From 40bc7aa0829344e9a5bd4df12b98a17607b4d0c6 Mon Sep 17 00:00:00 2001
From: uk-bolly
Date: Tue, 20 Feb 2024 15:43:43 +0000
Subject: [PATCH] Feb24 updates (#179)
* change logic thanks to @rjacobs1990 see #175
Signed-off-by: Mark Bolwell
* thanks to @ipruteani-sie #134
Signed-off-by: Mark Bolwell
* Thanks to @stwongst #125
Signed-off-by: Mark Bolwell
* thanks to @sgomez86 #146
Signed-off-by: Mark Bolwell
* Added updates from #115
Signed-off-by: Mark Bolwell
* removed rp_filter in post added in error
Signed-off-by: Mark Bolwell
* updated yamllint precommit
Signed-off-by: Mark Bolwell
* updated fqcn fo json_query
Signed-off-by: Mark Bolwell
* updated
Signed-off-by: Mark Bolwell
* fix typo for virt type query
Signed-off-by: Mark Bolwell
---------
Signed-off-by: Mark Bolwell
---
 .../workflows/devel_pipeline_validation.yml | 1 +
 .../workflows/main_pipeline_validation.yml | 1 +
 .pre-commit-config.yaml | 2 +-
 README.md | 4 ++--
 defaults/main.yml | 24 +------------------
 tasks/main.yml | 6 ++---
 tasks/post.yml | 13 ----------
 tasks/post_remediation_audit.yml | 2 +-
 tasks/pre_remediation_audit.yml | 2 +-
 tasks/prelim.yml | 2 +-
 tasks/section_4/cis_4.1.4.x.yml | 9 ++++---
 tasks/section_6/cis_6.1.x.yml | 8 +++----
 vars/main.yml | 2 +-
 13 files changed, 21 insertions(+), 55 deletions(-)
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml
index 9fbe7aa..64feef4 100644
--- a/.github/workflows/devel_pipeline_validation.yml
+++ b/.github/workflows/devel_pipeline_validation.yml
@@ -125,6 +125,7 @@ env:
 ANSIBLE_HOST_KEY_CHECKING: "false"
 ANSIBLE_DEPRECATION_WARNINGS: "false"
+ ANSIBLE_INJECT_FACT_VARS: "false"
 # Remove test system - User secrets to keep if necessary
diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
index 67ee9d9..cfa5801 100644
--- a/.github/workflows/main_pipeline_validation.yml
+++ b/.github/workflows/main_pipeline_validation.yml
@@ -114,6 +114,7 @@ env:
 ANSIBLE_HOST_KEY_CHECKING: "false"
 ANSIBLE_DEPRECATION_WARNINGS: "false"
+ ANSIBLE_INJECT_FACT_VARS: "false"
 # Remove test system - User secrets to keep if necessary
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ab43cdc..873f275 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -62,6 +62,6 @@ repos:
 - ansible-core>=2.10.1
 - repo: https://github.com/adrienverge/yamllint.git
- rev: v1.34.0 # or higher tag
+ rev: v1.35.1 # or higher tag
 hooks:
 - id: yamllint
diff --git a/README.md b/README.md
index 22bcd92..2ff1311 100644
--- a/README.md
+++ b/README.md
@@ -132,8 +132,8 @@ os_check: false
 - python-def (should be included in RHEL 9)
 - libselinux-python
 - pip packages
- - jmespath ( complete list found in requirements.txt)
-- collections found in collections/requirememnts.yml
+ - jmespath
+- collections found in collections/requirements.yml
 pre-commit is available if installed on your host for pull request testing.
diff --git a/defaults/main.yml b/defaults/main.yml
index 9e9cb4c..6cd15ce 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -424,21 +424,6 @@ rhel9cis_rule_6_2_16: true
 # These /tmp settings will include nosuid,nodev,noexec to conform to CIS standards.
 rhel9cis_tmp_svc: false
-## Control 1.1.9
-rhel9cis_allow_autofs: false
-
-## Control 1.2.1
-# This is the login information for your RedHat Subscription
-# DO NOT USE PLAIN TEXT PASSWORDS!!!!!
-# The intent here is to use a password utility like Ansible Vault here
-rhel9cis_rh_sub_user: user
-rhel9cis_rh_sub_password: password # pragma: allowlist secret
-
-## Control 1.2.2
-# Do you require rhnsd
-# RedHat Satellite Subscription items
-rhel9cis_rhnsd_required: false
-
 ## Control 1.2.4
 # When installing RHEL from authorized Red Hat source, RHEL will come with default YUM repository. NOT having a default YUM
 # repo ('rhel9cis_rhel_default_repo' set as 'false'), in conjunction with 'rhel9cis_rule_enable_repogpg' set as 'True', will enable the tasks
@@ -455,7 +440,7 @@ rhel9cis_rule_enable_repogpg: true
 # must be changed to a value that may be generated with this command 'grub2-mkpasswd-pbkdf2' and must comply with
 # this format: 'grub.pbkdf2.sha512...'
 rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' # pragma: allowlist secret
-rhel9cis_bootloader_password: random # pragma: allowlist secret
+
 ## Control 1.4.1
 # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
 rhel9cis_set_boot_pass: true
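Review bot: Dropping the `rhel9cis_allow_autofs`, `rhel9cis_rh_sub_user`, `rhel9cis_rh_sub_password` and `rhel9cis_rhnsd_required` defaults is only safe if no task, handler or template still reads them, and nothing in this patch removes such a consumer; a surviving reference would now abort the run with an undefined-variable error instead of silently using the old value. I'd grep `tasks/` and `templates/` for `rhel9cis_rh_sub_` and `rhel9cis_rhnsd_` before merging. If the subscription credentials are still consumed anywhere, document them in the README as required, vault-supplied variables with no default at all rather than reintroducing placeholder strings.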
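Review bot: After this hunk the only bootloader credential the role ships is the `rhel9cis_bootloader_password_hash` default on the context line above, a PBKDF2 hash anyone can read in this repository (the deleted line suggests its plaintext was simply `random`), and `rhel9cis_set_boot_pass` stays `true`, so a host converged with unchanged defaults gets a GRUB password that provides no real protection. The comment says the value must be changed but nothing visible enforces it; unless a task elsewhere already does, add a prelim `ansible.builtin.assert` guarded by `when: rhel9cis_set_boot_pass` whose condition is `rhel9cis_bootloader_password_hash != '<the shipped hash>'`, with a `fail_msg` pointing at `grub2-mkpasswd-pbkdf2`. Also confirm no task still references the removed `rhel9cis_bootloader_password`, which now resolves to undefined.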
@@ -781,11 +766,6 @@ rhel9cis_firewall: firewalld
 # to another zone): if there is no zone assigned to a connection, interface or source, only the default zone is used.
 rhel9cis_default_zone: public
-# These settings are added to demonstrate how this update can be done (eventually will require a new control)
-rhel9cis_firewalld_ports:
- - number: 80
- protocol: tcp
-
 ## Control 3.4.2.2 - Ensure at least one nftables table exists
 # This variable governs if a table will be automatically created in nftables. Without a table (no default one), nftables
 # will not filter network traffic, so if this variable is set to 'false' and no tables exist, an alarm will be triggered!
@@ -1230,8 +1210,6 @@ rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check
 # Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable.
 rhel9cis_no_world_write_adjust: true
-rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
-
 ## Control 6.2.16 - Ensure local interactive user dot files are not group or world writable
 # This boolean variable governs if current role should follow filesystem links for changes to
 # user home directory.
diff --git a/tasks/main.yml b/tasks/main.yml
index 40f49af..2d7aa57 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,7 +3,7 @@
 - name: Check OS version and family
 ansible.builtin.assert:
- that: (ansible_facts.distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
+ that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
 fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
 success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
 when:
@@ -66,7 +66,7 @@
 - name: Ensure root password is set
 block:
 - name: Ensure root password is set
- ansible.builtin.shell: passwd -S root | grep "Password set, SHA512 crypt"
+ ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
 changed_when: false
 register: root_passwd_set
@@ -102,7 +102,7 @@
 - system_is_container
 when:
 - ansible_connection == 'docker' or
- ansible_virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+ ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - container_discovery
 - always
diff --git a/tasks/post.yml b/tasks/post.yml
index 724611d..3f1f706 100644
--- a/tasks/post.yml
+++ b/tasks/post.yml
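Review bot: In the `Ensure root password is set` task the new pattern also matches `Password locked`, so a root account whose shadow entry is locked or never set (`!!`, the state of many fresh cloud images) now satisfies a task that is named, and presumably relied on later, as "password is set"; if a locked root is an accepted end state, rename the task and say so in a comment, otherwise keep only the `Password set` alternative. `egrep` is obsolescent in GNU grep and 3.8+ prints a warning to stderr on every run, so prefer `ansible.builtin.shell: passwd -S root | grep -E "Password set, SHA512 crypt|Password locked"`. Separately, if root's hash is not SHA-512 (RHEL 9's libxcrypt can produce yescrypt) `passwd -S` appears to print a different crypt description, so the check would fail even with a password set — worth confirming against a yescrypt hash. The `block:` wrapping this task continues past the hunk, so what a non-match does is not visible here.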
@@ -26,19 +26,6 @@
 - not system_is_container
 - "'procps-ng' in ansible_facts.packages"
-- name: POST | Update usr sysctl
- ansible.builtin.lineinfile:
- dest: /usr/lib/sysctl.d/50-default.conf
- regexp: "{{ item.regexp }}"
- line: "{{ item.line }}"
- loop:
- - { regexp: '^net.ipv4.conf.default.rp_filter', line: 'net.ipv4.conf.default.rp_filter = 1' }
- - { regexp: '^net.ipv4.conf.*.rp_filter', line: 'net.ipv4.conf.*.rp_filter = 1' }
- when:
- - rhel9cis_sysctl_update
- - not system_is_container
- - "'procps-ng' in ansible_facts.packages"
-
 - name: Flush handlers
 ansible.builtin.meta: flush_handlers
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
index eb01bc7..6bc5086 100644
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@@ -28,7 +28,7 @@
 - name: Capture post-audit result
 ansible.builtin.set_fact:
- post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
+ post_audit_summary: "{{ post_audit.stdout | from_json | community.general.json_query(summary) }}"
 vars:
 summary: summary."summary-line"
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index 49d1081..158c053 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -95,7 +95,7 @@
 - name: Pre Audit | Capture pre-audit result
 ansible.builtin.set_fact:
- pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
+ pre_audit_summary: "{{ pre_audit.stdout | from_json | community.general.json_query(summary) }}"
 vars:
 summary: summary."summary-line"
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index a564a29..4eee776 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -97,7 +97,7 @@
 - name: "PRELIM | Section 1.1 | Create list of mount points"
 ansible.builtin.set_fact:
- mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}"
+ mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}"
 tags:
 - level1-server
 - level1-workstation
diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml
index 60b4e9b..7d683cf 100644
--- a/tasks/section_4/cis_4.1.4.x.yml
+++ b/tasks/section_4/cis_4.1.4.x.yml
@@ -64,12 +64,11 @@
 - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
 ansible.builtin.file:
 path: "{{ item.path }}"
- mode: '0640'
- loop: "{{ auditd_conf_files.files }}"
+ mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
+ loop: "{{ auditd_conf_files.files | default([]) }}"
 loop_control:
 label: "{{ item.path }}"
 when:
- - item.mode != '06(0|4)0'
 - rhel9cis_rule_4_1_4_5
 tags:
 - level2-server
@@ -82,7 +81,7 @@
 ansible.builtin.file:
 path: "{{ item.path }}"
 owner: root
- loop: "{{ auditd_conf_files.files }}"
+ loop: "{{ auditd_conf_files.files | default([]) }}"
 loop_control:
 label: "{{ item.path }}"
 when:
@@ -98,7 +97,7 @@
 ansible.builtin.file:
 path: "{{ item.path }}"
 group: root
- loop: "{{ auditd_conf_files.files }}"
+ loop: "{{ auditd_conf_files.files | default([]) }}"
 loop_control:
 label: "{{ item.path }}"
 when:
diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml
index f7c33cc..84df13e 100644
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
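Review bot: The new `mode` expression in 4.1.4.5 sets every file that is not exactly `0600` to `0640`, so a configuration file that is already tighter (`0400`, `0440`, `0000`) gets loosened, which is the opposite of "640 or more restrictive". The CIS remediation is a bit-removing chmod and `ansible.builtin.file` accepts that form directly: `mode: 'u-x,g-wx,o-rwx'` never grants a permission, needs no per-item conditional, and reports changed only for files that were actually too permissive. If you prefer an explicit value instead, compare `item.mode` (a four-character string from `find`) against the full set of acceptable modes rather than `'0600'` alone. Dropping the `item.mode != '06(0|4)0'` guard is right, since it was a literal string comparison that never matched, and `default([])` on the loop is fine.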
@@ -173,7 +173,7 @@
 - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories"
 ansible.builtin.debug:
- msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
+ msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit | community.general.json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
 when: rhel_09_6_1_10_unowned_files_found
 - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning"
@@ -220,7 +220,7 @@
 - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories"
 ansible.builtin.debug:
- msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
+ msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit | community.general.json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
 when: rhel_09_6_1_11_ungrouped_files_found
 - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
@@ -277,7 +277,7 @@
 - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist"
 ansible.builtin.debug:
- msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
+ msg: "Warning!! SUID set on items in {{ rhel_09_6_1_13_suid_perms | community.general.json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
 when: rhel9_6_1_13_suid_found
 - name: "6.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist | warning"
@@ -320,7 +320,7 @@
 - name: "6.1.14 | AUDIT | Audit SGID executables | Alert SGID executables exist"
 ansible.builtin.debug:
- msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
+ msg: "Warning!! SGID set on items in {{ rhel_09_6_1_14_sgid_perms | community.general.json_query('results[*].stdout_lines[*]') | flatten }}" # noqa jinja[invalid]
 when: rhel9_6_1_14_sgid_found
 - name: "6.1.14 | AUDIT | Audit SGID executables| warning"
diff --git a/vars/main.yml b/vars/main.yml
index 022c230..6f73a63 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -16,4 +16,4 @@ rhel9cis_allowed_crypto_policies_modules:
 warn_control_list: ""
 warn_count: 0
-gpg_key_package: "{{ ansible_distribution | lower }}-gpg-keys"
+gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"