sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

added args warn for shell

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-01-13 12:08:30 +00:00
parent 66814a6f01
commit 95d8152603
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
24 changed files with 187 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

12
tasks/section_6/cis_6.1.x.yml
View file

@ -5,7 +5,7 @@
- name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Audit the packages"
shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto
args:
warn: no
warn: false
changed_when: false
failed_when: false
register: rhel9cis_6_1_1_packages_rpm
@ -152,6 +152,8 @@
block:
- name: "6.1.10 | L1 | AUDIT | Ensure no world writable files exist | Get list of world-writable files"
shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
args:
warn: false
failed_when: false
changed_when: false
register: rhel_09_6_1_10_perms_results
@ -183,6 +185,8 @@
block:
- name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories"
shell: find "{{ item.mount }}" -xdev -nouser
args:
warn: false
check_mode: false
failed_when: false
changed_when: false
@ -209,6 +213,8 @@
block:
- name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories"
shell: find "{{ item.mount }}" -xdev -nogroup
args:
warn: false
check_mode: false
failed_when: false
changed_when: false
@ -235,6 +241,8 @@
block:
- name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Find all SUID executables"
shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000
args:
warn: false
failed_when: false
changed_when: false
register: rhel_09_6_1_13_perms_results
@ -266,6 +274,8 @@
block:
- name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Find all SGID executables"
shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000
args:
warn: false
failed_when: false
changed_when: false
register: rhel_09_6_1_14_perms_results

40
tasks/section_6/cis_6.2.x.yml
View file

@ -2,6 +2,8 @@
- name: "6.2.1 | L1 | AUDIT | Ensure password fields are not empty"
shell: passwd -l {{ item }}
args:
warn: false
changed_when: false
failed_when: false
with_items: "{{ empty_password_accounts.stdout_lines }}"
@ -16,6 +18,8 @@
- name: "6.2.2 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd"
shell: sed -i '/^+/ d' /etc/passwd
args:
warn: false
changed_when: false
failed_when: false
when:
@ -31,6 +35,8 @@
block:
- name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine empty value"
shell: 'echo $PATH | grep ::'
args:
warn: false
check_mode: no
register: path_colon
changed_when: False
@ -38,6 +44,8 @@
- name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determin colon end"
shell: 'echo $PATH | grep :$'
args:
warn: false
check_mode: no
register: path_colon_end
changed_when: False
@ -45,6 +53,8 @@
- name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine dot in path"
shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'"
args:
warn: false
check_mode: no
register: dot_in_path
changed_when: False
@ -75,6 +85,8 @@
- name: "6.2.4 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow"
shell: sed -i '/^+/ d' /etc/shadow
args:
warn: false
changed_when: false
failed_when: false
when:
@ -88,6 +100,8 @@
- name: "6.2.5 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/group"
shell: sed -i '/^+/ d' /etc/group
args:
warn: false
changed_when: false
failed_when: false
when:
@ -101,6 +115,8 @@
- name: "6.2.6 | L1 | PATCH | Ensure root is the only UID 0 account"
shell: passwd -l {{ item }}
args:
warn: false
changed_when: false
failed_when: false
with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}"
@ -123,6 +139,8 @@
- name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
shell: find -H {{ item.0 | quote }} -not -type l -perm /027
args:
warn: false
check_mode: false
changed_when: rhel_09_6_2_7_patch_audit.stdout | length > 0
register: rhel_09_6_2_7_patch_audit
@ -198,6 +216,8 @@
block:
- name: "6.2.9 | L1 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files"
shell: find /home/ -name "\.*" -perm /g+w,o+w
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_6_2_9_audit
@ -252,6 +272,8 @@
- name: "6.2.12 | L1 | PATCH | Ensure users' .netrc Files are not group or world accessible"
shell: /bin/true
args:
warn: false
changed_when: false
failed_when: false
when:
@ -279,6 +301,8 @@
block:
- name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
@ -305,6 +329,8 @@
block:
- name: "6.2.15 | L1 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
args:
warn: false
changed_when: false
failed_when: false
register: user_uid_check
@ -330,6 +356,8 @@
block:
- name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
args:
warn: false
changed_when: false
failed_when: false
register: user_user_check
@ -355,6 +383,8 @@
block:
- name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
args:
warn: false
changed_when: false
failed_when: false
register: user_username_check
@ -380,6 +410,8 @@
block:
- name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
args:
warn: false
changed_when: false
failed_when: false
check_mode: no
@ -406,6 +438,8 @@
block:
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for shadow group and pull group id"
shell: "getent group shadow | cut -d: -f3"
args:
warn: false
changed_when: false
failed_when: false
check_mode: no
@ -413,6 +447,8 @@
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check /etc/group for empty shadow group"
shell: grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group
args:
warn: false
changed_when: false
failed_when: false
check_mode: no
@ -420,6 +456,8 @@
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for users assigned to shadow"
shell: "getent passwd | awk -F: '$4 == '{{ rhel9cis_shadow_gid.stdout }}' {print $1}'"
args:
warn: false
changed_when: false
failed_when: false
check_mode: no
@ -465,6 +503,8 @@
- name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist"
shell: find -H {{ item.0 | quote }} -not -type l -perm /027
args:
warn: false
check_mode: false
changed_when: rhel_09_6_2_20_patch_audit.stdout | length > 0
register: rhel_09_6_2_20_patch_audit