From 2a7d08da0892502f9dcf39771e1fee761354c6a1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 7 Aug 2024 10:31:31 +0100 Subject: [PATCH] improvements Signed-off-by: Mark Bolwell --- tasks/main.yml | 174 +++++++++++------------ tasks/prelim.yml | 238 +++++++++++++++----------------- tasks/section_6/cis_6.3.4.x.yml | 43 ++---- tasks/section_7/cis_7.1.x.yml | 8 +- tasks/section_7/cis_7.2.x.yml | 32 +---- 5 files changed, 211 insertions(+), 284 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 2aee086..6a28be4 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,7 +1,7 @@ --- # tasks file for RHEL9-CIS -- name: Check OS version and family +- name: "Check OS version and family" ansible.builtin.assert: that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." @@ -11,7 +11,7 @@ tags: - always -- name: Check ansible version +- name: "Check ansible version" ansible.builtin.assert: that: ansible_version.full is version_compare(min_ansible_version, '>=') fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" @@ -19,16 +19,67 @@ tags: - always +- name: "Setup rules if container" + when: + - ansible_connection == 'docker' or + ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] + tags: + - container_discovery + - always + block: + - name: "Discover and set container variable if required" + ansible.builtin.set_fact: + system_is_container: true + + - name: "Load variable for container" + ansible.builtin.include_vars: + file: "{{ container_vars_file }}" + + - name: "Output if discovered is a container" + when: + - system_is_container + ansible.builtin.debug: + msg: system has been discovered as a container + +- name: "Check crypto-policy input" + ansible.builtin.assert: + that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies + fail_msg: "Crypto policy is not a permitted version" + success_msg: "Crypto policy is a permitted version" + +- name: "Check rhel9cis_bootloader_password_hash variable has been changed" + when: + - rhel9cis_set_boot_pass + - rhel9cis_rule_1_4_1 + tags: + - always + ansible.builtin.assert: + that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret + msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" + +- name: "Check crypto-policy module input" + when: + - rhel9cis_rule_1_6_1 + - rhel9cis_crypto_policy_module | length > 0 + tags: + - rule_1.6.1 + - crypto + - NIST800-53R5_SC-6 + ansible.builtin.assert: + that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules + fail_msg: "Crypto policy module is not a permitted version" + success_msg: "Crypto policy module is a permitted version" + - name: "Check password set for {{ ansible_env.SUDO_USER }}" when: - - rhel9cis_rule_5_3_4 + - rhel9cis_rule_5_2_4 - ansible_env.SUDO_USER is defined - not system_is_ec2 tags: - user_passwd - - rule_5.3.4 + - rule_5.2.4 vars: - sudo_password_rule: rhel9cis_rule_5_3_4 # pragma: allowlist secret + sudo_password_rule: rhel9cis_rule_5_2_4 # pragma: allowlist secret block: - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" ansible.builtin.shell: "(grep {{ ansible_env.SUDO_USER }} /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'" @@ -61,173 +112,108 @@ fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" -- name: Ensure root password is set +- name: "Ensure root password is set" when: - - rhel9cis_rule_5_6_6 + - rhel9cis_rule_5_4_2_4 tags: - level1-server - level1-workstation - patch - accounts - root - - rule_5.6.6 + - rule_5.4.2.4 block: - - name: Ensure root password is set + - name: "Ensure root password is set" ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)" changed_when: false register: root_passwd_set - - name: Ensure root password is set + - name: "Ensure root password is set" ansible.builtin.assert: that: root_passwd_set.rc == 0 - fail_msg: "You have rule 5.6.6 enabled this requires that you have a root password set" + fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set" success_msg: "You have a root password set" -- name: Setup rules if container - when: - - ansible_connection == 'docker' or - ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"] - tags: - - container_discovery - - always - block: - - name: Discover and set container variable if required - ansible.builtin.set_fact: - system_is_container: true - - - name: Load variable for container - ansible.builtin.include_vars: - file: "{{ container_vars_file }}" - - - name: Output if discovered is a container - when: - - system_is_container - ansible.builtin.debug: - msg: system has been discovered as a container - -- name: Check crypto-policy input - ansible.builtin.assert: - that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies - fail_msg: "Crypto policy is not a permitted version" - success_msg: "Crypto policy is a permitted version" - -- name: Check crypto-policy module input - when: - - rhel9cis_rule_1_6_1 - - rhel9cis_crypto_policy_module | length > 0 - tags: - - rule_1.6.1 - - crypto - - NIST800-53R5_SC-6 - ansible.builtin.assert: - that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules - fail_msg: "Crypto policy module is not a permitted version" - success_msg: "Crypto policy module is a permitted version" - -- name: Check rhel9cis_bootloader_password_hash variable has been changed - when: - - rhel9cis_set_boot_pass - - rhel9cis_rule_1_4_1 - tags: - - always - ansible.builtin.assert: - that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret - msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" - -- name: Gather the package facts +- name: "Gather the package facts" tags: - always ansible.builtin.package_facts: manager: auto -- name: Include OS specific variables +- name: "Include OS specific variables" tags: - always ansible.builtin.include_vars: file: "{{ ansible_facts.distribution }}.yml" -- name: Include preliminary steps +- name: "Include preliminary steps" tags: - prelim_tasks - always ansible.builtin.import_tasks: file: prelim.yml -- name: Run Section 1 tasks +- name: "Run Section 1 tasks" when: rhel9cis_section1 - tags: - - rhel9cis_section1 ansible.builtin.import_tasks: file: section_1/main.yml -- name: Run Section 2 tasks +- name: "Run Section 2 tasks" when: rhel9cis_section2 - tags: - - rhel9cis_section2 ansible.builtin.import_tasks: file: section_2/main.yml -- name: Run Section 3 tasks +- name: "Run Section 3 tasks" when: rhel9cis_section3 - tags: - - rhel9cis_section3 ansible.builtin.import_tasks: file: section_3/main.yml -- name: Run Section 4 tasks +- name: "Run Section 4 tasks" when: rhel9cis_section4 - tags: - - rhel9cis_section4 ansible.builtin.import_tasks: file: section_4/main.yml -- name: Run Section 5 tasks +- name: "Run Section 5 tasks" when: rhel9cis_section5 - tags: - - rhel9cis_section5 ansible.builtin.import_tasks: file: section_5/main.yml -- name: Run Section 6 tasks +- name: "Run Section 6 tasks" when: rhel9cis_section6 - tags: - - rhel9cis_section6 ansible.builtin.import_tasks: file: section_6/main.yml -# - name: Run Section 7 tasks -# when: rhel9cis_section7 -# tags: -# - rhel9cis_section7 -# ansible.builtin.import_tasks: -# file: section_7/main.yml +- name: "Run Section 7 tasks" + when: rhel9cis_section7 + ansible.builtin.import_tasks: + file: section_7/main.yml -- name: Run auditd logic +- name: "Run auditd logic" when: update_audit_template tags: - always ansible.builtin.import_tasks: file: auditd.yml -- name: Run post remediation tasks +- name: "Run post remediation tasks" tags: - post_tasks - always ansible.builtin.import_tasks: file: post.yml -- name: Run post_remediation audit +- name: "Run post_remediation audit" when: - run_audit ansible.builtin.import_tasks: file: post_remediation_audit.yml -- name: Show Audit Summary +- name: "Show Audit Summary" when: run_audit ansible.builtin.debug: msg: "{{ audit_results.split('\n') }}" -- name: If Warnings found Output count and control IDs affected +- name: "If Warnings found Output count and control IDs affected" when: warn_count != 0 tags: - always diff --git a/tasks/prelim.yml b/tasks/prelim.yml index bd8bf48..96e9657 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -3,7 +3,7 @@ # Preliminary tasks that should always be run # List users in order to look files inside each home directory -- name: PRELIM | Include audit specific variables +- name: "PRELIM | Include audit specific variables" when: - run_audit or audit_only - setup_audit @@ -13,7 +13,7 @@ ansible.builtin.include_vars: file: audit.yml -- name: PRELIM | Include pre-remediation audit tasks +- name: "PRELIM | Include pre-remediation audit tasks" when: - run_audit or audit_only - setup_audit @@ -45,47 +45,26 @@ changed_when: false register: prelim_interactive_uids -- name: "PRELIM | capture /etc/password variables" +- name: "PRELIM | AUDIT | Capture /etc/password variables" ansible.builtin.include_tasks: file: parse_etc_password.yml tags: - always -- name: "PRELIM | List users accounts" - ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd" - changed_when: false - check_mode: false - register: users - tags: - - level1-server - - level1-workstation - - users - -- name: "PRELIM | Gather accounts with empty password fields" - ansible.builtin.shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'" - changed_when: false - check_mode: false - register: empty_password_accounts - tags: - - level1-server - - level1-workstation - - passwords - -- name: "PRELIM | Ensure python3-libselinux is installed" +- name: "PRELIM | PATCH | Ensure python3-libselinux is installed" when: - '"python3-libselinux" not in ansible_facts.packages' ansible.builtin.package: name: python3-libselinux state: present -- name: "PRELIM | Section 1.1 | Create list of mount points" +- name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points" + tags: + - Always ansible.builtin.set_fact: mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" - tags: - - level1-server - - level1-workstation -- name: "PRELIM | Update to latest gpg keys" +- name: "PRELIM | PATCH | Update to latest gpg keys" when: - rhel9cis_rule_1_2_1_1 - ansible_facts.distribution != 'RedHat' @@ -94,32 +73,32 @@ name: "{{ gpg_key_package }}" state: latest -- name: "PRELIM | Check gpg keys are imported will cause 1.2.1.1 to fail if not | RedHat Only" +- name: "PRELIM | AUDIT | Import gpg keys | RedHat Only" when: - rhel9cis_rule_1_2_1_1 - rhel9cis_force_gpg_key_import - ansible_facts.distribution == 'RedHat' block: - - name: "PRELIM | Check gpg keys are imported will cause 1.2.1.1 to fail if not" + - name: "PRELIM | AUDIT | Import gpg keys | get data" ansible.builtin.shell: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' changed_when: false failed_when: false - register: check_gpg_imported + register: prelim_check_gpg_imported - - name: "PRELIM | Check key package matches RedHat" - when: "'not installed' in check_gpg_imported.stdout" + - name: "PRELIM | AUDIT | Import gpg keys | Check Package" + when: "'not installed' in prelim_check_gpg_imported.stdout" ansible.builtin.shell: rpm -qi redhat-release | grep Signature changed_when: false failed_when: false - register: os_gpg_package_valid + register: prelim_os_gpg_package_valid - - name: "PRELIM | Force keys to be imported" + - name: "PRELIM | PATCH | Force keys to be imported" when: - - "'not installed' in check_gpg_imported.stdout" - - "'Key ID 199e2f91fd431d51' in os_gpg_package_valid.stdout" + - "'not installed' in prelim_check_gpg_imported.stdout" + - "'Key ID 199e2f91fd431d51' in prelim_os_gpg_package_valid.stdout" ansible.builtin.shell: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release -- name: "PRELIM | if systemd coredump" +- name: "PRELIM | AUDIT | Check systemd coredump" when: - rhel9cis_rule_1_5_4 tags: @@ -129,9 +108,9 @@ - systemd ansible.builtin.stat: path: /etc/systemd/coredump.conf - register: systemd_coredump + register: prelim_systemd_coredump -- name: "PRELIM | Setup crypto-policy" +- name: "PRELIM | PATCH | Setup crypto-policy" when: - rhel9cis_rule_1_6_1 tags: @@ -140,43 +119,43 @@ - rule_1.6.1 - crypto block: - - name: "PRELIM | Install crypto-policies | pkgs present" + - name: "PRELIM | PATCH | Install crypto-policies | pkgs present" ansible.builtin.package: name: - crypto-policies - crypto-policies-scripts state: present - - name: "PRELIM | Gather system-wide crypto-policy" + - name: "PRELIM | AUDIT | Gather system-wide crypto-policy" ansible.builtin.shell: 'update-crypto-policies --show' changed_when: false check_mode: false - register: rhel9cis_system_wide_crypto_policy + register: prelim_system_wide_crypto_policy - - name: "PRELIM | Gather system-wide crypto-policy | set fact system policy" + - name: "PRELIM | AUDIT | Gather system-wide crypto-policy | set fact system policy" ansible.builtin.set_fact: - current_crypto_policy: "{{ rhel9cis_system_wide_crypto_policy.stdout.split(':')[0] }}" + current_crypto_policy: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[0] }}" - - name: "PRELIM | Gather system-wide crypto-policy module | set fact system policy submodule" - when: "':' in rhel9cis_system_wide_crypto_policy.stdout" + - name: "PRELIM | AUDIT | Gather system-wide crypto-policy module | set fact system policy submodule" + when: "':' in prelim_system_wide_crypto_policy.stdout" ansible.builtin.set_fact: - current_crypto_module: "{{ rhel9cis_system_wide_crypto_policy.stdout.split(':')[1] }}" + current_crypto_module: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[1] }}" -- name: "PRELIM | Set facts based on boot type" +- name: "PRELIM | AUDIT | Set facts based on boot type" block: - - name: "PRELIM | Check whether machine is UEFI-based" + - name: "PRELIM | AUDIT | Check whether machine is UEFI-based" ansible.builtin.stat: path: /sys/firmware/efi - register: rhel_09_efi_boot + register: prelim_efi_boot - - name: "PRELIM | set legacy boot and grub path | Bios" - when: not rhel_09_efi_boot.stat.exists + - name: "PRELIM | AUDIT | Set legacy boot and grub path | Bios" + when: not prelim_efi_boot.stat.exists ansible.builtin.set_fact: rhel9cis_legacy_boot: true grub2_path: /etc/grub2.cfg - - name: "PRELIM | set grub fact | UEFI" - when: rhel_09_efi_boot.stat.exists + - name: "PRELIM | AUDIT | Set grub fact | UEFI" + when: prelim_efi_boot.stat.exists ansible.builtin.set_fact: grub2_path: /etc/grub2-efi.cfg @@ -193,51 +172,15 @@ changed_when: false failed_when: discover_wireless_adapters.rc not in [ 0, 1 ] - - name: "PRELIM | PATCH | Install Network-Manager | if wireless adpater present" + - name: "PRELIM | PATCH | Install Network-Manager | if wireless adapter present" when: - - rhel9cis_install_network_manager - discover_wireless_adapters.rc == 0 - - "'network-manager' not in ansible_facts.packages" + - "'NetworkManager' not in ansible_facts.packages" ansible.builtin.package: - name: network-manager + name: NetworkManager state: present -- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" - ansible.builtin.package: - name: audit - state: present - become: true - when: - - '"auditd" not in ansible_facts.packages' - - rhel9cis_rule_4_1_1_1 - tags: - - level2-server - - level2-workstation - - patch - - rule_4.1.1.1 - - auditd - -- name: "PRELIM | 4.1.4.5 | Audit conf and rules files | list files" - when: - - rhel9cis_rule_4_1_4_5 or - rhel9cis_rule_4_1_4_6 or - rhel9cis_rule_4_1_4_7 - tags: - - level2-server - - level2-workstation - - patch - - auditd - - rule_4.1.4.5 - - rule_4.1.4.6 - - rule_4.1.4.7 - ansible.builtin.find: - path: /etc/audit - file_type: file - recurse: true - patterns: '*.conf,*.rules' - register: auditd_conf_files - -- name: "PRELIM | Section 5.1 | Configure cron" +- name: "PRELIM | PATCH | Install Cronie" when: - rhel9cis_rule_5_1_1 - '"cronie" not in ansible_facts.packages' @@ -251,7 +194,7 @@ state: present # Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config -- name: "PRELIM | Section 5.2 | SSH" +- name: "PRELIM | PATCH | SSH Config file is not exist" when: - rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config' - "'openssh-server' in ansible_facts.packages" @@ -266,55 +209,94 @@ mode: '0600' state: touch -- name: "PRELIM | 5.3.4 | Find all sudoers files." - when: - - rhel9cis_rule_5_3_4 or - rhel9cis_rule_5_3_5 +- name: "PRELIM | AUDIT | Gather UID 0 accounts other than root" + when: rhel9cis_rule_5_4_2_1 tags: - - rule_5.3.4 - - rule_5.3.5 - ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_sudoers_files - -- name: "PRELIM | Gather UID 0 accounts other than root" - tags: - - rule_6.2.9 + - rule_5.4.2.1 - level1-server - level1-workstation - users ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" changed_when: false check_mode: false - register: rhel9cis_uid_zero_accounts_except_root + register: prelim_uid_zero_accounts_except_root -- name: "PRELIM | Discover Interactive UID MIN and MIN from logins.def" +- name: "PRELIM | PATCH | Create journald config directory" + when: + - rhel9cis_syslog == 'journald' + - rhel9cis_rule_6_2_1_3 or + rhel9cis_rule_6_2_1_4 + tags: always + ansible.builtin.file: + path: /etc/systemd/journald.conf.d + state: directory + +- name: "PRELIM | PATCH | Configure System Accounting (auditd)" + when: + - '"auditd" not in ansible_facts.packages' + - rhel9cis_rule_6_3_1_1 + tags: + - level2-server + - level2-workstation + - patch + - rule_6.3.1.1 + - auditd + ansible.builtin.package: + name: audit + state: present + become: true + +- name: "PRELIM | AUDIT | Discover audit logfile" + when: + - rhel9cis_rule_6_3_4_1 or + rhel9cis_rule_6_3_4_2 or + rhel9cis_rule_6_3_4_3 or + rhel9cis_rule_6_3_4_4 + tags: always + ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' + changed_when: false + register: prelim_auditd_logfile + +- name: "PRELIM | AUDIT | Audit conf and rules files | list files" + when: + - rhel9cis_rule_6_3_4_5 or + rhel9cis_rule_6_3_4_6 or + rhel9cis_rule_6_3_4_7 + tags: + - level2-server + - level2-workstation + - patch + - auditd + - rule_6.3.4.5 + - rule_6.3.4.6 + - rule_6.3.4.7 + ansible.builtin.find: + path: /etc/audit + file_type: file + recurse: true + patterns: '*.conf,*.rules' + register: prelim_auditd_conf_files + +- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def" when: rhel9cis_discover_int_uid + tags: always block: - - name: "PRELIM | Capture UID_MIN information from logins.def" + - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def" ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false - register: uid_min_id + register: prelim_uid_min_id - - name: "PRELIM | Capture UID_MAX information from logins.def" + - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' changed_when: false - register: uid_max_id + register: prelim_uid_max_id - - name: "PRELIM | Capture GID_MIN information from logins.def" - ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}' - changed_when: false - register: gid_min_id - - - name: "PRELIM | set_facts for interactive uid/gid" + - name: "PRELIM | AUDIT | set_facts for interactive uid/gid" ansible.builtin.set_fact: - min_int_uid: "{{ uid_min_id.stdout }}" - max_int_uid: "{{ uid_max_id.stdout }}" - min_int_gid: "{{ gid_min_id.stdout }}" + prelim_min_int_uid: "{{ prelim_uid_min_id.stdout }}" + prelim_max_int_uid: "{{ prelim_uid_max_id.stdout }}" -- name: "PRELIM | Gather the package facts after prelim" +- name: "PRELIM | AUDIT | Gather the package facts after prelim" tags: - always ansible.builtin.package_facts: diff --git a/tasks/section_6/cis_6.3.4.x.yml b/tasks/section_6/cis_6.3.4.x.yml index 144adec..db66377 100644 --- a/tasks/section_6/cis_6.3.4.x.yml +++ b/tasks/section_6/cis_6.3.4.x.yml @@ -10,17 +10,10 @@ - auditd - rule_6.3.4.1 - NIST800-53R5_AU-3 - block: - - name: "6.3.4.1 | AUDIT | Ensure the audit log file directory mode is configured | get current permissions" - ansible.builtin.stat: - path: "{{ audit_discovered_logfile.stdout | dirname }}" - register: auditlog_dir - - - name: "6.3.4.1 | PATCH | Ensure the audit log file directory mode is configured | set" - ansible.builtin.file: - path: "{{ audit_discovered_logfile.stdout | dirname }}" - state: directory - mode: 'g-w,o-rwx' + ansible.builtin.file: + path: "{{ prelim_auditd_logfile.stdout | dirname }}" + state: directory + mode: 'g-w,o-rwx' - name: | "6.3.4.2 | PATCH | Ensure audit log files mode is configured" @@ -39,21 +32,11 @@ - rule_6.3.4.2 - rule_6.3.4.3 - NIST800-53R5_AU-3 - block: - - name: "6.3.4.2 | AUDIT | Ensure audit log files mode is configured | discover file" - ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' - changed_when: false - register: audit_discovered_logfile - - - name: | - "6.3.4.2 | PATCH | Ensure audit log files mode is configured" - "6.3.4.3 | PATCH | Ensure audit log files owner is configured" - "6.3.4.4 | PATCH | Ensure audit log files group owner is configured" - ansible.builtin.file: - path: "{{ audit_discovered_logfile.stdout }}" - mode: 'o-x,g-wx,o-rwx' - owner: root - group: root + ansible.builtin.file: + path: "{{ prelim_auditd_logfile.stdout }}" + mode: 'o-x,g-wx,o-rwx' + owner: root + group: root - name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured" when: @@ -67,7 +50,7 @@ ansible.builtin.file: path: "{{ item.path }}" mode: 'u-x,g-wx,o-rwx' - loop: "{{ auditd_conf_files.files }}" + loop: "{{ prelim_auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" @@ -83,7 +66,7 @@ ansible.builtin.file: path: "{{ item.path }}" owner: root - loop: "{{ auditd_conf_files.files | default([]) }}" + loop: "{{ prelim_auditd_conf_files.files | default([]) }}" loop_control: label: "{{ item.path }}" @@ -99,7 +82,7 @@ ansible.builtin.file: path: "{{ item.path }}" group: root - loop: "{{ auditd_conf_files.files | default([]) }}" + loop: "{{ prelim_auditd_conf_files.files | default([]) }}" loop_control: label: "{{ item.path }}" @@ -114,7 +97,7 @@ - rule_6.3.4.8 - NIST800-53R5_AU-3 ansible.builtin.file: - path: "{{ item.item }}" + path: "{{ item }}" mode: 'go-w' loop: - /sbin/auditctl diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 7517062..4c95687 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -192,6 +192,7 @@ - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" when: - rhel_09_7_1_11_perms_results.stdout_lines is defined + - rhel_09_7_1_11_perms_results.stdout_lines | length > 0 - rhel9cis_no_world_write_adjust ansible.builtin.file: path: '{{ item }}' @@ -200,7 +201,10 @@ loop: "{{ rhel_09_7_1_11_perms_results.stdout_lines }}" - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit" - ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t + ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -o+w ! -perm -1002 2>/dev/null | xargs chmod a+t + failed_when: rhel9cis_set_stickybit.rc not in [ 0, 123 ] + changed_when: rhel9cis_set_stickybit.rc == 0 + register: rhel9cis_set_stickybit - name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist" when: @@ -250,7 +254,7 @@ owner: "{{ rhel9cis_unowned_owner }}" group: "{{ rhel9cis_unowned_group }}" with_items: - - "{{ udiscovered_unowned_files_flatten }}" + - "{{ discovered_unowned_files_flatten }}" - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Warn Count" when: diff --git a/tasks/section_7/cis_7.2.x.yml b/tasks/section_7/cis_7.2.x.yml index 5cfbbc3..47d48f6 100644 --- a/tasks/section_7/cis_7.2.x.yml +++ b/tasks/section_7/cis_7.2.x.yml @@ -84,7 +84,7 @@ - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" when: discovered_passwd_gid_check.stdout | length > 0 ansible.builtin.debug: - msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join (', ') }}" + msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join(', ') }}" - name: "7.2.3 | WARNING | Ensure all groups in /etc/passwd exist in /etc/group | warn_count" when: discovered_passwd_gid_check.stdout | length > 0 @@ -243,7 +243,7 @@ state: directory owner: "{{ item.id }}" group: "{{ item.gid }}" - loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" + loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | list }}" loop_control: label: "{{ item.id }}" @@ -316,31 +316,3 @@ path: '{{ item }}' mode: 'go-w' with_items: "{{ discovered_homedir_dot_files.stdout_lines }}" - -- name: "7.2.4 | PATCH | Ensure shadow group is empty" - when: - - rhel9cis_rule_7_2_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.4 - - user - vars: - warn_control_id: '7.2.4' - block: - - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group" - ansible.builtin.getent: - database: group - split: ':' - key: shadow - - - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group" - ansible.builtin.debug: - msg: "Warning!! - You have users in the shadow group" - when: ansible_facts.getent_group.shadow[2] | length > 0 - - - name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group" - ansible.builtin.import_tasks: - file: warning_facts.yml - when: ansible_facts.getent_group.shadow[2] | length > 0