From 06a1f2997c1a9eb846be25e8b58de1b8e9fd4914 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 24 Jul 2024 14:01:10 +0100 Subject: [PATCH] section 7 v2 initial Signed-off-by: Mark Bolwell --- tasks/section_7/cis_7.1.x.yml | 321 +++++++++++++++++++++++++++++++ tasks/section_7/cis_7.2.x.yml | 346 ++++++++++++++++++++++++++++++++++ tasks/section_7/main.yml | 9 + 3 files changed, 676 insertions(+) create mode 100644 tasks/section_7/cis_7.1.x.yml create mode 100644 tasks/section_7/cis_7.2.x.yml create mode 100644 tasks/section_7/main.yml diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml new file mode 100644 index 0000000..7517062 --- /dev/null +++ b/tasks/section_7/cis_7.1.x.yml @@ -0,0 +1,321 @@ +--- + +- name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured" + when: + - rhel9cis_rule_7_1_1 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.1 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/passwd + owner: root + group: root + mode: 'u-x,go-wx' + +- name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured" + when: + - rhel9cis_rule_7_1_2 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/passwd- + owner: root + group: root + mode: 'u-x,go-wx' + +- name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured" + when: + - rhel9cis_rule_7_1_3 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/group + owner: root + group: root + mode: 'u-x,go-wx' + +- name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured" + when: + - rhel9cis_rule_7_1_4 + tags: + - level1-server + - level1-workstation + - patch + - permissionss + - rule_7.1.4 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/group- + owner: root + group: root + mode: 'u-x,go-wx' + +- name: "7.1.5 | PATCH | Ensure permissions on /etc/shadow are configured" + when: + - rhel9cis_rule_7_1_5 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.5 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/shadow + owner: root + group: root + mode: '0000' + +- name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" + when: + - rhel9cis_rule_7_1_6 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.6 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/shadow- + owner: root + group: root + mode: '0000' + +- name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured" + when: + - rhel9cis_rule_7_1_7 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.7 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/gshadow + owner: root + group: root + mode: '0000' + +- name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured" + when: + - rhel9cis_rule_7_1_8 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.8 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/gshadow- + owner: root + group: root + mode: '0000' + +- name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured" + when: + - rhel9cis_rule_7_1_9 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.9 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/shells + owner: root + group: root + mode: 'u-x,go-wx' + +- name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured" + when: + - rhel9cis_rule_7_1_10 + tags: + - level1-server + - level1-workstation + - patch + - permissions + - rule_7.1.10 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + ansible.builtin.file: + path: /etc/security/opasswd + owner: root + group: root + mode: 'u-x,go-wx' + +- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured" + when: + - rhel9cis_rule_7_1_11 + tags: + - level1-server + - level1-workstation + - patch + - files + - permissions + - rule_7.1.11 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + block: + - name: "7.1.11 | AUDIT | Ensure world writable files and directories are secured | Get list of world-writable files" + ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 + failed_when: false + changed_when: false + register: rhel_09_7_1_11_perms_results + + - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" + when: + - rhel_09_7_1_11_perms_results.stdout_lines is defined + - rhel9cis_no_world_write_adjust + ansible.builtin.file: + path: '{{ item }}' + mode: o-w + state: touch + loop: "{{ rhel_09_7_1_11_perms_results.stdout_lines }}" + + - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit" + ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t + +- name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist" + when: + - rhel9cis_rule_7_1_12 + tags: + - level1-server + - level1-workstation + - patch + - rule_7.1.12 + - permissions + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + warn_control_id: '7.1.12' + block: + - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories" + ansible.builtin.shell: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs + changed_when: false + failed_when: false + check_mode: false + register: discovered_unowned_files + with_items: + - "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.mount }}" + + - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Flatten no_user_items results for easier use" + ansible.builtin.set_fact: + discovered_unowned_files_flatten: "{{ discovered_unowned_files.results | map(attribute='stdout_lines') | flatten }}" + + - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Alert on unowned files and directories" + when: + - not rhel9cis_ownership_adjust + - discovered_unowned_files_flatten | length > 0 + ansible.builtin.debug: + msg: + - "Warning!! You have unowned files and are configured to not auto-remediate for this task" + - "Please review the files/directories below and assign an owner" + - "{{ discovered_unowned_files_flatten }}" + + - name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist | Set files/directories to configured owner and group" + when: + - rhel9cis_ownership_adjust + - discovered_unowned_files_flatten | length > 0 + ansible.builtin.file: + path: "{{ item }}" + owner: "{{ rhel9cis_unowned_owner }}" + group: "{{ rhel9cis_unowned_group }}" + with_items: + - "{{ udiscovered_unowned_files_flatten }}" + + - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Warn Count" + when: + - not rhel9cis_ownership_adjust + - discovered_unowned_files_flatten | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed" + when: + - rhel9cis_rule_7_1_13 + tags: + - level1-server + - level1-workstation + - audit + - rule_7.1.13 + - permissions + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 + vars: + warn_control_id: '7.1.13' + block: + - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID" + ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs + changed_when: false + failed_when: false + check_mode: false + register: discovered_suid_sgid_files + with_items: + - "{{ ansible_facts.mounts }}" + loop_control: + label: "{{ item.mount }}" + + - name: "7.1.13 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use" + ansible.builtin.set_fact: + discovered_suid_sgid_files_flatten: "{{ discovered_suid_sgid_files.results | map(attribute='stdout_lines') | flatten }}" + + - name: "7.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" + when: + - discovered_suid_sgid_files_flatten | length > 0 + - not rhel9cis_suid_sgid_adjust + ansible.builtin.debug: + msg: + - "Warning!! You have SUID executables" + - "The files are listed below, please confirm the integrity of these binaries" + - "{{ discovered_suid_sgid_files_flatten }}" + + - name: "7.1.13 | PATCH | Audit SUID executables | Remove SUID bit" + when: + - rhel9cis_suid_sgid_adjust + - discovered_suid_sgid_files_flatten | length > 0 + ansible.builtin.file: + path: "{{ item }}" + mode: 'u-s' + with_items: + - "{{ discovered_suid_sgid_files_flatten }}" + + - name: "7.1.13 | AUDIT | Audit SUID executables | Warn Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + when: + - discovered_suid_sgid_files_flatten | length > 0 + - not rhel9cis_suid_sgid_adjust diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml new file mode 100644 index 0000000..5cfbbc3 --- /dev/null +++ b/tasks/section_7/cis_7.2.x.yml @@ -0,0 +1,346 @@ +--- + +- name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" + when: + - rhel9cis_rule_7_2_1 + tags: + - level1-server + - level1-workstation + - audit + - rule_7.2.1 + - user_accounts + - NIST800-53R5_IA-5 + vars: + warn_control_id: '7.2.1' + block: + - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Get users not using shadowed passwords" + ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1}' /etc/passwd + changed_when: false + failed_when: false + register: discovered_nonshadowed_users + + - name: "7.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Warn on findings" + when: discovered_nonshadowed_users.stdout | length > 0 + ansible.builtin.debug: + msg: + - "Warning!! You have users that are not using a shadowed password. Please convert the below accounts to use a shadowed password" + - "{{ discovered_nonshadowed_users.stdout_lines }}" + + - name: "7.2.1 | WARNING | Ensure accounts in /etc/passwd use shadowed passwords | warn_count" + when: discovered_nonshadowed_users.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty" + when: + - rhel9cis_rule_7_2_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_7.2.2 + - user + - permissions + - NIST800-53R5_IA-5 + block: + - name: "7.2.2 | AUDIT | Ensure /etc/shadow password fields are not empty | Find users with no password" + ansible.builtin.shell: awk -F":" '($2 == "" ) { print $1 }' /etc/shadow + changed_when: false + check_mode: false + register: discovered_empty_password_acct + + - name: "7.2.2 | PATCH | Ensure /etc/shadow password fields are not empty | Lock users with empty password" + when: discovered_empty_password_acct.stdout | length > 0 + ansible.builtin.user: + name: "{{ item }}" + password_lock: true + loop: + - "{{ discovered_empty_password_acct.stdout_lines }}" + +- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" + when: + - rhel9cis_rule_7_2_3 + tags: + - level1-server + - level1-workstation + - audit + - rule_7.2.3 + - groups + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + vars: + warn_control_id: '7.2.3' + block: + - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" + ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' + changed_when: false + failed_when: false + check_mode: false + register: discovered_passwd_gid_check + + - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" + when: discovered_passwd_gid_check.stdout | length > 0 + ansible.builtin.debug: + msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join (', ') }}" + + - name: "7.2.3 | WARNING | Ensure all groups in /etc/passwd exist in /etc/group | warn_count" + when: discovered_passwd_gid_check.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist" + when: + - rhel9cis_rule_7_2_4 + tags: + - level1-server + - level1-workstation + - audit + - rule_7.2.4 + - user + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + vars: + warn_control_id: '7.2.4' + block: + - name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" + changed_when: false + failed_when: false + check_mode: false + register: discovered_user_uid_check + + - name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" + when: discovered_user_uid_check.stdout | length > 0 + ansible.builtin.debug: + msg: "Warning!! The following users have UIDs that are duplicates: {{ discovered_user_uid_check.stdout_lines }}" + + - name: "7.2.4 | AUDIT | Ensure no duplicate UIDs exist | Set warning count" + when: discovered_user_uid_check.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist" + when: + - rhel9cis_rule_7_2_5 + tags: + - level1-server + - level1-workstation + - audit + - rule_7.2.5 + - groups + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + vars: + warn_control_id: '7.2.5' + block: + - name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" + changed_when: false + failed_when: false + check_mode: false + register: discovered_user_gid_check + + - name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" + when: discovered_user_gid_check.stdout | length > 0 + ansible.builtin.debug: + msg: "Warning!! The following groups have duplicate GIDs: {{ discovered_user_gid_check.stdout_lines }}" + + - name: "7.2.5 | AUDIT | Ensure no duplicate GIDs exist | Set warning count" + when: discovered_user_gid_check.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "7.2.6 | AUDIT | Ensure no duplicate user names exist" + vars: + warn_control_id: '7.2.6' + when: + - rhel9cis_rule_7_2_6 + tags: + - level1-server + - level1-workstation + - audit + - rule_7.2.6 + - user + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + block: + - name: "7.2.6 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" + changed_when: false + failed_when: false + check_mode: false + register: discovered_username_check + + - name: "7.2.6 | WARNING | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" + when: discovered_username_check.stdout | length > 0 + ansible.builtin.debug: + msg: "Warning!! The following user names are duplicates: {{ discovered_user_username_check.stdout_lines }}" + + - name: "7.2.6 | WARNING | Ensure no duplicate user names exist | Set warning count" + when: discovered_username_check.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "7.2.7 | AUDIT | Ensure no duplicate group names exist" + when: + - rhel9cis_rule_7_2_7 + tags: + - level1-server + - level1-workstation + - audit + - rule_7.2.7 + - groups + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + vars: + warn_control_id: '7.2.7' + block: + - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" + ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' + changed_when: false + failed_when: false + check_mode: false + register: discovered_group_check + + - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" + when: discovered_group_check.stdout | length > 0 + ansible.builtin.debug: + msg: "Warning!! The following group names are duplicates: {{ discovered_group_group_check.stdout_lines }}" + + - name: "7.2.7 | AUDIT | Ensure no duplicate group names exist | Set warning count" + when: discovered_group_check.stdout | length > 0 + ansible.builtin.import_tasks: + file: warning_facts.yml + +- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured" + when: + - rhel9cis_rule_7_2_8 + tags: + - level1-server + - level1-workstation + - patch + - users + - rule_7.2.8 + block: + - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent" + ansible.builtin.file: + path: "{{ item.dir }}" + state: directory + owner: "{{ item.id }}" + group: "{{ item.gid }}" + loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" + loop_control: + label: "{{ item.id }}" + + # set default ACLs so the homedir has an effective umask of 0027 + - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Set group ACL" + when: not system_is_container + ansible.posix.acl: + path: "{{ item }}" + default: true + etype: group + permissions: rx + state: present + loop: "{{ prelim_interactive_users_home.stdout_lines }}" + + - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Set other ACL" + when: not system_is_container + ansible.posix.acl: + path: "{{ item }}" + default: true + etype: other + permissions: 0 + state: present + loop: "{{ prelim_interactive_users_home.stdout_lines }}" + +- name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured" + when: + - rhel9cis_rule_7_2_9 + - rhel9cis_disruption_high + tags: + - level1-server + - level1-workstation + - patch + - rule_7.2.9 + - user + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-2 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-7 + - NIST800-53R5_IA-5 + vars: + warn_control_id: '7.2.9' + block: + - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Check for files" + ansible.builtin.shell: find /home/ -name "\.*" -perm /g+w,o+w + changed_when: false + failed_when: discovered_homedir_dot_files.rc not in [ 0, 1 ] + check_mode: false + register: discovered_homedir_dot_files + + - name: "7.2.9 | AUDIT | Ensure local interactive user dot files access is configured | Warning on files found" + when: + - discovered_homedir_dot_files.stdout | length > 0 + - rhel9cis_dotperm_ansiblemanaged + ansible.builtin.debug: + msg: + - "Warning!! We have discovered group or world-writable dot files on your system and this host is configured for manual intervention. Please investigate these files further." + + - name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Set warning count" + when: + - discovered_homedir_dot_files.stdout | length > 0 + - rhel9cis_dotperm_ansiblemanaged + ansible.builtin.import_tasks: + file: warning_facts.yml + + - name: "7.2.9 | PATCH | Ensure local interactive user dot files access is configured | Changes files if configured" + when: + - discovered_homedir_dot_files.stdout | length > 0 + - rhel9cis_dotperm_ansiblemanaged + ansible.builtin.file: + path: '{{ item }}' + mode: 'go-w' + with_items: "{{ discovered_homedir_dot_files.stdout_lines }}" + +- name: "7.2.4 | PATCH | Ensure shadow group is empty" + when: + - rhel9cis_rule_7_2_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_6.2.4 + - user + vars: + warn_control_id: '7.2.4' + block: + - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group" + ansible.builtin.getent: + database: group + split: ':' + key: shadow + + - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group" + ansible.builtin.debug: + msg: "Warning!! - You have users in the shadow group" + when: ansible_facts.getent_group.shadow[2] | length > 0 + + - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group" + ansible.builtin.import_tasks: + file: warning_facts.yml + when: ansible_facts.getent_group.shadow[2] | length > 0 diff --git a/tasks/section_7/main.yml b/tasks/section_7/main.yml new file mode 100644 index 0000000..2d1247a --- /dev/null +++ b/tasks/section_7/main.yml @@ -0,0 +1,9 @@ +--- + +- name: "SECTION | 7.1 | System File Permissions" + ansible.builtin.import_tasks: + file: cis_7.1.x.yml + +- name: "SECTION | 7.2 | Local User and Group Settings" + ansible.builtin.import_tasks: + file: cis_7.2.x.yml