
Merge pull request #29 from ansible-lockdown/Oct_update

Oct update
George Nalen 2022-10-18 09:20:02 -04:00 committed by GitHub
commit 4e004e7d88
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 65 additions and 57 deletions

@ -4,6 +4,10 @@ skip_list:
- 'schema' - 'schema'
- 'no-changed-when' - 'no-changed-when'
- 'fqcn-builtins' - 'fqcn-builtins'
- 'experimental'
- 'name[casing]'
- 'name[template]'
- 'jinja[spacing]'
- '204' - '204'
- '305' - '305'
- '303' - '303'
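Review bot: the new `- 'experimental'` entry in skip_list disables every rule ansible-lint tags as experimental, not a single rule, so future experimental checks will be skipped silently as well; the other three additions (`name[casing]`, `name[template]`, `jinja[spacing]`) are cosmetic and fine to skip globally, but if one particular experimental rule is the problem, skip it by its rule id, or suppress it on the offending line with `# noqa` the way this same commit does for `template-instead-of-copy` in the bootloader and 6.1.1 tasks.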

@ -26,12 +26,12 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/first-interaction@v1.1.0 - uses: actions/first-interaction@v1.1.1
with: with:
repo-token: ${{ secrets.GITHUB_TOKEN }} repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |- pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://discord.gg/JFxpSgPFEJ) as well. Please join in the conversation happening on the [Discord Server](https://discord.io/iansible-lockdown) as well.
# This workflow contains a single job called "build" # This workflow contains a single job called "build"
build: build:
# The type of runner that the job will run on # The type of runner that the job will run on
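Review bot: the Discord URL on the new side, `https://discord.io/iansible-lockdown`, has a stray `i` and no longer matches the `https://discord.io/ansible-lockdown` link the README in this same merge uses. Separately, `actions/first-interaction@v1.1.1` is still pinned to a mutable tag while the step is handed `secrets.GITHUB_TOKEN`; pin the action to the release's full commit SHA (keeping the tag in a trailing comment) so that a moved or re-pushed tag cannot change the code that receives the token.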

@ -1,5 +1,21 @@
# Changes to rhel9CIS # Changes to rhel9CIS
## 0.5
- audit path updated and output file name
### Taken from RHEL8-CIS issues and PRs
- #209 5.6.5 rewrite umask settings
- #220 tidy up and align variables
- #226 Thanks to Thulium-Drake
-Extended the auditd config required value for auditd space left percentage (not part of CIS Benchmark but required fopr auditd to run correctly in some cases)
- #227 thanks to OscarElits
- chrony files now RH expected locations
- #228 Thanks to benbulll
- audit binary copy var missing
## 0.4 ## 0.4
- Added assertion that ansible_user has password set for rule 5.3.4 - Added assertion that ansible_user has password set for rule 5.3.4
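Review bot: formatting nits in the new 0.5 entry: the `-Extended the auditd config ...` line is missing the space after the dash and is not indented like the sibling sub-bullets, `fopr` should be `for`, and the capitalisation of `thanks to` differs between the #226, #227 and #228 lines. The entry also lists changes (chrony files in RH expected locations, the missing audit binary copy variable) that none of the hunks in this merge touch, so confirm they landed in an earlier commit on this branch before the 0.5 note is published.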

@ -21,7 +21,7 @@ On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, d
## Caution(s) ## Caution(s)
This role **will make changes to the system** which may have unintended concequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. This role **will make changes to the system** which may have unintended concequences.
This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed. This role was developed against a clean install of the Operating System. If you are implimenting to an existing system please review this role for any site specific changes that are needed.
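Review bot: the sentence dropped from the Caution paragraph ("This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted") is the one that tells an operator the role changes hosts rather than reporting on them; if it is going because auditing is now documented elsewhere, leave a one-line pointer in its place rather than nothing. While these two lines are being touched, `concequences` and `implimenting` should read `consequences` and `implementing`.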
@ -29,23 +29,11 @@ To use release version please point to main branch
## Documentation ## Documentation
- [Readthedocs](https://ansible-lockdown.readthedocs.io/en/latest/)
- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown) - [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)
- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise) - [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)
- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration) - [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise) - [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)
- [Wiki](https://github.com/ansible-lockdown/RHEL9-CIS/wiki)
- [Repo GitHub Page](https://ansible-lockdown.github.io/RHEL9-CIS/)
## Auditing (new)
This can be turned on or off within the defaults/main.yml file with the variable rhel9cis_run_audit. The value is false by default, please refer to the wiki for more details.
This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings.
A new form of auditing has been develeoped, by using a small (12MB) go binary called [goss](https://github.com/aelsabbahy/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling.
This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process.
Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit).
## Requirements ## Requirements
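Review bot: the entire "Auditing (new)" section is removed, including the only mention of the `rhel9cis_run_audit` switch and the link to RHEL9-CIS-Audit, yet the defaults/main.yml hunk later in this same merge still ships the audit variables (`audit_out_dir`, `pre_audit_outfile`, `post_audit_outfile`), so the feature still exists and the README now says nothing about how to turn it on or where results land; unless the Readthedocs link that replaces the Wiki and GitHub Page links covers it, keep a short pointer here.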
@ -62,8 +50,10 @@ Rocky 9
- [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html)
- [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
- [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. - Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/RHEL9-CIS/wiki/Main-Variables). - Please read through the tasks in this role to gain an understanding of what each control is doing.
- Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file
## Dependencies ## Dependencies
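Review bot: splitting the "Please read through the tasks" bullet drops the link to the Main Variables wiki page without a replacement, so readers are left with only "the variables in the defaults/main.yml file"; if the wiki is being retired, point at the equivalent Readthedocs page. `consiquences` in the new second bullet should be `consequences`.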
@ -71,6 +61,7 @@ Rocky 9
- Ansible 2.9+ - Ansible 2.9+
- python-def (should be included in RHEL 9) - python-def (should be included in RHEL 9)
- libselinux-python - libselinux-python
- jmespath
## Role Variables ## Role Variables
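Review bot: `jmespath` is a control-node Python dependency (it backs the `json_query` filter), whereas the neighbouring `libselinux-python` entry is needed on the managed RHEL 9 hosts; the list presents both as one set of requirements, so say which side each package is installed on, otherwise the usual failure is an `Invalid data passed to 'json_query'`-style error on the controller after the user has installed jmespath on the targets.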
@ -92,39 +83,3 @@ Below is an example of the tag section from a control within this role. Using th
- patch - patch
- rule_2.2.4 - rule_2.2.4
``` ```
## Example Audit Summary
This is based on a vagrant image with selections enabled. e.g. No Gui or firewall.
Note: More tests are run during audit as we check config and running state.
```txt
ok: [default] => {
"msg": [
"The pre remediation results are: ['Total Duration: 5.454s', 'Count: 338, Failed: 47, Skipped: 5'].",
"The post remediation results are: ['Total Duration: 5.007s', 'Count: 338, Failed: 46, Skipped: 5'].",
"Full breakdown can be found in /var/tmp",
""
]
}
PLAY RECAP *******************************************************************************************************************************************
default : ok=270 changed=23 unreachable=0 failed=0 skipped=140 rescued=0 ignored=0
```
## Branches
- devel - This is the default branch and the working development branch. Community pull requests will pull into this branch
- main - This is the release branch
- reports - This is a protected branch for our scoring reports, no code should ever go here
- all other branches** - Individual community member branches
## Community Contribution
We encourage you (the community) to contribute to this role. Please read the rules below.
- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge.
- All community Pull Requests are pulled into the devel branch
- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved
- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
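Review bot: this hunk deletes the Community Contribution rules, and with them the only statement in the repository that merged commits must be GPG-signed and Signed-off and that pull requests into devel need a functional test; that is the project's supply-chain policy for contributors and belongs in CONTRIBUTING.md or on the Readthedocs site rather than being dropped. The Branches list (devel as default, main as release, reports as protected) is likewise still useful to contributors. Removing the Example Audit Summary is fine on its own, since it told users to look in `/var/tmp` while defaults set `audit_out_dir: '/opt'`.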

@ -508,6 +508,13 @@ update_audit_template: false
## Advanced option found in auditd post ## Advanced option found in auditd post
allow_auditd_uid_user_exclusions: false allow_auditd_uid_user_exclusions: false
# This can be used to configure other keys in auditd.conf
rhel9cis_auditd_extra_conf: {}
# Example:
# rhel9cis_auditd_extra_conf:
# admin_space_left: '10%'
## Preferred method of logging ## Preferred method of logging
## Whether rsyslog or journald preferred method for local logging ## Whether rsyslog or journald preferred method for local logging
## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5
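Review bot: the comment above `rhel9cis_auditd_extra_conf` should state that each key is written verbatim into /etc/audit/auditd.conf and that auditd is restarted afterwards, and that values must use auditd's own syntax: for `space_left` and `admin_space_left` a bare number is megabytes and only a trailing `%` makes it a percentage, so the `'10%'` example is right but `10` would mean 10 MB; a reader of defaults/main.yml currently gets no hint that a malformed value here keeps auditd from starting.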
@ -673,8 +680,8 @@ audit_files_url: "some url maybe s3?"
# Where the goss configs and outputs are stored # Where the goss configs and outputs are stored
audit_out_dir: '/opt' audit_out_dir: '/opt'
audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/" audit_conf_dir: "{{ audit_out_dir }}/{{ benchmark }}-Audit/"
pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" pre_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_pre_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}" post_audit_outfile: "{{ audit_out_dir }}/{{ ansible_hostname }}-{{ benchmark }}_post_scan_{{ ansible_date_time.epoch }}.{{ audit_format }}"
## The following should not need changing ## The following should not need changing
goss_file: "{{ audit_conf_dir }}goss.yml" goss_file: "{{ audit_conf_dir }}goss.yml"

@ -5,6 +5,7 @@ galaxy_info:
company: "MindPoint Group" company: "MindPoint Group"
license: MIT license: MIT
role_name: rhel9_cis role_name: rhel9_cis
namespace: mindpointgroup
min_ansible_version: 2.10.0 min_ansible_version: 2.10.0
platforms: platforms:
- name: EL - name: EL
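Review bot: `min_ansible_version: 2.10.0` in the context of this hunk contradicts the README Dependencies list touched in this same merge, which still says "Ansible 2.9+"; pick one and apply it to both, since the galaxy metadata is what `ansible-galaxy` and AWX/Tower check. Adding `namespace: mindpointgroup` is fine, but note that Galaxy will then publish the role as `mindpointgroup.rhel9_cis`, so the README install instructions should use that name.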

@ -3,7 +3,7 @@
- name: "1.4.1 | PATCH | Ensure bootloader password is set" - name: "1.4.1 | PATCH | Ensure bootloader password is set"
copy: copy:
dest: /boot/grub2/user.cfg dest: /boot/grub2/user.cfg
content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" # noqa template-instead-of-copy
owner: root owner: root
group: root group: root
mode: 0600 mode: 0600

@ -51,3 +51,19 @@
- patch - patch
- auditd - auditd
- rule_4.1.2.3 - rule_4.1.2.3
- name: PATCH | Configure other keys for auditd.conf
lineinfile:
path: /etc/audit/auditd.conf
regexp: "^{{ item }}( |=)"
line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}"
loop: "{{ rhel9cis_auditd_extra_conf.keys() }}"
notify: restart auditd
when:
- rhel9cis_auditd_extra_conf.keys() | length > 0
tags:
- level2-server
- level2-workstation
- automated
- patch
- auditd
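Review bot: in the "Configure other keys for auditd.conf" task the dictionary key is interpolated unescaped into `regexp: "^{{ item }}( |=)"`, so a key containing a regex metacharacter would match the wrong line; iterate with `loop: "{{ rhel9cis_auditd_extra_conf | dict2items }}"` and use `regexp: "^{{ item.key | regex_escape }}( |=)"` / `line: "{{ item.key }} = {{ item.value }}"`. That also avoids handing `loop` the result of `.keys()`, which on some Ansible versions is rendered as a `dict_keys(...)` string and fails with "Invalid data passed to 'loop'"; with a list-producing filter the `when: rhel9cis_auditd_extra_conf.keys() | length > 0` guard becomes redundant, because an empty dict simply loops zero times. The task also lacks the rule-number prefix and `rule_x.y.z` tag the surrounding auditd tasks carry, and it is tagged `level2-server`/`level2-workstation` although the changelog describes these keys as outside the CIS benchmark yet required for auditd to run, so a run that skips level 2 would silently drop them; a dedicated tag such as `auditd_extra` would be clearer.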

@ -87,6 +87,15 @@
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive"
block: block:
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings"
replace:
path: /etc/login.defs
regexp: "{{ item.regexp }}"
replace: "{{ item.replace }}"
loop:
- { regexp: '(UMASK\s+)0[012][0-6]', replace: '\1 027' }
- { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' }
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
replace: replace:
path: /etc/bashrc path: /etc/bashrc
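Review bot: two problems with the new /etc/login.defs `replace` step. The replacements `\1 027` and `\1 no` add a space after whatever whitespace group 1 already captured, so `UMASK\t\t022` becomes `UMASK\t\t 027`; use `\g<1>027` and `\g<1>no` (the `\g<1>` form is needed because the group reference is followed by a digit). More importantly, neither pattern is anchored to the start of the line, so a commented `#UMASK 022` is rewritten in place while the host's effective umask is unchanged, and a login.defs with no `UMASK` line at all gets nothing added; `lineinfile` with `regexp: '^\s*UMASK\s'` and `line: 'UMASK 027'` (and the same for `USERGROUPS_ENAB`) covers both cases and makes the task idempotent on a non-matching host.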

@ -14,7 +14,7 @@
block: block:
- name: "6.1.1 | AUDIT | Audit system file permissions | Add file discrepancy list to system" - name: "6.1.1 | AUDIT | Audit system file permissions | Add file discrepancy list to system"
copy: copy:
dest: "{{ rhel9cis_rpm_audit_file }}" dest: "{{ rhel9cis_rpm_audit_file }}" # noqa template-instead-of-copy
content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}" content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}"
owner: root owner: root
group: root group: root