_bluetooth_mask: false rhel9cis_ipv6_required: true ## 3.1.2 wireless network requirements -# if wireless adapetr found allow network manager to be installed +# if wireless adapter found allow network manager to be installed rhel9cis_install_network_manager: false # 3.3 System network parameters (host only OR host and router) # This variable governs whether specific CIS rules @@ -730,15 +730,15 @@ rhel9cis_install_network_manager: false rhel9cis_is_router: false # This variable governs if the task which updates sysctl(including sysctl reload) is executed. -# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). +# NOTE: The current default value is likely to be overridden by other further tasks(via 'set_fact'). rhel9cis_sysctl_update: false # This variable governs if the task which flushes the IPv4 routing table is executed(forcing subsequent connections to # use the new configuration). -# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). +# NOTE: The current default value is likely to be overridden by other further tasks(via 'set_fact'). rhel9cis_flush_ipv4_route: false # This variable governs if the task which flushes the IPv6 routing table is executed(forcing subsequent connections to # use the new configuration). -# NOTE: The current default value is likely to be overriden by other further tasks(via 'set_fact'). +# NOTE: The current default value is likely to be overridden by other further tasks(via 'set_fact'). rhel9cis_flush_ipv6_route: false # Section 4 vars @@ -890,13 +890,13 @@ rhel9cis_authselect_pkg_update: false # NOTE the risks if system is using SSSD # To create a new profile (best for greenfield fresh sites not configured) # This allows creation of a custom profile using an existing one to build from -# will only create if profiel does not already exist +# will only create if profile does not already exist ## options true or false rhel9cis_authselect_custom_profile_create: true ## Controls: # - 5.3.2.1 - Ensure custom authselect profile is used # Settings in place now will fail, they are placeholders from the control example. Due to the way many multiple -# options and ways to configure this control needs to be enabled and settings adjusted to minimise risk. +# options and ways to configure this control needs to be enabled and settings adjusted to minimize risk. # This variable configures the name of the custom profile to be created and selected. # To be changed from default - cis_example_profile @@ -1046,14 +1046,14 @@ rhel9cis_bash_umask: '0027' # 0027 or more restrictive # These are discovered via logins.def if set true rhel9cis_discover_int_uid: true # This variable sets the minimum number from which to search for UID -# Note that the value will be dynamically overwritten if variable `discover_int_uid` has +# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has # been set to `true`. min_int_uid: 1000 ### Controls: # - Ensure local interactive user home directories exist # - Ensure local interactive users own their home directories # This variable sets the maximum number at which the search stops for UID -# Note that the value will be dynamically overwritten if variable `discover_int_uid` has +# Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has # been set to `true`. max_int_uid: 65533 From 350b30dfe4d117395dcf25ae21cab713c0440c59 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 22 Apr 2025 16:32:47 -0400 Subject: [PATCH 3/5] prelim_ prefix added to max_int_uid and min_int_uid Signed-off-by: Frederick Witty --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9358939..385d160 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1048,14 +1048,14 @@ rhel9cis_discover_int_uid: true # This variable sets the minimum number from which to search for UID # Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has # been set to `true`. -min_int_uid: 1000 +prelim_min_int_uid: 1000 ### Controls: # - Ensure local interactive user home directories exist # - Ensure local interactive users own their home directories # This variable sets the maximum number at which the search stops for UID # Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has # been set to `true`. -max_int_uid: 65533 +prelim_max_int_uid: 65533 ## Section6 vars ## Control 6.1.x - allow aide to be configured From 42024903e3eb83901f44dc4bf8596e785ad77d46 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 23 Apr 2025 12:47:22 -0400 Subject: [PATCH 4/5] revamp set facts premlim_ max_int_uid and prelim_min_int_uid Signed-off-by: Frederick Witty --- defaults/main.yml | 4 ++-- tasks/prelim.yml | 21 ++++++++++++--------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 385d160..9358939 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1048,14 +1048,14 @@ rhel9cis_discover_int_uid: true # This variable sets the minimum number from which to search for UID # Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has # been set to `true`. -prelim_min_int_uid: 1000 +min_int_uid: 1000 ### Controls: # - Ensure local interactive user home directories exist # - Ensure local interactive users own their home directories # This variable sets the maximum number at which the search stops for UID # Note that the value will be dynamically overwritten if variable `rhel9cis_discover_int_uid` has # been set to `true`. -prelim_max_int_uid: 65533 +max_int_uid: 65533 ## Section6 vars ## Control 6.1.x - allow aide to be configured diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1ec355b..dbd1493 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -320,24 +320,27 @@ patterns: '*.conf,*.rules' register: prelim_auditd_conf_files -- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" +- name: "PRELIM | AUDIT | Discover Interactive UID_MIN and UID_MAX from /etc/login.defs" when: rhel9cis_discover_int_uid tags: always block: - - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" - ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' + - name: "PRELIM | AUDIT | Capture UID_MIN from /etc/login.defs" + ansible.builtin.command: awk '/^UID_MIN/ {print $2}' /etc/login.defs changed_when: false + failed_when: false register: prelim_uid_min_id - - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" - ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' + - name: "PRELIM | AUDIT | Capture UID_MAX from /etc/login.defs" + ansible.builtin.command: awk '/^UID_MAX/ {print $2}' /etc/login.defs changed_when: false + failed_when: false register: prelim_uid_max_id - - name: "PRELIM | AUDIT | Set Fact for interactive uid/gid" - ansible.builtin.set_fact: - prelim_min_int_uid: "{{ prelim_uid_min_id.stdout }}" - prelim_max_int_uid: "{{ prelim_uid_max_id.stdout }}" +- name: "PRELIM | AUDIT | Set facts for interactive UID/GID ranges" + tags: always + ansible.builtin.set_fact: + prelim_min_int_uid: "{{ prelim_uid_min_id.stdout | default(min_int_uid) }}" + prelim_max_int_uid: "{{ prelim_uid_max_id.stdout | default(max_int_uid) }}" - name: "PRELIM | AUDIT | Gather the package facts after prelim" tags: From e27e413f943d00253c3c4d702cbc6bb6d0efaf9b Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 23 Apr 2025 16:04:16 -0400 Subject: [PATCH 5/5] Update URL in defaults/main Signed-off-by: Frederick Witty --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9358939..91261b7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -102,7 +102,7 @@ audit_content: git # If using either archive, copy, get_url: ## Note will work with .tar files - zip will require extra configuration ### If using get_url this is expecting github url in tar.gz format e.g. -### https://github.com/ansible-lockdown/UBUNTU22-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz +### https://github.com/ansible-lockdown/RHEL9-CIS-Audit/archive/refs/heads/benchmark-v1.0.0.tar.gz audit_conf_source: "some path or url to copy from" # Destination for the audit content to be placed on managed node