forked from ansible-lockdown/RHEL9-CIS
Merge pull request #228 from ansible-lockdown/august_issues
August issues
This commit is contained in:
uk-bolly
GitHub
commit
0bcb867ef4
8 changed files with 29 additions and 36 deletions
|
|
@ -1,5 +1,4 @@
|
||||||
passlib
|
passlib
|
||||||
lxml
|
lxml
|
||||||
xmltodict
|
xmltodict
|
||||||
jmespath
|
|
||||||
yamllint
|
yamllint
|
||||||
|
|
|
||||||
|
|
@ -10,7 +10,7 @@
|
||||||
- name: Pre Audit Setup | Set audit package name | ARM64
|
- name: Pre Audit Setup | Set audit package name | ARM64
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
audit_pkg_arch_name: ARM64
|
audit_pkg_arch_name: ARM64
|
||||||
when: ansible_facts.machine == "arm64"
|
when: ansible_facts.machine == "aarch64"
|
||||||
|
|
||||||
- name: Pre Audit Setup | Download audit binary
|
- name: Pre Audit Setup | Download audit binary
|
||||||
ansible.builtin.get_url:
|
ansible.builtin.get_url:
|
||||||
|
|
|
||||||
|
|
@ -22,7 +22,7 @@
|
||||||
when:
|
when:
|
||||||
- audit_only
|
- audit_only
|
||||||
ansible.builtin.debug:
|
ansible.builtin.debug:
|
||||||
msg: "The Audit results are: {{ pre_audit_summary }}."
|
msg: "{{ audit_results.split('\n') }}"
|
||||||
|
|
||||||
- name: Audit_only | Stop Playbook Audit Only selected
|
- name: Audit_only | Stop Playbook Audit Only selected
|
||||||
when:
|
when:
|
||||||
|
|
|
||||||
|
|
@ -35,7 +35,7 @@
|
||||||
- audit_format == "documentation"
|
- audit_format == "documentation"
|
||||||
block:
|
block:
|
||||||
- name: Post Audit | Capture audit data if documentation format
|
- name: Post Audit | Capture audit data if documentation format
|
||||||
ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation"
|
ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '
|
||||||
register: post_audit_summary
|
register: post_audit_summary
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,7 @@
|
||||||
"4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
|
"4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ audit_discovered_logfile.stdout }}"
|
path: "{{ audit_discovered_logfile.stdout }}"
|
||||||
mode: "{% if auditd_logfile.stat.mode != '0600' %}0640{% endif %}"
|
mode: 'u-x,g-rw,o-rwx'
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
when:
|
when:
|
||||||
|
|
@ -50,7 +50,7 @@
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ audit_discovered_logfile.stdout | dirname }}"
|
path: "{{ audit_discovered_logfile.stdout | dirname }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: '0750'
|
mode: 'g-w,o-rwx'
|
||||||
when: not auditlog_dir.stat.mode is match('07(0|5)0')
|
when: not auditlog_dir.stat.mode is match('07(0|5)0')
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_4_1_4_4
|
- rhel9cis_rule_4_1_4_4
|
||||||
|
|
@ -64,7 +64,9 @@
|
||||||
- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
|
- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ item.path }}"
|
path: "{{ item.path }}"
|
||||||
mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
|
mode: 'u-x,g-wx,o-rwx'
|
||||||
|
failed_when: rhel9cis_4_1_4_5_file_list.state not in '[ file, absent ]'
|
||||||
|
register: rhel9cis_4_1_4_5_file_list
|
||||||
loop: "{{ auditd_conf_files.files }}"
|
loop: "{{ auditd_conf_files.files }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.path }}"
|
label: "{{ item.path }}"
|
||||||
|
|
@ -81,6 +83,8 @@
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ item.path }}"
|
path: "{{ item.path }}"
|
||||||
owner: root
|
owner: root
|
||||||
|
failed_when: rhel9cis_4_1_4_6_file_list.state not in '[ file, absent ]'
|
||||||
|
register: rhel9cis_4_1_4_6_file_list
|
||||||
loop: "{{ auditd_conf_files.files | default([]) }}"
|
loop: "{{ auditd_conf_files.files | default([]) }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.path }}"
|
label: "{{ item.path }}"
|
||||||
|
|
@ -97,6 +101,8 @@
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ item.path }}"
|
path: "{{ item.path }}"
|
||||||
group: root
|
group: root
|
||||||
|
failed_when: rhel9cis_4_1_4_7_file_list.state not in '[ file, absent ]'
|
||||||
|
register: rhel9cis_4_1_4_7_file_list
|
||||||
loop: "{{ auditd_conf_files.files | default([]) }}"
|
loop: "{{ auditd_conf_files.files | default([]) }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.path }}"
|
label: "{{ item.path }}"
|
||||||
|
|
@ -126,8 +132,7 @@
|
||||||
- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required"
|
- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required"
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ item.item }}"
|
path: "{{ item.item }}"
|
||||||
mode: '0750'
|
mode: 'go-w'
|
||||||
|
|
||||||
loop: "{{ audit_bins.results }}"
|
loop: "{{ audit_bins.results }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.item }}"
|
label: "{{ item.item }}"
|
||||||
|
|
|
||||||
|
|
@ -14,6 +14,8 @@
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ item.path }}"
|
path: "{{ item.path }}"
|
||||||
mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
|
mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
|
||||||
|
failed_when: rhel9cis_4_2_3_file_list.state not in '[ file, absent ]'
|
||||||
|
register: rhel9cis_4_2_3_file_list
|
||||||
loop: "{{ logfiles.files }}"
|
loop: "{{ logfiles.files }}"
|
||||||
loop_control:
|
loop_control:
|
||||||
label: "{{ item.path }}"
|
label: "{{ item.path }}"
|
||||||
|
|
|
||||||
|
|
@ -150,7 +150,7 @@
|
||||||
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist"
|
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist"
|
||||||
block:
|
block:
|
||||||
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories"
|
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories"
|
||||||
ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser
|
ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser -not -fstype nfs
|
||||||
changed_when: false
|
changed_when: false
|
||||||
failed_when: false
|
failed_when: false
|
||||||
check_mode: false
|
check_mode: false
|
||||||
|
|
@ -162,28 +162,21 @@
|
||||||
- item['device'].startswith('/dev')
|
- item['device'].startswith('/dev')
|
||||||
- not 'bind' in item['options']
|
- not 'bind' in item['options']
|
||||||
|
|
||||||
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | set fact"
|
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use"
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
rhel_09_6_1_10_unowned_files_found: true
|
discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | map(attribute='stdout_lines') | flatten }}"
|
||||||
loop: "{{ rhel_09_6_1_10_audit.results }}"
|
|
||||||
when:
|
|
||||||
- item | length > 0
|
|
||||||
- item.stdout is defined # skipped items are part of results list, but don't have the registered module properties
|
|
||||||
- item.stdout | length > 0
|
|
||||||
|
|
||||||
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
|
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
|
||||||
ansible.builtin.debug:
|
ansible.builtin.debug:
|
||||||
msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit.stdout_lines }}"
|
msg: "Warning!! Missing owner on items in {{ discovered_unowned_files_flatten }}"
|
||||||
when: rhel_09_6_1_10_unowned_files_found
|
when: discovered_unowned_files_flatten | length > 0
|
||||||
|
|
||||||
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning"
|
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning"
|
||||||
ansible.builtin.import_tasks:
|
ansible.builtin.import_tasks:
|
||||||
file: warning_facts.yml
|
file: warning_facts.yml
|
||||||
vars:
|
vars:
|
||||||
warn_control_id: '6.1.10'
|
warn_control_id: '6.1.10'
|
||||||
when: rhel_09_6_1_10_unowned_files_found
|
when: discovered_unowned_files_flatten | length > 0
|
||||||
vars:
|
|
||||||
rhel_09_6_1_10_unowned_files_found: false
|
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_6_1_10
|
- rhel9cis_rule_6_1_10
|
||||||
tags:
|
tags:
|
||||||
|
|
@ -209,28 +202,21 @@
|
||||||
- item['device'].startswith('/dev')
|
- item['device'].startswith('/dev')
|
||||||
- not 'bind' in item['options']
|
- not 'bind' in item['options']
|
||||||
|
|
||||||
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | set fact"
|
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Flatten no_user_items results for easier use"
|
||||||
ansible.builtin.set_fact:
|
ansible.builtin.set_fact:
|
||||||
rhel_09_6_1_11_ungrouped_files_found: true
|
discovered_ungrouped_files_flatten: "{{ rhel_09_6_1_11_audit.results | map(attribute='stdout_lines') | flatten }}"
|
||||||
loop: "{{ rhel_09_6_1_11_audit.results }}"
|
|
||||||
when:
|
|
||||||
- item | length > 0
|
|
||||||
- item.stdout is defined # skipped items are part of results list, but don't have the registered module properties
|
|
||||||
- item.stdout | length > 0
|
|
||||||
|
|
||||||
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
|
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
|
||||||
ansible.builtin.debug:
|
ansible.builtin.debug:
|
||||||
msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit.stdout_lines }}"
|
msg: "Warning!! Missing group on items in {{ discovered_ungrouped_files_flatten }}"
|
||||||
when: rhel_09_6_1_11_ungrouped_files_found
|
when: discovered_ungrouped_files_flatten | length > 0
|
||||||
|
|
||||||
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
|
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
|
||||||
ansible.builtin.import_tasks:
|
ansible.builtin.import_tasks:
|
||||||
file: warning_facts.yml
|
file: warning_facts.yml
|
||||||
vars:
|
vars:
|
||||||
warn_control_id: '6.1.11'
|
warn_control_id: '6.1.11'
|
||||||
when: rhel_09_6_1_11_ungrouped_files_found
|
when: discovered_ungrouped_files_flatten | length > 0
|
||||||
vars:
|
|
||||||
rhel_09_6_1_11_ungrouped_files_found: false
|
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_6_1_11
|
- rhel9cis_rule_6_1_11
|
||||||
tags:
|
tags:
|
||||||
|
|
|
||||||
|
|
@ -26,8 +26,9 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma
|
||||||
|
|
||||||
### Audit binary settings ###
|
### Audit binary settings ###
|
||||||
audit_bin_version:
|
audit_bin_version:
|
||||||
release: v0.4.4
|
release: v0.4.8
|
||||||
AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5'
|
AMD64_checksum: 'sha256:85d00b7bba5f175bec95de7dfe1f71f8f25204914aad4c6f03c8457868eb6e2f'
|
||||||
|
ARM64_checksum: 'sha256:bca8c898bfd35b94c51455ece6193c95e2cd7b2b183ac2047b2d76291e73e47d'
|
||||||
audit_bin_path: /usr/local/bin/
|
audit_bin_path: /usr/local/bin/
|
||||||
audit_bin: "{{ audit_bin_path }}goss"
|
audit_bin: "{{ audit_bin_path }}goss"
|
||||||
audit_format: json
|
audit_format: json
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue