sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

reorder and lint

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2023-01-13 10:04:33 +00:00
parent 198359cfbb
commit 440f1dfcd4
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
1 changed files with 257 additions and 270 deletions
Download patch file Download diff file Expand all files Collapse all files

527
tasks/section_6/cis_6.2.x.yml
View file

@ -1,300 +1,311 @@
---
- name: "6.2.1 | PATCH | Ensure password fields are not empty"
command: passwd -l {{ item }}
- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords"
block:
- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | discover"
ansible.builtin.shell: awk -F':' '($2 != "x" ) { print $1 " is not set to shadowed passwords "}' /etc/passwd
register: shadow_passwd
- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | Output"
ansible.builtin.debug:
msg: |
- "Warning!! Below are the accounts that do not have shadowed passwords set"
- "{{ shadow_passwd.stdout_line }}"
when: shadow_passwd.stdout | length > 0
- name: "6.2.1 | AUDIT | Ensure accounts in /etc/passwd use shadowed passwords | warning fact"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.2.1'
when: shadow_passwd.stdout | length >= 1
when:
- rhel9cis_rule_6_2_1
tags:
- level1-server
- level1-workstation
- patch
- accounts
- rule_6.2.1
- name: "6.2.2 | PATCH | Ensure password fields are not empty"
ansible.builtin.shell: passwd -l {{ item }}
changed_when: false
failed_when: false
with_items: "{{ empty_password_accounts.stdout_lines }}"
when:
- empty_password_accounts.rc
- rhel9cis_rule_6_2_1
tags:
- level1-server
- level1-workstation
- automated
- patch
- accounts
- rule_6.2.1
- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
block:
- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_6_2_2_passwd_gid_check
- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files"
debug:
msg: "Good News! There are no users that have non-existent GUIDs (Groups)"
when: rhel9cis_6_2_2_passwd_gid_check.stdout | length == 0
- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
debug:
msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}"
when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1
- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_6.2.2' ]"
warn_count: "{{ warn_count | int + 1 }}"
when: rhel9cis_6_2_2_passwd_gid_check.stdout | length >= 1
when:
- rhel9cis_rule_6_2_2
tags:
- level1-server
- level1-workstation
- automated
- patch
- accounts
- rule_6.2.2
- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group"
block:
- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
ansible.builtin.shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_6_2_3_passwd_gid_check
- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files"
ansible.builtin.debug:
msg: "Good News! There are no users that have non-existent GUIDs (Groups)"
when: rhel9cis_6_2_3_passwd_gid_check.stdout | length == 0
- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
ansible.builtin.debug:
msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}"
when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1
- name: "6.2.3 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.2.3'
when: rhel9cis_6_2_3_passwd_gid_check.stdout | length >= 1
when:
- rhel9cis_rule_6_2_2
tags:
- level1-server
- level1-workstation
- audit
- accounts
- groups
- rule_6.2.2
- name: "6.2.3 | AUDIT Ensure no duplicate UIDs exist"
- name: "6.2.4 | AUDIT Ensure no duplicate UIDs exist"
block:
- name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
changed_when: false
failed_when: false
register: rhel9cis_6_2_3_user_uid_check
register: rhel9cis_6_2_4_user_uid_check
- name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist"
debug:
- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist"
ansible.builtin.debug:
msg: "Good News! There are no duplicate UID's in the system"
when: rhel9cis_6_2_3_user_uid_check.stdout | length == 0
when: rhel9cis_6_2_4_user_uid_check.stdout | length == 0
- name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
debug:
msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}"
when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1
- name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_6.2.3' ]"
warn_count: "{{ warn_count | int + 1 }}"
when: rhel9cis_6_2_3_user_uid_check.stdout | length >= 1
when:
- rhel9cis_rule_6_2_3
tags:
- level1-server
- level1-workstation
- automated
- audit
- accounts
- users
- rule_6.2.3
- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist"
block:
- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
changed_when: false
failed_when: false
register: rhel9cis_6_2_4_user_user_check
- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist"
debug:
msg: "Good News! There are no duplicate GIDs in the system"
when: rhel9cis_6_2_4_user_user_check.stdout | length == 0
- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
debug:
msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}"
when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1
- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_6.2.4' ]"
warn_count: "{{ warn_count | int + 1 }}"
when: rhel9cis_6_2_4_user_user_check.stdout | length >= 1
- name: "6.2.4 | AUDIT | Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
ansible.builtin.debug:
msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_4_user_uid_check.stdout_lines }}"
when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1
- name: "6.2.4 | AUDIT| Ensure no duplicate UIDs exist | warning count"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.2.4'
when: rhel9cis_6_2_4_user_uid_check.stdout | length >= 1
when:
- rhel9cis_rule_6_2_4
tags:
- level1-server
- level1-workstation
- automated
- audit
- accounts
- groups
- users
- rule_6.2.4
- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist"
- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist"
block:
- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
changed_when: false
failed_when: false
register: rhel9cis_6_2_5_user_username_check
register: rhel9cis_6_2_5_user_user_check
- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist"
debug:
msg: "Good News! There are no duplicate user names in the system"
when: rhel9cis_6_2_5_user_username_check.stdout | length == 0
- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist"
ansible.builtin.debug:
msg: "Good News! There are no duplicate GIDs in the system"
when: rhel9cis_6_2_5_user_user_check.stdout | length == 0
- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
debug:
msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}"
when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1
- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
ansible.builtin.debug:
msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_5_user_user_check.stdout_lines }}"
when: rhel9cis_6_2_5_user_user_check.stdout | length >= 1
- name: "6.2.5 | AUDIT | Ensure no duplicate GIDs exist | warning count"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.2.5'
when: rhel9cis_6_2_5_user_user_check.stdout_lines | length >= 1
- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_6.2.5' ]"
warn_count: "{{ warn_count | int + 1 }}"
when: rhel9cis_6_2_5_user_username_check.stdout | length >= 1
when:
- rhel9cis_rule_6_2_5
tags:
- level1-server
- level1-workstation
- automated
- audit
- accounts
- users
- groups
- rule_6.2.5
- name: "6.2.6 | AUDIT |Ensure no duplicate group names exist"
- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist"
block:
- name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
ansible.builtin.shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
changed_when: false
failed_when: false
check_mode: false
register: rhel9cis_6_2_6_group_group_check
register: rhel9cis_6_2_6_user_username_check
- name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist"
debug:
msg: "Good News! There are no duplicate group names in the system"
when: rhel9cis_6_2_6_group_group_check.stdout is defined
- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
ansible.builtin.debug:
msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}"
when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1
- name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
debug:
msg: "Warning!! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}"
when: rhel9cis_6_2_6_group_group_check.stdout is not defined
- name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_6.2.6' ]"
warn_count: "{{ warn_count | int + 1 }}"
when: rhel9cis_6_2_6_group_group_check.stdout is not defined
- name: "6.2.6 | AUDIT | Ensure no duplicate user names exist | warning count"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.2.6'
when: rhel9cis_6_2_6_user_username_check.stdout | length >= 1
when:
- rhel9cis_rule_6_2_6
tags:
- level1-server
- level1-workstation
- automated
- audit
- accounts
- groups
- users
- rule_6.2.6
- name: "6.2.7 | PATCH | Ensure root PATH Integrity"
- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist"
block:
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine empty value"
shell: 'echo $PATH | grep ::'
- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
ansible.builtin.shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
changed_when: false
failed_when: rhel9cis_6_2_7_path_colon.rc == 0
failed_when: false
check_mode: false
register: rhel9cis_6_2_7_path_colon
register: rhel9cis_6_2_7_group_group_check
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determin colon end"
shell: 'echo $PATH | grep :$'
changed_when: false
failed_when: rhel9cis_6_2_7_path_colon_end.rc == 0
check_mode: false
register: rhel9cis_6_2_7_path_colon_end
- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
ansible.builtin.debug:
msg: "Warning!! The following group names are duplicates: {{ rhel9cis_6_2_7_group_group_check.stdout_lines }}"
when: rhel9cis_6_2_7_group_group_check.stdout is not defined
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine dot in path"
shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'"
changed_when: false
failed_when: '"." in rhel9cis_6_2_7_dot_in_path.stdout_lines'
check_mode: false
register: rhel9cis_6_2_7_dot_in_path
- name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path"
debug:
msg:
- "The following paths have an empty value: {{ rhel9cis_6_2_7_path_colon.stdout_lines }}"
- "The following paths have colon end: {{ rhel9cis_6_2_7_path_colon_end.stdout_lines }}"
- "The following paths have a dot in the path: {{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}"
- name: "6.2.7 | PATCH | Ensure root PATH Integrity | Determine rights and owner"
file: >
path='{{ item }}'
follow=yes
state=directory
owner=root
mode='o-w,g-w'
with_items: "{{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}"
- name: "6.2.7 | AUDIT | Ensure no duplicate group names exist | warning count"
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: '6.2.7'
when: rhel9cis_6_2_7_group_group_check.stdout is not defined
when:
- rhel9cis_rule_6_2_7
tags:
- level1-server
- level1-workstation
- automated
- patch
- paths
- audit
- accounts
- groups
- rule_6.2.7
- name: "6.2.8 | PATCH | Ensure root is the only UID 0 account"
command: passwd -l {{ item }}
- name: "6.2.8 | PATCH | Ensure root PATH Integrity"
block:
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determine empty value"
ansible.builtin.shell: 'echo $PATH | grep ::'
changed_when: false
failed_when: rhel9cis_6_2_8_path_colon.rc == 0
check_mode: false
register: rhel9cis_6_2_8_path_colon
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determin colon end"
ansible.builtin.shell: 'echo $PATH | grep :$'
changed_when: false
failed_when: rhel9cis_6_2_8_path_colon_end.rc == 0
check_mode: false
register: rhel9cis_6_2_8_path_colon_end
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Determine dot in path"
ansible.builtin.shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'"
changed_when: false
failed_when: '"." in rhel9cis_6_2_8_dot_in_path.stdout_lines'
check_mode: false
register: rhel9cis_6_2_8_dot_in_path
- name: "6.2.8 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path"
ansible.builtin.debug:
msg:
- "Warning!!"
- "The following paths have an empty value: {{ rhel9cis_6_2_8_path_colon.stdout_lines }}"
- "The following paths have colon end: {{ rhel9cis_6_2_8_path_colon_end.stdout_lines }}"
- "The following paths have a dot in the path: {{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}"
- name: "6.2.8 | PATCH | Ensure root PATH Integrity | Determine rights and owner"
ansible.builtin.file: >
path='{{ item }}'
follow=yes
state=directory
owner=root
mode='o-w,g-w'
with_items: "{{ rhel9cis_6_2_8_dot_in_path.stdout_lines }}"
when:
- rhel9cis_rule_6_2_8
tags:
- level1-server
- level1-workstation
- patch
- paths
- rule_6.2.8
- name: "6.2.9 | PATCH | Ensure root is the only UID 0 account"
ansible.builtin.shell: passwd -l {{ item }}
changed_when: false
failed_when: false
with_items: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}"
when:
- rhel9cis_uid_zero_accounts_except_root.rc
- rhel9cis_rule_6_2_8
- rhel9cis_rule_6_2_9
tags:
- level1-server
- level1-workstation
- automated
- patch
- accounts
- users
- rule_6.2.8
- rule_6.2.9
- name: "6.2.9 | PATCH | Ensure all users' home directories exist"
- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist"
block:
- name: "6.2.9 | AUDIT | Ensure all users' home directories exist"
stat:
- name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist"
ansible.builtin.stat:
path: "{{ item }}"
register: rhel_08_6_2_9_audit
register: rhel_08_6_2_10_audit
with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}"
- name: "6.2.9 | AUDIT | Ensure all users' home directories exist"
command: find -H {{ item.0 | quote }} -not -type l -perm /027
- name: "6.2.10 | AUDIT | Ensure local interactive user home directories exist"
ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027
check_mode: false
changed_when: rhel_08_6_2_9_patch_audit.stdout | length > 0
register: rhel_08_6_2_9_patch_audit
changed_when: rhel_08_6_2_10_patch_audit.stdout | length > 0
register: rhel_08_6_2_10_patch_audit
when:
- ansible_check_mode
- item.1.exists
with_together:
- "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}"
- "{{ rhel_08_6_2_10_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_10_audit.results | map(attribute='stat') | list }}"
loop_control:
label: "{{ item.0 }}"
- name: "6.2.9 | PATCH | Ensure all users' home directories exist"
file:
- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist"
ansible.builtin.file:
path: "{{ item.0 }}"
recurse: true
mode: a-st,g-w,o-rwx
register: rhel_08_6_2_9_patch
register: rhel_08_6_2_10_patch
when:
- not ansible_check_mode
- item.1.exists
with_together:
- "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}"
- "{{ rhel_08_6_2_10_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_10_audit.results | map(attribute='stat') | list }}"
loop_control:
label: "{{ item.0 }}"
# set default ACLs so the homedir has an effective umask of 0027
- name: "6.2.9 | PATCH | Ensure all users' home directories exist"
acl:
- name: "6.2.10 | PATCH | Ensure local interactive user home directories exist"
ansible.posix.acl:
path: "{{ item.0 }}"
default: true
state: present
@ -304,7 +315,7 @@
when:
- not system_is_container
with_nested:
- "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results |
- "{{ (ansible_check_mode | ternary(rhel_08_6_2_10_patch_audit, rhel_08_6_2_10_patch)).results |
rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
-
- etype: group
@ -312,18 +323,16 @@
- etype: other
mode: '0'
when:
- rhel9cis_rule_6_2_9
- rhel9cis_rule_6_2_10
tags:
- level1-server
- level1-workstation
- automated
- patch
- users
- rule_6.2.9
- rule_6.2.10
- name: "6.2.10 | PATCH | Ensure users own their home directories"
file:
- name: "6.2.11 | PATCH | Ensure local interactive users own their home directories"
ansible.builtin.file:
path: "{{ item.dir }}"
owner: "{{ item.id }}"
state: directory
@ -334,56 +343,54 @@
- item.uid >= min_int_uid | int
- item.id != 'nobody'
- (item.id != 'tss' and item.dir != '/dev/null')
- rhel9cis_rule_6_2_10
- rhel9cis_rule_6_2_11
tags:
- skip_ansible_lint # settings found on 6_2_7
- level1-server
- level1-workstation
- automated
- patch
- users
- rule_6.2.10
- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive"
block:
- name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
stat:
- name: "6.2.12 | AUDIT | Ensure local interactive user home directories are mode 750 or more restrictive"
ansible.builtin.stat:
path: "{{ item }}"
with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}"
register: rhel_08_6_2_11_audit
register: rhel_08_6_2_12_audit
- name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
command: find -H {{ item.0 | quote }} -not -type l -perm /027
- name: "6.2.12 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027
check_mode: false
changed_when: rhel_08_6_2_11_patch_audit.stdout | length > 0
register: rhel_08_6_2_11_patch_audit
changed_when: rhel_08_6_2_12_patch_audit.stdout | length > 0
register: rhel_08_6_2_12_patch_audit
when:
- ansible_check_mode
- item.1.exists
with_together:
- "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}"
- "{{ rhel_08_6_2_12_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_12_audit.results | map(attribute='stat') | list }}"
loop_control:
label: "{{ item.0 }}"
- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
file:
- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive"
ansible.builtin.file:
path: "{{ item.0 }}"
recurse: true
mode: a-st,g-w,o-rwx
register: rhel_08_6_2_11_patch
register: rhel_08_6_2_12_patch
when:
- not ansible_check_mode
- item.1.exists
with_together:
- "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}"
- "{{ rhel_08_6_2_12_audit.results | map(attribute='item') | list }}"
- "{{ rhel_08_6_2_12_audit.results | map(attribute='stat') | list }}"
loop_control:
label: "{{ item.0 }}"
# set default ACLs so the homedir has an effective umask of 0027
- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive"
acl:
- name: "6.2.12 | PATCH | Ensure local interactive user home directories are mode 750 or more restrictive"
ansible.posix.acl:
path: "{{ item.0 }}"
default: true
state: present
@ -393,75 +400,41 @@
when:
- not system_is_container
with_nested:
- "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results |
- "{{ (ansible_check_mode | ternary(rhel_08_6_2_12_patch_audit, rhel_08_6_2_12_patch)).results |
rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
-
- etype: group
mode: rx
- etype: other
mode: '0'
when:
- rhel9cis_rule_6_2_11
tags:
- level1-server
- level1-workstation
- automated
- patch
- users
- permissions
- rule_6.2.11
- name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable"
block:
- name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files"
shell: find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w
changed_when: false
failed_when: false
register: rhel9cis_6_2_12_audit
- name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found"
debug:
msg: "Good news! We have not found any group or world-writable dot files on your sytem"
when:
- rhel9cis_6_2_12_audit.stdout is not defined
- name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured"
file:
path: '{{ item }}'
mode: go-w
with_items: "{{ rhel9cis_6_2_12_audit.stdout_lines }}"
when:
- rhel9cis_6_2_12_audit.stdout is defined
- rhel9cis_dotperm_ansiblemanaged
when:
- rhel9cis_rule_6_2_12
tags:
- level1-server
- level1-workstation
- automated
- patch
- users
- permissions
- rule_6.2.12
- name: "6.2.13 | PATCH | Ensure users' .netrc Files are not group or world accessible"
command: /bin/true
changed_when: false
failed_when: false
- name: "6.2.13 | PATCH | Ensure no local interactive user has .netrc files"
ansible.builtin.file:
path: "~{{ item }}/.netrc"
state: absent
with_items:
- "{{ users.stdout_lines }}"
when:
- rhel9cis_rule_6_2_13
tags:
- level1-server
- level1-workstation
- automated
- patch
- users
- permissions
- notimplemented
- rule_6.2.13
- name: "6.2.14 | PATCH | Ensure no users have .forward files"
file:
- name: "6.2.14 | PATCH | Ensure no local interactive user has .forward files"
ansible.builtin.file:
path: "~{{ item }}/.forward"
state: absent
with_items:
@ -471,15 +444,14 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- users
- files
- rule_6.2.14
- name: "6.2.15 | PATCH | Ensure no users have .netrc files"
file:
path: "~{{ item }}/.netrc"
- name: "6.2.15 | PATCH | Ensure no users have .rhosts files"
ansible.builtin.file:
path: "~{{ item }}/.rhosts"
state: absent
with_items:
- "{{ users.stdout_lines }}"
@ -488,24 +460,39 @@
tags:
- level1-server
- level1-workstation
- automated
- patch
- users
- files
- rule_6.2.15
- name: "6.2.16 | PATCH | Ensure no users have .rhosts files"
file:
path: "~{{ item }}/.rhosts"
state: absent
with_items: "{{ users.stdout_lines }}"
- name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable"
block:
- name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Check for files"
ansible.builtin.shell: find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w
changed_when: false
failed_when: false
register: rhel9cis_6_2_16_audit
- name: "6.2.16 | AUDIT | Ensure local interactive user dot files are not group or world writable | Alert on files found"
ansible.builtin.debug:
msg: "Good news! We have not found any group or world-writable dot files on your sytem"
when:
- rhel9cis_6_2_16_audit.stdout is not defined
- name: "6.2.16 | PATCH | Ensure local interactive user dot files are not group or world writable | Changes files if configured"
ansible.builtin.file:
path: '{{ item }}'
mode: go-w
with_items: "{{ rhel9cis_6_2_16_audit.stdout_lines }}"
when:
- rhel9cis_6_2_16_audit.stdout is defined
- rhel9cis_dotperm_ansiblemanaged
when:
- rhel9cis_rule_6_2_16
tags:
- level1-server
- level1-workstation
- automated
- patch
- users
- files
- permissions
- rule_6.2.16