mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-24 22:23:06 +00:00
f8fcfe0e78
* Issue #170, PR #181 thanks to @ipruteanu-sie Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * issue #182, PR #183 thansk to @ipruteanu-sie Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * PR #180 thanks to @ipruteanu-sie and @raabf Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Addressed PR #165 thanks to @ipruteanu-sie Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * PT #184 addressed thansk to @ipruteanu-sie Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated credits Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * typo and ssh allow_deny comments Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * enable OS check Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * PR - #198 addressed thanks to @brakkio86 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Addressed issue #190 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * Additional vars for issue #190 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated pre-commit version Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * consistent quotes around mode Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * moved audit added discoveries Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * removed unneeded vars Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * audit moved to prelim Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * tidy up Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * improved new variable usage Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed logic 6.2.10 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * addressed #197 thanks to @mark-tomich Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updates for audit section Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * fixed naming Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * updated Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> * added prelim to includes Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
172 lines
7.5 KiB
YAML
172 lines
7.5 KiB
YAML
---
|
|
|
|
- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
|
|
block:
|
|
- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/login.defs
|
|
regexp: '^PASS_MAX_DAYS'
|
|
line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
|
|
|
|
- name: "5.6.1.1 | AUDIT | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS"
|
|
ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass['max_days'] }} || $5< {{ rhel9cis_pass['max_days'] }} || $5 == -1)){print $1}' /etc/shadow"
|
|
changed_when: false
|
|
failed_when: false
|
|
register: discovered_max_days
|
|
|
|
- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
|
|
ansible.builtin.user:
|
|
name: "{{ item }}"
|
|
password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
|
|
loop: "{{ discovered_max_days.stdout_lines }}"
|
|
when:
|
|
- discovered_max_days.stdout_lines | length > 0
|
|
- item in discovered_interactive_usernames.stdout
|
|
- rhel9cis_force_user_maxdays
|
|
when:
|
|
- rhel9cis_rule_5_6_1_1
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- password
|
|
- rule_5.6.1.1
|
|
|
|
- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
|
|
block:
|
|
- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is configured | set login.defs"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/login.defs
|
|
regexp: '^PASS_MIN_DAYS'
|
|
line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
|
|
|
|
- name: "5.6.1.2 | AUDIT | Ensure minimum days between password changes is configured | Get existing users PASS_MIN_DAYS"
|
|
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass['min_days'] }} {print $1}' /etc/shadow"
|
|
changed_when: false
|
|
failed_when: false
|
|
register: discovered_min_days
|
|
|
|
- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS"
|
|
ansible.builtin.user:
|
|
name: "{{ item }}"
|
|
password_expire_max: "{{ rhel9cis_pass['min_days'] }}"
|
|
loop: "{{ discovered_min_days.stdout_lines }}"
|
|
when:
|
|
- discovered_min_days.stdout_lines | length > 0
|
|
- item in discovered_interactive_usernames.stdout
|
|
- rhel9cis_force_user_mindays
|
|
when:
|
|
- rhel9cis_rule_5_6_1_2
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- password
|
|
- rule_5.6.1.2
|
|
|
|
- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
|
|
block:
|
|
- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | set login.defs"
|
|
ansible.builtin.lineinfile:
|
|
path: /etc/login.defs
|
|
regexp: '^PASS_WARN_AGE'
|
|
line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
|
|
|
|
- name: "5.6.1.3 | AUDIT | Ensure password expiration warning days is 7 or more | Get existing users WARN_DAYS"
|
|
ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass['warn_age'] }} {print $1}' /etc/shadow"
|
|
changed_when: false
|
|
failed_when: false
|
|
register: discovered_warn_days
|
|
|
|
- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users WARN_DAYS"
|
|
ansible.builtin.shell: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
|
|
loop: "{{ discovered_warn_days.stdout_lines }}"
|
|
when:
|
|
- discovered_warn_days.stdout_lines | length > 0
|
|
- item in discovered_interactive_usernames.stdout
|
|
- rhel9cis_force_user_warnage
|
|
when:
|
|
- rhel9cis_rule_5_6_1_3
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- password
|
|
- rule_5.6.1.3
|
|
|
|
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less"
|
|
block:
|
|
- name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings"
|
|
ansible.builtin.shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
|
|
changed_when: false
|
|
failed_when: false
|
|
check_mode: false
|
|
register: rhel9cis_5_6_1_4_inactive_settings
|
|
|
|
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
|
|
ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
|
|
when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0
|
|
|
|
- name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
|
|
ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
|
|
changed_when: false
|
|
check_mode: false
|
|
register: rhel9cis_5_6_1_4_user_list
|
|
|
|
- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
|
|
ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
|
|
loop: "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}"
|
|
when:
|
|
- rhel9cis_rule_5_6_1_4
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- password
|
|
- rule_5.6.1.4
|
|
|
|
- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past"
|
|
block:
|
|
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time"
|
|
ansible.builtin.shell: echo $(($(date --utc --date "$1" +%s)/86400))
|
|
changed_when: false
|
|
failed_when: false
|
|
check_mode: false
|
|
register: rhel9cis_5_6_1_5_currentut
|
|
|
|
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
|
|
ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'"
|
|
changed_when: false
|
|
failed_when: false
|
|
check_mode: false
|
|
register: rhel9cis_5_6_1_5_user_list
|
|
|
|
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
|
|
ansible.builtin.debug:
|
|
msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
|
|
when:
|
|
- rhel9cis_5_6_1_5_user_list.stdout | length > 0
|
|
- not rhel9cis_futurepwchgdate_autofix
|
|
|
|
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count"
|
|
ansible.builtin.import_tasks:
|
|
file: warning_facts.yml
|
|
when:
|
|
- rhel9cis_5_6_1_5_user_list.stdout | length > 0
|
|
- not rhel9cis_futurepwchgdate_autofix
|
|
|
|
- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
|
|
ansible.builtin.shell: passwd --expire {{ item }}
|
|
when:
|
|
- rhel9cis_5_6_1_5_user_list.stdout | length > 0
|
|
- rhel9cis_futurepwchgdate_autofix
|
|
loop: "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
|
|
vars:
|
|
warn_control_id: '5.6.1.5'
|
|
when:
|
|
- rhel9cis_rule_5_6_1_5
|
|
tags:
|
|
- level1-server
|
|
- level1-workstation
|
|
- patch
|
|
- rule_5.6.1.5
|