sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

added args warn for shell

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-01-13 12:08:30 +00:00
parent 66814a6f01
commit 95d8152603
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
24 changed files with 187 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

6
handlers/main.yml
View file

@ -89,6 +89,8 @@
- name: reload dconf
become: yes
shell: dconf update
args:
warn: false
- name: update auditd
template:
@ -105,7 +107,7 @@
check_mode: no
failed_when: no
args:
warn: no
warn: false
when:
- not rhel9cis_skip_for_travis
tags:
@ -113,6 +115,8 @@
- name: grub2cfg
shell: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
args:
warn: false
ignore_errors: True
tags:
- skip_ansible_lint

6
tasks/check_prereqs.yml
View file

@ -4,10 +4,10 @@
block:
- name: Check if python36-rpm package installed
shell: rpm -q python36-rpm
failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] )
changed_when: false
args:
warn: false
failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] )
changed_when: false
register: python36_rpm_present
- name: Add the EPEL repository required for the python36-rpm pkg
@ -29,6 +29,8 @@
- name: Disable Epel repo if installed earlier
shell: yum-config-manager disable epel
args:
warn: false
when: epel_installed.changed
when:
- ( ansible_python.version.major == 3 and ansible_python.version.minor == 6 )

4
tasks/section_1/cis_1.1.x.yml
View file

@ -252,6 +252,8 @@
1.1.16 | L1 | AUDIT | Ensure nosuid option set on /dev/shm partition | Check for /dev/shm existence
1.1.17 | L1 | AUDIT | Ensure noexec option set on /dev/shm partition | Check for /dev/shm existence"
shell: mount -l | grep -E '\s/dev/shm\s'
args:
warn: false
changed_when: false
failed_when: false
check_mode: no
@ -306,7 +308,7 @@
- name: "1.1.21 | L1 | PATCH | Ensure sticky bit is set on all world-writable directories"
shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
args:
warn: no
warn: false
changed_when: false
failed_when: false
when:

2
tasks/section_1/cis_1.10.yml
View file

@ -4,6 +4,8 @@
shell: |
update-crypto-policies --set "{{ rhel9cis_crypto_policy }}"
update-crypto-policies
args:
warn: false
when:
- rhel9cis_rule_1_10
- system_wide_crypto_policy['stdout'] == 'LEGACY'

2
tasks/section_1/cis_1.11.yml
View file

@ -4,6 +4,8 @@
shell: |
update-crypto-policies --set "{{ rhel9cis_crypto_policy }}"
update-crypto-policies
args:
warn: false
when:
- rhel9cis_rule_1_11
- system_wide_crypto_policy['stdout'] not in rhel9cis_allowed_crypto_policies

6
tasks/section_1/cis_1.2.x.yml
View file

@ -38,6 +38,8 @@
- name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured"
shell: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release
args:
warn: false
when:
- rhel9cis_rule_1_2_3
- ansible_distribution == "RedHat"
@ -77,12 +79,12 @@
block:
- name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Get repo list"
shell: dnf repolist
args:
warn: false
changed_when: false
failed_when: false
register: dnf_configured
check_mode: no
args:
warn: false
- name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Display repo list"
debug:

5
tasks/section_1/cis_1.4.x.yml
View file

@ -9,12 +9,13 @@
- name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Configure AIDE"
shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
args:
warn: false
creates: /var/lib/aide/aide.db.gz
changed_when: false
failed_when: false
async: 45
poll: 0
args:
creates: /var/lib/aide/aide.db.gz
when: not ansible_check_mode
when:
- rhel9cis_config_aide

2
tasks/section_1/cis_1.7.1.x.yml
View file

@ -66,6 +66,8 @@
block:
- name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Find the unconfined daemons"
shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
args:
warn: false
register: rhelcis_1_7_1_5_unconf_daemons
failed_when: false
changed_when: false

4
tasks/section_2/cis_2.2.x.yml
View file

@ -5,7 +5,7 @@
- name: "2.2.2 | L1 | AUDIT | Ensure X Window System is not installed | capture xorg-x11 packages"
shell: rpm -qa | grep xorg-x11
args:
warn: no
warn: false
failed_when: xorg_x11_installed.rc >=2
check_mode: no
changed_when: false
@ -14,7 +14,7 @@
- name: "2.2.2 | L1 | PATCH | Ensure X Window System is not installed | remove packages if found"
shell: "dnf remove {{ item }}"
args:
warn: no
warn: false
with_items:
- xorg_x11_installed.stdout_lines
when: xorg_x11_installed.stdout | length > 0

6
tasks/section_3/cis_3.4.2.x.yml
View file

@ -46,6 +46,8 @@
- name: "3.4.2.4 | L1 | PATCH | Ensure default zone is set"
shell: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"
args:
warn: false
when:
- rhel9cis_firewall == "firewalld"
- rhel9cis_rule_3_4_2_4
@ -59,6 +61,8 @@
block:
- name: "3.4.2.5 | L1 | AUDIT | Ensure network interfaces are assigned to appropriate zone | Get list of interfaces and polocies"
shell: "nmcli -t connection show | awk -F: '{ if($4){print $4} }' | while read INT; do firewall-cmd --get-active-zones | grep -B1 $INT; done"
args:
warn: false
changed_when: false
failed_when: false
check_mode: no
@ -82,6 +86,8 @@
block:
- name: "3.4.2.6 | L1 | AUDIT | Ensure firewalld drops unnecessary services and ports | Get list of services and ports"
shell: "firewall-cmd --get-active-zones | awk '!/:/ {print $1}' | while read ZN; do firewall-cmd --list-all --zone=$ZN; done"
args:
warn: false
changed_when: false
failed_when: false
check_mode: no

58
tasks/section_3/cis_3.4.3.x.yml
View file

@ -2,6 +2,8 @@
- name: "3.4.3.1 | L1 | PATCH | Ensure iptables are flushed with nftables"
shell: ip6tables -F
args:
warn: false
when:
- rhel9cis_rule_3_4_3_1
- rhel9cis_firewall != "iptables"
@ -16,6 +18,8 @@
block:
- name: "3.4.3.2 | L1 | AUDIT | Ensure a table exists | Check for tables"
shell: nft list tables
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_2_nft_tables
@ -38,6 +42,8 @@
- name: "3.4.3.2 | L1 | PATCH | Ensure a table exists | Create table if needed"
shell: nft create table inet "{{ rhel9cis_nft_tables_tablename }}"
args:
warn: false
failed_when: no
when: rhel9cis_nft_tables_autonewtable
when:
@ -53,18 +59,24 @@
block:
- name: "3.4.3.3 | L1 | Ensure nftables base chains exist | Get current chains for INPUT"
shell: nft list ruleset | grep 'hook input'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_3_input_chains
- name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Get current chains for FORWARD"
shell: nft list ruleset | grep 'hook forward'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_3_forward_chains
- name: "3.4.3.3 | L1 | AUDIT | Ensure nftables base chains exist | Get current chains for OUTPUT"
shell: nft list ruleset | grep 'hook output'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_3_output_chains
@ -83,7 +95,7 @@
- name: "3.4.3.3 | L1 | PATCH | Ensure nftables base chains exist | Create chains if needed"
shell: "{{ item }}"
args:
warn: no
warn: false
failed_when: no
with_items:
- nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; }
@ -103,32 +115,44 @@
block:
- name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather iif lo accept existence"
shell: nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_4_iiflo
- name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip saddr existence"
shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_4_ipsaddr
- name: "3.4.3.4 | L1 | AUDIT | Ensure nftables loopback traffic is configured | Gather ip6 saddr existence"
shell: nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_4_ip6saddr
- name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept
args:
warn: false
when: '"iif \"lo\" accept" not in rhel9cis_3_4_3_4_iiflo.stdout'
- name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
args:
warn: false
when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ipsaddr.stdout'
- name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
args:
warn: false
when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ip6saddr.stdout'
when:
- rhel9cis_firewall == "nftables"
@ -143,38 +167,54 @@
block:
- name: "3.4.3.5 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather incoming connection rules"
shell: nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_5_inconnectionrule
- name: "3.4.3.5 | L1 | AUDIT | Ensure nftables outbound and established connections are configured | Gather outbound connection rules"
shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_5_outconnectionrule
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
args:
warn: false
when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout'
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept
args:
warn: false
when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout'
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept
args:
warn: false
when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout'
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept
args:
warn: false
when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout'
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept
args:
warn: false
when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout'
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
args:
warn: false
when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout'
when:
- rhel9cis_firewall == "nftables"
@ -189,42 +229,58 @@
block:
- name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook input deny policy"
shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook input'
args:
warn: false
failed_when: false
changed_when: false
register: rhel9cis_3_4_3_6_inputpolicy
- name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook forward deny policy"
shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook forward'
args:
warn: false
failed_when: false
changed_when: false
register: rhel9cis_3_4_3_6_forwardpolicy
- name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for hook output deny policy"
shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'hook output'
args:
warn: false
failed_when: false
changed_when: false
register: rhel9cis_3_4_3_6_outputpolicy
- name: "3.4.3.6 | L1 | AUDIT | Ensure nftables default deny firewall policy | Check for SSH allow"
shell: nft list table inet "{{ rhel9cis_nft_tables_tablename }}" | grep 'ssh'
args:
warn: false
failed_when: false
changed_when: false
register: rhel9cis_3_4_3_6_sshallowcheck
- name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic"
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept
args:
warn: false
when: '"tcp dport ssh accept" not in rhel9cis_3_4_3_6_sshallowcheck.stdout'
- name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy"
shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; }
args:
warn: false
when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_3_6_inputpolicy.stdout'
- name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy"
shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; }
args:
warn: false
when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_3_6_forwardpolicy.stdout'
- name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy"
shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
args:
warn: false
when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_3_6_outputpolicy.stdout'
when:
- rhel9cis_firewall == "nftables"

4
tasks/section_3/cis_3.4.4.1.x.yml
View file

@ -85,12 +85,16 @@
block:
- name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get list of TCP open ports"
shell: netstat -ant |grep "tcp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_4_1_4_otcp
- name: "3.4.4.1.4 | L1 | AUDIT | Ensure iptables firewall rules exist for all open ports | Get the list of udp open ports"
shell: netstat -ant |grep "udp.*LISTEN" | awk '{ print $4 }'| sed 's/.*://'
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_3_4_4_1_4_oudp

12
tasks/section_3/cis_3.5.yml
View file

@ -2,15 +2,10 @@
- name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled"
block:
- name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available"
shell: rpm -q NetworkManager
# changed_when: false
# failed_when: false
check_mode: no
register: rhel_09_nmcli_available
- name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
shell: nmcli radio wifi
args:
warn: false
register: rhel_09_wifi_enabled
changed_when: rhel_09_wifi_enabled.stdout != "disabled"
failed_when: false
@ -18,10 +13,13 @@
- name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled"
shell: nmcli radio all off
args:
warn: false
changed_when: false
failed_when: false
when: rhel_09_wifi_enabled is changed
when:
- '"NetworkManager" in ansible_facts.packages'
- rhel9cis_rule_3_5
tags:
- level1-server

4
tasks/section_4/cis_4.1.1.x.yml
View file

@ -41,6 +41,8 @@
block:
- name: "4.1.1.3 | L2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX"
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
args:
warn: false
changed_when: false
failed_when: false
check_mode: no
@ -74,6 +76,8 @@
block:
- name: "4.1.1.4 | L2 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX"
shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
args:
warn: false
changed_when: false
failed_when: false
check_mode: no

2
tasks/section_4/cis_4.1.x.yml
View file

@ -121,6 +121,8 @@
block:
- name: "4.1.12 | L2 | AUDIT | Ensure successful file system mounts are collected"
shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
args:
warn: false
changed_when: false
failed_when: false
check_mode: no

2
tasks/section_4/cis_4.2.1.x.yml
View file

@ -44,6 +44,8 @@
block:
- name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out"
shell: cat /etc/rsyslog.conf
args:
warn: false
become: yes
changed_when: false
failed_when: no

2
tasks/section_4/cis_4.2.3.yml
View file

@ -2,6 +2,8 @@
- name: "4.2.3 | L1 | PATCH | Ensure permissions on all logfiles are configured"
shell: find /var/log -type f -exec chmod g-wx,o-rwx "{}" +
args:
warn: false
changed_when: false
failed_when: false
when:

2
tasks/section_5/cis_5.2.x.yml
View file

@ -334,7 +334,7 @@
- name: "5.2.20 | L1 | PATCH | Ensure system-wide crypto policy is not over-ridden"
shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
args:
warn: no
warn: false
notify: restart sshd
when:
- rhel9cis_rule_5_2_20

12
tasks/section_5/cis_5.3.x.yml
View file

@ -4,6 +4,8 @@
block:
- name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Gather profiles"
shell: 'authselect current | grep "Profile ID: custom/"'
args:
warn: false
failed_when: false
changed_when: false
check_mode: no
@ -18,7 +20,7 @@
- name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Create custom profiles"
shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
args:
warn: no
warn: false
when: rhel9cis_authselect_custom_profile_create
when:
- rhel9cis_rule_5_3_1
@ -34,7 +36,7 @@
- name: "5.3.2 | L1 | AUDIT | Select authselect profile | Gather profiles and enabled features"
shell: "authselect current"
args:
warn: no
warn: false
failed_when: false
changed_when: false
check_mode: no
@ -49,7 +51,7 @@
- name: "5.3.2 | L1 | PATCH | Select authselect profile | Create custom profiles"
shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}"
args:
warn: no
warn: false
when: rhel9cis_authselect_custom_profile_select
when:
- rhel9cis_rule_5_3_2
@ -64,6 +66,8 @@
block:
- name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
shell: "authselect current | grep with-faillock"
args:
warn: false
failed_when: false
changed_when: false
check_mode: no
@ -78,7 +82,7 @@
- name: "5.3.3 | L1 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
args:
warn: no
warn: false
when: rhel9cis_authselect_custom_profile_select
when:
- rhel9cis_rule_5_3_3

14
tasks/section_5/cis_5.5.1.x.yml
View file

@ -46,6 +46,8 @@
block:
- name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings"
shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
args:
warn: false
changed_when: false
failed_when: false
check_mode: no
@ -53,16 +55,22 @@
- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
args:
warn: false
when: rhel9cis_5_5_1_4_inactive_settings.stdout | length == 0
- name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1'
args:
warn: false
check_mode: no
register: rhel_09_5_5_1_4_audit
changed_when: false
- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
args:
warn: false
with_items:
- "{{ rhel_09_5_5_1_4_audit.stdout_lines }}"
when:
@ -77,6 +85,8 @@
block:
- name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time"
shell: echo $(($(date --utc --date "$1" +%s)/86400))
args:
warn: false
failed_when: false
changed_when: false
check_mode: no
@ -84,6 +94,8 @@
- name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_5_1_5_currentut.stdout }})print$1}'"
args:
warn: false
changed_when: false
failed_when: false
check_mode: no
@ -103,6 +115,8 @@
- name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
shell: passwd --expire {{ item }}
args:
warn: false
when:
- rhel9cis_5_5_1_5_user_list | length > 0
- rhel9cis_futurepwchgdate_autofix

2
tasks/section_5/cis_5.5.x.yml
View file

@ -64,6 +64,8 @@
- name: "5.5.4 | L1 | PATCH | Ensure default group for the root account is GID 0"
shell: usermod -g 0 root
args:
warn: false
changed_when: false
failed_when: false
when:

2
tasks/section_5/cis_5.6.yml
View file

@ -10,6 +10,8 @@
- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles"
shell: cat /etc/securetty
args:
warn: false
changed_when: false
register: rhel_09_5_6_audit
when: rhel9cis_securetty_check.stat.exists

12
tasks/section_6/cis_6.1.x.yml
View file

@ -5,7 +5,7 @@
- name: "6.1.1 | L2 | AUDIT | Audit system file permissions | Audit the packages"
shell: rpm -Va --nomtime --nosize --nomd5 --nolinkto
args:
warn: no
warn: false
changed_when: false
failed_when: false
register: rhel9cis_6_1_1_packages_rpm
@ -152,6 +152,8 @@
block:
- name: "6.1.10 | L1 | AUDIT | Ensure no world writable files exist | Get list of world-writable files"
shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
args:
warn: false
failed_when: false
changed_when: false
register: rhel_09_6_1_10_perms_results
@ -183,6 +185,8 @@
block:
- name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories"
shell: find "{{ item.mount }}" -xdev -nouser
args:
warn: false
check_mode: false
failed_when: false
changed_when: false
@ -209,6 +213,8 @@
block:
- name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories"
shell: find "{{ item.mount }}" -xdev -nogroup
args:
warn: false
check_mode: false
failed_when: false
changed_when: false
@ -235,6 +241,8 @@
block:
- name: "6.1.13 | L1 | AUDIT | Audit SUID executables | Find all SUID executables"
shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000
args:
warn: false
failed_when: false
changed_when: false
register: rhel_09_6_1_13_perms_results
@ -266,6 +274,8 @@
block:
- name: "6.1.14 | L1 | AUDIT | Audit SGID executables | Find all SGID executables"
shell: df {{ item.mount }} -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000
args:
warn: false
failed_when: false
changed_when: false
register: rhel_09_6_1_14_perms_results

40
tasks/section_6/cis_6.2.x.yml
View file

@ -2,6 +2,8 @@
- name: "6.2.1 | L1 | AUDIT | Ensure password fields are not empty"
shell: passwd -l {{ item }}
args:
warn: false
changed_when: false
failed_when: false
with_items: "{{ empty_password_accounts.stdout_lines }}"
@ -16,6 +18,8 @@
- name: "6.2.2 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd"
shell: sed -i '/^+/ d' /etc/passwd
args:
warn: false
changed_when: false
failed_when: false
when:
@ -31,6 +35,8 @@
block:
- name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine empty value"
shell: 'echo $PATH | grep ::'
args:
warn: false
check_mode: no
register: path_colon
changed_when: False
@ -38,6 +44,8 @@
- name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determin colon end"
shell: 'echo $PATH | grep :$'
args:
warn: false
check_mode: no
register: path_colon_end
changed_when: False
@ -45,6 +53,8 @@
- name: "6.2.3 | L1 | AUDIT | Ensure root PATH Integrity | Determine dot in path"
shell: "/bin/bash --login -c 'env | grep ^PATH=' | sed -e 's/PATH=//' -e 's/::/:/' -e 's/:$//' -e 's/:/\\n/g'"
args:
warn: false
check_mode: no
register: dot_in_path
changed_when: False
@ -75,6 +85,8 @@
- name: "6.2.4 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow"
shell: sed -i '/^+/ d' /etc/shadow
args:
warn: false
changed_when: false
failed_when: false
when:
@ -88,6 +100,8 @@
- name: "6.2.5 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/group"
shell: sed -i '/^+/ d' /etc/group
args:
warn: false
changed_when: false
failed_when: false
when:
@ -101,6 +115,8 @@
- name: "6.2.6 | L1 | PATCH | Ensure root is the only UID 0 account"
shell: passwd -l {{ item }}
args:
warn: false
changed_when: false
failed_when: false
with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}"
@ -123,6 +139,8 @@
- name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
shell: find -H {{ item.0 | quote }} -not -type l -perm /027
args:
warn: false
check_mode: false
changed_when: rhel_09_6_2_7_patch_audit.stdout | length > 0
register: rhel_09_6_2_7_patch_audit
@ -198,6 +216,8 @@
block:
- name: "6.2.9 | L1 | AUDIT | Ensure users' dot files are not group or world-writable | Check for files"
shell: find /home/ -name "\.*" -perm /g+w,o+w
args:
warn: false
changed_when: false
failed_when: false
register: rhel9cis_6_2_9_audit
@ -252,6 +272,8 @@
- name: "6.2.12 | L1 | PATCH | Ensure users' .netrc Files are not group or world accessible"
shell: /bin/true
args:
warn: false
changed_when: false
failed_when: false
when:
@ -279,6 +301,8 @@
block:
- name: "6.2.14 | L1 | AUDIT | Ensure all groups in /etc/passwd exist in /etc/group | Check /etc/passwd entries"
shell: pwck -r | grep 'no group' | awk '{ gsub("[:\47]",""); print $2}'
args:
warn: false
changed_when: false
failed_when: false
check_mode: false
@ -305,6 +329,8 @@
block:
- name: "6.2.15 | L1 | AUDIT | Ensure no duplicate UIDs exist | Check for duplicate UIDs"
shell: "pwck -r | awk -F: '{if ($3 in uid) print $1 ; else uid[$3]}' /etc/passwd"
args:
warn: false
changed_when: false
failed_when: false
register: user_uid_check
@ -330,6 +356,8 @@
block:
- name: "6.2.16 | L1 | AUDIT | Ensure no duplicate GIDs exist | Check for duplicate GIDs"
shell: "pwck -r | awk -F: '{if ($3 in users) print $1 ; else users[$3]}' /etc/group"
args:
warn: false
changed_when: false
failed_when: false
register: user_user_check
@ -355,6 +383,8 @@
block:
- name: "6.2.17 | L1 | AUDIT | Ensure no duplicate user names exist | Check for duplicate User Names"
shell: "pwck -r | awk -F: '{if ($1 in users) print $1 ; else users[$1]}' /etc/passwd"
args:
warn: false
changed_when: false
failed_when: false
register: user_username_check
@ -380,6 +410,8 @@
block:
- name: "6.2.18 | L1 | AUDIT | Ensure no duplicate group names exist | Check for duplicate group names"
shell: 'getent passwd | cut -d: -f1 | sort -n | uniq -d'
args:
warn: false
changed_when: false
failed_when: false
check_mode: no
@ -406,6 +438,8 @@
block:
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for shadow group and pull group id"
shell: "getent group shadow | cut -d: -f3"
args:
warn: false
changed_when: false
failed_when: false
check_mode: no
@ -413,6 +447,8 @@
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check /etc/group for empty shadow group"
shell: grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group
args:
warn: false
changed_when: false
failed_when: false
check_mode: no
@ -420,6 +456,8 @@
- name: "6.2.19 | L1 | AUDIT | Ensure shadow group is empty | Check for users assigned to shadow"
shell: "getent passwd | awk -F: '$4 == '{{ rhel9cis_shadow_gid.stdout }}' {print $1}'"
args:
warn: false
changed_when: false
failed_when: false
check_mode: no
@ -465,6 +503,8 @@
- name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist"
shell: find -H {{ item.0 | quote }} -not -type l -perm /027
args:
warn: false
check_mode: false
changed_when: rhel_09_6_2_20_patch_audit.stdout | length > 0
register: rhel_09_6_2_20_patch_audit