forked from ansible-lockdown/RHEL9-CIS
Merge pull request #35 from ansible-lockdown/issues_30_and_34
Issues 30 and 34
This commit is contained in:
uk-bolly
GitHub
commit
a58e3ff0d6
7 changed files with 61 additions and 23 deletions
|
|
@ -90,8 +90,9 @@ jobs:
|
||||||
# Set up requirements for random root password CIS 5.6.6
|
# Set up requirements for random root password CIS 5.6.6
|
||||||
- name: add urandom passwd to root account
|
- name: add urandom passwd to root account
|
||||||
shell: bash
|
shell: bash
|
||||||
|
working-directory: .github/workflows
|
||||||
run: |
|
run: |
|
||||||
ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i .github/workflows/hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" -b
|
ANSIBLE_HOST_KEY_CHECKING=False && ansible all -i hosts.yml -m shell -a "cat /dev/urandom | tr -dc ‘[:print:]’ | head -c50 | passwd --stdin root" -b --private-key .ssh/github_actions.pem
|
||||||
|
|
||||||
# Run the ansible playbook
|
# Run the ansible playbook
|
||||||
- name: Run_Ansible_Playbook
|
- name: Run_Ansible_Playbook
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,14 @@
|
||||||
# Changes to rhel9CIS
|
# Changes to rhel9CIS
|
||||||
|
|
||||||
|
## 1.0.2
|
||||||
|
|
||||||
|
thanks to @smatterchew
|
||||||
|
#30 ability to change sshd config file to use dropin file instead.
|
||||||
|
|
||||||
|
thanks to @I-am-MoS
|
||||||
|
#34 create user.cfg if not present
|
||||||
|
Aligned benchmark audit version with remediate release
|
||||||
|
|
||||||
## 1.0.1
|
## 1.0.1
|
||||||
|
|
||||||
Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8
|
Control 6_2_16 new variable added thanks to @dulin_gnet on rhel8
|
||||||
|
|
|
||||||
|
|
@ -33,6 +33,9 @@ python2_bin: /bin/python2.7
|
||||||
|
|
||||||
## Benchmark name used by audting control role
|
## Benchmark name used by audting control role
|
||||||
# The audit variable found at the base
|
# The audit variable found at the base
|
||||||
|
## metadata for Audit benchmark
|
||||||
|
benchmark_version: 'v1.0.0'
|
||||||
|
|
||||||
benchmark: RHEL9-CIS
|
benchmark: RHEL9-CIS
|
||||||
|
|
||||||
# Whether to skip the reboot
|
# Whether to skip the reboot
|
||||||
|
|
@ -560,6 +563,9 @@ rhel9cis_logrotate: "daily"
|
||||||
|
|
||||||
## Section5 vars
|
## Section5 vars
|
||||||
|
|
||||||
|
# This will allow use of drop in files when CIS adopts them.
|
||||||
|
rhel9_cis_sshd_config_file: /etc/ssh/sshd_config
|
||||||
|
|
||||||
rhel9cis_sshd:
|
rhel9cis_sshd:
|
||||||
clientalivecountmax: 0
|
clientalivecountmax: 0
|
||||||
clientaliveinterval: 900
|
clientaliveinterval: 900
|
||||||
|
|
@ -689,7 +695,7 @@ copy_goss_from_path: /some/accessible/path
|
||||||
## managed by the control audit_content
|
## managed by the control audit_content
|
||||||
# git
|
# git
|
||||||
audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
|
audit_file_git: "https://github.com/ansible-lockdown/{{ benchmark }}-Audit.git"
|
||||||
audit_git_version: devel
|
audit_git_version: "benchmark_{{ benchmark_version }}"
|
||||||
|
|
||||||
# copy:
|
# copy:
|
||||||
audit_local_copy: "some path to copy from"
|
audit_local_copy: "some path to copy from"
|
||||||
|
|
|
||||||
|
|
@ -175,6 +175,22 @@
|
||||||
- rule_5.1.1
|
- rule_5.1.1
|
||||||
- cron
|
- cron
|
||||||
|
|
||||||
|
# Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config
|
||||||
|
- name: "PRELIM | Section 5.2 | SSH"
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0600
|
||||||
|
state: touch
|
||||||
|
when:
|
||||||
|
- rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config'
|
||||||
|
- "'openssh-server' in ansible_facts.packages"
|
||||||
|
tags:
|
||||||
|
- ssh
|
||||||
|
- level1_server
|
||||||
|
- level1_workstation
|
||||||
|
|
||||||
- name: "PRELIM | Install authconfig"
|
- name: "PRELIM | Install authconfig"
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
name: authconfig
|
name: authconfig
|
||||||
|
|
|
||||||
|
|
@ -26,6 +26,9 @@
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: "{{ item.mode }}"
|
mode: "{{ item.mode }}"
|
||||||
|
state: touch
|
||||||
|
modification_time: preserve
|
||||||
|
acess_time: preserve
|
||||||
loop:
|
loop:
|
||||||
- { path: 'grub.cfg', mode: '0700' }
|
- { path: 'grub.cfg', mode: '0700' }
|
||||||
- { path: 'grubenv', mode: '0600' }
|
- { path: 'grubenv', mode: '0600' }
|
||||||
|
|
|
||||||
|
|
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured"
|
- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured"
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: /etc/ssh/sshd_config
|
path: "/etc/ssh/sshd_config"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0600
|
mode: 0600
|
||||||
|
|
@ -77,7 +77,7 @@
|
||||||
block:
|
block:
|
||||||
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers"
|
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^AllowUsers"
|
regexp: "^AllowUsers"
|
||||||
line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}"
|
line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}"
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -86,7 +86,7 @@
|
||||||
|
|
||||||
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
|
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^AllowGroups"
|
regexp: "^AllowGroups"
|
||||||
line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}"
|
line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}"
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -95,7 +95,7 @@
|
||||||
|
|
||||||
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
|
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^DenyUsers"
|
regexp: "^DenyUsers"
|
||||||
line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}"
|
line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}"
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -104,7 +104,7 @@
|
||||||
|
|
||||||
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
|
- name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^DenyGroups"
|
regexp: "^DenyGroups"
|
||||||
line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}"
|
line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}"
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -121,7 +121,7 @@
|
||||||
|
|
||||||
- name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate"
|
- name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^#LogLevel|^LogLevel"
|
regexp: "^#LogLevel|^LogLevel"
|
||||||
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
|
line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -136,7 +136,7 @@
|
||||||
|
|
||||||
- name: "5.2.6 | PATCH | Ensure SSH PAM is enabled"
|
- name: "5.2.6 | PATCH | Ensure SSH PAM is enabled"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^#UsePAM|^UsePAM"
|
regexp: "^#UsePAM|^UsePAM"
|
||||||
line: 'UsePAM yes'
|
line: 'UsePAM yes'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -151,7 +151,7 @@
|
||||||
|
|
||||||
- name: "5.2.7 | PATCH | Ensure SSH root login is disabled"
|
- name: "5.2.7 | PATCH | Ensure SSH root login is disabled"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^#PermitRootLogin|^PermitRootLogin"
|
regexp: "^#PermitRootLogin|^PermitRootLogin"
|
||||||
line: 'PermitRootLogin no'
|
line: 'PermitRootLogin no'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -166,7 +166,7 @@
|
||||||
|
|
||||||
- name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
|
- name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^#HostbasedAuthentication|^HostbasedAuthentication"
|
regexp: "^#HostbasedAuthentication|^HostbasedAuthentication"
|
||||||
line: 'HostbasedAuthentication no'
|
line: 'HostbasedAuthentication no'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -181,7 +181,7 @@
|
||||||
|
|
||||||
- name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
|
- name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
|
regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
|
||||||
line: 'PermitEmptyPasswords no'
|
line: 'PermitEmptyPasswords no'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -196,7 +196,7 @@
|
||||||
|
|
||||||
- name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
|
- name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
|
regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
|
||||||
line: 'PermitUserEnvironment no'
|
line: 'PermitUserEnvironment no'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -211,7 +211,7 @@
|
||||||
|
|
||||||
- name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
|
- name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^#IgnoreRhosts|^IgnoreRhosts"
|
regexp: "^#IgnoreRhosts|^IgnoreRhosts"
|
||||||
line: 'IgnoreRhosts yes'
|
line: 'IgnoreRhosts yes'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -226,7 +226,7 @@
|
||||||
|
|
||||||
- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled"
|
- name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^#X11Forwarding|^X11Forwarding"
|
regexp: "^#X11Forwarding|^X11Forwarding"
|
||||||
line: 'X11Forwarding no'
|
line: 'X11Forwarding no'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -241,7 +241,7 @@
|
||||||
|
|
||||||
- name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
|
- name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
|
regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
|
||||||
line: 'AllowTcpForwarding no'
|
line: 'AllowTcpForwarding no'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -277,7 +277,7 @@
|
||||||
|
|
||||||
- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured"
|
- name: "5.2.15 | PATCH | Ensure SSH warning banner is configured"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: '^Banner'
|
regexp: '^Banner'
|
||||||
line: 'Banner /etc/issue.net'
|
line: 'Banner /etc/issue.net'
|
||||||
when:
|
when:
|
||||||
|
|
@ -291,7 +291,7 @@
|
||||||
|
|
||||||
- name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
|
- name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: '^(#)?MaxAuthTries \d'
|
regexp: '^(#)?MaxAuthTries \d'
|
||||||
line: 'MaxAuthTries 4'
|
line: 'MaxAuthTries 4'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -306,7 +306,7 @@
|
||||||
|
|
||||||
- name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured"
|
- name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^#MaxStartups|^MaxStartups"
|
regexp: "^#MaxStartups|^MaxStartups"
|
||||||
line: 'MaxStartups 10:30:60'
|
line: 'MaxStartups 10:30:60'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -321,7 +321,7 @@
|
||||||
|
|
||||||
- name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
|
- name: "5.2.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^#MaxSessions|^MaxSessions"
|
regexp: "^#MaxSessions|^MaxSessions"
|
||||||
line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
|
line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -336,7 +336,7 @@
|
||||||
|
|
||||||
- name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
|
- name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: "^#LoginGraceTime|^LoginGraceTime"
|
regexp: "^#LoginGraceTime|^LoginGraceTime"
|
||||||
line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
|
line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
@ -353,14 +353,14 @@
|
||||||
block:
|
block:
|
||||||
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
|
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: '^ClientAliveInterval'
|
regexp: '^ClientAliveInterval'
|
||||||
line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
|
line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
||||||
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
|
- name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
path: /etc/ssh/sshd_config
|
path: "{{ rhel9_cis_sshd_config_file }}"
|
||||||
regexp: '^ClientAliveCountMax'
|
regexp: '^ClientAliveCountMax'
|
||||||
line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"
|
line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"
|
||||||
validate: sshd -t -f %s
|
validate: sshd -t -f %s
|
||||||
|
|
|
||||||
|
|
@ -467,6 +467,9 @@ rhel9cis_remote_log_queuesize: {{ rhel9cis_remote_log_queuesize }}
|
||||||
rhel9cis_syslog: {{ rhel9cis_syslog }}
|
rhel9cis_syslog: {{ rhel9cis_syslog }}
|
||||||
|
|
||||||
# Section 5
|
# Section 5
|
||||||
|
# This will allow use of drop in files when CIS adopts them.
|
||||||
|
rhel9_cis_sshd_config_file: {{ rhel9_cis_sshd_config_file }}
|
||||||
|
|
||||||
## 5.2.4 Note the following to understand precedence and layout
|
## 5.2.4 Note the following to understand precedence and layout
|
||||||
rhel9cis_sshd_limited: false
|
rhel9cis_sshd_limited: false
|
||||||
rhel9cis_sshd_access:
|
rhel9cis_sshd_access:
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue