ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-28 07:53:07 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Revert "Merge 'devel' of kris9854/RHEL9-CIS-fix into devel"

Browse source 
This reverts commit d4471a3016, reversing
changes made to d6ca36a91f.
This commit is contained in:
Kristian 2022-09-26 19:10:53 +02:00
parent 66d8fb8b32
commit da0734c3a8
65 changed files with 461 additions and 801 deletions
Download patch file Download diff file Expand all files Collapse all files

7
tasks/section_4/cis_4.1.1.x.yml
View file

@ -27,9 +27,10 @@
service:
name: auditd
state: started
enabled: true
enabled: yes
when:
- rhel9cis_rule_4_1_1_2
- ansible_connection != 'docker'
tags:
- level2-server
- level2-workstation
@ -44,7 +45,7 @@
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
changed_when: false
failed_when: false
check_mode: false
check_mode: no
register: rhel9cis_4_1_1_3_grub_cmdline_linux
- name: "4.1.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting"
@ -79,7 +80,7 @@
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
changed_when: false
failed_when: false
check_mode: false
check_mode: no
register: rhel9cis_4_1_1_4_grub_cmdline_linux
- name: "4.1.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting"

148
tasks/section_4/cis_4.1.3.x.yml
View file

@ -1,9 +1,10 @@
---
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_1
tags:
@ -14,10 +15,11 @@
- auditd
- rule_4.1.3.1
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.2 | PATCH | Ensure actions as another user are always logged"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_2
tags:
@ -28,10 +30,11 @@
- auditd
- rule_4.1.3.2
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.3 | PATCH | Ensure events that modify the sudo log file are collected"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_3
tags:
@ -42,10 +45,11 @@
- auditd
- rule_4.1.3.3
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.4 | PATCH | Ensure events that modify date and time information are collected"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_4
tags:
@ -56,10 +60,11 @@
- auditd
- rule_4.1.3.4
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.5 | PATCH | Ensure events that modify the system's network environment are collected"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_5
tags:
@ -70,19 +75,19 @@
- auditd
- rule_4.1.3.5
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
block:
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
changed_when: false
failed_when: false
check_mode: false
check_mode: no
register: priv_procs
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_6
@ -94,10 +99,11 @@
- auditd
- rule_4.1.3.6
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_7
tags:
@ -108,10 +114,11 @@
- auditd
- rule_4.1.3_7
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_8
tags:
@ -122,10 +129,11 @@
- auditd
- rule_4.1.3.8
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_9
tags:
@ -136,10 +144,11 @@
- auditd
- rule_4.1.3.9
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_10
tags:
@ -150,10 +159,11 @@
- auditd
- rule_4.1.3.10
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.11 | PATCH | Ensure session initiation information is collected"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_11
tags:
@ -164,10 +174,11 @@
- auditd
- rule_4.1.3.11
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.12 | PATCH | Ensure login and logout events are collected"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_12
tags:
@ -178,10 +189,11 @@
- auditd
- rule_4.1.3.12
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_13
tags:
@ -191,10 +203,11 @@
- patch
- rule_4.1.3.13
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_14
tags:
@ -205,10 +218,11 @@
- auditd
- rule_4.1.3.14
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_15
tags:
@ -219,10 +233,11 @@
- auditd
- rule_4.1.3.15
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_16
tags:
@ -233,10 +248,11 @@
- auditd
- rule_4.1.3.16
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_17
tags:
@ -247,10 +263,11 @@
- auditd
- rule_4.1.3.17
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_18
tags:
@ -261,10 +278,11 @@
- auditd
- rule_4.1.3.18
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_19
tags:
@ -275,10 +293,11 @@
- auditd
- rule_4.1.3.19
# All changes selected are managed by the POST audit and handlers to update
- name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable"
set_fact:
update_audit_template: true
debug:
msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
changed_when: true
notify: update auditd
when:
- rhel9cis_rule_4_1_3_20
tags:
@ -302,10 +321,3 @@
- patch
- auditd
- rule_4.1.3.21
- name: Auditd | 4.1.3 | Auditd controls updated
debug:
msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules"
changed_when: false
when:
- update_audit_template

7
tasks/section_4/cis_4.2.1.x.yml
View file

@ -18,7 +18,7 @@
- name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled"
service:
name: rsyslog
enabled: true
enabled: yes
when:
- rhel9cis_rule_4_2_1_2
tags:
@ -65,9 +65,10 @@
block:
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
command: cat /etc/rsyslog.conf
become: yes
changed_when: false
failed_when: false
check_mode: false
failed_when: no
check_mode: no
register: rhel_08_4_2_1_5_audit
- name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"

29
tasks/section_4/cis_4.2.2.x.yml
View file

@ -39,9 +39,8 @@
systemd:
name: systemd-journal-upload
state: started
enabled: true
enabled: yes
when:
- rhel9cis_system_is_log_server
- rhel9cis_rule_4_2_2_1_3
tags:
- level1-server
@ -53,12 +52,11 @@
- name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client"
systemd:
name: systemd-journal-remote.socket
name: systemd-journal-remote
state: stopped
enabled: false
masked: true
enabled: no
masked: yes
when:
- not rhel9cis_system_is_log_server
- rhel9cis_rule_4_2_2_1_4
tags:
- level1-server
@ -74,7 +72,7 @@
systemd:
name: systemd-journald
state: started
enabled: true
enabled: yes
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status"
shell: systemctl is-enabled systemd-journald.service
@ -85,13 +83,7 @@
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status"
debug:
msg:
- "Warning!! The status of systemd-journald should be static and it is not. Please investigate"
when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]"
warn_count: "{{ warn_count | int + 1 }}"
- "Warning! The status of systemd-journald should be static and it is not. Please investigate"
when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
when:
- rhel9cis_rule_4_2_2_2
@ -142,6 +134,7 @@
notify: restart systemd_journal_upload
when:
- rhel9cis_rule_4_2_2_5
- rhel9cis_preferred_log_capture == "journald"
tags:
- level1-server
- level2-workstation
@ -197,13 +190,9 @@
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings"
debug:
msg:
- "Warning!! Below are the current default settings for journald, please confirm they align with your site policies"
- "Warning! Below are the current default settings for journald, please confirm they align with your site policies"
# - "{{ rhel9cis_4_2_2_7_override_settings.stdout_lines }}"
- "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}"
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_4.2.2.7' ]"
warn_count: "{{ warn_count | int + 1 }}"
when:
- rhel9cis_rule_4_2_2_7
tags:

2
tasks/section_4/cis_4.3.yml
View file

@ -16,7 +16,7 @@
- name: "4.3.2 | PATCH | Ensure logrotate is running and enabled"
systemd:
name: logrotate.timer
name: logrotate
state: started
enabled: true
when:

1
tasks/section_4/main.yml
View file

@ -17,7 +17,6 @@
- name: "SECTION | 4.2.2 Configure journald"
import_tasks: cis_4.2.2.x.yml
when: rhel9cis_syslog == 'journald'
- name: "SECTION | 4.2.3 | Configure logile perms"
import_tasks: cis_4.2.3.yml