section 2 updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-07-23 08:20:09 +01:00 · 2024-07-23 08:20:09 +01:00 · 3a027af304
commit 3a027af304
parent a53569a474
1 changed files with 89 additions and 163 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -28,7 +28,7 @@ os_check: true
 # E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true.
 # If you do not want the tasks from that section to get executed you simply set the variable to "false".
 rhel9cis_section1: true
-rhel9cis_section2: false
+rhel9cis_section2: true
 rhel9cis_section3: false
 rhel9cis_section4: false
 rhel9cis_section5: false
@ -229,31 +229,54 @@ rhel9cis_rule_1_8_9: true
 rhel9cis_rule_1_8_10: true

 # Section 2 rules are controling Services (Special Purpose Services, and service clients)
+## Configure Server Services
 rhel9cis_rule_2_1_1: true
 rhel9cis_rule_2_1_2: true
+rhel9cis_rule_2_1_3: true
+rhel9cis_rule_2_1_4: true
+rhel9cis_rule_2_1_5: true
+rhel9cis_rule_2_1_6: true
+rhel9cis_rule_2_1_7: true
+rhel9cis_rule_2_1_8: true
+rhel9cis_rule_2_1_9: true
+rhel9cis_rule_2_1_10: true
+rhel9cis_rule_2_1_11: true
+rhel9cis_rule_2_1_12: true
+rhel9cis_rule_2_1_13: true
+rhel9cis_rule_2_1_14: true
+rhel9cis_rule_2_1_15: true
+rhel9cis_rule_2_1_16: true
+rhel9cis_rule_2_1_17: true
+rhel9cis_rule_2_1_18: true
+rhel9cis_rule_2_1_19: true
+rhel9cis_rule_2_1_20: true
+rhel9cis_rule_2_1_21: true
+rhel9cis_rule_2_1_22: true
+
+## Configure Client Services
 rhel9cis_rule_2_2_1: true
 rhel9cis_rule_2_2_2: true
 rhel9cis_rule_2_2_3: true
 rhel9cis_rule_2_2_4: true
 rhel9cis_rule_2_2_5: true
-rhel9cis_rule_2_2_6: true
-rhel9cis_rule_2_2_7: true
-rhel9cis_rule_2_2_8: true
-rhel9cis_rule_2_2_9: true
-rhel9cis_rule_2_2_10: true
-rhel9cis_rule_2_2_11: true
-rhel9cis_rule_2_2_12: true
-rhel9cis_rule_2_2_13: true
-rhel9cis_rule_2_2_14: true
-rhel9cis_rule_2_2_15: true
-rhel9cis_rule_2_2_16: true
-rhel9cis_rule_2_2_17: true
-rhel9cis_rule_2_2_18: true
+
+## Configure Time Synchronization
 rhel9cis_rule_2_3_1: true
 rhel9cis_rule_2_3_2: true
 rhel9cis_rule_2_3_3: true
-rhel9cis_rule_2_3_4: true
-rhel9cis_rule_2_4: true
+
+## Job Schedulers
+### cron
+rhel9cis_rule_2_4_1_1: true
+rhel9cis_rule_2_4_1_2: true
+rhel9cis_rule_2_4_1_3: true
+rhel9cis_rule_2_4_1_4: true
+rhel9cis_rule_2_4_1_5: true
+rhel9cis_rule_2_4_1_6: true
+rhel9cis_rule_2_4_1_7: true
+rhel9cis_rule_2_4_1_8: true
+### at
+rhel9cis_rule_2_4_2_1: true

 # Section 3 rules are used for securely configuring the network configuration(kernel params, ACL, Firewall settings)
 rhel9cis_rule_3_1_1: true
@ -562,6 +585,9 @@ rhel9cis_selinux_enforce: enforcing

 # Whether or not to run tasks related to auditing/patching the desktop environment

+
+## 1.8 GDM graphical interface
+rhel9cis_gui: false
 ## Section 2. Services

 ## Section 2.1 Time Synchronization
@ -597,162 +623,62 @@ rhel9cis_chrony_server_makestep: "1.0 3"
 # improve the reliability, because multiple sources will need to correspond with each other.
 rhel9cis_chrony_server_minsources: 2

-## Section 2.2 Special Purposes
-# Service configuration variables (boolean).
-# Set the respective variable to true to keep the service,
-# otherwise the service is stopped and disabled
-
-## Control 1.8.10-10, 2.2.1
-# This variable governs whether rules dealing with GUI specific packages(and/or their settings) should
-# be executed either to:
-# - secure GDM, if GUI is needed('rhel9cis_gui: true')
-# - or remove GDM and X-Windows-system, if no GUI is needed('rhel9cis_gui: false')
-rhel9cis_gui: false
-## Control 2.2.2 - Ensure Avahi Server is not installed
-# This variable, when set to false, will specify that Avahi Server packages should be uninstalled.
+# Service configuration
+# Options are
+# true to leave installed if exists not changes take place
+# false - this removes the package
+# mask - if a dependancy for product so cannot be removed
+# Server Services
+rhel9cis_autofs_services: false
+rhel9cis_autofs_mask: true
 rhel9cis_avahi_server: false
-## Control 2.2.3 -  Ensure CUPS is not installed
-# This variable, when set to false, will specify that CUPS(Common UNIX Printing System) package should be uninstalled.
-rhel9cis_cups_server: false
-## Control 2.2.4 - Ensure DHCP Server is not installed
-# This variable, when set to false, will specify that DHCP server package should be uninstalled.
+rhel9cis_avahi_mask: false
 rhel9cis_dhcp_server: false
-## Control 2.2.5 - Ensure DNS Server is not installed
-# This variable, when set to false, will specify that DNS server package should be uninstalled.
+rhel9cis_dhcp_mask: false
 rhel9cis_dns_server: false
-## Control 2.2.14 - Ensure dnsmasq is not installed
-# This variable, when set to false, will specify that dnsmasq package should be uninstalled.
+rhel9cis_dns_mask: false
 rhel9cis_dnsmasq_server: false
-## Control 2.2.6 - Ensure VSFTP Server is not installed
-# This variable, when set to false, will specify that VSFTP server package should be uninstalled.
-rhel9cis_vsftpd_server: false
-## Control 2.2.7 - Ensure TFTP Server is not installed
-# This variable, when set to false, will specify that TFTP server package should be uninstalled.
-rhel9cis_tftp_server: false
-## Control 2.2.8 - Ensure a web server is not installed - HTTPD
-# This variable, when set to false, will specify that webserver packages(HTTPD) should be uninstalled.
-rhel9cis_httpd_server: false
-## Control 2.2.8 - Ensure a web server is not installed - NGINX
-# This variable, when set to false, will specify that webserver packages(NGINX) should be uninstalled.
-rhel9cis_nginx_server: false
-## Control 2.2.9 - Ensure IMAP and POP3 server is not installed - dovecot
-# This variable, when set to false, will specify that IMAP and POP3 servers(dovecot) should be uninstalled.
-rhel9cis_dovecot_server: false
-## Control 2.2.9 - Ensure IMAP and POP3 server is not installed - cyrus-imapd
-# This variable, when set to false, will specify that IMAP and POP3 servers(cyrus-imapd) should be uninstalled.
-rhel9cis_imap_server: false
-## Control 2.2.10 - Ensure Samba is not enabled
-# This variable, when set to false, will specify that 'samba' package should be uninstalled.
+rhel9cis_dnsmasq_mask: false
 rhel9cis_samba_server: false
-## Control 2.2.11 - Ensure HTTP Proxy Server is not installed
-# This variable, when set to false, will specify that 'squid' package should be uninstalled.
-rhel9cis_squid_server: false
-## Control 2.2.12 - Ensure net-snmp is not installed
-# This variable, when set to false, will specify that 'net-snmp' package should be uninstalled.
-rhel9cis_snmp_server: false
-## Control 2.2.13 - Ensure telnet-server is not installed
-# This variable, when set to false, will specify that 'telnet-server' package should be uninstalled.
+rhel9cis_samba_mask: false
+rhel9cis_ftp_server: false
+rhel9cis_ftp_mask: false
+rhel9cis_message_server: false  # This is for messaging dovecot and cyrus-imap
+rhel9cis_message_mask: false
+rhel9cis_nfs_server: true
+rhel9cis_nfs_mask: true
+rhel9cis_nis_server: true  # set to mask if nis client required
+rhel9cis_nis_mask: false
+rhel9cis_print_server: false  # replaces cups
+rhel9cis_print_mask: false
+rhel9cis_rpc_server: true
+rhel9cis_rpc_mask: true
+rhel9cis_rsync_server: false
+rhel9cis_rsync_mask: false
+rhel9cis_net_snmp_server: false
+rhel9cis_net_snmp_mask: false
 rhel9cis_telnet_server: false
-## Control 2.2.15 - Ensure mail transfer agent is configured for local-only mode
-# This variable, when system is NOT a mailserver, will configure Postfix to listen only on the loopback interface(the virtual
-# network interface that the server uses to communicate internally.
+rhel9cis_telnet_mask: false
+rhel9cis_tftp_server: false
+rhel9cis_tftp_mask: false
+rhel9cis_squid_server: false
+rhel9cis_squid_mask: false
+rhel9cis_httpd_server: false
+rhel9cis_httpd_mask: false
+rhel9cis_nginx_server: false
+rhel9cis_nginx_mask: false
+rhel9cis_xinetd_server: false
+rhel9cis_xinetd_mask: false
+rhel9cis_xwindow_server: false  # will remove mask not an option
 rhel9cis_is_mail_server: false

-# Note the options
-# Client package configuration variables.
-# Packages are used for client services and Server- only remove if you dont use the client service
-# Set the respective variable to `true` to keep the
-# client package, otherwise it is uninstalled (false).
-
-## Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked"
-# This variable specifies if the usage of NFS SERVER is needed. Execution of the rule which secures (by uninstalling or masking service)
-# NFS(if it's NOT needed) will depend on the var used in conjunction('rhel9cis_use_nfs_service') with current one, respectively:
-# - if Server IS NOT needed('false') and:
-#    - Service IS NOT needed('rhel9cis_use_nfs_service: false'): 'nfs-utils' package will be removed
-#    - Service IS needed('rhel9cis_use_nfs_service: true'): impossible to need the service without the server
-# - if Server IS needed('true') and:
-#    - Service IS NOT needed('rhel9cis_use_nfs_service: false'): 'nfs-server' service will be masked
-#    - Service IS needed('rhel9cis_use_nfs_service: true'): Rule will be SKIPPED.
-#  | Server  | Service | Result                                                    |
-#  |---------|---------|-----------------------------------------------------------|
-#  | false   | false   | Remove package                                            |
-#  | false   | true    | Needing 'service' without needing 'server' makes no sense |
-#  | true    | false   | Mask 'service'                                            |
-#  | true    | true    | SKIP RULE, BOTH 'service' and 'server' are required       |
-rhel9cis_use_nfs_server: false
-## Control 2.2.16 - Ensure nfs-utils is not installed or the nfs-server service is masked.
-# This variable specifies if the usage of NFS SERVICE is needed. If it's:
-#   - needed('true'): rule which uninstalls/masks-service WILL NOT be executed at all
-#   - not needed('false'): rule which uninstalls/masks-service WILL be executed, its behavior being
-#    controlled by the var used in conjunction with current one:
-#          - removing 'nfs-utils' package('rhel9cis_use_nfs_server' set to 'false')
-#          - masking the 'nfs-server' service('rhel9cis_use_nfs_server' set to 'true')
-rhel9cis_use_nfs_service: false
-
-## Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked
-# This variable specifies if the usage of RPC SERVER is needed. Execution of the rule which secures (by uninstalling or masking service)
-# RPC(if it's NOT needed) will depend on the var used in conjunction('rhel9cis_use_rpc_service') with current one, respectively:
-# - if Server IS NOT needed('false') and:
-#    - Service IS NOT needed('rhel9cis_use_rpc_service: false'): 'rpcbind' package will be removed
-#    - Service IS needed('rhel9cis_use_rpc_service: true'): impossible to need the service without the server
-# - if Server IS needed('true') and:
-#    - Service IS NOT needed('rhel9cis_use_rpc_service: false'): 'rpcbind.socket' service will be masked
-#    - Service IS needed('rhel9cis_use_rpc_service: true'): Rule will be SKIPPED.
-#  | Server  | Service | Result                                                    |
-#  |---------|---------|-----------------------------------------------------------|
-#  | false   | false   | Remove package                                            |
-#  | false   | true    | Needing 'service' without needing 'server' makes no sense |
-#  | true    | false   | Mask 'service'                                            |
-#  | true    | true    | SKIP RULE, BOTH 'service' and 'server' are required       |
-rhel9cis_use_rpc_server: false
-## Control 2.2.17 - Ensure rpcbind is not installed or the rpcbind services are masked
-# This variable specifies if the usage of RPC SERVICE is needed. If it's:
-#   - needed('true'): rule which uninstalls/masks-service WILL NOT be executed at all
-#   - not needed('false'): rule which uninstalls/masks-service WILL be executed, its behavior being controlled by the var
-#     used in conjunction with current one:
-#          - removing 'rpcbind' package('rhel9cis_use_rpc_server' set to 'false')
-#          - masking the 'rpcbind.socket' service('rhel9cis_use_rpc_server' set to 'true')
-rhel9cis_use_rpc_service: false
-
-## Control 2.2.18 - Ensure rsync service is not enabled
-# This variable specifies if the usage of RSYNC SERVER is needed. Execution of the rule which secures (by uninstalling or masking service)
-# RSYNC(if it's NOT needed) will depend on the var used in conjunction('rhel9cis_use_rsync_service') with current one, respectively:
-# - if Server IS NOT needed('false') and:
-#    - Service IS NOT needed('rhel9cis_use_rsync_service: false'): 'rsync-daemon' package will be removed
-#    - Service IS needed('rhel9cis_use_rsync_service: true'): impossible to need the service without the server
-# - if Server IS needed('true') and:
-#    - Service IS NOT needed('rhel9cis_use_rsync_service: false'): 'rsyncd' service will be masked
-#    - Service IS needed('rhel9cis_use_rsync_service: true'): Rule will be SKIPPED.
-#  | Server  | Service | Result                                                    |
-#  |---------|---------|-----------------------------------------------------------|
-#  | false   | false   | Remove package                                            |
-#  | false   | true    | Needing 'service' without needing 'server' makes no sense |
-#  | true    | false   | Mask 'service'                                            |
-#  | true    | true    | SKIP RULE, BOTH 'service' and 'server' are required       |
-rhel9cis_use_rsync_server: false
-## Control 2.2.18 - Ensure rsync service is not enabled
-# This variable specifies if the usage of RSYNC SERVICE is needed. If it's:
-#   - needed('true'): rule which uninstalls/masks-service WILL NOT be executed at all
-#   - not needed('false'): rule which uninstalls/masks-service WILL be executed, its behavior being controlled by the var
-#     used in conjunction with current one:
-#          - removing 'rsync-daemon' package('rhel9cis_use_rsync_server' set to 'false')
-#          - masking the 'rsyncd' service('rhel9cis_use_rsync_server' set to 'true')
-rhel9cis_use_rsync_service: false
-
 ## Section 2.3 Service clients

-## Control - 2.3.1 - Ensure telnet client is not installed
-# Set this variable to `true` to keep package `telnet`; otherwise, the package is uninstalled.
-rhel9cis_telnet_required: false
-## Control - 2.3.2 - Ensure LDAP client is not installed
-# Set this variable to `true` to keep package `openldap-clients`; otherwise, the package is uninstalled.
-rhel9cis_openldap_clients_required: false
-## Control - 2.3.3 - Ensure FTP client is not installed
-# Set this variable to `true` to keep package `tftp`; otherwise, the package is uninstalled.
-rhel9cis_tftp_client: false
-## Control - 2.3.4 - Ensure FTP client is not installed
-# Set this variable to `true` to keep package `ftp`; otherwise, the package is uninstalled.
 rhel9cis_ftp_client: false
+rhel9cis_openldap_clients_required: false
+rhel9cis_ypbind_required: false  # Same package as NIS server
+rhel9cis_telnet_required: false
+rhel9cis_tftp_client: false

 ## Section 3 vars
 ## Sysctl
@ -1113,7 +1039,7 @@ rhel9cis_pam_faillock:

 # UID settings for interactive users
 # These are discovered via logins.def if set true
-discover_int_uid: false
+rhel9cis_discover_int_uid: true
 ### Controls:
 # - 5.6.2 -  Ensure system accounts are secured
 # - 6.2.10 - Ensure local interactive user home directories exist
@ -1226,7 +1152,7 @@ rhel9cis_no_world_write_adjust: true
 # This boolean variable governs if current role should follow filesystem links for changes to
 # user home directory.
 rhel_09_6_2_16_home_follow_symlinks: false
-# thanks to @dulin-gnet and community for rhel8-cis feedback.
+# thanks to @dulin-gnet and community for rhel9-cis feedback.

 #### Goss Configuration Settings ####
 # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"