section 2 v2.0.0 update

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-07-22 12:43:35 +01:00 · 2024-07-22 12:43:35 +01:00 · a53569a474
commit a53569a474
parent bad08c0228
3 changed files with 207 additions and 78 deletions
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -117,6 +117,8 @@
    - rhel9cis_crypto_policy_module | length > 0
  tags:
    - rule_1.6.1
+    - crypto
+    - NIST800-53R5_SC-6
  ansible.builtin.assert:
    that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
    fail_msg: "Crypto policy module is not a permitted version"
--- a/tasks/section_2/cis_2.4.x.yml
+++ b/tasks/section_2/cis_2.4.x.yml
@ -0,0 +1,182 @@
+---
+
+- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled"
+  when:
+    - rhel9cis_rule_2_4_1_1
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - cron
+    - rule_2.4.1.1
+    - NIST800-53R5_CM-1
+    - NIST800-53R5_CM-2
+    - NIST800-53R5_CM-6
+    - NIST800-53R5_CM-7
+    - NIST800-53R5_IA-5
+  ansible.builtin.service:
+    name: crond
+    enabled: true
+
+- name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
+  when:
+    - rhel9cis_rule_2_4_1_2
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - cron
+    - rule_2.4.1.2
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
+  ansible.builtin.file:
+    path: /etc/crontab
+    owner: root
+    group: root
+    mode: og-rwx
+
+- name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
+  when:
+    - rhel9cis_rule_2_4_1_3
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - cron
+    - rule_2.4.1.3
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
+  ansible.builtin.file:
+    path: /etc/cron.hourly
+    state: directory
+    owner: root
+    group: root
+    mode: og-rwx
+
+- name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
+  when:
+    - rhel9cis_rule_2_4_1_4
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - cron
+    - rule_2.4.1.4
+  ansible.builtin.file:
+    path: /etc/cron.daily
+    state: directory
+    owner: root
+    group: root
+    mode: og-rwx
+
+- name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
+  when:
+    - rhel9cis_rule_2_4_1_5
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_2.4.1.5
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
+  ansible.builtin.file:
+    path: /etc/cron.weekly
+    state: directory
+    owner: root
+    group: root
+    mode: og-rwx
+
+- name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
+  when:
+    - rhel9cis_rule_2_4_1_6
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_2.4.1.6
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
+  ansible.builtin.file:
+    path: /etc/cron.monthly
+    state: directory
+    owner: root
+    group: root
+    mode: og-rwx
+
+- name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
+  when:
+    - rhel9cis_rule_2_4_1_7
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - cron
+    - rule_2.4.1.7
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
+  ansible.builtin.file:
+    path: /etc/cron.d
+    state: directory
+    owner: root
+    group: root
+    mode: '0700'
+
+- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users"
+  when:
+    - rhel9cis_rule_2_4_1_8
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - cron
+    - rule_2.4.1.8
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
+  block:
+    - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Remove cron.deny"
+      ansible.builtin.file:
+        path: /etc/cron.deny
+        state: absent
+
+    - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Check if cron.allow exists"
+      ansible.builtin.stat:
+        path: "/etc/cron.allow"
+      register: rhel9cis_2_4_1_8_cron_allow_state
+
+    - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
+      ansible.builtin.file:
+        path: /etc/cron.allow
+        state: '{{ "file" if  rhel9cis_2_4_1_8_cron_allow_state.stat.exists else "touch" }}'
+        owner: root
+        group: root
+        mode: u-x,g-wx,o-rwx
+
+- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users"
+  when:
+    - rhel9cis_rule_2_4_2_1
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - cron
+    - rule_2.4.2.1
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
+  block:
+    - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Remove at.deny"
+      ansible.builtin.file:
+        path: /etc/at.deny
+        state: absent
+
+    - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists"
+      ansible.builtin.stat:
+        path: "/etc/at.allow"
+      register: rhel9cis_rule_2_4_2_1_at_allow_state
+
+    - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users"
+      ansible.builtin.file:
+        path: /etc/at.allow
+        state: '{{ "file" if rhel9cis_rule_2_4_2_1_at_allow_state.stat.exists else "touch" }}'
+        owner: root
+        group: root
+        mode: u-x,g-wx,o-rwx