sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Merge pull request #35 from ansible-lockdown/issues_30_and_34

Browse source 
Issues 30 and 34
This commit is contained in:
uk-bolly 2023-02-22 11:46:12 +00:00 committed by GitHub
commit a58e3ff0d6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 61 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.github/workflows/linux_benchmark_testing.yml vendored
View file

@ -90,8 +90,9 @@ jobs:
# Set up requirements for random root password CIS 5.6.6
- name: add urandom passwd to root account
shell: bash
working-directory: .github/workflows
run: |
ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i .github/workflows/hosts.yml -m shell -a "cat /dev/urandom | tr -dc [:print:] | head -c50 | passwd --stdin root" -b
ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i hosts.yml -m shell -a "cat /dev/urandom | tr -dc [:print:] | head -c50 | passwd --stdin root" -b --private-key .ssh/github_actions.pem
# Run the ansible playbook
- name: Run_Ansible_Playbook

9
Changelog.md
View file

@ -1,5 +1,14 @@
# Changes to rhel9CIS
## 1.0.2
thanks to @smatterchew
#30 ability to change sshd config file to use dropin file instead.
thanks to @I-am-MoS
#34 create user.cfg if not present
Aligned benchmark audit version with remediate release
## 1.0.1
Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8

8
defaults/main.yml
View file

@ -33,6 +33,9 @@ python2_bin: /bin/python2.7
## Benchmark name used by audting control role
# The audit variable found at the base
## metadata for Audit benchmark
benchmark_version: 'v1.0.0'
benchmark: RHEL9-CIS
# Whether to skip the reboot
@ -560,6 +563,9 @@ rhel9cis_logrotate: "daily"
## Section5 vars
# This will allow use of drop in files when CIS adopts them.
rhel9_cis_sshd_config_file: /etc/ssh/sshd_config
rhel9cis_sshd:
clientalivecountmax: 0
clientaliveinterval: 900
@ -689,7 +695,7 @@ copy_goss_from_path: /some/accessible/path
## managed by the control audit_content
# git
audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
audit_git_version: devel
audit_git_version: "benchmark_{{ benchmark_version }}"
# copy:
audit_local_copy: "some path to copy from"

16
tasks/prelim.yml
View file

@ -175,6 +175,22 @@
- rule_5.1.1
- cron
# Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config
- name: "PRELIM | Section 5.2 | SSH"
ansible.builtin.file:
path: "{{ rhel9_cis_sshd_config_file }}"
owner: root
group: root
mode: 0600
state: touch
when:
- rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config'
- "'openssh-server' in ansible_facts.packages"
tags:
- ssh
- level1_server
- level1_workstation
- name: "PRELIM | Install authconfig"
ansible.builtin.package:
name: authconfig

3
tasks/section_1/cis_1.4.x.yml
View file

@ -26,6 +26,9 @@
owner: root
group: root
mode: "{{ item.mode }}"
state: touch
modification_time: preserve
acess_time: preserve
loop:
- { path: 'grub.cfg', mode: '0700' }
- { path: 'grubenv', mode: '0600' }

42
tasks/section_5/cis_5.2.x.yml
View file

@ -2,7 +2,7 @@
- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured"
ansible.builtin.file:
path: /etc/ssh/sshd_config
path: "/etc/ssh/sshd_config"
owner: root
group: root
mode: 0600
@ -77,7 +77,7 @@
block:
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^AllowUsers"
line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}"
validate: sshd -t -f %s
@ -86,7 +86,7 @@
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^AllowGroups"
line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}"
validate: sshd -t -f %s
@ -95,7 +95,7 @@
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^DenyUsers"
line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}"
validate: sshd -t -f %s
@ -104,7 +104,7 @@
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^DenyGroups"
line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}"
validate: sshd -t -f %s
@ -121,7 +121,7 @@
- name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^#LogLevel|^LogLevel"
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
validate: sshd -t -f %s
@ -136,7 +136,7 @@
- name: "5.2.6 | PATCH | Ensure SSH PAM is enabled"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^#UsePAM|^UsePAM"
line: 'UsePAM yes'
validate: sshd -t -f %s
@ -151,7 +151,7 @@
- name: "5.2.7 | PATCH | Ensure SSH root login is disabled"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^#PermitRootLogin|^PermitRootLogin"
line: 'PermitRootLogin no'
validate: sshd -t -f %s
@ -166,7 +166,7 @@
- name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^#HostbasedAuthentication|^HostbasedAuthentication"
line: 'HostbasedAuthentication no'
validate: sshd -t -f %s
@ -181,7 +181,7 @@
- name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
line: 'PermitEmptyPasswords no'
validate: sshd -t -f %s
@ -196,7 +196,7 @@
- name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
line: 'PermitUserEnvironment no'
validate: sshd -t -f %s
@ -211,7 +211,7 @@
- name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^#IgnoreRhosts|^IgnoreRhosts"
line: 'IgnoreRhosts yes'
validate: sshd -t -f %s
@ -226,7 +226,7 @@
- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^#X11Forwarding|^X11Forwarding"
line: 'X11Forwarding no'
validate: sshd -t -f %s
@ -241,7 +241,7 @@
- name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
line: 'AllowTcpForwarding no'
validate: sshd -t -f %s
@ -277,7 +277,7 @@
- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: '^Banner'
line: 'Banner /etc/issue.net'
when:
@ -291,7 +291,7 @@
- name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: '^(#)?MaxAuthTries \d'
line: 'MaxAuthTries 4'
validate: sshd -t -f %s
@ -306,7 +306,7 @@
- name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^#MaxStartups|^MaxStartups"
line: 'MaxStartups 10:30:60'
validate: sshd -t -f %s
@ -321,7 +321,7 @@
- name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^#MaxSessions|^MaxSessions"
line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
validate: sshd -t -f %s
@ -336,7 +336,7 @@
- name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: "^#LoginGraceTime|^LoginGraceTime"
line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
validate: sshd -t -f %s
@ -353,14 +353,14 @@
block:
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: '^ClientAliveInterval'
line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
validate: sshd -t -f %s
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config
path: "{{ rhel9_cis_sshd_config_file }}"
regexp: '^ClientAliveCountMax'
line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"
validate: sshd -t -f %s

3
templates/ansible_vars_goss.yml.j2
View file

@ -467,6 +467,9 @@ rhel9cis_remote_log_queuesize: {{ rhel9cis_remote_log_queuesize }}
rhel9cis_syslog: {{ rhel9cis_syslog }}
# Section 5
# This will allow use of drop in files when CIS adopts them.
rhel9_cis_sshd_config_file: {{ rhel9_cis_sshd_config_file }}
## 5.2.4 Note the following to understand precedence and layout
rhel9cis_sshd_limited: false
rhel9cis_sshd_access: