From b62a414abb71466f4e50eb41a7d7415fd8e057fe Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 21 Jul 2025 17:28:55 +0000 Subject: [PATCH 01/47] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/gitleaks/gitleaks: v8.27.2 → v8.28.0](https://github.com/gitleaks/gitleaks/compare/v8.27.2...v8.28.0) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a4d0a42..dec2081 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -41,7 +41,7 @@ repos: - id: detect-secrets - repo: https://github.com/gitleaks/gitleaks - rev: v8.27.2 + rev: v8.28.0 hooks: - id: gitleaks From 876e261d1f311a2add28b0c50b265649f17ebb97 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Aug 2025 09:53:09 +0100 Subject: [PATCH 02/47] fixed issues for permissions when using fetch thanks to @steve-hayes Signed-off-by: Mark Bolwell --- tasks/pre_remediation_audit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 61959fa..250f987 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -70,7 +70,7 @@ mode: 'go-rwx' - name: Pre Audit | Run pre_remediation audit {{ benchmark }} # noqa name[template] - ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length] + ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length] changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" From 4b62f0fc3518352b1d0d36758f7945bfa8fa05b9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 4 Aug 2025 09:56:30 +0100 Subject: [PATCH 03/47] Updated post steps inline with pre steps for file permissions Signed-off-by: Mark Bolwell --- tasks/post_remediation_audit.yml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 68e7035..357a23f 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,22 +1,13 @@ --- - name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template] - ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" + ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length] changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" AUDIT_CONTENT_LOCATION: "{{ audit_conf_dest | default('/opt') }}" AUDIT_FILE: goss.yml -- name: Post Audit | ensure audit files readable by users - ansible.builtin.file: - path: "{{ item }}" - mode: '0644' - state: file - loop: - - "{{ post_audit_outfile }}" - - "{{ pre_audit_outfile }}" - - name: Post Audit | Capture audit data if json format when: audit_format == "json" block: From cfbbb3339a988f65512c180bfe6667f90ce13c53 Mon Sep 17 00:00:00 2001 From: Michael Hicks Date: Mon, 11 Aug 2025 15:12:17 -0700 Subject: [PATCH 04/47] renames 3 uses of ansible.builtin.systemd_service to ansible.builtin.systemd to maintain ansible 2.12+ compat. Fixes #379 Signed-off-by: Michael Hicks --- handlers/main.yml | 2 +- tasks/section_6/cis_6.1.x.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/handlers/main.yml b/handlers/main.yml index 1894300..1ef6ccf 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -263,7 +263,7 @@ listen: Restart auditd - name: Start auditd process - ansible.builtin.systemd_service: + ansible.builtin.systemd: name: auditd state: started listen: Restart auditd diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 1db531b..a29118a 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -91,13 +91,13 @@ - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service" when: rhel9cis_aide_scan == "timer" - ansible.builtin.systemd_service: + ansible.builtin.systemd: name: aidecheck.service enabled: true - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service" when: rhel9cis_aide_scan == "timer" - ansible.builtin.systemd_service: + ansible.builtin.systemd: name: aidecheck.timer state: started enabled: true From 553f18e9926bb6e6ba7772e470375b44c709bdf5 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Aug 2025 15:13:33 +0100 Subject: [PATCH 05/47] updated pre-commit-hooks version Signed-off-by: Mark Bolwell --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index dec2081..aa27650 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,7 +7,7 @@ ci: repos: - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 + rev: v6.0.0 hooks: # Safety - id: detect-aws-credentials From b21569c62dd7a15c269c9c928a2c61c4c5a81d9b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Aug 2025 16:00:36 +0100 Subject: [PATCH 06/47] added update for gdm and giu packages Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 ++ tasks/section_1/main.yml | 1 + 2 files changed, 3 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index d50aecf..98efbba 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -617,6 +617,8 @@ rhel9cis_warning_banner: Authorized users only. All activity may be monitored an # End Banner ## Control 1.8.x - Settings for GDM +# do not run Control 1.8.x if using a display manager different than gdm +rhel10cis_display_manager: "gdm" # This variable governs whether rules dealing with GUI specific packages(and/or their settings) should # be executed either to: # - secure GDM, if GUI is needed('rhel9cis_gui: true') diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index c540fab..29687b3 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -61,5 +61,6 @@ file: cis_1.7.x.yml - name: "SECTION | 1.8 | Gnome Display Manager" + when: rhel10cis_display_manager == 'gdm' ansible.builtin.import_tasks: file: cis_1.8.x.yml From fd2bfb7437215591945e4c0261f651f8e5eb04b0 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Aug 2025 16:03:11 +0100 Subject: [PATCH 07/47] improved prelim tests for 5.2.4 Signed-off-by: Mark Bolwell --- tasks/main.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 460acc8..191ea25 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -93,11 +93,14 @@ block: - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set" # noqa name[template] ansible.builtin.assert: - that: - - prelim_ansible_user_password_set.stdout | length != 0 - - prelim_ansible_user_password_set.stdout != "!!" - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access" - success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user" + that: | + ( + ((prelim_ansible_user_password_set.stdout | length != 0) and (prelim_ansible_user_password_set.stdout != "!!" )) + or + (ansible_env.SUDO_USER in rhel10cis_sudoers_exclude_nopasswd_list) + ) + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access" + success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4" - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked" # noqa name[template] ansible.builtin.assert: From cddad90a236347d6e20841488371363809bd2b99 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Aug 2025 16:04:07 +0100 Subject: [PATCH 08/47] enabled different locale characters in password check Signed-off-by: Mark Bolwell --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 191ea25..83aff0c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -134,7 +134,7 @@ - rule_5.4.2.4 block: - name: "Ensure root password is set" - ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)" + ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)" changed_when: false failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ] register: prelim_root_passwd_set From 7428f269e74586716c11bb9404c240cd9cc39007 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Aug 2025 16:09:51 +0100 Subject: [PATCH 09/47] changed rsyslog to insert before line134 Signed-off-by: Mark Bolwell --- tasks/section_6/cis_6.2.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml index 9d26acf..eaa3bd1 100644 --- a/tasks/section_6/cis_6.2.3.x.yml +++ b/tasks/section_6/cis_6.2.3.x.yml @@ -131,7 +131,7 @@ *.=warning;*.=err -/var/log/warn *.crit /var/log/warn *.*;mail.none;news.none /var/log/messages - insertafter: '#### RULES ####' + insertbefore: '# ### sample forwarding rule ###' notify: Restart rsyslog - name: "6.2.3.5 | PATCH | Ensure logging is configured | Local log settings" From f0fb7011226b5f25f34766bbe07f71eeae5279ea Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Aug 2025 16:10:37 +0100 Subject: [PATCH 10/47] updated var naming on 5.4.2.5 Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_5/cis_5.4.2.x.yml b/tasks/section_5/cis_5.4.2.x.yml index b3dd7d9..b291cc2 100644 --- a/tasks/section_5/cis_5.4.2.x.yml +++ b/tasks/section_5/cis_5.4.2.x.yml @@ -139,7 +139,7 @@ ansible.builtin.stat: path: "{{ item }}" loop: "{{ discovered_root_paths_split.stdout_lines }}" - register: paths_stat + register: discovered_root_paths_stat - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Create dirs for some paths that are not dirs" ansible.builtin.file: @@ -148,7 +148,7 @@ owner: root group: root mode: 'go-w' - loop: "{{ paths_stat.results }}" + loop: "{{ discovered_root_paths_stat.results }}" when: not item.stat.exists - name: "5.4.2.5 | AUDIT | Ensure root PATH Integrity | Check for empty dirs" From f8d95213671abb8a0bfc39a6144380f1e22e8c26 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 15 Aug 2025 16:19:07 +0100 Subject: [PATCH 11/47] updated Signed-off-by: Mark Bolwell --- Changelog.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Changelog.md b/Changelog.md index b6db646..68ba2d4 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,12 @@ # Changes to rhel9CIS +## 2.0.3 - Based on CIS v2.0.0 + +- addressed issue 371 thanks to @bgro and kodebach +- addressed issue 350 thanks to @chrispipo +- addressed issue 364 thanks to @polski-g +- pre-commit update + ## 2.0.2 - Based on CIS v2.0.0 - Update to audit_only to allow fetching results From 7af8f5fe2426aba27d477e40f22c1df8cf658b06 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 25 Aug 2025 17:29:58 +0000 Subject: [PATCH 12/47] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v25.6.1 → v25.8.2](https://github.com/ansible-community/ansible-lint/compare/v25.6.1...v25.8.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index aa27650..4ae1ee6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.6.1 + rev: v25.8.2 hooks: - id: ansible-lint name: Ansible-lint From 88507f95166a0be477f87df1c71df15aa48ac489 Mon Sep 17 00:00:00 2001 From: polski-g Date: Thu, 28 Aug 2025 13:15:29 -0400 Subject: [PATCH 13/47] 5.4.1.1: shell command should run in check_mode Signed-off-by: polski-g --- tasks/section_5/cis_5.4.1.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 7fcfb0b..58cd936 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -24,6 +24,7 @@ ansible.builtin.shell: "awk -F: '(/^[^:]+:[^!*]/ && ($5> {{ rhel9cis_pass_max_days }} || $5< {{ rhel9cis_pass_max_days }} || $5 == -1)){print $1}' /etc/shadow" changed_when: false failed_when: false + check_mode: false register: discovered_max_days - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less | Set existing users PASS_MAX_DAYS" From de7555aa1045fb30caeb292f34d74a9ad8e69920 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 2 Sep 2025 17:14:30 -0400 Subject: [PATCH 14/47] Update Changelog with fixes Signed-off-by: Frederick Witty --- Changelog.md | 2 +- tasks/prelim.yml | 20 +++++++------------- tasks/section_1/cis_1.6.x.yml | 5 +++-- tasks/section_4/cis_4.3.x.yml | 2 +- 4 files changed, 12 insertions(+), 17 deletions(-) diff --git a/Changelog.md b/Changelog.md index 68ba2d4..af7476e 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,7 +1,7 @@ # Changes to rhel9CIS ## 2.0.3 - Based on CIS v2.0.0 - +- update command to shell module on tasks - addressed issue 371 thanks to @bgro and kodebach - addressed issue 350 thanks to @chrispipo - addressed issue 364 thanks to @polski-g diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 715b0cb..bd69172 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -167,6 +167,7 @@ current_crypto_module: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[1] }}" - name: "PRELIM | AUDIT | Set facts based on boot type" + tags: always block: - name: "PRELIM | AUDIT | Check whether machine is UEFI-based" ansible.builtin.stat: @@ -185,17 +186,14 @@ grub2_path: /etc/grub2-efi.cfg - name: "PRELIM | AUDIT | Discover Gnome Desktop Environment" - tags: - - always + tags: always ansible.builtin.stat: path: /usr/share/gnome/gnome-version.xml register: prelim_gnome_present - name: "PRELIM | PATCH | Install dconf if gui installed" - when: - - rhel9cis_gui - tags: - - always + when: rhel9cis_gui + tags: always ansible.builtin.package: name: dconf state: present @@ -204,8 +202,7 @@ when: - rhel9cis_rule_3_1_2 - not system_is_container - tags: - - always + tags: always block: - name: "PRELIM | AUDIT | Discover is wireless adapter on system" ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless @@ -251,9 +248,7 @@ state: touch - name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists" - when: - - rhel9cis_rule_5_1_10 or - rhel9cis_rule_5_1_11 + when: rhel9cis_rule_5_1_10 or rhel9cis_rule_5_1_11 ansible.builtin.stat: path: /etc/ssh/sshd_config.d/50-redhat.conf register: prelim_sshd_50_redhat_file @@ -361,7 +356,6 @@ prelim_max_int_uid: "{{ prelim_uid_max_id.stdout | default(max_int_uid) }}" - name: "PRELIM | AUDIT | Gather the package facts after prelim" - tags: - - always + tags: always ansible.builtin.package_facts: manager: auto diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index c418324..0530645 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -21,12 +21,14 @@ tags: - level1-server - level1-workstation + - sshd - automated - patch - rule_1.6.2 - NIST800-53R5_SC-8 - NIST800-53R5_IA-5 - - NIST800-53R5_AC-17- NIST800-53R5_SC-6 + - NIST800-53R5_AC-17 + - NIST800-53R5_SC-6 ansible.builtin.lineinfile: path: /etc/sysconfig/sshd regexp: ^CRYPTO_POLICY\s*= @@ -76,7 +78,6 @@ - rule_1.6.4 - NIST800-53R5_SC-6 block: - - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion" ansible.builtin.template: src: etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2 diff --git a/tasks/section_4/cis_4.3.x.yml b/tasks/section_4/cis_4.3.x.yml index 4e23998..4398df2 100644 --- a/tasks/section_4/cis_4.3.x.yml +++ b/tasks/section_4/cis_4.3.x.yml @@ -81,7 +81,7 @@ register: discovered_nftables_inconnectionrule - name: "4.3.2 | AUDIT | Ensure nftables established connections are configured | Gather outbound connection rules" - ansible.builtin.command: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' + ansible.builtin.shell: nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state' changed_when: false failed_when: false register: discovered_nftables_outconnectionrule From 1c9c1b919c77e747bd1bfab5a414c849f10b3655 Mon Sep 17 00:00:00 2001 From: polski-g Date: Wed, 3 Sep 2025 09:55:00 -0400 Subject: [PATCH 15/47] 1.4.2: grep command should run in check_mode Signed-off-by: polski-g --- tasks/section_1/cis_1.4.x.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index c6c3aac..5969dff 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -52,6 +52,7 @@ - name: "1.4.2 | AUDIT | Ensure permissions on bootloader config are configured | efi based system | capture current state" ansible.builtin.shell: grep "^[^#;]" /etc/fstab | grep '/boot/efi' | awk -F" " '{print $4}' changed_when: false + check_mode: false register: discovered_efi_fstab - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options" From b0ec6c48208d026e59939c6b9750e033a6bc00d0 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 5 Sep 2025 16:24:11 -0400 Subject: [PATCH 16/47] Fix for #384, thank you @polski-g Signed-off-by: Frederick Witty --- Changelog.md | 1 + defaults/main.yml | 2 +- tasks/main.yml | 2 +- tasks/section_1/main.yml | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Changelog.md b/Changelog.md index af7476e..fb4a9f4 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changes to rhel9CIS ## 2.0.3 - Based on CIS v2.0.0 +- addressed issue #384 thank you @polski-g - update command to shell module on tasks - addressed issue 371 thanks to @bgro and kodebach - addressed issue 350 thanks to @chrispipo diff --git a/defaults/main.yml b/defaults/main.yml index 98efbba..344e195 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -618,7 +618,7 @@ rhel9cis_warning_banner: Authorized users only. All activity may be monitored an ## Control 1.8.x - Settings for GDM # do not run Control 1.8.x if using a display manager different than gdm -rhel10cis_display_manager: "gdm" +rhel9cis_display_manager: "gdm" # This variable governs whether rules dealing with GUI specific packages(and/or their settings) should # be executed either to: # - secure GDM, if GUI is needed('rhel9cis_gui: true') diff --git a/tasks/main.yml b/tasks/main.yml index 83aff0c..968debd 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -97,7 +97,7 @@ ( ((prelim_ansible_user_password_set.stdout | length != 0) and (prelim_ansible_user_password_set.stdout != "!!" )) or - (ansible_env.SUDO_USER in rhel10cis_sudoers_exclude_nopasswd_list) + (ansible_env.SUDO_USER in rhel9cis_sudoers_exclude_nopasswd_list) ) fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set or or the user is not included in the exception list for rule 5.2.4 - It can break access" success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user or the user is included in the exception list for rule 5.2.4" diff --git a/tasks/section_1/main.yml b/tasks/section_1/main.yml index 29687b3..fff557b 100644 --- a/tasks/section_1/main.yml +++ b/tasks/section_1/main.yml @@ -61,6 +61,6 @@ file: cis_1.7.x.yml - name: "SECTION | 1.8 | Gnome Display Manager" - when: rhel10cis_display_manager == 'gdm' + when: rhel9cis_display_manager == 'gdm' ansible.builtin.import_tasks: file: cis_1.8.x.yml From 413ccb96b7131dcc7c3427cf806758b7223b8038 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 5 Sep 2025 16:39:55 -0400 Subject: [PATCH 17/47] Update cryto policy based controls with improved logic Signed-off-by: Frederick Witty --- Changelog.md | 1 + defaults/main.yml | 1 + tasks/prelim.yml | 3 +-- tasks/section_1/cis_1.6.x.yml | 9 ++++++++- tasks/section_5/cis_5.1.x.yml | 3 +++ 5 files changed, 14 insertions(+), 3 deletions(-) diff --git a/Changelog.md b/Changelog.md index fb4a9f4..252418c 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changes to rhel9CIS ## 2.0.3 - Based on CIS v2.0.0 +- improvment on crypto policy managed controls with var logic - addressed issue #384 thank you @polski-g - update command to shell module on tasks - addressed issue 371 thanks to @bgro and kodebach diff --git a/defaults/main.yml b/defaults/main.yml index 344e195..b829873 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -595,6 +595,7 @@ rhel9cis_set_boot_pass: true # -'FIPS': A level that conforms to the FIPS140-2 requirements rhel9cis_crypto_policy: 'DEFAULT' ## Controls 1.6.x and Controls 5.1.x +rhel9cis_crypto_policy_ansible_managed: true # This variable contains the value of the crypto policy module(combinations of policies and # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, # using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index bd69172..1368993 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -136,8 +136,7 @@ register: prelim_systemd_coredump - name: "PRELIM | PATCH | Setup crypto-policy" - when: - - rhel9cis_rule_1_6_1 + when: rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 0530645..6f3d6af 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -1,7 +1,9 @@ --- - name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy" - when: rhel9cis_rule_1_6_1 + when: + - rhel9cis_rule_1_6_1 + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation @@ -39,6 +41,7 @@ when: - rhel9cis_rule_1_6_3 - "'NO-SHA1' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation @@ -69,6 +72,7 @@ when: - rhel9cis_rule_1_6_4 - "'NO-WEAKMAC' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation @@ -99,6 +103,7 @@ when: - rhel9cis_rule_1_6_5 - "'NO-SSHCBC' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation @@ -129,6 +134,7 @@ when: - rhel9cis_rule_1_6_6 - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation @@ -159,6 +165,7 @@ when: - rhel9cis_rule_1_6_7 - "'NO-SSHETM' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 3fd366c..ee384d3 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -80,6 +80,7 @@ when: - rhel9cis_rule_5_1_4 - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation @@ -108,6 +109,7 @@ when: - rhel9cis_rule_5_1_5 - "'NO-SHA1' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation @@ -136,6 +138,7 @@ when: - rhel9cis_rule_5_1_6 - "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module" + - rhel9cis_crypto_policy_ansible_managed tags: - level1-server - level1-workstation From 2dfa9266a8ce9f0d08b210302c523e8b8058e0f8 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 8 Sep 2025 11:54:57 -0400 Subject: [PATCH 18/47] Update cryto policy var to standard Signed-off-by: Frederick Witty --- defaults/main.yml | 6 +++--- tasks/prelim.yml | 2 +- tasks/section_1/cis_1.6.x.yml | 12 ++++++------ tasks/section_5/cis_5.1.x.yml | 6 +++--- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index b829873..c46ece3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -586,7 +586,9 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' # pr # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file. rhel9cis_set_boot_pass: true -## Controls 1.6.x +## Controls 1.6.x and Controls 5.1.x +# This variable governs if current Ansible role should manage system-wide crypto policy. +rhel9cis_crypto_policy_ansiblemanaged: true # This variable contains the value to be set as the system-wide crypto policy. Current rule enforces NOT USING # 'LEGACY' value(as it is less secure, it just ensures compatibility with legacy systems), therefore # possible values for this variable are, as explained by RedHat docs: @@ -594,8 +596,6 @@ rhel9cis_set_boot_pass: true # -'FUTURE': conservative security level that is believed to withstand any near-term future attacks # -'FIPS': A level that conforms to the FIPS140-2 requirements rhel9cis_crypto_policy: 'DEFAULT' -## Controls 1.6.x and Controls 5.1.x -rhel9cis_crypto_policy_ansible_managed: true # This variable contains the value of the crypto policy module(combinations of policies and # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file, # using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1368993..7321267 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -136,7 +136,7 @@ register: prelim_systemd_coredump - name: "PRELIM | PATCH | Setup crypto-policy" - when: rhel9cis_crypto_policy_ansible_managed + when: rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml index 6f3d6af..8aace04 100644 --- a/tasks/section_1/cis_1.6.x.yml +++ b/tasks/section_1/cis_1.6.x.yml @@ -3,7 +3,7 @@ - name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy" when: - rhel9cis_rule_1_6_1 - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -41,7 +41,7 @@ when: - rhel9cis_rule_1_6_3 - "'NO-SHA1' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -72,7 +72,7 @@ when: - rhel9cis_rule_1_6_4 - "'NO-WEAKMAC' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -103,7 +103,7 @@ when: - rhel9cis_rule_1_6_5 - "'NO-SSHCBC' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -134,7 +134,7 @@ when: - rhel9cis_rule_1_6_6 - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -165,7 +165,7 @@ when: - rhel9cis_rule_1_6_7 - "'NO-SSHETM' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index ee384d3..42ca036 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -80,7 +80,7 @@ when: - rhel9cis_rule_5_1_4 - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -109,7 +109,7 @@ when: - rhel9cis_rule_5_1_5 - "'NO-SHA1' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation @@ -138,7 +138,7 @@ when: - rhel9cis_rule_5_1_6 - "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module" - - rhel9cis_crypto_policy_ansible_managed + - rhel9cis_crypto_policy_ansiblemanaged tags: - level1-server - level1-workstation From 5794114b3e2207655b173a098c0b01bdc9a2474a Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 9 Sep 2025 15:12:01 -0400 Subject: [PATCH 19/47] Update prelim logic to address #382 Signed-off-by: Frederick Witty --- Changelog.md | 1 + tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 252418c..9e27290 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changes to rhel9CIS ## 2.0.3 - Based on CIS v2.0.0 +- addressed issue #382 to improve regex logic on 5.4.2.4 - improvment on crypto policy managed controls with var logic - addressed issue #384 thank you @polski-g - update command to shell module on tasks diff --git a/tasks/main.yml b/tasks/main.yml index 968debd..760ee1b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -134,7 +134,7 @@ - rule_5.4.2.4 block: - name: "Ensure root password is set" - ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)" + ansible.builtin.shell: LC_ALL=C passwd -S root | grep -E "(Password set|Password locked)" changed_when: false failed_when: prelim_root_passwd_set.rc not in [ 0, 1 ] register: prelim_root_passwd_set From e61cafb59be8b9c447fab098d9e3acb77de723dd Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 9 Sep 2025 15:59:30 -0400 Subject: [PATCH 20/47] addressed issue #387, thank you @fragglexarmy Signed-off-by: Frederick Witty --- Changelog.md | 1 + tasks/section_5/cis_5.4.1.x.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 9e27290..099c93d 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,6 +1,7 @@ # Changes to rhel9CIS ## 2.0.3 - Based on CIS v2.0.0 +- addressed issue #387, thank you @fragglexarmy - addressed issue #382 to improve regex logic on 5.4.2.4 - improvment on crypto policy managed controls with var logic - addressed issue #384 thank you @polski-g diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index 7fcfb0b..3ea1c99 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -64,7 +64,7 @@ - rhel9cis_force_user_mindays ansible.builtin.user: name: "{{ item }}" - password_expire_max: "{{ rhel9cis_pass_min_days }}" + password_expire_min: "{{ rhel9cis_pass_min_days }}" loop: "{{ discovered_min_days.stdout_lines }}" - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured" From d92ec8c5640319995ea3f33e3409f8c9d0230d75 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 9 Sep 2025 16:31:14 -0400 Subject: [PATCH 21/47] typo fix Signed-off-by: Frederick Witty --- Changelog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 099c93d..ec3d9aa 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,7 +3,7 @@ ## 2.0.3 - Based on CIS v2.0.0 - addressed issue #387, thank you @fragglexarmy - addressed issue #382 to improve regex logic on 5.4.2.4 -- improvment on crypto policy managed controls with var logic +- improvement on crypto policy managed controls with var logic - addressed issue #384 thank you @polski-g - update command to shell module on tasks - addressed issue 371 thanks to @bgro and kodebach From 392c3f90161f23b61a9eba5f4166073318a5f21e Mon Sep 17 00:00:00 2001 From: polski-g Date: Tue, 2 Sep 2025 12:15:45 -0400 Subject: [PATCH 22/47] Support section 5 modularization corrected trailing whitespace Signed-off-by: polski-g --- defaults/main.yml | 6 ++++ tasks/section_5/main.yml | 65 +++++++++++++++++++++++----------------- 2 files changed, 44 insertions(+), 27 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 98efbba..ed3cf59 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -18,11 +18,17 @@ rhel9cis_disruption_high: true # These variables govern whether the tasks of a particular section are to be executed when running the role. # E.g: If you want to execute the tasks of Section 1 you should set the "_section1" variable to true. # If you do not want the tasks from that section to get executed you simply set the variable to "false". +# Some sections support sub-section modularization. The super-section and sub-section must both be true +# for the sub-section to execute. rhel9cis_section1: true rhel9cis_section2: true rhel9cis_section3: true rhel9cis_section4: true rhel9cis_section5: true +rhel9cis_section5_1: true +rhel9cis_section5_2: true +rhel9cis_section5_3: true +rhel9cis_section5_4: true rhel9cis_section6: true rhel9cis_section7: true diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index ae908ac..c4dacff 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -5,45 +5,56 @@ - name: "SECTION | 5.1 | Configure SSH Server" when: - "'openssh-server' in ansible_facts.packages" + - rhel9cis_section5_1 ansible.builtin.import_tasks: file: cis_5.1.x.yml - name: "SECTION | 5.2 | Configure privilege escalation" + when: + - - rhel9cis_section5_2 ansible.builtin.import_tasks: file: cis_5.2.x.yml -- name: "SECTION | 5.3.1.x | Configure PAM software packages" - ansible.builtin.import_tasks: - file: cis_5.3.1.x.yml +- name: "SECTION | 5.3" + when: + - rhel9cis_section5_3 + block: + - name: "SECTION | 5.3.1.x | Configure PAM software packages" + ansible.builtin.import_tasks: + file: cis_5.3.1.x.yml -- name: "SECTION | 5.3.2.x | Configure authselect" - ansible.builtin.import_tasks: - file: cis_5.3.2.x.yml + - name: "SECTION | 5.3.2.x | Configure authselect" + ansible.builtin.import_tasks: + file: cis_5.3.2.x.yml -- name: "SECTION | 5.3.3.1.x | Configure pam_faillock module" - ansible.builtin.import_tasks: - file: cis_5.3.3.1.x.yml + - name: "SECTION | 5.3.3.1.x | Configure pam_faillock module" + ansible.builtin.import_tasks: + file: cis_5.3.3.1.x.yml -- name: "SECTION | 5.3.3.2.x | Configure pam_pwquality module" - ansible.builtin.import_tasks: - file: cis_5.3.3.2.x.yml + - name: "SECTION | 5.3.3.2.x | Configure pam_pwquality module" + ansible.builtin.import_tasks: + file: cis_5.3.3.2.x.yml -- name: "SECTION | 5.3.3.3.x | Configure pam_pwhistory module" - ansible.builtin.import_tasks: - file: cis_5.3.3.3.x.yml + - name: "SECTION | 5.3.3.3.x | Configure pam_pwhistory module" + ansible.builtin.import_tasks: + file: cis_5.3.3.3.x.yml -- name: "SECTION | 5.3.3.4.x | Configure pam_unix module" - ansible.builtin.import_tasks: - file: cis_5.3.3.4.x.yml + - name: "SECTION | 5.3.3.4.x | Configure pam_unix module" + ansible.builtin.import_tasks: + file: cis_5.3.3.4.x.yml -- name: "SECTION | 5.4.1.x | Configure shadow password suite parameters" - ansible.builtin.import_tasks: - file: cis_5.4.1.x.yml +- name: "SECTION | 5.4" + when: + - rhel9cis_section5_4 + block: + - name: "SECTION | 5.4.1.x | Configure shadow password suite parameters" + ansible.builtin.import_tasks: + file: cis_5.4.1.x.yml -- name: "SECTION | 5.4.2.x | Configure root and system accounts and environment" - ansible.builtin.import_tasks: - file: cis_5.4.2.x.yml + - name: "SECTION | 5.4.2.x | Configure root and system accounts and environment" + ansible.builtin.import_tasks: + file: cis_5.4.2.x.yml -- name: "SECTION | 5.4.3.x | Configure user default environment" - ansible.builtin.import_tasks: - file: cis_5.4.3.x.yml + - name: "SECTION | 5.4.3.x | Configure user default environment" + ansible.builtin.import_tasks: + file: cis_5.4.3.x.yml From 2557470054c9d784bcda461299ee9f542865b7a8 Mon Sep 17 00:00:00 2001 From: polski-g Date: Thu, 28 Aug 2025 13:55:41 -0400 Subject: [PATCH 23/47] 5.3.2.2: fix regex failing to match whitespace Fixed yamllint (colons) issues Signed-off-by: polski-g --- tasks/section_5/cis_5.3.2.x.yml | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/tasks/section_5/cis_5.3.2.x.yml b/tasks/section_5/cis_5.3.2.x.yml index 5917019..6e1919c 100644 --- a/tasks/section_5/cis_5.3.2.x.yml +++ b/tasks/section_5/cis_5.3.2.x.yml @@ -91,9 +91,15 @@ insertafter: "{{ item.after | default(omit) }}" line: "{{ item.line }}" loop: - - { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" } - - { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" } - - { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: "account required pam_faillock.so" } + - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth" + after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons + line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail" + before: "auth\\s+required\\s+pam_deny.so" + line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + - regexp: "account\\s+required\\s+pam_faillock.so" + before: "account\\s+required\\s+pam_unix.so" + line: "account required pam_faillock.so" # yamllint disable-line rule:colons - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add lines password-auth" when: not rhel9cis_allow_authselect_updates @@ -104,9 +110,15 @@ insertafter: "{{ item.after | default(omit) }}" line: "{{ item.line }}" loop: - - { regexp: auth\s*required\s*pam_faillock.so preauth, after: auth\s*required\s*pam_env.so, line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" } - - { regexp: auth\s*required\s*pam_faillock.so authfail, before: auth\s*required\s*pam_deny.so, line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" } - - { regexp: account\s*required\s*pam_faillock.so, before: account\s*required\s*pam_unix.so, line: "account required pam_faillock.so" } + - regexp: "auth\\s+required\\s+pam_faillock.so\\s+preauth" + after: "auth\\s+required\\s+pam_env.so" # yamllint disable-line rule:colons + line: "auth required pam_faillock.so preauth silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + - regexp: "auth\\s+required\\s+pam_faillock.so\\s+authfail" + before: "auth\\s+required\\s+pam_deny.so" + line: "auth required pam_faillock.so authfail silent deny=3 unlock_timeout={{ rhel9cis_pam_faillock_unlock_time }}" # yamllint disable-line rule:colons + - regexp: "account\\s+required\\s+pam_faillock.so" + before: "account\\s+required\\s+pam_unix.so" + line: "account required pam_faillock.so" # yamllint disable-line rule:colons - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled" when: From 03d42ba8ced44b8fe8e3f23b2d449753826c62b2 Mon Sep 17 00:00:00 2001 From: Danny Beuker Date: Mon, 22 Sep 2025 09:57:55 +0200 Subject: [PATCH 24/47] Suggestion for the missing assert parameter Signed-off-by: Danny Beuker --- tasks/pre_remediation_audit.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index 250f987..cf8d8c7 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -57,6 +57,7 @@ - name: Pre Audit Setup | If audit ensure goss is available when: not prelim_goss_available.stat.exists ansible.builtin.assert: + that: prelim_goss_available['stat']['exists'] == true msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}" - name: Pre Audit Setup | Copy ansible default vars values to test audit From 2c0b5134b15331ff375963f23749229ee15e16bb Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 22 Sep 2025 17:39:44 +0000 Subject: [PATCH 25/47] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v25.8.2 → v25.9.0](https://github.com/ansible-community/ansible-lint/compare/v25.8.2...v25.9.0) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4ae1ee6..7fd561a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.8.2 + rev: v25.9.0 hooks: - id: ansible-lint name: Ansible-lint From d63f58972deb487e5119405d74b536aa58ab0e97 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Oct 2025 10:32:24 +0100 Subject: [PATCH 26/47] fixed typo Signed-off-by: Mark Bolwell --- tasks/section_5/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/main.yml b/tasks/section_5/main.yml index c4dacff..09a2fdd 100644 --- a/tasks/section_5/main.yml +++ b/tasks/section_5/main.yml @@ -11,7 +11,7 @@ - name: "SECTION | 5.2 | Configure privilege escalation" when: - - - rhel9cis_section5_2 + - rhel9cis_section5_2 ansible.builtin.import_tasks: file: cis_5.2.x.yml From d2b371432eb6959cf2fb62def22434e5d2c06263 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Oct 2025 10:32:52 +0100 Subject: [PATCH 27/47] issue #393 addressed thanks to @fragglexarmy Signed-off-by: Mark Bolwell --- tasks/section_5/cis_5.4.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.4.1.x.yml b/tasks/section_5/cis_5.4.1.x.yml index ea6eb11..badca42 100644 --- a/tasks/section_5/cis_5.4.1.x.yml +++ b/tasks/section_5/cis_5.4.1.x.yml @@ -94,7 +94,7 @@ - discovered_warn_days.stdout_lines | length > 0 - item in prelim_interactive_users | map(attribute='username') | list - rhel9cis_force_user_warnage - ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}" + ansible.builtin.command: "chage --warndays {{ rhel9cis_pass_warn_age }} {{ item }}" changed_when: true loop: "{{ discovered_warn_days.stdout_lines }}" From ed5942f4941c2e6331a9ae5f0444ba609e9e397e Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Oct 2025 10:37:12 +0100 Subject: [PATCH 28/47] workflows updated Signed-off-by: Mark Bolwell --- .../workflows/devel_pipeline_validation.yml | 242 +++++++++--------- .../workflows/main_pipeline_validation.yml | 223 ++++++++-------- 2 files changed, 229 insertions(+), 236 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index 10750a2..deac4d7 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -4,16 +4,16 @@ on: # yamllint disable-line rule:truthy pull_request_target: - types: [opened, reopened, synchronize] - branches: - - devel - - benchmark* - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' + types: [opened, reopened, synchronize] + branches: + - devel + - benchmark* + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' # Allow manual running of workflow workflow_dispatch: @@ -27,133 +27,131 @@ # that can run sequentially or in parallel jobs: # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest + welcome: + runs-on: ubuntu-latest - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. + steps: + - uses: actions/first-interaction@main + with: + repo_token: ${{ secrets.GITHUB_TOKEN }} + issue_message: |- + Congrats on opening your first issue and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. + pr_message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. - # This workflow contains a single job that tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: self-hosted - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - AWS_REGION: "us-east-1" - ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - # working-directory: .github/workflows + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION: "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows - steps: + steps: - - name: Git clone the lockdown repository to test - uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.head.sha }} + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} - - name: If a variable for IAC_BRANCH is set use that branch - working-directory: .github/workflows - run: | - if [ ${{ vars.IAC_BRANCH }} != '' ]; then - echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV - echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" - else - echo IAC_BRANCH=main >> $GITHUB_ENV - fi + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi - # Pull in terraform code for linux servers - - name: Clone GitHub IaC plan - uses: actions/checkout@v4 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - ref: ${{ env.IAC_BRANCH }} + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} - # Uses dedicated restricted role and policy to enable this only for this task - # No credentials are part of github for AWS auth - - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@main - with: - role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} - role-session-name: ${{ secrets.AWS_ROLE_SESSION }} - aws-region: ${{ env.AWS_REGION }} + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} - - name: DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" - echo "VPC_ID" = $AWS_VPC_SECGRP_ID" - pwd - ls - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} - VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - name: Tofu init - id: init - run: tofu init - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - name: Tofu validate - id: validate - run: tofu validate - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - name: Tofu apply - id: apply - env: - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} - TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} - run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml - # Aws deployments taking a while to come up insert sleep or playbook fails + # Aws deployments taking a while to come up insert sleep or playbook fails - - name: Sleep to allow system to come up - run: sleep ${{ vars.BUILD_SLEEPTIME }} + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansible playbook - - name: Run_Ansible_Playbook - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - run: | - /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml - # Remove test system - User secrets to keep if necessary + # Remove test system - User secrets to keep if necessary - - name: Tofu Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} - TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} - run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false + - name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml index 6792a00..6c1d2ea 100644 --- a/.github/workflows/main_pipeline_validation.yml +++ b/.github/workflows/main_pipeline_validation.yml @@ -4,16 +4,16 @@ on: # yamllint disable-line rule:truthy pull_request_target: - types: [opened, reopened, synchronize] - branches: - - main - - latest - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' + types: [opened, reopened, synchronize] + branches: + - main + - latest + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' # Allow permissions for AWS auth permissions: @@ -24,123 +24,118 @@ # A workflow run is made up of one or more jobs # that can run sequentially or in parallel jobs: + # This workflow contains a single job that tests the playbook + playbook-test: + # The type of runner that the job will run on + runs-on: self-hosted + env: + ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} + # Imported as a variable by terraform + TF_VAR_repository: ${{ github.event.repository.name }} + AWS_REGION : "us-east-1" + ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} + defaults: + run: + shell: bash + working-directory: .github/workflows/github_linux_IaC + # working-directory: .github/workflows - # This workflow contains a single job that tests the playbook - playbook-test: - # The type of runner that the job will run on - runs-on: self-hosted - env: - ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} - # Imported as a variable by terraform - TF_VAR_repository: ${{ github.event.repository.name }} - AWS_REGION : "us-east-1" - ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }} - defaults: - run: - shell: bash - working-directory: .github/workflows/github_linux_IaC - # working-directory: .github/workflows + steps: - steps: + - name: Git clone the lockdown repository to test + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} - - name: Git clone the lockdown repository to test - uses: actions/checkout@v4 - with: - ref: ${{ github.event.pull_request.head.sha }} + - name: If a variable for IAC_BRANCH is set use that branch + working-directory: .github/workflows + run: | + if [ ${{ vars.IAC_BRANCH }} != '' ]; then + echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV + echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" + else + echo IAC_BRANCH=main >> $GITHUB_ENV + fi - - name: If a variable for IAC_BRANCH is set use that branch - working-directory: .github/workflows - run: | - if [ ${{ vars.IAC_BRANCH }} != '' ]; then - echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV - echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}" - else - echo IAC_BRANCH=main >> $GITHUB_ENV - fi + # Pull in terraform code for linux servers + - name: Clone GitHub IaC plan + uses: actions/checkout@v4 + with: + repository: ansible-lockdown/github_linux_IaC + path: .github/workflows/github_linux_IaC + ref: ${{ env.IAC_BRANCH }} - # Pull in terraform code for linux servers - - name: Clone GitHub IaC plan - uses: actions/checkout@v4 - with: - repository: ansible-lockdown/github_linux_IaC - path: .github/workflows/github_linux_IaC - ref: ${{ env.IAC_BRANCH }} + # Uses dedicated restricted role and policy to enable this only for this task + # No credentials are part of github for AWS auth + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@main + with: + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-session-name: ${{ secrets.AWS_ROLE_SESSION }} + aws-region: ${{ env.AWS_REGION }} - # Uses dedicated restricted role and policy to enable this only for this task - # No credentials are part of github for AWS auth - - name: configure aws credentials - uses: aws-actions/configure-aws-credentials@main - with: - role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} - role-session-name: ${{ secrets.AWS_ROLE_SESSION }} - aws-region: ${{ env.AWS_REGION }} + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd + ls + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - name: DEBUG - Show IaC files - if: env.ENABLE_DEBUG == 'true' - run: | - echo "OSVAR = $OSVAR" - echo "benchmark_type = $benchmark_type" - echo "PRIVSUBNET_ID = $AWS_PRIVSUBNET_ID" - echo "VPC_ID" = $AWS_VPC_SECGRP_ID" - pwd - ls - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - benchmark_type: ${{ vars.BENCHMARK_TYPE }} - PRIVSUBNET_ID: ${{ secrets.AWS_PRIVSUBNET_ID }} - VPC_ID: ${{ secrets.AWS_VPC_SECGRP_ID }} + - name: Tofu init + id: init + run: tofu init + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - name: Tofu init - id: init - run: tofu init - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + - name: Tofu validate + id: validate + run: tofu validate + env: + # Imported from GitHub variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - name: Tofu validate - id: validate - run: tofu validate - env: - # Imported from GitHub variables this is used to load the relevant OS.tfvars file - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - - - name: Tofu apply - id: apply - env: - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} - TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} - run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false + - name: Tofu apply + id: apply + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false ## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - run: cat hosts.yml + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml - # Aws deployments taking a while to come up insert sleep or playbook fails + # Aws deployments taking a while to come up insert sleep or playbook fails - - name: Sleep to allow system to come up - run: sleep ${{ vars.BUILD_SLEEPTIME }} + - name: Sleep to allow system to come up + run: sleep ${{ vars.BUILD_SLEEPTIME }} - # Run the Ansible playbook - - name: Run_Ansible_Playbook - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - run: | - /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml + # Run the Ansible playbook + - name: Run_Ansible_Playbook + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + run: | + /opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml --private-key ~/.ssh/le_runner ../../../site.yml - # Remove test system - User secrets to keep if necessary + # Remove test system - User secrets to keep if necessary - - name: Tofu Destroy - if: always() && env.ENABLE_DEBUG == 'false' - env: - OSVAR: ${{ vars.OSVAR }} - TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} - TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} - TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} - run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false + - name: Tofu Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + TF_VAR_privsubnet_id: ${{ secrets.AWS_PRIVSUBNET_ID }} + TF_VAR_vpc_secgrp_id: ${{ secrets.AWS_VPC_SECGRP_ID }} + run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve -input=false From 81eadd4a6f81d58d3f2c7e4434ece27c842516b9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Oct 2025 12:59:44 +0100 Subject: [PATCH 29/47] max-concurrent audit option added Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 ++ tasks/post_remediation_audit.yml | 2 +- tasks/pre_remediation_audit.yml | 3 ++- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d7719ba..ed14e51 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -88,6 +88,8 @@ setup_audit: false run_audit: false # Run heavy tests - some tests can have more impact on a system enabling these can have greater impact on a system audit_run_heavy_tests: true +# Ability to limit the number of concurrent processes used by goss (default 50) +audit_max_concurrent: 50 ## Only run Audit do not remediate audit_only: false diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml index 357a23f..5e9419c 100644 --- a/tasks/post_remediation_audit.yml +++ b/tasks/post_remediation_audit.yml @@ -1,7 +1,7 @@ --- - name: Post Audit | Run post_remediation {{ benchmark }} audit # noqa name[template] - ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length] + ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length] changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index cf8d8c7..dd9efb4 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -1,4 +1,5 @@ --- + - name: Pre Audit Setup | Setup the LE audit when: setup_audit tags: setup_audit @@ -71,7 +72,7 @@ mode: 'go-rwx' - name: Pre Audit | Run pre_remediation audit {{ benchmark }} # noqa name[template] - ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length] + ansible.builtin.shell: "umask 0022 && {{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -m {{ audit_max_concurrent }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\"" # noqa yaml[line-length] changed_when: true environment: AUDIT_BIN: "{{ audit_bin }}" From 6f167140d1a3b1c1c713793ec17850f83a0c7c68 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Wed, 1 Oct 2025 13:00:14 +0100 Subject: [PATCH 30/47] updated Signed-off-by: Mark Bolwell --- Changelog.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Changelog.md b/Changelog.md index ec3d9aa..85eab9c 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,15 @@ # Changes to rhel9CIS + +## 2.0.4 - Based on CIS v2.0.0 + +- addressed issue #393 thank you to @fragglexarmy +- addressed issue #394 thank you to @dbeuker +- addressed issues #390 and #391 thanks to @polski-g +- Added max-concurrent options for audit +- work flow updates +- audit logic improvements + ## 2.0.3 - Based on CIS v2.0.0 - addressed issue #387, thank you @fragglexarmy - addressed issue #382 to improve regex logic on 5.4.2.4 From 319c7a8fbbf3e159002c0fde14ca926ab5425e69 Mon Sep 17 00:00:00 2001 From: polski-g Date: Thu, 8 May 2025 10:59:55 -0400 Subject: [PATCH 31/47] ensure check mode runs all non-destructive tasks Signed-off-by: polski-g --- tasks/prelim.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 7321267..7c31c25 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -114,6 +114,7 @@ ansible.builtin.shell: rpm -qi redhat-release | grep Signature # noqa command-instead-of-module changed_when: false failed_when: false + check_mode: false register: prelim_os_gpg_package_valid - name: "PRELIM | PATCH | Force keys to be imported" # noqa command-instead-of-module @@ -207,6 +208,7 @@ ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless register: discover_wireless_adapters changed_when: false + check_mode: false failed_when: discover_wireless_adapters.rc not in [ 0, 1 ] - name: "PRELIM | PATCH | Install Network-Manager | if wireless adapter present" From 7aa911b3541617cd71677c1ebcdcf5a0eba1a8ce Mon Sep 17 00:00:00 2001 From: Thomas Rumbaut Date: Thu, 2 Oct 2025 10:06:44 +0200 Subject: [PATCH 32/47] Update cis_3.2.x.yml (add dccp to blacklist instead of cramfs Signed-off-by: Thomas Rumbaut --- tasks/section_3/cis_3.2.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index a49d907..415d966 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -25,8 +25,8 @@ - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available | blacklist" ansible.builtin.lineinfile: path: /etc/modprobe.d/blacklist.conf - regexp: "^(#)?blacklist cramfs(\\s|$)" - line: "blacklist cramfs" + regexp: "^(#)?blacklist dccp(\\s|$)" + line: "blacklist dccp" create: true mode: 'u-x,go-rwx' From eb2fc50dc7bb89d416deb81223bd06ac6cf8b5e3 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Oct 2025 13:47:01 +0100 Subject: [PATCH 33/47] updated to latest version Signed-off-by: Mark Bolwell --- README.md | 194 ++++++++++++++++++++++++++++++++---------------------- 1 file changed, 117 insertions(+), 77 deletions(-) diff --git a/README.md b/README.md index 098c50a..5c75173 100644 --- a/README.md +++ b/README.md @@ -6,59 +6,93 @@ --- +## Public Repository 📣 + ![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social) ![Stars](https://img.shields.io/github/stars/ansible-lockdown/RHEL9-CIS?label=Repo%20Stars&style=social) ![Forks](https://img.shields.io/github/forks/ansible-lockdown/RHEL9-CIS?style=social) -![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) +![Followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) - -![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61781?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) +![License](https://img.shields.io/github/license/ansible-lockdown/RHEL9-CIS?label=License) + +## Lint & Pre-Commit Tools 🔧 + +[![Pre-Commit.ci](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/RHEL9-CIS/pre-commit-ci.json)](https://results.pre-commit.ci/latest/github/ansible-lockdown/RHEL9-CIS/devel) +![YamlLint](https://img.shields.io/badge/yamllint-Present-brightgreen?style=flat&logo=yaml&logoColor=white) +![Ansible-Lint](https://img.shields.io/badge/ansible--lint-Present-brightgreen?style=flat&logo=ansible&logoColor=white) + +## Community Release Information 📂 + ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -![Release Tag](https://img.shields.io/github/v/release/ansible-lockdown/RHEL9-CIS) -![Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS) +![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/RHEL9-CIS?label=Release%20Tag&&color=success) +![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/RHEL9-CIS?label=Release%20Date) +![Benchmark Version Main](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/RHEL9-CIS/benchmark-version-main.json) +![Benchmark Version Devel](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/RHEL9-CIS/benchmark-version-devel.json) [![Main Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) [![Devel Pipeline Status](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/RHEL9-CIS/actions/workflows/devel_pipeline_validation.yml) + + ![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/RHEL9-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits) - -![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues) -![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success) +![Open Issues](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues) +![Closed Issues](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success) ![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/RHEL9-CIS?label=Pull%20Requests) -[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit) - -![License](https://img.shields.io/github/license/ansible-lockdown/RHEL9-CIS?label=License) --- -### Community +## Subscriber Release Information 🔐 -Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. +![Private Release Branch](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/release-branch.json) +![Private Benchmark Version](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/benchmark-version.json) + +[![Private Remediate Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/remediate.json)](https://github.com/ansible-lockdown/Private-RHEL9-CIS/actions/workflows/main_pipeline_validation.yml) +[![Private GPO Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/gpo.json)](https://github.com/ansible-lockdown/Private-RHEL9-CIS/actions/workflows/main_pipeline_validation_gpo.yml) + +![Private Pull Requests](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/prs.json) +![Private Closed Issues](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_linux_IaC/badges/Private-RHEL9-CIS/issues-closed.json) --- -## Caution(s) +## Looking for support? 🤝 + +[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_WINDOWS_2022_cis) + +[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_WINDOWS_2022_cis) + +### Community 💬 + +On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users + +--- + +## 🚨 Caution(s) 🚨 This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. - Testing is the most important thing you can do. -- Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL9-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode. +- Check Mode is not guaranteed! 🚫 The role will complete in check mode without errors, but it is not supported and should be used with caution. - This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. -- To use release version please point to main branch and relevant release/tag for the cis benchmark you wish to work with. - -- If moving across major releases e.g. v2.0.0 - v3.0.0 there are significant changes to the benchmarks and controls it is suggested to start as a new standard not to upgrade. - -- Containers references vars/is_container.yml this is an example and to be updated for your requirements +- To use release version please point to main branch and relevant release for the cis benchmark you wish to work with. - Did we mention testing?? --- +## Coming From A Previous Release ⏪ + +CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release. +This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. + +Further details can be seen in the [Changelog](./ChangeLog.md) + +--- + ## Matching a security Level for CIS It is possible to to only run level 1 or level 2 controls for CIS. @@ -71,14 +105,34 @@ This is managed using tags: The control found in defaults main also need to reflect this as this control the testing that takes place if you are using the audit component. -## Coming from a previous release +--- +## Requirements ✅ -CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release. -This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. +**General:** -Further details can be seen in the [Changelog](./Changelog.md) +- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible -## Auditing (new) + - [Main Ansible documentation page](https://docs.ansible.com) + - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) + - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) + - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) +- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. +- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file. + +**Technical Dependencies:** + +RHEL Family OS 9 + +- Access to download or add the goss binary and content to the system if using auditing +(other options are available on how to get the content to the system.) +- Python3.8 +- Ansible 2.12+ +- python-def +- libselinux-python + +--- + +## Auditing 🔍 This can be turned on or off within the defaults/main.yml file with the variable run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role. @@ -109,7 +163,7 @@ PLAY RECAP ********************************************************************* default : ok=270 changed=23 unreachable=0 failed=0 skipped=140 rescued=0 ignored=0 ``` -## Documentation +## Documentation 📖 - [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/) - [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_RH9_cis) @@ -117,38 +171,32 @@ default : ok=270 changed=23 unreachable=0 failed=0 s - [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_RH9_cis) - [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_RH9_cis) -## Requirements - -**General:** - -- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible - - - [Main Ansible documentation page](https://docs.ansible.com) - - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) - - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) -- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file. - -**Technical Dependencies:** - -RHEL/AlmaLinux/Rocky/Oracle 9 - Other versions are not supported. - -- Access to download or add the goss binary and content to the system if using auditing -(other options are available on how to get the content to the system.) -- Python3.8 -- Ansible 2.12+ -- python-def -- libselinux-python ## Role Variables This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. -## Tags +## Tags 🏷️ -There are many tags available for added control precision. Each control has it's own set of tags noting what level, if it's scored/notscored, what OS element it relates to, if it's a patch or audit, and the rule number. +There are many tags available for added control precision. Each control has its own set of tags noting what level, what OS element it relates to, whether it's a patch or audit, and the rule number. Additionally, NIST references follow a specific conversion format for consistency and clarity. +### Conversion Format for NIST References: + + 1. Standard Prefix: + + - All references are prefixed with "NIST". + + 2. Standard Types: + + - "800-53" references are formatted as NIST800-53. + - "800-53r5" references are formatted as NIST800-53R5 (with 'R' capitalized). + - "800-171" references are formatted as NIST800-171. + + 3. Details: + + - Section and subsection numbers use periods (.) for numeric separators. + - Parenthetical elements are separated by underscores (_), e.g., IA-5(1)(d) becomes IA-5_1_d. + - Subsection letters (e.g., "b") are appended with an underscore. Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag services, this task will be skipped. The opposite can also happen where you run only controls tagged with services. ```sh @@ -162,33 +210,34 @@ Below is an example of the tag section from a control within this role. Using th - rule_2.2.4 ``` -## Community Contribution + +## Community Contribution 🧑‍🤝‍🧑 We encourage you (the community) to contribute to this role. Please read the rules below. -- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge. +- Your work is done in your own individual branch. Make sure to Signed-off-by and GPG sign all commits you intend to merge. - All community Pull Requests are pulled into the devel branch -- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved +- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off-by, and a functional test before being approved - Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release +## Pipeline Testing 🔄 + +uses: + +- ansible-core 2.16 +- ansible collections - pulls in the latest version based on requirements file +- runs the audit using the devel branch +- This is an automated test that occurs on pull requests into devel +- self-hosted runners using OpenTofu + ## Known Issues Almalinux BaseOS, EPEL and many cloud providers repositories, do not allow gpgcheck(rule_1.2.1.2) or repo_gpgcheck (rule_1.2.1.3) this will cause issues during the playbook unless or a workaround is found. -## Pipeline Testing -uses: +## Local Testing 💻 -- ansible-core 2.12 -- ansible collections - pulls in the latest version based on requirements file -- runs the audit using the devel branch -- This is an automated test that occurs on pull requests into devel - -## Local Testing - -Molecule can be used to work on this role and test in distinct _scenarios_. - -### examples +### example ```bash molecule test -s default @@ -198,24 +247,15 @@ molecule verify -s localhost local testing uses: -- ansible 2.13.3 +- ansible-core - molecule 4.0.1 - molecule-docker 2.0.0 - molecule-podman 2.0.2 - molecule-vagrant 1.0.0 - molecule-azure 0.5.0 -## Added Extras -- [pre-commit](https://pre-commit.com) can be tested and can be run from within the directory - -```sh -pre-commit run -``` - -## Credits and Thanks - -Based on an original concept by Sam Doran +## Credits and Thanks 🙏 Massive thanks to the fantastic community and all its members. From 64e7aab306b81d5de857cb414ba040432bdabfde Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Oct 2025 13:48:29 +0100 Subject: [PATCH 34/47] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index 85eab9c..4d9dc7c 100644 --- a/Changelog.md +++ b/Changelog.md @@ -6,6 +6,7 @@ - addressed issue #393 thank you to @fragglexarmy - addressed issue #394 thank you to @dbeuker - addressed issues #390 and #391 thanks to @polski-g +- addressed issue #398 thanks to trumbaut - Added max-concurrent options for audit - work flow updates - audit logic improvements From 4c91e7477fa1f7194f80de9cd00ec765d4690a93 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 2 Oct 2025 13:59:03 +0100 Subject: [PATCH 35/47] fixed typos Signed-off-by: Mark Bolwell --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5c75173..65a8fca 100644 --- a/README.md +++ b/README.md @@ -58,9 +58,9 @@ ## Looking for support? 🤝 -[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_WINDOWS_2022_cis) +[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RHEL9-CIS) -[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_WINDOWS_2022_cis) +[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RHEL9-CIS) ### Community 💬 @@ -95,7 +95,7 @@ Further details can be seen in the [Changelog](./ChangeLog.md) ## Matching a security Level for CIS -It is possible to to only run level 1 or level 2 controls for CIS. +It is possible to only run level 1 or level 2 controls for CIS. This is managed using tags: - level1-server From 9df94973d72687e31855446045deee5417adbf48 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 3 Oct 2025 07:56:30 +0100 Subject: [PATCH 36/47] added badge workflows Signed-off-by: Mark Bolwell --- .../benchmark_tracking_controller.yml | 38 +++++++++++++++++++ .github/workflows/export_badges_private.yml | 27 +++++++++++++ .github/workflows/export_badges_public.yml | 19 ++++++++++ 3 files changed, 84 insertions(+) create mode 100644 .github/workflows/benchmark_tracking_controller.yml create mode 100644 .github/workflows/export_badges_private.yml create mode 100644 .github/workflows/export_badges_public.yml diff --git a/.github/workflows/benchmark_tracking_controller.yml b/.github/workflows/benchmark_tracking_controller.yml new file mode 100644 index 0000000..0d9f515 --- /dev/null +++ b/.github/workflows/benchmark_tracking_controller.yml @@ -0,0 +1,38 @@ +--- + +# GitHub schedules all cron jobs in UTC. +# This expression will run the job every day at 9 AM Eastern Time during Daylight Saving Time (mid-March to early November). +# This expression will run the job every day at 8 AM Eastern Time during Standard Time (early November to mid-March). + +name: Central Benchmark Orchestrator + +on: + push: + branches: + - latest + schedule: + - cron: '0 6 * * *' # Runs daily at 9 AM ET + workflow_dispatch: + +jobs: + call-benchmark-tracker: + if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == 'latest') + name: Start Benchmark Tracker + uses: ansible-lockdown/github_linux_IaC/.github/workflows/benchmark_track.yml@self_hosted + with: + repo_name: ${{ github.repository }} + secrets: + TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }} + BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }} + DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }} + + call-monitor-promotions: + if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + name: Monitor Promotions and Auto-Promote + uses: ansible-lockdown/github_linux_IaC/.github/workflows/benchmark_promote.yml@self_hosted + with: + repo_name: ${{ github.repository }} + secrets: + TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }} + BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }} + DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }} diff --git a/.github/workflows/export_badges_private.yml b/.github/workflows/export_badges_private.yml new file mode 100644 index 0000000..d316cbf --- /dev/null +++ b/.github/workflows/export_badges_private.yml @@ -0,0 +1,27 @@ +--- + +name: Export Private Repo Badges + +# Use different minute offsets with the same hourly pattern: +# Repo Group Suggested Cron Expression Explanation +# Group A 0 */6 * * * Starts at top of hour +# Group B 10 */6 * * * Starts at 10 after +# And So On + +on: + push: + branches: + - latest + schedule: + - cron: '0 */6 * * *' + workflow_dispatch: + +jobs: + export-badges: + if: github.event_name == 'workflow_dispatch' || (github.event_name == 'schedule' && startsWith(github.repository, 'ansible-lockdown/Private-')) || (github.event_name == 'push' && github.ref_name == 'latest') + uses: ansible-lockdown/github_linux_IaC/.github/workflows/export_badges_private.yml@self_hosted + with: + # Full org/repo path passed for GitHub API calls (e.g., ansible-lockdown/Private-Windows-2016-CIS) + repo_name: ${{ github.repository }} + secrets: + BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }} diff --git a/.github/workflows/export_badges_public.yml b/.github/workflows/export_badges_public.yml new file mode 100644 index 0000000..fa4b27f --- /dev/null +++ b/.github/workflows/export_badges_public.yml @@ -0,0 +1,19 @@ +--- + +name: Export Public Repo Badges + +on: + push: + branches: + - main + - devel + workflow_dispatch: + +jobs: + export-badges: + if: github.repository_visibility == 'public' && (github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && (github.ref_name == 'devel' || github.ref_name == 'main'))) + uses: ansible-lockdown/github_linux_IaC/.github/workflows/export_badges_public.yml@self_hosted + with: + repo_name: ${{ github.repository }} + secrets: + BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }} From 6500e39f4265eb7e7f2ebd414c0d4def366585d9 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 3 Oct 2025 08:19:07 +0100 Subject: [PATCH 37/47] Added fix for #399 thanks to @trumbaut Signed-off-by: Mark Bolwell --- Changelog.md | 2 +- tasks/section_5/cis_5.1.x.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Changelog.md b/Changelog.md index 4d9dc7c..d4b1b78 100644 --- a/Changelog.md +++ b/Changelog.md @@ -6,7 +6,7 @@ - addressed issue #393 thank you to @fragglexarmy - addressed issue #394 thank you to @dbeuker - addressed issues #390 and #391 thanks to @polski-g -- addressed issue #398 thanks to trumbaut +- addressed issue #398 & #399 thanks to trumbaut - Added max-concurrent options for audit - work flow updates - audit logic improvements diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 42ca036..dc450ea 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -41,8 +41,8 @@ ansible.builtin.file: path: "{{ item.path }}" owner: root - group: root - mode: 'u-x,go-rwx' + group: "{{ 'ssh_keys' if (item.gr_name == 'ssh_keys') else 'root' }}" + mode: "{{ 'u-x,g-wx,o-rwx' if (item.gr_name == 'ssh_keys') else 'u-x,go-rwx' }}" loop: "{{ discovered_ssh_private_host_key.files }}" loop_control: label: "{{ item.path }}" From de4b2cfa5cf80371436abb74f40bad59a68479c0 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 6 Oct 2025 17:51:08 +0000 Subject: [PATCH 38/47] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v25.9.0 → v25.9.1](https://github.com/ansible-community/ansible-lint/compare/v25.9.0...v25.9.1) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7fd561a..e633b2a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.9.0 + rev: v25.9.1 hooks: - id: ansible-lint name: Ansible-lint From 51668530a951cea132383eb884a2f4150e23425d Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 9 Oct 2025 14:10:29 -0400 Subject: [PATCH 39/47] update workflow benchmark_tracking_controller Signed-off-by: Frederick Witty --- .../benchmark_tracking_controller.yml | 24 +++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/.github/workflows/benchmark_tracking_controller.yml b/.github/workflows/benchmark_tracking_controller.yml index 0d9f515..039ec0d 100644 --- a/.github/workflows/benchmark_tracking_controller.yml +++ b/.github/workflows/benchmark_tracking_controller.yml @@ -1,8 +1,22 @@ --- # GitHub schedules all cron jobs in UTC. -# This expression will run the job every day at 9 AM Eastern Time during Daylight Saving Time (mid-March to early November). -# This expression will run the job every day at 8 AM Eastern Time during Standard Time (early November to mid-March). +# ────────────────────────────────────────────────────────────────────────────── +# Schedule: +# - '0 13 * * *' runs at 13:00 UTC every day. +# - This corresponds to: +# • 9:00 AM Eastern **during Daylight Saving Time** (mid-Mar → early-Nov) +# • 8:00 AM Eastern **during Standard Time** (early-Nov → mid-Mar) +# +# Job routing: +# - call-benchmark-tracker: +# • Runs on manual dispatch, and on pushes to the 'latest' branch. +# - call-monitor-promotions: +# • Runs on schedule or manual dispatch **only in repos named ansible-lockdown/Private-***. +# • Skips automatically in public repos (e.g., Windows-2022-CIS) to avoid false failures. +# +# Defense-in-depth: +# - The called promotion workflow may still keep its own guard to ensure only Private-* repos execute it. name: Central Benchmark Orchestrator @@ -11,11 +25,12 @@ on: branches: - latest schedule: - - cron: '0 6 * * *' # Runs daily at 9 AM ET + - cron: '0 13 * * *' # 13:00 UTC → 9 AM ET (DST) / 8 AM ET (Standard Time) workflow_dispatch: jobs: call-benchmark-tracker: + # Run on manual dispatch OR when 'latest' branch receives a push if: github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && github.ref_name == 'latest') name: Start Benchmark Tracker uses: ansible-lockdown/github_linux_IaC/.github/workflows/benchmark_track.yml@self_hosted @@ -27,7 +42,8 @@ jobs: DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }} call-monitor-promotions: - if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + # Run on schedule or manual dispatch, but only for Private-* repos + if: (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && startsWith(github.repository, 'ansible-lockdown/Private-') name: Monitor Promotions and Auto-Promote uses: ansible-lockdown/github_linux_IaC/.github/workflows/benchmark_promote.yml@self_hosted with: From 451dce8aa79ac8e9b89584e2390d18d6cddcbeb1 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 13 Oct 2025 17:38:43 +0000 Subject: [PATCH 40/47] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v25.9.1 → v25.9.2](https://github.com/ansible-community/ansible-lint/compare/v25.9.1...v25.9.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e633b2a..0091b2a 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -46,7 +46,7 @@ repos: - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint - rev: v25.9.1 + rev: v25.9.2 hooks: - id: ansible-lint name: Ansible-lint From 278813694bf95e426743dc728fcb6661fa91ac80 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 16 Oct 2025 15:23:56 +0100 Subject: [PATCH 41/47] Updated permissions Signed-off-by: Mark Bolwell --- .github/workflows/devel_pipeline_validation.yml | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml index deac4d7..8fd728a 100644 --- a/.github/workflows/devel_pipeline_validation.yml +++ b/.github/workflows/devel_pipeline_validation.yml @@ -17,12 +17,6 @@ # Allow manual running of workflow workflow_dispatch: - # Allow permissions for AWS auth - permissions: - id-token: write - contents: read - pull-requests: read - # A workflow run is made up of one or more jobs # that can run sequentially or in parallel jobs: @@ -30,6 +24,10 @@ welcome: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write + steps: - uses: actions/first-interaction@main with: @@ -45,6 +43,13 @@ playbook-test: # The type of runner that the job will run on runs-on: self-hosted + + # Allow permissions for AWS auth + permissions: + id-token: write + contents: read + pull-requests: read + env: ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }} # Imported as a variable by terraform From afcfda9ef06d8e40b0b6f3de8f02217e604f2d3c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 16 Oct 2025 15:24:49 +0100 Subject: [PATCH 42/47] compliant with 2.19 Signed-off-by: Mark Bolwell --- templates/audit/99_auditd.rules.j2 | 98 +++++------------------------- 1 file changed, 14 insertions(+), 84 deletions(-) diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2 index 4fa4516..c3c2b6c 100644 --- a/templates/audit/99_auditd.rules.j2 +++ b/templates/audit/99_auditd.rules.j2 @@ -10,12 +10,7 @@ {% endif %} {% if rhel9cis_rule_6_3_3_2 %} {% set syscalls = ["execve"] %} -{% set arch_syscalls = [] %} -{%- for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor -%} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation -a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S {{ arch_syscalls|join(',') }} -k user_emulation {% endif %} @@ -24,33 +19,18 @@ {% endif %} {% if rhel9cis_rule_6_3_3_4 %} {% set syscalls = ["adjtimex","settimeofday"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change {% set syscalls = ["clock_settime"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change -{% endif %} -{% endfor %} -w /etc/localtime -p wa -k time-change {% endif %} {% if rhel9cis_rule_6_3_3_5 %} {% set syscalls = ["sethostname","setdomainname"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale -w /etc/issue -p wa -k system-locale @@ -68,12 +48,7 @@ {% endif %} {% if rhel9cis_rule_6_3_3_7 %} {% set syscalls = ["creat","open","openat","truncate","ftruncate"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F exit=-EPERM -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F exit=-EACCES -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k access @@ -91,62 +66,27 @@ {% endif %} {% if rhel9cis_rule_6_3_3_9 %} {% set syscalls = ["chmod","fchmod","fchmodat"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% set syscalls = ["chown","fchown","lchown","fchownat"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% set syscalls = ["chmod","fchmod","fchmodat"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% set syscalls = ["chown","fchown","lchown","fchownat"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% set syscalls = ["setxattr","lsetxattr","fsetxattr","removexattr","lremovexattr","fremovexattr"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_mod {% endif %} {% if rhel9cis_rule_6_3_3_10 %} {% set syscalls = ["mount"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append(syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k mounts {% endif %} @@ -161,12 +101,7 @@ {% endif %} {% if rhel9cis_rule_6_3_3_13 %} {% set syscalls = ["unlink","unlinkat","rename","renameat"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append( syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete -a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k delete {% endif %} @@ -189,12 +124,7 @@ {% if rhel9cis_rule_6_3_3_19 %} -a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules {% set syscalls = ["init_module","finit_module","delete_module","create_module","query_module"] %} -{% set arch_syscalls = [] %} -{% for syscall in syscalls %} -{% if syscall in supported_syscalls %} -{{ arch_syscalls.append( syscall) }} -{% endif %} -{% endfor %} +{% set arch_syscalls = syscalls | select("in", supported_syscalls) | list %} -a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k kernel_modules {% endif %} {% if rhel9cis_rule_6_3_3_20 %} From f8cdf84e95a45525444100041fd00629960ab657 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 16 Oct 2025 15:26:07 +0100 Subject: [PATCH 43/47] Added benchmark_version variable Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index 7cb906b..cbaa125 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -37,7 +37,7 @@ rhel9cis_legacy_boot: {{ rhel9cis_legacy_boot }} ## Benchmark name used by auditing control role # The audit variable found at the base ## metadata for Audit benchmark -benchmark_version: 'v2.0.0' +benchmark_version: {{ benchmark_version }} benchmark: RHEL9-CIS From ea17b0adc23e272801ef31a67592bee5042b8899 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 16 Oct 2025 15:26:42 +0100 Subject: [PATCH 44/47] removed legacy option Signed-off-by: Mark Bolwell --- defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ed14e51..fbe81eb 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -94,8 +94,6 @@ audit_max_concurrent: 50 ## Only run Audit do not remediate audit_only: false ### As part of audit_only ### -# This will enable files to be copied back to control node in audit_only mode -fetch_audit_files: false # Path to copy the files to will create dir structure in audit_only mode audit_capture_files_dir: /some/location to copy to on control node ############################# From 5354111505c088b47fb53689363fbd4b8e451345 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 16 Oct 2025 15:27:27 +0100 Subject: [PATCH 45/47] improved audit logic Signed-off-by: Mark Bolwell --- tasks/pre_remediation_audit.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml index dd9efb4..410473e 100644 --- a/tasks/pre_remediation_audit.yml +++ b/tasks/pre_remediation_audit.yml @@ -85,6 +85,7 @@ - name: Pre Audit | Capture audit data if json format ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4 changed_when: false + failed_when: pre_audit_summary.stderr | length > 0 register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary @@ -97,6 +98,7 @@ - name: Pre Audit | Capture audit data if documentation format ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' ' changed_when: false + failed_when: pre_audit_summary.stderr | length > 0 register: pre_audit_summary - name: Pre Audit | Set Fact for audit summary From 8ec8ebc8167ef99946ab4d7a7950c8b0b82fca9c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Thu, 16 Oct 2025 15:29:26 +0100 Subject: [PATCH 46/47] updated Signed-off-by: Mark Bolwell --- Changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/Changelog.md b/Changelog.md index d4b1b78..737f860 100644 --- a/Changelog.md +++ b/Changelog.md @@ -10,6 +10,7 @@ - Added max-concurrent options for audit - work flow updates - audit logic improvements +- auditd template 2.19 compatible ## 2.0.3 - Based on CIS v2.0.0 - addressed issue #387, thank you @fragglexarmy From e1dd9fd283b7b92cc74846a0feb6dbbb01ef5fbc Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 16 Oct 2025 15:12:19 -0400 Subject: [PATCH 47/47] Add workflow to auto add new issues to project Signed-off-by: Frederick Witty --- .../workflows/add_repo_issue_to_gh_project.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 .github/workflows/add_repo_issue_to_gh_project.yml diff --git a/.github/workflows/add_repo_issue_to_gh_project.yml b/.github/workflows/add_repo_issue_to_gh_project.yml new file mode 100644 index 0000000..4a056eb --- /dev/null +++ b/.github/workflows/add_repo_issue_to_gh_project.yml @@ -0,0 +1,17 @@ +--- + +name: Add Repo Issue to ALD GH project +on: + issues: + types: + - opened + - reopened + - transferred +jobs: + add-to-project: + runs-on: ubuntu-latest + steps: + - uses: actions/add-to-project@main + with: + project-url: https://github.com/orgs/ansible-lockdown/projects/1 + github-token: ${{ secrets.GITHUB_TOKEN }}