sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Merge pull request #62 from ansible-lockdown/may23_updates

Browse source 
May23 updates
This commit is contained in:
uk-bolly 2023-05-18 18:07:07 +01:00 committed by GitHub
commit a888834396
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 12 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

5
Changelog.md
View file

@ -2,8 +2,9 @@
## 1.0.7
lint and yamll updates
improvemnst to 6.1.10, 6.1.11, 6.1.13, 6.1.14
lint and yaml updates
improvements to 6.1.10, 6.1.11, 6.1.13, 6.1.14
4.1.3.6 updated on process discovery
## 1.0.6

2
tasks/section_4/cis_4.1.3.x.yml
View file

@ -69,7 +69,7 @@
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
block:
- name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
changed_when: false
failed_when: false
check_mode: false

6
tasks/section_5/cis_5.4.x.yml
View file

@ -54,9 +54,9 @@
line: "{{ item.line }}"
insertbefore: "{{ item.before }}"
loop:
- { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
- { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'}
- { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so', 'before':'^account required pam_unix.so'}
- { 'regexp': '^auth\s+required\s+pam_faillock.so preauth silent deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so preauth silent deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+sufficient\s+pam_unix.so try_first_pass'}
- { 'regexp': '^auth\s+required\s+pam_faillock.so authfail deny=.*unlock_time=.*', 'line': 'auth required pam_faillock.so authfail deny={{ rhel9cis_pam_faillock.deny }} unlock_time={{ rhel9cis_pam_faillock.unlock_time }}', 'before':'^auth\s+required\s+pam_deny.so'}
- { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account required pam_faillock.so', 'before':'^account required pam_unix.so'}
when:
- rhel9cis_add_faillock_without_authselect
- rhel9cis_5_4_2_risks == 'ACCEPT'

6
tasks/section_5/cis_5.5.x.yml
View file

@ -82,14 +82,14 @@
- name: "5.5.3 | PATCH | Ensure password reuse is limited | pwquality"
ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth
line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
line: "password requisite pam_pwhistory.so try_first_pass enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}"
insertafter: '^password\s*requisite\s*pam_pwquality.so'
- name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix"
ansible.builtin.replace:
path: /etc/pam.d/system-auth
regexp: '^password\s*(sufficient|requisite|sufficient)\s*pam_unix.so.*$'
replace: 'password requisite pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
regexp: '^password\s*sufficient\s*pam_unix.so.*$'
replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}'
when:
- rhel9cis_rule_5_5_3
tags:

4
tasks/section_5/cis_5.6.x.yml
View file

@ -13,7 +13,7 @@
- item.id != "shutdown"
- item.id != "halt"
- item.id != "nfsnobody"
- item.gid < min_int_uid | int
- item.uid < min_int_uid | int
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
loop_control:
@ -30,7 +30,7 @@
- item.id != "sync"
- item.id != "root"
- item.id != "nfsnobody"
- item.gid < min_int_uid | int
- item.uid < min_int_uid | int
- item.shell != " /bin/false"
- item.shell != " /usr/sbin/nologin"
loop_control: