Merge pull request #210 from ansible-lockdown/devel

Release to main
2024-06-10 12:49:41 +01:00 · 2024-06-10 12:49:41 +01:00 · 306eb59b88
commit 306eb59b88
parent 7661bc0963 f652ee449a
13 changed files with 217 additions and 32 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -30,20 +30,20 @@ repos:

 # Scan for passwords
 - repo: https://github.com/Yelp/detect-secrets
-  rev: v1.4.0
+  rev: v1.5.0
  hooks:
  - id: detect-secrets
    args: [ '--baseline', '.config/.secrets.baseline' ]
    exclude: .config/.gitleaks-report.json

 - repo: https://github.com/gitleaks/gitleaks
-  rev: v8.18.2
+  rev: v8.18.3
  hooks:
  - id: gitleaks
    args: ['--baseline-path', '.config/.gitleaks-report.json']

 - repo: https://github.com/ansible-community/ansible-lint
-  rev: v24.2.2
+  rev: v24.5.0
  hooks:
  - id: ansible-lint
    name: Ansible-lint
--- a/Changelog.md
+++ b/Changelog.md
@ -1,5 +1,13 @@
 # Changes to rhel9CIS

+## 1.1.6 - Based on CIS v1.0.0
+
+- #190 - thanks to @ipruteanu-sie
+  - addressed requirements in PR with alternate method
+- #191 - thanks to @numericillustration
+  - Addressed authselect for pam
+- #193 thanks to brakkio86
+
 ## 1.1.5 - Based on CIS v1.0.0

 - added new interactive user discoveries
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -403,7 +403,7 @@ rhel9cis_tmp_svc: false

 ## Control 1.2.1
 # For new systems that have not yet run update the gpg key is not yet imported
-# Setting to `true` will allow a test on the package and the foce the import of the key
+# Setting to `true` will allow a test on the package and force the import of the key
 rhel9cis_force_gpg_key_import: true

 ## Control 1.2.4
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -79,6 +79,13 @@
  ansible.builtin.systemd:
      daemon-reload: true

+- name: Apply_authselect
+  ansible.builtin.shell: authselect apply-changes
+  when: not rhel9cis_rule_5_4_2
+
+- name: Apply_authselect
+  ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force --backup=rhel9cis_commit_{{ ansible_date_time.epoch}}"
+  when: rhel9cis_rule_5_4_2
 ## Auditd tasks note order for handlers to run

 - name: Auditd immutable check
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -24,7 +24,7 @@
  tags:
      - always
  ansible.builtin.shell: >
-      grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $1 }'
+      grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }'
  changed_when: false
  register: discovered_interactive_usernames

--- a/tasks/section_2/cis_2.4.yml
+++ b/tasks/section_2/cis_2.4.yml
@ -10,7 +10,7 @@
        register: rhel9cis_2_4_services

      - name: "2.4 | AUDIT | Ensure nonessential services listening on the system are removed or masked | Get list of sockets"
-        ansible.builtin.shell: systemctl list-units --type=sockets
+        ansible.builtin.shell: systemctl list-units --type=socket
        changed_when: false
        failed_when: false
        check_mode: false
--- a/tasks/section_4/cis_4.2.1.x.yml
+++ b/tasks/section_4/cis_4.2.1.x.yml
@ -59,7 +59,7 @@
 - name: "4.2.1.5 | PATCH | Ensure logging is configured"
  block:
      - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
-        ansible.builtin.shell: cat /etc/rsyslog.conf
+        ansible.builtin.shell: cat /etc/rsyslog.conf | grep -Ev "^#|^$"
        changed_when: false
        failed_when: false
        check_mode: false
--- a/tasks/section_5/cis_5.4.x.yml
+++ b/tasks/section_5/cis_5.4.x.yml
@ -3,21 +3,25 @@
 - name: "5.4.1 | PATCH | Ensure custom authselect profile is used"
  block:
      - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles"
-        ansible.builtin.shell: 'authselect current | grep "Profile ID: custom/"'
+        ansible.builtin.shell: 'authselect list | grep custom'
        failed_when: false
        changed_when: false
        check_mode: false
-        register: rhel9cis_5_4_1_profiles
-
-      - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles"
-        ansible.builtin.debug:
-            msg:
-                - "Below are the current custom profiles"
-                - "{{ rhel9cis_5_4_1_profiles.stdout_lines }}"
+        register: rhel9cis_5_4_1_current_profile

      - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles"
        ansible.builtin.shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
-        when: rhel9cis_authselect_custom_profile_create
+        when:
+            - rhel9cis_authselect_custom_profile_create
+            - "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout"
+
+      - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Force custom profile creates backup"
+        ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} --force --backup=rhel9cis_5_4_1_{{ ansible_date_time.epoch}}"
+        register: authselect_5_4_1_select
+        when:
+            - rhel9cis_authselect_custom_profile_create
+            - "rhel9cis_authselect.custom_profile_name not in rhel9cis_5_4_1_current_profile.stdout"
+
  when:
      - rhel9cis_rule_5_4_1
  tags:
@ -28,7 +32,7 @@
      - authselect
      - rule_5.4.1

- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | with auth select profile"
+- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Get Authselect profile options"
  block:
      - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
        ansible.builtin.shell: "authselect current | grep with-faillock"
@ -43,11 +47,11 @@
                - "Below are the current custom profiles"
                - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}"

-      - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
-        ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }}  {{ rhel9cis_authselect['options'] }}"
+      - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Authselect add options"
+        ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force"
        when: rhel9cis_authselect_custom_profile_select

-      - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
+      - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/password-auth"
            regexp: "{{ item.regexp }}"
@ -61,7 +65,7 @@
            - rhel9cis_add_faillock_without_authselect
            - rhel9cis_5_4_2_risks == 'ACCEPT'

-      - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
+      - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not Authselect profile"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/system-auth"
            regexp: "{{ item.regexp }}"
--- a/tasks/section_5/cis_5.5.x.yml
+++ b/tasks/section_5/cis_5.5.x.yml
@ -11,14 +11,14 @@
            - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
            - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }

-      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
+      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/system-auth
            regexp: '^password\s*requisite\s*pam_pwquality.so'
            line: "password    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
            insertbefore: '^#?password ?'

-      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings"
+      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/password-auth
            regexp: '^password\s*requisite\s*pam_pwquality.so'
@ -42,6 +42,7 @@
        loop:
            - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }
            - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' }
+
      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
@ -51,6 +52,7 @@
        loop:
            - "/etc/pam.d/system-auth"
            - "/etc/pam.d/password-auth"
+
      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
@ -60,6 +62,7 @@
        loop:
            - "/etc/pam.d/system-auth"
            - "/etc/pam.d/password-auth"
+
      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
@ -78,10 +81,18 @@
      - rule_5.5.2

 - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
+  block:
+      - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/system-auth
            line: "password    requisite     pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
            insertafter: '^password\s*requisite\s*pam_pwquality.so'
+
+      - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings"
+        ansible.builtin.lineinfile:
+            path: /etc/pam.d/password-auth
+            line: "password    requisite     pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
+            insertafter: '^password\s*requisite\s*pam_pwquality.so'
  when:
      - rhel9cis_rule_5_5_3
  tags:
--- a/tasks/section_5/cis_5.5.x_authselect.yml
+++ b/tasks/section_5/cis_5.5.x_authselect.yml
@ -0,0 +1,144 @@
+---
+
+- name: "5.5.1 | PATCH | Ensure password creation requirements are configured"
+  block:
+      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings"
+        ansible.builtin.lineinfile:
+            path: /etc/security/pwquality.conf
+            regexp: ^{{ item.name }}
+            line: "{{ item.name }} = {{ item.value }}"
+        loop:
+            - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" }
+            - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" }
+
+      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings | not Authselect"
+        ansible.builtin.lineinfile:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            regexp: '^password\s*requisite\s*pam_pwquality.so'
+            line: "password    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
+            insertbefore: '^#?password ?'
+        notify: Apply_authselect
+
+      - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set password-auth retry settings | not Authselect"
+        ansible.builtin.lineinfile:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+            regexp: '^password\s*requisite\s*pam_pwquality.so'
+            line: "password    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
+            insertbefore: '^#?password ?'
+        notify: Apply_authselect
+  when:
+      - rhel9cis_rule_5_5_1
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.1
+
+- name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured"
+  block:
+      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set faillock.conf configs"
+        ansible.builtin.lineinfile:
+            path: /etc/security/faillock.conf
+            regexp: "{{ item.regexp }}"
+            line: "{{ item.line }}"
+        loop:
+            - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = {{ rhel9cis_pam_faillock.deny }}' }
+            - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = {{ rhel9cis_pam_faillock.unlock_time }}' }
+
+      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set preauth"
+        ansible.builtin.lineinfile:
+            path: "{{ item }}"
+            regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*preauth(.*)'
+            line: "auth         required     pam_faillock.so preauth silent audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
+            insertafter: 'auth\s*(sufficient|required)\s*pam_env.so$'
+        loop:
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+        notify: Apply_authselect
+
+      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Set authfail"
+        ansible.builtin.lineinfile:
+            path: "{{ item }}"
+            regexp: '^auth\s*(sufficient|required)\s*pam_faillock.so\s*authfail(.*)'
+            line: "auth         required     pam_faillock.so authfail audit deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time}}"
+            insertbefore: 'auth\s*(sufficient|required)\s*pam_deny.so$'
+        loop:
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+        notify: Apply_authselect
+
+      - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | Load account faillock.so"
+        ansible.builtin.lineinfile:
+            path: "{{ item }}"
+            regexp: '^account\s*(sufficient|required)\s*pam_faillock.so$'
+            line: "account     required     pam_faillock.so"
+            insertbefore: '^account\s*(sufficient|required)\s*pam_unix.so$'
+        loop:
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            - "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+        notify: Apply_authselect
+  when:
+      - rhel9cis_rule_5_5_2
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.2
+
+- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
+  block:
+      - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set system-auth remember Settings"
+        ansible.builtin.lineinfile:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            line: "password    requisite     pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
+            insertafter: '^password\s*requisite\s*pam_pwquality.so'
+        notify: Apply_authselect
+
+      - name: "5.5.3 | PATCH | Ensure password reuse is limited | Set password-auth remember Settings"
+        ansible.builtin.lineinfile:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+            line: "password    requisite     pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
+            insertafter: '^password\s*requisite\s*pam_pwquality.so'
+        notify: Apply_authselect
+  when:
+      - rhel9cis_rule_5_5_3
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.3
+
+- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 or yescrypt"
+  block:
+      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf"
+        ansible.builtin.replace:
+            path: /etc/libuser.conf
+            regexp: '^crypt_style\s*=\s*.*$'
+            replace: 'crypt_style = sha512'
+
+      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs"
+        ansible.builtin.replace:
+            path: /etc/login.defs
+            regexp: '^ENCRYPT_METHOD.*'
+            replace: 'ENCRYPT_METHOD SHA512'
+
+      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth"
+        ansible.builtin.replace:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth"
+            regexp: '^password\s*sufficient\s*pam_unix.so.*$'
+            replace: 'password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
+        notify: Apply_authselect
+
+      - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth"
+        ansible.builtin.replace:
+            path: "/etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth"
+            regexp: '^password\s*sufficient\s*pam_unix.so.*$'
+            replace: 'password    sufficient     pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
+        notify: Apply_authselect
+  when:
+      - rhel9cis_rule_5_5_4
+  tags:
+      - level1-server
+      - level1-workstation
+      - patch
+      - rule_5.5.4
--- a/tasks/section_5/cis_5.6.1.x.yml
+++ b/tasks/section_5/cis_5.6.1.x.yml
@ -116,6 +116,7 @@
      - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
        ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
        loop: "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}"
+        when: item in discovered_interactive_usernames.stdout
  when:
      - rhel9cis_rule_5_6_1_4
  tags:
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@ -16,6 +16,8 @@
            - item.uid < min_int_uid | int
            - item.shell != "/bin/false"
            - item.shell != "/usr/sbin/nologin"
+            - item.shell != "/sbin/nologin"
+            - item.shell != "/dev/null"
        loop_control:
            label: "{{ item.id }}"

@ -33,6 +35,8 @@
            - item.uid < min_int_uid | int
            - item.shell != "/bin/false"
            - item.shell != "/usr/sbin/nologin"
+            - item.shell != "/sbin/nologin"
+            - item.shell != "/dev/null"
        loop_control:
            label: "{{ item.id }}"
  when:
--- a/tasks/section_5/main.yml
+++ b/tasks/section_5/main.yml
@ -20,9 +20,15 @@
  ansible.builtin.import_tasks:
      file: cis_5.4.x.yml

- name: "SECTION | 5.5 | Configure PAM "
+- name: "SECTION | 5.5 | Configure PAM | not authselect"
  ansible.builtin.import_tasks:
      file: cis_5.5.x.yml
+  when: not rhel9cis_authselect_custom_profile_select
+
+- name: "SECTION | 5.5 | Configure PAM | authselect"
+  ansible.builtin.import_tasks:
+      file: cis_5.5.x_authselect.yml
+  when: rhel9cis_authselect_custom_profile_select

 - name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters"
  ansible.builtin.import_tasks: