From 223254b5c964059d25ff75689af17cc73c1df2ee Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Apr 2022 19:30:52 +0100 Subject: [PATCH] rewrite Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 172 ++++++++++++++++++++-------------- 1 file changed, 102 insertions(+), 70 deletions(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 71a37e5..24288bb 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -1,59 +1,91 @@ --- -- name: "5.5.2 | PATCH | Ensure system accounts are secured" +- name: "5.5.1 | PATCH | " block: - - name: "5.5.2 | Ensure system accounts are secured | Set nologin" - user: - name: "{{ item.id }}" - shell: /usr/sbin/nologin - with_items: - - "{{ rhel9cis_passwd }}" - when: - - item.id != "root" - - item.id != "sync" - - item.id != "shutdown" - - item.id != "halt" - - min_int_uid | int > item.gid - - item.shell != " /bin/false" - - item.shell != " /usr/sbin/nologin" + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" + blockinfile: + path: /etc/security/pwquality.conf + marker: "" + block: "{{ rhel9cis_pam_password }}" - - name: "5.5.2 | PATCH | Ensure system accounts are secured | Lock accounts" - user: - name: "{{ item.id }}" - password_lock: true - with_items: - - "{{ rhel9cis_passwd }}" - when: - - item.id != "halt" - - item.id != "shutdown" - - item.id != "sync" - - item.id != "root" - - min_int_uid | int > item.gid - - item.shell != " /bin/false" - - item.shell != " /usr/sbin/nologin" + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" + lineinfile: + dest: /etc/pam.d/system-auth + state: present + regexp: '^password\s*requisite\s*pam_pwquality.so' + line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" + insertbefore: '^#?password ?' + + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" + lineinfile: + dest: /etc/pam.d/password-auth + state: present + regexp: '^password\s*requisite\s*pam_pwquality.so' + line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" + insertbefore: '^#?password ?' when: - - rhel9cis_rule_5_5_2 + - rhel9cis_rule_5_5_1 tags: - level1-server - level1-workstation - patch - - rule_5.5.2 + - rule_5.5.1 -- name: "5.5.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" - blockinfile: - create: yes - mode: 0644 - dest: "{{ item.dest }}" - state: "{{ item.state }}" - marker: "# {mark} ANSIBLE MANAGED" - block: | - # Set session timeout - CIS ID RHEL-08-5.4.5 - TMOUT={{ rhel9cis_shell_session_timeout.timeout }} - export TMOUT - readonly TMOUT +- name: "5.5.2 | PATCH | Ensure system accounts are secured | pre RHEL8.2" + block: + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock time for preauth" + lineinfile: + dest: /etc/pam.d/{{ item }} + state: present + regexp: '^auth\s*required\s*pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" + insertafter: '^#?auth ?' + with_items: + - "system-auth" + - "password-auth" + + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock times for authfail" + lineinfile: + dest: /etc/pam.d/{{ item }} + state: present + regexp: '^auth\s*required\s*pam_faillock.so authfail' + line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" + insertafter: '^#?auth ?' + with_items: + - "system-auth" + - "password-auth" + when: + - ansible_distribution_version <= "8.1" + - rhel9cis_rule_5_5_2 + +- name: "5.5.2 | PATCH | Ensure system accounts are secured | RHEL8.2+ " + lineinfile: + dest: /etc/security/faillock.conf + state: present + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" with_items: - - { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present } - - { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } + - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' } + - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' } + when: + - ansible_distribution_version >= "8.2" + - rhel9cis_rule_5_5_2 + +- name: "5.5.3 | PATCH | Ensure password reuse is limited" + block: + - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory" + lineinfile: + path: /etc/pam.d/system-auth + state: present + line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" + insertafter: '^password\s*requisite\s*pam_pwquality.so' + + - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix" + replace: + path: /etc/pam.d/system-auth + regexp: '^password\s*sufficient\s*pam_unix.so.*$' + #after: '^password\s*requisite\s*pam_pwhistory.so' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_3 tags: @@ -62,10 +94,31 @@ - patch - rule_5.5.3 -- name: "5.5.4 | PATCH | Ensure default group for the root account is GID 0" - command: usermod -g 0 root - changed_when: false - failed_when: false +- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512" + block: + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" + replace: + path: /etc/libuser.conf + regexp: '^crypt_style\s*=\s*.*$' + replace: 'crypt_style = sha512' + + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" + replace: + path: /etc/login.defs + regexp: '^ENCRYPT_METHOD.*' + replace: 'ENCRYPT_METHOD SHA512' + + - name: "5.5.4 | PATCH | Ensure password reuse is limited | pwhistory" + replace: + path: /etc/pam.d/password-auth + regexp: '^password\s*sufficient\s*pam_unix.so.*$' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' + + - name: "5.5.4 | PATCH | Ensure password reuse is limited | pam_unix" + replace: + path: /etc/pam.d/system-auth + regexp: '^password\s*sufficient\s*pam_unix.so.*' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_4 tags: @@ -73,24 +126,3 @@ - level1-workstation - patch - rule_5.5.4 - -- name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive" - block: - - name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" - replace: - path: /etc/bashrc - regexp: '(^\s+umask) 0[012][0-6]' - replace: '\1 027' - - - name: "5.5.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" - replace: - path: /etc/profile - regexp: '(^\s+umask) 0[012][0-6]' - replace: '\1 027' - when: - - rhel9cis_rule_5_5_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.5