sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Merge pull request #317 from ansible-lockdown/improvements

Browse source 
Improvements
This commit is contained in:
uk-bolly 2025-04-15 14:06:32 +01:00 committed by GitHub
commit 4c47bb5b6b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 51 additions and 45 deletions
Download patch file Download diff file Expand all files Collapse all files

6
defaults/main.yml
View file

@ -1,7 +1,8 @@
--- ---
# defaults file for rhel9-cis # defaults file for rhel9-cis
# WARNING: # WARNING:
# These values may be overriden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here: # These values may be overridden by other vars-setting options(e.g. like the below 'container_vars_file'), as explained here:
# https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable # https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
# Run the OS validation check # Run the OS validation check
@ -36,6 +37,7 @@ rhel9cis_level_2: true
# Create managed not custom local_facts files # Create managed not custom local_facts files
create_benchmark_facts: true create_benchmark_facts: true
ansible_facts_path: /etc/ansible/facts.d ansible_facts_path: /etc/ansible/facts.d
## Section 1.6 - Mandatory Access Control ## Section 1.6 - Mandatory Access Control
# This variable governs whether SELinux is disabled or not. If SELinux is NOT DISABLED by setting # This variable governs whether SELinux is disabled or not. If SELinux is NOT DISABLED by setting
# 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed. # 'rhel9cis_selinux_disable' to 'true', the 1.6 subsection will be executed.
@ -85,7 +87,7 @@ audit_capture_files_dir: /some/location to copy to on control node
# How to retrieve audit binary # How to retrieve audit binary
# Options are copy or download - detailed settings at the bottom of this file # Options are copy or download - detailed settings at the bottom of this file
# you will need to access to either github or the file already dowmloaded # you will need to access to either github or the file already downloaded
get_audit_binary_method: download get_audit_binary_method: download
## if get_audit_binary_method - copy the following needs to be updated for your environment ## if get_audit_binary_method - copy the following needs to be updated for your environment

8
tasks/audit_only.yml
View file

@ -9,14 +9,6 @@
delegate_to: localhost delegate_to: localhost
become: false become: false
- name: Audit_only | Get audits from systems and put in group dir
when: fetch_audit_files
ansible.builtin.fetch:
dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
flat: true
mode: 'go-wx'
src: "{{ pre_audit_outfile }}"
- name: Audit_only | Show Audit Summary - name: Audit_only | Show Audit Summary
when: audit_only when: audit_only
ansible.builtin.debug: ansible.builtin.debug:

20
tasks/fetch_audit_output.yml
View file

@ -2,7 +2,7 @@
# Stage to copy audit output to a centralised location # Stage to copy audit output to a centralised location
- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller" - name: "POST | FETCH | Fetch files and copy to controller"
when: audit_output_collection_method == "fetch" when: audit_output_collection_method == "fetch"
ansible.builtin.fetch: ansible.builtin.fetch:
src: "{{ item }}" src: "{{ item }}"
@ -17,7 +17,7 @@
# Added this option for continuity but could be changed by adjusting the variable audit_conf_dest # Added this option for continuity but could be changed by adjusting the variable audit_conf_dest
# Allowing backup to one location # Allowing backup to one location
- name: "FETCH_AUDIT_FILES | Copy files to location available to managed node" - name: "POST | FETCH | Copy files to location available to managed node"
when: audit_output_collection_method == "copy" when: audit_output_collection_method == "copy"
ansible.builtin.copy: ansible.builtin.copy:
src: "{{ item }}" src: "{{ item }}"
@ -25,21 +25,21 @@
mode: 'u-x,go-wx' mode: 'u-x,go-wx'
flat: true flat: true
failed_when: false failed_when: false
register: discovered_audit_fetch_copy_state register: discovered_audit_copy_state
loop: loop:
- pre_audit_outfile - "{{ pre_audit_outfile }}"
- post_audit_outfile - "{{ post_audit_outfile }}"
- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files" - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
when: when:
- (discovered_audit_fetch_state is defined and not discovered_audit_fetch_state.changed) or - (audit_output_collection_method == "fetch" and not discovered_audit_fetch_state.changed) or
(discovered_audit_copy_state is defined and not discovered_audit_copy_state.changed) (audit_output_collection_method == "copy" and not discovered_audit_copy_state.changed)
block: block:
- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files" - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy" msg: "Warning!! Unable to write to localhost {{ audit_output_destination }} for audit file copy"
- name: "FETCH_AUDIT_FILES | Fetch files and copy to controller | Warning if issues with fetch_audit_files" - name: "POST | FETCH | Fetch files and copy to controller | Warning if issues with fetch_audit_files"
vars: vars:
warn_control_id: "FETCH_AUDIT_FILES" warn_control_id: "FETCH_AUDIT_FILES"
ansible.builtin.import_tasks: ansible.builtin.import_tasks:

13
tasks/main.yml
View file

@ -213,13 +213,16 @@
ansible.builtin.import_tasks: ansible.builtin.import_tasks:
file: post_remediation_audit.yml file: post_remediation_audit.yml
- name: Add ansible file showing Benchmark and levels applied - name: Add ansible file showing Benchmark and levels applied if audit details not present
when: create_benchmark_facts when:
- create_benchmark_facts
- (post_audit_summary is defined) or
(ansible_local['compliance_facts']['lockdown_audit_details']['audit_summary'] is undefined and post_audit_summary is undefined)
tags: tags:
- always - always
- benchmark - benchmark
block: block:
- name: Create ansible facts directory - name: Create ansible facts directory if audit facts not present
ansible.builtin.file: ansible.builtin.file:
path: "{{ ansible_facts_path }}" path: "{{ ansible_facts_path }}"
state: directory state: directory
@ -227,13 +230,13 @@
group: root group: root
mode: 'u=rwx,go=rx' mode: 'u=rwx,go=rx'
- name: Create ansible facts file - name: Create ansible facts file and levels applied if audit facts not present
ansible.builtin.template: ansible.builtin.template:
src: etc/ansible/compliance_facts.j2 src: etc/ansible/compliance_facts.j2
dest: "{{ ansible_facts_path }}/compliance_facts.fact" dest: "{{ ansible_facts_path }}/compliance_facts.fact"
owner: root owner: root
group: root group: root
mode: "u-x,go-wx" mode: 'u-x,go=r'
- name: Fetch audit files - name: Fetch audit files
when: when:

46
tasks/section_5/cis_5.1.x.yml
View file

@ -6,7 +6,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- permissions - permissions
- rule_5.1.1 - rule_5.1.1
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
@ -23,7 +23,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- permissions - permissions
- rule_5.1.2 - rule_5.1.2
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
@ -53,7 +53,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.3 - rule_5.1.3
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
@ -166,7 +166,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.7 - rule_5.1.7
- NIST800-53R5_AC-3 - NIST800-53R5_AC-3
- NIST800-53R5_MP-2 - NIST800-53R5_MP-2
@ -195,6 +195,8 @@
path: "{{ rhel9cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: "^DenyUsers" regexp: "^DenyUsers"
line: "DenyUsers {{ rhel9cis_sshd_denyusers }}" line: "DenyUsers {{ rhel9cis_sshd_denyusers }}"
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
@ -213,7 +215,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.8 - rule_5.1.8
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -231,7 +233,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.9 - rule_5.1.9
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -261,7 +263,7 @@
- level2-server - level2-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.10 - rule_5.1.10
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
block: block:
@ -287,7 +289,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- sshs - sshd
- rule_5.1.11 - rule_5.1.11
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -317,7 +319,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.12 - rule_5.1.12
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -337,7 +339,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.13 - rule_5.1.13
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -348,6 +350,8 @@
path: "{{ rhel9cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*IgnoreRhosts regexp: ^(?i)(#|)\s*IgnoreRhosts
line: 'IgnoreRhosts yes' line: 'IgnoreRhosts yes'
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
@ -357,13 +361,15 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.14 - rule_5.1.14
- NIST800-53R5_CM-6 - NIST800-53R5_CM-6
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: "{{ rhel9cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*LoginGraceTime regexp: ^(?i)(#|)\s*LoginGraceTime
line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}" line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}"
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
@ -373,7 +379,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- sshs - sshd
- rule_5.1.15 - rule_5.1.15
- NIST800-53R5_AU-3 - NIST800-53R5_AU-3
- NIST800-53R5_AU-12 - NIST800-53R5_AU-12
@ -382,6 +388,8 @@
path: "{{ rhel9cis_sshd_config_file }}" path: "{{ rhel9cis_sshd_config_file }}"
regexp: ^(?i)(#|)\s*LogLevel regexp: ^(?i)(#|)\s*LogLevel
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
insertbefore: "^Match"
firstmatch: true
validate: sshd -t -f %s validate: sshd -t -f %s
notify: Restart sshd notify: Restart sshd
@ -391,7 +399,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.16 - rule_5.1.16
- NIST800-53R5_AU-3 - NIST800-53R5_AU-3
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
@ -407,7 +415,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.17 - rule_5.1.17
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -427,7 +435,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.18 - rule_5.1.18
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -447,7 +455,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.19 - rule_5.1.19
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -467,7 +475,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.20 - rule_5.1.20
- NIST800-53R5_AC-6 - NIST800-53R5_AC-6
block: block:
@ -491,7 +499,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.21 - rule_5.1.21
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2
@ -511,7 +519,7 @@
- level1-server - level1-server
- level1-workstation - level1-workstation
- patch - patch
- ssh - sshd
- rule_5.1.22 - rule_5.1.22
- NIST800-53R5_CM-1 - NIST800-53R5_CM-1
- NIST800-53R5_CM-2 - NIST800-53R5_CM-2

2
tasks/section_5/cis_5.3.3.1.x.yml
View file

@ -23,7 +23,7 @@
- rhel9cis_disruption_high - rhel9cis_disruption_high
ansible.builtin.replace: ansible.builtin.replace:
path: "/etc/pam.d/{{ item }}-auth" path: "/etc/pam.d/{{ item }}-auth"
regexp: ^(\s*auth\s+(requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$) regexp: ^(\s*auth\s+(?:requisite|required|sufficient)\s+pam_faillock\.so)(.*)\s+deny\s*=\s*\S+(.*$)
replace: \1 \2\3 replace: \1 \2\3
loop: loop:
- password - password

1
templates/etc/ansible/compliance_facts.j2
View file

@ -29,6 +29,7 @@ Level_2_workstation_tag_run = true
[lockdown_audit_details] [lockdown_audit_details]
{% if run_audit %} {% if run_audit %}
# Audit run # Audit run
audit_run_date = {{ '%Y-%m-%d - %H:%M:%S' | ansible.builtin.strftime }}
audit_file_local_location = {{ audit_log_dir }} audit_file_local_location = {{ audit_log_dir }}
{% if not audit_only %} {% if not audit_only %}
audit_summary = {{ post_audit_results }} audit_summary = {{ post_audit_results }}