Merge pull request #368 from ansible-lockdown/devel

July 25 Release to main

tasks/auditd.yml

@@ -25,7 +25,7 @@
     dest: /etc/audit/rules.d/99_auditd.rules
     owner: root
     group: root
-    mode: 'u-x,go-wx'
+    mode: 'u-x,g-wx,o-rwx'
   diff: "{{ discovered_auditd_rules_file.stat.exists }}"  # Only run diff if not a new file
   register: discovered_auditd_rules_template_updated
   notify:

tasks/section_1/cis_1.1.2.6.x.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: "1/.1 | PATCH | Ensure /var/log is a separate partition"
+- name: "1.1.2.6.1 | PATCH | Ensure /var/log is a separate partition"
   when:
     - rhel9cis_rule_1_1_2_6_1
     - required_mount not in prelim_mount_names

tasks/section_1/cis_1.1.2.7.x.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: "1/.1 | PATCH | Ensure /var/log/audit is a separate partition"
+- name: "1.1.2.7.1 | PATCH | Ensure /var/log/audit is a separate partition"
   when:
     - rhel9cis_rule_1_1_2_7_1
     - required_mount not in prelim_mount_names

tasks/section_1/main.yml

@@ -41,7 +41,7 @@
     file: cis_1.2.2.x.yml
 
 - name: "SECTION | 1.3.1 | Configure SELinux"
-  ansible.builtin.include_tasks:
+  ansible.builtin.import_tasks:
     file: cis_1.3.1.x.yml
 
 - name: "SECTION | 1.4 | Configure Bootloader"

tasks/section_3/cis_3.3.x.yml

@@ -240,12 +240,12 @@
     - rule_3.3.9
     - NIST800-53R5_AU-3
   block:
-    - name: "3.3.4 | PATCH | Ensure suspicious packets are logged | Set Fact"
+    - name: "3.3.9 | PATCH | Ensure suspicious packets are logged | Set Fact"
       ansible.builtin.set_fact:
         rhel9cis_sysctl_update: true
         rhel9cis_flush_ipv4_route: true
 
-    - name: "3.3.4 | PATCH | Ensure suspicious packets are logged"
+    - name: "3.3.9 | PATCH | Ensure suspicious packets are logged"
       ansible.builtin.debug:
         msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
 

tasks/section_5/cis_5.4.2.x.yml

@@ -61,7 +61,7 @@
     - level1-server
     - level1-workstation
     - patch
-    - rule_5.4.2.2
+    - rule_5.4.2.3
     - user
     - system
     - NIST800-53R5_CM-1
@@ -135,6 +135,22 @@
       ansible.builtin.set_fact:
         root_paths: "{{ discovered_root_paths.stdout }}"
 
+    - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for presence of non-dirs"
+      ansible.builtin.stat:
+        path: "{{ item }}"
+      loop: "{{ discovered_root_paths_split.stdout_lines }}"
+      register: paths_stat
+
+    - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Create dirs for some paths that are not dirs"
+      ansible.builtin.file:
+        path: "{{ item.item }}"
+        state: directory
+        owner: root
+        group: root
+        mode: 'go-w'
+      loop: "{{ paths_stat.results }}"
+      when: not item.stat.exists
+
     - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs"
       when: discovered_root_paths is defined
       ansible.builtin.shell: 'echo {{ root_paths }} | grep -q "::" && echo "roots path contains a empty directory (::)"'

tasks/section_6/cis_6.3.4.x.yml

@@ -27,9 +27,9 @@
     - level2-workstation
     - patch
     - auditd
-    - rule_6.3.4.1
     - rule_6.3.4.2
     - rule_6.3.4.3
+    - rule_6.3.4.4
     - NIST800-53R5_AU-3
   ansible.builtin.file:
     path: "{{ prelim_auditd_logfile.stdout }}"

templates/audit/99_auditd.rules.j2

@@ -56,8 +56,10 @@
 -w /etc/issue -p wa -k system-locale
 -w /etc/issue.net -p wa -k system-locale
 -w /etc/hosts -p wa -k system-locale
+-w /etc/hostname -p wa -k system-locale
 -w /etc/sysconfig/network -p wa -k system-locale
 -w /etc/sysconfig/network-scripts -p wa -k system-locale
+-w /etc/NetworkManager -p wa -k system-locale
 {% endif %}
 {% if rhel9cis_rule_6_3_3_6 %}
 {% for proc in discovered_priv_procs.stdout_lines -%}