diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml
deleted file mode 100644
index 2f63b23..0000000
--- a/tasks/section_5/cis_5.3.x.yml
+++ /dev/null
@@ -1,138 +0,0 @@
----
-
-- name: "5.3.1 | PATCH | Ensure sudo is installed"
- ansible.builtin.package:
- name: sudo
- state: present
- when:
- - rhel9cis_rule_5_3_1
- tags:
- - level1-server
- - level1-workstation
- - patch
- - sudo
- - rule_5.3.1
-
-- name: "5.3.2 | PATCH | Ensure sudo commands use pty"
- ansible.builtin.lineinfile:
- path: /etc/sudoers
- line: "Defaults use_pty"
- validate: '/usr/sbin/visudo -cf %s'
- when:
- - rhel9cis_rule_5_3_2
- tags:
- - level1-server
- - level1-workstation
- - patch
- - sudo
- - rule_5.3.2
-
-- name: "5.3.3 | PATCH | Ensure sudo log file exists"
- ansible.builtin.lineinfile:
- path: /etc/sudoers
- regexp: '^Defaults logfile='
- line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"'
- validate: '/usr/sbin/visudo -cf %s'
- when:
- - rhel9cis_rule_5_3_3
- tags:
- - level1-server
- - level1-workstation
- - patch
- - sudo
- - rule_5.3.3
-
-- name: "5.3.4 | PATCH | Ensure users must provide password for escalation"
- ansible.builtin.replace:
- path: "{{ item }}"
- regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'
- replace: '\1PASSWD\2'
- validate: '/usr/sbin/visudo -cf %s'
- loop: "{{ rhel9cis_sudoers_files.stdout_lines }}"
- when:
- - rhel9cis_rule_5_3_4
- tags:
- - level2-server
- - level2-workstation
- - patch
- - sudo
- - rule_5.3.4
-
-- name: "5.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
- ansible.builtin.replace:
- path: "{{ item }}"
- regexp: '^([^#].*)!authenticate(.*)'
- replace: '\1authenticate\2'
- validate: '/usr/sbin/visudo -cf %s'
- loop: "{{ rhel9cis_sudoers_files.stdout_lines }}"
- when:
- - rhel9cis_rule_5_3_5
- tags:
- - level1-server
- - level1-workstation
- - patch
- - sudo
- - rule_5.3.5
-
-- name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
- block:
- - name: "5.3.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set"
- ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
- changed_when: false
- failed_when: false
- register: rhel9cis_5_3_6_timeout_files
-
- - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
- ansible.builtin.lineinfile:
- path: /etc/sudoers
- regexp: 'Defaults timestamp_timeout='
- line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
- validate: '/usr/sbin/visudo -cf %s'
- when: rhel9cis_5_3_6_timeout_files.stdout | length == 0
-
- - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
- ansible.builtin.replace:
- path: "{{ item }}"
- regexp: 'timestamp_timeout=(\d+)'
- replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
- validate: '/usr/sbin/visudo -cf %s'
- loop: "{{ rhel9cis_5_3_6_timeout_files.stdout_lines }}"
- when: rhel9cis_5_3_6_timeout_files.stdout | length > 0
- when:
- - rhel9cis_rule_5_3_6
- tags:
- - level1-server
- - level1-workstation
- - patch
- - sudo
- - rule_5.3.6
-
-- name: "5.3.7 | PATCH | Ensure access to the su command is restricted"
- block:
-
- - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
- ansible.builtin.group:
- name: "{{ rhel9cis_sugroup }}"
- state: present
- register: rhel9cis_5_3_7_sugroup
-
- - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
- ansible.builtin.lineinfile:
- path: /etc/group
- regexp: '^{{ rhel9cis_sugroup }}(:.:.*:).*$'
- line: '{{ rhel9cis_sugroup }}\g<1>'
- backrefs: true
-
- - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
- ansible.builtin.lineinfile:
- path: /etc/pam.d/su
- regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
- line: 'auth required pam_wheel.so use_uid group={{ rhel9cis_sugroup }}'
- when:
- - rhel9cis_rule_5_3_7
- tags:
- - level1-server
- - level1-workstation
- - patch
- - sudo
- - rule_5.3.7
diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml
deleted file mode 100644
index 7abe1d1..0000000
--- a/tasks/section_5/cis_5.6.1.x.yml
+++ /dev/null
@@ -1,173 +0,0 @@
----
-
-- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
- block:
- - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
- ansible.builtin.lineinfile:
- path: /etc/login.defs
- regexp: '^PASS_MAX_DAYS'
- line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
-
- - name: "5.6.1.1 | AUDIT | Ensure password expiration is 365 days or less | Get existing users PASS_MAX_DAYS"
- ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass['max_days'] }} || $5< {{ rhel9cis_pass['max_days'] }} || $5 == -1)){print $1}' /etc/shadow"
- changed_when: false
- failed_when: false
- register: discovered_max_days
-
- - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS"
- ansible.builtin.user:
- name: "{{ item }}"
- password_expire_max: "{{ rhel9cis_pass['max_days'] }}"
- loop: "{{ discovered_max_days.stdout_lines }}"
- when:
- - discovered_max_days.stdout_lines | length > 0
- - item in discovered_interactive_usernames.stdout
- - rhel9cis_force_user_maxdays
- when:
- - rhel9cis_rule_5_6_1_1
- tags:
- - level1-server
- - level1-workstation
- - patch
- - password
- - rule_5.6.1.1
-
-- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
- block:
- - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is configured | set login.defs"
- ansible.builtin.lineinfile:
- path: /etc/login.defs
- regexp: '^PASS_MIN_DAYS'
- line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
-
- - name: "5.6.1.2 | AUDIT | Ensure minimum days between password changes is configured | Get existing users PASS_MIN_DAYS"
- ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $4< {{ rhel9cis_pass['min_days'] }} {print $1}' /etc/shadow"
- changed_when: false
- failed_when: false
- register: discovered_min_days
-
- - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is configured | Set existing users PASS_MIN_DAYS"
- ansible.builtin.user:
- name: "{{ item }}"
- password_expire_max: "{{ rhel9cis_pass['min_days'] }}"
- loop: "{{ discovered_min_days.stdout_lines }}"
- when:
- - discovered_min_days.stdout_lines | length > 0
- - item in discovered_interactive_usernames.stdout
- - rhel9cis_force_user_mindays
- when:
- - rhel9cis_rule_5_6_1_2
- tags:
- - level1-server
- - level1-workstation
- - patch
- - password
- - rule_5.6.1.2
-
-- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
- block:
- - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | set login.defs"
- ansible.builtin.lineinfile:
- path: /etc/login.defs
- regexp: '^PASS_WARN_AGE'
- line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
-
- - name: "5.6.1.3 | AUDIT | Ensure password expiration warning days is 7 or more | Get existing users WARN_DAYS"
- ansible.builtin.shell: "awk -F: '/^[^:]+:[^!*]/ && $6< {{ rhel9cis_pass['warn_age'] }} {print $1}' /etc/shadow"
- changed_when: false
- failed_when: false
- register: discovered_warn_days
-
- - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more | Set existing users WARN_DAYS"
- ansible.builtin.shell: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
- loop: "{{ discovered_warn_days.stdout_lines }}"
- when:
- - discovered_warn_days.stdout_lines | length > 0
- - item in discovered_interactive_usernames.stdout
- - rhel9cis_force_user_warnage
- when:
- - rhel9cis_rule_5_6_1_3
- tags:
- - level1-server
- - level1-workstation
- - patch
- - password
- - rule_5.6.1.3
-
-- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less"
- block:
- - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings"
- ansible.builtin.shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
- changed_when: false
- failed_when: false
- check_mode: false
- register: rhel9cis_5_6_1_4_inactive_settings
-
- - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
- ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
- when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0
-
- - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
- ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
- changed_when: false
- check_mode: false
- register: rhel9cis_5_6_1_4_user_list
-
- - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
- ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
- loop: "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}"
- when: item in discovered_interactive_usernames.stdout
- when:
- - rhel9cis_rule_5_6_1_4
- tags:
- - level1-server
- - level1-workstation
- - patch
- - password
- - rule_5.6.1.4
-
-- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past"
- block:
- - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time"
- ansible.builtin.shell: echo $(($(date --utc --date "$1" +%s)/86400))
- changed_when: false
- failed_when: false
- check_mode: false
- register: rhel9cis_5_6_1_5_currentut
-
- - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
- ansible.builtin.shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'"
- changed_when: false
- failed_when: false
- check_mode: false
- register: rhel9cis_5_6_1_5_user_list
-
- - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
- ansible.builtin.debug:
- msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
- when:
- - rhel9cis_5_6_1_5_user_list.stdout | length > 0
- - not rhel9cis_futurepwchgdate_autofix
-
- - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count"
- ansible.builtin.import_tasks:
- file: warning_facts.yml
- when:
- - rhel9cis_5_6_1_5_user_list.stdout | length > 0
- - not rhel9cis_futurepwchgdate_autofix
-
- - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
- ansible.builtin.shell: passwd --expire {{ item }}
- when:
- - rhel9cis_5_6_1_5_user_list.stdout | length > 0
- - rhel9cis_futurepwchgdate_autofix
- loop: "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
- vars:
- warn_control_id: '5.6.1.5'
- when:
- - rhel9cis_rule_5_6_1_5
- tags:
- - level1-server
- - level1-workstation
- - patch
- - rule_5.6.1.5