ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 22:23:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

April_24 updates (#201)

Browse source 
* Issue #170, PR #181 thanks to @ipruteanu-sie

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* issue #182, PR #183 thansk to @ipruteanu-sie

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* PR #180 thanks to @ipruteanu-sie and @raabf

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Addressed PR #165 thanks to @ipruteanu-sie

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* PT #184 addressed thansk to @ipruteanu-sie

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated credits

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* typo and ssh allow_deny comments

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* enable OS check

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* PR - #198 addressed thanks to @brakkio86

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Addressed issue #190

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Additional vars for issue #190

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated pre-commit version

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* consistent quotes around mode

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* moved audit added discoveries

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* removed unneeded vars

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* audit moved to prelim

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* tidy up

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* improved new variable usage

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fixed logic 6.2.10

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* addressed #197 thanks to @mark-tomich

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updates for audit section

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fixed naming

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* added prelim to includes

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

---------

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
uk-bolly 2024-04-15 14:02:07 +01:00 committed by GitHub
parent e87d637eb2
commit f8fcfe0e78
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
12 changed files with 250 additions and 195 deletions
Download patch file Download diff file Expand all files Collapse all files

17
tasks/main.yml
View file

@ -151,23 +151,6 @@
- prelim_tasks
- always
- name: Include audit specific variables
when:
- run_audit or audit_only
- setup_audit
tags:
- setup_audit
- run_audit
ansible.builtin.include_vars: audit.yml
- name: Include pre-remediation audit tasks
when:
- run_audit or audit_only
- setup_audit
tags:
- run_audit
ansible.builtin.import_tasks: pre_remediation_audit.yml
- name: Run Section 1 tasks
ansible.builtin.import_tasks:
file: section_1/main.yml

10
tasks/post_remediation_audit.yml
View file

@ -1,11 +1,11 @@
---
- name: Post Audit | Run post_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
AUDIT_FILE: goss.yml
- name: Post Audit | ensure audit files readable by users
@ -22,13 +22,13 @@
- audit_format == "json"
block:
- name: capture data {{ post_audit_outfile }}
ansible.builtin.shell: cat {{ post_audit_outfile }}
ansible.builtin.shell: "cat {{ post_audit_outfile }}"
register: post_audit
changed_when: false
- name: Capture post-audit result
ansible.builtin.set_fact:
post_audit_summary: "{{ post_audit.stdout | from_json | community.general.json_query(summary) }}"
post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
vars:
summary: summary."summary-line"
@ -37,7 +37,7 @@
- audit_format == "documentation"
block:
- name: Post Audit | capture data {{ post_audit_outfile }}
ansible.builtin.shell: tail -2 {{ post_audit_outfile }}
ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
register: post_audit
changed_when: false

35
tasks/pre_remediation_audit.yml
View file

@ -5,7 +5,8 @@
- setup_audit
tags:
- setup_audit
ansible.builtin.include_tasks: LE_audit_setup.yml
ansible.builtin.include_tasks:
file: LE_audit_setup.yml
- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists
ansible.builtin.file:
@ -32,23 +33,25 @@
when:
- audit_content == 'copy'
ansible.builtin.copy:
src: "{{ audit_conf_copy }}"
dest: "{{ audit_conf_dir }}"
src: "{{ audit_conf_source }}"
dest: "{{ audit_conf_dest }}"
mode: preserve
- name: Pre Audit Setup | Unarchive audit content files on server
when:
- audit_content == 'archived'
- audit_content == 'archive'
ansible.builtin.unarchive:
src: "{{ audit_conf_copy }}"
dest: "{{ audit_conf_dir }}"
src: "{{ audit_conf_source }}"
dest: "{{ audit_conf_dest }}"
- name: Pre Audit Setup | Get audit content from url
when:
- audit_content == 'get_url'
ansible.builtin.get_url:
url: "{{ audit_files_url }}"
dest: "{{ audit_conf_dir }}"
ansible.builtin.unarchive:
src: "{{ audit_conf_source }}"
dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}"
extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}"
- name: Pre Audit Setup | Check Goss is available
when:
@ -77,25 +80,25 @@
mode: '0600'
- name: Pre Audit | Run pre_remediation {{ benchmark }} audit
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
changed_when: true
environment:
AUDIT_BIN: "{{ audit_bin }}"
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}"
AUDIT_FILE: goss.yml
- name: Pre Audit | Capture audit data if json format
when:
- audit_format == "json"
block:
- name: capture data {{ pre_audit_outfile }}
ansible.builtin.shell: cat {{ pre_audit_outfile }}
- name: Pre Audit | Capture data {{ pre_audit_outfile }}
ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
register: pre_audit
changed_when: false
- name: Pre Audit | Capture pre-audit result
ansible.builtin.set_fact:
pre_audit_summary: "{{ pre_audit.stdout | from_json | community.general.json_query(summary) }}"
pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
vars:
summary: summary."summary-line"
@ -103,8 +106,8 @@
when:
- audit_format == "documentation"
block:
- name: Pre Audit | capture data {{ pre_audit_outfile }} | documentation format
ansible.builtin.shell: tail -2 {{ pre_audit_outfile }}
- name: Pre Audit | Capture data {{ pre_audit_outfile }} | documentation format
ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
register: pre_audit
changed_when: false

67
tasks/prelim.yml
View file

@ -2,6 +2,54 @@
# Preliminary tasks that should always be run
# List users in order to look files inside each home directory
- name: PRELIM | Include audit specific variables
when:
- run_audit or audit_only
- setup_audit
tags:
- setup_audit
- run_audit
ansible.builtin.include_vars: audit.yml
- name: PRELIM | Include pre-remediation audit tasks
when:
- run_audit or audit_only
- setup_audit
tags:
- run_audit
ansible.builtin.import_tasks: pre_remediation_audit.yml
- name: "PRELIM | AUDIT | Interactive Users"
tags:
- always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $1 }'
changed_when: false
register: discovered_interactive_usernames
- name: "PRELIM | AUDIT | Interactive User accounts home directories"
tags:
- always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }'
changed_when: false
register: discovered_interactive_users_home
- name: "PRELIM | AUDIT | Interactive UIDs"
tags:
- always
ansible.builtin.shell: >
grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }'
changed_when: false
register: discovered_interactive_uids
- name: "PRELIM | capture /etc/password variables"
ansible.builtin.include_tasks:
file: parse_etc_password.yml
tags:
- always
- name: "PRELIM | List users accounts"
ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd"
changed_when: false
@ -12,25 +60,6 @@
- level1-workstation
- users
- name: "PRELIM | capture /etc/password variables"
ansible.builtin.include_tasks: parse_etc_password.yml
tags:
- rule_5.5.2
- rule_5.6.2
- rule_6.2.9
- rule_6.2.10
- rule_6.2.11
- rhel9cis_section5
- rhel9cis_section6
- level1-server
- name: "PRELIM | Interactive User accounts"
ansible.builtin.shell: 'cat /etc/passwd | grep -Ev "nologin|/sbin" | cut -d: -f6'
changed_when: false
register: interactive_users_home
tags:
- always
- name: "PRELIM | Gather accounts with empty password fields"
ansible.builtin.shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'"
changed_when: false

20
tasks/section_1/cis_1.3.x.yml
View file

@ -9,14 +9,14 @@
- name: "1.3.1 | PATCH | Ensure AIDE is installed | Build AIDE DB"
ansible.builtin.shell: /usr/sbin/aide --init
changed_when: false
failed_when: false
async: 45
poll: 0
args:
creates: /var/lib/aide/aide.db.new.gz
when: not ansible_check_mode
- name: "1.3.1 | PATCH | Ensure AIDE is installed | Wait for file before continuing"
ansible.builtin.wait_for:
path: /var/lib/aide/aide.db.new.gz
- name: "1.3.1 | PATCH | Ensure AIDE is installed | copy AIDE DB"
ansible.builtin.copy:
src: /var/lib/aide/aide.db.new.gz
@ -59,12 +59,12 @@
path: /etc/aide.conf
marker: "# {mark} Audit tools - CIS benchmark - Ansible-lockdown"
block: |
/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
validate: aide -D --config %s
when:
- rhel9cis_rule_1_3_3

2
tasks/section_3/cis_3.1.x.yml
View file

@ -60,7 +60,7 @@
ansible.builtin.template:
src: "etc/modprobe.d/modprobe.conf.j2"
dest: "/etc/modprobe.d/{{ item }}.conf"
mode: "0600"
mode: '0600'
owner: root
group: root
loop:

76
tasks/section_5/cis_5.6.1.x.yml
View file

@ -1,10 +1,28 @@
---
- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MAX_DAYS'
line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
block:
- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MAX_DAYS'
line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
- name: "5.6.1.1 | AUDIT | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS"
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass['max_days'] }} || $5< {{ rhel9cis_pass['max_days'] }} || $5 == -1)){print $1}' /etc/shadow"
changed_when: false
failed_when: false
register: discovered_max_days
- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
ansible.builtin.user:
name: "{{ item }}"
password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
loop: "{{ discovered_max_days.stdout_lines }}"
when:
- discovered_max_days.stdout_lines | length > 0
- item in discovered_interactive_usernames.stdout
- rhel9cis_force_user_maxdays
when:
- rhel9cis_rule_5_6_1_1
tags:
@ -15,10 +33,28 @@
- rule_5.6.1.1
- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MIN_DAYS'
line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
block:
- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is configured | set login.defs"
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_MIN_DAYS'
line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
- name: "5.6.1.2 | AUDIT | Ensure minimum days between password changes is configured | Get existing users PASS_MIN_DAYS"
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass['min_days'] }} {print $1}' /etc/shadow"
changed_when: false
failed_when: false
register: discovered_min_days
- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS"
ansible.builtin.user:
name: "{{ item }}"
password_expire_max: "{{ rhel9cis_pass['min_days'] }}"
loop: "{{ discovered_min_days.stdout_lines }}"
when:
- discovered_min_days.stdout_lines | length > 0
- item in discovered_interactive_usernames.stdout
- rhel9cis_force_user_mindays
when:
- rhel9cis_rule_5_6_1_2
tags:
@ -29,10 +65,26 @@
- rule_5.6.1.2
- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_WARN_AGE'
line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
block:
- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | set login.defs"
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: '^PASS_WARN_AGE'
line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
- name: "5.6.1.3 | AUDIT | Ensure password expiration warning days is 7 or more | Get existing users WARN_DAYS"
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass['warn_age'] }} {print $1}' /etc/shadow"
changed_when: false
failed_when: false
register: discovered_warn_days
- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users WARN_DAYS"
ansible.builtin.shell: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
loop: "{{ discovered_warn_days.stdout_lines }}"
when:
- discovered_warn_days.stdout_lines | length > 0
- item in discovered_interactive_usernames.stdout
- rhel9cis_force_user_warnage
when:
- rhel9cis_rule_5_6_1_3
tags:

27
tasks/section_6/cis_6.2.x.yml
View file

@ -235,7 +235,7 @@
state: directory
owner: root
group: root
mode: "0755"
mode: '0755'
follow: false
loop: "{{ root_path_perms.results }}"
loop_control:
@ -278,7 +278,7 @@
owner: "{{ item.id }}"
group: "{{ item.gid }}"
register: rhel_09_6_2_10_home_dir
loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}"
loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}"
loop_control:
label: "{{ item.id }}"
@ -290,7 +290,7 @@
etype: group
permissions: rx
state: present
loop: "{{ interactive_users_home.stdout_lines }}"
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
when: not system_is_container
- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist | Set other ACL"
@ -300,7 +300,7 @@
etype: other
permissions: 0
state: present
loop: "{{ interactive_users_home.stdout_lines }}"
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
when: not system_is_container
when:
- rhel9cis_rule_6_2_10
@ -320,10 +320,7 @@
loop_control:
label: "{{ item.id }}"
when:
- item.uid >= min_int_uid | int
- item.id != 'nobody'
- (item.id != 'tss' and item.dir != '/dev/null')
- item.shell != '/sbin/nologin'
- item.id in discovered_interactive_usernames.stdout
- rhel9cis_rule_6_2_11
tags:
- level1-server
@ -338,13 +335,13 @@
ansible.builtin.stat:
path: "{{ item }}"
register: rhel_09_6_2_12_home_dir_perms
loop: "{{ interactive_users_home.stdout_lines }}"
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | amend if needed"
ansible.builtin.file:
path: "{{ item.stat.path }}"
state: directory
mode: "0750"
mode: '0750'
loop: "{{ rhel_09_6_2_12_home_dir_perms.results }}"
loop_control:
label: "{{ item }}"
@ -359,7 +356,7 @@
etype: group
permissions: rx
state: present
loop: "{{ interactive_users_home.stdout_lines }}"
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
when: not system_is_container
- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive | Set other ACL"
@ -369,7 +366,7 @@
etype: other
permissions: 0
state: present
loop: "{{ interactive_users_home.stdout_lines }}"
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
when: not system_is_container
when:
- rhel9cis_rule_6_2_12
@ -385,7 +382,7 @@
ansible.builtin.file:
path: "{{ item }}/.netrc"
state: absent
loop: "{{ interactive_users_home.stdout_lines }}"
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
when:
- rhel9cis_rule_6_2_13
tags:
@ -400,7 +397,7 @@
ansible.builtin.file:
path: "{{ item }}/.forward"
state: absent
loop: "{{ interactive_users_home.stdout_lines }}"
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
when:
- rhel9cis_rule_6_2_14
tags:
@ -415,7 +412,7 @@
ansible.builtin.file:
path: "~{{ item }}/.rhosts"
state: absent
loop: "{{ interactive_users_home.stdout_lines }}"
loop: "{{ discovered_interactive_users_home.stdout_lines }}"
when:
- rhel9cis_rule_6_2_15
tags: