sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

improvements

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-08-07 10:31:31 +01:00
parent 47dc0c5b4c
commit 2a7d08da08
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
5 changed files with 211 additions and 284 deletions
Download patch file Download diff file Expand all files Collapse all files

174
tasks/main.yml
View file

@ -1,7 +1,7 @@
--- ---
# tasks file for RHEL9-CIS # tasks file for RHEL9-CIS
- name: Check OS version and family - name: "Check OS version and family"
ansible.builtin.assert: ansible.builtin.assert:
that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==') that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported." fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
@ -11,7 +11,7 @@
tags: tags:
- always - always
- name: Check ansible version - name: "Check ansible version"
ansible.builtin.assert: ansible.builtin.assert:
that: ansible_version.full is version_compare(min_ansible_version, '>=') that: ansible_version.full is version_compare(min_ansible_version, '>=')
fail_msg: "You must use Ansible {{ min_ansible_version }} or greater" fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
@ -19,16 +19,67 @@
tags: tags:
- always - always
- name: "Setup rules if container"
when:
- ansible_connection == 'docker' or
ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- container_discovery
- always
block:
- name: "Discover and set container variable if required"
ansible.builtin.set_fact:
system_is_container: true
- name: "Load variable for container"
ansible.builtin.include_vars:
file: "{{ container_vars_file }}"
- name: "Output if discovered is a container"
when:
- system_is_container
ansible.builtin.debug:
msg: system has been discovered as a container
- name: "Check crypto-policy input"
ansible.builtin.assert:
that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies
fail_msg: "Crypto policy is not a permitted version"
success_msg: "Crypto policy is a permitted version"
- name: "Check rhel9cis_bootloader_password_hash variable has been changed"
when:
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_4_1
tags:
- always
ansible.builtin.assert:
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
- name: "Check crypto-policy module input"
when:
- rhel9cis_rule_1_6_1
- rhel9cis_crypto_policy_module | length > 0
tags:
- rule_1.6.1
- crypto
- NIST800-53R5_SC-6
ansible.builtin.assert:
that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
fail_msg: "Crypto policy module is not a permitted version"
success_msg: "Crypto policy module is a permitted version"
- name: "Check password set for {{ ansible_env.SUDO_USER }}" - name: "Check password set for {{ ansible_env.SUDO_USER }}"
when: when:
- rhel9cis_rule_5_3_4 - rhel9cis_rule_5_2_4
- ansible_env.SUDO_USER is defined - ansible_env.SUDO_USER is defined
- not system_is_ec2 - not system_is_ec2
tags: tags:
- user_passwd - user_passwd
- rule_5.3.4 - rule_5.2.4
vars: vars:
sudo_password_rule: rhel9cis_rule_5_3_4 # pragma: allowlist secret sudo_password_rule: rhel9cis_rule_5_2_4 # pragma: allowlist secret
block: block:
- name: "Check password set for {{ ansible_env.SUDO_USER }} | password state" - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state"
ansible.builtin.shell: "(grep {{ ansible_env.SUDO_USER }} /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'" ansible.builtin.shell: "(grep {{ ansible_env.SUDO_USER }} /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'"
@ -61,173 +112,108 @@
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access" fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access"
success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user" success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"
- name: Ensure root password is set - name: "Ensure root password is set"
when: when:
- rhel9cis_rule_5_6_6 - rhel9cis_rule_5_4_2_4
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- accounts - accounts
- root - root
- rule_5.6.6 - rule_5.4.2.4
block: block:
- name: Ensure root password is set - name: "Ensure root password is set"
ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)" ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
changed_when: false changed_when: false
register: root_passwd_set register: root_passwd_set
- name: Ensure root password is set - name: "Ensure root password is set"
ansible.builtin.assert: ansible.builtin.assert:
that: root_passwd_set.rc == 0 that: root_passwd_set.rc == 0
fail_msg: "You have rule 5.6.6 enabled this requires that you have a root password set" fail_msg: "You have rule 5.4.2.4 enabled this requires that you have a root password set"
success_msg: "You have a root password set" success_msg: "You have a root password set"
- name: Setup rules if container - name: "Gather the package facts"
when:
- ansible_connection == 'docker' or
ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
tags:
- container_discovery
- always
block:
- name: Discover and set container variable if required
ansible.builtin.set_fact:
system_is_container: true
- name: Load variable for container
ansible.builtin.include_vars:
file: "{{ container_vars_file }}"
- name: Output if discovered is a container
when:
- system_is_container
ansible.builtin.debug:
msg: system has been discovered as a container
- name: Check crypto-policy input
ansible.builtin.assert:
that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies
fail_msg: "Crypto policy is not a permitted version"
success_msg: "Crypto policy is a permitted version"
- name: Check crypto-policy module input
when:
- rhel9cis_rule_1_6_1
- rhel9cis_crypto_policy_module | length > 0
tags:
- rule_1.6.1
- crypto
- NIST800-53R5_SC-6
ansible.builtin.assert:
that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
fail_msg: "Crypto policy module is not a permitted version"
success_msg: "Crypto policy module is a permitted version"
- name: Check rhel9cis_bootloader_password_hash variable has been changed
when:
- rhel9cis_set_boot_pass
- rhel9cis_rule_1_4_1
tags:
- always
ansible.builtin.assert:
that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
- name: Gather the package facts
tags: tags:
- always - always
ansible.builtin.package_facts: ansible.builtin.package_facts:
manager: auto manager: auto
- name: Include OS specific variables - name: "Include OS specific variables"
tags: tags:
- always - always
ansible.builtin.include_vars: ansible.builtin.include_vars:
file: "{{ ansible_facts.distribution }}.yml" file: "{{ ansible_facts.distribution }}.yml"
- name: Include preliminary steps - name: "Include preliminary steps"
tags: tags:
- prelim_tasks - prelim_tasks
- always - always
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: prelim.yml file: prelim.yml
- name: Run Section 1 tasks - name: "Run Section 1 tasks"
when: rhel9cis_section1 when: rhel9cis_section1
tags:
- rhel9cis_section1
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: section_1/main.yml file: section_1/main.yml
- name: Run Section 2 tasks - name: "Run Section 2 tasks"
when: rhel9cis_section2 when: rhel9cis_section2
tags:
- rhel9cis_section2
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: section_2/main.yml file: section_2/main.yml
- name: Run Section 3 tasks - name: "Run Section 3 tasks"
when: rhel9cis_section3 when: rhel9cis_section3
tags:
- rhel9cis_section3
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: section_3/main.yml file: section_3/main.yml
- name: Run Section 4 tasks - name: "Run Section 4 tasks"
when: rhel9cis_section4 when: rhel9cis_section4
tags:
- rhel9cis_section4
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: section_4/main.yml file: section_4/main.yml
- name: Run Section 5 tasks - name: "Run Section 5 tasks"
when: rhel9cis_section5 when: rhel9cis_section5
tags:
- rhel9cis_section5
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: section_5/main.yml file: section_5/main.yml
- name: Run Section 6 tasks - name: "Run Section 6 tasks"
when: rhel9cis_section6 when: rhel9cis_section6
tags:
- rhel9cis_section6
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: section_6/main.yml file: section_6/main.yml
# - name: Run Section 7 tasks - name: "Run Section 7 tasks"
# when: rhel9cis_section7 when: rhel9cis_section7
# tags: ansible.builtin.import_tasks:
# - rhel9cis_section7 file: section_7/main.yml
# ansible.builtin.import_tasks:
# file: section_7/main.yml
- name: Run auditd logic - name: "Run auditd logic"
when: update_audit_template when: update_audit_template
tags: tags:
- always - always
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: auditd.yml file: auditd.yml
- name: Run post remediation tasks - name: "Run post remediation tasks"
tags: tags:
- post_tasks - post_tasks
- always - always
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: post.yml file: post.yml
- name: Run post_remediation audit - name: "Run post_remediation audit"
when: when:
- run_audit - run_audit
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: post_remediation_audit.yml file: post_remediation_audit.yml
- name: Show Audit Summary - name: "Show Audit Summary"
when: run_audit when: run_audit
ansible.builtin.debug: ansible.builtin.debug:
msg: "{{ audit_results.split('\n') }}" msg: "{{ audit_results.split('\n') }}"
- name: If Warnings found Output count and control IDs affected - name: "If Warnings found Output count and control IDs affected"
when: warn_count != 0 when: warn_count != 0
tags: tags:
- always - always

238
tasks/prelim.yml
View file

@ -3,7 +3,7 @@
# Preliminary tasks that should always be run # Preliminary tasks that should always be run
# List users in order to look files inside each home directory # List users in order to look files inside each home directory
- name: PRELIM | Include audit specific variables - name: "PRELIM | Include audit specific variables"
when: when:
- run_audit or audit_only - run_audit or audit_only
- setup_audit - setup_audit
@ -13,7 +13,7 @@
ansible.builtin.include_vars: ansible.builtin.include_vars:
file: audit.yml file: audit.yml
- name: PRELIM | Include pre-remediation audit tasks - name: "PRELIM | Include pre-remediation audit tasks"
when: when:
- run_audit or audit_only - run_audit or audit_only
- setup_audit - setup_audit
@ -45,47 +45,26 @@
changed_when: false changed_when: false
register: prelim_interactive_uids register: prelim_interactive_uids
- name: "PRELIM | capture /etc/password variables" - name: "PRELIM | AUDIT | Capture /etc/password variables"
ansible.builtin.include_tasks: ansible.builtin.include_tasks:
file: parse_etc_password.yml file: parse_etc_password.yml
tags: tags:
- always - always
- name: "PRELIM | List users accounts" - name: "PRELIM | PATCH | Ensure python3-libselinux is installed"
ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd"
changed_when: false
check_mode: false
register: users
tags:
- level1-server
- level1-workstation
- users
- name: "PRELIM | Gather accounts with empty password fields"
ansible.builtin.shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'"
changed_when: false
check_mode: false
register: empty_password_accounts
tags:
- level1-server
- level1-workstation
- passwords
- name: "PRELIM | Ensure python3-libselinux is installed"
when: when:
- '"python3-libselinux" not in ansible_facts.packages' - '"python3-libselinux" not in ansible_facts.packages'
ansible.builtin.package: ansible.builtin.package:
name: python3-libselinux name: python3-libselinux
state: present state: present
- name: "PRELIM | Section 1.1 | Create list of mount points" - name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points"
tags:
- Always
ansible.builtin.set_fact: ansible.builtin.set_fact:
mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}" mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}"
tags:
- level1-server
- level1-workstation
- name: "PRELIM | Update to latest gpg keys" - name: "PRELIM | PATCH | Update to latest gpg keys"
when: when:
- rhel9cis_rule_1_2_1_1 - rhel9cis_rule_1_2_1_1
- ansible_facts.distribution != 'RedHat' - ansible_facts.distribution != 'RedHat'
@ -94,32 +73,32 @@
name: "{{ gpg_key_package }}" name: "{{ gpg_key_package }}"
state: latest state: latest
- name: "PRELIM | Check gpg keys are imported will cause 1.2.1.1 to fail if not | RedHat Only" - name: "PRELIM | AUDIT | Import gpg keys | RedHat Only"
when: when:
- rhel9cis_rule_1_2_1_1 - rhel9cis_rule_1_2_1_1
- rhel9cis_force_gpg_key_import - rhel9cis_force_gpg_key_import
- ansible_facts.distribution == 'RedHat' - ansible_facts.distribution == 'RedHat'
block: block:
- name: "PRELIM | Check gpg keys are imported will cause 1.2.1.1 to fail if not" - name: "PRELIM | AUDIT | Import gpg keys | get data"
ansible.builtin.shell: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' ansible.builtin.shell: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: check_gpg_imported register: prelim_check_gpg_imported
- name: "PRELIM | Check key package matches RedHat" - name: "PRELIM | AUDIT | Import gpg keys | Check Package"
when: "'not installed' in check_gpg_imported.stdout" when: "'not installed' in prelim_check_gpg_imported.stdout"
ansible.builtin.shell: rpm -qi redhat-release | grep Signature ansible.builtin.shell: rpm -qi redhat-release | grep Signature
changed_when: false changed_when: false
failed_when: false failed_when: false
register: os_gpg_package_valid register: prelim_os_gpg_package_valid
- name: "PRELIM | Force keys to be imported" - name: "PRELIM | PATCH | Force keys to be imported"
when: when:
- "'not installed' in check_gpg_imported.stdout" - "'not installed' in prelim_check_gpg_imported.stdout"
- "'Key ID 199e2f91fd431d51' in os_gpg_package_valid.stdout" - "'Key ID 199e2f91fd431d51' in prelim_os_gpg_package_valid.stdout"
ansible.builtin.shell: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release ansible.builtin.shell: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
- name: "PRELIM | if systemd coredump" - name: "PRELIM | AUDIT | Check systemd coredump"
when: when:
- rhel9cis_rule_1_5_4 - rhel9cis_rule_1_5_4
tags: tags:
@ -129,9 +108,9 @@
- systemd - systemd
ansible.builtin.stat: ansible.builtin.stat:
path: /etc/systemd/coredump.conf path: /etc/systemd/coredump.conf
register: systemd_coredump register: prelim_systemd_coredump
- name: "PRELIM | Setup crypto-policy" - name: "PRELIM | PATCH | Setup crypto-policy"
when: when:
- rhel9cis_rule_1_6_1 - rhel9cis_rule_1_6_1
tags: tags:
@ -140,43 +119,43 @@
- rule_1.6.1 - rule_1.6.1
- crypto - crypto
block: block:
- name: "PRELIM | Install crypto-policies | pkgs present" - name: "PRELIM | PATCH | Install crypto-policies | pkgs present"
ansible.builtin.package: ansible.builtin.package:
name: name:
- crypto-policies - crypto-policies
- crypto-policies-scripts - crypto-policies-scripts
state: present state: present
- name: "PRELIM | Gather system-wide crypto-policy" - name: "PRELIM | AUDIT | Gather system-wide crypto-policy"
ansible.builtin.shell: 'update-crypto-policies --show' ansible.builtin.shell: 'update-crypto-policies --show'
changed_when: false changed_when: false
check_mode: false check_mode: false
register: rhel9cis_system_wide_crypto_policy register: prelim_system_wide_crypto_policy
- name: "PRELIM | Gather system-wide crypto-policy | set fact system policy" - name: "PRELIM | AUDIT | Gather system-wide crypto-policy | set fact system policy"
ansible.builtin.set_fact: ansible.builtin.set_fact:
current_crypto_policy: "{{ rhel9cis_system_wide_crypto_policy.stdout.split(':')[0] }}" current_crypto_policy: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[0] }}"
- name: "PRELIM | Gather system-wide crypto-policy module | set fact system policy submodule" - name: "PRELIM | AUDIT | Gather system-wide crypto-policy module | set fact system policy submodule"
when: "':' in rhel9cis_system_wide_crypto_policy.stdout" when: "':' in prelim_system_wide_crypto_policy.stdout"
ansible.builtin.set_fact: ansible.builtin.set_fact:
current_crypto_module: "{{ rhel9cis_system_wide_crypto_policy.stdout.split(':')[1] }}" current_crypto_module: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[1] }}"
- name: "PRELIM | Set facts based on boot type" - name: "PRELIM | AUDIT | Set facts based on boot type"
block: block:
- name: "PRELIM | Check whether machine is UEFI-based" - name: "PRELIM | AUDIT | Check whether machine is UEFI-based"
ansible.builtin.stat: ansible.builtin.stat:
path: /sys/firmware/efi path: /sys/firmware/efi
register: rhel_09_efi_boot register: prelim_efi_boot
- name: "PRELIM | set legacy boot and grub path | Bios" - name: "PRELIM | AUDIT | Set legacy boot and grub path | Bios"
when: not rhel_09_efi_boot.stat.exists when: not prelim_efi_boot.stat.exists
ansible.builtin.set_fact: ansible.builtin.set_fact:
rhel9cis_legacy_boot: true rhel9cis_legacy_boot: true
grub2_path: /etc/grub2.cfg grub2_path: /etc/grub2.cfg
- name: "PRELIM | set grub fact | UEFI" - name: "PRELIM | AUDIT | Set grub fact | UEFI"
when: rhel_09_efi_boot.stat.exists when: prelim_efi_boot.stat.exists
ansible.builtin.set_fact: ansible.builtin.set_fact:
grub2_path: /etc/grub2-efi.cfg grub2_path: /etc/grub2-efi.cfg
@ -193,51 +172,15 @@
changed_when: false changed_when: false
failed_when: discover_wireless_adapters.rc not in [ 0, 1 ] failed_when: discover_wireless_adapters.rc not in [ 0, 1 ]
- name: "PRELIM | PATCH | Install Network-Manager | if wireless adpater present" - name: "PRELIM | PATCH | Install Network-Manager | if wireless adapter present"
when: when:
- rhel9cis_install_network_manager
- discover_wireless_adapters.rc == 0 - discover_wireless_adapters.rc == 0
- "'network-manager' not in ansible_facts.packages" - "'NetworkManager' not in ansible_facts.packages"
ansible.builtin.package: ansible.builtin.package:
name: network-manager name: NetworkManager
state: present state: present
- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" - name: "PRELIM | PATCH | Install Cronie"
ansible.builtin.package:
name: audit
state: present
become: true
when:
- '"auditd" not in ansible_facts.packages'
- rhel9cis_rule_4_1_1_1
tags:
- level2-server
- level2-workstation
- patch
- rule_4.1.1.1
- auditd
- name: "PRELIM | 4.1.4.5 | Audit conf and rules files | list files"
when:
- rhel9cis_rule_4_1_4_5 or
rhel9cis_rule_4_1_4_6 or
rhel9cis_rule_4_1_4_7
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_4.1.4.5
- rule_4.1.4.6
- rule_4.1.4.7
ansible.builtin.find:
path: /etc/audit
file_type: file
recurse: true
patterns: '*.conf,*.rules'
register: auditd_conf_files
- name: "PRELIM | Section 5.1 | Configure cron"
when: when:
- rhel9cis_rule_5_1_1 - rhel9cis_rule_5_1_1
- '"cronie" not in ansible_facts.packages' - '"cronie" not in ansible_facts.packages'
@ -251,7 +194,7 @@
state: present state: present
# Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config # Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config
- name: "PRELIM | Section 5.2 | SSH" - name: "PRELIM | PATCH | SSH Config file is not exist"
when: when:
- rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config' - rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config'
- "'openssh-server' in ansible_facts.packages" - "'openssh-server' in ansible_facts.packages"
@ -266,55 +209,94 @@
mode: '0600' mode: '0600'
state: touch state: touch
- name: "PRELIM | 5.3.4 | Find all sudoers files." - name: "PRELIM | AUDIT | Gather UID 0 accounts other than root"
when: when: rhel9cis_rule_5_4_2_1
- rhel9cis_rule_5_3_4 or
rhel9cis_rule_5_3_5
tags: tags:
- rule_5.3.4 - rule_5.4.2.1
- rule_5.3.5
ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_sudoers_files
- name: "PRELIM | Gather UID 0 accounts other than root"
tags:
- rule_6.2.9
- level1-server - level1-server
- level1-workstation - level1-workstation
- users - users
ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'" ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
changed_when: false changed_when: false
check_mode: false check_mode: false
register: rhel9cis_uid_zero_accounts_except_root register: prelim_uid_zero_accounts_except_root
- name: "PRELIM | Discover Interactive UID MIN and MIN from logins.def" - name: "PRELIM | PATCH | Create journald config directory"
when:
- rhel9cis_syslog == 'journald'
- rhel9cis_rule_6_2_1_3 or
rhel9cis_rule_6_2_1_4
tags: always
ansible.builtin.file:
path: /etc/systemd/journald.conf.d
state: directory
- name: "PRELIM | PATCH | Configure System Accounting (auditd)"
when:
- '"auditd" not in ansible_facts.packages'
- rhel9cis_rule_6_3_1_1
tags:
- level2-server
- level2-workstation
- patch
- rule_6.3.1.1
- auditd
ansible.builtin.package:
name: audit
state: present
become: true
- name: "PRELIM | AUDIT | Discover audit logfile"
when:
- rhel9cis_rule_6_3_4_1 or
rhel9cis_rule_6_3_4_2 or
rhel9cis_rule_6_3_4_3 or
rhel9cis_rule_6_3_4_4
tags: always
ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'
changed_when: false
register: prelim_auditd_logfile
- name: "PRELIM | AUDIT | Audit conf and rules files | list files"
when:
- rhel9cis_rule_6_3_4_5 or
rhel9cis_rule_6_3_4_6 or
rhel9cis_rule_6_3_4_7
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.5
- rule_6.3.4.6
- rule_6.3.4.7
ansible.builtin.find:
path: /etc/audit
file_type: file
recurse: true
patterns: '*.conf,*.rules'
register: prelim_auditd_conf_files
- name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def"
when: rhel9cis_discover_int_uid when: rhel9cis_discover_int_uid
tags: always
block: block:
- name: "PRELIM | Capture UID_MIN information from logins.def" - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def"
ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
changed_when: false changed_when: false
register: uid_min_id register: prelim_uid_min_id
- name: "PRELIM | Capture UID_MAX information from logins.def" - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def"
ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
changed_when: false changed_when: false
register: uid_max_id register: prelim_uid_max_id
- name: "PRELIM | Capture GID_MIN information from logins.def" - name: "PRELIM | AUDIT | set_facts for interactive uid/gid"
ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}'
changed_when: false
register: gid_min_id
- name: "PRELIM | set_facts for interactive uid/gid"
ansible.builtin.set_fact: ansible.builtin.set_fact:
min_int_uid: "{{ uid_min_id.stdout }}" prelim_min_int_uid: "{{ prelim_uid_min_id.stdout }}"
max_int_uid: "{{ uid_max_id.stdout }}" prelim_max_int_uid: "{{ prelim_uid_max_id.stdout }}"
min_int_gid: "{{ gid_min_id.stdout }}"
- name: "PRELIM | Gather the package facts after prelim" - name: "PRELIM | AUDIT | Gather the package facts after prelim"
tags: tags:
- always - always
ansible.builtin.package_facts: ansible.builtin.package_facts:

43
tasks/section_6/cis_6.3.4.x.yml
View file

@ -10,17 +10,10 @@
- auditd - auditd
- rule_6.3.4.1 - rule_6.3.4.1
- NIST800-53R5_AU-3 - NIST800-53R5_AU-3
block: ansible.builtin.file:
- name: "6.3.4.1 | AUDIT | Ensure the audit log file directory mode is configured | get current permissions" path: "{{ prelim_auditd_logfile.stdout | dirname }}"
ansible.builtin.stat: state: directory
path: "{{ audit_discovered_logfile.stdout | dirname }}" mode: 'g-w,o-rwx'
register: auditlog_dir
- name: "6.3.4.1 | PATCH | Ensure the audit log file directory mode is configured | set"
ansible.builtin.file:
path: "{{ audit_discovered_logfile.stdout | dirname }}"
state: directory
mode: 'g-w,o-rwx'
- name: | - name: |
"6.3.4.2 | PATCH | Ensure audit log files mode is configured" "6.3.4.2 | PATCH | Ensure audit log files mode is configured"
@ -39,21 +32,11 @@
- rule_6.3.4.2 - rule_6.3.4.2
- rule_6.3.4.3 - rule_6.3.4.3
- NIST800-53R5_AU-3 - NIST800-53R5_AU-3
block: ansible.builtin.file:
- name: "6.3.4.2 | AUDIT | Ensure audit log files mode is configured | discover file" path: "{{ prelim_auditd_logfile.stdout }}"
ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }' mode: 'o-x,g-wx,o-rwx'
changed_when: false owner: root
register: audit_discovered_logfile group: root
- name: |
"6.3.4.2 | PATCH | Ensure audit log files mode is configured"
"6.3.4.3 | PATCH | Ensure audit log files owner is configured"
"6.3.4.4 | PATCH | Ensure audit log files group owner is configured"
ansible.builtin.file:
path: "{{ audit_discovered_logfile.stdout }}"
mode: 'o-x,g-wx,o-rwx'
owner: root
group: root
- name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured" - name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured"
when: when:
@ -67,7 +50,7 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
mode: 'u-x,g-wx,o-rwx' mode: 'u-x,g-wx,o-rwx'
loop: "{{ auditd_conf_files.files }}" loop: "{{ prelim_auditd_conf_files.files }}"
loop_control: loop_control:
label: "{{ item.path }}" label: "{{ item.path }}"
@ -83,7 +66,7 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
owner: root owner: root
loop: "{{ auditd_conf_files.files | default([]) }}" loop: "{{ prelim_auditd_conf_files.files | default([]) }}"
loop_control: loop_control:
label: "{{ item.path }}" label: "{{ item.path }}"
@ -99,7 +82,7 @@
ansible.builtin.file: ansible.builtin.file:
path: "{{ item.path }}" path: "{{ item.path }}"
group: root group: root
loop: "{{ auditd_conf_files.files | default([]) }}" loop: "{{ prelim_auditd_conf_files.files | default([]) }}"
loop_control: loop_control:
label: "{{ item.path }}" label: "{{ item.path }}"
@ -114,7 +97,7 @@
- rule_6.3.4.8 - rule_6.3.4.8
- NIST800-53R5_AU-3 - NIST800-53R5_AU-3
ansible.builtin.file: ansible.builtin.file:
path: "{{ item.item }}" path: "{{ item }}"
mode: 'go-w' mode: 'go-w'
loop: loop:
- /sbin/auditctl - /sbin/auditctl

8
tasks/section_7/cis_7.1.x.yml
View file

@ -192,6 +192,7 @@
- name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)"
when: when:
- rhel_09_7_1_11_perms_results.stdout_lines is defined - rhel_09_7_1_11_perms_results.stdout_lines is defined
- rhel_09_7_1_11_perms_results.stdout_lines | length > 0
- rhel9cis_no_world_write_adjust - rhel9cis_no_world_write_adjust
ansible.builtin.file: ansible.builtin.file:
path: '{{ item }}' path: '{{ item }}'
@ -200,7 +201,10 @@
loop: "{{ rhel_09_7_1_11_perms_results.stdout_lines }}" loop: "{{ rhel_09_7_1_11_perms_results.stdout_lines }}"
- name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit" - name: "7.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable directories add sticky bit"
ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -o+w ! -perm -1002 2>/dev/null | xargs chmod a+t
failed_when: rhel9cis_set_stickybit.rc not in [ 0, 123 ]
changed_when: rhel9cis_set_stickybit.rc == 0
register: rhel9cis_set_stickybit
- name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist" - name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist"
when: when:
@ -250,7 +254,7 @@
owner: "{{ rhel9cis_unowned_owner }}" owner: "{{ rhel9cis_unowned_owner }}"
group: "{{ rhel9cis_unowned_group }}" group: "{{ rhel9cis_unowned_group }}"
with_items: with_items:
- "{{ udiscovered_unowned_files_flatten }}" - "{{ discovered_unowned_files_flatten }}"
- name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Warn Count" - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Warn Count"
when: when:

32
tasks/section_7/cis_7.2.x.yml
View file

@ -84,7 +84,7 @@
- name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" - name: "7.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
when: discovered_passwd_gid_check.stdout | length > 0 when: discovered_passwd_gid_check.stdout | length > 0
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join (', ') }}" msg: "Warning!! The following users have non-existent GIDs (Groups): {{ discovered_passwd_gid_check.stdout_lines | join(', ') }}"
- name: "7.2.3 | WARNING | Ensure all groups in /etc/passwd exist in /etc/group | warn_count" - name: "7.2.3 | WARNING | Ensure all groups in /etc/passwd exist in /etc/group | warn_count"
when: discovered_passwd_gid_check.stdout | length > 0 when: discovered_passwd_gid_check.stdout | length > 0
@ -243,7 +243,7 @@
state: directory state: directory
owner: "{{ item.id }}" owner: "{{ item.id }}"
group: "{{ item.gid }}" group: "{{ item.gid }}"
loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | list }}" loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | list }}"
loop_control: loop_control:
label: "{{ item.id }}" label: "{{ item.id }}"
@ -316,31 +316,3 @@
path: '{{ item }}' path: '{{ item }}'
mode: 'go-w' mode: 'go-w'
with_items: "{{ discovered_homedir_dot_files.stdout_lines }}" with_items: "{{ discovered_homedir_dot_files.stdout_lines }}"
- name: "7.2.4 | PATCH | Ensure shadow group is empty"
when:
- rhel9cis_rule_7_2_4
tags:
- level1-server
- level1-workstation
- patch
- rule_6.2.4
- user
vars:
warn_control_id: '7.2.4'
block:
- name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
ansible.builtin.getent:
database: group
split: ':'
key: shadow
- name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
ansible.builtin.debug:
msg: "Warning!! - You have users in the shadow group"
when: ansible_facts.getent_group.shadow[2] | length > 0
- name: "7.2.4 | AUDIT | Ensure shadow group is empty | check users in group"
ansible.builtin.import_tasks:
file: warning_facts.yml
when: ansible_facts.getent_group.shadow[2] | length > 0