ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-25 14:43:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
RHEL9-CIS/tasks/section_6/cis_6.2.x.yml
Mark Bolwell 0c460d4b70
updated task 6.2.8 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-26 08:31:12 +00:00

493 lines
18 KiB
YAML
Raw Blame History

---
- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords"
block:
- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | discover"
ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd
changed_when: false
register: shadow_passwd
- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Output"
ansible.builtin.debug:
msg: |
- "Warning!! Below are the accounts that do not have shadowed passwords set"
- "{{ shadow_passwd.stdout_line }}"
when: shadow_passwd.stdout | length > 0
- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.2.1'
when: shadow_passwd.stdout | length >= 1
when:
- rhel9cis_rule_6_2_1
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_6.2.1
- name: "6.2.2 | PATCH | Ensure password fields are not empty"
ansible.builtin.shell: passwd -l {{ item }}
changed_when: false
failed_when: false
loop: "{{ empty_password_accounts.stdout_lines }}"
when:
- empty_password_accounts.rc
- rhel9cis_rule_6_2_2
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_6.2.2
- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
block:
- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_6_2_3_passwd_gid_check
- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
ansible.builtin.debug:
msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_3_passwd_gid_check.stdout_lines | join (', ') }}"
when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1
- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.2.3'
when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1
when:
- rhel9cis_rule_6_2_3
tags:
- level1-server
- level1-workstation
- audit
- accounts
- groups
- rule_6.2.2
- name: "6.2.4 | AUDIT Ensure no duplicate UIDs exist"
block:
- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
changed_when: false
failed_when: false
register: rhel9cis_6_2_4_user_uid_check
- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
ansible.builtin.debug:
msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}"
when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1
- name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count"
ansible.builtin.import_tasks: warning_facts.yml
when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1
vars:
warn_control_id: '6.2.4'
when:
- rhel9cis_rule_6_2_4
tags:
- level1-server
- level1-workstation
- audit
- accounts
- users
- rule_6.2.4
- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist"
block:
- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
changed_when: false
failed_when: false
register: rhel9cis_6_2_5_user_user_check
- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
ansible.builtin.debug:
msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_5_user_user_check.stdout_lines }}"
when: rhel9cis_6_2_5_user_user_check.stdout | length >= 1
- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.2.5'
when: rhel9cis_6_2_5_user_user_check.stdout_lines | length >= 1
when:
- rhel9cis_rule_6_2_5
tags:
- level1-server
- level1-workstation
- audit
- accounts
- groups
- rule_6.2.5
- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist"
block:
- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
changed_when: false
failed_when: false
register: rhel9cis_6_2_6_user_username_check
- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
ansible.builtin.debug:
msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_6_user_username_check.stdout_lines }}"
when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1
- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.2.6'
when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1
when:
- rhel9cis_rule_6_2_6
tags:
- level1-server
- level1-workstation
- audit
- accounts
- users
- rule_6.2.6
- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist"
block:
- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_6_2_7_group_group_check
- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
ansible.builtin.debug:
msg: "Warning!! The following group names are duplicates: {{ rhel9cis_6_2_7_group_group_check.stdout_lines }}"
when: rhel9cis_6_2_7_group_group_check.stdout is not defined
- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.2.7'
when: rhel9cis_6_2_7_group_group_check.stdout is not defined
when:
- rhel9cis_rule_6_2_7
tags:
- level1-server
- level1-workstation
- audit
- accounts
- groups
- rule_6.2.7
- name: "6.2.8 | PATCH | Ensure root PATH Integrity"
block:
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Get root paths"
ansible.builtin.shell: sudo -Hiu root env | grep '^PATH' | cut -d= -f2
changed_when: false
register: rhel9cis_6_2_8_root_paths
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Set fact"
ansible.builtin.set_fact:
root_paths: "{{ rhel9cis_6_2_8_root_paths.stdout }}"
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for empty dirs"
ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"'
changed_when: false
failed_when: root_path_empty_dir.rc not in [ 0, 1 ]
register: root_path_empty_dir
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for trailing ':'"
ansible.builtin.shell: '{{ root_paths }} | cut -d= -f2 | grep -q ":$" && echo "roots path contains a trailing (:)"'
changed_when: false
failed_when: root_path_trailing_colon.rc not in [ 0, 1 ]
register: root_path_trailing_colon
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions"
block:
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions"
ansible.builtin.stat:
path: "{{ item }}"
register: root_path_perms
loop: "{{ root_paths | split(':') }}"
- ansible.builtin.debug:
msg: "{{ root_path_perms.results }}"
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Check for owner and permissions"
ansible.builtin.file:
path: "{{ item.stat.path }}"
state: directory
owner: root
group: root
mode: 0755
follow: true
loop: "{{ root_path_perms.results }}"
loop_control:
label: "{{ item.stat }}"
when:
- item.stat.pw_name != 'root' or
item.stat.gr_name != 'root' or
item.stat.woth or
item.stat.wgrp
when:
- rhel9cis_rule_6_2_8
tags:
- level1-server
- level1-workstation
- patch
- paths
- rule_6.2.8
- name: "6.2.9 | PATCH | Ensure root is the only UID 0 account"
ansible.builtin.shell: passwd -l {{ item }}
changed_when: false
failed_when: false
loop: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}"
when:
- rhel9cis_uid_zero_accounts_except_root.rc
- rhel9cis_rule_6_2_9
tags:
- level1-server
- level1-workstation
- patch
- accounts
- users
- rule_6.2.9
- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist"
block:
- name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist"
ansible.builtin.stat:
path: "{{ item }}"
register: rhel_09_6_2_10_audit
loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}"
- name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist"
ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027
check_mode: false
changed_when: rhel_09_6_2_10_patch_audit.stdout | length > 0
register: rhel_09_6_2_10_patch_audit
with_together:
- "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}"
- "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}"
loop_control:
label: "{{ item.0 }}"
when:
- ansible_check_mode
- item.1.exists
- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist"
ansible.builtin.file:
path: "{{ item.0 }}"
recurse: true
mode: a-st,g-w,o-rwx
register: rhel_09_6_2_10_patch
with_together:
- "{{ rhel_09_6_2_10_audit.results | map(attribute='item') | list }}"
- "{{ rhel_09_6_2_10_audit.results | map(attribute='stat') | list }}"
loop_control:
label: "{{ item.0 }}"
when:
- not ansible_check_mode
- item.1.exists
# set default ACLs so the homedir has an effective umask of 0027
- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist"
ansible.posix.acl:
path: "{{ item.0 }}"
default: true
state: present
recursive: true
etype: "{{ item.1.etype }}"
permissions: "{{ item.1.mode }}"
with_nested:
- "{{ (ansible_check_mode | ternary(rhel_09_6_2_10_patch_audit, rhel_09_6_2_10_patch)).results |
rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
-
- etype: group
mode: rx
- etype: other
mode: '0'
when:
- not system_is_container
when:
- rhel9cis_rule_6_2_10
tags:
- level1-server
- level1-workstation
- patch
- users
- rule_6.2.10
- name: "6.2.11 | PATCH | Ensure local interactive users own their home directories"
ansible.builtin.file:
path: "{{ item.dir }}"
owner: "{{ item.id }}"
state: directory
loop: "{{ rhel9cis_passwd }}"
loop_control:
label: "{{ rhel9cis_passwd_label }}"
when:
- item.uid >= min_int_uid | int
- item.id != 'nobody'
- (item.id != 'tss' and item.dir != '/dev/null')
- item.shell != '/sbin/nologin'
- rhel9cis_rule_6_2_11
tags:
- level1-server
- level1-workstation
- patch
- users
- rule_6.2.11
- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive"
block:
- name: "6.2.12 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive"
ansible.builtin.stat:
path: "{{ item }}"
loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}"
register: rhel_09_6_2_12_audit
- name: "6.2.12 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027
check_mode: false
changed_when: rhel_09_6_2_12_patch_audit.stdout | length > 0
register: rhel_09_6_2_12_patch_audit
with_together:
- "{{ rhel_09_6_2_12_audit.results | map(attribute='item') | list }}"
- "{{ rhel_09_6_2_12_audit.results | map(attribute='stat') | list }}"
loop_control:
label: "{{ item.0 }}"
when:
- ansible_check_mode
- item.1.exists
- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive"
ansible.builtin.file:
path: "{{ item.0 }}"
recurse: true
mode: a-st,g-w,o-rwx
register: rhel_09_6_2_12_patch
with_together:
- "{{ rhel_09_6_2_12_audit.results | map(attribute='item') | list }}"
- "{{ rhel_09_6_2_12_audit.results | map(attribute='stat') | list }}"
loop_control:
label: "{{ item.0 }}"
when:
- not ansible_check_mode
- item.1.exists
# set default ACLs so the homedir has an effective umask of 0027
- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive"
ansible.posix.acl:
path: "{{ item.0 }}"
default: true
state: present
recursive: true
etype: "{{ item.1.etype }}"
permissions: "{{ item.1.mode }}"
with_nested:
- "{{ (ansible_check_mode | ternary(rhel_09_6_2_12_patch_audit, rhel_09_6_2_12_patch)).results |
rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
-
- etype: group
mode: rx
- etype: other
mode: '0'
when:
- not system_is_container
when:
- rhel9cis_rule_6_2_12
tags:
- level1-server
- level1-workstation
- patch
- users
- permissions
- rule_6.2.12
- name: "6.2.13 | PATCH | Ensure no local interactive user has .netrc files"
ansible.builtin.file:
path: "{{ item }}/.netrc"
state: absent
loop: "{{ interactive_users_home.stdout_lines }}"
when:
- rhel9cis_rule_6_2_13
tags:
- level1-server
- level1-workstation
- patch
- users
- permissions
- rule_6.2.13
- name: "6.2.14 | PATCH | Ensure no local interactive user has .forward files"
ansible.builtin.file:
path: "{{ item }}/.forward"
state: absent
loop: "{{ interactive_users_home.stdout_lines }}"
when:
- rhel9cis_rule_6_2_14
tags:
- level1-server
- level1-workstation
- patch
- users
- files
- rule_6.2.14
- name: "6.2.15 | PATCH | Ensure no local interactive user has .rhosts files"
ansible.builtin.file:
path: "~{{ item }}/.rhosts"
state: absent
loop: "{{ interactive_users_home.stdout_lines }}"
when:
- rhel9cis_rule_6_2_15
tags:
- level1-server
- level1-workstation
- patch
- users
- files
- rule_6.2.15
- name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable"
block:
- name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Check for files"
ansible.builtin.find:
path: /home
depth: 3
patterns: ".*"
hidden: true
recurse: true
file_type: file
register: user_dot_files
- name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | update permissions"
ansible.builtin.file:
path: "{{ item.path }}"
mode: go-w
loop: "{{ user_dot_files.files }}"
loop_control:
label: "{{ item.path }}"
when:
- rhel9cis_rule_6_2_16
tags:
- level1-server
- level1-workstation
- patch
- users
- permissions
- rule_6.2.16
Reference in a new issue View git blame Copy permalink