Merge pull request #303 from ansible-lockdown/feb25_more_updates

Issues resolved enhancements

README.md

@@ -27,6 +27,7 @@
 ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues)
 ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success)
 ![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/RHEL9-CIS?label=Pull%20Requests)
+[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit)
 
 ![License](https://img.shields.io/github/license/ansible-lockdown/RHEL9-CIS?label=License)
 

defaults/main.yml

@@ -923,7 +923,7 @@ rhel9cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf
 # Options are: minclass or credits
 # ensure only one is selected
 rhel9cis_passwd_complex_option: minclass  # pragma: allowlist secret
-rhel9cis_passwd_minclass: 3
+rhel9cis_passwd_minclass: 4
 # rhel9cis_passwd_complex: credits
 rhel9cis_passwd_dcredit: -1
 rhel9cis_passwd_ucredit: -2

handlers/main.yml

@@ -144,6 +144,15 @@
     state: remounted
   listen: "Remount /var/log/audit"
 
+- name: "Remounting /boot/efi"
+  vars:
+    mount_point: '/boot/efi'
+  ansible.posix.mount:
+    path: "{{ mount_point }}"
+    state: remounted
+  notify: Change_requires_reboot
+  listen: "Remount /boot/efi"
+
 - name: Reload sysctl
   ansible.builtin.command: sysctl --system
   changed_when: true

tasks/main.yml

@@ -116,17 +116,11 @@
         fail_msg: "You still have the default name for your authselect profile"
 
     - name: "Check authselect profile is selected | Check current profile"
-      ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}'
+      ansible.builtin.shell: authselect list
       changed_when: false
       failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
       register: prelim_authselect_current_profile
 
-    - name: "Check authselect profile is selected | Ensure profile name is set"
-      ansible.builtin.assert:
-        that: prelim_authselect_current_profile is defined
-        success_msg: "Authselect is running and profile is selected"
-        fail_msg: Authselect updates have been selected there are issues with profile selection"
-
 - name: "Ensure root password is set"
   when: rhel9cis_rule_5_4_2_4
   tags:

tasks/section_1/cis_1.4.x.yml

@@ -29,7 +29,8 @@
     - rule_1.4.2
     - NIST800-53R5_AC-3
   block:
-    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
+    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | bios based system"
+      when: rhel9cis_legacy_boot
       ansible.builtin.file:
         path: "/boot/grub2/{{ item.path }}"
         owner: root
@@ -39,6 +40,31 @@
         modification_time: preserve
         access_time: preserve
       loop:
-        - { path: 'grub.cfg', mode: '0700' }
-        - { path: 'grubenv', mode: 'go-rwx' }
-        - { path: 'user.cfg', mode: 'go-rwx' }
+        - { path: 'grub.cfg', mode: 'u-x,go-rwx' }
+        - { path: 'grubenv', mode: 'u-x,go-rwx' }
+        - { path: 'user.cfg', mode: 'u-x,go-rwx' }
+
+    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system"
+      when: not rhel9cis_legacy_boot
+      vars:
+        efi_mount_options: ['umask=0077', 'fmask=0077', 'uid=0', 'gid=0']
+      block:
+        - name: "1.4.2 | AUDIT | Ensure permissions on bootloader config are configured | efi based system | capture current state"
+          ansible.builtin.shell: grep "^[^#;]" /etc/fstab | grep '/boot/efi' | awk -F" " '{print $4}'
+          changed_when: false
+          register: discovered_efi_fstab
+
+        - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options"
+          when: item not in discovered_efi_fstab.stdout
+          ansible.builtin.set_fact:
+            efi_mount_opts_addition: "{{ efi_mount_opts_addition + ',' + item  }}"
+          loop: "{{ efi_mount_options }}"
+
+        - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Add mount options"
+          when: efi_mount_opts_addition | length > 0
+          ansible.builtin.lineinfile:
+            path: /etc/fstab
+            regexp: (.*/boot/efi\s*\w*\s*){{ discovered_efi_fstab.stdout }}(.*)
+            line: \1{{ discovered_efi_fstab.stdout + efi_mount_opts_addition }}\2
+            backrefs: true
+          notify: Remount /boot/efi

tasks/section_5/cis_5.3.2.x.yml

@@ -14,9 +14,7 @@
     - rule_5.3.2.1
   block:
     - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles"
-      when:
-        - rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or
-          prelim_authselect_current_profile.stdout is not defined
+      when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout
       ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
       changed_when: false
       args:

tasks/section_5/cis_5.4.2.x.yml

@@ -190,7 +190,7 @@
     regexp: \s*umask
     line: "umask {{ rhel9cis_root_umask }}"
     create: true
-    mode: 'u+x,go-rwx'
+    mode: 'u-x,go-rwx'
 
 - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell"
   when:

tasks/section_6/cis_6.2.2.1.x.yml

@@ -17,7 +17,7 @@
     name: systemd-journal-remote
     state: present
 
-- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-remote authentication is configured"
+- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-upload authentication is configured"
   when:
     - rhel9cis_rule_6_2_2_1_2
     - not rhel9cis_system_is_log_server
@@ -40,7 +40,7 @@
     - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'}
     - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'}
 
-- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled and active"
+- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-upload is enabled and active"
   when:
     - not rhel9cis_system_is_log_server
     - rhel9cis_rule_6_2_2_1_3

tasks/section_6/cis_6.2.4.1.yml

@@ -8,6 +8,8 @@
     - patch
     - logfiles
     - rule_6.2.4.1
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
   block:
     - name: "6.2.4.1 | AUDIT | Ensure access to all logfiles has been configured | find log files"
       ansible.builtin.shell: find /var/log/ -type f -exec ls {} \;
@@ -15,43 +17,35 @@
       failed_when: false
       register: discovered_logfiles
 
-    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
+    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions SSSD min 660"
       when:
         - discovered_logfiles.stdout_lines | length > 0
-        - ('audit.log' in item or 'journal' in item) or
-          item == '/var/log/secure' or
-          item == '/var/log/syslog' or
-          item == '/var/log/messages' or
-          item == '/var/log/auth.log'
+        - item is match("/var/log/(gdm|sssd)")
       ansible.builtin.file:
         path: "{{ item }}"
-        mode: 'u-x,g-wx,o-rwx'
+        mode: 'ug-x,o-rwx'
       failed_when: discovered_logfile_list.state not in '[ file, absent ]'
       register: discovered_logfile_list
       loop: "{{ discovered_logfiles.stdout_lines }}"
 
-    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
+    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions tmp min 664"
       when:
         - discovered_logfiles.stdout_lines | length > 0
-        - ('anaconda' in item or 'dnf' in item or 'secure' in item  or 'messages' in item or 'hawkey' in item)
-      ansible.builtin.file:
-        path: "{{ item }}"
-        mode: 'u-x,g-x,o-rwx'
-      failed_when: discovered_logfile_list.state not in '[ file, absent ]'
-      register: discovered_logfile_list
-      loop: "{{ discovered_logfiles.stdout_lines }}"
-
-    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
-      when:
-        - discovered_logfiles.stdout_lines | length > 0
-        - ('sssd' in item or 'lastlog' in item) or
-          item == "/var/log/btmp" or
-          item == "/var/log/utmp" or
-          item == "/var/log/wtmp" or
-          item == "/var/log/lastlog"
+        - item is match("/var/log/((u|b|w)tmp*|lastlog)")
       ansible.builtin.file:
         path: "{{ item }}"
         mode: 'ug-x,o-wx'
       failed_when: discovered_logfile_list.state not in '[ file, absent ]'
       register: discovered_logfile_list
       loop: "{{ discovered_logfiles.stdout_lines }}"
+
+    - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions else all 640"
+      when:
+        - discovered_logfiles.stdout_lines | length > 0
+        - item is not match("/var/log/((u|b|w)tmp*|lastlog|sssd)")
+      ansible.builtin.file:
+        path: "{{ item }}"
+        mode: 'u-x,g-wx,o-rwx'
+      failed_when: discovered_logfile_list.state not in '[ file, absent ]'
+      register: discovered_logfile_list
+      loop: "{{ discovered_logfiles.stdout_lines }}"

tasks/section_7/cis_7.1.x.yml

@@ -169,6 +169,8 @@
     owner: root
     group: root
     mode: 'u-x,go-wx'
+  failed_when: discovered_file_exists.state not in '[ file, absent ]'
+  register: discovered_file_exists
 
 - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured"
   when:

templates/audit/99_auditd.rules.j2

@@ -23,6 +23,7 @@
 -w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file
 {% endif %}
 {% if rhel9cis_rule_6_3_3_4 %}
+{% set syscalls = ["adjtimex","settimeofday"]  %}
 {% set arch_syscalls = [] %}
 {% for syscall in syscalls  %}
 {% if syscall in supported_syscalls %}
@@ -31,6 +32,15 @@
 {% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
+{% set syscalls = ["clock_settime"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls  %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append(syscall) }}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
+{% endif %}
+{% endfor %}
 -w /etc/localtime -p wa -k time-change
 {% endif %}
 {% if rhel9cis_rule_6_3_3_5 %}
@@ -41,8 +51,8 @@
 {{ arch_syscalls.append(syscall) }}
 {% endif %}
 {% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }}  -k system-locale
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }}  -k system-locale
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
@@ -169,7 +179,7 @@
 -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_6_3_3_17 %}
--a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k priv_chng
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_6_3_3_18 %}
 -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod

vars/main.yml

@@ -22,6 +22,9 @@ rhel9cis_allowed_crypto_policies_modules:
 warn_control_list: ""
 warn_count: 0
 
+# Default empty values for 1.4.2
+efi_mount_opts_addition: ''
+
 gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
 
 ## Controls 6.3.3.x - Audit template