diff --git a/Changelog.md b/Changelog.md index baa0d44..0fe314f 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,16 @@ # Changes to rhel9CIS +## 1.1.4 - Based on CIS v1.0.0 + +- 1.2.1 new option for a new system to import gpg key for 1.2.1 to pass redhat only +- thanks to @ipruteanu-sie + - #156 + - #165 + - #180 + - #181 + - #183 + - #184 + ## 1.1.3 - Based on CIS v1.0.0 - updated goss binary to 0.4.4 diff --git a/defaults/main.yml b/defaults/main.yml index 6cd15ce..f5838c0 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -424,6 +424,11 @@ rhel9cis_rule_6_2_16: true # These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards. rhel9cis_tmp_svc: false +## Control 1.2.1 +# For new systems that have not yet run update the gpg key is not yet imported +# Setting to `true` will allow a test on the package and the foce the import of the key +rhel9cis_force_gpg_key_import: true + ## Control 1.2.4 # When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM # repo ('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks @@ -998,11 +1003,11 @@ rhel9cis_sshd: # This variable sets the maximum number of unresponsive "keep-alive" messages # that can be sent from the server to the client before the connection is considered # inactive and thus, closed. - clientalivecountmax: 0 + clientalivecountmax: 3 # This variable sets the time interval in seconds between sending "keep-alive" # messages from the server to the client. These types of messages are intended to # keep the connection alive and prevent it being terminated due to inactivity. - clientaliveinterval: 900 + clientaliveinterval: 15 # This variable specifies the amount of seconds allowed for successful authentication to # the SSH server. logingracetime: 60 
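Review bot: The comment above `rhel9cis_force_gpg_key_import` has a typo ("foce") and does not say what enabling it actually does, namely that prelim.yml will run `rpm --import` of the on-disk Red Hat release key on RedHat hosts whenever no gpg-pubkey package is present. Suggest replacing the second comment line with `# Setting to `true` lets prelim.yml check the installed redhat-release signature and then force-import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release (RedHat only)`. Because the default is `true`, the comment should also make clear this is a key-trust change applied automatically on first run, so operators who manage key import elsewhere know to set it to `false`.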
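Review bot: The comments above `clientalivecountmax` and `clientaliveinterval` still describe the options only in general terms and give no reason for the move from 0/900 to 3/15, so a reader cannot tell whether overriding them back is safe. Suggest adding above `clientalivecountmax: 3` a line such as `# CIS 5.2.x expects ClientAliveInterval of 15 or less and ClientAliveCountMax of 3 or less; on current OpenSSH a CountMax of 0 disables the idle disconnect entirely` (confirm the control number against the benchmark text the role tracks).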
@@ -1012,26 +1017,29 @@ rhel9cis_sshd: # If an USER@HOST format will be used, the specified user will be allowed only on that particular host. # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. # For more info, see https://linux.die.net/man/5/sshd_config - allow_users: "" - # (String) This variable, if spcieifed, configures a list of GROUP name patterns, separated by spaces, to allow SSH access + # allowusers: "" + + # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access # for users whose primary group or supplementary group list matches one of the patterns. This is done # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file. # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. # For more info, https://linux.die.net/man/5/sshd_config - allow_groups: "wheel" + # allowgroups: "wheel" + # This variable, if specified, configures a list of USER name patterns, separated by spaces, to prevent SSH access # for users whose user name matches one of the patterns. This is done # by setting the value of `DenyUsers` option in `/etc/ssh/sshd_config` file. # If an USER@HOST format will be used, the specified user will be restricted only on that particular host. # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. # For more info, see https://linux.die.net/man/5/sshd_config - deny_users: "nobody" + denyusers: "nobody" + # This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to prevent SSH access # for users whose primary group or supplementary group list matches one of the patterns. This is done # by setting the value of `DenyGroups` option in `/etc/ssh/sshd_config` file. # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups. 
# For more info, see https://linux.die.net/man/5/sshd_config - deny_groups: "" + denygroups: "" ## Control 5.2.5 - Ensure SSH LogLevel is appropriate # This variable is used to control the verbosity of the logging produced by the SSH server. @@ -1055,10 +1063,6 @@ rhel9cis_inactivelock: # This variable specifies the number of days of inactivity before an account will be locked. # CIS requires a value of 30 days or less. lock_days: 30 -# This variable governs if authconfig package should be installed. This package provides a simple method of -# configuring /etc/sysconfig/network to handle NIS, as well as /etc/passwd and /etc/shadow, the files used -# for shadow password support. Basic LDAP, Kerberos 5, and Winbind client configuration is also provided. -rhel9cis_use_authconfig: false ## Section 5.4 - Configure authselect: Custom authselect profile settings(name, profile to customize, options) ## Controls: diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 56ffbd6..7ef94b4 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -5,12 +5,12 @@ - name: Pre Audit Setup | Set audit package name | 64bit ansible.builtin.set_fact: audit_pkg_arch_name: AMD64 - when: ansible_machine == "x86_64" + when: ansible_facts.machine == "x86_64" - name: Pre Audit Setup | Set audit package name | ARM64 ansible.builtin.set_fact: audit_pkg_arch_name: ARM64 - when: ansible_machine == "arm64" + when: ansible_facts.machine == "arm64" - name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: diff --git a/tasks/main.yml b/tasks/main.yml index 2d7aa57..114c806 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -8,7 +8,6 @@ success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}" when: - os_check - - not system_is_ec2 tags: - always 
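Review bot: Renaming the nested keys `deny_users`/`deny_groups` to `denyusers`/`denygroups` under `rhel9cis_sshd`, and commenting out `allow_users`/`allow_groups`, silently changes behaviour for any inventory that still overrides the old names: a hash merge of `rhel9cis_sshd` keeps the old key, the consuming tasks (presumably now reading the new names; not visible here) ignore it, and the intended SSH restriction is never written. `allow_groups: "wheel"` was also a default restriction and is now commented out, so unless the consuming task handles the undefined key the role no longer sets `AllowGroups` by default — that loosening belongs in the Changelog entry for 1.1.4. A prelim check that fails on stale overrides would catch this, e.g. `ansible.builtin.assert:` with `that: rhel9cis_sshd.deny_users is not defined` (and the other three old names) and a `fail_msg` naming the new keys.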
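Review bot: `ansible_facts.machine` on Linux reports `aarch64` for 64-bit ARM, not `arm64`, so the ARM64 branch of `Pre Audit Setup | Set audit package name` will not match and `audit_pkg_arch_name` stays unset on those hosts; the commit changes the fact source but keeps the value. Suggest `when: ansible_facts.machine in ['arm64', 'aarch64']`. If the download task below builds its URL from this fact (its body is outside the hunk), an undefined variable there fails loudly rather than fetching the wrong binary, but the condition should still be corrected.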
@@ -169,63 +168,63 @@ - run_audit ansible.builtin.import_tasks: pre_remediation_audit.yml -- name: run Section 1 tasks +- name: Run Section 1 tasks ansible.builtin.import_tasks: file: section_1/main.yml when: rhel9cis_section1 tags: - rhel9cis_section1 -- name: run Section 2 tasks +- name: Run Section 2 tasks ansible.builtin.import_tasks: file: section_2/main.yml when: rhel9cis_section2 tags: - rhel9cis_section2 -- name: run Section 3 tasks +- name: Run Section 3 tasks ansible.builtin.import_tasks: file: section_3/main.yml when: rhel9cis_section3 tags: - rhel9cis_section3 -- name: run Section 4 tasks +- name: Run Section 4 tasks ansible.builtin.import_tasks: file: section_4/main.yml when: rhel9cis_section4 tags: - rhel9cis_section4 -- name: run Section 5 tasks +- name: Run Section 5 tasks ansible.builtin.import_tasks: file: section_5/main.yml when: rhel9cis_section5 tags: - rhel9cis_section5 -- name: run Section 6 tasks +- name: Run Section 6 tasks ansible.builtin.import_tasks: file: section_6/main.yml when: rhel9cis_section6 tags: - rhel9cis_section6 -- name: run auditd logic +- name: Run auditd logic ansible.builtin.import_tasks: file: auditd.yml when: update_audit_template tags: - always -- name: run post remediation tasks +- name: Run post remediation tasks ansible.builtin.import_tasks: file: post.yml tags: - post_tasks - always -- name: run post_remediation audit +- name: Run post_remediation audit ansible.builtin.import_tasks: file: post_remediation_audit.yml when: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 4eee776..f58ad01 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -136,6 +136,31 @@ - ansible_facts.distribution != 'RedHat' - ansible_facts.distribution != 'OracleLinux' +- name: "PRELIM | Check gpg keys are imported will cause 1.2.1 to fail if not | RedHat Only" + block: + - name: "PRELIM | Check gpg keys are imported will cause 1.2.1 to fail if not" + ansible.builtin.shell: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' + changed_when: false + failed_when: false + register: check_gpg_imported + + - name: "PRELIM | Check key package matches RedHat" + ansible.builtin.shell: rpm -qi redhat-release | grep Signature + changed_when: false + failed_when: false + register: os_gpg_package_valid + when: "'not installed' in check_gpg_imported.stdout" + + - name: "PRELIM | Force keys to be imported" + ansible.builtin.shell: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + when: + - "'not installed' in check_gpg_imported.stdout" + - "'Key ID 199e2f91fd431d51' in os_gpg_package_valid.stdout" + when: + - rhel9cis_rule_1_2_1 + - rhel9cis_force_gpg_key_import + - ansible_facts.distribution == 'RedHat' + - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" ansible.builtin.package: name: audit @@ -201,27 +226,6 @@ - level1_server - level1_workstation -- name: "PRELIM | Install authconfig" - ansible.builtin.package: - name: authconfig - state: present - become: true - when: - - rhel9cis_use_authconfig - - rhel9cis_rule_5_3_1 or - rhel9cis_rule_5_3_2 or - rhel9cis_rule_5_3_3 or - '"authconfig" not in ansible_facts.packages or - "auditd-lib" not in ansible_facts.packages' - tags: - - level1-server - - level1-workstation - - rule_5.3.1 or - rule_5.3.2 or - rule_5.3.3 - - authconfig - - auditd - - name: "PRELIM | 5.3.4 | Find all sudoers files." ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index ef16988..d113361 100644 
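Review bot: The import in `PRELIM | Force keys to be imported` is gated on `'not installed' in check_gpg_imported.stdout`, and `rpm -q gpg-pubkey` prints that text only when no gpg-pubkey package at all is installed, so a host that already holds some other vendor key but not the Red Hat release key skips the import and 1.2.1 still fails. Checking for the Red Hat key itself is more precise: rpm names the key package after the low 32 bits of the key ID the task already looks for (`199e2f91fd431d51`), so `when: "'gpg-pubkey-fd431d51' not in check_gpg_imported.stdout"` on both follow-up tasks closes that gap. `rpm --import` needs root and the task has no `become: true`, unlike other privileged prelim tasks in this file (the removed authconfig task carried one), so it currently relies on play-level become; adding it explicitly is safer. The first and third commands use no shell features, so `ansible.builtin.command` would avoid an unnecessary shell, and the hard-coded key ID is better kept in a commented variable so it can be reviewed when Red Hat rotates release keys.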
--- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -39,7 +39,6 @@ notify: Change_requires_reboot when: - item.mount == "/home" - - rhel9cis_rule_1_1_7_1 - rhel9cis_rule_1_1_7_2 or rhel9cis_rule_1_1_7_3 tags: @@ -49,5 +48,4 @@ - mounts - rule_1.1.7.2 - rule_1.1.7.3 - - rule_1.1.7.4 - skip_ansible_lint diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index dda9c66..3010b5a 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -54,7 +54,7 @@ - patch - rule_1.3.2 -- name: "1.3.3 | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" +- name: "1.3.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" ansible.builtin.blockinfile: path: /etc/aide.conf marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown" diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index e6f4b0c..b7f4791 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -118,7 +118,7 @@ - gui - rule_1.8.4 -- name: "1.8.5 PATCH | Ensure GDM screen locks cannot be overridden" +- name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden" block: - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock directory" ansible.builtin.file: diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index ec925bb..2c8746a 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -99,7 +99,7 @@ - level2-workstation - patch - auditd - - rule_4.1.3_7 + - rule_4.1.3.7 # All changes selected are managed by the POST audit and handlers to update - name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" @@ -268,7 +268,7 @@ - level2-workstation - patch - auditd - - rule_4.1.20 + - rule_4.1.3.20 - name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same" ansible.builtin.debug: 
diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index 7d683cf..c42f876 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -65,7 +65,7 @@ ansible.builtin.file: path: "{{ item.path }}" mode: "{{ '0600' if item.mode == '0600' else '0640' }}" - loop: "{{ auditd_conf_files.files | default([]) }}" + loop: "{{ auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" when: diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 7daf6d1..ac62767 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -1,6 +1,6 @@ --- -- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" +- name: "5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" ansible.builtin.file: path: "/etc/ssh/sshd_config" owner: root diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index a2c0219..8fba898 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -2,7 +2,7 @@ - name: "5.6.2 | PATCH | Ensure system accounts are secured" block: - - name: "5.6.2 | Ensure system accounts are secured | Set nologin" + - name: "5.6.2 | PATCH | Ensure system accounts are secured | Set nologin" ansible.builtin.user: name: "{{ item.id }}" shell: /usr/sbin/nologin 
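Review bot: Dropping `| default([])` from `loop: "{{ auditd_conf_files.files }}"` makes the task fail with an undefined attribute if the `find` that registers `auditd_conf_files` was skipped or conditioned off (that task is outside the hunk, so this is inferred); with the default it simply looped over nothing. Unless the register is now guaranteed on every path, keep the guard or add `- auditd_conf_files.files is defined` to the existing `when` list. The enclosing task begins before the hunk.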
@@ -98,11 +98,30 @@ regexp: '^USERGROUPS_ENAB' line: USERGROUPS_ENAB no - - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth" - ansible.builtin.lineinfile: - path: /etc/pam.d/system-auth - line: 'session required pam_umask.so' - insertafter: EOF + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Add umask sessions for pamd" + community.general.pamd: + name: "{{ item }}" + type: session + control: required + module_path: pam_limits.so + new_type: session + new_module_path: pam_umask.so + new_control: optional + state: before + register: rhel9cis_pamd_umask_added + loop: + - system-auth + - password-auth + + - name: "5.6.5 | AUDIT | Ensure default user umask is 027 or more restrictive | update umask settings if required" + ansible.builtin.replace: + path: "/etc/pam.d/{{ item }}" + regexp: ^(session\s+)(requisite|required)(\s+pam_umask.so)$ + replace: \1optional\3 + loop: + - system-auth + - password-auth + when: - rhel9cis_rule_5_6_5 tags: diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 6ab91cd..e2d03e5 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -75,7 +75,7 @@ - groups - rule_6.2.3 -- name: "6.2.4 | AUDIT Ensure no duplicate UIDs exist" +- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist" block: - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" 
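Review bot: The second new task, `5.6.5 | AUDIT | ... update umask settings if required`, rewrites `/etc/pam.d/system-auth` and `password-auth` with `ansible.builtin.replace`, so it is a PATCH task and its name should say so, matching the label scheme the rest of this commit tidies up. `register: rhel9cis_pamd_umask_added` is not read anywhere in the hunk; if nothing outside uses it, drop it. On RHEL 9 these two files are normally authselect-managed, and this role has its own custom authselect profile settings (defaults section 5.4), so presumably direct edits here are lost on the next authselect apply unless the custom profile is what gets edited — worth confirming and recording in a comment above the pamd task. `community.general.pamd` with `state: before` inserts nothing when no `session required pam_limits.so` rule exists in the target file, in which case the replace task alone leaves umask unset; a one-line comment stating that anchor assumption would help the next maintainer.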
@@ -88,7 +88,7 @@ msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}" when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 - - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" + - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | warning count" ansible.builtin.import_tasks: file: warning_facts.yml when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1