From 68921be0b2aad58462ec31f0457453d8af356d09 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 22 Oct 2024 10:38:26 +0100 Subject: [PATCH 01/42] updated for gui discovery and dconf install Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/prelim.yml | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9f64850..7fee3af 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -569,7 +569,7 @@ rhel9cis_warning_banner: Authorized uses only. All activity may be monitored and ## Control 1.8.x - Settings for GDM ## 1.8 GDM graphical interface -rhel9cis_gui: false +rhel9cis_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}" # This variable specifies the GNOME configuration database file to which configurations are written. # (See "https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en") # The default database is 'local'. diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 78d1771..1ec5ace 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -159,6 +159,22 @@ ansible.builtin.set_fact: grub2_path: /etc/grub2-efi.cfg +- name: "PRELIM | Discover Gnome Desktop Environment" + tags: + - always + ansible.builtin.stat: + path: /usr/share/gnome/gnome-version.xml + register: prelim_gnome_present + +- name: "PRELIM | Install dconf if gui installed" + when: + - rhel9cis_gui + tags: + - always + ansible.builtin.package: + name: dconf + state: present + - name: "PRELIM | AUDIT | Wireless adapter pre-requisites" when: - rhel9cis_rule_3_1_2 From 13ab9d54408f5f300ee7dbadb046206ff32d1c5d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Nov 2024 14:10:10 +0000 Subject: [PATCH 02/42] updated logic on 7.12 and 7.13 thansk to @yinggs Signed-off-by: Mark Bolwell --- tasks/section_7/cis_7.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 0fe5fe7..8d0a730 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -233,7 +233,7 @@ - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Flatten no_user_items results for easier use" ansible.builtin.set_fact: - discovered_unowned_files_flatten: "{{ discovered_unowned_files.results | map(attribute='stdout_lines') | flatten }}" + discovered_unowned_files_flatten: "{{ discovered_unowned_files.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}" - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Alert on unowned files and directories" when: @@ -295,7 +295,7 @@ - name: "7.1.13 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use" ansible.builtin.set_fact: - discovered_suid_sgid_files_flatten: "{{ discovered_suid_sgid_files.results | map(attribute='stdout_lines') | flatten }}" + discovered_suid_sgid_files_flatten: "{{ discovered_suid_sgid_files.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}" - name: "7.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" when: From b7963f7c11ede7e6d83157aace3ec4a7df9f4f66 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Nov 2024 17:11:38 +0000 Subject: [PATCH 03/42] updated idempotency thanks to feedback from @Thulium-Drake Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.3.x.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index 728b3c9..c7920cd 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -24,8 +24,8 @@ file: warning_facts.yml - name: | - "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition - 1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition" + "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition + 1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition" when: - item.mount == "/home" - rhel9cis_rule_1_1_2_3_2 or @@ -45,7 +45,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_2_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3_3 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_3_3) %},nosuid{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" From fa13b06b1f915179c71616c525196bde54bd740a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Nov 2024 17:15:33 +0000 Subject: [PATCH 04/42] lint updates Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1ec5ace..28292fb 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -161,19 +161,19 @@ - name: "PRELIM | Discover Gnome Desktop Environment" tags: - - always + - always ansible.builtin.stat: - path: /usr/share/gnome/gnome-version.xml + path: /usr/share/gnome/gnome-version.xml register: prelim_gnome_present - name: "PRELIM | Install dconf if gui installed" when: - - rhel9cis_gui + - rhel9cis_gui tags: - - always + - always ansible.builtin.package: - name: dconf - state: present + name: dconf + state: present - name: "PRELIM | AUDIT | Wireless adapter pre-requisites" when: From 879d9c9a1b17e7f18d8cc402785d2ef9bb5e50b6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Nov 2024 18:39:01 +0000 Subject: [PATCH 05/42] lint and var renaming Signed-off-by: Mark Bolwell --- handlers/main.yml | 4 ++-- tasks/auditd.yml | 14 +++++++------- tasks/main.yml | 16 ++++++++-------- tasks/post.yml | 1 - tasks/pre_remediation_audit.yml | 4 ++-- tasks/section_1/cis_1.2.1.x.yml | 22 +++++++++++----------- tasks/section_1/cis_1.3.1.x.yml | 9 ++++----- tasks/section_1/cis_1.6.x.yml | 20 ++++++++++---------- tasks/section_5/cis_5.2.x.yml | 6 +++--- tasks/section_5/cis_5.3.1.x.yml | 4 ++-- tasks/section_5/cis_5.3.2.x.yml | 8 ++++---- tasks/section_5/cis_5.3.3.3.x.yml | 20 ++++++++++---------- tasks/section_6/cis_6.1.x.yml | 4 ++-- tasks/section_6/cis_6.2.1.x.yml | 16 ++++++++-------- tasks/section_6/cis_6.2.3.x.yml | 10 +++++----- tasks/section_6/cis_6.3.3.x.yml | 2 +- tasks/section_7/cis_7.1.x.yml | 8 ++++---- templates/audit/99_auditd.rules.j2 | 2 +- 18 files changed, 84 insertions(+), 86 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 2009fa2..27e4a56 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -98,11 +98,11 @@ - name: Auditd immutable check ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules changed_when: false - register: auditd_immutable_check + register: discovered_auditd_immutable_check - name: Audit immutable fact when: - - auditd_immutable_check.stdout == '1' + - discovered_auditd_immutable_check.stdout == '1' ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" notify: Change_requires_reboot diff --git a/tasks/auditd.yml b/tasks/auditd.yml index ac5b8f8..502497c 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -3,7 +3,7 @@ - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: path: /etc/audit/rules.d/99_auditd.rules - register: rhel9cis_auditd_file + register: discovered_auditd_rules_file - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file ansible.builtin.template: @@ -12,8 +12,8 @@ owner: root group: root mode: '0640' - diff: "{{ rhel9cis_auditd_file.stat.exists }}" # Only run diff if not a new file - register: rhel9cis_auditd_template_updated + diff: "{{ discovered_auditd_rules_file.stat.exists }}" # Only run diff if not a new file + register: discovered_auditd_rules_template_updated notify: - Auditd immutable check - Audit immutable fact @@ -21,8 +21,8 @@ - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler when: - - rhel9cis_auditd_template_updated.changed - - rhel9cis_auditd_file.stat.exists + - discovered_auditd_rules_template_updated.changed + - discovered_auditd_rules_file.stat.exists ansible.builtin.import_tasks: file: warning_facts.yml vars: @@ -31,7 +31,7 @@ - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: path: /etc/audit/rules.d/98_auditd_exceptions.rules - register: rhel9cis_auditd_exception_file + register: discovered_auditd_exception_file - name: POST | Set up auditd user logging exceptions | setup file when: @@ -43,5 +43,5 @@ owner: root group: root mode: '0640' - diff: "{{ rhel9cis_auditd_exception_file.stat.exists }}" + diff: "{{ discovered_auditd_exception_file.stat.exists }}" notify: Restart auditd diff --git a/tasks/main.yml b/tasks/main.yml index 1dd529e..4598f85 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -86,29 +86,29 @@ changed_when: false failed_when: false check_mode: false - register: rhel9cis_ansible_user_password_set + register: prelim_ansible_user_password_set - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account" - when: rhel9cis_ansible_user_password_set.stdout == "not found" + when: prelim_ansible_user_password_set.stdout == "not found" ansible.builtin.debug: msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks." - name: "Check local account" when: - - rhel9cis_ansible_user_password_set.stdout != "not found" + - prelim_ansible_user_password_set.stdout != "not found" block: - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" ansible.builtin.assert: that: - - rhel9cis_ansible_user_password_set.stdout | length != 0 - - rhel9cis_ansible_user_password_set.stdout != "!!" + - prelim_ansible_user_password_set.stdout | length != 0 + - prelim_ansible_user_password_set.stdout != "!!" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" ansible.builtin.assert: that: - - not rhel9cis_ansible_user_password_set.stdout.startswith("!") + - not prelim_ansible_user_password_set.stdout.startswith("!") fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" @@ -149,11 +149,11 @@ - name: "Ensure root password is set" ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)" changed_when: false - register: root_passwd_set + register: prelim_root_passwd_set - name: "Ensure root password is set" ansible.builtin.assert: - that: root_passwd_set.rc == 0 + that: prelim_root_passwd_set.rc == 0 fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set" success_msg: "You have a root password set" diff --git a/tasks/post.yml b/tasks/post.yml index b3909bf..198d9c0 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -18,7 +18,6 @@ owner: root group: root mode: '0600' - register: sysctl_updated notify: Reload sysctl loop: - 60-kernel_sysctl.conf diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 9a2c2ce..3a3304c 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -60,11 +60,11 @@ - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: path: "{{ audit_bin }}" - register: goss_available + register: discovered_goss_available - name: Pre Audit Setup | If audit ensure goss is available when: - - not goss_available.stat.exists + - not discovered_goss_available.stat.exists ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index c6ee203..d5ea30f 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml @@ -18,19 +18,19 @@ ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" changed_when: false failed_when: false - register: os_installed_pub_keys + register: discovered_os_installed_pub_keys - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys" ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"' changed_when: false failed_when: false - register: os_gpg_key_check - when: os_installed_pub_keys.rc == 0 + register: discovered_os_gpg_key_check + when: discovered_os_installed_pub_keys.rc == 0 - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | expected keys fail" when: - - os_installed_pub_keys.rc == 1 or - os_gpg_key_check.rc == 1 + - discovered_os_installed_pub_keys.rc == 1 or + discovered_os_gpg_key_check.rc == 1 ansible.builtin.fail: msg: Installed GPG Keys do not meet expected values or expected keys are not installed @@ -48,14 +48,14 @@ ansible.builtin.find: paths: /etc/yum.repos.d patterns: "*.repo" - register: yum_repos + register: discovered_yum_repos - name: "1.2.1.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" ansible.builtin.replace: name: "{{ item.path }}" regexp: "^gpgcheck=0" replace: "gpgcheck=1" - loop: "{{ yum_repos.files }}" + loop: "{{ discovered_yum_repos.files }}" loop_control: label: "{{ item.path }}" @@ -82,14 +82,14 @@ ansible.builtin.find: paths: /etc/yum.repos.d patterns: "*.repo" - register: repo_files + register: discovered_repo_files - name: "1.2.1.3 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" ansible.builtin.replace: path: "{{ item.path }}" regexp: '^repo_gpgcheck( |)=( |)0' replace: repo_gpgcheck=1 - loop: "{{ repo_files.files }}" + loop: "{{ discovered_repo_files.files }}" loop_control: label: "{{ item.path }}" @@ -110,14 +110,14 @@ ansible.builtin.shell: dnf repolist changed_when: false failed_when: false - register: dnf_configured + register: discovered_dnf_configured check_mode: false - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" ansible.builtin.debug: msg: - "Warning!! Below are the configured repos. Please review and make sure all align with site policy" - - "{{ dnf_configured.stdout_lines }}" + - "{{ discovered_dnf_configured.stdout_lines }}" - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Warn Count" ansible.builtin.import_tasks: diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml index 197e474..f3f67f8 100644 --- a/tasks/section_1/cis_1.3.1.x.yml +++ b/tasks/section_1/cis_1.3.1.x.yml @@ -34,7 +34,6 @@ loop: - selinux=0 - enforcing=0 - register: selinux_grub_patch ignore_errors: true # noqa ignore-errors notify: Grub2cfg @@ -108,17 +107,17 @@ block: - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" ansible.builtin.shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' - register: rhelcis_1_3_1_6_unconf_services + register: discovered_unconf_services failed_when: false changed_when: false - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" - when: rhelcis_1_3_1_6_unconf_services.stdout | length > 0 + when: discovered_unconf_services.stdout | length > 0 ansible.builtin.debug: - msg: "Warning!! You have unconfined services: {{ rhelcis_1_3_1_6_unconf_services.stdout_lines }}" + msg: "Warning!! You have unconfined services: {{ discovered_unconf_services.stdout_lines }}" - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | warning count" - when: rhelcis_1_3_1_6_unconf_services.stdout | length > 0 + when: discovered_unconf_services.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index f497f15..5d9441e 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -55,12 +55,12 @@ owner: root group: root mode: '0640' - register: no_sha1_template + register: discovered_no_sha1_template - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules" ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SHA1' }}" - changed_when: no_sha1_template is defined + changed_when: discovered_no_sha1_template is changed # noqa: no-handler notify: - Update Crypto Policy - Set Crypto Policy @@ -86,12 +86,12 @@ owner: root group: root mode: '0640' - register: no_weakmac_template + register: discovered_no_weakmac_template - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules" ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-WEAKMAC' }}" - changed_when: no_weakmac_template is defined + changed_when: discovered_no_weakmac_template is changed # noqa: no-handler notify: - Update Crypto Policy - Set Crypto Policy @@ -116,12 +116,12 @@ owner: root group: root mode: '0640' - register: no_sshcbc_template + register: discovered_no_sshcbc_template - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules" ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHCBC' }}" - changed_when: no_sshcbc_template is defined + changed_when: discovered_no_sshcbc_template is changed # noqa: no-handler notify: - Update Crypto Policy - Set Crypto Policy @@ -146,12 +146,12 @@ owner: root group: root mode: '0640' - register: no_sshweakciphers_template + register: discovered_no_sshweakciphers_template - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules" ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKCIPHERS' }}" - changed_when: no_sshweakciphers_template is defined + changed_when: discovered_no_sshweakciphers_template is changed # noqa: no-handler notify: - Update Crypto Policy - Set Crypto Policy @@ -176,12 +176,12 @@ owner: root group: root mode: '0640' - register: no_sshetm_template + register: discovered_no_sshetm_template - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules" ansible.builtin.set_fact: rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHETM' }}" - changed_when: no_sshetm_template is defined + changed_when: discovered_no_sshetm_template is changed # noqa: no-handler notify: - Update Crypto Policy - Set Crypto Policy diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 2e46de4..87fe46e 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -89,16 +89,16 @@ become: true changed_when: false failed_when: false - register: rhel9cis_5_2_4_authenticate + register: discovered_priv_reauth - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" - when: rhel9cis_5_2_4_authenticate.stdout | length > 0 + when: discovered_priv_reauth.stdout | length > 0 ansible.builtin.replace: path: "{{ item }}" regexp: '^([^#].*)!authenticate(.*)' replace: '\1authenticate\2' validate: '/usr/sbin/visudo -cf %s' - loop: "{{ rhel9cis_5_2_4_authenticate.stdout_lines }}" + loop: "{{ discovered_priv_reauth.stdout_lines }}" - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly" when: diff --git a/tasks/section_5/cis_5.3.1.x.yml b/tasks/section_5/cis_5.3.1.x.yml index b8a5576..ce5ae8a 100644 --- a/tasks/section_5/cis_5.3.1.x.yml +++ b/tasks/section_5/cis_5.3.1.x.yml @@ -32,10 +32,10 @@ ansible.builtin.package: name: authselect state: latest - register: rhel9cis_authselect_update + register: discovered_authselect_updated - name: "5.3.1.2 | AUDIT | Ensure latest version of authselect is installed | Patch" - when: rhel9cis_authselect_update.changed # noqa no-handler + when: discovered_authselect_updated.changed # noqa no-handler ansible.builtin.set_fact: authselect_update: OK diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 3996edc..18e9cfd 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -136,11 +136,11 @@ ansible.builtin.shell: | grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth changed_when: false - failed_when: rhel9cis_authselect_pam_unix.rc not in [ 0, 1 ] - register: rhel9cis_authselect_pam_unix + failed_when: discovered_discovered_authselect_pam_unix.rc not in [ 0, 1 ] + register: discovered_discovered_authselect_pam_unix - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth" - when: "'system-auth:password' not in rhel9cis_authselect_pam_unix.stdout" + when: "'system-auth:password' not in discovered_authselect_pam_unix.stdout" ansible.builtin.lineinfile: path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth regexp: "{{ item.regexp }}" @@ -154,7 +154,7 @@ notify: Authselect update - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | password-auth" - when: "'password-auth:password' not in rhel9cis_authselect_pam_unix.stdout" + when: "'password-auth:password' not in discovered_authselect_pam_unix.stdout" ansible.builtin.lineinfile: path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth line: "{{ item.line }}" diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml index 6c04d33..21a03ee 100644 --- a/tasks/section_5/cis_5.3.3.3.x.yml +++ b/tasks/section_5/cis_5.3.3.3.x.yml @@ -12,9 +12,9 @@ block: - name: "5.3.3.3.1 | AUDIT | Ensure password history remember is configured | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\s+[^#\n\r]+\h+pam_pwhistory\.so\s+([^#\n\r]+\s+)?remember=\d+\b' /etc/pam.d/password-auth /etc/pam.d/system-auth - register: rhel9_pwhistory_remember changed_when: false - failed_when: rhel9_pwhistory_remember.rc not in [0, 1] + failed_when: discovered_pwhistory_remember.rc not in [0, 1] + register: discovered_pwhistory_remember - name: "5.3.3.3.1 | PATCH | Ensure password number of changed characters is configured | Ensure remember is set pwhistory file" ansible.builtin.lineinfile: @@ -59,9 +59,9 @@ block: - name: "5.3.3.3.2 | AUDIT | Ensure password history is enforced for the root user | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?enforce_for_root\b' /etc/pam.d/{system,password}-auth - register: rhel9_pwhistory_enforce_for_root + register: discovered_pwhistory_enforce_for_root changed_when: false - failed_when: rhel9_pwhistory_enforce_for_root.rc not in [0, 1] + failed_when: discovered_pwhistory_enforce_for_root.rc not in [0, 1] - name: "5.3.3.3.2 | PATCH| Ensure password history is enforced for the root user | Ensure enforce_for_root is set pwhistory file" ansible.builtin.lineinfile: @@ -72,7 +72,7 @@ - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set" when: - not rhel9cis_allow_authselect_updates - - rhel9_pwhistory_enforce_for_root.stdout | length == 0 + - discovered_pwhistory_enforce_for_root.stdout | length == 0 - rhel9cis_disruption_high ansible.builtin.lineinfile: path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}" @@ -83,7 +83,7 @@ - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user | Ensure enforce_for_root is set" when: - rhel9cis_allow_authselect_updates - - rhel9_pwhistory_enforce_for_root.stdout | length == 0 + - discovered_pwhistory_enforce_for_root.stdout | length == 0 - rhel9cis_disruption_high ansible.builtin.replace: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" @@ -106,9 +106,9 @@ block: - name: "5.3.3.3.3 | AUDIT | Ensure pam_pwhistory includes use_authtok | Check existing files" ansible.builtin.shell: grep -Psi -- '^\h*password\h+[^#\n\r]+\h+pam_pwhistory\.so\h+([^#\n\r]+\h+)?use_authtok\b' /etc/pam.d/{system,password}-auth - register: rhel9_pwhistory_use_authtok + register: discovered_pwhistory_use_authtok changed_when: false - failed_when: rhel9_pwhistory_use_authtok.rc not in [0, 1] + failed_when: discovered_pwhistory_use_authtok.rc not in [0, 1] - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Update pwhistory for use_authtok" ansible.builtin.lineinfile: @@ -119,7 +119,7 @@ - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok | Ensure use_authtok is set" when: - not rhel9cis_allow_authselect_updates - - rhel9_pwhistory_use_authtok.stdout | length == 0 + - discovered_pwhistory_use_authtok.stdout | length == 0 - rhel9cis_disruption_high ansible.builtin.lineinfile: path: "/{{ rhel9cis_pam_confd_dir }}{{ rhel9cis_pam_pwhistory_file }}" @@ -130,7 +130,7 @@ - name: "PATCH | Ensure pam_pwhistory includes use_authtok | add authtok to pam files AuthSelect" when: - rhel9cis_allow_authselect_updates - - rhel9_pwhistory_use_authtok.stdout | length == 0 + - discovered_pwhistory_use_authtok.stdout | length == 0 - rhel9cis_disruption_high ansible.builtin.lineinfile: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 95f8064..898444f 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -16,10 +16,10 @@ ansible.builtin.package: name: aide state: present - register: aide_installed + register: discovered_aide_installed - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB" - when: aide_installed.changed # noqa: no-handler + when: discovered_aide_installed.changed # noqa: no-handler block: - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB" ansible.builtin.shell: /usr/sbin/aide --init diff --git a/tasks/section_6/cis_6.2.1.x.yml b/tasks/section_6/cis_6.2.1.x.yml index 603e471..1a2a8aa 100644 --- a/tasks/section_6/cis_6.2.1.x.yml +++ b/tasks/section_6/cis_6.2.1.x.yml @@ -32,26 +32,26 @@ - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file" ansible.builtin.stat: path: /etc/tmpfiles.d/systemd.conf - register: tmpfile_override + register: discovered_tmpfile_override - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | If override file check for journal" - when: tmpfile_override.stat.exists + when: discovered_tmpfile_override.stat.exists ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal \d*' /usr/lib/tmpfiles.d/systemd.conf - register: journald_fileperms_override + register: discovered_journald_fileperms_override changed_when: false - failed_when: journald_fileperms_override.rc not in [ 0, 1 ] + failed_when: discovered_journald_fileperms_override.rc not in [ 0, 1 ] - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found" when: - - tmpfile_override.stat.exists - - journald_fileperms_override.stdout | length > 0 + - discovered_tmpfile_override.stat.exists + - discovered_journald_fileperms_override.stdout | length > 0 ansible.builtin.debug: msg: "Warning!! - tmpfiles override found /usr/lib/tmpfiles.d/systemd.conf affecting journald files please confirm matches site policy" - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found" when: - - tmpfile_override.stat.exists - - journald_fileperms_override.stdout | length > 0 + - discovered_tmpfile_override.stat.exists + - discovered_journald_fileperms_override.stdout | length > 0 ansible.builtin.import_tasks: file: warning_facts.yml vars: diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml index 9e42ee2..5af5fcd 100644 --- a/tasks/section_6/cis_6.2.3.x.yml +++ b/tasks/section_6/cis_6.2.3.x.yml @@ -89,13 +89,13 @@ changed_when: false failed_when: false check_mode: false - register: rhel_09_6_2_3_5_audit + register: discovered_configured_rsyslog - name: "6.2.3.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" ansible.builtin.debug: msg: - "These are the current logging configurations for rsyslog, please review:" - - "{{ rhel_09_4_2_1_5_audit.stdout_lines }}" + - "{{ discovered_configured_rsyslog.stdout_lines }}" - name: "6.2.3.5 | PATCH | Ensure logging is configured | mail.* log setting" when: rhel9cis_rsyslog_ansiblemanaged @@ -193,10 +193,10 @@ # target can be IP or FQDN *.* action(type="omfwd" target="{{ rhel9cis_remote_log_host }}" port="{{ rhel9cis_remote_log_port }}" protocol="{{ rhel9cis_remote_log_protocol }}" action.resumeRetryCount="{{ rhel9cis_remote_log_retrycount }}" queue.type="LinkedList" queue.size="{{ rhel9cis_remote_log_queuesize }}") insertafter: EOF - register: result failed_when: - - result is failed - - result.rc != 257 + - discovered_rsyslog_remote_host is failed + - discovered_rsyslog_remote_host.rc != 257 + register: discovered_rsyslog_remote_host notify: Restart rsyslog - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml index 7e7e479..d279259 100644 --- a/tasks/section_6/cis_6.3.3.x.yml +++ b/tasks/section_6/cis_6.3.3.x.yml @@ -88,7 +88,7 @@ changed_when: false failed_when: false check_mode: false - register: priv_procs + register: discovered_priv_procs - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" ansible.builtin.set_fact: diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 8d0a730..232b224 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -187,18 +187,18 @@ ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 failed_when: false changed_when: false - register: rhel_09_7_1_11_perms_results + register: discovered_world_writable - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" when: - - rhel_09_7_1_11_perms_results.stdout_lines is defined - - rhel_09_7_1_11_perms_results.stdout_lines | length > 0 + - discovered_world_writable.stdout_lines is defined + - discovered_world_writable.stdout_lines | length > 0 - rhel9cis_no_world_write_adjust ansible.builtin.file: path: '{{ item }}' mode: o-w state: touch - loop: "{{ rhel_09_7_1_11_perms_results.stdout_lines }}" + loop: "{{ discovered_world_writable.stdout_lines }}" - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit" ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -o+w ! -perm -1002 2>/dev/null | xargs chmod a+t diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index bfb925b..bf2d191 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -30,7 +30,7 @@ -w /etc/sysconfig/network-scripts -p wa -k system-locale {% endif %} {% if rhel9cis_rule_6_3_3_6 %} -{% for proc in priv_procs.stdout_lines -%} +{% for proc in discovered_priv_procs.stdout_lines -%} -a always,exit -F path={{ proc }} -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k privileged {% endfor %} {% endif %} From 3df7334cda626f842efa80a370257b349f04e961 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Nov 2024 16:04:14 +0000 Subject: [PATCH 06/42] improved mount idempotence Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.1.x.yml | 2 +- tasks/section_1/cis_1.1.2.4.x.yml | 2 +- tasks/section_1/cis_1.1.2.5.x.yml | 2 +- tasks/section_1/cis_1.1.2.6.x.yml | 2 +- tasks/section_1/cis_1.1.2.7.x.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index d64c3a7..5683cde 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -33,7 +33,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_2_1_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_1_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_1_4 %}noexec{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_1_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_1_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_1_4) %},noexec{% endif %}" notify: Remount tmp loop: "{{ ansible_facts.mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index d2e4aa8..0aa4fa2 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -45,7 +45,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_2_4_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_4_3 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_4_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_4_2) %},nosuid{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index a09d46d..449bc8b 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -49,7 +49,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_2_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_5_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_5_4 %}noexec{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_5_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_5_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_5_4) %},noexec{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index d6e2c56..c45da55 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml @@ -47,7 +47,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_2_6_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_6_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_6_4 %}noexec{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_6_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_6_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_6_4) %},noexec{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index 4e21461..4a8f67c 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml @@ -47,7 +47,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_2_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_7_4 %}noexec{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_7_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_7_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_7_4) %},noexec{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" From 44b712fdf90f4941d369fdb3ec8b4a72a495c616 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Nov 2024 16:06:29 +0000 Subject: [PATCH 07/42] improved gpg regex Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index d5ea30f..dca12b0 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml @@ -53,7 +53,7 @@ - name: "1.2.1.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" ansible.builtin.replace: name: "{{ item.path }}" - regexp: "^gpgcheck=0" + regexp: ^gpgcheck\s*=\s*0 replace: "gpgcheck=1" loop: "{{ discovered_yum_repos.files }}" loop_control: @@ -87,7 +87,7 @@ - name: "1.2.1.3 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" ansible.builtin.replace: path: "{{ item.path }}" - regexp: '^repo_gpgcheck( |)=( |)0' + regexp: ^repo_gpgcheck\s*=s*0 replace: repo_gpgcheck=1 loop: "{{ discovered_repo_files.files }}" loop_control: From f02a9d442fe74762cba84891de0f393090dfe9a2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Nov 2024 17:35:12 +0000 Subject: [PATCH 08/42] added system account enhancement 5.4.2.7 thanks to @Thulium-Drake Signed-off-by: Mark Bolwell --- defaults/main.yml | 5 +++++ tasks/section_5/cis_5.4.2.x.yml | 1 + 2 files changed, 6 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 4e07349..e210596 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -992,6 +992,11 @@ rhel9cis_futurepwchgdate_autofix: true # 5.4.2.x rhel9cis_root_umask: '0027' # 0027 or more restrictive +## Control 5.4.2.7 - Ensure system accounts are secured | Set nologin +# The system users on this list are allowed to have a shell (e.g. applications +# that require a shell to function) +rhel9cis_system_users_shell: [] + ## Control 5.4.3.2 - Configuring user shell timeout # This dictionary is related to ensuring the rule about user shell timeout # This variable represents the amount of seconds a command or process is allowed to diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index 4d75928..2cf378c 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -199,6 +199,7 @@ when: - rhel9cis_rule_5_4_2_7 - "item.id not in prelim_interactive_usernames.stdout" + - item.id not in rhel9cis_system_users_shell - "'root' not in item.id" - rhel9cis_disruption_high tags: From 9614fa9a9a45bd4e9490cd74c28d519eb45ffe73 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 12 Nov 2024 16:00:53 +0000 Subject: [PATCH 09/42] fixed filename thanks to @levaillx Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.8.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 427eb79..84121b7 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -140,7 +140,7 @@ - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file" ansible.builtin.template: src: etc/dconf/db/00-screensaver_lock.j2 - dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver_lock" owner: root group: root mode: '0644' From fef3554ddecdb81c00232940c45c5659b7febb75 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Nov 2024 18:00:08 +0000 Subject: [PATCH 10/42] updated readme Signed-off-by: Mark Bolwell --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 985dec7..7258e1e 100644 --- a/README.md +++ b/README.md @@ -53,7 +53,7 @@ Refer to [Contributing Guide](./CONTRIBUTING.rst) This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. -Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL8-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode. +Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL9-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode. This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. @@ -128,7 +128,7 @@ os_check: false **Technical Dependencies:** - Python3 -- Ansible 2.10+ +- Ansible 2.12+ - python-def (should be included in RHEL 9) - libselinux-python - pip packages From 0a5c35cd6983cd1344c875faf38ef028940a672a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 20 Nov 2024 12:00:14 +0000 Subject: [PATCH 11/42] updated to latest layout Signed-off-by: Mark Bolwell --- README.md | 131 +++++++++++++++++++++++++++++------------------------- 1 file changed, 71 insertions(+), 60 deletions(-) diff --git a/README.md b/README.md index 7258e1e..0a4b4ff 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant -### Based on [ CIS RedHat Enterprise Linux 9 Benchmark v2.0.0 ](https://www.cisecurity.org/cis-benchmarks/) +### Based on [CIS RedHat Enterprise Linux 9 Benchmark v2.0.0](https://www.cisecurity.org/cis-benchmarks/) --- @@ -32,65 +32,82 @@ --- -## Looking for support? - -[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH9_cis) - -[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH9_cis) - ### Community Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. -### Contributing - -Issues and Pull requests are welcome please ensure that all commits are signed-off-by and gpg-signed. -Refer to [Contributing Guide](./CONTRIBUTING.rst) - --- ## Caution(s) This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. -Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL9-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode. +- Testing is the most important thing you can do. -This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. +- Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL9-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode. -To use the release version, please point to the `main` branch and relevant release for the cis benchmark you wish to work with. +- This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. + +- To use release version please point to main branch and relevant release/tag for the cis benchmark you wish to work with. + +- If moving across major releases e.g. v2.0.0 - v3.0.0 there are significant changes to the benchmarks and controls it is suggested to start as a new standard not to upgrade. + +- Containers references vars/is_container.yml this is an example and to be updated for your requirements + +- Did we mention testing?? --- ## Matching a security Level for CIS -It is possible to only run level 1 or level 2 controls for CIS. +It is possible to to only run level 1 or level 2 controls for CIS. This is managed using tags: -- level1-server -- level1-workstation -- level2-server -- level2-workstation +- level1_server +- level1_workstation +- level2_server +- level2_workstation -The control found in the `defaults` main also needs to reflect this, as this control is the testing that takes place if you are using the audit component. +The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. ## Coming from a previous release -CIS release always contains changes, it is highly recommended to review the new references and available variables. This has changed significantly since the ansible-lockdown initial release. -This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites which configure the system accordingly. +CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release. +This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. Further details can be seen in the [Changelog](./ChangeLog.md) ## Auditing (new) -This can be turned on or off within the `defaults/main.yml` file with the variables `setup_audit` and `run_audit`. The value is `false` by default. Please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. +This can be turned on or off within the defaults/main.yml file with the variable run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. -A new form of auditing has been developed by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check without the need for infrastructure or other tooling. -This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also try to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. +A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. +This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit). +## Example Audit Summary + +This is based on a vagrant image with selections enabled. e.g. No Gui or firewall. +Note: More tests are run during audit as we check config and running state. + +```txt + +ok: [default] => { + "msg": [ + "The pre remediation results are: ['Total Duration: 5.454s', 'Count: 338, Failed: 47, Skipped: 5'].", + "The post remediation results are: ['Total Duration: 5.007s', 'Count: 338, Failed: 46, Skipped: 5'].", + "Full breakdown can be found in /var/tmp", + "" + ] +} + +PLAY RECAP ******************************************************************************************************************************************* +default : ok=270 changed=23 unreachable=0 failed=0 skipped=140 rescued=0 ignored=0 +``` + ## Documentation - [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/) @@ -101,19 +118,6 @@ Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit). ## Requirements -RHEL 9 -Almalinux 9 -Rocky 9 -OracleLinux 9 - -- Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) - -CentOS stream - while this will generally work it is not supported and requires the following variable setting - -```sh -os_check: false -``` - **General:** - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible @@ -123,23 +127,22 @@ os_check: false - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) - Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file. +- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file. **Technical Dependencies:** -- Python3 -- Ansible 2.12+ -- python-def (should be included in RHEL 9) -- libselinux-python -- pip packages - - jmespath -- collections found in collections/requirements.yml +RHEL/AlmaLinux/Rocky/Oracle 9 - Other versions are not supported. -pre-commit is available if installed on your host for pull request testing. +- Access to download or add the goss binary and content to the system if using auditing +(other options are available on how to get the content to the system.) +- Python3.8 +- Ansible 2.12+ +- python-def +- libselinux-python ## Role Variables -This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done by overriding the required varaibles as found in defaults/main.yml file. e.g. using inventory, group_vars, extra_vars +This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. ## Tags @@ -169,10 +172,7 @@ We encourage you (the community) to contribute to this role. Please read the rul ## Known Issues -CIS 1.2.4 - repo_gpgcheck is not carried out for RedHat hosts as the default repos do not have this function. This also affect EPEL(not covered by var). - - Rocky and Alma not affected. -Variable used to unset. -rhel9cis_rhel_default_repo: true # to be set to false if using repo that does have this ability +Almalinux BaseOS, EPEL and many cloud providers repositories, do not allow gpgcheck(rule_1.2.1.2) or repo_gpgcheck (rule_1.2.1.3) this will cause issues during the playbook unless or a workaround is found. ## Pipeline Testing @@ -180,21 +180,32 @@ uses: - ansible-core 2.12 - ansible collections - pulls in the latest version based on requirements file -- Runs the audit using the devel branch -- Runs the pre-commit setup on the PR to ensure everything is in place as expected. +- runs the audit using the devel branch - This is an automated test that occurs on pull requests into devel ## Local Testing -- Ansible +Molecule can be used to work on this role and test in distinct _scenarios_. - - ansible-base 2.10.17 - python 3.8 - - ansible-core 2.13.4 - python 3.10 - - ansible-core 2.15.1 - python 3.11 +### examples + +```bash +molecule test -s default +molecule converge -s wsl -- --check +molecule verify -s localhost +``` + +local testing uses: + +- ansible 2.13.3 +- molecule 4.0.1 +- molecule-docker 2.0.0 +- molecule-podman 2.0.2 +- molecule-vagrant 1.0.0 +- molecule-azure 0.5.0 ## Added Extras -- makefile - this is there purely for testing and initial setup purposes. - [pre-commit](https://pre-commit.com) can be tested and can be run from within the directory ```sh From 888df3778dafae1cddd966cf3b53fbd3f859f33e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 4 Dec 2024 07:57:11 +0000 Subject: [PATCH 12/42] improve 1.5.3 test Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.5.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 1184603..3767a58 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -50,7 +50,7 @@ - NIST800-53R5_CM-6b ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf - regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$' + regexp: '(?#)^ProcessSizeMax\s*=\s*.*[1-9].*$' line: 'ProcessSizeMax=0' - name: "1.5.4 | PATCH | Ensure core dump storage is disabled" From 9f829accd06c44413fd5d11d4ee26acc639259c4 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 4 Dec 2024 08:01:16 +0000 Subject: [PATCH 13/42] improvement to Warning Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.1.x.yml | 2 +- tasks/section_1/cis_1.1.2.2.x.yml | 2 +- tasks/section_1/cis_1.1.2.3.x.yml | 2 +- tasks/section_1/cis_1.1.2.4.x.yml | 2 +- tasks/section_1/cis_1.1.2.5.x.yml | 2 +- tasks/section_1/cis_1.1.2.6.x.yml | 2 +- tasks/section_1/cis_1.1.2.7.x.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index 5683cde..04402ab 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -17,7 +17,7 @@ block: - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Present" ansible.builtin.import_tasks: diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index eb82773..f360a21 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -24,7 +24,7 @@ block: - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.2.1 | AUDIT | Ensure separate partition exists for /home | Present" ansible.builtin.import_tasks: diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index c7920cd..8894013 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -17,7 +17,7 @@ block: - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Present" ansible.builtin.import_tasks: diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index 0aa4fa2..328ec8b 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -17,7 +17,7 @@ block: - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Present" ansible.builtin.import_tasks: diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index 449bc8b..dbb7b97 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -18,7 +18,7 @@ block: - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" ansible.builtin.import_tasks: diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index c45da55..c38240c 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml @@ -17,7 +17,7 @@ block: - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Present" ansible.builtin.import_tasks: diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index 4a8f67c..526e46b 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml @@ -17,7 +17,7 @@ block: - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task" - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" ansible.builtin.import_tasks: From 6ed7c7e420b06fb0a5af9c862c64091ac11aa72a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 4 Dec 2024 08:03:33 +0000 Subject: [PATCH 14/42] tidy up layout Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 48 +++++++++++---------------------- 1 file changed, 16 insertions(+), 32 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index fb0f119..e67edd9 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -1,8 +1,7 @@ --- - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available" - when: - - rhel9cis_rule_1_1_1_1 + when: rhel9cis_rule_1_1_1_1 tags: - level1-server - level1-workstation @@ -35,8 +34,7 @@ state: absent - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available" - when: - - rhel9cis_rule_1_1_1_2 + when: rhel9cis_rule_1_1_1_2 tags: - level1-server - level1-workstation @@ -62,15 +60,13 @@ mode: '0600' - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: freevxfs state: absent - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available" - when: - - rhel9cis_rule_1_1_1_3 + when: rhel9cis_rule_1_1_1_3 tags: - level1-server - level1-workstation @@ -96,15 +92,13 @@ mode: '0600' - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: hfs state: absent - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available" - when: - - rhel9cis_rule_1_1_1_4 + when: rhel9cis_rule_1_1_1_4 tags: - level1-server - level1-workstation @@ -130,15 +124,13 @@ mode: '0600' - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: hfsplus state: absent - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available" - when: - - rhel9cis_rule_1_1_1_5 + when: rhel9cis_rule_1_1_1_5 tags: - level1-server - level1-workstation @@ -164,15 +156,13 @@ mode: '0600' - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: jffs2 state: absent - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available" - when: - - rhel9cis_rule_1_1_1_6 + when: rhel9cis_rule_1_1_1_6 tags: - level2-server - level2-workstation @@ -198,15 +188,13 @@ mode: '0600' - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: squashfs state: absent - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available" - when: - - rhel9cis_rule_1_1_1_7 + when: rhel9cis_rule_1_1_1_7 tags: - level2-server - level2-workstation @@ -232,15 +220,13 @@ mode: '0600' - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Disable udf" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: udf state: absent - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available" - when: - - rhel9cis_rule_1_1_1_8 + when: rhel9cis_rule_1_1_1_8 tags: - level1-server - level2-workstation @@ -266,15 +252,13 @@ mode: '0600' - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Disable usb" - when: - - not system_is_container + when: not system_is_container community.general.modprobe: name: usb-storage state: absent - name: "1.1.1.9 | PATCH | Ensure unused filesystems kernel modules are not available" - when: - - rhel9cis_rule_1_1_1_9 + when: rhel9cis_rule_1_1_1_9 tags: - level1-server - level1-workstation From 1b694832bb584a6126beab487b45e84fa0a0f114 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 4 Dec 2024 11:37:12 +0000 Subject: [PATCH 15/42] updated lint standards Signed-off-by: Mark Bolwell --- .ansible-lint | 17 ++--------------- .yamllint | 22 ++++++++++++++-------- 2 files changed, 16 insertions(+), 23 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 3090307..3b7c373 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -3,20 +3,7 @@ parseable: true quiet: true skip_list: - - 'schema' - - 'no-changed-when' - - 'var-spacing' - - 'experimental' - - 'name[play]' - - 'name[casing]' - - 'name[template]' - - 'key-order[task]' - - '204' - - '305' - - '303' - - '403' - - '306' - - '602' - - '208' + - 'package-latest' + - 'risky-shell-pipe' use_default_rules: true verbosity: 0 diff --git a/.yamllint b/.yamllint index ec2d1cd..9c0a13b 100644 --- a/.yamllint +++ b/.yamllint @@ -1,32 +1,38 @@ --- extends: default - +locale: en_US.UTF-8 ignore: | tests/ molecule/ .github/ .gitlab-ci.yml *molecule.yml - rules: - indentation: - # Requiring 4 space indentation - spaces: 2 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent braces: max-spaces-inside: 1 level: error brackets: max-spaces-inside: 1 level: error + comments: + ignore-shebangs: true + min-spaces-from-content: 1 # prettier compatibility + comments-indentation: enabled empty-lines: max: 1 - line-length: disable + indentation: + # Requiring 2 space indentation + spaces: 2 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent key-duplicates: enable + line-length: disable new-line-at-end-of-file: enable new-lines: type: unix + octal-values: + forbid-implicit-octal: true # yamllint defaults to false + forbid-explicit-octal: true trailing-spaces: enable truthy: allowed-values: ['true', 'false'] From 2de8a39cdcfc44d770b169c642cbfcb8fbbdd287 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 4 Dec 2024 11:45:13 +0000 Subject: [PATCH 16/42] updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell --- .yamllint | 2 +- LICENSE | 2 +- handlers/main.yml | 26 +++--- tasks/LE_audit_setup.yml | 5 +- tasks/audit_only.yml | 11 +-- tasks/check_prereqs.yml | 3 +- tasks/main.yml | 50 ++++------- tasks/parse_etc_password.yml | 10 +-- tasks/post.yml | 26 ++---- tasks/post_remediation_audit.yml | 10 +-- tasks/pre_remediation_audit.yml | 55 +++++------- tasks/prelim.yml | 40 ++++----- tasks/section_1/cis_1.1.1.x.yml | 38 ++++----- tasks/section_1/cis_1.1.2.1.x.yml | 2 +- tasks/section_1/cis_1.1.2.2.x.yml | 5 +- tasks/section_1/cis_1.2.1.x.yml | 16 ++-- tasks/section_1/cis_1.3.1.x.yml | 9 +- tasks/section_1/cis_1.4.x.yml | 9 +- tasks/section_1/cis_1.5.x.yml | 9 +- tasks/section_1/cis_1.6.x.yml | 16 ++-- tasks/section_1/cis_1.7.x.yml | 30 +++---- tasks/section_1/cis_1.8.x.yml | 30 +++---- tasks/section_2/cis_2.1.x.yml | 84 +++++-------------- tasks/section_2/cis_2.2.x.yml | 5 -- tasks/section_2/cis_2.3.x.yml | 4 +- tasks/section_2/cis_2.4.x.yml | 45 ++++------ tasks/section_3/cis_3.1.x.yml | 7 +- tasks/section_3/cis_3.2.x.yml | 24 +++--- tasks/section_3/cis_3.3.x.yml | 24 ++---- tasks/section_4/cis_4.1.x.yml | 5 +- tasks/section_4/cis_4.2.x.yml | 6 +- tasks/section_4/cis_4.3.x.yml | 33 +++++--- tasks/section_5/cis_5.1.x.yml | 65 +++++--------- tasks/section_5/cis_5.2.x.yml | 21 ++--- tasks/section_5/cis_5.3.2.x.yml | 35 ++++---- tasks/section_5/cis_5.3.3.1.x.yml | 10 +-- tasks/section_5/cis_5.3.3.2.x.yml | 38 ++++----- tasks/section_5/cis_5.3.3.3.x.yml | 9 +- tasks/section_5/cis_5.3.3.4.x.yml | 12 +-- tasks/section_5/cis_5.4.1.x.yml | 42 +++++----- tasks/section_5/cis_5.4.2.x.yml | 19 ++--- tasks/section_5/cis_5.4.3.x.yml | 11 +-- tasks/section_6/cis_6.1.x.yml | 12 +-- tasks/section_6/cis_6.2.1.x.yml | 16 ++-- tasks/section_6/cis_6.2.2.x.yml | 15 ++-- tasks/section_6/cis_6.2.3.x.yml | 20 ++--- tasks/section_6/cis_6.2.4.1.yml | 3 +- tasks/section_6/cis_6.3.1.x.yml | 22 ++--- tasks/section_6/cis_6.3.2.x.yml | 12 +-- tasks/section_6/cis_6.3.3.x.yml | 66 +++++---------- tasks/section_6/cis_6.3.4.x.yml | 21 ++--- tasks/section_7/cis_7.1.x.yml | 14 ++-- tasks/section_7/cis_7.2.x.yml | 2 +- tasks/warning_facts.yml | 3 +- templates/audit/98_auditd_exception.rules.j2 | 2 +- templates/audit/99_auditd.rules.j2 | 2 +- templates/etc/cron.d/aide.cron.j2 | 2 +- templates/etc/dconf/db/00-automount_lock.j2 | 2 +- templates/etc/dconf/db/00-autorun_lock.j2 | 2 +- templates/etc/dconf/db/00-media-automount.j2 | 2 +- templates/etc/dconf/db/00-media-autorun.j2 | 2 +- templates/etc/dconf/db/00-screensaver.j2 | 2 +- templates/etc/dconf/db/00-screensaver_lock.j2 | 2 +- .../etc/dconf/db/gdm.d/01-banner-message.j2 | 2 +- templates/fs_with_cves.sh | 5 +- vars/audit.yml | 2 +- 66 files changed, 461 insertions(+), 675 deletions(-) diff --git a/.yamllint b/.yamllint index 9c0a13b..4cf7047 100644 --- a/.yamllint +++ b/.yamllint @@ -17,7 +17,7 @@ rules: comments: ignore-shebangs: true min-spaces-from-content: 1 # prettier compatibility - comments-indentation: enabled + comments-indentation: enable empty-lines: max: 1 indentation: diff --git a/LICENSE b/LICENSE index f6d2b57..7e51eb7 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/handlers/main.yml b/handlers/main.yml index 27e4a56..f6a2806 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -2,7 +2,8 @@ # handlers file for RHEL9-CIS - name: Reload sysctl - ansible.builtin.shell: sysctl --system + ansible.builtin.command: sysctl --system + changed_when: true - name: Sysctl flush ipv4 route table when: @@ -43,8 +44,8 @@ - name: Set Crypto Policy when: prelim_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy - ansible.builtin.shell: | - update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" + ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" + changed_when: true notify: - Change_requires_reboot - Restart sshd @@ -65,11 +66,13 @@ state: restarted - name: Reload dconf - ansible.builtin.shell: dconf update + ansible.builtin.command: dconf update + changed_when: true - name: Grub2cfg - ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" + ansible.builtin.command: "grub2-mkconfig -o /boot/grub2/grub.cfg" ignore_errors: true # noqa ignore-errors + changed_when: true - name: Restart rsyslog ansible.builtin.systemd: @@ -91,24 +94,25 @@ daemon-reload: true - name: Authselect update - ansible.builtin.shell: authselect apply-changes + ansible.builtin.command: authselect apply-changes + changed_when: true ## Auditd tasks note order for handlers to run - name: Auditd immutable check - ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules + ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules changed_when: false register: discovered_auditd_immutable_check - name: Audit immutable fact - when: - - discovered_auditd_immutable_check.stdout == '1' + when: discovered_auditd_immutable_check.stdout == '1' ansible.builtin.debug: msg: "Reboot required for auditd to apply new rules as immutable set" notify: Change_requires_reboot -- name: Restart auditd - ansible.builtin.shell: service auditd restart +- name: Restart auditd # noqa command-instead-of-module + ansible.builtin.command: service auditd restart + changed_when: true - name: Change_requires_reboot ansible.builtin.set_fact: diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 4b407eb..7c2243f 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -1,5 +1,4 @@ --- - - name: Pre Audit Setup | Set audit package name block: - name: Pre Audit Setup | Set audit package name | 64bit @@ -20,13 +19,13 @@ owner: root group: root checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" - mode: '0555' + mode: "0555" - name: Pre Audit Setup | Copy audit binary when: get_audit_binary_method == 'copy' ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" - mode: '0555' + mode: "0555" owner: root group: root diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index b7dad08..c3d9596 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml @@ -1,9 +1,8 @@ --- - - name: Audit_Only | Create local Directories for hosts when: fetch_audit_files ansible.builtin.file: - mode: '0755' + mode: "0755" path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" recurse: true state: directory @@ -15,16 +14,14 @@ ansible.builtin.fetch: dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" flat: true - mode: '0644' + mode: "0644" src: "{{ pre_audit_outfile }}" - name: Audit_only | Show Audit Summary - when: - - audit_only + when: audit_only ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" - name: Audit_only | Stop Playbook Audit Only selected - when: - - audit_only + when: audit_only ansible.builtin.meta: end_play diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml index 159b72f..b9bf2af 100644 --- a/tasks/check_prereqs.yml +++ b/tasks/check_prereqs.yml @@ -1,8 +1,7 @@ --- - name: "PREREQ | If required install libselinux package to manage file changes." - when: - - '"libselinux-python3" not in ansible_facts.packages' + when: '"libselinux-python3" not in ansible_facts.packages' ansible.builtin.package: name: libselinux-python3 state: present diff --git a/tasks/main.yml b/tasks/main.yml index 4598f85..2ea223c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -2,22 +2,19 @@ # tasks file for RHEL9-CIS - name: "Check OS version and family" + when: os_check + tags: always ansible.builtin.assert: that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}" - when: - - os_check - tags: - - always - name: "Check ansible version" + tags: always ansible.builtin.assert: that: ansible_version.full is version_compare(min_ansible_version, '>=') fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" - tags: - - always - name: "Setup rules if container" when: @@ -36,8 +33,7 @@ file: "{{ container_vars_file }}" - name: "Output if discovered is a container" - when: - - system_is_container + when: system_is_container ansible.builtin.debug: msg: system has been discovered as a container @@ -51,8 +47,7 @@ when: - rhel9cis_set_boot_pass - rhel9cis_rule_1_4_1 - tags: - - always + tags: always ansible.builtin.assert: that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" @@ -81,23 +76,22 @@ vars: sudo_password_rule: rhel9cis_rule_5_2_4 # pragma: allowlist secret block: - - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" + - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" # noqa name[template] ansible.builtin.shell: "(grep {{ ansible_env.SUDO_USER }} /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false register: prelim_ansible_user_password_set - - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account" + - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account" # noqa name[template] when: prelim_ansible_user_password_set.stdout == "not found" ansible.builtin.debug: msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks." - name: "Check local account" - when: - - prelim_ansible_user_password_set.stdout != "not found" + when: prelim_ansible_user_password_set.stdout != "not found" block: - - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" + - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template] ansible.builtin.assert: that: - prelim_ansible_user_password_set.stdout | length != 0 @@ -105,7 +99,7 @@ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" - - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" + - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template] ansible.builtin.assert: that: - not prelim_ansible_user_password_set.stdout.startswith("!") @@ -113,10 +107,8 @@ success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" - name: "PRELIM | AUDIT | Check authselect profile is selected" - when: - - rhel9cis_allow_authselect_updates - tags: - - always + when: rhel9cis_allow_authselect_updates + tags: always block: - name: "PRELIM | AUDIT | Check authselect profile name has been updated" ansible.builtin.assert: @@ -136,8 +128,7 @@ fail_msg: Authselect updates have been selected there are issues with profile selection" - name: "Ensure root password is set" - when: - - rhel9cis_rule_5_4_2_4 + when: rhel9cis_rule_5_4_2_4 tags: - level1-server - level1-workstation @@ -158,14 +149,12 @@ success_msg: "You have a root password set" - name: "Gather the package facts" - tags: - - always + tags: always ansible.builtin.package_facts: manager: auto - name: "Include OS specific variables" - tags: - - always + tags: always ansible.builtin.include_vars: file: "{{ ansible_facts.distribution }}.yml" @@ -213,8 +202,7 @@ - name: "Run auditd logic" when: update_audit_template - tags: - - always + tags: always ansible.builtin.import_tasks: file: auditd.yml @@ -226,8 +214,7 @@ file: post.yml - name: "Run post_remediation audit" - when: - - run_audit + when: run_audit ansible.builtin.import_tasks: file: post_remediation_audit.yml @@ -238,7 +225,6 @@ - name: "If Warnings found Output count and control IDs affected" when: warn_count != 0 - tags: - - always + tags: always ansible.builtin.debug: msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}" diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 8270b5a..102acef 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -1,19 +1,17 @@ --- - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - tags: - - always + tags: always block: - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - ansible.builtin.shell: cat /etc/passwd + ansible.builtin.command: cat /etc/passwd changed_when: false check_mode: false - register: rhel9cis_passwd_file_audit + register: prelim_passwd_file_audit - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries" ansible.builtin.set_fact: - rhel9cis_passwd: "{{ rhel9cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" - loop: "{{ rhel9cis_passwd_file_audit.stdout_lines }}" + rhel9cis_passwd: "{{ prelim_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) diff --git a/tasks/post.yml b/tasks/post.yml index 198d9c0..b6efdfe 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -1,9 +1,7 @@ --- -# Post tasks - name: POST | Gather the package facts after remediation - tags: - - always + tags: always ansible.builtin.package_facts: manager: auto @@ -17,7 +15,7 @@ dest: "/etc/sysctl.d/{{ item }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' notify: Reload sysctl loop: - 60-kernel_sysctl.conf @@ -29,28 +27,22 @@ ansible.builtin.meta: flush_handlers - name: POST | reboot system if changes require it and not skipped - tags: - - always + when: change_requires_reboot + tags: always + vars: + warn_control_id: Reboot_required block: - name: POST | Reboot system if changes require it and not skipped + when: not skip_reboot ansible.builtin.reboot: - when: - - change_requires_reboot - - not skip_reboot - name: POST | Warning a reboot required but skip option set + when: skip_reboot ansible.builtin.debug: msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true - when: - - change_requires_reboot - - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" + when: skip_reboot ansible.builtin.import_tasks: file: warning_facts.yml - when: - - change_requires_reboot - - skip_reboot - vars: - warn_control_id: Reboot_required diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 8004ed3..294d45a 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,7 +1,7 @@ --- -- name: Post Audit | Run post_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" +- name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template] + ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" @@ -18,8 +18,7 @@ - "{{ pre_audit_outfile }}" - name: Post Audit | Capture audit data if json format - when: - - audit_format == "json" + when: audit_format == "json" block: - name: Post Audit | Capture audit data if json format ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 @@ -31,8 +30,7 @@ post_audit_results: "{{ post_audit_summary.stdout }}" - name: Post Audit | Capture audit data if documentation format - when: - - audit_format == "documentation" + when: audit_format == "documentation" block: - name: Post Audit | Capture audit data if documentation format ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' ' diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 3a3304c..c6a531a 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,22 +1,18 @@ --- - - name: Pre Audit Setup | Setup the LE audit - when: - - setup_audit - tags: - - setup_audit + when: setup_audit + tags: setup_audit ansible.builtin.include_tasks: file: LE_audit_setup.yml -- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists +- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists # noqa name[template] ansible.builtin.file: path: "{{ audit_conf_dir }}" state: directory - mode: '0755' + mode: "0755" - name: Pre Audit Setup | If using git for content set up - when: - - audit_content == 'git' + when: audit_content == 'git' block: - name: Pre Audit Setup | Install git ansible.builtin.package: @@ -30,32 +26,28 @@ version: "{{ audit_git_version }}" - name: Pre Audit Setup | Copy to audit content files to server - when: - - audit_content == 'copy' + when: audit_content == 'copy' ansible.builtin.copy: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server - when: - - audit_content == 'archive' + when: audit_content == 'archive' ansible.builtin.unarchive: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url - when: - - audit_content == 'get_url' + when: audit_content == 'get_url' ansible.builtin.unarchive: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" - remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" - extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" + remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}" + extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}" - name: Pre Audit Setup | Check Goss is available - when: - - run_audit + when: run_audit block: - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: @@ -63,24 +55,22 @@ register: discovered_goss_available - name: Pre Audit Setup | If audit ensure goss is available - when: - - not discovered_goss_available.stat.exists + when: not discovered_goss_available.stat.exists ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit - when: - - run_audit + when: run_audit tags: - goss_template - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" - mode: '0600' + mode: "0600" -- name: Pre Audit | Run pre_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" +- name: Pre Audit | Run pre_remediation {{ benchmark }} audit # noqa name[template] + ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" @@ -88,33 +78,30 @@ AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format - when: - - audit_format == "json" + when: audit_format == "json" block: - name: Pre Audit | Capture audit data if json format ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 - register: pre_audit_summary changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Pre Audit | Capture audit data if documentation format - when: - - audit_format == "documentation" + when: audit_format == "documentation" block: - name: Pre Audit | Capture audit data if documentation format ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' - register: pre_audit_summary changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Audit_Only | Run Audit Only - when: - - audit_only + when: audit_only ansible.builtin.import_tasks: file: audit_only.yml diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 28292fb..1e67bb3 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -17,50 +17,43 @@ when: - run_audit or audit_only - setup_audit - tags: - - run_audit + tags: run_audit ansible.builtin.import_tasks: pre_remediation_audit.yml - name: "PRELIM | AUDIT | Interactive Users" - tags: - - always + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' changed_when: false register: prelim_interactive_usernames - name: "PRELIM | AUDIT | Interactive User accounts home directories" - tags: - - always + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }' changed_when: false register: prelim_interactive_users_home - name: "PRELIM | AUDIT | Interactive UIDs" - tags: - - always + tags: always ansible.builtin.shell: > grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }' changed_when: false register: prelim_interactive_uids - name: "PRELIM | AUDIT | Capture /etc/password variables" + tags: always ansible.builtin.include_tasks: file: parse_etc_password.yml - tags: - - always - name: "PRELIM | PATCH | Ensure python3-libselinux is installed" - when: - - '"python3-libselinux" not in ansible_facts.packages' + when: '"python3-libselinux" not in ansible_facts.packages' ansible.builtin.package: name: python3-libselinux state: present - name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points" - tags: - - Always + tags: always ansible.builtin.set_fact: mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" @@ -80,27 +73,27 @@ - ansible_facts.distribution == 'RedHat' block: - name: "PRELIM | AUDIT | Import gpg keys | get data" - ansible.builtin.shell: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' + ansible.builtin.command: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' # noqa command-instead-of-module changed_when: false failed_when: false register: prelim_check_gpg_imported - - name: "PRELIM | AUDIT | Import gpg keys | Check Package" + - name: "PRELIM | AUDIT | Import gpg keys | Check Package" # noqa command-instead-of-module when: "'not installed' in prelim_check_gpg_imported.stdout" ansible.builtin.shell: rpm -qi redhat-release | grep Signature changed_when: false failed_when: false register: prelim_os_gpg_package_valid - - name: "PRELIM | PATCH | Force keys to be imported" + - name: "PRELIM | PATCH | Force keys to be imported" # noqa command-instead-of-module when: - "'not installed' in prelim_check_gpg_imported.stdout" - "'Key ID 199e2f91fd431d51' in prelim_os_gpg_package_valid.stdout" - ansible.builtin.shell: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + ansible.builtin.command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + changed_when: false - name: "PRELIM | AUDIT | Check systemd coredump" - when: - - rhel9cis_rule_1_5_4 + when: rhel9cis_rule_1_5_4 tags: - level1-server - level1-workstation @@ -127,7 +120,7 @@ state: present - name: "PRELIM | AUDIT | Gather system-wide crypto-policy" - ansible.builtin.shell: 'update-crypto-policies --show' + ansible.builtin.command: 'update-crypto-policies --show' changed_when: false check_mode: false register: prelim_system_wide_crypto_policy @@ -183,7 +176,7 @@ - always block: - name: "PRELIM | AUDIT | Discover is wirelss adapter on system" - ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless + ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless register: discover_wireless_adapters changed_when: false failed_when: discover_wireless_adapters.rc not in [ 0, 1 ] @@ -222,7 +215,7 @@ path: "{{ rhel9cis_sshd_config_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' state: touch - name: "PRELIM | AUDIT | Gather UID 0 accounts other than root" @@ -246,6 +239,7 @@ ansible.builtin.file: path: /etc/systemd/journald.conf.d state: directory + mode: 'go-w' - name: "PRELIM | PATCH | Configure System Accounting (auditd)" when: diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index e67edd9..579fb1b 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -16,7 +16,7 @@ regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -24,7 +24,7 @@ regexp: "^(#)?blacklist cramfs(\\s|$)" line: "blacklist cramfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs" when: @@ -49,7 +49,7 @@ regexp: "^(#)?install freevxfs(\\s|$)" line: "install freevxfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -57,7 +57,7 @@ regexp: "^(#)?blacklist freevxfs(\\s|$)" line: "blacklist freevxfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs" when: not system_is_container @@ -81,7 +81,7 @@ regexp: "^(#)?install hfs(\\s|$)" line: "install hfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -89,7 +89,7 @@ regexp: "^(#)?blacklist hfs(\\s|$)" line: "blacklist hfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs" when: not system_is_container @@ -113,7 +113,7 @@ regexp: "^(#)?install hfsplus(\\s|$)" line: "install hfsplus /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -121,7 +121,7 @@ regexp: "^(#)?blacklist hfsplus(\\s|$)" line: "blacklist hfsplus" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus" when: not system_is_container @@ -145,7 +145,7 @@ regexp: "^(#)?install jffs2(\\s|$)" line: "install jffs2 /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -153,7 +153,7 @@ regexp: "^(#)?blacklist jffs2(\\s|$)" line: "blacklist jffs2" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2" when: not system_is_container @@ -177,7 +177,7 @@ regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -185,7 +185,7 @@ regexp: "^(#)?blacklist squashfs(\\s|$)" line: "blacklist squashfs" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs" when: not system_is_container @@ -209,7 +209,7 @@ regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -217,7 +217,7 @@ regexp: "^(#)?blacklist udf(\\s|$)" line: "blacklist udf" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Disable udf" when: not system_is_container @@ -241,7 +241,7 @@ regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | blacklist" ansible.builtin.lineinfile: @@ -249,7 +249,7 @@ regexp: "^(#)?blacklist usb-storage(\\s|$)" line: "blacklist usb-storage" create: true - mode: '0600' + mode: 'go-rwx' - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Disable usb" when: not system_is_container @@ -273,10 +273,10 @@ dest: /var/fs_with_cves.sh owner: root group: root - mode: '0744' + mode: 'u+x,go-wx' - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Run discovery script" - ansible.builtin.shell: /var/fs_with_cves.sh + ansible.builtin.command: /var/fs_with_cves.sh changed_when: false failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ] register: discovered_fs_modules_loaded @@ -286,7 +286,7 @@ ansible.builtin.debug: msg: | "Warning!! Discovered loaded Filesystem modules that need attention. This is a manual task - {{ discovered_fs_modules_loaded.stdout_lines}}" + {{ discovered_fs_modules_loaded.stdout_lines }}" - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning" when: discovered_fs_modules_loaded.stdout | length > 0 diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index 04402ab..4457624 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -84,5 +84,5 @@ dest: /etc/systemd/system/tmp.mount owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Systemd restart tmp.mount diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index f360a21..6f0df56 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -2,8 +2,7 @@ # Skips if mount is absent - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition" - when: - - rhel9cis_rule_1_1_2_2_1 + when: rhel9cis_rule_1_1_2_2_1 tags: - level1-server - level1-workstation @@ -14,7 +13,7 @@ vars: warn_control_id: '1.1.2.2.1' block: - - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists" + - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists" # noqa command-instead-of-module ansible.builtin.shell: mount -l | grep -w /dev/shm changed_when: false register: discovered_dev_shm_mount_check diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index dca12b0..28cd7cd 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml @@ -14,18 +14,18 @@ - rule_1.2.1.1 - NIST800-53R5_SI-2 block: - - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" + - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" # noqa command-instead-of-module ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" changed_when: false failed_when: false register: discovered_os_installed_pub_keys - - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys" + - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys" # noqa command-instead-of-module + when: discovered_os_installed_pub_keys.rc == 0 ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"' changed_when: false failed_when: false register: discovered_os_gpg_key_check - when: discovered_os_installed_pub_keys.rc == 0 - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | expected keys fail" when: @@ -35,8 +35,7 @@ msg: Installed GPG Keys do not meet expected values or expected keys are not installed - name: "1.2.1.2 | PATCH | Ensure gpgcheck is globally activated" - when: - - rhel9cis_rule_1_2_1_2 + when: rhel9cis_rule_1_2_1_2 tags: - level1-server - level1-workstation @@ -94,8 +93,7 @@ label: "{{ item.path }}" - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured" - when: - - rhel9cis_rule_1_2_1_4 + when: rhel9cis_rule_1_2_1_4 tags: - level1-server - level1-workstation @@ -107,11 +105,11 @@ warn_control_id: '1.2.1.4' block: - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Get repo list" - ansible.builtin.shell: dnf repolist + ansible.builtin.command: dnf repolist changed_when: false failed_when: false - register: discovered_dnf_configured check_mode: false + register: discovered_dnf_configured - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" ansible.builtin.debug: diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml index f3f67f8..198ae7b 100644 --- a/tasks/section_1/cis_1.3.1.x.yml +++ b/tasks/section_1/cis_1.3.1.x.yml @@ -122,8 +122,7 @@ file: warning_facts.yml - name: "1.3.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" - when: - - rhel9cis_rule_1_3_1_7 + when: rhel9cis_rule_1_3_1_7 tags: - level1-server - level1-workstation @@ -136,9 +135,6 @@ state: absent - name: "1.3.1.8 | PATCH | Ensure SETroubleshoot is not installed" - ansible.builtin.package: - name: setroubleshoot - state: absent when: - rhel9cis_rule_1_3_1_8 - "'setroubleshoot' in ansible_facts.packages" @@ -149,3 +145,6 @@ - rule_1.3.1.8 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 + ansible.builtin.package: + name: setroubleshoot + state: absent diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 747faa8..d422f14 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -16,12 +16,11 @@ content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy owner: root group: root - mode: '0600' + mode: 'go-rwx' notify: Grub2cfg - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" - when: - - rhel9cis_rule_1_4_2 + when: rhel9cis_rule_1_4_2 tags: - level1-server - level1-workstation @@ -41,5 +40,5 @@ access_time: preserve loop: - { path: 'grub.cfg', mode: '0700' } - - { path: 'grubenv', mode: '0600' } - - { path: 'user.cfg', mode: '0600' } + - { path: 'grubenv', mode: 'go-rwx' } + - { path: 'user.cfg', mode: 'go-rwx' } diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 3767a58..992785b 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -1,8 +1,7 @@ --- - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - when: - - rhel9cis_rule_1_5_1 + when: rhel9cis_rule_1_5_1 tags: - level1-server - level1-workstation @@ -21,8 +20,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" - name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted" - when: - - rhel9cis_rule_1_5_2 + when: rhel9cis_rule_1_5_2 tags: - level1-server - level1-workstation @@ -39,8 +37,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" - name: "1.5.3 | PATCH | Ensure core dump backtraces are disabled" - when: - - rhel9cis_rule_1_5_3 + when: rhel9cis_rule_1_5_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 5d9441e..c418324 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -1,8 +1,7 @@ --- - name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy" - when: - - rhel9cis_rule_1_6_1 + when: rhel9cis_rule_1_6_1 tags: - level1-server - level1-workstation @@ -18,8 +17,7 @@ - Set Crypto Policy - name: "1.6.2 | PATCH | Ensure system wide crypto policy is not set in sshd configuration" - when: - - rhel9cis_rule_1_6_2 + when: rhel9cis_rule_1_6_2 tags: - level1-server - level1-workstation @@ -54,7 +52,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' register: discovered_no_sha1_template - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules" @@ -85,7 +83,7 @@ dest: /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' register: discovered_no_weakmac_template - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules" @@ -115,7 +113,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' register: discovered_no_sshcbc_template - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules" @@ -145,7 +143,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' register: discovered_no_sshweakciphers_template - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules" @@ -175,7 +173,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SSHETM.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' register: discovered_no_sshetm_template - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules" diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index c7484cd..7f45476 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -1,8 +1,7 @@ --- - name: "1.7.1 | PATCH | Ensure message of the day is configured properly" - when: - - rhel9cis_rule_1_7_1 + when: rhel9cis_rule_1_7_1 tags: - level1-server - level1-workstation @@ -17,11 +16,10 @@ dest: /etc/motd owner: root group: root - mode: u-x,go-wx + mode: 'u-x,go-wx' - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" - when: - - rhel9cis_rule_1_7_2 + when: rhel9cis_rule_1_7_2 tags: - level1-server - level1-workstation @@ -35,11 +33,10 @@ dest: /etc/issue owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" - when: - - rhel9cis_rule_1_7_3 + when: rhel9cis_rule_1_7_3 tags: - level1-server - level1-workstation @@ -54,11 +51,10 @@ dest: /etc/issue.net owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" - when: - - rhel9cis_rule_1_7_4 + when: rhel9cis_rule_1_7_4 tags: - level1-server - level1-workstation @@ -71,11 +67,10 @@ path: /etc/motd owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" - when: - - rhel9cis_rule_1_7_5 + when: rhel9cis_rule_1_7_5 tags: - level1-server - level1-workstation @@ -88,11 +83,10 @@ path: /etc/issue owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - when: - - rhel9cis_rule_1_7_6 + when: rhel9cis_rule_1_7_6 tags: - level1-server - level1-workstation @@ -105,4 +99,4 @@ path: /etc/issue.net owner: root group: root - mode: '0644' + mode: 'go-wx' diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 427eb79..c38b75c 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -35,7 +35,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf loop: - { regexp: 'user-db', line: 'user-db:user' } @@ -48,7 +48,7 @@ dest: /etc/dconf/db/gdm.d/01-banner-message owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.3 | PATCH | Ensure GDM disable-user-list option is enabled" @@ -68,7 +68,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf loop: - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } @@ -96,7 +96,7 @@ create: true owner: root group: root - mode: '0644' + mode: 'go-wx' loop: - { regexp: '^user-db', line: 'user-db:user' } - { regexp: '^system-db', line: 'system-db:local' } @@ -106,7 +106,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make conf file" @@ -115,7 +115,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-screensaver" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden" @@ -134,7 +134,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file" @@ -143,7 +143,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled" @@ -161,7 +161,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-automount" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden" @@ -180,7 +180,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file" @@ -189,7 +189,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-automount_lock" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled" @@ -208,7 +208,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file" @@ -217,7 +217,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-autorun" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden" @@ -236,7 +236,7 @@ path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks" owner: root group: root - mode: '0755' + mode: 'go-w' state: directory - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lockfile" @@ -245,7 +245,7 @@ dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock" owner: root group: root - mode: '0644' + mode: 'go-wx' notify: Reload dconf - name: "1.8.10 | PATCH | Ensure XDMCP is not enabled" diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 73e7986..fb0351f 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -33,9 +33,8 @@ masked: true - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use" - when: - - rhel9cis_rule_2_1_2 - - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" + when: rhel9cis_rule_2_1_2 + tags: - level1-server - level2-workstation @@ -70,9 +69,7 @@ - avahi-daemon.service - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use" - when: - - "'dhcp-server' in ansible_facts.packages" - - rhel9cis_rule_2_1_3 + when: rhel9cis_rule_2_1_3 tags: - level1-server - level1-workstation @@ -105,9 +102,7 @@ - dhcpd6.service - name: "2.1.4 | PATCH | Ensure dns server services are not in use" - when: - - "'bind' in ansible_facts.packages" - - rhel9cis_rule_2_1_4 + when: rhel9cis_rule_2_1_4 tags: - level1-server - level1-workstation @@ -137,9 +132,7 @@ masked: true - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use" - when: - - "'dnsmasq' in ansible_facts.packages" - - rhel9cis_rule_2_1_5 + when: rhel9cis_rule_2_1_5 tags: - level1-server - level1-workstation @@ -169,9 +162,7 @@ masked: true - name: "2.1.6 | PATCH | Ensure samba file server services are not in use" - when: - - "'samba' in ansible_facts.packages" - - rhel9cis_rule_2_1_6 + when: rhel9cis_rule_2_1_6 tags: - level1-server - level1-workstation @@ -202,9 +193,7 @@ masked: true - name: "2.1.7 | PATCH | Ensure ftp server services are not in use" - when: - - "'ftp' in ansible_facts.packages" - - rhel9cis_rule_2_1_7 + when: rhel9cis_rule_2_1_7 tags: - level1-server - level1-workstation @@ -235,9 +224,7 @@ masked: true - name: "2.1.8 | PATCH | Ensure message access server services are not in use" - when: - - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages" - - rhel9cis_rule_2_1_8 + when: rhel9cis_rule_2_1_8 tags: - level1-server - level1-workstation @@ -275,9 +262,7 @@ - "cyrus-imapd.service" - name: "2.1.9 | PATCH | Ensure network file system services are not in use" - when: - - "'nfs-utils' in ansible_facts.packages" - - rhel9cis_rule_2_1_9 + when: rhel9cis_rule_2_1_9 tags: - level1-server - level1-workstation @@ -309,9 +294,7 @@ masked: true - name: "2.1.10 | PATCH | Ensure nis server services are not in use" - when: - - "'ypserv' in ansible_facts.packages" - - rhel9cis_rule_2_1_10 + when: rhel9cis_rule_2_1_10 tags: - level1-server - level1-workstation @@ -341,9 +324,7 @@ masked: true - name: "2.1.11 | PATCH | Ensure print server services are not in use" - when: - - "'cups' in ansible_facts.packages" - - rhel9cis_rule_2_1_11 + when: rhel9cis_rule_2_1_11 tags: - level1-server - automated @@ -375,9 +356,7 @@ - "cups.service" - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use" - when: - - "'rpcbind' in ansible_facts.packages" - - rhel9cis_rule_2_1_12 + when: rhel9cis_rule_2_1_12 tags: - level1-server - level1-workstation @@ -411,9 +390,7 @@ - rpcbind.socket - name: "2.1.13 | PATCH | Ensure rsync services are not in use" - when: - - "'rsync-daemon' in ansible_facts.packages" - - rhel9cis_rule_2_1_13 + when: rhel9cis_rule_2_1_13 tags: - level1-server - level1-workstation @@ -447,9 +424,7 @@ - 'rsyncd.service' - name: "2.1.14 | PATCH | Ensure snmp services are not in use" - when: - - "'net-snmp' in ansible_facts.packages" - - rhel9cis_rule_2_1_14 + when: rhel9cis_rule_2_1_14 tags: - level1-server - level1-workstation @@ -479,9 +454,7 @@ masked: true - name: "2.1.15 | PATCH | Ensure telnet server services are not in use" - when: - - "'telnet-server' in ansible_facts.packages" - - rhel9cis_rule_2_1_15 + when: rhel9cis_rule_2_1_15 tags: - level1-server - level1-workstation @@ -512,9 +485,7 @@ masked: true - name: "2.1.16 | PATCH | Ensure tftp server services are not in use" - when: - - "'tftp-server' in ansible_facts.packages" - - rhel9cis_rule_2_1_16 + when: rhel9cis_rule_2_1_16 tags: - level1-server - level1-workstation @@ -547,9 +518,7 @@ - 'tftp.service' - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use" - when: - - "'squid' in ansible_facts.packages" - - rhel9cis_rule_2_117 + when: rhel9cis_rule_2_1_17 tags: - level1-server - level1-workstation @@ -580,8 +549,7 @@ masked: true - name: "2.1.18 | PATCH | Ensure web server services are not in use" - when: - - rhel9cis_rule_2_1_18 + when: rhel9cis_rule_2_1_18 tags: - level1-server - level1-workstation @@ -597,7 +565,6 @@ when: - not rhel9cis_httpd_server - not rhel9cis_httpd_mask - - "'httpd' in ansible_facts.packages" ansible.builtin.package: name: httpd state: absent @@ -606,7 +573,6 @@ when: - not rhel9cis_nginx_server - not rhel9cis_nginx_mask - - "'nginx' in ansible_facts.packages" ansible.builtin.package: name: nginx state: absent @@ -615,7 +581,6 @@ when: - not rhel9cis_httpd_server - rhel9cis_httpd_mask - - "'httpd' in ansible_facts.packages" notify: Systemd_daemon_reload ansible.builtin.systemd: name: httpd.service @@ -627,7 +592,6 @@ when: - not rhel9cis_nginx_server - rhel9cis_nginx_mask - - "'nginx' in ansible_facts.packages" notify: Systemd_daemon_reload ansible.builtin.systemd: name: ngnix.service @@ -636,9 +600,7 @@ masked: true - name: "2.1.19 | PATCH | Ensure xinetd services are not in use" - when: - - "'xinetd' in ansible_facts.packages" - - rhel9cis_rule_2_1_19 + when: rhel9cis_rule_2_1_19 tags: - level1-server - level1-workstation @@ -670,7 +632,6 @@ - name: "2.1.20 | PATCH | Ensure X window server services are not in use" when: - not rhel9cis_xwindow_server - - "'xorg-x11-server-common' in ansible_facts.packages" - rhel9cis_rule_2_1_20 tags: - level1-server @@ -704,8 +665,7 @@ line: "inet_interfaces = loopback-only" - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface" - when: - - rhel9cis_rule_2_1_22 + when: rhel9cis_rule_2_1_22 tags: - level1-server - level1-workstation @@ -717,8 +677,8 @@ vars: warn_control_id: '2.1.22' block: - - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" - ansible.builtin.shell: systemctl list-units --type=service + - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" # noqa command-instead-of-module + ansible.builtin.command: systemctl list-units --type=service changed_when: false failed_when: discovered_running_services.rc not in [ 0, 1 ] check_mode: false diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index cdd03b8..0e019e7 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -3,7 +3,6 @@ - name: "2.2.1 | PATCH | Ensure ftp client is not installed" when: - not rhel9cis_ftp_client - - "'ftp' in ansible_facts.packages" - rhel9cis_rule_2_2_1 tags: - level1-server @@ -20,7 +19,6 @@ - name: "2.2.2 | PATCH | Ensure ldap client is not installed" when: - not rhel9cis_openldap_clients_required - - "'openldap-clients' in ansible_facts.packages" - rhel9cis_rule_2_2_2 tags: - level2-server @@ -37,7 +35,6 @@ - name: "2.2.3 | PATCH | Ensure nis client is not installed" when: - not rhel9cis_ypbind_required - - "'ypbind' in ansible_facts.packages" - rhel9cis_rule_2_2_3 tags: - level1-server @@ -54,7 +51,6 @@ - name: "2.2.4 | PATCH | Ensure telnet client is not installed" when: - not rhel9cis_telnet_required - - "'telnet' in ansible_facts.packages" - rhel9cis_rule_2_2_4 tags: - level1-server @@ -71,7 +67,6 @@ - name: "2.2.5 | PATCH | Ensure TFTP client is not installed" when: - not rhel9cis_tftp_client - - "'tftp' in ansible_facts.packages" - rhel9cis_rule_2_2_5 tags: - level1-server diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index dacd624..b84a84b 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -31,7 +31,7 @@ dest: /etc/chrony.conf owner: root group: root - mode: '0644' + mode: 'go-wx' - name: "2.3.3 | PATCH | Ensure chrony is not run as the root user" when: @@ -48,4 +48,4 @@ line: OPTIONS="\1 -u chrony" create: true backrefs: true - mode: '0644' + mode: 'go-wx' diff --git a/tasks/section_2/cis_2.4.x.yml b/tasks/section_2/cis_2.4.x.yml index 16ed0e9..c4b6b8b 100644 --- a/tasks/section_2/cis_2.4.x.yml +++ b/tasks/section_2/cis_2.4.x.yml @@ -1,8 +1,7 @@ --- - name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled" - when: - - rhel9cis_rule_2_4_1_1 + when: rhel9cis_rule_2_4_1_1 tags: - level1-server - level1-workstation @@ -19,8 +18,7 @@ enabled: true - name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" - when: - - rhel9cis_rule_2_4_1_2 + when: rhel9cis_rule_2_4_1_2 tags: - level1-server - level1-workstation @@ -33,11 +31,10 @@ path: /etc/crontab owner: root group: root - mode: og-rwx + mode: 'og-rwx' - name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" - when: - - rhel9cis_rule_2_4_1_3 + when: rhel9cis_rule_2_4_1_3 tags: - level1-server - level1-workstation @@ -51,11 +48,10 @@ state: directory owner: root group: root - mode: og-rwx + mode: 'og-rwx' - name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" - when: - - rhel9cis_rule_2_4_1_4 + when: rhel9cis_rule_2_4_1_4 tags: - level1-server - level1-workstation @@ -67,11 +63,10 @@ state: directory owner: root group: root - mode: og-rwx + mode: 'og-rwx' - name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" - when: - - rhel9cis_rule_2_4_1_5 + when: rhel9cis_rule_2_4_1_5 tags: - level1-server - level1-workstation @@ -84,11 +79,10 @@ state: directory owner: root group: root - mode: og-rwx + mode: 'og-rwx' - name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" - when: - - rhel9cis_rule_2_4_1_6 + when: rhel9cis_rule_2_4_1_6 tags: - level1-server - level1-workstation @@ -101,11 +95,10 @@ state: directory owner: root group: root - mode: og-rwx + mode: 'og-rwx' - name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" - when: - - rhel9cis_rule_2_4_1_7 + when: rhel9cis_rule_2_4_1_7 tags: - level1-server - level1-workstation @@ -119,11 +112,10 @@ state: directory owner: root group: root - mode: '0700' + mode: 'og-rwx' - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users" - when: - - rhel9cis_rule_2_4_1_8 + when: rhel9cis_rule_2_4_1_8 tags: - level1-server - level1-workstation @@ -146,14 +138,13 @@ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users" ansible.builtin.file: path: /etc/cron.allow - state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}' + state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: u-x,g-wx,o-rwx + mode: 'u-x,g-wx,o-rwx' - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users" - when: - - rhel9cis_rule_2_4_2_1 + when: rhel9cis_rule_2_4_2_1 tags: - level1-server - level1-workstation @@ -179,4 +170,4 @@ state: '{{ "file" if discovered_at_allow_state.stat.exists else "touch" }}' owner: root group: root - mode: u-x,g-wx,o-rwx + mode: 'u-x,g-wx,o-rwx' diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 98e3a93..e8934d4 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -40,7 +40,7 @@ block: - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" when: "'network-manager' in ansible_facts.packages" - ansible.builtin.shell: nmcli radio wifi + ansible.builtin.command: nmcli radio wifi changed_when: false failed_when: false check_mode: false @@ -50,7 +50,7 @@ when: - "'network-manager' in ansible_facts.packages" - "'enabled' in discovered_wifi_status.stdout" - ansible.builtin.shell: nmcli radio all off + ansible.builtin.command: nmcli radio all off changed_when: discovered_nmcli_radio_off.rc == 0 register: discovered_nmcli_radio_off @@ -65,8 +65,7 @@ file: warning_facts.yml - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use" - when: - - rhel9cis_rule_3_1_3 + when: rhel9cis_rule_3_1_3 tags: - level1-server - level2-workstation diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index bc210ae..4903070 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -1,8 +1,7 @@ --- - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available" - when: - - rhel9cis_rule_3_2_1 + when: rhel9cis_rule_3_2_1 tags: - level2-server - level2-workstation @@ -18,6 +17,7 @@ regexp: '^(#)?install dccp(\\s|$)' line: "{{ item }}" create: true + mode: 'go-wx' loop: - install dccp /bin/true - blacklist dccp @@ -28,11 +28,10 @@ regexp: "^(#)?blacklist cramfs(\\s|$)" line: "blacklist cramfs" create: true - mode: '0600' + mode: 'go-wx' - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available" - when: - - rhel9cis_rule_3_2_2 + when: rhel9cis_rule_3_2_2 tags: - level2-server - level2-workstation @@ -48,6 +47,7 @@ regexp: '^(#)?install tipc(\\s|$)' line: "{{ item }}" create: true + mode: 'go-wx' loop: - install tipc /bin/true - blacklist tipc @@ -58,11 +58,10 @@ regexp: "^(#)?blacklist tipc(\\s|$)" line: "blacklist tipc" create: true - mode: '0600' + mode: 'go-wx' - name: "3.2.3 | PATCH | Ensure rds kernel module is not available" - when: - - rhel9cis_rule_3_2_3 + when: rhel9cis_rule_3_2_3 tags: - level2-server - level2-workstation @@ -78,6 +77,7 @@ regexp: '^(#)?install rds(\\s|$)' line: "{{ item }}" create: true + mode: 'go-wx' loop: - install rds /bin/true - blacklist rds @@ -88,11 +88,10 @@ regexp: "^(#)?blacklist rds(\\s|$)" line: "blacklist rds" create: true - mode: '0600' + mode: 'go-wx' - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available" - when: - - rhel9cis_rule_3_2_4 + when: rhel9cis_rule_3_2_4 tags: - level2-server - level2-workstation @@ -108,6 +107,7 @@ regexp: '^(#)?install sctp(\\s|$)' line: "{{ item }}" create: true + mode: 'go-wx' loop: - install sctp /bin/true - blacklist sctp @@ -118,4 +118,4 @@ regexp: "^(#)?blacklist sctp(\\s|$)" line: "blacklist sctp" create: true - mode: '0600' + mode: 'go-wx' diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 2f73979..123928e 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -61,8 +61,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored" - when: - - rhel9cis_rule_3_3_3 + when: rhel9cis_rule_3_3_3 tags: - level1-server - level1-workstation @@ -85,8 +84,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored" - when: - - rhel9cis_rule_3_3_4 + when: rhel9cis_rule_3_3_4 tags: - level1-server - level1-workstation @@ -109,8 +107,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted" - when: - - rhel9cis_rule_3_3_5 + when: rhel9cis_rule_3_3_5 tags: - level1-server - level1-workstation @@ -144,8 +141,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted" - when: - - rhel9cis_rule_3_3_6 + when: rhel9cis_rule_3_3_6 tags: - level1-server - level1-workstation @@ -179,8 +175,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" - when: - - rhel9cis_rule_3_3_7 + when: rhel9cis_rule_3_3_7 tags: - level1-server - level1-workstation @@ -203,8 +198,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.8 | PATCH | Ensure source routed packets are not accepted" - when: - - rhel9cis_rule_3_3_8 + when: rhel9cis_rule_3_3_8 tags: - level1-server - level1-workstation @@ -237,8 +231,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" - name: "3.3.9 | PATCH | Ensure suspicious packets are logged" - when: - - rhel9cis_rule_3_3_9 + when: rhel9cis_rule_3_3_9 tags: - level1-server - level1-workstation @@ -257,8 +250,7 @@ msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled" - when: - - rhel9cis_rule_3_3_10 + when: rhel9cis_rule_3_3_10 tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index f0a6636..ab61c81 100644 --- a/tasks/section_4/cis_4.1.x.yml +++ b/tasks/section_4/cis_4.1.x.yml @@ -17,8 +17,7 @@ state: present - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use" - when: - - rhel9cis_rule_4_1_2 + when: rhel9cis_rule_4_1_2 tags: - level1-server - level1-workstation @@ -52,7 +51,7 @@ name: "{{ rhel9cis_firewall }}" state: installed - - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" + - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" # noqa name[template] ansible.builtin.systemd: name: "{{ rhel9cis_firewall }}" enabled: true diff --git a/tasks/section_4/cis_4.2.x.yml b/tasks/section_4/cis_4.2.x.yml index 0fca4cc..6e8eb3c 100644 --- a/tasks/section_4/cis_4.2.x.yml +++ b/tasks/section_4/cis_4.2.x.yml @@ -1,8 +1,7 @@ --- - name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports" - when: - - rhel9cis_rule_4_2_1 + when: rhel9cis_rule_4_2_1 tags: - level1-server - level1-workstation @@ -25,8 +24,7 @@ - "{{ discovered_services_and_ports.stdout_lines }}" - name: "4.2.2 | PATCH | Ensure firewalld loopback traffic is configured | firewalld" - when: - - rhel9cis_rule_4_2_2 + when: rhel9cis_rule_4_2_2 tags: - level1-server - level1-workstation diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml index 4e85deb..450ef3b 100644 --- a/tasks/section_4/cis_4.3.x.yml +++ b/tasks/section_4/cis_4.3.x.yml @@ -8,11 +8,11 @@ - rhel9cis_rule_4_3_3 - rhel9cis_rule_4_3_4 tags: always - ansible.builtin.shell: "nft add table inet {{ rhel9cis_nft_tables_tablename }}" + ansible.builtin.command: "nft add table inet {{ rhel9cis_nft_tables_tablename }}" + changed_when: true - name: "4.3.1 | PATCH | Ensure nftables base chains exist" - when: - - rhel9cis_rule_4_3_1 + when: rhel9cis_rule_4_3_1 tags: - level1-server - level1-workstation @@ -52,7 +52,8 @@ - name: "4.3.1 | PATCH | Ensure nftables base chains exist | Create chains if needed" when: rhel9cis_nft_tables_autochaincreate - ansible.builtin.shell: "{{ item }}" + ansible.builtin.command: "{{ item }}" + changed_when: true failed_when: false loop: - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } @@ -60,8 +61,7 @@ - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } - name: "4.3.2 | PATCH | Ensure nftables established connections are configured" - when: - - rhel9cis_rule_4_3_2 + when: rhel9cis_rule_4_3_2 tags: - level1-server - level1-workstation @@ -84,31 +84,36 @@ - name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy" when: '"ip protocol tcp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' - ansible.builtin.shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + changed_when: true - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy" when: '"ip protocol udp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept + changed_when: true - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy" when: '"ip protocol icmp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept + changed_when: true - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy" when: '"ip protocol tcp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept + changed_when: true - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy" when: '"ip protocol udp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept + changed_when: true - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy" when: '"ip protocol icmp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept + changed_when: true - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy" - when: - - rhel9cis_rule_4_3_3 + when: rhel9cis_rule_4_3_3 tags: - level1-server - level1-workstation @@ -144,22 +149,25 @@ - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" when: '"tcp dport ssh accept" not in discovered_nftables_sshallowcheck.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept + changed_when: true - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" when: '"type filter hook input priority 0; policy drop;" not in discovered_nftables_inputpolicy.stdout' ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } + changed_when: true - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" when: '"type filter hook forward priority 0; policy drop;" not in discovered_nftables_forwardpolicy.stdout' ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } + changed_when: true - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" when: '"type filter hook output priority 0; policy drop;" not in discovered_nftables_outputpolicy.stdout' ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } + changed_when: true - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured" - when: - - rhel9cis_rule_4_3_4 + when: rhel9cis_rule_4_3_4 tags: - level1-server - level1-workstation @@ -189,11 +197,14 @@ - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule | nftables" when: '"iif \"lo\" accept" not in discovered_nftables_iiflo.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept + changed_when: true - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables" when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in discovered_nftables_ipsaddr.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + changed_when: true - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule | nftables" when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in discovered_nftables_ip6saddr.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop + changed_when: true diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 31ba7e2..296ebf9 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -1,8 +1,7 @@ --- - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" - when: - - rhel9cis_rule_5_1_1 + when: rhel9cis_rule_5_1_1 tags: - level1-server - level1-workstation @@ -16,11 +15,10 @@ path: "/etc/ssh/sshd_config" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured" - when: - - rhel9cis_rule_5_1_2 + when: rhel9cis_rule_5_1_2 tags: - level1-server - level1-workstation @@ -50,8 +48,7 @@ label: "{{ item.path }}" - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured" - when: - - rhel9cis_rule_5_1_3 + when: rhel9cis_rule_5_1_3 tags: - level1-server - level1-workstation @@ -98,7 +95,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' notify: - Update Crypto Policy - Set Crypto Policy @@ -126,7 +123,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' notify: - Update Crypto Policy - Set Crypto Policy @@ -154,7 +151,7 @@ dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' notify: - Update Crypto Policy - Set Crypto Policy @@ -164,8 +161,7 @@ rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}" - name: "5.1.7 | PATCH | Ensure sshd access is configured" - when: - - rhel9cis_rule_5_1_7 + when: rhel9cis_rule_5_1_7 tags: - level1-server - level1-workstation @@ -212,8 +208,7 @@ notify: Restart sshd - name: "5.1.8 | PATCH | Ensure sshd Banner is configured" - when: - - rhel9cis_rule_5_1_8 + when: rhel9cis_rule_5_1_8 tags: - level1-server - level1-workstation @@ -231,8 +226,7 @@ line: 'Banner /etc/issue.net' - name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured" - when: - - rhel9cis_rule_5_1_9 + when: rhel9cis_rule_5_1_9 tags: - level1-server - level1-workstation @@ -262,8 +256,7 @@ notify: Restart sshd - name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled" - when: - - rhel9cis_rule_5_1_10 + when: rhel9cis_rule_5_1_10 tags: - level2-server - level1-workstation @@ -289,8 +282,7 @@ notify: Restart sshd - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled" - when: - - rhel9cis_rule_5_1_11 + when: rhel9cis_rule_5_1_11 tags: - level1-server - level1-workstation @@ -320,8 +312,7 @@ notify: Restart sshd - name: "5.1.12 | PATCH | Ensure sshd HostbasedAuthentication is disabled" - when: - - rhel9cis_rule_5_1_12 + when: rhel9cis_rule_5_1_12 tags: - level1-server - level1-workstation @@ -341,8 +332,7 @@ notify: Restart sshd - name: "5.1.13 | PATCH | Ensure sshd IgnoreRhosts is enabled" - when: - - rhel9cis_rule_5_1_13 + when: rhel9cis_rule_5_1_13 tags: - level1-server - level1-workstation @@ -362,8 +352,7 @@ notify: Restart sshd - name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less" - when: - - rhel9cis_rule_5_1_14 + when: rhel9cis_rule_5_1_14 tags: - level1-server - level1-workstation @@ -379,8 +368,7 @@ notify: Restart sshd - name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate" - when: - - rhel9cis_rule_5_1_15 + when: rhel9cis_rule_5_1_15 tags: - level1-server - level1-workstation @@ -398,8 +386,7 @@ notify: Restart sshd - name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less" - when: - - rhel9cis_rule_5_1_16 + when: rhel9cis_rule_5_1_16 tags: - level1-server - level1-workstation @@ -415,8 +402,7 @@ notify: Restart sshd - name: "5.1.17 | PATCH | Ensure sshd MaxStartups is configured" - when: - - rhel9cis_rule_5_1_17 + when: rhel9cis_rule_5_1_17 tags: - level1-server - level1-workstation @@ -436,8 +422,7 @@ notify: Restart sshd - name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" - when: - - rhel9cis_rule_5_1_18 + when: rhel9cis_rule_5_1_18 tags: - level1-server - level1-workstation @@ -457,8 +442,7 @@ notify: Restart sshd - name: "5.1.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled" - when: - - rhel9cis_rule_5_1_19 + when: rhel9cis_rule_5_1_19 tags: - level1-server - level1-workstation @@ -478,8 +462,7 @@ notify: Restart sshd - name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled" - when: - - rhel9cis_rule_5_1_20 + when: rhel9cis_rule_5_1_20 tags: - level1-server - level1-workstation @@ -503,8 +486,7 @@ notify: Restart sshd - name: "5.1.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled" - when: - - rhel9cis_rule_5_1_21 + when: rhel9cis_rule_5_1_21 tags: - level1-server - level1-workstation @@ -524,8 +506,7 @@ notify: Restart sshd - name: "5.1.22 | PATCH | Ensure SSH PAM is enabled" - when: - - rhel9cis_rule_5_1_22 + when: rhel9cis_rule_5_1_22 tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 87fe46e..3d57dbf 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -1,8 +1,7 @@ --- - name: "5.2.1 | PATCH | Ensure sudo is installed" - when: - - rhel9cis_rule_5_2_1 + when: rhel9cis_rule_5_2_1 tags: - level1-server - level1-workstation @@ -15,8 +14,7 @@ state: present - name: "5.2.2 | PATCH | Ensure sudo commands use pty" - when: - - rhel9cis_rule_5_2_2 + when: rhel9cis_rule_5_2_2 tags: - level1-server - level1-workstation @@ -30,8 +28,7 @@ validate: '/usr/sbin/visudo -cf %s' - name: "5.2.3 | PATCH | Ensure sudo log file exists" - when: - - rhel9cis_rule_5_2_3 + when: rhel9cis_rule_5_2_3 tags: - level1-server - level1-workstation @@ -47,8 +44,7 @@ validate: '/usr/sbin/visudo -cf %s' - name: "5.2.4 | PATCH | Ensure users must provide password for escalation" - when: - - rhel9cis_rule_5_2_4 + when: rhel9cis_rule_5_2_4 tags: - level2-server - level2-workstation @@ -74,8 +70,7 @@ loop: "{{ discovered_nopasswd_sudoers.stdout_lines }}" - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" - when: - - rhel9cis_rule_5_2_5 + when: rhel9cis_rule_5_2_5 tags: - level1-server - level1-workstation @@ -101,8 +96,7 @@ loop: "{{ discovered_priv_reauth.stdout_lines }}" - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly" - when: - - rhel9cis_rule_5_2_6 + when: rhel9cis_rule_5_2_6 tags: - level1-server - level1-workstation @@ -134,8 +128,7 @@ loop: "{{ discovered_sudo_timeout_files.stdout_lines }}" - name: "5.2.7 | PATCH | Ensure access to the su command is restricted" - when: - - rhel9cis_rule_5_2_7 + when: rhel9cis_rule_5_2_7 tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 18e9cfd..7923d50 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -17,12 +17,13 @@ when: - rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or prelim_authselect_current_profile.stdout is not defined - ansible.builtin.shell: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}" + ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}" + changed_when: true args: creates: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}" - name: "5.3.2.1 | AUDIT | Ensure active authselect profile includes pam modules | get profile features" - ansible.builtin.shell: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}" + ansible.builtin.command: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}" changed_when: false register: discovered_authselect_profile_features @@ -37,7 +38,8 @@ - password - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Backup and Add pam modules" - ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}" + ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}" + changed_when: true - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled" when: @@ -64,9 +66,11 @@ failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ] register: discovered_authselect_current_faillock - - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" + - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" # noqa syntax-check[specific]" when: discovered_authselect_current_faillock.rc != 0 - ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + changed_when: true + notify: Authselect update - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled" when: @@ -90,7 +94,8 @@ - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Add feature if missing" when: discovered_authselect_current_quality.rc != 0 - ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + changed_when: true notify: Authselect update - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled" @@ -115,7 +120,8 @@ - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled | enable feature" when: discovered_authselect_current_history.rc != 0 - ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + changed_when: true notify: Authselect update - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled" @@ -133,8 +139,7 @@ - rule_5.3.2.5 block: - name: "5.3.2.5 | AUDIT | Ensure pam_unix module is enabled" - ansible.builtin.shell: | - grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth + ansible.builtin.command: grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth changed_when: false failed_when: discovered_discovered_authselect_pam_unix.rc not in [ 0, 1 ] register: discovered_discovered_authselect_pam_unix @@ -142,12 +147,12 @@ - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth" when: "'system-auth:password' not in discovered_authselect_pam_unix.stdout" ansible.builtin.lineinfile: - path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth + path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/system-auth regexp: "{{ item.regexp }}" line: "{{ item.line }}" backrefs: true - insertafter: "{{ item.after | default (omit) }}" - insertbefore: "{{ item.before | default (omit) }}" + insertafter: "{{ item.after | default(omit) }}" + insertbefore: "{{ item.before | default(omit) }}" loop: - { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', after: '^auth.*pam_faillock.*preauth' } - { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' } @@ -156,12 +161,12 @@ - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | password-auth" when: "'password-auth:password' not in discovered_authselect_pam_unix.stdout" ansible.builtin.lineinfile: - path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth + path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/password-auth line: "{{ item.line }}" regexp: "{{ item.regexp }}" backrefs: true - insertafter: "{{ item.after | default (omit) }}" - insertbefore: "{{ item.before | default (omit) }}" + insertafter: "{{ item.after | default(omit) }}" + insertbefore: "{{ item.before | default(omit) }}" loop: - { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\2', after: '^auth.*pam_faillock.*preauth' } - { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' } diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml index 8206074..f7bfb64 100644 --- a/tasks/section_5/cis_5.3.3.1.x.yml +++ b/tasks/section_5/cis_5.3.3.1.x.yml @@ -1,8 +1,7 @@ --- - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured" - when: - - rhel9cis_rule_5_3_3_1_1 + when: rhel9cis_rule_5_3_3_1_1 tags: - level1-server - level1-workstation @@ -44,8 +43,7 @@ notify: Authselect update - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured" - when: - - rhel9cis_rule_5_3_3_1_2 + when: rhel9cis_rule_5_3_3_1_2 tags: - level1-server - level1-workstation @@ -87,8 +85,7 @@ notify: Authselect update - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account" - when: - - rhel9cis_rule_5_3_3_1_3 + when: rhel9cis_rule_5_3_3_1_3 tags: - level1-server - level1-workstation @@ -104,6 +101,7 @@ line: "{{ rhel9cis_pamroot_lock_option }}" insertafter: '^# end of pam-auth-update config' create: true + mode: 'go-rwx' - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | remove lockout from pam files NOT AuthSelect" when: diff --git a/tasks/section_5/cis_5.3.3.2.x.yml b/tasks/section_5/cis_5.3.3.2.x.yml index 9317326..920ed88 100644 --- a/tasks/section_5/cis_5.3.3.2.x.yml +++ b/tasks/section_5/cis_5.3.3.2.x.yml @@ -1,8 +1,7 @@ --- - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured" - when: - - rhel9cis_rule_5_3_3_2_1 + when: rhel9cis_rule_5_3_3_2_1 tags: - level1-server - level1-workstation @@ -30,7 +29,7 @@ dest: "/{{ rhel9cis_passwd_difok_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from pam files Not AuthSelect" when: @@ -58,8 +57,7 @@ notify: Authselect update - name: "5.3.3.2.2 | PATCH | Ensure password length is configured" - when: - - rhel9cis_rule_5_3_3_2_2 + when: rhel9cis_rule_5_3_3_2_2 tags: - level1-server - level1-workstation @@ -87,7 +85,7 @@ dest: "/{{ rhel9cis_passwd_minlen_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect" when: @@ -115,8 +113,7 @@ notify: Authselect update - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured" - when: - - rhel9cis_rule_5_3_3_2_3 + when: rhel9cis_rule_5_3_3_2_3 tags: - level1-server - level1-workstation @@ -144,7 +141,7 @@ dest: "/{{ rhel9cis_passwd_complex_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove complexity from pam files NOT AuthSelect" when: @@ -172,8 +169,7 @@ notify: Authselect update - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured" - when: - - rhel9cis_rule_5_3_3_2_4 + when: rhel9cis_rule_5_3_3_2_4 tags: - level1-server - level1-workstation @@ -183,8 +179,7 @@ - pam block: - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file" - when: - - item != rhel9cis_passwd_maxrepeat_file + when: item != rhel9cis_passwd_maxrepeat_file ansible.builtin.replace: path: "{{ item }}" regexp: 'maxrepeat\s*=\s*\d+\b' @@ -200,7 +195,7 @@ dest: "/{{ rhel9cis_passwd_maxrepeat_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat from pam files NOT AuthSelect" when: @@ -228,8 +223,7 @@ notify: Authselect update - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured" - when: - - rhel9cis_rule_5_3_3_2_5 + when: rhel9cis_rule_5_3_3_2_5 tags: - level1-server - level1-workstation @@ -257,7 +251,7 @@ dest: "/{{ rhel9cis_passwd_maxsequence_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence from pam files NOT AuthSelect" when: @@ -285,8 +279,7 @@ notify: Authselect update - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled" - when: - - rhel9cis_rule_5_3_3_2_6 + when: rhel9cis_rule_5_3_3_2_6 tags: - level1-server - level1-workstation @@ -313,7 +306,7 @@ dest: "/{{ rhel9cis_passwd_dictcheck_file }}" owner: root group: root - mode: '0600' + mode: 'go-rwx' - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck from pam files NOT AuthSelect" when: @@ -342,8 +335,7 @@ notify: Authselect update - name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user" - when: - - rhel9cis_rule_5_3_3_2_7 + when: rhel9cis_rule_5_3_3_2_7 tags: - level1-server - level1-workstation @@ -356,4 +348,4 @@ dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}" owner: root group: root - mode: '0600' + mode: 'o-rwx' diff --git a/tasks/section_5/cis_5.3.3.3.x.yml b/tasks/section_5/cis_5.3.3.3.x.yml index 21a03ee..ca5a5dc 100644 --- a/tasks/section_5/cis_5.3.3.3.x.yml +++ b/tasks/section_5/cis_5.3.3.3.x.yml @@ -1,8 +1,7 @@ --- - name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured" - when: - - rhel9cis_rule_5_3_3_3_1 + when: rhel9cis_rule_5_3_3_3_1 tags: - level1-server - level1-workstation @@ -48,8 +47,7 @@ notify: Authselect update - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user" - when: - - rhel9cis_rule_5_3_3_3_2 + when: rhel9cis_rule_5_3_3_3_2 tags: - level1-server - level1-workstation @@ -95,8 +93,7 @@ notify: Authselect update - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok" - when: - - rhel9cis_rule_5_3_3_3_3 + when: rhel9cis_rule_5_3_3_3_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.3.3.4.x.yml b/tasks/section_5/cis_5.3.3.4.x.yml index a1e5768..ddca97a 100644 --- a/tasks/section_5/cis_5.3.3.4.x.yml +++ b/tasks/section_5/cis_5.3.3.4.x.yml @@ -28,8 +28,7 @@ loop: "{{ discovered_pam_nullok.stdout_lines }}" - name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect" - when: - - rhel9cis_allow_authselect_updates + when: rhel9cis_allow_authselect_updates ansible.builtin.replace: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\snullok(.*$) @@ -67,8 +66,7 @@ loop: "{{ discovered_pam_remember.stdout_lines }}" - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember | Remove remember from pam files AuthSelect" - when: - - rhel9cis_allow_authselect_updates + when: rhel9cis_allow_authselect_updates ansible.builtin.replace: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\sremember\s*=\s*=\d*(.*$) @@ -107,8 +105,7 @@ loop: "{{ discovered_pam_remember.stdout_lines }}" - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect" - when: - - rhel9cis_allow_authselect_updates + when: rhel9cis_allow_authselect_updates ansible.builtin.lineinfile: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)(sha512|yescrypt)(.*$) @@ -150,8 +147,7 @@ loop: "{{ discovered_pam_authtok.stdout_lines }}" - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | Add use_authtok pam files AuthSelect" - when: - - rhel9cis_allow_authselect_updates + when: rhel9cis_allow_authselect_updates ansible.builtin.lineinfile: path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth" regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$) diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 9e92e86..2363590 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -1,8 +1,7 @@ --- - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less" - when: - - rhel9cis_rule_5_4_1_1 + when: rhel9cis_rule_5_4_1_1 tags: - level1-server - level1-workstation @@ -38,8 +37,7 @@ loop: "{{ discovered_max_days.stdout_lines }}" - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured" - when: - - rhel9cis_rule_5_4_1_2 + when: rhel9cis_rule_5_4_1_2 tags: - level1-server - level1-workstation @@ -70,8 +68,7 @@ loop: "{{ discovered_min_days.stdout_lines }}" - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured" - when: - - rhel9cis_rule_5_4_1_3 + when: rhel9cis_rule_5_4_1_3 tags: - level1-server - level1-workstation @@ -96,12 +93,12 @@ - discovered_warn_days.stdout_lines | length > 0 - item in prelim_interactive_usernames.stdout - rhel9cis_force_user_warnage - ansible.builtin.shell: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}" + ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}" + changed_when: true loop: "{{ discovered_warn_days.stdout_lines }}" - name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured" - when: - - rhel9cis_rule_5_4_1_4 + when: rhel9cis_rule_5_4_1_4 tags: - level1-server - level1-workstation @@ -115,8 +112,7 @@ line: 'ENCRYPT_METHOD {{ rhel9cis_passwd_hash_algo | upper }}' - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured" - when: - - rhel9cis_rule_5_4_1_5 + when: rhel9cis_rule_5_4_1_5 tags: - level1-server - level1-workstation @@ -132,23 +128,24 @@ register: discovered_passwdlck_inactive_settings - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set default inactive setting" - ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + changed_when: true when: discovered_passwdlck_inactive_settings.stdout | length == 0 - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" + ansible.builtin.command: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false check_mode: false register: discovered_passwdlck_user_list - name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" when: item in prelim_interactive_usernames.stdout - ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + changed_when: true loop: "{{ discovered_passwdlck_user_list.stdout_lines }}" - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past" - when: - - rhel9cis_rule_5_4_1_6 + when: rhel9cis_rule_5_4_1_6 tags: - level1-server - level1-workstation @@ -172,22 +169,23 @@ register: discovered_passwdlck_user_future - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" + when: + - discovered_passwdlck_user_future.stdout | length > 0 + - not rhel9cis_futurepwchgdate_autofix ansible.builtin.debug: msg: "Warning!! The following accounts have the last PW change date in the future: {{ discovered_passwdlck_user_future.stdout_lines }}" - when: - - discovered_passwdlck_user_future.stdout | length > 0 - - not rhel9cis_futurepwchgdate_autofix - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml when: - discovered_passwdlck_user_future.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix + ansible.builtin.import_tasks: + file: warning_facts.yml - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - ansible.builtin.shell: passwd --expire {{ item }} when: - discovered_passwdlck_user_future.stdout | length > 0 - rhel9cis_futurepwchgdate_autofix + ansible.builtin.command: passwd --expire {{ item }} + changed_when: true loop: "{{ discovered_passwdlck_user_future.stdout_lines }}" diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index 2cf378c..0153820 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -17,7 +17,7 @@ - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - ansible.builtin.shell: passwd -l {{ item }} + ansible.builtin.command: passwd -l {{ item }} changed_when: false failed_when: false loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}" @@ -56,8 +56,7 @@ loop: "{{ discovered_gid0_members.stdout_lines }}" - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group" - when: - - rhel9cis_rule_5_4_2_3 + when: rhel9cis_rule_5_4_2_3 tags: - level1-server - level1-workstation @@ -96,8 +95,7 @@ warn_control_id: '5.4.2.3' - name: "5.4.2.4 | PATCH | Ensure root account access is controlled " - when: - - rhel9cis_rule_5_4_2_4 + when: rhel9cis_rule_5_4_2_4 tags: - level1-server - level1-workstation @@ -108,8 +106,7 @@ msg: "This is set as an assert in tasks/main" - name: "5.4.2.5 | PATCH | Ensure root PATH Integrity" - when: - - rhel9cis_rule_5_4_2_5 + when: rhel9cis_rule_5_4_2_5 tags: - level1-server - level1-workstation @@ -172,15 +169,14 @@ state: directory owner: root group: root - mode: '0755' + mode: 'go-w' follow: false loop: "{{ discovered_root_path_perms.results }}" loop_control: label: "{{ item }}" - name: "5.4.2.6 | PATCH | Ensure root user umask is configured" - when: - - rhel9cis_rule_5_4_2_6 + when: rhel9cis_rule_5_4_2_6 tags: - level1-server - level1-workstation @@ -194,6 +190,9 @@ regexp: \s*umask line: "umask {{ rhel9cis_root_umask }}" create: true + owner: root + group: root + mode: 'go-rwx' - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" when: diff --git a/tasks/section_5/cis_5.4.3.x.yml b/tasks/section_5/cis_5.4.3.x.yml index 7816938..109b6a5 100644 --- a/tasks/section_5/cis_5.4.3.x.yml +++ b/tasks/section_5/cis_5.4.3.x.yml @@ -1,8 +1,7 @@ --- - name: "5.4.3.1 | PATCH | Ensure nologin is not listed in /etc/shells" - when: - - rhel9cis_rule_5_4_3_1 + when: rhel9cis_rule_5_4_3_1 tags: - level2-server - level2-workstation @@ -20,8 +19,7 @@ replace: "" - name: "5.4.3.2 | PATCH | Ensure default user shell timeout is configured" - when: - - rhel9cis_rule_5_4_3_2 + when: rhel9cis_rule_5_4_3_2 tags: - level1-server - level1-workstation @@ -33,7 +31,7 @@ state: "{{ item.state }}" marker: "# {mark} - CIS benchmark - Ansible-lockdown" create: true - mode: '0644' + mode: 'go-wx' block: | TMOUT={{ rhel9cis_shell_session_timeout }} readonly TMOUT @@ -43,8 +41,7 @@ - { path: /etc/profile, state: "{{ (rhel9cis_shell_session_file == '/etc/profile') | ternary('present', 'absent') }}" } - name: "5.4.3.3 | PATCH | Ensure default user umask is configured" - when: - - rhel9cis_rule_5_4_3_3 + when: rhel9cis_rule_5_4_3_3 tags: - level1-server - level1-workstation diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 898444f..5896695 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -19,10 +19,11 @@ register: discovered_aide_installed - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB" - when: discovered_aide_installed.changed # noqa: no-handler + when: discovered_aide_installed.changed # noqa no-handler block: - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB" - ansible.builtin.shell: /usr/sbin/aide --init + ansible.builtin.command: /usr/sbin/aide --init + changed_when: true - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB | Wait for file before continuing" ansible.builtin.wait_for: @@ -33,6 +34,7 @@ src: /var/lib/aide/aide.db.new.gz dest: /var/lib/aide/aide.db.gz remote_src: true + mode: 'go-wx' - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked" when: @@ -62,15 +64,15 @@ - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service" when: rhel9cis_aide_scan == "timer" - ansible.builtin.systemd: + ansible.builtin.systemd_service: name: aidecheck.service enabled: true - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service" when: rhel9cis_aide_scan == "timer" - ansible.builtin.systemd: + ansible.builtin.systemd_service: name: aidecheck.timer - state: running + state: started enabled: true - name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" diff --git a/tasks/section_6/cis_6.2.1.x.yml b/tasks/section_6/cis_6.2.1.x.yml index 1a2a8aa..3afa31c 100644 --- a/tasks/section_6/cis_6.2.1.x.yml +++ b/tasks/section_6/cis_6.2.1.x.yml @@ -1,8 +1,7 @@ --- - name: "6.2.1.1 | PATCH | Ensure journald service is enabled and active" - when: - - rhel9cis_rule_6_2_1_1 + when: rhel9cis_rule_6_2_1_1 tags: - level1-server - level1-workstation @@ -15,8 +14,7 @@ state: started - name: "6.2.1.2 | PATCH | Ensure journald log file access is configured" - when: - - rhel9cis_rule_6_2_1_2 + when: rhel9cis_rule_6_2_1_2 tags: - level1-server - level1-workstation @@ -27,7 +25,7 @@ - name: "6.2.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions" ansible.builtin.file: path: /usr/lib/tmpfiles.d/systemd.conf - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file" ansible.builtin.stat: @@ -58,8 +56,7 @@ warn_control_id: '6.2.1.2' - name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured" - when: - - rhel9cis_rule_6_2_1_3 + when: rhel9cis_rule_6_2_1_3 tags: - level1-server - level1-workstation @@ -74,7 +71,7 @@ dest: /etc/systemd/journald.conf.d/rotation.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries" ansible.builtin.replace: @@ -89,8 +86,7 @@ - '^(\s*MaxFileSec\s*=.*)' - name: "6.2.1.4 | PATCH | Ensure only one logging system is in use" - when: - - rhel9cis_rule_6_2_1_4 + when: rhel9cis_rule_6_2_1_4 tags: - level1-server - level1-workstation diff --git a/tasks/section_6/cis_6.2.2.x.yml b/tasks/section_6/cis_6.2.2.x.yml index 3dd8dab..a57efe2 100644 --- a/tasks/section_6/cis_6.2.2.x.yml +++ b/tasks/section_6/cis_6.2.2.x.yml @@ -1,8 +1,7 @@ --- - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled" - when: - - rhel9cis_rule_6_2_2_2 + when: rhel9cis_rule_6_2_2_2 tags: - level1-server - level2-workstation @@ -21,7 +20,7 @@ dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries" ansible.builtin.replace: @@ -30,8 +29,7 @@ replace: '#\1' - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured" - when: - - rhel9cis_rule_6_2_2_3 + when: rhel9cis_rule_6_2_2_3 tags: - level1-server - level1-workstation @@ -47,7 +45,7 @@ dest: /etc/systemd/journald.conf.d/storage.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries" ansible.builtin.replace: @@ -56,8 +54,7 @@ replace: '#\1' - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured" - when: - - rhel9cis_rule_6_2_2_4 + when: rhel9cis_rule_6_2_2_4 tags: - level1-server - level1-workstation @@ -74,7 +71,7 @@ dest: /etc/systemd/journald.conf.d/storage.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries" ansible.builtin.replace: diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml index 5af5fcd..9333697 100644 --- a/tasks/section_6/cis_6.2.3.x.yml +++ b/tasks/section_6/cis_6.2.3.x.yml @@ -18,8 +18,7 @@ state: present - name: "6.2.3.2 | PATCH | Ensure rsyslog Service is enabled and active" - when: - - rhel9cis_rule_6_2_3_2 + when: rhel9cis_rule_6_2_3_2 tags: - level1-server - level1-workstation @@ -35,8 +34,7 @@ state: started - name: "6.2.3.3 | PATCH | Ensure journald is configured to send logs to rsyslog" - when: - - rhel9cis_rule_6_2_3_3 + when: rhel9cis_rule_6_2_3_3 tags: - level1-server - level1-workstation @@ -54,8 +52,7 @@ notify: Restart rsyslog - name: "6.2.3.4 | PATCH | Ensure rsyslog log file creation mode is configured" - when: - - rhel9cis_rule_6_2_3_4 + when: rhel9cis_rule_6_2_3_4 tags: - level1-server - level1-workstation @@ -72,8 +69,7 @@ notify: Restart rsyslog - name: "6.2.3.5 | PATCH | Ensure logging is configured" - when: - - rhel9cis_rule_6_2_3_5 + when: rhel9cis_rule_6_2_3_5 tags: - level1-server - level1-workstation @@ -200,8 +196,7 @@ notify: Restart rsyslog - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" - when: - - rhel9cis_rule_6_2_3_7 + when: rhel9cis_rule_6_2_3_7 tags: - level1-server - level1-workstation @@ -238,8 +233,7 @@ - 'InputTCPServerRun' - name: "6.2.3.8 | PATCH | Ensure rsyslog logrotate is configured" - when: - - rhel9cis_rule_6_2_3_8 + when: rhel9cis_rule_6_2_3_8 tags: - level1-server - level1-workstation @@ -266,4 +260,4 @@ dest: /etc/logrotate.d/rsyslog.conf owner: root group: root - mode: '0640' + mode: 'g-wx,o-rwx' diff --git a/tasks/section_6/cis_6.2.4.1.yml b/tasks/section_6/cis_6.2.4.1.yml index 8111ef4..814c46c 100644 --- a/tasks/section_6/cis_6.2.4.1.yml +++ b/tasks/section_6/cis_6.2.4.1.yml @@ -1,8 +1,7 @@ --- - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured" - when: - - rhel9cis_rule_6_2_4_1 + when: rhel9cis_rule_6_2_4_1 tags: - level1-server - level1-workstation diff --git a/tasks/section_6/cis_6.3.1.x.yml b/tasks/section_6/cis_6.3.1.x.yml index 3039f2c..b27ba99 100644 --- a/tasks/section_6/cis_6.3.1.x.yml +++ b/tasks/section_6/cis_6.3.1.x.yml @@ -27,8 +27,7 @@ state: present - name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" - when: - - rhel9cis_rule_6_3_1_2 + when: rhel9cis_rule_6_3_1_2 tags: - level2-server - level2-workstation @@ -49,11 +48,11 @@ - discovered_grubby_curr_value_audit_linux.stdout == '' or '0' in discovered_grubby_curr_value_audit_linux.stdout or 'off' in discovered_grubby_curr_value_audit_linux.stdout|lower - ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" + ansible.builtin.command: grubby --update-kernel=ALL --args="audit=1" + changed_when: true - name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" - when: - - rhel9cis_rule_6_3_1_3 + when: rhel9cis_rule_6_3_1_3 tags: - level2-server - level2-workstation @@ -81,21 +80,18 @@ discovered_reset_backlog_limits: true - name: "6.3.1.3 | AUDIT | Check to see if any limits are too low" - when: - - (item | int < rhel9cis_audit_back_log_limit) + when: (item | int < rhel9cis_audit_back_log_limit) ansible.builtin.set_fact: discovered_reset_backlog_limits: true loop: "{{ discovered_grubby_curr_value_backlog_linux.stdout_lines }}" - name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied" - when: - - discovered_reset_backlog_limits is defined - ansible.builtin.shell: - cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' + when: discovered_reset_backlog_limits is defined + ansible.builtin.command: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' + changed_when: true - name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active" - when: - - rhel9cis_rule_6_3_1_4 + when: rhel9cis_rule_6_3_1_4 tags: - level2-server - level2-workstation diff --git a/tasks/section_6/cis_6.3.2.x.yml b/tasks/section_6/cis_6.3.2.x.yml index 08a5365..dc0804f 100644 --- a/tasks/section_6/cis_6.3.2.x.yml +++ b/tasks/section_6/cis_6.3.2.x.yml @@ -1,8 +1,7 @@ --- - name: "6.3.2.1 | PATCH | Ensure audit log storage size is configured" - when: - - rhel9cis_rule_6_3_2_1 + when: rhel9cis_rule_6_3_2_1 tags: - level2-server - level2-workstation @@ -17,8 +16,7 @@ notify: Restart auditd - name: "6.3.2.2 | PATCH | Ensure audit logs are not automatically deleted" - when: - - rhel9cis_rule_6_3_2_2 + when: rhel9cis_rule_6_3_2_2 tags: - level2-server - level2-workstation @@ -33,8 +31,7 @@ notify: Restart auditd - name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full" - when: - - rhel9cis_rule_6_3_2_3 + when: rhel9cis_rule_6_3_2_3 tags: - level2-server - level2-workstation @@ -55,8 +52,7 @@ - { regexp: '^disk_error_action', line: 'disk_error_action = {{ rhel9cis_auditd_disk_error_action }}' } - name: "6.3.2.4 | PATCH | Ensure system warns when audit logs are low on space" - when: - - rhel9cis_rule_6_3_2_4 + when: rhel9cis_rule_6_3_2_4 tags: - level2-server - level2-workstation diff --git a/tasks/section_6/cis_6.3.3.x.yml b/tasks/section_6/cis_6.3.3.x.yml index d279259..5ff73f9 100644 --- a/tasks/section_6/cis_6.3.3.x.yml +++ b/tasks/section_6/cis_6.3.3.x.yml @@ -2,8 +2,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - when: - - rhel9cis_rule_6_3_3_1 + when: rhel9cis_rule_6_3_3_1 tags: - level2-server - level2-workstation @@ -16,8 +15,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.2 | PATCH | Ensure actions as another user are always logged" - when: - - rhel9cis_rule_6_3_3_2 + when: rhel9cis_rule_6_3_3_2 tags: - level2-server - level2-workstation @@ -30,8 +28,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.3 | PATCH | Ensure events that modify the sudo log file are collected" - when: - - rhel9cis_rule_6_3_3_3 + when: rhel9cis_rule_6_3_3_3 tags: - level2-server - level2-workstation @@ -43,8 +40,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.4 | PATCH | Ensure events that modify date and time information are collected" - when: - - rhel9cis_rule_6_3_3_4 + when: rhel9cis_rule_6_3_3_4 tags: - level2-server - level2-workstation @@ -58,8 +54,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.5 | PATCH | Ensure events that modify the system's network environment are collected" - when: - - rhel9cis_rule_6_3_3_5 + when: rhel9cis_rule_6_3_3_5 tags: - level2-server - level2-workstation @@ -73,8 +68,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected" - when: - - rhel9cis_rule_6_3_3_6 + when: rhel9cis_rule_6_3_3_6 tags: - level2-server - level2-workstation @@ -97,8 +91,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.7 | PATCH | Ensure unsuccessful file access attempts are collected" - when: - - rhel9cis_rule_6_3_3_7 + when: rhel9cis_rule_6_3_3_7 tags: - level2-server - level2-workstation @@ -111,8 +104,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.8 | PATCH | Ensure events that modify user/group information are collected" - when: - - rhel9cis_rule_6_3_3_8 + when: rhel9cis_rule_6_3_3_8 tags: - level2-server - level2-workstation @@ -125,8 +117,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" - when: - - rhel9cis_rule_6_3_3_9 + when: rhel9cis_rule_6_3_3_9 tags: - level2-server - level2-workstation @@ -140,8 +131,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.10 | PATCH | Ensure successful file system mounts are collected" - when: - - rhel9cis_rule_6_3_3_10 + when: rhel9cis_rule_6_3_3_10 tags: - level2-server - level2-workstation @@ -154,8 +144,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.11 | PATCH | Ensure session initiation information is collected" - when: - - rhel9cis_rule_6_3_3_11 + when: rhel9cis_rule_6_3_3_11 tags: - level2-server - level2-workstation @@ -168,8 +157,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.12 | PATCH | Ensure login and logout events are collected" - when: - - rhel9cis_rule_6_3_3_12 + when: rhel9cis_rule_6_3_3_12 tags: - level2-server - level2-workstation @@ -182,8 +170,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.13 | PATCH | Ensure file deletion events by users are collected" - when: - - rhel9cis_rule_6_3_3_13 + when: rhel9cis_rule_6_3_3_13 tags: - level2-server - level2-workstation @@ -197,8 +184,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - when: - - rhel9cis_rule_6_3_3_14 + when: rhel9cis_rule_6_3_3_14 tags: - level2-server - level2-workstation @@ -212,8 +198,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" - when: - - rhel9cis_rule_6_3_3_15 + when: rhel9cis_rule_6_3_3_15 tags: - level2-server - level2- workstation @@ -228,8 +213,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" - when: - - rhel9cis_rule_6_3_3_16 + when: rhel9cis_rule_6_3_3_16 tags: - level2-server - level2-workstation @@ -244,8 +228,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" - when: - - rhel9cis_rule_6_3_3_17 + when: rhel9cis_rule_6_3_3_17 tags: - level2-server - level2-workstation @@ -260,8 +243,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" - when: - - rhel9cis_rule_6_3_3_18 + when: rhel9cis_rule_6_3_3_18 tags: - level2-server - level2-workstation @@ -276,8 +258,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected" - when: - - rhel9cis_rule_6_3_3_19 + when: rhel9cis_rule_6_3_3_19 tags: - level2-server - level2-workstation @@ -291,8 +272,7 @@ # All changes selected are managed by the POST audit and handlers to update - name: "6.3.3.20 | PATCH | Ensure the audit configuration is immutable" - when: - - rhel9cis_rule_6_3_3_20 + when: rhel9cis_rule_6_3_3_20 tags: - level2-server - level2-workstation @@ -306,8 +286,7 @@ update_audit_template: true - name: "6.3.3.21 | AUDIT | Ensure the running and on disk configuration is the same" - when: - - rhel9cis_rule_6_3_3_21 + when: rhel9cis_rule_6_3_3_21 tags: - level2-server - level2-workstation @@ -321,8 +300,7 @@ - "Please run augenrules --load if you suspect there is a configuration that is not active" - name: Auditd | 6.3.3.x | Auditd controls updated - when: - - update_audit_template + when: update_audit_template ansible.builtin.debug: msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules" changed_when: false diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml index c89af87..806a1ec 100644 --- a/tasks/section_6/cis_6.3.4.x.yml +++ b/tasks/section_6/cis_6.3.4.x.yml @@ -1,8 +1,7 @@ --- - name: "6.3.4.1 | PATCH | Ensure the audit log file directory mode is configured" - when: - - rhel9cis_rule_6_3_4_1 + when: rhel9cis_rule_6_3_4_1 tags: - level2-server - level2-workstation @@ -39,8 +38,7 @@ group: root - name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured" - when: - - rhel9cis_rule_6_3_4_5 + when: rhel9cis_rule_6_3_4_5 tags: - level2-server - level2-workstation @@ -57,8 +55,7 @@ label: "{{ item.path }}" - name: "6.3.4.6 | PATCH | Ensure audit configuration files owner is configured" - when: - - rhel9cis_rule_6_3_4_6 + when: rhel9cis_rule_6_3_4_6 tags: - level2-server - level2-workstation @@ -75,8 +72,7 @@ label: "{{ item.path }}" - name: "6.3.4.7 | PATCH | Ensure audit configuration files group owner is configured" - when: - - rhel9cis_rule_6_3_4_7 + when: rhel9cis_rule_6_3_4_7 tags: - level2-server - level2-workstation @@ -93,8 +89,7 @@ label: "{{ item.path }}" - name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured" - when: - - rhel9cis_rule_6_3_4_8 + when: rhel9cis_rule_6_3_4_8 tags: - level2-server - level2-workstation @@ -114,8 +109,7 @@ - /sbin/augenrules - name: "6.3.4.9 | PATCH | Ensure audit tools owner is configured" - when: - - rhel9cis_rule_6_3_4_9 + when: rhel9cis_rule_6_3_4_9 tags: - level2-server - level2-workstation @@ -135,8 +129,7 @@ - /sbin/augenrules - name: "6.3.4.10 | PATCH | Ensure audit tools group owner is configured" - when: - - rhel9cis_rule_6_3_4_10 + when: rhel9cis_rule_6_3_4_10 tags: - level2-server - level2-workstation diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 232b224..83c83a0 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -83,7 +83,7 @@ path: /etc/shadow owner: root group: root - mode: '0000' + mode: 'ugo-rwx' - name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" when: @@ -100,7 +100,7 @@ path: /etc/shadow- owner: root group: root - mode: '0000' + mode: 'ugo-rwx' - name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" when: @@ -117,7 +117,7 @@ path: /etc/gshadow owner: root group: root - mode: '0000' + mode: 'ugo-rwx' - name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" when: @@ -134,7 +134,7 @@ path: /etc/gshadow- owner: root group: root - mode: '0000' + mode: 'ugo-rwx' - name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured" when: @@ -196,7 +196,7 @@ - rhel9cis_no_world_write_adjust ansible.builtin.file: path: '{{ item }}' - mode: o-w + mode: 'o-w' state: touch loop: "{{ discovered_world_writable.stdout_lines }}" @@ -221,7 +221,7 @@ warn_control_id: '7.1.12' block: - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories" - ansible.builtin.shell: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs + ansible.builtin.command: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs changed_when: false failed_when: false check_mode: false @@ -283,7 +283,7 @@ warn_control_id: '7.1.13' block: - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID" - ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs + ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs changed_when: false failed_when: false check_mode: false diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index 47d48f6..28c7fc6 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -237,7 +237,7 @@ - users - rule_7.2.8 block: - - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent" + - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent" # noqa risky-file-permissions ansible.builtin.file: path: "{{ item.dir }}" state: directory diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml index 98cd4b6..b70a836 100644 --- a/tasks/warning_facts.yml +++ b/tasks/warning_facts.yml @@ -1,5 +1,4 @@ --- - # This task is used to create variables used in giving a warning summary for manual tasks # that need attention # @@ -14,7 +13,7 @@ # # warn_count the main variable for the number of warnings and each time a warn_control_id is added # the count increases by a value of 1 -- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." +- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." # noqa name[template] ansible.builtin.set_fact: warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" warn_count: "{{ warn_count | int + 1 }}" diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index 0f4a4f9..70ebd03 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index bf2d191..e977e4e 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # This template will set all of the auditd configurations via a handler in the role in one task instead of individually diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 index db93323..4c1af92 100644 --- a/templates/etc/cron.d/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 @@ -1,7 +1,7 @@ # Run AIDE integrity check ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # CIS 1.3.2 diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 index efebeac..0e55b5a 100644 --- a/templates/etc/dconf/db/00-automount_lock.j2 +++ b/templates/etc/dconf/db/00-automount_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop media-handling automount setting /org/gnome/desktop/media-handling/automount diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 index 4506f4f..cf9ed5d 100644 --- a/templates/etc/dconf/db/00-autorun_lock.j2 +++ b/templates/etc/dconf/db/00-autorun_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop media-handling settings /org/gnome/desktop/media-handling/autorun-never diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 index 78ad883..640538c 100644 --- a/templates/etc/dconf/db/00-media-automount.j2 +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/desktop/media-handling] automount=false diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 index 81bdfea..382469c 100644 --- a/templates/etc/dconf/db/00-media-autorun.j2 +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/desktop/media-handling] autorun-never=true diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index acfeaee..a747336 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Specify the dconf path [org/gnome/desktop/session] diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 index d6c5d70..5988316 100644 --- a/templates/etc/dconf/db/00-screensaver_lock.j2 +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop screensaver idle-delay setting /org/gnome/desktop/session/idle-delay diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 index c7ae76e..901e9e0 100644 --- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 +++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/login-screen] banner-message-enable=true diff --git a/templates/fs_with_cves.sh b/templates/fs_with_cves.sh index 89ba49b..a6d937c 100644 --- a/templates/fs_with_cves.sh +++ b/templates/fs_with_cves.sh @@ -1,11 +1,8 @@ -{% raw %} -#! /usr/bin/env bash +{% raw %}#! /usr/bin/env bash # Based on original Script provided by CIS # CVEs correct at time of creation - April2024 -#! /usr/bin/env bash - { a_output=(); a_output2=(); a_modprope_config=(); a_excluded=(); a_available_modules=() a_ignore=("xfs" "vfat" "ext2" "ext3" "ext4") diff --git a/vars/audit.yml b/vars/audit.yml index e54deb8..1dc1cf1 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -35,7 +35,7 @@ audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results}} + The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }} {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %} Full breakdown can be found in {{ audit_log_dir }} From 95cf8b94925ce868dd2ad6a96fd1c4f3883a223f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 10:09:46 +0000 Subject: [PATCH 17/42] updated auditd handlers for restart Signed-off-by: Mark Bolwell --- handlers/main.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 27e4a56..d7f49d9 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -107,8 +107,15 @@ msg: "Reboot required for auditd to apply new rules as immutable set" notify: Change_requires_reboot -- name: Restart auditd - ansible.builtin.shell: service auditd restart +- name: Stop auditd process + ansible.builtin.shell: systemctl kill auditd + listen: Restart auditd + +- name: Start auditd process + ansible.builtin.systemd_service: + name: auditd + state: started + listen: Restart auditd - name: Change_requires_reboot ansible.builtin.set_fact: From 0a8d8abf1e8a041cfa47501f1dff3d4490f86279 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 10:10:09 +0000 Subject: [PATCH 18/42] Changed warning if auditd template updated Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 502497c..7022e2c 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -26,7 +26,7 @@ ansible.builtin.import_tasks: file: warning_facts.yml vars: - warn_control_id: 'Auditd template updated, see diff output for details' + warn_control_id: 'Auditd template updated, validate as expected' - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file ansible.builtin.stat: From f3ef69d54c397a72960161b85481eb176008135b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 16:43:27 +0000 Subject: [PATCH 19/42] updated lint files Signed-off-by: Mark Bolwell --- .ansible-lint | 17 ++--------------- .pre-commit-config.yaml | 18 ++++++++++++------ .yamllint | 21 +++++++++++++-------- 3 files changed, 27 insertions(+), 29 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 3090307..3b7c373 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -3,20 +3,7 @@ parseable: true quiet: true skip_list: - - 'schema' - - 'no-changed-when' - - 'var-spacing' - - 'experimental' - - 'name[play]' - - 'name[casing]' - - 'name[template]' - - 'key-order[task]' - - '204' - - '305' - - '303' - - '403' - - '306' - - '602' - - '208' + - 'package-latest' + - 'risky-shell-pipe' use_default_rules: true verbosity: 0 diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e53f665..acdd896 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,16 +7,21 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v5.0.0 hooks: # Safety - id: detect-aws-credentials + name: Detect AWS Credentials - id: detect-private-key + name: Detect Private Keys # git checks - id: check-merge-conflict + name: Check for merge conflicts - id: check-added-large-files + name: Check for Large files - id: check-case-conflict + name: Check case conflict # General checks - id: trailing-whitespace @@ -27,21 +32,21 @@ repos: types: [text] args: [--markdown-linebreak-ext=md] - id: end-of-file-fixer + name: Ensure line at end of file # Scan for passwords - repo: https://github.com/Yelp/detect-secrets rev: v1.5.0 hooks: - id: detect-secrets - exclude: templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.4 + rev: v8.21.2 hooks: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v24.7.0 + rev: v24.10.0 hooks: - id: ansible-lint name: Ansible-lint @@ -52,14 +57,15 @@ repos: # https://github.com/ansible/ansible-lint/issues/611 pass_filenames: false always_run: true - additional_dependencies: + # additional_dependencies: # https://github.com/pre-commit/pre-commit/issues/1526 # If you want to use specific version of ansible-core or ansible, feel # free to override `additional_dependencies` in your own hook config # file. - - ansible-core>=2.10.1 + # - ansible-core>=2.10.1 - repo: https://github.com/adrienverge/yamllint.git rev: v1.35.1 # or higher tag hooks: - id: yamllint + name: Check YAML Lint diff --git a/.yamllint b/.yamllint index ec2d1cd..fa7b697 100644 --- a/.yamllint +++ b/.yamllint @@ -1,32 +1,37 @@ --- extends: default - ignore: | tests/ molecule/ .github/ .gitlab-ci.yml *molecule.yml - rules: - indentation: - # Requiring 4 space indentation - spaces: 2 - # Requiring consistent indentation within a file, either indented or not - indent-sequences: consistent braces: max-spaces-inside: 1 level: error brackets: max-spaces-inside: 1 level: error + comments: + ignore-shebangs: true + min-spaces-from-content: 1 # prettier compatibility + comments-indentation: enable empty-lines: max: 1 - line-length: disable + indentation: + # Requiring 2 space indentation + spaces: 2 + # Requiring consistent indentation within a file, either indented or not + indent-sequences: consistent key-duplicates: enable + line-length: disable new-line-at-end-of-file: enable new-lines: type: unix + octal-values: + forbid-implicit-octal: true # yamllint defaults to false + forbid-explicit-octal: true trailing-spaces: enable truthy: allowed-values: ['true', 'false'] From b4afeab63878df54cc1447f9898d3ddc9e75252a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 16:44:14 +0000 Subject: [PATCH 20/42] updated title Signed-off-by: Mark Bolwell --- LICENSE | 2 +- templates/audit/98_auditd_exception.rules.j2 | 2 +- templates/audit/99_auditd.rules.j2 | 2 +- templates/etc/cron.d/aide.cron.j2 | 2 +- templates/etc/dconf/db/00-automount_lock.j2 | 2 +- templates/etc/dconf/db/00-autorun_lock.j2 | 2 +- templates/etc/dconf/db/00-media-automount.j2 | 2 +- templates/etc/dconf/db/00-media-autorun.j2 | 2 +- templates/etc/dconf/db/00-screensaver.j2 | 2 +- templates/etc/dconf/db/00-screensaver_lock.j2 | 2 +- templates/etc/dconf/db/gdm.d/01-banner-message.j2 | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/LICENSE b/LICENSE index f6d2b57..bb487ce 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index 0f4a4f9..82f6555 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown ### YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index bf2d191..6d69976 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown ### YOUR CHANGES WILL BE LOST! # This template will set all of the auditd configurations via a handler in the role in one task instead of individually diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 index db93323..f9324da 100644 --- a/templates/etc/cron.d/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 @@ -1,7 +1,7 @@ # Run AIDE integrity check ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown ### YOUR CHANGES WILL BE LOST! # CIS 1.3.2 diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 index efebeac..45989d0 100644 --- a/templates/etc/dconf/db/00-automount_lock.j2 +++ b/templates/etc/dconf/db/00-automount_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown # Lock desktop media-handling automount setting /org/gnome/desktop/media-handling/automount diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 index 4506f4f..60265c4 100644 --- a/templates/etc/dconf/db/00-autorun_lock.j2 +++ b/templates/etc/dconf/db/00-autorun_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown # Lock desktop media-handling settings /org/gnome/desktop/media-handling/autorun-never diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 index 78ad883..96c122f 100644 --- a/templates/etc/dconf/db/00-media-automount.j2 +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown [org/gnome/desktop/media-handling] automount=false diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 index 81bdfea..0e371af 100644 --- a/templates/etc/dconf/db/00-media-autorun.j2 +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown [org/gnome/desktop/media-handling] autorun-never=true diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index acfeaee..95237fb 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown # Specify the dconf path [org/gnome/desktop/session] diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 index d6c5d70..1b99027 100644 --- a/templates/etc/dconf/db/00-screensaver_lock.j2 +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown # Lock desktop screensaver idle-delay setting /org/gnome/desktop/session/idle-delay diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 index c7ae76e..da31670 100644 --- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 +++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company / Ansible Lockdown [org/gnome/login-screen] banner-message-enable=true From 2827c752ac821b01eab3836caeed00be839c85ac Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 16:45:49 +0000 Subject: [PATCH 21/42] aide variablizing Signed-off-by: Mark Bolwell --- defaults/main.yml | 13 ++++++++++-- tasks/section_6/cis_6.1.x.yml | 37 ++++++++++++++++++++++++++++++----- vars/main.yml | 12 ++++++++++++ 3 files changed, 55 insertions(+), 7 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e210596..32bb5af 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1034,8 +1034,7 @@ min_int_uid: 1000 max_int_uid: 65533 ## Section6 vars - -## Control 6.1.1 - allow aide to be configured +## Control 6.1.x - allow aide to be configured # AIDE is a file integrity checking tool, similar in nature to Tripwire. # While it cannot prevent intrusions, it can detect unauthorized changes # to configuration files by alerting when the files are changed. Review @@ -1043,6 +1042,16 @@ max_int_uid: 65533 # By setting this variable to `true`, all of the settings related to AIDE will be applied! rhel9cis_config_aide: true +# If DB file older than below will automatically rebuild DB +# e.g. options:1w = 1 week, 1d = 1day 1h = 1 hour +rhel9cis_aide_db_file_age: 1w + +# If aide already setup this forces a new DB to be created +rhel9cis_aide_db_recreate: false + +# allows to change db file, not config need to be adjusted too +rhel9cis_aide_db_file: /var/lib/aide/aide.db + ## Control 6.1.2 AIDE cron settings ## How the aide schedule is run either cron or timer diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 898444f..950ca5e 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -12,17 +12,44 @@ - rule_6.1.1 - NIST800-53R5_AU-2 block: + block: - name: "6.1.1 | PATCH | Ensure AIDE is installed" + when: + - "'aide' not in ansible_facts.packages or + 'aide-common' not in ansible_facts.packages" ansible.builtin.package: - name: aide + name: ['aide', 'aide-common'] state: present - register: discovered_aide_installed + update_cache: true + register: discovered_aide_pkg_added - - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB" - when: discovered_aide_installed.changed # noqa: no-handler + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Recapture packages" + when: discovered_aide_pkg_added.skipped is not defined + ansible.builtin.package_facts: + manager: auto + + - name: "6.1.1 | AUDIT | Ensure AIDE is installed | Check file exists" + ansible.builtin.stat: + path: "{{ rhel9cis_aide_db_file }}" + register: discovered_aide_db_file + + - name: "6.1.1 | AUDIT | Ensure AIDE is installed | Check current db file age" + when: discovered_aide_db_file.stat.exists + ansible.builtin.find: + path: "{{ rhel9cis_aide_db_file | dirname }}" + pattern: "{{ rhel9cis_aide_db_file | basename }}" + age: "{{ rhel9cis_aide_db_file_age }}" + register: discovered_aide_db_age + + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Configure AIDE" + when: + - not ansible_check_mode + - not discovered_aide_db_file.stat.exists or + (discovered_aide_db_age.files | length > 0) or + rhel9cis_aide_db_recreate block: - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB" - ansible.builtin.shell: /usr/sbin/aide --init + ansible.builtin.shell: "{{ aide_initiate_command }}" - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB | Wait for file before continuing" ansible.builtin.wait_for: diff --git a/vars/main.yml b/vars/main.yml index ec72d0b..679c5b9 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -44,3 +44,15 @@ container_vars_file: is_container.yml # rhel9cis is left off the front of this var for consistency in testing pipeline # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks system_is_ec2: false + +# Aide initiate command for new DB creation +aide_initiate_command: aideinit -y -f + +# Audit vars +audit_bins: + - /sbin/auditctl + - /sbin/aureport + - /sbin/ausearch + - /sbin/autrace + - /sbin/auditd + - /sbin/augenrules From c5278da4e5a382438bd94575c94332c3e1e0c593 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 16:46:08 +0000 Subject: [PATCH 22/42] audit binaries variables Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.3.4.x.yml | 24 +++--------------------- 1 file changed, 3 insertions(+), 21 deletions(-) diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml index c89af87..d55b4e8 100644 --- a/tasks/section_6/cis_6.3.4.x.yml +++ b/tasks/section_6/cis_6.3.4.x.yml @@ -105,13 +105,7 @@ ansible.builtin.file: path: "{{ item }}" mode: 'go-w' - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules + loop: "{{ audit_bins }}" - name: "6.3.4.9 | PATCH | Ensure audit tools owner is configured" when: @@ -126,13 +120,7 @@ path: "{{ item }}" owner: root group: root - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules + loop: "{{ audit_bins }}" - name: "6.3.4.10 | PATCH | Ensure audit tools group owner is configured" when: @@ -147,10 +135,4 @@ ansible.builtin.file: path: "{{ item }}" group: root - loop: - - /sbin/auditctl - - /sbin/aureport - - /sbin/ausearch - - /sbin/autrace - - /sbin/auditd - - /sbin/augenrules + loop: "{{ audit_bins }}" From a3f8d4fe1fc4276735d967b8526e36efb3eee7f2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 16:46:17 +0000 Subject: [PATCH 23/42] layout update Signed-off-by: Mark Bolwell --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 985dec7..7551cc9 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ## Configure a RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant -### Based on [ CIS RedHat Enterprise Linux 9 Benchmark v2.0.0 ](https://www.cisecurity.org/cis-benchmarks/) +### Based on [CIS RedHat Enterprise Linux 9 Benchmark v2.0.0](https://www.cisecurity.org/cis-benchmarks/) --- From bab28dda4518be1d8bcfdec8d49e26e1a312eacf Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 17:28:49 +0000 Subject: [PATCH 24/42] Added further aide variable Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 10 +++------- vars/main.yml | 6 +++++- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 950ca5e..f889cd4 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -12,13 +12,9 @@ - rule_6.1.1 - NIST800-53R5_AU-2 block: - block: - name: "6.1.1 | PATCH | Ensure AIDE is installed" - when: - - "'aide' not in ansible_facts.packages or - 'aide-common' not in ansible_facts.packages" ansible.builtin.package: - name: ['aide', 'aide-common'] + name: "{{ aide_packages }}" state: present update_cache: true register: discovered_aide_pkg_added @@ -48,10 +44,10 @@ (discovered_aide_db_age.files | length > 0) or rhel9cis_aide_db_recreate block: - - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB" + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB" ansible.builtin.shell: "{{ aide_initiate_command }}" - - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB | Wait for file before continuing" + - name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB | Wait for file before continuing" ansible.builtin.wait_for: path: /var/lib/aide/aide.db.new.gz diff --git a/vars/main.yml b/vars/main.yml index 679c5b9..93439ad 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -45,8 +45,12 @@ container_vars_file: is_container.yml # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks system_is_ec2: false +# Aide Packages + +aide_packages: + - aide # Aide initiate command for new DB creation -aide_initiate_command: aideinit -y -f +aide_initiate_command: /usr/sbin/aide --init # Audit vars audit_bins: From fd97459b6a7b9c194406880e6b07af5065fad464 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 17:29:27 +0000 Subject: [PATCH 25/42] Updated mountpoints controls Signed-off-by: Mark Bolwell --- defaults/main.yml | 5 + handlers/main.yml | 148 +++++++++++++++++++++++++++++- tasks/prelim.yml | 29 +++++- tasks/section_1/cis_1.1.2.1.x.yml | 118 ++++++++++++++++-------- tasks/section_1/cis_1.1.2.2.x.yml | 96 +++++++++++++------ tasks/section_1/cis_1.1.2.3.x.yml | 82 +++++++++++------ tasks/section_1/cis_1.1.2.4.x.yml | 77 ++++++++++------ tasks/section_1/cis_1.1.2.5.x.yml | 97 ++++++++++++++------ tasks/section_1/cis_1.1.2.6.x.yml | 95 +++++++++++++------ tasks/section_1/cis_1.1.2.7.x.yml | 95 +++++++++++++------ 10 files changed, 628 insertions(+), 214 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 32bb5af..816eb11 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -495,6 +495,11 @@ rhel9cis_rule_7_2_9: true ## Section 1 vars +## Ability to enabe debug on mounts to assist in troubleshooting +# Mount point changes are set based upon facts created in Prelim +# these then build the variable and options that is passed to the handler to set the mount point for the controls in section1. +rhel9cis_debug_mount_data: false + ## Control 1.1.2 # If set to `true`, rule will be implemented using the `tmp.mount` systemd-service, # otherwise fstab configuration will be used. diff --git a/handlers/main.yml b/handlers/main.yml index d7f49d9..96cc86e 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,6 +1,149 @@ --- # handlers file for RHEL9-CIS +- name: "Adding options for /tmp" + when: not rhel9cis_tmp_svc + vars: + mount_point: '/tmp' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /tmp" + +- name: "Remounting /tmp" + vars: + mount_point: '/tmp' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /tmp" + +- name: "Remounting /tmp systemd" + vars: + mount_point: '/tmp' + ansible.builtin.systemd: + name: tmp.mount + state: restarted + daemon_reload: true + listen: "Remount /tmp" + +- name: "Adding options for /dev/shm" + vars: + mount_point: '/dev/shm' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /dev/shm" + +- name: "Remounting /dev/shm" + vars: + mount_point: '/dev/shm' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /dev/shm" + +- name: "Adding options for /home" + vars: + mount_point: '/home' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /home" + +- name: "Remounting /home" + vars: + mount_point: '/home' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /home" + +- name: "Adding options for /var" + vars: + mount_point: '/var' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var" + +- name: "Remounting /var" + vars: + mount_point: '/var' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /var" + +- name: "Adding options for /var/tmp" + vars: + mount_point: '/var/tmp' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var/tmp" + +- name: "Remounting /var/tmp" + vars: + mount_point: '/var/tmp' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /var/tmp" + +- name: "Adding options for /var/log" + vars: + mount_point: '/var/log' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var/log" + +- name: "Remounting /var/log" + vars: + mount_point: '/var/log' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /var/log" + +- name: "Adding options for /var/log/audit" + vars: + mount_point: '/var/log/audit' + ansible.posix.mount: + path: "{{ mount_point }}" + src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + state: present + fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + listen: "Remount /var/log/audit" + +- name: "Remounting /var/log/audit" + vars: + mount_point: '/var/log/audit' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + listen: "Remount /var/log/audit" + - name: Reload sysctl ansible.builtin.shell: sysctl --system @@ -31,11 +174,6 @@ masked: false state: reloaded -- name: Remount tmp - ansible.posix.mount: - path: /tmp - state: remounted - - name: Update Crypto Policy ansible.builtin.set_fact: rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}{{ rhel9cis_crypto_policy_module }}{% endif %}" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 28292fb..36c70c8 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -58,12 +58,35 @@ name: python3-libselinux state: present -- name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points" - tags: - - Always +- name: PRELIM | AUDIT | Section 1.1 | Create list of mount points + tags: always ansible.builtin.set_fact: mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" +- name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options + tags: always + block: + - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - call mount # noqa command-instead-of-module + ansible.builtin.shell: | + mount | awk '{print $1, $3, $5, $6}' + changed_when: false + register: mount_output + + - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact + ansible.builtin.set_fact: + mount_point_fs_and_options: >- + {%- set mount_point_fs_and_options = {} -%} + {%- for line in mount_output.stdout_lines -%} + {%- set fields = line.split() -%} + {%- set _ = mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%} + {%- endfor -%} + {{ mount_point_fs_and_options }} + + - name: "PRELIM | AUDIT | Debug of mount variables to assist in troubleshooting" + when: rhel9cis_debug_mount_data + ansible.builtin.debug: + msg: "{{ mount_point_fs_and_options }}" + - name: "PRELIM | PATCH | Update to latest gpg keys" when: - rhel9cis_rule_1_2_1_1 diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index 5683cde..a2adce0 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -12,62 +12,104 @@ - rule_1.1.2.1.1 - NIST800-53R5_CM-7 vars: - warn_control_id: '1.1.2.1.1' - required_mount: '/tmp' + warn_control_id: "1.1.2.1.1" + required_mount: "/tmp" block: - - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_tmp_mount.rc not in [ 0, 1 ] + register: discovered_tmp_mount - - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Present" + - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Absent" + when: discovered_tmp_mount is undefined + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" + + - name: "1.1.2.1.1 | AUDIT | Ensure /tmp is a separate partition | Present" + when: discovered_tmp_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml # via fstab -- name: | - "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" - "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" - "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" - ansible.posix.mount: - name: /tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_1_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_1_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_1_4) %},noexec{% endif %}" - notify: Remount tmp - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" +- name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" when: - - item.mount == "/tmp" + - mount_point_fs_and_options[mount_point] is defined + - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" + - rhel9cis_rule_1_1_2_1_2 - not rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2_1_2 or - rhel9cis_rule_1_1_2_1_3 or - rhel9cis_rule_1_1_2_1_4 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.1.2 - - rule_1.1.2.1.3 - - rule_1.1.2.1.4 - - NIST800-53R5_CM-7 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 + vars: + mount_point: "/tmp" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" + - rhel9cis_rule_1_1_2_1_3 + - not rhel9cis_tmp_svc + tags: + - level1-server + - level1-workstation + - patch + - mounts + - rule_1.1.2.1.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/tmp" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" + - rhel9cis_rule_1_1_2_1_4 + - not rhel9cis_tmp_svc + tags: + - level1-server + - level1-workstation + - patch + - mounts + - rule_1.1.2.1.4 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/tmp" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when # via systemd - name: | - "1.1.2.1.1 | PATCH | Ensure /tmp is configured" - "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" - "1.1.2.1.3 | PATCH | Ensure noexec option set on /tmp partition" - "1.1.2.1.4 | PATCH | Ensure nosuid option set on /tmp partition" + "1.1.2.1.1 | PATCH | Ensure /tmp is configured + 1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition + 1.1.2.1.3 | PATCH | Ensure noexec option set on /tmp partition + 1.1.2.1.4 | PATCH | Ensure nosuid option set on /tmp partition" when: - rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2_1_1 or - rhel9cis_rule_1_1_2_1_2 or - rhel9cis_rule_1_1_2_1_3 or - rhel9cis_rule_1_1_2_1_4 + - rhel9cis_rule_1_1_2_1_1 or rhel9cis_rule_1_1_2_1_2 or rhel9cis_rule_1_1_2_1_3 or rhel9cis_rule_1_1_2_1_4 tags: - level1-server - level1-workstation @@ -79,10 +121,12 @@ - rule_1.1.2.1.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 + vars: + mount_point: "/tmp" ansible.builtin.template: src: etc/systemd/system/tmp.mount.j2 dest: /etc/systemd/system/tmp.mount owner: root group: root - mode: '0644' - notify: Systemd restart tmp.mount + mode: "go-wx" + notify: *mount_option_notify diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index eb82773..a2af00d 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -1,9 +1,9 @@ --- -# Skips if mount is absent -- name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition" +- name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition" when: - rhel9cis_rule_1_1_2_2_1 + - required_mount not in mount_names tags: - level1-server - level1-workstation @@ -12,46 +12,84 @@ - rule_1.1.2.2.1 - NIST800-53R5_CM-7 vars: - warn_control_id: '1.1.2.2.1' + warn_control_id: "1.1.2.2.1" + required_mount: "/dev/shm" block: - - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists" - ansible.builtin.shell: mount -l | grep -w /dev/shm + - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" changed_when: false - register: discovered_dev_shm_mount_check + failed_when: discovered_dev_shm_mount.rc not in [ 0, 1 ] + register: discovered_dev_shm_mount - - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition" - when: discovered_dev_shm_mount_check.rc == 1 - block: - - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent" + when: discovered_dev_shm_mount is undefined + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" - - name: "1.1.2.2.1 | AUDIT | Ensure separate partition exists for /home | Present" - ansible.builtin.import_tasks: - file: warning_facts.yml + - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Present" + when: discovered_dev_shm_mount is undefined + ansible.builtin.import_tasks: + file: warning_facts.yml -- name: | - "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition - 1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition - 1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" +- name: "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition" when: - - rhel9cis_rule_1_1_2_2_2 or - rhel9cis_rule_1_1_2_2_3 or - rhel9cis_rule_1_1_2_2_4 + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_2_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.2.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/dev/shm" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_2_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.2.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/dev/shm" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_2_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.2.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - ansible.posix.mount: - name: /dev/shm - src: tmpfs - fstype: tmpfs - state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_2_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_2_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_2_4 %}noexec{% endif %} - notify: Change_requires_reboot + vars: + mount_point: "/dev/shm" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index c7920cd..224bf38 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -1,52 +1,74 @@ --- - -- name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home" +- name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition" when: - - required_mount not in mount_names - rhel9cis_rule_1_1_2_3_1 + - required_mount not in mount_names tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation - audit - mounts - - rule_1_1_2.3.1 + - rule_1.1.2.3.1 - NIST800-53R5_CM-7 vars: - warn_control_id: '1.1.2.3.1' - required_mount: '/home' + warn_control_id: "1.1.2.3.1" + required_mount: "/home" block: - - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_home_mount.rc not in [ 0, 1 ] + register: discovered_home_mount - - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Present" + - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Absent" + when: discovered_dev_shm_mount is undefined + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" + + - name: "1.1.2.3.1 | AUDIT | Ensure /home is a separate partition | Present" + when: discovered_dev_shm_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -- name: | - "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition - 1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition" +- name: "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition" when: - - item.mount == "/home" - - rhel9cis_rule_1_1_2_3_2 or - rhel9cis_rule_1_1_2_3_3 + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_3_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.3.2 - - rule_1.1.2.3.3 - - NIST800-53R5_CM-7 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - ansible.posix.mount: - name: /home - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_3_3) %},nosuid{% endif %}" - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - notify: Change_requires_reboot + vars: + mount_point: "/home" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_3_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts + - rule_1.1.2.3.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/home" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index 0aa4fa2..3a3aabf 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -1,52 +1,75 @@ --- -- name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var" +- name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition" when: - - required_mount not in mount_names - rhel9cis_rule_1_1_2_4_1 + - required_mount not in mount_names tags: - - level2-server - - level2-workstation - - patch + - level1-server + - level1-workstation + - audit - mounts - - rule_1_1_2.4.1 + - rule_1.1.2.4.1 - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.4.1' required_mount: '/var' block: - - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_mount.rc not in [ 0, 1 ] + register: discovered_var_mount - - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Present" + - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Absent" + when: discovered_dev_shm_mount is undefined + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" + + - name: "1.1.2.4.1 | AUDIT | Ensure /var is a separate partition | Present" + when: discovered_dev_shm_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition - 1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" +- name: "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition" when: - - item.mount == "/var" - - rhel9cis_rule_1_1_2_4_2 or - rhel9cis_rule_1_1_2_4_3 + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_4_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.4.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_4_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.4.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - ansible.posix.mount: - name: /var - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_4_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_4_2) %},nosuid{% endif %}" - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - notify: Change_requires_reboot + vars: + mount_point: "/var" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index 449bc8b..2706d4b 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -1,56 +1,95 @@ --- -# Skips if mount is absent -- name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp" +- name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition" when: - - required_mount not in mount_names - rhel9cis_rule_1_1_2_5_1 + - required_mount not in mount_names tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation - audit - mounts - - rule_1_1_2.5.1 + - rule_1.1.2.5.1 - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.5.1' required_mount: '/var/tmp' block: - - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_tmp_mount.rc not in [ 0, 1 ] + register: discovered_var_tmp_mount - - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" + - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Absent" + when: discovered_var_tmp_mount is undefined + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" + + - name: "1.1.2.5.1 | AUDIT | Ensure /var/tmp is a separate partition | Present" + when: discovered_var_tmp_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -# skips if mount is absent -- name: | - "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition - 1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition - 1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" +- name: "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition" when: - - item.mount == "/var/tmp" - - rhel9cis_rule_1_1_2_5_2 or - rhel9cis_rule_1_1_2_5_3 or - rhel9cis_rule_1_1_2_5_4 + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_5_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.5.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/tmp" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_5_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.5.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/tmp" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_5_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.5.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - ansible.posix.mount: - name: /var/tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_5_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_5_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_5_4) %},noexec{% endif %}" - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - notify: Change_requires_reboot + vars: + mount_point: "/var/tmp" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index c45da55..77da285 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml @@ -1,54 +1,95 @@ --- -- name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log" +- name: "1/.1 | PATCH | Ensure /var/log is a separate partition" when: - - required_mount not in mount_names - rhel9cis_rule_1_1_2_6_1 + - required_mount not in mount_names tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation - audit - mounts - - rule_1_1_2.6.1 + - rule_1.1.2.6.1 - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.6.1' required_mount: '/var/log' block: - - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_log_mount.rc not in [ 0, 1 ] + register: discovered_var_log_mount - - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Present" + - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Absent" + when: discovered_var_log_mount is undefined + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" + + - name: "1.1.2.6.1 | AUDIT | Ensure /var/log is a separate partition | Present" + when: discovered_var_log_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -- name: | - "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition - 1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition - 1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" +- name: "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition" when: - - item.mount == "/var/log" - - rhel9cis_rule_1_1_2_6_2 or - rhel9cis_rule_1_1_2_6_3 or - rhel9cis_rule_1_1_2_6_4 + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_6_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.6.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_6_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.6.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_6_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.6.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - ansible.posix.mount: - name: /var/log - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_6_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_6_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_6_4) %},noexec{% endif %}" - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - notify: Change_requires_reboot + vars: + mount_point: "/var/log" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index 4a8f67c..93bcb23 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml @@ -1,54 +1,95 @@ --- -- name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit" +- name: "1/.1 | PATCH | Ensure /var/log/audit is a separate partition" when: - - required_mount not in mount_names - rhel9cis_rule_1_1_2_7_1 + - required_mount not in mount_names tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation - audit - mounts - - rule_1_1_2.7.1 + - rule_1.1.2.7.1 - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.7.1' required_mount: '/var/log/audit' block: - - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" - ansible.builtin.debug: - msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | check for mount" + ansible.builtin.command: findmnt -kn "{{ required_mount }}" + changed_when: false + failed_when: discovered_var_log_audit_mount.rc not in [ 0, 1 ] + register: discovered_var_log_audit_mount - - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" + - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Absent" + when: discovered_var_log_audit_mount is undefined + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} is not mounted on a separate partition" + + - name: "1.1.2.7.1 | AUDIT | Ensure /var/log/audit is a separate partition | Present" + when: discovered_var_log_audit_mount is undefined ansible.builtin.import_tasks: file: warning_facts.yml -- name: | - "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition - 1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition - 1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" +- name: "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition" when: - - item.mount == "/var/log/audit" - - rhel9cis_rule_1_1_2_7_2 or - rhel9cis_rule_1_1_2_7_3 or - rhel9cis_rule_1_1_2_7_4 + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_7_2 tags: - level1-server - level1-workstation - patch - mounts - rule_1.1.2.7.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log/audit" + required_option: nodev + notify: &mount_option_notify + - "Remount {{ mount_point }}" + ansible.builtin.set_fact: &mount_option_set_fact + mount_point_fs_and_options: | + {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + changed_when: &mount_option_changed_when + - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + +- name: "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_7_3 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.7.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + mount_point: "/var/log/audit" + required_option: nosuid + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when + +- name: "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" + when: + - mount_point_fs_and_options[mount_point] is defined + - rhel9cis_rule_1_1_2_7_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.2.7.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - ansible.posix.mount: - name: /var/log/audit - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_7_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_7_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_7_4) %},noexec{% endif %}" - loop: "{{ ansible_facts.mounts }}" - loop_control: - label: "{{ item.device }}" - notify: Change_requires_reboot + vars: + mount_point: "/var/log/audit" + required_option: noexec + notify: *mount_option_notify + ansible.builtin.set_fact: + <<: *mount_option_set_fact + changed_when: *mount_option_changed_when From 7875e1f6b50199d068d1b81ac58291e0344da4eb Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 17:29:40 +0000 Subject: [PATCH 26/42] udpated output 1.1.1.9 Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.1.x.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index fb0f119..bd56bde 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -300,9 +300,7 @@ - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Output Warning" when: discovered_fs_modules_loaded.stdout | length > 0 ansible.builtin.debug: - msg: | - "Warning!! Discovered loaded Filesystem modules that need attention. This is a manual task - {{ discovered_fs_modules_loaded.stdout_lines}}" + msg: "{{ ['Warning!! Discovered loaded Filesystem modules that need attention. This is a manual task'] + discovered_fs_modules_loaded.stdout_lines }}" - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning" when: discovered_fs_modules_loaded.stdout | length > 0 From d850fc58750627349736d911132eb42856731b1b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 10:09:31 +0000 Subject: [PATCH 27/42] Updated mountpoint vars correctly Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 16 ++++++++-------- tasks/section_1/cis_1.1.2.1.x.yml | 20 ++++++++++---------- tasks/section_1/cis_1.1.2.2.x.yml | 14 +++++++------- tasks/section_1/cis_1.1.2.3.x.yml | 12 ++++++------ tasks/section_1/cis_1.1.2.4.x.yml | 12 ++++++------ tasks/section_1/cis_1.1.2.5.x.yml | 14 +++++++------- tasks/section_1/cis_1.1.2.6.x.yml | 14 +++++++------- tasks/section_1/cis_1.1.2.7.x.yml | 14 +++++++------- 8 files changed, 58 insertions(+), 58 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 36c70c8..7896d58 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -61,7 +61,7 @@ - name: PRELIM | AUDIT | Section 1.1 | Create list of mount points tags: always ansible.builtin.set_fact: - mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" + prelim_mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options tags: always @@ -70,22 +70,22 @@ ansible.builtin.shell: | mount | awk '{print $1, $3, $5, $6}' changed_when: false - register: mount_output + register: prelim_mount_output - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact ansible.builtin.set_fact: - mount_point_fs_and_options: >- - {%- set mount_point_fs_and_options = {} -%} - {%- for line in mount_output.stdout_lines -%} + prelim_mount_point_fs_and_options: >- + {%- set prelim_mount_point_fs_and_options = {} -%} + {%- for line in prelim_mount_output.stdout_lines -%} {%- set fields = line.split() -%} - {%- set _ = mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%} + {%- set _ = prelim_mount_point_fs_and_options.update({fields[1]: {'src': fields[0], 'fs_type': fields[2], 'original_options': fields[3][1:-1].split(','), 'options': fields[3][1:-1].split(',')}}) -%} {%- endfor -%} - {{ mount_point_fs_and_options }} + {{ prelim_mount_point_fs_and_options }} - name: "PRELIM | AUDIT | Debug of mount variables to assist in troubleshooting" when: rhel9cis_debug_mount_data ansible.builtin.debug: - msg: "{{ mount_point_fs_and_options }}" + msg: "{{ prelim_mount_point_fs_and_options }}" - name: "PRELIM | PATCH | Update to latest gpg keys" when: diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index a2adce0..355c32b 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -2,7 +2,7 @@ - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition" when: - - required_mount not in mount_names + - required_mount not in prelim_mount_names - rhel9cis_rule_1_1_2_1_1 tags: - level1-server @@ -34,8 +34,8 @@ # via fstab - name: "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined - - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" + - prelim_mount_point_fs_and_options[mount_point] is defined + - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - rhel9cis_rule_1_1_2_1_2 - not rhel9cis_tmp_svc tags: @@ -52,15 +52,15 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined - - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" + - prelim_mount_point_fs_and_options[mount_point] is defined + - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - rhel9cis_rule_1_1_2_1_3 - not rhel9cis_tmp_svc tags: @@ -81,8 +81,8 @@ - name: "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined - - not mount_point_fs_and_options[mount_point]['src'] == "tmpfs" + - prelim_mount_point_fs_and_options[mount_point] is defined + - not prelim_mount_point_fs_and_options[mount_point]['src'] == "tmpfs" - rhel9cis_rule_1_1_2_1_4 - not rhel9cis_tmp_svc tags: diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index a2af00d..57e92eb 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -3,7 +3,7 @@ - name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition" when: - rhel9cis_rule_1_1_2_2_1 - - required_mount not in mount_names + - required_mount not in prelim_mount_names tags: - level1-server - level1-workstation @@ -33,7 +33,7 @@ - name: "1.1.2.2.2 | PATCH | Ensure nodev option set on /dev/shm partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_2_2 tags: - level1-server @@ -49,14 +49,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_2_3 tags: - level1-server @@ -76,7 +76,7 @@ - name: "1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_2_4 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index 224bf38..998d1ba 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -2,7 +2,7 @@ - name: "1.1.2.3.1 | PATCH | Ensure /home is a separate partition" when: - rhel9cis_rule_1_1_2_3_1 - - required_mount not in mount_names + - required_mount not in prelim_mount_names tags: - level1-server - level1-workstation @@ -32,7 +32,7 @@ - name: "1.1.2.3.2 | PATCH | Ensure nodev option set on /home partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_3_2 tags: - level1-server @@ -48,14 +48,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.3.3 | PATCH | Ensure nosuid option set on /home partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_3_3 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index 3a3aabf..e0afd4e 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -3,7 +3,7 @@ - name: "1.1.2.4.1 | PATCH | Ensure /var is a separate partition" when: - rhel9cis_rule_1_1_2_4_1 - - required_mount not in mount_names + - required_mount not in prelim_mount_names tags: - level1-server - level1-workstation @@ -33,7 +33,7 @@ - name: "1.1.2.4.2 | PATCH | Ensure nodev option set on /var partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_4_2 tags: - level1-server @@ -49,14 +49,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.4.3 | PATCH | Ensure nosuid option set on /var partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_4_3 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index 2706d4b..180d016 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -3,7 +3,7 @@ - name: "1.1.2.5.1 | PATCH | Ensure /var/tmp is a separate partition" when: - rhel9cis_rule_1_1_2_5_1 - - required_mount not in mount_names + - required_mount not in prelim_mount_names tags: - level1-server - level1-workstation @@ -33,7 +33,7 @@ - name: "1.1.2.5.2 | PATCH | Ensure nodev option set on /var/tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_5_2 tags: - level1-server @@ -49,14 +49,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.5.3 | PATCH | Ensure nosuid option set on /var/tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_5_3 tags: - level1-server @@ -76,7 +76,7 @@ - name: "1.1.2.5.4 | PATCH | Ensure noexec option set on /var/tmp partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_5_4 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index 77da285..765de3d 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml @@ -3,7 +3,7 @@ - name: "1/.1 | PATCH | Ensure /var/log is a separate partition" when: - rhel9cis_rule_1_1_2_6_1 - - required_mount not in mount_names + - required_mount not in prelim_mount_names tags: - level1-server - level1-workstation @@ -33,7 +33,7 @@ - name: "1.1.2.6.2 | PATCH | Ensure nodev option set on /var/log partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_6_2 tags: - level1-server @@ -49,14 +49,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.6.3 | PATCH | Ensure nosuid option set on /var/log partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_6_3 tags: - level1-server @@ -76,7 +76,7 @@ - name: "1.1.2.6.4 | PATCH | Ensure noexec option set on /var/log partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_6_4 tags: - level1-server diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index 93bcb23..2dc5939 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml @@ -3,7 +3,7 @@ - name: "1/.1 | PATCH | Ensure /var/log/audit is a separate partition" when: - rhel9cis_rule_1_1_2_7_1 - - required_mount not in mount_names + - required_mount not in prelim_mount_names tags: - level1-server - level1-workstation @@ -33,7 +33,7 @@ - name: "1.1.2.7.2 | PATCH | Ensure nodev option set on /var/log/audit partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_7_2 tags: - level1-server @@ -49,14 +49,14 @@ notify: &mount_option_notify - "Remount {{ mount_point }}" ansible.builtin.set_fact: &mount_option_set_fact - mount_point_fs_and_options: | - {{ mount_point_fs_and_options | combine({mount_point: {'options': (mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} + prelim_mount_point_fs_and_options: | + {{ prelim_mount_point_fs_and_options | combine({mount_point: {'options': (prelim_mount_point_fs_and_options[mount_point]['options'] + [required_option])}}, recursive=True) }} changed_when: &mount_option_changed_when - - required_option not in mount_point_fs_and_options[mount_point]['original_options'] + - required_option not in prelim_mount_point_fs_and_options[mount_point]['original_options'] - name: "1.1.2.7.3 | PATCH | Ensure nosuid option set on /var/log/audit partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_7_3 tags: - level1-server @@ -76,7 +76,7 @@ - name: "1.1.2.7.4 | PATCH | Ensure noexec option set on /var/log/audit partition" when: - - mount_point_fs_and_options[mount_point] is defined + - prelim_mount_point_fs_and_options[mount_point] is defined - rhel9cis_rule_1_1_2_7_4 tags: - level1-server From 834fa7a5eeeb9a815e9693b7c0bfac2ef36fe3f9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 10:22:33 +0000 Subject: [PATCH 28/42] Added comment on set_fact for mountpoints Signed-off-by: Mark Bolwell --- handlers/main.yml | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 96cc86e..c122eaa 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -7,10 +7,10 @@ mount_point: '/tmp' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /tmp" - name: "Remounting /tmp" @@ -35,10 +35,10 @@ mount_point: '/dev/shm' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /dev/shm" - name: "Remounting /dev/shm" @@ -54,10 +54,10 @@ mount_point: '/home' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /home" - name: "Remounting /home" @@ -73,10 +73,10 @@ mount_point: '/var' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /var" - name: "Remounting /var" @@ -92,10 +92,10 @@ mount_point: '/var/tmp' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /var/tmp" - name: "Remounting /var/tmp" @@ -111,10 +111,10 @@ mount_point: '/var/log' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /var/log" - name: "Remounting /var/log" @@ -130,10 +130,10 @@ mount_point: '/var/log/audit' ansible.posix.mount: path: "{{ mount_point }}" - src: "{{ mount_point_fs_and_options[mount_point]['src'] }}" + src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}" state: present - fstype: "{{ mount_point_fs_and_options[mount_point]['fs_type'] }}" - opts: "{{ mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" + fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}" + opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}" listen: "Remount /var/log/audit" - name: "Remounting /var/log/audit" From 3545620db8afe57bdc0ef85ccf746292a94a8f2a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 10:22:44 +0000 Subject: [PATCH 29/42] udpated variable Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 7896d58..4664879 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -72,7 +72,7 @@ changed_when: false register: prelim_mount_output - - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact + - name: PRELIM | AUDIT | Section 1.1 | Retrieve mount options - build fact # This is inherited and used in mountpoints tasks ansible.builtin.set_fact: prelim_mount_point_fs_and_options: >- {%- set prelim_mount_point_fs_and_options = {} -%} From 69e01b84f3fed923138b512654ceed7251a68250 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 11:20:00 +0000 Subject: [PATCH 30/42] Updated files to std Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 6 ++-- tasks/audit_only.yml | 10 +++--- tasks/post_remediation_audit.yml | 18 +++++----- tasks/pre_remediation_audit.yml | 58 +++++++++++++------------------- 4 files changed, 38 insertions(+), 54 deletions(-) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 4b407eb..52fc8bd 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -8,7 +8,7 @@ audit_pkg_arch_name: AMD64 - name: Pre Audit Setup | Set audit package name | ARM64 - when: ansible_facts.machine == "aarch64" + when: ansible_facts.machine == "arm64" ansible.builtin.set_fact: audit_pkg_arch_name: ARM64 @@ -20,13 +20,13 @@ owner: root group: root checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}" - mode: '0555' + mode: 'u+x,go-w' - name: Pre Audit Setup | Copy audit binary when: get_audit_binary_method == 'copy' ansible.builtin.copy: src: "{{ audit_bin_copy_location }}" dest: "{{ audit_bin }}" - mode: '0555' owner: root group: root + mode: 'u+x,go-w' diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index b7dad08..008d358 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml @@ -3,7 +3,7 @@ - name: Audit_Only | Create local Directories for hosts when: fetch_audit_files ansible.builtin.file: - mode: '0755' + mode: 'u+x,go-w' path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}" recurse: true state: directory @@ -15,16 +15,14 @@ ansible.builtin.fetch: dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/" flat: true - mode: '0644' + mode: 'go-wx' src: "{{ pre_audit_outfile }}" - name: Audit_only | Show Audit Summary - when: - - audit_only + when: audit_only ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" - name: Audit_only | Stop Playbook Audit Only selected - when: - - audit_only + when: audit_only ansible.builtin.meta: end_play diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 8004ed3..54d5785 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,14 +1,14 @@ --- -- name: Post Audit | Run post_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" +- name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template] + ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml -- name: Post Audit | Ensure audit files readable by users +- name: Post Audit | ensure audit files readable by users ansible.builtin.file: path: "{{ item }}" mode: '0644' @@ -18,26 +18,24 @@ - "{{ pre_audit_outfile }}" - name: Post Audit | Capture audit data if json format - when: - - audit_format == "json" + when: audit_format == "json" block: - name: Post Audit | Capture audit data if json format ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4 - register: post_audit_summary changed_when: false + register: post_audit_summary - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: post_audit_results: "{{ post_audit_summary.stdout }}" - name: Post Audit | Capture audit data if documentation format - when: - - audit_format == "documentation" + when: audit_format == "documentation" block: - name: Post Audit | Capture audit data if documentation format - ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' ' - register: post_audit_summary + ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' changed_when: false + register: post_audit_summary - name: Post Audit | Set Fact for audit summary ansible.builtin.set_fact: diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 3a3304c..91cc9b7 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,22 +1,19 @@ --- - name: Pre Audit Setup | Setup the LE audit - when: - - setup_audit - tags: - - setup_audit + when: setup_audit + tags: setup_audit ansible.builtin.include_tasks: file: LE_audit_setup.yml -- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists +- name: Pre Audit Setup | Ensure existence of {{ audit_conf_dir }} # noqa name[template] ansible.builtin.file: path: "{{ audit_conf_dir }}" + mode: 'go-w' state: directory - mode: '0755' - name: Pre Audit Setup | If using git for content set up - when: - - audit_content == 'git' + when: audit_content == 'git' block: - name: Pre Audit Setup | Install git ansible.builtin.package: @@ -30,57 +27,51 @@ version: "{{ audit_git_version }}" - name: Pre Audit Setup | Copy to audit content files to server - when: - - audit_content == 'copy' + when: audit_content == 'copy' ansible.builtin.copy: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" mode: preserve - name: Pre Audit Setup | Unarchive audit content files on server - when: - - audit_content == 'archive' + when: audit_content == 'archive' ansible.builtin.unarchive: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}" - name: Pre Audit Setup | Get audit content from url - when: - - audit_content == 'get_url' + when: audit_content == 'get_url' ansible.builtin.unarchive: src: "{{ audit_conf_source }}" dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit" - remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}" - extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}" + remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}" + extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}" - name: Pre Audit Setup | Check Goss is available - when: - - run_audit + when: run_audit block: - name: Pre Audit Setup | Check for goss file ansible.builtin.stat: path: "{{ audit_bin }}" - register: discovered_goss_available + register: prelim_goss_available - name: Pre Audit Setup | If audit ensure goss is available - when: - - not discovered_goss_available.stat.exists + when: not prelim_goss_available.stat.exists ansible.builtin.assert: msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit - when: - - run_audit + when: run_audit tags: - goss_template - run_audit ansible.builtin.template: src: ansible_vars_goss.yml.j2 dest: "{{ audit_vars_path }}" - mode: '0600' + mode: 'go-rwx' -- name: Pre Audit | Run pre_remediation {{ benchmark }} audit - ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" +- name: Pre Audit | Run pre_remediation audit {{ benchmark }} # noqa name[template] + ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length] changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" @@ -88,33 +79,30 @@ AUDIT_FILE: goss.yml - name: Pre Audit | Capture audit data if json format - when: - - audit_format == "json" + when: audit_format == "json" block: - name: Pre Audit | Capture audit data if json format ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 - register: pre_audit_summary changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Pre Audit | Capture audit data if documentation format - when: - - audit_format == "documentation" + when: audit_format == "documentation" block: - name: Pre Audit | Capture audit data if documentation format - ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' - register: pre_audit_summary + ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' changed_when: false + register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary ansible.builtin.set_fact: pre_audit_results: "{{ pre_audit_summary.stdout }}" - name: Audit_Only | Run Audit Only - when: - - audit_only + when: audit_only ansible.builtin.import_tasks: file: audit_only.yml From fcf9eb674f5c1908e0373264709db1643408d4ea Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 11:20:19 +0000 Subject: [PATCH 31/42] lint and best practise Signed-off-by: Mark Bolwell --- handlers/main.yml | 21 ++++++++++++------- tasks/main.yml | 8 +++---- tasks/parse_etc_password.yml | 2 +- tasks/post.yml | 17 ++++++--------- tasks/prelim.yml | 11 ++++++---- .../pwquality.conf.d/50-pwcomplexity.conf.j2 | 4 ++-- 6 files changed, 33 insertions(+), 30 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index c122eaa..91181a1 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -145,7 +145,8 @@ listen: "Remount /var/log/audit" - name: Reload sysctl - ansible.builtin.shell: sysctl --system + ansible.builtin.command: sysctl --system + changed_when: true - name: Sysctl flush ipv4 route table when: @@ -181,8 +182,8 @@ - name: Set Crypto Policy when: prelim_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy - ansible.builtin.shell: | - update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" + ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}" + changed_when: true notify: - Change_requires_reboot - Restart sshd @@ -203,10 +204,12 @@ state: restarted - name: Reload dconf - ansible.builtin.shell: dconf update + ansible.builtin.command: dconf update + changed_when: true - name: Grub2cfg - ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" + ansible.builtin.command: "grub2-mkconfig -o /boot/grub2/grub.cfg" + changed_when: true ignore_errors: true # noqa ignore-errors - name: Restart rsyslog @@ -229,12 +232,13 @@ daemon-reload: true - name: Authselect update - ansible.builtin.shell: authselect apply-changes + ansible.builtin.command: authselect apply-changes + changed_when: true ## Auditd tasks note order for handlers to run - name: Auditd immutable check - ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules + ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules changed_when: false register: discovered_auditd_immutable_check @@ -246,7 +250,8 @@ notify: Change_requires_reboot - name: Stop auditd process - ansible.builtin.shell: systemctl kill auditd + ansible.builtin.command: systemctl kill auditd + changed_when: true listen: Restart auditd - name: Start auditd process diff --git a/tasks/main.yml b/tasks/main.yml index 4598f85..4cb6869 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -81,14 +81,14 @@ vars: sudo_password_rule: rhel9cis_rule_5_2_4 # pragma: allowlist secret block: - - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" + - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" # noqa name[template] ansible.builtin.shell: "(grep {{ ansible_env.SUDO_USER }} /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'" changed_when: false failed_when: false check_mode: false register: prelim_ansible_user_password_set - - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account" + - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account" # noqa name[template] when: prelim_ansible_user_password_set.stdout == "not found" ansible.builtin.debug: msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks." @@ -97,7 +97,7 @@ when: - prelim_ansible_user_password_set.stdout != "not found" block: - - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" + - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template] ansible.builtin.assert: that: - prelim_ansible_user_password_set.stdout | length != 0 @@ -105,7 +105,7 @@ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" - - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" + - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template] ansible.builtin.assert: that: - not prelim_ansible_user_password_set.stdout.startswith("!") diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 8270b5a..49941bf 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -5,7 +5,7 @@ - always block: - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd" - ansible.builtin.shell: cat /etc/passwd + ansible.builtin.command: cat /etc/passwd changed_when: false check_mode: false register: rhel9cis_passwd_file_audit diff --git a/tasks/post.yml b/tasks/post.yml index 198d9c0..4308727 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -29,28 +29,23 @@ ansible.builtin.meta: flush_handlers - name: POST | reboot system if changes require it and not skipped + when: change_requires_reboot tags: - always + vars: + warn_control_id: Reboot_required block: - name: POST | Reboot system if changes require it and not skipped + when: not skip_reboot ansible.builtin.reboot: - when: - - change_requires_reboot - - not skip_reboot - name: POST | Warning a reboot required but skip option set + when: skip_reboot ansible.builtin.debug: msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true - when: - - change_requires_reboot - - skip_reboot - name: "POST | Warning a reboot required but skip option set | warning count" + when: skip_reboot ansible.builtin.import_tasks: file: warning_facts.yml - when: - - change_requires_reboot - - skip_reboot - vars: - warn_control_id: Reboot_required diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 4664879..efa13d5 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -103,14 +103,14 @@ - ansible_facts.distribution == 'RedHat' block: - name: "PRELIM | AUDIT | Import gpg keys | get data" - ansible.builtin.shell: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' + ansible.builtin.command: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' # noqa command-instead-of-module changed_when: false failed_when: false register: prelim_check_gpg_imported - name: "PRELIM | AUDIT | Import gpg keys | Check Package" when: "'not installed' in prelim_check_gpg_imported.stdout" - ansible.builtin.shell: rpm -qi redhat-release | grep Signature + ansible.builtin.shell: rpm -qi redhat-release | grep Signature # noqa command-instead-of-module changed_when: false failed_when: false register: prelim_os_gpg_package_valid @@ -119,7 +119,9 @@ when: - "'not installed' in prelim_check_gpg_imported.stdout" - "'Key ID 199e2f91fd431d51' in prelim_os_gpg_package_valid.stdout" - ansible.builtin.shell: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + ansible.builtin.rpm_key: + key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release + state: present - name: "PRELIM | AUDIT | Check systemd coredump" when: @@ -150,7 +152,7 @@ state: present - name: "PRELIM | AUDIT | Gather system-wide crypto-policy" - ansible.builtin.shell: 'update-crypto-policies --show' + ansible.builtin.command: 'update-crypto-policies --show' changed_when: false check_mode: false register: prelim_system_wide_crypto_policy @@ -269,6 +271,7 @@ ansible.builtin.file: path: /etc/systemd/journald.conf.d state: directory + mode: 'u+x,g-w,o-rwx' - name: "PRELIM | PATCH | Configure System Accounting (auditd)" when: diff --git a/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 b/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 index 6a9855a..c223c84 100644 --- a/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 +++ b/templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2 @@ -1,9 +1,9 @@ # CIS Configurations # 5.3.3.2.3 Ensure password complexity is configured -{% if rhel9cis_passwd_complex_option == 'minclass' %} +{% if rhel9cis_passwd_complex_option == 'minclass' %} # pragma: allowlist secret minclass = {{ rhel9cis_passwd_minclass }} {% endif %} -{% if rhel9cis_passwd_complex_option == 'credits' %} +{% if rhel9cis_passwd_complex_option == 'credits' %} # pragma: allowlist secret dcredit = {{rhel9cis_passwd_dcredit }} ucredit = {{ rhel9cis_passwd_ucredit }} ocredit = {{ rhel9cis_passwd_ocredit }} From 88ac5c3d65f0481b8fe1c266c57525e3c1a3c3ff Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 11:49:02 +0000 Subject: [PATCH 32/42] Lint updates Signed-off-by: Mark Bolwell --- {templates => files}/fs_with_cves.sh | 5 +-- tasks/section_1/cis_1.1.1.x.yml | 6 +-- tasks/section_1/cis_1.2.1.x.yml | 8 ++-- tasks/section_2/cis_2.1.x.yml | 2 +- tasks/section_2/cis_2.4.x.yml | 2 +- tasks/section_3/cis_3.1.x.yml | 4 +- tasks/section_3/cis_3.2.x.yml | 12 ++++-- tasks/section_4/cis_4.1.x.yml | 2 +- tasks/section_4/cis_4.3.x.yml | 62 +++++++++++++++++++--------- tasks/section_5/cis_5.3.2.x.yml | 36 +++++++++------- tasks/section_5/cis_5.3.3.1.x.yml | 1 + tasks/section_5/cis_5.4.1.x.yml | 28 ++++++++----- tasks/section_5/cis_5.4.2.x.yml | 3 +- tasks/section_6/cis_6.1.x.yml | 10 +++-- tasks/section_6/cis_6.3.1.x.yml | 18 ++++---- tasks/section_7/cis_7.1.x.yml | 4 +- tasks/section_7/cis_7.2.x.yml | 4 +- tasks/warning_facts.yml | 2 +- vars/audit.yml | 2 +- 19 files changed, 127 insertions(+), 84 deletions(-) rename {templates => files}/fs_with_cves.sh (98%) diff --git a/templates/fs_with_cves.sh b/files/fs_with_cves.sh similarity index 98% rename from templates/fs_with_cves.sh rename to files/fs_with_cves.sh index 89ba49b..a6d937c 100644 --- a/templates/fs_with_cves.sh +++ b/files/fs_with_cves.sh @@ -1,11 +1,8 @@ -{% raw %} -#! /usr/bin/env bash +{% raw %}#! /usr/bin/env bash # Based on original Script provided by CIS # CVEs correct at time of creation - April2024 -#! /usr/bin/env bash - { a_output=(); a_output2=(); a_modprope_config=(); a_excluded=(); a_available_modules=() a_ignore=("xfs" "vfat" "ext2" "ext3" "ext4") diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index bd56bde..02a387e 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -284,15 +284,15 @@ warn_control_id: '1.1.1.9' block: - name: "1.1.1.9 | PATCH | Ensure unused filesystems kernel modules are not available | Add discovery script" - ansible.builtin.template: + ansible.builtin.copy: src: fs_with_cves.sh dest: /var/fs_with_cves.sh owner: root group: root - mode: '0744' + mode: 'u+x,go-wx' - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Run discovery script" - ansible.builtin.shell: /var/fs_with_cves.sh + ansible.builtin.command: /var/fs_with_cves.sh changed_when: false failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ] register: discovered_fs_modules_loaded diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index dca12b0..454fd95 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml @@ -15,13 +15,15 @@ - NIST800-53R5_SI-2 block: - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" - ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" + ansible.builtin.shell: | + "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" changed_when: false failed_when: false register: discovered_os_installed_pub_keys - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys" - ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"' + ansible.builtin.shell: | + 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"' changed_when: false failed_when: false register: discovered_os_gpg_key_check @@ -107,7 +109,7 @@ warn_control_id: '1.2.1.4' block: - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Get repo list" - ansible.builtin.shell: dnf repolist + ansible.builtin.command: dnf repolist changed_when: false failed_when: false register: discovered_dnf_configured diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index 73e7986..bf6a81d 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -718,7 +718,7 @@ warn_control_id: '2.1.22' block: - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" - ansible.builtin.shell: systemctl list-units --type=service + ansible.builtin.command: systemctl list-units --type=service # noqa command-instead-of-module changed_when: false failed_when: discovered_running_services.rc not in [ 0, 1 ] check_mode: false diff --git a/tasks/section_2/cis_2.4.x.yml b/tasks/section_2/cis_2.4.x.yml index 16ed0e9..3789aae 100644 --- a/tasks/section_2/cis_2.4.x.yml +++ b/tasks/section_2/cis_2.4.x.yml @@ -146,7 +146,7 @@ - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users" ansible.builtin.file: path: /etc/cron.allow - state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}' + state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}' owner: root group: root mode: u-x,g-wx,o-rwx diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 98e3a93..84d8784 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -40,7 +40,7 @@ block: - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" when: "'network-manager' in ansible_facts.packages" - ansible.builtin.shell: nmcli radio wifi + ansible.builtin.command: nmcli radio wifi changed_when: false failed_when: false check_mode: false @@ -50,7 +50,7 @@ when: - "'network-manager' in ansible_facts.packages" - "'enabled' in discovered_wifi_status.stdout" - ansible.builtin.shell: nmcli radio all off + ansible.builtin.command: nmcli radio all off changed_when: discovered_nmcli_radio_off.rc == 0 register: discovered_nmcli_radio_off diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index bc210ae..4413d59 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -18,6 +18,7 @@ regexp: '^(#)?install dccp(\\s|$)' line: "{{ item }}" create: true + mode: 'u-x,go-rwx' loop: - install dccp /bin/true - blacklist dccp @@ -28,7 +29,7 @@ regexp: "^(#)?blacklist cramfs(\\s|$)" line: "blacklist cramfs" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available" when: @@ -48,6 +49,7 @@ regexp: '^(#)?install tipc(\\s|$)' line: "{{ item }}" create: true + mode: 'u-x,go-rwx' loop: - install tipc /bin/true - blacklist tipc @@ -58,7 +60,7 @@ regexp: "^(#)?blacklist tipc(\\s|$)" line: "blacklist tipc" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "3.2.3 | PATCH | Ensure rds kernel module is not available" when: @@ -78,6 +80,7 @@ regexp: '^(#)?install rds(\\s|$)' line: "{{ item }}" create: true + mode: 'u-x,go-rwx' loop: - install rds /bin/true - blacklist rds @@ -88,7 +91,7 @@ regexp: "^(#)?blacklist rds(\\s|$)" line: "blacklist rds" create: true - mode: '0600' + mode: 'u-x,go-rwx' - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available" when: @@ -108,6 +111,7 @@ regexp: '^(#)?install sctp(\\s|$)' line: "{{ item }}" create: true + mode: 'u-x,go-rwx' loop: - install sctp /bin/true - blacklist sctp @@ -118,4 +122,4 @@ regexp: "^(#)?blacklist sctp(\\s|$)" line: "blacklist sctp" create: true - mode: '0600' + mode: 'u-x,go-rwx' diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml index f0a6636..06cffbd 100644 --- a/tasks/section_4/cis_4.1.x.yml +++ b/tasks/section_4/cis_4.1.x.yml @@ -52,7 +52,7 @@ name: "{{ rhel9cis_firewall }}" state: installed - - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" + - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" # noqa name[template] ansible.builtin.systemd: name: "{{ rhel9cis_firewall }}" enabled: true diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml index 4e85deb..9cab1b4 100644 --- a/tasks/section_4/cis_4.3.x.yml +++ b/tasks/section_4/cis_4.3.x.yml @@ -8,7 +8,8 @@ - rhel9cis_rule_4_3_3 - rhel9cis_rule_4_3_4 tags: always - ansible.builtin.shell: "nft add table inet {{ rhel9cis_nft_tables_tablename }}" + ansible.builtin.command: "nft add table inet {{ rhel9cis_nft_tables_tablename }}" + changed_when: true - name: "4.3.1 | PATCH | Ensure nftables base chains exist" when: @@ -22,19 +23,22 @@ - NIST800-55_CA-9 block: - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT" - ansible.builtin.shell: nft list ruleset | grep 'hook input' + ansible.builtin.shell: | + nft list ruleset | grep 'hook input' changed_when: false failed_when: false register: discovered_nftables_input_chains - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" - ansible.builtin.shell: nft list ruleset | grep 'hook forward' + ansible.builtin.shell: | + nft list ruleset | grep 'hook forward' changed_when: false failed_when: false register: discovered_nftables_forward_chains - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" - ansible.builtin.shell: nft list ruleset | grep 'hook output' + ansible.builtin.shell: | + nft list ruleset | grep 'hook output' changed_when: false failed_when: false register: discovered_nftables_output_chains @@ -52,7 +56,8 @@ - name: "4.3.1 | PATCH | Ensure nftables base chains exist | Create chains if needed" when: rhel9cis_nft_tables_autochaincreate - ansible.builtin.shell: "{{ item }}" + ansible.builtin.command: "{{ item }}" + changed_when: true failed_when: false loop: - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } @@ -71,44 +76,50 @@ - NIST800-55_CA-9 block: - name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather incoming connection rules" - ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + ansible.builtin.shell: | + nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' changed_when: false failed_when: false register: discovered_nftables_inconnectionrule - name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules" - ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + ansible.builtin.command: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' changed_when: false failed_when: false register: discovered_nftables_outconnectionrule - name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy" when: '"ip protocol tcp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' - ansible.builtin.shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + changed_when: true - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy" when: '"ip protocol udp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept + changed_when: true - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy" when: '"ip protocol icmp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept + changed_when: true - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy" when: '"ip protocol tcp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept + changed_when: true - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy" when: '"ip protocol udp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept + changed_when: true - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy" when: '"ip protocol icmp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept + changed_when: true - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy" - when: - - rhel9cis_rule_4_3_3 + when: rhel9cis_rule_4_3_3 tags: - level1-server - level1-workstation @@ -118,25 +129,29 @@ - NIST800-55_CA-9 block: - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" - ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' + ansible.builtin.shell: | + nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' failed_when: false changed_when: false register: discovered_nftables_inputpolicy - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" - ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' + ansible.builtin.shell: | + nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' failed_when: false changed_when: false register: discovered_nftables_forwardpolicy - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" - ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' + ansible.builtin.shell: | + nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' failed_when: false changed_when: false register: discovered_nftables_outputpolicy - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" - ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' + ansible.builtin.shell: | + nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' failed_when: false changed_when: false register: discovered_nftables_sshallowcheck @@ -144,22 +159,25 @@ - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" when: '"tcp dport ssh accept" not in discovered_nftables_sshallowcheck.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept + changed_when: true - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" when: '"type filter hook input priority 0; policy drop;" not in discovered_nftables_inputpolicy.stdout' ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } + changed_when: true - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" when: '"type filter hook forward priority 0; policy drop;" not in discovered_nftables_forwardpolicy.stdout' ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } + changed_when: true - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" when: '"type filter hook output priority 0; policy drop;" not in discovered_nftables_outputpolicy.stdout' ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } + changed_when: true - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured" - when: - - rhel9cis_rule_4_3_4 + when: rhel9cis_rule_4_3_4 tags: - level1-server - level1-workstation @@ -169,19 +187,22 @@ - NIST800-55_CA-9 block: - name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence | nftables" - ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + ansible.builtin.shell: | + nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' changed_when: false failed_when: false register: discovered_nftables_iiflo - name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence | nftables" - ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + ansible.builtin.shell: | + nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' changed_when: false failed_when: false register: discovered_nftables_ipsaddr - name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence | nftables" - ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + ansible.builtin.shell: | + nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' changed_when: false failed_when: false register: discovered_nftables_ip6saddr @@ -189,11 +210,14 @@ - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule | nftables" when: '"iif \"lo\" accept" not in discovered_nftables_iiflo.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept + changed_when: true - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables" when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in discovered_nftables_ipsaddr.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + changed_when: true - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule | nftables" when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in discovered_nftables_ip6saddr.stdout' ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop + changed_when: true diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 18e9cfd..696010f 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -17,12 +17,13 @@ when: - rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or prelim_authselect_current_profile.stdout is not defined - ansible.builtin.shell: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}" + ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}" + changed_when: false args: creates: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}" - name: "5.3.2.1 | AUDIT | Ensure active authselect profile includes pam modules | get profile features" - ansible.builtin.shell: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}" + ansible.builtin.command: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}" changed_when: false register: discovered_authselect_profile_features @@ -37,7 +38,8 @@ - password - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Backup and Add pam modules" - ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}" + ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}" + changed_when: true - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled" when: @@ -59,14 +61,16 @@ notify: Authselect update block: - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config" - ansible.builtin.shell: authselect current | grep faillock + ansible.builtin.shell: | + authselect current | grep faillock changed_when: false failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ] register: discovered_authselect_current_faillock - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" when: discovered_authselect_current_faillock.rc != 0 - ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + changed_when: true - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled" when: @@ -83,14 +87,16 @@ - rule_5.3.2.3 block: - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Get current config" - ansible.builtin.shell: authselect current | grep quality + ansible.builtin.shell: | + authselect current | grep quality changed_when: false failed_when: discovered_authselect_current_quality.rc not in [ 0, 1 ] register: discovered_authselect_current_quality - - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Add feature if missing" + - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled | Add feature if missing" when: discovered_authselect_current_quality.rc != 0 - ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + changed_when: true notify: Authselect update - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled" @@ -108,14 +114,16 @@ - rule_5.3.2.4 block: - name: "5.3.2.4 | AUDIT | Ensure pam_pwhistory module is enabled | Get current config" - ansible.builtin.shell: authselect current | grep pwhistory + ansible.builtin.shell: | + authselect current | grep pwhistory changed_when: false failed_when: discovered_authselect_current_history.rc not in [ 0, 1 ] register: discovered_authselect_current_history - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled | enable feature" when: discovered_authselect_current_history.rc != 0 - ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" + changed_when: true notify: Authselect update - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled" @@ -146,8 +154,8 @@ regexp: "{{ item.regexp }}" line: "{{ item.line }}" backrefs: true - insertafter: "{{ item.after | default (omit) }}" - insertbefore: "{{ item.before | default (omit) }}" + insertafter: "{{ item.after | default(omit) }}" + insertbefore: "{{ item.before | default(omit) }}" loop: - { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', after: '^auth.*pam_faillock.*preauth' } - { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' } @@ -160,8 +168,8 @@ line: "{{ item.line }}" regexp: "{{ item.regexp }}" backrefs: true - insertafter: "{{ item.after | default (omit) }}" - insertbefore: "{{ item.before | default (omit) }}" + insertafter: "{{ item.after | default(omit) }}" + insertbefore: "{{ item.before | default(omit) }}" loop: - { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\2', after: '^auth.*pam_faillock.*preauth' } - { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' } diff --git a/tasks/section_5/cis_5.3.3.1.x.yml b/tasks/section_5/cis_5.3.3.1.x.yml index 8206074..d625cac 100644 --- a/tasks/section_5/cis_5.3.3.1.x.yml +++ b/tasks/section_5/cis_5.3.3.1.x.yml @@ -104,6 +104,7 @@ line: "{{ rhel9cis_pamroot_lock_option }}" insertafter: '^# end of pam-auth-update config' create: true + mode: 'u-x,go-wx' - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | remove lockout from pam files NOT AuthSelect" when: diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 9e92e86..732fc5c 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -96,7 +96,8 @@ - discovered_warn_days.stdout_lines | length > 0 - item in prelim_interactive_usernames.stdout - rhel9cis_force_user_warnage - ansible.builtin.shell: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}" + ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}" + changed_when: true loop: "{{ discovered_warn_days.stdout_lines }}" - name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured" @@ -125,25 +126,29 @@ - rule_5.4.1.5 block: - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | Check current settings" - ansible.builtin.shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= + ansible.builtin.shell: | + useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= changed_when: false failed_when: false check_mode: false register: discovered_passwdlck_inactive_settings - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set default inactive setting" - ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} when: discovered_passwdlck_inactive_settings.stdout | length == 0 + ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + changed_when: true - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" + ansible.builtin.shell: | + "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false check_mode: false register: discovered_passwdlck_user_list - name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" when: item in prelim_interactive_usernames.stdout - ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + changed_when: true loop: "{{ discovered_passwdlck_user_list.stdout_lines }}" - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past" @@ -172,22 +177,23 @@ register: discovered_passwdlck_user_future - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" + when: + - discovered_passwdlck_user_future.stdout | length > 0 + - not rhel9cis_futurepwchgdate_autofix ansible.builtin.debug: msg: "Warning!! The following accounts have the last PW change date in the future: {{ discovered_passwdlck_user_future.stdout_lines }}" - when: - - discovered_passwdlck_user_future.stdout | length > 0 - - not rhel9cis_futurepwchgdate_autofix - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | warning count" - ansible.builtin.import_tasks: - file: warning_facts.yml when: - discovered_passwdlck_user_future.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix + ansible.builtin.import_tasks: + file: warning_facts.yml - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - ansible.builtin.shell: passwd --expire {{ item }} + changed_when: true when: - discovered_passwdlck_user_future.stdout | length > 0 - rhel9cis_futurepwchgdate_autofix loop: "{{ discovered_passwdlck_user_future.stdout_lines }}" + ansible.builtin.command: passwd --expire {{ item }} diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index 2cf378c..a367f72 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -17,7 +17,7 @@ - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - ansible.builtin.shell: passwd -l {{ item }} + ansible.builtin.command: passwd -l {{ item }} changed_when: false failed_when: false loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}" @@ -194,6 +194,7 @@ regexp: \s*umask line: "umask {{ rhel9cis_root_umask }}" create: true + mode: 'u+x,go-rwx' - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" when: diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index f889cd4..c000fe1 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -45,7 +45,8 @@ rhel9cis_aide_db_recreate block: - name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB" - ansible.builtin.shell: "{{ aide_initiate_command }}" + ansible.builtin.command: "{{ aide_initiate_command }}" + changed_when: true - name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB | Wait for file before continuing" ansible.builtin.wait_for: @@ -56,6 +57,7 @@ src: /var/lib/aide/aide.db.new.gz dest: /var/lib/aide/aide.db.gz remote_src: true + mode: 'ug-wx,o-rwx' - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked" when: @@ -85,15 +87,15 @@ - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service" when: rhel9cis_aide_scan == "timer" - ansible.builtin.systemd: + ansible.builtin.systemd_service: name: aidecheck.service enabled: true - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service" when: rhel9cis_aide_scan == "timer" - ansible.builtin.systemd: + ansible.builtin.systemd_service: name: aidecheck.timer - state: running + state: started enabled: true - name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" diff --git a/tasks/section_6/cis_6.3.1.x.yml b/tasks/section_6/cis_6.3.1.x.yml index 3039f2c..b054848 100644 --- a/tasks/section_6/cis_6.3.1.x.yml +++ b/tasks/section_6/cis_6.3.1.x.yml @@ -1,8 +1,7 @@ --- - name: "6.3.1.1 | PATCH | Ensure auditd is installed" - when: - - rhel9cis_rule_6_3_1_1 + when: rhel9cis_rule_6_3_1_1 tags: - level2-server - level2-workstation @@ -27,8 +26,7 @@ state: present - name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" - when: - - rhel9cis_rule_6_3_1_2 + when: rhel9cis_rule_6_3_1_2 tags: - level2-server - level2-workstation @@ -49,7 +47,8 @@ - discovered_grubby_curr_value_audit_linux.stdout == '' or '0' in discovered_grubby_curr_value_audit_linux.stdout or 'off' in discovered_grubby_curr_value_audit_linux.stdout|lower - ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" + ansible.builtin.command: grubby --update-kernel=ALL --args="audit=1" + changed_when: true - name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" when: @@ -81,17 +80,16 @@ discovered_reset_backlog_limits: true - name: "6.3.1.3 | AUDIT | Check to see if any limits are too low" - when: - - (item | int < rhel9cis_audit_back_log_limit) + when: (item | int < rhel9cis_audit_back_log_limit) ansible.builtin.set_fact: discovered_reset_backlog_limits: true loop: "{{ discovered_grubby_curr_value_backlog_linux.stdout_lines }}" - name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied" - when: - - discovered_reset_backlog_limits is defined - ansible.builtin.shell: + when: discovered_reset_backlog_limits is defined + ansible.builtin.command: cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' + changed_when: true - name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active" when: diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 232b224..d70bf5f 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -221,7 +221,7 @@ warn_control_id: '7.1.12' block: - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories" - ansible.builtin.shell: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs + ansible.builtin.command: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs changed_when: false failed_when: false check_mode: false @@ -283,7 +283,7 @@ warn_control_id: '7.1.13' block: - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID" - ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs + ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs changed_when: false failed_when: false check_mode: false diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index 47d48f6..2a33f33 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -237,13 +237,13 @@ - users - rule_7.2.8 block: - - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent" + - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent" # noqa risky-file-permissions ansible.builtin.file: path: "{{ item.dir }}" state: directory owner: "{{ item.id }}" group: "{{ item.gid }}" - loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | list }}" + loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', prelim_max_int_uid | int) | list }}" loop_control: label: "{{ item.id }}" diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml index 98cd4b6..36f61cb 100644 --- a/tasks/warning_facts.yml +++ b/tasks/warning_facts.yml @@ -14,7 +14,7 @@ # # warn_count the main variable for the number of warnings and each time a warn_control_id is added # the count increases by a value of 1 -- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." +- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." # noqa name[template] ansible.builtin.set_fact: warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" warn_count: "{{ warn_count | int + 1 }}" diff --git a/vars/audit.yml b/vars/audit.yml index e54deb8..1dc1cf1 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -35,7 +35,7 @@ audit_format: json audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_results: | - The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results}} + The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }} {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %} Full breakdown can be found in {{ audit_log_dir }} From 67df5b77b2633966caf0af79baf5e8c32be3c6b2 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 12:03:54 +0000 Subject: [PATCH 33/42] file updated and moved from templates Signed-off-by: Mark Bolwell --- {files => templates}/fs_with_cves.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {files => templates}/fs_with_cves.sh (100%) diff --git a/files/fs_with_cves.sh b/templates/fs_with_cves.sh similarity index 100% rename from files/fs_with_cves.sh rename to templates/fs_with_cves.sh From 51de8bf7c9931ffc038eb55f5cb70fffa5a693ec Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 12:06:45 +0000 Subject: [PATCH 34/42] update var naming Signed-off-by: Mark Bolwell --- tasks/parse_etc_password.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/parse_etc_password.yml b/tasks/parse_etc_password.yml index 49941bf..337889c 100644 --- a/tasks/parse_etc_password.yml +++ b/tasks/parse_etc_password.yml @@ -8,12 +8,12 @@ ansible.builtin.command: cat /etc/passwd changed_when: false check_mode: false - register: rhel9cis_passwd_file_audit + register: prelim_passwd_file_audit - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries" ansible.builtin.set_fact: - rhel9cis_passwd: "{{ rhel9cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" - loop: "{{ rhel9cis_passwd_file_audit.stdout_lines }}" + rhel9cis_passwd: "{{ prelim_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}" + loop: "{{ prelim_passwd_file_audit.stdout_lines }}" vars: ld_passwd_regex: >- ^(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*):(?P[^:]*) From 148165ad4d578e43054b3174ae9277ca640c109e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 12:32:59 +0000 Subject: [PATCH 35/42] tidy up script as copy not template Signed-off-by: Mark Bolwell --- {templates => files}/fs_with_cves.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) rename {templates => files}/fs_with_cves.sh (98%) diff --git a/templates/fs_with_cves.sh b/files/fs_with_cves.sh similarity index 98% rename from templates/fs_with_cves.sh rename to files/fs_with_cves.sh index a6d937c..a2bc1b7 100644 --- a/templates/fs_with_cves.sh +++ b/files/fs_with_cves.sh @@ -1,4 +1,4 @@ -{% raw %}#! /usr/bin/env bash +#! /usr/bin/env bash # Based on original Script provided by CIS # CVEs correct at time of creation - April2024 @@ -54,4 +54,3 @@ #[ "${#a_output[@]}" -gt 0 ] && printf '%s\n' "" "-- Correctly set: --" "${a_output[@]}" "" fi } -{% endraw %} From 8cbf82bbc9e2c2cf7d2b23b7293870be570d0979 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 12:35:48 +0000 Subject: [PATCH 36/42] improve layout 1.2.1.1 Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.1.x.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index 454fd95..960b495 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml @@ -14,9 +14,8 @@ - rule_1.2.1.1 - NIST800-53R5_SI-2 block: - - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" - ansible.builtin.shell: | - "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" + - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | List installed pubkey keys" + ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" # noqa command-instead-of-module changed_when: false failed_when: false register: discovered_os_installed_pub_keys @@ -29,7 +28,7 @@ register: discovered_os_gpg_key_check when: discovered_os_installed_pub_keys.rc == 0 - - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | expected keys fail" + - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | If expected keys fail" when: - discovered_os_installed_pub_keys.rc == 1 or discovered_os_gpg_key_check.rc == 1 From ae228e3f96ea776627239810e218bfdc8b388eb9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 12:37:40 +0000 Subject: [PATCH 37/42] 5.4.1.5 improvemet Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.1.x.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 732fc5c..72dc50f 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -139,8 +139,7 @@ changed_when: true - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - ansible.builtin.shell: | - "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" + ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" changed_when: false check_mode: false register: discovered_passwdlck_user_list From 6cc43202c85758e65e7cdd41f660d0a42e90b14a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 13:11:39 +0000 Subject: [PATCH 38/42] removed empty line Signed-off-by: Mark Bolwell --- tasks/section_2/cis_2.1.x.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml index fb0351f..eaa0c60 100644 --- a/tasks/section_2/cis_2.1.x.yml +++ b/tasks/section_2/cis_2.1.x.yml @@ -34,7 +34,6 @@ - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use" when: rhel9cis_rule_2_1_2 - tags: - level1-server - level2-workstation From c65e9cabb86dde67aef636be46ea5426f5c89eba Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 Dec 2024 13:39:16 +0000 Subject: [PATCH 39/42] updated mode for line 131 Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index 355c32b..9cca1ec 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml @@ -128,5 +128,5 @@ dest: /etc/systemd/system/tmp.mount owner: root group: root - mode: "go-wx" + mode: 'go-wx' notify: *mount_option_notify From b6fad79a21b531683a5777b5e0a1f5741b23ea0d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 17 Dec 2024 13:42:38 +0000 Subject: [PATCH 40/42] fixed typo in example Signed-off-by: Mark Bolwell --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0a4b4ff..2b6a5fb 100644 --- a/README.md +++ b/README.md @@ -152,8 +152,8 @@ Below is an example of the tag section from a control within this role. Using th ```sh tags: - - level1-server - - level1-workstation + - level1_server + - level1_workstation - scored - avahi - services From 52c1a41434e24c2a6a7ef3757ea61601e0f9c58f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 18 Dec 2024 08:51:13 +0000 Subject: [PATCH 41/42] fixed aide db name Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 816eb11..3f6202b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1055,7 +1055,7 @@ rhel9cis_aide_db_file_age: 1w rhel9cis_aide_db_recreate: false # allows to change db file, not config need to be adjusted too -rhel9cis_aide_db_file: /var/lib/aide/aide.db +rhel9cis_aide_db_file: /var/lib/aide/aide.db.gz ## Control 6.1.2 AIDE cron settings From 5d7bbe67b0eed4dae89aa09542b682fb25551283 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Dec 2024 15:18:27 +0000 Subject: [PATCH 42/42] fix typo in tags Signed-off-by: Mark Bolwell --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 2b6a5fb..745039d 100644 --- a/README.md +++ b/README.md @@ -63,10 +63,10 @@ This role **will make changes to the system** which may have unintended conseque It is possible to to only run level 1 or level 2 controls for CIS. This is managed using tags: -- level1_server -- level1_workstation -- level2_server -- level2_workstation +- level1-server +- level1-workstation +- level2-server +- level2-workstation The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. @@ -152,8 +152,8 @@ Below is an example of the tag section from a control within this role. Using th ```sh tags: - - level1_server - - level1_workstation + - level1-server + - level1-workstation - scored - avahi - services