diff --git a/defaults/main.yml b/defaults/main.yml index c524a55..56f07c5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -733,16 +733,20 @@ rhel9cis_firewall: firewalld rhel9cis_default_zone: public ## Controls 4.3.x nftables -# This variable stores the name of the table to be used when configuring nftables(creating chains, configuring loopback -# traffic, established connections, default deny). If 'rhel9cis_nft_tables_autonewtable' is set as true, a new table will -# be created using as name the value stored by this variable. -rhel9cis_nft_tables_tablename: filter -## Ensure nftables base chains exist + +## 4.3.1 Ensure nftables base chains exist # This variable governs if a nftables base chain(entry point for packets from the networking stack) will be automatically # created, if needed. Without a chain, a hook for input, forward, and delete, packets that would flow through those # chains will not be touched by nftables. rhel9cis_nft_tables_autochaincreate: true +## 4.3.2 Create tables if required +rhel9cis_nft_tables_autonewtable: true +# This variable stores the name of the table to be used when configuring nftables(creating chains, configuring loopback +# traffic, established connections, default deny). If 'rhel9cis_nft_tables_autonewtable' is set as true, a new table will +# be created using as name the value stored by this variable. +rhel9cis_nft_tables_tablename: filter + ## Section5 vars ## Section 5.1 - SSH @@ -750,7 +754,7 @@ rhel9cis_nft_tables_autochaincreate: true # This value, containing the absolute filepath of the produced 'sshd' config file, allows usage of # drop-in files('/etc/ssh/ssh_config.d/{ssh_drop_in_name}.conf', supported by RHEL9) when CIS adopts them. # Otherwise, the default value is '/etc/ssh/ssh_config'. -rhel9_cis_sshd_config_file: /etc/ssh/sshd_config +rhel9cis_sshd_config_file: /etc/ssh/sshd_config ## Controls: ## - 5.1.7 - Ensure SSH access is limited 
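Review bot: The new default `rhel9cis_nft_tables_autonewtable: true` is the only variable in this stanza without a comment describing what it controls, and the comment that does mention it sits under `rhel9cis_nft_tables_tablename`, so a reader has to find it by accident. A line above it such as `# When true, the table named in rhel9cis_nft_tables_tablename is created with 'nft add table inet' if it is missing; set false to manage the table yourself` would match the surrounding style. The heading `## 4.3.2 Create tables if required` also conflicts with the task names elsewhere in this diff, where 4.3.2 is "Ensure nftables established connections are configured" and table creation is an "OPTIONAL" task; `## Optional - Create tables if required` would avoid that mismatch. Hunk context suggests blank separator lines were collapsed by the page rendering, so the exact placement is hedged.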
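Review bot: The comment kept above the renamed `rhel9cis_sshd_config_file` describes drop-in files under `/etc/ssh/ssh_config.d/` and a default of `/etc/ssh/ssh_config`, but the variable's value is the server file `/etc/ssh/sshd_config`, and the prelim task in this diff creates the file with mode 0600 as an sshd drop-in. Since the commit already touches this line for the rename, the comment should be corrected with it, e.g. `# drop-in files('/etc/ssh/sshd_config.d/{drop_in_name}.conf', supported by RHEL9) when CIS adopts them.` and `# Otherwise, the default value is '/etc/ssh/sshd_config'.` Whether the drop-in name is templated from a separate variable is not visible here.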
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 96e9657..78d1771 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -196,14 +196,14 @@ # Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config - name: "PRELIM | PATCH | SSH Config file is not exist" when: - - rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config' + - rhel9cis_sshd_config_file != '/etc/ssh/sshd_config' - "'openssh-server' in ansible_facts.packages" tags: - - ssh + - always - level1_server - level1_workstation ansible.builtin.file: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" owner: root group: root mode: '0600' diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index f93a1d4..eb82773 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -17,10 +17,10 @@ - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists" ansible.builtin.shell: mount -l | grep -w /dev/shm changed_when: false - register: rhel9cis_1_8_1_1_mount_check + register: discovered_dev_shm_mount_check - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition" - when: rhel9cis_1_8_1_1_mount_check.rc == 1 + when: discovered_dev_shm_mount_check.rc == 1 block: - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" ansible.builtin.debug: diff --git a/tasks/section_2/cis_2.4.x.yml b/tasks/section_2/cis_2.4.x.yml index 072fa0b..16ed0e9 100644 --- a/tasks/section_2/cis_2.4.x.yml +++ b/tasks/section_2/cis_2.4.x.yml 
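Review bot: Replacing the `ssh` tag with `always` makes this file-creation task run on every invocation regardless of `--tags`, which is what the later 5.1.x lineinfile tasks need since they `validate: sshd -t -f %s` against the same path; that intent deserves a comment, e.g. `# tags: always - 5.1.x tasks write to this path on any tagged run, so it must exist first`. The task name "SSH Config file is not exist" is also hard to read; `- name: "PRELIM | PATCH | Ensure sshd drop-in config file exists"` states what the task enforces. The remainder of the `ansible.builtin.file` arguments (including any `state:`) lies outside the hunk.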
@@ -141,12 +141,12 @@ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Check if cron.allow exists" ansible.builtin.stat: path: "/etc/cron.allow" - register: rhel9cis_2_4_1_8_cron_allow_state + register: discovered_cron_allow_state - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users" ansible.builtin.file: path: /etc/cron.allow - state: '{{ "file" if rhel9cis_2_4_1_8_cron_allow_state.stat.exists else "touch" }}' + state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}' owner: root group: root mode: u-x,g-wx,o-rwx @@ -171,12 +171,12 @@ - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" ansible.builtin.stat: path: "/etc/at.allow" - register: rhel9cis_rule_2_4_2_1_at_allow_state + register: discovered_at_allow_state - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" ansible.builtin.file: path: /etc/at.allow - state: '{{ "file" if rhel9cis_rule_2_4_2_1_at_allow_state.stat.exists else "touch" }}' + state: '{{ "file" if discovered_at_allow_state.stat.exists else "touch" }}' owner: root group: root mode: u-x,g-wx,o-rwx diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 5c76ab6..98e3a93 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml 
@@ -44,15 +44,15 @@ changed_when: false failed_when: false check_mode: false - register: rhel9cis_3_1_2_wifi_status + register: discovered_wifi_status - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" when: - "'network-manager' in ansible_facts.packages" - - "'enabled' in rhel9cis_3_1_2_wifi_status.stdout" + - "'enabled' in discovered_wifi_status.stdout" ansible.builtin.shell: nmcli radio all off - changed_when: rhel9cis_3_1_2_nmcli_radio_off.rc == 0 - register: rhel9cis_3_1_2_nmcli_radio_off + changed_when: discovered_nmcli_radio_off.rc == 0 + register: discovered_nmcli_radio_off - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" when: "'network-manager' not in ansible_facts.packages" diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml index 01fd1eb..0fca4cc 100644 --- a/tasks/section_4/cis_4.2.x.yml +++ b/tasks/section_4/cis_4.2.x.yml @@ -16,13 +16,13 @@ changed_when: false failed_when: false check_mode: false - register: rhel9cis_4_2_5_servicesport + register: discovered_services_and_ports - name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" ansible.builtin.debug: msg: - "The items below are the services and ports that are accepted, please correct as needed" - - "{{ rhel9cis_4_2_5_servicesport.stdout_lines }}" + - "{{ discovered_services_and_ports.stdout_lines }}" - name: "4.2.2 | PATCH | Ensure firewalld loopback traffic is configured | firewalld" when: diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml index 09e8979..4e85deb 100644 --- a/tasks/section_4/cis_4.3.x.yml +++ b/tasks/section_4/cis_4.3.x.yml 
@@ -1,5 +1,15 @@ --- +- name: "OPTIONAL | PATCH | Create Table if doesn't exist and required" + when: + - rhel9cis_nft_tables_autonewtable + - rhel9cis_rule_4_3_1 + - rhel9cis_rule_4_3_2 + - rhel9cis_rule_4_3_3 + - rhel9cis_rule_4_3_4 + tags: always + ansible.builtin.shell: "nft add table inet {{ rhel9cis_nft_tables_tablename }}" + - name: "4.3.1 | PATCH | Ensure nftables base chains exist" when: - rhel9cis_rule_4_3_1 @@ -15,30 +25,30 @@ ansible.builtin.shell: nft list ruleset | grep 'hook input' changed_when: false failed_when: false - register: rhel9cis_4_3_1_input_chains + register: discovered_nftables_input_chains - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" ansible.builtin.shell: nft list ruleset | grep 'hook forward' changed_when: false failed_when: false - register: rhel9cis_4_3_1_forward_chains + register: discovered_nftables_forward_chains - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" ansible.builtin.shell: nft list ruleset | grep 'hook output' changed_when: false failed_when: false - register: rhel9cis_4_3_1_output_chains + register: discovered_nftables_output_chains - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Display chains for review" when: not rhel9cis_nft_tables_autochaincreate ansible.builtin.debug: msg: - "Below are the current INPUT chains" - - "{{ rhel9cis_4_3_1_input_chains.stdout_lines }}" + - "{{ discovered_nftables_input_chains.stdout_lines }}" - "Below are the current FORWARD chains" - - "{{ rhel9cis_4_3_1_forward_chains.stdout_lines }}" + - "{{ discovered_nftables_forward_chains.stdout_lines }}" - "Below are teh current OUTPUT chains" - - "{{ rhel9cis_4_3_1_output_chains.stdout_lines }}" + - "{{ discovered_nftables_output_chains.stdout_lines }}" - name: "4.3.1 | PATCH | Ensure nftables base chains exist | Create chains if needed" when: rhel9cis_nft_tables_autochaincreate 
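Review bot: The new "Create Table if doesn't exist" task runs `nft add table` unconditionally whenever its `when` list holds, so nothing checks for the table first and the play reports it changed on every run, contrary to the task name. The gate also requires all four of rhel9cis_rule_4_3_1 through rhel9cis_rule_4_3_4 to be true, so disabling any one of them skips table creation even though the later hunks in this file still issue `nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" ...` for whichever 4.3.x rules remain enabled; an `or` between the rule flags is presumably the intent, but that should be confirmed. `nft list table inet NAME` exits non-zero when the table is absent, which gives an idempotent check, and `ansible.builtin.command` suffices because no shell features are used. The rewrite below splits the task into an audit that registers the result and a patch gated on its rc (kept last in the list so it is not evaluated when the audit was skipped).
```yaml
- name: "OPTIONAL | AUDIT | Check whether the nftables table exists"
  when:
    - rhel9cis_nft_tables_autonewtable
    - rhel9cis_rule_4_3_1 or rhel9cis_rule_4_3_2 or rhel9cis_rule_4_3_3 or rhel9cis_rule_4_3_4
  tags: always
  ansible.builtin.command: "nft list table inet {{ rhel9cis_nft_tables_tablename }}"
  changed_when: false
  failed_when: false
  register: discovered_nftables_table

- name: "OPTIONAL | PATCH | Create Table if doesn't exist and required"
  when:
    - rhel9cis_nft_tables_autonewtable
    - rhel9cis_rule_4_3_1 or rhel9cis_rule_4_3_2 or rhel9cis_rule_4_3_3 or rhel9cis_rule_4_3_4
    - discovered_nftables_table.rc != 0
  tags: always
  ansible.builtin.command: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"

# … unchanged: 4.3.1 Ensure nftables base chains exist …
```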
@@ -64,36 +74,36 @@ ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' changed_when: false failed_when: false - register: rhel9cis_4_3_2_inconnectionrule + register: discovered_nftables_inconnectionrule - - name: "4.3.2| AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules" + - name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules" ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' changed_when: false failed_when: false - register: rhel9cis_4_3_2_outconnectionrule + register: discovered_nftables_outconnectionrule - name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy" - when: '"ip protocol tcp ct state established accept" not in rhel9cis_4_3_2_inconnectionrule.stdout' - ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + when: '"ip protocol tcp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' + ansible.builtin.shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy" - when: '"ip protocol udp ct state established accept" not in rhel9cis_4_3_2_inconnectionrule.stdout' + when: '"ip protocol udp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy" - when: '"ip protocol icmp ct state established accept" not in 
rhel9cis_4_3_2_inconnectionrule.stdout' + when: '"ip protocol icmp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy" - when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_4_3_2_outconnectionrule.stdout' + when: '"ip protocol tcp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy" - when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_4_3_2_outconnectionrule.stdout' + when: '"ip protocol udp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy" - when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_4_3_2_outconnectionrule.stdout' + when: '"ip protocol icmp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy" 
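Review bot: The "Add input tcp established accept policy" task is switched from `ansible.builtin.command` to `ansible.builtin.shell` while its five sibling tasks in the same hunk keep `command`; the argument has no pipes, globs or redirection, so the change adds nothing and breaks the file's convention. `ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept` restores it. The hunk fixes the missing space in the 4.3.2 AUDIT task name but leaves the identical `"4.3.2| PATCH | ..."` spacing on the input-tcp task name a few lines below; worth fixing in the same commit.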
@@ -111,40 +121,40 @@ ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' failed_when: false changed_when: false - register: rhel9cis_4_3_3_inputpolicy + register: discovered_nftables_inputpolicy - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' failed_when: false changed_when: false - register: rhel9cis_4_3_3_forwardpolicy + register: discovered_nftables_forwardpolicy - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' failed_when: false changed_when: false - register: rhel9cis_4_3_3_outputpolicy + register: discovered_nftables_outputpolicy - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' failed_when: false changed_when: false - register: rhel9cis_4_3_3_sshallowcheck + register: discovered_nftables_sshallowcheck - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" - when: '"tcp dport ssh accept" not in rhel9cis_4_3_3_sshallowcheck.stdout' + when: '"tcp dport ssh accept" not in discovered_nftables_sshallowcheck.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" - when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_4_3_3_inputpolicy.stdout' + when: '"type filter hook input priority 0; policy drop;" not in discovered_nftables_inputpolicy.stdout' ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } - 
name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" - when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_4_3_3_forwardpolicy.stdout' + when: '"type filter hook forward priority 0; policy drop;" not in discovered_nftables_forwardpolicy.stdout' ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" - when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_4_3_3_outputpolicy.stdout' + when: '"type filter hook output priority 0; policy drop;" not in discovered_nftables_outputpolicy.stdout' ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured" 
@@ -162,28 +172,28 @@ ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' changed_when: false failed_when: false - register: rhel9cis_4_3_4_iiflo + register: discovered_nftables_iiflo - name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence | nftables" ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' changed_when: false failed_when: false - register: rhel9cis_4_3_4_ipsaddr + register: discovered_nftables_ipsaddr - name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence | nftables" ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' changed_when: false failed_when: false - register: rhel9cis_4_3_4_ip6saddr + register: discovered_nftables_ip6saddr - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule | nftables" - when: '"iif \"lo\" accept" not in rhel9cis_4_3_4_iiflo.stdout' + when: '"iif \"lo\" accept" not in discovered_nftables_iiflo.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables" - when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_4_3_4_ipsaddr.stdout' + when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in discovered_nftables_ipsaddr.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule | nftables" - when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_4_3_4_ip6saddr.stdout' + when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in discovered_nftables_ip6saddr.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename 
}}" input ip6 saddr ::1 counter drop diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 95addf3..31ba7e2 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -37,7 +37,7 @@ patterns: 'ssh_host_*_key' recurse: true file_type: any - register: rhel9cis_5_1_2_ssh_private_host_key + register: discovered_ssh_private_host_key - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys" ansible.builtin.file: @@ -45,7 +45,7 @@ owner: root group: root mode: 'u-x,go-rwx' - loop: "{{ rhel9cis_5_1_2_ssh_private_host_key.files }}" + loop: "{{ discovered_ssh_private_host_key.files }}" loop_control: label: "{{ item.path }}" @@ -67,7 +67,7 @@ patterns: 'ssh_host_*_key.pub' recurse: true file_type: any - register: rhel9cis_5_1_3_ssh_public_host_key + register: discovered_ssh_public_host_key - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys" ansible.builtin.file: @@ -75,7 +75,7 @@ owner: root group: root mode: 'u-x,go-wx' - loop: "{{ rhel9cis_5_1_3_ssh_public_host_key.files }}" + loop: "{{ discovered_ssh_public_host_key.files }}" loop_control: label: "{{ item.path }}" @@ -178,7 +178,7 @@ - name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for allowusers" when: "rhel9cis_sshd_allowusers | length > 0" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^AllowUsers" line: "AllowUsers {{ rhel9cis_sshd_allowusers }}" validate: sshd -t -f %s 
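Review bot: The renamed `when` checks for the ip and ip6 saddr rules still match on `counter packets 0 bytes 0`, so as soon as the counter has seen a packet the string no longer appears in the audit output and the rule is appended again on every run, accumulating duplicates in the input chain. The audit tasks already grep for `ip saddr` / `ip6 saddr` only, so the check can drop the counter fields: `when: '"ip saddr 127.0.0.0/8" not in discovered_nftables_ipsaddr.stdout'` and `when: '"ip6 saddr ::1" not in discovered_nftables_ip6saddr.stdout'`. The same pattern does not affect the `iif "lo" accept` check, which carries no counter.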
@@ -187,7 +187,7 @@ - name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for allowgroups" when: "rhel9cis_sshd_allowgroups | length > 0" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^AllowGroups" line: "AllowGroups {{ rhel9cis_sshd_allowgroups }}" validate: sshd -t -f %s @@ -196,7 +196,7 @@ - name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denyusers" when: "rhel9cis_sshd_denyusers | length > 0" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^DenyUsers" line: "DenyUsers {{ rhel9cis_sshd_denyusers }}" validate: sshd -t -f %s @@ -205,7 +205,7 @@ - name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denygroups" when: "rhel9cis_sshd_denygroups | length > 0" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^DenyGroups" line: "DenyGroups {{ rhel9cis_sshd_denygroups }}" validate: sshd -t -f %s @@ -226,7 +226,7 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: '^Banner' line: 'Banner /etc/issue.net' @@ -247,7 +247,7 @@ block: - name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Add line in sshd_config for ClientAliveInterval" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd_clientaliveinterval }}" validate: sshd -t -f %s 
@@ -255,7 +255,7 @@ - name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Ensure SSH ClientAliveCountMax set to <= 3" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: '^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd_clientalivecountmax }}" validate: sshd -t -f %s @@ -274,7 +274,7 @@ block: - name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | config file" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(#|)\s*DisableForwarding line: 'DisableForwarding yes' validate: sshd -t -f %s @@ -313,7 +313,7 @@ - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | ssh config" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*GSSAPIAuthentication line: GSSAPIAuthentication no validate: sshd -t -f %s @@ -334,7 +334,7 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*HostbasedAuthentication line: 'HostbasedAuthentication no' validate: sshd -t -f %s @@ -355,7 +355,7 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*IgnoreRhosts line: 'IgnoreRhosts yes' validate: sshd -t -f %s @@ -372,7 +372,7 @@ - rule_5.1.14 - NIST800-53R5_CM-6 ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*LoginGraceTime line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}" validate: sshd -t -f %s 
@@ -391,7 +391,7 @@ - NIST800-53R5_AU-12 - NIST800-53R5_SI-5 ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*LogLevel line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' validate: sshd -t -f %s @@ -408,7 +408,7 @@ - rule_5.1.16 - NIST800-53R5_AU-3 ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}' validate: sshd -t -f %s @@ -429,7 +429,7 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*MaxStartups line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}' validate: sshd -t -f %s @@ -450,7 +450,7 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*MaxSessions line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' validate: sshd -t -f %s @@ -471,7 +471,7 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*PermitEmptyPasswords line: 'PermitEmptyPasswords no' validate: sshd -t -f %s @@ -490,7 +490,7 @@ block: - name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled | config file" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*PermitRootLogin line: 'PermitRootLogin no' validate: sshd -t -f %s @@ -517,7 +517,7 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*PermitUserEnvironment line: 'PermitUserEnvironment no' validate: sshd -t -f %s 
@@ -538,7 +538,7 @@ - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: ^(?i)(#|)\s*UsePAM line: 'UsePAM yes' validate: sshd -t -f %s diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 6bb0608..2e46de4 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -57,21 +57,21 @@ - rule_5.2.4 - NIST800-53R5_AC-6 block: - - name: "5.2.4 | AUDIT | Ensure users must provide password for escalation | discover accts with NOPASSWD" + - name: "5.2.4 | AUDIT | Ensure users must provide password for escalation | Discover accts with NOPASSWD" ansible.builtin.shell: grep -Ei '(nopasswd)' /etc/sudoers /etc/sudoers.d/* | cut -d':' -f1 become: true changed_when: false failed_when: false - register: rhel9cis_5_2_4_nopasswd + register: discovered_nopasswd_sudoers - - name: "5.2.4 | PATCH | Ensure users must provide password for escalation" - when: rhel9cis_5_2_4_nopasswd.std | length > 0 + - name: "5.2.4 | PATCH | Ensure users must provide password for escalation | Remove nopasswd for accounts not excluded" + when: discovered_nopasswd_sudoers.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: '^((?!#|{% for name in rhel9cis_sudoers_exclude_nopasswd_list %}{{ name }}{% if not loop.last -%}|{%- endif -%}{% endfor %}).*)NOPASSWD(.*)' replace: '\1PASSWD\2' validate: '/usr/sbin/visudo -cf %s' - loop: "{{ rhel9cis_5_2_4_nopasswd.stdout_lines }}" + loop: "{{ discovered_nopasswd_sudoers.stdout_lines }}" - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" when: 
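Review bot: The `.std` to `.stdout` correction in the 5.2.4 `when` is the real fix here, but the loop still iterates `stdout_lines`, which holds one entry per matching line from `grep ... | cut -d':' -f1`; a sudoers file with several NOPASSWD entries therefore appears several times and the replace task runs on it repeatedly (idempotent, but noisy in the play output). `loop: "{{ discovered_nopasswd_sudoers.stdout_lines | unique }}"` removes the repeats. The enclosing `block:` for 5.2.4 starts before the hunk and its end is outside it.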
@@ -114,24 +114,24 @@ ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort changed_when: false failed_when: false - register: rhel9cis_5_2_6_timeout_files + register: discovered_sudo_timeout_files - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" + when: discovered_sudo_timeout_files.stdout | length == 0 ansible.builtin.lineinfile: path: /etc/sudoers regexp: 'Defaults timestamp_timeout=' line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" validate: '/usr/sbin/visudo -cf %s' - when: rhel9cis_5_2_6_timeout_files.stdout | length == 0 - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" + when: discovered_sudo_timeout_files.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: 'timestamp_timeout=(\d+)' replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" validate: '/usr/sbin/visudo -cf %s' - loop: "{{ rhel9cis_5_2_6_timeout_files.stdout_lines }}" - when: rhel9cis_5_2_6_timeout_files.stdout | length > 0 + loop: "{{ discovered_sudo_timeout_files.stdout_lines }}" - name: "5.2.7 | PATCH | Ensure access to the su command is restricted" when: @@ -149,7 +149,7 @@ ansible.builtin.group: name: "{{ rhel9cis_sugroup }}" state: present - register: rhel9cis_5_2_7_sugroup + register: discovered_sugroup - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group" ansible.builtin.lineinfile: diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index c9a7559..3996edc 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml 
@@ -61,11 +61,11 @@ - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config" ansible.builtin.shell: authselect current | grep faillock changed_when: false - failed_when: rhel9cis_authselect_current_faillock.rc not in [ 0, 1 ] - register: rhel9cis_authselect_current_faillock + failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ] + register: discovered_authselect_current_faillock - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" - when: rhel9cis_authselect_current_faillock.rc != 0 + when: discovered_authselect_current_faillock.rc != 0 ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled" 
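Review bot: The 5.3.2.2 "Add feature if missing" task, shown in full in this hunk, has no `notify: Authselect update`, while the parallel 5.3.2.3 and 5.3.2.4 tasks in the following hunks end with exactly that line after the same `authselect select custom/...` command. If the handler is needed after a profile switch there, it is presumably needed here too; adding `notify: Authselect update` after the `ansible.builtin.shell:` line would make the three tasks consistent. What the handler does is not visible on this page, so the need for it is inferred from the siblings.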
@@ -85,11 +85,11 @@ - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Get current config" ansible.builtin.shell: authselect current | grep quality changed_when: false - failed_when: rhel9cis_authselect_current_quality.rc not in [ 0, 1 ] - register: rhel9cis_authselect_current_quality + failed_when: discovered_authselect_current_quality.rc not in [ 0, 1 ] + register: discovered_authselect_current_quality - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Add feature if missing" - when: rhel9cis_authselect_current_quality.rc != 0 + when: discovered_authselect_current_quality.rc != 0 ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" notify: Authselect update @@ -110,11 +110,11 @@ - name: "5.3.2.4 | AUDIT | Ensure pam_pwhistory module is enabled | Get current config" ansible.builtin.shell: authselect current | grep pwhistory changed_when: false - failed_when: rhel9cis_authselect_current_history.rc not in [ 0, 1 ] - register: rhel9cis_authselect_current_history + failed_when: discovered_authselect_current_history.rc not in [ 0, 1 ] + register: discovered_authselect_current_history - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled | enable feature" - when: rhel9cis_authselect_current_history.rc != 0 + when: discovered_authselect_current_history.rc != 0 ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" notify: Authselect update 
diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml index 4712373..a1e5768 100644 --- a/tasks/section_5/cis_5.3.3.4.x.yml +++ b/tasks/section_5/cis_5.3.3.4.x.yml @@ -14,18 +14,18 @@ - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | capture state" ansible.builtin.shell: grep -E "pam_unix.so.*nullok" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq changed_when: false - failed_when: rhel9cis_pam_nullok.rc not in [ 0, 1 ] - register: rhel9cis_pam_nullok + failed_when: discovered_pam_nullok.rc not in [ 0, 1 ] + register: discovered_pam_nullok - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Ensure nullok removed" when: - - rhel9cis_pam_nullok.stdout | length > 0 + - discovered_pam_nullok.stdout | length > 0 - not rhel9cis_allow_authselect_updates ansible.builtin.replace: path: "{{ item }}" regexp: nullok replace: '' - loop: "{{ rhel9cis_pam_nullok.stdout_lines }}" + loop: "{{ discovered_pam_nullok.stdout_lines }}" - name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect" when: 
@@ -53,18 +53,18 @@
 - name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state"
 ansible.builtin.shell: grep -E "password.*pam_unix.so.*remember" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq
 changed_when: false
- failed_when: rhel9cis_pam_remember.rc not in [ 0, 1 ]
- register: rhel9cis_pam_remember
+ failed_when: discovered_pam_remember.rc not in [ 0, 1 ]
+ register: discovered_pam_remember
 - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Ensure remember removed"
 when:
 - not rhel9cis_allow_authselect_updates
- - rhel9cis_pam_remember.stdout | length > 0
+ - discovered_pam_remember.stdout | length > 0
 ansible.builtin.replace:
 path: "{{ item }}"
 regexp: remember
 replace: ''
- loop: "{{ rhel9cis_pam_remember.stdout_lines }}"
+ loop: "{{ discovered_pam_remember.stdout_lines }}"
 - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
 when:
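Review bot: The `ansible.builtin.replace` task in this hunk uses the unanchored `regexp: remember`, so it rewrites every occurrence of that word in each listed file, although the capture step only selected files on a `password … pam_unix.so … remember` line; any other occurrence in the same file, such as a `pam_pwhistory.so remember=N` option if one is present, would be stripped as well, working against the pwhistory feature that the 5.3.2.4 tasks enable. Scoping the pattern to the pam_unix line keeps the change to what 5.3.3.4.2 asks for, e.g. `regexp: '^(password\s+\S+\s+pam_unix\.so.*?)\s+remember(=\d+)?'` with `replace: '\1'`. The nullok task in the previous hunk uses the same unanchored form, though `nullok` is less likely to collide with another module's option. The AuthSelect task named at the end of the hunk continues outside it.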
@@ -93,18 +93,18 @@
 - name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state"
 ansible.builtin.shell: grep -E "password.*pam_unix.so.*(sha512|yescrypt)" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq
 changed_when: false
- failed_when: rhel9cis_pam_pwhash.rc not in [ 0, 1 ]
- register: rhel9cis_pam_pwhash
+ failed_when: discovered_pam_pwhash.rc not in [ 0, 1 ]
+ register: discovered_pam_pwhash
 - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Ensure hash algorithm set"
 when:
 - not rhel9cis_allow_authselect_updates
- - rhel9cis_pam_remember.stdout | length > 0
+ - discovered_pam_remember.stdout | length > 0
 ansible.builtin.replace:
 path: "{{ item }}"
 regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)"
 replace: '{{ rhel9cis_passwd_hash_algo }}'
- loop: "{{ rhel9cis_pam_remember.stdout_lines }}"
+ loop: "{{ discovered_pam_remember.stdout_lines }}"
 - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect"
 when:
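Review bot: The `Ensure hash algorithm set` task still keys off `discovered_pam_remember` in both its `when` condition and its `loop`, while the capture step a few lines above registers `discovered_pam_pwhash`; the rename carried the old cross-reference forward, so the hash task runs over the 5.3.3.4.2 file list and errors on an undefined variable whenever that rule is skipped. Change the two references to `- discovered_pam_pwhash.stdout | length > 0` and `loop: "{{ discovered_pam_pwhash.stdout_lines }}"`. Separately, the capture grep only returns files that already contain `sha512` or `yescrypt`, so a pam_unix line carrying only `md5` or `sha256` would appear to be missed even though the replace pattern lists those values — worth confirming the intent. The AuthSelect task named at the end of the hunk continues outside it.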
@@ -134,20 +134,20 @@
 - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state"
 ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix.so\b' /etc/pam.d/{password,system}-auth | grep -Pv -- '\buse_authtok\b'
 changed_when: false
- failed_when: rhel9cis_pam_authtok.rc not in [ 0, 1 ]
- register: rhel9cis_pam_authtok
+ failed_when: discovered_pam_authtok.rc not in [ 0, 1 ]
+ register: discovered_pam_authtok
 - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | pam_files"
 when:
 - not rhel9cis_allow_authselect_updates
- - rhel9cis_pam_authtok is defined
- - rhel9cis_pam_authtok.stdout | length > 0
+ - discovered_pam_authtok is defined
+ - discovered_pam_authtok.stdout | length > 0
 ansible.builtin.lineinfile:
 path: "{{ item }}"
 regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$)
 line: \1\2\3\4use_authtok \5
 backrefs: true
- loop: "{{ rhel9cis_pam_authtok.stdout_lines }}"
+ loop: "{{ discovered_pam_authtok.stdout_lines }}"
 - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | Add use_authtok pam files AuthSelect"
 when:
diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml
index a5cd8c5..9e92e86 100644
--- a/tasks/section_5/cis_5.4.1.x.yml
+++ b/tasks/section_5/cis_5.4.1.x.yml
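Review bot: In the `pam_files` task the loop items come from `grep -PH`, which prints `file:line` pairs with no `cut` applied, so `path: "{{ item }}"` is not a file path and the task should fail on every item; the sibling capture tasks in this file pipe through `cut -d ':' -f1 | uniq`. The `lineinfile` regexp also requires `use_authtok` to be present already, whereas the capture deliberately selects the lines that lack it (`grep -Pv`), so even with a valid path nothing would be rewritten and the control is effectively a no-op in the non-authselect path. A minimal repair is to append `| cut -d ':' -f1 | uniq` to the capture command, and set `regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix\.so)(.*)$` with `line: \1\2\3\4 use_authtok`. The AuthSelect task named at the end of the hunk continues outside it.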
@@ -129,22 +129,22 @@
 changed_when: false
 failed_when: false
 check_mode: false
- register: rhel9cis_5_4_1_5_inactive_settings
+ register: discovered_passwdlck_inactive_settings
 - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set default inactive setting"
 ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
- when: rhel9cis_5_4_1_5_inactive_settings.stdout | length == 0
+ when: discovered_passwdlck_inactive_settings.stdout | length == 0
 - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
 ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
 changed_when: false
 check_mode: false
- register: rhel9cis_5_4_1_5_user_list
+ register: discovered_passwdlck_user_list
 - name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
 when: item in prelim_interactive_usernames.stdout
 ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
- loop: "{{ rhel9cis_5_4_1_5_user_list.stdout_lines }}"
+ loop: "{{ discovered_passwdlck_user_list.stdout_lines }}"
 - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past"
 when:
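Review bot: The `Apply Inactive setting to existing accounts` task gates on `item in prelim_interactive_usernames.stdout`, which is a substring test against the raw stdout rather than a membership test, so a constructed example such as a user `bob` also passes when only `bobby` is interactive (assuming that register holds one name per line, as the `_lines` usage elsewhere in this file suggests). `when: item in prelim_interactive_usernames.stdout_lines` gives the intended exact match. The `chage` call already quotes the item, which is the right pattern for a value read from /etc/shadow.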
@@ -162,32 +162,32 @@
 changed_when: false
 failed_when: false
 check_mode: false
- register: rhel9cis_5_4_1_6_currentut
+ register: discovered_passwdlck_currentunixtime
 - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
- ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_4_1_6_currentut.stdout }})print$1}'"
+ ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ discovered_passwdlck_currentunixtime.stdout }})print$1}'"
 changed_when: false
 failed_when: false
 check_mode: false
- register: rhel9cis_5_4_1_6_user_list
+ register: discovered_passwdlck_user_future
 - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
 ansible.builtin.debug:
- msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_4_1_6_user_list.stdout_lines }}"
+ msg: "Warning!! The following accounts have the last PW change date in the future: {{ discovered_passwdlck_user_future.stdout_lines }}"
 when:
- - rhel9cis_5_4_1_6_user_list.stdout | length > 0
+ - discovered_passwdlck_user_future.stdout | length > 0
 - not rhel9cis_futurepwchgdate_autofix
 - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | warning count"
 ansible.builtin.import_tasks:
 file: warning_facts.yml
 when:
- - rhel9cis_5_4_1_6_user_list.stdout | length > 0
+ - discovered_passwdlck_user_future.stdout | length > 0
 - not rhel9cis_futurepwchgdate_autofix
 - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
 ansible.builtin.shell: passwd --expire {{ item }}
 when:
- - rhel9cis_5_4_1_5_user_list.stdout | length > 0
+ - discovered_passwdlck_user_future.stdout | length > 0
 - rhel9cis_futurepwchgdate_autofix
- loop: "{{ rhel9cis_5_4_1_6_user_list.stdout_lines }}"
+ loop: "{{ 
discovered_passwdlck_user_future.stdout_lines }}"
diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml
index 4274429..9e42ee2 100644
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@@ -149,7 +149,7 @@
 local2,local3.* -/var/log/localmessages
 local4,local5.* -/var/log/localmessages
 local6,local7.* -/var/log/localmessages
- *.emrg :omusrmsg:*
+ *.emerg :omusrmsg:*
 insertafter: '#### RULES ####'
 notify: Restart rsyslog
diff --git a/tasks/section_6/cis_6.2.4.1.yml b/tasks/section_6/cis_6.2.4.1.yml
index dd584e0..8111ef4 100644
--- a/tasks/section_6/cis_6.2.4.1.yml
+++ b/tasks/section_6/cis_6.2.4.1.yml
@@ -27,8 +27,8 @@
 ansible.builtin.file:
 path: "{{ item }}"
 mode: 'u-x,g-wx,o-rwx'
- failed_when: rhel9cis_logfile_list.state not in '[ file, absent ]'
- register: rhel9cis_logfile_list
+ failed_when: discovered_logfile_list.state not in '[ file, absent ]'
+ register: discovered_logfile_list
 loop: "{{ discovered_logfiles.stdout_lines }}"
 - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
@@ -38,8 +38,8 @@
 ansible.builtin.file:
 path: "{{ item }}"
 mode: 'u-x,g-x,o-rwx'
- failed_when: rhel9cis_logfile_list.state not in '[ file, absent ]'
- register: rhel9cis_logfile_list
+ failed_when: discovered_logfile_list.state not in '[ file, absent ]'
+ register: discovered_logfile_list
 loop: "{{ discovered_logfiles.stdout_lines }}"
 - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
@@ -53,6 +53,6 @@
 ansible.builtin.file:
 path: "{{ item }}"
 mode: 'ug-x,o-wx'
- failed_when: rhel9cis_logfile_list.state not in '[ file, absent ]'
- register: rhel9cis_logfile_list
+ failed_when: discovered_logfile_list.state not in '[ file, absent ]'
+ register: discovered_logfile_list
 loop: "{{ discovered_logfiles.stdout_lines }}"
diff --git a/tasks/section_6/cis_6.3.1.x.yml b/tasks/section_6/cis_6.3.1.x.yml
index b25ab69..3039f2c 100644
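Review bot: The future-date check in the 5.4.1.6 hunk compares `$3` of /etc/shadow against `discovered_passwdlck_currentunixtime.stdout`, and field 3 of shadow is the last-change date in days since the epoch; if the command feeding that register (it sits outside the hunk) emits seconds, as the new name suggests, `$3 > seconds` is never true and no account is ever flagged, so verify that the value is in days (e.g. `date +%s` divided by 86400). Because that task carries `failed_when: false`, an empty or malformed value turns the awk program into a syntax error that is silently masked, so a `discovered_passwdlck_currentunixtime.stdout | length > 0` condition on the list task would make such a failure visible. For consistency with the 5.4.1.5 `chage` call, `passwd --expire "{{ item }}"` should quote the username taken from /etc/shadow.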
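Review bot: `failed_when: discovered_logfile_list.state not in '[ file, absent ]'` in all three cis_6.2.4.1.yml hunks tests the returned `state` as a substring of the string literal `'[ file, absent ]'`, not as membership of a list; it reads as a list and happens to work for the values `file` and `absent` only because they are substrings of that text. The same construct is used for `discovered_audit_conf_file_list` in the three cis_6.3.4.x.yml hunks below. Write it as a real list, `failed_when: discovered_logfile_list.state not in ['file', 'absent']`, so the intent survives the next edit, and decide explicitly whether `directory` or `link` entries from `discovered_logfiles` should fail the task or be skipped.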
--- a/tasks/section_6/cis_6.3.1.x.yml
+++ b/tasks/section_6/cis_6.3.1.x.yml
@@ -42,13 +42,13 @@
 changed_when: false
 failed_when: false
 check_mode: false
- register: rhel9cis_6_3_1_2_grubby_curr_value_audit_linux
+ register: discovered_grubby_curr_value_audit_linux
 - name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed"
 when:
- - rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout == '' or '0' in rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout or 'off' in rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout|lower
+ - discovered_grubby_curr_value_audit_linux.stdout == '' or '0' in discovered_grubby_curr_value_audit_linux.stdout or 'off' in discovered_grubby_curr_value_audit_linux.stdout|lower
 ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1"
 - name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
@@ -71,25 +71,25 @@
 changed_when: false
 failed_when: false
 check_mode: false
- register: rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux
+ register: discovered_grubby_curr_value_backlog_linux
 - name: "6.3.1.3 | AUDIT | Check to see if limits are set"
 when:
- - rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux is not defined or rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux.stdout_lines == []
+ - discovered_grubby_curr_value_backlog_linux is not defined or discovered_grubby_curr_value_backlog_linux.stdout_lines == []
 ansible.builtin.set_fact:
- rhel9cis_6_3_1_3_reset_backlog_limits: true
+ discovered_reset_backlog_limits: true
 - name: "6.3.1.3 | AUDIT | Check to see if any limits are too low"
 when:
 - (item | int < rhel9cis_audit_back_log_limit)
 ansible.builtin.set_fact:
- rhel9cis_6_3_1_3_reset_backlog_limits: true
- loop: "{{ rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux.stdout_lines }}"
+ discovered_reset_backlog_limits: true
+ loop: "{{ discovered_grubby_curr_value_backlog_linux.stdout_lines }}"
 - name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied"
 when:
- - rhel9cis_6_3_1_3_reset_backlog_limits is defined
+ - discovered_reset_backlog_limits is defined
 ansible.builtin.shell:
 cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml
index 5977406..c89af87 100644
--- a/tasks/section_6/cis_6.3.4.x.yml
+++ b/tasks/section_6/cis_6.3.4.x.yml
@@ -50,8 +50,8 @@
 ansible.builtin.file:
 path: "{{ item.path }}"
 mode: 'u-x,g-wx,o-rwx'
- failed_when: rhel9cis_6_3_4_5_file_list.state not in '[ file, absent ]'
- register: rhel9cis_6_3_4_5_file_list
+ failed_when: discovered_audit_conf_file_list.state not in '[ file, absent ]'
+ register: discovered_audit_conf_file_list
 loop: "{{ prelim_auditd_conf_files.files }}"
 loop_control:
 label: "{{ item.path }}"
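Review bot: In the cis_6.3.4.x.yml hunk at `@@ -50,8 +50,8 @@` the loop is `loop: "{{ prelim_auditd_conf_files.files }}"`, while the two sibling 6.3.4.6/6.3.4.7 hunks that now share the same `discovered_audit_conf_file_list` register use `prelim_auditd_conf_files.files | default([])`; if the prelim fact is absent or has no `files` key, only this first task errors. Align it with `loop: "{{ prelim_auditd_conf_files.files | default([]) }}"`. The enclosing task starts before the hunk, so its name and `when` are not visible here.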
@@ -68,8 +68,8 @@
 ansible.builtin.file:
 path: "{{ item.path }}"
 owner: root
- failed_when: rhel9cis_6_3_4_6_file_list.state not in '[ file, absent ]'
- register: rhel9cis_6_3_4_6_file_list
+ failed_when: discovered_audit_conf_file_list.state not in '[ file, absent ]'
+ register: discovered_audit_conf_file_list
 loop: "{{ prelim_auditd_conf_files.files | default([]) }}"
 loop_control:
 label: "{{ item.path }}"
@@ -86,8 +86,8 @@
 ansible.builtin.file:
 path: "{{ item.path }}"
 group: root
- failed_when: rhel9cis_6_3_4_7_file_list.state not in '[ file, absent ]'
- register: rhel9cis_6_3_4_7_file_list
+ failed_when: discovered_audit_conf_file_list.state not in '[ file, absent ]'
+ register: discovered_audit_conf_file_list
 loop: "{{ prelim_auditd_conf_files.files | default([]) }}"
 loop_control:
 label: "{{ item.path }}"
diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml
index 4c95687..0fe5fe7 100644
--- a/tasks/section_7/cis_7.1.x.yml
+++ b/tasks/section_7/cis_7.1.x.yml
@@ -202,9 +202,9 @@
 - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit"
 ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -o+w ! -perm -1002 2>/dev/null | xargs chmod a+t
- failed_when: rhel9cis_set_stickybit.rc not in [ 0, 123 ]
- changed_when: rhel9cis_set_stickybit.rc == 0
- register: rhel9cis_set_stickybit
+ failed_when: discovered_set_stickybit.rc not in [ 0, 123 ]
+ changed_when: discovered_set_stickybit.rc == 0
+ register: discovered_set_stickybit
 - name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist"
 when: