sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

added warning count

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-07-20 17:13:33 +01:00
parent c494559882
commit 6b6a4a32c8
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
17 changed files with 219 additions and 71 deletions
Download patch file Download diff file Expand all files Collapse all files

6
tasks/main.yml
View file

@ -180,3 +180,9 @@
msg: "{{ audit_results.split('\n') }}"
when:
- run_audit
- name: Output Warning count and control IDs affected
debug:
msg: "You have {{ warn_count }} warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}"
tags:
- always

26
tasks/section_1/cis_1.1.2.x.yml
View file

@ -1,11 +1,30 @@
---
- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition"
debug:
msg: "Warning! /tmp is not mounted on a separate partition"
block:
- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Absent"
debug:
msg: "Warning!! /tmp is not mounted on a separate partition"
when:
- required_mount not in mount_names
- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.2.1' ]"
warn_count: "{{ warn_count|int + 1 }}"
when:
- required_mount not in mount_names
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
register: var_mount_present
when:
- required_mount in mount_names
vars:
required_mount: '/tmp'
when:
- rhel9cis_rule_1_1_2_1
- ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0
tags:
- level1-server
- level1-workstation
@ -68,7 +87,6 @@
tags:
- level1-server
- level1-workstation
- scored
- patch
- mounts
- rule_1.1.2.1

11
tasks/section_1/cis_1.1.3.x.yml
View file

@ -4,12 +4,19 @@
block:
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent"
debug:
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
register: var_mount_absent
changed_when: var_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.3.1' ]"
warn_count: "{{ warn_count|int + 1 }}"
when:
- required_mount not in mount_names
- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
@ -38,7 +45,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %}
opts: defaults,{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %}
with_items:
- "{{ ansible_mounts }}"
loop_control:

13
tasks/section_1/cis_1.1.4.x.yml
View file

@ -5,12 +5,19 @@
block:
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent"
debug:
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
register: var_tmp_mount_absent
changed_when: var_tmp_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.4.1' ]"
warn_count: "{{ warn_count|int + 1 }}"
when:
- required_mount not in mount_names
- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
@ -39,7 +46,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %}
opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid{% endif %}
with_items:
- "{{ ansible_mounts }}"
loop_control:
@ -61,4 +68,4 @@
- skip_ansible_lint
- rule_1.1.4.2
- rule_1.1.4.3
- rule_1.1.4.4
- rule_1.1.4.4

12
tasks/section_1/cis_1.1.5.x.yml
View file

@ -4,11 +4,19 @@
block:
- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent"
debug:
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
register: var_log_mount_absent
changed_when: var_log_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.5.1' ]"
warn_count: "{{ warn_count|int + 1 }}"
when:
- required_mount not in mount_names
- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
@ -37,7 +45,7 @@
src: "{{ item.device }}"
fstype: "{{ item.fstype }}"
state: present
opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %}
opts: defaults,{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %}
with_items:
- "{{ ansible_mounts }}"
loop_control:

12
tasks/section_1/cis_1.1.6.x.yml
View file

@ -4,11 +4,19 @@
block:
- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent"
debug:
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
register: var_log_audit_mount_absent
changed_when: var_log_audit_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.6.1' ]"
warn_count: "{{ warn_count|int + 1 }}"
when:
- required_mount not in mount_names
- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."
@ -58,4 +66,4 @@
- skip_ansible_lint
- rule_1.1.6.2
- rule_1.1.6.3
- rule_1.1.6.4
- rule_1.1.6.4

10
tasks/section_1/cis_1.1.7.x.yml
View file

@ -4,11 +4,19 @@
block:
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent"
debug:
msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task"
msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
register: home_mount_absent
changed_when: home_mount_absent.skipped is undefined
when:
- required_mount not in mount_names
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.1.7.1' ]"
warn_count: "{{ warn_count|int + 1 }}"
when:
- required_mount not in mount_names
- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present"
debug:
msg: "Congratulations: {{ required_mount }} exists."

2
tasks/section_1/cis_1.1.8.x.yml
View file

@ -25,7 +25,7 @@
src: tmpfs
fstype: tmpfs
state: mounted
opts: defaults,{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %}
opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %}
when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout"
notify: change_requires_reboot
when:

12
tasks/section_1/cis_1.2.x.yml
View file

@ -25,7 +25,8 @@
when:
- rhel9cis_rule_1_2_2
- ansible_distribution == "RedHat" or
ansible_distribution == "Rocky"
ansible_distribution == "Rocky" or
ansible_distribution == "AlmaLinux"
tags:
- level1-server
- level1-workstation
@ -45,7 +46,7 @@
- name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos"
replace:
name: "{{ item.path }}"
regexp: '^gpgcheck\s+=\s+0'
regexp: "^gpgcheck=0"
replace: "gpgcheck=1"
with_items:
- "{{ yum_repos.files }}"
@ -74,8 +75,13 @@
- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list"
debug:
msg:
- "Warning! Below are the configured repos. Please review and make sure all align with site policy"
- "Warning!! Below are the configured repos. Please review and make sure all align with site policy"
- "{{ dnf_configured.stdout_lines }}"
- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Warn Count"
set_fact:
control_number: "{{ control_number }} + ['rule_1.2.4']"
warn_count: "{{ warn_count|int + 1 }}"
when:
- rhel9cis_rule_1_2_4
tags:

8
tasks/section_1/cis_1.6.1.x.yml
View file

@ -80,6 +80,12 @@
debug:
msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}"
when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0
- name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_1.6.1.5 ]"
warn_count: "{{ warn_count|int + 1 }}"
when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0
when:
- rhel9cis_rule_1_6_1_5
tags:
@ -115,4 +121,4 @@
- level1-workstation
- automated
- patch
- rule_1.6.1.7
- rule_1.6.1.7

9
tasks/section_2/cis_2.4.yml
View file

@ -12,9 +12,14 @@
- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services"
debug:
msg:
- "Warning! Below are the list of services, both active and inactive"
- "Warning!! Below are the list of services, both active and inactive"
- "Please review to make sure all are essential"
- "{{ rhel9cis_2_4_services.stdout_lines }}"
- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Warn Count"
set_fact:
control_number: "{{ control_number }} + ['rule_2.4']"
warn_count: "{{ warn_count|int + 1 }}"
when:
- rhel9cis_rule_2_4
tags:
@ -23,4 +28,4 @@
- manual
- audit
- services
- rule_2.4
- rule_2.4

41
tasks/section_3/cis_3.4.2.x.yml
View file

@ -5,6 +5,7 @@
name: nftables
state: present
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_1
tags:
- level1-server
@ -17,22 +18,11 @@
# The control allows the service it be masked or not installed
# We have chosen not installed
- name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables"
block:
- name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | mask service"
systemd:
name: firewalld
masked: true
state: stopped
when:
- rhel9cis_nftables_firewalld_state == "masked"
- name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | pkg removed"
package:
name: firewalld
state: absent
when:
- rhel9cis_nftables_firewalld_state == "absent"
package:
name: firewalld
state: absent
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_2
tags:
- level1-server
@ -59,6 +49,7 @@
name: iptables-service
state: absent
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_3
tags:
- level1-server
@ -105,17 +96,26 @@
- name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables"
debug:
msg:
- "Warning! You currently have no nft tables, please review your setup"
- "Warning!! You currently have no nft tables, please review your setup"
- 'Use the command "nft create table inet <table name>" to create a new table'
when:
- rhel9cis_3_4_2_5_nft_tables.stdout | length == 0
- not rhel9cis_nft_tables_autonewtable
- name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_3.4.2.5' ]"
warn_count: "{{ warn_count|int + 1 }}"
when:
- rhel9cis_3_4_2_5_nft_tables.stdout | length == 0
- not rhel9cis_nft_tables_autonewtable
- name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed"
command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}"
failed_when: no
when: rhel9cis_nft_tables_autonewtable
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_5
tags:
- level1-server
@ -167,11 +167,12 @@
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; }
when: rhel9cis_nft_tables_autochaincreate
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_6
tags:
- level1-server
- level1-workstation
- automated
- automate
- patch
- nftables
- rule_3.4.2.6
@ -208,6 +209,7 @@
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout'
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_7
tags:
- level1-server
@ -255,6 +257,7 @@
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout'
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_8
tags:
- level1-server
@ -306,6 +309,7 @@
command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout'
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_9
tags:
- level1-server
@ -320,6 +324,7 @@
name: nftables
enabled: yes
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_10
tags:
- level1-server
@ -332,9 +337,11 @@
- name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent"
lineinfile:
path: /etc/sysconfig/nftables.conf
state: present
insertafter: EOF
line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}"
when:
- rhel9cis_firewall == "nftables"
- rhel9cis_rule_3_4_2_11
tags:
- level1-server

21
tasks/section_4/cis_4.2.2.x.yml
View file

@ -41,6 +41,7 @@
state: started
enabled: yes
when:
- rhel9cis_system_is_log_server
- rhel9cis_rule_4_2_2_1_3
tags:
- level1-server
@ -52,11 +53,12 @@
- name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client"
systemd:
name: systemd-journal-remote
name: systemd-journal-remote.socket
state: stopped
enabled: no
masked: yes
when:
- not rhel9cis_system_is_log_server
- rhel9cis_rule_4_2_2_1_4
tags:
- level1-server
@ -83,7 +85,13 @@
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status"
debug:
msg:
- "Warning! The status of systemd-journald should be static and it is not. Please investigate"
- "Warning!! The status of systemd-journald should be static and it is not. Please investigate"
when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
- name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_4.2.2.2' ]"
warn_count: "{{ warn_count|int + 1 }}"
when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
when:
- rhel9cis_rule_4_2_2_2
@ -134,7 +142,6 @@
notify: restart systemd_journal_upload
when:
- rhel9cis_rule_4_2_2_5
- rhel9cis_preferred_log_capture == "journald"
tags:
- level1-server
- level2-workstation
@ -190,9 +197,13 @@
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings"
debug:
msg:
- "Warning! Below are the current default settings for journald, please confirm they align with your site policies"
# - "{{ rhel9cis_4_2_2_7_override_settings.stdout_lines }}"
- "Warning!! Below are the current default settings for journald, please confirm they align with your site policies"
- "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}"
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Warn Count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_4.2.2.7' ]"
warn_count: "{{ warn_count|int + 1 }}"
when:
- rhel9cis_rule_4_2_2_7
tags:

12
tasks/section_5/cis_5.6.1.x.yml
View file

@ -78,7 +78,7 @@
- password
- rule_5.6.1.4
- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past"
- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past"
block:
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time"
shell: echo $(($(date --utc --date "$1" +%s)/86400))
@ -101,7 +101,15 @@
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
debug:
msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
msg: "Warning!! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}"
when:
- rhel9cis_5_6_1_5_user_list.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
- name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_5.6.1.5' ]"
warn_count: "{{ warn_count|int + 1 }}"
when:
- rhel9cis_5_6_1_5_user_list.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix

9
tasks/section_6/cis_6.1.x.yml
View file

@ -12,7 +12,7 @@
- name: "6.1.1 | AUDIT | Audit system file permissions | Create list and warning"
block:
- name: "6.1.1 | Audit system file permissions | Add file discrepancy list to system"
- name: "6.1.1 | AUDIT | Audit system file permissions | Add file discrepancy list to system"
copy:
dest: "{{ rhel9cis_rpm_audit_file }}"
content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}"
@ -20,8 +20,13 @@
- name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies"
debug:
msg: |
"Warning! You have some package descrepancies issues.
"Warning!! You have some package descrepancies issues.
The file list can be found in {{ rhel9cis_rpm_audit_file }}"
- name: "6.1.1 | AUDIT | Audit system file permissions | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_6.1.1' ]"
warn_count: "{{ warn_count|int + 1 }}"
when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0
- name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies"

80
tasks/section_6/cis_6.2.x.yml
View file

@ -29,12 +29,18 @@
- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files"
debug:
msg: "Good News! There are no users that have non-existent GUIDs (Groups)"
when: rhel9cis_6_2_2_passwd_gid_check.stdout | length == 0
when: rhel9cis_6_2_2_passwd_gid_check.stdout is not defined
- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group"
debug:
msg: "Warning! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}"
when: rhel9cis_6_2_2_passwd_gid_check.stdout | length > 0
msg: "Warning!! The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}"
when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined
- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_6.2.2' ]"
warn_count: "{{ warn_count|int + 1 }}"
when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined
when:
- rhel9cis_rule_6_2_2
tags:
@ -57,12 +63,18 @@
- name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist"
debug:
msg: "Good News! There are no duplicate UID's in the system"
when: rhel9cis_6_2_3_user_uid_check.stdout | length == 0
when: rhel9cis_6_2_3_user_uid_check.stdout is not defined
- name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs"
debug:
msg: "Warning! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}"
when: rhel9cis_6_2_3_user_uid_check.stdout | length > 0
msg: "Warning!! The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}"
when: rhel9cis_6_2_3_user_uid_check.stdout is defined
- name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_6.2.3' ]"
warn_count: "{{ warn_count|int + 1 }}"
when: rhel9cis_6_2_3_user_uid_check.stdout is defined
when:
- rhel9cis_rule_6_2_3
tags:
@ -85,12 +97,19 @@
- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist"
debug:
msg: "Good News! There are no duplicate GIDs in the system"
when: rhel9cis_6_2_4_user_user_check.stdout | length == 0
when: rhel9cis_6_2_4_user_user_check.stdout is not defined
- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs"
debug:
msg: "Warning! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}"
when: rhel9cis_6_2_4_user_user_check.stdout | length > 0
msg: "Warning!! The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}"
when: rhel9cis_6_2_4_user_user_check.stdout is defined
- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_6.2.4' ]"
warn_count: "{{ warn_count|int + 1 }}"
when: rhel9cis_6_2_4_user_user_check.stdout is defined
when:
- rhel9cis_rule_6_2_4
tags:
@ -113,12 +132,18 @@
- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist"
debug:
msg: "Good News! There are no duplicate user names in the system"
when: rhel9cis_6_2_5_user_username_check.stdout | length == 0
when: rhel9cis_6_2_5_user_username_check.stdout is not defined
- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names"
debug:
msg: "Warning! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}"
when: rhel9cis_6_2_5_user_username_check.stdout | length > 0
msg: "Warning!! The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}"
when: rhel9cis_6_2_5_user_username_check.stdout is defined
- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_6.2.5' ]"
warn_count: "{{ warn_count|int + 1 }}"
when: rhel9cis_6_2_5_user_username_check.stdout is defined
when:
- rhel9cis_rule_6_2_5
tags:
@ -142,12 +167,18 @@
- name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist"
debug:
msg: "Good News! There are no duplicate group names in the system"
when: rhel9cis_6_2_6_group_group_check.stdout | length == 0
when: rhel9cis_6_2_6_group_group_check.stdout is defined
- name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names"
debug:
msg: "Warning! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}"
when: rhel9cis_6_2_6_group_group_check.stdout | length > 0
msg: "Warning!! The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}"
when: rhel9cis_6_2_6_group_group_check.stdout is not defined
- name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | warning count"
set_fact:
control_number: "{{ control_number }} + [ 'rule_6.2.6' ]"
warn_count: "{{ warn_count|int + 1 }}"
when: rhel9cis_6_2_6_group_group_check.stdout is not defined
when:
- rhel9cis_rule_6_2_6
tags:
@ -230,7 +261,7 @@
stat:
path: "{{ item }}"
register: rhel_08_6_2_9_audit
with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<', max_int_uid | int ) | map(attribute='dir') | list }}"
with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<=', max_int_uid | int ) | map(attribute='dir') | list }}"
- name: "6.2.9 | AUDIT | Ensure all users' home directories exist"
command: find -H {{ item.0 | quote }} -not -type l -perm /027
@ -270,7 +301,8 @@
recursive: yes
etype: "{{ item.1.etype }}"
permissions: "{{ item.1.mode }}"
when: not system_is_container
when:
- not system_is_container
with_nested:
- "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results |
rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
@ -299,7 +331,8 @@
loop_control:
label: "{{ rhel9cis_passwd_label }}"
when:
- min_int_uid | int <= item.uid
- item.uid >= min_int_uid | int
- item.id != 'nobody'
- rhel9cis_rule_6_2_10
tags:
- skip_ansible_lint # settings found on 6_2_7
@ -315,7 +348,7 @@
- name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
stat:
path: "{{ item }}"
with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '<', max_int_uid | int ) | map(attribute='dir') | list }}"
with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | map(attribute='dir') | list }}"
register: rhel_08_6_2_11_audit
- name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
@ -356,7 +389,8 @@
recursive: yes
etype: "{{ item.1.etype }}"
permissions: "{{ item.1.mode }}"
when: not system_is_container
when:
- not system_is_container
with_nested:
- "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results |
rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
@ -427,8 +461,8 @@
- name: "6.2.14 | PATCH | Ensure no users have .forward files"
file:
path: "~{{ item }}/.forward"
state: absent
dest: "~{{ item }}/.forward"
with_items:
- "{{ users.stdout_lines }}"
when:
@ -444,8 +478,8 @@
- name: "6.2.15 | PATCH | Ensure no users have .netrc files"
file:
path: "~{{ item }}/.netrc"
state: absent
dest: "~{{ item }}/.netrc"
with_items:
- "{{ users.stdout_lines }}"
when:
@ -461,8 +495,8 @@
- name: "6.2.16 | PATCH | Ensure no users have .rhosts files"
file:
path: "~{{ item }}/.rhosts"
state: absent
dest: "~{{ item }}/.rhosts"
with_items: "{{ users.stdout_lines }}"
when:
- rhel9cis_rule_6_2_16

6
vars/main.yml
View file

@ -1,8 +1,12 @@
---
# vars file for RHEL9-CIS
min_ansible_version: 2.10
min_ansible_version: 2.9.4
rhel9cis_allowed_crypto_policies:
- 'DEFAULT'
- 'FUTURE'
- 'FIPS'
# Used to control warning summary
control_number: ""
warn_count: 0