diff --git a/Changelog.md b/Changelog.md
index 6933ff5..38005bb 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -1,5 +1,10 @@
 # Changes to rhel9CIS
+## 1.0.4
+
+#40 tmp systemd file variable naming update
+#41 5.3.7 logic and rewrite - tidy up prelim for sugroup work - audit updated
+
 ## 1.0.3
 Update to auditd components improve idempotency and tidy up
diff --git a/defaults/main.yml b/defaults/main.yml
index fb188b0..836f16f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -645,11 +645,9 @@ rhel9cis_shell_session_timeout:
 # RHEL-09-5.4.1.5 Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords
 rhel9cis_futurepwchgdate_autofix: true
-# 5.7
-# rhel9cis_sugroup: sugroup # change accordingly wheel is default
+# 5.3.7
+rhel9cis_sugroup: nosugroup
-# wheel users list please supply comma seperated e.g. "vagrant,root"
-rhel9cis_sugroup_users: "root"
 ## Section6 vars
@@ -660,13 +658,10 @@ rhel9cis_rpm_audit_file: /var/tmp/rpm_file_check
 rhel9cis_no_world_write_adjust: true
 rhel9cis_passwd_label: "{{ (this_item | default(item)).id }}: {{ (this_item | default(item)).dir }}"
-
 # 6.2.16
 ## Dont follow symlinks for changes to user home directory thanks to @dulin-gnet and comminty for rhel8-cis reedbacj
 rhel_09_6_2_16_home_follow_symlinks: false
-
-
 #### Goss Configuration Settings ####
 # Set correct env for the run_audit.sh script from https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
 audit_run_script_environment:
diff --git a/handlers/main.yml b/handlers/main.yml
index 968e9e6..c4b27e7 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -31,7 +31,7 @@
 daemon_reload: true
 enabled: true
 masked: false
- state: Reloaded
+ state: reloaded
 - name: Remount tmp
 ansible.posix.mount:
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index c05ddb3..2947e6a 100644
--- a/tasks/pre_remediation_audit.yml
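Review bot: `rhel9cis_sugroup: nosugroup` turns a commented-out example into a live default, but the only documentation left on it is the heading `# 5.3.7`, and the removed comment that explained the wheel behaviour goes with it. Since the 5.3.7 tasks in this commit create that group and remove all of its members, the default means no account can use su at all on a remediated host, which reads as the benchmark's intent but is a change operators should see in the defaults before they roll it out. A comment such as `# 5.3.7 Group pam_wheel restricts su to; the role creates it and empties its member list, so with this default nobody can su. Use a dedicated group, not wheel` would carry that. `rhel9cis_sugroup_users` is dropped without a note, so anyone still setting it in inventory now has it silently ignored.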
+++ b/tasks/pre_remediation_audit.yml
@@ -21,6 +21,10 @@
 when:
 - audit_content == 'git'
+- name: Pre Audit | confirm audit branch vs benchmark version
+ ansible.builtin.debug:
+ msg: "Audit will run the branch {{ audit_git_version }} for this Benchmark {{ benchmark_version }}"
+
 - name: Pre Audit | copy to audit content files to server
 ansible.builtin.copy:
 src: "{{ audit_local_copy }}"
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index e674fb6..f555337 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -226,26 +226,6 @@
 - rule_5.3.4
 - rule_5.3.5
-- name: "PRELIM | Check sugroup exists if used"
- block:
- - name: "PRELIM | Check su group exists if defined"
- ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
- register: sugroup_exists
- changed_when: false
- failed_when: sugroup_exists.rc >= 2
- tags:
- - skip_ansible_lint
-
- - name: "PRELIM | Check sugroup if defined exists before continuing"
- ansible.builtin.assert:
- that: sugroup_exists.rc == 0
- msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
- when:
- - rhel9cis_sugroup is defined
- - rhel9cis_rule_5_7
- tags:
- - rule_5.7
-
 - name: "PRELIM | Discover Interactive UID MIN and MIN from logins.def"
 block:
 - name: "PRELIM | Capture UID_MIN information from logins.def"
diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml
index 0443781..2f63b23 100644
--- a/tasks/section_5/cis_5.3.x.yml
+++ b/tasks/section_5/cis_5.3.x.yml
@@ -109,17 +109,25 @@
 - name: "5.3.7 | PATCH | Ensure access to the su command is restricted"
 block:
+
+ - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Ensure sugroup exists"
+ ansible.builtin.group:
+ name: "{{ rhel9cis_sugroup }}"
+ state: present
+ register: rhel9cis_5_3_7_sugroup
+
+ - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | remove users from group"
+ ansible.builtin.lineinfile:
+ path: /etc/group
+ regexp: '^{{ rhel9cis_sugroup }}(:.:.*:).*$'
+ line: '{{ rhel9cis_sugroup }}\g<1>'
+ backrefs: true
+
 - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
 ansible.builtin.lineinfile:
 path: /etc/pam.d/su
 regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
- line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'
-
- - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root"
- ansible.builtin.user:
- name: "{{ item }}"
- groups: "{{ rhel9cis_sugroup | default('wheel') }}"
- loop: "{{ rhel9cis_sugroup_users }}"
+ line: 'auth required pam_wheel.so use_uid group={{ rhel9cis_sugroup }}'
 when:
 - rhel9cis_rule_5_3_7
 tags:
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
index caa87ce..8749fc1 100644
--- a/templates/ansible_vars_goss.yml.j2
+++ b/templates/ansible_vars_goss.yml.j2
@@ -508,7 +508,4 @@ rhel9cis_pass:
 warn_age: {{ rhel9cis_pass['warn_age'] }}
 ## 5.3.7 set sugroup if differs from wheel
-rhel9cis_sugroup: {% if rhel9cis_sugroup is undefined %}wheel{% else %}{{ rhel9cis_sugroup }}{% endif %}
-
-## 5.3.7 sugroup users list
-rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }}
+rhel9cis_sugroup: {{ rhel9cis_sugroup }}
diff --git a/templates/etc/systemd/system/tmp.mount.j2 b/templates/etc/systemd/system/tmp.mount.j2
index f2c4fe2..3f689ee 100644
--- a/templates/etc/systemd/system/tmp.mount.j2
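Review bot: The new `remove users from group` task empties whatever group `rhel9cis_sugroup` names with no guard on which group that is, so an inventory that still sets it to `wheel` (the fallback the removed `groups:` line assumed) also strips every administrator's sudo group on hosts where this role has likely already disabled direct root login. A check before the lineinfile such as `- ansible.builtin.assert:` / `that: rhel9cis_sugroup != 'wheel'` / `fail_msg: "rhel9cis_sugroup must be a dedicated empty group, refusing to empty wheel"` would turn that into an explicit failure instead of a lockout. Rewriting /etc/group directly also leaves the member list in /etc/gshadow as it was, so the two files presumably drift until grpck is run; removing members through gpasswd, or a matching lineinfile on /etc/gshadow, keeps them consistent. The regexp `(:.:.*:)` assumes a one-character password field, so a group line with an empty second field would not match and would be silently left alone. `rhel9cis_5_3_7_sugroup` is registered but not read anywhere in the hunk, and the block's `when:` and `tags:` continue past it.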
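Review bot: The rendered line `rhel9cis_sugroup: {{ rhel9cis_sugroup }}` leaves the value unquoted, so a group name YAML retypes (all digits, `no`, `on`, or one starting with `*` or `@`) reaches the audit as a non-string or fails to parse; `rhel9cis_sugroup: "{{ rhel9cis_sugroup }}"` avoids that. The context comment `## 5.3.7 set sugroup if differs from wheel` above it describes the removed wheel fallback and is now stale; `## 5.3.7 su group (created empty by the role)` reflects the new behaviour.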
+++ b/templates/etc/systemd/system/tmp.mount.j2
@@ -23,8 +23,8 @@ After=swap.target
 What=tmpfs
 Where=/tmp
 Type=tmpfs
-Options=mode=1777,strictatime,{% if rhel9cis_rule_1_1_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_4 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_5 %}noexec{% endif %}
+Options=mode=1777,strictatime,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec{% endif %}
 # Make 'systemctl enable tmp.mount' work:
 [Install]
-WantedBy=local-fs.target
\ No newline at end of file
+WantedBy=local-fs.target