From 02a36f7f8d3acb4fe2f83cbdb0d6df5124c9024b Mon Sep 17 00:00:00 2001 From: uk-bolly <69214557+uk-bolly@users.noreply.github.com> Date: Wed, 2 Feb 2022 11:25:03 +0000 Subject: [PATCH] Fix in logic for Alma (#4) * container standards Signed-off-by: Mark Bolwell * logic on handlers Signed-off-by: Mark Bolwell * initial container ignore Signed-off-by: Mark Bolwell * tags and containder discovery Signed-off-by: Mark Bolwell * logic on auditd task Signed-off-by: Mark Bolwell * tags and crypto logic Signed-off-by: Mark Bolwell * distro update for rocky Signed-off-by: Mark Bolwell * system_is_container updates Signed-off-by: Mark Bolwell * ssh pkg check Signed-off-by: Mark Bolwell * logrotate pkg check Signed-off-by: Mark Bolwell * logic in container check Signed-off-by: Mark Bolwell * add pkg fact and audit conditionals Signed-off-by: Mark Bolwell * tidy up crypto step Signed-off-by: Mark Bolwell * Added missing tags Signed-off-by: Mark Bolwell * container vars file now a variable Signed-off-by: Mark Bolwell * added uid discovery and usage Signed-off-by: Mark Bolwell * Updated OS checks and conditionals Signed-off-by: Mark Bolwell * fixed empty become Signed-off-by: Mark Bolwell * change audit to include task Signed-off-by: Mark Bolwell * Added OS_specific vars Signed-off-by: Mark Bolwell * updated import/include Signed-off-by: Mark Bolwell * OS Specific vars Signed-off-by: Mark Bolwell * updated tags Signed-off-by: Mark Bolwell * updated changed_when Signed-off-by: Mark Bolwell * fixed UID logic Signed-off-by: Mark Bolwell * changed reboot var Signed-off-by: Mark Bolwell * changed skip_reboot var name Signed-off-by: Mark Bolwell * masked only Signed-off-by: Mark Bolwell * fix logic Signed-off-by: Mark Bolwell * remove debug update logic 6.2.8 Signed-off-by: Mark Bolwell * initial Signed-off-by: Mark Bolwell * removed CentOS 
Signed-off-by: Mark Bolwell --- defaults/main.yml | 16 +++- handlers/main.yml | 8 +- local.yml | 5 +- site.yml | 4 - tasks/main.yml | 72 ++++++++++++---- tasks/post.yml | 16 +++- tasks/prelim.yml | 127 +++++++++++++++++++++++++---- tasks/section_1/cis_1.2.x.yml | 5 +- tasks/section_1/main.yml | 24 +++--- tasks/section_2/cis_2.2.1.x.yml | 4 +- tasks/section_2/main.yml | 8 +- tasks/section_3/cis_3.4.1.1.yml | 1 + tasks/section_3/cis_3.4.2.x.yml | 1 - tasks/section_3/main.yml | 20 ++--- tasks/section_4/cis_4.1.1.x.yml | 4 +- tasks/section_4/cis_4.3.yml | 1 + tasks/section_4/main.yml | 12 +-- tasks/section_5/cis_5.5.x.yml | 4 +- tasks/section_5/main.yml | 18 ++-- tasks/section_6/cis_6.2.x.yml | 12 +-- tasks/section_6/main.yml | 4 +- templates/audit/99_auditd.rules.j2 | 30 +++---- vars/AlmaLinux.yml | 4 + vars/RedHat.yml | 4 + vars/Rocky.yml | 4 + vars/is_container.yml | 95 +++++++++++++++++++++ vars/main.yml | 2 + 27 files changed, 392 insertions(+), 113 deletions(-) create mode 100644 vars/AlmaLinux.yml create mode 100644 vars/RedHat.yml create mode 100644 vars/Rocky.yml create mode 100644 vars/is_container.yml diff --git a/defaults/main.yml b/defaults/main.yml index 1bffc3f..23f8efd 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -2,11 +2,15 @@ # defaults file for rhel9-cis rhel9cis_skip_for_travis: false -rhel9cis_system_is_container: false +system_is_container: false +container_vars_file: is_container.yml # rhel9cis is left off the front of this var for consistency in testing pipeline # system_is_ec2 toggle will disable tasks that fail on Amazon EC2 instances. Set true to skip and false to run tasks system_is_ec2: false +# Run the OS validation check +os_check: true + rhel9cis_notauto: false rhel9cis_section1: true rhel9cis_section2: true 
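Review bot: `system_is_container` and `container_vars_file` drop the `rhel9cis_` prefix that most other defaults in this file carry (the next hunks do the same for `skip_reboot` and the `*_int_uid` settings), so a playbook that stacks several hardening roles can have one role's `system_is_container` or `skip_reboot` silently override another's, and role defaults have the lowest precedence so the collision is easy to hit. If the unprefixed names are deliberate, as the existing comment on `system_is_ec2` says for that variable, each of them deserves the same one-line comment, e.g. `# unprefixed on purpose: shared naming with the testing pipeline`. `container_vars_file` should also state where the value is resolved from; it is passed to `include_vars` in tasks/main.yml, which presumably looks in the role's vars/ directory.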
@@ -30,7 +34,7 @@ python2_bin: /bin/python2.7 benchmark: RHEL9-CIS # Whether to skip the reboot -rhel9cis_skip_reboot: true +skip_reboot: true #### Basic external goss audit enablement settings #### #### Precise details - per setting can be found at the bottom of this file #### @@ -545,8 +549,12 @@ rhel9cis_pam_password: minlen: "14" minclass: "4" -# Starting GID for interactive users -rhel9cis_int_gid: 1000 +# UID settings for interactive users +# These are discovered via logins.def is set true +discover_int_uid: false +min_int_uid: 1000 +max_int_uid: 65533 + # RHEL-09-5.4.5 # Session timeout setting file (TMOUT setting can be set in multiple files) diff --git a/handlers/main.yml b/handlers/main.yml index d96737d..ad56e8b 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -28,7 +28,9 @@ group: root mode: 0600 notify: reload sysctl - when: ansible_virtualization_type != "docker" + when: + - ansible_virtualization_type != "docker" + - "'procps-ng' in ansible_facts.packages" - name: reload sysctl sysctl: @@ -37,7 +39,9 @@ state: present reload: true ignoreerrors: true - when: ansible_virtualization_type != "docker" + when: + - ansible_virtualization_type != "docker" + - "'systemd' in ansible_facts.packages" - name: systemd restart tmp.mount become: true diff --git a/local.yml b/local.yml index 2c649b2..3f17560 100644 --- a/local.yml +++ b/local.yml @@ -3,10 +3,7 @@ - hosts: localhost connection: local become: true - vars: - is_container: false roles: - role: "{{ playbook_dir }}" - rhel9cis_system_is_container: "{{ is_container | default(false) }}" - rhel9cis_skip_for_travis: false + diff --git a/site.yml b/site.yml index 2763e43..379549f 100644 --- a/site.yml +++ b/site.yml @@ -1,11 +1,7 @@ --- - hosts: all become: true - vars: - is_container: false roles: - role: "{{ playbook_dir }}" - rhel9cis_system_is_container: "{{ is_container | default(false) }}" - rhel9cis_skip_for_travis: false diff --git a/tasks/main.yml b/tasks/main.yml index 29e0a19..b316f67 100644 
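Review bot: The two sysctl handlers now test `'procps-ng' in ansible_facts.packages` and `'systemd' in ansible_facts.packages`, which should raise an undefined-variable error rather than skip if `package_facts` has not run by the time a handler fires (a play that stops early, or flushes handlers before tasks/post.yml gathers them); I can see the gather in post.yml but not one before the notifying tasks. A defensive form is `- "'procps-ng' in (ansible_facts.packages | default({}))"`. Separately, the defaults comment `# These are discovered via logins.def is set true` is garbled and names the wrong file; suggest `# Discovered from /etc/login.defs when discover_int_uid is true`.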
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,23 +1,46 @@ --- # tasks file for RHEL9-CIS + - name: Check OS version and family assert: - that: - - ansible_os_family == 'RedHat' - - ansible_distribution_major_version |int >= 8 - fail_msg: "This role can only be run against RHEL 8 or 9. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." - success_msg: "Supported OS release and version" + that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') + fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." + success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" + when: + - os_check + - not system_is_ec2 tags: - - always + - always - name: Check ansible version assert: - that: - - "ansible_version.full is version_compare ('2.9', '>=')" - fail_msg: "You must use ansible 2.9 or greater" - success_msg: "Supported ansible_version" + that: ansible_version.full is version_compare(min_ansible_version, '>=') + fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" + success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}" tags: - - always + - always + +- name: Setup rules if container + block: + - name: Discover and set container variable if required + set_fact: + system_is_container: true + + - name: Load variable for container + include_vars: + file: "{{ container_vars_file }}" + + - name: output if discovered is a container + debug: + msg: system has been discovered as a container + when: + - system_is_container + when: + - ansible_connection == 'docker' or + ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - container_discovery + - always - name: Check crypto-policy input assert: 
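Review bot: The new OS assertion requires `ansible_distribution_major_version is version_compare('8', '==')`, which rejects major version 9 even though this is the RHEL9-CIS role and the check it replaces accepted `>= 8`; either restore `- ansible_distribution_major_version | int >= 8` or pin the version the role actually targets. The whole check is also skipped when `system_is_ec2` is true, so EC2 hosts receive no OS validation at all; the defaults describe that toggle as skipping tasks that fail on EC2, and an assert on gathered facts should not need it. The mixed `and`/`or` expression leans on operator precedence; write it as `(ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat') or ansible_os_family == 'Rocky'` so the intent is explicit, and confirm that Rocky hosts do not already report `ansible_os_family` as RedHat, in which case the second branch is dead. The container block reads `ansible_virtualization_type` unconditionally, which is undefined when fact gathering is off; `ansible_virtualization_type | default('') in [...]` avoids that, and the inner `when: system_is_container` on the debug task is always true because the block just set it.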
@@ -61,15 +84,19 @@ tags: - always +- name: Include OS specific variables + include_vars: "{{ ansible_distribution }}.yml" + tags: + - always + - name: Include preliminary steps import_tasks: prelim.yml - become: tags: - prelim_tasks - always - name: run pre_remediation audit - import_tasks: pre_remediation_audit.yml + include_tasks: pre_remediation_audit.yml when: - run_audit @@ -81,7 +108,14 @@ - name: capture /etc/password variables include_tasks: parse_etc_password.yml - when: rhel9cis_section6 + when: + - rhel9cis_section6 + tags: + - rule_5.5.2 + - rule_6.2.7 + - rule_6.2.8 + - rule_6.2.20 + - rhel9cis_section6 - name: run Section 1 tasks import_tasks: section_1/main.yml @@ -94,26 +128,36 @@ import_tasks: section_2/main.yml become: true when: rhel9cis_section2 + tags: + - rhel9cis_section2 - name: run Section 3 tasks import_tasks: section_3/main.yml become: true when: rhel9cis_section3 + tags: + - rhel9cis_section3 - name: run Section 4 tasks import_tasks: section_4/main.yml become: true when: rhel9cis_section4 + tags: + - rhel9cis_section4 - name: run Section 5 tasks import_tasks: section_5/main.yml become: true when: rhel9cis_section5 + tags: + - rhel9cis_section5 - name: run Section 6 tasks import_tasks: section_6/main.yml become: true when: rhel9cis_section6 + tags: + - rhel9cis_section6 - name: run post remediation tasks import_tasks: post.yml diff --git a/tasks/post.yml b/tasks/post.yml index c5f225f..5f54737 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -6,6 +6,12 @@ autoremove: true changed_when: false +- name: Gather the package facts after remediation + package_facts: + manager: auto + tags: + - always + - name: trigger update sysctl shell: /bin/true args: 
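Review bot: `include_vars: "{{ ansible_distribution }}.yml"` has no fallback, and the commit only adds AlmaLinux.yml, RedHat.yml and Rocky.yml; with `os_check: false`, or on EC2 where the OS assert is skipped, any other distribution fails here with a file-not-found error instead of the assert's message, and `rpm_gpg_key` is never defined. Either load through a `first_found` lookup that falls back to `{{ ansible_os_family }}.yml`, or make the assert and this include share one supported-OS list. In tasks/post.yml the new `package_facts` task is tagged `always` and its result feeds the handler conditions in handlers/main.yml; a comment such as `# refresh ansible_facts.packages so handlers and later checks see packages installed during remediation` would explain why it must not be skipped.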
@@ -38,7 +44,13 @@ changed_when: true check_mode: false when: - - rhel9cis_rule_4_1_3 or + - rhel9cis_rule_4_1_1_1 or + rhel9cis_rule_4_1_1_2 or + rhel9cis_rule_4_1_1_3 or + rhel9cis_rule_4_1_2_1 or + rhel9cis_rule_4_1_2_2 or + rhel9cis_rule_4_1_2_3 or + rhel9cis_rule_4_1_3 or rhel9cis_rule_4_1_4 or rhel9cis_rule_4_1_5 or rhel9cis_rule_4_1_6 or @@ -57,4 +69,4 @@ - name: Reboot host reboot: when: - - not rhel9cis_skip_reboot + - not skip_reboot diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 43206cb..5521a8d 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -1,4 +1,5 @@ --- + # Preliminary tasks that should always be run # List users in order to look files inside each home directory - name: "PRELIM | List users accounts" @@ -8,6 +9,10 @@ changed_when: false check_mode: false register: users + tags: + - level1-server + - level1-workstation + - users - name: "PRELIM | Gather accounts with empty password fields" shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" @@ -16,6 +21,10 @@ changed_when: false check_mode: false register: empty_password_accounts + tags: + - level1-server + - level1-workstation + - passwords - name: "PRELIM | Gather UID 0 accounts other than root" shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" 
@@ -24,14 +33,36 @@ changed_when: false check_mode: false register: uid_zero_accounts_except_root + tags: + - level1-server + - level1-workstation + - users -- name: "PRELIM | Gather system-wide crypto-policy" - shell: update-crypto-policies --show - args: - warn: false - changed_when: false - check_mode: false - register: system_wide_crypto_policy +- name: "PRELIM | Setup crypto-policy" + block: + - name: "PRELIM | Install crypto-policies" + dnf: + name: + - crypto-policies + - crypto-policies-scripts + state: present + + - name: "PRELIM | Gather system-wide crypto-policy" + shell: update-crypto-policies --show + args: + warn: false + changed_when: false + check_mode: false + register: system_wide_crypto_policy + when: + - rhel9cis_rule_1_10 or + rhel9cis_rule_1_11 + tags: + - level1-server + - level1-workstation + - rule_1.10 or + rule_1.11 + - crypto - name: "PRELIM | if systemd coredump" stat: @@ -39,10 +70,18 @@ register: systemd_coredump when: - rhel9cis_rule_1_6_1 + tags: + - level1-server + - level1-workstation + - rule_1.6.1 + - systemd - name: "PRELIM | Section 1.1 | Create list of mount points" set_fact: mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}" + tags: + - level1-server + - level1-workstation - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" package: @@ -51,9 +90,13 @@ become: true when: - '"auditd" not in ansible_facts.packages' - - rhel9cis_level_2 or - rhel9cis_rule_4_1_1_1 - + - rhel9cis_rule_4_1_1_1 + tags: + - level2-server + - level2-workstation + - patch + - rule_4.1.1.1 + - auditd - name: "PRELIM | 4.1.12 | Ensure successful file system mounts are collected" shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done 
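Review bot: In the crypto-policy block the tag entry `- rule_1.10 or` / `rule_1.11` is a folded plain scalar, so it yields one tag literally named `rule_1.10 or rule_1.11` and `--tags rule_1.10` will not select the task; split it into `- rule_1.10` and `- rule_1.11`. The same construct appears in the authconfig tag list in the next hunk (`rule_5.3.1 or rule_5.3.2 or rule_5.3.3`). The `dnf` install in this block has no `become: true`, unlike the other package installs in this file, and no `check_mode: false`, while the `update-crypto-policies --show` step after it does set `check_mode: false`; a check-mode run on a host without crypto-policies-scripts therefore simulates the install and then runs a command that does not exist. Registering `system_wide_crypto_policy` inside a block gated on rules 1.10/1.11 also leaves it as a skipped result when both rules are off, which later consumers need to tolerate.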
@@ -62,16 +105,23 @@ check_mode: false register: priv_procs tags: - - always + - level1-server + - level1-workstation + - always - name: "PRELIM | Section 5.1 | Configure cron" package: name: cronie state: present become: true - when: + when: - rhel9cis_rule_5_1_1 - '"cronie" not in ansible_facts.packages' + tags: + - level1-server + - level1-workstation + - rule_5.1.1 + - cron - name: "PRELIM | Install authconfig" package: @@ -83,8 +133,16 @@ - rhel9cis_rule_5_3_1 or rhel9cis_rule_5_3_2 or rhel9cis_rule_5_3_3 or - '"authconfig" not in ansible_facts.packages' or - '"auditd-lib" not in ansible_facts.packages' + '"authconfig" not in ansible_facts.packages or + "auditd-lib" not in ansible_facts.packages' + tags: + - level1-server + - level1-workstation + - rule_5.3.1 or + rule_5.3.2 or + rule_5.3.3 + - authconfig + - auditd - name: "PRELIM | Set facts based on boot type" block: @@ -103,12 +161,22 @@ set_fact: grub2_path: /etc/grub2-efi.cfg when: rhel_09_efi_boot.stat.exists + when: + - not system_is_container + tags: + - bootloader + - grub - name: "PRELIM | AUDIT | Ensure permissions on bootloader config are configured | Get grub config file stats" stat: path: "{{ grub2_path }}" changed_when: false register: grub_cfg + when: + - not system_is_container + tags: + - bootloader + - grub - name: "PRELIM | Check for rhnsd service" shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" 
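Review bot: The rewritten authconfig condition chains everything with `or`, so `'"authconfig" not in ansible_facts.packages or "auditd-lib" not in ansible_facts.packages'` alone triggers the install even when rules 5.3.1–5.3.3 are all disabled; if the package-absent test is meant to matter only when one of those rules is enabled, make it a separate list item so Ansible ANDs it: `- rhel9cis_rule_5_3_1 or rhel9cis_rule_5_3_2 or rhel9cis_rule_5_3_3` followed by `- '"authconfig" not in ansible_facts.packages or "auditd-lib" not in ansible_facts.packages'`. The single-quoted scalar that spans two `when:` lines is valid YAML but fragile; a `>-` block scalar reads more clearly. In the bootloader hunk the `grub_cfg` stat is now skipped on containers, so any later task reading `grub_cfg.stat` must carry the same `not system_is_container` guard, which I cannot verify from this hunk.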
@@ -118,5 +186,36 @@ register: rhnsd_service_status when: - rhel9cis_rule_1_2_2 + - ansible_distribution == "RedHat" tags: + - rule_1.2.2 - skip_ansible_lint + +- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" + block: + - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" + shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' + changed_when: false + register: uid_min_id + + - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" + shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' + changed_when: false + register: uid_max_id + + - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def" + shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' + changed_when: false + register: gid_min_id + + - name: "PRELIM | AUDIT | set_facts for interactive uid/gid" + set_fact: + min_int_uid: "{{ uid_min_id.stdout }}" + max_int_uid: "{{ uid_max_id.stdout }}" + min_int_gid: "{{ gid_min_id.stdout }}" +- debug: + msg: "{{ min_int_uid }} {{ max_int_uid }}" + + when: + - not discover_int_uid + diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 9580f53..52372a3 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -37,12 +37,13 @@ - rule_1.2.2 - name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured" - shell: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release + shell: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}" args: warn: false when: - rhel9cis_rule_1_2_3 - - ansible_distribution == "RedHat" + - ansible_distribution == "RedHat" or + ansible_distribution == "Rocky" tags: - level1-server - level1-workstation diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index b8c8e8e..933804e 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml 
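Review bot: The UID discovery block runs `when: - not discover_int_uid`, the inverse of the defaults (`discover_int_uid: false`, with the comment saying discovery happens when it is set true): by default the block overrides `min_int_uid`/`max_int_uid` from /etc/login.defs and enabling the toggle disables it, so the `not` should go. From the collapsed layout the stray `- debug:` task appears to sit at task level between the block and its `when:`, which would attach the condition to the debug task and leave the block unconditional; the commit message says that debug was meant to be removed. The grep/awk tasks have `changed_when: false` but, unlike the other PRELIM shell tasks, no `check_mode: false`, so in check mode they are skipped and the following `set_fact` dereferences a `stdout` that does not exist; add `check_mode: false` and a guard such as `failed_when: uid_min_id.stdout | length == 0` so an empty match cannot flow into the `auid>=` filters of the auditd template. The task name reads `UID MIN and MIN from logins.def`; the file is /etc/login.defs and the second value is MAX.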
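Review bot: The 1.2.3 GPG check is still conditioned on `ansible_distribution == "RedHat" or ansible_distribution == "Rocky"`, so AlmaLinux, the subject of this commit and the distribution for which vars/AlmaLinux.yml now defines `rpm_gpg_key`, keeps skipping the key fingerprint audit. If Alma is supported, add `or ansible_distribution == "AlmaLinux"`, or drop the distribution test and rely on `rpm_gpg_key` being supplied by the per-OS vars file. `rpm_gpg_key` comes from role vars rather than from the host, so quoting it as done here is sufficient, but `command:` would avoid the shell entirely.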
@@ -2,41 +2,41 @@ - name: "SECTION | 1.1 | FileSystem Configurations\n SECTION | 1.1.1.x | Disable unused filesystems" - include_tasks: cis_1.1.1.x.yml -- include_tasks: cis_1.1.x.yml + import_tasks: cis_1.1.1.x.yml +- import_tasks: cis_1.1.x.yml - name: "SECTION | 1.2 | Configure Software Updates" - include_tasks: cis_1.2.x.yml + import_tasks: cis_1.2.x.yml - name: "SECTION | 1.3 | Configure sudo" - include_tasks: cis_1.3.x.yml + import_tasks: cis_1.3.x.yml - name: "SECTION | 1.4 | Filesystem Integrity" - import_tasks: cis_1.4.x.yml + include_tasks: cis_1.4.x.yml when: rhel9cis_config_aide - name: "SECTION | 1.5 | Secure Boot Settings" - include_tasks: cis_1.5.x.yml + import_tasks: cis_1.5.x.yml - name: "SECTION | 1.6 | Additional Process Hardening" - include_tasks: cis_1.6.x.yml + import_tasks: cis_1.6.x.yml - name: "SECTION | 1.7 | bootloader and Mandatory Access Control" - import_tasks: cis_1.7.1.x.yml + include_tasks: cis_1.7.1.x.yml when: not rhel9cis_selinux_disable - name: "SECTION | 1.8 | Warning Banners" - include_tasks: cis_1.8.1.x.yml + import_tasks: cis_1.8.1.x.yml - name: "SECTION | 1.9 | Updated and Patches" - include_tasks: cis_1.9.yml + import_tasks: cis_1.9.yml - name: "SECTION | 1.10 | Crypto policies" - import_tasks: cis_1.10.yml + include_tasks: cis_1.10.yml when: - not system_is_ec2 - name: "SECTION | 1.11 | FIPS/FUTURE Crypto policies" - import_tasks: cis_1.11.yml + include_tasks: cis_1.11.yml when: - not system_is_ec2 diff --git a/tasks/section_2/cis_2.2.1.x.yml b/tasks/section_2/cis_2.2.1.x.yml index 78f52ae..8b8b39c 100644 --- a/tasks/section_2/cis_2.2.1.x.yml +++ b/tasks/section_2/cis_2.2.1.x.yml @@ -6,7 +6,7 @@ state: present when: - rhel9cis_rule_2_2_1_1 - - not rhel9cis_system_is_container + - not system_is_container tags: - level1-server - level1-workstation 
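Review bot: The sections that keep a `when:` (1.4, 1.7, 1.10, 1.11) are switched from `import_tasks` to `include_tasks` and the includes carry no tags; with a dynamic include only the include task itself is matched against `--tags`, so `ansible-playbook --tags rule_1.4.1` (or `level1-server`) now silently skips everything in those files while the statically imported sections still respond. Add `tags: - always` to each conditional `include_tasks`, or keep `import_tasks` and let Ansible push the `when` down to each imported task as before. The same swap is made in section_3/main.yml, section_4/main.yml and section_5/main.yml in this commit. A header comment such as `# import_tasks for static sections (tags propagate); include_tasks only where a when: must gate the whole file` would keep future edits consistent.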
@@ -34,7 +34,7 @@ when: - rhel9cis_time_synchronization == "chrony" - rhel9cis_rule_2_2_1_2 - - not rhel9cis_system_is_container + - not system_is_container tags: - level1-server - level1-workstation diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index f2ed232..2b705ae 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,13 +1,13 @@ --- - name: "SECTION | 2.1 | xinetd" - include_tasks: cis_2.1.1.yml + import_tasks: cis_2.1.1.yml - name: "SECTION | 2.2.1 | Time Synchronization" - include_tasks: cis_2.2.1.x.yml + import_tasks: cis_2.2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" - include_tasks: cis_2.2.x.yml + import_tasks: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" - include_tasks: cis_2.3.x.yml + import_tasks: cis_2.3.x.yml diff --git a/tasks/section_3/cis_3.4.1.1.yml b/tasks/section_3/cis_3.4.1.1.yml index 3373d97..fc78b06 100644 --- a/tasks/section_3/cis_3.4.1.1.yml +++ b/tasks/section_3/cis_3.4.1.1.yml @@ -6,6 +6,7 @@ state: present when: - rhel9cis_rule_3_4_1_1 + - not system_is_container tags: - level1-server - level1-workstation diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index b199ac9..68b08dc 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -17,7 +17,6 @@ - name: "3.4.2.2 | L1 | PATCH | Ensure iptables is not enabled with firewalld" systemd: name: iptables - enabled: false masked: true when: - rhel9cis_firewall == "firewalld" diff --git a/tasks/section_3/main.yml b/tasks/section_3/main.yml index 7d6af68..13b42fc 100644 --- a/tasks/section_3/main.yml +++ b/tasks/section_3/main.yml 
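Review bot: With `enabled: false` removed, 3.4.2.2 only masks the iptables unit; masking prevents future starts but does not stop an instance that is already running, so a host where iptables was active stays that way until reboot, which is presumably why the original carried both keys. If `enabled: false` was dropped because the module objects to it on a masked unit, `state: stopped` alongside `masked: true` keeps the control effective without that conflict. The other hunks on this line are variable renames and import swaps.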
@@ -1,41 +1,41 @@ --- - name: "SECTION | 3.1.x | Packet and IP redirection" - include_tasks: cis_3.1.x.yml + import_tasks: cis_3.1.x.yml - name: "SECTION | 3.2.x | Network Parameters (Host Only)" - include_tasks: cis_3.2.x.yml + import_tasks: cis_3.2.x.yml - name: "SECTION | 3.3.x | Uncommon Network Protocols" - include_tasks: cis_3.3.x.yml + import_tasks: cis_3.3.x.yml - name: "SECTION | 3.4.1.x | firewall defined" - include_tasks: cis_3.4.1.1.yml + import_tasks: cis_3.4.1.1.yml - name: "SECTION | 3.4.2.x | firewalld firewall" - import_tasks: cis_3.4.2.x.yml + include_tasks: cis_3.4.2.x.yml when: - rhel9cis_firewall == "firewalld" - name: "SECTION | 3.4.3.x | Configure nftables firewall" - import_tasks: cis_3.4.3.x.yml + include_tasks: cis_3.4.3.x.yml when: - rhel9cis_firewall == "nftables" - name: "SECTION | 3.4.4.1.x | Configure iptables IPv4" - import_tasks: cis_3.4.4.1.x.yml + include_tasks: cis_3.4.4.1.x.yml when: - rhel9cis_firewall == "iptables" - name: "SECTION | 3.4.4.2.x | Configure iptables IPv6" - import_tasks: cis_3.4.4.2.x.yml + include_tasks: cis_3.4.4.2.x.yml when: - ( rhel9cis_firewall == "iptables" and rhel9cis_ipv6_required ) - name: "SECTION | 3.5 | Configure wireless" - include_tasks: cis_3.5.yml + import_tasks: cis_3.5.yml - name: "SECTION | 3.5 | disable IPv6" - import_tasks: cis_3.5.yml + include_tasks: cis_3.5.yml when: - not rhel9cis_ipv6_required diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index 13b49d9..0257bf8 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -20,6 +20,7 @@ - level2-workstation - patch - rule_4.1.1.1 + - auditd - name: "4.1.1.2 | L2 | PATCH | Ensure auditd service is enabled" service: @@ -29,7 +30,7 @@ when: - not rhel9cis_skip_for_travis - rhel9cis_rule_4_1_1_2 - - ansible_connection != 'docker' + - not system_is_container tags: - level2-server - level2-workstation 
@@ -104,4 +105,5 @@ - level2-server - level2-workstation - patch + - auditd - rule_4.1.1.4 diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 853a215..7e7fafb 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -17,6 +17,7 @@ - { path: "/etc/logrotate.conf" } when: - rhel9cis_rule_4_3 + - "'logrotate' in ansible_facts.packages" tags: - level1-server - level1-workstation diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 910a9e2..8e84241 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -2,22 +2,24 @@ - name: "SECTION | 4.1| Configure System Accounting (auditd)" include_tasks: cis_4.1.1.x.yml + when: + - not system_is_container - name: "SECTION | 4.1.2.x| Configure Data Retention" - include_tasks: cis_4.1.2.x.yml + import_tasks: cis_4.1.2.x.yml - name: "SECTION | 4.1.x| Auditd rules" - include_tasks: cis_4.1.x.yml + import_tasks: cis_4.1.x.yml - name: "SECTION | 4.2.x| Configure Logging" import_tasks: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' - name: "SECTION | 4.2.2.x| Configure journald" - include_tasks: cis_4.2.2.x.yml + import_tasks: cis_4.2.2.x.yml - name: "SECTION | 4.2.3 | Configure logile perms" - include_tasks: cis_4.2.3.yml + import_tasks: cis_4.2.3.yml - name: "SECTION | 4.3 | Configure logrotate" - include_tasks: cis_4.3.yml + import_tasks: cis_4.3.yml diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 0d8cfa0..ebed1bd 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -13,7 +13,7 @@ - item.id != "sync" - item.id != "shutdown" - item.id != "halt" - - item.gid < rhel9cis_int_gid + - item.uid < 1000 - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" @@ -28,7 +28,7 @@ - item.id != "shutdown" - item.id != "sync" - item.id != "root" - - item.gid < rhel9cis_int_gid + - min_int_uid | int >= item.uid - item.shell != " /bin/false" - item.shell != " /usr/sbin/nologin" when: 
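Review bot: The two 5.5.x filters now disagree on what counts as a system account: the first hunk hard-codes `item.uid < 1000`, the second uses `min_int_uid | int >= item.uid`, and with `min_int_uid` now configurable and discoverable the hard-coded value is the one that goes stale. Use one boundary in both places, e.g. `- item.uid < min_int_uid | int`; note the second form also treats `uid == min_int_uid` as a system account, which the first does not.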
diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 6195af5..08e5c45 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -1,27 +1,29 @@ --- - name: "SECTION | 5.1 | Configure time-based job schedulers" - include_tasks: cis_5.1.x.yml + import_tasks: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure SSH Server" include_tasks: cis_5.2.x.yml + when: + - "'openssh-server' in ansible_facts.packages" - name: "SECTION | 5.3 | Configure Profiles" - import_tasks: cis_5.3.x.yml + include_tasks: cis_5.3.x.yml when: - - rhel9cis_use_authconfig + - rhel9cis_use_authconfig - name: "SECTION | 5.4 | Configure PAM " - include_tasks: cis_5.4.x.yml + import_tasks: cis_5.4.x.yml - name: "SECTION | 5.5.1.x | Passwords and Accounts" - include_tasks: cis_5.5.1.x.yml + import_tasks: cis_5.5.1.x.yml - name: "SECTION | 5.5.x | System Accounts and User Settings" - include_tasks: cis_5.5.x.yml + import_tasks: cis_5.5.x.yml - name: "SECTION | 5.6 | Root Login" - include_tasks: cis_5.6.yml + import_tasks: cis_5.6.yml - name: Section | 5.7 | su Command Restriction - include_tasks: cis_5.7.yml + import_tasks: cis_5.7.yml diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index b618417..c825229 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -134,7 +134,7 @@ - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" stat: path: "{{ item }}" - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}" register: rhel_09_6_2_7_audit - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" 
@@ -177,7 +177,8 @@ recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not rhel9cis_system_is_container + when: + - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_09_6_2_7_patch_audit, rhel_09_6_2_7_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" @@ -203,7 +204,7 @@ loop_control: label: "{{ rhel9cis_passwd_label }}" when: - - item.uid >= rhel9cis_int_gid + - min_int_uid | int >= item.uid - rhel9cis_rule_6_2_8 tags: - skip_ansible_lint # settings found on 6_2_7 @@ -499,7 +500,7 @@ stat: path: "{{ item }}" register: rhel_09_6_2_20_audit - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}" - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist" shell: find -H {{ item.0 | quote }} -not -type l -perm /027 @@ -541,7 +542,8 @@ recursive: true etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not rhel9cis_system_is_container + when: + - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_09_6_2_20_patch_audit, rhel_09_6_2_20_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index 479b9c8..b6acabf 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -1,7 +1,7 @@ --- - name: "SECTION | 6.1 | System File Permissions" - include_tasks: cis_6.1.x.yml + import_tasks: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - include_tasks: cis_6.2.x.yml + import_tasks: cis_6.2.x.yml 
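Review bot: In the 6.2.8 hunk `- item.uid >= rhel9cis_int_gid` becomes `- min_int_uid | int >= item.uid`, which flips the comparison: the task now selects accounts whose uid is at or below the interactive minimum, i.e. system accounts, instead of the interactive users it checked before, and it contradicts the 6.2.7 and 6.2.20 filters in the same file that keep `uid >= min_int_uid` and add `uid < max_int_uid`. Change it to `- item.uid >= min_int_uid | int` and `- item.uid < max_int_uid | int` so all three rules iterate the same user set. The `| int` casts are needed because the PRELIM discovery stores the bounds as registered `stdout` strings.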
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
index da5664b..43897d7 100644
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@@ -32,18 +32,18 @@ -w /etc/sysconfig/network -p wa -k system-locale {% endif %} {% if rhel9cis_rule_4_1_9 %} --a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod +-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod {% endif %} {% if rhel9cis_rule_4_1_10 %} --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F 
auid!=4294967295 -F key=access --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access +-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access +-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access {% endif %} {% if rhel9cis_rule_4_1_11 %} -w /etc/group -p wa -k identity 
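Review bot: The audit rules interpolate `{{ min_int_uid }}` unvalidated; when discovery is active the value is a registered `stdout` string, and an empty or non-numeric result renders `-F auid>=`, which the rule loader should reject, so the perm_mod and access rule set can fail to load outright rather than degrade. Validate the value in the PRELIM discovery (fail when `stdout` is empty or not an integer) rather than casting here, since `{{ min_int_uid | int }}` would turn a bad value into 0 and make these rules match every auid. The second hunk (mounts, privileged, delete) has the same dependency.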
@@ -53,17 +53,17 @@ -w /etc/security/opasswd -p wa -k identity {% endif %} {% if rhel9cis_rule_4_1_12 %} --a always,exit -F arch=b32 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts --a always,exit -F arch=b64 -S mount -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k mounts +-a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts +-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts {% endif %} {% if rhel9cis_rule_4_1_13 %} {% for proc in priv_procs.stdout_lines -%} --a always,exit -F path={{ proc }} -F perm=x -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -k privileged +-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=4294967295 -k privileged {% endfor %} {% endif %} {% if rhel9cis_rule_4_1_14 %} --a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete --a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ rhel9cis_int_gid }} -F auid!=4294967295 -F key=delete +-a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete +-a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete {% endif %} {% if rhel9cis_rule_4_1_15 %} -w /usr/sbin/insmod -p x -k modules diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml new file mode 100644 index 0000000..8f9f4b7 --- /dev/null +++ b/vars/AlmaLinux.yml @@ -0,0 +1,4 @@ +--- +# OS Specific Settings + +rpm_gpg_key: RPM-GPG-KEY-AlmaLinux \ No newline at end of file diff --git a/vars/RedHat.yml b/vars/RedHat.yml new file mode 100644 index 0000000..d67cedc --- /dev/null +++ b/vars/RedHat.yml @@ -0,0 +1,4 @@ +--- +# OS Specific Settings + +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-official 
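Review bot: `vars/AlmaLinux.yml` sets `rpm_gpg_key: RPM-GPG-KEY-AlmaLinux` as a bare file name while RedHat.yml and Rocky.yml use absolute `/etc/pki/rpm-gpg/...` paths; cis_1.2.x.yml passes the value straight to `gpg --with-fingerprint`, which would resolve a bare name against the working directory, so it should be `/etc/pki/rpm-gpg/RPM-GPG-KEY-AlmaLinux` (confirm the exact file name on an Alma 9 host). RedHat.yml changes the suffix from the previous `-release` to `-official` (`RPM-GPG-KEY-{{ ansible_distribution|lower }}-official`); I cannot confirm a file of that name ships on RHEL 9, so please check before relying on it. AlmaLinux.yml is also missing its trailing newline.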
diff --git a/vars/Rocky.yml b/vars/Rocky.yml
new file mode 100644
index 0000000..7c8ae0b
--- /dev/null
+++ b/vars/Rocky.yml
@@ -0,0 +1,4 @@
+---
+# OS Specific Settings
+
+rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
diff --git a/vars/is_container.yml b/vars/is_container.yml
new file mode 100644
index 0000000..a8ac4fb
--- /dev/null
+++ b/vars/is_container.yml
@@ -0,0 +1,95 @@
+---
+
+# File to skip controls if container
+# Based on standard image no changes
+# it expected all pkgs required for the container are alreday installed
+
+## controls
+
+# Authconfig
+rhel9cis_use_authconfig: false
+
+# Firewall
+rhel9cis_firewall: None
+
+# SElinux
+rhel9cis_selinux_disable: true
+
+
+## Related individual rules
+# Aide
+rhel9cis_rule_1_4_1: false
+rhel9cis_rule_1_4_2: false
+
+# auditd
+rhel9cis_rule_4_1_1_1: false
+rhel9cis_rule_4_1_2_1: false
+rhel9cis_rule_4_1_2_2: false
+rhel9cis_rule_4_1_2_3: false
+
+# time sync
+rhel9cis_rule_2_2_1_1: false
+rhel9cis_rule_2_2_1_2: false
+
+# cron
+rhel9cis_rule_5_1_1: false
+rhel9cis_rule_5_1_2: false
+rhel9cis_rule_5_1_3: false
+rhel9cis_rule_5_1_4: false
+rhel9cis_rule_5_1_5: false
+rhel9cis_rule_5_1_6: false
+rhel9cis_rule_5_1_7: false
+rhel9cis_rule_5_1_8: false
+
+# crypto
+rhel9cis_rule_1_10: false
+rhel9cis_rule_1_11: false
+
+# grub
+rhel9cis_rule_1_5_1: false
+rhel9cis_rule_1_5_2: false
+rhel9cis_rule_1_5_3: false
+
+## mounts
+# /tmp
+rhel9cis_rule_1_1_2: false
+rhel9cis_rule_1_1_3: false
+rhel9cis_rule_1_1_4: false
+rhel9cis_rule_1_1_5: false
+#/var
+rhel9cis_rule_1_1_6: false
+# /var/tmp
+rhel9cis_rule_1_1_7: false
+rhel9cis_rule_1_1_8: false
+rhel9cis_rule_1_1_9: false
+rhel9cis_rule_1_1_10: false
+# /var/log
+rhel9cis_rule_1_1_11: false
+# /var/log/audit
+rhel9cis_rule_1_1_12: false
+# /home
+rhel9cis_rule_1_1_13: false
+rhel9cis_rule_1_1_14: false
+# /dev/shm
+rhel9cis_rule_1_1_15: false
+rhel9cis_rule_1_1_16: false
+rhel9cis_rule_1_1_17: false
+# usb-storage
+rhel9cis_rule_1_1_23: false
+
+# logging
+rhel9cis_rule_4_2_1_1: false
+rhel9cis_rule_4_2_1_2: false
+rhel9cis_rule_4_2_1_3: false
+rhel9cis_rule_4_2_1_4: false
+rhel9cis_rule_4_2_1_5: false
+rhel9cis_rule_4_2_1_6: false
+rhel9cis_rule_4_2_2_1: false
+rhel9cis_rule_4_2_2_2: false
+rhel9cis_rule_4_2_2_3: false
+
+# systemd
+rhel9cis_rule_1_6_1: false
+
+# Users/passwords/accounts
+rhel9cis_rule_5_5_2: false
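Review bot: `rhel9cis_firewall: None` is a plain scalar that YAML reads as the string `None`, not a null; the section_3 tasks compare `rhel9cis_firewall` against `"firewalld"`, `"nftables"` and `"iptables"`, so this works only by accident and a reader may assume it nulls the setting. Quote it and state the intent, e.g. `rhel9cis_firewall: "None"  # no firewall is configured inside a container`, or use whatever sentinel the role documents for "no firewall". Given that this file turns off the auditd, crypto-policy, SELinux, mount and firewall controls as soon as tasks/main.yml detects a container, the header should say so plainly, e.g. `# Loaded automatically when a container is detected; these controls are disabled because they cannot be applied inside one`, and `alreday` should read `already`.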
diff --git a/vars/main.yml b/vars/main.yml
index 83b0489..b18097b 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,5 +1,7 @@
 ---
 # vars file for RHEL9-CIS
+
+min_ansible_version: 2.9
 rhel9cis_allowed_crypto_policies:
 - 'FUTURE'
 - 'FIPS'
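Review bot: `min_ansible_version: 2.9` is an unquoted float; `2.9` happens to round-trip, but a future bump to `2.10` would be parsed as the float `2.1`, and the `version_compare(min_ansible_version, '>=')` assert in tasks/main.yml would then accept Ansible 2.9 against an intended minimum of 2.10. Quote it as a string: `min_ansible_version: "2.9"`.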