diff --git a/Changelog.md b/Changelog.md index 03e4878..b120eee 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,16 @@ # Changes to rhel9CIS +## 0.2 + +- not all controls work with rhel8 releases any longer + - selinux disabled 1.6.1.4 + - logrotate - 4.3.x +- updated to rhel8cis v2.0 benchamrk requirements +- removed iptables firewall controls (not valid on rhel9) +- added more to logrotate 4.3.x - sure to logrotate now a seperate package +- grub path now standard to /boot/grub2/grub.cfg +- 1.6.1.4 from rh8 removed as selinux.cfg doesnt disable selinux any longer + ## 0.1 - change to include statements diff --git a/README.md b/README.md index d629e1f..048c85f 100644 --- a/README.md +++ b/README.md @@ -11,8 +11,9 @@ ![Release](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS?style=plastic) Configure RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant with RHEL8 settings (RHEL9 not yet released) +Based on v2.0.0 RHEL8 -Based on [CIS RedHat Enterprise Linux 8 Benchmark v1.0.1 - 05-19-2021 ](https://www.cisecurity.org/cis-benchmarks/) +Based on [CIS RedHat Enterprise Linux 8 Benchmark v2.0.0. - 02-23-2022 ](https://www.cisecurity.org/cis-benchmarks/) ## Join us diff --git a/defaults/main.yml b/defaults/main.yml index 23f8efd..02b0422 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,7 +1,6 @@ --- # defaults file for rhel9-cis -rhel9cis_skip_for_travis: false system_is_container: false container_vars_file: is_container.yml # rhel9cis is left off the front of this var for consistency in testing pipeline @@ -11,7 +10,6 @@ system_is_ec2: false # Run the OS validation check os_check: true -rhel9cis_notauto: false rhel9cis_section1: true rhel9cis_section2: true rhel9cis_section3: true @@ -19,6 +17,10 @@ rhel9cis_section4: true rhel9cis_section5: true rhel9cis_section6: true +# This is used for audit purposes to run only specifc level use the tags +# e.g. +# - level1-server +# - level2-workstation rhel9cis_level_1: true rhel9cis_level_2: true @@ -36,6 +38,9 @@ benchmark: RHEL9-CIS # Whether to skip the reboot skip_reboot: true +# default value will change to true but wont reboot if not enabled but will error +change_requires_reboot: false + #### Basic external goss audit enablement settings #### #### Precise details - per setting can be found at the bottom of this file #### @@ -54,7 +59,7 @@ audit_content: git run_audit: false # Timeout for those cmds that take longer to run where timeout set -audit_cmd_timeout: 30000 +audit_cmd_timeout: 60000 ### End Goss enablements #### #### Detailed settings found at the end of this document #### @@ -67,74 +72,77 @@ audit_cmd_timeout: 30000 rhel9cis_rule_1_1_1_1: true rhel9cis_rule_1_1_1_2: true rhel9cis_rule_1_1_1_3: true -rhel9cis_rule_1_1_1_4: true -rhel9cis_rule_1_1_1_5: true -rhel9cis_rule_1_1_2: true -rhel9cis_rule_1_1_3: true -rhel9cis_rule_1_1_4: true -rhel9cis_rule_1_1_5: true -rhel9cis_rule_1_1_6: true -rhel9cis_rule_1_1_7: true -rhel9cis_rule_1_1_8: true -rhel9cis_rule_1_1_9: true -rhel9cis_rule_1_1_10: true -rhel9cis_rule_1_1_11: true -rhel9cis_rule_1_1_12: true -rhel9cis_rule_1_1_13: true -rhel9cis_rule_1_1_14: true -rhel9cis_rule_1_1_15: true -rhel9cis_rule_1_1_16: true -rhel9cis_rule_1_1_17: true +rhel9cis_rule_1_1_2_1: true +rhel9cis_rule_1_1_2_2: true +rhel9cis_rule_1_1_2_3: true +rhel9cis_rule_1_1_2_4: true +rhel9cis_rule_1_1_3_1: true +rhel9cis_rule_1_1_3_2: true +rhel9cis_rule_1_1_3_3: true +rhel9cis_rule_1_1_3_4: true +rhel9cis_rule_1_1_4_1: true +rhel9cis_rule_1_1_4_2: true +rhel9cis_rule_1_1_4_3: true +rhel9cis_rule_1_1_4_4: true +rhel9cis_rule_1_1_5_1: true +rhel9cis_rule_1_1_5_2: true +rhel9cis_rule_1_1_5_3: true +rhel9cis_rule_1_1_5_4: true +rhel9cis_rule_1_1_6_1: true +rhel9cis_rule_1_1_6_2: true +rhel9cis_rule_1_1_6_3: true +rhel9cis_rule_1_1_6_4: true +rhel9cis_rule_1_1_7_1: true +rhel9cis_rule_1_1_7_2: true +rhel9cis_rule_1_1_7_3: true +rhel9cis_rule_1_1_7_4: true +rhel9cis_rule_1_1_7_5: true +rhel9cis_rule_1_1_8_1: true +rhel9cis_rule_1_1_8_2: true +rhel9cis_rule_1_1_8_3: true rhel9cis_rule_1_1_18: true rhel9cis_rule_1_1_19: true rhel9cis_rule_1_1_20: true rhel9cis_rule_1_1_21: true -rhel9cis_rule_1_1_22: true -rhel9cis_rule_1_1_23: true +rhel9cis_rule_1_1_9: true +rhel9cis_rule_1_1_10: true rhel9cis_rule_1_2_1: true rhel9cis_rule_1_2_2: true rhel9cis_rule_1_2_3: true rhel9cis_rule_1_2_4: true -rhel9cis_rule_1_2_5: true rhel9cis_rule_1_3_1: true rhel9cis_rule_1_3_2: true -rhel9cis_rule_1_3_3: true rhel9cis_rule_1_4_1: true rhel9cis_rule_1_4_2: true +rhel9cis_rule_1_4_3: true rhel9cis_rule_1_5_1: true rhel9cis_rule_1_5_2: true rhel9cis_rule_1_5_3: true -rhel9cis_rule_1_6_1: true -rhel9cis_rule_1_6_2: true -rhel9cis_rule_1_7_1_1: true -rhel9cis_rule_1_7_1_2: true -rhel9cis_rule_1_7_1_3: true -rhel9cis_rule_1_7_1_4: true -rhel9cis_rule_1_7_1_5: true -rhel9cis_rule_1_7_1_6: true -rhel9cis_rule_1_7_1_7: true -rhel9cis_rule_1_8_1_1: true -rhel9cis_rule_1_8_1_2: true -rhel9cis_rule_1_8_1_3: true -rhel9cis_rule_1_8_1_4: true -rhel9cis_rule_1_8_1_5: true -rhel9cis_rule_1_8_1_6: true +rhel9cis_rule_1_6_1_1: true +rhel9cis_rule_1_6_1_2: true +rhel9cis_rule_1_6_1_3: true +rhel9cis_rule_1_6_1_4: true +rhel9cis_rule_1_6_1_5: true +rhel9cis_rule_1_6_1_6: true +rhel9cis_rule_1_6_1_7: true +rhel9cis_rule_1_7_1: true +rhel9cis_rule_1_7_2: true +rhel9cis_rule_1_7_3: true +rhel9cis_rule_1_7_4: true +rhel9cis_rule_1_7_5: true +rhel9cis_rule_1_7_6: true +rhel9cis_rule_1_8_1: true rhel9cis_rule_1_8_2: true +rhel9cis_rule_1_8_3: true +rhel9cis_rule_1_8_4: true +rhel9cis_rule_1_8_5: true rhel9cis_rule_1_9: true rhel9cis_rule_1_10: true -rhel9cis_rule_1_11: true # Section 2 rules rhel9cis_rule_2_1_1: true rhel9cis_rule_2_1_2: true -rhel9cis_rule_2_1_3: true -rhel9cis_rule_2_1_4: true -rhel9cis_rule_2_1_5: true -rhel9cis_rule_2_1_6: true -rhel9cis_rule_2_1_7: true -rhel9cis_rule_2_2_1_1: true -rhel9cis_rule_2_2_1_2: true -rhel9cis_rule_2_2_1_3: true +rhel9cis_rule_2_2_1: true rhel9cis_rule_2_2_2: true rhel9cis_rule_2_2_3: true rhel9cis_rule_2_2_4: true @@ -152,53 +160,51 @@ rhel9cis_rule_2_2_15: true rhel9cis_rule_2_2_16: true rhel9cis_rule_2_2_17: true rhel9cis_rule_2_2_18: true +rhel9cis_rule_2_2_19: true +rhel9cis_rule_2_2_20: true rhel9cis_rule_2_3_1: true rhel9cis_rule_2_3_2: true rhel9cis_rule_2_3_3: true +rhel9cis_rule_2_3_4: true +rhel9cis_rule_2_3_5: true +rhel9cis_rule_2_3_6: true +rhel9cis_rule_2_4: true -# Section 3 rules + Section 3 rules rhel9cis_rule_3_1_1: true rhel9cis_rule_3_1_2: true +rhel9cis_rule_3_1_3: true +rhel9cis_rule_3_1_4: true rhel9cis_rule_3_2_1: true rhel9cis_rule_3_2_2: true -rhel9cis_rule_3_2_3: true -rhel9cis_rule_3_2_4: true -rhel9cis_rule_3_2_5: true -rhel9cis_rule_3_2_6: true -rhel9cis_rule_3_2_7: true -rhel9cis_rule_3_2_8: true -rhel9cis_rule_3_2_9: true rhel9cis_rule_3_3_1: true rhel9cis_rule_3_3_2: true rhel9cis_rule_3_3_3: true rhel9cis_rule_3_3_4: true +rhel9cis_rule_3_3_5: true +rhel9cis_rule_3_3_6: true +rhel9cis_rule_3_3_7: true +rhel9cis_rule_3_3_8: true +rhel9cis_rule_3_3_9: true rhel9cis_rule_3_4_1_1: true +rhel9cis_rule_3_4_1_2: true +rhel9cis_rule_3_4_1_3: true +rhel9cis_rule_3_4_1_4: true +rhel9cis_rule_3_4_1_5: true +rhel9cis_rule_3_4_1_6: true +rhel9cis_rule_3_4_1_7: true rhel9cis_rule_3_4_2_1: true rhel9cis_rule_3_4_2_2: true rhel9cis_rule_3_4_2_3: true rhel9cis_rule_3_4_2_4: true rhel9cis_rule_3_4_2_5: true rhel9cis_rule_3_4_2_6: true -rhel9cis_rule_3_4_3_1: true -rhel9cis_rule_3_4_3_2: true -rhel9cis_rule_3_4_3_3: true -rhel9cis_rule_3_4_3_4: true -rhel9cis_rule_3_4_3_5: true -rhel9cis_rule_3_4_3_6: true -rhel9cis_rule_3_4_3_7: true -rhel9cis_rule_3_4_3_8: true -rhel9cis_rule_3_4_4_1_1: true -rhel9cis_rule_3_4_4_1_2: true -rhel9cis_rule_3_4_4_1_3: true -rhel9cis_rule_3_4_4_1_4: true -rhel9cis_rule_3_4_4_1_5: true -rhel9cis_rule_3_4_4_2_1: true -rhel9cis_rule_3_4_4_2_2: true -rhel9cis_rule_3_4_4_2_3: true -rhel9cis_rule_3_4_4_2_4: true -rhel9cis_rule_3_4_4_2_5: true -rhel9cis_rule_3_5: true -rhel9cis_rule_3_6: true +rhel9cis_rule_3_4_2_7: true +rhel9cis_rule_3_4_2_8: true +rhel9cis_rule_3_4_2_9: true +rhel9cis_rule_3_4_2_10: true +rhel9cis_rule_3_4_2_11: true + # Section 4 rules rhel9cis_rule_4_1_1_1: true @@ -208,32 +214,48 @@ rhel9cis_rule_4_1_1_4: true rhel9cis_rule_4_1_2_1: true rhel9cis_rule_4_1_2_2: true rhel9cis_rule_4_1_2_3: true -rhel9cis_rule_4_1_3: true -rhel9cis_rule_4_1_4: true -rhel9cis_rule_4_1_5: true -rhel9cis_rule_4_1_6: true -rhel9cis_rule_4_1_7: true -rhel9cis_rule_4_1_8: true -rhel9cis_rule_4_1_9: true -rhel9cis_rule_4_1_10: true -rhel9cis_rule_4_1_11: true -rhel9cis_rule_4_1_12: true -rhel9cis_rule_4_1_13: true -rhel9cis_rule_4_1_14: true -rhel9cis_rule_4_1_15: true -rhel9cis_rule_4_1_16: true -rhel9cis_rule_4_1_17: true +rhel9cis_rule_4_1_3_1: true +rhel9cis_rule_4_1_3_2: true +rhel9cis_rule_4_1_3_3: true +rhel9cis_rule_4_1_3_4: true +rhel9cis_rule_4_1_3_5: true +rhel9cis_rule_4_1_3_6: true +rhel9cis_rule_4_1_3_7: true +rhel9cis_rule_4_1_3_8: true +rhel9cis_rule_4_1_3_9: true +rhel9cis_rule_4_1_3_10: true +rhel9cis_rule_4_1_3_11: true +rhel9cis_rule_4_1_3_12: true +rhel9cis_rule_4_1_3_13: true +rhel9cis_rule_4_1_3_14: true +rhel9cis_rule_4_1_3_15: true +rhel9cis_rule_4_1_3_16: true +rhel9cis_rule_4_1_3_17: true +rhel9cis_rule_4_1_3_18: true +rhel9cis_rule_4_1_3_19: true +rhel9cis_rule_4_1_3_20: true +rhel9cis_rule_4_1_3_21: true rhel9cis_rule_4_2_1_1: true rhel9cis_rule_4_2_1_2: true rhel9cis_rule_4_2_1_3: true rhel9cis_rule_4_2_1_4: true rhel9cis_rule_4_2_1_5: true rhel9cis_rule_4_2_1_6: true -rhel9cis_rule_4_2_2_1: true +rhel9cis_rule_4_2_1_7: true +rhel9cis_rule_4_2_2_1_1: true +rhel9cis_rule_4_2_2_1_2: true +rhel9cis_rule_4_2_2_1_3: true +rhel9cis_rule_4_2_2_1_4: true rhel9cis_rule_4_2_2_2: true rhel9cis_rule_4_2_2_3: true +rhel9cis_rule_4_2_2_4: true +rhel9cis_rule_4_2_2_5: true +rhel9cis_rule_4_2_2_6: true +rhel9cis_rule_4_2_2_7: true rhel9cis_rule_4_2_3: true -rhel9cis_rule_4_3: true +rhel9cis_rule_4_3_1: true +rhel9cis_rule_4_3_2: true +rhel9cis_rule_4_3_3: true # Section 5 rules rhel9cis_rule_5_1_1: true @@ -244,6 +266,7 @@ rhel9cis_rule_5_1_5: true rhel9cis_rule_5_1_6: true rhel9cis_rule_5_1_7: true rhel9cis_rule_5_1_8: true +rhel9cis_rule_5_1_9: true rhel9cis_rule_5_2_1: true rhel9cis_rule_5_2_2: true rhel9cis_rule_5_2_3: true @@ -267,21 +290,26 @@ rhel9cis_rule_5_2_20: true rhel9cis_rule_5_3_1: true rhel9cis_rule_5_3_2: true rhel9cis_rule_5_3_3: true +rhel9cis_rule_5_3_4: true +rhel9cis_rule_5_3_5: true +rhel9cis_rule_5_3_6: true +rhel9cis_rule_5_3_7: true rhel9cis_rule_5_4_1: true rhel9cis_rule_5_4_2: true -rhel9cis_rule_5_4_3: true -rhel9cis_rule_5_4_4: true -rhel9cis_rule_5_5_1_1: true -rhel9cis_rule_5_5_1_2: true -rhel9cis_rule_5_5_1_3: true -rhel9cis_rule_5_5_1_4: true -rhel9cis_rule_5_5_1_5: true +rhel9cis_rule_5_5_1: true rhel9cis_rule_5_5_2: true rhel9cis_rule_5_5_3: true rhel9cis_rule_5_5_4: true rhel9cis_rule_5_5_5: true -rhel9cis_rule_5_6: true -rhel9cis_rule_5_7: true +rhel9cis_rule_5_6_1_1: true +rhel9cis_rule_5_6_1_2: true +rhel9cis_rule_5_6_1_3: true +rhel9cis_rule_5_6_1_4: true +rhel9cis_rule_5_6_1_5: true +rhel9cis_rule_5_6_2: true +rhel9cis_rule_5_6_3: true +rhel9cis_rule_5_6_4: true +rhel9cis_rule_5_6_5: true # Section 6 rules rhel9cis_rule_6_1_1: true @@ -298,6 +326,7 @@ rhel9cis_rule_6_1_11: true rhel9cis_rule_6_1_12: true rhel9cis_rule_6_1_13: true rhel9cis_rule_6_1_14: true +rhel9cis_rule_6_1_15: true rhel9cis_rule_6_2_1: true rhel9cis_rule_6_2_2: true rhel9cis_rule_6_2_3: true @@ -305,7 +334,7 @@ rhel9cis_rule_6_2_4: true rhel9cis_rule_6_2_5: true rhel9cis_rule_6_2_6: true rhel9cis_rule_6_2_7: true -rhel9cis_rule_6_2_8: false +rhel9cis_rule_6_2_8: true rhel9cis_rule_6_2_9: true rhel9cis_rule_6_2_10: true rhel9cis_rule_6_2_11: true @@ -314,51 +343,20 @@ rhel9cis_rule_6_2_13: true rhel9cis_rule_6_2_14: true rhel9cis_rule_6_2_15: true rhel9cis_rule_6_2_16: true -rhel9cis_rule_6_2_17: true -rhel9cis_rule_6_2_18: true -rhel9cis_rule_6_2_19: true -rhel9cis_rule_6_2_20: true -# Service configuration booleans set true to keep service -rhel9cis_avahi_server: false -rhel9cis_cups_server: false -rhel9cis_dhcp_server: false -rhel9cis_ldap_server: false -rhel9cis_telnet_server: false -rhel9cis_nfs_server: false -rhel9cis_rpc_server: false -rhel9cis_ntalk_server: false -rhel9cis_rsyncd_server: false -rhel9cis_tftp_server: false -rhel9cis_rsh_server: false -rhel9cis_nis_server: false -rhel9cis_snmp_server: false -rhel9cis_squid_server: false -rhel9cis_smb_server: false -rhel9cis_dovecot_server: false -rhel9cis_httpd_server: false -rhel9cis_vsftpd_server: false -rhel9cis_named_server: false -rhel9cis_nfs_rpc_server: false -rhel9cis_is_mail_server: false -rhel9cis_bind: false -rhel9cis_vsftpd: false -rhel9cis_httpd: false -rhel9cis_dovecot: false -rhel9cis_samba: false -rhel9cis_squid: false -rhel9cis_net_snmp: false -rhel9cis_allow_autofs: false ## Section 1 vars -# 1.1.2 +#### 1.1.2 # These settings go into the /etc/fstab file for the /tmp mount settings # The value must contain nosuid,nodev,noexec to conform to CIS standards # rhel9cis_tmp_tmpfs_settings: "defaults,rw,nosuid,nodev,noexec,relatime 0 0" # If set true uses the tmp.mount service else using fstab configuration rhel9cis_tmp_svc: false +#### 1.1.9 +rhel9cis_allow_autofs: false + # 1.2.1 # This is the login information for your RedHat Subscription # DO NOT USE PLAIN TEXT PASSWORDS!!!!! @@ -371,20 +369,16 @@ rhel9cis_rh_sub_password: password # RedHat Satellite Subscription items rhel9cis_rhnsd_required: false -# 1.3.3 var log location variable -rhel9cis_varlog_location: "/var/log/sudo.log" - -# xinetd required -rhel9cis_xinetd_required: false # 1.4.2 Bootloader password rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' rhel9cis_bootloader_password: random rhel9cis_set_boot_pass: false -# 1.10/1.11 Set crypto policy (LEGACY, DEFAULT, FUTURE, FIPS) -# Control 1.10 sates not ot use LEGACY and control 1.11 says to use FUTURE or FIPS. -rhel9cis_crypto_policy: "FUTURE" + +# 1.10 Set crypto policy DEFAULT +# Control 1.10 states not to use LEGACY +rhel9cis_crypto_policy: "DEFAULT" # System network parameters (host only OR host and router) rhel9cis_is_router: false @@ -397,7 +391,7 @@ rhel9cis_config_aide: true # AIDE cron settings rhel9cis_aide_cron: cron_user: root - cron_file: /etc/cron.d/aide.cron + cron_file: /etc/cron.d/aide_cron aide_job: '/usr/sbin/aide --check' aide_minute: 0 aide_hour: 5 @@ -409,105 +403,145 @@ rhel9cis_aide_cron: rhel9cis_selinux_pol: targeted # Whether or not to run tasks related to auditing/patching the desktop environment -rhel9cis_gui: false -# Set to 'true' if X Windows is needed in your environment -rhel9cis_xwindows_required: false +## 2. Services -rhel9cis_openldap_clients_required: false -rhel9cis_telnet_required: false -rhel9cis_talk_required: false -rhel9cis_rsh_required: false -rhel9cis_ypbind_required: false -# 2.2.1.1 Time Synchronization - Either chrony or ntp -rhel9cis_time_synchronization: chrony - -# 2.2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 +### 2.1 Time Synchronization +#### 2.1.2 Time Synchronization servers - used in template file chrony.conf.j2 rhel9cis_time_synchronization_servers: - 0.pool.ntp.org - 1.pool.ntp.org - 2.pool.ntp.org - 3.pool.ntp.org - rhel9cis_chrony_server_options: "minpoll 8" -rhel9cis_ntp_server_options: "iburst" + +### 2.2 Special Purposes +##### Service configuration booleans set true to keep service +rhel9cis_xinetd_server: false +rhel9cis_gui: false +rhel9cis_avahi_server: false +rhel9cis_cups_server: false +rhel9cis_dhcp_server: false +rhel9cis_dns_server: false +rhel9cis_ftp_server: false +rhel9cis_vsftpd_server: false +rhel9cis_tftp_server: false +rhel9cis_httpd_server: false +rhel9cis_nginx_server: false +rhel9cis_dovecot_server: false +rhel9cis_imap_server: false +rhel9cis_samba_server: false +rhel9cis_squid_server: false +rhel9cis_snmp_server: false +rhel9cis_nis_server: false +rhel9cis_telnet_server: false +rhel9cis_is_mail_server: false +# Note the options +# Packages are used for client services and Server- only remove if you dont use the client service +# + +rhel9cis_use_nfs_server: false +rhel9cis_use_nfs_service: false + +rhel9cis_use_rpc_server: false +rhel9cis_use_rpc_service: false + +rhel9cis_use_rsync_server: false +rhel9cis_use_rsync_service: false + +#### 2.3 Service clients +rhel9cis_ypbind_required: false +rhel9cis_rsh_required: false +rhel9cis_talk_required: false +rhel9cis_telnet_required: false +rhel9cis_openldap_clients_required: false +rhel9cis_tftp_client: false + ## Section3 vars -# 3.4.2 | PATCH | Ensure /etc/hosts.allow is configured -rhel9cis_host_allow: - - "10.0.0.0/255.0.0.0" - - "172.16.0.0/255.240.0.0" - - "192.168.0.0/255.255.0.0" - -# Firewall Service - either firewalld, iptables, or nftables +### Firewall Service - either firewalld, iptables, or nftables +#### Some control allow for services to be removed or masked +#### The options are under each heading +#### absent = remove the package +#### masked = leave package if installed and mask the service rhel9cis_firewall: firewalld -# 3.4.2.4 Default zone setting +##### firewalld rhel9cis_default_zone: public +rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy -# 3.4.2.5 Zone and Interface setting -rhel9cis_int_zone: customezone -rhel9cis_interface: eth0 - -rhel9cis_firewall_services: - - ssh - - dhcpv6-client - -# 3.4.3.2 Set nftables new table create +#### nftables +rhel9cis_nftables_firewalld_state: masked rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_tablename: filter - -# 3.4.3.3 Set nftables new chain create rhel9cis_nft_tables_autochaincreate: true + # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: | Authorized uses only. All activity may be monitored and reported. # End Banner ## Section4 vars - +### 4.1 Configure System Accounting +#### 4.1.2 Configure Data Retention rhel9cis_auditd: space_left_action: email action_mail_acct: root admin_space_left_action: halt max_log_file_action: keep_logs -rhel9cis_logrotate: "daily" - # The audit_back_log_limit value should never be below 8192 rhel9cis_audit_back_log_limit: 8192 # The max_log_file parameter should be based on your sites policy rhel9cis_max_log_file_size: 10 -# RHEL-09-4.2.1.4/4.2.1.5 remote and destation log server name +## Preferred method of logging +## Whether rsyslog or journald preferred method for local logging +## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 +rhel9cis_preferred_log_capture: rsyslog + +#### 4.2.1.6 remote and destation log server name rhel9cis_remote_log_server: logagg.example.com -# RHEL-09-4.2.1.5 +#### 4.2.1.7 rhel9cis_system_is_log_server: false +# 4.2.2.1.2 +# rhel9cis_journal_upload_url is the ip address to upload the journal entries to +rhel9cis_journal_upload_url: 192.168.50.42 +# The paths below have the default paths/files, but allow user to create custom paths/filenames +rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem" +rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem" +rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem" + +# 4.2.2.1 +# The variables below related to journald, please set these to your site specific values +# rhel9cis_journald_systemmaxuse is the max amount of disk space the logs will use +rhel9cis_journald_systemmaxuse: 10M +# rhel9cis_journald_systemkeepfree is the amount of disk space to keep free +rhel9cis_journald_systemkeepfree: 100G +rhel9cis_journald_runtimemaxuse: 10M +rhel9cis_journald_runtimekeepfree: 100G +# rhel9cis_journald_MaxFileSec is how long in time to keep log files. Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks +rhel9cis_journald_maxfilesec: 1month + +#### 4.3 +rhel9cis_logrotate: "daily" + ## Section5 vars rhel9cis_sshd: clientalivecountmax: 0 clientaliveinterval: 900 - ciphers: "aes256-ctr,aes192-ctr,aes128-ctr" - macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" logingracetime: 60 # WARNING: make sure you understand the precedence when working with these values!! # allowusers: # allowgroups: systems dba # denyusers: # denygroups: -rhel9cis_pam_faillock: - attempts: 5 - interval: 900 - unlock_time: 900 - fail_for_root: no - remember: 5 - pwhash: sha512 # 5.2.5 SSH LogLevel setting. Options are INFO or VERBOSE rhel9cis_ssh_loglevel: INFO @@ -517,9 +551,10 @@ rhel9cis_ssh_maxsessions: 4 rhel9cis_inactivelock: lock_days: 30 + +rhel9cis_use_authconfig: false # 5.3.1/5.3.2 Custom authselect profile settings. Settings in place now will fail, they are place holders from the control example # Due to the way many multiple options and ways to configure this control needs to be enabled and settings adjusted to minimise risk -rhel9cis_use_authconfig: false rhel9cis_authselect: custom_profile_name: custom-profile default_file_to_copy: "sssd --symlink-meta" @@ -531,6 +566,7 @@ rhel9cis_authselect_custom_profile_create: false # 5.3.2 Enable automation to select custom profile options, using the settings above rhel9cis_authselect_custom_profile_select: false + rhel9cis_pass: max_days: 365 min_days: 7 @@ -539,22 +575,26 @@ rhel9cis_pass: rhel9cis_syslog: rsyslog rhel9cis_rsyslog_ansiblemanaged: true -rhel9cis_vartmp: - source: /tmp - fstype: none - opts: "defaults,nodev,nosuid,noexec,bind" - enabled: false +# 5.5.1 ## PAM rhel9cis_pam_password: - minlen: "14" - minclass: "4" + minlen: 14 + minclass: 4 + +rhel9cis_pam_faillock: + remember: 5 # UID settings for interactive users -# These are discovered via logins.def is set true +# These are discovered via logins.def if set true discover_int_uid: false min_int_uid: 1000 max_int_uid: 65533 +# 5.3.3 var log location variable +rhel9cis_sudolog_location: "/var/log/sudo.log" + +#### 5.3.6 +rhel9cis_sudo_timestamp_timeout: 15 # RHEL-09-5.4.5 # Session timeout setting file (TMOUT setting can be set in multiple files) diff --git a/group_vars/docker b/group_vars/docker deleted file mode 100644 index 5b6e3b2..0000000 --- a/group_vars/docker +++ /dev/null @@ -1,28 +0,0 @@ ---- -ansible_user: root -# AIDE cron settings -rhel9cis_aide_cron: - cron_user: root - cron_file: /var/spool/cron/root - aide_job: '/usr/sbin/aide --check' - aide_minute: 0 - aide_hour: 5 - aide_day: '*' - aide_month: '*' - aide_weekday: '*' - -rhel9cis_sshd: - clientalivecountmax: 3 - clientaliveinterval: 300 - ciphers: "aes256-ctr,aes192-ctr,aes128-ctr" - macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" - logingracetime: 60 - # - make sure you understand the precedence when working with these values!! - allowusers: vagrant - allowgroups: vagrant - denyusers: root - denygroups: root - -# Workarounds for Docker -rhel9cis_skip_for_travis: true -rhel9cis_selinux_disable: true diff --git a/group_vars/vagrant b/group_vars/vagrant deleted file mode 100644 index 1c0fb37..0000000 --- a/group_vars/vagrant +++ /dev/null @@ -1,28 +0,0 @@ ---- -ansible_user: vagrant -# AIDE cron settings -rhel9cis_aide_cron: - cron_user: root - cron_file: /var/spool/cron/root - aide_job: '/usr/sbin/aide --check' - aide_minute: 0 - aide_hour: 5 - aide_day: '*' - aide_month: '*' - aide_weekday: '*' - -rhel9cis_sshd: - clientalivecountmax: 3 - clientaliveinterval: 300 - ciphers: 'aes256-ctr,aes192-ctr,aes128-ctr' - macs: 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' - logingracetime: 60 - # - make sure you understand the precedence when working with these values!! - allowusers: vagrant - allowgroups: vagrant - denyusers: root - denygroups: root - -# Vagrant can touch code that Docker cannot -rhel9cis_skip_for_travis: false -rhel9cis_selinux_disable: false diff --git a/handlers/main.yml b/handlers/main.yml index ad56e8b..08c8026 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -22,24 +22,29 @@ - name: update sysctl template: - src: etc/99-sysctl.conf.j2 - dest: /etc/sysctl.d/99-sysctl.conf + src: "etc/sysctl.d/{{ item }}.j2" + dest: "/etc/sysctl.d/{{ item }}" owner: root group: root mode: 0600 notify: reload sysctl - when: + with_items: + - 60-kernel_sysctl.conf + - 60-disable_ipv6.conf + - 60-netipv4_sysctl.conf + - 60-netipv6_sysctl.conf + when: - ansible_virtualization_type != "docker" - "'procps-ng' in ansible_facts.packages" - name: reload sysctl sysctl: - name: net.ipv4.route.flush - value: '1' - state: present - reload: true - ignoreerrors: true - when: + name: net.ipv4.route.flush + value: '1' + state: present + reload: true + ignoreerrors: true + when: - ansible_virtualization_type != "docker" - "'systemd' in ansible_facts.packages" @@ -72,12 +77,6 @@ name: firewalld state: restarted -- name: restart xinetd - become: true - service: - name: xinetd - state: restarted - - name: restart sshd become: true service: @@ -112,13 +111,11 @@ failed_when: false args: warn: false - when: - - not rhel9cis_skip_for_travis tags: - skip_ansible_lint - name: grub2cfg - shell: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}" + shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" args: warn: false ignore_errors: True @@ -131,12 +128,20 @@ name: rsyslog state: restarted -- name: restart syslog-ng - become: true +- name: restart journald service: - name: syslog-ng + name: systemd-journald + state: restarted + +- name: restart systemd_journal_upload + service: + name: systemd-journal-upload state: restarted - name: systemd_daemon_reload systemd: daemon-reload: true + +- name: change_requires_reboot + set_fact: + change_requires_reboot: true diff --git a/local.yml b/local.yml index 3f17560..18c2f43 100644 --- a/local.yml +++ b/local.yml @@ -6,4 +6,3 @@ roles: - role: "{{ playbook_dir }}" - diff --git a/meta/main.yml b/meta/main.yml index 266a468..aac8be8 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -22,7 +22,7 @@ galaxy_info: - disa - rhel9 collections: - - community.general - - community.crypto - - ansible.posix + - community.general + - community.crypto + - ansible.posix dependencies: [] diff --git a/tasks/main.yml b/tasks/main.yml index b316f67..264120a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,12 +3,12 @@ - name: Check OS version and family assert: - that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') + that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" - when: - - os_check - - not system_is_ec2 + when: + - os_check + - not system_is_ec2 tags: - always @@ -29,7 +29,7 @@ - name: Load variable for container include_vars: file: "{{ container_vars_file }}" - + - name: output if discovered is a container debug: msg: system has been discovered as a container @@ -50,129 +50,133 @@ - name: Check rhel9cis_bootloader_password_hash variable has been changed assert: - that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' - msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set" + that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' + msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly" when: - - rhel9cis_set_boot_pass - - rhel9cis_rule_1_5_2 + - rhel9cis_set_boot_pass + - rhel9cis_rule_1_4_1 + tags: + - always - name: "check sugroup exists if used" block: - - name: "Check su group exists if defined" - shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group - args: - warn: false - register: sugroup_exists - changed_when: false - failed_when: sugroup_exists.rc >= 2 - tags: - - skip_ansible_lint + - name: "Check su group exists if defined" + shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group + args: + warn: false + register: sugroup_exists + changed_when: false + failed_when: sugroup_exists.rc >= 2 + tags: + - skip_ansible_lint - - name: Check sugroup if defined exists before continuing - assert: - that: sugroup_exists.rc == 0 - msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" + - name: Check sugroup if defined exists before continuing + assert: + that: sugroup_exists.rc == 0 + msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" when: - - rhel9cis_sugroup is defined - - rhel9cis_rule_5_7 + - rhel9cis_sugroup is defined + - rhel9cis_rule_5_7 tags: - - rule_5.7 + - rule_5.7 - name: Gather the package facts package_facts: manager: auto tags: - - always + - always - name: Include OS specific variables include_vars: "{{ ansible_distribution }}.yml" tags: - - always + - always - name: Include preliminary steps import_tasks: prelim.yml tags: - - prelim_tasks - - always + - prelim_tasks + - always - name: run pre_remediation audit include_tasks: pre_remediation_audit.yml when: - - run_audit + - run_audit - name: Gather the package facts after prelim package_facts: manager: auto tags: - - always + - always - name: capture /etc/password variables include_tasks: parse_etc_password.yml - when: - - rhel9cis_section6 + when: + - rhel9cis_section6 tags: - - rule_5.5.2 - - rule_6.2.7 - - rule_6.2.8 - - rule_6.2.20 - - rhel9cis_section6 + - rule_5.5.2 + - rule_5.6.2 + - rule_6.2.9 + - rule_6.2.10 + - rule_6.2.11 + - rhel9cis_section5 + - rhel9cis_section6 - name: run Section 1 tasks import_tasks: section_1/main.yml become: true when: rhel9cis_section1 tags: - - rhel9cis_section1 + - rhel9cis_section1 - name: run Section 2 tasks import_tasks: section_2/main.yml become: true when: rhel9cis_section2 tags: - - rhel9cis_section2 + - rhel9cis_section2 - name: run Section 3 tasks import_tasks: section_3/main.yml become: true when: rhel9cis_section3 tags: - - rhel9cis_section3 + - rhel9cis_section3 - name: run Section 4 tasks import_tasks: section_4/main.yml become: true when: rhel9cis_section4 tags: - - rhel9cis_section4 + - rhel9cis_section4 - name: run Section 5 tasks import_tasks: section_5/main.yml become: true when: rhel9cis_section5 tags: - - rhel9cis_section5 + - rhel9cis_section5 - name: run Section 6 tasks import_tasks: section_6/main.yml become: true when: rhel9cis_section6 tags: - - rhel9cis_section6 + - rhel9cis_section6 - name: run post remediation tasks import_tasks: post.yml become: true tags: - - post_tasks - - always + - post_tasks + - always - name: run post_remediation audit import_tasks: post_remediation_audit.yml when: - - run_audit + - run_audit - name: Show Audit Summary debug: msg: "{{ audit_results.split('\n') }}" when: - - run_audit + - run_audit diff --git a/tasks/post.yml b/tasks/post.yml index 5f54737..69783ab 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -10,7 +10,7 @@ package_facts: manager: auto tags: - - always + - always - name: trigger update sysctl shell: /bin/true @@ -20,19 +20,20 @@ check_mode: false notify: update sysctl when: - - rhel9cis_rule_1_6_1 or - rhel9cis_rule_1_6_2 or - rhel9cis_rule_3_1_2 or + - rhel9cis_rule_3_1_1 or rhel9cis_rule_3_1_2 or + rhel9cis_rule_3_1_3 or rhel9cis_rule_3_2_1 or rhel9cis_rule_3_2_2 or - rhel9cis_rule_3_2_3 or - rhel9cis_rule_3_2_4 or - rhel9cis_rule_3_2_5 or - rhel9cis_rule_3_2_6 or - rhel9cis_rule_3_2_7 or - rhel9cis_rule_3_2_8 or - rhel9cis_rule_3_2_9 + rhel9cis_rule_3_3_1 or + rhel9cis_rule_3_3_2 or + rhel9cis_rule_3_3_3 or + rhel9cis_rule_3_3_4 or + rhel9cis_rule_3_3_5 or + rhel9cis_rule_3_3_6 or + rhel9cis_rule_3_3_7 or + rhel9cis_rule_3_3_8 or + rhel9cis_rule_3_3_9 tags: - sysctl @@ -66,7 +67,30 @@ - name: flush handlers meta: flush_handlers -- name: Reboot host - reboot: - when: - - not skip_reboot +- name: POST | reboot system if changes require it and not skipped + block: + - name: POST | Reboot system if changes require it and not skipped + reboot: + when: + - change_requires_reboot + - not skip_reboot + + - name: POST | Warning a reboot required but skip option set + debug: + msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results" + changed_when: true + when: + - change_requires_reboot + - skip_reboot + tags: + - grub + - level1-server + - level1-workstation + - level2-server + - level2-workstation + - rhel9cis_section1 + - rhel9cis_section2 + - rhel9cis_section3 + - rhel9cis_section4 + - rhel9cis_section5 + - rhel9cis_section6 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 5521a8d..eb17d00 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -32,8 +32,9 @@ warn: false changed_when: false check_mode: false - register: uid_zero_accounts_except_root + register: rhel9cis_uid_zero_accounts_except_root tags: + - rule_6.2.8 - level1-server - level1-workstation - users @@ -55,13 +56,11 @@ check_mode: false register: system_wide_crypto_policy when: - - rhel9cis_rule_1_10 or - rhel9cis_rule_1_11 + - rhel9cis_rule_1_10 tags: - level1-server - level1-workstation - - rule_1.10 or - rule_1.11 + - rule_1.10 - crypto - name: "PRELIM | if systemd coredump" @@ -69,11 +68,11 @@ path: /etc/systemd/coredump.conf register: systemd_coredump when: - - rhel9cis_rule_1_6_1 + - rhel9cis_rule_1_5_1 tags: - level1-server - level1-workstation - - rule_1.6.1 + - rule_1.5.1 - systemd - name: "PRELIM | Section 1.1 | Create list of mount points" @@ -88,7 +87,7 @@ name: audit state: present become: true - when: + when: - '"auditd" not in ansible_facts.packages' - rhel9cis_rule_4_1_1_1 tags: @@ -144,39 +143,18 @@ - authconfig - auditd -- name: "PRELIM | Set facts based on boot type" - block: - - name: "PRELIM | Check whether machine is UEFI-based" - stat: - path: /sys/firmware/efi - register: rhel_09_efi_boot - - - name: "PRELIM | AUDIT | set legacy boot and grub path | Bios" - set_fact: - rhel9cis_legacy_boot: true - grub2_path: /etc/grub2.cfg - when: not rhel_09_efi_boot.stat.exists - - - name: "PRELIM | set grub fact | UEFI" - set_fact: - grub2_path: /etc/grub2-efi.cfg - when: rhel_09_efi_boot.stat.exists - when: - - not system_is_container - tags: - - bootloader - - grub - -- name: "PRELIM | AUDIT | Ensure permissions on bootloader config are configured | Get grub config file stats" - stat: - path: "{{ grub2_path }}" +- name: "PRELIM | 5.3.4 | Find all sudoers files." + command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'" changed_when: false - register: grub_cfg + failed_when: false + check_mode: false + register: rhel9cis_sudoers_files when: - - not system_is_container + - rhel9cis_rule_5_3_4 or + rhel9cis_rule_5_3_5 tags: - - bootloader - - grub + - rule_5.3.4 + - rule_5.3.5 - name: "PRELIM | Check for rhnsd service" shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2" @@ -197,7 +175,7 @@ shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_min_id - + - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' changed_when: false @@ -214,8 +192,7 @@ max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" - debug: - msg: "{{ min_int_uid }} {{ max_int_uid }}" + msg: "{{ min_int_uid }} {{ max_int_uid }}" when: - not discover_int_uid - diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml index dc8ae32..f687901 100644 --- a/tasks/section_1/cis_1.1.1.x.yml +++ b/tasks/section_1/cis_1.1.1.x.yml @@ -1,16 +1,16 @@ --- -- name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled" +- name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled" block: - - name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" + - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config" lineinfile: - dest: /etc/modprobe.d/CIS.conf + path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install cramfs(\\s|$)" line: "install cramfs /bin/true" - create: true + create: yes mode: 0600 - - name: "1.1.1.1 | L1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" + - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Disable cramfs" modprobe: name: cramfs state: absent @@ -20,83 +20,57 @@ tags: - level1-server - level1-workstation - - scored + - automated - patch - rule_1.1.1.1 - cramfs -- name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited" +- name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled" block: - - name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited | Edit modprobe config" + - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install vfat(\\s|$)" - line: "install vfat /bin/true" - create: true - mode: 0600 - - - name: "1.1.1.2 | L2 | PATCH | Ensure mounting of vFAT filesystems is limited | Disable vFAT" - modprobe: - name: vfat - state: absent - when: ansible_connection != 'docker' - when: - - rhel9cis_rule_1_1_1_2 - - rhel9cis_legacy_boot - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.1.1.2 - - vfat - -- name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled" - block: - - name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config" - lineinfile: - dest: /etc/modprobe.d/CIS.conf + path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install squashfs(\\s|$)" line: "install squashfs /bin/true" - create: true + create: yes mode: 0600 - - name: "1.1.1.3 | L1 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" + - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Disable squashfs" modprobe: name: squashfs state: absent when: ansible_connection != 'docker' when: - - rhel9cis_rule_1_1_1_3 + - rhel9cis_rule_1_1_1_2 tags: - - level1-server - - level1-workstation - - scored + - level2-server + - level2-workstation + - automated - patch - - rule_1.1.1.3 + - rule_1.1.1.2 - squashfs -- name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disabled" +- name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disabled" block: - - name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config" + - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config" lineinfile: - dest: /etc/modprobe.d/CIS.conf + path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install udf(\\s|$)" line: "install udf /bin/true" - create: true + create: yes mode: 0600 - - name: "1.1.1.4 | L1 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" + - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Disable udf" modprobe: name: udf state: absent when: ansible_connection != 'docker' when: - - rhel9cis_rule_1_1_1_4 + - rhel9cis_rule_1_1_1_3 tags: - - level1-server - - level1-workstation - - scored + - level2-server + - level2-workstation + - automated - patch - - rule_1.1.1.4 + - rule_1.1.1.3 - udf diff --git a/tasks/section_1/cis_1.1.2.x.yml b/tasks/section_1/cis_1.1.2.x.yml new file mode 100644 index 0000000..bb18993 --- /dev/null +++ b/tasks/section_1/cis_1.1.2.x.yml @@ -0,0 +1,77 @@ +--- + +- name: "1.1.2.1 | PATCH | Ensure /tmp is a separate partition" + debug: + msg: "WARNING!! /tmp is not mounted on a separate partition" + when: + - rhel9cis_rule_1_1_2_1 + - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0 + tags: + - level1-server + - level1-workstation + - automated + - audit + - mounts + - rule_1.1.2.1 + +# via fstab +- name: | + "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" + "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" + "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" + mount: + name: /tmp + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %} + notify: remount tmp + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" + when: + - item.mount == "/tmp" + - not rhel9cis_tmp_svc + - rhel9cis_rule_1_1_2_2 or + rhel9cis_rule_1_1_2_3 or + rhel9cis_rule_1_1_2_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - mounts + - rule_1.1.2.2 + - rule_1.1.2.3 + - rule_1.1.2.4 + +# via systemd +- name: | + "1.1.2.1 | PATCH | Ensure /tmp is configured" + "1.1.2.2 | PATCH | Ensure nodev option set on /tmp partition" + "1.1.2.3 | PATCH | Ensure noexec option set on /tmp partition" + "1.1.2.4 | PATCH | Ensure nosuid option set on /tmp partition" + template: + src: etc/systemd/system/tmp.mount.j2 + dest: /etc/systemd/system/tmp.mount + owner: root + group: root + mode: 0644 + notify: systemd restart tmp.mount + when: + - rhel9cis_tmp_svc + - rhel9cis_rule_1_1_2_1 or + rhel9cis_rule_1_1_2_2 or + rhel9cis_rule_1_1_2_3 or + rhel9cis_rule_1_1_2_4 + tags: + - level1-server + - level1-workstation + - scored + - patch + - mounts + - rule_1.1.2.1 + - rule_1.1.2.2 + - rule_1.1.2.3 + - rule_1.1.2.4 diff --git a/tasks/section_1/cis_1.1.3.x.yml b/tasks/section_1/cis_1.1.3.x.yml new file mode 100644 index 0000000..8fa9e4b --- /dev/null +++ b/tasks/section_1/cis_1.1.3.x.yml @@ -0,0 +1,63 @@ +--- + +- name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var" + block: + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Absent" + debug: + msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + register: var_mount_absent + changed_when: var_mount_absent.skipped is undefined + when: + - required_mount not in mount_names + + - name: "1.1.3.1 | AUDIT | Ensure separate partition exists for /var | Present" + debug: + msg: "Congratulations: {{ required_mount }} exists." + register: var_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/var' + when: + - rhel9cis_rule_1_1_3_1 + tags: + - level2-server + - level2-workstation + - automated + - patch + - mounts + - rule_1.1.3.1 + +# skips if mount is absent +- name: | + "1.1.3.2 | PATCH | Ensure nodev option set on /var partition" + "1.1.3.3 | PATCH | Ensure noexec option set on /var partition" + "1.1.3.4 | PATCH | Ensure nosuid option set on /var partition" + mount: + name: /var + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel9cis_rule_1_1_3_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_3_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_3_4 %}nosuid{% endif %} + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" + notify: change_requires_reboot + when: + - var_mount_present is defined + - item.mount == "/var" + - rhel9cis_rule_1_1_3_1 # This is required so the check takes place + - rhel9cis_rule_1_1_3_2 or + rhel9cis_rule_1_1_3_3 or + rhel9cis_rule_1_1_3_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - mounts + - skip_ansible_lint + - rule_1.1.3.2 + - rule_1.1.3.3 + - rule_1.1.3.4 diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml new file mode 100644 index 0000000..c780013 --- /dev/null +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -0,0 +1,64 @@ +--- + +# Skips if mount is absent +- name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp" + block: + - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" + debug: + msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + register: var_tmp_mount_absent + changed_when: var_tmp_mount_absent.skipped is undefined + when: + - required_mount not in mount_names + + - name: "1.1.4.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present" + debug: + msg: "Congratulations: {{ required_mount }} exists." + register: var_tmp_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/var/tmp' + when: + - rhel9cis_rule_1_1_4_1 + tags: + - level2-server + - level2-workstation + - automated + - audit + - mounts + - rule_1.1.4.1 + +# skips if mount is absent +- name: | + "1.1.4.2 | PATCH | Ensure noexec option set on /var/tmp partition" + "1.1.4.3 | PATCH | Ensure nosuid option set on /var/tmp partition" + "1.1.4.4 | PATCH | Ensure nodev option set on /var/tmp partition" + mount: + name: /var/tmp + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel9cis_rule_1_1_4_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_4_4 %}nodev{% endif %} + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" + notify: change_requires_reboot + when: + - var_tmp_mount_present is defined + - item.mount == "/var/tmp" + - rhel9cis_rule_1_1_4_1 # This is required so the check takes place + - rhel9cis_rule_1_1_4_2 or + rhel9cis_rule_1_1_4_3 or + rhel9cis_rule_1_1_4_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - mounts + - skip_ansible_lint + - rule_1.1.4.2 + - rule_1.1.4.3 + - rule_1.1.4.4 diff --git a/tasks/section_1/cis_1.1.5.x.yml b/tasks/section_1/cis_1.1.5.x.yml new file mode 100644 index 0000000..c9343c4 --- /dev/null +++ b/tasks/section_1/cis_1.1.5.x.yml @@ -0,0 +1,62 @@ +--- + +- name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log" + block: + - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Absent" + debug: + msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + register: var_log_mount_absent + changed_when: var_log_mount_absent.skipped is undefined + when: + - required_mount not in mount_names + - name: "1.1.5.1 | AUDIT | Ensure separate partition exists for /var/log | Present" + debug: + msg: "Congratulations: {{ required_mount }} exists." + register: var_log_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/var/log' + when: + - rhel9cis_rule_1_1_5_1 + tags: + - level2-server + - level2-workstation + - automated + - audit + - mounts + - rule_1.1.5.1 + - skip_ansible_lint + +- name: | + "1.1.5.2 | PATCH | Ensure nodev option set on /var/log partition" + "1.1.5.3 | PATCH | Ensure noexec option set on /var/log partition" + "1.1.5.4 | PATCH | Ensure nosuid option set on /var/log partition" + mount: + name: /var/log + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel9cis_rule_1_1_5_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_5_4 %}nosuid{% endif %} + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" + notify: change_requires_reboot + when: + - var_log_mount_present is defined + - item.mount == "/var/log" + - rhel9cis_rule_1_1_5_1 # This is required so the check takes place + - rhel9cis_rule_1_1_5_2 or + rhel9cis_rule_1_1_5_3 or + rhel9cis_rule_1_1_5_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - mounts + - skip_ansible_lint + - rule_1.1.5.2 + - rule_1.1.5.3 + - rule_1.1.5.4 diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml new file mode 100644 index 0000000..1df3e84 --- /dev/null +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -0,0 +1,61 @@ +--- + +- name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit" + block: + - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" + debug: + msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + register: var_log_audit_mount_absent + changed_when: var_log_audit_mount_absent.skipped is undefined + when: + - required_mount not in mount_names + - name: "1.1.6.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" + debug: + msg: "Congratulations: {{ required_mount }} exists." + register: var_log_audit_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/var/log/audit' + when: + - rhel9cis_rule_1_1_6_1 + tags: + - level2-server + - level2-workstation + - automated + - audit + - mounts + - rule_1.1.6.1 + +- name: | + "1.1.6.2 | PATCH | Ensure noexec option set on /var/log/audit partition" + "1.1.6.3 | PATCH | Ensure nodev option set on /var/log/audit partition" + "1.1.6.4 | PATCH | Ensure nosuid option set on /var/log/audit partition" + mount: + name: /var/log/audit + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel9cis_rule_1_1_6_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_6_3 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_6_4 %}nosuid{% endif %} + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" + notify: change_requires_reboot + when: + - var_log_audit_mount_present is defined + - item.mount == "/var/log/audit" + - rhel9cis_rule_1_1_6_1 # This is required so the check takes place + - rhel9cis_rule_1_1_6_2 or + rhel9cis_rule_1_1_6_3 or + rhel9cis_rule_1_1_6_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - mounts + - skip_ansible_lint + - rule_1.1.6.2 + - rule_1.1.6.3 + - rule_1.1.6.4 diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml new file mode 100644 index 0000000..453fef5 --- /dev/null +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -0,0 +1,64 @@ +--- + +- name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home" + block: + - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Absent" + debug: + msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" + register: home_mount_absent + changed_when: home_mount_absent.skipped is undefined + when: + - required_mount not in mount_names + - name: "1.1.7.1 | AUDIT | Ensure separate partition exists for /home | Present" + debug: + msg: "Congratulations: {{ required_mount }} exists." + register: home_mount_present + when: + - required_mount in mount_names + vars: + required_mount: '/home' + when: + - rhel9cis_rule_1_1_7_1 + tags: + - level2-server + - level2-workstation + - automated + - audit + - mounts + - rule_1.1.7.1 + - skip_ansible_lint + +- name: | + "1.1.7.2 | PATCH | Ensure nodev option set on /home partition + 1.1.7.3 | PATCH | Ensure nosuid option set on /home partition + 1.1.7.4 | PATCH | Ensure usrquota option set on /home partition + 1.1.7.5 | PATCH | Ensure grpquota option set on /home partition" + mount: + name: /home + src: "{{ item.device }}" + fstype: "{{ item.fstype }}" + state: present + opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %}{% if rhel9cis_rule_1_1_7_4 %}usrquota,{% endif %}{% if rhel9cis_rule_1_1_7_5 %}grpquota{% endif %} + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.device }}" + notify: change_requires_reboot + when: + - home_mount_present is defined + - item.mount == "/home" + - rhel9cis_rule_1_1_7_1 + - rhel9cis_rule_1_1_7_2 or + rhel9cis_rule_1_1_7_3 or + rhel9cis_rule_1_1_7_4 or + rhel9cis_rule_1_1_7_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - mounts + - rule_1.1.7.2 + - rule_1.1.7.3 + - rule_1.1.7.4 + - skip_ansible_lint diff --git a/tasks/section_1/cis_1.1.8.x.yml b/tasks/section_1/cis_1.1.8.x.yml new file mode 100644 index 0000000..75bdabb --- /dev/null +++ b/tasks/section_1/cis_1.1.8.x.yml @@ -0,0 +1,43 @@ +--- + +# Skips if mount is absent +- name: | + "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition + 1.1.8.2 | PATCH | Ensure nosuid option set on /dev/shm partition + 1.1.8.3 | PATCH | Ensure noexec option set on /dev/shm partition" + block: + - name: | + "1.1.8.1 | AUDIT | Ensure nodev option set on /dev/shm partition | Check for /dev/shm existence + 1.1.8.2 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence + 1.1.8.3 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence" + shell: mount -l | grep -E '\s/dev/shm\s' + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_1_1_8_x_dev_shm_status + + - name: | + "1.1.8.1 | PATCH | Ensure nodev option set on /dev/shm partition | Set nodev option + 1.1.8.2 | PATCH | Ensure noexec option set on /dev/shm partition | Set nosuid option + 1.1.8.3 | PATCH | Ensure nosuid option set on /dev/shm partition | Set noexec option" + mount: + name: /dev/shm + src: tmpfs + fstype: tmpfs + state: mounted + opts: defaults,{% if rhel9cis_rule_1_1_8_1 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_2 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}nosuid{% endif %} + when: "'dev/shm' in rhel9cis_1_1_8_x_dev_shm_status.stdout" + notify: change_requires_reboot + when: + - rhel9cis_rule_1_1_8_1 or + rhel9cis_rule_1_1_8_2 or + rhel9cis_rule_1_1_8_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - mounts + - rule_1.1.8.1 + - rule_1.1.8.2 + - rule_1.1.8.3 diff --git a/tasks/section_1/cis_1.1.x.yml b/tasks/section_1/cis_1.1.x.yml index 2becc11..a77e524 100644 --- a/tasks/section_1/cis_1.1.x.yml +++ b/tasks/section_1/cis_1.1.x.yml @@ -1,365 +1,45 @@ --- -- name: | - "SCORED | 1.1.2 | PATCH | Ensure /tmp is configured" - "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition" - "SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition" - "SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition" - "via fstab" - mount: - name: /tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel9cis_rule_1_1_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_4 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_5 %}nosuid{% endif %} - notify: remount tmp - loop: "{{ ansible_mounts }}" - when: - - item.mount == "/tmp" - - not rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2 or - rhel9cis_rule_1_1_3 or - rhel9cis_rule_1_1_4 or - rhel9cis_rule_1_1_5 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.3 - - rule_1.1.4 - - rule_1.1.5 - -- name: | - "SCORED | 1.1.2 | PATCH | Ensure /tmp is configured" - "SCORED | 1.1.3 | PATCH | Ensure nodev option set on /tmp partition" - "SCORED | 1.1.4 | PATCH | Ensure nosuid option set on /tmp partition" - "SCORED | 1.1.5 | PATCH | Ensure noexec option set on /tmp partition" - "via systemd" - template: - src: etc/systemd/system/tmp.mount.j2 - dest: /etc/systemd/system/tmp.mount - owner: root - group: root - mode: 0644 - notify: systemd restart tmp.mount - when: - - rhel9cis_tmp_svc - - rhel9cis_rule_1_1_2 or - rhel9cis_rule_1_1_3 or - rhel9cis_rule_1_1_4 or - rhel9cis_rule_1_1_5 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.3 - - rule_1.1.4 - - rule_1.1.5 - -- name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var" - block: - - name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: var_mount_absent - changed_when: var_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.6 | L2 | AUDIT | Ensure separate partition exists for /var | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." - when: - - required_mount in mount_names - vars: - required_mount: '/var' - when: - - rhel9cis_rule_1_1_6 - tags: - - level2-server - - level2-workstation - - scored - - patch - - mounts - - rule_1.1.6 - -- name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | skips if mount absent" - block: - - name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: var_tmp_mount_absent - changed_when: var_tmp_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.7 | L2 | AUDIT | Ensure separate partition exists for /var/tmp | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." - register: var_tmp_mount_present - when: - - required_mount in mount_names - vars: - required_mount: '/var/tmp' - when: - - rhel9cis_rule_1_1_7 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.7 - -- name: | - "1.1.8 | L1 | PATCH | Ensure nodev option set on /var/tmp partition | skips if mount absent" - "1.1.9 | L1 | PATCH | Ensure nosuid option set on /var/tmp partition | skips if mount absent" - "1.1.10 | L1 | PATCH | Ensure noexec option set on /var/tmp partition | skips if mount absent" - mount: - name: /var/tmp - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel9cis_rule_1_1_10 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_9 %}nosuid{% endif %} - loop: "{{ ansible_mounts }}" - when: - - var_tmp_mount_present is defined - - item.mount == "/var/tmp" - - rhel9cis_rule_1_1_7 # This is required so the check takes place - - rhel9cis_rule_1_1_8 or - rhel9cis_rule_1_1_9 or - rhel9cis_rule_1_1_10 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - skip_ansible_lint - -- name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log" - block: - - name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_mount_absent - changed_when: var_log_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.11 | L2 | AUDIT | Ensure separate partition exists for /var/log | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." - when: - - required_mount in mount_names - vars: - required_mount: '/var/log' - when: - - rhel9cis_rule_1_1_11 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.11 - - skip_ansible_lint - -- name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit" - block: - - name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: var_log_audit_mount_absent - changed_when: var_log_audit_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.12 | L2 | AUDIT | Ensure separate partition exists for /var/log/audit | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." - when: - - required_mount in mount_names - vars: - required_mount: '/var/log/audit' - when: - - rhel9cis_rule_1_1_12 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.12 - - -- name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home" - block: - - name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home | Absent" - debug: - msg: "Warning! {{ required_mount }} doesn't exist. This is a manual task" - register: home_mount_absent - changed_when: home_mount_absent.skipped is undefined - when: - - required_mount not in mount_names - - name: "1.1.13 | L2 | AUDIT | Ensure separate partition exists for /home | Present" - debug: - msg: "Congratulations: {{ required_mount }} exists." - register: home_mount_present - when: - - required_mount in mount_names - vars: - required_mount: '/home' - when: - - rhel9cis_rule_1_1_13 - tags: - - level2-server - - level2-workstation - - scored - - audit - - mounts - - rule_1.1.13 - - skip_ansible_lint - -- name: "1.1.14 | L1 | PATCH | Ensure nodev option set on /home partition | skips if mount absent" - mount: - name: /home - src: "{{ item.device }}" - fstype: "{{ item.fstype }}" - state: present - opts: defaults,{% if rhel9cis_rule_1_1_14 %}nodev{% endif %} - loop: "{{ ansible_mounts }}" - when: - - home_mount_present is defined - - item.mount == "/home" - - rhel9cis_rule_1_1_14 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.13 - - skip_ansible_lint - -- name: | - "1.1.15 | L1 | PATCH | Ensure nodev option set on /dev/shm partition | skips if mount absent - 1.1.16 | L1 | PATCH | Ensure nosuid option set on /dev/shm partition | skips if mount absent - 1.1.17 | L1 | PATCH | Ensure noexec option set on /dev/shm partition | skips if mount absent" - block: - - name: | - "1.1.15 | L1 | AUDIT | Ensure nodev option set on /dev/shm partition | Check for /dev/shm existence - 1.1.16 | L1 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence - 1.1.17 | L1 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence" - shell: mount -l | grep -E '\s/dev/shm\s' - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_1_1_15_dev_shm_status - - - name: | - "1.1.15 | L1 | PATCH | Ensure nodev option set on /dev/shm partition | skips if mount absent - 1.1.16 | L1 | PATCH | Ensure nosuid option set on /dev/shm partition | skips if mount absent - 1.1.17 | L1 | PATCH | Ensure noexec option set on /dev/shm partition | skips if mount absent" - mount: - name: /dev/shm - src: tmpfs - fstype: tmpfs - state: mounted - opts: defaults,{% if rhel9cis_rule_1_1_17 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_15 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_16 %}nosuid{% endif %} - when: "'dev/shm' in rhel9cis_1_1_15_dev_shm_status.stdout" - when: - - rhel9cis_rule_1_1_15 or - rhel9cis_rule_1_1_16 or - rhel9cis_rule_1_1_17 - tags: - - level1-server - - level1-workstation - - scored - - patch - - mounts - - rule_1.1.15 - - rule_1.1.16 - - rule_1.1.17 - -- name: | - "1.1.18 | L1 | PATCH | Ensure nodev option set on removable media partitions" - "1.1.19 | L1 | PATCH | Ensure nosuid option set on removable media partitions" - "1.1.20 | L1 | PATCH | Ensure noexec option set on removable media partitions" - debug: - msg: "--> Not relevant" - changed_when: false - when: - - rhel9cis_rule_1_1_18 or - rhel9cis_rule_1_1_19 or - rhel9cis_rule_1_1_20 - tags: - - level1-server - - level1-workstation - - notscored - - audit - - mounts - - rule_1.1.18 - - rule_1.1.19 - - rule_1.1.20 - -- name: "1.1.21 | L1 | PATCH | Ensure sticky bit is set on all world-writable directories" - shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t - args: - warn: false - changed_when: false - failed_when: false - when: - - rhel9cis_rule_1_1_21 - tags: - - skip_ansible_lint - - level1-server - - level1-workstation - - patch - - stickybits - - permissons - - rule_1.1.21 - -- name: "1.1.22 | L1 | PATCH | Disable Automounting" +- name: "1.1.9 | PATCH | Disable Automounting" service: name: autofs - enabled: false + enabled: no when: - not rhel9cis_allow_autofs - "'autofs' in ansible_facts.packages" - - rhel9cis_rule_1_1_22 + - rhel9cis_rule_1_1_9 tags: - level1-server - level2-workstation + - automated - patch - mounts - automounting - - rule_1.1.22 + - rule_1.1.9 -- name: "1.1.23 | L1 | PATCH | Disable USB Storage" +- name: "1.1.10 | PATCH | Disable USB Storage" block: - - name: "1.1.23 | L1 | PATCH | Disable USB Storage | Edit modprobe config" + - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config" lineinfile: - dest: /etc/modprobe.d/CIS.conf + path: /etc/modprobe.d/CIS.conf regexp: "^(#)?install usb-storage(\\s|$)" line: "install usb-storage /bin/true" - create: true + create: yes owner: root group: root mode: 0600 - - name: "1.1.23 | L1 | PATCH | Disable USB Storage | Edit modprobe config" + - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config" modprobe: name: usb-storage state: absent when: - - rhel9cis_rule_1_1_23 + - rhel9cis_rule_1_1_10 tags: - level1-server - level2-workstation + - automated - patch - mounts - removable_storage - - rule_1.1.23 + - rule_1.1.10 diff --git a/tasks/section_1/cis_1.10.yml b/tasks/section_1/cis_1.10.yml index 6b4a161..19ddc3f 100644 --- a/tasks/section_1/cis_1.10.yml +++ b/tasks/section_1/cis_1.10.yml @@ -1,17 +1,17 @@ --- -- name: "1.10 | L1 | PATCH | Ensure system-wide crypto policy is not legacy" +- name: "1.10 | PATCH | Ensure system-wide crypto policy is not legacy" shell: | update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" update-crypto-policies - args: - warn: false + notify: change_requires_reboot when: - rhel9cis_rule_1_10 - system_wide_crypto_policy['stdout'] == 'LEGACY' tags: - level1-server - level1-workstation + - automated - no system_is_ec2 - patch - rule_1.10 diff --git a/tasks/section_1/cis_1.11.yml b/tasks/section_1/cis_1.11.yml deleted file mode 100644 index bfd8806..0000000 --- a/tasks/section_1/cis_1.11.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -- name: "1.11 | L2 | PATCH | Ensure system-wide crypto policy is FUTURE or FIPS" - shell: | - update-crypto-policies --set "{{ rhel9cis_crypto_policy }}" - update-crypto-policies - args: - warn: false - when: - - rhel9cis_rule_1_11 - - system_wide_crypto_policy['stdout'] not in rhel9cis_allowed_crypto_policies - tags: - - level2-server - - level2-workstation - - not system_is_ec2 - - patch - - rule_1.11 diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml index 52372a3..0023f2d 100644 --- a/tasks/section_1/cis_1.2.x.yml +++ b/tasks/section_1/cis_1.2.x.yml @@ -1,6 +1,6 @@ --- -- name: "1.2.1 | L1 | PATCH | Ensure Red Hat Subscription Manager connection is configured" +- name: "1.2.1 | PATCH | Ensure Red Hat Subscription Manager connection is configured" redhat_subscription: state: present username: "{{ rhel9cis_rh_sub_user }}" @@ -14,90 +14,74 @@ tags: - level1-server - level1-workstation - - notscored + - manual - patch - rule_1.2.1 - skip_ansible_lint # Added as no_log still errors on ansuible-lint -- name: "1.2.2 | L1 | PATCH | Disable the rhnsd Daemon" - service: - name: rhnsd - state: stopped - enabled: false - masked: true +- name: "1.2.2 | AUDIT | Ensure GPG keys are configured" + shell: "PKG=`rpm -qf {{ rpm_gpg_key }}` && rpm -q --queryformat \"%{PACKAGER} %{SIGPGP:pgpsig}\\n\" \"${PKG}\" | grep \"^{{ rpm_packager }}.*Key.ID.{{ rpm_key }}\"" + changed_when: false when: - - ansible_distribution == "RedHat" - - rhnsd_service_status.stdout == "loaded" and not rhel9cis_rhnsd_required - rhel9cis_rule_1_2_2 - tags: - - level1-server - - level1-workstation - - notscored - - patch - - rule_1.2.2 - -- name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured" - shell: gpg --quiet --with-fingerprint "{{ rpm_gpg_key }}" - args: - warn: false - when: - - rhel9cis_rule_1_2_3 - ansible_distribution == "RedHat" or ansible_distribution == "Rocky" tags: - level1-server - level1-workstation - - notscored + - manual - patch - - rule_1.2.3 + - rule_1.2.2 -- name: "1.2.4 | L1 | PATCH | Ensure gpgcheck is globally activated" +- name: "1.2.3| PATCH | Ensure gpgcheck is globally activated" block: - - name: "1.2.4 | L1 | AUDIT | Ensure gpgcheck is globally activated | Find repos" + - name: "1.2.3 | AUDIT | Ensure gpgcheck is globally activated | Find repos" find: paths: /etc/yum.repos.d patterns: "*.repo" register: yum_repos changed_when: false - - name: "1.2.4 | L1 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" + - name: "1.2.3 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos" replace: name: "{{ item.path }}" - regexp: "^gpgcheck=0" + regexp: '^gpgcheck\s+=\s+0' replace: "gpgcheck=1" with_items: - "{{ yum_repos.files }}" + loop_control: + label: "{{ item.path }}" when: - - rhel9cis_rule_1_2_4 + - rhel9cis_rule_1_2_3 tags: - level1-server - level1-workstation - - scored + - automated - patch - - rule_1.2.4 + - rule_1.2.3 -- name: "1.2.5 | L1 | Ensure package manager repositories are configured" +- name: "1.2.4 | AUDIT | Ensure package manager repositories are configured" block: - - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Get repo list" - shell: dnf repolist - args: - warn: false + - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Get repo list" + command: dnf repolist changed_when: false failed_when: false register: dnf_configured - check_mode: false + check_mode: no + args: + warn: false - - name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Display repo list" + - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Display repo list" debug: msg: - "Alert! Below are the configured repos. Please review and make sure all align with site policy" - "{{ dnf_configured.stdout_lines }}" when: - - rhel9cis_rule_1_2_5 + - rhel9cis_rule_1_2_4 tags: - level1-server - level1-workstation - - notscored - - patch - - rule_1.2.5 + - manual + - audit + - rule_1.2.4 - skip_ansible_lint diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 8456bc1..4dd7bcd 100644 --- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -1,44 +1,51 @@ --- -- name: "1.3.1 | L1 | PATCH | Ensure sudo is installed" - package: - name: sudo - state: present +- name: "1.3.1 | PATCH | Ensure AIDE is installed" + block: + - name: "1.3.1 | PATCH | Ensure AIDE is installed | Install AIDE" + package: + name: aide + state: present + + - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE" + command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' + changed_when: false + failed_when: false + async: 45 + poll: 0 + args: + creates: /var/lib/aide/aide.db.gz + when: not ansible_check_mode when: + - rhel9cis_config_aide - rhel9cis_rule_1_3_1 tags: - level1-server - level1-workstation - - scored - - sudo + - automated + - aide - patch - rule_1.3.1 -- name: "1.3.2 | L1 | PATCH | Ensure sudo commands use pty" - lineinfile: - dest: /etc/sudoers - line: "Defaults use_pty" - state: present +- name: "1.3.2 | PATCH | Ensure filesystem integrity is regularly checked" + cron: + name: Run AIDE integrity check + cron_file: "{{ rhel9cis_aide_cron['cron_file'] }}" + user: "{{ rhel9cis_aide_cron['cron_user'] }}" + minute: "{{ rhel9cis_aide_cron['aide_minute'] | default('0') }}" + hour: "{{ rhel9cis_aide_cron['aide_hour'] | default('5') }}" + day: "{{ rhel9cis_aide_cron['aide_day'] | default('*') }}" + month: "{{ rhel9cis_aide_cron['aide_month'] | default('*') }}" + weekday: "{{ rhel9cis_aide_cron['aide_weekday'] | default('*') }}" + job: "{{ rhel9cis_aide_cron['aide_job'] }}" when: - rhel9cis_rule_1_3_2 + - not system_is_ec2 tags: - level1-server - level1-workstation - - scored + - automated + - aide + - file_integrity - patch - rule_1.3.2 - -- name: "1.3.3 | L1 | PATCH | Ensure sudo log file exists" - lineinfile: - dest: /etc/sudoers - regexp: '^Defaults logfile=' - line: 'Defaults logfile="{{ rhel9cis_varlog_location }}"' - state: present - when: - - rhel9cis_rule_1_3_3 - tags: - - level1-server - - level1-workstation - - scored - - patch - - rule_1.3.3 diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index a5b1f3b..6ac4979 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -1,47 +1,72 @@ --- -- name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed" - block: - - name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Install AIDE" - package: - name: aide - state: present - - - name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Configure AIDE" - shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz' - args: - warn: false - creates: /var/lib/aide/aide.db.gz - changed_when: false - failed_when: false - async: 45 - poll: 0 - when: not ansible_check_mode +- name: "1.4.1 | PATCH | Ensure bootloader password is set" + copy: + dest: /boot/grub2/user.cfg + content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" + owner: root + group: root + mode: 0600 + notify: grub2cfg when: - - rhel9cis_config_aide + - rhel9cis_set_boot_pass - rhel9cis_rule_1_4_1 tags: - level1-server - level1-workstation - - scored - - aide + - automated + - grub - patch - rule_1.4.1 -- name: "1.4.2 | L1 | PATCH | Ensure filesystem integrity is regularly checked" - template: - src: aide.cron.j2 - dest: /etc/cron.d/aide.cron - owner: root - group: root - mode: 0644 +- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" + block: + - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured" + file: + path: /boot/grub2/grub.cfg + owner: root + group: root + mode: 0600 + + - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | UEFI" + mount: + name: /boot/efi + src: "UUID={{ item.uuid }}" + fstype: vfat + state: present + opts: defaults,umask=0027,fmask=0077,uid=0,gid=0 + passno: '0' + with_items: + - "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" + when: + - not rhel9cis_legacy_boot + - item.mount == "/boot/efi" when: - rhel9cis_rule_1_4_2 tags: - level1-server - level1-workstation - - scored - - aide - - file_integrity + - automated + - grub - patch - rule_1.4.2 + +- name: "1.4.3 | PATCH | Ensure authentication is required when booting into rescue mode" + lineinfile: + path: /etc/systemd/system/rescue.service.d/00-require-auth.conf + regexp: '^ExecStart=' + line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" + create: yes + owner: root + group: root + mode: 0644 + when: + - rhel9cis_rule_1_4_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.4.3 diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index 5b16946..6573e51 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -1,76 +1,47 @@ --- -- name: "1.5.1 | L1 | PATCH | Ensure permissions on bootloader config are configured" - block: - - name: "1.5.1 | L1 | PATCH | Ensure permissions on bootloader config are configured" - file: - path: "{{ grub_cfg.stat.lnk_source }}" - owner: root - group: root - mode: 0600 - - - name: "1.5.1 | L1 | PATCH | Ensure permissions on bootloader config are configured | UEFI" - mount: - name: /boot/efi - src: "UUID={{ item.uuid }}" - fstype: vfat - state: present - opts: defaults,umask=0027,fmask=0077,uid=0,gid=0 - passno: '0' - loop: "{{ ansible_mounts }}" - when: - - not rhel9cis_legacy_boot - - item.mount == "/boot/efi" +- name: "1.5.1 | PATCH | Ensure core dump storage is disabled" + lineinfile: + path: /etc/systemd/coredump.conf + regexp: '^Storage\s*=\s*(?!none).*' + line: 'Storage=none' + notify: systemd_daemon_reload when: - rhel9cis_rule_1_5_1 - - grub_cfg.stat.exists - - grub_cfg.stat.islnk + - systemd_coredump.stat.exists tags: - level1-server - level1-workstation - - scored - - grub + - automated - patch - rule_1.5.1 -- name: "1.5.2 | L1 | PATCH | Ensure bootloader password is set" - copy: - dest: /boot/grub2/user.cfg - content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}" - owner: root - group: root - mode: 0600 - notify: grub2cfg +- name: "1.5.2 | PATCH | Ensure core dump backtraces are disabled" + lineinfile: + path: /etc/systemd/coredump.conf + regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$' + line: 'ProcessSizeMax=0' when: - - rhel9cis_set_boot_pass - - grub_pass is defined and grub_pass.passhash is defined - - grub_pass.passhash | length > 0 - rhel9cis_rule_1_5_2 tags: - level1-server - level1-workstation - - scored - - grub + - automated - patch + - sysctl - rule_1.5.2 -- name: "1.5.3 | L1 | PATCH | Ensure authentication required for single user mode" - block: - - name: "1.5.3 | L1 | PATCH | Ensure authentication required for single user mode | Emergency service" - lineinfile: - dest: /usr/lib/systemd/system/emergency.service - regexp: '/sbin/sulogin' - line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency' - - - name: "1.5.3 | L1 | PATCH | Ensure authentication required for single user mode | Rescue service" - lineinfile: - dest: /usr/lib/systemd/system/rescue.service - regexp: '/sbin/sulogin' - line: 'ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue' +- name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" + notify: + - update sysctl when: - rhel9cis_rule_1_5_3 tags: - level1-server - level1-workstation + - automated - patch + - sysctl - rule_1.5.3 diff --git a/tasks/section_1/cis_1.6.1.x.yml b/tasks/section_1/cis_1.6.1.x.yml new file mode 100644 index 0000000..f917a99 --- /dev/null +++ b/tasks/section_1/cis_1.6.1.x.yml @@ -0,0 +1,118 @@ +--- + +- name: "1.6.1.1 | PATCH | Ensure SELinux is installed" + package: + name: libselinux + state: present + when: + - rhel9cis_rule_1_6_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.6.1.1 + +- name: "1.6.1.2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" + replace: + dest: /etc/default/grub + regexp: '(selinux|enforcing)\s*=(\s0|0).*' + replace: '' + register: selinux_grub_patch + ignore_errors: yes + notify: grub2cfg + when: + - rhel9cis_rule_1_6_1_2 + tags: + - level1-server + - level1-workstation + - scored + - patch + - rule_1.6.1.2 + +# State set to enforcing because control 1.6.1.5 requires enforcing to be set +- name: "1.6.1.3 | PATCH | Ensure SELinux policy is configured" + selinux: + conf: /etc/selinux/config + policy: "{{ rhel9cis_selinux_pol }}" + state: enforcing + when: + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_3 + tags: + - level1-server + - level1-workstation + - automated + - selinux + - patch + - rule_1.6.1.3 + +- name: "1.6.1.4 | PATCH | Ensure the SELinux state is enforcing" + selinux: + conf: /etc/selinux/config + policy: "{{ rhel9cis_selinux_pol }}" + state: enforcing + when: + - not rhel9cis_selinux_disable + - rhel9cis_rule_1_6_1_4 + tags: + - level2-server + - level2-workstation + - automated + - selinux + - patch + - rule_1.6.1.4 + +- name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist" + block: + - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Find the unconfined services" + shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' + register: rhelcis_1_6_1_5_unconf_services + failed_when: false + changed_when: false + + - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on no unconfined services" + debug: + msg: "Good News! There are no services found on your system" + when: rhelcis_1_6_1_5_unconf_services.stdout | length == 0 + + - name: "1.6.1.5 | AUDIT | Ensure no unconfined services exist | Message on unconfined services" + debug: + msg: "Warning! You have unconfined services: {{ rhelcis_1_6_1_5_unconf_services.stdout_lines }}" + when: rhelcis_1_6_1_5_unconf_services.stdout | length > 0 + when: + - rhel9cis_rule_1_6_1_5 + tags: + - level1-server + - level1-workstation + - automated + - audit + - services + - rule_1.6.1.5 + +- name: "1.6.1.6 | PATCH | Ensure SETroubleshoot is not installed" + package: + name: setroubleshoot + state: absent + when: + - rhel9cis_rule_1_6_1_6 + - "'setroubleshoot' in ansible_facts.packages" + tags: + - level1-server + - automated + - selinux + - patch + - rule_1.6.1.6 + +- name: "1.6.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" + package: + name: mcstrans + state: absent + when: + - rhel9cis_rule_1_6_1_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_1.6.1.7 diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml deleted file mode 100644 index 1b37c0d..0000000 --- a/tasks/section_1/cis_1.6.x.yml +++ /dev/null @@ -1,54 +0,0 @@ ---- - -- name: "1.6.1 | L1 | PATCH | Ensure core dumps are restricted" - block: - - name: "1.6.1 | L1 | Ensure core dumps are restricted | Update limits.conf file" - lineinfile: - state: present - dest: /etc/security/limits.conf - regexp: '^#?\\*.*core' - line: '* hard core 0' - insertbefore: '^# End of file' - - - name: "1.6.1 | L1 | PATCH | Ensure core dumps are restricted | Set active kernel parameter" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - - name: "1.6.1 | L1 | PATCH | Ensure core dumps are restricted | if systemd coredump" - lineinfile: - path: /etc/systemd/coredump.conf - regexp: "{{ item.regexp }}" - line: "{{ item.regexp }}{{ item.line }}" - state: present - with_items: - - {'regexp': 'Storage=', 'line': 'none'} - - {'regexp': 'ProcessSizeMax=', 'line': '0'} - notify: - - systemd_daemon_reload - when: - - systemd_coredump.stat.exists - when: - - rhel9cis_rule_1_6_1 - tags: - - level1-server - - level1-workstation - - scored - - sysctl - - patch - - rule_1.6.1 - -- name: "1.6.2 | L1 | PATCH | Ensure address space layout randomization (ASLR) is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - when: - - rhel9cis_rule_1_6_2 - tags: - - level1-server - - level1-workstation - - scored - - patch - - rule_1.6.2 diff --git a/tasks/section_1/cis_1.7.1.x.yml b/tasks/section_1/cis_1.7.1.x.yml deleted file mode 100644 index ded7128..0000000 --- a/tasks/section_1/cis_1.7.1.x.yml +++ /dev/null @@ -1,117 +0,0 @@ ---- - -- name: "1.7.1.1 | L2 | PATCH | Ensure SELinux is installed" - package: - name: libselinux - state: present - when: - - rhel9cis_rule_1_7_1_1 - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.7.1.1 - -- name: "1.7.1.2 | L2 | PATCH | Ensure SELinux is not disabled in bootloader configuration" - replace: - dest: /etc/default/grub - regexp: '(selinux|enforcing)\s*=\s*0\s*' - replace: '' - register: selinux_grub_patch - ignore_errors: true - notify: grub2cfg - when: - - rhel9cis_rule_1_7_1_2 - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.7.1.2 - -- name: "1.7.1.3 | L2 | PATCH | Ensure SELinux policy is configured" - selinux: - conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" - state: enforcing - when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_7_1_3 - tags: - - level2-server - - level2-workstation - - scored - - selinux - - patch - - rule_1.7.1.3 - -- name: "1.7.1.4 | L2 | PATCH | Ensure the SELinux state is enforcing" - selinux: - conf: /etc/selinux/config - policy: "{{ rhel9cis_selinux_pol }}" - state: enforcing - when: - - not rhel9cis_selinux_disable - - rhel9cis_rule_1_7_1_4 - tags: - - level2-server - - level2-workstation - - scored - - selinux - - patch - - rule_1.7.1.4 - -- name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist" - block: - - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Find the unconfined daemons" - shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }' - args: - warn: false - register: rhelcis_1_7_1_5_unconf_daemons - failed_when: false - changed_when: false - - - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Message on no unconfined daemones" - debug: - msg: "Good News! There are no unconfined daemons found on your system" - when: rhelcis_1_7_1_5_unconf_daemons.stdout | length == 0 - - - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Message on unconfined daemones" - debug: - msg: "Warning! You have unconfined daemons: {{ rhelcis_1_7_1_5_unconf_daemons.stdout_lines }}" - when: rhelcis_1_7_1_5_unconf_daemons.stdout | length > 0 - when: - - rhel9cis_rule_1_7_1_5 - tags: - - level2-server - - level2-workstation - - audit - - rule_1.7.1.5 - -- name: "1.7.1.6 | L2 | PATCH | Ensure SETroubleshoot is not installed" - package: - name: setroubleshoot - state: absent - when: - - rhel9cis_rule_1_7_1_6 - - "'setroubleshoot' in ansible_facts.packages" - tags: - - level2-server - - scored - - selinux - - patch - - rule_1.7.1.6 - -- name: "1.7.1.7 | L2 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed" - package: - name: mcstrans - state: absent - when: - - rhel9cis_rule_1_7_1_7 - tags: - - level2-server - - level2-workstation - - scored - - patch - - rule_1.7.1.7 diff --git a/tasks/section_1/cis_1.8.1.x.yml b/tasks/section_1/cis_1.7.x.yml similarity index 58% rename from tasks/section_1/cis_1.8.1.x.yml rename to tasks/section_1/cis_1.7.x.yml index d8cbec3..1ee5579 100644 --- a/tasks/section_1/cis_1.8.1.x.yml +++ b/tasks/section_1/cis_1.7.x.yml @@ -1,6 +1,6 @@ --- -- name: "1.8.1.1 | L1 | PATCH | Ensure message of the day is configured properly" +- name: "1.7.1 | PATCH | Ensure message of the day is configured properly" template: src: etc/motd.j2 dest: /etc/motd @@ -8,15 +8,16 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_8_1_1 + - rhel9cis_rule_1_7_1 tags: - level1-server - level1-workstation + - automated - banner - patch - - rule_1.8.1.1 + - rule_1.7.1 -- name: "1.8.1.2 | L1 | PATCH | Ensure local login warning banner is configured properly" +- name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly" template: src: etc/issue.j2 dest: /etc/issue @@ -24,14 +25,15 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_8_1_2 + - rhel9cis_rule_1_7_2 tags: - level1-server - level1-workstation + - automated - patch - - rule_1.8.1.2 + - rule_1.7.2 -- name: "1.8.1.3 | L1 | PATCH | Ensure remote login warning banner is configured properly" +- name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly" template: src: etc/issue.net.j2 dest: /etc/issue.net @@ -39,15 +41,16 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_8_1_3 + - rhel9cis_rule_1_7_3 tags: - level1-server - level1-workstation + - automated - banner - patch - - rule_1.8.1.3 + - rule_1.7.3 -- name: "1.8.1.4 | L1 | PATCH | Ensure permissions on /etc/motd are configured" +- name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured" file: dest: /etc/motd state: file @@ -55,15 +58,16 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_8_1_4 + - rhel9cis_rule_1_7_4 tags: - level1-server - level1-workstation + - automated - perms - patch - - rule_1.8.1.4 + - rule_1.7.4 -- name: "1.8.1.5 | L1 | PATCH | Ensure permissions on /etc/issue are configured" +- name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured" file: dest: /etc/issue state: file @@ -71,15 +75,16 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_8_1_5 + - rhel9cis_rule_1_7_5 tags: - level1-server - level1-workstation + - automated - perms - patch - - rule_1.8.1.5 + - rule_1.7.5 -- name: "1.8.1.6 | L1 | PATCH | Ensure permissions on /etc/issue.net are configured" +- name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured" file: dest: /etc/issue.net state: file @@ -87,10 +92,11 @@ group: root mode: 0644 when: - - rhel9cis_rule_1_8_1_6 + - rhel9cis_rule_1_7_6 tags: - level1-server - level1-workstation + - automated - perms - patch - - rule_1.8.1.6 + - rule_1.7.6 diff --git a/tasks/section_1/cis_1.8.2.yml b/tasks/section_1/cis_1.8.2.yml deleted file mode 100644 index be371dc..0000000 --- a/tasks/section_1/cis_1.8.2.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: "1.8.2 | L1 | PATCH | Ensure GDM login banner is configured" - lineinfile: - dest: "{{ item.file }}" - regexp: "{{ item.regexp }}" - line: "{{ item.line }}" - state: present - create: true - owner: root - group: root - mode: 0644 - with_items: - - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } - - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } - - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } - - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " } - when: - - rhel9cis_gui - - rhel9cis_rule_1_8_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_1.8.2 diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml new file mode 100644 index 0000000..a126a0a --- /dev/null +++ b/tasks/section_1/cis_1.8.x.yml @@ -0,0 +1,111 @@ +--- + +- name: "1.8.1 | PATCH | Ensure GNOME Display Manager is removed" + package: + name: gdm + state: absent + when: + - rhel9cis_rule_1_8_1 + - "'gdm' in ansible_facts.packages" + tags: + - level2-server + - automated + - patch + - gui + - gdm + - rule_1.8.1 + +- name: "1.8.2 | PATCH | Ensure GDM login banner is configured" + lineinfile: + path: "{{ item.file }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + state: present + create: yes + owner: root + group: root + mode: 0644 + notify: reload dconf + with_items: + - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } + - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } + - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-enable', line: 'banner-message-enable=true' } + - { file: '/etc/dconf/db/gdm.d/01-banner-message', regexp: 'banner-message-text', line: "banner-message-text='{{ rhel9cis_warning_banner }}' " } + when: + - rhel9cis_rule_1_8_2 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - automated + - patch + - gui + - gdm + - rule_1.8.2 + +- name: "1.8.3 | PATCH | Ensure last logged in user display is disabled" + lineinfile: + path: "{{ item.file }}" + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + create: yes + owner: root + group: root + mode: 0644 + notify: reload dconf + with_items: + - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' } + - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' } + - { file: '/etc/dconf/profile/gdm', regexp: 'file-db', line: 'file-db:/usr/share/gdm/greeter-dconf-defaults'} + - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: '\[org\/gnome\/login-screen\]', line: '[org/gnome/login-screen]' } + - { file: '/etc/dconf/db/gdm.d/00-login-screen', regexp: 'disable-user-list=', line: 'disable-user-list=true' } + when: + - rhel9cis_rule_1_8_3 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - automated + - patch + - gui + - rule_1.8.3 + +- name: "1.8.4 | PATCH | Ensure XDMCP is not enabled" + lineinfile: + path: /etc/gdm/custom.conf + regexp: 'Enable=true' + state: absent + when: + - rhel9cis_rule_1_8_4 + - rhel9cis_gui + tags: + - level1-server + - level1-workstation + - automated + - patch + - gui + - rule_1.8.4 + +- name: "1.8.5 | PATCH | Ensure automatic mounting of removable media is disabled" + lineinfile: + path: /etc/dconf/db/local.d/00-media-automount + regexp: "{{ item.regex }}" + line: "{{ item.line }}" + create: yes + notify: reload dconf + with_items: + - { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' } + - { regex: 'automount=', line: 'automount=false' } + - { regex: 'automount-open=', line: 'automount-open=false'} + when: + - rhel9cis_rule_1_8_5 + - rhel9cis_gui + tags: + - level1-server + - level2-workstation + - automated + - patch + - gui + - rule_1.8.5 diff --git a/tasks/section_1/cis_1.9.yml b/tasks/section_1/cis_1.9.yml index a67d5db..42c27b1 100644 --- a/tasks/section_1/cis_1.9.yml +++ b/tasks/section_1/cis_1.9.yml @@ -1,15 +1,17 @@ --- -- name: "1.9 | L1 | PATCH | Ensure updates, patches, and additional security software are installed" +- name: "1.9 | PATCH | Ensure updates, patches, and additional security software are installed" package: name: "*" state: latest + notify: change_requires_reboot when: - rhel9cis_rule_1_9 - not system_is_ec2 tags: - level1-server - level1-workstation + - automated - patch - rule_1.9 - skip_ansible_lint diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 933804e..1d6ab55 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -1,42 +1,59 @@ --- -- name: "SECTION | 1.1 | FileSystem Configurations\n - SECTION | 1.1.1.x | Disable unused filesystems" +- name: "SECTION | 1.1.1.x | Disable unused filesystems" import_tasks: cis_1.1.1.x.yml -- import_tasks: cis_1.1.x.yml + +- name: "SECTION | 1.1.2.x | Configure /tmp" + import_tasks: cis_1.1.2.x.yml + +- name: "SECTION | 1.1.3.x | Configure /var" + import_tasks: cis_1.1.3.x.yml + +- name: "SECTION | 1.1.4.x | Configure /var/tmp" + import_tasks: cis_1.1.4.x.yml + +- name: "SECTION | 1.1.5.x | Configure /var/log" + import_tasks: cis_1.1.5.x.yml + +- name: "SECTION | 1.1.6.x | Configure /var/log/audit" + import_tasks: cis_1.1.6.x.yml + +- name: "SECTION | 1.1.7.x | Configure /home" + import_tasks: cis_1.1.7.x.yml + +- name: "SECTION | 1.1.8.x | Configure /dev/shm" + import_tasks: cis_1.1.8.x.yml + +- name: "SECTION | 1.1.x | Disable various mounting" + import_tasks: cis_1.1.x.yml - name: "SECTION | 1.2 | Configure Software Updates" import_tasks: cis_1.2.x.yml -- name: "SECTION | 1.3 | Configure sudo" +- name: "SECTION | 1.3 | Filesystem Integrity Checking" import_tasks: cis_1.3.x.yml - -- name: "SECTION | 1.4 | Filesystem Integrity" - include_tasks: cis_1.4.x.yml when: rhel9cis_config_aide -- name: "SECTION | 1.5 | Secure Boot Settings" +- name: "SECTION | 1.4 | Secure Boot Settings" + import_tasks: cis_1.4.x.yml + +- name: "SECTION | 1.5 | Additional Process Hardening" import_tasks: cis_1.5.x.yml -- name: "SECTION | 1.6 | Additional Process Hardening" - import_tasks: cis_1.6.x.yml - -- name: "SECTION | 1.7 | bootloader and Mandatory Access Control" - include_tasks: cis_1.7.1.x.yml +- name: "SECTION | 1.6 | Mandatory Access Control" + include_tasks: cis_1.6.1.x.yml when: not rhel9cis_selinux_disable -- name: "SECTION | 1.8 | Warning Banners" - import_tasks: cis_1.8.1.x.yml +- name: "SECTION | 1.7 | Command Line Warning Banners" + import_tasks: cis_1.7.x.yml -- name: "SECTION | 1.9 | Updated and Patches" +- name: "SECTION | 1.8 | Gnome Display Manager" + import_tasks: cis_1.8.x.yml + +- name: "SECTION | 1.9 | Updates and Patches" import_tasks: cis_1.9.yml - name: "SECTION | 1.10 | Crypto policies" include_tasks: cis_1.10.yml when: - not system_is_ec2 - -- name: "SECTION | 1.11 | FIPS/FUTURE Crypto policies" - include_tasks: cis_1.11.yml - when: - - not system_is_ec2 diff --git a/tasks/section_2/cis_2.1.1.yml b/tasks/section_2/cis_2.1.1.yml deleted file mode 100644 index 5b56364..0000000 --- a/tasks/section_2/cis_2.1.1.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- - -- name: "2.1.1 | L1 | PATCH | Ensure xinetd is not installed" - package: - name: xinetd - state: absent - when: - - rhel9cis_rule_2_1_1 - tags: - - level1-server - - level1-workstation - - scored - - patch - - rule_2.1.1 diff --git a/tasks/section_2/cis_2.1.x.yml b/tasks/section_2/cis_2.1.x.yml new file mode 100644 index 0000000..effe806 --- /dev/null +++ b/tasks/section_2/cis_2.1.x.yml @@ -0,0 +1,41 @@ +--- + +- name: "2.1.1 | PATCH | Ensure time synchronization is in use" + package: + name: chrony + state: present + when: + - rhel9cis_rule_2_1_1 + - not system_is_container + tags: + - level1-server + - level1-workstation + - automated + - patch + - rule_2.1.1 + +- name: "2.1.2 | PATCH | Ensure chrony is configured" + block: + - name: "2.1.2 | PATCH | Ensure chrony is configured | Set configuration" + template: + src: etc/chrony.conf.j2 + dest: /etc/chrony.conf + owner: root + group: root + mode: 0644 + + - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" + lineinfile: + path: /etc/sysconfig/chronyd + regexp: "^(#)?OPTIONS" + line: "OPTIONS=\"-u chrony\"" + create: yes + mode: 0644 + when: + - rhel9cis_rule_2_1_2 + - not system_is_container + tags: + - level1-server + - level1-workstation + - patch + - rule_2.1.2 diff --git a/tasks/section_2/cis_2.2.1.x.yml b/tasks/section_2/cis_2.2.1.x.yml deleted file mode 100644 index 8b8b39c..0000000 --- a/tasks/section_2/cis_2.2.1.x.yml +++ /dev/null @@ -1,42 +0,0 @@ ---- - -- name: "2.2.1.1 | L1 | PATCH | Ensure time synchronization is in use - service install" - package: - name: "{{ rhel9cis_time_synchronization }}" - state: present - when: - - rhel9cis_rule_2_2_1_1 - - not system_is_container - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.1.1 - -- name: "2.2.1.2 | L1 | PATCH | Ensure chrony is configured" - block: - - name: "2.2.1.2 | L1 | PATCH | Ensure chrony is configured | Set configuration" - template: - src: chrony.conf.j2 - dest: /etc/chrony.conf - owner: root - group: root - mode: 0644 - - - name: "2.2.1.2 | L1 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1" - lineinfile: - dest: /etc/sysconfig/chronyd - regexp: "^(#)?OPTIONS" - line: "OPTIONS=\"-u chrony\"" - state: present - create: true - mode: 0644 - when: - - rhel9cis_time_synchronization == "chrony" - - rhel9cis_rule_2_2_1_2 - - not system_is_container - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.1.2 diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index f21bcd0..6a195ca 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -1,86 +1,228 @@ --- -- name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed" - block: - - name: "2.2.2 | L1 | AUDIT | Ensure X Window System is not installed | capture xorg-x11 packages" - shell: rpm -qa | grep xorg-x11 - args: - warn: false - failed_when: xorg_x11_installed.rc >=2 - check_mode: false - changed_when: false - register: xorg_x11_installed - - - name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed | remove packages if found" - shell: "dnf remove {{ item }}" - args: - warn: false - with_items: - - xorg_x11_installed.stdout_lines - when: xorg_x11_installed.stdout | length > 0 +- name: "2.2.1 | PATCH | Ensure xinetd is not installed" + package: + name: xinetd + state: absent when: - - not rhel9cis_xwindows_required - - rhel9cis_rule_2_2_2 + - rhel9cis_rule_2_2_1 + - not rhel9cis_xinetd_server + - "'xinetd' in ansible_facts.packages" tags: - level1-server - - scored - - xwindows + - level1-workstation + - automated - patch + - rule_2.2.1 + +- name: "2.2.2 | PATCH | Ensure xorg-x11-server-common is not installed" + package: + name: xorg-x11-server-common + state: absent + when: + - rhel9cis_rule_2_2_2 + - "'xorg-x11-server-common' in ansible_facts.packages" + tags: + - level1-server + - automated + - patch + - x11 - rule_2.2.2 -- name: "2.2.3 | L1 | PATCH | Ensure rsync service is not enabled " - service: - name: rsyncd - state: stopped - enabled: false +- name: "2.2.3 | PATCH | Ensure Avahi Server is not installed" + package: + name: + - avahi-autoipd + - avahi + state: absent when: - - not rhel9cis_rsyncd_server - - "'rsyncd' in ansible_facts.packages" + - rhel9cis_rule_2_2_3 + - not rhel9cis_avahi_server + - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages" + tags: + - level1-server + - level2-workstation + - automated + - patch + - avahi + - rule_2.2.3 + +- name: "2.2.4 | PATCH | Ensure CUPS is not installed" + package: + name: cups + state: absent + when: + - not rhel9cis_cups_server + - "'cups' in ansible_facts.packages" - rhel9cis_rule_2_2_3 tags: - level1-server - - level1-workstation + - automated - patch + - cups - rule_2.2.3 -- name: "2.2.4 | L1 | PATCH | Ensure Avahi Server is not enabled" - service: - name: avahi-daemon - state: stopped - enabled: false +- name: "2.2.5 | PATCH | Ensure DHCP Server is not installed" + package: + name: dhcp-server + state: absent when: - - not rhel9cis_avahi_server - - "'avahi' in ansible_facts.packages" - - rhel9cis_rule_2_2_4 - tags: - - level1-server - - level1-workstation - - scored - - avahi - - services - - patch - - rule_2.2.4 - -- name: "2.2.5 | L1 | PATCH | Ensure SNMP Server is not enabled" - service: - name: snmpd - state: stopped - enabled: false - when: - - not rhel9cis_snmp_server - - "'net-snmp' in ansible_facts.packages" + - not rhel9cis_dhcp_server + - "'dhcp-server' in ansible_facts.packages" - rhel9cis_rule_2_2_5 tags: - level1-server - level1-workstation + - automated - patch + - dhcp - rule_2.2.5 -- name: "2.2.6 | L1 | PATCH | Ensure HTTP Proxy Server is not enabled" - service: +- name: "2.2.6 | PATCH | Ensure DNS Server is not installed" + package: + name: bind + state: absent + when: + - not rhel9cis_dns_server + - "'bind' in ansible_facts.packages" + - rhel9cis_rule_2_2_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - dns + - rule_2.2.6 + +- name: "2.2.7 | PATCH | Ensure FTP Server is not installed" + package: + name: ftp + state: absent + when: + - not rhel9cis_ftp_server + - "'ftp' in ansible_facts.packages" + - rhel9cis_rule_2_2_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - ftp + - rule_2.2.7 + +- name: "2.2.8 | PATCH | Ensure VSFTP Server is not installed" + package: + name: vsftpd + state: absent + when: + - not rhel9cis_vsftpd_server + - "'vsftpd' in ansible_facts.packages" + - rhel9cis_rule_2_2_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - vsftpd + - rule_2.2.8 + +- name: "2.2.9 | PACH | Ensure TFTP Server is not installed" + package: + name: tftp-server + state: absent + when: + - not rhel9cis_tftp_server + - "'tftp-server' in ansible_facts.packages" + - rhel9cis_rule_2_2_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - tftp + - rule_2.2.9 + +- name: "2.2.10 | PATCH | Ensure a web server is not installed" + block: + - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove httpd server" + package: + name: httpd + state: absent + when: + - not rhel9cis_httpd_server + - "'httpd' in ansible_facts.packages" + + - name: "2.2.10 | PATCH | Ensure a web server is not installed | Remove nginx server" + package: + name: nginx + state: absent + when: + - not rhel9cis_nginx_server + - "'nginx' in ansible_facts.packages" + when: + - rhel9cis_rule_2_2_10 + tags: + - level1-server + - level1-workstation + - automated + - patch + - httpd + - nginx + - webserver + - rule_2.2.9 + +- name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" + block: + - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" + package: + name: + - dovecot + state: absent + when: + - not rhel9cis_dovecot_server + - "'dovecot' in ansible_facts.packages" + + - name: "2.2.11 | PATCH | Ensure IMAP and POP3 server is not installed" + package: + name: + - cyrus-imapd + state: absent + when: + - not rhel9cis_imap_server + - "'cyrus-imapd' in ansible_facts.packages" + + when: + - rhel9cis_rule_2_2_11 + tags: + - level1-server + - level1-workstation + - automated + - patch + - dovecot + - imap + - pop3 + - rule_2.2.11 + +- name: "2.2.12 | PATCH | Ensure Samba is not enabled" + package: + name: samba + state: absent + when: + - not rhel9cis_samba_server + - "'samba' in ansible_facts.packages" + - rhel9cis_rule_2_2_12 + tags: + - level1-server + - level1-workstation + - automated + - patch + - samba + - rule_2.2.12 + +- name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed" + package: name: squid - state: stopped - enabled: false + state: absent when: - not rhel9cis_squid_server - "'squid' in ansible_facts.packages" @@ -88,179 +230,31 @@ tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.6 + - squid + - rule_2.2.13 -- name: "2.2.7 | L1 | PATCH | Ensure Samba is not enabled" - service: - name: smb - state: stopped - enabled: false +- name: "2.2.14 | PATCH | Ensure net-snmp is not installed" + package: + name: net-snmp + state: absent when: - - not rhel9cis_smb_server - - "'samba' in ansible_facts.packages" - - rhel9cis_rule_2_2_7 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.7 - -- name: "2.2.8 | L1 | PATCH | Ensure IMAP and POP3 server is not enabled" - service: - name: dovecot - state: stopped - enabled: false - when: - - not rhel9cis_dovecot_server - - "'dovecot' in ansible_facts.packages" - - rhel9cis_rule_2_2_8 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.8 - -- name: "2.2.9 | L1 | PATCH | Ensure HTTP server is not enabled" - service: - name: httpd - state: stopped - enabled: false - when: - - not rhel9cis_httpd_server - - "'httpd' in ansible_facts.packages" - - rhel9cis_rule_2_2_9 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.9 - -- name: "2.2.10 | L1 | PATCH | Ensure FTP Server is not enabled" - service: - name: vsftpd - state: stopped - enabled: false - when: - - not rhel9cis_vsftpd_server - - "'vsftpd' in ansible_facts.packages" - - rhel9cis_rule_2_2_10 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.10 - -- name: "2.2.11 | L1 | PATCH | Ensure DNS Server is not enabled" - service: - name: named - state: stopped - enabled: false - when: - - not rhel9cis_named_server - - "'bind' in ansible_facts.packages" - - rhel9cis_rule_2_2_11 - tags: - - level1-server - - level1-workstation - - patch - - rule_2.2.11 - -- name: "2.2.12 | L1 | PATCH | Ensure NFS is not enabled" - service: - name: nfs-server - state: stopped - enabled: false - when: - - not rhel9cis_nfs_rpc_server - - "'nfs-utils' in ansible_facts.packages" - - rhel9cis_rule_2_2_12 - tags: - - level1-server - - level1-workstation - - scored - - nfs - - services - - patch - - rule_2.2.12 - -- name: "2.2.13 | L1 | PATCH | Ensure RPC is not enabled" - service: - name: rpcbind - state: stopped - enabled: false - when: - - not rhel9cis_nfs_rpc_server - - "'rpcbind' in ansible_facts.packages" - - rhel9cis_rule_2_2_13 - tags: - - level1-server - - level1-workstation - - scored - - rpc - - services - - patch - - rule_2.2.7 - -- name: "2.2.14 | L1 | PATCH | Ensure LDAP server is not enabled" - service: - name: slapd - state: stopped - enabled: false - when: - - not rhel9cis_ldap_server - - "'openldap-servers' in ansible_facts.packages" + - not rhel9cis_snmp_server + - "'net-snmp' in ansible_facts.packages" - rhel9cis_rule_2_2_14 tags: - level1-server - level1-workstation - - scored - - ldap - - services + - automated - patch - - rule_2.2.6 + - snmp + - rule_2.2.14 -- name: "2.2.15 | L1 | PATCH | Ensure DHCP Server is not enabled" - service: - name: dhcpd - state: stopped - enabled: false - when: - - not rhel9cis_dhcp_server - - "'dhcp' in ansible_facts.packages" - - rhel9cis_rule_2_2_15 - tags: - - level1-server - - level1-workstation - - scored - - dhcp - - services - - patch - - rule_2.2.15 - -- name: "2.2.16 | L1 | PATCH | Ensure CUPS is not enabled" - service: - name: cups - state: stopped - enabled: false - when: - - not rhel9cis_cups_server - - "'cups' in ansible_facts.packages" - - rhel9cis_rule_2_2_16 - tags: - - level1-server - - level2-workstation - - scored - - cups - - services - - patch - - rule_2.2.16 - -- name: "2.2.17 | L1 | PATCH | Ensure NIS Server is not enabled" - service: +- name: "2.2.15 | PATCH | Ensure NIS Server is not installed" + package: name: ypserv - state: stopped - enabled: false + state: absent when: - not rhel9cis_nis_server - "'ypserv' in ansible_facts.packages" @@ -268,21 +262,135 @@ tags: - level1-server - level1-workstation + - automated - patch + - nis - rule_2.2.17 -- name: "2.2.18 | L1 | PATCH | Ensure mail transfer agent is configured for local-only mode" +- name: "2.2.16 | PATCH | Ensure telnet-server is not installed" + package: + name: telnet-server + state: absent + when: + - not rhel9cis_telnet_server + - "'telnet-server' in ansible_facts.packages" + - rhel9cis_rule_2_2_16 + tags: + - level1-server + - level1-workstation + - automated + - patch + - telnet + - rule_2.2.16 + +- name: "2.2.17 | PATCH | Ensure mail transfer agent is configured for local-only mode" lineinfile: - dest: /etc/postfix/main.cf + path: /etc/postfix/main.cf regexp: "^(#)?inet_interfaces" line: "inet_interfaces = loopback-only" notify: restart postfix when: - not rhel9cis_is_mail_server - "'postfix' in ansible_facts.packages" + - rhel9cis_rule_2_2_17 + tags: + - level1-server + - level1-workstation + - automated + - patch + - postfix + - rule_2.2.17 + +# The name title of the service says mask the service, but the fix allows for both options +# Options available in default/main if to remove the package default is false just mask the server service +- name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked" + block: + - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | remove package" + package: + name: nfs-utils + state: absent + when: + - not rhel9cis_use_nfs_server + - not rhel9cis_use_nfs_service + + - name: "2.2.18 | PATCH | Ensure nfs-utils is not installed or the nfs-server service is masked | mask service" + systemd: + name: nfs-server + masked: true + state: stopped + when: + - not rhel9cis_use_nfs_server + - rhel9cis_use_nfs_service + when: + - "'nfs-utils' in ansible_facts.packages" - rhel9cis_rule_2_2_18 tags: - level1-server - level1-workstation + - automated - patch - - rule_2.2.1 + - nfs + - services + - rule_2.2.18 + +# The name title of the service says mask the service, but the fix allows for both options +# Options available in default/main if to remove the package default is false just mask the server service +- name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked" + block: + - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | remove package" + package: + name: rpcbind + state: absent + when: + - not rhel9cis_use_rpc_server + - not rhel9cis_use_rpc_service + + - name: "2.2.19 | PATCH | Ensure rpcbind is not installed or the rpcbind services are masked | mask service" + systemd: + name: rpcbind.socket + masked: true + state: stopped + when: + - rhel9cis_use_rpc_server + - not rhel9cis_use_rpc_service + when: + - "'rpcbind' in ansible_facts.packages" + - rhel9cis_rule_2_2_19 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rpc + - rule_2.2.19 + +# The name title of the service says mask the service, but the fix allows for both options +# Options available in default/main if to remove the package default is false just mask the server service +- name: "2.2.20 | PATCH | Ensure rsync service is not enabled " + block: + - name: "2.2.20 | PATCH | Ensure rsync service is not enabled | remove package" + package: + name: rsync + state: absent + when: + - not rhel9cis_use_rsync_server + - not rhel9cis_use_rsync_service + + - name: "2.2.20 | PATCH | Ensure rsync service is not enabled | mask service" + systemd: + name: rsyncd + masked: true + state: stopped + when: + - rhel9cis_use_rsync_server + - not rhel9cis_use_rsync_service + when: + - "'rsync' in ansible_facts.packages" + - rhel9cis_rule_2_2_20 + tags: + - level1-server + - level1-workstation + - automated + - patch + - rsync + - rule_2.2.20 diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index 875eff8..a1941da 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -1,6 +1,6 @@ --- -- name: "2.3.1 | L1 | PATCH | Ensure NIS Client is not installed" +- name: "2.3.1 | PATCH | Ensure NIS Client is not installed" package: name: ypbind state: absent @@ -11,33 +11,87 @@ tags: - level1-server - level1-workstation + - automated - patch + - nis - rule_2.3.1 -- name: "2.3.2 | L1 | PATCH | Ensure telnet client is not installed" +- name: "2.3.2 | PATCH | Ensure rsh client is not installed" + package: + name: rsh + state: absent + when: + - not rhel9cis_rsh_required + - "'rsh' in ansible_facts.packages" + - rhel9cis_rule_2_3_2 + tags: + - level1-server + - level2-server + - automated + - patch + - rsh + - rule_2.3.2 + +- name: "2.3.3 | PATCH | Ensure talk client is not installed" + package: + name: talk + state: absent + when: + - not rhel9cis_talk_required + - "'talk' in ansible_facts.packages" + - rhel9cis_rule_2_3_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - talk + - rule_2.3.3 + +- name: "2.3.4 | PATCH | Ensure telnet client is not installed" package: name: telnet state: absent when: - not rhel9cis_telnet_required - "'telnet' in ansible_facts.packages" - - rhel9cis_rule_2_3_2 + - rhel9cis_rule_2_3_4 tags: - level1-server - level1-workstation + - automated - patch - - rule_2.3.2 + - telnet + - rule_2.3.4 -- name: "2.3.3 | L1 | PATCH | Ensure LDAP client is not installed" +- name: "2.3.5 | PATCH | Ensure LDAP client is not installed" package: name: openldap-clients state: absent when: - not rhel9cis_openldap_clients_required - "'openldap-clients' in ansible_facts.packages" - - rhel9cis_rule_2_3_3 + - rhel9cis_rule_2_3_5 tags: - level1-server - level1-workstation + - automated - patch - - rule_2.3.3 + - ldap + - rule_2.3.5 + +- name: "2.3.6 | PATCH | Ensure TFTP client is not installed" + package: + name: tftp + state: absent + when: + - not rhel9cis_tftp_client + - "'tftp' in ansible_facts.packages" + - rhel9cis_rule_2_3_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - tftp + - rule_2.3.6 diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml new file mode 100644 index 0000000..5db134e --- /dev/null +++ b/tasks/section_2/cis_2.4.yml @@ -0,0 +1,26 @@ +--- + +- name: "2.4 | AUDIT | Ensure nonessential services are removed or masked" + block: + - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Get list of services" + shell: systemctl list-units --type=service + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_2_4_services + + - name: "2.4 | AUDIT | Ensure nonessential services are removed or masked | Display list of services" + debug: + msg: + - "Alert! Below are the list of services, both active and inactive" + - "Please review to make sure all are essential" + - "{{ rhel9cis_2_4_services.stdout_lines }}" + when: + - rhel9cis_rule_2_4 + tags: + - level1-server + - level1-workstation + - manual + - audit + - services + - rule_2.4 diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 2b705ae..8f79854 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -1,13 +1,13 @@ --- -- name: "SECTION | 2.1 | xinetd" - import_tasks: cis_2.1.1.yml - -- name: "SECTION | 2.2.1 | Time Synchronization" - import_tasks: cis_2.2.1.x.yml +- name: "SECTION | 2.1 | Time Synchronization" + import_tasks: cis_2.1.x.yml - name: "SECTION | 2.2 | Special Purpose Services" import_tasks: cis_2.2.x.yml - name: "SECTION | 2.3 | Service Clients" import_tasks: cis_2.3.x.yml + +- name: "SECTION | 2.4 | Nonessential services removed" + import_tasks: cis_2.4.yml diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index ad692fa..db3c0fd 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -1,43 +1,91 @@ --- -- name: "3.1.1 | L1 | PATCH | Ensure IP forwarding is disabled" - block: - - name: "3.1.1 | L1 | PATCH | Ensure IP forwarding is disabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - - name: "3.1.1 | L1 | PATCH | Ensure IP forwarding is disabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required +# The CIS Control wants IPv6 disabled if not in use. +# We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use +- name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" + notify: + - update sysctl + - sysctl flush ipv6 route table when: - - not rhel9cis_is_router + - not rhel9cis_ipv6_required - rhel9cis_rule_3_1_1 tags: - level1-server - level1-workstation - - sysctl + - manual - patch + - ipv6 + - networking - rule_3.1.1 -- name: "3.1.2 | L1 | PATCH | Ensure packet redirect sending is disabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table +- name: "3.1.2 | PATCH | Ensure SCTP is disabled" + template: + src: "etc/modprobe.d/modprobe.conf.j2" + dest: "/etc/modprobe.d/{{ item }}.conf" + mode: "0600" + owner: root + group: root + with_items: + - sctp when: - - not rhel9cis_is_router - rhel9cis_rule_3_1_2 tags: - - level1-server - - level1-workstation - - sysctl + - level2-server + - level2-workstation + - automated - patch + - sctp - rule_3.1.2 + +- name: "3.1.3 | PATCH | Ensure DCCP is disabled" + template: + src: "etc/modprobe.d/modprobe.conf.j2" + dest: "/etc/modprobe.d/{{ item }}.conf" + mode: "0600" + owner: root + group: root + with_items: + - dccp + when: + - rhel9cis_rule_3_1_3 + tags: + - level2-server + - level2-workstation + - automated + - dccp + - patch + - rule_3.1.3 + +- name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled" + block: + - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available" + command: rpm -q NetworkManager + changed_when: false + failed_when: false + check_mode: no + args: + warn: no + register: rhel_08_nmcli_available + + - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" + command: nmcli radio wifi + register: rhel_08_wifi_enabled + changed_when: rhel_08_wifi_enabled.stdout != "disabled" + failed_when: false + when: rhel_08_nmcli_available.rc == 0 + + - name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" + command: nmcli radio all off + changed_when: false + failed_when: false + when: rhel_08_wifi_enabled is changed + when: + - rhel9cis_rule_3_1_4 + tags: + - level1-server + - automated + - patch + - wireless + - rule_3.1.4 diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index ce85507..46295ec 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -1,155 +1,45 @@ --- -- name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" +- name: "3.2.1 | PATCH | Ensure IP forwarding is disabled" block: - - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + notify: - update sysctl - sysctl flush ipv4 route table - - name: "3.2.1 | L1 | PATCH | Ensure source routed packets are not accepted" + - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv6 forwarding" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" notify: - - sysctl flush ipv6 route table - update sysctl + - sysctl flush ipv6 route table when: rhel9cis_ipv6_required when: + - not rhel9cis_is_router - rhel9cis_rule_3_2_1 tags: - level1-server - level1-workstation + - automated - sysctl - patch - rule_3.2.1 -- name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" - block: - - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - - name: "3.2.2 | L1 | PATCH | Ensure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required +- name: "3.2.2 | PATCH | Ensure packet redirect sending is disabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table when: + - not rhel9cis_is_router - rhel9cis_rule_3_2_2 tags: - level1-server - level1-workstation - - sysctl + - automated - patch + - sysctl - rule_3.2.2 - -- name: "3.2.3 | L1 | PATCH | Ensure secure ICMP redirects are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_3 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.3 - -- name: "3.2.4 | L1 | PATCH | Ensure suspicious packets are logged" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_4 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.4 - -- name: "3.2.5 | L1 | PATCH | Ensure broadcast ICMP requests are ignored" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_5 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.5 - -- name: "3.2.6 | L1 | PATCH | Ensure bogus ICMP responses are ignored" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_6 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.6 - -- name: "3.2.7 | L1 | PATCH | Ensure Reverse Path Filtering is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_7 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.7 - -- name: "3.2.8 | L1 | PATCH | Ensure TCP SYN Cookies is enabled" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: update sysctl - when: - - rhel9cis_rule_3_2_8 - tags: - - level1-server - - level1-workstation - - sysctl - - patch - - rule_3.2.8 - -- name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" - block: - - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - update sysctl - - sysctl flush ipv4 route table - - - name: "3.2.9 | L2 | PATCH | Ensure IPv6 router advertisements are not accepted" - debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/99-sysctl.conf" - notify: - - sysctl flush ipv6 route table - - update sysctl - when: rhel9cis_ipv6_required - when: - - rhel9cis_ipv6_required - - rhel9cis_rule_3_2_9 - tags: - - level2-server - - level2-workstation - - sysctl - - patch - - rule_3.2.9 diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index 0b49ba4..139ca65 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -1,61 +1,155 @@ --- -- name: "3.3.1 | L2 | PATCH | Ensure DCCP is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install dccp(\\s|$)" - line: "install dccp /bin/true" - create: true - mode: 0600 +- name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" + block: + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table + + - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" + notify: + - sysctl flush ipv6 route table + - update sysctl + when: rhel9cis_ipv6_required when: - rhel9cis_rule_3_3_1 tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation + - sysctl - patch - rule_3.3.1 -- name: "3.3.2 | L2 | PATCH | Ensure SCTP is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install sctp(\\s|$)" - line: "install sctp /bin/true" - create: true - mode: 0600 +- name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" + block: + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table + + - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf" + notify: + - sysctl flush ipv6 route table + - update sysctl + when: rhel9cis_ipv6_required when: - rhel9cis_rule_3_3_2 tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation + - sysctl - patch - rule_3.3.2 -- name: "3.3.3 | L2 | PATCH | Ensure RDS is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install rds(\\s|$)" - line: "install rds /bin/true" - create: true - mode: 0600 +- name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + notify: update sysctl when: - rhel9cis_rule_3_3_3 tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation + - sysctl - patch - rule_3.3.3 -- name: "3.3.4 | L2 | PATCH | Ensure TIPC is disabled" - lineinfile: - dest: /etc/modprobe.d/CIS.conf - regexp: "^(#)?install tipc(\\s|$)" - line: "install tipc /bin/true" - create: true - mode: 0600 +- name: "3.3.4 | PATCH | Ensure suspicious packets are logged" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + notify: update sysctl when: - rhel9cis_rule_3_3_4 tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation + - sysctl - patch - rule_3.3.4 + +- name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + notify: update sysctl + when: + - rhel9cis_rule_3_3_5 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.3.5 + +- name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + notify: update sysctl + when: + - rhel9cis_rule_3_3_6 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.3.6 + +- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + notify: update sysctl + when: + - rhel9cis_rule_3_3_7 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.3.7 + +- name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + notify: update sysctl + when: + - rhel9cis_rule_3_3_8 + tags: + - level1-server + - level1-workstation + - sysctl + - patch + - rule_3.3.8 + +- name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" + block: + - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + notify: + - update sysctl + - sysctl flush ipv4 route table + + - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" + debug: + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl" + notify: + - sysctl flush ipv6 route table + - update sysctl + when: rhel9cis_ipv6_required + when: + - rhel9cis_ipv6_required + - rhel9cis_rule_3_3_9 + tags: + - level2-server + - level2-workstation + - sysctl + - patch + - rule_3.3.9 diff --git a/tasks/section_3/cis_3.4.1.1.yml b/tasks/section_3/cis_3.4.1.1.yml deleted file mode 100644 index fc78b06..0000000 --- a/tasks/section_3/cis_3.4.1.1.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- - -- name: "3.4.1.1 | L1 | PATCH | Ensure a Firewall package is installed" - package: - name: "{{ rhel9cis_firewall }}" - state: present - when: - - rhel9cis_rule_3_4_1_1 - - not system_is_container - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.1.1 diff --git a/tasks/section_3/cis_3.4.1.x.yml b/tasks/section_3/cis_3.4.1.x.yml new file mode 100644 index 0000000..3518b42 --- /dev/null +++ b/tasks/section_3/cis_3.4.1.x.yml @@ -0,0 +1,143 @@ +--- + +- name: "3.4.1.1 | PATCH | Ensure firewalld is installed" + package: + name: + - firewalld + - iptables + state: present + when: + - rhel9cis_rule_3_4_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - firewalld + - rule_3.4.1.1 + +- name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld" + block: + - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | Stop running services" + systemd: + name: "{{ item }}" + masked: true + with_items: + - iptables + - ip6tables + when: item in ansible_facts.packages + + - name: "3.4.1.2 | PATCH | Ensure iptables-services not installed with firewalld | remove iptables-services pkg " + package: + name: iptables-services + state: absent + when: + when: + - rhel9cis_rule_3_4_1_2 + - "'iptables-services' in ansible_facts.packages" + tags: + - level1-server + - level1-workstation + - automated + - patch + - firewalld + - rule_3.4.1.2 + +- name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld" + block: + - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | mask service" + systemd: + name: nftables + state: stopped + masked: yes + when: + - rhel9cis_firewalld_nftables_state == "masked" + + - name: "3.4.1.3 | PATCH | Ensure nftables either not installed or masked with firewalld | pkg removed" + package: + name: nftables + state: absent + when: + - rhel9cis_firewalld_nftables_state == "absent" + when: + - rhel9cis_rule_3_4_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - firewalld + - rule_3_4_1_3 + +- name: "3.4.1.4 | PATCH | Ensure firewalld service is enabled and running" + systemd: + name: firewalld + state: started + enabled: yes + when: + - rhel9cis_rule_3_4_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - firewalld + - rule_3_4_1_4 + +- name: "3.4.1.5 | PATCH | Ensure firewalld default zone is set" + command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" + when: + - rhel9cis_rule_3_4_1_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - firewalld + - rule_3.4.1.5 + +- name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone" + block: + - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies" + shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done" + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_3_4_1_6_interfacepolicy + + - name: "3.4.1.6 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy" + debug: + msg: + - "The items below are the policies tied to the interfaces, please correct as needed" + - "{{ rhel9cis_3_4_1_6_interfacepolicy.stdout_lines }}" + when: + - rhel9cis_rule_3_4_1_6 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_3.4.1.6 + +- name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports" + block: + - name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" + shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_3_4_1_7_servicesport + + - name: "3.4.1.7 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" + debug: + msg: + - "The items below are the services and ports that are accepted, please correct as needed" + - "{{ rhel9cis_3_4_1_7_servicesport.stdout_lines }}" + when: + - rhel9cis_rule_3_4_1_7 + tags: + - level1-server + - level1-workstation + - manual + - audit + - rule_3.4.1.7 diff --git a/tasks/section_3/cis_3.4.2.x.yml b/tasks/section_3/cis_3.4.2.x.yml index 68b08dc..a9284c5 100644 --- a/tasks/section_3/cis_3.4.2.x.yml +++ b/tasks/section_3/cis_3.4.2.x.yml @@ -1,108 +1,345 @@ --- -- name: "3.4.2.1 | L1 | PATCH | Ensure firewalld service is enabled and running" - service: - name: firewalld - state: started - enabled: true +- name: "3.4.2.1 | PATCH | Ensure nftables is installed" + package: + name: nftables + state: present when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_2_1 tags: - level1-server - level1-workstation + - automated - patch - - rule_3_4_2_1 + - nftables + - rule_3.4.2.1 -- name: "3.4.2.2 | L1 | PATCH | Ensure iptables is not enabled with firewalld" - systemd: - name: iptables - masked: true +# The control allows the service it be masked or not installed +# We have chosen not installed +- name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables" + block: + - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | mask service" + systemd: + name: firewalld + masked: true + state: stopped + when: + - rhel9cis_nftables_firewalld_state == "masked" + + - name: "3.4.2.2 | PATCH | Ensure firewalld is either not installed or masked with nftables | pkg removed" + package: + name: firewalld + state: absent + when: + - rhel9cis_nftables_firewalld_state == "absent" when: - - rhel9cis_firewall == "firewalld" - - "'iptables' in ansible_facts.packages" - rhel9cis_rule_3_4_2_2 tags: - - skip_ansible_lint - level1-server - level1-workstation + - automated - patch - - rule_3_4_2_2 + - nftables + - rule_3.4.2.2 -- name: "3.4.2.3 | L1 | PATCH | Ensure nftables is not enabled with firewalld" - systemd: - name: nftables - enabled: false - masked: true +- name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables" + block: + - name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables | Stop services" + systemd: + name: "{{ item }}" + enabled: false + masked: true + ignore_errors: true + with_items: + - iptables + - ip6tables + + - name: "3.4.2.3 | PATCH | Ensure iptables-services not installed with nftables | Remove IPTables" + package: + name: iptables-service + state: absent when: - - rhel9cis_firewall == "firewalld" - - "'nftables' in ansible_facts.packages" - rhel9cis_rule_3_4_2_3 tags: - level1-server - level1-workstation + - automated - patch - - rule_3_4_2_3 + - nftables + - rule_3.4.2.3 -- name: "3.4.2.4 | L1 | PATCH | Ensure default zone is set" - shell: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}" - args: - warn: false +- name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables" + block: + - name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables | IPv4" + command: iptables -F + + - name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables | IPv6" + command: ip6tables -F + when: rhel9cis_ipv6_required when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_2_4 + - rhel9cis_firewall != "firewalld" tags: - level1-server - level1-workstation + - manual - patch + - nftables - rule_3.4.2.4 -- name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone" +- name: "3.4.2.5 | AUDIT | Ensure an nftables table exists" block: - - name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies" - shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done" - args: - warn: false + - name: "3.4.2.5 | AUDIT | Ensure a table exists | Check for tables" + command: nft list tables changed_when: false failed_when: false - check_mode: false - register: rhel9cis_3_4_2_5_interfacepolicy + register: rhel9cis_3_4_2_5_nft_tables - - name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies | Show the interface to policy" + - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Show existing tables" debug: msg: - - "The items below are the policies tied to the interfaces, please correct as needed" - - "{{ rhel9cis_3_4_2_5_interfacepolicy.stdout_lines }}" + - "Below are the current nft tables, please review" + - "{{ rhel9cis_3_4_2_5_nft_tables.stdout_lines }}" + when: rhel9cis_3_4_2_5_nft_tables.stdout | length > 0 + + - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists | Alert on no tables" + debug: + msg: + - "Warning! You currently have no nft tables, please review your setup" + - 'Use the command "nft create table inet " to create a new table' + when: + - rhel9cis_3_4_2_5_nft_tables.stdout | length == 0 + - not rhel9cis_nft_tables_autonewtable + + - name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed" + command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" + failed_when: no + when: rhel9cis_nft_tables_autonewtable when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_2_5 tags: - level1-server - level1-workstation - - audit + - automated + - patch + - nftables - rule_3.4.2.5 -- name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports" +- name: "3.4.2.6 | PATCH | Ensure nftables base chains exist" block: - - name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports" - shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done" - args: - warn: false + - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT" + shell: nft list ruleset | grep 'hook input' changed_when: false failed_when: false - check_mode: false - register: rhel9cis_3_4_2_6_servicesport + register: rhel9cis_3_4_2_6_input_chains - - name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Show services and ports" + - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" + shell: nft list ruleset | grep 'hook forward' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_6_forward_chains + + - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" + shell: nft list ruleset | grep 'hook output' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_6_output_chains + + - name: "3.4.2.6 | AUDIT | Ensure nftables base chains exist | Display chains for review" debug: msg: - - "The items below are the services and ports that are accepted, please correct as needed" - - "{{ rhel9cis_3_4_2_6_servicesport.stdout_lines }}" + - "Below are the current INPUT chains" + - "{{ rhel9cis_3_4_2_6_input_chains.stdout_lines }}" + - "Below are the current FORWARD chains" + - "{{ rhel9cis_3_4_2_6_forward_chains.stdout_lines }}" + - "Below are teh current OUTPUT chains" + - "{{ rhel9cis_3_4_2_6_output_chains.stdout_lines }}" + when: not rhel9cis_nft_tables_autochaincreate + + - name: "3.4.2.6 | PATCH | Ensure nftables base chains exist | Create chains if needed" + shell: "{{ item }}" + args: + warn: no + failed_when: no + with_items: + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } + - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } + when: rhel9cis_nft_tables_autochaincreate when: - - rhel9cis_firewall == "firewalld" - rhel9cis_rule_3_4_2_6 tags: - level1-server - level1-workstation - - audit + - automated + - patch + - nftables - rule_3.4.2.6 + +- name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured" + block: + - name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence" + shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_7_iiflo + + - name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence" + shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_7_ipsaddr + + - name: "3.4.2.7 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence" + shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_7_ip6saddr + + - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept + when: '"iif \"lo\" accept" not in rhel9cis_3_4_2_7_iiflo.stdout' + + - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop + when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ipsaddr.stdout' + + - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop + when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_2_7_ip6saddr.stdout' + when: + - rhel9cis_rule_3_4_2_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nftables + - rule_3.4.2.7 + +- name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured" + block: + - name: "3.4.2.8 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules" + shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_8_inconnectionrule + + - name: "3.4.2.8| AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules" + shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + changed_when: false + failed_when: false + register: rhel9cis_3_4_2_8_outconnectionrule + + - name: "3.4.2.8| PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept + when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout' + + - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept + when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout' + + - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept + when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_2_8_inconnectionrule.stdout' + + - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept + when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' + + - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept + when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' + + - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept + when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_2_8_outconnectionrule.stdout' + when: + - rhel9cis_rule_3_4_2_8 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nftables + - rule_3.4.3.5 + +- name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy" + block: + - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_9_inputpolicy + + - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_9_forwardpolicy + + - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_9_outputpolicy + + - name: "3.4.2.9 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" + shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' + failed_when: false + changed_when: false + register: rhel9cis_3_4_2_9_sshallowcheck + + - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" + command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept + when: '"tcp dport ssh accept" not in rhel9cis_3_4_2_9_sshallowcheck.stdout' + + - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" + command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } + when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_2_9_inputpolicy.stdout' + + - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" + command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } + when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_2_9_forwardpolicy.stdout' + + - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" + command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } + when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_2_9_outputpolicy.stdout' + when: + - rhel9cis_rule_3_4_2_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nftables + - rule_3.4.2.9 + +- name: "3.4.2.10 | PATCH | Ensure nftables service is enabled" + service: + name: nftables + enabled: yes + when: + - rhel9cis_rule_3_4_2_10 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nftables + - rule_3.4.3.7 + +- name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent" + lineinfile: + path: /etc/sysconfig/nftables.conf + insertafter: EOF + line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" + when: + - rhel9cis_rule_3_4_2_11 + tags: + - level1-server + - level1-workstation + - automated + - patch + - nftables + - rule_3.4.2.11 diff --git a/tasks/section_3/cis_3.4.3.x.yml b/tasks/section_3/cis_3.4.3.x.yml deleted file mode 100644 index 4212139..0000000 --- a/tasks/section_3/cis_3.4.3.x.yml +++ /dev/null @@ -1,320 +0,0 @@ ---- - -- name: "3.4.3.1 | L1 | PATCH | Ensure iptables are flushed with nftables" - shell: ip6tables -F - args: - warn: false - when: - - rhel9cis_rule_3_4_3_1 - - rhel9cis_firewall != "iptables" - - rhel9cis_ipv6_required - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.1 - -- name: "3.4.3.2 | L1 | AUDIT | Ensure an nftables table exists" - block: - - name: "3.4.3.2 | L1 | AUDIT | Ensure a table exists | Check for tables" - shell: nft list tables - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_2_nft_tables - - - name: "3.4.3.2 | L1 | AUDIT | Ensure an nftables table exists | Show existing tables" - debug: - msg: - - "Below are the current nft tables, please review" - - "{{ rhel9cis_3_4_3_2_nft_tables.stdout_lines }}" - when: rhel9cis_3_4_3_2_nft_tables.stdout | length > 0 - - - name: "3.4.3.2 | L1 | AUDIT | Ensure an nftables table exists | Alert on no tables" - debug: - msg: - - "Warning! You currently have no nft tables, please review your setup" - - 'Use the shell "nft create table inet
" to create a new table' - when: - - rhel9cis_3_4_3_2_nft_tables.stdout | length == 0 - - not rhel9cis_nft_tables_autonewtable - - - name: "3.4.3.2 | L1 | PATCH | Ensure a table exists | Create table if needed" - shell: nft create table inet "{{ rhel9cis_nft_tables_tablename }}" - args: - warn: false - failed_when: false - when: rhel9cis_nft_tables_autonewtable - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.2 - -- name: "3.4.3.3 | L1 | PATCH | Ensure nftables base chains exist" - block: - - name: "3.4.3.3 | L1 | Ensure nftables base chains exist | Get current chains for INPUT" - shell: nft list ruleset | grep 'hook input' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_3_input_chains - - - name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" - shell: nft list ruleset | grep 'hook forward' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_3_forward_chains - - - name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" - shell: nft list ruleset | grep 'hook output' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_3_output_chains - - - name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Display chains for review" - debug: - msg: - - "Below are the current INPUT chains" - - "{{ rhel9cis_3_4_3_3_input_chains.stdout_lines }}" - - "Below are the current FORWARD chains" - - "{{ rhel9cis_3_4_3_3_forward_chains.stdout_lines }}" - - "Below are teh current OUTPUT chains" - - "{{ rhel9cis_3_4_3_3_output_chains.stdout_lines }}" - when: not rhel9cis_nft_tables_autochaincreate - - - name: "3.4.3.3 | L1 | PATCH | Ensure nftables base chains exist | Create chains if needed" - shell: "{{ item }}" - args: - warn: false - failed_when: false - with_items: - - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } - - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { type filter hook forward priority 0 \; } - - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; } - when: rhel9cis_nft_tables_autochaincreate - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.3 - -- name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured" - block: - - name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_4_iiflo - - - name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_4_ipsaddr - - - name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence" - shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_4_ip6saddr - - - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept - args: - warn: false - when: '"iif \"lo\" accept" not in rhel9cis_3_4_3_4_iiflo.stdout' - - - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop - args: - warn: false - when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ipsaddr.stdout' - - - name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop - args: - warn: false - when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ip6saddr.stdout' - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.4 - -- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured" - block: - - name: "3.4.3.5 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules" - shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_5_inconnectionrule - - - name: "3.4.3.5 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules" - shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_3_5_outconnectionrule - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept - args: - warn: false - when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept - args: - warn: false - when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept - args: - warn: false - when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout' - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept - args: - warn: false - when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept - args: - warn: false - when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' - - - name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept - args: - warn: false - when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout' - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.5 - -- name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy" - block: - - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' - args: - warn: false - failed_when: false - changed_when: false - register: rhel9cis_3_4_3_6_inputpolicy - - - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' - args: - warn: false - failed_when: false - changed_when: false - register: rhel9cis_3_4_3_6_forwardpolicy - - - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' - args: - warn: false - failed_when: false - changed_when: false - register: rhel9cis_3_4_3_6_outputpolicy - - - name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" - shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' - args: - warn: false - failed_when: false - changed_when: false - register: rhel9cis_3_4_3_6_sshallowcheck - - - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" - shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept - args: - warn: false - when: '"tcp dport ssh accept" not in rhel9cis_3_4_3_6_sshallowcheck.stdout' - - - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" - shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } - args: - warn: false - when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_3_6_inputpolicy.stdout' - - - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" - shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } - args: - warn: false - when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_3_6_forwardpolicy.stdout' - - - name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" - shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } - args: - warn: false - when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_3_6_outputpolicy.stdout' - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.6 - -- name: "3.4.3.7 | L1 | PATCH | Ensure nftables service is enabled | Check if nftables is enabled" - service: - name: nftables - enabled: true - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_7 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.7 - -- name: "3.4.3.8 | L1 | PATCH | Ensure nftables rules are permanent" - lineinfile: - path: /etc/sysconfig/nftables.conf - state: present - insertafter: EOF - line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}" - when: - - rhel9cis_firewall == "nftables" - - rhel9cis_rule_3_4_3_8 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.3.8 diff --git a/tasks/section_3/cis_3.4.4.1.x.yml b/tasks/section_3/cis_3.4.4.1.x.yml deleted file mode 100644 index a18e7ef..0000000 --- a/tasks/section_3/cis_3.4.4.1.x.yml +++ /dev/null @@ -1,148 +0,0 @@ ---- - -- name: "3.4.4.1.1 | L1 | PATCH | Ensure iptables default deny firewall policy" - block: - - name: "3.4.4.1.1 | L1 | PATCH | Ensure iptables default deny firewall policy | Configure ssh to be allowed" - iptables: - chain: INPUT - protocol: tcp - destination_port: "22" - jump: ACCEPT - - - name: "3.4.4.1.1 | L1 | PATCH | Ensure iptables default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - rhel9cis_rule_3_4_4_1_1 - - rhel9cis_firewall == "iptables" - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.4.1.1 - -- name: "3.4.4.1.2 | L1 | PATCH | Ensure iptables loopback traffic is configured" - block: - - name: "3.4.4.1.2 | L1 | Ensure iptables loopback traffic is configured | INPUT Loopback ACCEPT" - iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - - - name: "3.4.4.1.2 | L1 | PATCH | Ensure iptables loopback traffic is configured | OUTPUT Loopback ACCEPT" - iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - - - name: "3.4.4.1.2 | L1 | PATCH | Ensure iptables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" - iptables: - action: append - chain: INPUT - source: 127.0.0.0/8 - jump: DROP - when: - - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.4.1.2 - -- name: "3.4.4.1.3 | L1 | PATCH | Ensure iptables outbound and established connections are configured" - iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } - when: - - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.4.1.3 - -- name: "3.4.4.1.4 | L1 | PATCH | Ensure iptables firewall rules exist for all open ports" - block: - - name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of TCP open ports" - shell: netstat -ant |grep "tcp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_4_1_4_otcp - - - name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get the list of udp open ports" - shell: netstat -ant |grep "udp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_3_4_4_1_4_oudp - - - name: "3.4.4.1.4 | L1 | PATCH | Ensure iptables firewall rules exist for all open ports | Adjust open tcp ports" - iptables: - action: append - chain: INPUT - protocol: tcp - destination_port: "{{ item }}" - match: state - ctstate: NEW - jump: ACCEPT - with_items: - - "{{ rhel9cis_3_4_4_1_4_otcp.stdout_lines }}" - when: rhel9cis_3_4_4_1_4_otcp.stdout is defined - - - name: "3.4.4.1.4 | L1 | PATCH | Ensure iptables firewall rules exist for all open ports | Adjust open udp ports" - iptables: - action: append - chain: INPUT - protocol: udp - destination_port: "{{ item }}" - match: state - ctstate: NEW - jump: ACCEPT - with_items: - - "{{ rhel9cis_3_4_4_1_4_oudp.stdout_lines }}" - when: rhel9cis_3_4_4_1_4_otcp.stdout is defined - when: - - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.4.1.4 - -- name: "3.4.4.1.5 | L1 | PATCH | Ensure iptables service is enabled and active | Check if iptables is enabled" - service: - name: iptables - enabled: true - state: started - when: - - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.4.1.5 diff --git a/tasks/section_3/cis_3.4.4.2.x.yml b/tasks/section_3/cis_3.4.4.2.x.yml deleted file mode 100644 index be4bf54..0000000 --- a/tasks/section_3/cis_3.4.4.2.x.yml +++ /dev/null @@ -1,136 +0,0 @@ ---- - -- name: "3.4.4.2.1 | L1 | PATCH | Ensure ip6tables default deny firewall policy" - block: - - name: "3.4.4.2.1 | L1 | Ensure ip6tables default deny firewall policy | Configure ssh to be allowed" - iptables: - chain: INPUT - protocol: tcp - destination_port: "22" - jump: ACCEPT - ip_version: ipv6 - - - name: "3.4.4.2.1 | L1 | PATCH | Ensure ip6tables default deny firewall policy | Set drop items" - iptables: - policy: DROP - chain: "{{ item }}" - ip_version: ipv6 - with_items: - - INPUT - - FORWARD - - OUTPUT - when: - - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_2_1 - - rhel9cis_ipv6_required - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.4.2.1 - -- name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured" - block: - - name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback ACCEPT" - iptables: - action: append - chain: INPUT - in_interface: lo - jump: ACCEPT - ip_version: ipv6 - - - name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured | OUTPUT Loopback ACCEPT" - iptables: - action: append - chain: OUTPUT - out_interface: lo - jump: ACCEPT - ip_version: ipv6 - - - name: "3.4.4.2.2 | L1 | PATCH | Ensure ip6tables loopback traffic is configured | INPUT Loopback 127.0.0.0/8" - iptables: - action: append - chain: INPUT - source: ::1 - jump: DROP - ip_version: ipv6 - when: - - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_2_2 - - rhel9cis_ipv6_required - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.4.2.2 - -- name: "3.4.4.2.3 | L1 | PATCH | Ensure ip6tables outbound and established connections are configured" - iptables: - action: append - chain: '{{ item.chain }}' - protocol: '{{ item.protocol }}' - match: state - ctstate: '{{ item.ctstate }}' - jump: ACCEPT - ip_version: ipv6 - with_items: - - { chain: OUTPUT, protocol: tcp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: udp, ctstate: 'NEW,ESTABLISHED' } - - { chain: OUTPUT, protocol: icmp, ctstate: 'NEW,ESTABLISHED' } - - { chain: INPUT, protocol: tcp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: udp, ctstate: ESTABLISHED } - - { chain: INPUT, protocol: icmp, ctstate: ESTABLISHED } - when: - - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_2_3 - - rhel9cis_ipv6_required - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.4.2.3 - -- name: "3.4.4.2.4 | L1 | PATCH | Ensure ip6tables firewall rules exist for all open ports" - block: - - name: "3.4.4.2.4 | L1 | AUDIT | Ensure ip6tables firewall rules exist for all open ports | Get list of TCP6 open ports" - shell: netstat -ant |grep "tcp6.*LISTEN" | awk '{ print $4 }'| sed 's/.*://' - changed_when: false - failed_when: false - register: rhel9cis_3_4_4_2_4_otcp - - - name: "3.4.4.2.4 | L1 | PATCH |Ensure ip6tables firewall rules exist for all open ports| Adjust open tcp6 ports" - iptables: - action: append - chain: INPUT - protocol: tcp - destination_port: "{{ item }}" - match: state - ctstate: NEW - jump: ACCEPT - ip_version: ipv6 - with_items: - - "{{ rhel9cis_3_4_4_2_4_otcp.stdout_lines }}" - when: rhel9cis_3_4_4_2_4_otcp.stdout is defined - when: - - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_2_4 - - rhel9cis_ipv6_required - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.4.2.4 - -- name: "3.4.4.2.5 | L1 | PATCH | Ensure ip6tables service is enabled and active | Check if ip6tables is enabled" - service: - name: ip6tables - enabled: true - state: started - when: - - rhel9cis_firewall == "iptables" - - rhel9cis_rule_3_4_4_2_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_3.4.4.2.5 diff --git a/tasks/section_3/cis_3.5.yml b/tasks/section_3/cis_3.5.yml deleted file mode 100644 index abe73d5..0000000 --- a/tasks/section_3/cis_3.5.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled" - block: - - name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled" - shell: nmcli radio wifi - args: - warn: false - register: rhel_09_wifi_enabled - changed_when: rhel_09_wifi_enabled.stdout != "disabled" - failed_when: false - - - name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled" - shell: nmcli radio all off - args: - warn: false - changed_when: false - failed_when: false - when: rhel_09_wifi_enabled is changed - when: - - '"NetworkManager" in ansible_facts.packages' - - rhel9cis_rule_3_5 - tags: - - level1-server - - level2-workstation - - patch - - rule_3.5 diff --git a/tasks/section_3/cis_3.6.yml b/tasks/section_3/cis_3.6.yml deleted file mode 100644 index 4fa1ae5..0000000 --- a/tasks/section_3/cis_3.6.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -- name: "3.6 | L2 | PATCH | Disable IPv6" - replace: - dest: /etc/default/grub - regexp: '(^GRUB_CMDLINE_LINUX\s*\=\s*)(?:")(.+)(?/dev/null; done + changed_when: false + failed_when: false + check_mode: no + register: priv_procs + + - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_6 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.6 + +- name: "4.1.3.7 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_7 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3_7 + +- name: "4.1.3.8 | PATCH | Ensure events that modify user/group information are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_8 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.8 + +- name: "4.1.3.9 | PATCH | Ensure discretionary access control permission modification events are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_9 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.9 + +- name: "4.1.3.10 | PATCH | Ensure successful file system mounts are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_10 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.10 + +- name: "4.1.3.11 | PATCH | Ensure session initiation information is collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_11 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.11 + +- name: "4.1.3.12 | PATCH | Ensure login and logout events are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_12 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.12 + +- name: "4.1.3.13 | PATCH | Ensure file deletion events by users are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_13 + tags: + - level2-server + - level2-workstation + - auditd + - patch + - rule_4.1.3.13 + +- name: "4.1.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_14 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.14 + +- name: "4.1.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_15 + tags: + - level2-server + - level2- workstation + - automated + - patch + - auditd + - rule_4.1.3.15 + +- name: "4.1.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_16 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.16 + +- name: "4.1.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_17 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.17 + +- name: "4.1.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_18 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.18 + +- name: "4.1.3.19 | PATCH | Ensure kernel module loading and unloading is collected" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_19 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.3.19 + +- name: "4.1.3.20 | PATCH | Ensure the audit configuration is immutable" + debug: + msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" + changed_when: true + notify: update auditd + when: + - rhel9cis_rule_4_1_3_20 + tags: + - level2-server + - level2-workstation + - automated + - patch + - auditd + - rule_4.1.20 + +- name: "4.1.3.21 | AUDIT | Ensure the running and on disk configuration is the same" + debug: + msg: + - "Please run augenrules --load if you suspect there is a configuration that is not active" + when: + - rhel9cis_rule_4_1_3_21 + tags: + - level2-server + - level2-workstation + - manual + - patch + - auditd + - rule_4.1.3.21 diff --git a/tasks/section_4/cis_4.1.x.yml b/tasks/section_4/cis_4.1.x.yml deleted file mode 100644 index ba14ec0..0000000 --- a/tasks/section_4/cis_4.1.x.yml +++ /dev/null @@ -1,207 +0,0 @@ ---- - -- name: "4.1.3 | L2 | PATCH | Ensure changes to system administration scope (sudoers) is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_3 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.3 - -- name: "4.1.4 | L2 | PATCH | Ensure login and logout events are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_4 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.4 - -- name: "4.1.5 | L2 | PATCH | Ensure session initiation information is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_5 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.5 - -- name: "4.1.6 | L2 | PATCH | Ensure events that modify date and time information are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_6 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.6 - -- name: "4.1.7 | L2 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_7 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.7 - -- name: "4.1.8 | L2 | PATCH | Ensure events that modify the system's network environment are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_8 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.8 - -- name: "4.1.9 | L2 | PATCH | Ensure discretionary access control permission modification events are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_9 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.9 - -- name: "4.1.10 | L2 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_10 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.10 - -- name: "4.1.11 | L2 | PATCH | Ensure events that modify user/group information are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_11 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.11 - -- name: "4.1.12 | L2 | PATCH | Ensure successful file system mounts are collected" - block: - - name: "4.1.12 | L2 | AUDIT | Ensure successful file system mounts are collected" - shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: priv_procs - - - name: "4.1.12 | L2 | PATCH | Ensure successful file system mounts are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_12 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.12 - -- name: "4.1.13 | L2 | PATCH | Ensure use of privileged commands is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_13 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.13 - -- name: "4.1.14 | L2 | PATCH | Ensure file deletion events by users are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_14 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.14 - -- name: "4.1.15 | L2 | PATCH | Ensure kernel module loading and unloading is collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_15 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.15 - -- name: "4.1.16 | L2 | PATCH | Ensure system administrator actions (sudolog) are collected" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_16 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.16 - -- name: "4.1.17 | L2 | PATCH | Ensure the audit configuration is immutable" - debug: - msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules" - notify: update auditd - when: - - rhel9cis_rule_4_1_17 - tags: - - level2-server - - level2-workstation - - auditd - - patch - - rule_4.1.17 diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml index dd9cdce..7e70a02 100644 --- a/tasks/section_4/cis_4.2.1.x.yml +++ b/tasks/section_4/cis_4.2.1.x.yml @@ -1,6 +1,6 @@ --- -- name: "4.2.1.1 | L1 | PATCH | Ensure rsyslog installed" +- name: "4.2.1.1 | PATCH | Ensure rsyslog installed" package: name: rsyslog state: present @@ -10,55 +10,74 @@ tags: - level1-server - level1-workstation + - automated - patch + - rsyslog - rule_4.2.1.1 -- name: "4.2.1.2 | L1 | PATCH | Ensure rsyslog Service is enabled" +- name: "4.2.1.2 | PATCH | Ensure rsyslog Service is enabled" service: name: rsyslog - enabled: true + enabled: yes when: - rhel9cis_rule_4_2_1_2 tags: - level1-server - level1-workstation + - automated - patch - rsyslog - rule_4.2.1.2 -- name: "4.2.1.3 | L1 | PATCH | Ensure rsyslog default file permissions configured" +# This is counter to control 4.2.2.5?? +- name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog" lineinfile: - dest: /etc/rsyslog.conf + path: /etc/systemd/journald.conf + regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" + line: ForwardToSyslog=yes + when: + - rhel9cis_rule_4_2_1_3 + - rhel9cis_preferred_log_capture == "rsyslog" + tags: + - level1-server + - level1-workstation + - manual + - patch + - rule_4.2.1.3 + +- name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured" + lineinfile: + path: /etc/rsyslog.conf regexp: '^\$FileCreateMode' line: '$FileCreateMode 0640' notify: restart rsyslog when: - - rhel9cis_rule_4_2_1_3 + - rhel9cis_rule_4_2_1_4 tags: - level1-server - level1-workstation + - automated - patch - - rule_4.2.1.3 + - rsyslog + - rule_4.2.1.4 -- name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured" +- name: "4.2.1.5 | PATCH | Ensure logging is configured" block: - - name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out" - shell: cat /etc/rsyslog.conf - args: - warn: false - become: true + - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" + command: cat /etc/rsyslog.conf + become: yes changed_when: false - failed_when: false - check_mode: false - register: rhel_09_4_2_1_4_audit + failed_when: no + check_mode: no + register: rhel_08_4_2_1_5_audit - - name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out" + - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out" debug: msg: - "These are the current logging configurations for rsyslog, please review:" - - "{{ rhel_09_4_2_1_4_audit.stdout_lines }}" + - "{{ rhel_08_4_2_1_5_audit.stdout_lines }}" - - name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | mail.* log setting" + - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting" blockinfile: path: /etc/rsyslog.conf state: present @@ -73,7 +92,7 @@ notify: restart rsyslog when: rhel9cis_rsyslog_ansiblemanaged - - name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | news.crit log setting" + - name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting" blockinfile: path: /etc/rsyslog.conf state: present @@ -86,7 +105,7 @@ notify: restart rsyslog when: rhel9cis_rsyslog_ansiblemanaged - - name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | Misc. log setting" + - name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting" blockinfile: path: /etc/rsyslog.conf state: present @@ -100,13 +119,13 @@ notify: restart rsyslog when: rhel9cis_rsyslog_ansiblemanaged - - name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured | Local log settings" + - name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings" blockinfile: path: /etc/rsyslog.conf state: present marker: "#{mark} LOCAL LOG SETTINGS (ANSIBLE MANAGED)" block: | - # local log settings + # local log settings to meet CIS standards local0,local1.* -/var/log/localmessages local2,local3.* -/var/log/localmessages local4,local5.* -/var/log/localmessages @@ -114,16 +133,39 @@ *.emrg :omusrmsg:* insertafter: '#### RULES ####' notify: restart rsyslog + + - name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings" + blockinfile: + path: /etc/rsyslog.conf + state: present + marker: "#{mark} Auth SETTINGS (ANSIBLE MANAGED)" + block: | + # Private settings to meet CIS standards + auth,authpriv.* /var/log/secure + insertafter: '#### RULES ####' + notify: restart rsyslog + + - name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings" + blockinfile: + path: /etc/rsyslog.conf + state: present + marker: "#{mark} Cron SETTINGS (ANSIBLE MANAGED)" + block: | + # Cron settings to meet CIS standards + cron.* /var/log/cron + insertafter: '#### RULES ####' + notify: restart rsyslog when: - - rhel9cis_rule_4_2_1_4 + - rhel9cis_rule_4_2_1_5 tags: - level1-server - level1-workstation + - manual - patch - rsyslog - - rule_4.2.1.4 + - rule_4.2.1.5 -- name: "4.2.1.5 | L1 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" +- name: "4.2.1.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host" blockinfile: path: /etc/rsyslog.conf state: present @@ -137,18 +179,19 @@ - result.rc != 257 notify: restart rsyslog when: - - rhel9cis_rule_4_2_1_5 + - rhel9cis_rule_4_2_1_6 - rhel9cis_remote_log_server is defined tags: - level1-server - level1-workstation + - manual - patch - - rule_4.2.1.5 - rsyslog + - rule_4.2.1.6 -- name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts." +- name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client" block: - - name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | When not log host" + - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client. | When not log host" replace: path: /etc/rsyslog.conf regexp: '({{ item }})' @@ -157,9 +200,11 @@ with_items: - '^(\$ModLoad imtcp)' - '^(\$InputTCPServerRun)' + - '^(module\(load="imtcp"\))' + - '^(input\(type="imtcp")' when: not rhel9cis_system_is_log_server - - name: "4.2.1.6 | L1 | PATCH | Ensure remote rsyslog messages are only accepted on designated log hosts. | When log host" + - name: "4.2.1.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote clients. | When log host" replace: path: /etc/rsyslog.conf regexp: '^#(.*{{ item }}.*)' @@ -168,12 +213,15 @@ with_items: - 'ModLoad imtcp' - 'InputTCPServerRun' + - 'module\(load="imtcp"\)' + - 'input\(type="imtcp"' when: rhel9cis_system_is_log_server when: - - rhel9cis_rule_4_2_1_6 + - rhel9cis_rule_4_2_1_7 tags: - level1-server - level1-workstation + - automated - patch - - rule_4.2.1.6 - rsyslog + - rule_4.2.1.7 diff --git a/tasks/section_4/cis_4.2.2.x.yml b/tasks/section_4/cis_4.2.2.x.yml index 1c87ed4..8523066 100644 --- a/tasks/section_4/cis_4.2.2.x.yml +++ b/tasks/section_4/cis_4.2.2.x.yml @@ -1,43 +1,204 @@ --- -- name: "4.2.2.1 | L1 | PATCH | Ensure journald is configured to send logs to rsyslog" - lineinfile: - dest: /etc/systemd/journald.conf - regexp: "^#ForwardToSyslog=|^ForwardToSyslog=" - line: ForwardToSyslog=yes +- name: "4.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed" + package: + name: systemd-journal-remote state: present when: - - rhel9cis_rule_4_2_2_1 + - rhel9cis_rule_4_2_2_1_1 tags: - level1-server - level1-workstation + - manual - patch - - rule_4.2.2.1 + - journald + - rule_4.2.2.1.1 -- name: "4.2.2.2 | L1 | PATCH | Ensure journald is configured to compress large log files" +- name: "4.2.2.1.2 | PATCH | Ensure systemd-journal-remote is configured" lineinfile: - dest: /etc/systemd/journald.conf - regexp: "^#Compress=|^Compress=" - line: Compress=yes - state: present + path: /etc/systemd/journal-upload.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: restart systemd_journal_upload + with_items: + - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'} + - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'} + - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'} + - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'} + when: + - rhel9cis_rule_4_2_2_1_2 + tags: + - level1-server + - level1-workstation + - manual + - patch + - journald + - rule_4.2.2.1.2 + +- name: "4.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled" + systemd: + name: systemd-journal-upload + state: started + enabled: yes + when: + - rhel9cis_rule_4_2_2_1_3 + tags: + - level1-server + - level1-workstation + - manual + - patch + - journald + - rule_4.2.2.1.3 + +- name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" + systemd: + name: systemd-journal-remote + state: stopped + enabled: no + masked: yes + when: + - rhel9cis_rule_4_2_2_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - journald + - rule_4.2.2.1.4 + +- name: "4.2.2.2 | PATCH | Ensure journald service is enabled" + block: + - name: "4.2.2.2 | PATCH | Ensure journald service is enabled | Enable service" + systemd: + name: systemd-journald + state: started + enabled: yes + + - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status" + shell: systemctl is-enabled systemd-journald.service + changed_when: false + failed_when: false + register: rhel9cis_4_2_2_2_status + + - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" + debug: + msg: + - "ALERT! The status of systemd-journald should be static and it is not. Please investigate" + when: "'static' not in rhel9cis_4_2_2_2_status.stdout" when: - rhel9cis_rule_4_2_2_2 tags: - level1-server - level1-workstation - - patch + - automated + - audit + - journald - rule_4.2.2.2 -- name: "4.2.2.3 | L1 | PATCH | Ensure journald is configured to write logfiles to persistent disk" +- name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files" lineinfile: - dest: /etc/systemd/journald.conf - regexp: "^#Storage=|^Storage=" - line: Storage=persistent - state: present + path: /etc/systemd/journald.conf + regexp: "^#Compress=|^Compress=" + line: Compress=yes when: - rhel9cis_rule_4_2_2_3 tags: - level1-server - level1-workstation + - automated - patch + - journald - rule_4.2.2.3 + +- name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk" + lineinfile: + path: /etc/systemd/journald.conf + regexp: "^#Storage=|^Storage=" + line: Storage=persistent + when: + - rhel9cis_rule_4_2_2_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - journald + - rule_4.2.2.4 + +# This is counter to control 4.2.1.3?? +- name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog" + lineinfile: + path: /etc/systemd/journald.conf + regexp: "^ForwardToSyslog=" + line: "#ForwardToSyslog=yes" + notify: restart systemd_journal_upload + when: + - rhel9cis_rule_4_2_2_5 + - rhel9cis_preferred_log_capture == "journald" + tags: + - level1-server + - level2-workstation + - manual + - patch + - journald + - rule_4.2.2.5 + +- name: "4.2.2.6 | PATCH | Ensure journald log rotation is configured per site policy" + lineinfile: + path: /etc/systemd/journald.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" + notify: restart journald + with_items: + - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'} + - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' } + - { regexp: '^#RuntimeMaxUse=|^RuntimeMaxUse=', line: 'RuntimeMaxUse={{ rhel9cis_journald_runtimemaxuse }}'} + - { regexp: '^#RuntimeKeepFree=|^RuntimeKeepFree=', line: 'RuntimeKeepFree={{ rhel9cis_journald_runtimekeepfree }}'} + - { regexp: '^#MaxFileSec=|^MaxFileSec=', line: 'MaxFileSec={{ rhel9cis_journald_maxfilesec }}'} + when: + - rhel9cis_rule_4_2_2_6 + tags: + - level1-server + - level1-workstation + - manual + - patch + - journald + - rule_4.2.2.6 + +- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured" + block: + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Check for override file" + find: + paths: /etc/tmpfiles.d + patterns: systemd.conf + register: rhel9cis_4_2_2_7_override_status + + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get override file settings" + shell: cat /etc/tmpfiles.d/systemd.conf + changed_when: false + failed_when: false + register: rhel9cis_4_2_2_7_override_settings + when: rhel9cis_4_2_2_7_override_status.matched >= 1 + + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get non-override file settings" + shell: cat /usr/lib/tmpfiles.d/systemd.conf + changed_when: false + failed_when: false + register: rhel9cis_4_2_2_7_notoverride_settings + when: rhel9cis_4_2_2_7_override_status.matched == 0 + + - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings" + debug: + msg: + - "Alert! Below are the current default settings for journald, please confirm they align with your site policies" + # - "{{ rhel9cis_4_2_2_7_override_settings.stdout_lines }}" + - "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines, rhel9cis_4_2_2_7_notoverride_settings.stdout_lines) }}" + when: + - rhel9cis_rule_4_2_2_7 + tags: + - level1-server + - level1-workstation + - manual + - patch + - journald + - rule_4.2.2.7 diff --git a/tasks/section_4/cis_4.2.3.yml b/tasks/section_4/cis_4.2.3.yml index bd13030..a1b3bb7 100644 --- a/tasks/section_4/cis_4.2.3.yml +++ b/tasks/section_4/cis_4.2.3.yml @@ -1,9 +1,7 @@ --- -- name: "4.2.3 | L1 | PATCH | Ensure permissions on all logfiles are configured" - shell: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + - args: - warn: false +- name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured" + command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" + changed_when: false failed_when: false when: @@ -11,5 +9,7 @@ tags: - level1-server - level1-workstation + - automated - patch + - logfiles - rule_4.2.3 diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml index 7e7fafb..2ba5f1f 100644 --- a/tasks/section_4/cis_4.3.yml +++ b/tasks/section_4/cis_4.3.yml @@ -1,13 +1,42 @@ --- -- name: "4.3 | L1 | PATCH | Ensure logrotate is configured" +- name: "4.3.1 | PATCH | Ensure logrotate is installed" + package: + name: rsyslog-logrotate + state: present + when: + - rhel9cis_rule_4_3_1 + tags: + - level1-server + - level1-workstation + - manual + - patch + - logrotate + - rule_4.3.1 + +- name: "4.3.2 | PATCH | Ensure logrotate is running and enabled" + systemd: + name: logrotate + state: started + enabled: true + when: + - rhel9cis_rule_4_3_2 + tags: + - level1-server + - level1-workstation + - manual + - patch + - logrotate + - rule_4.3.2 + +- name: "4.3.3 | PATCH | Ensure logrotate is configured" block: - - name: "4.3 | L1 | AUDIT | Ensure logrotate is configured | Get logrotate settings" + - name: "4.3.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings" find: paths: /etc/logrotate.d/ register: log_rotates - - name: "4.3 | L1 | PATCH | Ensure logrotate is configured" + - name: "4.3.3 | PATCH | Ensure logrotate is configured" replace: path: "{{ item.path }}" regexp: '^(\s*)(daily|weekly|monthly|yearly)$' @@ -15,11 +44,14 @@ with_items: - "{{ log_rotates.files }}" - { path: "/etc/logrotate.conf" } + loop_control: + label: "{{ item.path }}" when: - - rhel9cis_rule_4_3 - - "'logrotate' in ansible_facts.packages" + - rhel9cis_rule_4_3_3 tags: - level1-server - level1-workstation + - manual - patch - - rule_4.3 + - logrotate + - rule_4.3.3 diff --git a/tasks/section_4/main.yml b/tasks/section_4/main.yml index 8e84241..d28e3ce 100644 --- a/tasks/section_4/main.yml +++ b/tasks/section_4/main.yml @@ -1,21 +1,21 @@ --- -- name: "SECTION | 4.1| Configure System Accounting (auditd)" +- name: "SECTION | 4.1 | Configure System Accounting (auditd)" include_tasks: cis_4.1.1.x.yml when: - not system_is_container -- name: "SECTION | 4.1.2.x| Configure Data Retention" +- name: "SECTION | 4.1.2 | Configure Data Retention" import_tasks: cis_4.1.2.x.yml -- name: "SECTION | 4.1.x| Auditd rules" - import_tasks: cis_4.1.x.yml +- name: "SECTION | 4.1.3 | Configure Auditd rules" + import_tasks: cis_4.1.3.x.yml -- name: "SECTION | 4.2.x| Configure Logging" +- name: "SECTION | 4.2 | Configure Logging" import_tasks: cis_4.2.1.x.yml when: rhel9cis_syslog == 'rsyslog' -- name: "SECTION | 4.2.2.x| Configure journald" +- name: "SECTION | 4.2.2 Configure journald" import_tasks: cis_4.2.2.x.yml - name: "SECTION | 4.2.3 | Configure logile perms" diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index dffbeaf..734b434 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -1,18 +1,20 @@ --- -- name: "5.1.1 | L1 | PATCH | Ensure cron daemon is enabled" +- name: "5.1.1 | PATCH | Ensure cron daemon is enabled" service: name: crond - enabled: true + enabled: yes when: - rhel9cis_rule_5_1_1 tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.1 -- name: "5.1.2 | L1 | PATCH | Ensure permissions on /etc/crontab are configured" +- name: "5.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" file: dest: /etc/crontab owner: root @@ -23,10 +25,12 @@ tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.2 -- name: "5.1.3 | L1 | PATCH | Ensure permissions on /etc/cron.hourly are configured" +- name: "5.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" file: dest: /etc/cron.hourly state: directory @@ -38,10 +42,12 @@ tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.3 -- name: "5.1.4 | L1 | PATCH | Ensure permissions on /etc/cron.daily are configured" +- name: "5.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" file: dest: /etc/cron.daily state: directory @@ -53,10 +59,12 @@ tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.4 -- name: "5.1.5 | L1 | PATCH | Ensure permissions on /etc/cron.weekly are configured" +- name: "5.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" file: dest: /etc/cron.weekly state: directory @@ -71,7 +79,7 @@ - patch - rule_5.1.5 -- name: "5.1.6 | L1 | PATCH | Ensure permissions on /etc/cron.monthly are configured" +- name: "5.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" file: dest: /etc/cron.monthly state: directory @@ -83,10 +91,11 @@ tags: - level1-server - level1-workstation + - automated - patch - rule_5.1.6 -- name: "5.1.7 | L1 | PATCH | Ensure permissions on /etc/cron.d are configured" +- name: "5.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" file: dest: /etc/cron.d state: directory @@ -98,43 +107,27 @@ tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.7 -- name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users" +- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users" block: - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove at.deny" - file: - dest: /etc/at.deny - state: absent - - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if at.allow exists" - stat: - path: "/etc/at.allow" - register: p - - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure at.allow is restricted to authorized users" - file: - dest: /etc/at.allow - state: '{{ "file" if p.stat.exists else "touch" }}' - owner: root - group: root - mode: 0600 - - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Remove cron.deny" + - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" file: dest: /etc/cron.deny state: absent - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Check if cron.allow exists" + - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists" stat: path: "/etc/cron.allow" - register: p + register: rhel9cis_5_1_8_cron_allow_state - - name: "5.1.8 | L1 | PATCH | Ensure at/cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" + - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" file: dest: /etc/cron.allow - state: '{{ "file" if p.stat.exists else "touch" }}' + state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root group: root mode: 0600 @@ -143,5 +136,36 @@ tags: - level1-server - level1-workstation + - automated - patch + - cron - rule_5.1.8 + +- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users" + block: + - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" + file: + dest: /etc/at.deny + state: absent + + - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" + stat: + path: "/etc/at.allow" + register: rhel9cis_5_1_9_at_allow_state + + - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" + file: + dest: /etc/at.allow + state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}' + owner: root + group: root + mode: 0600 + when: + - rhel9cis_rule_5_1_9 + tags: + - level1-server + - level1-workstation + - automated + - patch + - cron + - rule_5.1.9 diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 0629cc7..7234da6 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -1,6 +1,6 @@ --- -- name: "5.2.1 | L1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured" +- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" file: dest: /etc/ssh/sshd_config state: file @@ -12,259 +12,282 @@ tags: - level1-server - level1-workstation + - automated - patch + - ssh + - permissions - rule_5.2.1 -- name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited" +- name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured" block: - - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^AllowUsers" - line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} - notify: restart sshd - when: "rhel9cis_sshd['allowusers']|default('') | length > 0" - - - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^AllowGroups" - line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} - notify: restart sshd - when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" - - - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^DenyUsers" - line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} - notify: restart sshd - when: "rhel9cis_sshd['denyusers']|default('') | length > 0" - - - name: "5.2.2 | L1 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^DenyGroups" - line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} - notify: restart sshd - when: "rhel9cis_sshd['denygroups']|default('') | length > 0" - when: - - rhel9cis_rule_5_2_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.2.2 - -- name: "5.2.3 | L1 | PATCH | Ensure permissions on SSH private host key files are configured" - block: - - name: "5.2.3 | L1 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys" + - name: "5.2.2 | AUDIT | Ensure permissions on SSH private host key files are configured | Find the SSH private host keys" find: paths: /etc/ssh patterns: 'ssh_host_*_key' recurse: true file_type: any - register: rhel9cis_5_2_3_ssh_private_host_key + register: rhel9cis_5_2_2_ssh_private_host_key - - name: "5.2.3 | L1 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys" + - name: "5.2.2 | PATCH | Ensure permissions on SSH private host key files are configured | Set permissions on SSH private host keys" file: path: "{{ item.path }}" owner: root group: root mode: 0600 with_items: - - "{{ rhel9cis_5_2_3_ssh_private_host_key.files }}" + - "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}" + loop_control: + label: "{{ item.path }}" when: - - rhel9cis_rule_5_2_3 + - rhel9cis_rule_5_2_2 tags: - level1-server - level1-workstation + - automated - patch - - rule_5.2.3 + - ssh + - permissions + - rule_5.2.2 -- name: "5.2.4 | L1 | PATCH | Ensure permissions on SSH public host key files are configured" +- name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured" block: - - name: "5.2.4 | L1 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys" + - name: "5.2.3 | AUDIT | Ensure permissions on SSH public host key files are configured | Find the SSH public host keys" find: paths: /etc/ssh patterns: 'ssh_host_*_key.pub' recurse: true file_type: any - register: rhel9cis_5_2_4_ssh_public_host_key + register: rhel9cis_5_2_3_ssh_public_host_key - - name: "5.2.4 | L1 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys" + - name: "5.2.3 | PATCH | Ensure permissions on SSH public host key files are configured | Set permissions on SSH public host keys" file: path: "{{ item.path }}" owner: root group: root mode: 0644 with_items: - - "{{ rhel9cis_5_2_4_ssh_public_host_key.files }}" + - "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}" + loop_control: + label: "{{ item.path }}" + when: + - rhel9cis_rule_5_2_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - ssh + - rule_5.2.3 + +- name: "5.2.4 | PATCH | Ensure SSH access is limited" + block: + - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" + lineinfile: + path: /etc/ssh/sshd_config + regexp: "^AllowUsers" + line: AllowUsers {{ rhel9cis_sshd['allowusers'] }} + validate: sshd -t -f %s + notify: restart sshd + when: "rhel9cis_sshd['allowusers']|default('') | length > 0" + + - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" + lineinfile: + path: /etc/ssh/sshd_config + regexp: "^AllowGroups" + line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }} + validate: sshd -t -f %s + notify: restart sshd + when: "rhel9cis_sshd['allowgroups']|default('') | length > 0" + + - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" + lineinfile: + path: /etc/ssh/sshd_config + regexp: "^DenyUsers" + line: DenyUsers {{ rhel9cis_sshd['denyusers'] }} + validate: sshd -t -f %s + notify: restart sshd + when: "rhel9cis_sshd['denyusers']|default('') | length > 0" + + - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" + lineinfile: + path: /etc/ssh/sshd_config + regexp: "^DenyGroups" + line: DenyGroups {{ rhel9cis_sshd['denygroups'] }} + validate: sshd -t -f %s + notify: restart sshd + when: "rhel9cis_sshd['denygroups']|default('') | length > 0" when: - rhel9cis_rule_5_2_4 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.4 -- name: "5.2.5 | L1 | PATCH | Ensure SSH LogLevel is appropriate" +- name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: "^#LogLevel|^LogLevel" line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_5 tags: - level1-server - level1-workstation + - automated - patch + - sshs - rule_5.2.5 -- name: "5.2.6 | L2 | PATCH | Ensure SSH X11 forwarding is disabled" +- name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#X11Forwarding|^X11Forwarding" - line: 'X11Forwarding no' + path: /etc/ssh/sshd_config + regexp: "^#UsePAM|^UsePAM" + line: 'UsePAM yes' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_6 tags: - - level2-server + - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.6 -- name: "5.2.7 | L1 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" +- name: "5.2.7 | PATCH | Ensure SSH root login is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^(#)?MaxAuthTries \d' - line: 'MaxAuthTries 4' + path: /etc/ssh/sshd_config + regexp: "^#PermitRootLogin|^PermitRootLogin" + line: 'PermitRootLogin no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_7 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.7 -- name: "5.2.8 | L1 | PATCH | Ensure SSH IgnoreRhosts is enabled" +- name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#IgnoreRhosts|^IgnoreRhosts" - line: 'IgnoreRhosts yes' + path: /etc/ssh/sshd_config + regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" + line: 'HostbasedAuthentication no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_8 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.8 -- name: "5.2.9 | L1 | PATCH | Ensure SSH HostbasedAuthentication is disabled" +- name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: ^#HostbasedAuthentication|^HostbasedAuthentication" - line: 'HostbasedAuthentication no' + path: /etc/ssh/sshd_config + regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" + line: 'PermitEmptyPasswords no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_9 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.9 -- name: "5.2.10 | L1 | PATCH | Ensure SSH root login is disabled" +- name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#PermitRootLogin|^PermitRootLogin" - line: 'PermitRootLogin no' + path: /etc/ssh/sshd_config + regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" + line: 'PermitUserEnvironment no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_10 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.10 -- name: "5.2.11 | L1 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" +- name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" - line: 'PermitEmptyPasswords no' + path: /etc/ssh/sshd_config + regexp: "^#IgnoreRhosts|^IgnoreRhosts" + line: 'IgnoreRhosts yes' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_11 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.11 -- name: "5.2.12 | L1 | PATCH | Ensure SSH PermitUserEnvironment is disabled" +- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" - line: 'PermitUserEnvironment no' + path: /etc/ssh/sshd_config + regexp: "^#X11Forwarding|^X11Forwarding" + line: 'X11Forwarding no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_12 tags: - - level1-server + - level2-server - level1-workstation + - automated - patch + - ssh - rule_5.2.12 -- name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured" - block: - - name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^ClientAliveInterval' - line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" - - - name: "5.2.13 | L1 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: '^ClientAliveCountMax' - line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" +- name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled" + lineinfile: + path: /etc/ssh/sshd_config + regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" + line: 'AllowTcpForwarding no' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_13 tags: - - level1-server - - level1-workstation + - level2-server + - level2-workstation + - automated - patch + - ssh - rule_5.2.13 -- name: "5.2.14 | L1 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" - lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#LoginGraceTime|^LoginGraceTime" - line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" +- name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden" + shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd + args: + warn: no + notify: restart sshd when: - rhel9cis_rule_5_2_14 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.14 -- name: "5.2.15 | L1 | PATCH | Ensure SSH warning banner is configured" +- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" lineinfile: - state: present - dest: /etc/ssh/sshd_config + path: /etc/ssh/sshd_config regexp: '^Banner' line: 'Banner /etc/issue.net' when: @@ -272,74 +295,96 @@ tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.15 -- name: "5.2.16 | L1 | PATCH | Ensure SSH PAM is enabled" +- name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#UsePAM|^UsePAM" - line: 'UsePAM yes' + path: /etc/ssh/sshd_config + regexp: '^(#)?MaxAuthTries \d' + line: 'MaxAuthTries 4' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_16 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.16 -- name: "5.2.17 | L2 | PATCH | Ensure SSH AllowTcpForwarding is disabled" +- name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured" lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" - line: 'AllowTcpForwarding no' + path: /etc/ssh/sshd_config + regexp: "^#MaxStartups|^MaxStartups" + line: 'MaxStartups 10:30:60' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_17 tags: - - level2-server - - level2-workstation + - level1-server + - level1-workstation + - automated - patch + - ssh - rule_5.2.17 -- name: "5.2.18 | L1 | PATCH | Ensure SSH MaxStartups is configured" +- name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#MaxStartups|^MaxStartups" - line: 'MaxStartups 10:30:60' + path: /etc/ssh/sshd_config + regexp: "^#MaxSessions|^MaxSessions" + line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_18 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.18 -- name: "5.2.19 | L1 | PATCH | Ensure SSH MaxSessions is set to 4 or less" +- name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" lineinfile: - state: present - dest: /etc/ssh/sshd_config - regexp: "^#MaxSessions|^MaxSessions" - line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' + path: /etc/ssh/sshd_config + regexp: "^#LoginGraceTime|^LoginGraceTime" + line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_19 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.19 -- name: "5.2.20 | L1 | PATCH | Ensure system-wide crypto policy is not over-ridden" - shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd - args: - warn: false - notify: restart sshd +- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured" + block: + - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^ClientAliveInterval' + line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" + validate: sshd -t -f %s + + - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" + lineinfile: + path: /etc/ssh/sshd_config + regexp: '^ClientAliveCountMax' + line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" + validate: sshd -t -f %s when: - rhel9cis_rule_5_2_20 tags: - level1-server - level1-workstation + - automated - patch + - ssh - rule_5.2.20 diff --git a/tasks/section_5/cis_5.3.x.yml b/tasks/section_5/cis_5.3.x.yml index 2762302..f9dad14 100644 --- a/tasks/section_5/cis_5.3.x.yml +++ b/tasks/section_5/cis_5.3.x.yml @@ -1,94 +1,139 @@ --- -- name: "5.3.1 | L1 | PATCH | Create custom authselect profile" - block: - - name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Gather profiles" - shell: 'authselect current | grep "Profile ID: custom/"' - args: - warn: false - failed_when: false - changed_when: false - check_mode: false - register: rhel9cis_5_3_1_profiles - - - name: "5.3.1 | L1 | AUDIT | Create custom authselect profile | Show profiles" - debug: - msg: - - "Below are the current custom profiles" - - "{{ rhel9cis_5_3_1_profiles.stdout_lines }}" - - - name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Create custom profiles" - shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} - args: - warn: false - when: rhel9cis_authselect_custom_profile_create +- name: "5.3.1 | PATCH | Ensure sudo is installed" + package: + name: sudo + state: present when: - rhel9cis_rule_5_3_1 tags: - level1-server - level1-workstation + - automated - patch - - authselect + - sudo - rule_5.3.1 -- name: "5.3.2 | L1 | PATCH | Select authselect profile" - block: - - name: "5.3.2 | L1 | AUDIT | Select authselect profile | Gather profiles and enabled features" - shell: "authselect current" - args: - warn: false - failed_when: false - changed_when: false - check_mode: false - register: rhel9cis_5_3_2_profiles - - - name: "5.3.2 | L1 | AUDIT | Select authselect profile | Show profiles" - debug: - msg: - - "Below are the current custom profiles" - - "{{ rhel9cis_5_3_2_profiles.stdout_lines }}" - - - name: "5.3.2 | L1 | PATCH | Select authselect profile | Create custom profiles" - shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}" - args: - warn: false - when: rhel9cis_authselect_custom_profile_select +- name: "5.3.2 | PATCH | Ensure sudo commands use pty" + lineinfile: + path: /etc/sudoers + line: "Defaults use_pty" + validate: '/usr/sbin/visudo -cf %s' when: - rhel9cis_rule_5_3_2 tags: - level1-server - level1-workstation + - automated - patch - - authselect + - sudo - rule_5.3.2 -- name: "5.3.3 | L1 | PATCH | Ensure authselect includes with-faillock" - block: - - name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" - shell: "authselect current | grep with-faillock" - args: - warn: false - failed_when: false - changed_when: false - check_mode: false - register: rhel9cis_5_3_3_profiles_faillock - - - name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock| Show profiles" - debug: - msg: - - "Below are the current custom profiles" - - "{{ rhel9cis_5_3_3_profiles_faillock.stdout_lines }}" - - - name: "5.3.3 | L1 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" - shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" - args: - warn: false - when: rhel9cis_authselect_custom_profile_select +- name: "5.3.3 | PATCH | Ensure sudo log file exists" + lineinfile: + path: /etc/sudoers + regexp: '^Defaults logfile=' + line: 'Defaults logfile="{{ rhel9cis_sudolog_location }}"' + validate: '/usr/sbin/visudo -cf %s' when: - rhel9cis_rule_5_3_3 tags: - level1-server - level1-workstation + - automated - patch - - authselect + - sudo - rule_5.3.3 + +- name: "5.3.4 | PATCH | Ensure users must provide password for escalation" + replace: + path: "{{ item }}" + regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)' + replace: '\1PASSWD\2' + validate: '/usr/sbin/visudo -cf %s' + with_items: + - "{{ rhel9cis_sudoers_files.stdout_lines }}" + when: + - rhel9cis_rule_5_3_4 + tags: + - level2-server + - level2-workstation + - automated + - patch + - sudo + - rule_5.3.4 + +- name: "5.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally" + replace: + path: "{{ item }}" + regexp: '^([^#].*)!authenticate(.*)' + replace: '\1authenticate\2' + validate: '/usr/sbin/visudo -cf %s' + with_items: + - "{{ rhel9cis_sudoers_files.stdout_lines }}" + when: + - rhel9cis_rule_5_3_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - sudo + - rule_5.3.5 + +- name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly" + block: + - name: "5.3.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set" + shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort + changed_when: false + failed_when: false + register: rhel9cis_5_3_6_timeout_files + + - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results" + lineinfile: + path: /etc/sudoers + regexp: 'Defaults timestamp_timeout=' + line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" + validate: '/usr/sbin/visudo -cf %s' + when: rhel9cis_5_3_6_timeout_files.stdout | length == 0 + + - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results" + replace: + path: "{{ item }}" + regexp: 'timestamp_timeout=(\d+)' + replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}" + validate: '/usr/sbin/visudo -cf %s' + with_items: + - "{{ rhel9cis_5_3_6_timeout_files.stdout_lines }}" + when: rhel9cis_5_3_6_timeout_files.stdout | length > 0 + when: + - rhel9cis_rule_5_3_6 + tags: + - level1-server + - level1-workstation + - automated + - patch + - sudo + - rule_5.3.6 + +- name: "5.3.7 | PATCH | Ensure access to the su command is restricted" + block: + - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" + lineinfile: + path: /etc/pam.d/su + regexp: '^(#)?auth\s+required\s+pam_wheel\.so' + line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}' + + - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root" + user: + name: "{{ rhel9cis_sugroup_users }}" + groups: "{{ rhel9cis_sugroup | default('wheel') }}" + when: + - rhel9cis_rule_5_3_7 + tags: + - level1-server + - level1-workstation + - automated + - patch + - sudo + - rule_5.3.7 diff --git a/tasks/section_5/cis_5.4.x.yml b/tasks/section_5/cis_5.4.x.yml index 05ccefb..501af41 100644 --- a/tasks/section_5/cis_5.4.x.yml +++ b/tasks/section_5/cis_5.4.x.yml @@ -1,131 +1,61 @@ --- -- name: | - "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured - 5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured - 5.4.3 | L1 | PATCH | Ensure password reuse is limited - 5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512" +- name: "5.4.1 | PATCH | Ensure custom authselect profile is used" block: - - name: "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" - lineinfile: - state: present - dest: /etc/security/pwquality.conf - regexp: ^{{ item.name }} - line: "{{ item.name }} = {{ item.value }}" - with_items: - - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" } - - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } - when: rhel9cis_rule_5_4_1 + - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Gather profiles" + shell: 'authselect current | grep "Profile ID: custom/"' + failed_when: false + changed_when: false + check_mode: no + register: rhel9cis_5_4_1_profiles - - name: | - "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings - 5.4.3| L1 | PATCH | Ensure password reuse is limited | Set system-auth remember settings" - lineinfile: - dest: /etc/pam.d/system-auth - state: present - regexp: '^password requisite pam_pwquality.so' - line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" - insertbefore: '^#?password ?' - when: - - rhel9cis_rule_5_4_1 or - rhel9cis_rule_5_4_3 + - name: "5.4.1 | AUDIT | Ensure custom authselect profile is used | Show profiles" + debug: + msg: + - "Below are the current custom profiles" + - "{{ rhel9cis_5_4_1_profiles.stdout_lines }}" - - name: "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" - lineinfile: - dest: /etc/pam.d/password-auth - state: present - regexp: '^password requisite pam_pwquality.so' - line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" - insertbefore: '^#?password ?' - when: rhel9cis_rule_5_4_1 - - - name: "5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock time for preauth" - lineinfile: - dest: /etc/pam.d/{{ item }} - state: present - regexp: '^auth required pam_faillock.so preauth' - line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" - insertafter: '^#?auth ?' - with_items: - - "system-auth" - - "password-auth" - when: rhel9cis_rule_5_4_2 - - - name: "5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured | Add deny count and unlock times for authfail" - lineinfile: - dest: /etc/pam.d/{{ item }} - state: present - regexp: '^auth required pam_faillock.so authfail' - line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" - insertafter: '^#?auth ?' - with_items: - - "system-auth" - - "password-auth" - when: rhel9cis_rule_5_4_2 - - - name: | - "5.4.3 | L1 | PATCH | Ensure password reuse is limited | Set system-auth remember remember settings - 5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512 | Set system-auth pwhash settings" - lineinfile: - dest: /etc/pam.d/system-auth - state: present - regexp: '^password sufficient pam_unix.so' - line: "password sufficient pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}" - insertafter: '^#?password ?' - when: - - rhel9cis_rule_5_4_3 or - rhel9cis_rule_5_4_4 - - - name: "5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512 | Set system-auth pwhash settings" - lineinfile: - dest: /etc/pam.d/password-auth - state: present - regexp: '^password sufficient pam_unix.so' - line: "password sufficient pam_unix.so {{ rhel9cis_pam_faillock.pwhash }} shadow try_first_pass use_authtok" - insertafter: '^#?password ?' - when: rhel9cis_rule_5_4_4 - - # The two steps below were added to keep authconfig from overwritting the above configs. This follows steps from here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-hardening_your_system_with_tools_and_services - # With the steps below you will score five (5) points lower due to false positive results - - name: | - "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured - 5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured - 5.4.3 | L1 | PATCH | Ensure password reuse is limited - 5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512" - copy: - src: /etc/pam.d/{{ item }} - dest: /etc/pam.d/{{ item }}-local - remote_src: true - owner: root - group: root - mode: '0644' - with_items: - - "system-auth" - - "password-auth" - - - name: | - "5.4.1 | L1 | PATCH | Ensure password creation requirements are configured - 5.4.2 | L1 | PATCH | Ensure lockout for failed password attempts is configured - 5.4.3 | L1 | PATCH | Ensure password reuse is limited - 5.4.4 | L1 | PATCH | Ensure password hashing algorithm is SHA-512" - file: - src: /etc/pam.d/{{ item }}-local - dest: /etc/pam.d/{{ item }} - state: link - force: true - with_items: - - "system-auth" - - "password-auth" + - name: "5.4.1 | PATCH | Ensure custom authselect profile is used | Create custom profiles" + shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }} + args: + warn: no + when: rhel9cis_authselect_custom_profile_create when: - - rhel9cis_rule_5_4_1 or - rhel9cis_rule_5_4_2 or - rhel9cis_rule_5_4_3 or - rhel9cis_rule_5_4_4 + - rhel9cis_rule_5_4_1 tags: - level1-server - level1-workstation + - manual - patch + - authselect - rule_5.4.1 + +- name: "5.4.2 | PATCH | Ensure authselect includes with-faillock" + block: + - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features" + shell: "authselect current | grep with-faillock" + failed_when: false + changed_when: false + check_mode: no + register: rhel9cis_5_4_2_profiles_faillock + + - name: "5.4.2 | AUDIT | Ensure authselect includes with-faillock| Show profiles" + debug: + msg: + - "Below are the current custom profiles" + - "{{ rhel9cis_5_4_2_profiles_faillock.stdout_lines }}" + + - name: "5.4.2 | PATCH | Ensure authselect includes with-faillock | Create custom profiles" + shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock" + args: + warn: no + when: rhel9cis_authselect_custom_profile_select + when: + - rhel9cis_rule_5_4_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - authselect - rule_5.4.2 - - rule_5.4.3 - - rule_5.4.4 diff --git a/tasks/section_5/cis_5.5.1.x.yml b/tasks/section_5/cis_5.5.1.x.yml deleted file mode 100644 index c7486e1..0000000 --- a/tasks/section_5/cis_5.5.1.x.yml +++ /dev/null @@ -1,131 +0,0 @@ ---- - -- name: "5.5.1.1 | L1 | PATCH | Ensure password expiration is 365 days or less" - lineinfile: - state: present - dest: /etc/login.defs - regexp: '^PASS_MAX_DAYS' - line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" - when: - - rhel9cis_rule_5_5_1_1 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.1 - -- name: "5.5.1.2 | L1 | PATCH | Ensure minimum days between password changes is 7 or more" - lineinfile: - state: present - dest: /etc/login.defs - regexp: '^PASS_MIN_DAYS' - line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" - when: - - rhel9cis_rule_5_5_1_2 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.2 - -- name: "5.5.1.3 | L1 | PATCH | Ensure password expiration warning days is 7 or more" - lineinfile: - state: present - dest: /etc/login.defs - regexp: '^PASS_WARN_AGE' - line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" - when: - - rhel9cis_rule_5_5_1_3 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.3 - -- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less" - block: - - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings" - shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_5_5_1_4_inactive_settings - - - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" - shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} - args: - warn: false - when: rhel9cis_5_5_1_4_inactive_settings.stdout | length == 0 - - - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1' - args: - warn: false - check_mode: false - register: rhel_09_5_5_1_4_audit - changed_when: false - - - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" - args: - warn: false - with_items: - - "{{ rhel_09_5_5_1_4_audit.stdout_lines }}" - when: - - rhel9cis_rule_5_5_1_4 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.4 - -- name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past" - block: - - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" - shell: echo $(($(date --utc --date "$1" +%s)/86400)) - args: - warn: false - failed_when: false - changed_when: false - check_mode: false - register: rhel9cis_5_5_1_5_currentut - - - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" - shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_5_1_5_currentut.stdout }})print$1}'" - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_5_5_1_5_user_list - - - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" - debug: - msg: "Good News! All accounts have PW change dates that are in the past" - when: rhel9cis_5_5_1_5_user_list.stdout | length == 0 - - - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" - debug: - msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_5_1_5_user_list.stdout_lines }}" - when: - - rhel9cis_5_5_1_5_user_list.stdout | length > 0 - - not rhel9cis_futurepwchgdate_autofix - - - name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - shell: passwd --expire {{ item }} - args: - warn: false - when: - - rhel9cis_5_5_1_5_user_list | length > 0 - - rhel9cis_futurepwchgdate_autofix - with_items: - - "{{ rhel9cis_5_5_1_5_user_list.stdout_lines }}" - when: - - rhel9cis_rule_5_5_1_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.1.5 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index ebed1bd..9b4c7d3 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -1,59 +1,87 @@ --- -- name: "5.5.2 | L1 | PATCH | Ensure system accounts are secured" +- name: "5.5.1 | PATCH | " block: - - name: "5.5.2 | L1 | Ensure system accounts are secured | Set nologin" - user: - name: "{{ item.id }}" - shell: /usr/sbin/nologin + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set pwquality config settings" + lineinfile: + path: /etc/security/pwquality.conf + regexp: ^{{ item.name }} + line: "{{ item.name }} = {{ item.value }}" with_items: - - "{{ rhel9cis_passwd }}" - when: - - item.id != "root" - - item.id != "sync" - - item.id != "shutdown" - - item.id != "halt" - - item.uid < 1000 - - item.shell != " /bin/false" - - item.shell != " /usr/sbin/nologin" + - { name: minlen, value: "{{ rhel9cis_pam_password.minlen }}" } + - { name: minclass, value: "{{ rhel9cis_pam_password.minclass }}" } - - name: "5.5.2 | L1 | PATCH | Ensure system accounts are secured | Lock accounts" - user: - name: "{{ item.id }}" - password_lock: true - with_items: - - "{{ rhel9cis_passwd }}" - when: - - item.id != "halt" - - item.id != "shutdown" - - item.id != "sync" - - item.id != "root" - - min_int_uid | int >= item.uid - - item.shell != " /bin/false" - - item.shell != " /usr/sbin/nologin" + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" + lineinfile: + path: /etc/pam.d/system-auth + regexp: '^password\s*requisite\s*pam_pwquality.so' + line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" + insertbefore: '^#?password ?' + + - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth retry settings" + lineinfile: + path: /etc/pam.d/password-auth + regexp: '^password\s*requisite\s*pam_pwquality.so' + line: "password requisite pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3" + insertbefore: '^#?password ?' when: - - rhel9cis_rule_5_5_2 + - rhel9cis_rule_5_5_1 tags: - level1-server - level1-workstation - patch - - rule_5.5.2 + - rule_5.5.1 -- name: "5.5.3 | L1 | PATCH | Ensure default user shell timeout is 900 seconds or less" - blockinfile: - create: true - mode: 0644 - dest: "{{ item.dest }}" - state: "{{ item.state }}" - marker: "# {mark} ANSIBLE MANAGED" - block: | - # Set session timeout - CIS ID RHEL-09-5.4.5 - TMOUT={{ rhel9cis_shell_session_timeout.timeout }} - export TMOUT - readonly TMOUT +- name: "5.5.2 | PATCH | Ensure system accounts are secured | pre RHEL8.2" + block: + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock time for preauth" + lineinfile: + path: /etc/pam.d/{{ item }} + regexp: '^auth\s*required\s*pam_faillock.so preauth' + line: "auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" + insertafter: '^#?auth ?' + with_items: + - "system-auth" + - "password-auth" + + - name: "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured | pre RHEL8.2 | Add deny count and unlock times for authfail" + lineinfile: + path: /etc/pam.d/{{ item }} + regexp: '^auth\s*required\s*pam_faillock.so authfail' + line: "auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.attempts }}{{ (rhel9cis_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}unlock_time={{ rhel9cis_pam_faillock.unlock_time }}" + insertafter: '^#?auth ?' + with_items: + - "system-auth" + - "password-auth" + when: + - ansible_distribution_version <= "8.1" + - rhel9cis_rule_5_5_2 + +- name: "5.5.2 | PATCH | Ensure system accounts are secured | RHEL8.2+ " + lineinfile: + path: /etc/security/faillock.conf + regexp: "{{ item.regexp }}" + line: "{{ item.line }}" with_items: - - { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present } - - { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } + - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' } + - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' } + when: + - ansible_distribution_version >= "8.2" + - rhel9cis_rule_5_5_2 + +- name: "5.5.3 | PATCH | Ensure password reuse is limited" + block: + - name: "5.5.3 | PATCH | Ensure password reuse is limited | pwhistory" + lineinfile: + path: /etc/pam.d/system-auth + line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" + insertafter: '^password\s*requisite\s*pam_pwquality.so' + + - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix" + replace: + path: /etc/pam.d/system-auth + regexp: '^password\s*sufficient\s*pam_unix.so.*$' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_3 tags: @@ -62,12 +90,31 @@ - patch - rule_5.5.3 -- name: "5.5.4 | L1 | PATCH | Ensure default group for the root account is GID 0" - shell: usermod -g 0 root - args: - warn: false - changed_when: false - failed_when: false +- name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512" + block: + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" + replace: + path: /etc/libuser.conf + regexp: '^crypt_style\s*=\s*.*$' + replace: 'crypt_style = sha512' + + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" + replace: + path: /etc/login.defs + regexp: '^ENCRYPT_METHOD.*' + replace: 'ENCRYPT_METHOD SHA512' + + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth" + replace: + path: /etc/pam.d/password-auth + regexp: '^password\s*sufficient\s*pam_unix.so.*$' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' + + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth" + replace: + path: /etc/pam.d/system-auth + regexp: '^password\s*sufficient\s*pam_unix.so.*$' + replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' when: - rhel9cis_rule_5_5_4 tags: @@ -75,24 +122,3 @@ - level1-workstation - patch - rule_5.5.4 - -- name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive" - block: - - name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" - replace: - path: /etc/bashrc - regexp: '(^\s+umask) 0[012][0-6]' - replace: '\1 027' - - - name: "5.5.5 | L1 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" - replace: - path: /etc/profile - regexp: '(^\s+umask) 0[012][0-6]' - replace: '\1 027' - when: - - rhel9cis_rule_5_5_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.5.5 diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml new file mode 100644 index 0000000..c728d90 --- /dev/null +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -0,0 +1,122 @@ +--- + +- name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less" + lineinfile: + path: /etc/login.defs + regexp: '^PASS_MAX_DAYS' + line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}" + when: + - rhel9cis_rule_5_6_1_1 + tags: + - level1-server + - level1-workstation + - automated + - patch + - password + - rule_5.5.1.1 + +- name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" + lineinfile: + path: /etc/login.defs + regexp: '^PASS_MIN_DAYS' + line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}" + when: + - rhel9cis_rule_5_6_1_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - password + - rule_5.6.1.2 + +- name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more" + lineinfile: + path: /etc/login.defs + regexp: '^PASS_WARN_AGE' + line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}" + when: + - rhel9cis_rule_5_6_1_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - password + - rule_5.5.1.3 + +- name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less" + block: + - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings" + shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_5_6_1_4_inactive_settings + + - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting" + command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }} + when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0 + + - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" + shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1' + changed_when: false + check_mode: no + register: rhel_8_5_6_1_4_user_list + + - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" + command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" + with_items: + - "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}" + when: + - rhel9cis_rule_5_6_1_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - password + - rule_5.6.1.4 + +- name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past" + block: + - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time" + shell: echo $(($(date --utc --date "$1" +%s)/86400)) + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_5_6_1_5_currentut + + - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future" + shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_6_1_5_currentut.stdout }})print$1}'" + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_5_6_1_5_user_list + + - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert no pw change in the future exist" + debug: + msg: "Good News! All accounts have PW change dates that are in the past" + when: rhel9cis_5_6_1_5_user_list.stdout | length == 0 + + - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" + debug: + msg: "Warning! The following accounts have the last PW change date in the future: {{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + when: + - rhel9cis_5_6_1_5_user_list.stdout | length > 0 + - not rhel9cis_futurepwchgdate_autofix + + - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" + command: passwd --expire {{ item }} + when: + - rhel9cis_5_6_1_5_user_list | length > 0 + - rhel9cis_futurepwchgdate_autofix + with_items: + - "{{ rhel9cis_5_6_1_5_user_list.stdout_lines }}" + when: + - rhel9cis_rule_5_6_1_5 + tags: + - level1-server + - level1-workstation + - patch + - rule_5.5.1.5 diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml new file mode 100644 index 0000000..91540ea --- /dev/null +++ b/tasks/section_5/cis_5.6.x.yml @@ -0,0 +1,109 @@ +--- + +- name: "5.6.2 | PATCH | Ensure system accounts are secured" + block: + - name: "5.6.2 | Ensure system accounts are secured | Set nologin" + user: + name: "{{ item.id }}" + shell: /usr/sbin/nologin + with_items: + - "{{ rhel9cis_passwd }}" + when: + - item.id != "root" + - item.id != "sync" + - item.id != "shutdown" + - item.id != "halt" + - item.id != "nfsnobody" + - min_int_uid | int < item.gid + - item.shell != " /bin/false" + - item.shell != " /usr/sbin/nologin" + loop_control: + label: "{{ item.id }}" + + - name: "5.6.2 | PATCH | Ensure system accounts are secured | Lock accounts" + user: + name: "{{ item.id }}" + password_lock: true + with_items: + - "{{ rhel9cis_passwd }}" + when: + - item.id != "halt" + - item.id != "shutdown" + - item.id != "sync" + - item.id != "root" + - item.id != "nfsnobody" + - min_int_uid | int < item.gid + - item.shell != " /bin/false" + - item.shell != " /usr/sbin/nologin" + loop_control: + label: "{{ item.id }}" + when: + - rhel9cis_rule_5_6_2 + tags: + - level1-server + - level1-workstation + - automated + - patch + - accounts + - rule_5.6.2 + +- name: "5.6.3 | PATCH | Ensure default user shell timeout is 900 seconds or less" + blockinfile: + create: yes + mode: 0644 + dest: "{{ item.dest }}" + state: "{{ item.state }}" + marker: "# {mark} CIS 5.6.3 ANSIBLE MANAGED" + block: | + TMOUT={{ rhel9cis_shell_session_timeout.timeout }} + export TMOUT + readonly TMOUT + with_items: + - { dest: "{{ rhel9cis_shell_session_timeout.file }}", state: present } + - { dest: /etc/profile, state: "{{ (rhel9cis_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}" } + when: + - rhel9cis_rule_5_6_3 + tags: + - level1-server + - level1-workstation + - automated + - patch + - accounts + - rule_5.6.3 + +- name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0" + user: + name: root + group: 0 + when: + - rhel9cis_rule_5_6_4 + tags: + - level1-server + - level1-workstation + - automated + - patch + - accounts + - rule_5.6.4 + +- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" + block: + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" + replace: + path: /etc/bashrc + regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' + replace: 'UMASK 027' + + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/profile" + replace: + path: /etc/profile + regexp: '^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]' + replace: 'UMASK 027' + when: + - rhel9cis_rule_5_6_5 + tags: + - level1-server + - level1-workstation + - automated + - patch + - accounts + - rule_5.6.5 diff --git a/tasks/section_5/cis_5.6.yml b/tasks/section_5/cis_5.6.yml deleted file mode 100644 index 6262c3c..0000000 --- a/tasks/section_5/cis_5.6.yml +++ /dev/null @@ -1,37 +0,0 @@ ---- - -# this will just display the list of consoles. The site will need to confirm the allowed consoles are correct and change manually if needed. -- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console" - block: - - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Check if securetty file exists" - stat: - path: /etc/securetty - register: rhel9cis_securetty_check - - - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles" - shell: cat /etc/securetty - args: - warn: false - changed_when: false - register: rhel_09_5_6_audit - when: rhel9cis_securetty_check.stat.exists - - - name: "5.6 | L1 | AUDIT |Ensure root login is restricted to system console | Display Console" - debug: - msg: - - "These are the consoles with root login access, please review:" - - "{{ rhel_09_5_6_audit.stdout_lines }}" - when: rhel9cis_securetty_check.stat.exists - - - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Display that no securetty file exists" - debug: - msg: - - "There is no /etc/securetty file, this has been removed by default in RHEL9" - when: not rhel9cis_securetty_check.stat.exists - when: - - rhel9cis_rule_5_6 - tags: - - level1-server - - level1-workstation - - audit - - rule_5.6 diff --git a/tasks/section_5/cis_5.7.yml b/tasks/section_5/cis_5.7.yml deleted file mode 100644 index 9e7bbec..0000000 --- a/tasks/section_5/cis_5.7.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -- name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted" - block: - - name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid" - lineinfile: - state: present - dest: /etc/pam.d/su - regexp: '^(#)?auth\s+required\s+pam_wheel\.so' - line: 'auth required pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}' - - - name: "5.7 | L1 | PATCH | Ensure access to the su command is restricted | wheel group contains root" - user: - name: "{{ rhel9cis_sugroup_users }}" - groups: "{{ rhel9cis_sugroup | default('wheel') }}" - when: - - rhel9cis_rule_5_7 - tags: - - level1-server - - level1-workstation - - patch - - rule_5.7 diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index 08e5c45..b7db859 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -1,5 +1,7 @@ --- +# Access, Authentication, and Authorization + - name: "SECTION | 5.1 | Configure time-based job schedulers" import_tasks: cis_5.1.x.yml @@ -8,22 +10,17 @@ when: - "'openssh-server' in ansible_facts.packages" -- name: "SECTION | 5.3 | Configure Profiles" +- name: "SECTION | 5.3 | Configure privilege escalation" include_tasks: cis_5.3.x.yml - when: - - rhel9cis_use_authconfig -- name: "SECTION | 5.4 | Configure PAM " +- name: "SECTION | 5.4 | Configure authselect" import_tasks: cis_5.4.x.yml -- name: "SECTION | 5.5.1.x | Passwords and Accounts" - import_tasks: cis_5.5.1.x.yml - -- name: "SECTION | 5.5.x | System Accounts and User Settings" +- name: "SECTION | 5.5 | Configure PAM " import_tasks: cis_5.5.x.yml -- name: "SECTION | 5.6 | Root Login" - import_tasks: cis_5.6.yml +- name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters" + import_tasks: cis_5.6.1.x.yml -- name: Section | 5.7 | su Command Restriction - import_tasks: cis_5.7.yml +- name: "SECTION | 5.6.x | Misc. User Account Settings" + import_tasks: cis_5.6.x.yml diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index c596ed1..c169d4b 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -1,30 +1,30 @@ --- -- name: "6.1.1 | L2 | AUDIT | Audit system file permissions" +- name: "6.1.1 | AUDIT | Audit system file permissions" block: - - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Audit the packages" + - name: "6.1.1 | AUDIT | Audit system file permissions | Audit the packages" shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto args: - warn: false + warn: no changed_when: false failed_when: false register: rhel9cis_6_1_1_packages_rpm - - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Create list and warning" + - name: "6.1.1 | AUDIT | Audit system file permissions | Create list and warning" block: - - name: "6.1.1 | L2 | Audit system file permissions | Add file discrepancy list to system" + - name: "6.1.1 | Audit system file permissions | Add file discrepancy list to system" copy: dest: "{{ rhel9cis_rpm_audit_file }}" content: "{{ rhel9cis_6_1_1_packages_rpm.stdout }}" - - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" + - name: "6.1.1 | AUDIT | Audit system file permissions | Message out alert for package descrepancies" debug: msg: | "Warning! You have some package descrepancies issues. The file list can be found in {{ rhel9cis_rpm_audit_file }}" when: rhel9cis_6_1_1_packages_rpm.stdout|length > 0 - - name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Message out no package descrepancies" + - name: "6.1.1 | AUDIT | Audit system file permissions | Message out no package descrepancies" debug: msg: "Good News! There are no package descrepancies" when: rhel9cis_6_1_1_packages_rpm.stdout|length == 0 @@ -33,26 +33,32 @@ tags: - level2-server - level2-workstation + - manual - audit + - permissions - rule_6.1.1 -- name: "6.1.2 | L1 | PATCH | Ensure permissions on /etc/passwd are configured" - file: - dest: /etc/passwd - owner: root - group: root - mode: 0644 +- name: "6.1.2 | PATCH | Ensure sticky bit is set on all world-writable directories" + shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t + args: + warn: no + changed_when: false + failed_when: false when: - rhel9cis_rule_6_1_2 tags: + - skip_ansible_lint - level1-server - level1-workstation + - automated - patch - - rule_6.1.2 + - stickybits + - permissons + - rule_1.1.21 -- name: "6.1.3 | L1 | PATCH | Ensure permissions on /etc/passwd- are configured" +- name: "6.1.3 | PATCH | Ensure permissions on /etc/passwd are configured" file: - dest: /etc/passwd- + dest: /etc/passwd owner: root group: root mode: 0644 @@ -61,10 +67,12 @@ tags: - level1-server - level1-workstation + - automated - patch + - permissions - rule_6.1.3 -- name: "6.1.4 | L1 | PATCH | Ensure permissions on /etc/shadow are configured" +- name: "6.1.4 | PATCH | Ensure permissions on /etc/shadow are configured" file: dest: /etc/shadow owner: root @@ -75,24 +83,28 @@ tags: - level1-server - level1-workstation + - automated - patch + - permissions - rule_6.1.4 -- name: "6.1.5 | L1 | PATCH | Ensure permissions on /etc/shadow- are configured" +- name: "6.1.5 | PATCH | Ensure permissions on /etc/group are configured" file: - dest: /etc/shadow- + dest: /etc/group- owner: root group: root - mode: 0000 + mode: 0644 when: - rhel9cis_rule_6_1_5 tags: - level1-server - level1-workstation + - automated - patch + - permissions - rule_6.1.5 -- name: "6.1.6 | L1 | PATCH | Ensure permissions on /etc/gshadow are configured" +- name: "6.1.6 | PATCH | Ensure permissions on /etc/gshadow are configured" file: dest: /etc/gshadow owner: root @@ -103,38 +115,44 @@ tags: - level1-server - level1-workstation + - automated - patch + - permissions - rule_6.1.6 -- name: "6.1.7 | L1 | PATCH | Ensure permissions on /etc/gshadow- are configured" +- name: "6.1.7 | PATCH | Ensure permissions on /etc/passwd- are configured" file: - dest: /etc/gshadow- + dest: /etc/passwd- owner: root group: root - mode: 0000 + mode: 0644 when: - rhel9cis_rule_6_1_7 tags: - level1-server - level1-workstation + - automated - patch + - permissions - rule_6.1.7 -- name: "6.1.8 | L1 | PATCH | Ensure permissions on /etc/group are configured" +- name: "6.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured" file: - dest: /etc/group- + dest: /etc/shadow- owner: root group: root - mode: 0644 + mode: 0000 when: - - rhel9cis_rule_6_1_8 + - rhel9cis_rule_6_1_6 tags: - level1-server - level1-workstation + - automated - patch - - rule_6.1.8 + - permissions + - rule_6.1.6 -- name: "6.1.9 | L1 | PATCH | Ensure permissions on /etc/group- are configured" +- name: "6.1.9 | PATCH | Ensure permissions on /etc/group- are configured" file: dest: /etc/group- owner: root @@ -145,87 +163,78 @@ tags: - level1-server - level1-workstation + - automated - patch + - permissionss - rule_6.1.9 -- name: "6.1.10 | L1 | PATCH | Ensure no world writable files exist" - block: - - name: "6.1.10 | L1 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" - shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 - args: - warn: false - failed_when: false - changed_when: false - register: rhel_09_6_1_10_perms_results - - - name: "6.1.10 | L1 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist" - debug: - msg: "Good news! We have not found any world-writable files on your system" - when: - - rhel_09_6_1_10_perms_results.stdout is not defined - - - name: "6.1.10 | L1 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" - file: - path: '{{ item }}' - mode: o-w - state: touch - with_items: "{{ rhel_09_6_1_10_perms_results.stdout_lines }}" - when: - - rhel_09_6_1_10_perms_results.stdout_lines is defined - - rhel9cis_no_world_write_adjust +- name: "6.1.10 | PATCH | Ensure permissions on /etc/gshadow- are configured" + file: + dest: /etc/gshadow- + owner: root + group: root + mode: 0000 when: - rhel9cis_rule_6_1_10 tags: - level1-server - level1-workstation + - automated - patch + - permissions - rule_6.1.10 -- name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist" +- name: "6.1.11 | PATCH | Ensure no world writable files exist" block: - - name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" - shell: find "{{ item.mount }}" -xdev -nouser - args: - warn: false - check_mode: false + - name: "6.1.11 | AUDIT | Ensure no world writable files exist | Get list of world-writable files" + shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 failed_when: false changed_when: false - with_items: "{{ ansible_mounts }}" - register: rhel_09_6_1_11_audit - when: item['device'].startswith('/dev') and not 'bind' in item['options'] + register: rhel_08_6_1_11_perms_results - - name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" + - name: "6.1.11 | AUDIT | Ensure no world writable files exist | Alert no world-writable files exist" debug: - msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_11_audit.results }}" + msg: "Good news! We have not found any world-writable files on your system" when: - - item.stdout_lines is defined - - item.stdout_lines | length > 0 + - rhel_08_6_1_11_perms_results.stdout is not defined + + - name: "6.1.11 | PATCH | Ensure no world writable files exist | Adjust world-writable files if they exist (Configurable)" + file: + path: '{{ item }}' + mode: o-w + state: touch + with_items: "{{ rhel_08_6_1_11_perms_results.stdout_lines }}" + when: + - rhel_08_6_1_11_perms_results.stdout_lines is defined + - rhel9cis_no_world_write_adjust when: - rhel9cis_rule_6_1_11 tags: - level1-server - level1-workstation - - audit + - automated + - patch + - files + - permissions - rule_6.1.11 -- name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist" +- name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist" block: - - name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories" - shell: find "{{ item.mount }}" -xdev -nogroup - args: - warn: false - check_mode: false - failed_when: false + - name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories" + command: find "{{ item.mount }}" -xdev -nouser changed_when: false - register: rhel_09_6_1_12_audit + failed_when: false + check_mode: false + register: rhel_08_6_1_12_audit with_items: "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" when: item['device'].startswith('/dev') and not 'bind' in item['options'] - - name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" + - name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist | Displaying any unowned files or directories" debug: - msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_12_audit.results }}" + msg: "Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + with_items: "{{ rhel_08_6_1_12_audit.results }}" when: - item.stdout_lines is defined - item.stdout_lines | length > 0 @@ -234,71 +243,109 @@ tags: - level1-server - level1-workstation - - patch + - automated + - audit + - files + - permissions - rule_6.1.12 -- name: "6.1.13 | L1 | AUDIT | Audit SUID executables" +- name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist" block: - - name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Find all SUID executables" - shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 - args: - warn: false + - name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories" + command: find "{{ item.mount }}" -xdev -nogroup + check_mode: false failed_when: false changed_when: false - register: rhel_09_6_1_13_perms_results + register: rhel_08_6_1_13_audit with_items: "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" + when: item['device'].startswith('/dev') and not 'bind' in item['options'] - - name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Alert no SUID executables exist" + - name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist | Displaying all ungrouped files or directories" debug: - msg: "Good news! We have not found any SUID executable files on your system" - failed_when: false - changed_when: false + msg: "Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}" + with_items: "{{ rhel_08_6_1_13_audit.results }}" when: - - rhel_09_6_1_13_perms_results.stdout is not defined - - - name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Alert SUID executables exist" - debug: - msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_13_perms_results.stdout_lines }}" - when: - - rhel_09_6_1_13_perms_results.stdout is defined + - item.stdout_lines is defined + - item.stdout_lines | length > 0 when: - rhel9cis_rule_6_1_13 tags: - level1-server - level1-workstation + - automated - audit + - files + - permissions - rule_6.1.13 -- name: "6.1.14 | L1 | AUDIT | Audit SGID executables" +- name: "6.1.14 | AUDIT | Audit SUID executables" block: - - name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Find all SGID executables" - shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 - args: - warn: false + - name: "6.1.14 | AUDIT | Audit SUID executables | Find all SUID executables" + shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 failed_when: false changed_when: false - register: rhel_09_6_1_14_perms_results + register: rhel_08_6_1_14_perms_results with_items: "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" - - name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Alert no SGID executables exist" + - name: "6.1.14 | AUDIT | Audit SUID executables | Alert no SUID executables exist" debug: - msg: "Good news! We have not found any SGID executable files on your system" + msg: "Good news! We have not found any SUID executable files on your system" failed_when: false changed_when: false when: - - rhel_09_6_1_14_perms_results.stdout is not defined + - rhel_08_6_1_14_perms_results.stdout is not defined - - name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Alert SGID executables exist" + - name: "6.1.14 | AUDIT | Audit SUID executables | Alert SUID executables exist" debug: - msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" - with_items: "{{ rhel_09_6_1_14_perms_results.stdout_lines }}" + msg: "Manual intervention is required -- SUID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" + with_items: "{{ rhel_08_6_1_14_perms_results.stdout_lines }}" when: - - rhel_09_6_1_14_perms_results.stdout is defined + - rhel_08_6_1_14_perms_results.stdout is defined when: - rhel9cis_rule_6_1_14 tags: - level1-server - level1-workstation - - patch + - manual + - audit + - files - rule_6.1.14 + +- name: "6.1.15 | AUDIT | Audit SGID executables" + block: + - name: "6.1.15 | AUDIT | Audit SGID executables | Find all SGID executables" + shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 + failed_when: false + changed_when: false + register: rhel_08_6_1_15_perms_results + with_items: "{{ ansible_mounts }}" + loop_control: + label: "{{ item.mount }}" + + - name: "6.1.15 | AUDIT | Audit SGID executables | Alert no SGID executables exist" + debug: + msg: "Good news! We have not found any SGID executable files on your system" + failed_when: false + changed_when: false + when: + - rhel_08_6_1_15_perms_results.stdout is not defined + + - name: "6.1.15 | AUDIT | Audit SGID executables | Alert SGID executables exist" + debug: + msg: "Manual intervention is required -- SGID set on items in {{ item.item.mount }}: {{ item.stout_lines | join(', ') }}" + with_items: "{{ rhel_08_6_1_15_perms_results.stdout_lines }}" + when: + - rhel_08_6_1_15_perms_results.stdout is defined + when: + - rhel9cis_rule_6_1_15 + tags: + - level1-server + - level1-workstation + - manual + - audit + - files + - rule_6.1.15 diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 7b9523b..096a310 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -1,9 +1,7 @@ --- -- name: "6.2.1 | L1 | AUDIT | Ensure password fields are not empty" - shell: passwd -l {{ item }} - args: - warn: false +- name: "6.2.1 | PATCH | Ensure password fields are not empty" + command: passwd -l {{ item }} changed_when: false failed_when: false with_items: "{{ empty_password_accounts.stdout_lines }}" @@ -13,177 +11,268 @@ tags: - level1-server - level1-workstation + - automated - patch + - accounts - rule_6.2.1 -- name: "6.2.2 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd" - shell: sed -i '/^+/ d' /etc/passwd - args: - warn: false - changed_when: false - failed_when: false + +- name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" + block: + - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" + shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' + changed_when: false + failed_when: false + check_mode: false + register: rhel9cis_6_2_2_passwd_gid_check + + - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" + debug: + msg: "Good News! There are no users that have non-existent GUIDs (Groups)" + when: rhel9cis_6_2_2_passwd_gid_check.stdout is not defined + + - name: "6.2.2 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" + debug: + msg: "WARNING: The following users have non-existent GIDs (Groups): {{ rhel9cis_6_2_2_passwd_gid_check.stdout_lines | join (', ') }}" + when: rhel9cis_6_2_2_passwd_gid_check.stdout is defined when: - rhel9cis_rule_6_2_2 tags: - level1-server - level1-workstation - - patch + - automated + - audit + - accounts + - groups - rule_6.2.2 - - skip_ansible_lint -- name: "6.2.3 | L1 | PATCH | Ensure root PATH Integrity" +- name: "6.2.3 | AUDIT Ensure no duplicate UIDs exist" block: - - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine empty value" + - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" + shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" + changed_when: false + failed_when: false + register: rhel9cis_6_2_3_user_uid_check + + - name: "6.2.3 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" + debug: + msg: "Good News! There are no duplicate UID's in the system" + when: rhel9cis_6_2_3_user_uid_check.stdout is not defined + + - name: "6.2.3 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" + debug: + msg: "Warning: The following users have UIDs that are duplicates: {{ rhel9cis_6_2_3_user_uid_check.stdout_lines }}" + when: rhel9cis_6_2_3_user_uid_check.stdout is defined + when: + - rhel9cis_rule_6_2_3 + tags: + - level1-server + - level1-workstation + - automated + - audit + - accounts + - users + - rule_6.2.3 + +- name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist" + block: + - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" + shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" + changed_when: false + failed_when: false + register: rhel9cis_6_2_4_user_user_check + + - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" + debug: + msg: "Good News! There are no duplicate GIDs in the system" + when: rhel9cis_6_2_4_user_user_check.stdout is not defined + + - name: "6.2.4 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" + debug: + msg: "Warning: The following groups have duplicate GIDs: {{ rhel9cis_6_2_4_user_user_check.stdout_lines }}" + when: rhel9cis_6_2_4_user_user_check.stdout is defined + when: + - rhel9cis_rule_6_2_4 + tags: + - level1-server + - level1-workstation + - automated + - audit + - accounts + - groups + - rule_6.2.4 + +- name: "6.2.5 | AUDIT | Ensure no duplicate user names exist" + block: + - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" + shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" + changed_when: false + failed_when: false + register: rhel9cis_6_2_5_user_username_check + + - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" + debug: + msg: "Good News! There are no duplicate user names in the system" + when: rhel9cis_6_2_5_user_username_check.stdout is not defined + + - name: "6.2.5 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" + debug: + msg: "Warning: The following user names are duplicates: {{ rhel9cis_6_2_5_user_username_check.stdout_lines }}" + when: rhel9cis_6_2_5_user_username_check.stdout is defined + when: + - rhel9cis_rule_6_2_5 + tags: + - level1-server + - level1-workstation + - automated + - audit + - accounts + - users + - rule_6.2.5 + +- name: "6.2.6 | AUDIT |Ensure no duplicate group names exist" + block: + - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" + shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' + changed_when: false + failed_when: false + check_mode: no + register: rhel9cis_6_2_6_group_group_check + + - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" + debug: + msg: "Good News! There are no duplicate group names in the system" + when: rhel9cis_6_2_6_group_group_check.stdout is defined + + - name: "6.2.6 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" + debug: + msg: "Warning: The following group names are duplicates: {{ rhel9cis_6_2_6_group_group_check.stdout_lines }}" + when: rhel9cis_6_2_6_group_group_check.stdout is not defined + when: + - rhel9cis_rule_6_2_6 + tags: + - level1-server + - level1-workstation + - automated + - audit + - accounts + - groups + - rule_6.2.6 + +- name: "6.2.7 | PATCH | Ensure root PATH Integrity" + block: + - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine empty value" shell: 'echo $PATH | grep ::' - args: - warn: false - check_mode: false - register: path_colon changed_when: False - failed_when: path_colon.rc == 0 + failed_when: rhel9cis_6_2_7_path_colon.rc == 0 + check_mode: no + register: rhel9cis_6_2_7_path_colon - - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determin colon end" + - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determin colon end" shell: 'echo $PATH | grep :$' - args: - warn: false - check_mode: false - register: path_colon_end changed_when: False - failed_when: path_colon_end.rc == 0 + failed_when: rhel9cis_6_2_7_path_colon_end.rc == 0 + check_mode: no + register: rhel9cis_6_2_7_path_colon_end - - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine dot in path" + - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Determine dot in path" shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'" - args: - warn: false - check_mode: false - register: dot_in_path changed_when: False - failed_when: '"." in dot_in_path.stdout_lines' + failed_when: '"." in rhel9cis_6_2_7_dot_in_path.stdout_lines' + check_mode: no + register: rhel9cis_6_2_7_dot_in_path - - name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" + - name: "6.2.7 | AUDIT | Ensure root PATH Integrity | Alert on empty value, colon end, and dot in path" debug: msg: - - "The following paths have an empty value: {{ path_colon.stdout_lines }}" - - "The following paths have colon end: {{ path_colon_end.stdout_lines }}" - - "The following paths have a dot in the path: {{ dot_in_path.stdout_lines }}" + - "The following paths have an empty value: {{ rhel9cis_6_2_7_path_colon.stdout_lines }}" + - "The following paths have colon end: {{ rhel9cis_6_2_7_path_colon_end.stdout_lines }}" + - "The following paths have a dot in the path: {{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}" - - name: "6.2.3 | L1 | PATCH | Ensure root PATH Integrity (Scored) | Determine rights and owner" + - name: "6.2.7 | PATCH | Ensure root PATH Integrity (Scored) | Determine rights and owner" file: > path='{{ item }}' follow=yes state=directory owner=root mode='o-w,g-w' - with_items: "{{ dot_in_path.stdout_lines }}" + with_items: "{{ rhel9cis_6_2_7_dot_in_path.stdout_lines }}" when: - - rhel9cis_rule_6_2_3 + - rhel9cis_rule_6_2_7 tags: - level1-server - level1-workstation + - automated - patch - - rule_6.2.3 + - paths + - rule_6.2.7 -- name: "6.2.4 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow" - shell: sed -i '/^+/ d' /etc/shadow - args: - warn: false +- name: "6.2.8 | PATCH | Ensure root is the only UID 0 account" + command: passwd -l {{ item }} changed_when: false failed_when: false + with_items: "{{ rhel9cis_uid_zero_accounts_except_root.stdout_lines }}" when: - - rhel9cis_rule_6_2_4 + - rhel9cis_uid_zero_accounts_except_root.rc + - rhel9cis_rule_6_2_8 tags: - level1-server - level1-workstation + - automated - patch - - rule_6.2.4 - - skip_ansible_lint + - accounts + - users + - rule_6.2.8 -- name: "6.2.5 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/group" - shell: sed -i '/^+/ d' /etc/group - args: - warn: false - changed_when: false - failed_when: false - when: - - rhel9cis_rule_6_2_5 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.5 - - skip_ansible_lint - -- name: "6.2.6 | L1 | PATCH | Ensure root is the only UID 0 account" - shell: passwd -l {{ item }} - args: - warn: false - changed_when: false - failed_when: false - with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}" - when: - - uid_zero_accounts_except_root.rc - - rhel9cis_rule_6_2_6 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.6 - -- name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" +- name: "6.2.9 | PATCH | Ensure all users' home directories exist" block: - - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" + - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" stat: path: "{{ item }}" - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}" - register: rhel_09_6_2_7_audit + register: rhel_08_6_2_9_audit + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" - - debug: - var: rhel_09_6_2_7_audit - - - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" - shell: find -H {{ item.0 | quote }} -not -type l -perm /027 - args: - warn: false + - name: "6.2.9 | AUDIT | Ensure all users' home directories exist" + command: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false - changed_when: rhel_09_6_2_7_patch_audit.stdout | length > 0 - register: rhel_09_6_2_7_patch_audit + changed_when: rhel_08_6_2_9_patch_audit.stdout | length > 0 + register: rhel_08_6_2_9_patch_audit when: - ansible_check_mode - item.1.exists with_together: - - "{{ rhel_09_6_2_7_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_7_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" - - name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" + - name: "6.2.9 | PATCH | Ensure all users' home directories exist" file: path: "{{ item.0 }}" - recurse: true + recurse: yes mode: a-st,g-w,o-rwx - register: rhel_09_6_2_7_patch + register: rhel_08_6_2_9_patch when: - not ansible_check_mode - item.1.exists with_together: - - "{{ rhel_09_6_2_7_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_7_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_9_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_9_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.7 | L1 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" + - name: "6.2.9 | PATCH | Ensure all users' home directories exist" acl: path: "{{ item.0 }}" - default: true + default: yes state: present - recursive: true + recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: - - not system_is_container + when: not system_is_container with_nested: - - "{{ (ansible_check_mode | ternary(rhel_09_6_2_7_patch_audit, rhel_09_6_2_7_patch)).results | + - "{{ (ansible_check_mode | ternary(rhel_08_6_2_9_patch_audit, rhel_08_6_2_9_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - etype: group @@ -191,14 +280,17 @@ - etype: other mode: '0' when: - - rhel9cis_rule_6_2_7 + - rhel9cis_rule_6_2_9 tags: - level1-server - level1-workstation + - automated - patch - - rule_6.2.7 + - users + - rule_6.2.9 -- name: "6.2.8 | L1 | PATCH | Ensure users own their home directories" + +- name: "6.2.10 | PATCH | Ensure users own their home directories" file: path: "{{ item.dir }}" owner: "{{ item.id }}" @@ -207,348 +299,66 @@ loop_control: label: "{{ rhel9cis_passwd_label }}" when: - - min_int_uid | int >= item.uid - - rhel9cis_rule_6_2_8 + - min_int_uid | int <= item.uid + - rhel9cis_rule_6_2_10 tags: - skip_ansible_lint # settings found on 6_2_7 - level1-server - level1-workstation + - automated - patch - - rule_6.2.8 - -- name: "6.2.9 | L1 | PATCH | Ensure users' dot files are not group or world-writable" - block: - - name: "6.2.9 | L1 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" - shell: find /home/ -name "\.*" -perm /g+w,o+w - args: - warn: false - changed_when: false - failed_when: false - register: rhel9cis_6_2_9_audit - - - name: "6.2.9 | L1 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" - debug: - msg: "Good news! We have not found any group or world-writable dot files on your sytem" - when: - - rhel9cis_6_2_9_audit.stdout is not defined - - - name: "6.2.9 | L1 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" - file: - path: '{{ item }}' - mode: go-w - with_items: "{{ rhel9cis_6_2_9_audit.stdout_lines }}" - when: - - rhel9cis_6_2_9_audit.stdout is defined - - rhel9cis_dotperm_ansiblemanaged - when: - - rhel9cis_rule_6_2_9 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.9 - -- name: "6.2.10 | L1 | PATCH | Ensure no users have .forward files" - file: - state: absent - dest: "~{{ item }}/.forward" - with_items: "{{ users.stdout_lines }}" - when: - - rhel9cis_rule_6_2_10 - tags: - - level1-server - - level1-workstation - - patch + - users - rule_6.2.10 -- name: "6.2.11 | L1 | PATCH | Ensure no users have .netrc files" - file: - state: absent - dest: "~{{ item }}/.netrc" - with_items: "{{ users.stdout_lines }}" - when: - - rhel9cis_rule_6_2_11 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.11 - -- name: "6.2.12 | L1 | PATCH | Ensure users' .netrc Files are not group or world accessible" - shell: /bin/true - args: - warn: false - changed_when: false - failed_when: false - when: - - rhel9cis_rule_6_2_12 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.12 - -- name: "6.2.13 | L1 | PATCH | Ensure no users have .rhosts files" - file: - state: absent - dest: "~{{ item }}/.rhosts" - with_items: "{{ users.stdout_lines }}" - when: - - rhel9cis_rule_6_2_13 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.13 - -- name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group" +- name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" block: - - name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries" - shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}' - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: passwd_gid_check - - - name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print message that all groups match between passwd and group files" - debug: - msg: "Good News! There are no users that have non-existent GUIDs (Groups)" - when: passwd_gid_check.stdout is not defined - - - name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Print warning about users with invalid GIDs missing GID entries in /etc/group" - debug: - msg: "WARNING: The following users have non-existent GIDs (Groups): {{ passwd_gid_check.stdout_lines | join (', ') }}" - when: passwd_gid_check.stdout is defined - when: - - rhel9cis_rule_6_2_14 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.14 - -- name: "6.2.15 | L1 | AUDIT Ensure no duplicate UIDs exist" - block: - - name: "6.2.15 | L1 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs" - shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd" - args: - warn: false - changed_when: false - failed_when: false - register: user_uid_check - - - name: "6.2.15 | L1 | AUDIT | Ensure no duplicate UIDs exist | Print message that no duplicate UIDs exist" - debug: - msg: "Good News! There are no duplicate UID's in the system" - when: user_uid_check.stdout is not defined - - - name: "6.2.15 | L1 | AUDIT| Ensure no duplicate UIDs exist | Print warning about users with duplicate UIDs" - debug: - msg: "Warning: The following users have UIDs that are duplicates: {{ user_uid_check.stdout_lines }}" - when: user_uid_check.stdout is defined - when: - - rhel9cis_rule_6_2_15 - tags: - - level1-server - - level1-workstation - - patch - - rule_6.2.15 - -- name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist" - block: - - name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs" - shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group" - args: - warn: false - changed_when: false - failed_when: false - register: user_user_check - - - name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Print message that no duplicate GID's exist" - debug: - msg: "Good News! There are no duplicate GIDs in the system" - when: user_user_check.stdout is not defined - - - name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Print warning about users with duplicate GIDs" - debug: - msg: "Warning: The following groups have duplicate GIDs: {{ user_user_check.stdout_lines }}" - when: user_user_check.stdout is defined - when: - - rhel9cis_rule_6_2_16 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.16 - -- name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist" - block: - - name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names" - shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd" - args: - warn: false - changed_when: false - failed_when: false - register: user_username_check - - - name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Print message that no duplicate user names exist" - debug: - msg: "Good News! There are no duplicate user names in the system" - when: user_username_check.stdout is not defined - - - name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Print warning about users with duplicate User Names" - debug: - msg: "Warning: The following user names are duplicates: {{ user_username_check.stdout_lines }}" - when: user_username_check.stdout is defined - when: - - rhel9cis_rule_6_2_17 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.17 - -- name: "6.2.18 | L1 | AUDIT |Ensure no duplicate group names exist" - block: - - name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names" - shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d' - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: group_group_check - - - name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Print message that no duplicate groups exist" - debug: - msg: "Good News! There are no duplicate group names in the system" - when: group_group_check.stdout is defined - - - name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Print warning about users with duplicate group names" - debug: - msg: "Warning: The following group names are duplicates: {{ group_group_check.stdout_lines }}" - when: group_group_check.stdout is not defined - when: - - rhel9cis_rule_6_2_18 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.18 - -- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty" - block: - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for shadow group and pull group id" - shell: "getent group shadow | cut -d: -f3" - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_shadow_gid - - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check /etc/group for empty shadow group" - shell: grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_empty_shadow - - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for users assigned to shadow" - shell: "getent passwd | awk -F: '$4 == '{{ rhel9cis_shadow_gid.stdout }}' {print $1}'" - args: - warn: false - changed_when: false - failed_when: false - check_mode: false - register: rhel9cis_shadow_passwd - - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert shadow group is empty and no users assigned" - debug: - msg: - - " Good News! The shadow group is empty and there are no users assigned to shadow" - when: - - rhel9cis_empty_shadow.stdout | length == 0 - - rhel9cis_shadow_passwd.stdout | length == 0 - - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert shadow group is not empty" - debug: - msg: - - "Alert! The shadow group is not empty" - when: - - rhel9cis_empty_shadow.stdout | length > 0 - - - name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Alert users are using shadow group" - debug: - msg: - - "Alert! The following users are assigned to the shadow group, please assing them to the appropriate group" - - "{{ rhel9cis_shadow_passwd.stdout_lines }}" - when: - - rhel9cis_shadow_passwd.stdout | length > 0 - when: - - rhel9cis_rule_6_2_19 - tags: - - level1-server - - level1-workstation - - audit - - rule_6.2.19 - -- name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist" - block: - - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist" + - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" stat: path: "{{ item }}" - register: rhel_09_6_2_20_audit - with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}" + with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}" + register: rhel_08_6_2_11_audit - - name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist" - shell: find -H {{ item.0 | quote }} -not -type l -perm /027 - args: - warn: false + - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive" + command: find -H {{ item.0 | quote }} -not -type l -perm /027 check_mode: false - changed_when: rhel_09_6_2_20_patch_audit.stdout | length > 0 - register: rhel_09_6_2_20_patch_audit + changed_when: rhel_08_6_2_11_patch_audit.stdout | length > 0 + register: rhel_08_6_2_11_patch_audit when: - ansible_check_mode - item.1.exists with_together: - - "{{ rhel_09_6_2_20_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_20_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" - - name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist" + - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" file: path: "{{ item.0 }}" - recurse: true + recurse: yes mode: a-st,g-w,o-rwx - register: rhel_09_6_2_20_patch + register: rhel_08_6_2_11_patch when: - not ansible_check_mode - item.1.exists with_together: - - "{{ rhel_09_6_2_20_audit.results | map(attribute='item') | list }}" - - "{{ rhel_09_6_2_20_audit.results | map(attribute='stat') | list }}" + - "{{ rhel_08_6_2_11_audit.results | map(attribute='item') | list }}" + - "{{ rhel_08_6_2_11_audit.results | map(attribute='stat') | list }}" loop_control: label: "{{ item.0 }}" # set default ACLs so the homedir has an effective umask of 0027 - - name: "6.2.20 | L1 | PATCH | Ensure all users' home directories exist" + - name: "6.2.11 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" acl: path: "{{ item.0 }}" - default: true + default: yes state: present - recursive: true + recursive: yes etype: "{{ item.1.etype }}" permissions: "{{ item.1.mode }}" - when: - - not system_is_container + when: not system_is_container with_nested: - - "{{ (ansible_check_mode | ternary(rhel_09_6_2_20_patch_audit, rhel_09_6_2_20_patch)).results | + - "{{ (ansible_check_mode | ternary(rhel_08_6_2_11_patch_audit, rhel_08_6_2_11_patch)).results | rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}" - - etype: group @@ -556,9 +366,111 @@ - etype: other mode: '0' when: - - rhel9cis_rule_6_2_20 + - rhel9cis_rule_6_2_11 tags: - level1-server - level1-workstation + - automated - patch - - rule_6.2.20 + - users + - permissions + - rule_6.2.11 + +- name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable" + block: + - name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files" + shell: find /home/ -maxdepth 2 -name "\.*" -perm /g+w,o+w + changed_when: false + failed_when: false + register: rhel9cis_6_2_12_audit + + - name: "6.2.12 | AUDIT | Ensure users' dot files are not group or world-writable | Alert on files found" + debug: + msg: "Good news! We have not found any group or world-writable dot files on your sytem" + when: + - rhel9cis_6_2_12_audit.stdout is not defined + + - name: "6.2.12 | PATCH | Ensure users' dot files are not group or world-writable | Changes files if configured" + file: + path: '{{ item }}' + mode: go-w + with_items: "{{ rhel9cis_6_2_12_audit.stdout_lines }}" + when: + - rhel9cis_6_2_12_audit.stdout is defined + - rhel9cis_dotperm_ansiblemanaged + when: + - rhel9cis_rule_6_2_12 + tags: + - level1-server + - level1-workstation + - automated + - patch + - users + - permissions + - rule_6.2.12 + +- name: "6.2.13 | PATCH | Ensure users' .netrc Files are not group or world accessible" + command: /bin/true + changed_when: false + failed_when: false + when: + - rhel9cis_rule_6_2_13 + tags: + - level1-server + - level1-workstation + - automated + - patch + - users + - permissions + - notimplemented + - rule_6.2.13 + +- name: "6.2.14 | PATCH | Ensure no users have .forward files" + file: + state: absent + dest: "~{{ item }}/.forward" + with_items: + - "{{ users.stdout_lines }}" + when: + - rhel9cis_rule_6_2_14 + tags: + - level1-server + - level1-workstation + - automated + - patch + - users + - files + - rule_6.2.14 + +- name: "6.2.15 | PATCH | Ensure no users have .netrc files" + file: + state: absent + dest: "~{{ item }}/.netrc" + with_items: + - "{{ users.stdout_lines }}" + when: + - rhel9cis_rule_6_2_15 + tags: + - level1-server + - level1-workstation + - automated + - patch + - users + - files + - rule_6.2.15 + +- name: "6.2.16 | PATCH | Ensure no users have .rhosts files" + file: + state: absent + dest: "~{{ item }}/.rhosts" + with_items: "{{ users.stdout_lines }}" + when: + - rhel9cis_rule_6_2_16 + tags: + - level1-server + - level1-workstation + - automated + - patch + - users + - files + - rule_6.2.16 diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index ec9dac6..0947ce3 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -1,16 +1,17 @@ +## metadata for benchmark + ## metadata for Audit benchmark -benchmark_version: '1.0.1' +benchmark_version: '2.0.0' # Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS -is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %} +# If run via script this is discovered and set +host_os_distribution: {{ ansible_distribution | lower }} -rhel9cis_os_distribution: {{ ansible_distribution | lower }} -# timeout for each command to run where set - default = 10seconds/10000ms -timeout_ms: {{ audit_cmd_timeout }} +# timeout for each command to run where set - default = 10seconds/10000ms +timeout_ms: 60000 # Taken from LE rhel9-cis -rhel9cis_notauto: {{ rhel9cis_notauto }} rhel9cis_section1: {{ rhel9cis_section1 }} rhel9cis_section2: {{ rhel9cis_section2 }} rhel9cis_section3: {{ rhel9cis_section3 }} @@ -23,84 +24,114 @@ rhel9cis_level_2: {{ rhel9cis_level_2 }} rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }} - - -# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy +# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy run_heavy_tests: true + +# True is BIOS based system else set to false {% if rhel9cis_legacy_boot is defined %} rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }} {% endif %} - rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} + # These variables correspond with the CIS rule IDs or paragraph numbers defined in # the CIS benchmark documents. # PLEASE NOTE: These work in coordination with the section # group variables and tags. # You must enable an entire section in order for the variables below to take effect. # Section 1 rules +# 1.1.1 Disable unused filesystems rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }} rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }} rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }} -rhel9cis_rule_1_1_1_4: {{ rhel9cis_rule_1_1_1_4 }} -rhel9cis_rule_1_1_2: {{ rhel9cis_rule_1_1_2 }} -rhel9cis_rule_1_1_3: {{ rhel9cis_rule_1_1_3 }} -rhel9cis_rule_1_1_4: {{ rhel9cis_rule_1_1_4 }} -rhel9cis_rule_1_1_5: {{ rhel9cis_rule_1_1_5 }} -rhel9cis_rule_1_1_6: {{ rhel9cis_rule_1_1_6 }} -rhel9cis_rule_1_1_7: {{ rhel9cis_rule_1_1_7 }} -rhel9cis_rule_1_1_8: {{ rhel9cis_rule_1_1_8 }} +# 1.1.2 Configure /tmp +rhel9cis_rule_1_1_2_1: {{ rhel9cis_rule_1_1_2_1 }} +rhel9cis_rule_1_1_2_2: {{ rhel9cis_rule_1_1_2_2 }} +rhel9cis_rule_1_1_2_3: {{ rhel9cis_rule_1_1_2_3 }} +rhel9cis_rule_1_1_2_4: {{ rhel9cis_rule_1_1_2_4 }} +# 1.1.3 Configure /var +rhel9cis_rule_1_1_3_1: {{ rhel9cis_rule_1_1_3_1 }} +rhel9cis_rule_1_1_3_2: {{ rhel9cis_rule_1_1_3_2 }} +rhel9cis_rule_1_1_3_3: {{ rhel9cis_rule_1_1_3_3 }} +rhel9cis_rule_1_1_3_4: {{ rhel9cis_rule_1_1_3_4 }} +# 1.1.4 Configure /var/tmp +rhel9cis_rule_1_1_4_1: {{ rhel9cis_rule_1_1_4_1 }} +rhel9cis_rule_1_1_4_2: {{ rhel9cis_rule_1_1_4_2 }} +rhel9cis_rule_1_1_4_3: {{ rhel9cis_rule_1_1_4_3 }} +rhel9cis_rule_1_1_4_4: {{ rhel9cis_rule_1_1_4_4 }} +# 1.1.5 Configure /var/log +rhel9cis_rule_1_1_5_1: {{ rhel9cis_rule_1_1_5_1 }} +rhel9cis_rule_1_1_5_2: {{ rhel9cis_rule_1_1_5_2 }} +rhel9cis_rule_1_1_5_3: {{ rhel9cis_rule_1_1_5_3 }} +rhel9cis_rule_1_1_5_4: {{ rhel9cis_rule_1_1_5_4 }} +# 1.1.6 Configure /var/log/audit +rhel9cis_rule_1_1_6_1: {{ rhel9cis_rule_1_1_6_1 }} +rhel9cis_rule_1_1_6_2: {{ rhel9cis_rule_1_1_6_2 }} +rhel9cis_rule_1_1_6_3: {{ rhel9cis_rule_1_1_6_3 }} +rhel9cis_rule_1_1_6_4: {{ rhel9cis_rule_1_1_6_4 }} +# 1.1.7 Configure /home +rhel9cis_rule_1_1_7_1: {{ rhel9cis_rule_1_1_7_1 }} +rhel9cis_rule_1_1_7_2: {{ rhel9cis_rule_1_1_7_2 }} +rhel9cis_rule_1_1_7_3: {{ rhel9cis_rule_1_1_7_3 }} +rhel9cis_rule_1_1_7_4: {{ rhel9cis_rule_1_1_7_4 }} +rhel9cis_rule_1_1_7_5: {{ rhel9cis_rule_1_1_7_5 }} +# 1.1.8 Configure /dev/shm +rhel9cis_rule_1_1_8_1: {{ rhel9cis_rule_1_1_8_1 }} +rhel9cis_rule_1_1_8_2: {{ rhel9cis_rule_1_1_8_2 }} +rhel9cis_rule_1_1_8_3: {{ rhel9cis_rule_1_1_8_3 }} +# 1.9 autofs rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }} +# 1.10 usb-storage rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }} -rhel9cis_rule_1_1_11: {{ rhel9cis_rule_1_1_11 }} -rhel9cis_rule_1_1_12: {{ rhel9cis_rule_1_1_12 }} -rhel9cis_rule_1_1_13: {{ rhel9cis_rule_1_1_13 }} -rhel9cis_rule_1_1_14: {{ rhel9cis_rule_1_1_14 }} -rhel9cis_rule_1_1_15: {{ rhel9cis_rule_1_1_15 }} -rhel9cis_rule_1_1_16: {{ rhel9cis_rule_1_1_16 }} -rhel9cis_rule_1_1_17: {{ rhel9cis_rule_1_1_17 }} -rhel9cis_rule_1_1_18: {{ rhel9cis_rule_1_1_18 }} -rhel9cis_rule_1_1_19: {{ rhel9cis_rule_1_1_19 }} -rhel9cis_rule_1_1_20: {{ rhel9cis_rule_1_1_20 }} -rhel9cis_rule_1_1_21: {{ rhel9cis_rule_1_1_21 }} -rhel9cis_rule_1_1_22: {{ rhel9cis_rule_1_1_22 }} -rhel9cis_rule_1_1_23: {{ rhel9cis_rule_1_1_23 }} +# 1.2 Configure Software Updates rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if Redhat and Subscribed rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }} rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }} rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }} -rhel9cis_rule_1_2_5: {{ rhel9cis_rule_1_2_5 }} +# 1.3 Filesystem Integrity Checking rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }} rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }} -rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }} +# 1.4 Secure Boot Settings rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }} rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }} +rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }} +# 1.5 Additional Process Hardening rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }} rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }} -rhel9cis_rule_1_6_1: {{ rhel9cis_rule_1_6_1 }} -rhel9cis_rule_1_6_2: {{ rhel9cis_rule_1_6_2 }} -rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }} -rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }} -rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }} -rhel9cis_rule_1_7_1_4: {{ rhel9cis_rule_1_7_1_4 }} -rhel9cis_rule_1_7_1_5: {{ rhel9cis_rule_1_7_1_5 }} -rhel9cis_rule_1_7_1_6: {{ rhel9cis_rule_1_7_1_6 }} -rhel9cis_rule_1_7_1_7: {{ rhel9cis_rule_1_7_1_7 }} -rhel9cis_rule_1_8_1_1: {{ rhel9cis_rule_1_8_1_1 }} -rhel9cis_rule_1_8_1_2: {{ rhel9cis_rule_1_8_1_2 }} -rhel9cis_rule_1_8_1_3: {{ rhel9cis_rule_1_8_1_3 }} -rhel9cis_rule_1_8_1_4: {{ rhel9cis_rule_1_8_1_4 }} -rhel9cis_rule_1_8_1_5: {{ rhel9cis_rule_1_8_1_5 }} -rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }} +# 1.6 Mandatory Access Control +rhel9cis_rule_1_6_1_1: {{ rhel9cis_rule_1_6_1_1 }} +rhel9cis_rule_1_6_1_2: {{ rhel9cis_rule_1_6_1_2 }} +rhel9cis_rule_1_6_1_3: {{ rhel9cis_rule_1_6_1_3 }} +rhel9cis_rule_1_6_1_4: {{ rhel9cis_rule_1_6_1_4 }} +rhel9cis_rule_1_6_1_5: {{ rhel9cis_rule_1_6_1_5 }} +rhel9cis_rule_1_6_1_6: {{ rhel9cis_rule_1_6_1_6 }} +rhel9cis_rule_1_6_1_7: {{ rhel9cis_rule_1_6_1_7 }} +# 1.7 Command Line Warning Banners +rhel9cis_rule_1_7_1: {{ rhel9cis_rule_1_7_1 }} +rhel9cis_rule_1_7_2: {{ rhel9cis_rule_1_7_2 }} +rhel9cis_rule_1_7_3: {{ rhel9cis_rule_1_7_3 }} +rhel9cis_rule_1_7_4: {{ rhel9cis_rule_1_7_4 }} +rhel9cis_rule_1_7_5: {{ rhel9cis_rule_1_7_5 }} +rhel9cis_rule_1_7_6: {{ rhel9cis_rule_1_7_6 }} +# 1.8 Gnome Display Manager +rhel9cis_rule_1_8_1: {{ rhel9cis_rule_1_8_1 }} rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} +rhel9cis_rule_1_8_3: {{ rhel9cis_rule_1_8_3 }} +rhel9cis_rule_1_8_4: {{ rhel9cis_rule_1_8_4 }} +rhel9cis_rule_1_8_5: {{ rhel9cis_rule_1_8_5 }} +# 1.9 Ensure updates, patches, and additional security software are installed rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} +# Ensure system-wide crypto policy is not legacy rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }} -rhel9cis_rule_1_11: {{ rhel9cis_rule_1_11 }} -# section 2 rules + +# section 2 +# Services +# 2.1 Time Synchronization rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }} -rhel9cis_rule_2_2_1_1: {{ rhel9cis_rule_2_2_1_1 }} -rhel9cis_rule_2_2_1_2: {{ rhel9cis_rule_2_2_1_2 }} +rhel9cis_rule_2_1_2: {{ rhel9cis_rule_2_1_2 }} +# 2.2 Special Purpose Services +rhel9cis_rule_2_2_1: {{ rhel9cis_rule_2_2_1 }} rhel9cis_rule_2_2_2: {{ rhel9cis_rule_2_2_2 }} rhel9cis_rule_2_2_3: {{ rhel9cis_rule_2_2_3 }} rhel9cis_rule_2_2_4: {{ rhel9cis_rule_2_2_4 }} @@ -118,74 +149,123 @@ rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }} rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }} rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }} rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }} +rhel9cis_rule_2_2_19: {{ rhel9cis_rule_2_2_19 }} +rhel9cis_rule_2_2_20: {{ rhel9cis_rule_2_2_20 }} +# 2.3 service clients rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }} rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }} rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }} +rhel9cis_rule_2_3_4: {{ rhel9cis_rule_2_3_4 }} +rhel9cis_rule_2_3_5: {{ rhel9cis_rule_2_3_5 }} +rhel9cis_rule_2_4: true # todo # Section 3 rules +# 3.1 Disable unused network protocols and devices rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} +rhel9cis_rule_3_1_3: {{ rhel9cis_rule_3_1_3 }} +rhel9cis_rule_3_1_4: {{ rhel9cis_rule_3_1_4 }} +# 3.2 Network Parameters (Host Only) rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }} -rhel9cis_rule_3_2_3: {{ rhel9cis_rule_3_2_3 }} -rhel9cis_rule_3_2_4: {{ rhel9cis_rule_3_2_4 }} -rhel9cis_rule_3_2_5: {{ rhel9cis_rule_3_2_5 }} -rhel9cis_rule_3_2_6: {{ rhel9cis_rule_3_2_6 }} -rhel9cis_rule_3_2_7: {{ rhel9cis_rule_3_2_7 }} -rhel9cis_rule_3_2_8: {{ rhel9cis_rule_3_2_8 }} -rhel9cis_rule_3_2_9: {{ rhel9cis_rule_3_2_9 }} +# 3.3 Network Parameters (Host and Router) rhel9cis_rule_3_3_1: {{ rhel9cis_rule_3_3_1 }} rhel9cis_rule_3_3_2: {{ rhel9cis_rule_3_3_2 }} rhel9cis_rule_3_3_3: {{ rhel9cis_rule_3_3_3 }} rhel9cis_rule_3_3_4: {{ rhel9cis_rule_3_3_4 }} +rhel9cis_rule_3_3_5: {{ rhel9cis_rule_3_3_5 }} +rhel9cis_rule_3_3_6: {{ rhel9cis_rule_3_3_6 }} +rhel9cis_rule_3_3_7: {{ rhel9cis_rule_3_3_7 }} +rhel9cis_rule_3_3_8: {{ rhel9cis_rule_3_3_8 }} +rhel9cis_rule_3_3_9: {{ rhel9cis_rule_3_3_9 }} +# 3.4.1 Configure firewalld rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }} +rhel9cis_rule_3_4_1_2: {{ rhel9cis_rule_3_4_1_2 }} +rhel9cis_rule_3_4_1_3: {{ rhel9cis_rule_3_4_1_3 }} +rhel9cis_rule_3_4_1_4: {{ rhel9cis_rule_3_4_1_4 }} +rhel9cis_rule_3_4_1_5: {{ rhel9cis_rule_3_4_1_5 }} +rhel9cis_rule_3_4_1_6: {{ rhel9cis_rule_3_4_1_6 }} +rhel9cis_rule_3_4_1_7: {{ rhel9cis_rule_3_4_1_7 }} +# 3.4.1 Configure nftables rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }} rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }} rhel9cis_rule_3_4_2_3: {{ rhel9cis_rule_3_4_2_3 }} rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }} rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }} rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }} -rhel9cis_rule_3_5: {{ rhel9cis_rule_3_5 }} -rhel9cis_rule_3_6: {{ rhel9cis_rule_3_6 }} +rhel9cis_rule_3_4_2_7: {{ rhel9cis_rule_3_4_2_7 }} +rhel9cis_rule_3_4_2_8: {{ rhel9cis_rule_3_4_2_8 }} +rhel9cis_rule_3_4_2_9: {{ rhel9cis_rule_3_4_2_9 }} +rhel9cis_rule_3_4_2_10: {{ rhel9cis_rule_3_4_2_10 }} +rhel9cis_rule_3_4_2_11: {{ rhel9cis_rule_3_4_2_11 }} - -# Section 4 rules +# Section 4 rules +# 4.1 Configure System Accounting rhel9cis_rule_4_1_1_1: {{ rhel9cis_rule_4_1_1_1 }} rhel9cis_rule_4_1_1_2: {{ rhel9cis_rule_4_1_1_2 }} rhel9cis_rule_4_1_1_3: {{ rhel9cis_rule_4_1_1_3 }} rhel9cis_rule_4_1_1_4: {{ rhel9cis_rule_4_1_1_4 }} + +# 4.1.2 Configure Data retention rhel9cis_rule_4_1_2_1: {{ rhel9cis_rule_4_1_2_1 }} rhel9cis_rule_4_1_2_2: {{ rhel9cis_rule_4_1_2_2 }} rhel9cis_rule_4_1_2_3: {{ rhel9cis_rule_4_1_2_3 }} -rhel9cis_rule_4_1_3: {{ rhel9cis_rule_4_1_3 }} -rhel9cis_rule_4_1_4: {{ rhel9cis_rule_4_1_4 }} -rhel9cis_rule_4_1_5: {{ rhel9cis_rule_4_1_5 }} -rhel9cis_rule_4_1_6: {{ rhel9cis_rule_4_1_6 }} -rhel9cis_rule_4_1_7: {{ rhel9cis_rule_4_1_7 }} -rhel9cis_rule_4_1_8: {{ rhel9cis_rule_4_1_8 }} -rhel9cis_rule_4_1_9: {{ rhel9cis_rule_4_1_9 }} -rhel9cis_rule_4_1_10: {{ rhel9cis_rule_4_1_10 }} -rhel9cis_rule_4_1_11: {{ rhel9cis_rule_4_1_11 }} -rhel9cis_rule_4_1_12: {{ rhel9cis_rule_4_1_12 }} -rhel9cis_rule_4_1_13: {{ rhel9cis_rule_4_1_13 }} -rhel9cis_rule_4_1_14: {{ rhel9cis_rule_4_1_14 }} -rhel9cis_rule_4_1_15: {{ rhel9cis_rule_4_1_15 }} -rhel9cis_rule_4_1_16: {{ rhel9cis_rule_4_1_16 }} -rhel9cis_rule_4_1_17: {{ rhel9cis_rule_4_1_17 }} + +# 4.1.3 Configure auditd rules +rhel9cis_rule_4_1_3_1: {{ rhel9cis_rule_4_1_3_1 }} +rhel9cis_rule_4_1_3_2: {{ rhel9cis_rule_4_1_3_2 }} +rhel9cis_rule_4_1_3_3: {{ rhel9cis_rule_4_1_3_3 }} +rhel9cis_rule_4_1_3_4: {{ rhel9cis_rule_4_1_3_4 }} +rhel9cis_rule_4_1_3_5: {{ rhel9cis_rule_4_1_3_5 }} +rhel9cis_rule_4_1_3_6: {{ rhel9cis_rule_4_1_3_6 }} +rhel9cis_rule_4_1_3_7: {{ rhel9cis_rule_4_1_3_7 }} +rhel9cis_rule_4_1_3_8: {{ rhel9cis_rule_4_1_3_8 }} +rhel9cis_rule_4_1_3_9: {{ rhel9cis_rule_4_1_3_9 }} +rhel9cis_rule_4_1_3_10: {{ rhel9cis_rule_4_1_3_10 }} +rhel9cis_rule_4_1_3_11: {{ rhel9cis_rule_4_1_3_11 }} +rhel9cis_rule_4_1_3_12: {{ rhel9cis_rule_4_1_3_12 }} +rhel9cis_rule_4_1_3_13: {{ rhel9cis_rule_4_1_3_13 }} +rhel9cis_rule_4_1_3_14: {{ rhel9cis_rule_4_1_3_14 }} +rhel9cis_rule_4_1_3_15: {{ rhel9cis_rule_4_1_3_15 }} +rhel9cis_rule_4_1_3_16: {{ rhel9cis_rule_4_1_3_16 }} +rhel9cis_rule_4_1_3_17: {{ rhel9cis_rule_4_1_3_17 }} +rhel9cis_rule_4_1_3_18: {{ rhel9cis_rule_4_1_3_18 }} +rhel9cis_rule_4_1_3_19: {{ rhel9cis_rule_4_1_3_19 }} +rhel9cis_rule_4_1_3_20: {{ rhel9cis_rule_4_1_3_20 }} +rhel9cis_rule_4_1_3_21: {{ rhel9cis_rule_4_1_3_21 }} + +# 4.2.1 Configure rsyslog rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }} rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }} +rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_3 }} rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }} rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }} rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }} rhel9cis_rule_4_2_1_6: {{ rhel9cis_rule_4_2_1_6 }} -rhel9cis_rule_4_2_2_1: {{ rhel9cis_rule_4_2_2_1 }} +rhel9cis_rule_4_2_1_7: {{ rhel9cis_rule_4_2_1_7 }} + +# 4.2.2 Configure journald +rhel9cis_rule_4_2_2_1_1: {{ rhel9cis_rule_4_2_2_1_1 }} +rhel9cis_rule_4_2_2_1_2: {{ rhel9cis_rule_4_2_2_1_2 }} +rhel9cis_rule_4_2_2_1_3: {{ rhel9cis_rule_4_2_2_1_3 }} +rhel9cis_rule_4_2_2_1_4: {{ rhel9cis_rule_4_2_2_1_4 }} rhel9cis_rule_4_2_2_2: {{ rhel9cis_rule_4_2_2_2 }} rhel9cis_rule_4_2_2_3: {{ rhel9cis_rule_4_2_2_3 }} +rhel9cis_rule_4_2_2_4: {{ rhel9cis_rule_4_2_2_4 }} +rhel9cis_rule_4_2_2_5: {{ rhel9cis_rule_4_2_2_5 }} +rhel9cis_rule_4_2_2_6: {{ rhel9cis_rule_4_2_2_6 }} +rhel9cis_rule_4_2_2_7: {{ rhel9cis_rule_4_2_2_7 }} rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }} -rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }} + +# 4.3 Logrotate +rhel9cis_rule_4_3_1: {{ rhel9cis_rule_4_3_1 }} +rhel9cis_rule_4_3_2: {{ rhel9cis_rule_4_3_2 }} +rhel9cis_rule_4_3_3: {{ rhel9cis_rule_4_3_3 }} # Section 5 +# Authentication and Authorization +# 5.1 Configure time-based job schedulers rhel9cis_rule_5_1_1: {{ rhel9cis_rule_5_1_1 }} rhel9cis_rule_5_1_2: {{ rhel9cis_rule_5_1_2 }} rhel9cis_rule_5_1_3: {{ rhel9cis_rule_5_1_3 }} @@ -195,6 +275,7 @@ rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }} rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }} rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }} +# 5.2 Configure SSH Server rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }} rhel9cis_rule_5_2_2: {{ rhel9cis_rule_5_2_2 }} rhel9cis_rule_5_2_3: {{ rhel9cis_rule_5_2_3 }} @@ -215,31 +296,41 @@ rhel9cis_rule_5_2_17: {{ rhel9cis_rule_5_2_17 }} rhel9cis_rule_5_2_18: {{ rhel9cis_rule_5_2_18 }} rhel9cis_rule_5_2_19: {{ rhel9cis_rule_5_2_19 }} rhel9cis_rule_5_2_20: {{ rhel9cis_rule_5_2_20 }} - +# 5.3 Configure privilege escalation rhel9cis_rule_5_3_1: {{ rhel9cis_rule_5_3_1 }} rhel9cis_rule_5_3_2: {{ rhel9cis_rule_5_3_2 }} rhel9cis_rule_5_3_3: {{ rhel9cis_rule_5_3_3 }} +rhel9cis_rule_5_3_4: {{ rhel9cis_rule_5_3_4 }} +rhel9cis_rule_5_3_5: {{ rhel9cis_rule_5_3_5 }} +rhel9cis_rule_5_3_6: {{ rhel9cis_rule_5_3_6 }} +rhel9cis_rule_5_3_7: {{ rhel9cis_rule_5_3_7 }} + +# 5.4 Configure authselect rhel9cis_rule_5_4_1: {{ rhel9cis_rule_5_4_1 }} rhel9cis_rule_5_4_2: {{ rhel9cis_rule_5_4_2 }} -rhel9cis_rule_5_4_3: {{ rhel9cis_rule_5_4_3 }} -rhel9cis_rule_5_4_4: {{ rhel9cis_rule_5_4_4 }} - -rhel9cis_rule_5_5_1_1: {{ rhel9cis_rule_5_5_1_1 }} -rhel9cis_rule_5_5_1_2: {{ rhel9cis_rule_5_5_1_2 }} -rhel9cis_rule_5_5_1_3: {{ rhel9cis_rule_5_5_1_3 }} -rhel9cis_rule_5_5_1_4: {{ rhel9cis_rule_5_5_1_4 }} -rhel9cis_rule_5_5_1_5: {{ rhel9cis_rule_5_5_1_5 }} +# 5.5 Configure PAM +rhel9cis_rule_5_5_1: {{ rhel9cis_rule_5_5_1 }} rhel9cis_rule_5_5_2: {{ rhel9cis_rule_5_5_2 }} rhel9cis_rule_5_5_3: {{ rhel9cis_rule_5_5_3 }} rhel9cis_rule_5_5_4: {{ rhel9cis_rule_5_5_4 }} -rhel9cis_rule_5_5_5: {{ rhel9cis_rule_5_5_5 }} -rhel9cis_rule_5_6: {{ rhel9cis_rule_5_6 }} -rhel9cis_rule_5_7: {{ rhel9cis_rule_5_7 }} +# 5.6 User Accounts and Environment +# 5.6.1 Set Shadow Password Suite Parameters +rhel9cis_rule_5_6_1_1: {{ rhel9cis_rule_5_6_1_1 }} +rhel9cis_rule_5_6_1_2: {{ rhel9cis_rule_5_6_1_2 }} +rhel9cis_rule_5_6_1_3: {{ rhel9cis_rule_5_6_1_3 }} +rhel9cis_rule_5_6_1_4: {{ rhel9cis_rule_5_6_1_4 }} +rhel9cis_rule_5_6_1_5: {{ rhel9cis_rule_5_6_1_5 }} +rhel9cis_rule_5_6_2: {{ rhel9cis_rule_5_6_2 }} +rhel9cis_rule_5_6_3: {{ rhel9cis_rule_5_6_3 }} +rhel9cis_rule_5_6_4: {{ rhel9cis_rule_5_6_4 }} +rhel9cis_rule_5_6_5: {{ rhel9cis_rule_5_6_5 }} # Section 6 +# 6 System Maintenance +# 6.1 System File Permissions rhel9cis_rule_6_1_1: {{ rhel9cis_rule_6_1_1 }} rhel9cis_rule_6_1_2: {{ rhel9cis_rule_6_1_2 }} rhel9cis_rule_6_1_3: {{ rhel9cis_rule_6_1_3 }} @@ -254,7 +345,9 @@ rhel9cis_rule_6_1_11: {{ rhel9cis_rule_6_1_11 }} rhel9cis_rule_6_1_12: {{ rhel9cis_rule_6_1_12 }} rhel9cis_rule_6_1_13: {{ rhel9cis_rule_6_1_13 }} rhel9cis_rule_6_1_14: {{ rhel9cis_rule_6_1_14 }} +rhel9cis_rule_6_1_15: {{ rhel9cis_rule_6_1_15 }} +# 6.2 User and Group Settings rhel9cis_rule_6_2_1: {{ rhel9cis_rule_6_2_1 }} rhel9cis_rule_6_2_2: {{ rhel9cis_rule_6_2_2 }} rhel9cis_rule_6_2_3: {{ rhel9cis_rule_6_2_3 }} @@ -271,204 +364,132 @@ rhel9cis_rule_6_2_13: {{ rhel9cis_rule_6_2_13 }} rhel9cis_rule_6_2_14: {{ rhel9cis_rule_6_2_14 }} rhel9cis_rule_6_2_15: {{ rhel9cis_rule_6_2_15 }} rhel9cis_rule_6_2_16: {{ rhel9cis_rule_6_2_16 }} -rhel9cis_rule_6_2_17: {{ rhel9cis_rule_6_2_17 }} -rhel9cis_rule_6_2_18: {{ rhel9cis_rule_6_2_18 }} -rhel9cis_rule_6_2_19: {{ rhel9cis_rule_6_2_19 }} -rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }} +############ -# Service configuration booleans set true to keep service -rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} -rhel9cis_cups_server: {{ rhel9cis_cups_server }} -rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} -rhel9cis_ldap_server: {{ rhel9cis_ldap_server }} -rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} -rhel9cis_nfs_server: {{ rhel9cis_nfs_server }} -rhel9cis_rpc_server: {{ rhel9cis_rpc_server }} -rhel9cis_ntalk_server: {{ rhel9cis_ntalk_server }} -rhel9cis_rsyncd_server: {{ rhel9cis_rsyncd_server }} -rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} -rhel9cis_rsh_server: {{ rhel9cis_rsh_server }} -rhel9cis_nis_server: {{ rhel9cis_nis_server }} -rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} -rhel9cis_squid_server: {{ rhel9cis_squid_server }} -rhel9cis_smb_server: {{ rhel9cis_smb_server }} -rhel9cis_dovecot_server: {{ rhel9cis_dovecot_server }} -rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} -rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} -rhel9cis_named_server: {{ rhel9cis_named_server }} -rhel9cis_nfs_rpc_server: {{ rhel9cis_nfs_rpc_server }} -rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} -rhel9cis_bind: {{ rhel9cis_bind }} -rhel9cis_vsftpd: {{ rhel9cis_vsftpd }} -rhel9cis_httpd: {{ rhel9cis_httpd }} -rhel9cis_dovecot: {{ rhel9cis_dovecot }} -rhel9cis_samba: {{ rhel9cis_samba }} -rhel9cis_squid: {{ rhel9cis_squid }} -rhel9cis_net_snmp: {{ rhel9cis_net_snmp}} -rhel9cis_allow_autofs: {{ rhel9cis_allow_autofs }} - -# client services -rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} -rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} -rhel9cis_talk_required: {{ rhel9cis_talk_required }} -rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} -rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} +# Section 1 # AIDE rhel9cis_config_aide: {{ rhel9cis_config_aide }} -# aide setup via - cron, timer -rhel9_aide_scan: cron - -# AIDE cron settings -rhel9cis_aide_cron: - cron_user: {{ rhel9cis_aide_cron.cron_user }} - cron_file: '{{ rhel9cis_aide_cron.cron_file }}' - aide_job: ' {{ rhel9cis_aide_cron.aide_job }}' - aide_minute: '{{ rhel9cis_aide_cron.aide_minute }}' - aide_hour: '{{ rhel9cis_aide_cron.aide_hour }}' - aide_day: '{{ rhel9cis_aide_cron.aide_day }}' - aide_month: '{{ rhel9cis_aide_cron.aide_month }}' - aide_weekday: '{{ rhel9cis_aide_cron.aide_weekday }}' - -# 1.5.1 Bootloader password -rhel9cis_bootloader_password: {{ rhel9cis_bootloader_password_hash }} -rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} - -# 1.10 crypto -rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }} +# Whether or not to run tasks related to auditing/patching the desktop environment +rhel9cis_gui: {{ rhel9cis_gui }} # Warning Banner Content (issue, issue.net, motd) rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} # End Banner +# aide setup via - cron, timer +rhel9_aide_scan: cron + +# Section 2 +## 2.2 Special Purposes # Set to 'true' if X Windows is needed in your environment -rhel9cis_xwindows_required: {{ rhel9cis_xwindows_required }} +rhel9cis_xwindows_required: false +### Service configuration booleans set true to keep service +rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} +rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} +rhel9cis_cups_server: {{ rhel9cis_cups_server }} +rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} +rhel9cis_dns_server: {{ rhel9cis_dns_server }} +rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} +rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} +rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} +rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} +rhel9cis_nginx_server: {{ rhel9cis_nginx_server }} +rhel9cis_dovecot_server: {{ rhel9cis_dovecot_server }} +rhel9cis_imap_server: {{ rhel9cis_imap_server }} +rhel9cis_samba_server: {{ rhel9cis_samba_server }} +rhel9cis_squid_server: {{ rhel9cis_squid_server }} +rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} +rhel9cis_nis_server: {{ rhel9cis_nis_server }} +rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} +rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} -# Whether or not to run tasks related to auditing/patching the desktop environment -rhel9cis_gui: {{ rhel9cis_gui }} +# Note the options +# Packages are used for client services and Server- only remove if you dont use the client service +# +rhel9cis_use_nfs_server: {{ rhel9cis_use_nfs_server }} +rhel9cis_use_nfs_service: {{ rhel9cis_use_nfs_service }} +rhel9cis_use_rpc_server: {{ rhel9cis_use_rpc_server }} +rhel9cis_use_rpc_service: {{ rhel9cis_use_rpc_service }} +rhel9cis_use_rsync_server: {{ rhel9cis_use_rsync_server }} +rhel9cis_use_rsync_service: {{ rhel9cis_use_rsync_service }} -# xinetd required -rhel9cis_xinetd_required: {{ rhel9cis_xinetd_required }} +#### 2.3 Service clients +rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} +rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} +rhel9cis_talk_required: {{ rhel9cis_talk_required }} +rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} +rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} +rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} -# IPv6 required +# Section 3 + +## IPv6 required rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} -# System network parameters (host only OR host and router) +## 3.2 System network parameters (host only OR host and router) rhel9cis_is_router: {{ rhel9cis_is_router }} -# Time Synchronization -rhel9cis_time_synchronization: {{ rhel9cis_time_synchronization }} - -rhel9cis_varlog_location: {{ rhel9cis_varlog_location }} - +## Section 3.4 +### Firewall rhel9cis_firewall: {{ rhel9cis_firewall }} -#rhel9cis_firewall: iptables -rhel9cis_default_firewall_zone: {{ rhel9cis_default_zone }} -rhel9cis_firewall_interface: -- enp0s3 -- enp0s8 - -rhel9cis_firewall_services: {{ rhel9cis_firewall_services }} +##### firewalld +rhel9cis_default_zone: {{ rhel9cis_default_zone }} +rhel9cis_firewalld_nftables_state: {{ rhel9cis_firewalld_nftables_state }} # Note if absent removes the firewalld pkg dependancy +#### nftables +rhel9cis_nftables_firewalld_state: {{ rhel9cis_nftables_firewalld_state }} +rhel9cis_nft_tables_autonewtable: {{ rhel9cis_nft_tables_autonewtable }} +rhel9cis_nft_tables_tablename: {{ rhel9cis_nft_tables_tablename }} +rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }} - -### Section 4 -## auditd settings -rhel9cis_auditd: - space_left_action: {{ rhel9cis_auditd.space_left_action}} - action_mail_acct: {{ rhel9cis_auditd.action_mail_acct }} - admin_space_left_action: {{ rhel9cis_auditd.admin_space_left_action }} - max_log_file_action: {{ rhel9cis_auditd.max_log_file_action }} - auditd_backlog_limit: {{ rhel9cis_audit_back_log_limit }} +# Section 4 ## syslog -rhel9_cis_rsyslog: true +rhel9_cis_rsyslog: {{ rhel9cis_syslog }} -### Section 5 +# Section 5 +## 5.2.4 Note the following to understand precedence and layout rhel9cis_sshd_limited: false -#Note the following to understand precedence and layout rhel9cis_sshd_access: - AllowUser: - AllowGroup: - DenyUser: - DenyGroup: + - AllowUser + - AllowGroup + - DenyUser + - DenyGroup -rhel9cis_ssh_strong_ciphers: Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128- gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -rhel9cis_ssh_weak_ciphers: - 3des-cbc - aes128-cbc - aes192-cbc - aes256-cbc - arcfour - arcfour128 - arcfour256 - blowfish-cbc - cast128-cbc - rijndael-cbc@lysator.liu.se - -rhel9cis_ssh_strong_macs: MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2- 512,hmac-sha2-256 -rhel9cis_ssh_weak_macs: - hmac-md5 - hmac-md5-96 - hmac-ripemd160 - hmac-sha1 - hmac-sha1-96 - umac-64@openssh.com - umac-128@openssh.com - hmac-md5-etm@openssh.com - hmac-md5-96-etm@openssh.com - hmac-ripemd160-etm@openssh.com - hmac-sha1-etm@openssh.com - hmac-sha1-96-etm@openssh.com - umac-64-etm@openssh.com - umac-128-etm@openssh.com - -rhel9cis_ssh_strong_kex: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman- group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 -rhel9cis_ssh_weak_kex: - diffie-hellman-group1-sha1 - diffie-hellman-group14-sha1 - diffie-hellman-group-exchange-sha1 - -rhel9cis_ssh_aliveinterval: "300" -rhel9cis_ssh_countmax: "3" - -## PAM -rhel9cis_pam_password: - minlen: {{ rhel9cis_pam_password.minlen }} - minclass: {{ rhel9cis_pam_password.minclass }} -rhel9cis_pam_passwd_retry: "3" -# faillock or tally2 -rhel9cis_accountlock: faillock - -## note this is to skip tests -skip_rhel9cis_pam_passwd_auth: true -skip_rhel9cis_pam_system_auth: true - -# choose one of below -rhel9cis_pwhistory_so: "14" -rhel9cis_unix_so: false -rhel9cis_passwd_remember: "5" - -# logins.def password settings -rhel9cis_pass: - max_days: {{ rhel9cis_pass.max_days }} - min_days: {{ rhel9cis_pass.min_days }} - warn_age: {{ rhel9cis_pass.warn_age }} - -# 5.3.1/5.3.2 Custon authselect profile settings. Settings in place now will fail, they are place holders from the control example -rhel9cis_authselect: - custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }} - default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }} - options: {{ rhel9cis_authselect.options }} - -# 5.3.1 Enable automation to creat custom profile settings, using the setings above -rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }} - -# 5.3.2 Enable automation to select custom profile options, using the settings above +## 5.3.2 & 5.4.2 Enable automation to select custom profile options, using the settings above rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }} -# 5.7 -rhel9cis_sugroup: {{ rhel9cis_sugroup| default('wheel') }} -rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} +## 5.3.2 Authselect select false if using AD or RHEL ID mgmt +rhel9cis_authselect: + custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }} + default_file_to_copy: {{ rhel9cis_authselect['default_file_to_copy'] }} + + +## 5.4.1 Enable automation to create custom profile settings, using the setings above +rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }} + +# 5.5.1 +## PAM +rhel9cis_pam_password: + minlen: {{ rhel9cis_pam_password['minlen'] }} + minclass: {{ rhel9cis_pam_password['minclass'] }} +rhel9cis_pam_passwd_retry: "3" + +## 5.5.3 choose one of below +rhel9cis_pwhistory_so: "14" +rhel9cis_passwd_remember: "5" + +## 5.6.x login.defs password settings +rhel9cis_pass: + max_days: {{ rhel9cis_pass['max_days'] }} + min_days: {{ rhel9cis_pass['min_days'] }} + warn_age: {{ rhel9cis_pass['warn_age'] }} + +## 5.3.7 set sugroup if differs from wheel +rhel9cis_sugroup: {% if rhel9cis_sugroup is undefined %}wheel{% else %}{{ rhel9cis_sugroup }}{% endif %} + +## 5.3.7 sugroup users list +rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} \ No newline at end of file diff --git a/templates/ansible_vars_goss.yml.old b/templates/ansible_vars_goss.yml.old new file mode 100644 index 0000000..f10c74f --- /dev/null +++ b/templates/ansible_vars_goss.yml.old @@ -0,0 +1,429 @@ +## metadata for Audit benchmark +benchmark_version: '1.0.1' + +# Set if genuine RHEL (subscription manager check) not for derivatives e.g. CentOS +is_redhat_os: {% if ansible_distribution == "RedHat" %}true{% else %}false{% endif %} + +rhel9cis_os_distribution: {{ ansible_distribution | lower }} + +# timeout for each command to run where set - default = 10seconds/10000ms +timeout_ms: {{ audit_cmd_timeout }} + +# Taken from LE rhel8-cis +rhel9cis_section1: {{ rhel9cis_section1 }} +rhel9cis_section2: {{ rhel9cis_section2 }} +rhel9cis_section3: {{ rhel9cis_section3 }} +rhel9cis_section4: {{ rhel9cis_section4 }} +rhel9cis_section5: {{ rhel9cis_section5 }} +rhel9cis_section6: {{ rhel9cis_section6 }} + +rhel9cis_level_1: {{ rhel9cis_level_1 }} +rhel9cis_level_2: {{ rhel9cis_level_2 }} + +rhel9cis_selinux_disable: {{ rhel9cis_selinux_disable }} + + + +# to enable rules that may have IO impact on a system e.g. full filesystem scans or CPU heavy +run_heavy_tests: true +{% if rhel9cis_legacy_boot is defined %} +rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }} +{% endif %} + + +rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} +# These variables correspond with the CIS rule IDs or paragraph numbers defined in +# the CIS benchmark documents. +# PLEASE NOTE: These work in coordination with the section # group variables and tags. +# You must enable an entire section in order for the variables below to take effect. +# Section 1 rules +rhel9cis_rule_1_1_1_1: {{ rhel9cis_rule_1_1_1_1 }} +rhel9cis_rule_1_1_1_2: {{ rhel9cis_rule_1_1_1_2 }} +rhel9cis_rule_1_1_1_3: {{ rhel9cis_rule_1_1_1_3 }} +rhel9cis_rule_1_1_1_4: {{ rhel9cis_rule_1_1_1_4 }} +rhel9cis_rule_1_1_2: {{ rhel9cis_rule_1_1_2 }} +rhel9cis_rule_1_1_3: {{ rhel9cis_rule_1_1_3 }} +rhel9cis_rule_1_1_4: {{ rhel9cis_rule_1_1_4 }} +rhel9cis_rule_1_1_5: {{ rhel9cis_rule_1_1_5 }} +rhel9cis_rule_1_1_6: {{ rhel9cis_rule_1_1_6 }} +rhel9cis_rule_1_1_7: {{ rhel9cis_rule_1_1_7 }} +rhel9cis_rule_1_1_8: {{ rhel9cis_rule_1_1_8 }} +rhel9cis_rule_1_1_9: {{ rhel9cis_rule_1_1_9 }} +rhel9cis_rule_1_1_10: {{ rhel9cis_rule_1_1_10 }} +rhel9cis_rule_1_1_11: {{ rhel9cis_rule_1_1_11 }} +rhel9cis_rule_1_1_12: {{ rhel9cis_rule_1_1_12 }} +rhel9cis_rule_1_1_13: {{ rhel9cis_rule_1_1_13 }} +rhel9cis_rule_1_1_14: {{ rhel9cis_rule_1_1_14 }} +rhel9cis_rule_1_1_15: {{ rhel9cis_rule_1_1_15 }} +rhel9cis_rule_1_1_16: {{ rhel9cis_rule_1_1_16 }} +rhel9cis_rule_1_1_17: {{ rhel9cis_rule_1_1_17 }} +rhel9cis_rule_1_1_18: {{ rhel9cis_rule_1_1_18 }} +rhel9cis_rule_1_1_19: {{ rhel9cis_rule_1_1_19 }} +rhel9cis_rule_1_1_20: {{ rhel9cis_rule_1_1_20 }} +rhel9cis_rule_1_1_21: {{ rhel9cis_rule_1_1_21 }} +rhel9cis_rule_1_1_22: {{ rhel9cis_rule_1_1_22 }} +rhel9cis_rule_1_1_23: {{ rhel9cis_rule_1_1_23 }} +rhel9cis_rule_1_2_1: {% if ansible_distribution == "RedHat" %}True{% else %}False{% endif %} # Only run if Redhat and Subscribed +rhel9cis_rule_1_2_2: {{ rhel9cis_rule_1_2_2 }} +rhel9cis_rule_1_2_3: {{ rhel9cis_rule_1_2_3 }} +rhel9cis_rule_1_2_4: {{ rhel9cis_rule_1_2_4 }} +rhel9cis_rule_1_2_5: {{ rhel9cis_rule_1_2_5 }} +rhel9cis_rule_1_3_1: {{ rhel9cis_rule_1_3_1 }} +rhel9cis_rule_1_3_2: {{ rhel9cis_rule_1_3_2 }} +rhel9cis_rule_1_3_3: {{ rhel9cis_rule_1_3_3 }} +rhel9cis_rule_1_4_1: {{ rhel9cis_rule_1_4_1 }} +rhel9cis_rule_1_4_2: {{ rhel9cis_rule_1_4_2 }} +rhel9cis_rule_1_4_3: {{ rhel9cis_rule_1_4_3 }} +rhel9cis_rule_1_5_1: {{ rhel9cis_rule_1_5_1 }} +rhel9cis_rule_1_5_2: {{ rhel9cis_rule_1_5_2 }} +rhel9cis_rule_1_5_3: {{ rhel9cis_rule_1_5_3 }} + +rhel9cis_rule_1_7_1_1: {{ rhel9cis_rule_1_7_1_1 }} +rhel9cis_rule_1_7_1_2: {{ rhel9cis_rule_1_7_1_2 }} +rhel9cis_rule_1_7_1_3: {{ rhel9cis_rule_1_7_1_3 }} +rhel9cis_rule_1_7_1_4: {{ rhel9cis_rule_1_7_1_4 }} +rhel9cis_rule_1_7_1_5: {{ rhel9cis_rule_1_7_1_5 }} +rhel9cis_rule_1_7_1_6: {{ rhel9cis_rule_1_7_1_6 }} +rhel9cis_rule_1_7_1_7: {{ rhel9cis_rule_1_7_1_7 }} +rhel9cis_rule_1_8_1_1: {{ rhel9cis_rule_1_8_1_1 }} +rhel9cis_rule_1_8_1_2: {{ rhel9cis_rule_1_8_1_2 }} +rhel9cis_rule_1_8_1_3: {{ rhel9cis_rule_1_8_1_3 }} +rhel9cis_rule_1_8_1_4: {{ rhel9cis_rule_1_8_1_4 }} +rhel9cis_rule_1_8_1_5: {{ rhel9cis_rule_1_8_1_5 }} +rhel9cis_rule_1_8_1_6: {{ rhel9cis_rule_1_8_1_6 }} +rhel9cis_rule_1_8_2: {{ rhel9cis_rule_1_8_2 }} +rhel9cis_rule_1_9: {{ rhel9cis_rule_1_9 }} +rhel9cis_rule_1_10: {{ rhel9cis_rule_1_10 }} + + +# section 2 rules +rhel9cis_rule_2_1_1: {{ rhel9cis_rule_2_1_1 }} +rhel9cis_rule_2_2_1_1: {{ rhel9cis_rule_2_2_1_1 }} +rhel9cis_rule_2_2_1_2: {{ rhel9cis_rule_2_2_1_2 }} +rhel9cis_rule_2_2_2: {{ rhel9cis_rule_2_2_2 }} +rhel9cis_rule_2_2_3: {{ rhel9cis_rule_2_2_3 }} +rhel9cis_rule_2_2_4: {{ rhel9cis_rule_2_2_4 }} +rhel9cis_rule_2_2_5: {{ rhel9cis_rule_2_2_5 }} +rhel9cis_rule_2_2_6: {{ rhel9cis_rule_2_2_6 }} +rhel9cis_rule_2_2_7: {{ rhel9cis_rule_2_2_7 }} +rhel9cis_rule_2_2_8: {{ rhel9cis_rule_2_2_8 }} +rhel9cis_rule_2_2_9: {{ rhel9cis_rule_2_2_9 }} +rhel9cis_rule_2_2_10: {{ rhel9cis_rule_2_2_10 }} +rhel9cis_rule_2_2_11: {{ rhel9cis_rule_2_2_11 }} +rhel9cis_rule_2_2_12: {{ rhel9cis_rule_2_2_12 }} +rhel9cis_rule_2_2_13: {{ rhel9cis_rule_2_2_13 }} +rhel9cis_rule_2_2_14: {{ rhel9cis_rule_2_2_14 }} +rhel9cis_rule_2_2_15: {{ rhel9cis_rule_2_2_15 }} +rhel9cis_rule_2_2_16: {{ rhel9cis_rule_2_2_16 }} +rhel9cis_rule_2_2_17: {{ rhel9cis_rule_2_2_17 }} +rhel9cis_rule_2_2_18: {{ rhel9cis_rule_2_2_18 }} +rhel9cis_rule_2_3_1: {{ rhel9cis_rule_2_3_1 }} +rhel9cis_rule_2_3_2: {{ rhel9cis_rule_2_3_2 }} +rhel9cis_rule_2_3_3: {{ rhel9cis_rule_2_3_3 }} + + +# Section 3 rules +rhel9cis_rule_3_1_1: {{ rhel9cis_rule_3_1_1 }} +rhel9cis_rule_3_1_2: {{ rhel9cis_rule_3_1_2 }} +rhel9cis_rule_3_2_1: {{ rhel9cis_rule_3_2_1 }} +rhel9cis_rule_3_2_2: {{ rhel9cis_rule_3_2_2 }} +rhel9cis_rule_3_2_3: {{ rhel9cis_rule_3_2_3 }} +rhel9cis_rule_3_2_4: {{ rhel9cis_rule_3_2_4 }} +rhel9cis_rule_3_2_5: {{ rhel9cis_rule_3_2_5 }} +rhel9cis_rule_3_2_6: {{ rhel9cis_rule_3_2_6 }} +rhel9cis_rule_3_2_7: {{ rhel9cis_rule_3_2_7 }} +rhel9cis_rule_3_2_8: {{ rhel9cis_rule_3_2_8 }} +rhel9cis_rule_3_2_9: {{ rhel9cis_rule_3_2_9 }} +rhel9cis_rule_3_3_1: {{ rhel9cis_rule_3_3_1 }} +rhel9cis_rule_3_3_2: {{ rhel9cis_rule_3_3_2 }} +rhel9cis_rule_3_3_3: {{ rhel9cis_rule_3_3_3 }} +rhel9cis_rule_3_3_4: {{ rhel9cis_rule_3_3_4 }} +rhel9cis_rule_3_4_1_1: {{ rhel9cis_rule_3_4_1_1 }} +rhel9cis_rule_3_4_2_1: {{ rhel9cis_rule_3_4_2_1 }} +rhel9cis_rule_3_4_2_2: {{ rhel9cis_rule_3_4_2_2 }} +rhel9cis_rule_3_4_2_3: {{ rhel9cis_rule_3_4_2_3 }} +rhel9cis_rule_3_4_2_4: {{ rhel9cis_rule_3_4_2_4 }} +rhel9cis_rule_3_4_2_5: {{ rhel9cis_rule_3_4_2_5 }} +rhel9cis_rule_3_4_2_6: {{ rhel9cis_rule_3_4_2_6 }} +rhel9cis_rule_3_5: {{ rhel9cis_rule_3_5 }} +rhel9cis_rule_3_6: {{ rhel9cis_rule_3_6 }} + + +# Section 4 rules +rhel9cis_rule_4_1_1_1: {{ rhel9cis_rule_4_1_1_1 }} +rhel9cis_rule_4_1_1_2: {{ rhel9cis_rule_4_1_1_2 }} +rhel9cis_rule_4_1_1_3: {{ rhel9cis_rule_4_1_1_3 }} +rhel9cis_rule_4_1_1_4: {{ rhel9cis_rule_4_1_1_4 }} +rhel9cis_rule_4_1_2_1: {{ rhel9cis_rule_4_1_2_1 }} +rhel9cis_rule_4_1_2_2: {{ rhel9cis_rule_4_1_2_2 }} +rhel9cis_rule_4_1_2_3: {{ rhel9cis_rule_4_1_2_3 }} +rhel9cis_rule_4_1_3: {{ rhel9cis_rule_4_1_3 }} +rhel9cis_rule_4_1_4: {{ rhel9cis_rule_4_1_4 }} +rhel9cis_rule_4_1_5: {{ rhel9cis_rule_4_1_5 }} +rhel9cis_rule_4_1_6: {{ rhel9cis_rule_4_1_6 }} +rhel9cis_rule_4_1_7: {{ rhel9cis_rule_4_1_7 }} +rhel9cis_rule_4_1_8: {{ rhel9cis_rule_4_1_8 }} +rhel9cis_rule_4_1_9: {{ rhel9cis_rule_4_1_9 }} +rhel9cis_rule_4_1_10: {{ rhel9cis_rule_4_1_10 }} +rhel9cis_rule_4_1_11: {{ rhel9cis_rule_4_1_11 }} +rhel9cis_rule_4_1_12: {{ rhel9cis_rule_4_1_12 }} +rhel9cis_rule_4_1_13: {{ rhel9cis_rule_4_1_13 }} +rhel9cis_rule_4_1_14: {{ rhel9cis_rule_4_1_14 }} +rhel9cis_rule_4_1_15: {{ rhel9cis_rule_4_1_15 }} +rhel9cis_rule_4_1_16: {{ rhel9cis_rule_4_1_16 }} +rhel9cis_rule_4_1_17: {{ rhel9cis_rule_4_1_17 }} +rhel9cis_rule_4_2_1_1: {{ rhel9cis_rule_4_2_1_1 }} +rhel9cis_rule_4_2_1_2: {{ rhel9cis_rule_4_2_1_2 }} +rhel9cis_rule_4_2_1_3: {{ rhel9cis_rule_4_2_1_3 }} +rhel9cis_rule_4_2_1_4: {{ rhel9cis_rule_4_2_1_4 }} +rhel9cis_rule_4_2_1_5: {{ rhel9cis_rule_4_2_1_5 }} +rhel9cis_rule_4_2_1_6: {{ rhel9cis_rule_4_2_1_6 }} +rhel9cis_rule_4_2_2_1: {{ rhel9cis_rule_4_2_2_1 }} +rhel9cis_rule_4_2_2_2: {{ rhel9cis_rule_4_2_2_2 }} +rhel9cis_rule_4_2_2_3: {{ rhel9cis_rule_4_2_2_3 }} +rhel9cis_rule_4_2_3: {{ rhel9cis_rule_4_2_3 }} +rhel9cis_rule_4_3: {{ rhel9cis_rule_4_3 }} + +# Section 5 +rhel9cis_rule_5_1_1: {{ rhel9cis_rule_5_1_1 }} +rhel9cis_rule_5_1_2: {{ rhel9cis_rule_5_1_2 }} +rhel9cis_rule_5_1_3: {{ rhel9cis_rule_5_1_3 }} +rhel9cis_rule_5_1_4: {{ rhel9cis_rule_5_1_4 }} +rhel9cis_rule_5_1_5: {{ rhel9cis_rule_5_1_5 }} +rhel9cis_rule_5_1_6: {{ rhel9cis_rule_5_1_6 }} +rhel9cis_rule_5_1_7: {{ rhel9cis_rule_5_1_7 }} +rhel9cis_rule_5_1_8: {{ rhel9cis_rule_5_1_8 }} + +rhel9cis_rule_5_2_1: {{ rhel9cis_rule_5_2_1 }} +rhel9cis_rule_5_2_2: {{ rhel9cis_rule_5_2_2 }} +rhel9cis_rule_5_2_3: {{ rhel9cis_rule_5_2_3 }} +rhel9cis_rule_5_2_4: {{ rhel9cis_rule_5_2_4 }} +rhel9cis_rule_5_2_5: {{ rhel9cis_rule_5_2_5 }} +rhel9cis_rule_5_2_6: {{ rhel9cis_rule_5_2_6 }} +rhel9cis_rule_5_2_7: {{ rhel9cis_rule_5_2_7 }} +rhel9cis_rule_5_2_8: {{ rhel9cis_rule_5_2_8 }} +rhel9cis_rule_5_2_9: {{ rhel9cis_rule_5_2_9 }} +rhel9cis_rule_5_2_10: {{ rhel9cis_rule_5_2_10 }} +rhel9cis_rule_5_2_11: {{ rhel9cis_rule_5_2_11 }} +rhel9cis_rule_5_2_12: {{ rhel9cis_rule_5_2_12 }} +rhel9cis_rule_5_2_13: {{ rhel9cis_rule_5_2_13 }} +rhel9cis_rule_5_2_14: {{ rhel9cis_rule_5_2_14 }} +rhel9cis_rule_5_2_15: {{ rhel9cis_rule_5_2_15 }} +rhel9cis_rule_5_2_16: {{ rhel9cis_rule_5_2_16 }} +rhel9cis_rule_5_2_17: {{ rhel9cis_rule_5_2_17 }} +rhel9cis_rule_5_2_18: {{ rhel9cis_rule_5_2_18 }} +rhel9cis_rule_5_2_19: {{ rhel9cis_rule_5_2_19 }} +rhel9cis_rule_5_2_20: {{ rhel9cis_rule_5_2_20 }} + +rhel9cis_rule_5_3_1: {{ rhel9cis_rule_5_3_1 }} +rhel9cis_rule_5_3_2: {{ rhel9cis_rule_5_3_2 }} +rhel9cis_rule_5_3_3: {{ rhel9cis_rule_5_3_3 }} + +rhel9cis_rule_5_4_1: {{ rhel9cis_rule_5_4_1 }} +rhel9cis_rule_5_4_2: {{ rhel9cis_rule_5_4_2 }} +rhel9cis_rule_5_4_3: {{ rhel9cis_rule_5_4_3 }} +rhel9cis_rule_5_4_4: {{ rhel9cis_rule_5_4_4 }} + +rhel9cis_rule_5_5_1_1: {{ rhel9cis_rule_5_5_1_1 }} +rhel9cis_rule_5_5_1_2: {{ rhel9cis_rule_5_5_1_2 }} +rhel9cis_rule_5_5_1_3: {{ rhel9cis_rule_5_5_1_3 }} +rhel9cis_rule_5_5_1_4: {{ rhel9cis_rule_5_5_1_4 }} +rhel9cis_rule_5_5_1_5: {{ rhel9cis_rule_5_5_1_5 }} + +rhel9cis_rule_5_5_2: {{ rhel9cis_rule_5_5_2 }} +rhel9cis_rule_5_5_3: {{ rhel9cis_rule_5_5_3 }} +rhel9cis_rule_5_5_4: {{ rhel9cis_rule_5_5_4 }} +rhel9cis_rule_5_5_5: {{ rhel9cis_rule_5_5_5 }} + +rhel9cis_rule_5_6: {{ rhel9cis_rule_5_6 }} +rhel9cis_rule_5_7: {{ rhel9cis_rule_5_7 }} + +# Section 6 +rhel9cis_rule_6_1_1: {{ rhel9cis_rule_6_1_1 }} +rhel9cis_rule_6_1_2: {{ rhel9cis_rule_6_1_2 }} +rhel9cis_rule_6_1_3: {{ rhel9cis_rule_6_1_3 }} +rhel9cis_rule_6_1_4: {{ rhel9cis_rule_6_1_4 }} +rhel9cis_rule_6_1_5: {{ rhel9cis_rule_6_1_5 }} +rhel9cis_rule_6_1_6: {{ rhel9cis_rule_6_1_6 }} +rhel9cis_rule_6_1_7: {{ rhel9cis_rule_6_1_7 }} +rhel9cis_rule_6_1_8: {{ rhel9cis_rule_6_1_8 }} +rhel9cis_rule_6_1_9: {{ rhel9cis_rule_6_1_9 }} +rhel9cis_rule_6_1_10: {{ rhel9cis_rule_6_1_10 }} +rhel9cis_rule_6_1_11: {{ rhel9cis_rule_6_1_11 }} +rhel9cis_rule_6_1_12: {{ rhel9cis_rule_6_1_12 }} +rhel9cis_rule_6_1_13: {{ rhel9cis_rule_6_1_13 }} +rhel9cis_rule_6_1_14: {{ rhel9cis_rule_6_1_14 }} + +rhel9cis_rule_6_2_1: {{ rhel9cis_rule_6_2_1 }} +rhel9cis_rule_6_2_2: {{ rhel9cis_rule_6_2_2 }} +rhel9cis_rule_6_2_3: {{ rhel9cis_rule_6_2_3 }} +rhel9cis_rule_6_2_4: {{ rhel9cis_rule_6_2_4 }} +rhel9cis_rule_6_2_5: {{ rhel9cis_rule_6_2_5 }} +rhel9cis_rule_6_2_6: {{ rhel9cis_rule_6_2_6 }} +rhel9cis_rule_6_2_7: {{ rhel9cis_rule_6_2_7 }} +rhel9cis_rule_6_2_8: {{ rhel9cis_rule_6_2_8 }} +rhel9cis_rule_6_2_9: {{ rhel9cis_rule_6_2_9 }} +rhel9cis_rule_6_2_10: {{ rhel9cis_rule_6_2_10 }} +rhel9cis_rule_6_2_11: {{ rhel9cis_rule_6_2_11 }} +rhel9cis_rule_6_2_12: {{ rhel9cis_rule_6_2_12 }} +rhel9cis_rule_6_2_13: {{ rhel9cis_rule_6_2_13 }} +rhel9cis_rule_6_2_14: {{ rhel9cis_rule_6_2_14 }} +rhel9cis_rule_6_2_15: {{ rhel9cis_rule_6_2_15 }} +rhel9cis_rule_6_2_16: {{ rhel9cis_rule_6_2_16 }} +rhel9cis_rule_6_2_17: {{ rhel9cis_rule_6_2_17 }} +rhel9cis_rule_6_2_18: {{ rhel9cis_rule_6_2_18 }} +rhel9cis_rule_6_2_19: {{ rhel9cis_rule_6_2_19 }} +rhel9cis_rule_6_2_20: {{ rhel9cis_rule_6_2_20 }} + + +# Service configuration booleans set true to keep service +rhel9cis_avahi_server: {{ rhel9cis_avahi_server }} +rhel9cis_cups_server: {{ rhel9cis_cups_server }} +rhel9cis_dhcp_server: {{ rhel9cis_dhcp_server }} +rhel9cis_dns_server: {{ rhel9cis_dns_server }} +rhel9cis_ftp_server: {{ rhel9cis_ftp_server }} +rhel9cis_vsftpd_server: {{ rhel9cis_vsftpd_server }} +rhel9cis_tftp_server: {{ rhel9cis_tftp_server }} +rhel9cis_httpd_server: {{ rhel9cis_httpd_server }} +rhel9cis_nginx_server: {{ rhel9cis_nginx_server }} +rhel9cis_dovecot_cyrus_server: {{ rhel9cis_dovecot_cyrus_server }} +rhel9cis_samba_server: {{ rhel9cis_samba_server }} +rhel9cis_squid_server: {{ rhel9cis_squid_server }} +rhel9cis_snmp_server: {{ rhel9cis_snmp_server }} +rhel9cis_nis_server: {{ rhel9cis_nis_server }} +rhel9cis_telnet_server: {{ rhel9cis_telnet_server }} +rhel9cis_is_mail_server: {{ rhel9cis_is_mail_server }} +rhel9cis_nfs_server: {{ rhel9cis_nfs_server }} +rhel9cis_rpc_server: {{ rhel9cis_rpc_server }} +rhel9cis_rsync_server: {{ rhel9cis_rsync_server }} + + +rhel9cis_allow_autofs: {{ rhel9cis_allow_autofs }} + +# client services +rhel9cis_ypbind_required: {{ rhel9cis_ypbind_required }} +rhel9cis_rsh_required: {{ rhel9cis_rsh_required }} +rhel9cis_talk_required: {{ rhel9cis_talk_required }} +rhel9cis_telnet_required: {{ rhel9cis_telnet_required }} +rhel9cis_openldap_clients_required: {{ rhel9cis_openldap_clients_required }} +rhel9cis_tftp_client: {{ rhel9cis_tftp_client }} + + + + +# AIDE +rhel9cis_config_aide: {{ rhel9cis_config_aide }} + +# aide setup via - cron, timer +rhel9_aide_scan: cron + +# AIDE cron settings +rhel9cis_aide_cron: + cron_user: {{ rhel9cis_aide_cron.cron_user }} + cron_file: '{{ rhel9cis_aide_cron.cron_file }}' + aide_job: ' {{ rhel9cis_aide_cron.aide_job }}' + aide_minute: '{{ rhel9cis_aide_cron.aide_minute }}' + aide_hour: '{{ rhel9cis_aide_cron.aide_hour }}' + aide_day: '{{ rhel9cis_aide_cron.aide_day }}' + aide_month: '{{ rhel9cis_aide_cron.aide_month }}' + aide_weekday: '{{ rhel9cis_aide_cron.aide_weekday }}' + +# 1.5.1 Bootloader password +rhel9cis_bootloader_password: {{ rhel9cis_bootloader_password_hash }} +rhel9cis_set_boot_pass: {{ rhel9cis_set_boot_pass }} + +# 1.10 crypto +rhel9cis_crypto_policy: {{ rhel9cis_crypto_policy }} + +# Warning Banner Content (issue, issue.net, motd) +rhel9cis_warning_banner: {{ rhel9cis_warning_banner }} +# End Banner + + +# Whether or not to run tasks related to auditing/patching the desktop environment +rhel9cis_gui: {{ rhel9cis_gui }} + +# xinetd required +rhel9cis_xinetd_server: {{ rhel9cis_xinetd_server }} + +# IPv6 required +rhel9cis_ipv6_required: {{ rhel9cis_ipv6_required }} + +# System network parameters (host only OR host and router) +rhel9cis_is_router: {{ rhel9cis_is_router }} + + +rhel9cis_firewall: {{ rhel9cis_firewall }} +#rhel9cis_firewall: iptables +rhel9cis_default_firewall_zone: {{ rhel9cis_default_zone }} +rhel9cis_firewall_interface: +- enp0s3 +- enp0s8 + +rhel9cis_firewall_services: {{ rhel9cis_firewall_services }} + + +### Section 4 +## auditd settings +rhel9cis_auditd: + space_left_action: {{ rhel9cis_auditd.space_left_action}} + action_mail_acct: {{ rhel9cis_auditd.action_mail_acct }} + admin_space_left_action: {{ rhel9cis_auditd.admin_space_left_action }} + max_log_file_action: {{ rhel9cis_auditd.max_log_file_action }} + auditd_backlog_limit: {{ rhel9cis_audit_back_log_limit }} + +## syslog +rhel9_cis_rsyslog: true + +### Section 5 +rhel9cis_sshd_limited: false +#Note the following to understand precedence and layout +rhel9cis_sshd_access: + AllowUser: + AllowGroup: + DenyUser: + DenyGroup: + +rhel9cis_ssh_aliveinterval: "300" +rhel9cis_ssh_countmax: "3" + +rhel9cis_sudolog_location: {{ rhel9cis_sudolog_location }} + +## PAM +rhel9cis_pam_password: + minlen: {{ rhel9cis_pam_password.minlen }} + minclass: {{ rhel9cis_pam_password.minclass }} +rhel9cis_pam_passwd_retry: "3" +# faillock or tally2 +rhel9cis_accountlock: faillock + +## note this is to skip tests +skip_rhel9cis_pam_passwd_auth: true +skip_rhel9cis_pam_system_auth: true + +# choose one of below +rhel9cis_pwhistory_so: "14" +rhel9cis_unix_so: false +rhel9cis_passwd_remember: "5" + +# logins.def password settings +rhel9cis_pass: + max_days: {{ rhel9cis_pass.max_days }} + min_days: {{ rhel9cis_pass.min_days }} + warn_age: {{ rhel9cis_pass.warn_age }} + +# 5.3.1/5.3.2 Custon authselect profile settings. Settings in place now will fail, they are place holders from the control example +rhel9cis_authselect: + custom_profile_name: {{ rhel9cis_authselect['custom_profile_name'] }} + default_file_to_copy: {{ rhel9cis_authselect.default_file_to_copy }} + options: {{ rhel9cis_authselect.options }} + +# 5.3.1 Enable automation to creat custom profile settings, using the setings above +rhel9cis_authselect_custom_profile_create: {{ rhel9cis_authselect_custom_profile_create }} + +# 5.3.2 Enable automation to select custom profile options, using the settings above +rhel9cis_authselect_custom_profile_select: {{ rhel9cis_authselect_custom_profile_select }} + +# 5.7 +rhel9cis_sugroup: {{ rhel9cis_sugroup| default('wheel') }} +rhel9cis_sugroup_users: {{ rhel9cis_sugroup_users }} diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 43897d7..7abe895 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -1,79 +1,93 @@ -# File created initially via RHEL9 CIS ansible-lockdown remdiation role -{% if rhel9cis_rule_4_1_3 %} +# This template will set all of the auditd configurations via a handler in the role in one task instead of individually +{% if rhel9cis_rule_4_1_3_1 %} -w /etc/sudoers -p wa -k scope --w /etc/sudoers.d/ -p wa -k scope +-w /etc/sudoers.d -p wa -k scope {% endif %} -{% if rhel9cis_rule_4_1_4 %} --w /var/log/faillog -p wa -k logins --w /var/log/lastlog -p wa -k logins +{% if rhel9cis_rule_4_1_3_2 %} +-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation +-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation {% endif %} -{% if rhel9cis_rule_4_1_5 %} --w /var/run/utmp -p wa -k session --w /var/log/wtmp -p wa -k logins --w /var/log/btmp -p wa -k logins +{% if rhel9cis_rule_4_1_3_3 %} +-w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file {% endif %} -{% if rhel9cis_rule_4_1_6 %} --a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change --a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change --a always,exit -F arch=b64 -S clock_settime -k time-change --a always,exit -F arch=b32 -S clock_settime -k time-change +{% if rhel9cis_rule_4_1_3_4 %} +-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change +-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change -w /etc/localtime -p wa -k time-change {% endif %} -{% if rhel9cis_rule_4_1_7 %} --w /etc/selinux/ -p wa -k MAC-policy --w /usr/share/selinux/ -p wa -k MAC-policy -{% endif %} -{% if rhel9cis_rule_4_1_8 %} --a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale --a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale +{% if rhel9cis_rule_4_1_3_5 %} +-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale +-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale +-w /etc/sysconfig/network-scripts -p wa -k system-locale {% endif %} -{% if rhel9cis_rule_4_1_9 %} --a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod --a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>={{ min_int_uid }} -F auid!=4294967295 -k perm_mod +{% if rhel9cis_rule_4_1_3_6 %} +{% for proc in priv_procs.stdout_lines -%} +-a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k privileged +{% endfor %} {% endif %} -{% if rhel9cis_rule_4_1_10 %} --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access --a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=access +{% if rhel9cis_rule_4_1_3_7 %} +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -k access +-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>={{ min_int_uid }} -F auid!=unset -k access +-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>={{ min_int_uid }} -F auid!=unset -k access {% endif %} -{% if rhel9cis_rule_4_1_11 %} +{% if rhel9cis_rule_4_1_3_8 %} -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity {% endif %} -{% if rhel9cis_rule_4_1_12 %} --a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts --a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=4294967295 -k mounts +{% if rhel9cis_rule_4_1_3_9 %} +-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod +-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ min_int_uid }} -F auid!=unset -F key=perm_mod {% endif %} -{% if rhel9cis_rule_4_1_13 %} -{% for proc in priv_procs.stdout_lines -%} --a always,exit -F path={{ proc }} -F perm=x -F auid>={{ min_int_uid }} -F auid!=4294967295 -k privileged -{% endfor %} +{% if rhel9cis_rule_4_1_3_10 %} +-a always,exit -F arch=b32 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts +-a always,exit -F arch=b64 -S mount -F auid>={{ min_int_uid }} -F auid!=unset -k mounts {% endif %} -{% if rhel9cis_rule_4_1_14 %} --a always,exit -F arch=b32 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete --a always,exit -F arch=b64 -S rmdir,unlink,unlinkat,rename -S renameat -F auid>={{ min_int_uid }} -F auid!=4294967295 -F key=delete +{% if rhel9cis_rule_4_1_3_11 %} +-w /var/run/utmp -p wa -k session +-w /var/log/wtmp -p wa -k session +-w /var/log/btmp -p wa -k session {% endif %} -{% if rhel9cis_rule_4_1_15 %} --w /usr/sbin/insmod -p x -k modules --w /usr/sbin/rmmod -p x -k modules --w /usr/sbin/modprobe -p x -k modules --a always,exit -F arch=b64 -S init_module -S delete_module -k modules +{% if rhel9cis_rule_4_1_3_12 %} +-w /var/log/lastlog -p wa -k logins +-w /var/run/faillock -p wa -k logins {% endif %} -{% if rhel9cis_rule_4_1_16 %} --w /var/log/sudo.log -p wa -k actions +{% if rhel9cis_rule_4_1_3_13 %} +-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete +-a always,exit -F arch=b32 -S rename,unlink,unlinkat,renameat -F auid>={{ min_int_uid }} -F auid!=unset -F key=delete {% endif %} -{% if rhel9cis_rule_4_1_17 %} +{% if rhel9cis_rule_4_1_3_14 %} +-w /etc/selinux -p wa -k MAC-policy +-w /usr/share/selinux -p wa -k MAC-policy +{% endif %} +{% if rhel9cis_rule_4_1_3_15 %} +-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng +{% endif %} +{% if rhel9cis_rule_4_1_3_16 %} +-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k perm_chng +{% endif %} +{% if rhel9cis_rule_4_1_3_17 %} +-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k priv_cmd +{% endif %} +{% if rhel9cis_rule_4_1_3_18 %} +-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k usermod +{% endif %} +{% if rhel9cis_rule_4_1_3_19 %} +-a always,exit -F arch=b64 -S init_module,finit_module,delete_module,create_module,query_module -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules +-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ min_int_uid }} -F auid!=unset -k kernel_modules +{% endif %} +{% if rhel9cis_rule_4_1_3_20 %} -e 2 + {% endif %} diff --git a/templates/etc/99-sysctl.conf.j2 b/templates/etc/99-sysctl.conf.j2 deleted file mode 100644 index 61f4dfa..0000000 --- a/templates/etc/99-sysctl.conf.j2 +++ /dev/null @@ -1,75 +0,0 @@ -# Setting added via ansible CIS remediation playbook - -{% if rhel9cis_rule_1_6_1 %} -# Filesystem sysctl -# CIS 1.6.1 -fs.suid_dumpable = 0 -{% endif %} -{% if rhel9cis_rule_1_6_2 %} -# Kernel sysctl -# CIS 1.6.2 -kernel.randomize_va_space = 2 -{% endif %} - -# Network sysctl -{% if rhel9cis_rule_3_1_1 %} -# CIS 3.1.1 -net.ipv4.ip_forward = 0 -{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} -net.ipv6.conf.all.forwarding = 0 -{% endif %} -{% endif %} -{% if rhel9cis_rule_3_1_2 %} -# CIS 3.1.2 -net.ipv4.conf.all.send_redirects = 0 -net.ipv4.conf.default.send_redirects = 0 -{% endif %} -{% if rhel9cis_rule_3_2_1 %} -# CIS 3.2.1 -net.ipv4.conf.all.accept_source_route = 0 -net.ipv4.conf.default.accept_source_route = 0 -{% if rhel9cis_rule_3_2_1 and rhel9cis_ipv6_required %} -net.ipv6.conf.all.accept_source_route = 0 -net.ipv6.conf.default.accept_source_route = 0 -{% endif %} -{% endif %} -{% if rhel9cis_rule_3_2_2 %} -# CIS 3.2.2 -net.ipv4.conf.all.accept_redirects = 0 -net.ipv4.conf.default.accept_redirects = 0 -{% if rhel9cis_rule_3_2_2 and rhel9cis_ipv6_required %} -net.ipv6.conf.all.accept_redirects = 0 -net.ipv6.conf.default.accept_redirects = 0 -{% endif %} -{% endif %} -{% if rhel9cis_rule_3_2_3 %} -# CIS 3.2.3 -net.ipv4.conf.all.secure_redirects = 0 -net.ipv4.conf.default.secure_redirects = 0 -{% endif %} -{% if rhel9cis_rule_3_2_4 %} -# CIS 3.2.4 -net.ipv4.conf.all.log_martians = 1 -net.ipv4.conf.default.log_martians = 1 -{% endif %} -{% if rhel9cis_rule_3_2_5 %} -# CIS 3.2.5 -net.ipv4.icmp_echo_ignore_broadcasts = 1 -{% endif %} -{% if rhel9cis_rule_3_2_6 %} -# CIS 3.2.6 -net.ipv4.icmp_ignore_bogus_error_responses = 1 -{% endif %} -{% if rhel9cis_rule_3_2_7 %} -# CIS 3.2.7 -net.ipv4.conf.default.rp_filter = 1 -{% endif %} -{% if rhel9cis_rule_3_2_8 %} -# CIS 3.2.8 -net.ipv4.tcp_syncookies = 1 -{% endif %} -{% if rhel9cis_rule_3_2_9 %} -# CIS 3.2.9 -net.ipv6.conf.all.accept_ra = 0 -net.ipv6.conf.default.accept_ra = 0 -{% endif %} \ No newline at end of file diff --git a/templates/chrony.conf.j2 b/templates/etc/chrony.conf.j2 similarity index 100% rename from templates/chrony.conf.j2 rename to templates/etc/chrony.conf.j2 diff --git a/templates/aide.cron.j2 b/templates/etc/cron.d/aide.cron.j2 similarity index 95% rename from templates/aide.cron.j2 rename to templates/etc/cron.d/aide.cron.j2 index 848dcca..f9014fa 100644 --- a/templates/aide.cron.j2 +++ b/templates/etc/cron.d/aide.cron.j2 @@ -1,5 +1,5 @@ # Run AIDE integrity check # added via ansible-lockdown remediation -# CIS 1.4.2 +# CIS 1.3.2 {{ rhel9cis_aide_cron['aide_minute'] }} {{ rhel9cis_aide_cron['aide_hour'] }} {{ rhel9cis_aide_cron['aide_month'] }} {{ rhel9cis_aide_cron['aide_weekday'] }} {{ rhel9cis_aide_cron['aide_job'] }} diff --git a/templates/etc/modprobe.d/modprobe.conf.j2 b/templates/etc/modprobe.d/modprobe.conf.j2 new file mode 100644 index 0000000..1a1a48d --- /dev/null +++ b/templates/etc/modprobe.d/modprobe.conf.j2 @@ -0,0 +1,5 @@ +# Disable usage of protocol {{ item }} +# Set by ansible {{ benchmark }} remediation role +# https://github.com/ansible-lockdown + +install {{ item }} /bin/true \ No newline at end of file diff --git a/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 new file mode 100644 index 0000000..34ee10c --- /dev/null +++ b/templates/etc/sysctl.d/60-disable_ipv6.conf.j2 @@ -0,0 +1,7 @@ +# Setting added via ansible CIS remediation playbook + +# IPv6 disable +{% if rhel9cis_rule_3_1_1 and rhel9cis_ipv6_required %} +net.ipv6.conf.all.disable_ipv6 = 1 +net.ipv6.conf.default.disable_ipv6 = 1 +{% endif %} diff --git a/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 new file mode 100644 index 0000000..cbfffed --- /dev/null +++ b/templates/etc/sysctl.d/60-kernel_sysctl.conf.j2 @@ -0,0 +1,8 @@ +# Setting added via ansible CIS remediation playbook + + +{% if rhel9cis_rule_1_5_3 %} +# Kernel sysctl +# CIS 1.5.3 +kernel.randomize_va_space = 2 +{% endif %} \ No newline at end of file diff --git a/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 new file mode 100644 index 0000000..308b914 --- /dev/null +++ b/templates/etc/sysctl.d/60-netipv4_sysctl.conf.j2 @@ -0,0 +1,49 @@ +# Setting added via ansible CIS remediation playbook + +# IPv4 Network sysctl +{% if rhel9cis_rule_3_2_1 %} +# CIS 3.2.1 +net.ipv4.ip_forward = 0 +{% endif %} +{% if rhel9cis_rule_3_2_2 %} +# CIS 3.2.2 +net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.default.send_redirects = 0 +{% endif %} +{% if rhel9cis_rule_3_3_1 %} +# CIS 3.3.1 +net.ipv4.conf.all.accept_source_route = 0 +net.ipv4.conf.default.accept_source_route = 0 +{% endif %} +{% if rhel9cis_rule_3_3_2 %} +# CIS 3.3.2 +net.ipv4.conf.all.accept_redirects = 0 +net.ipv4.conf.default.accept_redirects = 0 +{% endif %} +{% if rhel9cis_rule_3_3_3 %} +# CIS 3.3.3 +net.ipv4.conf.all.secure_redirects = 0 +net.ipv4.conf.default.secure_redirects = 0 +{% endif %} +{% if rhel9cis_rule_3_3_4 %} +# CIS 3.3.4 +net.ipv4.conf.all.log_martians = 1 +net.ipv4.conf.default.log_martians = 1 +{% endif %} +{% if rhel9cis_rule_3_3_5 %} +# CIS 3.3.5 +net.ipv4.icmp_echo_ignore_broadcasts = 1 +{% endif %} +{% if rhel9cis_rule_3_3_6 %} +# CIS 3.3.6 +net.ipv4.icmp_ignore_bogus_error_responses = 1 +{% endif %} +{% if rhel9cis_rule_3_3_7 %} +# CIS 3.3.7 +net.ipv4.conf.all.rp_filter = 1 +net.ipv4.conf.default.rp_filter = 1 +{% endif %} +{% if rhel9cis_rule_3_3_8 %} +# CIS 3.3.8 +net.ipv4.tcp_syncookies = 1 +{% endif %} diff --git a/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 new file mode 100644 index 0000000..0b23c55 --- /dev/null +++ b/templates/etc/sysctl.d/60-netipv6_sysctl.conf.j2 @@ -0,0 +1,21 @@ +# Setting added via ansible CIS remediation playbook + +# IPv6 Network sysctl +{% if rhel9cis_ipv6_required %} +{% if rhel9cis_rule_3_2_1 %} +net.ipv6.conf.all.forwarding = 0 +{% endif %} +{% if rhel9cis_rule_3_3_1 %} +net.ipv6.conf.all.accept_source_route = 0 +net.ipv6.conf.default.accept_source_route = 0 +{% endif %} +{% if rhel9cis_rule_3_3_2 %} +net.ipv6.conf.all.accept_redirects = 0 +net.ipv6.conf.default.accept_redirects = 0 +{% endif %} +{% if rhel9cis_rule_3_3_9 %} +# CIS 3.3.9 +net.ipv6.conf.all.accept_ra = 0 +net.ipv6.conf.default.accept_ra = 0 +{% endif %} +{% endif %} \ No newline at end of file diff --git a/templates/hosts.allow.j2 b/templates/hosts.allow.j2 deleted file mode 100644 index 4bab3d1..0000000 --- a/templates/hosts.allow.j2 +++ /dev/null @@ -1,11 +0,0 @@ -# -# hosts.allow This file contains access rules which are used to -# allow or deny connections to network services that -# either use the tcp_wrappers library or that have been -# started through a tcp_wrappers-enabled xinetd. -# -# See 'man 5 hosts_options' and 'man 5 hosts_access' -# for information on rule syntax. -# See 'man tcpd' for information on tcp_wrappers -# -ALL: {% for iprange in rhel9cis_host_allow -%}{{ iprange }}{% if not loop.last %}, {% endif %}{% endfor %} diff --git a/templates/ntp.conf.j2 b/templates/ntp.conf.j2 deleted file mode 100644 index c745ab1..0000000 --- a/templates/ntp.conf.j2 +++ /dev/null @@ -1,59 +0,0 @@ -# For more information about this file, see the man pages -# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5). - -driftfile /var/lib/ntp/drift - -# Permit time synchronization with our time source, but do not -# permit the source to query or modify the service on this system. -#restrict default nomodify notrap nopeer noquery -restrict -4 default kod nomodify notrap nopeer noquery -restrict -6 default kod nomodify notrap nopeer noquery - -# Permit all access over the loopback interface. This could -# be tightened as well, but to do so would effect some of -# the administrative functions. -restrict 127.0.0.1 -restrict ::1 - -# Hosts on local network are less restricted. -#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap - -# Use public servers from the pool.ntp.org project. -# Please consider joining the pool (http://www.pool.ntp.org/join.html). -{% for server in rhel9cis_time_synchronization_servers -%} -server {{ server }} {{ rhel9cis_ntp_server_options }} -{% endfor %} - -#broadcast 192.168.1.255 autokey # broadcast server -#broadcastclient # broadcast client -#broadcast 224.0.1.1 autokey # multicast server -#multicastclient 224.0.1.1 # multicast client -#manycastserver 239.255.254.254 # manycast server -#manycastclient 239.255.254.254 autokey # manycast client - -# Enable public key cryptography. -#crypto - -includefile /etc/ntp/crypto/pw - -# Key file containing the keys and key identifiers used when operating -# with symmetric key cryptography. -keys /etc/ntp/keys - -# Specify the key identifiers which are trusted. -#trustedkey 4 8 42 - -# Specify the key identifier to use with the ntpdc utility. -#requestkey 8 - -# Specify the key identifier to use with the ntpq utility. -#controlkey 8 - -# Enable writing of statistics records. -#statistics clockstats cryptostats loopstats peerstats - -# Disable the monitoring facility to prevent amplification attacks using ntpdc -# monlist command when default restrict does not include the noquery flag. See -# CVE-2013-5211 for more details. -# Note: Monitoring will not be disabled with the limited restriction flag. -disable monitor diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index 8f9f4b7..69e5994 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -1,4 +1,4 @@ --- # OS Specific Settings -rpm_gpg_key: RPM-GPG-KEY-AlmaLinux \ No newline at end of file +rpm_gpg_key: RPM-GPG-KEY-AlmaLinux diff --git a/vars/RedHat.yml b/vars/RedHat.yml index d67cedc..0b1c2cc 100644 --- a/vars/RedHat.yml +++ b/vars/RedHat.yml @@ -1,4 +1,6 @@ --- # OS Specific Settings -rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-official +rpm_gpg_key: /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release +rpm_packager: "Red Hat, Inc" +rpm_key: "199e2f91fd431d51" # found on https://access.redhat.com/security/team/key/ diff --git a/vars/is_container.yml b/vars/is_container.yml index a8ac4fb..32504ee 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -6,8 +6,6 @@ ## controls -# Authconfig -rhel9cis_use_authconfig: false # Firewall rhel9cis_firewall: None @@ -43,7 +41,7 @@ rhel9cis_rule_5_1_8: false # crypto rhel9cis_rule_1_10: false -rhel9cis_rule_1_11: false + # grub rhel9cis_rule_1_5_1: false @@ -56,7 +54,7 @@ rhel9cis_rule_1_1_2: false rhel9cis_rule_1_1_3: false rhel9cis_rule_1_1_4: false rhel9cis_rule_1_1_5: false -#/var +# /var rhel9cis_rule_1_1_6: false # /var/tmp rhel9cis_rule_1_1_7: false @@ -89,7 +87,7 @@ rhel9cis_rule_4_2_2_2: false rhel9cis_rule_4_2_2_3: false # systemd -rhel9cis_rule_1_6_1: false + # Users/passwords/accounts rhel9cis_rule_5_5_2: false diff --git a/vars/main.yml b/vars/main.yml index e68cec0..dbbc71f 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -3,5 +3,6 @@ min_ansible_version: 2.10 rhel9cis_allowed_crypto_policies: + - 'DEFAULT' - 'FUTURE' - 'FIPS'