sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Merge pull request #16 from ansible-lockdown/improvements

Browse source 
Improvements
removed all legacy OS checks
This commit is contained in:
uk-bolly 2022-05-17 14:49:52 +01:00 committed by GitHub
commit 0212c6aec3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 40 additions and 104 deletions
Download patch file Download diff file Expand all files Collapse all files

8
tasks/LE_audit_setup.yml
View file

@ -20,3 +20,11 @@
group: root
when:
- get_goss_file == 'copy'
- name: install git if not present
package:
name: git
state: present
register: git_installed
when:
- '"git" not in ansible_facts.packages'

40
tasks/check_prereqs.yml
View file

@ -1,38 +1,8 @@
---
- name: "PREREQ | Add the required packages | Python 3"
block:
- name: Check if python36-rpm package installed
shell: rpm -q python36-rpm
args:
warn: false
failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] )
changed_when: false
register: python36_rpm_present
- name: Add the EPEL repository required for the python36-rpm pkg
package:
name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
state: present
register: epel_installed
when:
- python36_rpm_present.rc != '0'
- name: "PREREQ | Check required packages installed | Python3 "
package:
name: "{{ item }}"
state: present
register: python3reqs_installed
loop:
- python36-rpm
- libselinux-python3
- name: Disable Epel repo if installed earlier
shell: yum-config-manager disable epel
args:
warn: false
when: epel_installed.changed
- name: "PREREQ | If required install libselinux package to manage file changes."
package:
name: libselinux-python3
state: present
when:
- ( ansible_python.version.major == 3 and ansible_python.version.minor == 6 )
vars:
ansible_python_interpreter: "{{ python2_bin }}"
- '"libselinux-python3" not in ansible_facts.packages'

2
tasks/post.yml
View file

@ -77,7 +77,7 @@
- name: POST | Warning a reboot required but skip option set
debug:
msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
msg: "Warning! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
changed_when: true
when:
- change_requires_reboot

26
tasks/pre_remediation_audit.yml
View file

@ -13,27 +13,11 @@
state: directory
mode: '0755'
- name: Pre Audit | If using git for content set up
block:
- name: Pre Audit | Install git (rh8 python3)
package:
name: git
state: present
when: ansible_distribution_major_version == 8
- name: Pre Audit | Install git (rh7 python2)
package:
name: git
state: present
vars:
ansible_python_interpreter: "{{ python2_bin }}"
when: ansible_distribution_major_version == 7
- name: Pre Audit | retrieve audit content files from git
git:
repo: "{{ audit_file_git }}"
dest: "{{ audit_conf_dir }}"
version: "{{ audit_git_version }}"
- name: Pre Audit | retrieve audit content files from git
git:
repo: "{{ audit_file_git }}"
dest: "{{ audit_conf_dir }}"
version: "{{ audit_git_version }}"
when:
- audit_content == 'git'

2
tasks/section_1/cis_1.1.2.x.yml
View file

@ -2,7 +2,7 @@
- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition"
debug:
msg: "WARNING!! /tmp is not mounted on a separate partition"
msg: "Warning! /tmp is not mounted on a separate partition"
when:
- rhel9cis_rule_1_1_2_1
- ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0

2
tasks/section_1/cis_1.2.x.yml
View file

@ -74,7 +74,7 @@
- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list"
debug:
msg:
- "Alert! Below are the configured repos. Please review and make sure all align with site policy"
- "Warning! Below are the configured repos. Please review and make sure all align with site policy"
- "{{ dnf_configured.stdout_lines }}"
when:
- rhel9cis_rule_1_2_4

2
tasks/section_2/cis_2.4.yml
View file

@ -12,7 +12,7 @@
- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services"
debug:
msg:
- "Alert! Below are the list of services, both active and inactive"
- "Warning! Below are the list of services, both active and inactive"
- "Please review to make sure all are essential"
- "{{ rhel9cis_2_4_services.stdout_lines }}"
when:

4
tasks/section_4/cis_4.2.2.x.yml
View file

@ -83,7 +83,7 @@
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status"
debug:
msg:
- "ALERT! The status of systemd-journald should be static and it is not. Please investigate"
- "Warning! The status of systemd-journald should be static and it is not. Please investigate"
when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
when:
- rhel9cis_rule_4_2_2_2
@ -190,7 +190,7 @@
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings"
debug:
msg:
- "Alert! Below are the current default settings for journald, please confirm they align with your site policies"
- "Warning! Below are the current default settings for journald, please confirm they align with your site policies"
# - "{{ rhel9cis_4_2_2_7_override_settings.stdout_lines }}"
- "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}"
when:

28
tasks/section_5/cis_5.5.x.yml
View file

@ -32,32 +32,7 @@
- patch
- rule_5.5.1
- name: "5.5.2 | PATCH | Ensure system accounts are secured | pre RHEL8.2"
block:
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock time for preauth"
lineinfile:
path: /etc/pam.d/{{ item }}
regexp: '^auth\s*required\s*pam_faillock.so preauth'
line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
insertafter: '^#?auth ?'
with_items:
- "system-auth"
- "password-auth"
- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock times for authfail"
lineinfile:
path: /etc/pam.d/{{ item }}
regexp: '^auth\s*required\s*pam_faillock.so authfail'
line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}"
insertafter: '^#?auth ?'
with_items:
- "system-auth"
- "password-auth"
when:
- ansible_distribution_version <= "8.1"
- rhel9cis_rule_5_5_2
- name: "5.5.2 | PATCH | Ensure system accounts are secured | RHEL8.2+ "
- name: "5.5.2 | PATCH | Ensure system accounts are secured"
lineinfile:
path: /etc/security/faillock.conf
regexp: "{{ item.regexp }}"
@ -66,7 +41,6 @@
- { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' }
- { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' }
when:
- ansible_distribution_version >= "8.2"
- rhel9cis_rule_5_5_2
- name: "5.5.3 | PATCH | Ensure password reuse is limited"

30
tasks/section_6/cis_6.2.x.yml
View file

@ -29,12 +29,12 @@
- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files"
debug:
msg: "Good News! There are no users that have non-existent GUIDs (Groups)"
when: rhel9cis_6_2_2_passwd_gid_check.stdout is not defined
when: rhel9cis_6_2_2_passwd_gid_check.stdout | length == 0
- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
debug:
msg: "WARNING: The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}"
when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined
msg: "Warning! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}"
when: rhel9cis_6_2_2_passwd_gid_check.stdout | length > 0
when:
- rhel9cis_rule_6_2_2
tags:
@ -57,12 +57,12 @@
- name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist"
debug:
msg: "Good News! There are no duplicate UID's in the system"
when: rhel9cis_6_2_3_user_uid_check.stdout is not defined
when: rhel9cis_6_2_3_user_uid_check.stdout | length == 0
- name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
debug:
msg: "Warning: The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}"
when: rhel9cis_6_2_3_user_uid_check.stdout is defined
msg: "Warning! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}"
when: rhel9cis_6_2_3_user_uid_check.stdout | length > 0
when:
- rhel9cis_rule_6_2_3
tags:
@ -85,12 +85,12 @@
- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist"
debug:
msg: "Good News! There are no duplicate GIDs in the system"
when: rhel9cis_6_2_4_user_user_check.stdout is not defined
when: rhel9cis_6_2_4_user_user_check.stdout | length == 0
- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
debug:
msg: "Warning: The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}"
when: rhel9cis_6_2_4_user_user_check.stdout is defined
msg: "Warning! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}"
when: rhel9cis_6_2_4_user_user_check.stdout | length > 0
when:
- rhel9cis_rule_6_2_4
tags:
@ -113,12 +113,12 @@
- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist"
debug:
msg: "Good News! There are no duplicate user names in the system"
when: rhel9cis_6_2_5_user_username_check.stdout is not defined
when: rhel9cis_6_2_5_user_username_check.stdout | length == 0
- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
debug:
msg: "Warning: The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}"
when: rhel9cis_6_2_5_user_username_check.stdout is defined
msg: "Warning! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}"
when: rhel9cis_6_2_5_user_username_check.stdout | length > 0
when:
- rhel9cis_rule_6_2_5
tags:
@ -142,12 +142,12 @@
- name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist"
debug:
msg: "Good News! There are no duplicate group names in the system"
when: rhel9cis_6_2_6_group_group_check.stdout is defined
when: rhel9cis_6_2_6_group_group_check.stdout | length == 0
- name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
debug:
msg: "Warning: The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}"
when: rhel9cis_6_2_6_group_group_check.stdout is not defined
msg: "Warning! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}"
when: rhel9cis_6_2_6_group_group_check.stdout | length > 0
when:
- rhel9cis_rule_6_2_6
tags: