section 2 v2.0.0 update

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

tasks/main.yml

@@ -117,6 +117,8 @@
     - rhel9cis_crypto_policy_module | length > 0
   tags:
     - rule_1.6.1
+    - crypto
+    - NIST800-53R5_SC-6
   ansible.builtin.assert:
     that: rhel9cis_crypto_policy_module in rhel9cis_allowed_crypto_policies_modules
     fail_msg: "Crypto policy module is not a permitted version"

tasks/section_2/cis_2.4.x.yml

@@ -0,0 +1,182 @@
+---
+
+- name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled"
+  when:
+    - rhel9cis_rule_2_4_1_1
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - cron
+    - rule_2.4.1.1
+    - NIST800-53R5_CM-1
+    - NIST800-53R5_CM-2
+    - NIST800-53R5_CM-6
+    - NIST800-53R5_CM-7
+    - NIST800-53R5_IA-5
+  ansible.builtin.service:
+    name: crond
+    enabled: true
+
+- name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
+  when:
+    - rhel9cis_rule_2_4_1_2
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - cron
+    - rule_2.4.1.2
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
+  ansible.builtin.file:
+    path: /etc/crontab
+    owner: root
+    group: root
+    mode: og-rwx
+
+- name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
+  when:
+    - rhel9cis_rule_2_4_1_3
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - cron
+    - rule_2.4.1.3
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
+  ansible.builtin.file:
+    path: /etc/cron.hourly
+    state: directory
+    owner: root
+    group: root
+    mode: og-rwx
+
+- name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
+  when:
+    - rhel9cis_rule_2_4_1_4
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - cron
+    - rule_2.4.1.4
+  ansible.builtin.file:
+    path: /etc/cron.daily
+    state: directory
+    owner: root
+    group: root
+    mode: og-rwx
+
+- name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
+  when:
+    - rhel9cis_rule_2_4_1_5
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_2.4.1.5
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
+  ansible.builtin.file:
+    path: /etc/cron.weekly
+    state: directory
+    owner: root
+    group: root
+    mode: og-rwx
+
+- name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
+  when:
+    - rhel9cis_rule_2_4_1_6
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - rule_2.4.1.6
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
+  ansible.builtin.file:
+    path: /etc/cron.monthly
+    state: directory
+    owner: root
+    group: root
+    mode: og-rwx
+
+- name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
+  when:
+    - rhel9cis_rule_2_4_1_7
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - cron
+    - rule_2.4.1.7
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
+  ansible.builtin.file:
+    path: /etc/cron.d
+    state: directory
+    owner: root
+    group: root
+    mode: '0700'
+
+- name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users"
+  when:
+    - rhel9cis_rule_2_4_1_8
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - cron
+    - rule_2.4.1.8
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
+  block:
+    - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Remove cron.deny"
+      ansible.builtin.file:
+        path: /etc/cron.deny
+        state: absent
+
+    - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Check if cron.allow exists"
+      ansible.builtin.stat:
+        path: "/etc/cron.allow"
+      register: rhel9cis_2_4_1_8_cron_allow_state
+
+    - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
+      ansible.builtin.file:
+        path: /etc/cron.allow
+        state: '{{ "file" if  rhel9cis_2_4_1_8_cron_allow_state.stat.exists else "touch" }}'
+        owner: root
+        group: root
+        mode: u-x,g-wx,o-rwx
+
+- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users"
+  when:
+    - rhel9cis_rule_2_4_2_1
+  tags:
+    - level1-server
+    - level1-workstation
+    - patch
+    - cron
+    - rule_2.4.2.1
+    - NIST800-53R5_AC-3
+    - NIST800-53R5_MP-2
+  block:
+    - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Remove at.deny"
+      ansible.builtin.file:
+        path: /etc/at.deny
+        state: absent
+
+    - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists"
+      ansible.builtin.stat:
+        path: "/etc/at.allow"
+      register: rhel9cis_rule_2_4_2_1_at_allow_state
+
+    - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users"
+      ansible.builtin.file:
+        path: /etc/at.allow
+        state: '{{ "file" if rhel9cis_rule_2_4_2_1_at_allow_state.stat.exists else "touch" }}'
+        owner: root
+        group: root
+        mode: u-x,g-wx,o-rwx

templates/etc/chrony.conf.j2

@@ -1,97 +1,42 @@
-## {{ ansible_managed }}
-
-# This the default chrony.conf file for the Debian chrony package.  After
-# editing this file use the command 'invoke-rc.d chrony restart' to make
-# your changes take effect.  John Hasler <jhasler@debian.org> 1998-2008
-
-# See www.pool.ntp.org for an explanation of these servers.  Please
-# consider joining the project if possible.  If you can't or don't want to
-# use these servers I suggest that you try your ISP's nameservers.  We mark
-# the servers 'offline' so that chronyd won't try to connect when the link
-# is down.  Scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d use chronyc
-# commands to switch it on when a dialup link comes up and off when it goes
-# down.  Code in /etc/init.d/chrony attempts to determine whether or not
-# the link is up at boot time and set the online status accordingly.  If
-# you have an always-on connection such as cable omit the 'offline'
-# directive and chronyd will default to online.
-#
-# Note that if Chrony tries to go "online" and dns lookup of the servers
-# fails they will be discarded.  Thus under some circumstances it is
-# better to use IP numbers than host names.
+{{ ansible_managed | comment }}
 
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
 {% for server in rhel9cis_time_synchronization_servers -%}
 server {{ server }} {{ rhel9cis_chrony_server_options }}
 {% endfor %}
 
-# Look here for the admin password needed for chronyc.  The initial
-# password is generated by a random process at install time.  You may
-# change it if you wish.
-
-keyfile /etc/chrony.keys
-
 # Record the rate at which the system clock gains/losses time.
 driftfile /var/lib/chrony/drift
 
 # Allow the system clock to be stepped in the first three updates
 # if its offset is larger than 1 second.
-makestep {{ rhel9cis_chrony_server_makestep }}
+makestep 1.0 3
 
 # Enable kernel synchronization of the real-time clock (RTC).
-{% if not rhel9cis_chrony_server_rtcsync %}#{% endif %}rtcsync
+rtcsync
+
+# Enable hardware timestamping on all interfaces that support it.
+#hwtimestamp *
 
 # Increase the minimum number of selectable sources required to adjust
 # the system clock.
-minsources {{ rhel9cis_chrony_server_minsources }}
+#minsources 2
 
-# Comment this line out to turn off logging.
+# Allow NTP client access from local network.
+#allow 192.168.0.0/16
 
-log tracking measurements statistics
+# Serve time even if not synchronized to a time source.
+#local stratum 10
+
+# Specify file containing keys for NTP authentication.
+keyfile /etc/chrony.keys
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+leapsectz right/UTC
+
+# Specify directory for log files.
 logdir /var/log/chrony
 
-# Stop bad estimates upsetting machine clock.
-
-maxupdateskew 100.0
-
-# Dump measurements when daemon exits.
-
-dumponexit
-
-# Specify directory for dumping measurements.
-
-dumpdir /var/lib/chrony
-
-# Let computer be a server when it is unsynchronised.
-
-local stratum 10
-
-# Allow computers on the unrouted nets to use the server.
-
-#allow 10/8
-#allow 192.168/16
-#allow 172.16/12
-
-# This directive forces `chronyd' to send a message to syslog if it
-# makes a system clock adjustment larger than a threshold value in seconds.
-
-logchange 0.5
-
-# This directive defines an email address to which mail should be sent
-# if chronyd applies a correction exceeding a particular threshold to the
-# system clock.
-
-# mailonchange root@localhost 0.5
-
-# This directive tells chrony to regulate the real-time clock and tells it
-# Where to store related data.  It may not work on some newer motherboards
-# that use the HPET real-time clock.  It requires enhanced real-time
-# support in the kernel.  I've commented it out because with certain
-# combinations of motherboard and kernel it is reported to cause lockups.
-
-# rtcfile /var/lib/chrony/chrony.rtc
-
-# If the last line of this file reads 'rtconutc' chrony will assume that
-# the CMOS clock is on UTC (GMT).  If it reads '# rtconutc' or is absent
-# chrony will assume local time.  The line (if any) was written by the
-# chrony postinst based on what it found in /etc/default/rcS.  You may
-# change it if necessary.
-rtconutc
+# Select which information is logged.
+#log measurements statistics tracking