sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Merge pull request #93 from ansible-lockdown/sept23

Browse source 
Sept23 to devel
This commit is contained in:
uk-bolly 2023-09-13 14:32:39 +01:00 committed by GitHub
commit 18a44fc18e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
18 changed files with 209 additions and 37 deletions
Download patch file Download diff file Expand all files Collapse all files

174
.config/.secrets.baseline
View file

@ -109,15 +109,171 @@
}, },
{ {
"path": "detect_secrets.filters.heuristic.is_templated_secret" "path": "detect_secrets.filters.heuristic.is_templated_secret"
},
{
"path": "detect_secrets.filters.regex.should_exclude_file",
"pattern": [
".config/.gitleaks-report.json"
]
} }
], ],
"results": { "results": {
".config/.gitleaks-report.json": [
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b",
"is_verified": false,
"line_number": 9,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "353e8061f2befecb6818ba0c034c632fb0bcae1b",
"is_verified": false,
"line_number": 9,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "cd6f8dc4b799af818fedddd7c83e5df8bf770555",
"is_verified": false,
"line_number": 12,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb",
"is_verified": false,
"line_number": 29,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "04caa64e36fc280406f82a558baea4e4e9dfdefb",
"is_verified": false,
"line_number": 29,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657",
"is_verified": false,
"line_number": 49,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "a958aae73567ae14f8ab96593cbf9086a7f0c657",
"is_verified": false,
"line_number": 49,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9",
"is_verified": false,
"line_number": 69,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "826978d8598b4f45be97f946856e34aa95676ef9",
"is_verified": false,
"line_number": 69,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7",
"is_verified": false,
"line_number": 89,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "36927a289d8550ba3d1055d9b5e1148e641cfaf7",
"is_verified": false,
"line_number": 89,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b",
"is_verified": false,
"line_number": 109,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "0d1a728e5fa06b415885bee520ac58b10d5c643b",
"is_verified": false,
"line_number": 109,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "cb5e191d260065309ce16cd3675837069c8734c8",
"is_verified": false,
"line_number": 132,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "976b057e0978bf8956e05b173f070cd7757c38c6",
"is_verified": false,
"line_number": 249,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "bdb4ffe72f980b517d691e83c9eb50219a63fe91",
"is_verified": false,
"line_number": 252,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "95f603d65dd6aec15f75185df59f92e90737da49",
"is_verified": false,
"line_number": 269,
"is_secret": false
},
{
"type": "Hex High Entropy String",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "72172e3578dc29c275e5a39bdf7a1a038bdc03c4",
"is_verified": false,
"line_number": 272,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "08f0ac7a7bbbb1819417e5a47aa0eebbd5fe4e86",
"is_verified": false,
"line_number": 289,
"is_secret": false
},
{
"type": "Secret Keyword",
"filename": ".config/.gitleaks-report.json",
"hashed_secret": "23fdd48a76e5b32e85c6698062f1489d6fbac450",
"is_verified": false,
"line_number": 309,
"is_secret": false
}
],
"defaults/main.yml": [ "defaults/main.yml": [
{ {
"type": "Secret Keyword", "type": "Secret Keyword",
@ -132,7 +288,7 @@
"filename": "defaults/main.yml", "filename": "defaults/main.yml",
"hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e", "hashed_secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e",
"is_verified": false, "is_verified": false,
"line_number": 375, "line_number": 376,
"is_secret": false "is_secret": false
}, },
{ {
@ -140,7 +296,7 @@
"filename": "defaults/main.yml", "filename": "defaults/main.yml",
"hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4", "hashed_secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4",
"is_verified": false, "is_verified": false,
"line_number": 376, "line_number": 377,
"is_secret": false "is_secret": false
} }
], ],
@ -172,5 +328,5 @@
} }
] ]
}, },
"generated_at": "2023-08-10T12:54:13Z" "generated_at": "2023-09-07T13:18:00Z"
} }

12
Changelog.md
View file

@ -1,5 +1,13 @@
# Changes to rhel9CIS # Changes to rhel9CIS
## 1.1.1 - Based on CIS v1.0.0
- thanks to @agbrowne
- [#90](https://github.com/ansible-lockdown/RHEL9-CIS/issues/90)
- thanks to @mnasiadka
- [#54](https://github.com/ansible-lockdown/RHEL9-CIS/pull/54)
## 1.1.0 ## 1.1.0
- new workflow configuration - new workflow configuration
@ -81,8 +89,8 @@ Aligned benchmark audit version with remediate release
## 1.0.1 ## 1.0.1
Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8
Will not follow ynlink in hoe directoris and amend permissions. Will not follow symlink in home directories and amend permissions.
- rhel_09_6_2_16_home_follow_symlink: false - rhel_09_6_2_16_home_follow_symlink: false

7
defaults/main.yml
View file

@ -370,6 +370,7 @@ rhel9cis_rhnsd_required: false
# 1.2.4 repo_gpgcheck # 1.2.4 repo_gpgcheck
rhel9cis_rhel_default_repo: true rhel9cis_rhel_default_repo: true
rhel9cis_rule_enable_repogpg: true
# 1.4.1 Bootloader password # 1.4.1 Bootloader password
rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B'
@ -696,12 +697,12 @@ audit_files_url: "some url maybe s3?"
# Where the goss configs and outputs are stored # Where the goss configs and outputs are stored
audit_out_dir: '/opt' audit_out_dir: '/opt'
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_facts.hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
## The following should not need changing ## The following should not need changing
goss_file: "{{ audit_conf_dir }}goss.yml" goss_file: "{{ audit_conf_dir }}goss.yml"
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_hostname }}.yml" audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
audit_results: | audit_results: |
The pre remediation results are: {{ pre_audit_summary }}. The pre remediation results are: {{ pre_audit_summary }}.
The post remediation results are: {{ post_audit_summary }}. The post remediation results are: {{ post_audit_summary }}.

8
tasks/main.yml
View file

@ -3,9 +3,9 @@
- name: Check OS version and family - name: Check OS version and family
ansible.builtin.assert: ansible.builtin.assert:
that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==') that: (ansible_facts.distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
when: when:
- os_check - os_check
- not system_is_ec2 - not system_is_ec2
@ -122,7 +122,7 @@
- always - always
- name: Include OS specific variables - name: Include OS specific variables
ansible.builtin.include_vars: "{{ ansible_distribution }}.yml" ansible.builtin.include_vars: "{{ ansible_facts.distribution }}.yml"
tags: tags:
- always - always

4
tasks/prelim.yml
View file

@ -133,8 +133,8 @@
state: latest state: latest
when: when:
- rhel9cis_rule_1_2_4 - rhel9cis_rule_1_2_4
- ansible_distribution != 'RedHat' - ansible_facts.distribution != 'RedHat'
- ansible_distribution != 'OracleLinux' - ansible_facts.distribution != 'OracleLinux'
- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
ansible.builtin.package: ansible.builtin.package:

2
tasks/section_1/cis_1.1.2.x.yml
View file

@ -33,7 +33,7 @@
state: present state: present
opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %}
notify: Remount tmp notify: Remount tmp
loop: "{{ ansible_mounts }}" loop: "{{ ansible_facts.mounts }}"
loop_control: loop_control:
label: "{{ item.device }}" label: "{{ item.device }}"
when: when:

2
tasks/section_1/cis_1.1.3.x.yml
View file

@ -31,7 +31,7 @@
fstype: "{{ item.fstype }}" fstype: "{{ item.fstype }}"
state: present state: present
opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %} opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %}
loop: "{{ ansible_mounts }}" loop: "{{ ansible_facts.mounts }}"
loop_control: loop_control:
label: "{{ item.device }}" label: "{{ item.device }}"
notify: Change_requires_reboot notify: Change_requires_reboot

2
tasks/section_1/cis_1.1.4.x.yml
View file

@ -33,7 +33,7 @@
fstype: "{{ item.fstype }}" fstype: "{{ item.fstype }}"
state: present state: present
opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %}
loop: "{{ ansible_mounts }}" loop: "{{ ansible_facts.mounts }}"
loop_control: loop_control:
label: "{{ item.device }}" label: "{{ item.device }}"
notify: Change_requires_reboot notify: Change_requires_reboot

2
tasks/section_1/cis_1.1.5.x.yml
View file

@ -33,7 +33,7 @@
fstype: "{{ item.fstype }}" fstype: "{{ item.fstype }}"
state: present state: present
opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %}
loop: "{{ ansible_mounts }}" loop: "{{ ansible_facts.mounts }}"
loop_control: loop_control:
label: "{{ item.device }}" label: "{{ item.device }}"
notify: Change_requires_reboot notify: Change_requires_reboot

2
tasks/section_1/cis_1.1.6.x.yml
View file

@ -32,7 +32,7 @@
fstype: "{{ item.fstype }}" fstype: "{{ item.fstype }}"
state: present state: present
opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %}
loop: "{{ ansible_mounts }}" loop: "{{ ansible_facts.mounts }}"
loop_control: loop_control:
label: "{{ item.device }}" label: "{{ item.device }}"
notify: Change_requires_reboot notify: Change_requires_reboot

2
tasks/section_1/cis_1.1.7.x.yml
View file

@ -32,7 +32,7 @@
fstype: "{{ item.fstype }}" fstype: "{{ item.fstype }}"
state: present state: present
opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %} opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}
loop: "{{ ansible_mounts }}" loop: "{{ ansible_facts.mounts }}"
loop_control: loop_control:
label: "{{ item.device }}" label: "{{ item.device }}"
notify: Change_requires_reboot notify: Change_requires_reboot

10
tasks/section_1/cis_1.2.x.yml
View file

@ -23,9 +23,9 @@
os_gpg_key_check.rc == 1 os_gpg_key_check.rc == 1
when: when:
- rhel9cis_rule_1_2_1 - rhel9cis_rule_1_2_1
- ansible_distribution == "RedHat" or - ansible_facts.distribution == "RedHat" or
ansible_distribution == "Rocky" or ansible_facts.distribution == "Rocky" or
ansible_distribution == "AlmaLinux" ansible_facts.distribution == "AlmaLinux"
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -111,8 +111,8 @@
when: when:
- rhel9cis_rule_1_2_4 - rhel9cis_rule_1_2_4
- not rhel9cis_rhel_default_repo or ansible_distribution != 'RedHat' - rhel9cis_rule_enable_repogpg
- ansible_distribution != 'OracleLinux' - not rhel9cis_rhel_default_repo
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation

8
tasks/section_6/cis_6.1.x.yml
View file

@ -155,7 +155,7 @@
failed_when: false failed_when: false
check_mode: false check_mode: false
register: rhel_09_6_1_10_audit register: rhel_09_6_1_10_audit
loop: "{{ ansible_mounts }}" loop: "{{ ansible_facts.mounts }}"
loop_control: loop_control:
label: "{{ item.mount }}" label: "{{ item.mount }}"
when: when:
@ -201,7 +201,7 @@
failed_when: false failed_when: false
changed_when: false changed_when: false
register: rhel_09_6_1_11_audit register: rhel_09_6_1_11_audit
loop: "{{ ansible_mounts }}" loop: "{{ ansible_facts.mounts }}"
loop_control: loop_control:
label: "{{ item.mount }}" label: "{{ item.mount }}"
when: when:
@ -260,7 +260,7 @@
failed_when: false failed_when: false
changed_when: false changed_when: false
register: rhel_09_6_1_13_suid_perms register: rhel_09_6_1_13_suid_perms
loop: "{{ ansible_mounts }}" loop: "{{ ansible_facts.mounts }}"
loop_control: loop_control:
label: "{{ item.mount }}" label: "{{ item.mount }}"
@ -302,7 +302,7 @@
failed_when: false failed_when: false
changed_when: false changed_when: false
register: rhel_09_6_1_14_sgid_perms register: rhel_09_6_1_14_sgid_perms
loop: "{{ ansible_mounts }}" loop: "{{ ansible_facts.mounts }}"
loop_control: loop_control:
label: "{{ item.mount }}" label: "{{ item.mount }}"

2
templates/ansible_vars_goss.yml.j2
View file

@ -7,7 +7,7 @@ benchmark_version: '1.0.0'
# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS # Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS
# If run via script this is discovered and set # If run via script this is discovered and set
host_os_distribution: {{ ansible_distribution | lower }} host_os_distribution: {{ ansible_facts.distribution | lower }}
# timeout for each command to run where set - default = 10seconds/10000ms # timeout for each command to run where set - default = 10seconds/10000ms
timeout_ms: 60000 timeout_ms: 60000

2
templates/etc/sysctl.d/60-disable_ipv6.conf.j2
View file

@ -1,7 +1,7 @@
## This file is managed by Ansible, YOUR CHANGES WILL BE LOST! ## This file is managed by Ansible, YOUR CHANGES WILL BE LOST!
# IPv6 disable # IPv6 disable
{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} {% if rhel9cis_rule_3_1_1 and not rhel9cis_ipv6_required %}
net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1
{% endif %} {% endif %}

2
vars/AlmaLinux.yml
View file

@ -3,3 +3,5 @@
os_gpg_key_pubkey_name: gpg-pubkey-b86b3716-61e69f29 os_gpg_key_pubkey_name: gpg-pubkey-b86b3716-61e69f29
os_gpg_key_pubkey_content: "AlmaLinux OS 9 <packager@almalinux.org> b86b3716" os_gpg_key_pubkey_content: "AlmaLinux OS 9 <packager@almalinux.org> b86b3716"
# disable repo_gpgcheck due to OS default repos
rhel9cis_rule_enable_repogpg: false

2
vars/OracleLinux.yml
View file

@ -2,3 +2,5 @@
# OS Specific Settings # OS Specific Settings
os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec os_gpg_key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec
os_gpg_key_pubkey_content: "Oracle Linux (release key 1) <secalert_us@oracle.com>" os_gpg_key_pubkey_content: "Oracle Linux (release key 1) <secalert_us@oracle.com>"
# disable repo_gpgcheck due to OS default repos
rhel9cis_rule_enable_repogpg: false

3
vars/RedHat.yml
View file

@ -3,3 +3,6 @@
os_gpg_key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b os_gpg_key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b
os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) <security@redhat.com> fd431d51" os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) <security@redhat.com> fd431d51"
# disable repo_gpgcheck due to OS default repos
rhel9cis_rule_enable_repogpg: false