From a14e9c5dbe035fa3bf3f2777b45f1045e6e49a84 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Feb 2023 11:31:46 +0000 Subject: [PATCH 1/6] #30 thanks to @smatterchew sshd config file dropin ability Signed-off-by: Mark Bolwell --- defaults/main.yml | 3 +++ tasks/prelim.yml | 16 +++++++++++++ tasks/section_5/cis_5.2.x.yml | 42 +++++++++++++++++------------------ 3 files changed, 40 insertions(+), 21 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index b7a3e4f..42f26cc 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -560,6 +560,9 @@ rhel9cis_logrotate: "daily" ## Section5 vars +# This will allow use of drop in files when CIS adopts them. +rhel9_cis_sshd_config_file: /etc/ssh/sshd_config + rhel9cis_sshd: clientalivecountmax: 0 clientaliveinterval: 900 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 18e0c17..97e9e99 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -175,6 +175,22 @@ - rule_5.1.1 - cron +# Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config +- name: "PRELIM | Section 5.2 | SSH" + ansible.builtin.file: + path: "{{ rhel9_cis_sshd_config_file }}" + owner: root + group: root + mode: 0600 + state: touch + when: + - rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config' + - "'openssh-server' in ansible_facts.packages" + tags: + - ssh + - level1_server + - level1_workstation + - name: "PRELIM | Install authconfig" ansible.builtin.package: name: authconfig diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml index 8d0c050..9054afd 100644 --- a/tasks/section_5/cis_5.2.x.yml +++ b/tasks/section_5/cis_5.2.x.yml @@ -2,7 +2,7 @@ - name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured" ansible.builtin.file: - path: /etc/ssh/sshd_config + path: "/etc/ssh/sshd_config" owner: root group: root mode: 0600 @@ -77,7 +77,7 @@ block: - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^AllowUsers" line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}" validate: sshd -t -f %s @@ -86,7 +86,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^AllowGroups" line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}" validate: sshd -t -f %s @@ -95,7 +95,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^DenyUsers" line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}" validate: sshd -t -f %s @@ -104,7 +104,7 @@ - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^DenyGroups" line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}" validate: sshd -t -f %s @@ -121,7 +121,7 @@ - name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#LogLevel|^LogLevel" line: 'LogLevel {{ rhel9cis_ssh_loglevel }}' validate: sshd -t -f %s @@ -136,7 +136,7 @@ - name: "5.2.6 | PATCH | Ensure SSH PAM is enabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#UsePAM|^UsePAM" line: 'UsePAM yes' validate: sshd -t -f %s @@ -151,7 +151,7 @@ - name: "5.2.7 | PATCH | Ensure SSH root login is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#PermitRootLogin|^PermitRootLogin" line: 'PermitRootLogin no' validate: sshd -t -f %s @@ -166,7 +166,7 @@ - name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#HostbasedAuthentication|^HostbasedAuthentication" line: 'HostbasedAuthentication no' validate: sshd -t -f %s @@ -181,7 +181,7 @@ - name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords" line: 'PermitEmptyPasswords no' validate: sshd -t -f %s @@ -196,7 +196,7 @@ - name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#PermitUserEnvironment|^PermitUserEnvironment" line: 'PermitUserEnvironment no' validate: sshd -t -f %s @@ -211,7 +211,7 @@ - name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#IgnoreRhosts|^IgnoreRhosts" line: 'IgnoreRhosts yes' validate: sshd -t -f %s @@ -226,7 +226,7 @@ - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#X11Forwarding|^X11Forwarding" line: 'X11Forwarding no' validate: sshd -t -f %s @@ -241,7 +241,7 @@ - name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#AllowTcpForwarding|^AllowTcpForwarding" line: 'AllowTcpForwarding no' validate: sshd -t -f %s @@ -277,7 +277,7 @@ - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: '^Banner' line: 'Banner /etc/issue.net' when: @@ -291,7 +291,7 @@ - name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: '^(#)?MaxAuthTries \d' line: 'MaxAuthTries 4' validate: sshd -t -f %s @@ -306,7 +306,7 @@ - name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#MaxStartups|^MaxStartups" line: 'MaxStartups 10:30:60' validate: sshd -t -f %s @@ -321,7 +321,7 @@ - name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#MaxSessions|^MaxSessions" line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}' validate: sshd -t -f %s @@ -336,7 +336,7 @@ - name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: "^#LoginGraceTime|^LoginGraceTime" line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}" validate: sshd -t -f %s @@ -353,14 +353,14 @@ block: - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: '^ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" validate: sshd -t -f %s - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" ansible.builtin.lineinfile: - path: /etc/ssh/sshd_config + path: "{{ rhel9_cis_sshd_config_file }}" regexp: '^ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" validate: sshd -t -f %s From 642e89b20da4ac00885b135d8f86b7a2a7bfd01b Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Feb 2023 11:32:03 +0000 Subject: [PATCH 2/6] added issue 30 fix Signed-off-by: Mark Bolwell --- Changelog.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Changelog.md b/Changelog.md index f77e295..7fefc65 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,9 @@ # Changes to rhel9CIS +## 1.0.2 + +#30 - thanks to smattterchew ability to change sshd config file to use dropin file instead. + ## 1.0.1 Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8 From f9239d7a8ad91ade3a175c06c258b55c507de45c Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Feb 2023 11:32:26 +0000 Subject: [PATCH 3/6] updated for issue #30 Signed-off-by: Mark Bolwell --- templates/ansible_vars_goss.yml.j2 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2 index fde2a67..caa87ce 100644 --- a/templates/ansible_vars_goss.yml.j2 +++ b/templates/ansible_vars_goss.yml.j2 @@ -467,6 +467,9 @@ rhel9cis_remote_log_queuesize: {{ rhel9cis_remote_log_queuesize }} rhel9cis_syslog: {{ rhel9cis_syslog }} # Section 5 +# This will allow use of drop in files when CIS adopts them. +rhel9_cis_sshd_config_file: {{ rhel9_cis_sshd_config_file }} + ## 5.2.4 Note the following to understand precedence and layout rhel9cis_sshd_limited: false rhel9cis_sshd_access: From a28c0531eebc6819e46614d794019ad570e5d177 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Feb 2023 14:02:49 +0000 Subject: [PATCH 4/6] align audit release Signed-off-by: Mark Bolwell --- Changelog.md | 1 + defaults/main.yml | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 7fefc65..4ca9caf 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,6 +3,7 @@ ## 1.0.2 #30 - thanks to smattterchew ability to change sshd config file to use dropin file instead. +Aligned benchmark audit version with remediate release ## 1.0.1 diff --git a/defaults/main.yml b/defaults/main.yml index 42f26cc..4a95eaf 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -33,6 +33,9 @@ python2_bin: /bin/python2.7 ## Benchmark name used by audting control role # The audit variable found at the base +## metadata for Audit benchmark +benchmark_version: 'v1.0.0' + benchmark: RHEL9-CIS # Whether to skip the reboot @@ -692,7 +695,7 @@ copy_goss_from_path: /some/accessible/path ## managed by the control audit_content # git audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git" -audit_git_version: devel +audit_git_version: "benchmark_{{ benchmark_version }}" # copy: audit_local_copy: "some path to copy from" From b9b283fd5219222fb5e47bdf24b88e56fa958f48 Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Feb 2023 14:16:15 +0000 Subject: [PATCH 5/6] added fix for issue #30 Signed-off-by: Mark Bolwell --- Changelog.md | 6 +++++- tasks/section_1/cis_1.4.x.yml | 3 +++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/Changelog.md b/Changelog.md index 4ca9caf..ba1933c 100644 --- a/Changelog.md +++ b/Changelog.md @@ -2,7 +2,11 @@ ## 1.0.2 -#30 - thanks to smattterchew ability to change sshd config file to use dropin file instead. +thanks to @smatterchew +#30 ability to change sshd config file to use dropin file instead. + +thanks to @I-am-MoS +#34 create user.cfg if not present Aligned benchmark audit version with remediate release ## 1.0.1 diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml index f2dcaee..7f0e71a 100644 --- a/tasks/section_1/cis_1.4.x.yml +++ b/tasks/section_1/cis_1.4.x.yml @@ -26,6 +26,9 @@ owner: root group: root mode: "{{ item.mode }}" + state: touch + modification_time: preserve + acess_time: preserve loop: - { path: 'grub.cfg', mode: '0700' } - { path: 'grubenv', mode: '0600' } From 80168bc6d4e73affd810fdc2306b535f45a3eeca Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Mon, 20 Feb 2023 14:44:00 +0000 Subject: [PATCH 6/6] update urandom check again Signed-off-by: Mark Bolwell --- .github/workflows/linux_benchmark_testing.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/linux_benchmark_testing.yml b/.github/workflows/linux_benchmark_testing.yml index 978792e..991470e 100644 --- a/.github/workflows/linux_benchmark_testing.yml +++ b/.github/workflows/linux_benchmark_testing.yml @@ -90,8 +90,9 @@ jobs: # Set up requirements for random root password CIS 5.6.6 - name: add urandom passwd to root account shell: bash + working-directory: .github/workflows run: | - ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i .github/workflows/hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" -b + ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" -b --private-key .ssh/github_actions.pem # Run the ansible playbook - name: Run_Ansible_Playbook