Merge pull request #3 from ansible-lockdown/benchmark_v2.0.0

Benchmark to devel
This commit is contained in:
uk-bolly 2024-09-10 14:11:54 +01:00 committed by GitHub
commit cd829d16ac
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
17 changed files with 164 additions and 150 deletions


@ -733,16 +733,20 @@ rhel9cis_firewall: firewalld
rhel9cis_default_zone: public rhel9cis_default_zone: public
## Controls 4.3.x nftables ## Controls 4.3.x nftables
# This variable stores the name of the table to be used when configuring nftables(creating chains, configuring loopback
# traffic, established connections, default deny). If 'rhel9cis_nft_tables_autonewtable' is set as true, a new table will ## 4.3.1 Ensure nftables base chains exist
# be created using as name the value stored by this variable.
rhel9cis_nft_tables_tablename: filter
## Ensure nftables base chains exist
# This variable governs if a nftables base chain(entry point for packets from the networking stack) will be automatically # This variable governs if a nftables base chain(entry point for packets from the networking stack) will be automatically
# created, if needed. Without a chain, a hook for input, forward, and delete, packets that would flow through those # created, if needed. Without a chain, a hook for input, forward, and delete, packets that would flow through those
# chains will not be touched by nftables. # chains will not be touched by nftables.
rhel9cis_nft_tables_autochaincreate: true rhel9cis_nft_tables_autochaincreate: true
## 4.3.2 Create tables if required
rhel9cis_nft_tables_autonewtable: true
# This variable stores the name of the table to be used when configuring nftables(creating chains, configuring loopback
# traffic, established connections, default deny). If 'rhel9cis_nft_tables_autonewtable' is set as true, a new table will
# be created using as name the value stored by this variable.
rhel9cis_nft_tables_tablename: filter
## Section5 vars ## Section5 vars
## Section 5.1 - SSH ## Section 5.1 - SSH
@ -750,7 +754,7 @@ rhel9cis_nft_tables_autochaincreate: true
# This value, containing the absolute filepath of the produced 'sshd' config file, allows usage of # This value, containing the absolute filepath of the produced 'sshd' config file, allows usage of
# drop-in files('/etc/ssh/ssh_config.d/{ssh_drop_in_name}.conf', supported by RHEL9) when CIS adopts them. # drop-in files('/etc/ssh/ssh_config.d/{ssh_drop_in_name}.conf', supported by RHEL9) when CIS adopts them.
# Otherwise, the default value is '/etc/ssh/ssh_config'. # Otherwise, the default value is '/etc/ssh/ssh_config'.
rhel9_cis_sshd_config_file: /etc/ssh/sshd_config rhel9cis_sshd_config_file: /etc/ssh/sshd_config
## Controls: ## Controls:
## - 5.1.7 - Ensure SSH access is limited ## - 5.1.7 - Ensure SSH access is limited
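Review bot: The comment above `rhel9cis_sshd_config_file` still points at the client-side paths — `/etc/ssh/ssh_config.d/{ssh_drop_in_name}.conf` and `/etc/ssh/ssh_config` — while the variable and every task that consumes it write the server configuration, so the drop-in hint sends a user to the wrong directory; it should read `# drop-in files ('/etc/ssh/sshd_config.d/<name>.conf', supported by RHEL9) when CIS adopts them.` and `# Otherwise, the default value is '/etc/ssh/sshd_config'.` The rename from `rhel9_cis_sshd_config_file` to `rhel9cis_sshd_config_file` ships without a compatibility shim, so an inventory that still sets the old name silently falls back to `/etc/ssh/sshd_config` instead of failing; a prelim assert that the old name is undefined would surface that. The new `rhel9cis_nft_tables_autonewtable: true` also carries no comment of its own — the text beneath it describes the table name — so a one-liner such as `# If true, the nftables table named below is created by the role when it does not already exist.` placed above it would help.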


@ -196,14 +196,14 @@
# Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config # Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config
- name: "PRELIM | PATCH | SSH Config file is not exist" - name: "PRELIM | PATCH | SSH Config file is not exist"
when: when:
- rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config' - rhel9cis_sshd_config_file != '/etc/ssh/sshd_config'
- "'openssh-server' in ansible_facts.packages" - "'openssh-server' in ansible_facts.packages"
tags: tags:
- ssh - always
- level1_server - level1_server
- level1_workstation - level1_workstation
ansible.builtin.file: ansible.builtin.file:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
owner: root owner: root
group: root group: root
mode: '0600' mode: '0600'
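Review bot: The task is meant to create the drop-in file when `rhel9cis_sshd_config_file` is not the default, but `ansible.builtin.file` without a `state` does not create a missing path — per the module's documentation it only adjusts an existing one — so on a host where the drop-in is absent the task errors instead of creating it. Adding `state: touch` together with `modification_time: preserve` and `access_time: preserve` creates the file once and stays idempotent on later runs. If the chosen path sits under `/etc/ssh/sshd_config.d/`, the directory and an `Include` line in `sshd_config` must also exist, which nothing here checks. Retagging the task `always` looks right, since the later sshd `lineinfile` tasks depend on the file being present.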


@ -17,10 +17,10 @@
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists" - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists"
ansible.builtin.shell: mount -l | grep -w /dev/shm ansible.builtin.shell: mount -l | grep -w /dev/shm
changed_when: false changed_when: false
register: rhel9cis_1_8_1_1_mount_check register: discovered_dev_shm_mount_check
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition" - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition"
when: rhel9cis_1_8_1_1_mount_check.rc == 1 when: discovered_dev_shm_mount_check.rc == 1
block: block:
- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent"
ansible.builtin.debug: ansible.builtin.debug:


@ -141,12 +141,12 @@
- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Check if cron.allow exists" - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Check if cron.allow exists"
ansible.builtin.stat: ansible.builtin.stat:
path: "/etc/cron.allow" path: "/etc/cron.allow"
register: rhel9cis_2_4_1_8_cron_allow_state register: discovered_cron_allow_state
- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users" - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
ansible.builtin.file: ansible.builtin.file:
path: /etc/cron.allow path: /etc/cron.allow
state: '{{ "file" if rhel9cis_2_4_1_8_cron_allow_state.stat.exists else "touch" }}' state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}'
owner: root owner: root
group: root group: root
mode: u-x,g-wx,o-rwx mode: u-x,g-wx,o-rwx
@ -171,12 +171,12 @@
- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists"
ansible.builtin.stat: ansible.builtin.stat:
path: "/etc/at.allow" path: "/etc/at.allow"
register: rhel9cis_rule_2_4_2_1_at_allow_state register: discovered_at_allow_state
- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users"
ansible.builtin.file: ansible.builtin.file:
path: /etc/at.allow path: /etc/at.allow
state: '{{ "file" if rhel9cis_rule_2_4_2_1_at_allow_state.stat.exists else "touch" }}' state: '{{ "file" if discovered_at_allow_state.stat.exists else "touch" }}'
owner: root owner: root
group: root group: root
mode: u-x,g-wx,o-rwx mode: u-x,g-wx,o-rwx


@ -44,15 +44,15 @@
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: rhel9cis_3_1_2_wifi_status register: discovered_wifi_status
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wireless if network-manager installed"
when: when:
- "'network-manager' in ansible_facts.packages" - "'network-manager' in ansible_facts.packages"
- "'enabled' in rhel9cis_3_1_2_wifi_status.stdout" - "'enabled' in discovered_wifi_status.stdout"
ansible.builtin.shell: nmcli radio all off ansible.builtin.shell: nmcli radio all off
changed_when: rhel9cis_3_1_2_nmcli_radio_off.rc == 0 changed_when: discovered_nmcli_radio_off.rc == 0
register: rhel9cis_3_1_2_nmcli_radio_off register: discovered_nmcli_radio_off
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Warn about wireless if network-manager not installed"
when: "'network-manager' not in ansible_facts.packages" when: "'network-manager' not in ansible_facts.packages"


@ -16,13 +16,13 @@
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: rhel9cis_4_2_5_servicesport register: discovered_services_and_ports
- name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" - name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports"
ansible.builtin.debug: ansible.builtin.debug:
msg: msg:
- "The items below are the services and ports that are accepted, please correct as needed" - "The items below are the services and ports that are accepted, please correct as needed"
- "{{ rhel9cis_4_2_5_servicesport.stdout_lines }}" - "{{ discovered_services_and_ports.stdout_lines }}"
- name: "4.2.2 | PATCH | Ensure firewalld loopback traffic is configured | firewalld" - name: "4.2.2 | PATCH | Ensure firewalld loopback traffic is configured | firewalld"
when: when:


@ -1,5 +1,15 @@
--- ---
- name: "OPTIONAL | PATCH | Create Table if doesn't exist and required"
when:
- rhel9cis_nft_tables_autonewtable
- rhel9cis_rule_4_3_1
- rhel9cis_rule_4_3_2
- rhel9cis_rule_4_3_3
- rhel9cis_rule_4_3_4
tags: always
ansible.builtin.shell: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
- name: "4.3.1 | PATCH | Ensure nftables base chains exist" - name: "4.3.1 | PATCH | Ensure nftables base chains exist"
when: when:
- rhel9cis_rule_4_3_1 - rhel9cis_rule_4_3_1
@ -15,30 +25,30 @@
ansible.builtin.shell: nft list ruleset | grep 'hook input' ansible.builtin.shell: nft list ruleset | grep 'hook input'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: rhel9cis_4_3_1_input_chains register: discovered_nftables_input_chains
- name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD"
ansible.builtin.shell: nft list ruleset | grep 'hook forward' ansible.builtin.shell: nft list ruleset | grep 'hook forward'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: rhel9cis_4_3_1_forward_chains register: discovered_nftables_forward_chains
- name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT"
ansible.builtin.shell: nft list ruleset | grep 'hook output' ansible.builtin.shell: nft list ruleset | grep 'hook output'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: rhel9cis_4_3_1_output_chains register: discovered_nftables_output_chains
- name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Display chains for review" - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Display chains for review"
when: not rhel9cis_nft_tables_autochaincreate when: not rhel9cis_nft_tables_autochaincreate
ansible.builtin.debug: ansible.builtin.debug:
msg: msg:
- "Below are the current INPUT chains" - "Below are the current INPUT chains"
- "{{ rhel9cis_4_3_1_input_chains.stdout_lines }}" - "{{ discovered_nftables_input_chains.stdout_lines }}"
- "Below are the current FORWARD chains" - "Below are the current FORWARD chains"
- "{{ rhel9cis_4_3_1_forward_chains.stdout_lines }}" - "{{ discovered_nftables_forward_chains.stdout_lines }}"
- "Below are teh current OUTPUT chains" - "Below are teh current OUTPUT chains"
- "{{ rhel9cis_4_3_1_output_chains.stdout_lines }}" - "{{ discovered_nftables_output_chains.stdout_lines }}"
- name: "4.3.1 | PATCH | Ensure nftables base chains exist | Create chains if needed" - name: "4.3.1 | PATCH | Ensure nftables base chains exist | Create chains if needed"
when: rhel9cis_nft_tables_autochaincreate when: rhel9cis_nft_tables_autochaincreate
@ -64,36 +74,36 @@
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: rhel9cis_4_3_2_inconnectionrule register: discovered_nftables_inconnectionrule
- name: "4.3.2| AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules" - name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules"
ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: rhel9cis_4_3_2_outconnectionrule register: discovered_nftables_outconnectionrule
- name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy" - name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy"
when: '"ip protocol tcp ct state established accept" not in rhel9cis_4_3_2_inconnectionrule.stdout' when: '"ip protocol tcp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept ansible.builtin.shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy" - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy"
when: '"ip protocol udp ct state established accept" not in rhel9cis_4_3_2_inconnectionrule.stdout' when: '"ip protocol udp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy" - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy"
when: '"ip protocol icmp ct state established accept" not in rhel9cis_4_3_2_inconnectionrule.stdout' when: '"ip protocol icmp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy" - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy"
when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_4_3_2_outconnectionrule.stdout' when: '"ip protocol tcp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy" - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy"
when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_4_3_2_outconnectionrule.stdout' when: '"ip protocol udp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy" - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy"
when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_4_3_2_outconnectionrule.stdout' when: '"ip protocol icmp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy" - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy"
@ -111,40 +121,40 @@
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input'
failed_when: false failed_when: false
changed_when: false changed_when: false
register: rhel9cis_4_3_3_inputpolicy register: discovered_nftables_inputpolicy
- name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy"
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward'
failed_when: false failed_when: false
changed_when: false changed_when: false
register: rhel9cis_4_3_3_forwardpolicy register: discovered_nftables_forwardpolicy
- name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy"
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output'
failed_when: false failed_when: false
changed_when: false changed_when: false
register: rhel9cis_4_3_3_outputpolicy register: discovered_nftables_outputpolicy
- name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow"
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh'
failed_when: false failed_when: false
changed_when: false changed_when: false
register: rhel9cis_4_3_3_sshallowcheck register: discovered_nftables_sshallowcheck
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic"
when: '"tcp dport ssh accept" not in rhel9cis_4_3_3_sshallowcheck.stdout' when: '"tcp dport ssh accept" not in discovered_nftables_sshallowcheck.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy"
when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_4_3_3_inputpolicy.stdout' when: '"type filter hook input priority 0; policy drop;" not in discovered_nftables_inputpolicy.stdout'
ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; }
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy"
when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_4_3_3_forwardpolicy.stdout' when: '"type filter hook forward priority 0; policy drop;" not in discovered_nftables_forwardpolicy.stdout'
ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; }
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy"
when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_4_3_3_outputpolicy.stdout' when: '"type filter hook output priority 0; policy drop;" not in discovered_nftables_outputpolicy.stdout'
ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured" - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured"
@ -162,28 +172,28 @@
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: rhel9cis_4_3_4_iiflo register: discovered_nftables_iiflo
- name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence | nftables" - name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence | nftables"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: rhel9cis_4_3_4_ipsaddr register: discovered_nftables_ipsaddr
- name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence | nftables" - name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence | nftables"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: rhel9cis_4_3_4_ip6saddr register: discovered_nftables_ip6saddr
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule | nftables" - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule | nftables"
when: '"iif \"lo\" accept" not in rhel9cis_4_3_4_iiflo.stdout' when: '"iif \"lo\" accept" not in discovered_nftables_iiflo.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables" - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables"
when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_4_3_4_ipsaddr.stdout' when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in discovered_nftables_ipsaddr.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule | nftables" - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule | nftables"
when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_4_3_4_ip6saddr.stdout' when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in discovered_nftables_ip6saddr.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
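Review bot: The new table-creation task lists the four `rhel9cis_rule_4_3_x` flags as separate `when` items, which Ansible ANDs together, so the table is only created when every one of 4.3.1–4.3.4 is enabled; a run with, say, only 4.3.3 switched on then executes `nft add rule inet filter ...` against a table that does not exist. Collapse them into one disjunction: `- rhel9cis_rule_4_3_1 or rhel9cis_rule_4_3_2 or rhel9cis_rule_4_3_3 or rhel9cis_rule_4_3_4`. The task also runs `ansible.builtin.shell` with a templated table name and no `changed_when`, so it reports changed on every run and passes the value through a shell; using `ansible.builtin.command` as the sibling tasks do, conditioned on a registered `nft list tables` check, would make it idempotent — the same applies to the input tcp rule, which this commit switched from `command` to `shell` for no visible reason. Separately, the loopback audit tasks match on the literal `counter packets 0 bytes 0 drop`, so once the counters tick the rule is appended again on each run.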


@ -37,7 +37,7 @@
patterns: 'ssh_host_*_key' patterns: 'ssh_host_*_key'
recurse: true recurse: true
file_type: any file_type: any
register: rhel9cis_5_1_2_ssh_private_host_key register: discovered_ssh_private_host_key
- name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys" - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys"
ansible.builtin.file: ansible.builtin.file:
@ -45,7 +45,7 @@
owner: root owner: root
group: root group: root
mode: 'u-x,go-rwx' mode: 'u-x,go-rwx'
loop: "{{ rhel9cis_5_1_2_ssh_private_host_key.files }}" loop: "{{ discovered_ssh_private_host_key.files }}"
loop_control: loop_control:
label: "{{ item.path }}" label: "{{ item.path }}"
@ -67,7 +67,7 @@
patterns: 'ssh_host_*_key.pub' patterns: 'ssh_host_*_key.pub'
recurse: true recurse: true
file_type: any file_type: any
register: rhel9cis_5_1_3_ssh_public_host_key register: discovered_ssh_public_host_key
- name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys" - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys"
ansible.builtin.file: ansible.builtin.file:
@ -75,7 +75,7 @@
owner: root owner: root
group: root group: root
mode: 'u-x,go-wx' mode: 'u-x,go-wx'
loop: "{{ rhel9cis_5_1_3_ssh_public_host_key.files }}" loop: "{{ discovered_ssh_public_host_key.files }}"
loop_control: loop_control:
label: "{{ item.path }}" label: "{{ item.path }}"
@ -178,7 +178,7 @@
- name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for allowusers" - name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for allowusers"
when: "rhel9cis_sshd_allowusers | length > 0" when: "rhel9cis_sshd_allowusers | length > 0"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: "^AllowUsers" regexp: "^AllowUsers"
line: "AllowUsers {{ rhel9cis_sshd_allowusers }}" line: "AllowUsers {{ rhel9cis_sshd_allowusers }}"
validate: sshd -t -f %s validate: sshd -t -f %s
@ -187,7 +187,7 @@
- name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for allowgroups" - name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for allowgroups"
when: "rhel9cis_sshd_allowgroups | length > 0" when: "rhel9cis_sshd_allowgroups | length > 0"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: "^AllowGroups" regexp: "^AllowGroups"
line: "AllowGroups {{ rhel9cis_sshd_allowgroups }}" line: "AllowGroups {{ rhel9cis_sshd_allowgroups }}"
validate: sshd -t -f %s validate: sshd -t -f %s
@ -196,7 +196,7 @@
- name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denyusers" - name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denyusers"
when: "rhel9cis_sshd_denyusers | length > 0" when: "rhel9cis_sshd_denyusers | length > 0"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: "^DenyUsers" regexp: "^DenyUsers"
line: "DenyUsers {{ rhel9cis_sshd_denyusers }}" line: "DenyUsers {{ rhel9cis_sshd_denyusers }}"
validate: sshd -t -f %s validate: sshd -t -f %s
@ -205,7 +205,7 @@
- name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denygroups" - name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denygroups"
when: "rhel9cis_sshd_denygroups | length > 0" when: "rhel9cis_sshd_denygroups | length > 0"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: "^DenyGroups" regexp: "^DenyGroups"
line: "DenyGroups {{ rhel9cis_sshd_denygroups }}" line: "DenyGroups {{ rhel9cis_sshd_denygroups }}"
validate: sshd -t -f %s validate: sshd -t -f %s
@ -226,7 +226,7 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: '^Banner' regexp: '^Banner'
line: 'Banner /etc/issue.net' line: 'Banner /etc/issue.net'
@ -247,7 +247,7 @@
block: block:
- name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Add line in sshd_config for ClientAliveInterval" - name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Add line in sshd_config for ClientAliveInterval"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: '^ClientAliveInterval' regexp: '^ClientAliveInterval'
line: "ClientAliveInterval {{ rhel9cis_sshd_clientaliveinterval }}" line: "ClientAliveInterval {{ rhel9cis_sshd_clientaliveinterval }}"
validate: sshd -t -f %s validate: sshd -t -f %s
@ -255,7 +255,7 @@
- name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Ensure SSH ClientAliveCountMax set to <= 3" - name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Ensure SSH ClientAliveCountMax set to <= 3"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: '^ClientAliveCountMax' regexp: '^ClientAliveCountMax'
line: "ClientAliveCountMax {{ rhel9cis_sshd_clientalivecountmax }}" line: "ClientAliveCountMax {{ rhel9cis_sshd_clientalivecountmax }}"
validate: sshd -t -f %s validate: sshd -t -f %s
@ -274,7 +274,7 @@
block: block:
- name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | config file" - name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | config file"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(#|)\s*DisableForwarding regexp: ^(#|)\s*DisableForwarding
line: 'DisableForwarding yes' line: 'DisableForwarding yes'
validate: sshd -t -f %s validate: sshd -t -f %s
@ -313,7 +313,7 @@
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | ssh config" - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | ssh config"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*GSSAPIAuthentication regexp: ^(?i)(#|)\s*GSSAPIAuthentication
line: GSSAPIAuthentication no line: GSSAPIAuthentication no
validate: sshd -t -f %s validate: sshd -t -f %s
@ -334,7 +334,7 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*HostbasedAuthentication regexp: ^(?i)(#|)\s*HostbasedAuthentication
line: 'HostbasedAuthentication no' line: 'HostbasedAuthentication no'
validate: sshd -t -f %s validate: sshd -t -f %s
@ -355,7 +355,7 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*IgnoreRhosts regexp: ^(?i)(#|)\s*IgnoreRhosts
line: 'IgnoreRhosts yes' line: 'IgnoreRhosts yes'
validate: sshd -t -f %s validate: sshd -t -f %s
@ -372,7 +372,7 @@
- rule_5.1.14 - rule_5.1.14
- NIST800-53R5_CM-6 - NIST800-53R5_CM-6
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*LoginGraceTime regexp: ^(?i)(#|)\s*LoginGraceTime
line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}" line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}"
validate: sshd -t -f %s validate: sshd -t -f %s
@ -391,7 +391,7 @@
- NIST800-53R5_AU-12 - NIST800-53R5_AU-12
- NIST800-53R5_SI-5 - NIST800-53R5_SI-5
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*LogLevel regexp: ^(?i)(#|)\s*LogLevel
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
validate: sshd -t -f %s validate: sshd -t -f %s
@ -408,7 +408,7 @@
- rule_5.1.16 - rule_5.1.16
- NIST800-53R5_AU-3 - NIST800-53R5_AU-3
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: '^(#)?MaxAuthTries \d' regexp: '^(#)?MaxAuthTries \d'
line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}' line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}'
validate: sshd -t -f %s validate: sshd -t -f %s
@ -429,7 +429,7 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*MaxStartups regexp: ^(?i)(#|)\s*MaxStartups
line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}' line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}'
validate: sshd -t -f %s validate: sshd -t -f %s
@ -450,7 +450,7 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*MaxSessions regexp: ^(?i)(#|)\s*MaxSessions
line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
validate: sshd -t -f %s validate: sshd -t -f %s
@ -471,7 +471,7 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*PermitEmptyPasswords regexp: ^(?i)(#|)\s*PermitEmptyPasswords
line: 'PermitEmptyPasswords no' line: 'PermitEmptyPasswords no'
validate: sshd -t -f %s validate: sshd -t -f %s
@ -490,7 +490,7 @@
block: block:
- name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled | config file" - name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled | config file"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*PermitRootLogin regexp: ^(?i)(#|)\s*PermitRootLogin
line: 'PermitRootLogin no' line: 'PermitRootLogin no'
validate: sshd -t -f %s validate: sshd -t -f %s
@ -517,7 +517,7 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*PermitUserEnvironment regexp: ^(?i)(#|)\s*PermitUserEnvironment
line: 'PermitUserEnvironment no' line: 'PermitUserEnvironment no'
validate: sshd -t -f %s validate: sshd -t -f %s
@ -538,7 +538,7 @@
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9_cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*UsePAM regexp: ^(?i)(#|)\s*UsePAM
line: 'UsePAM yes' line: 'UsePAM yes'
validate: sshd -t -f %s validate: sshd -t -f %s


@ -57,21 +57,21 @@
- rule_5.2.4 - rule_5.2.4
- NIST800-53R5_AC-6 - NIST800-53R5_AC-6
block: block:
- name: "5.2.4 | AUDIT | Ensure users must provide password for escalation | discover accts with NOPASSWD" - name: "5.2.4 | AUDIT | Ensure users must provide password for escalation | Discover accts with NOPASSWD"
ansible.builtin.shell: grep -Ei '(nopasswd)' /etc/sudoers /etc/sudoers.d/* | cut -d':' -f1 ansible.builtin.shell: grep -Ei '(nopasswd)' /etc/sudoers /etc/sudoers.d/* | cut -d':' -f1
become: true become: true
changed_when: false changed_when: false
failed_when: false failed_when: false
register: rhel9cis_5_2_4_nopasswd register: discovered_nopasswd_sudoers
- name: "5.2.4 | PATCH | Ensure users must provide password for escalation" - name: "5.2.4 | PATCH | Ensure users must provide password for escalation | Remove nopasswd for accounts not excluded"
when: rhel9cis_5_2_4_nopasswd.std | length > 0 when: discovered_nopasswd_sudoers.stdout | length > 0
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ item }}" path: "{{ item }}"
regexp: '^((?!#|{% for name in rhel9cis_sudoers_exclude_nopasswd_list %}{{ name }}{% if not loop.last -%}|{%- endif -%}{% endfor %}).*)NOPASSWD(.*)' regexp: '^((?!#|{% for name in rhel9cis_sudoers_exclude_nopasswd_list %}{{ name }}{% if not loop.last -%}|{%- endif -%}{% endfor %}).*)NOPASSWD(.*)'
replace: '\1PASSWD\2' replace: '\1PASSWD\2'
validate: '/usr/sbin/visudo -cf %s' validate: '/usr/sbin/visudo -cf %s'
loop: "{{ rhel9cis_5_2_4_nopasswd.stdout_lines }}" loop: "{{ discovered_nopasswd_sudoers.stdout_lines }}"
- name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
when: when:
@ -114,24 +114,24 @@
ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
changed_when: false changed_when: false
failed_when: false failed_when: false
register: rhel9cis_5_2_6_timeout_files register: discovered_sudo_timeout_files
- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
when: discovered_sudo_timeout_files.stdout | length == 0
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/sudoers path: /etc/sudoers
regexp: 'Defaults timestamp_timeout=' regexp: 'Defaults timestamp_timeout='
line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
validate: '/usr/sbin/visudo -cf %s' validate: '/usr/sbin/visudo -cf %s'
when: rhel9cis_5_2_6_timeout_files.stdout | length == 0
- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
when: discovered_sudo_timeout_files.stdout | length > 0
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ item }}" path: "{{ item }}"
regexp: 'timestamp_timeout=(\d+)' regexp: 'timestamp_timeout=(\d+)'
replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
validate: '/usr/sbin/visudo -cf %s' validate: '/usr/sbin/visudo -cf %s'
loop: "{{ rhel9cis_5_2_6_timeout_files.stdout_lines }}" loop: "{{ discovered_sudo_timeout_files.stdout_lines }}"
when: rhel9cis_5_2_6_timeout_files.stdout | length > 0
- name: "5.2.7 | PATCH | Ensure access to the su command is restricted" - name: "5.2.7 | PATCH | Ensure access to the su command is restricted"
when: when:
@ -149,7 +149,7 @@
ansible.builtin.group: ansible.builtin.group:
name: "{{ rhel9cis_sugroup }}" name: "{{ rhel9cis_sugroup }}"
state: present state: present
register: rhel9cis_5_2_7_sugroup register: discovered_sugroup
- name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group" - name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
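Review bot: The replace regexp on the 5.2.6 "Set value if has results" task, `timestamp_timeout=(\d+)`, does not match a negative value, so a file containing `timestamp_timeout=-1` (which in sudoers disables re-authentication until reboot) is found by the discovery grep, routes execution to this task, and is then left unchanged. Use `regexp: 'timestamp_timeout=(-?\d+)'` so the disabled-timeout case is rewritten as well; the `validate: '/usr/sbin/visudo -cf %s'` still guards the result. The discovery shell also pipes `uniq | sort`, which only removes adjacent duplicates before sorting — `sort -u` is the form that actually de-duplicates, although grep's per-file output makes the current order harmless in practice.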


@ -61,11 +61,11 @@
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config" - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config"
ansible.builtin.shell: authselect current | grep faillock ansible.builtin.shell: authselect current | grep faillock
changed_when: false changed_when: false
failed_when: rhel9cis_authselect_current_faillock.rc not in [ 0, 1 ] failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: rhel9cis_authselect_current_faillock register: discovered_authselect_current_faillock
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing"
when: rhel9cis_authselect_current_faillock.rc != 0 when: discovered_authselect_current_faillock.rc != 0
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
- name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled" - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
@ -85,11 +85,11 @@
- name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Get current config" - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Get current config"
ansible.builtin.shell: authselect current | grep quality ansible.builtin.shell: authselect current | grep quality
changed_when: false changed_when: false
failed_when: rhel9cis_authselect_current_quality.rc not in [ 0, 1 ] failed_when: discovered_authselect_current_quality.rc not in [ 0, 1 ]
register: rhel9cis_authselect_current_quality register: discovered_authselect_current_quality
- name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Add feature if missing" - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Add feature if missing"
when: rhel9cis_authselect_current_quality.rc != 0 when: discovered_authselect_current_quality.rc != 0
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
notify: Authselect update notify: Authselect update
@ -110,11 +110,11 @@
- name: "5.3.2.4 | AUDIT | Ensure pam_pwhistory module is enabled | Get current config" - name: "5.3.2.4 | AUDIT | Ensure pam_pwhistory module is enabled | Get current config"
ansible.builtin.shell: authselect current | grep pwhistory ansible.builtin.shell: authselect current | grep pwhistory
changed_when: false changed_when: false
failed_when: rhel9cis_authselect_current_history.rc not in [ 0, 1 ] failed_when: discovered_authselect_current_history.rc not in [ 0, 1 ]
register: rhel9cis_authselect_current_history register: discovered_authselect_current_history
- name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled | enable feature" - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled | enable feature"
when: rhel9cis_authselect_current_history.rc != 0 when: discovered_authselect_current_history.rc != 0
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
notify: Authselect update notify: Authselect update
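Review bot: The 5.3.2.2 "Add feature if missing" task (the `authselect select custom/...` shell guarded by `when: discovered_authselect_current_faillock.rc != 0`) has no `notify: Authselect update`, whereas the equivalent 5.3.2.3 and 5.3.2.4 tasks at the end of this section both notify that handler. Add `notify: Authselect update` to it so the same follow-up runs when faillock is the feature that triggered the profile change. All three `authselect select` shell tasks also lack `changed_when`, so each reports changed whenever its `rc != 0` guard lets it run; consider `changed_when: true` with a comment, or checking the command's output, so reports stay meaningful.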


@ -14,18 +14,18 @@
- name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | capture state" - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | capture state"
ansible.builtin.shell: grep -E "pam_unix.so.*nullok" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq ansible.builtin.shell: grep -E "pam_unix.so.*nullok" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq
changed_when: false changed_when: false
failed_when: rhel9cis_pam_nullok.rc not in [ 0, 1 ] failed_when: discovered_pam_nullok.rc not in [ 0, 1 ]
register: rhel9cis_pam_nullok register: discovered_pam_nullok
- name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Ensure nullok removed" - name: "5.3.3.4.1 | PATCH | Ensure pam_unix does not include nullok | Ensure nullok removed"
when: when:
- rhel9cis_pam_nullok.stdout | length > 0 - discovered_pam_nullok.stdout | length > 0
- not rhel9cis_allow_authselect_updates - not rhel9cis_allow_authselect_updates
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ item }}" path: "{{ item }}"
regexp: nullok regexp: nullok
replace: '' replace: ''
loop: "{{ rhel9cis_pam_nullok.stdout_lines }}" loop: "{{ discovered_pam_nullok.stdout_lines }}"
- name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect" - name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect"
when: when:
@ -53,18 +53,18 @@
- name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state" - name: "5.3.3.4.2 | AUDIT | Ensure pam_unix does not include remember | capture state"
ansible.builtin.shell: grep -E "password.*pam_unix.so.*remember" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq ansible.builtin.shell: grep -E "password.*pam_unix.so.*remember" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq
changed_when: false changed_when: false
failed_when: rhel9cis_pam_remember.rc not in [ 0, 1 ] failed_when: discovered_pam_remember.rc not in [ 0, 1 ]
register: rhel9cis_pam_remember register: discovered_pam_remember
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Ensure remember removed" - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Ensure remember removed"
when: when:
- not rhel9cis_allow_authselect_updates - not rhel9cis_allow_authselect_updates
- rhel9cis_pam_remember.stdout | length > 0 - discovered_pam_remember.stdout | length > 0
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ item }}" path: "{{ item }}"
regexp: remember regexp: remember
replace: '' replace: ''
loop: "{{ rhel9cis_pam_remember.stdout_lines }}" loop: "{{ discovered_pam_remember.stdout_lines }}"
- name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect" - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect"
when: when:
@ -93,18 +93,18 @@
- name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state" - name: "5.3.3.4.3 | AUDIT | Ensure pam_unix includes a strong password hashing algorithm | capture state"
ansible.builtin.shell: grep -E "password.*pam_unix.so.*(sha512|yescrypt)" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq ansible.builtin.shell: grep -E "password.*pam_unix.so.*(sha512|yescrypt)" /etc/pam.d/*-auth | cut -d ':' -f1 | uniq
changed_when: false changed_when: false
failed_when: rhel9cis_pam_pwhash.rc not in [ 0, 1 ] failed_when: discovered_pam_pwhash.rc not in [ 0, 1 ]
register: rhel9cis_pam_pwhash register: discovered_pam_pwhash
- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Ensure hash algorithm set" - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Ensure hash algorithm set"
when: when:
- not rhel9cis_allow_authselect_updates - not rhel9cis_allow_authselect_updates
- rhel9cis_pam_remember.stdout | length > 0 - discovered_pam_remember.stdout | length > 0
ansible.builtin.replace: ansible.builtin.replace:
path: "{{ item }}" path: "{{ item }}"
regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)" regexp: "(md5|bigcrypt|sha256|blowfish|gost_yescrypt|sha512|yescrypt)"
replace: '{{ rhel9cis_passwd_hash_algo }}' replace: '{{ rhel9cis_passwd_hash_algo }}'
loop: "{{ rhel9cis_pam_remember.stdout_lines }}" loop: "{{ discovered_pam_remember.stdout_lines }}"
- name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect" - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect"
when: when:
@ -134,20 +134,20 @@
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state" - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | capture state"
ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix.so\b' /etc/pam.d/{password,system}-auth | grep -Pv -- '\buse_authtok\b' ansible.builtin.shell: grep -PH -- '^\h*^password\h*[^#\n\r]+\h+pam_unix.so\b' /etc/pam.d/{password,system}-auth | grep -Pv -- '\buse_authtok\b'
changed_when: false changed_when: false
failed_when: rhel9cis_pam_authtok.rc not in [ 0, 1 ] failed_when: discovered_pam_authtok.rc not in [ 0, 1 ]
register: rhel9cis_pam_authtok register: discovered_pam_authtok
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | pam_files" - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | pam_files"
when: when:
- not rhel9cis_allow_authselect_updates - not rhel9cis_allow_authselect_updates
- rhel9cis_pam_authtok is defined - discovered_pam_authtok is defined
- rhel9cis_pam_authtok.stdout | length > 0 - discovered_pam_authtok.stdout | length > 0
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ item }}" path: "{{ item }}"
regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$) regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$)
line: \1\2\3\4use_authtok \5 line: \1\2\3\4use_authtok \5
backrefs: true backrefs: true
loop: "{{ rhel9cis_pam_authtok.stdout_lines }}" loop: "{{ discovered_pam_authtok.stdout_lines }}"
- name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | Add use_authtok pam files AuthSelect" - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | Add use_authtok pam files AuthSelect"
when: when:
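Review bot: The 5.3.3.4.4 "pam_files" task cannot take effect as written: the capture shell uses `grep -PH`, so each `stdout_lines` entry is `filename:matched line` rather than a path, and the lineinfile regexp `(.*)use_authtok(.*$)` only matches lines that already contain `use_authtok`, while the grep deliberately selected the lines that lack it — with `backrefs: true` and no match nothing is inserted. Reduce the capture to file names with `| cut -d ':' -f1 | sort -u`, and match a pam_unix password line that is missing the option, for example `regexp: '^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix\.so)(?!.*\buse_authtok\b)(.*)$'` with `line: '\1\2\3\4 use_authtok'`. The 5.3.3.4.3 hunk above has a related slip carried through the rename: its `when` and `loop` still read `discovered_pam_remember` instead of the `discovered_pam_pwhash` result registered two lines earlier, so the hash-algorithm rewrite runs over the wrong file list (or fails if 5.3.3.4.2 was skipped).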


@ -129,22 +129,22 @@
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: rhel9cis_5_4_1_5_inactive_settings register: discovered_passwdlck_inactive_settings
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set default inactive setting" - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set default inactive setting"
ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
when: rhel9cis_5_4_1_5_inactive_settings.stdout | length == 0 when: discovered_passwdlck_inactive_settings.stdout | length == 0
- name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
changed_when: false changed_when: false
check_mode: false check_mode: false
register: rhel9cis_5_4_1_5_user_list register: discovered_passwdlck_user_list
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
when: item in prelim_interactive_usernames.stdout when: item in prelim_interactive_usernames.stdout
ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
loop: "{{ rhel9cis_5_4_1_5_user_list.stdout_lines }}" loop: "{{ discovered_passwdlck_user_list.stdout_lines }}"
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past" - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past"
when: when:
@ -162,32 +162,32 @@
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: rhel9cis_5_4_1_6_currentut register: discovered_passwdlck_currentunixtime
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_4_1_6_currentut.stdout }})print$1}'" ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ discovered_passwdlck_currentunixtime.stdout }})print$1}'"
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: rhel9cis_5_4_1_6_user_list register: discovered_passwdlck_user_future
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_4_1_6_user_list.stdout_lines }}" msg: "Warning!! The following accounts have the last PW change date in the future: {{ discovered_passwdlck_user_future.stdout_lines }}"
when: when:
- rhel9cis_5_4_1_6_user_list.stdout | length > 0 - discovered_passwdlck_user_future.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix - not rhel9cis_futurepwchgdate_autofix
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | warning count" - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | warning count"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: warning_facts.yml file: warning_facts.yml
when: when:
- rhel9cis_5_4_1_6_user_list.stdout | length > 0 - discovered_passwdlck_user_future.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix - not rhel9cis_futurepwchgdate_autofix
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
ansible.builtin.shell: passwd --expire {{ item }} ansible.builtin.shell: passwd --expire {{ item }}
when: when:
- rhel9cis_5_4_1_5_user_list.stdout | length > 0 - discovered_passwdlck_user_future.stdout | length > 0
- rhel9cis_futurepwchgdate_autofix - rhel9cis_futurepwchgdate_autofix
loop: "{{ rhel9cis_5_4_1_6_user_list.stdout_lines }}" loop: "{{ discovered_passwdlck_user_future.stdout_lines }}"
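Review bot: The awk in "Get list of users with last changed pw date in the future" compares `$3` of /etc/shadow — which shadow(5) stores as days since the epoch — against `discovered_passwdlck_currentunixtime.stdout`; the variable name suggests the registered command (outside this hunk) yields seconds, and if so the comparison is never true, so no account is ever reported or expired. If that is the case, convert before comparing, e.g. `awk -F: -v now="{{ discovered_passwdlck_currentunixtime.stdout }}" '{ if ($3 > int(now/86400)) print $1 }' /etc/shadow`, which also drops the unneeded `cat`. For consistency with the `chage` call in 5.4.1.5, quote the loop item in the fix task: `passwd --expire "{{ item }}"`.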


@ -149,7 +149,7 @@
local2,local3.* -/var/log/localmessages local2,local3.* -/var/log/localmessages
local4,local5.* -/var/log/localmessages local4,local5.* -/var/log/localmessages
local6,local7.* -/var/log/localmessages local6,local7.* -/var/log/localmessages
*.emrg :omusrmsg:* *.emerg :omusrmsg:*
insertafter: '#### RULES ####' insertafter: '#### RULES ####'
notify: Restart rsyslog notify: Restart rsyslog


@ -27,8 +27,8 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
mode: 'u-x,g-wx,o-rwx' mode: 'u-x,g-wx,o-rwx'
failed_when: rhel9cis_logfile_list.state not in '[ file, absent ]' failed_when: discovered_logfile_list.state not in '[ file, absent ]'
register: rhel9cis_logfile_list register: discovered_logfile_list
loop: "{{ discovered_logfiles.stdout_lines }}" loop: "{{ discovered_logfiles.stdout_lines }}"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
@ -38,8 +38,8 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
mode: 'u-x,g-x,o-rwx' mode: 'u-x,g-x,o-rwx'
failed_when: rhel9cis_logfile_list.state not in '[ file, absent ]' failed_when: discovered_logfile_list.state not in '[ file, absent ]'
register: rhel9cis_logfile_list register: discovered_logfile_list
loop: "{{ discovered_logfiles.stdout_lines }}" loop: "{{ discovered_logfiles.stdout_lines }}"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
@ -53,6 +53,6 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
mode: 'ug-x,o-wx' mode: 'ug-x,o-wx'
failed_when: rhel9cis_logfile_list.state not in '[ file, absent ]' failed_when: discovered_logfile_list.state not in '[ file, absent ]'
register: rhel9cis_logfile_list register: discovered_logfile_list
loop: "{{ discovered_logfiles.stdout_lines }}" loop: "{{ discovered_logfiles.stdout_lines }}"
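Review bot: `failed_when: discovered_logfile_list.state not in '[ file, absent ]'` on all three tasks in this section tests substring membership in the quoted string `'[ file, absent ]'`, not membership in a list, so any value that happens to be a substring (e.g. `abs`) also passes and the intent is obscured. Write it as a YAML list: `failed_when: discovered_logfile_list.state not in ['file', 'absent']`. It is worth confirming on a missing path that the failed ansible.builtin.file result actually carries a `state` key; if it does not, the expression itself errors and a `| default('absent')` on the left side would be needed.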


@ -42,13 +42,13 @@
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: rhel9cis_6_3_1_2_grubby_curr_value_audit_linux register: discovered_grubby_curr_value_audit_linux
- name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed" - name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed"
when: when:
- rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout == '' or - discovered_grubby_curr_value_audit_linux.stdout == '' or
'0' in rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout or '0' in discovered_grubby_curr_value_audit_linux.stdout or
'off' in rhel9cis_6_3_1_2_grubby_curr_value_audit_linux.stdout|lower 'off' in discovered_grubby_curr_value_audit_linux.stdout|lower
ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1"
- name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" - name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
@ -71,25 +71,25 @@
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux register: discovered_grubby_curr_value_backlog_linux
- name: "6.3.1.3 | AUDIT | Check to see if limits are set" - name: "6.3.1.3 | AUDIT | Check to see if limits are set"
when: when:
- rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux is not defined or - discovered_grubby_curr_value_backlog_linux is not defined or
rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux.stdout_lines == [] discovered_grubby_curr_value_backlog_linux.stdout_lines == []
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_6_3_1_3_reset_backlog_limits: true discovered_reset_backlog_limits: true
- name: "6.3.1.3 | AUDIT | Check to see if any limits are too low" - name: "6.3.1.3 | AUDIT | Check to see if any limits are too low"
when: when:
- (item | int < rhel9cis_audit_back_log_limit) - (item | int < rhel9cis_audit_back_log_limit)
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_6_3_1_3_reset_backlog_limits: true discovered_reset_backlog_limits: true
loop: "{{ rhel9cis_6_3_1_3_grubby_curr_value_backlog_linux.stdout_lines }}" loop: "{{ discovered_grubby_curr_value_backlog_linux.stdout_lines }}"
- name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied" - name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied"
when: when:
- rhel9cis_6_3_1_3_reset_backlog_limits is defined - discovered_reset_backlog_limits is defined
ansible.builtin.shell: ansible.builtin.shell:
cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
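Review bot: In "Check to see if any limits are too low", `item | int < rhel9cis_audit_back_log_limit` casts only the left operand; if the limit is supplied as a string via extra-vars or inventory, Jinja raises a TypeError comparing int with str and the task errors. Cast both sides: `- (item | int) < (rhel9cis_audit_back_log_limit | int)`. The `discovered_grubby_curr_value_backlog_linux is not defined` test is redundant if the registering task just above always runs — `register` sets the variable even for an empty result — so the `stdout_lines == []` clause is the one doing the work; and the grubby shell task has no `changed_when`, so it reports changed on every run its `is defined` guard permits.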


@ -50,8 +50,8 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
mode: 'u-x,g-wx,o-rwx' mode: 'u-x,g-wx,o-rwx'
failed_when: rhel9cis_6_3_4_5_file_list.state not in '[ file, absent ]' failed_when: discovered_audit_conf_file_list.state not in '[ file, absent ]'
register: rhel9cis_6_3_4_5_file_list register: discovered_audit_conf_file_list
loop: "{{ prelim_auditd_conf_files.files }}" loop: "{{ prelim_auditd_conf_files.files }}"
loop_control: loop_control:
label: "{{ item.path }}" label: "{{ item.path }}"
@ -68,8 +68,8 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
owner: root owner: root
failed_when: rhel9cis_6_3_4_6_file_list.state not in '[ file, absent ]' failed_when: discovered_audit_conf_file_list.state not in '[ file, absent ]'
register: rhel9cis_6_3_4_6_file_list register: discovered_audit_conf_file_list
loop: "{{ prelim_auditd_conf_files.files | default([]) }}" loop: "{{ prelim_auditd_conf_files.files | default([]) }}"
loop_control: loop_control:
label: "{{ item.path }}" label: "{{ item.path }}"
@ -86,8 +86,8 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
group: root group: root
failed_when: rhel9cis_6_3_4_7_file_list.state not in '[ file, absent ]' failed_when: discovered_audit_conf_file_list.state not in '[ file, absent ]'
register: rhel9cis_6_3_4_7_file_list register: discovered_audit_conf_file_list
loop: "{{ prelim_auditd_conf_files.files | default([]) }}" loop: "{{ prelim_auditd_conf_files.files | default([]) }}"
loop_control: loop_control:
label: "{{ item.path }}" label: "{{ item.path }}"
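Review bot: The first task of this section (mode `u-x,g-wx,o-rwx`) loops over `prelim_auditd_conf_files.files` without the `| default([])` that the owner and group tasks below apply, so if the preliminary find registered no result the first task errors while its siblings skip cleanly. Use `loop: "{{ prelim_auditd_conf_files.files | default([]) }}"` here as well. The shared `failed_when: discovered_audit_conf_file_list.state not in '[ file, absent ]'` is a substring test against a quoted string rather than list membership; `not in ['file', 'absent']` says what is meant.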


@ -202,9 +202,9 @@
- name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit" - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit"
ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -o+w ! -perm -1002 2>/dev/null | xargs chmod a+t ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -o+w ! -perm -1002 2>/dev/null | xargs chmod a+t
failed_when: rhel9cis_set_stickybit.rc not in [ 0, 123 ] failed_when: discovered_set_stickybit.rc not in [ 0, 123 ]
changed_when: rhel9cis_set_stickybit.rc == 0 changed_when: discovered_set_stickybit.rc == 0
register: rhel9cis_set_stickybit register: discovered_set_stickybit
- name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist" - name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist"
when: when: