diff --git a/tasks/main.yml b/tasks/main.yml index 9a6ee31..a55063a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -180,3 +180,9 @@ msg: "{{ audit_results.split('\n') }}" when: - run_audit + +- name: Output Warning count and control IDs affected + debug: + msg: "You have {{ warn_count }} warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" + tags: + - always diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml index a50797d..d43d768 100644 --- a/tasks/section_1/cis_1.1.2.x.yml +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -1,11 +1,30 @@ --- - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition" - debug: - msg: "Warning! /tmp is not mounted on a separate partition" + block: + - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Absent" + debug: + msg: "Warning!! /tmp is not mounted on a separate partition" + when: + - required_mount not in mount_names + + - name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" + debug: + msg: "Congratulations: {{ required_mount }} exists." + register: var_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/tmp' when: - rhel9cis_rule_1_1_2_1 - - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 tags: - level1-server - level1-workstation @@ -68,7 +87,6 @@ tags: - level1-server - level1-workstation - - scored - patch - mounts - rule_1.1.2.1 diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml index 8fa9e4b..6dbc1d2 100644 --- a/tasks/section_1/cis_1.1.3.x.yml +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -4,12 +4,19 @@ block: - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent" debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_mount_absent changed_when: var_mount_absent.skipped is undefined when: - required_mount not in mount_names + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" debug: msg: "Congratulations: {{ required_mount }} exists." @@ -38,7 +45,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index c780013..62c4306 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -5,12 +5,19 @@ block: - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_tmp_mount_absent changed_when: var_tmp_mount_absent.skipped is undefined when: - required_mount not in mount_names + - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" debug: msg: "Congratulations: {{ required_mount }} exists." @@ -39,7 +46,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: @@ -61,4 +68,4 @@ - skip_ansible_lint - rule_1.1.4.2 - rule_1.1.4.3 - - rule_1.1.4.4 + - rule_1.1.4.4 \ No newline at end of file diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml index c9343c4..985b3d8 100644 --- a/tasks/section_1/cis_1.1.5.x.yml +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -4,11 +4,19 @@ block: - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_log_mount_absent changed_when: var_log_mount_absent.skipped is undefined when: - required_mount not in mount_names + + - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" debug: msg: "Congratulations: {{ required_mount }} exists." @@ -37,7 +45,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} with_items: - "{{ ansible_mounts }}" loop_control: diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 1df3e84..47bcba7 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -4,11 +4,19 @@ block: - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: var_log_audit_mount_absent changed_when: var_log_audit_mount_absent.skipped is undefined when: - required_mount not in mount_names + + - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" debug: msg: "Congratulations: {{ required_mount }} exists." @@ -58,4 +66,4 @@ - skip_ansible_lint - rule_1.1.6.2 - rule_1.1.6.3 - - rule_1.1.6.4 + - rule_1.1.6.4 \ No newline at end of file diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index 453fef5..6ba442d 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -4,11 +4,19 @@ block: - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task" register: home_mount_absent changed_when: home_mount_absent.skipped is undefined when: - required_mount not in mount_names + + - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - required_mount not in mount_names + - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" debug: msg: "Congratulations: {{ required_mount }} exists." diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml index 75bdabb..a61a6af 100644 --- a/tasks/section_1/cis_1.1.8.x.yml +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -25,7 +25,7 @@ src: tmpfs fstype: tmpfs state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" notify: change_requires_reboot when: diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 960815f..4ad09df 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -25,7 +25,8 @@ when: - rhel9cis_rule_1_2_2 - ansible_distribution == "RedHat" or - ansible_distribution == "Rocky" + ansible_distribution == "Rocky" or + ansible_distribution == "AlmaLinux" tags: - level1-server - level1-workstation @@ -45,7 +46,7 @@ - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" replace: name: "{{ item.path }}" - regexp: '^gpgcheck\s+=\s+0' + regexp: "^gpgcheck=0" replace: "gpgcheck=1" with_items: - "{{ yum_repos.files }}" @@ -74,8 +75,13 @@ - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" debug: msg: - - "Warning! Below are the configured repos. Please review and make sure all align with site policy" + - "Warning!! Below are the configured repos. Please review and make sure all align with site policy" - "{{ dnf_configured.stdout_lines }}" + + - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Warn Count" + set_fact: + control_number: "{{ control_number }} + ['rule_1.2.4']" + warn_count: "{{ warn_count|int + 1 }}" when: - rhel9cis_rule_1_2_4 tags: diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml index f917a99..f0ea11a 100644 --- a/tasks/section_1/cis_1.6.1.x.yml +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -80,6 +80,12 @@ debug: msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 + + - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_1.6.1.5 ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 when: - rhel9cis_rule_1_6_1_5 tags: @@ -115,4 +121,4 @@ - level1-workstation - automated - patch - - rule_1.6.1.7 + - rule_1.6.1.7 \ No newline at end of file diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index e17ab76..14b86ed 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -12,9 +12,14 @@ - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" debug: msg: - - "Warning! Below are the list of services, both active and inactive" + - "Warning!! Below are the list of services, both active and inactive" - "Please review to make sure all are essential" - "{{ rhel9cis_2_4_services.stdout_lines }}" + + - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Warn Count" + set_fact: + control_number: "{{ control_number }} + ['rule_2.4']" + warn_count: "{{ warn_count|int + 1 }}" when: - rhel9cis_rule_2_4 tags: @@ -23,4 +28,4 @@ - manual - audit - services - - rule_2.4 + - rule_2.4 \ No newline at end of file diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index a9284c5..b74eda1 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -5,6 +5,7 @@ name: nftables state: present when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_1 tags: - level1-server @@ -17,22 +18,11 @@ # The control allows the service it be masked or not installed # We have chosen not installed - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables" - block: - - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | mask service" - systemd: - name: firewalld - masked: true - state: stopped - when: - - rhel9cis_nftables_firewalld_state == "masked" - - - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | pkg removed" - package: - name: firewalld - state: absent - when: - - rhel9cis_nftables_firewalld_state == "absent" + package: + name: firewalld + state: absent when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_2 tags: - level1-server @@ -59,6 +49,7 @@ name: iptables-service state: absent when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_3 tags: - level1-server @@ -105,17 +96,26 @@ - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables" debug: msg: - - "Warning! You currently have no nft tables, please review your setup" + - "Warning!! You currently have no nft tables, please review your setup" - 'Use the command "nft create table inet " to create a new table' when: - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0 - not rhel9cis_nft_tables_autonewtable + - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_3.4.2.5' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: + - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0 + - not rhel9cis_nft_tables_autonewtable + - name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed" command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" failed_when: no when: rhel9cis_nft_tables_autonewtable when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_5 tags: - level1-server @@ -167,11 +167,12 @@ - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } when: rhel9cis_nft_tables_autochaincreate when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_6 tags: - level1-server - level1-workstation - - automated + - automate - patch - nftables - rule_3.4.2.6 @@ -208,6 +209,7 @@ command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout' when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_7 tags: - level1-server @@ -255,6 +257,7 @@ command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_8 tags: - level1-server @@ -306,6 +309,7 @@ command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout' when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_9 tags: - level1-server @@ -320,6 +324,7 @@ name: nftables enabled: yes when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_10 tags: - level1-server @@ -332,9 +337,11 @@ - name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent" lineinfile: path: /etc/sysconfig/nftables.conf + state: present insertafter: EOF line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" when: + - rhel9cis_firewall == "nftables" - rhel9cis_rule_3_4_2_11 tags: - level1-server diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 9660670..7a35d8f 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -41,6 +41,7 @@ state: started enabled: yes when: + - rhel9cis_system_is_log_server - rhel9cis_rule_4_2_2_1_3 tags: - level1-server @@ -52,11 +53,12 @@ - name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" systemd: - name: systemd-journal-remote + name: systemd-journal-remote.socket state: stopped enabled: no masked: yes when: + - not rhel9cis_system_is_log_server - rhel9cis_rule_4_2_2_1_4 tags: - level1-server @@ -83,7 +85,13 @@ - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" debug: msg: - - "Warning! The status of systemd-journald should be static and it is not. Please investigate" + - "Warning!! The status of systemd-journald should be static and it is not. Please investigate" + when: "'static' not in rhel9cis_4_2_2_2_status.stdout" + + - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]" + warn_count: "{{ warn_count|int + 1 }}" when: "'static' not in rhel9cis_4_2_2_2_status.stdout" when: - rhel9cis_rule_4_2_2_2 @@ -134,7 +142,6 @@ notify: restart systemd_journal_upload when: - rhel9cis_rule_4_2_2_5 - - rhel9cis_preferred_log_capture == "journald" tags: - level1-server - level2-workstation @@ -190,9 +197,13 @@ - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings" debug: msg: - - "Warning! Below are the current default settings for journald, please confirm they align with your site policies" - # - "{{ rhel9cis_4_2_2_7_override_settings.stdout_lines }}" + - "Warning!! Below are the current default settings for journald, please confirm they align with your site policies" - "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}" + + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Warn Count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_4.2.2.7' ]" + warn_count: "{{ warn_count|int + 1 }}" when: - rhel9cis_rule_4_2_2_7 tags: diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index d8ea214..790e876 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -78,7 +78,7 @@ - password - rule_5.6.1.4 -- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" +- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" block: - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" shell: echo $(($(date --utc --date "$1" +%s)/86400)) @@ -101,7 +101,15 @@ - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" debug: - msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + when: + - rhel9cis_5_6_1_5_user_list.stdout | length > 0 + - not rhel9cis_futurepwchgdate_autofix + + - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]" + warn_count: "{{ warn_count|int + 1 }}" when: - rhel9cis_5_6_1_5_user_list.stdout | length > 0 - not rhel9cis_futurepwchgdate_autofix diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index c169d4b..c61b51e 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -12,7 +12,7 @@ - name: "6.1.1 | AUDIT | Audit system file permissions | Create list and warning" block: - - name: "6.1.1 | Audit system file permissions | Add file discrepancy list to system" + - name: "6.1.1 | AUDIT | Audit system file permissions | Add file discrepancy list to system" copy: dest: "{{ rhel9cis_rpm_audit_file }}" content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}" @@ -20,8 +20,13 @@ - name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" debug: msg: | - "Warning! You have some package descrepancies issues. + "Warning!! You have some package descrepancies issues. The file list can be found in {{ rhel9cis_rpm_audit_file }}" + + - name: "6.1.1 | AUDIT | Audit system file permissions | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.1.1' ]" + warn_count: "{{ warn_count|int + 1 }}" when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0 - name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies" diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 31dafa8..6675488 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -29,12 +29,18 @@ - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" debug: msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: rhel9cis_6_2_2_passwd_gid_check.stdout | length == 0 + when: rhel9cis_6_2_2_passwd_gid_check.stdout is not defined - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" debug: - msg: "Warning! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" - when: rhel9cis_6_2_2_passwd_gid_check.stdout | length > 0 + msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" + when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined + + - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.2.2' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined when: - rhel9cis_rule_6_2_2 tags: @@ -57,12 +63,18 @@ - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" debug: msg: "Good News! There are no duplicate UID's in the system" - when: rhel9cis_6_2_3_user_uid_check.stdout | length == 0 + when: rhel9cis_6_2_3_user_uid_check.stdout is not defined - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" debug: - msg: "Warning! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" - when: rhel9cis_6_2_3_user_uid_check.stdout | length > 0 + msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" + when: rhel9cis_6_2_3_user_uid_check.stdout is defined + + - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.2.3' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhel9cis_6_2_3_user_uid_check.stdout is defined when: - rhel9cis_rule_6_2_3 tags: @@ -85,12 +97,19 @@ - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" debug: msg: "Good News! There are no duplicate GIDs in the system" - when: rhel9cis_6_2_4_user_user_check.stdout | length == 0 + when: rhel9cis_6_2_4_user_user_check.stdout is not defined - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" debug: - msg: "Warning! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" - when: rhel9cis_6_2_4_user_user_check.stdout | length > 0 + msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" + when: rhel9cis_6_2_4_user_user_check.stdout is defined + + - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.2.4' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhel9cis_6_2_4_user_user_check.stdout is defined + when: - rhel9cis_rule_6_2_4 tags: @@ -113,12 +132,18 @@ - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" debug: msg: "Good News! There are no duplicate user names in the system" - when: rhel9cis_6_2_5_user_username_check.stdout | length == 0 + when: rhel9cis_6_2_5_user_username_check.stdout is not defined - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" debug: - msg: "Warning! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" - when: rhel9cis_6_2_5_user_username_check.stdout | length > 0 + msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" + when: rhel9cis_6_2_5_user_username_check.stdout is defined + + - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.2.5' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhel9cis_6_2_5_user_username_check.stdout is defined when: - rhel9cis_rule_6_2_5 tags: @@ -142,12 +167,18 @@ - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" debug: msg: "Good News! There are no duplicate group names in the system" - when: rhel9cis_6_2_6_group_group_check.stdout | length == 0 + when: rhel9cis_6_2_6_group_group_check.stdout is defined - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" debug: - msg: "Warning! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" - when: rhel9cis_6_2_6_group_group_check.stdout | length > 0 + msg: "Warning!! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" + when: rhel9cis_6_2_6_group_group_check.stdout is not defined + + - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | warning count" + set_fact: + control_number: "{{ control_number }} + [ 'rule_6.2.6' ]" + warn_count: "{{ warn_count|int + 1 }}" + when: rhel9cis_6_2_6_group_group_check.stdout is not defined when: - rhel9cis_rule_6_2_6 tags: @@ -230,7 +261,7 @@ stat: path: "{{ item }}" register: rhel_08_6_2_9_audit - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<', max_int_uid | int ) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}" - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" command: find -H {{ item.0 | quote }} -not -type l -perm /027 @@ -270,7 +301,8 @@ recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not system_is_container + when: + - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" @@ -299,7 +331,8 @@ loop_control: label: "{{ rhel9cis_passwd_label }}" when: - - min_int_uid | int <= item.uid + - item.uid >= min_int_uid | int + - item.id != 'nobody' - rhel9cis_rule_6_2_10 tags: - skip_ansible_lint # settings found on 6_2_7 @@ -315,7 +348,7 @@ - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" stat: path: "{{ item }}" - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<', max_int_uid | int ) | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}" register: rhel_08_6_2_11_audit - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" @@ -356,7 +389,8 @@ recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: not system_is_container + when: + - not system_is_container with_nested: - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" @@ -427,8 +461,8 @@ - name: "6.2.14 | PATCH | Ensure no users have .forward files" file: + path: "~{{ item }}/.forward" state: absent - dest: "~{{ item }}/.forward" with_items: - "{{ users.stdout_lines }}" when: @@ -444,8 +478,8 @@ - name: "6.2.15 | PATCH | Ensure no users have .netrc files" file: + path: "~{{ item }}/.netrc" state: absent - dest: "~{{ item }}/.netrc" with_items: - "{{ users.stdout_lines }}" when: @@ -461,8 +495,8 @@ - name: "6.2.16 | PATCH | Ensure no users have .rhosts files" file: + path: "~{{ item }}/.rhosts" state: absent - dest: "~{{ item }}/.rhosts" with_items: "{{ users.stdout_lines }}" when: - rhel9cis_rule_6_2_16 diff --git a/vars/main.yml b/vars/main.yml index dbbc71f..9b13f43 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,8 +1,12 @@ --- # vars file for RHEL9-CIS -min_ansible_version: 2.10 +min_ansible_version: 2.9.4 rhel9cis_allowed_crypto_policies: - 'DEFAULT' - 'FUTURE' - 'FIPS' + +# Used to control warning summary +control_number: "" +warn_count: 0 \ No newline at end of file