diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml index 226cd79..ab15169 100644 --- a/tasks/section_3/cis_3.4.1.x.yml +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -1,7 +1,7 @@ --- - name: "3.4.1.1 | PATCH | Ensure nftables is installed" - package: + ansible.builtin.package: name: - nftables state: present @@ -38,7 +38,7 @@ - rhel9cis_firewall == 'firewalld' - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" - systemd: + ansible.builtin.systemd: name: "{{ rhel9cis_firewall }}" enabled: true state: started diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index d21e6c4..167f8d2 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -3,13 +3,13 @@ - name: "4.1.1.1 | PATCH | Ensure auditd is installed" block: - name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd packages" - package: + ansible.builtin.package: name: audit state: present when: '"auditd" not in ansible_facts.packages' - name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages" - package: + ansible.builtin.package: name: audit-libs state: present when: '"auditd-lib" not in ansible_facts.packages' @@ -25,14 +25,14 @@ - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" block: - name: "4.1.1.2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX" - shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false check_mode: false register: rhel9cis_4_1_1_2_grub_cmdline_linux - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting" - replace: + ansible.builtin.replace: dest: /etc/default/grub regexp: 'audit=.' replace: 'audit=1' @@ -40,7 +40,7 @@ when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout" - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"' @@ -59,14 +59,14 @@ - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" block: - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX" - shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' + ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//' changed_when: false failed_when: false check_mode: false register: rhel9cis_4_1_1_3_grub_cmdline_linux - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting" - replace: + ansible.builtin.replace: dest: /etc/default/grub regexp: 'audit_backlog_limit=\d+' replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}' @@ -74,7 +74,7 @@ when: "'audit_backlog_limit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout" - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing" - lineinfile: + ansible.builtin.lineinfile: path: /etc/default/grub regexp: '^GRUB_CMDLINE_LINUX=' line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' @@ -91,7 +91,7 @@ - rule_4.1.1.3 - name: "4.1.1.4 | PATCH | Ensure auditd service is enabled" - service: + ansible.builtin.systemd: name: auditd state: started enabled: true diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index 62bee82..9850ce4 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -1,7 +1,7 @@ --- - name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured" - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" line: "max_log_file = {{ rhel9cis_max_log_file_size }}" @@ -17,7 +17,7 @@ - rule_4.1.2.1 - name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted" - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "^max_log_file_action" line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}" @@ -32,7 +32,7 @@ - rule_4.1.2.2 - name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full" - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -51,14 +51,14 @@ - rule_4.1.2.3 - name: PATCH | Configure other keys for auditd.conf - lineinfile: + ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "^{{ item }}( |=)" line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}" loop: "{{ rhel9cis_auditd_extra_conf.keys() }}" notify: restart auditd when: - - rhel9cis_auditd_extra_conf.keys() | length > 0 + - rhel9cis_auditd_extra_conf.keys() | length > 0 tags: - level2-server - level2-workstation diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index ec61402..e29f496 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -70,7 +70,7 @@ - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" block: - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" - shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done + ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done changed_when: false failed_when: false check_mode: false diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index b7828ae..d7cce3b 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -16,13 +16,13 @@ "4.1.4.2 | PATCH | Ensure only authorized users own audit log files" "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" ansible.builtin.file: - path: "{{ audit_logfile.stdout }}" - state: file - mode: 0640 - owner: root - group: root + path: "{{ audit_logfile.stdout }}" + state: file + mode: 0640 + owner: root + group: root when: - - rhel9cis_rule_4_1_4_1 or + - rhel9cis_rule_4_1_4_1 or rhel9cis_rule_4_1_4_2 or rhel9cis_rule_4_1_4_3 tags: @@ -38,14 +38,14 @@ block: - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions" ansible.builtin.stat: - path: "{{ audit_logfile.stdout | dirname }}" + path: "{{ audit_logfile.stdout | dirname }}" register: auditlog_dir - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set" ansible.builtin.file: - path: "{{ audit_logfile.stdout | dirname }}" - state: directory - mode: 0750 + path: "{{ audit_logfile.stdout | dirname }}" + state: directory + mode: 0750 when: not auditlog_dir.stat.mode is match('07(0|5)0') when: - rhel9cis_rule_4_1_4_4 @@ -58,22 +58,22 @@ - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" block: - - - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | get permissions" - ansible.builtin.stat: - path: "{{ item.path }}" - register: item_file - loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}" - loop_control: - label: "{{ item.path }}" - - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions" - ansible.builtin.file: - path: "{{ audit_logfile.stdout | dirname }}" - state: file - mode: 0640 - loop: "{{ audit_config_files }}" - when: not item_file.stat.mode is match('06(0|4)0') + - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | get permissions" + ansible.builtin.stat: + path: "{{ item.path }}" + register: item_file + loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}" + loop_control: + label: "{{ item.path }}" + + - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions" + ansible.builtin.file: + path: "{{ audit_logfile.stdout | dirname }}" + state: file + mode: 0640 + loop: "{{ audit_config_files }}" + when: not item_file.stat.mode is match('06(0|4)0') when: - rhel9cis_rule_4_1_4_5 tags: @@ -158,7 +158,7 @@ - /sbin/auditd - /sbin/augenrules when: - - rhel9cis_rule_4_1_4_9 + - rhel9cis_rule_4_1_4_9 tags: - level2-server - level2-workstation diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 08db497..474026c 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -183,14 +183,14 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Set live file" ansible.builtin.set_fact: - systemd_conf_file: /etc/tmpfiles.d/systemd.conf + systemd_conf_file: /etc/tmpfiles.d/systemd.conf when: rhel9cis_4_2_2_7_override_stat.exists - name: "4.2.2.7 | PATCH | Ensure journald default file permissions configured | Set permission" ansible.builtin.lineinfile: - path: "{{ /etc/tmpfiles.d/systemd.conf | default('/usr/lib/tmpfiles.d/systemd.conf') }}" - regexp: "^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root" - line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -' + path: "{{ systemd_conf_file | default('/usr/lib/tmpfiles.d/systemd.conf') }}" + regexp: "^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root" + line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -' when: - rhel9cis_rule_4_2_2_7 diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index e1e6bec..3fa195c 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -3,7 +3,7 @@ - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" block: - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files" - ansible.builtin.find: + ansible.builtin.find: paths: "/var/log" type: file register: logfiles