2022-01-07 09:06:18 +00:00
|
|
|
---
|
|
|
|
|
|
2024-07-24 14:00:45 +01:00
|
|
|
- name: "5.2.1 | PATCH | Ensure sudo is installed"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_2_1
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
|
|
|
|
- sudo
|
|
|
|
|
- rule_5.2.1
|
|
|
|
|
- NIST800-53R5_AC-6
|
|
|
|
|
ansible.builtin.package:
|
|
|
|
|
name: sudo
|
|
|
|
|
state: present
|
|
|
|
|
|
|
|
|
|
- name: "5.2.2 | PATCH | Ensure sudo commands use pty"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_2_2
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
|
|
|
|
- sudo
|
|
|
|
|
- rule_5.2.2
|
|
|
|
|
- NIST800-53R5_AC-6
|
2023-01-13 11:05:25 +00:00
|
|
|
ansible.builtin.lineinfile:
|
2024-07-24 14:00:45 +01:00
|
|
|
path: /etc/sudoers
|
|
|
|
|
line: "Defaults use_pty"
|
|
|
|
|
validate: '/usr/sbin/visudo -cf %s'
|
2024-02-09 22:32:09 +01:00
|
|
|
|
2024-07-24 14:00:45 +01:00
|
|
|
- name: "5.2.3 | PATCH | Ensure sudo log file exists"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_2_3
|
2022-01-07 09:06:18 +00:00
|
|
|
tags:
|
2024-07-24 14:00:45 +01:00
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
|
|
|
|
- sudo
|
|
|
|
|
- rule_5.2.3
|
|
|
|
|
- NIST800-53R5_AU-3
|
|
|
|
|
- NIST800-53R5_AU-12
|
2023-01-13 11:05:25 +00:00
|
|
|
ansible.builtin.lineinfile:
|
2024-07-24 14:00:45 +01:00
|
|
|
path: /etc/sudoers
|
|
|
|
|
regexp: '^Defaults logfile='
|
|
|
|
|
line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"'
|
|
|
|
|
validate: '/usr/sbin/visudo -cf %s'
|
2022-01-07 09:06:18 +00:00
|
|
|
|
2024-07-24 14:00:45 +01:00
|
|
|
- name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_2_4
|
2022-01-07 09:06:18 +00:00
|
|
|
tags:
|
2024-07-24 14:00:45 +01:00
|
|
|
- level2-server
|
|
|
|
|
- level2-workstation
|
|
|
|
|
- patch
|
|
|
|
|
- sudo
|
|
|
|
|
- rule_5.2.4
|
|
|
|
|
- NIST800-53R5_AC-6
|
2024-02-10 00:27:33 +01:00
|
|
|
block:
|
2024-09-05 16:04:47 +01:00
|
|
|
- name: "5.2.4 | AUDIT | Ensure users must provide password for escalation | Discover accts with NOPASSWD"
|
2024-07-24 14:00:45 +01:00
|
|
|
ansible.builtin.shell: grep -Ei '(nopasswd)' /etc/sudoers /etc/sudoers.d/* | cut -d':' -f1
|
|
|
|
|
become: true
|
|
|
|
|
changed_when: false
|
|
|
|
|
failed_when: false
|
2024-09-05 16:04:47 +01:00
|
|
|
register: discovered_nopasswd_sudoers
|
2024-07-24 14:00:45 +01:00
|
|
|
|
2024-09-05 16:04:47 +01:00
|
|
|
- name: "5.2.4 | PATCH | Ensure users must provide password for escalation | Remove nopasswd for accounts not excluded"
|
|
|
|
|
when: discovered_nopasswd_sudoers.stdout | length > 0
|
2024-07-24 14:00:45 +01:00
|
|
|
ansible.builtin.replace:
|
|
|
|
|
path: "{{ item }}"
|
|
|
|
|
regexp: '^((?!#|{% for name in rhel9cis_sudoers_exclude_nopasswd_list %}{{ name }}{% if not loop.last -%}|{%- endif -%}{% endfor %}).*)NOPASSWD(.*)'
|
|
|
|
|
replace: '\1PASSWD\2'
|
|
|
|
|
validate: '/usr/sbin/visudo -cf %s'
|
2024-09-05 16:04:47 +01:00
|
|
|
loop: "{{ discovered_nopasswd_sudoers.stdout_lines }}"
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_2_5
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
|
|
|
|
- sudo
|
|
|
|
|
- rule_5.2.5
|
|
|
|
|
- NIST800-53R5_AC-6
|
2022-06-20 17:04:44 +01:00
|
|
|
block:
|
2024-07-24 14:00:45 +01:00
|
|
|
- name: "5.2.5 | AUDIT | Ensure re-authentication for privilege escalation is not disabled globally"
|
|
|
|
|
ansible.builtin.shell: grep -Ei '(!authenticate)' /etc/sudoers /etc/sudoers.d/* | cut -d':' -f1
|
|
|
|
|
become: true
|
|
|
|
|
changed_when: false
|
|
|
|
|
failed_when: false
|
2024-11-04 18:39:01 +00:00
|
|
|
register: discovered_priv_reauth
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
|
2024-11-04 18:39:01 +00:00
|
|
|
when: discovered_priv_reauth.stdout | length > 0
|
2024-07-24 14:00:45 +01:00
|
|
|
ansible.builtin.replace:
|
|
|
|
|
path: "{{ item }}"
|
|
|
|
|
regexp: '^([^#].*)!authenticate(.*)'
|
|
|
|
|
replace: '\1authenticate\2'
|
|
|
|
|
validate: '/usr/sbin/visudo -cf %s'
|
2024-11-04 18:39:01 +00:00
|
|
|
loop: "{{ discovered_priv_reauth.stdout_lines }}"
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_2_6
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
|
|
|
|
- sudo
|
|
|
|
|
- rule_5.2.6
|
2022-03-30 16:18:11 +01:00
|
|
|
block:
|
2024-07-24 14:00:45 +01:00
|
|
|
- name: "5.2.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set"
|
|
|
|
|
ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
|
|
|
|
|
changed_when: false
|
|
|
|
|
failed_when: false
|
2024-09-05 17:36:07 +01:00
|
|
|
register: discovered_sudo_timeout_files
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
|
2024-09-05 17:36:07 +01:00
|
|
|
when: discovered_sudo_timeout_files.stdout | length == 0
|
2024-07-24 14:00:45 +01:00
|
|
|
ansible.builtin.lineinfile:
|
|
|
|
|
path: /etc/sudoers
|
|
|
|
|
regexp: 'Defaults timestamp_timeout='
|
|
|
|
|
line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
|
|
|
|
|
validate: '/usr/sbin/visudo -cf %s'
|
|
|
|
|
|
|
|
|
|
- name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
|
2024-09-05 17:36:07 +01:00
|
|
|
when: discovered_sudo_timeout_files.stdout | length > 0
|
2024-07-24 14:00:45 +01:00
|
|
|
ansible.builtin.replace:
|
|
|
|
|
path: "{{ item }}"
|
|
|
|
|
regexp: 'timestamp_timeout=(\d+)'
|
|
|
|
|
replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
|
|
|
|
|
validate: '/usr/sbin/visudo -cf %s'
|
2024-09-05 17:36:07 +01:00
|
|
|
loop: "{{ discovered_sudo_timeout_files.stdout_lines }}"
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.2.7 | PATCH | Ensure access to the su command is restricted"
|
2024-12-04 11:45:13 +00:00
|
|
|
when: rhel9cis_rule_5_2_7
|
2024-07-24 14:00:45 +01:00
|
|
|
tags:
|
|
|
|
|
- level1-server
|
|
|
|
|
- level1-workstation
|
|
|
|
|
- patch
|
|
|
|
|
- sudo
|
|
|
|
|
- rule_5.2.7
|
|
|
|
|
- NIST800-53R5_AC-3
|
|
|
|
|
- NIST800-53R5_MP-2
|
|
|
|
|
block:
|
|
|
|
|
- name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
|
|
|
|
|
ansible.builtin.group:
|
|
|
|
|
name: "{{ rhel9cis_sugroup }}"
|
|
|
|
|
state: present
|
2024-09-05 17:36:07 +01:00
|
|
|
register: discovered_sugroup
|
2024-07-24 14:00:45 +01:00
|
|
|
|
|
|
|
|
- name: "5.2.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
|
|
|
|
|
ansible.builtin.lineinfile:
|
|
|
|
|
path: /etc/group
|
|
|
|
|
regexp: '^{{ rhel9cis_sugroup }}(:.:.*:).*$'
|
|
|
|
|
line: '{{ rhel9cis_sugroup }}\g<1>'
|
|
|
|
|
backrefs: true
|
|
|
|
|
|
|
|
|
|
- name: "5.2.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
|
|
|
|
|
ansible.builtin.lineinfile:
|
|
|
|
|
path: /etc/pam.d/su
|
|
|
|
|
regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
|
|
|
|
|
line: 'auth required pam_wheel.so use_uid group={{ rhel9cis_sugroup }}'
|
