From 22cd20c067de049a75e6647a7909113ff6bd577c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 9 Aug 2024 16:20:14 +0100 Subject: [PATCH 01/43] updated for issue #226 Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.4.x.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index c42f876..dcf8413 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -23,7 +23,7 @@ "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files" ansible.builtin.file: path: "{{ audit_discovered_logfile.stdout }}" - mode: "{% if auditd_logfile.stat.mode != '0600' %}0640{% endif %}" + mode: 'u-x,g-rw,o-rwx' owner: root group: root when: @@ -50,7 +50,7 @@ ansible.builtin.file: path: "{{ audit_discovered_logfile.stdout | dirname }}" state: directory - mode: '0750' + mode: 'g-w,o-rwx' when: not auditlog_dir.stat.mode is match('07(0|5)0') when: - rhel9cis_rule_4_1_4_4 @@ -64,7 +64,7 @@ - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" ansible.builtin.file: path: "{{ item.path }}" - mode: "{{ '0600' if item.mode == '0600' else '0640' }}" + mode: 'u-x,g-wx,u-rwx' loop: "{{ auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" @@ -126,8 +126,7 @@ - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required" ansible.builtin.file: path: "{{ item.item }}" - mode: '0750' - + mode: 'go-w' loop: "{{ audit_bins.results }}" loop_control: label: "{{ item.item }}" From 44aa939e130bc4500ac07e68ed131d7687089b13 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 9 Aug 2024 16:23:37 +0100 Subject: [PATCH 02/43] issue #227 resolved thanks @ckbaker10 Signed-off-by: Mark Bolwell --- tasks/post_remediation_audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
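Review bot: `mode: 'u-x,g-rw,o-rwx'` in the 4.1.4.3 hunk strips group read as well as group write, so a log that was already a compliant 0640 is tightened to 0600 and any group-based reader of the audit log (a log shipper running in the root group, for instance) silently loses access; the 0640 the benchmark asks for is `mode: 'u-x,g-wx,o-rwx'`. If the stricter mode is deliberate, a one-line comment above it saying so would stop the next maintainer from "correcting" it. One caveat when switching from literal to symbolic modes, as the 4.1.4.8 hunk also does with `go-w` on the audit binaries: symbolic modes never clear setuid/setgid/sticky bits, whereas the old `0750` did, so a binary that somehow carried setuid would keep it. The `when:` and `tags:` of these tasks sit outside the hunk.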
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index d58e921..ad5bcb5 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -35,7 +35,7 @@ - audit_format == "documentation" block: - name: Post Audit | Capture audit data if documentation format - ansible.builtin.shell: "tail -2 /opt/audit_ubuntu2204-CIS-UBUNTU22_1720624848.documentation" + ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' ' register: post_audit_summary changed_when: false From 82119205b1d111326ba5ee65c13e7b9d24131fba Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 9 Aug 2024 17:21:36 +0100 Subject: [PATCH 03/43] issue #224 addressed thanks to @globalpayments-shoebsyed Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.4.x.yml | 6 ++++++ tasks/section_4/cis_4.2.3.yml | 2 ++ 2 files changed, 8 insertions(+) diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index dcf8413..2312b03 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -65,6 +65,8 @@ ansible.builtin.file: path: "{{ item.path }}" mode: 'u-x,g-wx,u-rwx' + failed_when: rhel9cis_4_1_4_5_file_list.state not in '[ file, absent ]' + register: rhel9cis_4_1_4_5_file_list loop: "{{ auditd_conf_files.files }}" loop_control: label: "{{ item.path }}" @@ -81,6 +83,8 @@ ansible.builtin.file: path: "{{ item.path }}" owner: root + failed_when: rhel9cis_4_1_4_6_file_list.state not in '[ file, absent ]' + register: rhel9cis_4_1_4_6_file_list loop: "{{ auditd_conf_files.files | default([]) }}" loop_control: label: "{{ item.path }}" @@ -97,6 +101,8 @@ ansible.builtin.file: path: "{{ item.path }}" group: root + failed_when: rhel9cis_4_1_4_7_file_list.state not in '[ file, absent ]' + register: rhel9cis_4_1_4_7_file_list loop: "{{ auditd_conf_files.files | default([]) }}" loop_control: label: "{{ item.path }}" 
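Review bot: The templated path in `tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '` is interpolated into a shell command without escaping, and `post_audit_outfile` is built from `ansible_facts.hostname` (visible as context in the vars/audit.yml hunk of patch 09), a value the managed host controls; a hostname containing `"` or `$(...)` would break or inject into the command. Pass it through the quote filter: `ansible.builtin.shell: tail -2 {{ post_audit_outfile | quote }} | tac | tr '\n' ' '`. Separately, without pipefail the task succeeds with an empty summary when the file does not exist, because only the exit status of `tr` is seen; prefixing `set -o pipefail &&` together with `args: executable: /bin/bash` surfaces that. The task's `when` and the enclosing block are outside the hunk.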
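Review bot: `failed_when: rhel9cis_4_1_4_5_file_list.state not in '[ file, absent ]'` tests substring membership in a string, not membership in a list, so it works only by accident (`file` happens to be a substring): a state such as `link` or `hard` fails the task while any substring of that text would pass. The intended form is `failed_when: rhel9cis_4_1_4_5_file_list.state not in ['file', 'absent']`, and the same applies to the 4.1.4.6 and 4.1.4.7 hunks. Note also that the module has already applied `mode: 'u-x,g-wx,u-rwx'` (or `owner`/`group`) before `failed_when` is evaluated, so a directory that reaches `auditd_conf_files.files` loses its execute bits and then the play aborts; filtering up front, presumably `file_type: file` on the find that registers `auditd_conf_files` (outside this hunk), prevents the change instead of reporting it afterwards.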
diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index 823975a..42bb419 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -14,6 +14,8 @@ ansible.builtin.file: path: "{{ item.path }}" mode: "{{ '0600' if item.mode == '0600' else '0640' }}" + failed_when: rhel9cis_4_2_3_file_list.state not in '[ file, absent ]' + register: rhel9cis_4_2_3_file_list loop: "{{ logfiles.files }}" loop_control: label: "{{ item.path }}" From 3c08540062fba3c3764a0d8b2f85ee97df9cf25b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 9 Aug 2024 17:21:47 +0100 Subject: [PATCH 04/43] improved 6.1.10 Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index ef3d3b3..87c7a1a 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -150,7 +150,7 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist" block: - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" - ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser + ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser -not -fstype nfs changed_when: false failed_when: false check_mode: false 
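Review bot: Same issue as in cis_4.1.4.x: `failed_when: rhel9cis_4_2_3_file_list.state not in '[ file, absent ]'` is a substring test on a string; use the list form `not in ['file', 'absent']`. Because `mode:` is applied before the condition is evaluated, a directory in `logfiles.files` would still be chmod'd to 0640 (losing its execute bit) before the task fails, so the guard belongs on the loop (for example `when: item.isreg`, if `logfiles` comes from a `find` — that task is outside this hunk) rather than after the fact.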
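Review bot: `-not -fstype nfs` in the 6.1.10 find will not exclude NFSv4 mounts, which find reports as `nfs4`; if the aim is to skip network filesystems, use `-not \( -fstype nfs -o -fstype nfs4 \)` or, more robustly, filter the mount list on `item.fstype` before calling find. Since the loop already restricts itself to `item['device'].startswith('/dev')` (context in the following hunk) and `-xdev` stops at mount boundaries, a short comment stating which case the new predicate is actually for would help, because as written it is hard to see when it fires. The task's `loop` and `when` are outside this hunk.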
@@ -162,26 +162,21 @@ - item['device'].startswith('/dev') - not 'bind' in item['options'] - - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | set fact" + - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use" ansible.builtin.set_fact: - rhel_09_6_1_10_unowned_files_found: true - loop: "{{ rhel_09_6_1_10_audit.results }}" - when: - - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - - item.stdout | length > 0 + discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | map(attribute='stdout_lines') | flatten }}" - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: - msg: "Warning!! Missing owner on items in {{ rhel_09_6_1_10_audit.stdout_lines }}" - when: rhel_09_6_1_10_unowned_files_found + msg: "Warning!! Missing owner on items in {{ discovered_unowned_files_flatten }}" + when: discovered_unowned_files_flatten | length > 0 - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | warning" ansible.builtin.import_tasks: file: warning_facts.yml vars: warn_control_id: '6.1.10' - when: rhel_09_6_1_10_unowned_files_found + when: discovered_unowned_files_flatten | length > 0 vars: rhel_09_6_1_10_unowned_files_found: false when: From 82c1137b94287abcbd4a1214571896ecf55ffe8b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 9 Aug 2024 17:33:01 +0100 Subject: [PATCH 05/43] updated logic 6.1.11 Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.1.x.yml | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 87c7a1a..a0e8dd6 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml 
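Review bot: `rhel_09_6_1_10_audit.results | map(attribute='stdout_lines') | flatten` raises an undefined-attribute error as soon as one mount is skipped by the loop's `when`, because skipped items are still present in `results` but carry no `stdout_lines` — exactly the case the removed comment (`skipped items are part of results list, but don't have the registered module properties`) was guarding against. Filter first: `discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}"`. The find task that registers `rhel_09_6_1_10_audit` starts outside this hunk.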
@@ -177,8 +177,6 @@ vars: warn_control_id: '6.1.10' when: discovered_unowned_files_flatten | length > 0 - vars: - rhel_09_6_1_10_unowned_files_found: false when: - rhel9cis_rule_6_1_10 tags: @@ -204,28 +202,21 @@ - item['device'].startswith('/dev') - not 'bind' in item['options'] - - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | set fact" + - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Flatten no_user_items results for easier use" ansible.builtin.set_fact: - rhel_09_6_1_11_ungrouped_files_found: true - loop: "{{ rhel_09_6_1_11_audit.results }}" - when: - - item | length > 0 - - item.stdout is defined # skipped items are part of results list, but don't have the registered module properties - - item.stdout | length > 0 + discovered_ungrouped_files_flatten: "{{ rhel_09_6_1_11_audit.results | map(attribute='stdout_lines') | flatten }}" - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: - msg: "Warning!! Missing group on items in {{ rhel_09_6_1_11_audit.stdout_lines }}" - when: rhel_09_6_1_11_ungrouped_files_found + msg: "Warning!! Missing group on items in {{ discovered_ungrouped_files_flatten }}" + when: discovered_ungrouped_files_flatten | length > 0 - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning" ansible.builtin.import_tasks: file: warning_facts.yml vars: warn_control_id: '6.1.11' - when: rhel_09_6_1_11_ungrouped_files_found - vars: - rhel_09_6_1_11_ungrouped_files_found: false + when: discovered_ungrouped_files_flatten | length > 0 when: - rhel9cis_rule_6_1_11 tags: From a0fd194ef449cf6aebdf3c2bed0464f42ee82d30 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 12 Aug 2024 10:47:38 +0100 Subject: [PATCH 06/43] fixed typo on 4.1.4.5 Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.1.4.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
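Review bot: As with 6.1.10, `map(attribute='stdout_lines')` over `rhel_09_6_1_11_audit.results` fails on the entries the loop skipped (they have no `stdout_lines`), so the task errors on any host where a mount does not satisfy the find task's `when`. Use `discovered_ungrouped_files_flatten: "{{ rhel_09_6_1_11_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}"`. The find task that registers `rhel_09_6_1_11_audit` is outside this hunk.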
diff --git a/tasks/section_4/cis_4.1.4.x.yml b/tasks/section_4/cis_4.1.4.x.yml index 2312b03..79c0f23 100644 --- a/tasks/section_4/cis_4.1.4.x.yml +++ b/tasks/section_4/cis_4.1.4.x.yml @@ -64,7 +64,7 @@ - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive" ansible.builtin.file: path: "{{ item.path }}" - mode: 'u-x,g-wx,u-rwx' + mode: 'u-x,g-wx,o-rwx' failed_when: rhel9cis_4_1_4_5_file_list.state not in '[ file, absent ]' register: rhel9cis_4_1_4_5_file_list loop: "{{ auditd_conf_files.files }}" From 8fe700fea79eb7dd429126d8e7567ea9eb7ce69e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 12 Aug 2024 21:38:52 +0100 Subject: [PATCH 07/43] removed jmespath reference Signed-off-by: Mark Bolwell --- .config/requirements.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/.config/requirements.txt b/.config/requirements.txt index 52cb84d..ba7d83b 100644 --- a/.config/requirements.txt +++ b/.config/requirements.txt @@ -1,5 +1,4 @@ passlib lxml xmltodict -jmespath yamllint From 383d2d410cb8ba0c17869679c6fce887221f1507 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 12 Aug 2024 21:39:03 +0100 Subject: [PATCH 08/43] updated to fix output Signed-off-by: Mark Bolwell --- tasks/audit_only.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/audit_only.yml b/tasks/audit_only.yml index 864f5bb..ab5a573 100644 --- a/tasks/audit_only.yml +++ b/tasks/audit_only.yml @@ -22,7 +22,7 @@ when: - audit_only ansible.builtin.debug: - msg: "The Audit results are: {{ pre_audit_summary }}." + msg: "{{ audit_results.split('\n') }}" - name: Audit_only | Stop Playbook Audit Only selected when: From e510607fb6a55bec1a41a2c80a5cb3ec36048321 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 13 Aug 2024 11:12:38 +0100 Subject: [PATCH 09/43] updated audit and arm64 audit support Signed-off-by: Mark Bolwell --- tasks/LE_audit_setup.yml | 2 +- vars/audit.yml | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) 
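Review bot: `msg: "{{ audit_results.split('\n') }}"` references `audit_results`, which nothing in this hunk defines — the removed line used `pre_audit_summary` — so confirm a task registers or sets it before this debug runs under `audit_only`; if it can be missing, the debug now aborts the audit-only run instead of printing a summary. Calling the Python `.split` method also assumes a string; a guarded form such as `msg: "{{ (audit_results | default('')).split('\n') }}"` degrades to an empty list rather than failing. The task's `name` and `when: audit_only` are partly outside the hunk.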
diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml index 7ef94b4..08d047d 100644 --- a/tasks/LE_audit_setup.yml +++ b/tasks/LE_audit_setup.yml @@ -10,7 +10,7 @@ - name: Pre Audit Setup | Set audit package name | ARM64 ansible.builtin.set_fact: audit_pkg_arch_name: ARM64 - when: ansible_facts.machine == "arm64" + when: ansible_facts.machine == "aarch64" - name: Pre Audit Setup | Download audit binary ansible.builtin.get_url: diff --git a/vars/audit.yml b/vars/audit.yml index 9dc666a..e677d8e 100644 --- a/vars/audit.yml +++ b/vars/audit.yml @@ -26,8 +26,9 @@ post_audit_outfile: "{{ audit_log_dir }}/{{ ansible_facts.hostname }}-{{ benchma ### Audit binary settings ### audit_bin_version: - release: v0.4.4 - AMD64_checksum: 'sha256:1c4f54b22fde9d4d5687939abc2606b0660a5d14a98afcd09b04b793d69acdc5' + release: v0.4.8 + AMD64_checksum: 'sha256:85d00b7bba5f175bec95de7dfe1f71f8f25204914aad4c6f03c8457868eb6e2f' + ARM64_checksum: 'sha256:bca8c898bfd35b94c51455ece6193c95e2cd7b2b183ac2047b2d76291e73e47d' audit_bin_path: /usr/local/bin/ audit_bin: "{{ audit_bin_path }}goss" audit_format: json From 27ee4a81673e769958e6f58c88b8b8667ce14471 Mon Sep 17 00:00:00 2001 From: Michael Hicks Date: Wed, 14 Aug 2024 20:29:44 -0700 Subject: [PATCH 10/43] added calls to sshd restart handler to fix #230 Signed-off-by: Michael Hicks --- tasks/section_5/cis_5.2.x.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index ac62767..3c34413 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -125,6 +125,7 @@ regexp: "^#LogLevel|^LogLevel" line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' validate: sshd -t -f %s + notify: Restart sshd when: - rhel9cis_rule_5_2_5 tags: @@ -140,6 +141,7 @@ regexp: "^#UsePAM|^UsePAM" line: 'UsePAM yes' validate: sshd -t -f %s + notify: Restart sshd when: - rhel9cis_rule_5_2_6 tags: 
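Review bot: The two new SHA-256 values for goss v0.4.8 carry no provenance, so a reviewer cannot tell whether they were copied from the upstream release's published checksums or computed from a locally downloaded binary; add a comment above `audit_bin_version` naming the source (the v0.4.8 release assets) so the pin can be re-verified, and re-check both values against that source before merging since nothing here lets me confirm them. The `get_url` task in LE_audit_setup.yml that should consume the `ARM64_checksum`/`AMD64_checksum` entry is outside the hunk — confirm it actually passes `checksum:` for both architectures, otherwise the new ARM64 value is decorative and an unverified binary lands in `/usr/local/bin/`.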
@@ -162,6 +164,7 @@ ansible.builtin.file: path: /etc/ssh/sshd_config.d/01-permitrootlogin.conf state: absent + notify: Restart sshd when: - rhel9cis_rule_5_2_7 tags: @@ -177,6 +180,7 @@ regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" line: 'HostbasedAuthentication no' validate: sshd -t -f %s + notify: Restart sshd when: - rhel9cis_rule_5_2_8 tags: @@ -192,6 +196,7 @@ regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" line: 'PermitEmptyPasswords no' validate: sshd -t -f %s + notify: Restart sshd when: - rhel9cis_rule_5_2_9 tags: @@ -207,6 +212,7 @@ regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" line: 'PermitUserEnvironment no' validate: sshd -t -f %s + notify: Restart sshd when: - rhel9cis_rule_5_2_10 tags: @@ -222,6 +228,7 @@ regexp: "^#IgnoreRhosts|^IgnoreRhosts" line: 'IgnoreRhosts yes' validate: sshd -t -f %s + notify: Restart sshd when: - rhel9cis_rule_5_2_11 tags: @@ -240,6 +247,7 @@ regexp: "^#X11Forwarding|^X11Forwarding" line: 'X11Forwarding no' validate: sshd -t -f %s + notify: Restart sshd - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled | override" ansible.builtin.lineinfile: @@ -247,6 +255,7 @@ regexp: "^#X11Forwarding|^X11Forwarding" line: 'X11Forwarding no' validate: sshd -t -f %s + notify: Restart sshd when: - rhel9cis_rule_5_2_12 tags: @@ -262,6 +271,7 @@ regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" line: 'AllowTcpForwarding no' validate: sshd -t -f %s + notify: Restart sshd when: - rhel9cis_rule_5_2_13 tags: @@ -297,6 +307,7 @@ path: "{{ rhel9_cis_sshd_config_file }}" regexp: '^Banner' line: 'Banner /etc/issue.net' + notify: Restart sshd when: - rhel9cis_rule_5_2_15 tags: @@ -312,6 +323,7 @@ regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries 4' validate: sshd -t -f %s + notify: Restart sshd when: - rhel9cis_rule_5_2_16 tags: @@ -327,6 +339,7 @@ regexp: "^#MaxStartups|^MaxStartups" line: 'MaxStartups 10:30:60' validate: sshd -t -f %s + notify: Restart sshd when: - rhel9cis_rule_5_2_17 tags: 
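Review bot: The 5.2.15 Banner task is the only one in this set that gains `notify: Restart sshd` without also having `validate: sshd -t -f %s`, so an edit that leaves the config unparsable now reaches a live restart unchecked; add `validate: sshd -t -f %s` alongside the new notify. A related caveat for all the lineinfile tasks here: `regexp: '^Banner'` (and the `^ClientAliveInterval` / `^ClientAliveCountMax` patterns in the next hunk) match only uncommented directives, so on a file that has just `#Banner none` the line is appended at the end, and if the file ends in a `Match` block the directive becomes part of that block — `sshd -t` accepts that silently. `insertbefore: BOF` avoids it. Each task's `when`/`tags` lies outside the hunk.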
@@ -342,6 +355,7 @@ regexp: "^#MaxSessions|^MaxSessions" line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' validate: sshd -t -f %s + notify: Restart sshd when: - rhel9cis_rule_5_2_18 tags: @@ -357,6 +371,7 @@ regexp: "^#LoginGraceTime|^LoginGraceTime" line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" validate: sshd -t -f %s + notify: Restart sshd when: - rhel9cis_rule_5_2_19 tags: @@ -374,6 +389,7 @@ regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" validate: sshd -t -f %s + notify: Restart sshd - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" ansible.builtin.lineinfile: @@ -381,6 +397,7 @@ regexp: '^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" validate: sshd -t -f %s + notify: Restart sshd when: - rhel9cis_rule_5_2_20 tags: From e05c2f32411e01cc60b814cb86b330f073fc7e56 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 21 Aug 2024 11:11:10 +0100 Subject: [PATCH 11/43] added fix for #232 thanks to @Arkhenys Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.2.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index 740f820..fd1961f 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -123,7 +123,7 @@ local2,local3.* -/var/log/localmessages local4,local5.* -/var/log/localmessages local6,local7.* -/var/log/localmessages - *.emrg :omusrmsg:* + *.emerg :omusrmsg:* insertafter: '#### RULES ####' notify: Restart rsyslog From b368d8bf7c767fa7556eece953b4d1a5ac9c6639 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 22 Aug 2024 09:13:53 +0100 Subject: [PATCH 12/43] Fix link to Changelog.md in README.md Signed-off-by: Mark Goddard --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f8f3680..3260cb0 100644 
--- a/README.md +++ b/README.md @@ -78,7 +78,7 @@ The control found in the `defaults` main also needs to reflect this, as this con CIS release always contains changes, it is highly recommended to review the new references and available variables. This has changed significantly since the ansible-lockdown initial release. This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites which configure the system accordingly. -Further details can be seen in the [Changelog](./ChangeLog.md) +Further details can be seen in the [Changelog](./Changelog.md) ## Auditing (new) From 2d2f2817330d3788dff46d9bfa61d25a941ec0d1 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 6 Sep 2024 14:32:48 +0100 Subject: [PATCH 13/43] made ssh_config file tage always Signed-off-by: Mark Bolwell --- tasks/prelim.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 0db27d3..d88a338 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -251,9 +251,7 @@ - rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config' - "'openssh-server' in ansible_facts.packages" tags: - - ssh - - level1_server - - level1_workstation + - always - name: "PRELIM | 5.3.4 | Find all sudoers files." ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" From 3cdd2a0368755bd93be5b9e8d2f4db3052f1174f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 6 Sep 2024 14:40:52 +0100 Subject: [PATCH 14/43] updated var naming from rhel9_cis to rhel9cis Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- tasks/prelim.yml | 4 +-- tasks/section_5/cis_5.2.x.yml | 40 +++++++++++++++--------------- templates/ansible_vars_goss.yml.j2 | 2 +- 4 files changed, 24 insertions(+), 24 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 117933e..622af55 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
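Review bot: Tagging this task `always` means the `state: touch` on `rhel9_cis_sshd_config_file` now runs on every invocation, including runs scoped with `--tags` to sections unrelated to SSH, and because `touch` updates timestamps it reports `changed` each time, which breaks idempotence checks. If the intent is only to guarantee the drop-in exists as root:root 0600, add `modification_time: preserve` and `access_time: preserve` so an existing file is left untouched, and add a comment stating why it must run under `always` (the 5.2.x tasks write to this path). The task's `ansible.builtin.file` arguments are outside the hunk.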
@@ -962,7 +962,7 @@ rhel9cis_logrotate: "daily" # This value, containing the absolute filepath of the produced 'sshd' config file, allows usage of # drop-in files('/etc/ssh/ssh_config.d/{ssh_drop_in_name}.conf', supported by RHEL9) when CIS adopts them. # Otherwise, the default value is '/etc/ssh/ssh_config'. -rhel9_cis_sshd_config_file: /etc/ssh/sshd_config +rhel9cis_sshd_config_file: /etc/ssh/sshd_config ## Controls: ## - 5.2.4 - Ensure SSH access is limited diff --git a/tasks/prelim.yml b/tasks/prelim.yml index d88a338..1db6db5 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -242,13 +242,13 @@ # Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config - name: "PRELIM | Section 5.2 | SSH" ansible.builtin.file: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" owner: root group: root mode: '0600' state: touch when: - - rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config' + - rhel9cis_sshd_config_file != '/etc/ssh/sshd_config' - "'openssh-server' in ansible_facts.packages" tags: - always diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 3c34413..d6c6bf9 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -77,7 +77,7 @@ block: - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^AllowUsers" line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}" validate: sshd -t -f %s @@ -86,7 +86,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^AllowGroups" line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}" validate: sshd -t -f %s 
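Review bot: Renaming `rhel9_cis_sshd_config_file` to `rhel9cis_sshd_config_file` silently ignores any inventory or extra-vars override that used the old name: such a user falls back to `/etc/ssh/sshd_config` while the drop-in they previously pointed at stays in place, and since the stock RHEL 9 sshd_config includes `sshd_config.d/*.conf` first and sshd keeps the first value seen (worth verifying on the target image), a stale drop-in would keep overriding the settings the 5.2.x tasks now write. Keep a compatibility fallback for a release, e.g. `rhel9cis_sshd_config_file: "{{ rhel9_cis_sshd_config_file | default('/etc/ssh/sshd_config') }}"`, and call the rename out in the changelog. The comment above the variable also still says the default is `/etc/ssh/ssh_config` (the client config) where it means `/etc/ssh/sshd_config`.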
@@ -95,7 +95,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^DenyUsers" line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}" validate: sshd -t -f %s @@ -104,7 +104,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^DenyGroups" line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}" validate: sshd -t -f %s @@ -121,7 +121,7 @@ - name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^#LogLevel|^LogLevel" line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' validate: sshd -t -f %s @@ -137,7 +137,7 @@ - name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^#UsePAM|^UsePAM" line: 'UsePAM yes' validate: sshd -t -f %s @@ -155,7 +155,7 @@ block: - name: "5.2.7 | PATCH | Ensure SSH root login is disabled | config file" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^#PermitRootLogin|^PermitRootLogin" line: 'PermitRootLogin no' validate: sshd -t -f %s @@ -176,7 +176,7 @@ - name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" line: 'HostbasedAuthentication no' validate: sshd -t -f %s 
@@ -192,7 +192,7 @@ - name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" line: 'PermitEmptyPasswords no' validate: sshd -t -f %s @@ -208,7 +208,7 @@ - name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" line: 'PermitUserEnvironment no' validate: sshd -t -f %s @@ -224,7 +224,7 @@ - name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^#IgnoreRhosts|^IgnoreRhosts" line: 'IgnoreRhosts yes' validate: sshd -t -f %s @@ -243,7 +243,7 @@ - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled | config file" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^#X11Forwarding|^X11Forwarding" line: 'X11Forwarding no' validate: sshd -t -f %s @@ -267,7 +267,7 @@ - name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" line: 'AllowTcpForwarding no' validate: sshd -t -f %s @@ -304,7 +304,7 @@ - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: '^Banner' line: 'Banner /etc/issue.net' notify: Restart sshd 
@@ -319,7 +319,7 @@ - name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries 4' validate: sshd -t -f %s @@ -335,7 +335,7 @@ - name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^#MaxStartups|^MaxStartups" line: 'MaxStartups 10:30:60' validate: sshd -t -f %s @@ -351,7 +351,7 @@ - name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^#MaxSessions|^MaxSessions" line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' validate: sshd -t -f %s @@ -367,7 +367,7 @@ - name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: "^#LoginGraceTime|^LoginGraceTime" line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" validate: sshd -t -f %s @@ -385,7 +385,7 @@ block: - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" validate: sshd -t -f %s @@ -393,7 +393,7 @@ - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" ansible.builtin.lineinfile: - path: "{{ rhel9_cis_sshd_config_file }}" + path: "{{ rhel9cis_sshd_config_file }}" regexp: '^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" validate: sshd -t -f %s 
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index f3b8a98..e639bef 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -462,7 +462,7 @@ rhel9cis_syslog: {{ rhel9cis_syslog }} # Section 5 # This will allow use of drop in files when CIS adopts them. -rhel9_cis_sshd_config_file: {{ rhel9_cis_sshd_config_file }} +rhel9_cis_sshd_config_file: {{ rhel9cis_sshd_config_file }} ## 5.2.4 Note the following to understand precedence and layout rhel9cis_sshd_limited: false From 078c091232b7997444e24e2b83a599e1263073c7 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 12 Sep 2024 14:39:19 +0100 Subject: [PATCH 15/43] removed unneccesary vars Signed-off-by: Mark Bolwell --- defaults/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 622af55..0b24c57 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -49,15 +49,10 @@ rhel9cis_selinux_disable: false # UEFI boot('/etc/grub2-efi.cfg') or in case of BIOS legacy-boot('/etc/grub2.cfg'). rhel9cis_legacy_boot: false -## Python Binary -## This is used for python3 Installations where python2 OS modules are used in ansible -python2_bin: /bin/python2.7 - ## Benchmark name used by audting control role # The audit variable found at the base ## metadata for Audit benchmark benchmark_version: 'v1.0.0' - benchmark: RHEL9-CIS # Whether to skip the system reboot before audit From 9d8cef3c30c1c69aa8efcbd7e9f6b400e5a138a6 Mon Sep 17 00:00:00 2001 
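Review bot: The template key `rhel9_cis_sshd_config_file:` keeps the old name while its value now reads `rhel9cis_sshd_config_file`, so the goss variable file and the role disagree on the name; if the goss checks in the audit repository look up the new name this is a silent break, and if they look up the old one the mismatch deserves a comment such as `# key name is pinned by the audit benchmark's goss vars; do not rename` so nobody "fixes" it later. I cannot see the goss side from here, so verify which name it reads.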
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 16 Sep 2024 17:48:44 +0000 Subject: [PATCH 16/43] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.18.4 → v8.19.2](https://github.com/gitleaks/gitleaks/compare/v8.18.4...v8.19.2) - [github.com/ansible-community/ansible-lint: v24.7.0 → v24.9.0](https://github.com/ansible-community/ansible-lint/compare/v24.7.0...v24.9.0) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 260cffe..f009319 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,13 +37,13 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.18.4 + rev: v8.19.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.7.0 + rev: v24.9.0 hooks: - id: ansible-lint name: Ansible-lint From b12b5dcf5004b14af5ebca9bff583f7b5e05e27a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 19 Sep 2024 12:38:49 +0100 Subject: [PATCH 17/43] Added gui discovery and updated comments Signed-off-by: Mark Bolwell --- defaults/main.yml | 10 ++++------ tasks/prelim.yml | 7 +++++++ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0b24c57..5b1b81c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -521,6 +521,10 @@ rhel9cis_selinux_pol: targeted rhel9cis_selinux_enforce: enforcing # Whether or not to run tasks related to auditing/patching the desktop environment +## Control 1.8.1-10 +# This variable governs whether rules dealing with GUI specific packages(and/or their settings) +# Discovered value can be overridden to true is required +rhel9stig_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}" ## Section 2. Services @@ -562,12 +566,6 @@ rhel9cis_chrony_server_minsources: 2 # Set the respective variable to true to keep the service, # otherwise the service is stopped and disabled -## Control 1.8.10-10, 2.2.1 -# This variable governs whether rules dealing with GUI specific packages(and/or their settings) should -# be executed either to: -# - secure GDM, if GUI is needed('rhel9cis_gui: true') -# - or remove GDM and X-Windows-system, if no GUI is needed('rhel9cis_gui: false') -rhel9cis_gui: false ## Control 2.2.2 - Ensure Avahi Server is not installed # This variable, when set to false, will specify that Avahi Server packages should be uninstalled. rhel9cis_avahi_server: false diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1db6db5..13afd85 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -190,6 +190,13 @@ - rhel9cis_force_gpg_key_import - ansible_facts.distribution == 'RedHat' +- name: "PRELIM | Discover Gnome Desktop Environment" + ansible.builtin.stat: + path: /usr/share/gnome/gnome-version.xml + register: prelim_gnome_present + tags: + - always + - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)" ansible.builtin.package: name: audit From 810d0e639f6ed100b6f5ebc163f00ddb04a3601d Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 23 Sep 2024 09:33:57 +0100 Subject: [PATCH 18/43] updated typo for gui default Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 5b1b81c..e3dc9b5 100644 
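Review bot: The comment block introducing the discovered GUI variable in defaults/main.yml is an unfinished sentence ("This variable governs whether rules dealing with GUI specific packages(and/or their settings)") and has a typo ("overridden to true is required"), while the removed `rhel9cis_gui` comment that explained the two outcomes (secure GDM when true, remove GDM and the X window system when false) is not carried over. Because the new default is derived from `prelim_gnome_present.stat.exists`, a host whose GNOME install does not ship the probed file would silently fall into the removal branch, so that consequence deserves to be stated next to the variable. I would replace the three comment lines with something like `# true  -> keep and harden GDM; false -> GDM and X-Windows are removed (CIS 1.8.x, 2.2.1)`, `# Default is auto-discovered in prelim.yml; override to true if the discovery is wrong for your hosts`. The variable name typo on the new line (`rhel9stig_gui`) is corrected by the following patch in this series.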
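Review bot: The new "PRELIM | Discover Gnome Desktop Environment" task decides GUI presence from a single file, `/usr/share/gnome/gnome-version.xml`, and nothing in the task records why that path was chosen or what a miss implies. A comment above the task such as `# Heuristic: gnome-version.xml is installed by the gnome-desktop package; absence is taken to mean no GUI, which drives GDM removal via rhel9cis_gui` would make the assumption reviewable. If `ansible_facts.packages` is already gathered earlier in prelim, checking for the `gdm` package there would be a more direct signal, but I cannot see from this hunk whether that fact is collected.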
--- a/defaults/main.yml +++ b/defaults/main.yml @@ -524,7 +524,7 @@ rhel9cis_selinux_enforce: enforcing ## Control 1.8.1-10 # This variable governs whether rules dealing with GUI specific packages(and/or their settings) # Discovered value can be overridden to true is required -rhel9stig_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}" +rhel9cis_gui: "{{ prelim_gnome_present.stat.exists | default(false) }}" ## Section 2. Services From 93f136f5263ad18e61e93acb8b64dcbcc99e9de8 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 23 Sep 2024 17:49:02 +0000 Subject: [PATCH 19/43] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.9.0 → v24.9.2](https://github.com/ansible-community/ansible-lint/compare/v24.9.0...v24.9.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f009319..51202b8 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -43,7 +43,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.9.0 + rev: v24.9.2 hooks: - id: ansible-lint name: Ansible-lint From 506433ee46eb23bc4f080152397bdbf84be4521b Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 30 Sep 2024 17:52:58 +0000 Subject: [PATCH 20/43] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.19.2 → v8.19.3](https://github.com/gitleaks/gitleaks/compare/v8.19.2...v8.19.3) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 51202b8..f4fb400 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,7 +37,7 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.19.2 + rev: v8.19.3 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From 0f94ed9637c884acddcdf2aeab18be196899bb0e Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 7 Oct 2024 18:26:50 +0000 Subject: [PATCH 21/43] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/pre-commit-hooks: v4.6.0 → v5.0.0](https://github.com/pre-commit/pre-commit-hooks/compare/v4.6.0...v5.0.0) - [github.com/gitleaks/gitleaks: v8.19.3 → v8.20.0](https://github.com/gitleaks/gitleaks/compare/v8.19.3...v8.20.0) --- .pre-commit-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f4fb400..cf8c7b9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v5.0.0 hooks: # Safety - id: detect-aws-credentials @@ -37,7 +37,7 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.19.3 + rev: v8.20.0 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From 41bc1e2aa07e6ec3d8c98ea1d497d6aa6668faa5 Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 14 Oct 2024 17:59:52 +0000 Subject: [PATCH 22/43] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.20.0 → v8.20.1](https://github.com/gitleaks/gitleaks/compare/v8.20.0...v8.20.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cf8c7b9..bedf1b3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,7 +37,7 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.20.0 + rev: v8.20.1 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From ef00aa00b30cbdb4df508fa98e197eebcd39be12 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 21 Oct 2024 17:54:56 +0000 Subject: [PATCH 23/43] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.20.1 → v8.21.1](https://github.com/gitleaks/gitleaks/compare/v8.20.1...v8.21.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index bedf1b3..8f6c2b3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,7 +37,7 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.20.1 + rev: v8.21.1 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From aee4c2a25ebcb19205c7803236997153efc0c8bd Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 28 Oct 2024 18:01:21 +0000 Subject: [PATCH 24/43] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.21.1 → v8.21.2](https://github.com/gitleaks/gitleaks/compare/v8.21.1...v8.21.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8f6c2b3..300b2e2 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -37,7 +37,7 @@ repos: exclude: .config/.gitleaks-report.json - repo: https://github.com/gitleaks/gitleaks - rev: v8.21.1 + rev: v8.21.2 hooks: - id: gitleaks args: ['--baseline-path', '.config/.gitleaks-report.json'] From 988c42f8aacd2dcfbb4360bcda78522a9974d333 Mon Sep 17 00:00:00 2001 From: yinggs Date: Wed, 30 Oct 2024 17:48:51 +0800 Subject: [PATCH 25/43] Added selectattr filter to fix #249 Signed-off-by: yinggs --- tasks/section_6/cis_6.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index a0e8dd6..a89c16c 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -164,7 +164,7 @@ - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Flatten no_user_items results for easier use" ansible.builtin.set_fact: - discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | map(attribute='stdout_lines') | flatten }}" + discovered_unowned_files_flatten: "{{ rhel_09_6_1_10_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}" - name: "6.1.10 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" ansible.builtin.debug: 
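Review bot: The `selectattr('stdout_lines', 'defined')` filter on the `discovered_unowned_files_flatten` fact has no comment explaining why an item of `rhel_09_6_1_10_audit.results` could lack `stdout_lines`, so the next reader may remove it as redundant. Presumably the audit loop skips some items (skipped results carry no `stdout_lines`), which is what the filter guards against; a one-line comment above the `set_fact`, `# skipped loop items carry no stdout_lines; filter them before flattening`, would record that. The same applies to the identical change for `discovered_ungrouped_files_flatten` in the 6.1.11 hunk that follows.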
@@ -204,7 +204,7 @@ - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Flatten no_user_items results for easier use" ansible.builtin.set_fact: - discovered_ungrouped_files_flatten: "{{ rhel_09_6_1_11_audit.results | map(attribute='stdout_lines') | flatten }}" + discovered_ungrouped_files_flatten: "{{ rhel_09_6_1_11_audit.results | selectattr('stdout_lines', 'defined') | map(attribute='stdout_lines') | flatten }}" - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" ansible.builtin.debug: From 272ac4efb42fd773f83cc5cc52916e8c93877065 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Nov 2024 16:57:27 +0000 Subject: [PATCH 26/43] updated to enable greater idempotence on filemounts Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.7.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index d113361..a123426 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -32,7 +32,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_7_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_7_3) %},nosuid{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" From efd86bf8052d0f8d0c12c344d20170a8e2aac1d8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Nov 2024 17:01:46 +0000 Subject: [PATCH 27/43] updated for first interaction step Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
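Review bot: The new `opts:` value for the /home mount in cis_1.1.7.x.yml starts from `item.options`, which in `ansible_facts.mounts` is the live option string of the mounted filesystem (as reported from /proc/mounts), not the options configured in /etc/fstab. With `state: present` that rewrites the fstab entry with runtime options such as `relatime` or the SELinux pseudo-option `seclabel`; `seclabel` is kernel-reported and, to my knowledge, rejected by mount when it appears in fstab, which would make the entry fail on the next boot or remount. The `'nodev' not in item.options` tests are also substring checks on a comma-separated string; splitting first, e.g. `{% set opts = item.options.split(',') %}` and then `'nodev' not in opts`, gives exact option matching. The same pattern is repeated in the next patch of this series for cis_1.1.2.x.yml, cis_1.1.3.x.yml, cis_1.1.4.x.yml, cis_1.1.5.x.yml and cis_1.1.6.x.yml (and for cis_1.1.8.x.yml, which is later reverted); deriving the base options from the existing fstab entry, or at least stripping kernel-only pseudo-options, would be safer in all of them.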
diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 912b3db..c9328cb 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -27,7 +27,7 @@ jobs: # This will create messages for first time contributers and direct them to the Discord server welcome: - runs-on: self-hosted + runs-on: ubuntu-latest steps: - uses: actions/first-interaction@main From bb631b10dbe470e3679715640e15de83b3ec62e8 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Nov 2024 15:43:44 +0000 Subject: [PATCH 28/43] improved idempotence on mount point options Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.2.x.yml | 2 +- tasks/section_1/cis_1.1.3.x.yml | 4 +--- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.5.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 2 +- tasks/section_1/cis_1.1.8.x.yml | 2 +- 6 files changed, 6 insertions(+), 8 deletions(-) diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index 10d6d2d..861e679 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -32,7 +32,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_4) %},nosuid{% endif %}" notify: Remount tmp loop: "{{ ansible_facts.mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 3a64a06..423b15c 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml 
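Review bot: Moving the `welcome` job off `self-hosted` onto `ubuntu-latest` is the right direction, since a job that reacts to first-time external contributors should not land on infrastructure you maintain; the remaining weak point in the same hunk is `uses: actions/first-interaction@main`, which follows a mutable branch. A tag or, better, a full commit SHA (`uses: actions/first-interaction@<pinned-sha>  # vX.Y.Z`) keeps the workflow from silently picking up whatever `main` contains tomorrow. The job's `permissions:` block, if any, is outside this hunk; restricting it to `pull-requests: write` and `issues: write` for this job would complete the hardening.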
@@ -31,9 +31,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}nosuid{% endif %} - loop: "{{ ansible_facts.mounts }}" - loop_control: + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_3_3) %},nosuid" label: "{{ item.device }}" notify: Change_requires_reboot when: diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 713dba6..4487e9b 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -33,7 +33,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} + opts: "{{ item.options }}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_4_2) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_4_3) %},nosuid{% endif %}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_4_4) %},nodev{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index ac8b827..8c4732f 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml 
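Review bot: The rewritten `opts:` line in cis_1.1.3.x.yml is missing its closing `{% endif %}` after `,nosuid`, and the hunk also deletes the `loop:` and `loop_control:` lines while keeping `label:` and the `item.*` references, so the task can no longer render or iterate. A later patch in this series ("readded lines removed in error") restores the `{% endif %}`, `loop: "{{ ansible_facts.mounts }}"` and `loop_control:` lines, so the fix is known; I only note it so the intermediate commit is not cherry-picked on its own. The task's `name:` and `when:` are outside this hunk.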
@@ -33,7 +33,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_5_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_5_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_5_4) %},nosuid{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 5a7c8f4..709a206 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -32,7 +32,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_6_2) %},noexec{% endif %}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_6_3) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_6_4) %},nosuid{% endif %}" loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 6a50de8..506c1a6 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml 
@@ -40,7 +40,7 @@ src: tmpfs fstype: tmpfs state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %} + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_8_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_8_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_8_4) %},nosuid{% endif %}" notify: Change_requires_reboot when: - rhel9cis_rule_1_1_8_2 or From 1c1a39c58b5e7b2ea129c15aad4cdda1d4fdc963 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Nov 2024 15:46:17 +0000 Subject: [PATCH 29/43] improved gpg regex Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index fc0bf27..babf869 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -44,7 +44,7 @@ - name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" ansible.builtin.replace: name: "{{ item.path }}" - regexp: "^gpgcheck=0" + regexp: ^gpgcheck\s*=\s*0 replace: "gpgcheck=1" loop: "{{ yum_repos.files }}" loop_control: @@ -104,7 +104,7 @@ - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files" ansible.builtin.replace: path: "{{ item.path }}" - regexp: '^repo_gpgcheck( |)=( |)0' + regexp: ^repo_gpgcheck\s*=\s*0 replace: repo_gpgcheck=1 loop: "{{ repo_files.files }}" loop_control: From fbf16ec54dc9664b9380fe887ca2c37eb859fa96 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Nov 2024 15:59:07 +0000 Subject: [PATCH 30/43] readded lines removed in error Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.3.x.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 423b15c..e6d0705 100644 
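Review bot: The new `regexp: ^gpgcheck\s*=\s*0` for 1.2.2 only rewrites the literal `0`, yet dnf's boolean options also accept `False`/`false`/`no` (see dnf.conf(5)), so a repository file carrying `gpgcheck=false` keeps signature checking disabled while the task reports nothing to change; the same gap applies to `^repo_gpgcheck\s*=\s*0` in the 1.2.4 hunk. A pattern along the lines of `regexp: '^gpgcheck\s*=\s*(0|[Ff]alse|[Nn]o)\s*$'` (and the `repo_gpgcheck` equivalent) closes it. Quoting the value, as the rest of this file does for regexps, also avoids relying on YAML plain-scalar handling of backslashes.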
--- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -31,7 +31,9 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_3_3) %},nosuid" + opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_3_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_3_3) %},nosuid{% endif %}" + loop: "{{ ansible_facts.mounts }}" + loop_control: label: "{{ item.device }}" notify: Change_requires_reboot when: From d6c9e426855bac16047a75ae72238816279c1e2b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 11 Nov 2024 16:00:01 +0000 Subject: [PATCH 31/43] reverted back to original Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.1.8.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 506c1a6..6a50de8 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -40,7 +40,7 @@ src: tmpfs fstype: tmpfs state: mounted - opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_8_2) %},nodev{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_8_3) %},noexec{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_8_4) %},nosuid{% endif %}" + opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %} notify: Change_requires_reboot when: - rhel9cis_rule_1_1_8_2 or From 28a35960d7acb7e6c69cdaa9c90fe3663d00ba97 Mon Sep 17 00:00:00 2001 From: Jeffrey van Pelt Date: Mon, 11 Nov 2024 17:38:04 +0100 Subject: [PATCH 32/43] Added a means to allow system users to have a shell 
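Review bot: The restored `opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}...{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %}` for /dev/shm emits a trailing comma whenever `rhel9cis_rule_1_1_8_4` is false (for example `defaults,nodev,noexec,`), because only the last fragment omits the separator. Whether libmount tolerates an empty trailing option I cannot confirm from here, so building the list and joining it is the safe form: `opts: "{{ (['defaults'] + (['nodev'] if rhel9cis_rule_1_1_8_2 else []) + (['noexec'] if rhel9cis_rule_1_1_8_3 else []) + (['nosuid'] if rhel9cis_rule_1_1_8_4 else [])) | join(',') }}"`. The `when:` list of this task continues outside the hunk.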
Signed-off-by: Jeffrey van Pelt --- defaults/main.yml | 5 +++++ tasks/section_5/cis_5.6.x.yml | 1 + 2 files changed, 6 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index e3dc9b5..0cc7a2b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1137,6 +1137,11 @@ rhel9cis_force_user_mindays: false # This can break current connecting user access rhel9cis_force_user_warnage: false +## Control 5.6.2 - Ensure system accounts are secured | Set nologin +# The system users on this list are allowed to have a shell (e.g. applications +# that require a shell to function) +rhel9cis_system_users_shell: [] + ## Control 5.6.3 - Ensure default user shell timeout is 900 seconds or less # Session timeout setting file (TMOUT setting can be set in multiple files) # Timeout value is in seconds. (60 seconds * 10 = 600) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 5271388..11bed39 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -13,6 +13,7 @@ - item.id != "shutdown" - item.id != "halt" - item.id != "nfsnobody" + - item.id not in rhel9cis_system_users_shell - item.uid < min_int_uid | int - item.shell != "/bin/false" - item.shell != "/usr/sbin/nologin" From c4b489fe4c0cd109a574ed734c5d63cccc1c536f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 12 Nov 2024 15:45:20 +0000 Subject: [PATCH 33/43] fixed filename thanks to @levaillx Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.8.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index ce35a48..36f6052 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml 
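Review bot: The new `rhel9cis_system_users_shell` list in defaults/main.yml is an exception mechanism for control 5.6.2, but its comment does not say that each entry is matched exactly against `item.id` (a username) in the `item.id not in rhel9cis_system_users_shell` condition added in cis_5.6.x.yml, nor that every entry leaves a system account with a usable shell. I would extend the comment with `# Each entry is an exact username; listing an account here is a documented deviation from CIS 5.6.2 and should be recorded with its justification`. Keeping the default a real list (`[]`) matters for the `not in` test: if an operator overrides it with a plain string, Jinja performs a substring match instead of membership, so a line noting "must be a list" would also help. The `when:` block in the task hunk begins outside this hunk.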
@@ -131,7 +131,7 @@ - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file" ansible.builtin.template: src: etc/dconf/db/00-screensaver_lock.j2 - dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver" + dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver_lock" owner: root group: root mode: '0644' From 1166b8b9c5962b67e15a631e93a2541b18d684c3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 18 Nov 2024 17:38:04 +0000 Subject: [PATCH 34/43] updated typos Signed-off-by: Mark Bolwell --- README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3260cb0..86ebd36 100644 --- a/README.md +++ b/README.md @@ -53,7 +53,7 @@ Refer to [Contributing Guide](./CONTRIBUTING.rst) This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. -Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL8-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode. +Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL9-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode. This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. 
@@ -128,11 +128,9 @@ os_check: false **Technical Dependencies:** - Python3 -- Ansible 2.10+ +- Ansible 2.12+ - python-def (should be included in RHEL 9) - libselinux-python -- pip packages - - jmespath - collections found in collections/requirements.yml pre-commit is available if installed on your host for pull request testing. From f591dc2507c2e4e68ecd5e319214bf5324ffa811 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 18 Nov 2024 17:55:23 +0000 Subject: [PATCH 35/43] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.9.2 → v24.10.0](https://github.com/ansible-community/ansible-lint/compare/v24.9.2...v24.10.0) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 300b2e2..1c69745 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -43,7 +43,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.9.2 + rev: v24.10.0 hooks: - id: ansible-lint name: Ansible-lint From 576475d851de7a2ce1dd6ebb3c6b2f0d4af3056f Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 19 Nov 2024 14:03:46 +0000 Subject: [PATCH 36/43] removed skip_ansible_lint tag Signed-off-by: Mark Bolwell --- handlers/main.yml | 4 ---- tasks/section_1/cis_1.1.3.x.yml | 1 - tasks/section_1/cis_1.1.4.x.yml | 1 - tasks/section_1/cis_1.1.5.x.yml | 2 -- tasks/section_1/cis_1.1.6.x.yml | 1 - tasks/section_1/cis_1.1.7.x.yml | 2 -- tasks/section_1/cis_1.1.8.x.yml | 1 - tasks/section_1/cis_1.2.x.yml | 1 - tasks/section_1/cis_1.9.yml | 2 -- 9 files changed, 15 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index dd97fec..c302106 100644 --- a/handlers/main.yml +++ b/handlers/main.yml 
@@ -57,8 +57,6 @@ - name: Grub2cfg ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" ignore_errors: true # noqa ignore-errors - tags: - - skip_ansible_lint - name: Restart rsyslog ansible.builtin.systemd: @@ -102,8 +100,6 @@ - name: Restart auditd ansible.builtin.shell: service auditd restart - tags: - - skip_ansible_lint - name: Change_requires_reboot ansible.builtin.set_fact: diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index e6d0705..d219b39 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -45,6 +45,5 @@ - level1-workstation - patch - mounts - - skip_ansible_lint - rule_1.1.3.2 - rule_1.1.3.3 diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 4487e9b..d04ac02 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -48,7 +48,6 @@ - level1-workstation - patch - mounts - - skip_ansible_lint - rule_1.1.4.2 - rule_1.1.4.3 - rule_1.1.4.4 diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index 8c4732f..af4e230 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -22,7 +22,6 @@ - audit - mounts - rule_1.1.5.1 - - skip_ansible_lint - name: | "1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition" @@ -48,7 +47,6 @@ - level1-workstation - patch - mounts - - skip_ansible_lint - rule_1.1.5.2 - rule_1.1.5.3 - rule_1.1.5.4 diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 709a206..d20e83d 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -47,7 +47,6 @@ - level1-workstation - patch - mounts - - skip_ansible_lint - rule_1.1.6.2 - rule_1.1.6.3 - rule_1.1.6.4 diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index a123426..d081811 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml 
@@ -22,7 +22,6 @@ - audit - mounts - rule_1.1.7.1 - - skip_ansible_lint - name: | "1.1.7.2 | PATCH | Ensure nodev option set on /home partition @@ -48,4 +47,3 @@ - mounts - rule_1.1.7.2 - rule_1.1.7.3 - - skip_ansible_lint diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 6a50de8..5ebf666 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -29,7 +29,6 @@ - audit - mounts - rule_1.1.8.1 - - skip_ansible_lint - name: | "1.1.8.2 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index babf869..3c57e41 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -85,7 +85,6 @@ - manual - audit - rule_1.2.3 - - skip_ansible_lint - name: "1.2.4 | AUDIT | Ensure repo_gpgcheck is globally activated" block: diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index e226948..39f0cd9 100644 --- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -7,10 +7,8 @@ notify: Change_requires_reboot when: - rhel9cis_rule_1_9 - - not system_is_ec2 tags: - level1-server - level1-workstation - patch - rule_1.9 - - skip_ansible_lint From 12432ee7480c7588be68776b2b15ef42f5e1b488 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 4 Dec 2024 11:18:33 +0000 Subject: [PATCH 37/43] updated 1.5.2 regexp as per #262 Signed-off-by: Mark Bolwell --- tasks/section_1/cis_1.5.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 3f80647..d0cb983 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml 
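Review bot: The cis_1.9.yml hunk removes `- not system_is_ec2` from the task's `when:` list in addition to the `skip_ansible_lint` tag, which is a behaviour change on EC2 hosts that the commit message ("removed skip_ansible_lint tag") does not mention. If the EC2 guard was dropped deliberately, the reason belongs in the commit message or a comment on the task; if not, the condition should be restored. The task's name and module call are above this hunk, so I cannot tell from here what 1.9 performs on the host. The other hunks in this commit only remove tags.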
@@ -18,7 +18,7 @@ - name: "1.5.2 | PATCH | Ensure core dump backtraces are disabled" ansible.builtin.lineinfile: path: /etc/systemd/coredump.conf - regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$' + regexp: '^ProcessSizeMax\s*=\s*.*[1-9].*' line: 'ProcessSizeMax=0' when: - rhel9cis_rule_1_5_2 From 8aef8f7121600b8e34463fa1d245986668f779df Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 4 Dec 2024 11:19:21 +0000 Subject: [PATCH 38/43] updated Copyright line Signed-off-by: Mark Bolwell --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index f6d2b57..7e51eb7 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases +Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal From 33969e2a8a962720023609f655b95f272728d901 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 4 Dec 2024 11:31:42 +0000 Subject: [PATCH 39/43] Updated company naming Signed-off-by: Mark Bolwell --- templates/audit/98_auditd_exception.rules.j2 | 2 +- templates/audit/99_auditd.rules.j2 | 2 +- templates/etc/cron.d/aide.cron.j2 | 2 +- templates/etc/dconf/db/00-automount_lock.j2 | 2 +- templates/etc/dconf/db/00-autorun_lock.j2 | 2 +- templates/etc/dconf/db/00-media-automount.j2 | 2 +- templates/etc/dconf/db/00-media-autorun.j2 | 2 +- templates/etc/dconf/db/00-screensaver.j2 | 2 +- templates/etc/dconf/db/00-screensaver_lock.j2 | 2 +- templates/etc/dconf/db/gdm.d/01-banner-message.j2 | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/templates/audit/98_auditd_exception.rules.j2 b/templates/audit/98_auditd_exception.rules.j2 index 0f4a4f9..70ebd03 100644 --- a/templates/audit/98_auditd_exception.rules.j2 +++ b/templates/audit/98_auditd_exception.rules.j2 
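Review bot: The widened `regexp: '^ProcessSizeMax\s*=\s*.*[1-9].*'` for 1.5.2 now matches any `ProcessSizeMax` line containing a non-zero digit anywhere after `=`, which is looser than intended: values without digits (for example `ProcessSizeMax=infinity`, if systemd-coredump accepts it for this key) are still not corrected, while `ProcessSizeMax=0   # note 1` is rewritten although the value is already 0. Matching "value is not exactly 0" directly is simpler, e.g. `regexp: '^ProcessSizeMax\s*=\s*(?!0\s*$)'`, which lineinfile's Python regex supports. A short comment above the task stating the intent (`# any non-zero or empty value re-enables backtraces; force it to 0`) would make the pattern easier to maintain.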
@@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # This file contains users whose actions are not logged by auditd diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 6f7c388..0d75c33 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # This template will set all of the auditd configurations via a handler in the role in one task instead of individually diff --git a/templates/etc/cron.d/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 index db93323..4c1af92 100644 --- a/templates/etc/cron.d/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 @@ -1,7 +1,7 @@ # Run AIDE integrity check ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company ### YOUR CHANGES WILL BE LOST! # CIS 1.3.2 diff --git a/templates/etc/dconf/db/00-automount_lock.j2 b/templates/etc/dconf/db/00-automount_lock.j2 index efebeac..0e55b5a 100644 --- a/templates/etc/dconf/db/00-automount_lock.j2 +++ b/templates/etc/dconf/db/00-automount_lock.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop media-handling automount setting /org/gnome/desktop/media-handling/automount diff --git a/templates/etc/dconf/db/00-autorun_lock.j2 b/templates/etc/dconf/db/00-autorun_lock.j2 index 4506f4f..cf9ed5d 100644 --- a/templates/etc/dconf/db/00-autorun_lock.j2 +++ b/templates/etc/dconf/db/00-autorun_lock.j2 
@@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop media-handling settings /org/gnome/desktop/media-handling/autorun-never diff --git a/templates/etc/dconf/db/00-media-automount.j2 b/templates/etc/dconf/db/00-media-automount.j2 index 78ad883..640538c 100644 --- a/templates/etc/dconf/db/00-media-automount.j2 +++ b/templates/etc/dconf/db/00-media-automount.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/desktop/media-handling] automount=false diff --git a/templates/etc/dconf/db/00-media-autorun.j2 b/templates/etc/dconf/db/00-media-autorun.j2 index 81bdfea..382469c 100644 --- a/templates/etc/dconf/db/00-media-autorun.j2 +++ b/templates/etc/dconf/db/00-media-autorun.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/desktop/media-handling] autorun-never=true diff --git a/templates/etc/dconf/db/00-screensaver.j2 b/templates/etc/dconf/db/00-screensaver.j2 index acfeaee..a747336 100644 --- a/templates/etc/dconf/db/00-screensaver.j2 +++ b/templates/etc/dconf/db/00-screensaver.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Specify the dconf path [org/gnome/desktop/session] diff --git a/templates/etc/dconf/db/00-screensaver_lock.j2 b/templates/etc/dconf/db/00-screensaver_lock.j2 index d6c5d70..5988316 100644 --- a/templates/etc/dconf/db/00-screensaver_lock.j2 +++ b/templates/etc/dconf/db/00-screensaver_lock.j2 
@@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company # Lock desktop screensaver idle-delay setting /org/gnome/desktop/session/idle-delay diff --git a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 index c7ae76e..901e9e0 100644 --- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2 +++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2 @@ -1,6 +1,6 @@ ## Ansible controlled file # Added as part of ansible-lockdown CIS baseline -# provided by MindPointGroup LLC +# provided by Mindpoint Group - A Tyto Athene Company [org/gnome/login-screen] banner-message-enable=true From a6ce1ef1bf9a492d4ee61b9a57c6413ca430069a Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 10:18:09 +0000 Subject: [PATCH 40/43] updated auditd restart handler Signed-off-by: Mark Bolwell --- handlers/main.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index c302106..31e784d 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -98,8 +98,15 @@ when: - auditd_immutable_check.stdout == '1' -- name: Restart auditd - ansible.builtin.shell: service auditd restart +- name: Stop auditd process + ansible.builtin.shell: systemctl kill auditd + listen: Restart auditd + +- name: Start auditd process + ansible.builtin.systemd_service: + name: auditd + state: started + listen: Restart auditd - name: Change_requires_reboot ansible.builtin.set_fact: From 088cd51931f2b07d8d655903615cbb0292523cfd Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 10:18:25 +0000 Subject: [PATCH 41/43] Updated auditd template changed warning Signed-off-by: Mark Bolwell --- tasks/auditd.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/auditd.yml b/tasks/auditd.yml index 62f2794..82ee5de 100644 --- a/tasks/auditd.yml 
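Review bot: `systemctl kill auditd` returns as soon as the signal is delivered, so the `Start auditd process` handler that follows can run while the old daemon is still shutting down; `systemd_service state: started` then sees an active or deactivating unit and does nothing (or the start fails), leaving the node without a running auditd and the new rules unloaded. The stop step should wait for the unit to become inactive, with a bounded timeout so a hung auditd fails the play visibly rather than silently, and carry `changed_when: false` since a shell handler otherwise reports changed on every run. The `kill` approach is presumably needed because the auditd unit refuses a manual stop; a one-line comment saying so would help the next maintainer. The `when: - auditd_immutable_check.stdout == '1'` lines at the top belong to a handler that starts before the hunk.
```yaml
- name: Stop auditd process
  # auditd refuses systemctl stop, so signal it and wait for the unit to exit
  ansible.builtin.shell: |
    systemctl kill auditd
    for _ in $(seq 1 30); do
      systemctl is-active --quiet auditd || exit 0
      sleep 1
    done
    echo "auditd did not stop within 30s" >&2
    exit 1
  changed_when: false
  listen: Restart auditd
# … unchanged: Start auditd process handler …
```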
+++ b/tasks/auditd.yml @@ -23,7 +23,7 @@ ansible.builtin.import_tasks: file: warning_facts.yml vars: - warn_control_id: 'Auditd template updated, see diff output for details' + warn_control_id: 'Auditd template updated, validate as expected' when: - rhel9cis_auditd_template_updated.changed - rhel9cis_auditd_file.stat.exists From 7a780a4702e358aa13d8dfdbb2f08d00bd67d769 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 10 Dec 2024 10:29:50 +0000 Subject: [PATCH 42/43] updated for lint Signed-off-by: Mark Bolwell --- handlers/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 31e784d..cea6940 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -104,8 +104,8 @@ - name: Start auditd process ansible.builtin.systemd_service: - name: auditd - state: started + name: auditd + state: started listen: Restart auditd - name: Change_requires_reboot From 4799e7830bf35cefeafb3b71173ed86f29af6e40 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 16 Dec 2024 17:53:37 +0000 Subject: [PATCH 43/43] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v24.10.0 → v24.12.2](https://github.com/ansible-community/ansible-lint/compare/v24.10.0...v24.12.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 1c69745..0033657 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -43,7 +43,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v24.10.0 + rev: v24.12.2 hooks: - id: ansible-lint name: Ansible-lint