From 63c82f8305cf65eb95a26bb4696c8d8b71e0444c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 May 2022 09:42:31 +0100 Subject: [PATCH 1/6] Removed python 2/3 checks for rh7/8 Signed-off-by: Mark Bolwell --- tasks/pre_remediation_audit.yml | 26 +++++--------------------- 1 file changed, 5 insertions(+), 21 deletions(-) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 0111a39..bb9344a 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -13,27 +13,11 @@ state: directory mode: '0755' -- name: Pre Audit | If using git for content set up - block: - - name: Pre Audit | Install git (rh8 python3) - package: - name: git - state: present - when: ansible_distribution_major_version == 8 - - - name: Pre Audit | Install git (rh7 python2) - package: - name: git - state: present - vars: - ansible_python_interpreter: "{{ python2_bin }}" - when: ansible_distribution_major_version == 7 - - - name: Pre Audit | retrieve audit content files from git - git: - repo: "{{ audit_file_git }}" - dest: "{{ audit_conf_dir }}" - version: "{{ audit_git_version }}" +- name: Pre Audit | retrieve audit content files from git + git: + repo: "{{ audit_file_git }}" + dest: "{{ audit_conf_dir }}" + version: "{{ audit_git_version }}" when: - audit_content == 'git' From 5ce4b873d7232570b630cbdf77b45aa5cfbc9e21 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 May 2022 09:57:33 +0100 Subject: [PATCH 2/6] removed rh8 checks Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 28 +--------------------------- 1 file changed, 1 insertion(+), 27 deletions(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 9b4c7d3..d16d91f 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml 
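Review bot: The surviving `git:` task still needs a git client on the managed host, yet the install steps this hunk removes are not replaced anywhere in the hunk; unless the `install git if not present` task that a later patch in this series adds to tasks/LE_audit_setup.yml is guaranteed to run first (not visible here), hosts without git fail at this task instead of during prerequisites. Because what is cloned here is the audit content that later executes on the host, it is also worth keeping `version: "{{ audit_git_version }}"` pinned to a tag or commit in the defaults rather than a moving branch, and adding `verify_commit: true` if the source repository signs its commits, so the module refuses an unsigned checkout. The `when: - audit_content == 'git'` guard is unchanged and still applies to the single remaining task.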
@@ -32,32 +32,7 @@ - patch - rule_5.5.1 -- name: "5.5.2 | PATCH | Ensure system accounts are secured | pre RHEL8.2" - block: - - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock time for preauth" - lineinfile: - path: /etc/pam.d/{{ item }} - regexp: '^auth\s*required\s*pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" - insertafter: '^#?auth ?' - with_items: - - "system-auth" - - "password-auth" - - - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock times for authfail" - lineinfile: - path: /etc/pam.d/{{ item }} - regexp: '^auth\s*required\s*pam_faillock.so authfail' - line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" - insertafter: '^#?auth ?' - with_items: - - "system-auth" - - "password-auth" - when: - - ansible_distribution_version <= "8.1" - - rhel9cis_rule_5_5_2 - -- name: "5.5.2 | PATCH | Ensure system accounts are secured | RHEL8.2+ " +- name: "5.5.2 | PATCH | Ensure system accounts are secured" lineinfile: path: /etc/security/faillock.conf regexp: "{{ item.regexp }}" @@ -66,7 +41,6 @@ - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' } - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' } when: - - ansible_distribution_version >= "8.2" - rhel9cis_rule_5_5_2 - name: "5.5.3 | PATCH | Ensure password reuse is limited" From 9368c1e17e89920044610059e3b9596ac0f21c72 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 May 2022 09:57:44 +0100 Subject: [PATCH 3/6] updated for rh9 
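Review bot: The renamed task keeps the title `Ensure system accounts are secured` although the removed sub-tasks for the same rule id called it `Ensure lockout for failed password attempts is configured`, which is what the remaining task does (it edits /etc/security/faillock.conf); `- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured"` would keep the name honest. Dropping the pam.d edits also means any `deny=`/`unlock_time=` arguments already present on `pam_faillock.so` lines in /etc/pam.d/system-auth or password-auth (for example from earlier runs of the removed tasks) are no longer touched; whether such module arguments take precedence over faillock.conf is not visible here and is worth confirming, otherwise the rule can report compliant while the effective lockout policy is whatever those lines say. The task's loop items and `when` continue in the next hunk.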
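Review bot: With the version guard gone this `lineinfile` loop is the only lockout configuration left, and its regexps only match values that already satisfy the rule (`deny` 1–5; `unlock_time` 0 or 900 and above), so a non-compliant line such as `deny = 10` or `unlock_time = 60` is never matched and `deny = 5` / `unlock_time = 900` is appended as a second directive, leaving two lines for the same key and whichever one faillock honours deciding the policy; conversely a stricter `deny = 3` or `unlock_time = 0` is matched and rewritten to the weaker baseline. Matching the directive regardless of value, `regexp: '^\s*deny\s*='` with `line: 'deny = 5'` and `regexp: '^\s*unlock_time\s*='` with `line: 'unlock_time = 900'`, replaces whatever is there; if already-stricter values are meant to be preserved, the task needs to read the current value first rather than encode the acceptable range in the regexp. The `regexp: "{{ item.regexp }}"` that consumes these items is in the previous hunk.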
Signed-off-by: Mark Bolwell --- tasks/check_prereqs.yml | 40 +++++----------------------------------- 1 file changed, 5 insertions(+), 35 deletions(-) diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml index 36f1999..abe6248 100644 --- a/tasks/check_prereqs.yml +++ b/tasks/check_prereqs.yml @@ -1,38 +1,8 @@ --- -- name: "PREREQ | Add the required packages | Python 3" - block: - - name: Check if python36-rpm package installed - shell: rpm -q python36-rpm - args: - warn: false - failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] ) - changed_when: false - register: python36_rpm_present - - - name: Add the EPEL repository required for the python36-rpm pkg - package: - name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm - state: present - register: epel_installed - when: - - python36_rpm_present.rc != '0' - - - name: "PREREQ | Check required packages installed | Python3 " - package: - name: "{{ item }}" - state: present - register: python3reqs_installed - loop: - - python36-rpm - - libselinux-python3 - - - name: Disable Epel repo if installed earlier - shell: yum-config-manager disable epel - args: - warn: false - when: epel_installed.changed +- name: "PREREQ | If required install libselinux package to manage file changes." + package: + name: libselinux-python3 + state: present when: - - ( ansible_python.version.major == 3 and ansible_python.version.minor == 6 ) - vars: - ansible_python_interpreter: "{{ python2_bin }}" + - '"libselinux-python3" not in ansible_facts.packages' From cbb5ff7cc26078308012d0749105f73403a97c65 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 May 2022 11:19:33 +0100 Subject: [PATCH 4/6] Added git install to step Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 61a4cdf..e4cac49 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml 
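Review bot: The new condition `- '"libselinux-python3" not in ansible_facts.packages'` depends on `ansible_facts.packages`, which is only populated by a prior `package_facts` task; nothing in this hunk gathers it, so on a host where that has not run the `when` fails on an undefined variable instead of installing the package. The same pattern is introduced for git in tasks/LE_audit_setup.yml in this series. Since `package: state: present` is already a no-op when the package is installed, the simplest fix is to drop the `when`; if the intent is to avoid invoking the package manager at all, precede the task with `- name: PREREQ | Gather package facts` using `package_facts: manager: auto`. The removed `ansible_python_interpreter: "{{ python2_bin }}"` override means this now runs under whatever interpreter the play selects, which is presumably the intent for RHEL 9.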
@@ -20,3 +20,11 @@ group: root when: - get_goss_file == 'copy' + +- name: install git if not present + package: + name: git + state: present + register: git_installed + when: + - '"git" not in ansible_facts.packages' From 2ecc61649e6bc457dc874d57aa1d3fb215f304b1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 May 2022 11:19:50 +0100 Subject: [PATCH 5/6] Std Warning msg Signed-off-by: Mark Bolwell --- tasks/post.yml | 2 +- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.2.x.yml | 2 +- tasks/section_2/cis_2.4.yml | 2 +- tasks/section_4/cis_4.2.2.x.yml | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/tasks/post.yml b/tasks/post.yml index 69783ab..c0f6be8 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -77,7 +77,7 @@ - name: POST | Warning a reboot required but skip option set debug: - msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" + msg: "Warning! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" changed_when: true when: - change_requires_reboot diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index bb18993..a50797d 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -2,7 +2,7 @@ - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition" debug: - msg: "WARNING!! /tmp is not mounted on a separate partition" + msg: "Warning! /tmp is not mounted on a separate partition" when: - rhel9cis_rule_1_1_2_1 - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 0023f2d..960815f 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
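Review bot: The new `install git if not present` task runs whenever this file is included, regardless of whether the audit content is actually fetched from git; if its only consumer is the `audit_content == 'git'` clone in tasks/pre_remediation_audit.yml, conditioning it on the same variable keeps a git client off hosts that copy the audit files instead, which is the leaner footprint for a hardening role. Its lowercase name also departs from the `Section | Action` naming (`PREREQ | …`, `Pre Audit | …`, `POST | …`) used by the other task files in this series; `- name: "Pre Audit | Install git if not present"` would match. `register: git_installed` is set but not read within the hunk; if nothing later uses it, drop it.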
@@ -74,7 +74,7 @@ - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" debug: msg: - - "Alert! Below are the configured repos. Please review and make sure all align with site policy" + - "Warning! Below are the configured repos. Please review and make sure all align with site policy" - "{{ dnf_configured.stdout_lines }}" when: - rhel9cis_rule_1_2_4 diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index 5db134e..e17ab76 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -12,7 +12,7 @@ - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" debug: msg: - - "Alert! Below are the list of services, both active and inactive" + - "Warning! Below are the list of services, both active and inactive" - "Please review to make sure all are essential" - "{{ rhel9cis_2_4_services.stdout_lines }}" when: diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 8523066..9660670 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -83,7 +83,7 @@ - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" debug: msg: - - "ALERT! The status of systemd-journald should be static and it is not. Please investigate" + - "Warning! The status of systemd-journald should be static and it is not. Please investigate" when: "'static' not in rhel9cis_4_2_2_2_status.stdout" when: - rhel9cis_rule_4_2_2_2 
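Review bot: In tasks/section_2/cis_2.4.yml the rewritten message keeps the grammatical slip `"Below are the list of services"`; since the line is being touched anyway, `- "Warning! Below is the list of services, both active and inactive"` reads correctly. The rest of the message list and the `when` are unchanged.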
@@ -190,7 +190,7 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings" debug: msg: - - "Alert! Below are the current default settings for journald, please confirm they align with your site policies" + - "Warning! Below are the current default settings for journald, please confirm they align with your site policies" # - "{{ rhel9cis_4_2_2_7_override_settings.stdout_lines }}" - "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}" when: From 93e3f7bf463e02f3b4ba23b209e44c2a2ece7444 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 11 May 2022 11:20:12 +0100 Subject: [PATCH 6/6] conditional and warning msg std Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 096a310..a1558db 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml 
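Review bot: The `msg` list still carries the commented-out entry `# - "{{ rhel9cis_4_2_2_7_override_settings.stdout_lines }}"` directly above the `ternary` line that replaced it; with the message text being standardised here, that dead line should go as well so the list reads as two entries. The `when` that closes the task continues outside the hunk.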
@@ -29,12 +29,12 @@ - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" debug: msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: rhel9cis_6_2_2_passwd_gid_check.stdout is not defined + when: rhel9cis_6_2_2_passwd_gid_check.stdout | length == 0 - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" debug: - msg: "WARNING: The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" - when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined + msg: "Warning! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" + when: rhel9cis_6_2_2_passwd_gid_check.stdout | length > 0 when: - rhel9cis_rule_6_2_2 tags: @@ -57,12 +57,12 @@ - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" debug: msg: "Good News! There are no duplicate UID's in the system" - when: rhel9cis_6_2_3_user_uid_check.stdout is not defined + when: rhel9cis_6_2_3_user_uid_check.stdout | length == 0 - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" debug: - msg: "Warning: The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" - when: rhel9cis_6_2_3_user_uid_check.stdout is defined + msg: "Warning! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" + when: rhel9cis_6_2_3_user_uid_check.stdout | length > 0 when: - rhel9cis_rule_6_2_3 tags: 
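Review bot: The good-news message for 6.2.2 says `non-existent GUIDs (Groups)` while the warning beneath it correctly says GIDs; `msg: "Good News! There are no users that have non-existent GIDs (Groups)"` keeps the pair consistent. The new `| length == 0` / `| length > 0` tests are a real improvement over the always-true `is defined` checks, but they assume the registered check produces exactly empty stdout on success; if the command prints a header or whitespace, `stdout | trim | length` is the safer test — the check task itself is outside the hunk. The enclosing block's `when: - rhel9cis_rule_6_2_2` is unchanged.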
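Review bot: The warning task name for 6.2.3 is missing a space, `"6.2.3 | AUDIT| Ensure no duplicate UIDs exist | …"`, which breaks the `| ` separator convention every other task name in this file follows. The warning message also interpolates the raw list `{{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}` whereas the 6.2.2 warning above formats it with `stdout_lines | join (', ')`; using `| join(', ')` here and in the 6.2.4–6.2.6 warnings gives operators one readable format. The block-level `when` and `tags` are unchanged.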
@@ -85,12 +85,12 @@ - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" debug: msg: "Good News! There are no duplicate GIDs in the system" - when: rhel9cis_6_2_4_user_user_check.stdout is not defined + when: rhel9cis_6_2_4_user_user_check.stdout | length == 0 - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" debug: - msg: "Warning: The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" - when: rhel9cis_6_2_4_user_user_check.stdout is defined + msg: "Warning! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" + when: rhel9cis_6_2_4_user_user_check.stdout | length > 0 when: - rhel9cis_rule_6_2_4 tags: @@ -113,12 +113,12 @@ - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" debug: msg: "Good News! There are no duplicate user names in the system" - when: rhel9cis_6_2_5_user_username_check.stdout is not defined + when: rhel9cis_6_2_5_user_username_check.stdout | length == 0 - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" debug: - msg: "Warning: The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" - when: rhel9cis_6_2_5_user_username_check.stdout is defined + msg: "Warning! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" + when: rhel9cis_6_2_5_user_username_check.stdout | length > 0 when: - rhel9cis_rule_6_2_5 tags: 
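Review bot: The 6.2.4 warning task is named `Print warning about users with duplicate GIDs` but its message reports groups (`The following groups have duplicate GIDs`), and the same users-versus-groups mismatch is in the 6.2.6 hunk (`Print warning about users with duplicate group names`); `- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about groups with duplicate GIDs"` and the matching rename in 6.2.6 would fix both. The registered variable `rhel9cis_6_2_4_user_user_check` likewise reads as a user check for what is a group check; renaming it is a wider change since the check task is outside the hunk, so note it here only. The `| length` conditions themselves look correct.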
@@ -142,12 +142,12 @@ - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" debug: msg: "Good News! There are no duplicate group names in the system" - when: rhel9cis_6_2_6_group_group_check.stdout is defined + when: rhel9cis_6_2_6_group_group_check.stdout | length == 0 - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" debug: - msg: "Warning: The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" - when: rhel9cis_6_2_6_group_group_check.stdout is not defined + msg: "Warning! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" + when: rhel9cis_6_2_6_group_group_check.stdout | length > 0 when: - rhel9cis_rule_6_2_6 tags: