From dab815f7b6c1b38796942b8f69b8e01fe2257e9a Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Wed, 8 Apr 2026 12:53:02 +0100
Subject: [PATCH] lin and 7.1.12/13 logic improvements
Signed-off-by: Mark Bolwell
---
tasks/section_7/cis_7.1.x.yml | 49 +++++++++++++----------------------
1 file changed, 18 insertions(+), 31 deletions(-)
diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml
index b7655aa..530e72a 100644
--- a/tasks/section_7/cis_7.1.x.yml
+++ b/tasks/section_7/cis_7.1.x.yml
@@ -1,8 +1,7 @@
---
- name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured"
- when:
- - rhel9cis_rule_7_1_1
+ when: rhel9cis_rule_7_1_1
tags:
- level1-server
- level1-workstation
@@ -18,8 +17,7 @@
mode: 'u-x,go-wx'
- name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured"
- when:
- - rhel9cis_rule_7_1_2
+ when: rhel9cis_rule_7_1_2
tags:
- level1-server
- level1-workstation
@@ -35,8 +33,7 @@
mode: 'u-x,go-wx'
- name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured"
- when:
- - rhel9cis_rule_7_1_3
+ when: rhel9cis_rule_7_1_3
tags:
- level1-server
- level1-workstation
@@ -52,8 +49,7 @@
mode: 'u-x,go-wx'
- name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured"
- when:
- - rhel9cis_rule_7_1_4
+ when: rhel9cis_rule_7_1_4
tags:
- level1-server
- level1-workstation
@@ -69,8 +65,7 @@
mode: 'u-x,go-wx'
- name: "7.1.5 | PATCH | Ensure permissions on /etc/shadow are configured"
- when:
- - rhel9cis_rule_7_1_5
+ when: rhel9cis_rule_7_1_5
tags:
- level1-server
- level1-workstation
@@ -86,8 +81,7 @@
mode: 'ugo-rwx'
- name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
- when:
- - rhel9cis_rule_7_1_6
+ when: rhel9cis_rule_7_1_6
tags:
- level1-server
- level1-workstation
@@ -103,8 +97,7 @@
mode: 'ugo-rwx'
- name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured"
- when:
- - rhel9cis_rule_7_1_7
+ when: rhel9cis_rule_7_1_7
tags:
- level1-server
- level1-workstation
@@ -120,8 +113,7 @@
mode: 'ugo-rwx'
- name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured"
- when:
- - rhel9cis_rule_7_1_8
+ when: rhel9cis_rule_7_1_8
tags:
- level1-server
- level1-workstation
@@ -137,8 +129,7 @@
mode: 'ugo-rwx'
- name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured"
- when:
- - rhel9cis_rule_7_1_9
+ when: rhel9cis_rule_7_1_9
tags:
- level1-server
- level1-workstation
@@ -154,8 +145,7 @@
mode: 'u-x,go-wx'
- name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured"
- when:
- - rhel9cis_rule_7_1_10
+ when: rhel9cis_rule_7_1_10
tags:
- level1-server
- level1-workstation
@@ -173,8 +163,7 @@
register: discovered_file_exists
- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured"
- when:
- - rhel9cis_rule_7_1_11
+ when: rhel9cis_rule_7_1_11
tags:
- level1-server
- level1-workstation
@@ -191,7 +180,7 @@
changed_when: false
register: discovered_world_writable
- - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)"
+ - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable files if they exist (Configurable)"
when:
- discovered_world_writable.stdout_lines is defined
- discovered_world_writable.stdout_lines | length > 0
@@ -202,15 +191,14 @@
state: touch
loop: "{{ discovered_world_writable.stdout_lines }}"
- - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit"
+ - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable directories add sticky bit"
ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -o+w ! -perm -1002 2>/dev/null | xargs chmod a+t
failed_when: discovered_set_stickybit.rc not in [ 0, 123 ]
changed_when: discovered_set_stickybit.rc == 0
register: discovered_set_stickybit
- name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist"
- when:
- - rhel9cis_rule_7_1_12
+ when: rhel9cis_rule_7_1_12
tags:
- level1-server
- level1-workstation
@@ -223,7 +211,7 @@
warn_control_id: '7.1.12'
block:
- name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
- ansible.builtin.command: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
+ ansible.builtin.command: "find {{ item.mount }} -xdev {{ rhel9cis_exclude_unowned_search_path }} \\( -nouser -o -nogroup \\) -not -fstype nfs"
changed_when: false
failed_when: false
check_mode: false
@@ -266,8 +254,7 @@
file: warning_facts.yml
- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed"
- when:
- - rhel9cis_rule_7_1_13
+ when: rhel9cis_rule_7_1_13
tags:
- level1-server
- level1-workstation
@@ -285,7 +272,7 @@
warn_control_id: '7.1.13'
block:
- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID"
- ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
+ ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 -o -04000 \) -not -fstype nfs
changed_when: false
failed_when: false
check_mode: false
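Review bot: Moving `{{ rhel9cis_exclude_unowned_search_path }}` after `-xdev` in the new 7.1.12 command line is the right order for find, but a malformed or mis-ordered value of that variable still cannot surface, because the task keeps `failed_when: false` on the lines below it: find exits 1 with empty stdout on an expression error, so the audit would report no unowned files and the control passes silently (fail-open). Consider failing on expression errors rather than swallowing every non-zero exit, e.g. `failed_when: "'find:' in <result>.stderr and 'Permission denied' not in <result>.stderr"`, where `<result>` is whatever this task registers (the `register:` line is outside the hunk). I cannot tell from here what shape the variable is expected to have; if it is meant to be a `-path … -prune -o` style prefix, a one-line comment above the command saying so, such as `# exclusion expression must precede the -nouser/-nogroup group and end in -o`, would keep the next edit from breaking the ordering again. The enclosing block continues past the hunk.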
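Review bot: The corrected 7.1.13 predicate is still malformed: `-perm` takes exactly one mode argument, so after the `command` module's shell-style splitting GNU find receives `-perm (` and aborts with `invalid mode '('` before walking anything; with `failed_when: false` on the following line that exit status is swallowed, the audit reports zero SUID/SGID files, and the control passes silently. Each test needs its own `-perm`, e.g. `ansible.builtin.command: find {{ item.mount }} -xdev -type f \( -perm -02000 -o -perm -04000 \) -not -fstype nfs` (GNU find's `-perm /6000` is the single-predicate equivalent). Since swallowing every non-zero exit hides this whole class of error, a comment above the line such as `# find exits 1 on a bad expression as well as on permission errors; check stderr after editing this predicate` would at least warn the next editor. The enclosing block continues outside the hunk.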
@@ -309,7 +296,7 @@
- "The files are listed below, please confirm the integrity of these binaries"
- "{{ discovered_suid_sgid_files_flatten }}"
- - name: "7.1.13 | PATCH | Audit SUID executables | Remove SUID bit"
+ - name: "7.1.13 | PATCH | Ensure SUID and SGID files are reviewed | Remove SUID bit"
when:
- rhel9cis_suid_sgid_adjust
- discovered_suid_sgid_files_flatten | length > 0