sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Lint updates

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-12-11 11:49:02 +00:00
parent fcf9eb674f
commit 88ac5c3d65
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
19 changed files with 127 additions and 84 deletions
Download patch file Download diff file Expand all files Collapse all files

5
templates/fs_with_cves.sh → files/fs_with_cves.sh
View file

@ -1,11 +1,8 @@
{% raw %} {% raw %}#! /usr/bin/env bash
#! /usr/bin/env bash
# Based on original Script provided by CIS # Based on original Script provided by CIS
# CVEs correct at time of creation - April2024 # CVEs correct at time of creation - April2024
#! /usr/bin/env bash
{ {
a_output=(); a_output2=(); a_modprope_config=(); a_excluded=(); a_available_modules=() a_output=(); a_output2=(); a_modprope_config=(); a_excluded=(); a_available_modules=()
a_ignore=("xfs" "vfat" "ext2" "ext3" "ext4") a_ignore=("xfs" "vfat" "ext2" "ext3" "ext4")

6
tasks/section_1/cis_1.1.1.x.yml
View file

@ -284,15 +284,15 @@
warn_control_id: '1.1.1.9' warn_control_id: '1.1.1.9'
block: block:
- name: "1.1.1.9 | PATCH | Ensure unused filesystems kernel modules are not available | Add discovery script" - name: "1.1.1.9 | PATCH | Ensure unused filesystems kernel modules are not available | Add discovery script"
ansible.builtin.template: ansible.builtin.copy:
src: fs_with_cves.sh src: fs_with_cves.sh
dest: /var/fs_with_cves.sh dest: /var/fs_with_cves.sh
owner: root owner: root
group: root group: root
mode: '0744' mode: 'u+x,go-wx'
- name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Run discovery script" - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Run discovery script"
ansible.builtin.shell: /var/fs_with_cves.sh ansible.builtin.command: /var/fs_with_cves.sh
changed_when: false changed_when: false
failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ] failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ]
register: discovered_fs_modules_loaded register: discovered_fs_modules_loaded

8
tasks/section_1/cis_1.2.1.x.yml
View file

@ -15,13 +15,15 @@
- NIST800-53R5_SI-2 - NIST800-53R5_SI-2
block: block:
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys" - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys"
ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}" ansible.builtin.shell: |
"rpm -qa | grep {{ os_gpg_key_pubkey_name }}"
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_os_installed_pub_keys register: discovered_os_installed_pub_keys
- name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys" - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys"
ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"' ansible.builtin.shell: |
'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_os_gpg_key_check register: discovered_os_gpg_key_check
@ -107,7 +109,7 @@
warn_control_id: '1.2.1.4' warn_control_id: '1.2.1.4'
block: block:
- name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Get repo list" - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Get repo list"
ansible.builtin.shell: dnf repolist ansible.builtin.command: dnf repolist
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_dnf_configured register: discovered_dnf_configured

2
tasks/section_2/cis_2.1.x.yml
View file

@ -718,7 +718,7 @@
warn_control_id: '2.1.22' warn_control_id: '2.1.22'
block: block:
- name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services" - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services"
ansible.builtin.shell: systemctl list-units --type=service ansible.builtin.command: systemctl list-units --type=service # noqa command-instead-of-module
changed_when: false changed_when: false
failed_when: discovered_running_services.rc not in [ 0, 1 ] failed_when: discovered_running_services.rc not in [ 0, 1 ]
check_mode: false check_mode: false

2
tasks/section_2/cis_2.4.x.yml
View file

@ -146,7 +146,7 @@
- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users" - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
ansible.builtin.file: ansible.builtin.file:
path: /etc/cron.allow path: /etc/cron.allow
state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}' state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}'
owner: root owner: root
group: root group: root
mode: u-x,g-wx,o-rwx mode: u-x,g-wx,o-rwx

4
tasks/section_3/cis_3.1.x.yml
View file

@ -40,7 +40,7 @@
block: block:
- name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool" - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool"
when: "'network-manager' in ansible_facts.packages" when: "'network-manager' in ansible_facts.packages"
ansible.builtin.shell: nmcli radio wifi ansible.builtin.command: nmcli radio wifi
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
@ -50,7 +50,7 @@
when: when:
- "'network-manager' in ansible_facts.packages" - "'network-manager' in ansible_facts.packages"
- "'enabled' in discovered_wifi_status.stdout" - "'enabled' in discovered_wifi_status.stdout"
ansible.builtin.shell: nmcli radio all off ansible.builtin.command: nmcli radio all off
changed_when: discovered_nmcli_radio_off.rc == 0 changed_when: discovered_nmcli_radio_off.rc == 0
register: discovered_nmcli_radio_off register: discovered_nmcli_radio_off

12
tasks/section_3/cis_3.2.x.yml
View file

@ -18,6 +18,7 @@
regexp: '^(#)?install dccp(\\s|$)' regexp: '^(#)?install dccp(\\s|$)'
line: "{{ item }}" line: "{{ item }}"
create: true create: true
mode: 'u-x,go-rwx'
loop: loop:
- install dccp /bin/true - install dccp /bin/true
- blacklist dccp - blacklist dccp
@ -28,7 +29,7 @@
regexp: "^(#)?blacklist cramfs(\\s|$)" regexp: "^(#)?blacklist cramfs(\\s|$)"
line: "blacklist cramfs" line: "blacklist cramfs"
create: true create: true
mode: '0600' mode: 'u-x,go-rwx'
- name: "3.2.2 | PATCH | Ensure tipc kernel module is not available" - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available"
when: when:
@ -48,6 +49,7 @@
regexp: '^(#)?install tipc(\\s|$)' regexp: '^(#)?install tipc(\\s|$)'
line: "{{ item }}" line: "{{ item }}"
create: true create: true
mode: 'u-x,go-rwx'
loop: loop:
- install tipc /bin/true - install tipc /bin/true
- blacklist tipc - blacklist tipc
@ -58,7 +60,7 @@
regexp: "^(#)?blacklist tipc(\\s|$)" regexp: "^(#)?blacklist tipc(\\s|$)"
line: "blacklist tipc" line: "blacklist tipc"
create: true create: true
mode: '0600' mode: 'u-x,go-rwx'
- name: "3.2.3 | PATCH | Ensure rds kernel module is not available" - name: "3.2.3 | PATCH | Ensure rds kernel module is not available"
when: when:
@ -78,6 +80,7 @@
regexp: '^(#)?install rds(\\s|$)' regexp: '^(#)?install rds(\\s|$)'
line: "{{ item }}" line: "{{ item }}"
create: true create: true
mode: 'u-x,go-rwx'
loop: loop:
- install rds /bin/true - install rds /bin/true
- blacklist rds - blacklist rds
@ -88,7 +91,7 @@
regexp: "^(#)?blacklist rds(\\s|$)" regexp: "^(#)?blacklist rds(\\s|$)"
line: "blacklist rds" line: "blacklist rds"
create: true create: true
mode: '0600' mode: 'u-x,go-rwx'
- name: "3.2.4 | PATCH | Ensure sctp kernel module is not available" - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available"
when: when:
@ -108,6 +111,7 @@
regexp: '^(#)?install sctp(\\s|$)' regexp: '^(#)?install sctp(\\s|$)'
line: "{{ item }}" line: "{{ item }}"
create: true create: true
mode: 'u-x,go-rwx'
loop: loop:
- install sctp /bin/true - install sctp /bin/true
- blacklist sctp - blacklist sctp
@ -118,4 +122,4 @@
regexp: "^(#)?blacklist sctp(\\s|$)" regexp: "^(#)?blacklist sctp(\\s|$)"
line: "blacklist sctp" line: "blacklist sctp"
create: true create: true
mode: '0600' mode: 'u-x,go-rwx'

2
tasks/section_4/cis_4.1.x.yml
View file

@ -52,7 +52,7 @@
name: "{{ rhel9cis_firewall }}" name: "{{ rhel9cis_firewall }}"
state: installed state: installed
- name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled" # noqa name[template]
ansible.builtin.systemd: ansible.builtin.systemd:
name: "{{ rhel9cis_firewall }}" name: "{{ rhel9cis_firewall }}"
enabled: true enabled: true

62
tasks/section_4/cis_4.3.x.yml
View file

@ -8,7 +8,8 @@
- rhel9cis_rule_4_3_3 - rhel9cis_rule_4_3_3
- rhel9cis_rule_4_3_4 - rhel9cis_rule_4_3_4
tags: always tags: always
ansible.builtin.shell: "nft add table inet {{ rhel9cis_nft_tables_tablename }}" ansible.builtin.command: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
changed_when: true
- name: "4.3.1 | PATCH | Ensure nftables base chains exist" - name: "4.3.1 | PATCH | Ensure nftables base chains exist"
when: when:
@ -22,19 +23,22 @@
- NIST800-55_CA-9 - NIST800-55_CA-9
block: block:
- name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT" - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for INPUT"
ansible.builtin.shell: nft list ruleset | grep 'hook input' ansible.builtin.shell: |
nft list ruleset | grep 'hook input'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_nftables_input_chains register: discovered_nftables_input_chains
- name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD" - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD"
ansible.builtin.shell: nft list ruleset | grep 'hook forward' ansible.builtin.shell: |
nft list ruleset | grep 'hook forward'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_nftables_forward_chains register: discovered_nftables_forward_chains
- name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT" - name: "4.3.1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT"
ansible.builtin.shell: nft list ruleset | grep 'hook output' ansible.builtin.shell: |
nft list ruleset | grep 'hook output'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_nftables_output_chains register: discovered_nftables_output_chains
@ -52,7 +56,8 @@
- name: "4.3.1 | PATCH | Ensure nftables base chains exist | Create chains if needed" - name: "4.3.1 | PATCH | Ensure nftables base chains exist | Create chains if needed"
when: rhel9cis_nft_tables_autochaincreate when: rhel9cis_nft_tables_autochaincreate
ansible.builtin.shell: "{{ item }}" ansible.builtin.command: "{{ item }}"
changed_when: true
failed_when: false failed_when: false
loop: loop:
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; } - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; }
@ -71,44 +76,50 @@
- NIST800-55_CA-9 - NIST800-55_CA-9
block: block:
- name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather incoming connection rules" - name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather incoming connection rules"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' ansible.builtin.shell: |
nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_nftables_inconnectionrule register: discovered_nftables_inconnectionrule
- name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules" - name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules"
ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' ansible.builtin.command: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_nftables_outconnectionrule register: discovered_nftables_outconnectionrule
- name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy" - name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy"
when: '"ip protocol tcp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' when: '"ip protocol tcp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
ansible.builtin.shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
changed_when: true
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy" - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy"
when: '"ip protocol udp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' when: '"ip protocol udp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept
changed_when: true
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy" - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy"
when: '"ip protocol icmp ct state established accept" not in discovered_nftables_inconnectionrule.stdout' when: '"ip protocol icmp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept
changed_when: true
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy" - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy"
when: '"ip protocol tcp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' when: '"ip protocol tcp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept
changed_when: true
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy" - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy"
when: '"ip protocol udp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' when: '"ip protocol udp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept
changed_when: true
- name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy" - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy"
when: '"ip protocol icmp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout' when: '"ip protocol icmp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
changed_when: true
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy" - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy"
when: when: rhel9cis_rule_4_3_3
- rhel9cis_rule_4_3_3
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -118,25 +129,29 @@
- NIST800-55_CA-9 - NIST800-55_CA-9
block: block:
- name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy" - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy"
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input' ansible.builtin.shell: |
nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input'
failed_when: false failed_when: false
changed_when: false changed_when: false
register: discovered_nftables_inputpolicy register: discovered_nftables_inputpolicy
- name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy" - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy"
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward' ansible.builtin.shell: |
nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward'
failed_when: false failed_when: false
changed_when: false changed_when: false
register: discovered_nftables_forwardpolicy register: discovered_nftables_forwardpolicy
- name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy" - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy"
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output' ansible.builtin.shell: |
nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output'
failed_when: false failed_when: false
changed_when: false changed_when: false
register: discovered_nftables_outputpolicy register: discovered_nftables_outputpolicy
- name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow" - name: "4.3.3 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow"
ansible.builtin.shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh' ansible.builtin.shell: |
nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh'
failed_when: false failed_when: false
changed_when: false changed_when: false
register: discovered_nftables_sshallowcheck register: discovered_nftables_sshallowcheck
@ -144,22 +159,25 @@
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic" - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic"
when: '"tcp dport ssh accept" not in discovered_nftables_sshallowcheck.stdout' when: '"tcp dport ssh accept" not in discovered_nftables_sshallowcheck.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept
changed_when: true
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy" - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy"
when: '"type filter hook input priority 0; policy drop;" not in discovered_nftables_inputpolicy.stdout' when: '"type filter hook input priority 0; policy drop;" not in discovered_nftables_inputpolicy.stdout'
ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; } ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; }
changed_when: true
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy" - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy"
when: '"type filter hook forward priority 0; policy drop;" not in discovered_nftables_forwardpolicy.stdout' when: '"type filter hook forward priority 0; policy drop;" not in discovered_nftables_forwardpolicy.stdout'
ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; } ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; }
changed_when: true
- name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy" - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy"
when: '"type filter hook output priority 0; policy drop;" not in discovered_nftables_outputpolicy.stdout' when: '"type filter hook output priority 0; policy drop;" not in discovered_nftables_outputpolicy.stdout'
ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; } ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
changed_when: true
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured" - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured"
when: when: rhel9cis_rule_4_3_4
- rhel9cis_rule_4_3_4
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
@ -169,19 +187,22 @@
- NIST800-55_CA-9 - NIST800-55_CA-9
block: block:
- name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence | nftables" - name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence | nftables"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept' ansible.builtin.shell: |
nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_nftables_iiflo register: discovered_nftables_iiflo
- name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence | nftables" - name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence | nftables"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr' ansible.builtin.shell: |
nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_nftables_ipsaddr register: discovered_nftables_ipsaddr
- name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence | nftables" - name: "4.3.4 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence | nftables"
ansible.builtin.shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr' ansible.builtin.shell: |
nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'
changed_when: false changed_when: false
failed_when: false failed_when: false
register: discovered_nftables_ip6saddr register: discovered_nftables_ip6saddr
@ -189,11 +210,14 @@
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule | nftables" - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule | nftables"
when: '"iif \"lo\" accept" not in discovered_nftables_iiflo.stdout' when: '"iif \"lo\" accept" not in discovered_nftables_iiflo.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept
changed_when: true
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables" - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables"
when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in discovered_nftables_ipsaddr.stdout' when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in discovered_nftables_ipsaddr.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
changed_when: true
- name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule | nftables" - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule | nftables"
when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in discovered_nftables_ip6saddr.stdout' when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in discovered_nftables_ip6saddr.stdout'
ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
changed_when: true

36
tasks/section_5/cis_5.3.2.x.yml
View file

@ -17,12 +17,13 @@
when: when:
- rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or - rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or
prelim_authselect_current_profile.stdout is not defined prelim_authselect_current_profile.stdout is not defined
ansible.builtin.shell: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}" ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
changed_when: false
args: args:
creates: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}" creates: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}"
- name: "5.3.2.1 | AUDIT | Ensure active authselect profile includes pam modules | get profile features" - name: "5.3.2.1 | AUDIT | Ensure active authselect profile includes pam modules | get profile features"
ansible.builtin.shell: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}" ansible.builtin.command: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}"
changed_when: false changed_when: false
register: discovered_authselect_profile_features register: discovered_authselect_profile_features
@ -37,7 +38,8 @@
- password - password
- name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Backup and Add pam modules" - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Backup and Add pam modules"
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}" ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}"
changed_when: true
- name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled" - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled"
when: when:
@ -59,14 +61,16 @@
notify: Authselect update notify: Authselect update
block: block:
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config" - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config"
ansible.builtin.shell: authselect current | grep faillock ansible.builtin.shell: |
authselect current | grep faillock
changed_when: false changed_when: false
failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ] failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
register: discovered_authselect_current_faillock register: discovered_authselect_current_faillock
- name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing" - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing"
when: discovered_authselect_current_faillock.rc != 0 when: discovered_authselect_current_faillock.rc != 0
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
- name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled" - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
when: when:
@ -83,14 +87,16 @@
- rule_5.3.2.3 - rule_5.3.2.3
block: block:
- name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Get current config" - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Get current config"
ansible.builtin.shell: authselect current | grep quality ansible.builtin.shell: |
authselect current | grep quality
changed_when: false changed_when: false
failed_when: discovered_authselect_current_quality.rc not in [ 0, 1 ] failed_when: discovered_authselect_current_quality.rc not in [ 0, 1 ]
register: discovered_authselect_current_quality register: discovered_authselect_current_quality
- name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Add feature if missing" - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled | Add feature if missing"
when: discovered_authselect_current_quality.rc != 0 when: discovered_authselect_current_quality.rc != 0
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
notify: Authselect update notify: Authselect update
- name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled" - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled"
@ -108,14 +114,16 @@
- rule_5.3.2.4 - rule_5.3.2.4
block: block:
- name: "5.3.2.4 | AUDIT | Ensure pam_pwhistory module is enabled | Get current config" - name: "5.3.2.4 | AUDIT | Ensure pam_pwhistory module is enabled | Get current config"
ansible.builtin.shell: authselect current | grep pwhistory ansible.builtin.shell: |
authselect current | grep pwhistory
changed_when: false changed_when: false
failed_when: discovered_authselect_current_history.rc not in [ 0, 1 ] failed_when: discovered_authselect_current_history.rc not in [ 0, 1 ]
register: discovered_authselect_current_history register: discovered_authselect_current_history
- name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled | enable feature" - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled | enable feature"
when: discovered_authselect_current_history.rc != 0 when: discovered_authselect_current_history.rc != 0
ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}" ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
changed_when: true
notify: Authselect update notify: Authselect update
- name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled" - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled"
@ -146,8 +154,8 @@
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
line: "{{ item.line }}" line: "{{ item.line }}"
backrefs: true backrefs: true
insertafter: "{{ item.after | default (omit) }}" insertafter: "{{ item.after | default(omit) }}"
insertbefore: "{{ item.before | default (omit) }}" insertbefore: "{{ item.before | default(omit) }}"
loop: loop:
- { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', after: '^auth.*pam_faillock.*preauth' } - { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', after: '^auth.*pam_faillock.*preauth' }
- { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' } - { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' }
@ -160,8 +168,8 @@
line: "{{ item.line }}" line: "{{ item.line }}"
regexp: "{{ item.regexp }}" regexp: "{{ item.regexp }}"
backrefs: true backrefs: true
insertafter: "{{ item.after | default (omit) }}" insertafter: "{{ item.after | default(omit) }}"
insertbefore: "{{ item.before | default (omit) }}" insertbefore: "{{ item.before | default(omit) }}"
loop: loop:
- { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\2', after: '^auth.*pam_faillock.*preauth' } - { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\2', after: '^auth.*pam_faillock.*preauth' }
- { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' } - { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' }

1
tasks/section_5/cis_5.3.3.1.x.yml
View file

@ -104,6 +104,7 @@
line: "{{ rhel9cis_pamroot_lock_option }}" line: "{{ rhel9cis_pamroot_lock_option }}"
insertafter: '^# end of pam-auth-update config' insertafter: '^# end of pam-auth-update config'
create: true create: true
mode: 'u-x,go-wx'
- name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | remove lockout from pam files NOT AuthSelect" - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | remove lockout from pam files NOT AuthSelect"
when: when:

28
tasks/section_5/cis_5.4.1.x.yml
View file

@ -96,7 +96,8 @@
- discovered_warn_days.stdout_lines | length > 0 - discovered_warn_days.stdout_lines | length > 0
- item in prelim_interactive_usernames.stdout - item in prelim_interactive_usernames.stdout
- rhel9cis_force_user_warnage - rhel9cis_force_user_warnage
ansible.builtin.shell: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}" ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
changed_when: true
loop: "{{ discovered_warn_days.stdout_lines }}" loop: "{{ discovered_warn_days.stdout_lines }}"
- name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured" - name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured"
@ -125,25 +126,29 @@
- rule_5.4.1.5 - rule_5.4.1.5
block: block:
- name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | Check current settings" - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is configured | Check current settings"
ansible.builtin.shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d= ansible.builtin.shell: |
useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
register: discovered_passwdlck_inactive_settings register: discovered_passwdlck_inactive_settings
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set default inactive setting" - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set default inactive setting"
ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
when: discovered_passwdlck_inactive_settings.stdout | length == 0 when: discovered_passwdlck_inactive_settings.stdout | length == 0
ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
changed_when: true
- name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list" - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow" ansible.builtin.shell: |
"awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
changed_when: false changed_when: false
check_mode: false check_mode: false
register: discovered_passwdlck_user_list register: discovered_passwdlck_user_list
- name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts" - name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
when: item in prelim_interactive_usernames.stdout when: item in prelim_interactive_usernames.stdout
ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}" ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
changed_when: true
loop: "{{ discovered_passwdlck_user_list.stdout_lines }}" loop: "{{ discovered_passwdlck_user_list.stdout_lines }}"
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past" - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past"
@ -172,22 +177,23 @@
register: discovered_passwdlck_user_future register: discovered_passwdlck_user_future
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future" - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
when:
- discovered_passwdlck_user_future.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
ansible.builtin.debug: ansible.builtin.debug:
msg: "Warning!! The following accounts have the last PW change date in the future: {{ discovered_passwdlck_user_future.stdout_lines }}" msg: "Warning!! The following accounts have the last PW change date in the future: {{ discovered_passwdlck_user_future.stdout_lines }}"
when:
- discovered_passwdlck_user_future.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix
- name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | warning count" - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
when: when:
- discovered_passwdlck_user_future.stdout | length > 0 - discovered_passwdlck_user_future.stdout | length > 0
- not rhel9cis_futurepwchgdate_autofix - not rhel9cis_futurepwchgdate_autofix
ansible.builtin.import_tasks:
file: warning_facts.yml
- name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future" - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
ansible.builtin.shell: passwd --expire {{ item }} changed_when: true
when: when:
- discovered_passwdlck_user_future.stdout | length > 0 - discovered_passwdlck_user_future.stdout | length > 0
- rhel9cis_futurepwchgdate_autofix - rhel9cis_futurepwchgdate_autofix
loop: "{{ discovered_passwdlck_user_future.stdout_lines }}" loop: "{{ discovered_passwdlck_user_future.stdout_lines }}"
ansible.builtin.command: passwd --expire {{ item }}

3
tasks/section_5/cis_5.4.2.x.yml
View file

@ -17,7 +17,7 @@
- NIST800-53R5_CM-6 - NIST800-53R5_CM-6
- NIST800-53R5_CM-7 - NIST800-53R5_CM-7
- NIST800-53R5_IA-5 - NIST800-53R5_IA-5
ansible.builtin.shell: passwd -l {{ item }} ansible.builtin.command: passwd -l {{ item }}
changed_when: false changed_when: false
failed_when: false failed_when: false
loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}" loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}"
@ -194,6 +194,7 @@
regexp: \s*umask regexp: \s*umask
line: "umask {{ rhel9cis_root_umask }}" line: "umask {{ rhel9cis_root_umask }}"
create: true create: true
mode: 'u+x,go-rwx'
- name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell" - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell"
when: when:

10
tasks/section_6/cis_6.1.x.yml
View file

@ -45,7 +45,8 @@
rhel9cis_aide_db_recreate rhel9cis_aide_db_recreate
block: block:
- name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB" - name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB"
ansible.builtin.shell: "{{ aide_initiate_command }}" ansible.builtin.command: "{{ aide_initiate_command }}"
changed_when: true
- name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB | Wait for file before continuing" - name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB | Wait for file before continuing"
ansible.builtin.wait_for: ansible.builtin.wait_for:
@ -56,6 +57,7 @@
src: /var/lib/aide/aide.db.new.gz src: /var/lib/aide/aide.db.new.gz
dest: /var/lib/aide/aide.db.gz dest: /var/lib/aide/aide.db.gz
remote_src: true remote_src: true
mode: 'ug-wx,o-rwx'
- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked" - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked"
when: when:
@ -85,15 +87,15 @@
- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service" - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
when: rhel9cis_aide_scan == "timer" when: rhel9cis_aide_scan == "timer"
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: aidecheck.service name: aidecheck.service
enabled: true enabled: true
- name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service" - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
when: rhel9cis_aide_scan == "timer" when: rhel9cis_aide_scan == "timer"
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: aidecheck.timer name: aidecheck.timer
state: running state: started
enabled: true enabled: true
- name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools" - name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"

18
tasks/section_6/cis_6.3.1.x.yml
View file

@ -1,8 +1,7 @@
--- ---
- name: "6.3.1.1 | PATCH | Ensure auditd is installed" - name: "6.3.1.1 | PATCH | Ensure auditd is installed"
when: when: rhel9cis_rule_6_3_1_1
- rhel9cis_rule_6_3_1_1
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
@ -27,8 +26,7 @@
state: present state: present
- name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" - name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
when: when: rhel9cis_rule_6_3_1_2
- rhel9cis_rule_6_3_1_2
tags: tags:
- level2-server - level2-server
- level2-workstation - level2-workstation
@ -49,7 +47,8 @@
- discovered_grubby_curr_value_audit_linux.stdout == '' or - discovered_grubby_curr_value_audit_linux.stdout == '' or
'0' in discovered_grubby_curr_value_audit_linux.stdout or '0' in discovered_grubby_curr_value_audit_linux.stdout or
'off' in discovered_grubby_curr_value_audit_linux.stdout|lower 'off' in discovered_grubby_curr_value_audit_linux.stdout|lower
ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" ansible.builtin.command: grubby --update-kernel=ALL --args="audit=1"
changed_when: true
- name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" - name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
when: when:
@ -81,17 +80,16 @@
discovered_reset_backlog_limits: true discovered_reset_backlog_limits: true
- name: "6.3.1.3 | AUDIT | Check to see if any limits are too low" - name: "6.3.1.3 | AUDIT | Check to see if any limits are too low"
when: when: (item | int < rhel9cis_audit_back_log_limit)
- (item | int < rhel9cis_audit_back_log_limit)
ansible.builtin.set_fact: ansible.builtin.set_fact:
discovered_reset_backlog_limits: true discovered_reset_backlog_limits: true
loop: "{{ discovered_grubby_curr_value_backlog_linux.stdout_lines }}" loop: "{{ discovered_grubby_curr_value_backlog_linux.stdout_lines }}"
- name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied" - name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied"
when: when: discovered_reset_backlog_limits is defined
- discovered_reset_backlog_limits is defined ansible.builtin.command:
ansible.builtin.shell:
cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
changed_when: true
- name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active" - name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active"
when: when:

4
tasks/section_7/cis_7.1.x.yml
View file

@ -221,7 +221,7 @@
warn_control_id: '7.1.12' warn_control_id: '7.1.12'
block: block:
- name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories" - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
ansible.builtin.shell: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs ansible.builtin.command: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false
@ -283,7 +283,7 @@
warn_control_id: '7.1.13' warn_control_id: '7.1.13'
block: block:
- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID" - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID"
ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
changed_when: false changed_when: false
failed_when: false failed_when: false
check_mode: false check_mode: false

4
tasks/section_7/cis_7.2.x.yml
View file

@ -237,13 +237,13 @@
- users - users
- rule_7.2.8 - rule_7.2.8
block: block:
- name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent" - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent" # noqa risky-file-permissions
ansible.builtin.file: ansible.builtin.file:
path: "{{ item.dir }}" path: "{{ item.dir }}"
state: directory state: directory
owner: "{{ item.id }}" owner: "{{ item.id }}"
group: "{{ item.gid }}" group: "{{ item.gid }}"
loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', max_int_uid | int) | list }}" loop: "{{ rhel9cis_passwd | selectattr('uid', '>=', prelim_min_int_uid | int) | selectattr('uid', '<=', prelim_max_int_uid | int) | list }}"
loop_control: loop_control:
label: "{{ item.id }}" label: "{{ item.id }}"

2
tasks/warning_facts.yml
View file

@ -14,7 +14,7 @@
# #
# warn_count the main variable for the number of warnings and each time a warn_control_id is added # warn_count the main variable for the number of warnings and each time a warn_control_id is added
# the count increases by a value of 1 # the count increases by a value of 1
- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." - name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." # noqa name[template]
ansible.builtin.set_fact: ansible.builtin.set_fact:
warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]"
warn_count: "{{ warn_count | int + 1 }}" warn_count: "{{ warn_count | int + 1 }}"

2
vars/audit.yml
View file

@ -35,7 +35,7 @@ audit_format: json
audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml" audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
audit_results: | audit_results: |
The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results}} The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }}
{% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %} {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %}
Full breakdown can be found in {{ audit_log_dir }} Full breakdown can be found in {{ audit_log_dir }}