diff --git a/.gitignore b/.gitignore
index f67408e..de8046f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,3 +46,6 @@ benchparse/
 # GitHub Action/Workflow files
 .github/
+
+# Precommit exclusions
+.ansible/
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 401d32e..4791982 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -41,12 +41,12 @@ repos:
 - id: detect-secrets
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.23.3
+ rev: v8.24.0
 hooks:
 - id: gitleaks
 - repo: https://github.com/ansible-community/ansible-lint
- rev: v25.1.2
+ rev: v25.1.3
 hooks:
 - id: ansible-lint
 name: Ansible-lint
diff --git a/README.md b/README.md
index a16287d..d3bf75a 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,7 @@
 ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues)
 ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success)
 ![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/RHEL9-CIS?label=Pull%20Requests)
+[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit)
 ![License](https://img.shields.io/github/license/ansible-lockdown/RHEL9-CIS?label=License)
diff --git a/defaults/main.yml b/defaults/main.yml
index 3f6202b..da5ca20 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -923,7 +923,7 @@ rhel9cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf
 # Options are: minclass or credits
 # ensure only one is selected
 rhel9cis_passwd_complex_option: minclass # pragma: allowlist secret
-rhel9cis_passwd_minclass: 3
+rhel9cis_passwd_minclass: 4
 # rhel9cis_passwd_complex: credits
 rhel9cis_passwd_dcredit: -1
 rhel9cis_passwd_ucredit: -2
@@ -1100,14 +1100,68 @@ rhel9cis_aide_cron: # ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging -## Control 6.2.3 | Configure rsyslog -## Control 6.2.1 | Configure journald -# This variable governs which logging service should be used, choosing between 'rsyslog'(CIS recommendation) -# or 'journald'(only one is implemented) will trigger the execution of the associated subsection, as the-best +## Controls 6.2.1.x | Configure systemd-journald service +## Controls 6.2.2.x | Configured journald +## Controls 6.2.3.x | Configure rsyslog + +# This variable governs which logging service should be used, choosing between 'rsyslog' +# or 'journald'(CIS recommendation) will trigger the execution of the associated subsection, as the-best # practices are written wholly independent of each other. rhel9cis_syslog: journald -## Control 6.2.2.x & 6.2.3.x - Ensure rsyslog is not configured to receive logs from a remote client +## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy +# Current variable configures the max amount of disk space the logs will use(thus, journal files +# will not grow without bounds) +# The variables below related to journald, please set these to your site specific values +# These variable specifies how much disk space the journal may use up at most +# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. +# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. +rhel9cis_journald_systemmaxuse: 10M +## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy +# Current variable configures the amount of disk space to keep free for other uses. +rhel9cis_journald_systemkeepfree: 100G +## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy +# This variable configures how much disk space the journal may use up at most. 
+# Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space. +rhel9cis_journald_runtimemaxuse: 10M +## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy +# This variable configures the actual amount of disk space to keep free +# Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space. +rhel9cis_journald_runtimekeepfree: 100G +## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy +# Current variable governs the settings for log retention(how long the log files will be kept). +# Thus, it specifies the maximum time to store entries in a single journal +# file before rotating to the next one. Set to 0 to turn off this feature. +# The given values is interpreted as seconds, unless suffixed with the units +# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds. +# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +# ATTENTION: Uncomment the keyword below when values are set! +rhel9cis_journald_maxfilesec: 1month + +## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured +# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to +# URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port +# number may be specified after a colon (":"), otherwise 19532 will be used by default. +rhel9cis_journal_upload_url: 192.168.50.42 +## The paths below have the default paths/files, but allow user to create custom paths/filenames + +## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured +# This variable specifies the path to the private key file used by the remote journal +# server to authenticate itself to the client. This key is used alongside the server's +# public certificate to establish secure communication. 
+rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" +## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured +# This variable specifies the path to the public certificate file of the remote journal +# server. This certificate is used to verify the authenticity of the remote server. +rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" +## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured +# This variable specifies the path to a file containing one or more public certificates +# of certificate authorities (CAs) that the client trusts. These trusted certificates are used +# to validate the authenticity of the remote server's certificate. +rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" +# ATTENTION: Uncomment the keyword below when values are set! + +# Control 6.2.3.x - Ensure rsyslog is not configured to receive logs from a remote client # This variable expresses whether the system is used as a log server or not. If set to: # - 'false', current system will act as a log CLIENT, thus it should NOT receive data from other hosts. # - 'true', current system will act as a log SERVER, enabling centralised log management(by protecting log integrity 
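Review bot: The two `# ATTENTION: Uncomment the keyword below when values are set!` comments point at nothing: one sits directly above `rhel9cis_journald_maxfilesec: 1month`, which is not commented out, and the other closes the journal-upload block with no keyword after it, so a reader cannot tell which setting they are meant to act on; either delete them or reword each to name the variable the site must override. Separately, `rhel9cis_journal_upload_url: 192.168.50.42` makes a concrete RFC 1918 address the default target for systemd-journal-upload; unless that is intentionally a placeholder, enabling 6.2.2.1.2 without overriding it configures hosts to push their journals toward an address the operator may not control, so an obviously invalid quoted default (constructed example: `rhel9cis_journal_upload_url: "CHANGEME"`) plus an assert in the 6.2.2.1.2 task that it was overridden would fail loudly instead. The comment on that variable also calls it 'the ip address' while the next line explains that a hostname or URL is accepted; `# Hostname, IP address or URL of the journal-remote server to upload to` would reconcile them.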
@@ -1155,57 +1209,25 @@ rhel9cis_remote_log_retrycount: 100 # of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true'). rhel9cis_remote_log_queuesize: 1000 -## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured -# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to -# URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port -# number may be specified after a colon (":"), otherwise 19532 will be used by default. -rhel9cis_journal_upload_url: 192.168.50.42 -## The paths below have the default paths/files, but allow user to create custom paths/filenames - -## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured -# This variable specifies the path to the private key file used by the remote journal -# server to authenticate itself to the client. This key is used alongside the server's -# public certificate to establish secure communication. -rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" -## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured -# This variable specifies the path to the public certificate file of the remote journal -# server. This certificate is used to verify the authenticity of the remote server. -rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" -## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured -# This variable specifies the path to a file containing one or more public certificates -# of certificate authorities (CAs) that the client trusts. These trusted certificates are used -# to validate the authenticity of the remote server's certificate. -rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" -# ATTENTION: Uncomment the keyword below when values are set! 
- -## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy -# Current variable configures the max amount of disk space the logs will use(thus, journal files -# will not grow without bounds) -# The variables below related to journald, please set these to your site specific values -# These variable specifies how much disk space the journal may use up at most -# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes. -# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information. -rhel9cis_journald_systemmaxuse: 10M -## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy -# Current variable configures the amount of disk space to keep free for other uses. -rhel9cis_journald_systemkeepfree: 100G -## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy -# This variable configures how much disk space the journal may use up at most. -# Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space. -rhel9cis_journald_runtimemaxuse: 10M -## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy -# This variable configures the actual amount of disk space to keep free -# Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space. -rhel9cis_journald_runtimekeepfree: 100G -## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy -# Current variable governs the settings for log retention(how long the log files will be kept). -# Thus, it specifies the maximum time to store entries in a single journal -# file before rotating to the next one. Set to 0 to turn off this feature. -# The given values is interpreted as seconds, unless suffixed with the units -# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds. 
-# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks -# ATTENTION: Uncomment the keyword below when values are set! -rhel9cis_journald_maxfilesec: 1month +## Control 6.2.3.8 rsyslog rotate +# This variable configures whether to set your own rsyslog logrotate setting alternate to logrotate default settings +# Please refer to logrotate options to match your site requirements +# This sets when to rotate +rhel9cis_rsyslog_logrotate_rotated_when: weekly +# This sets how many rotations of the file to keep +rhel9cis_rsyslog_logrotate_rotatation_keep: 4 +# This defines whether to set various options or not +# these are taken from logrotate options +# Setting +# true will carry out the setting. +# false will either set no/not or not add the option +rhel9cis_rsyslog_logrotate_compress: true +rhel9cis_rsyslog_logrotate_missingok: true +rhel9cis_rsyslog_logrotate_notifempty: true +rhel9cis_rsyslog_logrotate_create: true +# Extra options that can be added according to rsyslog documentation +# Uncomment and add the required options e.g. mode owner group +# rhel9cis_rsyslog_logrotate_create_opts: ## Control 6.3.2.1 - Ensure audit_backlog_limit is sufficient # This variable represents the audit backlog limit, i.e., the maximum number of audit records that the @@ -1303,3 +1325,8 @@ rhel9cis_suid_sgid_adjust: false ## Control 7.1.11 - Ensure no world writable files exist # Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable. rhel9cis_no_world_write_adjust: true + +## Control 7.2.9 +# This allows ansible to alter the dot files as per rule if found +# When set to true this will align with benchmark - can impact a running system if not tested sufficiently +rhel9cis_dotperm_ansiblemanaged: false diff --git a/handlers/main.yml b/handlers/main.yml index 3c51ddf..1a3b66e 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
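Review bot: The new variable name `rhel9cis_rsyslog_logrotate_rotatation_keep` carries a typo ('rotatation') that becomes part of the role's public interface as soon as users override it; the same spelling is used by the new rsyslog_log.j2 template in this commit, so both need to change together, e.g. `rhel9cis_rsyslog_logrotate_rotation_keep: 4`. The stanza header `# This variable configures whether to set your own rsyslog logrotate setting alternate to logrotate default settings` reads as though a boolean follows, but what follows is a logrotate schedule and a retention count; `# These variables define the logrotate schedule, retention and options written for rsyslog logs` would describe them. Since the previous names `rhel9cis_rsyslog_logrotate_rotated` and `rhel9cis_rsyslog_logrotate_keep` disappear here without a compatibility note, existing inventory overrides are silently ignored and hosts fall back to `weekly`/`4`; that deserves a changelog line.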
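Review bot: `rhel9cis_dotperm_ansiblemanaged: false` has no consumer anywhere in this diff, so unless a section 7.2.9 task outside this change reads it the variable is dead and the behaviour its comment promises never happens; if that task exists, naming it in the comment would help. The header `## Control 7.2.9` is also the only stanza here without the control title, unlike `## Control 7.1.11 - Ensure no world writable files exist` just above it, so the 7.2.9 title from the benchmark should be appended for consistency.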
@@ -144,6 +144,15 @@ state: remounted listen: "Remount /var/log/audit" +- name: "Remounting /boot/efi" + vars: + mount_point: '/boot/efi' + ansible.posix.mount: + path: "{{ mount_point }}" + state: remounted + notify: Change_requires_reboot + listen: "Remount /boot/efi" + - name: Reload sysctl ansible.builtin.command: sysctl --system changed_when: true diff --git a/tasks/main.yml b/tasks/main.yml index 2e5049c..a0a58f8 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -116,17 +116,11 @@ fail_msg: "You still have the default name for your authselect profile" - name: "Check authselect profile is selected | Check current profile" - ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}' + ansible.builtin.shell: authselect list changed_when: false failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ] register: prelim_authselect_current_profile - - name: "Check authselect profile is selected | Ensure profile name is set" - ansible.builtin.assert: - that: prelim_authselect_current_profile is defined - success_msg: "Authselect is running and profile is selected" - fail_msg: Authselect updates have been selected there are issues with profile selection" - - name: "Ensure root password is set" when: rhel9cis_rule_5_4_2_4 tags: diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index d422f14..d3534cd 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -29,7 +29,8 @@ - rule_1.4.2 - NIST800-53R5_AC-3 block: - - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" + - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | bios based system" + when: rhel9cis_legacy_boot ansible.builtin.file: path: "/boot/grub2/{{ item.path }}" owner: root 
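Review bot: `state: remounted` on /boot/efi will not by itself apply the `umask`/`fmask`/`uid`/`gid` options that 1.4.2 writes to fstab: as far as I recall the vfat remount path only honours the ro/rw flag and keeps the other options from the original mount, so the handler reports changed while the ESP permissions stay as they were until the next boot — presumably why it also notifies `Change_requires_reboot`. That dependency should be written down so nobody later removes the reboot notify as redundant, e.g. `# vfat ignores option changes on remount; new umask/fmask/uid/gid take effect at boot`. The `vars: mount_point` indirection is unnecessary for a single fixed path; `path: /boot/efi` reads more directly.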
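Review bot: The task is still named `Check current profile` and registers `prelim_authselect_current_profile`, but `authselect list` prints the catalogue of available profiles rather than the selected one, so the name now misdescribes the data; the only consumer in this diff, `when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout` in tasks/section_5/cis_5.3.2.x.yml, then runs a substring test against that listing, which treats a custom name that is a prefix of another listed profile (constructed example: `cis` beside an existing `cis-legacy`) as already present and never creates it. Matching whole names is safer, e.g. `when: prelim_authselect_current_profile.stdout is not search('custom/' ~ rhel9cis_authselect_custom_profile_name ~ '(\s|$)')`, assuming authselect lists custom profiles as `custom/NAME`; if the intent was really to know whether a profile is selected, `authselect current` should stay and `list` become a second task. Dropping the `is defined` assert is fine, since `register` always sets the variable.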
@@ -39,6 +40,31 @@ modification_time: preserve access_time: preserve loop: - - { path: 'grub.cfg', mode: '0700' } - - { path: 'grubenv', mode: 'go-rwx' } - - { path: 'user.cfg', mode: 'go-rwx' } + - { path: 'grub.cfg', mode: 'u-x,go-rwx' } + - { path: 'grubenv', mode: 'u-x,go-rwx' } + - { path: 'user.cfg', mode: 'u-x,go-rwx' } + + - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system" + when: not rhel9cis_legacy_boot + vars: + efi_mount_options: ['umask=0077', 'fmask=0077', 'uid=0', 'gid=0'] + block: + - name: "1.4.2 | AUDIT | Ensure permissions on bootloader config are configured | efi based system | capture current state" + ansible.builtin.shell: grep "^[^#;]" /etc/fstab | grep '/boot/efi' | awk -F" " '{print $4}' + changed_when: false + register: discovered_efi_fstab + + - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options" + when: item not in discovered_efi_fstab.stdout + ansible.builtin.set_fact: + efi_mount_opts_addition: "{{ efi_mount_opts_addition + ',' + item }}" + loop: "{{ efi_mount_options }}" + + - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Add mount options" + when: efi_mount_opts_addition | length > 0 + ansible.builtin.lineinfile: + path: /etc/fstab + regexp: (.*/boot/efi\s*\w*\s*){{ discovered_efi_fstab.stdout }}(.*) + line: \1{{ discovered_efi_fstab.stdout + efi_mount_opts_addition }}\2 + backrefs: true + notify: Remount /boot/efi diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index eadb9b5..5917019 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml 
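Review bot: `discovered_efi_fstab.stdout` is interpolated unescaped into `regexp: (.*/boot/efi\s*\w*\s*){{ discovered_efi_fstab.stdout }}(.*)` in the `Add mount options` task, so any regex metacharacter in the existing options field changes what the pattern matches; `{{ discovered_efi_fstab.stdout | regex_escape }}` keeps it literal. The `Build Options` task's `when: item not in discovered_efi_fstab.stdout` is a substring test, so an fstab that already carries an equivalent spelling such as `umask=077` still gets `umask=0077` appended and `uid=0` would be satisfied by a `uid=01`; comparing whole tokens, `when: item not in discovered_efi_fstab.stdout.split(',')`, avoids both. The shell capture also assumes exactly one uncommented `/boot/efi` line — with none (ESP mounted by a systemd unit instead of fstab) or two, `stdout` is empty or multi-line and the lineinfile regex silently misses or edits the wrong line, so an assert on `discovered_efi_fstab.stdout_lines | length == 1` before the edit would make that visible. The enclosing 1.4.2 block starts in the previous hunk.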
@@ -14,9 +14,7 @@ - rule_5.3.2.1 block: - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles" - when: - - rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or - prelim_authselect_current_profile.stdout is not defined + when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}" changed_when: false args: diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index ef15f1a..12390b3 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -190,7 +190,7 @@ regexp: \s*umask line: "umask {{ rhel9cis_root_umask }}" create: true - mode: 'u+x,go-rwx' + mode: 'u-x,go-rwx' - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" when: diff --git a/tasks/section_6/cis_6.2.2.1.x.yml b/tasks/section_6/cis_6.2.2.1.x.yml index 00e949b..945c2e4 100644 --- a/tasks/section_6/cis_6.2.2.1.x.yml +++ b/tasks/section_6/cis_6.2.2.1.x.yml @@ -17,7 +17,7 @@ name: systemd-journal-remote state: present -- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-remote authentication is configured" +- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-upload authentication is configured" when: - rhel9cis_rule_6_2_2_1_2 - not rhel9cis_system_is_log_server @@ -40,7 +40,7 @@ - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'} - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'} -- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled and active" +- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-upload is enabled and active" when: - not rhel9cis_system_is_log_server - rhel9cis_rule_6_2_2_1_3 
diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml
index 9333697..9d26acf 100644
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@@ -256,8 +256,8 @@
 - name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf"
 ansible.builtin.template:
- src: etc/logrotate.d/rsyslog.conf.j2
- dest: /etc/logrotate.d/rsyslog.conf
+ src: etc/logrotate.d/rsyslog_log.j2
+ dest: /etc/logrotate.d/rsyslog_log
 owner: root
 group: root
 mode: 'g-wx,o-rwx'
diff --git a/tasks/section_6/cis_6.2.4.1.yml b/tasks/section_6/cis_6.2.4.1.yml
index 814c46c..9e8b9b3 100644
--- a/tasks/section_6/cis_6.2.4.1.yml
+++ b/tasks/section_6/cis_6.2.4.1.yml
@@ -8,6 +8,8 @@
 - patch
 - logfiles
 - rule_6.2.4.1
+ - NIST800-53R5_AC-3
+ - NIST800-53R5_MP-2
 block:
 - name: "6.2.4.1 | AUDIT | Ensure access to all logfiles has been configured | find log files"
 ansible.builtin.shell: find /var/log/ -type f -exec ls {} \;
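Review bot: Changing `dest` to `/etc/logrotate.d/rsyslog_log` leaves the previously deployed `/etc/logrotate.d/rsyslog.conf` in place on hosts that ran an earlier version of this role, and both files then define a stanza for `/var/log/rsyslog/*.log`; logrotate treats that as a duplicate log entry and skips the second definition, so rotation of the rsyslog logs can silently stop on upgraded hosts and the log directory grows unbounded. A cleanup task before the template task closes that gap: `- name: "6.2.3.8 | PATCH | Ensure logrotate is configured | remove superseded rsyslog.conf"` with `ansible.builtin.file: path: /etc/logrotate.d/rsyslog.conf` and `state: absent`. The enclosing task list continues outside the hunk.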
@@ -15,43 +17,35 @@ failed_when: false register: discovered_logfiles - - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" + - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions SSSD min 660" when: - discovered_logfiles.stdout_lines | length > 0 - - ('audit.log' in item or 'journal' in item) or - item == '/var/log/secure' or - item == '/var/log/syslog' or - item == '/var/log/messages' or - item == '/var/log/auth.log' + - item is match("/var/log/(gdm|sssd)") ansible.builtin.file: path: "{{ item }}" - mode: 'u-x,g-wx,o-rwx' + mode: 'ug-x,o-rwx' failed_when: discovered_logfile_list.state not in '[ file, absent ]' register: discovered_logfile_list loop: "{{ discovered_logfiles.stdout_lines }}" - - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" + - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions tmp min 664" when: - discovered_logfiles.stdout_lines | length > 0 - - ('anaconda' in item or 'dnf' in item or 'secure' in item or 'messages' in item or 'hawkey' in item) - ansible.builtin.file: - path: "{{ item }}" - mode: 'u-x,g-x,o-rwx' - failed_when: discovered_logfile_list.state not in '[ file, absent ]' - register: discovered_logfile_list - loop: "{{ discovered_logfiles.stdout_lines }}" - - - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions" - when: - - discovered_logfiles.stdout_lines | length > 0 - - ('sssd' in item or 'lastlog' in item) or - item == "/var/log/btmp" or - item == "/var/log/utmp" or - item == "/var/log/wtmp" or - item == "/var/log/lastlog" + - item is match("/var/log/((u|b|w)tmp*|lastlog)") ansible.builtin.file: path: "{{ item }}" mode: 'ug-x,o-wx' failed_when: discovered_logfile_list.state not in '[ file, absent ]' register: discovered_logfile_list loop: "{{ discovered_logfiles.stdout_lines }}" + + - name: "6.2.4.1 | PATCH 
| Ensure access to all logfiles has been configured | change permissions else all 640" + when: + - discovered_logfiles.stdout_lines | length > 0 + - item is not match("/var/log/((u|b|w)tmp*|lastlog|sssd)") + ansible.builtin.file: + path: "{{ item }}" + mode: 'u-x,g-wx,o-rwx' + failed_when: discovered_logfile_list.state not in '[ file, absent ]' + register: discovered_logfile_list + loop: "{{ discovered_logfiles.stdout_lines }}" diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index a1909dc..dda7ee5 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -5,6 +5,7 @@ file: cis_6.1.x.yml - name: "SECTION | 6.2.1 | Configure systemd-journald service" + when: rhel9cis_syslog == 'journald' ansible.builtin.import_tasks: file: cis_6.2.1.x.yml diff --git a/tasks/section_7/cis_7.1.x.yml b/tasks/section_7/cis_7.1.x.yml index 83c83a0..b23fb89 100644 --- a/tasks/section_7/cis_7.1.x.yml +++ b/tasks/section_7/cis_7.1.x.yml @@ -169,6 +169,8 @@ owner: root group: root mode: 'u-x,go-wx' + failed_when: discovered_file_exists.state not in '[ file, absent ]' + register: discovered_file_exists - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured" when: diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index b9e632c..4d9c0d3 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -23,6 +23,7 @@ -w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file {% endif %} {% if rhel9cis_rule_6_3_3_4 %} +{% set syscalls = ["adjtimex","settimeofday"] %} {% set arch_syscalls = [] %} {% for syscall in syscalls %} {% if syscall in supported_syscalls %} 
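Review bot: The fallback task's exclusion `item is not match("/var/log/((u|b|w)tmp*|lastlog|sssd)")` does not list `gdm`, while the first task's `item is match("/var/log/(gdm|sssd)")` does, so every gdm log file is first set to `ug-x,o-rwx` and then tightened again to `u-x,g-wx,o-rwx` by the task labelled 'else all 640', undoing the 660 rule it was just given; `item is not match("/var/log/((u|b|w)tmp*|lastlog|sssd|gdm)")` keeps the two tasks disjoint. `tmp*` also means `tm` followed by any number of `p`, which is not what the name suggests; `(u|b|w)tmp` is sufficient since `match` only anchors at the start and rotated names such as `btmp-20240101` (constructed example) still match. The hunk starts in the previous line of this page; the enclosing block begins outside it.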
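Review bot: Gating the whole 6.2.1 import on `when: rhel9cis_syslog == 'journald'` skips every 6.2.1.x control when rsyslog is the preferred logger, yet journald normally keeps running and feeding rsyslog in that mode, so whichever of those controls concern the journald service itself rather than its role as primary logger stop being enforced on rsyslog hosts (the 6.2.1.x tasks are not in this diff, so I cannot tell how many that is). If only the journald-as-primary tasks should be skipped, the condition belongs on those tasks inside cis_6.2.1.x.yml; if skipping the section is intended, say so beside the condition, e.g. `# 6.2.1.x only applies when journald is the preferred logger (see rhel9cis_syslog)`.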
@@ -31,6 +32,15 @@
 {% endfor %}
 -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
 -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
+{% set syscalls = ["clock_settime"] %}
+{% set arch_syscalls = [] %}
+{% for syscall in syscalls %}
+{% if syscall in supported_syscalls %}
+{{ arch_syscalls.append(syscall) }}
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
+{% endif %}
+{% endfor %}
 -w /etc/localtime -p wa -k time-change
 {% endif %}
 {% if rhel9cis_rule_6_3_3_5 %}
@@ -41,8 +51,8 @@
 {{ arch_syscalls.append(syscall) }}
 {% endif %}
 {% endfor %}
--a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
--a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
+-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
+-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
@@ -169,7 +179,7 @@
 -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_6_3_3_17 %}
--a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k priv_chng
+-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
 {% endif %}
 {% if rhel9cis_rule_6_3_3_18 %}
 -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod
diff --git a/templates/etc/logrotate.d/rsyslog.conf.j2 b/templates/etc/logrotate.d/rsyslog.conf.j2
deleted file mode 100644
index 2423b24..0000000
--- a/templates/etc/logrotate.d/rsyslog.conf.j2
+++ /dev/null
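Review bot: The clock_settime block emits its two `-a always,exit` rules inside the `{% if syscall in supported_syscalls %}` body, whereas the adjtimex/settimeofday block above collects into `arch_syscalls` and writes its rules after `{% endfor %}`; with a one-element list the output is correct, and placing the rules inside the guard avoids the empty `-S` the surrounding blocks would emit if nothing were supported, but the different shape reads as accidental and invites a later 'tidy-up'. A one-line comment would settle it, e.g. `{# rules are emitted inside the guard so no rule is written when clock_settime is unsupported #}`. The `-F a0=0x0` filter restricts the rule to the first argument being 0 (CLOCK_REALTIME), which is the reason this syscall needs its own block; `{# a0=0x0 limits clock_settime to CLOCK_REALTIME per 6.3.3.4 #}` would record that. The `--a`/`+-a` pairs in the system-locale hunk below are byte-identical in this view, so that change is presumably whitespace-only.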
@@ -1,11 +0,0 @@
-/var/log/rsyslog/*.log {
- {{ rhel9cis_rsyslog_logrotate_rotated }}
- rotate {{ rhel9cis_rsyslog_logrotate_keep }}
- {% if rhel9cis_rsyslog_logrotate_compress %}compress{% else %}nocompress{% endif %}
- {% if rhel9cis_rsyslog_logrotate_missingok %}missingok{% else %}missingok{% endif %}
- {% if rhel9cis_rsyslog_logrotate_notifempty %}notifempty{% else %}ifempty{% endif %}
- {% if rhel9cis_rsyslog_logrotate_create %}create {{ rhel9cis_rsyslog_logrotate_create_opts }}{% endif %}
- postrotate
- /usr/bin/systemctl reload rsyslog.service >/dev/null || true
- endscript
-}
diff --git a/templates/etc/logrotate.d/rsyslog_log.j2 b/templates/etc/logrotate.d/rsyslog_log.j2
new file mode 100644
index 0000000..8acb53e
--- /dev/null
+++ b/templates/etc/logrotate.d/rsyslog_log.j2
@@ -0,0 +1,26 @@
+/var/log/rsyslog/*.log {
+ {{ rhel9cis_rsyslog_logrotate_rotated_when }}
+ rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }}
+{% if rhel9cis_rsyslog_logrotate_compress %}
+ compress
+{% else %}
+ nocompress
+{% endif %}
+{% if rhel9cis_rsyslog_logrotate_missingok %}
+ missingok
+{% else %}
+ nomissingok
+{% endif %}
+{% if rhel9cis_rsyslog_logrotate_notifempty %}
+ notifempty
+{% else %}
+ ifempty
+{% endif %}
+{% if rhel9cis_rsyslog_logrotate_create %}
+ create{% if rhel9cis_rsyslog_logrotate_create_opts is defined %} {{ rhel9cis_rsyslog_logrotate_create_opts }}{% endif %}
+{% endif %}
+
+ postrotate
+ /usr/bin/systemctl reload rsyslog.service >/dev/null || true
+ endscript
+}
diff --git a/vars/main.yml b/vars/main.yml
index c1d0fb3..cdca90d 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -22,6 +22,9 @@ rhel9cis_allowed_crypto_policies_modules:
 warn_control_list: ""
 warn_count: 0
+# Default empty values for 1.4.2
+efi_mount_opts_addition: ''
+
 gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
 ## Controls 6.3.3.x - Audit template
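Review bot: `{{ rhel9cis_rsyslog_logrotate_rotated_when }}` and `rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }}` are written into the stanza unvalidated; a mistyped schedule or a non-integer count makes logrotate reject this file at parse time, after which the rsyslog logs quietly stop rotating with nothing in the play to show it. An `ansible.builtin.assert` in the 6.2.3.8 task checking `rhel9cis_rsyslog_logrotate_rotated_when in ['daily', 'weekly', 'monthly', 'yearly']` and `rhel9cis_rsyslog_logrotate_rotatation_keep | int >= 1` before the template is deployed would catch that (logrotate also accepts `hourly`; widen the list if the role wants to allow it). A header comment in the template naming the variables it expects, including the optional `rhel9cis_rsyslog_logrotate_create_opts`, would also spare readers a trip to defaults/main.yml.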
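Review bot: `efi_mount_opts_addition: ''` is a role var, but the 1.4.2 task in this commit accumulates into it with `set_fact`, which outranks role vars and persists for the host for the rest of the playbook run; a second pass over 1.4.2 in the same run therefore starts from the previously built string instead of `''`, passes the `efi_mount_opts_addition | length > 0` gate and appends the same options to /etc/fstab again. Resetting it explicitly at the top of the efi block (`ansible.builtin.set_fact:` with `efi_mount_opts_addition: ''`) avoids that and keeps the initial value next to the code that depends on it; the comment here could then say `# Seed value for 1.4.2; the task resets and rebuilds it each run`.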