From 2bf67cde0d77c40fed616a91708c21bc2fe94e51 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 22 Jul 2024 12:42:39 +0100 Subject: [PATCH] Added Nist values Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 8 +------- tasks/section_1/cis_1.1.1.x.yml | 9 ++++++++- tasks/section_1/cis_1.1.2.1.x.yml | 6 ++++++ tasks/section_1/cis_1.1.2.2.x.yml | 3 +++ tasks/section_1/cis_1.1.2.3.x.yml | 5 ++++- tasks/section_1/cis_1.1.2.4.x.yml | 3 +++ tasks/section_1/cis_1.1.2.5.x.yml | 3 +++ tasks/section_1/cis_1.1.2.6.x.yml | 3 +++ tasks/section_1/cis_1.1.2.7.x.yml | 3 +++ tasks/section_1/cis_1.2.1.x.yml | 5 ++++- tasks/section_1/cis_1.2.2.x.yml | 22 +++++++++++----------- tasks/section_1/cis_1.3.1.x.yml | 16 ++++++++++++++++ tasks/section_1/cis_1.4.x.yml | 2 ++ tasks/section_1/cis_1.5.x.yml | 3 +++ tasks/section_1/cis_1.6.x.yml | 15 +++++++++++++++ tasks/section_1/cis_1.7.x.yml | 15 +++++++++++++++ 16 files changed, 100 insertions(+), 21 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c6ecbda..aa85840 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -270,6 +270,7 @@ - users - name: "PRELIM | Discover Interactive UID MIN and MIN from logins.def" + when: rhel9cis_discover_int_uid block: - name: "PRELIM | Capture UID_MIN information from logins.def" ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' @@ -292,13 +293,6 @@ max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" -- name: "PRELIM | Output of uid findings" - ansible.builtin.debug: - msg: "{{ min_int_uid }} {{ max_int_uid }}" - - when: - - not discover_int_uid - - name: "PRELIM | Gather the package facts after prelim" ansible.builtin.package_facts: manager: auto diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index 8ea6909..4381911 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml 
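Review bot: The new `when: rhel9cis_discover_int_uid` on the "PRELIM | Discover Interactive UID MIN" block gates the `set_fact` that defines `min_int_uid`, `max_int_uid` and `min_int_gid`, but nothing in this hunk supplies those facts when the flag is false, so any later task that consumes them will fail on an undefined variable unless defaults exist outside this diff. The debug task being removed tested `not discover_int_uid` (no `rhel9cis_` prefix), which suggests the variable was renamed; worth confirming `rhel9cis_discover_int_uid` is declared in the role defaults and that no other reference to the old name remains. If the intent is that operators provide the UID/GID bounds themselves when discovery is off, a comment on the block such as `# When rhel9cis_discover_int_uid is false, min_int_uid/max_int_uid/min_int_gid must be supplied by the caller` would make that contract explicit. The block's body continues outside the hunk.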
@@ -9,6 +9,7 @@ - patch - rule_1.1.1.1 - cramfs + - NIST800-53R5_CM-7 block: - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: @@ -42,6 +43,7 @@ - patch - rule_1.1.1.2 - freevxfs + - NIST800-53R5_CM-7 block: - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: @@ -75,6 +77,7 @@ - patch - rule_1.1.1.3 - hfs + - NIST800-53R5_CM-7 block: - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: @@ -108,6 +111,7 @@ - patch - rule_1.1.1.4 - hfsplus + - NIST800-53R5_CM-7 block: - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: @@ -141,6 +145,7 @@ - patch - rule_1.1.1.5 - jffs2 + - NIST800-53R5_CM-7 block: - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: @@ -174,6 +179,7 @@ - patch - rule_1.1.1.6 - squashfs + - NIST800-53R5_CM-7 block: - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: @@ -207,6 +213,7 @@ - patch - rule_1.1.1.7 - udf + - NIST800-53R5_CM-7 block: - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: @@ -240,6 +247,7 @@ - patch - rule_1.1.1.8 - usb + - NIST800-53R5_SI-3 block: - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Edit modprobe config" ansible.builtin.lineinfile: @@ -272,7 +280,6 @@ - level1-workstation - patch - rule_1.1.1.9 - - usb vars: warn_control_id: '1.1.1.9' block: diff --git a/tasks/section_1/cis_1.1.2.1.x.yml b/tasks/section_1/cis_1.1.2.1.x.yml index cd27f5e..770753e 100644 --- a/tasks/section_1/cis_1.1.2.1.x.yml +++ b/tasks/section_1/cis_1.1.2.1.x.yml 
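Review bot: Rule 1.1.1.8 (usb-storage) is the only kernel-module rule in this file tagged `NIST800-53R5_SI-3`, while 1.1.1.1 through 1.1.1.7 all carry `NIST800-53R5_CM-7`, so a run filtered with `--tags NIST800-53R5_CM-7` would disable every listed filesystem module except usb-storage. If the benchmark's reference mapping lists CM-7 for this control as well, add `- NIST800-53R5_CM-7` next to the SI-3 tag; if SI-3 alone is intended, a short comment above it explaining why this rule differs from its siblings would stop the next reader from "fixing" it. The removal of the `usb` tag from 1.1.1.9 in the last hunk looks like deliberate cleanup, but it is not mentioned in the commit message and may surprise anyone running `--tags usb`.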
@@ -10,6 +10,7 @@ - audit - mounts - rule_1.1.2.1.1 + - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.1.1' required_mount: '/tmp' @@ -51,6 +52,9 @@ - rule_1.1.2.1.2 - rule_1.1.2.1.3 - rule_1.1.2.1.4 + - NIST800-53R5_CM-7 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 # via systemd - name: | @@ -73,6 +77,8 @@ - rule_1.1.2.1.2 - rule_1.1.2.1.3 - rule_1.1.2.1.4 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.template: src: etc/systemd/system/tmp.mount.j2 dest: /etc/systemd/system/tmp.mount diff --git a/tasks/section_1/cis_1.1.2.2.x.yml b/tasks/section_1/cis_1.1.2.2.x.yml index 0831626..f93a1d4 100644 --- a/tasks/section_1/cis_1.1.2.2.x.yml +++ b/tasks/section_1/cis_1.1.2.2.x.yml @@ -10,6 +10,7 @@ - audit - mounts - rule_1.1.2.2.1 + - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.2.1' block: @@ -45,6 +46,8 @@ - rule_1.1.2.2.2 - rule_1.1.2.2.3 - rule_1.1.2.2.4 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.posix.mount: name: /dev/shm src: tmpfs diff --git a/tasks/section_1/cis_1.1.2.3.x.yml b/tasks/section_1/cis_1.1.2.3.x.yml index 1468135..6fd1303 100644 --- a/tasks/section_1/cis_1.1.2.3.x.yml +++ b/tasks/section_1/cis_1.1.2.3.x.yml @@ -10,7 +10,7 @@ - audit - mounts - rule_1_1_2.3.1 - - skip_ansible_lint + - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.3.1' required_mount: '/home' @@ -37,6 +37,9 @@ - mounts - rule_1_1_2.3.2 - rule_1_1_2.3.3 + - NIST800-53R5_CM-7 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.mount: name: /home src: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.4.x.yml b/tasks/section_1/cis_1.1.2.4.x.yml index afa754b..85df1b2 100644 --- a/tasks/section_1/cis_1.1.2.4.x.yml +++ b/tasks/section_1/cis_1.1.2.4.x.yml @@ -10,6 +10,7 @@ - patch - mounts - rule_1_1_2.4.1 + - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.4.1' required_mount: '/var' @@ -37,6 +38,8 @@ - mounts - rule_1_1_2.4.2 - rule_1_1_2.4.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.mount: name: /var src: "{{ item.device }}" 
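Review bot: For rules 1.1.2.1.2–1.1.2.1.4 the fstab-based task receives `NIST800-53R5_CM-7`, `NIST800-53R5_AC-3` and `NIST800-53R5_MP-2`, but the systemd `tmp.mount` template task that implements the same three rules (the `# via systemd` hunk) only receives `AC-3` and `MP-2`. Because Ansible tags select tasks, a run limited to `--tags NIST800-53R5_CM-7` would apply the /tmp mount options on fstab-managed hosts and silently skip them where /tmp is managed by systemd. Add `- NIST800-53R5_CM-7` to the systemd task's tag list so both code paths answer the same control filter. The same CM-7/AC-3/MP-2 trio is used on the /home mount in cis_1.1.2.3.x.yml, so this looks like an omission rather than a deliberate difference.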
diff --git a/tasks/section_1/cis_1.1.2.5.x.yml b/tasks/section_1/cis_1.1.2.5.x.yml index 93fa27c..dba75f5 100644 --- a/tasks/section_1/cis_1.1.2.5.x.yml +++ b/tasks/section_1/cis_1.1.2.5.x.yml @@ -11,6 +11,7 @@ - audit - mounts - rule_1_1_2.5.1 + - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.5.1' required_mount: '/var/tmp' @@ -41,6 +42,8 @@ - rule_1_1_2.5.2 - rule_1_1_2.5.3 - rule_1_1_2.5.4 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.mount: name: /var/tmp src: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.6.x.yml b/tasks/section_1/cis_1.1.2.6.x.yml index 6b497ec..00e0711 100644 --- a/tasks/section_1/cis_1.1.2.6.x.yml +++ b/tasks/section_1/cis_1.1.2.6.x.yml @@ -10,6 +10,7 @@ - audit - mounts - rule_1_1_2.6.1 + - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.6.1' required_mount: '/var/log' @@ -39,6 +40,8 @@ - rule_1_1_2.6.2 - rule_1_1_2.6.3 - rule_1_1_2.6.4 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.mount: name: /var/log src: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.2.7.x.yml b/tasks/section_1/cis_1.1.2.7.x.yml index 6b5d760..8e59fe6 100644 --- a/tasks/section_1/cis_1.1.2.7.x.yml +++ b/tasks/section_1/cis_1.1.2.7.x.yml @@ -10,6 +10,7 @@ - audit - mounts - rule_1_1_2.7.1 + - NIST800-53R5_CM-7 vars: warn_control_id: '1.1.2.7.1' required_mount: '/var/log/audit' @@ -49,3 +50,5 @@ - rule_1_1_2.7.2 - rule_1_1_2.7.3 - rule_1_1_2.7.4 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 diff --git a/tasks/section_1/cis_1.2.1.x.yml b/tasks/section_1/cis_1.2.1.x.yml index 8e805ab..c6ee203 100644 --- a/tasks/section_1/cis_1.2.1.x.yml +++ b/tasks/section_1/cis_1.2.1.x.yml @@ -12,6 +12,7 @@ - manual - patch - rule_1.2.1.1 + - NIST800-53R5_SI-2 block: - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" 
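Review bot: Rule 1.2.1.1 (GPG keys configured) is tagged `NIST800-53R5_SI-2`, which is Flaw Remediation, whereas the control is about verifying package authenticity and would more naturally fall under SI-7 (Software, Firmware, and Information Integrity) or CM-5. Since the following hunks apply the same SI-2 tag to 1.2.1.2 through 1.2.1.4, please confirm the mapping against the benchmark's reference table before it propagates; if SI-2 is what the benchmark cites, a one-line comment near the first use, e.g. `# SI-2 per CIS reference mapping`, would pre-empt this question from later reviewers. If the mapping turns out to be different, all four tags should change together so the 1.2.1.x rules stay filterable as one group.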
@@ -41,6 +42,7 @@ - level1-workstation - patch - rule_1.2.1.2 + - NIST800-53R5_SI-2 block: - name: "1.2.1.2 | AUDIT | Ensure gpgcheck is globally activated | Find repos" ansible.builtin.find: @@ -68,6 +70,7 @@ - manual - audit - rule_1.2.1.3 + - NIST800-53R5_SI-2 block: - name: "1.2.1.3 | PATCH | Ensure repo_gpgcheck is globally activated | dnf.conf" ansible.builtin.lineinfile: @@ -99,7 +102,7 @@ - manual - audit - rule_1.2.1.4 - - skip_ansible_lint + - NIST800-53R5_SI-2 vars: warn_control_id: '1.2.1.4' block: diff --git a/tasks/section_1/cis_1.2.2.x.yml b/tasks/section_1/cis_1.2.2.x.yml index 7c6dff7..2ccb59f 100644 --- a/tasks/section_1/cis_1.2.2.x.yml +++ b/tasks/section_1/cis_1.2.2.x.yml @@ -1,16 +1,16 @@ --- - name: "1.2.2.1 | PATCH | Ensure updates, patches, and additional security software are installed" - ansible.builtin.package: - name: "*" - state: latest - notify: Change_requires_reboot when: - - rhel9cis_rule_1_2_2_1 - - not system_is_ec2 + - rhel9cis_rule_1_2_2_1 + - not system_is_ec2 tags: - - level1-server - - level1-workstation - - patch - - rule_1.2.2.1 - - skip_ansible_lint + - level1-server + - level1-workstation + - patch + - rule_1.2.2.1 + - NIST800-53R5_SI-2 + ansible.builtin.package: + name: "*" + state: latest + notify: Change_requires_reboot diff --git a/tasks/section_1/cis_1.3.1.x.yml b/tasks/section_1/cis_1.3.1.x.yml index 2e0f0ce..197e474 100644 --- a/tasks/section_1/cis_1.3.1.x.yml +++ b/tasks/section_1/cis_1.3.1.x.yml @@ -9,6 +9,8 @@ - level1-workstation - patch - rule_1.3.1.1 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.package: name: libselinux state: present @@ -23,6 +25,8 @@ - scored - patch - rule_1.3.1.2 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.replace: path: /etc/default/grub regexp: '{{ item }}' @@ -45,6 +49,8 @@ - selinux - patch - rule_1.3.1.3 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" 
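Review bot: The reordered 1.2.2.1 task drops the `skip_ansible_lint` tag while keeping `ansible.builtin.package` with `name: "*"` and `state: latest`, which ansible-lint's `package-latest` rule flags; unless the repository's lint configuration already ignores that rule, lint will now fail on this task. Either keep the tag or add an inline suppression on the offending line, e.g. `state: latest  # noqa: package-latest`, together with a one-line comment that the benchmark requires every package to be current. Note also that the task reads `notify: Change_requires_reboot` with no `changed_when`, so a no-op run that still reports changed will trigger the reboot handler; that is pre-existing, but worth a comment if it is intentional.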
@@ -60,6 +66,8 @@ - selinux - patch - rule_1.3.1.4 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" @@ -76,6 +84,8 @@ - selinux - patch - rule_1.3.1.5 + - NIST800-53R4_AC-3 + - NIST800-53R4_SI-6 ansible.posix.selinux: conf: /etc/selinux/config policy: "{{ rhel9cis_selinux_pol }}" @@ -91,6 +101,8 @@ - audit - services - rule_1.3.1.6 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 vars: warn_control_id: '1.3.1.6' block: @@ -118,6 +130,8 @@ - level1-workstation - patch - rule_1.3.1.7 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.package: name: mcstrans state: absent @@ -134,3 +148,5 @@ - selinux - patch - rule_1.3.1.8 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index 384ab24..747faa8 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -10,6 +10,7 @@ - grub - patch - rule_1.4.1 + - NIST800-53R5_AC-3 ansible.builtin.copy: dest: /boot/grub2/user.cfg content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy @@ -27,6 +28,7 @@ - grub - patch - rule_1.4.2 + - NIST800-53R5_AC-3 block: - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" ansible.builtin.file: diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index b8ea0dd..05d4b6e 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -9,6 +9,8 @@ - patch - sysctl - rule_1.5.1 + - NIST800-53R5_CM-6 + - NIST800-53R5_CM-6.1 block: - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled" ansible.builtin.set_fact: @@ -45,6 +47,7 @@ - patch - sysctl - rule_1.5.3 + - NIST800-53R5_CM-6b ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$' diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index bc15fbb..7c015a2 100644 
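Review bot: Rule 1.3.1.5 is tagged `NIST800-53R4_AC-3` and `NIST800-53R4_SI-6` while every other rule in this patch uses the `NIST800-53R5_` prefix, so this task is invisible to a `--tags NIST800-53R5_AC-3` run, and `SI-6` breaks the `AC-3`/`MP-2` pairing that its siblings 1.3.1.1–1.3.1.4 and 1.3.1.6–1.3.1.8 all received. This looks like a typo carried over from an R4 mapping; change the two lines to `- NIST800-53R5_AC-3` and `- NIST800-53R5_MP-2` (or keep SI-6 if that is genuinely the intended R5 control, in which case the prefix still needs correcting). A quick `grep -r 'NIST800-53R4' tasks/` before merging would catch any other stragglers.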
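Review bot: The sysctl rules mix two notations for the same control: 1.5.1 gets `NIST800-53R5_CM-6` plus `NIST800-53R5_CM-6.1`, while 1.5.3 gets `NIST800-53R5_CM-6b`. In 800-53, `CM-6(1)` is a control enhancement and `CM-6b` is a part of the base control, so they are not interchangeable, and because Ansible matches tags literally a filter on one will never select the other. Pick one scheme for the whole role (for example base control only, `NIST800-53R5_CM-6`, on both tasks, or a consistent `CM-6.1` style for enhancements) and document it once in the role's README or defaults so later contributors follow it.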
--- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -8,7 +8,9 @@ - level1-workstation - automated - patch + - crypto - rule_1.6.1 + - NIST800-53R5_SC-6 ansible.builtin.debug: msg: "Captured in prelim to ensure not LEGACY. Runs handler to update" changed_when: true @@ -25,6 +27,9 @@ - automated - patch - rule_1.6.2 + - NIST800-53R5_SC-8 + - NIST800-53R5_IA-5 + - NIST800-53R5_AC-17- NIST800-53R5_SC-6 ansible.builtin.lineinfile: path: /etc/sysconfig/sshd regexp: ^CRYPTO_POLICY\s*= @@ -40,7 +45,9 @@ - level1-workstation - automated - patch + - crypto - rule_1.6.3 + - NIST800-53R5_SC-6 block: - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | Add submodule exclusion" ansible.builtin.template: @@ -66,7 +73,9 @@ - level1-workstation - automated - patch + - crypto - rule_1.6.4 + - NIST800-53R5_SC-6 block: - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion" ansible.builtin.template: @@ -93,7 +102,9 @@ - level1-workstation - automated - patch + - crypto - rule_1.6.5 + - NIST800-53R5_SC-6 block: - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | Add submodule exclusion" ansible.builtin.template: @@ -119,7 +130,9 @@ - level1-workstation - automated - patch + - crypto - rule_1.6.6 + - NIST800-53R5_SC-6 block: - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion" ansible.builtin.template: @@ -145,7 +158,9 @@ - level1-workstation - automated - patch + - crypto - rule_1.6.7 + - NIST800-53R5_SC-6 block: - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | Add submodule exclusion" ansible.builtin.template: diff --git a/tasks/section_1/cis_1.7.x.yml b/tasks/section_1/cis_1.7.x.yml index e5ab0b4..c7484cd 100644 --- a/tasks/section_1/cis_1.7.x.yml +++ b/tasks/section_1/cis_1.7.x.yml 
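Review bot: In the 1.6.2 hunk the added tag line reads `- NIST800-53R5_AC-17- NIST800-53R5_SC-6`, which YAML parses as a single list item, so the task would carry the literal tag `NIST800-53R5_AC-17- NIST800-53R5_SC-6` and match neither `--tags NIST800-53R5_AC-17` nor `--tags NIST800-53R5_SC-6`. Split it into `- NIST800-53R5_AC-17` and `- NIST800-53R5_SC-6` on separate lines; if this is only an artifact of how the patch is rendered here, please disregard, but the committed file is worth checking. Separately, `SC-6` is Resource Availability, and for crypto-policy rules SC-13 (Cryptographic Protection) seems the more likely intended control; since the same SC-6 tag is applied to 1.6.1 and 1.6.3–1.6.7, please confirm it against the benchmark mapping before it spreads further.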
@@ -9,6 +9,9 @@ - banner - patch - rule_1.7.1 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 ansible.builtin.template: src: etc/motd.j2 dest: /etc/motd @@ -24,6 +27,9 @@ - level1-workstation - patch - rule_1.7.2 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 ansible.builtin.template: src: etc/issue.j2 dest: /etc/issue @@ -40,6 +46,9 @@ - banner - patch - rule_1.7.3 + - NIST800-53R5_CM-1 + - NIST800-53R5_CM-3 + - NIST800-53R5_CM-6 ansible.builtin.template: src: etc/issue.net.j2 dest: /etc/issue.net @@ -56,6 +65,8 @@ - perms - patch - rule_1.7.4 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/motd owner: root @@ -71,6 +82,8 @@ - perms - patch - rule_1.7.5 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/issue owner: root @@ -86,6 +99,8 @@ - perms - patch - rule_1.7.6 + - NIST800-53R5_AC-3 + - NIST800-53R5_MP-2 ansible.builtin.file: path: /etc/issue.net owner: root
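Review bot: The banner rules 1.7.1–1.7.3 are tagged `NIST800-53R5_CM-1`, `NIST800-53R5_CM-3` and `NIST800-53R5_CM-6`, all configuration-management controls, whereas a login banner is the textbook example of AC-8 (System Use Notification); please confirm the mapping against the benchmark's reference table before merging. If CM-6 is kept because the benchmark cites it, adding `- NIST800-53R5_AC-8` as well would let an AC-8-filtered run still deploy the banners. The permission rules 1.7.4–1.7.6 reuse the `AC-3`/`MP-2` pair applied elsewhere in this patch for file ownership and mode, which is at least consistent with the rest of the role.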