From 440f1dfcd470dd2fa43e8d7078552917f269a837 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 13 Jan 2023 10:04:33 +0000 Subject: [PATCH] reorder and lint Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.x.yml | 527 +++++++++++++++++----------------- 1 file changed, 257 insertions(+), 270 deletions(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 235146e..a280cab 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -1,300 +1,311 @@ --- -- name: "6.2.1 | PATCH | Ensure password fields are not empty" - command: passwd -l {{ item }} +- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords" + block: + - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | discover" + ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd + register: shadow_passwd + + - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Output" + ansible.builtin.debug: + msg: | + - "Warning!! Below are the accounts that do not have shadowed passwords set" + - "{{ shadow_passwd.stdout_line }}" + when: shadow_passwd.stdout | length > 0 + + - name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.1' + when: shadow_passwd.stdout | length >= 1 + + when: + - rhel9cis_rule_6_2_1 + tags: + - level1-server + - level1-workstation + - patch + - accounts + - rule_6.2.1 + +- name: "6.2.2 | PATCH | Ensure password fields are not empty" + ansible.builtin.shell: passwd -l {{ item }} changed_when: false failed_when: false with_items: "{{ empty_password_accounts.stdout_lines }}" when: - empty_password_accounts.rc - - rhel9cis_rule_6_2_1 - tags: - - level1-server - - level1-workstation - - automated - - patch - - accounts - - rule_6.2.1 - - -- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" - block: - - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" - shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_6_2_2_passwd_gid_check - - - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" - debug: - msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: rhel9cis_6_2_2_passwd_gid_check.stdout | length == 0 - - - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" - debug: - msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" - when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1 - - - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.2.2' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1 - when: - rhel9cis_rule_6_2_2 tags: - level1-server - level1-workstation - automated + - patch + - accounts + - rule_6.2.2 + +- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" + block: + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" + ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_6_2_3_passwd_gid_check + + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" + ansible.builtin.debug: + msg: "Good News! There are no users that have non-existent GUIDs (Groups)" + when: rhel9cis_6_2_3_passwd_gid_check.stdout | length == 0 + + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" + ansible.builtin.debug: + msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" + when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 + + - name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.3' + when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1 + when: + - rhel9cis_rule_6_2_2 + tags: + - level1-server + - level1-workstation - audit - accounts - groups - rule_6.2.2 -- name: "6.2.3 | AUDIT Ensure no duplicate UIDs exist" +- name: "6.2.4 | AUDIT Ensure no duplicate UIDs exist" block: - - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" - shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" + - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" changed_when: false failed_when: false - register: rhel9cis_6_2_3_user_uid_check + register: rhel9cis_6_2_4_user_uid_check - - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" - debug: + - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" + ansible.builtin.debug: msg: "Good News! There are no duplicate UID's in the system" - when: rhel9cis_6_2_3_user_uid_check.stdout | length == 0 + when: rhel9cis_6_2_4_user_uid_check.stdout | length == 0 - - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" - debug: - msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" - when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1 - - - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.2.3' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1 - when: - - rhel9cis_rule_6_2_3 - tags: - - level1-server - - level1-workstation - - automated - - audit - - accounts - - users - - rule_6.2.3 - -- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist" - block: - - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" - shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" - changed_when: false - failed_when: false - register: rhel9cis_6_2_4_user_user_check - - - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" - debug: - msg: "Good News! There are no duplicate GIDs in the system" - when: rhel9cis_6_2_4_user_user_check.stdout | length == 0 - - - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" - debug: - msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" - when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1 - - - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.2.4' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1 + - name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" + ansible.builtin.debug: + msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}" + when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 + - name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.4' + when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_4 tags: - level1-server - level1-workstation - - automated - audit - accounts - - groups + - users - rule_6.2.4 -- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist" +- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist" block: - - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" - shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" + - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" changed_when: false failed_when: false - register: rhel9cis_6_2_5_user_username_check + register: rhel9cis_6_2_5_user_user_check - - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" - debug: - msg: "Good News! There are no duplicate user names in the system" - when: rhel9cis_6_2_5_user_username_check.stdout | length == 0 + - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" + ansible.builtin.debug: + msg: "Good News! There are no duplicate GIDs in the system" + when: rhel9cis_6_2_5_user_user_check.stdout | length == 0 - - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" - debug: - msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" - when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1 + - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" + ansible.builtin.debug: + msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_5_user_user_check.stdout_lines }}" + when: rhel9cis_6_2_5_user_user_check.stdout | length >= 1 + + - name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.5' + when: rhel9cis_6_2_5_user_user_check.stdout_lines | length >= 1 - - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.2.5' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_5 tags: - level1-server - level1-workstation - - automated - audit - accounts - - users + - groups - rule_6.2.5 -- name: "6.2.6 | AUDIT |Ensure no duplicate group names exist" +- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist" block: - - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" - shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' + - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" + ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" changed_when: false failed_when: false - check_mode: false - register: rhel9cis_6_2_6_group_group_check + register: rhel9cis_6_2_6_user_username_check - - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" - debug: - msg: "Good News! There are no duplicate group names in the system" - when: rhel9cis_6_2_6_group_group_check.stdout is defined + - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" + ansible.builtin.debug: + msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" + when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 - - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - debug: - msg: "Warning!! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" - when: rhel9cis_6_2_6_group_group_check.stdout is not defined - - - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | warning count" - set_fact: - control_number: "{{ control_number }} + [ 'rule_6.2.6' ]" - warn_count: "{{ warn_count | int + 1 }}" - when: rhel9cis_6_2_6_group_group_check.stdout is not defined + - name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.6' + when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1 when: - rhel9cis_rule_6_2_6 tags: - level1-server - level1-workstation - - automated - audit - accounts - - groups + - users - rule_6.2.6 -- name: "6.2.7 | PATCH | Ensure root PATH Integrity" +- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist" block: - - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine empty value" - shell: 'echo $PATH | grep ::' + - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" + ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' changed_when: false - failed_when: rhel9cis_6_2_7_path_colon.rc == 0 + failed_when: false check_mode: false - register: rhel9cis_6_2_7_path_colon + register: rhel9cis_6_2_7_group_group_check - - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determin colon end" - shell: 'echo $PATH | grep :$' - changed_when: false - failed_when: rhel9cis_6_2_7_path_colon_end.rc == 0 - check_mode: false - register: rhel9cis_6_2_7_path_colon_end + - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" + ansible.builtin.debug: + msg: "Warning!! The following group names are duplicates: {{ rhel9cis_6_2_7_group_group_check.stdout_lines }}" + when: rhel9cis_6_2_7_group_group_check.stdout is not defined - - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine dot in path" - shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" - changed_when: false - failed_when: '"." in rhel9cis_6_2_7_dot_in_path.stdout_lines' - check_mode: false - register: rhel9cis_6_2_7_dot_in_path - - - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" - debug: - msg: - - "The following paths have an empty value: {{ rhel9cis_6_2_7_path_colon.stdout_lines }}" - - "The following paths have colon end: {{ rhel9cis_6_2_7_path_colon_end.stdout_lines }}" - - "The following paths have a dot in the path: {{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}" - - - name: "6.2.7 | PATCH | Ensure root PATH Integrity | Determine rights and owner" - file: > - path='{{ item }}' - follow=yes - state=directory - owner=root - mode='o-w,g-w' - with_items: "{{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}" + - name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count" + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: '6.2.7' + when: rhel9cis_6_2_7_group_group_check.stdout is not defined when: - rhel9cis_rule_6_2_7 tags: - level1-server - level1-workstation - - automated - - patch - - paths + - audit + - accounts + - groups - rule_6.2.7 -- name: "6.2.8 | PATCH | Ensure root is the only UID 0 account" - command: passwd -l {{ item }} +- name: "6.2.8 | PATCH | Ensure root PATH Integrity" + block: + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determine empty value" + ansible.builtin.shell: 'echo $PATH | grep ::' + changed_when: false + failed_when: rhel9cis_6_2_8_path_colon.rc == 0 + check_mode: false + register: rhel9cis_6_2_8_path_colon + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determin colon end" + ansible.builtin.shell: 'echo $PATH | grep :$' + changed_when: false + failed_when: rhel9cis_6_2_8_path_colon_end.rc == 0 + check_mode: false + register: rhel9cis_6_2_8_path_colon_end + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determine dot in path" + ansible.builtin.shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" + changed_when: false + failed_when: '"." in rhel9cis_6_2_8_dot_in_path.stdout_lines' + check_mode: false + register: rhel9cis_6_2_8_dot_in_path + + - name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" + ansible.builtin.debug: + msg: + - "Warning!!" + - "The following paths have an empty value: {{ rhel9cis_6_2_8_path_colon.stdout_lines }}" + - "The following paths have colon end: {{ rhel9cis_6_2_8_path_colon_end.stdout_lines }}" + - "The following paths have a dot in the path: {{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" + + - name: "6.2.8 | PATCH | Ensure root PATH Integrity | Determine rights and owner" + ansible.builtin.file: > + path='{{ item }}' + follow=yes + state=directory + owner=root + mode='o-w,g-w' + with_items: "{{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}" + when: + - rhel9cis_rule_6_2_8 + tags: + - level1-server + - level1-workstation + - patch + - paths + - rule_6.2.8 + +- name: "6.2.9 | PATCH | Ensure root is the only UID 0 account" + ansible.builtin.shell: passwd -l {{ item }} changed_when: false failed_when: false with_items: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}" when: - rhel9cis_uid_zero_accounts_except_root.rc - - rhel9cis_rule_6_2_8 + - rhel9cis_rule_6_2_9 tags: - level1-server - level1-workstation - - automated - patch - accounts - users - - rule_6.2.8 + - rule_6.2.9 -- name: "6.2.9 | PATCH | Ensure all users' home directories exist" +- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" block: - - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" - stat: + - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" + ansible.builtin.stat: path: "{{ item }}" - register: rhel_08_6_2_9_audit + register: rhel_08_6_2_10_audit with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}" - - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" - command: find -H {{ item.0 | quote }} -not -type l -perm /027 + - name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist" + ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false - changed_when: rhel_08_6_2_9_patch_audit.stdout | length > 0 - register: rhel_08_6_2_9_patch_audit + changed_when: rhel_08_6_2_10_patch_audit.stdout | length > 0 + register: rhel_08_6_2_10_patch_audit when: - ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_10_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" - - name: "6.2.9 | PATCH | Ensure all users' home directories exist" - file: + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" + ansible.builtin.file: path: "{{ item.0 }}" recurse: true mode: a-st,g-w,o-rwx - register: rhel_08_6_2_9_patch + register: rhel_08_6_2_10_patch when: - not ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_10_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_10_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.9 | PATCH | Ensure all users' home directories exist" - acl: + - name: "6.2.10 | PATCH | Ensure local interactive user home directories exist" + ansible.posix.acl: path: "{{ item.0 }}" default: true state: present @@ -304,7 +315,7 @@ when: - not system_is_container with_nested: - - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | + - "{{ (ansible_check_mode | ternary(rhel_08_6_2_10_patch_audit, rhel_08_6_2_10_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - etype: group @@ -312,18 +323,16 @@ - etype: other mode: '0' when: - - rhel9cis_rule_6_2_9 + - rhel9cis_rule_6_2_10 tags: - level1-server - level1-workstation - - automated - patch - users - - rule_6.2.9 + - rule_6.2.10 - -- name: "6.2.10 | PATCH | Ensure users own their home directories" - file: +- name: "6.2.11 | PATCH | Ensure local interactive users own their home directories" + ansible.builtin.file: path: "{{ item.dir }}" owner: "{{ item.id }}" state: directory @@ -334,56 +343,54 @@ - item.uid >= min_int_uid | int - item.id != 'nobody' - (item.id != 'tss' and item.dir != '/dev/null') - - rhel9cis_rule_6_2_10 + - rhel9cis_rule_6_2_11 tags: - - skip_ansible_lint # settings found on 6_2_7 - level1-server - level1-workstation - - automated - patch - users - rule_6.2.10 -- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" +- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" block: - - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" - stat: + - name: "6.2.12 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive" + ansible.builtin.stat: path: "{{ item }}" with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}" - register: rhel_08_6_2_11_audit + register: rhel_08_6_2_12_audit - - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" - command: find -H {{ item.0 | quote }} -not -type l -perm /027 + - name: "6.2.12 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" + ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false - changed_when: rhel_08_6_2_11_patch_audit.stdout | length > 0 - register: rhel_08_6_2_11_patch_audit + changed_when: rhel_08_6_2_12_patch_audit.stdout | length > 0 + register: rhel_08_6_2_12_patch_audit when: - ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_12_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_12_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" - - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" - file: + - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" + ansible.builtin.file: path: "{{ item.0 }}" recurse: true mode: a-st,g-w,o-rwx - register: rhel_08_6_2_11_patch + register: rhel_08_6_2_12_patch when: - not ansible_check_mode - item.1.exists with_together: - - "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}" - - "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_12_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_12_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" - acl: + - name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive" + ansible.posix.acl: path: "{{ item.0 }}" default: true state: present @@ -393,75 +400,41 @@ when: - not system_is_container with_nested: - - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results | + - "{{ (ansible_check_mode | ternary(rhel_08_6_2_12_patch_audit, rhel_08_6_2_12_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - etype: group mode: rx - etype: other mode: '0' - when: - - rhel9cis_rule_6_2_11 - tags: - - level1-server - - level1-workstation - - automated - - patch - - users - - permissions - - rule_6.2.11 - -- name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable" - block: - - name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" - shell: find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w - changed_when: false - failed_when: false - register: rhel9cis_6_2_12_audit - - - name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" - debug: - msg: "Good news! We have not found any group or world-writable dot files on your sytem" - when: - - rhel9cis_6_2_12_audit.stdout is not defined - - - name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" - file: - path: '{{ item }}' - mode: go-w - with_items: "{{ rhel9cis_6_2_12_audit.stdout_lines }}" - when: - - rhel9cis_6_2_12_audit.stdout is defined - - rhel9cis_dotperm_ansiblemanaged when: - rhel9cis_rule_6_2_12 tags: - level1-server - level1-workstation - - automated - patch - users - permissions - rule_6.2.12 -- name: "6.2.13 | PATCH | Ensure users' .netrc Files are not group or world accessible" - command: /bin/true - changed_when: false - failed_when: false +- name: "6.2.13 | PATCH | Ensure no local interactive user has .netrc files" + ansible.builtin.file: + path: "~{{ item }}/.netrc" + state: absent + with_items: + - "{{ users.stdout_lines }}" when: - rhel9cis_rule_6_2_13 tags: - level1-server - level1-workstation - - automated - patch - users - permissions - - notimplemented - rule_6.2.13 -- name: "6.2.14 | PATCH | Ensure no users have .forward files" - file: +- name: "6.2.14 | PATCH | Ensure no local interactive user has .forward files" + ansible.builtin.file: path: "~{{ item }}/.forward" state: absent with_items: @@ -471,15 +444,14 @@ tags: - level1-server - level1-workstation - - automated - patch - users - files - rule_6.2.14 -- name: "6.2.15 | PATCH | Ensure no users have .netrc files" - file: - path: "~{{ item }}/.netrc" +- name: "6.2.15 | PATCH | Ensure no users have .rhosts files" + ansible.builtin.file: + path: "~{{ item }}/.rhosts" state: absent with_items: - "{{ users.stdout_lines }}" @@ -488,24 +460,39 @@ tags: - level1-server - level1-workstation - - automated - patch - users - files - rule_6.2.15 -- name: "6.2.16 | PATCH | Ensure no users have .rhosts files" - file: - path: "~{{ item }}/.rhosts" - state: absent - with_items: "{{ users.stdout_lines }}" +- name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable" + block: + - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Check for files" + ansible.builtin.shell: find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w + changed_when: false + failed_when: false + register: rhel9cis_6_2_16_audit + + - name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Alert on files found" + ansible.builtin.debug: + msg: "Good news! We have not found any group or world-writable dot files on your sytem" + when: + - rhel9cis_6_2_16_audit.stdout is not defined + + - name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable | Changes files if configured" + ansible.builtin.file: + path: '{{ item }}' + mode: go-w + with_items: "{{ rhel9cis_6_2_16_audit.stdout_lines }}" + when: + - rhel9cis_6_2_16_audit.stdout is defined + - rhel9cis_dotperm_ansiblemanaged when: - rhel9cis_rule_6_2_16 tags: - level1-server - level1-workstation - - automated - patch - users - - files + - permissions - rule_6.2.16