diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 978792e..991470e 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -90,8 +90,9 @@ jobs: # Set up requirements for random root password CIS 5.6.6 - name: add urandom passwd to root account shell: bash + working-directory: .github/workflows run: | - ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i .github/workflows/hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" -b + ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" -b --private-key .ssh/github_actions.pem # Run the ansible playbook - name: Run_Ansible_Playbook diff --git a/Changelog.md b/Changelog.md index f77e295..ba1933c 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,14 @@ # Changes to rhel9CIS +## 1.0.2 + +thanks to @smatterchew +#30 ability to change sshd config file to use dropin file instead. + +thanks to @I-am-MoS +#34 create user.cfg if not present +Aligned benchmark audit version with remediate release + ## 1.0.1 Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 diff --git a/defaults/main.yml b/defaults/main.yml index b7a3e4f..4a95eaf 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -33,6 +33,9 @@ python2_bin: /bin/python2.7 ## Benchmark name used by audting control role # The audit variable found at the base +## metadata for Audit benchmark +benchmark_version: 'v1.0.0' + benchmark: RHEL9-CIS # Whether to skip the reboot @@ -560,6 +563,9 @@ rhel9cis_logrotate: "daily" ## Section5 vars +# This will allow use of drop in files when CIS adopts them. +rhel9_cis_sshd_config_file: /etc/ssh/sshd_config + rhel9cis_sshd: clientalivecountmax: 0 clientaliveinterval: 900 @@ -689,7 +695,7 @@ copy_goss_from_path: /some/accessible/path ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: devel +audit_git_version: "benchmark_{{ benchmark_version }}" # copy: audit_local_copy: "some path to copy from" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 18e0c17..97e9e99 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -175,6 +175,22 @@ - rule_5.1.1 - cron +# Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config +- name: "PRELIM | Section 5.2 | SSH" + ansible.builtin.file: + path: "{{ rhel9_cis_sshd_config_file }}" + owner: root + group: root + mode: 0600 + state: touch + when: + - rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config' + - "'openssh-server' in ansible_facts.packages" + tags: + - ssh + - level1_server + - level1_workstation + - name: "PRELIM | Install authconfig" ansible.builtin.package: name: authconfig diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index f2dcaee..7f0e71a 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -26,6 +26,9 @@ owner: root group: root mode: "{{ item.mode }}" + state: touch + modification_time: preserve + acess_time: preserve loop: - { path: 'grub.cfg', mode: '0700' } - { path: 'grubenv', mode: '0600' } diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 8d0c050..9054afd 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -2,7 +2,7 @@ - name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" ansible.builtin.file: - path: /etc/ssh/sshd_config + path: "/etc/ssh/sshd_config" owner: root group: root mode: 0600 @@ -77,7 +77,7 @@ block: - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^AllowUsers" line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}" validate: sshd -t -f %s @@ -86,7 +86,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^AllowGroups" line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}" validate: sshd -t -f %s @@ -95,7 +95,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^DenyUsers" line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}" validate: sshd -t -f %s @@ -104,7 +104,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^DenyGroups" line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}" validate: sshd -t -f %s @@ -121,7 +121,7 @@ - name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#LogLevel|^LogLevel" line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' validate: sshd -t -f %s @@ -136,7 +136,7 @@ - name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#UsePAM|^UsePAM" line: 'UsePAM yes' validate: sshd -t -f %s @@ -151,7 +151,7 @@ - name: "5.2.7 | PATCH | Ensure SSH root login is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#PermitRootLogin|^PermitRootLogin" line: 'PermitRootLogin no' validate: sshd -t -f %s @@ -166,7 +166,7 @@ - name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" line: 'HostbasedAuthentication no' validate: sshd -t -f %s @@ -181,7 +181,7 @@ - name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" line: 'PermitEmptyPasswords no' validate: sshd -t -f %s @@ -196,7 +196,7 @@ - name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" line: 'PermitUserEnvironment no' validate: sshd -t -f %s @@ -211,7 +211,7 @@ - name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#IgnoreRhosts|^IgnoreRhosts" line: 'IgnoreRhosts yes' validate: sshd -t -f %s @@ -226,7 +226,7 @@ - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#X11Forwarding|^X11Forwarding" line: 'X11Forwarding no' validate: sshd -t -f %s @@ -241,7 +241,7 @@ - name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" line: 'AllowTcpForwarding no' validate: sshd -t -f %s @@ -277,7 +277,7 @@ - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: '^Banner' line: 'Banner /etc/issue.net' when: @@ -291,7 +291,7 @@ - name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries 4' validate: sshd -t -f %s @@ -306,7 +306,7 @@ - name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#MaxStartups|^MaxStartups" line: 'MaxStartups 10:30:60' validate: sshd -t -f %s @@ -321,7 +321,7 @@ - name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#MaxSessions|^MaxSessions" line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' validate: sshd -t -f %s @@ -336,7 +336,7 @@ - name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#LoginGraceTime|^LoginGraceTime" line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" validate: sshd -t -f %s @@ -353,14 +353,14 @@ block: - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" validate: sshd -t -f %s - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: '^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" validate: sshd -t -f %s diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index fde2a67..caa87ce 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -467,6 +467,9 @@ rhel9cis_remote_log_queuesize: {{ rhel9cis_remote_log_queuesize }} rhel9cis_syslog: {{ rhel9cis_syslog }} # Section 5 +# This will allow use of drop in files when CIS adopts them. +rhel9_cis_sshd_config_file: {{ rhel9_cis_sshd_config_file }} + ## 5.2.4 Note the following to understand precedence and layout rhel9cis_sshd_limited: false rhel9cis_sshd_access: