diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 1c99b62..cc2156c 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml 
@@ -1,76 +1,49 @@ --- -- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" +- name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled" block: - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" - lineinfile: - path: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install cramfs(\\s|$)" - line: "install cramfs /bin/true" - create: true - mode: 0600 - - - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" - modprobe: - name: cramfs - state: absent - when: not system_is_container - when: - - rhel9cis_rule_1_1_1_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.1.1.1 - - cramfs - -- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled" - block: - - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" - lineinfile: + - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" + ansible.builtin.lineinfile: path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" create: true mode: 0600 - - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" + - name: "1.1.1.1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" modprobe: name: squashfs state: absent when: not system_is_container + when: + - rhel9cis_rule_1_1_1_1 + tags: + - level2-server + - level2-workstation + - patch + - rule_1.1.1.1 + - squashfs + +- name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disabled" + block: + - name: "1.1.1.2 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config" + ansible.builtin.lineinfile: + path: /etc/modprobe.d/CIS.conf + regexp: "^(#)?install udf(\\s|$)" + line: "install udf /bin/true" + create: true + mode: 0600 + + - name: "1.1.1.2 | PATCH | 
Ensure mounting of udf filesystems is disable | Disable udf" + modprobe: + name: udf + state: absent + when: not system_is_container when: - rhel9cis_rule_1_1_1_2 tags: - level2-server - level2-workstation - - automated - patch - rule_1.1.1.2 - - squashfs - -- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled" - block: - - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config" - lineinfile: - path: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install udf(\\s|$)" - line: "install udf /bin/true" - create: true - mode: 0600 - - - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" - modprobe: - name: udf - state: absent - when: not system_is_container - when: - - rhel9cis_rule_1_1_1_3 - tags: - - level2-server - - level2-workstation - - automated - - patch - - rule_1.1.1.3 - udf diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index d7db5a6..ab737cc 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -3,13 +3,13 @@ - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition" block: - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! /tmp is not mounted on a separate partition" when: - required_mount not in mount_names - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: @@ -28,7 +28,6 @@ tags: - level1-server - level1-workstation - - automated - audit - mounts - rule_1.1.2.1 @@ -38,7 +37,7 @@ "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" - mount: + ansible.builtin.mount: name: /tmp src: "{{ item.device }}" fstype: "{{ item.fstype }}" 
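Review bot: Renumbering the rule toggles changes what each variable controls with no migration note: `rhel9cis_rule_1_1_1_1` now gates squashfs instead of cramfs and `rhel9cis_rule_1_1_1_2` gates udf instead of squashfs, so an inventory that set `rhel9cis_rule_1_1_1_2: false` to keep squashfs loadable will now silently skip the udf control instead, and `rhel9cis_rule_1_1_1_3` becomes a dead variable. Please document the renumbering in defaults/README. The modprobe.d entries only write `install squashfs /bin/true` / `install udf /bin/true`; the current benchmark remediation for these controls also adds a `blacklist squashfs` / `blacklist udf` line so the module is not auto-loaded via an alias, which this hunk does not write. Minor: both new udf task names read "is disable", and the "Disable squashfs"/"Disable udf" sub-tasks still use the bare `modprobe` module while their siblings were moved to `ansible.builtin.*`.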
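Review bot: Dropping the `automated` tag from the 1.1.2.1 tags block (and from the sibling hunks in this patch) while other tasks keep it — `rule_1.2.2` and the 1.6.1.x tasks still carry `- automated` — leaves the tag set inconsistent, so a run with `--tags automated` will now skip the /tmp partition controls but still apply the others. Either remove the tag everywhere in one sweep or keep it here, and note the change, since tag-based selection is part of the role's interface. The task this tags block belongs to starts before the hunk.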
@@ -58,7 +57,6 @@ tags: - level1-server - level1-workstation - - automated - patch - mounts - rule_1.1.2.2 @@ -71,7 +69,7 @@ "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" - template: + ansible.builtin.template: src: etc/systemd/system/tmp.mount.j2 dest: /etc/systemd/system/tmp.mount owner: root diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 9e4feb8..3780e2f 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -3,7 +3,7 @@ - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var" block: - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_mount_absent changed_when: var_mount_absent.skipped is undefined @@ -11,14 +11,14 @@ - required_mount not in mount_names - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" - debug: + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: var_mount_present when: @@ -30,7 +30,6 @@ tags: - level2-server - level2-workstation - - automated - patch - mounts - rule_1.1.3.1 
@@ -38,14 +37,13 @@ # skips if mount is absent - name: | "1.1.3.2 | PATCH | Ensure nodev option set on /var partition" - "1.1.3.3 | PATCH | Ensure noexec option set on /var partition" - "1.1.3.4 | PATCH | Ensure nosuid option set on /var partition" - mount: + "1.1.3.3 | PATCH | Ensure nosuid option set on /var partition" + ansible.builtin.mount: name: /var src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid,{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -56,15 +54,13 @@ - item.mount == "/var" - rhel9cis_rule_1_1_3_1 # This is required so the check takes place - rhel9cis_rule_1_1_3_2 or - rhel9cis_rule_1_1_3_3 or - rhel9cis_rule_1_1_3_4 + rhel9cis_rule_1_1_3_3 tags: - level1-server - level1-workstation - - automated - patch - mounts - skip_ansible_lint - rule_1.1.3.2 - rule_1.1.3.3 - - rule_1.1.3.4 + diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index d05db6a..742a5d7 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -4,7 +4,7 @@ - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp" block: - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_tmp_mount_absent changed_when: var_tmp_mount_absent.skipped is undefined 
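Review bot: The rewritten `opts` template for /var now always ends with a comma when nosuid is enabled (`defaults,nodev,nosuid,`), because `nosuid,` was previously followed by the noexec branch; the old template left the last option bare. mount appears to tolerate the empty option, but the string is written verbatim into /etc/fstab and may make `ansible.builtin.mount` see a different option string than the kernel reports, so the task can report changed on every run. Suggest `{% if rhel9cis_rule_1_1_3_3 %}nosuid{% endif %}` for the last branch, or build a list and `| join(',')`. Dropping noexec for /var matches the renamed task (1.1.3.4 is no longer listed), so that part looks intentional.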
@@ -12,14 +12,14 @@ - required_mount not in mount_names - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - debug: + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: var_tmp_mount_present when: @@ -31,7 +31,6 @@ tags: - level2-server - level2-workstation - - automated - audit - mounts - rule_1.1.4.1 @@ -41,12 +40,12 @@ "1.1.4.2 | PATCH | Ensure noexec option set on /var/tmp partition" "1.1.4.3 | PATCH | Ensure nosuid option set on /var/tmp partition" "1.1.4.4 | PATCH | Ensure nodev option set on /var/tmp partition" - mount: + ansible.builtin.mount: name: /var/tmp src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nodev{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -62,7 +61,6 @@ tags: - level1-server - level1-workstation - - automated - patch - mounts - skip_ansible_lint diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index dd4ab9f..0fa245b 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml 
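Review bot: The reordered `opts` template for /var/tmp gates nodev on the wrong toggle: `{% if rhel9cis_rule_1_1_4_3 %}nodev{% endif %}` should be `{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %}`, matching the task name "1.1.4.4 | PATCH | Ensure nodev option set on /var/tmp partition". As written, `rhel9cis_rule_1_1_4_4: false` has no effect, and disabling 1.1.4.3 silently drops nodev as well as nosuid. The `when` list that selects these rules is outside the hunk; please check it still references `rhel9cis_rule_1_1_4_4`.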
@@ -3,7 +3,7 @@ - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log" block: - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_log_mount_absent changed_when: var_log_mount_absent.skipped is undefined @@ -11,14 +11,14 @@ - required_mount not in mount_names - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" - debug: + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: var_log_mount_present when: @@ -30,7 +30,6 @@ tags: - level2-server - level2-workstation - - automated - audit - mounts - rule_1.1.5.1 @@ -40,12 +39,12 @@ "1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition" "1.1.5.3 | PATCH | Ensure noexec option set on /var/log partition" "1.1.5.4 | PATCH | Ensure nosuid option set on /var/log partition" - mount: + ansible.builtin.mount: name: /var/log src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -61,7 +60,6 @@ tags: - level1-server - level1-workstation - - automated - patch - mounts - skip_ansible_lint diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index afbe41a..a496f43 100644 --- a/tasks/section_1/cis_1.1.6.x.yml 
+++ b/tasks/section_1/cis_1.1.6.x.yml @@ -3,7 +3,7 @@ - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit" block: - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_log_audit_mount_absent changed_when: var_log_audit_mount_absent.skipped is undefined @@ -11,14 +11,14 @@ - required_mount not in mount_names - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - debug: + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: var_log_audit_mount_present when: @@ -30,7 +30,6 @@ tags: - level2-server - level2-workstation - - automated - audit - mounts - rule_1.1.6.1 @@ -39,7 +38,7 @@ "1.1.6.2 | PATCH | Ensure noexec option set on /var/log/audit partition" "1.1.6.3 | PATCH | Ensure nodev option set on /var/log/audit partition" "1.1.6.4 | PATCH | Ensure nosuid option set on /var/log/audit partition" - mount: + ansible.builtin.mount: name: /var/log/audit src: "{{ item.device }}" fstype: "{{ item.fstype }}" @@ -60,7 +59,6 @@ tags: - level1-server - level1-workstation - - automated - patch - mounts - skip_ansible_lint diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 59f28ba..dc9ea6a 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml 
@@ -3,7 +3,7 @@ - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home" block: - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" - debug: + ansible.builtin.debug: msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: home_mount_absent changed_when: home_mount_absent.skipped is undefined @@ -11,14 +11,14 @@ - required_mount not in mount_names - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" - set_fact: + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]" warn_count: "{{ warn_count | int + 1 }}" when: - required_mount not in mount_names - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" - debug: + ansible.builtin.debug: msg: "Congratulations: {{ required_mount }} exists." register: home_mount_present when: @@ -30,7 +30,6 @@ tags: - level2-server - level2-workstation - - automated - audit - mounts - rule_1.1.7.1 @@ -38,15 +37,13 @@ - name: | "1.1.7.2 | PATCH | Ensure nodev option set on /home partition - 1.1.7.3 | PATCH | Ensure nosuid option set on /home partition - 1.1.7.4 | PATCH | Ensure usrquota option set on /home partition - 1.1.7.5 | PATCH | Ensure grpquota option set on /home partition" - mount: + 1.1.7.3 | PATCH | Ensure nosuid option set on /home partition" + ansible.builtin.mount: name: /home src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel9cis_rule_1_1_7_5 %}grpquota{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: 
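Review bot: With usrquota/grpquota removed, the /home `opts` template now ends with a dangling comma whenever nosuid is enabled (`defaults,nodev,nosuid,`), because the `nosuid,` branch used to be followed by the quota options. Change the last branch to `{% if rhel9cis_rule_1_1_7_3 %}nosuid{% endif %}` so the fstab entry is clean and the mount module's idempotence comparison is not affected. The task's `when` list and tags continue in the next hunk.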
@@ -57,13 +54,10 @@ - item.mount == "/home" - rhel9cis_rule_1_1_7_1 - rhel9cis_rule_1_1_7_2 or - rhel9cis_rule_1_1_7_3 or - rhel9cis_rule_1_1_7_4 or - rhel9cis_rule_1_1_7_5 + rhel9cis_rule_1_1_7_3 tags: - level1-server - level1-workstation - - automated - patch - mounts - rule_1.1.7.2 diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 26ae877..c9a6394 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml 
@@ -1,43 +1,61 @@ --- # Skips if mount is absent -- name: | - "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition - 1.1.8.2 | PATCH | Ensure nosuid option set on /dev/shm partition - 1.1.8.3 | PATCH | Ensure noexec option set on /dev/shm partition" +- name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a sepretae partition" block: - - name: | - "1.1.8.1 | AUDIT | Ensure nodev option set on /dev/shm partition | Check for /dev/shm existence - 1.1.8.2 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence - 1.1.8.3 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence" - shell: mount -l | grep -E '\s/dev/shm\s' - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_1_1_8_x_dev_shm_status + - name: "1.1.8.1 | AUDIT | Ensure /dev/shm is a sepretae partition | Absent" + ansible.builtin.debug: + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" + register: home_mount_absent + changed_when: home_mount_absent.skipped is undefined + when: + - required_mount not in mount_names - - name: | - "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option - 1.1.8.2 | PATCH | Ensure noexec option set on /dev/shm partition | Set nosuid option - 1.1.8.3 | PATCH | Ensure nosuid option set on /dev/shm partition | Set noexec option" - mount: - name: /dev/shm - src: tmpfs - fstype: tmpfs - state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} - when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" - notify: change_requires_reboot + - name: "1.1.8.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" + ansible.builtin.set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.8.1' ]" + warn_count: "{{ warn_count | int + 1 }}" + when: + - required_mount not in mount_names + + - name: "1.1.8.1 | 
AUDIT | Ensure separate partition exists for /home | Present" + ansible.builtin.debug: + msg: "Congratulations: {{ required_mount }} exists." + register: home_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/dev/shm' when: - - rhel9cis_rule_1_1_8_1 or - rhel9cis_rule_1_1_8_2 or - rhel9cis_rule_1_1_8_3 + - rhel9cis_rule_1_1_8_1 tags: - level1-server - level1-workstation - - automated - - patch + - audit - mounts - rule_1.1.8.1 + - skip_ansible_lint + +- name: | + "1.1.8.2 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option + 1.1.8.3 | PATCH | Ensure noexec option set on /dev/shm partition | Set nosuid option + 1.1.8.4 | PATCH | Ensure nosuid option set on /dev/shm partition | Set noexec option" + ansible.builtin.mount: + name: /dev/shm + src: tmpfs + fstype: tmpfs + state: mounted + opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %} + notify: change_requires_reboot + when: + - rhel9cis_rule_1_1_8_2 or + rhel9cis_rule_1_1_8_3 or + rhel9cis_rule_1_1_8_4 + tags: + - level1-server + - level1-workstation + - patch + - mounts - rule_1.1.8.2 - rule_1.1.8.3 + - rule_1.1.8.4 diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index ea5c862..77cbf0f 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml 
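Review bot: The new 1.1.8.1 audit block is a copy of the /home block and still says so: the "Warn Count" and "Present" tasks are named "Ensure separate partition exists for /home", and the results are registered as `home_mount_absent`/`home_mount_present`, shadowing the identically named registers in cis_1.1.7.x.yml — rename them to `dev_shm_mount_absent`/`dev_shm_mount_present` and fix the title typo "sepretae" (twice). The 1.1.8.2-4 mount task drops the old `mount -l | grep /dev/shm` guard and has no `not system_is_container` condition like the modprobe tasks elsewhere in this patch, so it now tries to add and mount a tmpfs /dev/shm fstab entry unconditionally, including in containers; consider re-adding `- not system_is_container` to its `when` list. Its sub-labels are also swapped ("noexec … | Set nosuid option", "nosuid … | Set noexec option"), and `skip_ansible_lint` was added to the audit block without an evident reason.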
@@ -1,26 +1,9 @@ --- -- name: "1.1.9 | PATCH | Disable Automounting" - service: - name: autofs - enabled: false - when: - - not rhel9cis_allow_autofs - - "'autofs' in ansible_facts.packages" - - rhel9cis_rule_1_1_9 - tags: - - level1-server - - level2-workstation - - automated - - patch - - mounts - - automounting - - rule_1.1.9 - -- name: "1.1.10 | PATCH | Disable USB Storage" +- name: "1.1.9 | PATCH | Disable USB Storage" block: - - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config" - lineinfile: + - name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config" + ansible.builtin.lineinfile: path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" @@ -29,12 +12,12 @@ group: root mode: 0600 - - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config" - modprobe: + - name: "1.1.9 | PATCH | Disable USB Storage | Edit modprobe config" + ansible.builtin.modprobe: name: usb-storage state: absent when: - - rhel9cis_rule_1_1_10 + - rhel9cis_rule_1_1_9 tags: - level1-server - level2-workstation @@ -42,4 +25,4 @@ - patch - mounts - removable_storage - - rule_1.1.10 + - rule_1.1.9 diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index 19ddc3f..1b0d2a2 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -1,7 +1,7 @@ --- - name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy" - shell: | + ansible.builtin.shell: | update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" update-crypto-policies notify: change_requires_reboot @@ -11,7 +11,6 @@ tags: - level1-server - level1-workstation - - automated - no system_is_ec2 - patch - rule_1.10 diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 9445d15..9a1a6c2 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml 
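Review bot: This hunk deletes the "Disable Automounting" task outright rather than renumbering it, so `rhel9cis_allow_autofs` becomes a dead variable and hosts with autofs installed keep it enabled unless the control has been re-added elsewhere in the role, which is not visible in this patch. If the benchmark moved autofs to another section, say so in the changelog/defaults; otherwise the task should be kept under its new number. The remaining USB-storage task also still calls `ansible.builtin.modprobe` with `state: absent` without the `not system_is_container` guard the 1.1.1.x tasks use, which will error in containers where modules cannot be unloaded.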
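Review bot: The control is "crypto policy is not legacy", but nothing stops `rhel9cis_crypto_policy` from being set to `LEGACY`, in which case this task actively applies the policy the benchmark forbids; add `- rhel9cis_crypto_policy | upper != 'LEGACY'` to the `when` list (or assert it in the role's prelim checks). The value is also interpolated into a shell line, so prefer `ansible.builtin.command` with `argv: [update-crypto-policies, --set, "{{ rhel9cis_crypto_policy }}"]`, which removes the shell entirely; the second bare `update-crypto-policies` only prints the current policy and can be dropped. If the task has no `changed_when` (its remaining keys are outside the hunk), it will report changed and fire `change_requires_reboot` on every run; comparing against `update-crypto-policies --show` first would make it idempotent.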
@@ -1,54 +1,35 @@ --- -- name: "1.2.1 | PATCH | Ensure Red Hat Subscription Manager connection is configured" - redhat_subscription: - state: present - username: "{{ rhel9cis_rh_sub_user }}" - password: "{{ rhel9cis_rh_sub_password }}" - auto_attach: true - no_log: true - when: - - ansible_distribution == "RedHat" - - rhel9cis_rhnsd_required - - rhel9cis_rule_1_2_1 - tags: - - level1-server - - level1-workstation - - manual - - patch - - rule_1.2.1 - - skip_ansible_lint # Added as no_log still errors on ansuible-lint - -- name: "1.2.2 | AUDIT | Ensure GPG keys are configured" +- name: "1.2.1 | AUDIT | Ensure GPG keys are configured" block: - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" - shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" + - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" + ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" changed_when: false failed_when: false register: os_installed_pub_keys - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | Query found keys" - shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\"" + - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys" + ansible.builtin.shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\"" changed_when: false failed_when: false register: os_gpg_key_check when: os_installed_pub_keys.rc == 0 - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys pass" - debug: + - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys pass" + ansible.builtin.debug: msg: "Congratulations !! 
- The installed gpg keys match expected values" when: - os_installed_pub_keys.rc == 0 - os_gpg_key_check.rc == 0 - - name: "1.2.2 | AUDIT | Ensure GPG keys are configured | expected keys fail" - fail: + - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | expected keys fail" + ansible.builtin.fail: msg: Installed GPG Keys do not meet expected values or keys installed that are not expected when: - os_installed_pub_keys.rc == 1 or os_gpg_key_check.rc == 1 when: - - rhel9cis_rule_1_2_2 + - rhel9cis_rule_1_2_1 - ansible_distribution == "RedHat" or ansible_distribution == "Rocky" or ansible_distribution == "AlmaLinux" @@ -57,19 +38,19 @@ - level1-workstation - manual - patch - - rule_1.2.2 + - rule_1.2.1 -- name: "1.2.3| PATCH | Ensure gpgcheck is globally activated" +- name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated" block: - - name: "1.2.3 | AUDIT | Ensure gpgcheck is globally activated | Find repos" - find: + - name: "1.2.2 | AUDIT | Ensure gpgcheck is globally activated | Find repos" + ansible.builtin.find: paths: /etc/yum.repos.d patterns: "*.repo" register: yum_repos changed_when: false - - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" - replace: + - name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" + ansible.builtin.replace: name: "{{ item.path }}" regexp: "^gpgcheck=0" replace: "gpgcheck=1" 
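Review bot: In the renumbered 1.2.1 block the failure branch only fires on `rc == 1`: `os_installed_pub_keys.rc == 1 or os_gpg_key_check.rc == 1`. Both commands run with `failed_when: false`, so if grep exits 2 (bad pattern, unreadable input) the first comparison is false and the `or` then evaluates `os_gpg_key_check.rc` on a register that was skipped and has no `rc`, aborting the play with an undefined-attribute error instead of a clear message. Use `!= 0` for both and guard the second with `os_gpg_key_check.rc is defined`. `os_gpg_key_pubkey_name` is also spliced into a shell pipeline unquoted; `rpm -qa | grep -- {{ os_gpg_key_pubkey_name | quote }}` avoids a stray value being read as shell syntax. Removing the subscription-manager task (old 1.2.1, with `no_log: true`) is reasonable, but `rhel9cis_rh_sub_user`/`rhel9cis_rh_sub_password` should be removed from defaults with it.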
@@ -78,35 +59,63 @@ loop_control: label: "{{ item.path }}" when: - - rhel9cis_rule_1_2_3 + - rhel9cis_rule_1_2_2 tags: - level1-server - level1-workstation - automated - patch - - rule_1.2.3 + - rule_1.2.2 -- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured" +- name: "1.2.3 | AUDIT | Ensure package manager repositories are configured" block: - - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Get repo list" - command: dnf repolist + - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Get repo list" + ansible.builtin.command: dnf repolist changed_when: false failed_when: false register: dnf_configured check_mode: false - args: - warn: false - - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" - debug: + - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Display repo list" + ansible.builtin.debug: msg: - "Warning!! Below are the configured repos. 
Please review and make sure all align with site policy" - "{{ dnf_configured.stdout_lines }}" - - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Warn Count" - set_fact: - control_number: "{{ control_number }} + ['rule_1.2.4']" + - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Warn Count" + ansible.builtin.set_fact: + control_number: "{{ control_number }} + ['rule_1.2.3']" warn_count: "{{ warn_count | int + 1 }}" + when: + - rhel9cis_rule_1_2_3 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_1.2.3 + - skip_ansible_lint + +- name: "1.2.4 | AUDIT | Ensure repo_gpgcheck is globally activated" + block: + - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | dnf.conf" + ansible.builtin.lineinfile: + path: /etc/dnf/dnf.conf + regexp: '^repo_gpgcheck' + line: repo_gpgcheck 1 + + - name: "1.2.4 | AUDIT| Ensure repo_gpgcheck is globally activated | get repo files" + ansible.builtin.find: + path: /etc/yum.repos.d + patterns: '*.repo' + register: repo_files + + - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" + ansible.builtin.lineinfile: + path: "{{ item }}" + regexp: '^repo_gpgcheck' + line: repo_gpgcheck=1 + loop: "{{ repo_files.files }}" when: - rhel9cis_rule_1_2_4 tags: @@ -115,4 +124,3 @@ - manual - audit - rule_1.2.4 - - skip_ansible_lint diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 4dd7bcd..1fce7fa 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml 
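Review bot: The new 1.2.4 task does not do what its name says: the dnf.conf line is written as `repo_gpgcheck 1` (no `=`), which dnf will not read as the `repo_gpgcheck=1` option, and the per-repo loop passes `path: "{{ item }}"` where `item` is a dict returned by `ansible.builtin.find`, so the second `lineinfile` fails on every host — it needs `line: repo_gpgcheck=1` and `path: "{{ item.path }}"` (plus `loop_control: label: "{{ item.path }}"`). Even corrected, appending `repo_gpgcheck=1` with a `^repo_gpgcheck` regexp and no `insertafter` only lands in the last `[section]` of a multi-repo file, and enabling it globally breaks any repository whose metadata is unsigned, which is presumably why it is tagged `manual`. The block is tagged `manual`/`audit` yet modifies files; either keep it audit-only or tag it `patch` and gate it behind an explicit opt-in variable. `/etc/dnf/dnf.conf` is also edited without `owner`/`group`/`mode` or `backup`, unlike the other lineinfile tasks in this role.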
@@ -3,12 +3,12 @@ - name: "1.3.1 | PATCH | Ensure AIDE is installed" block: - name: "1.3.1 | PATCH | Ensure AIDE is installed | Install AIDE" - package: + ansible.builtin.package: name: aide state: present - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" - command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + ansible.builtin.command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' changed_when: false failed_when: false async: 45 @@ -22,13 +22,12 @@ tags: - level1-server - level1-workstation - - automated - aide - patch - rule_1.3.1 - name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" - cron: + ansible.builtin.cron: name: Run AIDE integrity check cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}" user: "{{ rhel9cis_aide_cron['cron_user'] }}" @@ -44,8 +43,24 @@ tags: - level1-server - level1-workstation - - automated - aide - file_integrity - patch - rule_1.3.2 + +- name: "1.3.3 Ensure cryptographic mechanisms are used to protect the integrity of audit tools" + ansible.builtin.template: + src: etc/aide.conf.d/crypt_audit_procs.conf.j2 + dest: /etc/aide.conf.d/crypt_audit_procs.conf + owner: root + group: 0640 + when: + - rhel9cis_rule_1_3_2 + - not system_is_ec2 + tags: + - level1-server + - level1-workstation + - aide + - file_integrity + - patch + - rule_1.3.3 diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index cdad67f..61174d2 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -1,7 +1,7 @@ --- - name: "1.4.1 | PATCH | Ensure bootloader password is set" - copy: + ansible.builtin.copy: dest: /boot/grub2/user.cfg content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy owner: root @@ -14,7 +14,6 @@ tags: - level1-server - level1-workstation - - automated - grub - patch - rule_1.4.1 
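Review bot: The new 1.3.3 task has two copy errors: `group: 0640` is not a mode — Ansible will most likely treat the digit string as a numeric gid and chgrp the file to gid 640 — and `when: - rhel9cis_rule_1_3_2` gates the task on the cron control instead of its own toggle. Use `group: root` with `mode: '0640'`, and `- rhel9cis_rule_1_3_3`; the name should also follow the `"1.3.3 | PATCH | …"` convention the rest of the file uses. The template `etc/aide.conf.d/crypt_audit_procs.conf.j2` is referenced but not in this patch; please confirm it ships with the role and that the RHEL 9 `/etc/aide.conf` actually includes `/etc/aide.conf.d/`, otherwise the new selection lines are never read by aide.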
@@ -22,51 +21,21 @@ - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" block: - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" - file: + ansible.builtin.file: path: /boot/grub2/grub.cfg owner: root group: root mode: 0600 + loop: + - grub.cfg + - grubenv + - user.cfg - - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | UEFI" - mount: - name: /boot/efi - src: "UUID={{ item.uuid }}" - fstype: vfat - state: present - opts: defaults,umask=0027,fmask=0077,uid=0,gid=0 - passno: '0' - with_items: - - "{{ ansible_mounts }}" - loop_control: - label: "{{ item.mount }}" - when: - - not rhel9cis_legacy_boot - - item.mount == "/boot/efi" when: - rhel9cis_rule_1_4_2 tags: - level1-server - level1-workstation - - automated - grub - patch - rule_1.4.2 - -- name: "1.4.3 | PATCH | Ensure authentication is required when booting into rescue mode" - lineinfile: - path: /etc/systemd/system/rescue.service.d/00-require-auth.conf - regexp: '^ExecStart=' - line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" - create: true - owner: root - group: root - mode: 0644 - when: - - rhel9cis_rule_1_4_3 - tags: - - level1-server - - level1-workstation - - automated - - patch - - rule_1.4.3 diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 031ba5c..d025981 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -1,7 +1,7 @@ --- - name: "1.5.1 | PATCH | Ensure core dump storage is disabled" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf regexp: '^Storage\s*=\s*(?!none).*' line: 'Storage=none' @@ -12,12 +12,11 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_1.5.1 - name: "1.5.2 | PATCH | Ensure core dump backtraces are disabled" - lineinfile: + ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$' line: 'ProcessSizeMax=0' 
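Review bot: The added `loop` over grub.cfg/grubenv/user.cfg never uses `item` — `path: /boot/grub2/grub.cfg` is unchanged — so the task chmods grub.cfg three times and leaves grubenv and user.cfg untouched; it needs `path: "/boot/grub2/{{ item }}"`. `user.cfg` only exists once 1.4.1 has written it, and `ansible.builtin.file` with the default state fails on a missing path, so that item should be skipped when `rhel9cis_rule_1_4_1` is off. Removing the `/boot/efi` vfat mount-options branch (`umask=0027,fmask=0077`) means UEFI hosts, where the bootloader config lives under /boot/efi on a filesystem that ignores chmod, get no remediation from this control at all; if that was intentional, note it in the changelog. The 1.4.3 rescue-mode authentication task is likewise deleted with no replacement visible in this patch; please confirm it was moved rather than dropped.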
@@ -26,7 +25,6 @@ tags: - level1-server - level1-workstation - - automated - patch - sysctl - rule_1.5.2 @@ -34,17 +32,17 @@ - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" block: - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - set_fact: + ansible.builtin.set_fact: sysctl_update: true + - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - debug: + ansible.builtin.debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" when: - rhel9cis_rule_1_5_3 tags: - level1-server - level1-workstation - - automated - patch - sysctl - rule_1.5.3 diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index 9a8d134..bfb9c91 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -1,7 +1,7 @@ --- - name: "1.6.1.1 | PATCH | Ensure SELinux is installed" - package: + ansible.builtin.package: name: libselinux state: present when: @@ -14,10 +14,13 @@ - rule_1.6.1.1 - name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" - replace: + ansible.builtin.replace: dest: /etc/default/grub - regexp: 'selinux=0' + regexp: '{{ item }}' replace: '' + loop: + - selinux=0 + - enforcing=0 register: selinux_grub_patch ignore_errors: true # noqa ignore-errors notify: grub2cfg @@ -32,10 +35,10 @@ # State set to enforcing because control 1.6.1.5 requires enforcing to be set - name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured" - selinux: + ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" - state: enforcing + state: "{{ rhel9cis_selinux_enforce }}" when: - not rhel9cis_selinux_disable - rhel9cis_rule_1_6_1_3 
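Review bot: Stripping `selinux=0`/`enforcing=0` from /etc/default/grub only affects future `grub2-mkconfig` runs; on RHEL 9 the live kernel command line comes from the BLS entries under /boot/loader/entries, so a host already booted with `enforcing=0` keeps it until those entries are updated — the usual remediation is `grubby --update-kernel ALL --remove-args 'selinux=0 enforcing=0'`, which this task does not run. The `ignore_errors: true` also hides a missing or unreadable /etc/default/grub, so a failed edit is reported as success; `replace: ''` on a file that simply lacks the string already returns ok without error, so the ignore is not needed. The handler is only notified on change, which is fine once the grubby step is present.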
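Review bot: 1.6.1.3 now writes `state: "{{ rhel9cis_selinux_enforce }}"` but nothing validates the value, so `rhel9cis_selinux_enforce: disabled` would be accepted and a task named "SELinux policy is configured" would itself disable SELinux, contradicting the new 1.6.1.4; add `- rhel9cis_selinux_enforce in ['enforcing', 'permissive']` to the `when` list or assert it in the role's prelim checks. The comment just above the task ("State set to enforcing because control 1.6.1.5 requires enforcing to be set") is now stale and should say the state comes from `rhel9cis_selinux_enforce`, with enforcing applied by 1.6.1.5. The task's `when` list continues past the end of this hunk.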
@@ -47,78 +50,95 @@ - patch - rule_1.6.1.3 -- name: "1.6.1.4 | PATCH | Ensure the SELinux state is enforcing" - selinux: +- name: "1.6.1.4 | PATCH | Ensure the SELinux state is not disabled" + ansible.posix.selinux: + conf: /etc/selinux/config + policy: "{{ rhel9cis_selinux_pol }}" + state: "{{ rhel9cis_selinux_enforce }}" + when: + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_4 + tags: + - level1-server + - level1-workstation + - automated + - selinux + - patch + - rule_1.6.1.4 + +- name: "1.6.1.5 | PATCH | Ensure the SELinux state is enforcing" + ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" state: enforcing when: - not rhel9cis_selinux_disable - - rhel9cis_rule_1_6_1_4 + - rhel9cis_selinux_enforce == 'enforcing' + - rhel9cis_rule_1_6_1_5 tags: - level2-server - level2-workstation - automated - selinux - patch - - rule_1.6.1.4 + - rule_1.6.1.5 -- name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist" +- name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist" block: - - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" - shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' - register: rhelcis_1_6_1_5_unconf_services + - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" + ansible.builtin.shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' + register: rhelcis_1_6_1_6_unconf_services failed_when: false changed_when: false - - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services" - debug: + - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services" + ansible.builtin.debug: msg: "Good News! 
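Review bot: The comment kept above the 1.6.1.3 task, `# State set to enforcing because control 1.6.1.5 requires enforcing to be set`, is now false — the state is taken from `rhel9cis_selinux_enforce`, which the task never validates, so a typo or `disabled` in that variable is written straight into /etc/selinux/config even though the task is guarded by `not rhel9cis_selinux_disable`. Reword the comment to `# State follows rhel9cis_selinux_enforce (permissive or enforcing); 1.6.1.5 separately forces enforcing` and add an `ansible.builtin.assert` before this task with `that: rhel9cis_selinux_enforce in ['enforcing', 'permissive']`. The task's tags lie outside this hunk.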
There are no services found on your system" - when: rhelcis_1_6_1_5_unconf_services.stdout | length == 0 + when: rhelcis_1_6_1_6_unconf_services.stdout | length == 0 - - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" - debug: + - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" + ansible.builtin.debug: msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" - when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 + when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 - - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | warning count" - set_fact: + - name: "1.6.1.6 | AUDIT | Ensure no unconfined services exist | warning count" + ansible.builtin.set_fact: control_number: "{{ control_number }} + [ 'rule_1.6.1.5' ]" warn_count: "{{ warn_count | int + 1 }}" - when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 + when: rhelcis_1_6_1_6_unconf_services.stdout | length > 0 when: - - rhel9cis_rule_1_6_1_5 + - rhel9cis_rule_1_6_1_6 tags: - level1-server - level1-workstation - automated - audit - services - - rule_1.6.1.5 + - rule_1.6.1.6 -- name: "1.6.1.6 | PATCH | Ensure SETroubleshoot is not installed" - package: +- name: "1.6.1.7 | PATCH | Ensure SETroubleshoot is not installed" + ansible.builtin.package: name: setroubleshoot state: absent when: - - rhel9cis_rule_1_6_1_6 + - rhel9cis_rule_1_6_1_7 - "'setroubleshoot' in ansible_facts.packages" tags: - level1-server - automated - selinux - patch - - rule_1.6.1.6 + - rule_1.6.1.7 -- name: "1.6.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" - package: +- name: "1.6.1.8 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" + ansible.builtin.package: name: mcstrans state: absent when: - - rhel9cis_rule_1_6_1_7 + - rhel9cis_rule_1_6_1_8 tags: - level1-server - level1-workstation - automated - patch - - rule_1.6.1.7 + - 
rule_1.6.1.8 diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index 1ee5579..a66cb6c 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -1,7 +1,7 @@ --- - name: "1.7.1 | PATCH | Ensure message of the day is configured properly" - template: + ansible.builtin.template: src: etc/motd.j2 dest: /etc/motd owner: root @@ -12,13 +12,12 @@ tags: - level1-server - level1-workstation - - automated - banner - patch - rule_1.7.1 - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" - template: + ansible.builtin.template: src: etc/issue.j2 dest: /etc/issue owner: root @@ -29,12 +28,11 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_1.7.2 - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" - template: + ansible.builtin.template: src: etc/issue.net.j2 dest: /etc/issue.net owner: root @@ -45,13 +43,12 @@ tags: - level1-server - level1-workstation - - automated - banner - patch - rule_1.7.3 - name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" - file: + ansible.builtin.file: dest: /etc/motd state: file owner: root @@ -62,13 +59,12 @@ tags: - level1-server - level1-workstation - - automated - perms - patch - rule_1.7.4 - name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" - file: + ansible.builtin.file: dest: /etc/issue state: file owner: root @@ -79,13 +75,12 @@ tags: - level1-server - level1-workstation - - automated - perms - patch - rule_1.7.5 - name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" - file: + ansible.builtin.file: dest: /etc/issue.net state: file owner: root @@ -96,7 +91,6 @@ tags: - level1-server - level1-workstation - - automated - perms - patch - rule_1.7.6 diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index f47d2a1..fe690c5 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml 
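Review bot: The warning-path debug in 1.6.1.6 still references `rhelcis_1_6_1_5_unconf_services.stdout_lines` while the shell task now registers `rhelcis_1_6_1_6_unconf_services`, so on any host that actually has unconfined services the play aborts with an undefined-variable error instead of reporting them — the one case the control exists for. Fix the message to `msg: "Warning!! You have unconfined services: {{ rhelcis_1_6_1_6_unconf_services.stdout_lines }}"`, and the set_fact in the same block still records `'rule_1.6.1.5'` in control_number; change it to `'rule_1.6.1.6'`. Separately, the new 1.6.1.4 task is titled "not disabled" but writes `rhel9cis_selinux_enforce` unvalidated, so an unexpected value goes straight into /etc/selinux/config; an `ansible.builtin.assert` that the value is `enforcing` or `permissive` would make the title true. The `egrep` in the ps pipeline is deprecated in current grep; `grep -Ewv` is the equivalent.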
@@ -1,7 +1,7 @@ --- - name: "1.8.1 | PATCH | Ensure GNOME Display Manager is removed" - package: + ansible.builtin.package: name: gdm state: absent when: @@ -16,7 +16,7 @@ - rule_1.8.1 - name: "1.8.2 | PATCH | Ensure GDM login banner is configured" - lineinfile: + ansible.builtin.lineinfile: path: "{{ item.file }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -45,8 +45,8 @@ - gdm - rule_1.8.2 -- name: "1.8.3 | PATCH | Ensure last logged in user display is disabled" - lineinfile: +- name: "1.8.3 | PATCH | Ensure GDM disable-user-list option is enabled" + ansible.builtin.lineinfile: path: "{{ item.file }}" regexp: "{{ item.regexp }}" line: "{{ item.line }}" @@ -72,24 +72,8 @@ - gui - rule_1.8.3 -- name: "1.8.4 | PATCH | Ensure XDMCP is not enabled" - lineinfile: - path: /etc/gdm/custom.conf - regexp: 'Enable=true' - state: absent - when: - - rhel9cis_rule_1_8_4 - - rhel9cis_gui - tags: - - level1-server - - level1-workstation - - automated - - patch - - gui - - rule_1.8.4 - -- name: "1.8.5 | PATCH | Ensure automatic mounting of removable media is disabled" - lineinfile: +- name: "1.8.6 | PATCH | Ensure automatic mounting of removable media is disabled" + ansible.builtin.lineinfile: path: /etc/dconf/db/local.d/00-media-automount regexp: "{{ item.regex }}" line: "{{ item.line }}" @@ -103,7 +87,7 @@ - { regex: 'automount=', line: 'automount=false' } - { regex: 'automount-open=', line: 'automount-open=false'} when: - - rhel9cis_rule_1_8_5 + - rhel9cis_rule_1_8_6 - rhel9cis_gui tags: - level1-server @@ -111,4 +95,21 @@ - automated - patch - gui - - rule_1.8.5 + - rule_1.8.6 + + +- name: "1.8.10 | PATCH | Ensure XDMCP is not enabled" + ansible.builtin.lineinfile: + path: /etc/gdm/custom.conf + regexp: 'Enable=true' + state: absent + when: + - rhel9cis_rule_1_8_10 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - automated + - patch + - gui + - rule_1.8.4 
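Review bot: In the renumbered 1.8.10 task, `regexp: 'Enable=true'` with `state: absent` is an unanchored search over all of /etc/gdm/custom.conf, so it also deletes `AutomaticLoginEnable=true` and `TimedLoginEnable=true` in [daemon] and `Enable=true` under [debug], not just the [xdmcp] setting the control targets. Anchor it at least to the key, `regexp: '^\s*Enable\s*=\s*true'`, and since lineinfile is not section-aware consider `community.general.ini_file` with `section: xdmcp`, `option: Enable`, `state: absent` (hedged — that adds a collection dependency beyond the ansible.posix the role already uses). The task's tag is still `rule_1.8.4`; it should be `rule_1.8.10` so `--tags` selection lines up with the `rhel9cis_rule_1_8_10` guard.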
diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index 42c27b1..37ede1b 100644 --- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -1,7 +1,7 @@ --- - name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" - package: + ansible.builtin.package: name: "*" state: latest notify: change_requires_reboot @@ -11,7 +11,6 @@ tags: - level1-server - level1-workstation - - automated - patch - rule_1.9 - skip_ansible_lint