diff --git a/Changelog.md b/Changelog.md index 68ba2d4..ec3d9aa 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,7 +1,11 @@ # Changes to rhel9CIS ## 2.0.3 - Based on CIS v2.0.0 - +- addressed issue #387, thank you @fragglexarmy +- addressed issue #382 to improve regex logic on 5.4.2.4 +- improvement on crypto policy managed controls with var logic +- addressed issue #384 thank you @polski-g +- update command to shell module on tasks - addressed issue 371 thanks to @bgro and kodebach - addressed issue 350 thanks to @chrispipo - addressed issue 364 thanks to @polski-g diff --git a/defaults/main.yml b/defaults/main.yml index 98efbba..c46ece3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -586,7 +586,9 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pr # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file. rhel9cis_set_boot_pass: true -## Controls 1.6.x +## Controls 1.6.x and Controls 5.1.x +# This variable governs if current Ansible role should manage system-wide crypto policy. +rhel9cis_crypto_policy_ansiblemanaged: true # This variable contains the value to be set as the system-wide crypto policy. Current rule enforces NOT USING # 'LEGACY' value(as it is less secure, it just ensures compatibility with legacy systems), therefore # possible values for this variable are, as explained by RedHat docs: @@ -594,7 +596,6 @@ rhel9cis_set_boot_pass: true # -'FUTURE': conservative security level that is believed to withstand any near-term future attacks # -'FIPS': A level that conforms to the FIPS140-2 requirements rhel9cis_crypto_policy: 'DEFAULT' -## Controls 1.6.x and Controls 5.1.x # This variable contains the value of the crypto policy module(combinations of policies and # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, # using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are: @@ -618,7 +619,7 @@ rhel9cis_warning_banner: Authorized users only. All activity may be monitored an ## Control 1.8.x - Settings for GDM # do not run Control 1.8.x if using a display manager different than gdm -rhel10cis_display_manager: "gdm" +rhel9cis_display_manager: "gdm" # This variable governs whether rules dealing with GUI specific packages(and/or their settings) should # be executed either to: # - secure GDM, if GUI is needed('rhel9cis_gui: true') diff --git a/tasks/main.yml b/tasks/main.yml index 83aff0c..760ee1b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -97,7 +97,7 @@ ( ((prelim_ansible_user_password_set.stdout | length != 0) and (prelim_ansible_user_password_set.stdout != "!!" )) or - (ansible_env.SUDO_USER in rhel10cis_sudoers_exclude_nopasswd_list) + (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list) ) fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4" @@ -134,7 +134,7 @@ - rule_5.4.2.4 block: - name: "Ensure root password is set" - ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)" + ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)" changed_when: false failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ] register: prelim_root_passwd_set diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 715b0cb..7321267 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -136,8 +136,7 @@ register: prelim_systemd_coredump - name: "PRELIM | PATCH | Setup crypto-policy" - when: - - rhel9cis_rule_1_6_1 + when: rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -167,6 +166,7 @@ current_crypto_module: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[1] }}" - name: "PRELIM | AUDIT | Set facts based on boot type" + tags: always block: - name: "PRELIM | AUDIT | Check whether machine is UEFI-based" ansible.builtin.stat: @@ -185,17 +185,14 @@ grub2_path: /etc/grub2-efi.cfg - name: "PRELIM | AUDIT | Discover Gnome Desktop Environment" - tags: - - always + tags: always ansible.builtin.stat: path: /usr/share/gnome/gnome-version.xml register: prelim_gnome_present - name: "PRELIM | PATCH | Install dconf if gui installed" - when: - - rhel9cis_gui - tags: - - always + when: rhel9cis_gui + tags: always ansible.builtin.package: name: dconf state: present @@ -204,8 +201,7 @@ when: - rhel9cis_rule_3_1_2 - not system_is_container - tags: - - always + tags: always block: - name: "PRELIM | AUDIT | Discover is wireless adapter on system" ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless @@ -251,9 +247,7 @@ state: touch - name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists" - when: - - rhel9cis_rule_5_1_10 or - rhel9cis_rule_5_1_11 + when: rhel9cis_rule_5_1_10 or rhel9cis_rule_5_1_11 ansible.builtin.stat: path: /etc/ssh/sshd_config.d/50-redhat.conf register: prelim_sshd_50_redhat_file @@ -361,7 +355,6 @@ prelim_max_int_uid: "{{ prelim_uid_max_id.stdout | default(max_int_uid) }}" - name: "PRELIM | AUDIT | Gather the package facts after prelim" - tags: - - always + tags: always ansible.builtin.package_facts: manager: auto diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index c418324..8aace04 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -1,7 +1,9 @@ --- - name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy" - when: rhel9cis_rule_1_6_1 + when: + - rhel9cis_rule_1_6_1 + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -21,12 +23,14 @@ tags: - level1-server - level1-workstation + - sshd - automated - patch - rule_1.6.2 - NIST800-53R5_SC-8 - NIST800-53R5_IA-5 - - NIST800-53R5_AC-17- NIST800-53R5_SC-6 + - NIST800-53R5_AC-17 + - NIST800-53R5_SC-6 ansible.builtin.lineinfile: path: /etc/sysconfig/sshd regexp: ^CRYPTO_POLICY\s*= @@ -37,6 +41,7 @@ when: - rhel9cis_rule_1_6_3 - "'NO-SHA1' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -67,6 +72,7 @@ when: - rhel9cis_rule_1_6_4 - "'NO-WEAKMAC' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -76,7 +82,6 @@ - rule_1.6.4 - NIST800-53R5_SC-6 block: - - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion" ansible.builtin.template: src: etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 @@ -98,6 +103,7 @@ when: - rhel9cis_rule_1_6_5 - "'NO-SSHCBC' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -128,6 +134,7 @@ when: - rhel9cis_rule_1_6_6 - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -158,6 +165,7 @@ when: - rhel9cis_rule_1_6_7 - "'NO-SSHETM' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 29687b3..fff557b 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -61,6 +61,6 @@ file: cis_1.7.x.yml - name: "SECTION | 1.8 | Gnome Display Manager" - when: rhel10cis_display_manager == 'gdm' + when: rhel9cis_display_manager == 'gdm' ansible.builtin.import_tasks: file: cis_1.8.x.yml diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml index 4e23998..4398df2 100644 --- a/tasks/section_4/cis_4.3.x.yml +++ b/tasks/section_4/cis_4.3.x.yml @@ -81,7 +81,7 @@ register: discovered_nftables_inconnectionrule - name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules" - ansible.builtin.command: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' changed_when: false failed_when: false register: discovered_nftables_outconnectionrule diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 3fd366c..42ca036 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -80,6 +80,7 @@ when: - rhel9cis_rule_5_1_4 - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -108,6 +109,7 @@ when: - rhel9cis_rule_5_1_5 - "'NO-SHA1' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -136,6 +138,7 @@ when: - rhel9cis_rule_5_1_6 - "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 7fcfb0b..3ea1c99 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -64,7 +64,7 @@ - rhel9cis_force_user_mindays ansible.builtin.user: name: "{{ item }}" - password_expire_max: "{{ rhel9cis_pass_min_days }}" + password_expire_min: "{{ rhel9cis_pass_min_days }}" loop: "{{ discovered_min_days.stdout_lines }}" - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"