From 835cd41c8aea77826dac8d90a35fa81ce4c8b193 Mon Sep 17 00:00:00 2001 From: Mark Tomich Date: Fri, 29 Mar 2024 14:12:12 -0400 Subject: [PATCH 01/13] removing the async because we need the results of the init in the subsequent step Signed-off-by: Mark Tomich --- tasks/section_1/cis_1.3.x.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 3010b5a..9bc8677 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -9,10 +9,6 @@ - name: "1.3.1 | PATCH | Ensure AIDE is installed | Build AIDE DB" ansible.builtin.shell: /usr/sbin/aide --init - changed_when: false - failed_when: false - async: 45 - poll: 0 args: creates: /var/lib/aide/aide.db.new.gz when: not ansible_check_mode From f11d2cc3f012611c60cd77dbaac927c7d9ba1e07 Mon Sep 17 00:00:00 2001 From: Svennd Date: Tue, 30 Apr 2024 16:16:16 +0200 Subject: [PATCH 02/13] typo a small description typo Signed-off-by: Svennd --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index d48728a..f1a2dea 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -403,7 +403,7 @@ rhel9cis_tmp_svc: false ## Control 1.2.1 # For new systems that have not yet run update the gpg key is not yet imported -# Setting to `true` will allow a test on the package and the foce the import of the key +# Setting to `true` will allow a test on the package and force the import of the key rhel9cis_force_gpg_key_import: true ## Control 1.2.4 From 2c09971cc2caebc8900106ea67ce6d87e72cbca7 Mon Sep 17 00:00:00 2001 From: Svennd Date: Wed, 22 May 2024 10:28:56 +0200 Subject: [PATCH 03/13] 2.4 : socket vs sockets This looks for all active sockets, but the command is singular Signed-off-by: Svennd --- tasks/section_2/cis_2.4.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index ac56312..15048f6 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -10,7 +10,7 @@ register: rhel9cis_2_4_services - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Get list of sockets" - ansible.builtin.shell: systemctl list-units --type=sockets + ansible.builtin.shell: systemctl list-units --type=socket changed_when: false failed_when: false check_mode: false From 4ca7b17c6e0df34269a34ac27b84c7c628978e59 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 3 Jun 2024 17:46:46 +0000 Subject: [PATCH 04/13] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/Yelp/detect-secrets: v1.4.0 → v1.5.0](https://github.com/Yelp/detect-secrets/compare/v1.4.0...v1.5.0) - [github.com/gitleaks/gitleaks: v8.18.2 → v8.18.3](https://github.com/gitleaks/gitleaks/compare/v8.18.2...v8.18.3) - [github.com/ansible-community/ansible-lint: v24.2.2 → v24.5.0](https://github.com/ansible-community/ansible-lint/compare/v24.2.2...v24.5.0) --- .pre-commit-config.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a76a23f..b0ba2f9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -30,20 +30,20 @@ repos: # Scan for passwords - repo: https://github.com/Yelp/detect-secrets - rev: v1.4.0 + rev: v1.5.0 hooks: - id: detect-secrets args: [ '--baseline', '.config/.secrets.baseline' ] exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.2 + rev: v8.18.3 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.2.2 + rev: v24.5.0 hooks: - id: ansible-lint name: Ansible-lint From 21e0bc83871cf3a5befbda09851a3bc4445df3ff Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 4 Jun 2024 17:53:12 +0100 Subject: [PATCH 05/13] added PR details #193 thanks to @brakkio86 Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x.yml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index bb3cf34..64abc47 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -18,7 +18,7 @@ line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" insertbefore: '^#?password ?' - - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings" ansible.builtin.lineinfile: path: /etc/pam.d/password-auth regexp: '^password\s*requisite\s*pam_pwquality.so' @@ -78,10 +78,18 @@ - rule_5.5.2 - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality" - ansible.builtin.lineinfile: - path: /etc/pam.d/system-auth - line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" - insertafter: '^password\s*requisite\s*pam_pwquality.so' + block: + - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings" + ansible.builtin.lineinfile: + path: /etc/pam.d/system-auth + line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" + insertafter: '^password\s*requisite\s*pam_pwquality.so' + + - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings" + ansible.builtin.lineinfile: + path: /etc/pam.d/password-auth + line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" + insertafter: '^password\s*requisite\s*pam_pwquality.so' when: - rhel9cis_rule_5_5_3 tags: From b279a9fb805c653efcd3467751475b0070ea29a6 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 5 Jun 2024 08:00:02 +0100 Subject: [PATCH 06/13] Added /dev/null to exclude in prelim check shell Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 6ffc298..0db27d3 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -24,7 +24,7 @@ tags: - always ansible.builtin.shell: > - grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $1 }' + grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }' changed_when: false register: discovered_interactive_usernames From bd7c4e3da2c8a7c28450596e1abda85fef893ab0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 5 Jun 2024 08:01:17 +0100 Subject: [PATCH 07/13] improved tests based upon #190 thanks to @ipruteanu-sie Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.6.1.x.yml | 1 + tasks/section_5/cis_5.6.x.yml | 12 ++++++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index 6ad3dc0..7abe1d1 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -116,6 +116,7 @@ - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" loop: "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}" + when: item in discovered_interactive_usernames.stdout when: - rhel9cis_rule_5_6_1_4 tags: diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 8fba898..5271388 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -14,8 +14,10 @@ - item.id != "halt" - item.id != "nfsnobody" - item.uid < min_int_uid | int - - item.shell != " /bin/false" - - item.shell != " /usr/sbin/nologin" + - item.shell != "/bin/false" + - item.shell != "/usr/sbin/nologin" + - item.shell != "/sbin/nologin" + - item.shell != "/dev/null" loop_control: label: "{{ item.id }}" @@ -31,8 +33,10 @@ - item.id != "root" - item.id != "nfsnobody" - item.uid < min_int_uid | int - - item.shell != " /bin/false" - - item.shell != " /usr/sbin/nologin" + - item.shell != "/bin/false" + - item.shell != "/usr/sbin/nologin" + - item.shell != "/sbin/nologin" + - item.shell != "/dev/null" loop_control: label: "{{ item.id }}" when: From 60a9000dda634c97d5246e7298b39bd6e4be28cd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 5 Jun 2024 09:46:14 +0100 Subject: [PATCH 08/13] Address #191 Signed-off-by: Mark Bolwell --- handlers/main.yml | 3 + tasks/section_5/cis_5.5.x.yml | 7 +- tasks/section_5/cis_5.5.x_authselect.yml | 144 +++++++++++++++++++++++ tasks/section_5/main.yml | 8 +- 4 files changed, 159 insertions(+), 3 deletions(-) create mode 100644 tasks/section_5/cis_5.5.x_authselect.yml diff --git a/handlers/main.yml b/handlers/main.yml index 544dd4b..e0598e2 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -79,6 +79,9 @@ ansible.builtin.systemd: daemon-reload: true +- name: Apply_authselect + ansible.builtin.shell: authselect apply-changes + ## Auditd tasks note order for handlers to run - name: Auditd immutable check diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index 64abc47..57ad96b 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -11,14 +11,14 @@ - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" } - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } - - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect" ansible.builtin.lineinfile: path: /etc/pam.d/system-auth regexp: '^password\s*requisite\s*pam_pwquality.so' line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" insertbefore: '^#?password ?' - - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings" + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect" ansible.builtin.lineinfile: path: /etc/pam.d/password-auth regexp: '^password\s*requisite\s*pam_pwquality.so' @@ -42,6 +42,7 @@ loop: - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' } - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' } + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth" ansible.builtin.lineinfile: path: "{{ item }}" @@ -51,6 +52,7 @@ loop: - "/etc/pam.d/system-auth" - "/etc/pam.d/password-auth" + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail" ansible.builtin.lineinfile: path: "{{ item }}" @@ -60,6 +62,7 @@ loop: - "/etc/pam.d/system-auth" - "/etc/pam.d/password-auth" + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so" ansible.builtin.lineinfile: path: "{{ item }}" diff --git a/tasks/section_5/cis_5.5.x_authselect.yml b/tasks/section_5/cis_5.5.x_authselect.yml new file mode 100644 index 0000000..3188302 --- /dev/null +++ b/tasks/section_5/cis_5.5.x_authselect.yml @@ -0,0 +1,144 @@ +--- + +- name: "5.5.1 | PATCH | Ensure password creation requirements are configured" + block: + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" + ansible.builtin.lineinfile: + path: /etc/security/pwquality.conf + regexp: ^{{ item.name }} + line: "{{ item.name }} = {{ item.value }}" + loop: + - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" } + - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } + + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect" + ansible.builtin.lineinfile: + path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" + regexp: '^password\s*requisite\s*pam_pwquality.so' + line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" + insertbefore: '^#?password ?' + notify: Apply_authselect + + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect" + ansible.builtin.lineinfile: + path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" + regexp: '^password\s*requisite\s*pam_pwquality.so' + line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" + insertbefore: '^#?password ?' + notify: Apply_authselect + when: + - rhel9cis_rule_5_5_1 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.5.1 + +- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured" + block: + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock.conf configs" + ansible.builtin.lineinfile: + path: /etc/security/faillock.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + loop: + - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' } + - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' } + + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth" + ansible.builtin.lineinfile: + path: "{{ item }}" + regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*preauth(.*)' + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}" + insertafter: 'auth\s*(sufficient|required)\s*pam_env.so$' + loop: + - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" + - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" + notify: Apply_authselect + + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail" + ansible.builtin.lineinfile: + path: "{{ item }}" + regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*authfail(.*)' + line: "auth required pam_faillock.so authfail audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}" + insertbefore: 'auth\s*(sufficient|required)\s*pam_deny.so$' + loop: + - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" + - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" + notify: Apply_authselect + + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so" + ansible.builtin.lineinfile: + path: "{{ item }}" + regexp: '^account\s*(sufficient|required)\s*pam_faillock.so$' + line: "account required pam_faillock.so" + insertbefore: '^account\s*(sufficient|required)\s*pam_unix.so$' + loop: + - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" + - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" + notify: Apply_authselect + when: + - rhel9cis_rule_5_5_2 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.5.2 + +- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality" + block: + - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings" + ansible.builtin.lineinfile: + path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" + line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" + insertafter: '^password\s*requisite\s*pam_pwquality.so' + notify: Apply_authselect + + - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings" + ansible.builtin.lineinfile: + path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" + line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" + insertafter: '^password\s*requisite\s*pam_pwquality.so' + notify: Apply_authselect + when: + - rhel9cis_rule_5_5_3 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.5.3 + +- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt" + block: + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" + ansible.builtin.replace: + path: /etc/libuser.conf + regexp: '^crypt_style\s*=\s*.*$' + replace: 'crypt_style = sha512' + + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" + ansible.builtin.replace: + path: /etc/login.defs + regexp: '^ENCRYPT_METHOD.*' + replace: 'ENCRYPT_METHOD SHA512' + + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth" + ansible.builtin.replace: + path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth" + regexp: '^password\s*sufficient\s*pam_unix.so.*$' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' + notify: Apply_authselect + + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth" + ansible.builtin.replace: + path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" + regexp: '^password\s*sufficient\s*pam_unix.so.*$' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' + notify: Apply_authselect + when: + - rhel9cis_rule_5_5_4 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.5.4 diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index ed06b5a..be71ea5 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -20,9 +20,15 @@ ansible.builtin.import_tasks: file: cis_5.4.x.yml -- name: "SECTION | 5.5 | Configure PAM " +- name: "SECTION | 5.5 | Configure PAM | not authselect" ansible.builtin.import_tasks: file: cis_5.5.x.yml + when: not rhel9cis_authselect_custom_profile_select + +- name: "SECTION | 5.5 | Configure PAM | authselect" + ansible.builtin.import_tasks: + file: cis_5.5.x_authselect.yml + when: rhel9cis_authselect_custom_profile_select - name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters" ansible.builtin.import_tasks: From 5595097e78de1f9ffec08ad0f101960f5a717aaa Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 5 Jun 2024 09:52:51 +0100 Subject: [PATCH 09/13] Allowed force for command 5.4.2 Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 69eb090..638cc69 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -44,7 +44,7 @@ - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}" - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" - ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}" + ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force" when: rhel9cis_authselect_custom_profile_select - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile" From 20e29864068e9383d58ef62f15f4a4853a29679a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 5 Jun 2024 17:10:22 +0100 Subject: [PATCH 10/13] capture only configuratoin lines from rsyslog Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index a3f2a44..740f820 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -59,7 +59,7 @@ - name: "4.2.1.5 | PATCH | Ensure logging is configured" block: - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" - ansible.builtin.shell: cat /etc/rsyslog.conf + ansible.builtin.shell: cat /etc/rsyslog.conf | grep -Ev "^#|^$" changed_when: false failed_when: false check_mode: false From 49296c34a238675e358b0a6c4b6fbd5881beaf72 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 5 Jun 2024 17:11:17 +0100 Subject: [PATCH 11/13] tidy up spacing Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.5.x_authselect.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section_5/cis_5.5.x_authselect.yml b/tasks/section_5/cis_5.5.x_authselect.yml index 3188302..0d1811b 100644 --- a/tasks/section_5/cis_5.5.x_authselect.yml +++ b/tasks/section_5/cis_5.5.x_authselect.yml @@ -49,7 +49,7 @@ ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*preauth(.*)' - line: "auth required pam_faillock.so preauth silent audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}" + line: "auth required pam_faillock.so preauth silent audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}" insertafter: 'auth\s*(sufficient|required)\s*pam_env.so$' loop: - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" @@ -60,7 +60,7 @@ ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*authfail(.*)' - line: "auth required pam_faillock.so authfail audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}" + line: "auth required pam_faillock.so authfail audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}" insertbefore: 'auth\s*(sufficient|required)\s*pam_deny.so$' loop: - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" @@ -71,7 +71,7 @@ ansible.builtin.lineinfile: path: "{{ item }}" regexp: '^account\s*(sufficient|required)\s*pam_faillock.so$' - line: "account required pam_faillock.so" + line: "account required pam_faillock.so" insertbefore: '^account\s*(sufficient|required)\s*pam_unix.so$' loop: - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth" From 06e96ba7694ab93e9ba3973aba88261095840121 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 5 Jun 2024 23:57:18 +0100 Subject: [PATCH 12/13] improvements Signed-off-by: Mark Bolwell --- handlers/main.yml | 4 ++++ tasks/section_5/cis_5.4.x.yml | 30 +++++++++++++++++------------- 2 files changed, 21 insertions(+), 13 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index e0598e2..dd97fec 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -81,7 +81,11 @@ - name: Apply_authselect ansible.builtin.shell: authselect apply-changes + when: not rhel9cis_rule_5_4_2 +- name: Apply_authselect + ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force --backup=rhel9cis_commit_{{ ansible_date_time.epoch}}" + when: rhel9cis_rule_5_4_2 ## Auditd tasks note order for handlers to run - name: Auditd immutable check diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 638cc69..e463998 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -3,21 +3,25 @@ - name: "5.4.1 | PATCH | Ensure custom authselect profile is used" block: - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles" - ansible.builtin.shell: 'authselect current | grep "Profile ID: custom/"' + ansible.builtin.shell: 'authselect list | grep custom' failed_when: false changed_when: false check_mode: false - register: rhel9cis_5_4_1_profiles - - - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles" - ansible.builtin.debug: - msg: - - "Below are the current custom profiles" - - "{{ rhel9cis_5_4_1_profiles.stdout_lines }}" + register: rhel9cis_5_4_1_current_profile - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles" ansible.builtin.shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} - when: rhel9cis_authselect_custom_profile_create + when: + - rhel9cis_authselect_custom_profile_create + - "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout" + + - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Force custom profile creates backup" + ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} --force --backup=rhel9cis_5_4_1_{{ ansible_date_time.epoch}}" + register: authselect_5_4_1_select + when: + - rhel9cis_authselect_custom_profile_create + - "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout" + when: - rhel9cis_rule_5_4_1 tags: @@ -28,7 +32,7 @@ - authselect - rule_5.4.1 -- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | with auth select profile" +- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Get Authselect profile options" block: - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" ansible.builtin.shell: "authselect current | grep with-faillock" @@ -43,11 +47,11 @@ - "Below are the current custom profiles" - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}" - - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" + - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Authselect add options" ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force" when: rhel9cis_authselect_custom_profile_select - - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile" + - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile" ansible.builtin.lineinfile: path: "/etc/pam.d/password-auth" regexp: "{{ item.regexp }}" @@ -61,7 +65,7 @@ - rhel9cis_add_faillock_without_authselect - rhel9cis_5_4_2_risks == 'ACCEPT' - - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile" + - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile" ansible.builtin.lineinfile: path: "/etc/pam.d/system-auth" regexp: "{{ item.regexp }}" From eeb76e2a372f18b28a5a165d1f7de739adf88be8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 5 Jun 2024 23:58:06 +0100 Subject: [PATCH 13/13] updated Signed-off-by: Mark Bolwell --- Changelog.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Changelog.md b/Changelog.md index 04969f0..4bd1c86 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,13 @@ # Changes to rhel9CIS +## 1.1.6 - Based on CIS v1.0.0 + +- #190 - thanks to @ipruteanu-sie + - addressed requirements in PR with alternate method +- #191 - thanks to @numericillustration + - Addressed authselect for pam +- #193 thanks to brakkio86 + ## 1.1.5 - Based on CIS v1.0.0 - added new interactive user discoveries