mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-24 14:23:05 +00:00
358 lines
14 KiB
YAML
358 lines
14 KiB
YAML
---
|
|
|
|
- name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords"
|
|
when:
|
|
- rhel9cis_rule_7_2_1
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- audit
|
|
- rule_7.2.1
|
|
- user_accounts
|
|
- NIST800-53R5_IA-5
|
|
vars:
|
|
warn_control_id: '7.2.1'
|
|
block:
|
|
- name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords"
|
|
ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd
|
|
changed_when: false
|
|
failed_when: false
|
|
register: discovered_nonshadowed_users
|
|
|
|
- name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Warn on findings"
|
|
when: discovered_nonshadowed_users.stdout | length > 0
|
|
ansible.builtin.debug:
|
|
msg:
|
|
- "Warning!! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password"
|
|
- "{{ discovered_nonshadowed_users.stdout_lines }}"
|
|
|
|
- name: "7.2.1 | WARNING | Ensure accounts in /etc/passwd use shadowed passwords | warn_count"
|
|
when: discovered_nonshadowed_users.stdout | length > 0
|
|
ansible.builtin.import_tasks:
|
|
file: warning_facts.yml
|
|
|
|
- name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty"
|
|
when:
|
|
- rhel9cis_rule_7_2_2
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_7.2.2
|
|
- user
|
|
- permissions
|
|
- NIST800-53R5_IA-5
|
|
block:
|
|
- name: "7.2.2 | AUDIT | Ensure /etc/shadow password fields are not empty | Find users with no password"
|
|
ansible.builtin.shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow
|
|
changed_when: false
|
|
check_mode: false
|
|
register: discovered_empty_password_acct
|
|
|
|
- name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty | Lock users with empty password"
|
|
when: discovered_empty_password_acct.stdout | length > 0
|
|
ansible.builtin.user:
|
|
name: "{{ item }}"
|
|
password_lock: true
|
|
loop:
|
|
- "{{ discovered_empty_password_acct.stdout_lines }}"
|
|
|
|
- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
|
|
when:
|
|
- rhel9cis_rule_7_2_3
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- audit
|
|
- rule_7.2.3
|
|
- groups
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
vars:
|
|
warn_control_id: '7.2.3'
|
|
block:
|
|
- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
|
|
ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
|
|
changed_when: false
|
|
failed_when: false
|
|
check_mode: false
|
|
register: discovered_passwd_gid_check
|
|
|
|
- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
|
|
when: discovered_passwd_gid_check.stdout | length > 0
|
|
ansible.builtin.debug:
|
|
msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join(', ') }}"
|
|
|
|
- name: "7.2.3 | WARNING | Ensure all groups in /etc/passwd exist in /etc/group | warn_count"
|
|
when: discovered_passwd_gid_check.stdout | length > 0
|
|
ansible.builtin.import_tasks:
|
|
file: warning_facts.yml
|
|
|
|
- name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist"
|
|
when:
|
|
- rhel9cis_rule_7_2_4
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- audit
|
|
- rule_7.2.4
|
|
- user
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
vars:
|
|
warn_control_id: '7.2.4'
|
|
block:
|
|
- name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
|
|
ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
|
|
changed_when: false
|
|
failed_when: false
|
|
check_mode: false
|
|
register: discovered_user_uid_check
|
|
|
|
- name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
|
|
when: discovered_user_uid_check.stdout | length > 0
|
|
ansible.builtin.debug:
|
|
msg: "Warning!! The following users have UIDs that are duplicates: {{ discovered_user_uid_check.stdout_lines }}"
|
|
|
|
- name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist | Set warning count"
|
|
when: discovered_user_uid_check.stdout | length > 0
|
|
ansible.builtin.import_tasks:
|
|
file: warning_facts.yml
|
|
|
|
- name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist"
|
|
when:
|
|
- rhel9cis_rule_7_2_5
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- audit
|
|
- rule_7.2.5
|
|
- groups
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
vars:
|
|
warn_control_id: '7.2.5'
|
|
block:
|
|
- name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
|
|
ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
|
|
changed_when: false
|
|
failed_when: false
|
|
check_mode: false
|
|
register: discovered_user_gid_check
|
|
|
|
- name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
|
|
when: discovered_user_gid_check.stdout | length > 0
|
|
ansible.builtin.debug:
|
|
msg: "Warning!! The following groups have duplicate GIDs: {{ discovered_user_gid_check.stdout_lines }}"
|
|
|
|
- name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist | Set warning count"
|
|
when: discovered_user_gid_check.stdout | length > 0
|
|
ansible.builtin.import_tasks:
|
|
file: warning_facts.yml
|
|
|
|
- name: "7.2.6 | AUDIT | Ensure no duplicate user names exist"
|
|
vars:
|
|
warn_control_id: '7.2.6'
|
|
when:
|
|
- rhel9cis_rule_7_2_6
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- audit
|
|
- rule_7.2.6
|
|
- user
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
block:
|
|
- name: "7.2.6 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
|
|
ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
|
|
changed_when: false
|
|
failed_when: false
|
|
check_mode: false
|
|
register: discovered_username_check
|
|
|
|
- name: "7.2.6 | WARNING | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
|
|
when: discovered_username_check.stdout | length > 0
|
|
ansible.builtin.debug:
|
|
msg: "Warning!! The following user names are duplicates: {{ discovered_user_username_check.stdout_lines }}"
|
|
|
|
- name: "7.2.6 | WARNING | Ensure no duplicate user names exist | Set warning count"
|
|
when: discovered_username_check.stdout | length > 0
|
|
ansible.builtin.import_tasks:
|
|
file: warning_facts.yml
|
|
|
|
- name: "7.2.7 | AUDIT | Ensure no duplicate group names exist"
|
|
when:
|
|
- rhel9cis_rule_7_2_7
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- audit
|
|
- rule_7.2.7
|
|
- groups
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
vars:
|
|
warn_control_id: '7.2.7'
|
|
block:
|
|
- name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
|
|
ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
|
|
changed_when: false
|
|
failed_when: false
|
|
check_mode: false
|
|
register: discovered_group_check
|
|
|
|
- name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
|
|
when: discovered_group_check.stdout | length > 0
|
|
ansible.builtin.debug:
|
|
msg: "Warning!! The following group names are duplicates: {{ discovered_group_check.stdout_lines }}"
|
|
|
|
- name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Set warning count"
|
|
when: discovered_group_check.stdout | length > 0
|
|
ansible.builtin.import_tasks:
|
|
file: warning_facts.yml
|
|
|
|
- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured"
|
|
when:
|
|
- rhel9cis_rule_7_2_8
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- users
|
|
- rule_7.2.8
|
|
block:
|
|
- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent" # noqa risky-file-permissions
|
|
ansible.builtin.file:
|
|
path: "{{ item.dir }}"
|
|
state: directory
|
|
owner: "{{ item.id }}"
|
|
group: "{{ item.gid }}"
|
|
loop: "{{ prelim_captured_passwd_data | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', prelim_max_int_uid | int) | list }}"
|
|
loop_control:
|
|
label: "{{ item.id }}"
|
|
|
|
# set default ACLs so the homedir has an effective umask of 0027
|
|
- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Set group ACL"
|
|
when: not system_is_container
|
|
ansible.posix.acl:
|
|
path: "{{ item }}"
|
|
default: true
|
|
etype: group
|
|
permissions: rx
|
|
state: present
|
|
loop: "{{ prelim_interactive_users | map(attribute='home') | list }}"
|
|
|
|
- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Set other ACL"
|
|
when: not system_is_container
|
|
ansible.posix.acl:
|
|
path: "{{ item }}"
|
|
default: true
|
|
etype: other
|
|
permissions: 0
|
|
state: present
|
|
loop: "{{ prelim_interactive_users | map(attribute='home') | list }}"
|
|
|
|
- name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured"
|
|
when:
|
|
- rhel9cis_rule_7_2_9
|
|
- rhel9cis_disruption_high
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_7.2.9
|
|
- user
|
|
- NIST800-53R5_CM-1
|
|
- NIST800-53R5_CM-2
|
|
- NIST800-53R5_CM-6
|
|
- NIST800-53R5_CM-7
|
|
- NIST800-53R5_IA-5
|
|
vars:
|
|
warn_control_id: '7.2.9'
|
|
block:
|
|
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured"
|
|
ansible.builtin.shell: find {{ prelim_interactive_users_home.stdout_lines | list | join(' ') }} -name "\.*" -type f
|
|
changed_when: false
|
|
failed_when: discovered_homedir_hidden_files.rc not in [ 0, 1 ]
|
|
check_mode: false
|
|
register: discovered_homedir_hidden_files
|
|
|
|
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found"
|
|
when:
|
|
- discovered_homedir_hidden_files.stdout | length > 0
|
|
- not rhel9cis_dotperm_ansiblemanaged
|
|
ansible.builtin.debug:
|
|
msg:
|
|
- "Warning!! Please investigate that hidden files found in users home directories match control requirements."
|
|
|
|
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Set warning count"
|
|
when:
|
|
- discovered_homedir_hidden_files.stdout | length > 0
|
|
- not rhel9cis_dotperm_ansiblemanaged
|
|
ansible.builtin.import_tasks:
|
|
file: warning_facts.yml
|
|
|
|
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured"
|
|
when:
|
|
- discovered_homedir_hidden_files.stdout | length > 0
|
|
- rhel9cis_dotperm_ansiblemanaged
|
|
block:
|
|
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Changes files if configured .bash_history & .netrc"
|
|
when:
|
|
- discovered_homedir_hidden_files.stdout | length > 0
|
|
- item | basename in ['.bash_history','.netrc']
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
mode: 'u-x,go-rwx'
|
|
failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]'
|
|
register: discovered_dot_bash_history_to_change
|
|
loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"
|
|
|
|
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Changes files if configured file mode"
|
|
ansible.builtin.file:
|
|
path: '{{ item }}'
|
|
mode: 'u-x,go-wx'
|
|
failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]'
|
|
register: discovered_dot_bash_history_to_change
|
|
loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"
|
|
|
|
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Changes files ownerships"
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}"
|
|
group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}"
|
|
failed_when: discovered_dot_bash_history_to_change.state not in '[ file, absent ]'
|
|
register: discovered_dot_bash_history_to_change
|
|
loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"
|
|
|
|
- name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured"
|
|
ansible.builtin.file:
|
|
path: '{{ item }}'
|
|
mode: 'go-w'
|
|
owner: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='uid') | last }}"
|
|
group: "{{ prelim_captured_passwd_data | selectattr('dir', 'in', prelim_interactive_users_home.stdout_lines) | selectattr('dir', 'in', item) | map(attribute='gid') | last }}"
|
|
with_items: "{{ discovered_homedir_hidden_files.stdout_lines }}"
|
|
|
|
- name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | rename .forward or .rhosts files"
|
|
when:
|
|
- item | basename in ['.forward','.rhosts']
|
|
- item is not search ("CIS")
|
|
ansible.builtin.command: "mv {{ item }} {{ item }}_CIS_TOBEREVIEWED"
|
|
changed_when: true
|
|
loop: "{{ discovered_homedir_hidden_files.stdout_lines }}"
|