sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

updated 1.4.2 thanks to @brent-bean #300

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2025-02-26 11:01:35 +00:00
parent 5c919fb19d
commit 40078515fe
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
3 changed files with 48 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

9
handlers/main.yml
View file

@ -144,6 +144,15 @@
state: remounted state: remounted
listen: "Remount /var/log/audit" listen: "Remount /var/log/audit"
- name: "Remounting /boot/efi"
vars:
mount_point: '/boot/efi'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
notify: Change_requires_reboot
listen: "Remount /boot/efi"
- name: Reload sysctl - name: Reload sysctl
ansible.builtin.command: sysctl --system ansible.builtin.command: sysctl --system
changed_when: true changed_when: true

40
tasks/section_1/cis_1.4.x.yml
View file

@ -29,7 +29,8 @@
- rule_1.4.2 - rule_1.4.2
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
block: block:
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | bios based system"
when: rhel9cis_legacy_boot
ansible.builtin.file: ansible.builtin.file:
path: "/boot/grub2/{{ item.path }}" path: "/boot/grub2/{{ item.path }}"
owner: root owner: root
@ -39,6 +40,37 @@
modification_time: preserve modification_time: preserve
access_time: preserve access_time: preserve
loop: loop:
- { path: 'grub.cfg', mode: '0700' } - { path: 'grub.cfg', mode: 'u-x,go-rwx' }
- { path: 'grubenv', mode: 'go-rwx' } - { path: 'grubenv', mode: 'u-x,go-rwx' }
- { path: 'user.cfg', mode: 'go-rwx' } - { path: 'user.cfg', mode: 'u-x,go-rwx' }
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system"
when: not rhel9cis_legacy_boot
vars:
efi_mount_options: ['umask=0077','fmask=0077','uid=0','gid=0']
block:
- name: "1.4.2 | AUDIT | Ensure permissions on bootloader config are configured | efi based system | capture current state"
ansible.builtin.shell: grep "^[^#;]" /etc/fstab | grep '/boot/efi' | cut -d ' ' -f4
changed_when: false
register: discovered_efi_fstab
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options"
when: item not in discovered_efi_fstab.stdout
ansible.builtin.set_fact:
efi_mount_opts_addition: "{{ efi_mount_opts_addition + item + ',' }}"
loop: "{{ efi_mount_options }}"
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Add mount options"
ansible.builtin.lineinfile:
path: /etc/fstab
regexp: (.*/boot/efi\s*\w*\s*){{ discovered_efi_fstab.stdout }}(.*)
line: \1{{ discovered_efi_fstab.stdout + efi_mount_opts_addition }}\2
backrefs: true
notify: Remount /boot/efi
- debug:
msg:
- "{{ discovered_efi_fstab.stdout }}"
- "{{ efi_mount_opts_addition }}"
- pause:

3
vars/main.yml
View file

@ -22,6 +22,9 @@ rhel9cis_allowed_crypto_policies_modules:
warn_control_list: "" warn_control_list: ""
warn_count: 0 warn_count: 0
# Default empty values for 1.4.2
efi_mount_opts_addition: ''
gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys" gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
## Controls 6.3.3.x - Audit template ## Controls 6.3.3.x - Audit template