sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Merge pull request #381 from ansible-lockdown/August25_updates

Browse source 
August25 updates
This commit is contained in:
uk-bolly 2025-08-15 16:46:20 +01:00 committed by GitHub
commit 39c7dfa187
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 23 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.pre-commit-config.yaml
View file

@ -7,7 +7,7 @@ ci:
repos: repos:
- repo: https://github.com/pre-commit/pre-commit-hooks - repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0 rev: v6.0.0
hooks: hooks:
# Safety # Safety
- id: detect-aws-credentials - id: detect-aws-credentials

7
Changelog.md
View file

@ -1,5 +1,12 @@
# Changes to rhel9CIS # Changes to rhel9CIS
## 2.0.3 - Based on CIS v2.0.0
- addressed issue 371 thanks to @bgro and kodebach
- addressed issue 350 thanks to @chrispipo
- addressed issue 364 thanks to @polski-g
- pre-commit update
## 2.0.2 - Based on CIS v2.0.0 ## 2.0.2 - Based on CIS v2.0.0
- Update to audit_only to allow fetching results - Update to audit_only to allow fetching results

2
defaults/main.yml
View file

@ -617,6 +617,8 @@ rhel9cis_warning_banner: Authorized users only. All activity may be monitored an
# End Banner # End Banner
## Control 1.8.x - Settings for GDM ## Control 1.8.x - Settings for GDM
# do not run Control 1.8.x if using a display manager different than gdm
rhel10cis_display_manager: "gdm"
# This variable governs whether rules dealing with GUI specific packages(and/or their settings) should # This variable governs whether rules dealing with GUI specific packages(and/or their settings) should
# be executed either to: # be executed either to:
# - secure GDM, if GUI is needed('rhel9cis_gui: true') # - secure GDM, if GUI is needed('rhel9cis_gui: true')

15
tasks/main.yml
View file

@ -93,11 +93,14 @@
block: block:
- name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template] - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template]
ansible.builtin.assert: ansible.builtin.assert:
that: that: |
- prelim_ansible_user_password_set.stdout | length != 0 (
- prelim_ansible_user_password_set.stdout != "!!" ((prelim_ansible_user_password_set.stdout | length != 0) and (prelim_ansible_user_password_set.stdout != "!!" ))
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" or
success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" (ansible_env.SUDO_USER in rhel10cis_sudoers_exclude_nopasswd_list)
)
fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access"
success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4"
- name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template] - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template]
ansible.builtin.assert: ansible.builtin.assert:
@ -131,7 +134,7 @@
- rule_5.4.2.4 - rule_5.4.2.4
block: block:
- name: "Ensure root password is set" - name: "Ensure root password is set"
ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)" ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
changed_when: false changed_when: false
failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ] failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ]
register: prelim_root_passwd_set register: prelim_root_passwd_set

1
tasks/section_1/main.yml
View file

@ -61,5 +61,6 @@
file: cis_1.7.x.yml file: cis_1.7.x.yml
- name: "SECTION | 1.8 | Gnome Display Manager" - name: "SECTION | 1.8 | Gnome Display Manager"
when: rhel10cis_display_manager == 'gdm'
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: cis_1.8.x.yml file: cis_1.8.x.yml

4
tasks/section_5/cis_5.4.2.x.yml
View file

@ -139,7 +139,7 @@
ansible.builtin.stat: ansible.builtin.stat:
path: "{{ item }}" path: "{{ item }}"
loop: "{{ discovered_root_paths_split.stdout_lines }}" loop: "{{ discovered_root_paths_split.stdout_lines }}"
register: paths_stat register: discovered_root_paths_stat
- name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Create dirs for some paths that are not dirs" - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Create dirs for some paths that are not dirs"
ansible.builtin.file: ansible.builtin.file:
@ -148,7 +148,7 @@
owner: root owner: root
group: root group: root
mode: 'go-w' mode: 'go-w'
loop: "{{ paths_stat.results }}" loop: "{{ discovered_root_paths_stat.results }}"
when: not item.stat.exists when: not item.stat.exists
- name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs"

2
tasks/section_6/cis_6.2.3.x.yml
View file

@ -131,7 +131,7 @@
*.=warning;*.=err -/var/log/warn *.=warning;*.=err -/var/log/warn
*.crit /var/log/warn *.crit /var/log/warn
*.*;mail.none;news.none /var/log/messages *.*;mail.none;news.none /var/log/messages
insertafter: '#### RULES ####' insertbefore: '# ### sample forwarding rule ###'
notify: Restart rsyslog notify: Restart rsyslog
- name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings" - name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings"