sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Merge pull request #84 from ansible-lockdown/devel

Browse source 
devel to main release
This commit is contained in:
uk-bolly 2023-08-09 14:34:53 +01:00 committed by GitHub
commit 10dc297e9a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
57 changed files with 1141 additions and 795 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.ansible-lint
View file

@ -12,6 +12,7 @@ skip_list:
- 'name[casing]' - 'name[casing]'
- 'name[template]' - 'name[template]'
- 'fqcn[action]' - 'fqcn[action]'
- 'key-order[task]'
- '204' - '204'
- '305' - '305'
- '303' - '303'

322
.config/.gitleaks-report.json Normal file
View file

@ -0,0 +1,322 @@
[
{
"Description": "Generic API Key",
"StartLine": 119,
"EndLine": 119,
"StartColumn": 18,
"EndColumn": 68,
"Match": "secret\": \"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\"",
"Secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
"File": ".secrets.baseline",
"SymlinkFile": "",
"Commit": "495f942b7d26ee82690dc16eb4f231c587a57687",
"Entropy": 3.853056,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2023-07-26T15:51:17Z",
"Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:119"
},
{
"Description": "Generic API Key",
"StartLine": 127,
"EndLine": 127,
"StartColumn": 18,
"EndColumn": 68,
"Match": "secret\": \"fe96f7cfa2ab2224e7d015067a6f6cc713f7012e\"",
"Secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e",
"File": ".secrets.baseline",
"SymlinkFile": "",
"Commit": "495f942b7d26ee82690dc16eb4f231c587a57687",
"Entropy": 3.6568441,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2023-07-26T15:51:17Z",
"Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:127"
},
{
"Description": "Generic API Key",
"StartLine": 135,
"EndLine": 135,
"StartColumn": 18,
"EndColumn": 68,
"Match": "secret\": \"a415ab5cc17c8c093c015ccdb7e552aee7911aa4\"",
"Secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4",
"File": ".secrets.baseline",
"SymlinkFile": "",
"Commit": "495f942b7d26ee82690dc16eb4f231c587a57687",
"Entropy": 3.5221736,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2023-07-26T15:51:17Z",
"Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:135"
},
{
"Description": "Generic API Key",
"StartLine": 145,
"EndLine": 145,
"StartColumn": 18,
"EndColumn": 68,
"Match": "secret\": \"2478fefdceefe2847c3aa36dc731aaad5b3cc2fb\"",
"Secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb",
"File": ".secrets.baseline",
"SymlinkFile": "",
"Commit": "495f942b7d26ee82690dc16eb4f231c587a57687",
"Entropy": 3.6348295,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2023-07-26T15:51:17Z",
"Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:145"
},
{
"Description": "Generic API Key",
"StartLine": 153,
"EndLine": 153,
"StartColumn": 18,
"EndColumn": 68,
"Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"",
"Secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
"File": ".secrets.baseline",
"SymlinkFile": "",
"Commit": "495f942b7d26ee82690dc16eb4f231c587a57687",
"Entropy": 3.646039,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2023-07-26T15:51:17Z",
"Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:153"
},
{
"Description": "Generic API Key",
"StartLine": 163,
"EndLine": 163,
"StartColumn": 18,
"EndColumn": 68,
"Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"",
"Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
"File": ".secrets.baseline",
"SymlinkFile": "",
"Commit": "495f942b7d26ee82690dc16eb4f231c587a57687",
"Entropy": 3.8439426,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2023-07-26T15:51:17Z",
"Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:163"
},
{
"Description": "Generic API Key",
"StartLine": 119,
"EndLine": 119,
"StartColumn": 18,
"EndColumn": 68,
"Match": "secret\": \"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\"",
"Secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
"File": ".secrets.baseline",
"SymlinkFile": "",
"Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389",
"Entropy": 3.853056,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2023-07-04T16:08:02Z",
"Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:119"
},
{
"Description": "Generic API Key",
"StartLine": 127,
"EndLine": 127,
"StartColumn": 18,
"EndColumn": 68,
"Match": "secret\": \"fe96f7cfa2ab2224e7d015067a6f6cc713f7012e\"",
"Secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e",
"File": ".secrets.baseline",
"SymlinkFile": "",
"Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389",
"Entropy": 3.6568441,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2023-07-04T16:08:02Z",
"Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:127"
},
{
"Description": "Generic API Key",
"StartLine": 135,
"EndLine": 135,
"StartColumn": 18,
"EndColumn": 68,
"Match": "secret\": \"a415ab5cc17c8c093c015ccdb7e552aee7911aa4\"",
"Secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4",
"File": ".secrets.baseline",
"SymlinkFile": "",
"Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389",
"Entropy": 3.5221736,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2023-07-04T16:08:02Z",
"Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:135"
},
{
"Description": "Generic API Key",
"StartLine": 145,
"EndLine": 145,
"StartColumn": 18,
"EndColumn": 68,
"Match": "secret\": \"2478fefdceefe2847c3aa36dc731aaad5b3cc2fb\"",
"Secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb",
"File": ".secrets.baseline",
"SymlinkFile": "",
"Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389",
"Entropy": 3.6348295,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2023-07-04T16:08:02Z",
"Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:145"
},
{
"Description": "Generic API Key",
"StartLine": 153,
"EndLine": 153,
"StartColumn": 18,
"EndColumn": 68,
"Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"",
"Secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
"File": ".secrets.baseline",
"SymlinkFile": "",
"Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389",
"Entropy": 3.646039,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2023-07-04T16:08:02Z",
"Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:153"
},
{
"Description": "Generic API Key",
"StartLine": 163,
"EndLine": 163,
"StartColumn": 18,
"EndColumn": 68,
"Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"",
"Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
"File": ".secrets.baseline",
"SymlinkFile": "",
"Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389",
"Entropy": 3.8439426,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2023-07-04T16:08:02Z",
"Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:163"
},
{
"Description": "Generic API Key",
"StartLine": 3,
"EndLine": 4,
"StartColumn": 9,
"EndColumn": 1,
"Match": "key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec",
"Secret": "gpg-pubkey-8d8b756f-629e59ec",
"File": "vars/OracleLinux.yml",
"SymlinkFile": "",
"Commit": "e04da88df42da0108d489f359513c574fbe5c87a",
"Entropy": 3.96772,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2023-03-06T11:22:08Z",
"Message": "Added OracleLinux support\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "e04da88df42da0108d489f359513c574fbe5c87a:vars/OracleLinux.yml:generic-api-key:3"
},
{
"Description": "Generic API Key",
"StartLine": 4,
"EndLine": 5,
"StartColumn": 8,
"EndColumn": 1,
"Match": "key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b",
"Secret": "gpg-pubkey-fd431d51-4ae0493b",
"File": "vars/RedHat.yml",
"SymlinkFile": "",
"Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a",
"Entropy": 3.96772,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2022-07-25T10:26:27Z",
"Message": "1.2.2 rpm gpg key check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/RedHat.yml:generic-api-key:4"
},
{
"Description": "Generic API Key",
"StartLine": 4,
"EndLine": 5,
"StartColumn": 8,
"EndColumn": 1,
"Match": "key_pubkey_name: gpg-pubkey-b86b3716-61e69f29",
"Secret": "gpg-pubkey-b86b3716-61e69f29",
"File": "vars/AlmaLinux.yml",
"SymlinkFile": "",
"Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a",
"Entropy": 3.824863,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2022-07-25T10:26:27Z",
"Message": "1.2.2 rpm gpg key check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/AlmaLinux.yml:generic-api-key:4"
},
{
"Description": "Generic API Key",
"StartLine": 4,
"EndLine": 5,
"StartColumn": 8,
"EndColumn": 1,
"Match": "key_pubkey_name: gpg-pubkey-350d275d-6279464b",
"Secret": "gpg-pubkey-350d275d-6279464b",
"File": "vars/Rocky.yml",
"SymlinkFile": "",
"Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a",
"Entropy": 3.9946804,
"Author": "Mark Bolwell",
"Email": "mark.bollyuk@gmail.com",
"Date": "2022-07-25T10:26:27Z",
"Message": "1.2.2 rpm gpg key check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
"Tags": [],
"RuleID": "generic-api-key",
"Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/Rocky.yml:generic-api-key:4"
}
]

176
.config/.secrets.baseline Normal file
View file

@ -0,0 +1,176 @@
{
"version": "1.4.0",
"plugins_used": [
{
"name": "ArtifactoryDetector"
},
{
"name": "AWSKeyDetector"
},
{
"name": "AzureStorageKeyDetector"
},
{
"name": "Base64HighEntropyString",
"limit": 4.5
},
{
"name": "BasicAuthDetector"
},
{
"name": "CloudantDetector"
},
{
"name": "DiscordBotTokenDetector"
},
{
"name": "GitHubTokenDetector"
},
{
"name": "HexHighEntropyString",
"limit": 3.0
},
{
"name": "IbmCloudIamDetector"
},
{
"name": "IbmCosHmacDetector"
},
{
"name": "JwtTokenDetector"
},
{
"name": "KeywordDetector",
"keyword_exclude": ""
},
{
"name": "MailchimpDetector"
},
{
"name": "NpmDetector"
},
{
"name": "PrivateKeyDetector"
},
{
"name": "SendGridDetector"
},
{
"name": "SlackDetector"
},
{
"name": "SoftlayerDetector"
},
{
"name": "SquareOAuthDetector"
},
{
"name": "StripeDetector"
},
{
"name": "TwilioKeyDetector"
}
],
"filters_used": [
{
"path": "detect_secrets.filters.allowlist.is_line_allowlisted"
},
{
"path": "detect_secrets.filters.common.is_baseline_file",
"filename": ".config/.secrets.baseline"
},
{
"path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
"min_level": 2
},
{
"path": "detect_secrets.filters.heuristic.is_indirect_reference"
},
{
"path": "detect_secrets.filters.heuristic.is_likely_id_string"
},
{
"path": "detect_secrets.filters.heuristic.is_lock_file"
},
{
"path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
},
{
"path": "detect_secrets.filters.heuristic.is_potential_uuid"
},
{
"path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
},
{
"path": "detect_secrets.filters.heuristic.is_sequential_string"
},
{
"path": "detect_secrets.filters.heuristic.is_swagger_file"
},
{
"path": "detect_secrets.filters.heuristic.is_templated_secret"
},
{
"path": "detect_secrets.filters.regex.should_exclude_file",
"pattern": [
".config/.gitleaks-report.json"
]
}
],
"results": {
"defaults/main.yml": [
{
"type": "Secret Keyword",
"filename": "defaults/main.yml",
"hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
"is_verified": false,
"line_number": 363,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": "defaults/main.yml",
"hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e",
"is_verified": false,
"line_number": 374,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": "defaults/main.yml",
"hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4",
"is_verified": false,
"line_number": 375,
"is_secret": false
}
],
"tasks/main.yml": [
{
"type": "Secret Keyword",
"filename": "tasks/main.yml",
"hashed_secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb",
"is_verified": false,
"line_number": 38,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": "tasks/main.yml",
"hashed_secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
"is_verified": false,
"line_number": 110,
"is_secret": false
}
],
"tasks/parse_etc_password.yml": [
{
"type": "Secret Keyword",
"filename": "tasks/parse_etc_password.yml",
"hashed_secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
"is_verified": false,
"line_number": 18
}
]
},
"generated_at": "2023-08-09T08:11:03Z"
}

0
requirements.txt → .config/requirements.txt
View file

34
.github/ISSUE_TEMPLATE/bug_report.md vendored
View file

@ -1,34 +0,0 @@
---
name: Report Issue
about: Create a bug issue ticket to help us improve
title: ''
labels: bug
assignees: ''
---
**Describe the Issue**
A clear and concise description of what the bug is.
**Expected Behavior**
A clear and concise description of what you expected to happen.
**Actual Behavior**
A clear and concise description of what's happening.
**Control(s) Affected**
What controls are being affected by the issue
**Environment (please complete the following information):**
- branch being used: [e.g. devel]
- Ansible Version: [e.g. 2.10]
- Host Python Version: [e.g. Python 3.7.6]
- Ansible Server Python Version: [e.g. Python 3.7.6]
- Additional Details:
**Additional Notes**
Anything additional goes here
**Possible Solution**
Enter a suggested fix here

22
.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md vendored
View file

@ -1,22 +0,0 @@
---
name: Feature Request or Enhancement
about: Suggest an idea for this project
title: ''
labels: enhancement
assignees: ''
---
## Feature Request or Enhancement
- Feature []
- Enhancement []
**Summary of Request**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Suggested Code**
Please provide any code you have in mind to fulfill the request

18
.github/ISSUE_TEMPLATE/question.md vendored
View file

@ -1,18 +0,0 @@
---
name: Question
about: Ask away.......
title: ''
labels: question
assignees: ''
---
**Question**
Pose question here.
**Environment (please complete the following information):**
- Ansible Version: [e.g. 2.10]
- Host Python Version: [e.g. Python 3.7.6]
- Ansible Server Python Version: [e.g. Python 3.7.6]
- Additional Details:

12
.github/pull_request_template.md vendored
View file

@ -1,12 +0,0 @@
**Overall Review of Changes:**
A general description of the changes made that are being requested for merge
**Issue Fixes:**
Please list (using linking) any open issues this PR addresses
**Enhancements:**
Please list any enhancements/features that are not open issue tickets
**How has this been tested?:**
Please give an overview of how these changes were tested. If they were not please use N/A

9
.github/workflows/OS.tfvars vendored
View file

@ -1,9 +0,0 @@
#Ami Alma 9
ami_id = "ami-0845395779540e3cb"
ami_os = "rhel9"
ami_username = "ec2-user"
ami_user_home = "/home/ec2-user"
instance_tags = {
Name = "RHEL9-CIS"
Environment = "lockdown_github_repo_workflow"
}

138
.github/workflows/devel_pipeline_validation.yml vendored Normal file
View file

@ -0,0 +1,138 @@
---
name: Devel pipeline
on: # yamllint disable-line rule:truthy
pull_request_target:
types: [opened, reopened, synchronize]
branches:
- devel
paths:
- '**.yml'
- '**.sh'
- '**.j2'
- '**.ps1'
- '**.cfg'
# A workflow run is made up of one or more jobs
# that can run sequentially or in parallel
jobs:
# This will create messages for first time contributers and direct them to the Discord server
welcome:
runs-on: ubuntu-latest
steps:
- uses: actions/first-interaction@main
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
# This workflow contains a single job which tests the playbook
playbook-test:
# The type of runner that the job will run on
runs-on: ubuntu-latest
env:
ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
# Imported as a variable by terraform
TF_VAR_repository: ${{ github.event.repository.name }}
defaults:
run:
shell: bash
working-directory: .github/workflows/github_linux_IaC
steps:
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
# Pull in terraform code for linux servers
- name: Clone github IaC plan
uses: actions/checkout@v3
with:
repository: ansible-lockdown/github_linux_IaC
path: .github/workflows/github_linux_IaC
- name: Add_ssh_key
working-directory: .github/workflows
env:
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
run: |
mkdir .ssh
chmod 700 .ssh
echo $PRIVATE_KEY > .ssh/github_actions.pem
chmod 600 .ssh/github_actions.pem
- name: DEBUG - Show IaC files
if: env.ENABLE_DEBUG == 'true'
run: |
echo "OSVAR = $OSVAR"
echo "benchmark_type = $benchmark_type"
pwd
ls
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
benchmark_type: ${{ vars.BENCHMARK_TYPE }}
- name: Terraform_Init
id: init
run: terraform init
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
- name: Terraform_Validate
id: validate
run: terraform validate
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
- name: Terraform_Apply
id: apply
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
## Debug Section
- name: DEBUG - Show Ansible hostfile
if: env.ENABLE_DEBUG == 'true'
run: cat hosts.yml
# Aws deployments taking a while to come up insert sleep or playbook fails
- name: Sleep for 60 seconds
run: sleep 60s
# Run the ansible playbook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
playbook: site.yml
inventory: .github/workflows/github_linux_IaC/hosts.yml
galaxy_file: collections/requirements.yml
private_key: ${{ secrets.SSH_PRV_KEY }}
# verbose: 3
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
# Remove test system - User secrets to keep if necessary
- name: Terraform_Destroy
if: always() && env.ENABLE_DEBUG == 'false'
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false

53
.github/workflows/github_networks.tf vendored
View file

@ -1,53 +0,0 @@
resource "aws_vpc" "Main" {
cidr_block = var.main_vpc_cidr
instance_tenancy = "default"
tags = {
Environment = "${var.environment}"
Name = "${var.namespace}-VPC"
}
}
resource "aws_internet_gateway" "IGW" {
vpc_id = aws_vpc.Main.id
tags = {
Environment = "${var.environment}"
Name = "${var.namespace}-IGW"
}
}
resource "aws_subnet" "publicsubnets" {
vpc_id = aws_vpc.Main.id
cidr_block = var.public_subnets
availability_zone = var.availability_zone
tags = {
Environment = "${var.environment}"
Name = "${var.namespace}-pubsub"
}
}
resource "aws_subnet" "Main" {
vpc_id = aws_vpc.Main.id
cidr_block = var.private_subnets
availability_zone = var.availability_zone
tags = {
Environment = "${var.environment}"
Name = "${var.namespace}-prvsub"
}
}
resource "aws_route_table" "PublicRT" {
vpc_id = aws_vpc.Main.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.IGW.id
}
tags = {
Environment = "${var.environment}"
Name = "${var.namespace}-publicRT"
}
}
resource "aws_route_table_association" "rt_associate_public" {
subnet_id = aws_subnet.Main.id
route_table_id = aws_route_table.PublicRT.id
}

14
.github/workflows/github_vars.tfvars vendored
View file

@ -1,14 +0,0 @@
// github_actions variables
// Resourced in github_networks.tf
// Declared in variables.tf
//
namespace = "github_actions"
environment = "lockdown_github_repo_workflow"
// Matching pair name found in AWS for keypairs PEM key
ami_key_pair_name = "github_actions"
private_key = ".ssh/github_actions.pem"
main_vpc_cidr = "172.22.0.0/24"
public_subnets = "172.22.0.128/26"
private_subnets = "172.22.0.192/26"

111
.github/workflows/linux_benchmark_testing.yml vendored
View file

@ -1,111 +0,0 @@
# This is a basic workflow to help you get started with Actions
name: linux_benchmark_pipeline
# Controls when the action will run.
# Triggers the workflow on push or pull request
# events but only for the devel branch
on: # yamllint disable-line rule:truthy
pull_request_target:
types: [opened, reopened, synchronize]
branches:
- devel
- main
paths:
- '**.yml'
- '**.sh'
- '**.j2'
- '**.ps1'
- '**.cfg'
# A workflow run is made up of one or more jobs
# that can run sequentially or in parallel
jobs:
# This will create messages for first time contributers and direct them to the Discord server
welcome:
runs-on: ubuntu-latest
steps:
- uses: actions/first-interaction@main
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on
runs-on: ubuntu-latest
env:
ENABLE_DEBUG: false
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE,
# so your job can access it
- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Add_ssh_key
working-directory: .github/workflows
env:
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
run: |
mkdir .ssh
chmod 700 .ssh
echo $PRIVATE_KEY > .ssh/github_actions.pem
chmod 600 .ssh/github_actions.pem
### Build out the server
- name: Terraform_Init
working-directory: .github/workflows
run: terraform init
- name: Terraform_Validate
working-directory: .github/workflows
run: terraform validate
- name: Terraform_Apply
working-directory: .github/workflows
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: terraform apply -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false
## Debug Section
- name: DEBUG - Show Ansible hostfile
if: env.ENABLE_DEBUG == 'true'
working-directory: .github/workflows
run: cat hosts.yml
# Aws deployments taking a while to come up insert sleep or playbook fails
- name: Sleep for 60 seconds
run: sleep 60s
shell: bash
# Run the ansible playbook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
playbook: site.yml
inventory: .github/workflows/hosts.yml
galaxy_file: collections/requirements.yml
private_key: ${{ secrets.SSH_PRV_KEY }}
# verbose: 3
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
# Remove test system - User secrets to keep if necessary
- name: Terraform_Destroy
working-directory: .github/workflows
if: always() && env.ENABLE_DEBUG == 'false'
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: terraform destroy -var-file "github_vars.tfvars" -var-file "OS.tfvars" --auto-approve -input=false

83
.github/workflows/main.tf vendored
View file

@ -1,83 +0,0 @@
provider "aws" {
profile = ""
region = var.aws_region
}
// Create a security group with access to port 22 and port 80 open to serve HTTP traffic
resource "random_id" "server" {
keepers = {
# Generate a new id each time we switch to a new AMI id
ami_id = "${var.ami_id}"
}
byte_length = 8
}
resource "aws_security_group" "github_actions" {
name = "${var.namespace}-${random_id.server.hex}-SG"
vpc_id = aws_vpc.Main.id
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Environment = "${var.environment}"
Name = "${var.namespace}-SG"
}
}
// instance setup
resource "aws_instance" "testing_vm" {
ami = var.ami_id
availability_zone = var.availability_zone
associate_public_ip_address = true
key_name = var.ami_key_pair_name # This is the key as known in the ec2 key_pairs
instance_type = var.instance_type
tags = var.instance_tags
vpc_security_group_ids = [aws_security_group.github_actions.id]
subnet_id = aws_subnet.Main.id
root_block_device {
delete_on_termination = true
}
}
// generate inventory file
resource "local_file" "inventory" {
filename = "./hosts.yml"
directory_permission = "0755"
file_permission = "0644"
content = <<EOF
# benchmark host
all:
hosts:
${var.ami_os}:
ansible_host: ${aws_instance.testing_vm.public_ip}
ansible_user: ${var.ami_username}
vars:
setup_audit: true
run_audit: true
system_is_ec2: true
skip_reboot: false
rhel9cis_rule_5_6_6: false # skip root passwd check and keys only
EOF
}

127
.github/workflows/main_pipeline_validation.yml vendored Normal file
View file

@ -0,0 +1,127 @@
---
name: Main pipeline
on: # yamllint disable-line rule:truthy
pull_request_target:
types: [opened, reopened, synchronize]
branches:
- main
paths:
- '**.yml'
- '**.sh'
- '**.j2'
- '**.ps1'
- '**.cfg'
# A workflow run is made up of one or more jobs
# that can run sequentially or in parallel
jobs:
# This workflow contains a single job which tests the playbook
playbook-test:
# The type of runner that the job will run on
runs-on: ubuntu-latest
env:
ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
# Imported as a variable by terraform
TF_VAR_repository: ${{ github.event.repository.name }}
defaults:
run:
shell: bash
working-directory: .github/workflows/github_linux_IaC
steps:
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
# Pull in terraform code for linux servers
- name: Clone github IaC plan
uses: actions/checkout@v3
with:
repository: ansible-lockdown/github_linux_IaC
path: .github/workflows/github_linux_IaC
- name: Add_ssh_key
working-directory: .github/workflows
env:
SSH_AUTH_SOCK: /tmp/ssh_agent.sock
PRIVATE_KEY: "${{ secrets.SSH_PRV_KEY }}"
run: |
mkdir .ssh
chmod 700 .ssh
echo $PRIVATE_KEY > .ssh/github_actions.pem
chmod 600 .ssh/github_actions.pem
- name: DEBUG - Show IaC files
if: env.ENABLE_DEBUG == 'true'
run: |
echo "OSVAR = $OSVAR"
echo "benchmark_type = $benchmark_type"
pwd
ls
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
benchmark_type: ${{ vars.BENCHMARK_TYPE }}
- name: Terraform_Init
id: init
run: terraform init
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
- name: Terraform_Validate
id: validate
run: terraform validate
env:
# Imported from github variables this is used to load the relvent OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
- name: Terraform_Apply
id: apply
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: terraform apply -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false
## Debug Section
- name: DEBUG - Show Ansible hostfile
if: env.ENABLE_DEBUG == 'true'
run: cat hosts.yml
# Aws deployments taking a while to come up insert sleep or playbook fails
- name: Sleep for 60 seconds
run: sleep 60s
# Run the ansible playbook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
playbook: site.yml
inventory: .github/workflows/github_linux_IaC/hosts.yml
galaxy_file: collections/requirements.yml
private_key: ${{ secrets.SSH_PRV_KEY }}
# verbose: 3
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
# Remove test system - User secrets to keep if necessary
- name: Terraform_Destroy
if: always() && env.ENABLE_DEBUG == 'false'
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: terraform destroy -var-file "github_vars.tfvars" -var-file "${OSVAR}.tfvars" --auto-approve -input=false

6
.github/workflows/terraform.tfvars vendored
View file

@ -1,6 +0,0 @@
// vars should be loaded by OSname.tfvars
availability_zone = "us-east-1b"
aws_region = "us-east-1"
ami_os = var.ami_os
ami_username = var.ami_username
instance_tags = var.instance_tags

81
.github/workflows/variables.tf vendored
View file

@ -1,81 +0,0 @@
// Taken from the OSname.tfvars
variable "aws_region" {
description = "AWS region"
default = "us-east-1"
type = string
}
variable "availability_zone" {
description = "List of availability zone in the region"
default = "us-east-1b"
type = string
}
variable "instance_type" {
description = "EC2 Instance Type"
default = "t3.micro"
type = string
}
variable "instance_tags" {
description = "Tags to set for instances"
type = map(string)
}
variable "ami_key_pair_name" {
description = "Name of key pair in AWS thats used"
type = string
}
variable "private_key" {
description = "path to private key for ssh"
type = string
}
variable "ami_os" {
description = "AMI OS Type"
type = string
}
variable "ami_id" {
description = "AMI ID reference"
type = string
}
variable "ami_username" {
description = "Username for the ami id"
type = string
}
variable "ami_user_home" {
description = "home dir for the username"
type = string
}
variable "namespace" {
description = "Name used across all tags"
type = string
}
variable "environment" {
description = "Env Name used across all tags"
type = string
}
// taken from github_vars.tfvars &
variable "main_vpc_cidr" {
description = "Private cidr block to be used for vpc"
type = string
}
variable "public_subnets" {
description = "public subnet cidr block"
type = string
}
variable "private_subnets" {
description = "private subnet cidr block"
type = string
}

67
.pre-commit-config.yaml Normal file
View file

@ -0,0 +1,67 @@
---
##### CI for use by github no need for action to be added
##### Inherited
ci:
autofix_prs: false
skip: [detect-aws-credentials, ansible-lint ]
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.2.0
hooks:
# Safety
- id: detect-aws-credentials
- id: detect-private-key
# git checks
- id: check-merge-conflict
- id: check-added-large-files
- id: check-case-conflict
# General checks
- id: trailing-whitespace
name: Trim Trailing Whitespace
description: This hook trims trailing whitespace.
entry: trailing-whitespace-fixer
language: python
types: [text]
args: [--markdown-linebreak-ext=md]
- id: end-of-file-fixer
# Scan for passwords
- repo: https://github.com/Yelp/detect-secrets
rev: v1.4.0
hooks:
- id: detect-secrets
args: [ '--baseline', '.config/.secrets.baseline' ]
exclude: .config/.gitleaks-report.json
- repo: https://github.com/gitleaks/gitleaks
rev: v8.17.0
hooks:
- id: gitleaks
args: ['--baseline-path', '.config/.gitleaks-report.json']
- repo: https://github.com/ansible-community/ansible-lint
rev: v6.17.2
hooks:
- id: ansible-lint
name: Ansible-lint
description: This hook runs ansible-lint.
entry: python3 -m ansiblelint --force-color site.yml -c .ansible-lint
language: python
# do not pass files to ansible-lint, see:
# https://github.com/ansible/ansible-lint/issues/611
pass_filenames: false
always_run: true
additional_dependencies:
# https://github.com/pre-commit/pre-commit/issues/1526
# If you want to use specific version of ansible-core or ansible, feel
# free to override `additional_dependencies` in your own hook config
# file.
- ansible-core>=2.10.1
- repo: https://github.com/adrienverge/yamllint.git
rev: v1.32.0 # or higher tag
hooks:
- id: yamllint

38
Changelog.md
View file

@ -1,5 +1,41 @@
# Changes to rhel9CIS # Changes to rhel9CIS
## 1.1.0
- new workflow configuration
- Allowing devel and main configs
- IaC code found in alternate repo for easier mgmt
- Added pre-commit config - Does not have to be used but can improve things
- .pre-commit-config.yaml
- .secrets.baseline
- gitleaks and secrets detection
- updated to logic in 5.6.5
- lint updates to 6.1.x
- readme updates
- audit control updates and variable name changes
- ability to run audit on arm64(e.g. pi or M1/2) too thanks to @lucab85 #77
- tidy up README adopted PR #78 thanks to @lucab85
- moved Makefile requirements to .config/
- removed .ansible.cfg and local.yml
## 1.0.10
- [#72](https://github.com/ansible-lockdown/RHEL9-CIS/issues/72)
- Only run check when paybook user not a superuser
- fix for 5.5.3 thanks to @nrg-fv
## 1.0.9
fixed assert for user password set
thanks to @byjunks
[#66](https://github.com/ansible-lockdown/RHEL9-CIS/issues/66)
## 1.0.8
rule_1.10 improvements allowing for module checking (useful for AD)
## 1.0.7 ## 1.0.7
lint and yaml updates lint and yaml updates
@ -8,7 +44,7 @@ improvements to 6.1.10, 6.1.11, 6.1.13, 6.1.14
## 1.0.6 ## 1.0.6
updated ymlalint as galaxy doenst honouyr local settings updated yamllint as galaxy doesn't honour local settings
removed empty lines in files removed empty lines in files
## 1.0.5 ## 1.0.5

2
Makefile
View file

@ -25,5 +25,5 @@ yamllint:
pip-requirements: pip-requirements:
@echo 'Python dependencies:' @echo 'Python dependencies:'
@cat requirements.txt @cat .config/requirements.txt
pip3 install -r requirements.txt pip3 install -r requirements.txt

182
README.md
View file

@ -15,13 +15,14 @@
![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61781?label=Quality&&logo=ansible) ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61781?label=Quality&&logo=ansible)
![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/RHEL9-CIS/linux_benchmark_testing.yml?label=Devel%20Build%20Status)
![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits)
![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/RHEL9-CIS/linux_benchmark_testing.yml?label=Build%20Status) ![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS)
![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS?label=Release%20Date) ![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS)
![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/RHEL9-CIS?label=Release%20Tag&&color=success)
[![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml)
[![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml)
![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits)
![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues) ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues)
![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success) ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success)
@ -41,6 +42,11 @@
Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
### Contributing
Issues and Pull requests are welcome please ensure that all commits are signed-off-by and gpg-signed.
Refer to [Contributing Guide](./CONTRIBUTING.rst)
--- ---
## Caution(s) ## Caution(s)
@ -51,37 +57,37 @@ Check Mode is not supported! The role will complete in check mode without errors
This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed.
To use release version please point to main branch and relevant release for the cis benchmark you wish to work with. To use the release version, please point to the `main` branch and relevant release for the cis benchmark you wish to work with.
--- ---
## Matching a security Level for CIS ## Matching a security Level for CIS
It is possible to to only run level 1 or level 2 controls for CIS. It is possible to only run level 1 or level 2 controls for CIS.
This is managed using tags: This is managed using tags:
- level1_server - level1-server
- level1_workstation - level1-workstation
- level2_server - level2-server
- level2_workstation - level2-workstation
The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. The control found in the `defaults` main also needs to reflect this, as this control is the testing that takes place if you are using the audit component.
## Coming from a previous release ## Coming from a previous release
CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release. CIS release always contains changes, it is highly recommended to review the new references and available variables. This has changed significantly since the ansible-lockdown initial release.
This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites which configure the system accordingly.
Further details can be seen in the [Changelog](./ChangeLog.md) Further details can be seen in the [Changelog](./ChangeLog.md)
## Auditing (new) ## Auditing (new)
This can be turned on or off within the defaults/main.yml file with the variable rhel8cis_run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. This can be turned on or off within the `defaults/main.yml` file with the variables `setup_audit` and `run_audit`. The value is `false` by default. Please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role.
This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings. This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings.
A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling. A new form of auditing has been developed by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check without the need for infrastructure or other tooling.
This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process. This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also try to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process.
Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit). Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit).
@ -100,12 +106,14 @@ Almalinux 9
Rocky 9 Rocky 9
OracleLinux 9 OracleLinux 9
ansible 2.10
jmespath
relevant collections
- Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.) - Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.)
CentOS stream - while this will generally work it is not supported and requires the following variable setting
```sh
check_os: false
```
**General:** **General:**
- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
@ -120,13 +128,15 @@ relevant collections
**Technical Dependencies:** **Technical Dependencies:**
- Python3 - Python3
- Ansible 2.9+ - Ansible 2.10+
- python-def (should be included in RHEL 9) - python-def (should be included in RHEL 9)
- libselinux-python - libselinux-python
- pip packages - pip packages
- jmespath ( complete list found in requirements.txt) - jmespath ( complete list found in requirements.txt)
- collections found in collections/requirememnts.yml - collections found in collections/requirememnts.yml
pre-commit is available if installed on your host for pull request testing.
## Role Variables ## Role Variables
This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done by overriding the required varaibles as found in defaults/main.yml file. e.g. using inventory, group_vars, extra_vars This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done by overriding the required varaibles as found in defaults/main.yml file. e.g. using inventory, group_vars, extra_vars
@ -170,124 +180,20 @@ uses:
- ansible-core 2.12 - ansible-core 2.12
- ansible collections - pulls in the latest version based on requirements file - ansible collections - pulls in the latest version based on requirements file
- runs the audit using the devel branch - Runs the audit using the devel branch
- Runs the pre-commit setup on the PR to ensure everything is in place as expected.
- This is an automated test that occurs on pull requests into devel - This is an automated test that occurs on pull requests into devel
## Local Testing ## Local Testing
ansible-base 2.10.17 - python 3.8 - ansible-base 2.10.17 - python 3.8
ansible-core 2.13.4 - python 3.10 - ansible-core 2.13.4 - python 3.10
- ansible-core 2.15.1 - python 3.11
- makefile - this is there purely for testing and initial setup purposes. makefile - this is there purely for testing and initial setup purposes.
pre-commit can be tested
Is run from with the directory
```sh
pre-commit run
```
## v1.0.0 - released Dec 2022
![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL9-CIS/CommunityToDevel?label=Devel%20Build%20Status&style=plastic)
![Build Status](https://img.shields.io/github/workflow/status/ansible-lockdown/RHEL9-CIS/DevelToMain?label=Main%20Build%20Status&style=plastic)
![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS?style=plastic)
## Join us
On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
## Caution(s)
This role **will make changes to the system** which may have unintended concequences.
This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed.
To use release version please point to main branch
## Documentation
- [Readthedocs](https://ansible-lockdown.readthedocs.io/en/latest/)
- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)
- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)
- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)
## Requirements
RHEL 9
Almalinux 9
Rocky 9
OracleLinux 9
ansible 2.10
jmespath
relevant collections
- Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.)
## Tested with
ansible-base 2.10.17 - python 3.8
ansible-core 2.13.4 - python 3.10
- makefile - this is there purely for testing and initial setup purposes.
## General
- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
- [Main Ansible documentation page](https://docs.ansible.com)
- [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html)
- [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
- [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
- Please read through the tasks in this role to gain an understanding of what each control is doing.
- Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file
## Dependencies
- Python3
- Ansible 2.9+
- python-def (should be included in RHEL 9)
- libselinux-python
- pip packages
- jmespath ( complete list found in requirements.txt)
- collections found in collections/requirememnts.yml
### Known Issues
CIS 1.2.4 - repo_gpgcheck is not carried out for RedHat hosts as the default repos do not have this function. This also affect EPEL(not covered by var).
- Rocky and Alma not affected.
Variable used to unset.
rhel9cis_rhel_default_repo: true # to be set to false if using repo that does have this ability

30
ansible.cfg
View file

@ -1,30 +0,0 @@
[defaults]
host_key_checking=False
display_skipped_hosts=True
system_warnings=False
command_warnings=False
nocows=1
retry_files_save_path=/dev/null
pipelining=true
# Use the YAML callback plugin.
stdout_callback = yaml
# Use the stdout_callback when running ad-hoc commands.
bin_ansible_callbacks = True
[privilege_escalation]
[paramiko_connection]
record_host_keys=False
[ssh_connection]
transfer_method=scp
ssh_args = -o ControlMaster=auto -o ControlPersist=60s
[accelerate]
[selinux]
[colors]
[diff]

21
defaults/main.yml
View file

@ -52,7 +52,7 @@ setup_audit: false
# How to retrive goss # How to retrive goss
# Options are copy or download - detailed settings at the bottom of this file # Options are copy or download - detailed settings at the bottom of this file
# you will need to access to either github or the file already dowmloaded # you will need to access to either github or the file already dowmloaded
get_goss_file: download get_audit_binary_method: download
# how to get audit files onto host options # how to get audit files onto host options
# options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly) # options are git/copy/get_url - use local if already available to to the host (adjust paths accordingly)
@ -380,9 +380,11 @@ rhel9cis_dconf_db_name: local
rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900) rhel9cis_screensaver_idle_delay: 900 # Set max value for idle-delay in seconds (between 1 and 900)
rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5) rhel9cis_screensaver_lock_delay: 5 # Set max value for lock-delay in seconds (between 0 and 5)
# 1.10 Set crypto policy DEFAULT # 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS)
# Control 1.10 states not to use LEGACY # Control 1.10 states do not use LEGACY and control 1.11 says to use FUTURE or FIPS.
rhel9cis_crypto_policy: "DEFAULT" rhel9cis_crypto_policy: 'DEFAULT'
# Added module to be allowed as default setting (Allowed options in vars/main.yml)
rhel9cis_crypto_policy_module: ''
# System network parameters (host only OR host and router) # System network parameters (host only OR host and router)
rhel9cis_is_router: false rhel9cis_is_router: false
@ -475,7 +477,7 @@ rhel9cis_firewall: firewalld
##### firewalld ##### firewalld
rhel9cis_default_zone: public rhel9cis_default_zone: public
# These are added to demonstrate how this can be done # These settings are added to demonstrate how this update can be done (eventually will require a new control)
rhel9cis_firewalld_ports: rhel9cis_firewalld_ports:
- number: 80 - number: 80
protocol: tcp protocol: tcp
@ -661,15 +663,16 @@ audit_run_script_environment:
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}" AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
### Goss binary settings ### ### Goss binary settings ###
goss_version: audit_bin_release: v0.3.23
release: v0.3.21 audit_bin_version:
checksum: 'sha256:9a9200779603acf0353d2c0e85ae46e083596c10838eaf4ee050c924678e4fe3' AMD64_checksum: 'sha256:9e9f24e25f86d6adf2e669a9ffbe8c3d7b9b439f5f877500dea02ba837e10e4d'
ARM64_checksum: 'sha256:7b0794fa590857e7d64ef436e1a100ca26f6039f269a6138009aa837d27d7f9e'
audit_bin_path: /usr/local/bin/ audit_bin_path: /usr/local/bin/
audit_bin: "{{ audit_bin_path }}goss" audit_bin: "{{ audit_bin_path }}goss"
audit_format: json audit_format: json
# if get_goss_file == download change accordingly # if get_goss_file == download change accordingly
goss_url: "https://github.com/goss-org/goss/releases/download/{{ goss_version.release }}/goss-linux-amd64" audit_bin_url: "https://github.com/goss-org/goss/releases/download/{{ audit_bin_release }}/goss-linux-"
## if get_goss_file - copy the following needs to be updated for your environment ## if get_goss_file - copy the following needs to be updated for your environment
## it is expected that it will be copied from somewhere accessible to the control node ## it is expected that it will be copied from somewhere accessible to the control node

2
handlers/main.yml
View file

@ -3,8 +3,6 @@
- name: Reload sysctl - name: Reload sysctl
ansible.builtin.shell: sysctl --system ansible.builtin.shell: sysctl --system
when:
- sysctl_updated.changed
- name: Sysctl flush ipv4 route table - name: Sysctl flush ipv4 route table
ansible.posix.sysctl: ansible.posix.sysctl:

8
local.yml
View file

@ -1,8 +0,0 @@
---
- hosts: localhost
connection: local
become: true
roles:
- role: "{{ playbook_dir }}"

34
tasks/LE_audit_setup.yml
View file

@ -1,30 +1,34 @@
--- ---
- name: Download audit binary - name: Pre Audit Setup | Set audit package name
block:
- name: Pre Audit Setup | Set audit package name | 64bit
ansible.builtin.set_fact:
audit_pkg_arch_name: AMD64
when: ansible_machine == "x86_64"
- name: Pre Audit Setup | Set audit package name | ARM64
ansible.builtin.set_fact:
audit_pkg_arch_name: ARM64
when: ansible_machine == "arm64"
- name: Pre Audit Setup | Download audit binary
ansible.builtin.get_url: ansible.builtin.get_url:
url: "{{ goss_url }}" url: "{{ audit_bin_url }}{{ audit_pkg_arch_name }}"
dest: "{{ audit_bin }}" dest: "{{ audit_bin }}"
owner: root owner: root
group: root group: root
checksum: "{{ goss_version.checksum }}" checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
mode: 0555 mode: 0555
when: when:
- get_goss_file == 'download' - get_audit_binary_method == 'download'
- name: Copy audit binary - name: Pre Audit Setup | copy audit binary
ansible.builtin.copy: ansible.builtin.copy:
src: src: "{{ audit_bin_copy_location }}"
dest: "{{ audit_bin }}" dest: "{{ audit_bin }}"
mode: 0555 mode: 0555
owner: root owner: root
group: root group: root
when: when:
- get_goss_file == 'copy' - get_audit_binary_method == 'copy'
- name: Install git if not present
ansible.builtin.package:
name: git
state: present
register: git_installed
when:
- '"git" not in ansible_facts.packages'

2
tasks/auditd.yml
View file

@ -19,7 +19,7 @@
- Audit immutable fact - Audit immutable fact
- Restart auditd - Restart auditd
- name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa: no-handler - name: POST | AUDITD | Add Warning count for changes to template file | Warn Count # noqa no-handler
ansible.builtin.import_tasks: warning_facts.yml ansible.builtin.import_tasks: warning_facts.yml
vars: vars:
warn_control_id: 'Auditd template updated, see diff output for details' warn_control_id: 'Auditd template updated, see diff output for details'

29
tasks/main.yml
View file

@ -20,27 +20,29 @@
tags: tags:
- always - always
- name: "Check password set for {{ ansible_user }}" - name: "Check password set for {{ ansible_env.SUDO_USER }}"
block: block:
- name: Capture current password state of "{{ ansible_user }}" - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state"
ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" ansible.builtin.shell: "grep {{ ansible_env.SUDO_USER }} /etc/shadow | awk -F: '{print $2}'"
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: ansible_user_password_set register: rhel9cis_ansible_user_password_set
- name: "Assert that password set for {{ ansible_user }} and account not locked" - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert password set and not locked"
ansible.builtin.assert: ansible.builtin.assert:
that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" that: rhel9cis_ansible_user_password_set.stdout | length != 0 and rhel9cis_ansible_user_password_set.stdout != "!!"
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
success_msg: "You a password set for the {{ ansible_user }}" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
vars: vars:
sudo_password_rule: rhel9cis_rule_5_3_4 sudo_password_rule: rhel9cis_rule_5_3_4
when: when:
- rhel9cis_rule_5_3_4 - rhel9cis_rule_5_3_4
- ansible_env.SUDO_USER is defined
- not system_is_ec2 - not system_is_ec2
tags: tags:
- user_passwd - user_passwd
- rule_5.3.4
- name: "Ensure root password is set" - name: "Ensure root password is set"
block: block:
@ -92,6 +94,17 @@
fail_msg: "Crypto policy is not a permitted version" fail_msg: "Crypto policy is not a permitted version"
success_msg: "Crypto policy is a permitted version" success_msg: "Crypto policy is a permitted version"
- name: Check crypto-policy module input
ansible.builtin.assert:
that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
fail_msg: "Crypto policy module is not a permitted version"
success_msg: "Crypto policy module is a permitted version"
when:
- rhel9cis_rule_1_10
- rhel9cis_crypto_policy_module | length > 0
tags:
- rule_1.10
- name: Check rhel9cis_bootloader_password_hash variable has been changed - name: Check rhel9cis_bootloader_password_hash variable has been changed
ansible.builtin.assert: ansible.builtin.assert:
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'

10
tasks/post_remediation_audit.yml
View file

@ -2,9 +2,11 @@
- name: "Post Audit | Run post_remediation {{ benchmark }} audit" - name: "Post Audit | Run post_remediation {{ benchmark }} audit"
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
environment: "{{ audit_run_script_environment | default({}) }}" changed_when: true
changed_when: audit_run_post_remediation.rc == 0 environment:
register: audit_run_post_remediation AUDIT_BIN: "{{ audit_bin }}"
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
AUDIT_FILE: "goss.yml"
- name: Post Audit | ensure audit files readable by users - name: Post Audit | ensure audit files readable by users
ansible.builtin.file: ansible.builtin.file:
@ -17,7 +19,7 @@
- name: Post Audit | Capture audit data if json format - name: Post Audit | Capture audit data if json format
block: block:
- name: "Capture data {{ post_audit_outfile }}" - name: "capture data {{ post_audit_outfile }}"
ansible.builtin.shell: "cat {{ post_audit_outfile }}" ansible.builtin.shell: "cat {{ post_audit_outfile }}"
register: post_audit register: post_audit
changed_when: false changed_when: false

132
tasks/pre_remediation_audit.yml
View file

@ -1,109 +1,113 @@
--- ---
- name: Pre Audit | Setup the audit - name: Pre Audit Binary Setup | Setup the LE audit
ansible.builtin.include_tasks: LE_audit_setup.yml ansible.builtin.include_tasks: LE_audit_setup.yml
when: when:
- setup_audit - setup_audit
tags: tags:
- setup_audit - setup_audit
- name: "Pre Audit | Ensure {{ audit_conf_dir }} exists" - name: "Pre Audit Setup | Ensure {{ audit_conf_dir }} exists"
ansible.builtin.file: ansible.builtin.file:
path: "{{ audit_conf_dir }}" path: "{{ audit_conf_dir }}"
state: directory state: directory
mode: '0755' mode: '0755'
- name: Pre Audit | retrieve audit content files from git - name: Pre Audit Setup | If using git for content set up
ansible.builtin.git: block:
repo: "{{ audit_file_git }}" - name: Pre Audit Setup | Install git
dest: "{{ audit_conf_dir }}" ansible.builtin.package:
version: "{{ audit_git_version }}" name: git
state: present
- name: Pre Audit Setup | retrieve audit content files from git
ansible.builtin.git:
repo: "{{ audit_file_git }}"
dest: "{{ audit_conf_dir }}"
version: "{{ audit_git_version }}"
when: when:
- audit_content == 'git' - audit_content == 'git'
- name: Pre Audit | confirm audit branch vs benchmark version - name: Pre Audit Setup | copy to audit content files to server
ansible.builtin.debug:
msg: "Audit will run the branch {{ audit_git_version }} for this Benchmark {{ benchmark_version }}"
- name: Pre Audit | copy to audit content files to server
ansible.builtin.copy: ansible.builtin.copy:
src: "{{ audit_local_copy }}" src: "{{ audit_local_copy }}"
dest: "{{ audit_conf_dir }}" dest: "{{ audit_conf_dest }}"
mode: 0644 mode: preserve
when: when:
- audit_content == 'copy' - audit_content == 'copy'
- name: Pre Audit | get audit content from url - name: Pre Audit Setup | unarchive audit content files on server
ansible.builtin.unarchive:
src: "{{ audit_conf_copy }}"
dest: "{{ audit_conf_dir }}"
when:
- audit_content == 'archived'
- name: Pre Audit Setup | get audit content from url
ansible.builtin.get_url: ansible.builtin.get_url:
url: "{{ audit_files_url }}" url: "{{ audit_files_url }}"
dest: "{{ audit_conf_dir }}" dest: "{{ audit_conf_dir }}"
owner: root
group: root
mode: 0755
when: when:
- audit_content == 'get_url' - audit_content == 'get_url'
- name: Pre Audit | Check Goss is available - name: Pre Audit Setup | Check Goss is available
block: block:
- name: Pre Audit | Check for goss file - name: Pre Audit Setup | Check for goss file
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ audit_bin }}" path: "{{ audit_bin }}"
register: goss_available register: goss_available
- name: Pre Audit | Alert if goss not available - name: Pre Audit Setup | If audit ensure goss is available
ansible.builtin.assert: ansible.builtin.assert:
that: goss_available.stat.exists msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
fail_msg: "Audit binary file {{ audit_bin }} does not exist" when:
- not goss_available.stat.exists
when: when:
- run_audit - run_audit
- name: "Pre Audit | Check whether machine is UEFI-based" - name: Pre Audit Setup | Copy ansible default vars values to test audit
ansible.builtin.stat:
path: /sys/firmware/efi
register: rhel9_efi_boot
tags:
- goss_template
- name: Pre Audit | Copy ansible default vars values to test audit
ansible.builtin.template: ansible.builtin.template:
src: ansible_vars_goss.yml.j2 src: ansible_vars_goss.yml.j2
dest: "{{ audit_vars_path }}" dest: "{{ audit_vars_path }}"
mode: 0600 mode: 0600
when: when:
- run_audit - run_audit
tags: tags:
- goss_template - goss_template
- always
- name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit"
ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
environment: "{{ audit_run_script_environment | default({}) }}" changed_when: true
changed_when: audit_run_pre_remediation.rc == 0 environment:
register: audit_run_pre_remediation AUDIT_BIN: "{{ audit_bin }}"
AUDIT_CONTENT_LOCATION: "{{ audit_out_dir }}"
AUDIT_FILE: "goss.yml"
- name: Pre Audit | Capture audit data if json format - name: Pre Audit | Capture audit data if json format
block: block:
- name: "Pre Audit | capture data {{ pre_audit_outfile }}" - name: "capture data {{ pre_audit_outfile }}"
ansible.builtin.shell: "cat {{ pre_audit_outfile }}" ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
register: pre_audit register: pre_audit
changed_when: false changed_when: false
- name: Pre Audit | Capture pre-audit result - name: Pre Audit | Capture pre-audit result
ansible.builtin.set_fact: ansible.builtin.set_fact:
pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
vars: vars:
summary: 'summary."summary-line"' summary: 'summary."summary-line"'
when: when:
- audit_format == "json" - audit_format == "json"
- name: Pre Audit | Capture audit data if documentation format - name: Pre Audit | Capture audit data if documentation format
block: block:
- name: "Pre Audit | capture data {{ pre_audit_outfile }}" - name: "Pre Audit | capture data {{ pre_audit_outfile }} | documentation format"
ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}" ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
register: pre_audit register: pre_audit
changed_when: false changed_when: false
- name: Pre Audit | Capture pre-audit result - name: Pre Audit | Capture pre-audit result | documentation format
ansible.builtin.set_fact: ansible.builtin.set_fact:
pre_audit_summary: "{{ pre_audit.stdout_lines }}" pre_audit_summary: "{{ pre_audit.stdout_lines }}"
when: when:
- audit_format == "documentation" - audit_format == "documentation"

15
tasks/prelim.yml
View file

@ -54,7 +54,7 @@
- name: "PRELIM | Setup crypto-policy" - name: "PRELIM | Setup crypto-policy"
block: block:
- name: "PRELIM | Install crypto-policies" - name: "PRELIM | Install crypto-policies | pkgs present"
ansible.builtin.package: ansible.builtin.package:
name: name:
- crypto-policies - crypto-policies
@ -62,10 +62,19 @@
state: present state: present
- name: "PRELIM | Gather system-wide crypto-policy" - name: "PRELIM | Gather system-wide crypto-policy"
ansible.builtin.shell: update-crypto-policies --show ansible.builtin.shell: 'update-crypto-policies --show'
changed_when: false changed_when: false
check_mode: false check_mode: false
register: system_wide_crypto_policy register: rhel9cis_system_wide_crypto_policy
- name: "PRELIM | Gather system-wide crypto-policy | set fact system policy"
ansible.builtin.set_fact:
current_crypto_policy: "{{ rhel9cis_system_wide_crypto_policy.stdout.split(':')[0] }}"
- name: "PRELIM | Gather system-wide crypto-policy module | set fact system policy submodule"
ansible.builtin.set_fact:
current_crypto_module: "{{ rhel9cis_system_wide_crypto_policy.stdout.split(':')[1] }}"
when: "':' in rhel9cis_system_wide_crypto_policy.stdout"
when: when:
- rhel9cis_rule_1_10 - rhel9cis_rule_1_10
tags: tags:

19
tasks/section_1/cis_1.10.yml
View file

@ -1,16 +1,25 @@
--- ---
- name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy" - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy"
ansible.builtin.shell: | block:
update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy | set_fact"
update-crypto-policies ansible.builtin.set_fact:
notify: Change_requires_reboot rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}:{{ rhel9cis_crypto_policy_module }}{% endif %}"
- name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy"
ansible.builtin.shell: |
update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
update-crypto-policies
notify: Change_requires_reboot
when:
- rhel9cis_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
when: when:
- rhel9cis_rule_1_10 - rhel9cis_rule_1_10
- system_wide_crypto_policy['stdout'] == 'LEGACY'
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- automated
- no system_is_ec2 - no system_is_ec2
- patch - patch
- rule_1.10 - rule_1.10

2
tasks/section_1/cis_1.2.x.yml
View file

@ -17,7 +17,7 @@
- name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail" - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail"
ansible.builtin.fail: ansible.builtin.fail:
msg: Installed GPG Keys do not meet expected values or keys installed that are not expected msg: Installed GPG Keys do not meet expected values or expected keys are not installed
when: when:
- os_installed_pub_keys.rc == 1 or - os_installed_pub_keys.rc == 1 or
os_gpg_key_check.rc == 1 os_gpg_key_check.rc == 1

2
tasks/section_1/cis_1.3.x.yml
View file

@ -65,7 +65,7 @@
/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
validate: aide -D --config %s validate: aide -D --config %s
when: when:
- rhel9cis_rule_1_3_2 - rhel9cis_rule_1_3_2
- not system_is_ec2 - not system_is_ec2

3
tasks/section_2/cis_2.2.x.yml
View file

@ -228,9 +228,8 @@
ansible.builtin.package: ansible.builtin.package:
name: dnsmasq name: dnsmasq
state: absent state: absent
notify: Restart postfix
when: when:
- not rhel9cis_is_mail_server - not rhel9cis_dnsmasq_server
- "'dnsmasq' in ansible_facts.packages" - "'dnsmasq' in ansible_facts.packages"
- rhel9cis_rule_2_2_14 - rhel9cis_rule_2_2_14
tags: tags:

2
tasks/section_3/cis_3.1.x.yml
View file

@ -44,7 +44,7 @@
ansible.builtin.shell: nmcli radio all off ansible.builtin.shell: nmcli radio all off
changed_when: false changed_when: false
failed_when: false failed_when: false
when: rhel_09_wifi_enabled is changed when: rhel_09_wifi_enabled is changed # noqa no-handler
when: when:
- rhel9cis_rule_3_1_2 - rhel9cis_rule_3_1_2
tags: tags:

2
tasks/section_3/cis_3.4.2.x.yml
View file

@ -202,7 +202,7 @@
- name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured" - name: "3.4.2.6 | PATCH | Ensure nftables established connections are configured"
block: block:
- name: "3.4.2.6 | AUDIT | EEnsure nftables established connections are configured | Gather incoming connection rules" - name: "3.4.2.6 | AUDIT | Ensure nftables established connections are configured | Gather incoming connection rules"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
changed_when: false changed_when: false
failed_when: false failed_when: false

18
tasks/section_5/cis_5.5.x.yml
View file

@ -77,19 +77,11 @@
- patch - patch
- rule_5.5.2 - rule_5.5.2
- name: "5.5.3 | PATCH | Ensure password reuse is limited" - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
block: ansible.builtin.lineinfile:
- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality" path: /etc/pam.d/system-auth
ansible.builtin.lineinfile: line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
path: /etc/pam.d/system-auth insertafter: '^password\s*requisite\s*pam_pwquality.so'
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
- name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix"
ansible.builtin.replace:
path: /etc/pam.d/system-auth
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
when: when:
- rhel9cis_rule_5_5_3 - rhel9cis_rule_5_5_3
tags: tags:

28
tasks/section_5/cis_5.6.x.yml
View file

@ -83,25 +83,21 @@
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive"
block: block:
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings" - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings"
ansible.builtin.replace: ansible.builtin.lineinfile:
path: /etc/login.defs path: "{{ item.path }}"
regexp: "{{ item.regexp }}" regexp: '(?i)(umask\s*)'
replace: "{{ item.replace }}" line: '{{ item.line }} 027'
loop: with_items:
- { regexp: '(UMASK\s+)0[012][0-6]', replace: '\1 027' } - { path: '/etc/bashrc', line: 'umask' }
- { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' } - { path: '/etc/profile', line: 'umask' }
- { path: '/etc/login.defs', line: 'UMASK' }
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
ansible.builtin.replace: ansible.builtin.lineinfile:
path: /etc/bashrc path: /etc/login.defs
regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' regexp: '^USERGROUPS_ENAB'
replace: '\1 027' line: USERGROUPS_ENAB no
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile"
ansible.builtin.replace:
path: /etc/profile
regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]'
replace: '\1 027'
when: when:
- rhel9cis_rule_5_6_5 - rhel9cis_rule_5_6_5
tags: tags:

36
tasks/section_6/cis_6.1.x.yml
View file

@ -158,17 +158,22 @@
loop: "{{ ansible_mounts }}" loop: "{{ ansible_mounts }}"
loop_control: loop_control:
label: "{{ item.mount }}" label: "{{ item.mount }}"
when: item['device'].startswith('/dev') and not 'bind' in item['options'] when:
- item['device'].startswith('/dev')
- not 'bind' in item['options']
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | set fact" - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | set fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel_09_6_1_10_unowned_files_found: true rhel_09_6_1_10_unowned_files_found: true
loop: "{{ rhel_09_6_1_10_audit.results }}" loop: "{{ rhel_09_6_1_10_audit.results }}"
when: item.stdout | length > 0 when:
- item | length > 0
- item.stdout is defined # skipped items are part of results list, but don't have the registered module properties
- item.stdout | length > 0
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}" msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
when: rhel_09_6_1_10_unowned_files_found when: rhel_09_6_1_10_unowned_files_found
- name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning"
@ -199,17 +204,22 @@
loop: "{{ ansible_mounts }}" loop: "{{ ansible_mounts }}"
loop_control: loop_control:
label: "{{ item.mount }}" label: "{{ item.mount }}"
when: item['device'].startswith('/dev') and not 'bind' in item['options'] when:
- item['device'].startswith('/dev')
- not 'bind' in item['options']
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | set fact" - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | set fact"
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel_09_6_1_11_ungrouped_files_found: true rhel_09_6_1_11_ungrouped_files_found: true
loop: "{{ rhel_09_6_1_11_audit.results }}" loop: "{{ rhel_09_6_1_11_audit.results }}"
when: item.stdout | length > 0 when:
- item | length > 0
- item.stdout is defined # skipped items are part of results list, but don't have the registered module properties
- item.stdout | length > 0
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}" msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
when: rhel_09_6_1_11_ungrouped_files_found when: rhel_09_6_1_11_ungrouped_files_found
- name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
@ -258,11 +268,14 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9_6_1_13_suid_found: true rhel9_6_1_13_suid_found: true
loop: "{{ rhel_09_6_1_13_suid_perms.results }}" loop: "{{ rhel_09_6_1_13_suid_perms.results }}"
when: item.stdout | length > 0 when:
- item | length > 0
- item.stdout is defined # skipped items are part of results list, but don't have the registered module properties
- item.stdout | length > 0
- name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist" - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
when: rhel9_6_1_13_suid_found when: rhel9_6_1_13_suid_found
- name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning" - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning"
@ -297,11 +310,14 @@
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9_6_1_14_sgid_found: true rhel9_6_1_14_sgid_found: true
loop: "{{ rhel_09_6_1_14_sgid_perms.results }}" loop: "{{ rhel_09_6_1_14_sgid_perms.results }}"
when: item.stdout | length > 0 when:
- item | length > 0
- item.stdout is defined # skipped items are part of results list, but don't have the registered module properties
- item.stdout | length > 0
- name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist" - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
when: rhel9_6_1_14_sgid_found when: rhel9_6_1_14_sgid_found
- name: "6.1.14 | AUDIT | Audit SGID executables| warning" - name: "6.1.14 | AUDIT | Audit SGID executables| warning"

4
vars/CentOS.yml Normal file
View file

@ -0,0 +1,4 @@
---
os_gpg_key_pubkey_name: centos-gpg-keys
os_gpg_key_pubkey_content: "builder@centos.org 9.0"

5
vars/main.yml
View file

@ -7,6 +7,11 @@ rhel9cis_allowed_crypto_policies:
- 'FUTURE' - 'FUTURE'
- 'FIPS' - 'FIPS'
rhel9cis_allowed_crypto_policies_modules:
- 'OSPP'
- 'AD-SUPPORT'
- 'AD-SUPPORT-LEGACY'
# Used to control warning summary # Used to control warning summary
warn_control_list: "" warn_control_list: ""
warn_count: 0 warn_count: 0